{"text": "The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"Organization: admin@338": [[4, 13]], "Malware: publicly available RATs": [[117, 140]], "Malware: Poison Ivy": [[149, 159]], "Malware: non-public backdoors": [[175, 195]]}, "info": {"id": "dnrti_train_000000", "source": "dnrti_train"}} {"text": "The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: media companies": [[42, 57]]}, "info": {"id": "dnrti_train_000001", "source": "dnrti_train"}} {"text": "Multiple China-based cyber threat groups have targeted international media organizations in the past .", "spans": {"Organization: cyber threat groups": [[21, 40]], "Organization: international media organizations": [[55, 88]]}, "info": {"id": "dnrti_train_000002", "source": "dnrti_train"}} {"text": "The admin@338 has targeted international media organizations in the past .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: international media organizations": [[27, 60]]}, "info": {"id": "dnrti_train_000003", "source": "dnrti_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"Organization: admin@338": [[21, 30]], "System: spear phishing emails": [[36, 57]], "Organization: media organizations": [[89, 108]]}, "info": {"id": "dnrti_train_000004", "source": "dnrti_train"}} {"text": "In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"Organization: threat actors": [[21, 34]], "System: spear phishing emails": [[40, 61]], "Organization: 
media organizations": [[93, 112]]}, "info": {"id": "dnrti_train_000005", "source": "dnrti_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations .", "spans": {"Organization: admin@338": [[21, 30]], "System: spear phishing emails": [[36, 57]], "Organization: media organizations": [[89, 108]]}, "info": {"id": "dnrti_train_000006", "source": "dnrti_train"}} {"text": "The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: policy organizations": [[56, 76]], "System: spear phishing emails": [[101, 122]], "Organization: audiences": [[165, 174]]}, "info": {"id": "dnrti_train_000007", "source": "dnrti_train"}} {"text": "Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": {"Malware: LOWBALL malware": [[9, 24]], "Organization: admin@338": [[65, 74]], "Malware: upload.bat": [[101, 111]]}, "info": {"id": "dnrti_train_000008", "source": "dnrti_train"}} {"text": "We observed the admin@338 upload a second stage malware , known as BUBBLEWRAP ( also known as Backdoor.APT.FakeWinHTTPHelper ) to their Dropbox account along with the following command .", "spans": {"Organization: admin@338": [[16, 25]], "Malware: BUBBLEWRAP": [[67, 77]], "Malware: Backdoor.APT.FakeWinHTTPHelper": [[94, 124]]}, "info": {"id": "dnrti_train_000009", "source": "dnrti_train"}} {"text": "We have previously observed the admin@338 group use BUBBLEWRAP .", "spans": {"Organization: admin@338 group": [[32, 47]], "Malware: BUBBLEWRAP": [[52, 62]]}, "info": {"id": "dnrti_train_000010", "source": "dnrti_train"}} {"text": "The LOWBALL first stage malware allows the group to collect information from victims and then deliver 
the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets .", "spans": {"Malware: LOWBALL": [[4, 11]], "Organization: group": [[43, 48]], "Malware: BUBBLEWRAP": [[106, 116]]}, "info": {"id": "dnrti_train_000011", "source": "dnrti_train"}} {"text": "The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"Organization: admin@338": [[4, 13]]}, "info": {"id": "dnrti_train_000012", "source": "dnrti_train"}} {"text": "An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"Organization: APT": [[3, 6]], "Organization: gang": [[7, 11]]}, "info": {"id": "dnrti_train_000013", "source": "dnrti_train"}} {"text": "The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"Organization: group": [[4, 9]], "Organization: admin@338": [[54, 63]], "Malware: remote access Trojans": [[121, 142]], "Malware: Poison Ivy": [[151, 161]], "Organization: financial firms": [[187, 202]]}, "info": {"id": "dnrti_train_000014", "source": "dnrti_train"}} {"text": "The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"Organization: agroup": [[4, 10]], "Organization: admin@338": [[55, 64]], "Malware: remote access Trojans": [[122, 143]], "Malware: Poison Ivy": [[152, 162]], "Organization: financial firms": [[188, 203]]}, "info": {"id": 
"dnrti_train_000015", "source": "dnrti_train"}} {"text": "The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: defense sectors": [[130, 145]]}, "info": {"id": "dnrti_train_000016", "source": "dnrti_train"}} {"text": "The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"Organization: APT actor": [[4, 13]], "Organization: defense sectors": [[130, 145]]}, "info": {"id": "dnrti_train_000017", "source": "dnrti_train"}} {"text": "In August 2013 , FireEye reported that admin@338 had been using the Poison Ivy RAT in its operations .", "spans": {"Organization: FireEye": [[17, 24]], "Organization: admin@338": [[39, 48]], "Malware: Poison Ivy RAT": [[68, 82]]}, "info": {"id": "dnrti_train_000018", "source": "dnrti_train"}} {"text": "In March 2014 , the admin@338 leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": {"Organization: admin@338": [[20, 29]], "Organization: think tank": [[157, 167]]}, "info": {"id": "dnrti_train_000019", "source": "dnrti_train"}} {"text": "In March 2014 , the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": {"Organization: group": [[20, 25]], "Organization: think tank": [[153, 163]]}, "info": {"id": "dnrti_train_000020", "source": "dnrti_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: admin@338": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: 
Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_000021", "source": "dnrti_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: attackers": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_000022", "source": "dnrti_train"}} {"text": "The admin@338 's Dropbox accounts have also been found to contain a different backdoor dubbed BUBBLEWRAP .", "spans": {"Organization: admin@338": [[4, 13]], "Malware: BUBBLEWRAP": [[94, 104]]}, "info": {"id": "dnrti_train_000023", "source": "dnrti_train"}} {"text": "Researchers have pointed out that it is not uncommon for China-based threat groups to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": {"Organization: threat groups": [[69, 82]], "Organization: media organizations": [[103, 122]]}, "info": {"id": "dnrti_train_000024", "source": "dnrti_train"}} {"text": "Researchers have pointed out that it is not uncommon for admin@338 to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": {"Organization: admin@338": [[57, 66]], "Organization: media organizations": [[87, 106]]}, "info": {"id": "dnrti_train_000025", "source": "dnrti_train"}} {"text": "This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": {"Organization: FireEye": [[25, 32]], "Organization: group": [[51, 56]], 
"Organization: hackers": [[74, 81]], "Organization: admin@338": [[89, 98]], "System: spear phishing emails": [[130, 151]], "Organization: attackers": [[158, 167]], "Organization: government officials": [[177, 197]], "Organization: cyber espionage": [[233, 248]]}, "info": {"id": "dnrti_train_000026", "source": "dnrti_train"}} {"text": "The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"Organization: attackers": [[4, 13]], "Malware: Poison Ivy RAT": [[31, 45]], "Malware: WinHTTPHelper malware": [[50, 71]], "Organization: government officials": [[103, 123]]}, "info": {"id": "dnrti_train_000027", "source": "dnrti_train"}} {"text": "The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"Organization: admin@338": [[4, 13]], "Malware: Poison Ivy RAT": [[31, 45]], "Malware: WinHTTPHelper malware": [[50, 71]], "Organization: government officials": [[103, 123]]}, "info": {"id": "dnrti_train_000028", "source": "dnrti_train"}} {"text": "FireEye analysts documented the admin@338 group 's activities in a previous paper titled Poison Ivy : Assessing Damage and Extracting Intelligence paper .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: admin@338 group": [[32, 47]], "Malware: Poison Ivy": [[89, 99]]}, "info": {"id": "dnrti_train_000029", "source": "dnrti_train"}} {"text": "The spear-phishing campaign against Asian entities isn't isolated , the admin@338 also started another attack against the US-based think tank on 14th March .", "spans": {"Organization: admin@338": [[72, 81]], "Organization: think tank": [[131, 141]]}, "info": {"id": "dnrti_train_000030", "source": "dnrti_train"}} {"text": "Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China 's cyber threat actors .", "spans": {"Organization: APT1": [[41, 45]], "Organization: 
cyber threat actors": [[120, 139]]}, "info": {"id": "dnrti_train_000031", "source": "dnrti_train"}} {"text": "FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic , and trade policy .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: admin@338": [[28, 37]], "Organization: group": [[69, 74]]}, "info": {"id": "dnrti_train_000032", "source": "dnrti_train"}} {"text": "The simplest conclusion based on these facts is that APT1 is operating in China , and most likely in Shanghai .", "spans": {"Organization: APT1": [[53, 57]]}, "info": {"id": "dnrti_train_000033", "source": "dnrti_train"}} {"text": "These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are .", "spans": {"Organization: APT1": [[26, 30], [105, 109]]}, "info": {"id": "dnrti_train_000034", "source": "dnrti_train"}} {"text": "APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently .", "spans": {"Organization: APT1": [[0, 4]], "Malware: BISCUIT": [[36, 43]]}, "info": {"id": "dnrti_train_000035", "source": "dnrti_train"}} {"text": "While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT .", "spans": {"Organization: APT1": [[6, 10]], "Malware: publicly available backdoors": [[38, 66]], "Malware: Poison Ivy": [[75, 85]], "Malware: Gh0st RAT": [[90, 99]]}, "info": {"id": "dnrti_train_000036", "source": "dnrti_train"}} {"text": "Given the mission , resourcing , and location of PLA Unit 61398 , we conclude that PLA Unit 61398 is APT1 .", "spans": {"Organization: PLA Unit 61398": [[49, 63], [83, 97]], "Organization: APT1": [[101, 105]]}, "info": {"id": "dnrti_train_000037", "source": "dnrti_train"}} {"text": "APT1 were a highly prolific cyber-attack group operating out of China .", "spans": {"Organization: APT1": 
[[0, 4]], "Organization: cyber-attack group": [[28, 46]]}, "info": {"id": "dnrti_train_000038", "source": "dnrti_train"}} {"text": "APT1 is a China-based cyber-espionage group , active since mid-2006 .", "spans": {"Organization: APT1": [[0, 4]], "Organization: cyber-espionage group": [[22, 43]]}, "info": {"id": "dnrti_train_000039", "source": "dnrti_train"}} {"text": "APT12 's targets are consistent with larger People 's Republic of China ( PRC ) goals .", "spans": {"Organization: APT12": [[0, 5]]}, "info": {"id": "dnrti_train_000040", "source": "dnrti_train"}} {"text": "Since the release of the Arbor blog post , FireEye has observed APT12 use a modified backdoor that we call HIGHTIDE .", "spans": {"Organization: Arbor": [[25, 30]], "Organization: FireEye": [[43, 50]], "Organization: APT12": [[64, 69]], "Malware: HIGHTIDE": [[107, 115]]}, "info": {"id": "dnrti_train_000041", "source": "dnrti_train"}} {"text": "However , the malware shared several traits with the RIPTIDE and HIGHTIDE backdoor that we have attributed to APT12 .", "spans": {"Malware: RIPTIDE": [[53, 60]], "Malware: HIGHTIDE backdoor": [[65, 82]], "Organization: APT12": [[110, 115]]}, "info": {"id": "dnrti_train_000042", "source": "dnrti_train"}} {"text": "From October 2012 to May 2014 , FireEye observed APT12 utilizing RIPTIDE , that communicates via HTTP to a hard-coded command and control ( C2 ) server .", "spans": {"Organization: FireEye": [[32, 39]], "Organization: APT12": [[49, 54]], "Malware: RIPTIDE": [[65, 72]], "Malware: HTTP": [[97, 101]]}, "info": {"id": "dnrti_train_000043", "source": "dnrti_train"}} {"text": "Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": {"Organization: APT12": [[31, 36]], "Malware: HIGHTIDE": [[65, 73]], "Malware: Microsoft Word": [[82, 96]], "Malware: .doc": [[99, 103]], "Vulnerability: CVE-2012-0158": [[129, 142]]}, "info": {"id": "dnrti_train_000044", 
"source": "dnrti_train"}} {"text": "FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: RIPTIDE": [[33, 40]], "Malware: HIGHTIDE": [[44, 52]], "Organization: APT12": [[123, 128]]}, "info": {"id": "dnrti_train_000045", "source": "dnrti_train"}} {"text": "They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"Malware: publicly available RATs": [[109, 132]], "Malware: Poison Ivy": [[141, 151]], "Malware: non-public backdoors": [[167, 187]]}, "info": {"id": "dnrti_train_000046", "source": "dnrti_train"}} {"text": "A China-based cyber threat group , which FireEye tracks as an uncategorized advanced persistent threat ( APT ) group and other researchers refer to as admin@338 , may have conducted the activity .", "spans": {"Organization: cyber threat group": [[14, 32]], "Organization: FireEye": [[41, 48]], "Organization: threat": [[96, 102]], "Organization: admin@338": [[151, 160]]}, "info": {"id": "dnrti_train_000047", "source": "dnrti_train"}} {"text": "The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"Organization: group": [[4, 9]], "Organization: policy organizations": [[52, 72]], "System: spear phishing emails": [[97, 118]], "Organization: audiences": [[161, 170]]}, "info": {"id": "dnrti_train_000048", "source": "dnrti_train"}} {"text": "About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families .", "spans": {"Organization: The New York Times": [[24, 42]], 
"Organization: APT12": [[85, 90]], "Malware: Backdoor.APT.Aumlib": [[147, 166]], "Malware: Backdoor.APT.Ixeshe malware families": [[171, 207]]}, "info": {"id": "dnrti_train_000049", "source": "dnrti_train"}} {"text": "With this in mind , this week we are providing some indicators for a China based adversary who we crypt as \" NUMBERED PANDA \" Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": {"Organization: NUMBERED PANDA": [[109, 123]], "Organization: Numbered Panda": [[126, 140]], "Organization: DYNCALC": [[227, 234]], "Organization: IXESHE": [[237, 243]], "Organization: JOY RAT": [[246, 253]], "Organization: APT-12": [[256, 262]]}, "info": {"id": "dnrti_train_000050", "source": "dnrti_train"}} {"text": "Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": {"Organization: Numbered Panda": [[0, 14]], "Organization: DYNCALC": [[101, 108]], "Organization: IXESHE": [[111, 117]], "Organization: JOY RAT": [[120, 127]], "Organization: APT-12": [[130, 136]]}, "info": {"id": "dnrti_train_000051", "source": "dnrti_train"}} {"text": "The new campaigns mark the first significant stirrings from the APT12 since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China .", "spans": {"Organization: APT12": [[64, 69]], "Organization: group": [[142, 147]]}, "info": {"id": "dnrti_train_000052", "source": "dnrti_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries .", "spans": {"Organization: APT16": [[85, 90]]}, "info": {"id": 
"dnrti_train_000053", "source": "dnrti_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries .", "spans": {"Organization: APT groups": [[85, 95]]}, "info": {"id": "dnrti_train_000054", "source": "dnrti_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"Organization: APT16": [[48, 53]], "System: spear phishing emails": [[90, 111]], "Organization: financial": [[133, 142]], "Organization: high-tech companies": [[147, 166]]}, "info": {"id": "dnrti_train_000055", "source": "dnrti_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"Organization: APT group": [[48, 57]], "System: spear phishing emails": [[94, 115]], "Organization: financial": [[137, 146]], "Organization: high-tech companies": [[151, 170]]}, "info": {"id": "dnrti_train_000056", "source": "dnrti_train"}} {"text": "While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16 .", "spans": {"Organization: APT group": [[149, 158]], "Organization: APT16": [[179, 184]]}, "info": {"id": "dnrti_train_000057", "source": "dnrti_train"}} {"text": "APT16 actors sent spear phishing emails to two Taiwanese media organizations .", "spans": {"Organization: APT16 actors": [[0, 12]], "System: spear phishing emails": [[18, 39]], "Organization: media organizations": [[57, 76]]}, "info": {"id": "dnrti_train_000058", "source": "dnrti_train"}} {"text": "On the same date that APT16 
targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website .", "spans": {"Organization: APT16": [[22, 27]], "Organization: APT actors": [[73, 83]], "Organization: government agency": [[110, 127]], "System: lure document": [[140, 153]]}, "info": {"id": "dnrti_train_000059", "source": "dnrti_train"}} {"text": "It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor .", "spans": {"Organization: APT16": [[47, 52]], "Organization: government agency": [[93, 110]], "Malware: ELMER backdoor": [[193, 207]]}, "info": {"id": "dnrti_train_000060", "source": "dnrti_train"}} {"text": "Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 .", "spans": {"Organization: media organizations": [[78, 97]], "Organization: APT16": [[141, 146]]}, "info": {"id": "dnrti_train_000061", "source": "dnrti_train"}} {"text": "The suspected APT16 targeting of the Taiwanese government agency – in addition to the Taiwanese media organizations – further supports this possibility .", "spans": {"Organization: APT16": [[14, 19]], "Organization: government agency": [[47, 64]], "Organization: media organizations": [[96, 115]]}, "info": {"id": "dnrti_train_000062", "source": "dnrti_train"}} {"text": "APT17 was embedding the encoded CnC IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \" dead drop resolver \" .", "spans": {"Organization: APT17": [[0, 5]], "Malware: BLACKCOFFEE malware": [[55, 74]], "Organization: information security community": [[163, 193]]}, "info": {"id": 
"dnrti_train_000063", "source": "dnrti_train"}} {"text": "APT17 , also known as DeputyDog , is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": {"Organization: APT17": [[0, 5]], "Organization: DeputyDog": [[22, 31]], "Organization: threat group": [[51, 63]], "Organization: FireEye Intelligence": [[69, 89]], "Organization: government entities": [[146, 165]], "Organization: law firms": [[191, 200]], "Organization: information technology companies": [[203, 235]], "Organization: mining companies": [[238, 254]], "Organization: non-government organizations": [[261, 289]]}, "info": {"id": "dnrti_train_000064", "source": "dnrti_train"}} {"text": "FireEye has monitored APT17 's use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT17": [[22, 27]], "Malware: BLACKCOFFEE": [[38, 49]]}, "info": {"id": "dnrti_train_000065", "source": "dnrti_train"}} {"text": "The use of BLACKCOFFEE demonstrates APT17 's evolving use of public websites to hide in plain sight .", "spans": {"Malware: BLACKCOFFEE": [[11, 22]], "Organization: APT17": [[36, 41]]}, "info": {"id": "dnrti_train_000066", "source": "dnrti_train"}} {"text": "TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology .", "spans": {"Organization: TG-0416": [[0, 7]], "Organization: Advanced Persistent Threat": [[47, 73]], "Organization: APT": [[76, 79]], "Organization: human rights groups": [[205, 224]]}, "info": 
{"id": "dnrti_train_000067", "source": "dnrti_train"}} {"text": "The APT18 then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system .", "spans": {"Organization: APT18": [[4, 9]], "Malware: hcdLoader RAT": [[29, 42]]}, "info": {"id": "dnrti_train_000068", "source": "dnrti_train"}} {"text": "The malware used by the Wekby group has ties to the HTTPBrowser malware family , and uses DNS requests as a command and control mechanism .", "spans": {"Organization: Wekby group": [[24, 35]], "Malware: HTTPBrowser malware family": [[52, 78]]}, "info": {"id": "dnrti_train_000069", "source": "dnrti_train"}} {"text": "These URIs result in the download of an installer , which creates a PE of the malware typically known as HTTPBrowser , but called Token Control by the Wekby group themselves ( based upon the PDB strings found within many of the samples ) .", "spans": {"Malware: HTTPBrowser": [[105, 116]], "Malware: Token Control": [[130, 143]], "Organization: Wekby group": [[151, 162]]}, "info": {"id": "dnrti_train_000070", "source": "dnrti_train"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"Organization: APT19": [[0, 5]], "Organization: defense sector firms": [[31, 51]], "Organization: energy sectors": [[126, 140]]}, "info": {"id": "dnrti_train_000071", "source": "dnrti_train"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"Organization: APT19": [[0, 5]], "Organization: defense sector firms": [[31, 51]], "Organization: energy sectors": [[196, 210]]}, "info": {"id": "dnrti_train_000072", "source": "dnrti_train"}} {"text": "FANCY 
BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": {"Organization: FANCY BEAR": [[0, 10]], "Organization: Sofacy": [[27, 33]], "Organization: APT 28": [[37, 43]], "Organization: threat actor": [[74, 86]], "Organization: Media sectors": [[245, 258]]}, "info": {"id": "dnrti_train_000073", "source": "dnrti_train"}} {"text": "APT28 malware , in particular the family of modular backdoors that we call CHOPSTICK , indicates a formal code development environment .", "spans": {"Malware: APT28 malware": [[0, 13]], "Malware: CHOPSTICK": [[75, 84]]}, "info": {"id": "dnrti_train_000074", "source": "dnrti_train"}} {"text": "However , three themes in APT28 's targeting clearly reflects areas of specific interest to an Eastern European government , most likely the Russian government .", "spans": {"Organization: APT28": [[26, 31]]}, "info": {"id": "dnrti_train_000075", "source": "dnrti_train"}} {"text": "We identified three themes in APT28 's lures and registered domains , which together are particularly relevant to the Russian government .", "spans": {"Organization: APT28": [[30, 35]]}, "info": {"id": "dnrti_train_000076", "source": "dnrti_train"}} {"text": "Georgian military security issues , particularly with regard to U.S. 
cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics .", "spans": {"Organization: threat actors": [[147, 160]]}, "info": {"id": "dnrti_train_000077", "source": "dnrti_train"}} {"text": "Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials .", "spans": {"Organization: espionage groups": [[38, 54]]}, "info": {"id": "dnrti_train_000078", "source": "dnrti_train"}} {"text": "APT28 's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours , which suggests that the Russian government is APT28 's sponsor .", "spans": {"Organization: APT28": [[0, 5], [209, 214]]}, "info": {"id": "dnrti_train_000079", "source": "dnrti_train"}} {"text": "We believe that APT28 's targeting of the MOD aligns with Russian threat perceptions .", "spans": {"Organization: APT28": [[16, 21]]}, "info": {"id": "dnrti_train_000080", "source": "dnrti_train"}} {"text": "We assess that APT28 is most likely sponsored by the Russian government .", "spans": {"Organization: APT28": [[15, 20]]}, "info": {"id": "dnrti_train_000081", "source": "dnrti_train"}} {"text": "Given the available data , we assess that APT28 's work is sponsored by the Russian government .", "spans": {"Organization: APT28": [[42, 47]]}, "info": {"id": "dnrti_train_000082", "source": "dnrti_train"}} {"text": "The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election .", "spans": {"Organization: government personnel": [[139, 159]], "Organization: authors": [[254, 261]], "Organization: journalists": [[266, 277]], "System: email": [[298, 303]]}, "info": {"id": "dnrti_train_000083", "source": "dnrti_train"}}
{"text": "The targets of TG-4127 include military , government and defense sectors .", "spans": {"Organization: TG-4127": [[15, 22]], "Organization: defense sectors": [[57, 72]]}, "info": {"id": "dnrti_train_000084", "source": "dnrti_train"}}
{"text": "Some of APT28 's more commonly used tools are the SOURFACE downloader , its second stage backdoor EVILTOSS , and a modular family of implants that we call CHOPSTICK .", "spans": {"Organization: APT28": [[8, 13]], "Malware: SOURFACE downloader": [[50, 69]], "Malware: EVILTOSS": [[98, 106]], "Malware: modular family of implants": [[115, 141]], "Malware: CHOPSTICK": [[155, 164]]}, "info": {"id": "dnrti_train_000085", "source": "dnrti_train"}}
{"text": "While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government .", "spans": {"Organization: TG-4127": [[6, 13]]}, "info": {"id": "dnrti_train_000086", "source": "dnrti_train"}}
{"text": "CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": {"Organization: CTU": [[0, 3]], "Organization: group": [[57, 62]]}, "info": {"id": "dnrti_train_000087", "source": "dnrti_train"}}
{"text": "This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian Government .", "spans": {"Organization: APT28": [[149, 154]]}, "info": {"id": "dnrti_train_000088", "source": "dnrti_train"}}
{"text": "Our visibility into the operations of APT28 - a group we believe the Russian Government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them .", "spans": {"Organization: APT28": [[38, 43]], "Organization: group": [[48, 53]]}, "info": {"id": "dnrti_train_000089", "source": "dnrti_train"}}
{"text": "Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests .", "spans": {"Organization: APT28": [[22, 27]]}, "info": {"id": "dnrti_train_000090", "source": "dnrti_train"}}
{"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": {"Organization: media entities": [[183, 197]], "Organization: dissidents": [[204, 214]], "Organization: figures": [[219, 226]]}, "info": {"id": "dnrti_train_000091", "source": "dnrti_train"}}
{"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": {"Organization: media entities": [[185, 199]], "Organization: dissidents": [[206, 216]], "Organization: figures": [[221, 228]]}, "info": {"id": "dnrti_train_000092", "source": "dnrti_train"}}
{"text": "Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine .", "spans": {"Organization: APT28": [[72, 77]]}, "info": {"id": "dnrti_train_000093", "source": "dnrti_train"}}
{"text": "After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests .", "spans": {"Organization: APT28": [[43, 48]]}, "info": {"id": "dnrti_train_000094", "source": "dnrti_train"}}
{"text": "After compromising a political organization , APT28 will steal internal data .", "spans": {"Organization: political organization": [[21, 43]], "Organization: APT28": [[46, 51]]}, "info": {"id": "dnrti_train_000095", "source": "dnrti_train"}}
{"text": "On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye 's long held public assessment that the Russian Government sponsors APT28 .", "spans": {"Organization: Department of Homeland Security": [[28, 59]], "Organization: DHS": [[62, 65]], "Organization: FBI": [[106, 109]], "Organization: FireEye": [[156, 163]], "Organization: APT28": [[232, 237]]}, "info": {"id": "dnrti_train_000096", "source": "dnrti_train"}}
{"text": "In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements .", "spans": {"Organization: FireEye": [[18, 25]], "Organization: APT28": [[35, 40], [114, 119]]}, "info": {"id": "dnrti_train_000097", "source": "dnrti_train"}}
{"text": "In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations' , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements .", "spans": {"Organization: FireEye": [[18, 25]], "Organization: APT28": [[35, 40], [115, 120]]}, "info": {"id": "dnrti_train_000098", "source": "dnrti_train"}}
{"text": "APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"Organization: APT28": [[0, 5]], "Organization: rockers": [[22, 29]], "Organization: dissidents": [[34, 44]], "System: spear-phishing emails": [[60, 81]]}, "info": {"id": "dnrti_train_000099", "source": "dnrti_train"}}
{"text": "Our investigation of APT28 's compromise of WADA 's network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism .", "spans": {"Organization: APT28": [[21, 26]]}, "info": {"id": "dnrti_train_000100", "source": "dnrti_train"}}
{"text": "Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian Government .", "spans": {"Organization: APT28": [[61, 66]]}, "info": {"id": "dnrti_train_000101", "source": "dnrti_train"}}
{"text": "In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor .", "spans": {"Organization: APT28": [[35, 40]], "Organization: espionage actor": [[85, 100]]}, "info": {"id": "dnrti_train_000102", "source": "dnrti_train"}}
{"text": "For full details , please reference our 2014 report , APT28 : A Window into Russia 's Cyber Espionage Operations .", "spans": {"Organization: APT28": [[54, 59]]}, "info": {"id": "dnrti_train_000103", "source": "dnrti_train"}}
{"text": "The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"Organization: espionage group": [[4, 19]], "Organization: Department of Homeland Security": [[50, 81]], "Organization: DHS": [[84, 87]], "Organization: FBI": [[132, 135]]}, "info": {"id": "dnrti_train_000104", "source": "dnrti_train"}}
{"text": "The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"Organization: APT28": [[4, 9]]}, "info": {"id": "dnrti_train_000105", "source": "dnrti_train"}}
{"text": "Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia .", "spans": {"Organization: attack group": [[8, 20]], "Organization: Earworm": [[23, 30]], "Organization: Zebrocy": [[37, 44]]}, "info": {"id": "dnrti_train_000106", "source": "dnrti_train"}}
{"text": "Several sources consider APT28 a group of CyberMercs based in Russia .", "spans": {"Organization: APT28": [[25, 30]], "Organization: group": [[33, 38]]}, "info": {"id": "dnrti_train_000107", "source": "dnrti_train"}}
{"text": "The primary targets of APT28 are potential victims in several countries such as Ukraine , Spain , Russia , Romania , the United States and Canada .", "spans": {"Organization: APT28": [[23, 28]]}, "info": {"id": "dnrti_train_000108", "source": "dnrti_train"}}
{"text": "We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": {"Organization: operators": [[36, 45]], "Organization: APT28": [[53, 58]], "Organization: citizens": [[86, 94], [98, 106]]}, "info": {"id": "dnrti_train_000109", "source": "dnrti_train"}}
{"text": "Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin .", "spans": {"Organization: FireEye": [[43, 50]], "Organization: group": [[80, 85]]}, "info": {"id": "dnrti_train_000110", "source": "dnrti_train"}}
{"text": "Finally , the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28 's ability and interest in exploiting geopolitical events for their operations .", "spans": {"Organization: APT28": [[131, 136]]}, "info": {"id": "dnrti_train_000111", "source": "dnrti_train"}}
{"text": "In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM , JHUHUGIT , AZZY and a few others .", "spans": {"Organization: Sofacy group": [[14, 26]], "Malware: CORESHELL": [[97, 106]], "Malware: SPLM": [[109, 113]], "Malware: JHUHUGIT": [[116, 124]], "Malware: AZZY": [[127, 131]]}, "info": {"id": "dnrti_train_000112", "source": "dnrti_train"}}
{"text": "In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others .", "spans": {"Organization: Sofacy group": [[14, 26]], "Malware: CORESHELL": [[97, 106]], "Malware: SPLM": [[109, 113]], "Malware: Xagent": [[120, 126]], "Malware: CHOPSTICK": [[133, 142]], "Malware: JHUHUGIT": [[147, 155]], "Malware: Carberp": [[192, 199]], "Malware: AZZY": [[212, 216]], "Malware: EVILTOSS": [[247, 255]]}, "info": {"id": "dnrti_train_000113", "source": "dnrti_train"}}
{"text": "The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: Sofacy group": [[4, 16]], "Vulnerability: Flash exploits": [[60, 74]], "Malware: Carberp": [[92, 99]], "Malware: JHUHUGIT downloaders": [[106, 126]]}, "info": {"id": "dnrti_train_000114", "source": "dnrti_train"}}
{"text": "APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: Flash exploits": [[49, 63]], "Malware: Carberp": [[81, 88]], "Malware: JHUHUGIT downloaders": [[95, 115]]}, "info": {"id": "dnrti_train_000115", "source": "dnrti_train"}}
{"text": "The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: Flash exploits": [[53, 67]], "Malware: Carberp": [[85, 92]], "Malware: JHUHUGIT downloaders": [[99, 119]]}, "info": {"id": "dnrti_train_000116", "source": "dnrti_train"}}
{"text": "Their evolving and modified SPLM , CHOPSTICK , XAgent code is a long-standing part of Sofacy activity , however much of it is changing .", "spans": {"Malware: SPLM": [[28, 32]], "Malware: CHOPSTICK": [[35, 44]], "Malware: XAgent": [[47, 53]]}, "info": {"id": "dnrti_train_000117", "source": "dnrti_train"}}
{"text": "FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: hospitality sector": [[62, 80]], "Organization: actor APT28": [[106, 117]]}, "info": {"id": "dnrti_train_000118", "source": "dnrti_train"}}
{"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue exploit": [[46, 65]], "Malware: open source tool": [[74, 90]], "Malware: Responder": [[91, 100]]}, "info": {"id": "dnrti_train_000119", "source": "dnrti_train"}}
{"text": "Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder .", "spans": {"Organization: APT28": [[86, 91]], "Malware: Responder": [[101, 110]]}, "info": {"id": "dnrti_train_000120", "source": "dnrti_train"}}
{"text": "Compared to other backdoor tools associated with the Sofacy group , the use of Zebrocy in attack campaigns is far more widespread .", "spans": {"Malware: backdoor tools": [[18, 32]], "Organization: Sofacy group": [[53, 65]], "Malware: Zebrocy": [[79, 86]]}, "info": {"id": "dnrti_train_000121", "source": "dnrti_train"}}
{"text": "As alluded to in our previous blog regarding the Cannon tool , the Sofacy group ( AKA Fancy Bear , APT28 , STRONTIUM , Pawn Storm , Sednit ) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018 .", "spans": {"Malware: Cannon tool": [[49, 60]], "Organization: Sofacy group": [[67, 79]], "Organization: Fancy Bear": [[86, 96]], "Organization: APT28": [[99, 104]], "Organization: STRONTIUM": [[107, 116]], "Organization: Pawn Storm": [[119, 129]], "Organization: Sednit": [[132, 138]]}, "info": {"id": "dnrti_train_000122", "source": "dnrti_train"}}
{"text": "Russian citizens—journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": {"Organization: citizens—journalists": [[8, 28]], "Organization: software developers": [[31, 50]], "Organization: politicians": [[53, 64]], "Organization: researchers at universities": [[67, 94]], "Organization: artists": [[101, 108]], "Organization: Pawn Storm": [[130, 140]]}, "info": {"id": "dnrti_train_000123", "source": "dnrti_train"}}
{"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": {"Malware: JHUHUGIT": [[4, 12]], "Vulnerability: Java zero-day": [[110, 123]], "Vulnerability: CVE-2015-2590": [[126, 139]]}, "info": {"id": "dnrti_train_000124", "source": "dnrti_train"}}
{"text": "While the JHUHUGIT ( and more recently , \" JKEYSKW \" ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan .", "spans": {"Malware: JHUHUGIT": [[10, 18]], "Malware: JKEYSKW": [[43, 50]], "Malware: AZZY Trojan": [[218, 229]]}, "info": {"id": "dnrti_train_000125", "source": "dnrti_train"}}
{"text": "Once a foothold is established , Sofacy trys to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": {"Organization: Sofacy": [[33, 39]], "Malware: backdoors": [[60, 69]], "Malware: USB stealers": [[72, 84]], "Malware: Mimikatz": [[126, 134]]}, "info": {"id": "dnrti_train_000126", "source": "dnrti_train"}}
{"text": "Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": {"Malware: backdoors": [[57, 66]], "Malware: USB stealers": [[69, 81]], "Malware: Mimikatz": [[123, 131]]}, "info": {"id": "dnrti_train_000127", "source": "dnrti_train"}}
{"text": "The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": {"Organization: Sofacy threat group": [[4, 23]], "Organization: government organizations": [[44, 68]], "Malware: Zebrocy tool": [[126, 138]]}, "info": {"id": "dnrti_train_000128", "source": "dnrti_train"}}
{"text": "Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon .", "spans": {"Organization: Sofacy group": [[33, 45]], "Malware: Trojan": [[102, 108]], "Malware: Cannon": [[116, 122]]}, "info": {"id": "dnrti_train_000129", "source": "dnrti_train"}}
{"text": "Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows .", "spans": {"Malware: Komplex": [[0, 7]], "Organization: Sofacy": [[90, 96], [124, 130]], "Malware: Carberp": [[103, 110]]}, "info": {"id": "dnrti_train_000130", "source": "dnrti_train"}}
{"text": "The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks .", "spans": {"Organization: Sofacy group": [[4, 16]], "Malware: Komplex Trojan": [[29, 43]]}, "info": {"id": "dnrti_train_000131", "source": "dnrti_train"}}
{"text": "The Komplex Trojan revealed a design similar to Sofacy 's Carberp variant Trojan , which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease .", "spans": {"Malware: Komplex Trojan": [[4, 18]], "Organization: Sofacy": [[48, 54]], "Malware: Carberp": [[58, 65]]}, "info": {"id": "dnrti_train_000132", "source": "dnrti_train"}}
{"text": "This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"Malware: MiniDuke": [[45, 53]], "Malware: CosmicDuke": [[56, 66]], "Malware: OnionDuke": [[69, 78]], "Malware: CozyDuke": [[81, 89]], "Organization: Dukes": [[104, 109]], "Organization: cyberespionage group": [[162, 182]]}, "info": {"id": "dnrti_train_000133", "source": "dnrti_train"}}
{"text": "The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"Organization: Dukes": [[4, 9]], "Organization: cyberespionage group": [[64, 84]]}, "info": {"id": "dnrti_train_000134", "source": "dnrti_train"}}
{"text": "The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke .", "spans": {"Organization: Dukes": [[4, 9]], "Malware: MiniDuke": [[88, 96]], "Malware: CosmicDuke": [[99, 109]], "Malware: OnionDuke": [[112, 121]], "Malware: CozyDuke": [[124, 132]], "Malware: CloudDuke": [[135, 144]], "Malware: SeaDuke": [[147, 154]], "Malware: HammerDuke": [[157, 167]], "Malware: PinchDuke": [[170, 179]], "Malware: GeminiDuke": [[186, 196]]}, "info": {"id": "dnrti_train_000135", "source": "dnrti_train"}}
{"text": "The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \" MiniDuke \" to identify the first Duke-related malware they found .", "spans": {"Organization: Kaspersky Labs": [[80, 94]], "Malware: MiniDuke": [[113, 121]], "Malware: Duke-related malware": [[146, 166]]}, "info": {"id": "dnrti_train_000136", "source": "dnrti_train"}}
{"text": "As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , and thus the threat actor operating the toolsets started to be commonly referred to as \" Dukes \" .", "spans": {"Organization: group": [[89, 94]], "Malware: MiniDuke": [[119, 127]], "Organization: threat actor": [[143, 155]], "Organization: Dukes": [[219, 224]]}, "info": {"id": "dnrti_train_000137", "source": "dnrti_train"}}
{"text": "Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda .", "spans": {"Malware: PinchDuke samples": [[43, 60]], "Organization: Dukes group": [[103, 114]], "Organization: ministries of foreign affairs": [[206, 235]]}, "info": {"id": "dnrti_train_000138", "source": "dnrti_train"}}
{"text": "Importantly , PinchDuke trojan samples always contain a notable text string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel .", "spans": {"Malware: PinchDuke trojan samples": [[14, 38]], "Organization: Dukes group": [[135, 146]]}, "info": {"id": "dnrti_train_000139", "source": "dnrti_train"}}
{"text": "This neatly ties together many of the tools used by the Dukes group , as versions of this one loader have been used to load malware from three different Dukes-related toolsets CosmicDuke , PinchDuke , and MiniDuke – over the course of five years .", "spans": {"Organization: Dukes group": [[56, 67]], "Malware: CosmicDuke": [[176, 186]], "Malware: PinchDuke": [[189, 198]], "Malware: MiniDuke": [[205, 213]]}, "info": {"id": "dnrti_train_000140", "source": "dnrti_train"}}
{"text": "The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke .", "spans": {"Organization: Dukes": [[4, 9]], "Malware: MiniDuke": [[100, 108]], "Malware: CozyDuke": [[113, 121]]}, "info": {"id": "dnrti_train_000141", "source": "dnrti_train"}}
{"text": "As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years .", "spans": {"Organization: Dukes group": [[38, 49]], "Malware: MiniDuke": [[69, 77]]}, "info": {"id": "dnrti_train_000142", "source": "dnrti_train"}}
{"text": "Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": {"Organization: Dukes": [[25, 30]]}, "info": {"id": "dnrti_train_000143", "source": "dnrti_train"}}
{"text": "This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis .", "spans": {"Organization: threat actors": [[58, 71]]}, "info": {"id": "dnrti_train_000144", "source": "dnrti_train"}}
{"text": "The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same way .", "spans": {"Organization: Dukes": [[4, 9], [205, 210]]}, "info": {"id": "dnrti_train_000145", "source": "dnrti_train"}}
{"text": "In the latter case however , the Dukes group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 .", "spans": {"Organization: Dukes group": [[33, 44]], "Malware: CosmicDuke": [[170, 180]]}, "info": {"id": "dnrti_train_000146", "source": "dnrti_train"}}
{"text": "The Dukes could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available .", "spans": {"Organization: Dukes": [[4, 9]], "Malware: CosmicDuke": [[39, 49]]}, "info": {"id": "dnrti_train_000147", "source": "dnrti_train"}}
{"text": "For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke .", "spans": {"Organization: Dukes": [[43, 48]], "Malware: SeaDuke": [[111, 118]], "Malware: HammerDuke": [[123, 133]]}, "info": {"id": "dnrti_train_000148", "source": "dnrti_train"}}
{"text": "Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth .", "spans": {"Organization: group": [[117, 122]]}, "info": {"id": "dnrti_train_000149", "source": "dnrti_train"}}
{"text": "In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke .", "spans": {"Organization: Dukes": [[93, 98]], "Malware: CosmicDuke": [[166, 176]]}, "info": {"id": "dnrti_train_000150", "source": "dnrti_train"}}
{"text": "We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": {"Vulnerability: CVE-2013-0640": [[64, 77]], "Malware: MiniDuke": [[88, 96]], "Vulnerability: zero-day": [[150, 158]], "Organization: group": [[180, 185]]}, "info": {"id": "dnrti_train_000151", "source": "dnrti_train"}}
{"text": "All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation .", "spans": {"Organization: group": [[75, 80]]}, "info": {"id": "dnrti_train_000152", "source": "dnrti_train"}}
{"text": "This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": {"Malware: GeminiDuke samples": [[74, 92]], "Organization: group": [[123, 128]], "Malware: GeminiDuke": [[237, 247]]}, "info": {"id": "dnrti_train_000153", "source": "dnrti_train"}}
{"text": "Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: attackers": [[43, 52]], "Organization: APT29": [[53, 58]]}, "info": {"id": "dnrti_train_000154", "source": "dnrti_train"}}
{"text": "APT29 has used The Onion Router and the TOR domain fronting plugin meek to create a hidden , encrypted network tunnel that appeared to connect to Google services over TLS .", "spans": {"Organization: APT29": [[0, 5]], "Malware: The Onion Router": [[15, 31]], "Malware: TOR domain fronting plugin meek": [[40, 71]], "Organization: Google": [[146, 152]]}, "info": {"id": "dnrti_train_000155", "source": "dnrti_train"}}
{"text": "Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: APT29": [[22, 27]], "Malware: POSHSPY": [[67, 74]]}, "info": {"id": "dnrti_train_000156", "source": "dnrti_train"}}
{"text": "Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years .", "spans": {"Organization: Mandiant": [[0, 8]], "Malware: POSHSPY": [[30, 37]], "Organization: APT29": [[83, 88]]}, "info": {"id": "dnrti_train_000157", "source": "dnrti_train"}}
{"text": "In the investigations Mandiant has conducted , it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors .", "spans": {"Organization: Mandiant": [[22, 30]], "Organization: APT29": [[64, 69]], "Malware: POSHSPY": [[79, 86]]}, "info": {"id": "dnrti_train_000158", "source": "dnrti_train"}}
{"text": "POSHSPY is an excellent example of the skill and craftiness of APT29 .", "spans": {"Malware: POSHSPY": [[0, 7]], "Organization: APT29": [[63, 68]]}, "info": {"id": "dnrti_train_000159", "source": "dnrti_train"}}
{"text": "FireEye assesses that APT32 leverages a unique suite of fully-featured malware , in conjunction with commercially-available tools , to conduct targeted operations that are aligned with Vietnamese state interests .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT32": [[22, 27]]}, "info": {"id": "dnrti_train_000160", "source": "dnrti_train"}}
{"text": "In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": {"Organization: APT32": [[78, 83]], "Organization: dissidents": [[146, 156]], "Organization: journalists": [[161, 172]]}, "info": {"id": "dnrti_train_000161", "source": "dnrti_train"}}
{"text": "From 2016 through 2017 , two subsidiaries of U.S. and Philippine consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": {"Organization: consumer products corporations": [[65, 95]], "Organization: APT32": [[142, 147]]}, "info": {"id": "dnrti_train_000162", "source": "dnrti_train"}}
{"text": "From 2016 through 2017 , two consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": {"Organization: consumer products corporations": [[29, 59]], "Organization: APT32": [[106, 111]]}, "info": {"id": "dnrti_train_000163", "source": "dnrti_train"}}
{"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"Organization: APT32": [[10, 15]], "System: spear-phishing attachment": [[28, 53]], "Malware: Vietnam.exe": [[114, 125]], "Organization: diaspora": [[185, 193]]}, "info": {"id": "dnrti_train_000164", "source": "dnrti_train"}}
{"text": "In 2015 and 2016 , two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32 .", "spans": {"Organization: FireEye": [[80, 87]], "Organization: APT32": [[113, 118]]}, "info": {"id": "dnrti_train_000165", "source": "dnrti_train"}}
{"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": {"Organization: APT32": [[10, 15]], "System: spear-phishing attachment": [[28, 53]], "Malware: Vietnam.exe": [[114, 125]]}, "info": {"id": "dnrti_train_000166", "source": "dnrti_train"}}
{"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors .", "spans": {"Organization: FireEye": [[22, 29]], "Organization: APT32": [[43, 48]], "Organization: hospitality sectors": [[157, 176]]}, "info": {"id": "dnrti_train_000167", "source": "dnrti_train"}}
{"text": "APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD , KOMPROGO , SOUNDBITE , and PHOREAL .", "spans": {"Organization: APT32": [[0, 5]], "Malware: WINDSHIELD": [[94, 104]], "Malware: KOMPROGO": [[107, 115]], "Malware: SOUNDBITE": [[118, 127]], "Malware: PHOREAL": [[134, 141]]}, "info": {"id": "dnrti_train_000168", "source": "dnrti_train"}}
{"text": "In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": {"Organization: actor": [[58, 63]], "Organization: diaspora": [[142, 150]], "Organization: government employees": [[175, 195]]}, "info": {"id": "dnrti_train_000169", "source": "dnrti_train"}}
{"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor .", "spans": {"Organization: APT32": [[0, 5]], "Malware: Cobalt Strike BEACON backdoor": [[74, 103]]}, "info": {"id": "dnrti_train_000170", "source": "dnrti_train"}}
{"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike backdoor .", "spans": {"Organization: APT32": [[0, 5]], "Malware: Cobalt Strike backdoor": [[74, 96]]}, "info": {"id": "dnrti_train_000171", "source": "dnrti_train"}}
{"text": "Based on incident response investigations , product detections , and intelligence observations along with additional publications on the same operators , FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests .", "spans": {"Organization: operators": [[142, 151]], "Organization: FireEye": [[154, 161]], "Organization: APT32": [[176, 181]], "Organization: cyber espionage group": [[187, 208]]}, "info": {"id": "dnrti_train_000172", "source": "dnrti_train"}}
{"text": "OceanLotus , also known as APT32 , is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics , techniques , and procedures ( TTPs ) .", "spans": {"Organization: OceanLotus": [[0, 10]], "Organization: APT32": [[27, 32]], "Organization: APT group": [[69, 78]]}, "info": {"id": "dnrti_train_000173", "source": "dnrti_train"}}
{"text": "While Volexity does not typically engage in attempting attribution of any threat actor , Volexity does agree with previously reported assessments that OceanLotus is likely operating out of Vietnam .", "spans": {"Organization: Volexity": [[6, 14], [89, 97]], "Organization: threat actor": [[74, 86]], "Organization: OceanLotus": [[151, 161]]}, "info": {"id": "dnrti_train_000174", "source": "dnrti_train"}}
{"text": "During that phase , the APT32 operated a fileless PowerShell-based infrastructure , using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike , PowerSploit and Nishang .", "spans": {"Organization: APT32": [[24, 29]], "Malware: customized PowerShell": [[90, 111]], "Malware: Cobalt Strike": [[167, 180]], "Malware: PowerSploit": [[183, 194]], "Malware: Nishang": [[199, 206]]}, "info": {"id": "dnrti_train_000175", "source": "dnrti_train"}}
{"text": "However , over the past few years , we have been tracking a separate , less widely known suspected Iranian group with potential destructive capabilities , whom we call APT33 .", "spans": {"Organization: group": [[107, 112]], "Organization: APT33": [[168, 173]]}, "info": {"id": "dnrti_train_000176", "source": "dnrti_train"}}
{"text": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 .", "spans": {"Organization: APT33": [[26, 31]], "Organization: group": [[45, 50]]}, "info": {"id": "dnrti_train_000177", "source": "dnrti_train"}}
{"text": "We assess APT33 works at the behest of the Iranian government .", "spans": {"Organization: APT33": [[10, 15]]}, "info": {"id": "dnrti_train_000178", "source": "dnrti_train"}}
{"text": "APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000179", "source": "dnrti_train"}}
{"text": "Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group , which at the time of this report 's writing , had not been officially linked to this threat actor .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: Backdoor.Win32.Denis": [[49, 69]], "Organization: OceanLotus Group": [[77, 93]], "Organization: threat actor": [[181, 193]]}, "info": {"id": "dnrti_train_000180", "source": "dnrti_train"}}
{"text": "APT33 has shown particular interest in organizations in the aviation sector , as well as organizations in the energy sector with ties to petrochemical production .", "spans": {"Organization: APT33": [[0, 5]], "Organization: aviation sector": [[60, 75]], "Organization: energy sector": [[110, 123]]}, "info": {"id": "dnrti_train_000181", "source": "dnrti_train"}}
{"text": "From mid-2016 through early 2017 , APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings .", "spans": {"Organization: APT33": [[35, 40]], "Organization: organization": [[60, 72]], "Organization: aerospace sector": [[80, 96]], "Organization: business conglomerate": [[112, 133]]}, "info": {"id": "dnrti_train_000182", "source": "dnrti_train"}}
{"text": "From mid-2016 through early 2017 , APT33 compromised organizations located in Saudi Arabia and U.S. in the aerospace sector .", "spans": {"Organization: APT33": [[35, 40]], "Organization: aerospace sector": [[107, 123]]}, "info": {"id": "dnrti_train_000183", "source": "dnrti_train"}}
{"text": "During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals .", "spans": {"Organization: APT33": [[30, 35]]}, "info": {"id": "dnrti_train_000184", "source": "dnrti_train"}}
{"text": "More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": {"Organization: APT33": [[30, 35]], "Organization: organization": [[63, 75]], "Organization: business conglomerate": [[95, 116]], "Malware: malicious file": [[125, 139]], "Organization: petrochemical company": [[212, 233]]}, "info": {"id": "dnrti_train_000185", "source": "dnrti_train"}}
{"text": "More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": {"Organization: APT33": [[30, 35]], "Malware: malicious file": [[102, 116]]}, "info": {"id": "dnrti_train_000186", "source": "dnrti_train"}}
{"text": "We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation 
capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"Organization: APT33": [[112, 117]]}, "info": {"id": "dnrti_train_000187", "source": "dnrti_train"}} {"text": "APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000188", "source": "dnrti_train"}} {"text": "The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors .", "spans": {"Organization: threat groups": [[146, 159]], "Organization: actors": [[221, 227]]}, "info": {"id": "dnrti_train_000189", "source": "dnrti_train"}} {"text": "APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": {"Organization: APT33": [[0, 5]], "System: spear phishing emails": [[11, 32]], "Organization: employees": [[36, 45]]}, "info": {"id": "dnrti_train_000190", "source": "dnrti_train"}} {"text": "APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet .", "spans": {"Organization: APT33": [[0, 5]], "Organization: aviation companies": [[67, 85]]}, "info": {"id": "dnrti_train_000191", "source": "dnrti_train"}} {"text": "We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries .", "spans": {"Malware: APT33 malware": [[14, 27]]}, "info": {"id": "dnrti_train_000192", "source": 
"dnrti_train"}} {"text": "APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored .", "spans": {"Organization: APT33": [[0, 5]], "Organization: threat actor": [[137, 149]]}, "info": {"id": "dnrti_train_000193", "source": "dnrti_train"}} {"text": "APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups .", "spans": {"Organization: APT33": [[0, 5]], "Organization: threat groups": [[93, 106]]}, "info": {"id": "dnrti_train_000194", "source": "dnrti_train"}} {"text": "This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government .", "spans": {"Malware: name servers": [[139, 151]], "Organization: APT33": [[181, 186]]}, "info": {"id": "dnrti_train_000195", "source": "dnrti_train"}} {"text": "The publicly available backdoors and tools utilized by APT33 – including NANOCORE , NETWIRE , and ALFA Shell – are all available on Iranian hacking websites , associated with Iranian hackers , and used by other suspected Iranian threat groups .", "spans": {"Organization: APT33": [[55, 60]], "Malware: NANOCORE": [[73, 81]], "Malware: NETWIRE": [[84, 91]], "Malware: ALFA Shell": [[98, 108]], "Organization: hackers": [[183, 190]], "Organization: threat groups": [[229, 242]]}, "info": {"id": "dnrti_train_000196", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000197", "source": "dnrti_train"}} {"text": "Specifically , the targeting of organizations in the 
aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor .", "spans": {"Organization: energy sectors": [[67, 81]], "Organization: APT33": [[101, 106]]}, "info": {"id": "dnrti_train_000198", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000199", "source": "dnrti_train"}} {"text": "We expect APT33 activity will continue to cover a broad scope of targeted entities , and may spread into other regions and sectors as Iranian interests dictate .", "spans": {}, "info": {"id": "dnrti_train_000200", "source": "dnrti_train"}} {"text": "The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": {"Organization: Elfin": [[4, 9]], "Organization: espionage group": [[10, 25]], "Organization: APT33": [[32, 37]]}, "info": {"id": "dnrti_train_000201", "source": "dnrti_train"}} {"text": "On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" ( referred to as GroupB in this blog post ) to APT33 , operating at the behest of the Iranian government .", "spans": {"Organization: FireEye 's Advanced Practices": [[17, 46]], "Organization: APT33": [[153, 158]]}, "info": {"id": "dnrti_train_000202", "source": "dnrti_train"}} {"text": "The Elfin group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": {"Organization: Elfin group": [[4, 15]], "Organization: APT33": [[22, 27]]}, 
"info": {"id": "dnrti_train_000203", "source": "dnrti_train"}} {"text": "On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" to APT33 , operating at the behest of the Iranian government .", "spans": {"Organization: FireEye 's Advanced Practices": [[17, 46]], "Organization: APT33": [[109, 114]]}, "info": {"id": "dnrti_train_000204", "source": "dnrti_train"}} {"text": "APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea .", "spans": {"Organization: APT37": [[0, 5]]}, "info": {"id": "dnrti_train_000205", "source": "dnrti_train"}} {"text": "In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities .", "spans": {"Organization: APT37": [[10, 15]], "Organization: healthcare entities": [[240, 259]]}, "info": {"id": "dnrti_train_000206", "source": "dnrti_train"}} {"text": "In 2017 , APT37 targeted a company in Middle East that entered into a joint venture with the North Korean government to provide telecommunications service to the country .", "spans": {"Organization: APT37": [[10, 15]]}, "info": {"id": "dnrti_train_000207", "source": "dnrti_train"}} {"text": "While not conclusive by itself , the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33 's familiarity with them and lends support to the assessment that APT33 may be based in Iran .", "spans": {"Organization: hosting companies": [[105, 122]], "Organization: APT33": [[142, 147], [214, 219]]}, "info": {"id": "dnrti_train_000208", "source": "dnrti_train"}} {"text": "North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea .", "spans": 
{"Organization: APT37": [[88, 93]]}, "info": {"id": "dnrti_train_000209", "source": "dnrti_train"}} {"text": "In 2017 , APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country ( read on for a case study ) .", "spans": {"Organization: APT37": [[10, 15]], "Organization: company": [[42, 49]]}, "info": {"id": "dnrti_train_000210", "source": "dnrti_train"}} {"text": "APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": {"Organization: APT37": [[0, 5]], "Organization: research fellow": [[17, 32]], "Organization: advisory member": [[35, 50]], "Organization: journalist": [[57, 67]], "Organization: strategic organizations": [[131, 154]]}, "info": {"id": "dnrti_train_000211", "source": "dnrti_train"}} {"text": "APT37 distributed SLOWDRIFT malware using a lure referencing the Korea Global Forum against academic and strategic institutions located in South Korea .", "spans": {"Organization: APT37": [[0, 5]], "Malware: SLOWDRIFT malware": [[18, 35]], "Organization: academic": [[92, 100]], "Organization: strategic institutions": [[105, 127]]}, "info": {"id": "dnrti_train_000212", "source": "dnrti_train"}} {"text": "We believe a organization located in Middle East was targeted by APT37 because it had been involved with a North Korean company and a business deal went bad .", "spans": {"Organization: APT37": [[65, 70]], "Organization: company": [[120, 127]]}, "info": {"id": "dnrti_train_000213", "source": "dnrti_train"}} {"text": "In one instance , APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites .", "spans": {"Organization: APT37": [[18, 23]], "Malware: KARAE malware": [[71, 84]]}, "info": {"id": "dnrti_train_000214", "source": "dnrti_train"}} {"text": "FireEye 
confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT37": [[54, 59]], "Vulnerability: zero-day Adobe Flash vulnerability": [[72, 106]], "Vulnerability: CVE-2018-4878": [[109, 122]], "Malware: DOGCALL malware": [[139, 154]]}, "info": {"id": "dnrti_train_000215", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"Organization: FireEye iSIGHT Intelligence": [[0, 27]], "Organization: APT37": [[74, 79]], "Vulnerability: zero-day Adobe Flash vulnerability": [[92, 126]], "Vulnerability: CVE-2018-4878": [[129, 142]], "Malware: DOGCALL malware": [[159, 174]]}, "info": {"id": "dnrti_train_000216", "source": "dnrti_train"}} {"text": "In April 2017 , APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware .", "spans": {"Organization: APT37": [[16, 21]], "Organization: military": [[44, 52]], "Organization: government organizations": [[57, 81]], "Malware: DOGCALL backdoor": [[91, 107]], "Malware: RUHAPPY wiper malware": [[112, 133]]}, "info": {"id": "dnrti_train_000217", "source": "dnrti_train"}} {"text": "It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations .", "spans": {"Organization: APT37": [[20, 25]], "Malware: KARAE malware": [[45, 58]], "System: distributed denial-of-service": [[140, 169]], "System: DDoS": [[172, 176]]}, "info": {"id": "dnrti_train_000218", "source": "dnrti_train"}} {"text": "We assess with high 
confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea .", "spans": {"Organization: APT37": [[36, 41]]}, "info": {"id": "dnrti_train_000219", "source": "dnrti_train"}} {"text": "The compilation times of APT37 malware is consistent with a developer operating in the North Korea time zone ( UTC +8:30 ) and follows what is believed to be a typical North Korean workday .", "spans": {"Malware: APT37 malware": [[25, 38]]}, "info": {"id": "dnrti_train_000220", "source": "dnrti_train"}} {"text": "The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": {"Organization: defectors": [[78, 87]]}, "info": {"id": "dnrti_train_000221", "source": "dnrti_train"}} {"text": "Similarly , APT37 targeting of a company located in Middle East in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": {"Organization: APT37": [[12, 17]]}, "info": {"id": "dnrti_train_000222", "source": "dnrti_train"}} {"text": "Similarly , APT37 targeting of a Middle Eastern company in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": {"Organization: APT37": [[12, 17]], "Organization: company": [[48, 55]]}, "info": {"id": "dnrti_train_000223", "source": "dnrti_train"}} {"text": "In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": {"Organization: APT37": [[14, 19]], "System: spear phishing lure": [[56, 75]], "Organization: board member": [[86, 98]], "Organization: financial company": [[119, 136]]}, "info": {"id": "dnrti_train_000224", "source": "dnrti_train"}} {"text": "Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions 
, APT37 is an additional tool available to the regime , perhaps even desirable for its relative obscurity .", "spans": {"Organization: APT37": [[120, 125]]}, "info": {"id": "dnrti_train_000225", "source": "dnrti_train"}} {"text": "ScarCruft is a relatively new APT group , victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"Organization: ScarCruft": [[0, 9]], "Organization: APT group": [[30, 39]]}, "info": {"id": "dnrti_train_000226", "source": "dnrti_train"}} {"text": "Certain details , such as using the same infrastructure and targeting , make us believe that Operation Daybreak is being done by the ScarCruft APT group .", "spans": {"Organization: ScarCruft": [[133, 142]], "Organization: APT group": [[143, 152]]}, "info": {"id": "dnrti_train_000227", "source": "dnrti_train"}} {"text": "Prior to the discovery of Operation Daybreak , we observed the ScarCruft APT launching a series of attacks in Operation Erebus .", "spans": {"Organization: ScarCruft APT": [[63, 76]]}, "info": {"id": "dnrti_train_000228", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails .", "spans": {"Organization: attackers": [[60, 69]], "System: spear-phishing e-mails": [[109, 131]]}, "info": {"id": "dnrti_train_000229", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails .", "spans": {"Organization: APT37": [[52, 57]], "System: spear-phishing e-mails": [[97, 119]]}, "info": {"id": "dnrti_train_000230", "source": "dnrti_train"}} {"text": "On occasion the APT37 directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes .", "spans": {"Organization: APT37": [[16, 21]], "Malware: ROKRAT": [[44, 50]], "Organization: attackers": [[116, 
125]]}, "info": {"id": "dnrti_train_000231", "source": "dnrti_train"}} {"text": "In the early part of 2017 , Group123 started the \" Evil New Year \" campaign .", "spans": {"Organization: Group123": [[28, 36]]}, "info": {"id": "dnrti_train_000232", "source": "dnrti_train"}} {"text": "In November 2017 , Talos observed the latest Group123 campaign of the year , which included a new version of ROKRAT being used in the latest wave of attacks .", "spans": {"Organization: Talos": [[19, 24]], "Malware: ROKRAT": [[109, 115]]}, "info": {"id": "dnrti_train_000233", "source": "dnrti_train"}} {"text": "Group123 is constantly evolving as the new fileless capability that was added to ROKRAT demonstrates .", "spans": {"Organization: Group123": [[0, 8]], "Malware: ROKRAT": [[81, 87]]}, "info": {"id": "dnrti_train_000234", "source": "dnrti_train"}} {"text": "In this campaign , the Group123 used a classical HWP document in order to download and execute a previously unknown malware : NavRAT .", "spans": {"Organization: Group123": [[23, 31]], "Malware: HWP document": [[49, 61]], "Malware: NavRAT": [[126, 132]]}, "info": {"id": "dnrti_train_000235", "source": "dnrti_train"}} {"text": "However , we asses with medium confidence that NavRAT is linked to Group123 .", "spans": {"Malware: NavRAT": [[47, 53]], "Organization: Group123": [[67, 75]]}, "info": {"id": "dnrti_train_000236", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists .", "spans": {"Organization: APT38": [[0, 5]], "Organization: regime-backed group": [[46, 65]], "Organization: financial institutions": [[121, 143]], "Organization: cyber heists": [[186, 198]]}, "info": {"id": "dnrti_train_000237", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks 
against financial institutions , as well as some of the world .", "spans": {"Organization: APT38": [[0, 5]], "Organization: regime-backed group": [[46, 65]], "Organization: financial institutions": [[121, 143]]}, "info": {"id": "dnrti_train_000238", "source": "dnrti_train"}} {"text": "APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[127, 149]]}, "info": {"id": "dnrti_train_000239", "source": "dnrti_train"}} {"text": "The group has compromised more than 16 organizations in at least 13 different countries , sometimes simultaneously , since at least 2014 .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_000240", "source": "dnrti_train"}} {"text": "APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity , although we consider APT38 .", "spans": {"Organization: APT38": [[0, 5], [136, 141]], "Organization: TEMP.Hermit": [[63, 74]]}, "info": {"id": "dnrti_train_000241", "source": "dnrti_train"}} {"text": "We consider APT38 's operations more global and highly specialized for targeting the financial sector .", "spans": {"Organization: APT38": [[12, 17]], "Organization: financial sector": [[85, 101]]}, "info": {"id": "dnrti_train_000242", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware .", "spans": {"Organization: APT38": [[0, 5]], "Organization: group": [[33, 38]], "Organization: cyber espionage operators": [[62, 87]], "Organization: financial institutions": [[158, 180]]}, "info": {"id": "dnrti_train_000243", 
"source": "dnrti_train"}} {"text": "Because APT38 is backed by ( and acts on behalf of ) the North Korean regime , we opted to categorize the group as an \" APT \" instead of a \" FIN \" .", "spans": {"Organization: APT38": [[8, 13]], "Organization: group": [[106, 111]], "Organization: APT": [[120, 123]]}, "info": {"id": "dnrti_train_000244", "source": "dnrti_train"}} {"text": "Over time these malware similarities diverged , as did targeting , intended outcomes , and TTPs , almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship .", "spans": {"Organization: operational groups": [[175, 193]]}, "info": {"id": "dnrti_train_000245", "source": "dnrti_train"}} {"text": "Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime .", "spans": {"Organization: APT38": [[43, 48]], "Organization: financial institutions": [[81, 103]]}, "info": {"id": "dnrti_train_000246", "source": "dnrti_train"}} {"text": "Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions .", "spans": {"Organization: APT38": [[13, 18]], "Organization: financial institutions": [[79, 101]]}, "info": {"id": "dnrti_train_000247", "source": "dnrti_train"}} {"text": "APT38 has pursued their main objective of targeting banks and financial entities since at least 2014 .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial entities": [[62, 80]]}, "info": {"id": "dnrti_train_000248", "source": "dnrti_train"}} {"text": "We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission .", "spans": {"Organization: government agencies": [[53, 72]], "Organization: APT38": [[100, 105]]}, "info": {"id": 
"dnrti_train_000249", "source": "dnrti_train"}} {"text": "The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions .", "spans": {"Organization: APT38": [[4, 9]], "Organization: financial sector": [[61, 77]], "Organization: financial institutions": [[159, 181]]}, "info": {"id": "dnrti_train_000250", "source": "dnrti_train"}} {"text": "APT38 also targeted financial transaction exchange companies likely because of their proximity to banks .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial transaction exchange companies": [[20, 60]]}, "info": {"id": "dnrti_train_000251", "source": "dnrti_train"}} {"text": "Given the lapse in time between the spear-phishing and the heist activity in the above example , we suggest two separate but related groups under the North Korean regime were responsible for carrying out missions ; one associated with reconnaissance ( TEMP.Hermit or a related group ) and another for the heists ( APT38 ) .", "spans": {"System: spear-phishing": [[36, 50]], "Organization: groups": [[133, 139]], "Organization: TEMP.Hermit": [[252, 263]], "Organization: group": [[277, 282]], "Organization: APT38": [[314, 319]]}, "info": {"id": "dnrti_train_000252", "source": "dnrti_train"}} {"text": "APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[85, 107]], "Malware: SWIFT": [[143, 148]]}, "info": {"id": "dnrti_train_000253", "source": "dnrti_train"}} {"text": "We can confirm that the APT38 operator activity is linked to the North Korean regime , but maintains a set of common characteristics , including motivation , malware , targeting , and TTPs that set it apart from other statesponsored 
operations .", "spans": {}, "info": {"id": "dnrti_train_000254", "source": "dnrti_train"}} {"text": "As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime .", "spans": {"Organization: APT38": [[62, 67]], "Organization: financial institutions": [[103, 125]]}, "info": {"id": "dnrti_train_000255", "source": "dnrti_train"}} {"text": "As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime .", "spans": {"Organization: APT38": [[62, 67]], "Organization: financial institutions": [[103, 125]]}, "info": {"id": "dnrti_train_000256", "source": "dnrti_train"}} {"text": "Although the APT38 's primary targets appear to be Financial Exchange banks and other financial organizations , they have also Financial Exchange targeted countries ' media organizations with a focus on the financial sector .", "spans": {"Organization: APT38": [[13, 18]], "Organization: Financial Exchange banks": [[51, 75]], "Organization: financial organizations": [[86, 109]], "Organization: media organizations": [[167, 186]], "Organization: financial sector": [[207, 223]]}, "info": {"id": "dnrti_train_000257", "source": "dnrti_train"}} {"text": "Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"Organization: APT38": [[39, 44]], "Organization: international entities": [[159, 181]], "Organization: TEMP.Hermit": [[192, 203]]}, "info": {"id": "dnrti_train_000258", "source": "dnrti_train"}} {"text": "TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"Organization: 
TEMP.Hermit": [[0, 11]]}, "info": {"id": "dnrti_train_000259", "source": "dnrti_train"}} {"text": "While North Korean cyber operations against specific countries may have been driven by diplomatic factors and perceived insults against Pyongyang , the application of increasingly restrictive and numerous financial sanctions against North Korea probably contributed to the formation of APT38 .", "spans": {"Organization: APT38": [[286, 291]]}, "info": {"id": "dnrti_train_000260", "source": "dnrti_train"}} {"text": "APT38 's operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea 's access to international banking systems .", "spans": {"Organization: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000261", "source": "dnrti_train"}} {"text": "APT37 ( Reaper ) , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": {"Organization: APT37": [[0, 5]], "Organization: Reaper": [[8, 14]], "Organization: state-sponsored group": [[40, 61]], "Organization: financial company": [[90, 107]]}, "info": {"id": "dnrti_train_000262", "source": "dnrti_train"}} {"text": "APT37 , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": {"Organization: APT37": [[0, 5]], "Organization: state-sponsored group": [[29, 50]], "Organization: financial company": [[79, 96]]}, "info": {"id": "dnrti_train_000263", "source": "dnrti_train"}} {"text": "Early APT38 operations suggest that the group began targeting financial institutions with an intent to manipulate financial transaction systems at least as early as February 2014 , although we did not observe fraudulent transactions until 2015 .", "spans": {"Organization: APT38": [[6, 11]], "Organization: group": [[40, 45]], "Organization: financial institutions": 
[[62, 84]]}, "info": {"id": "dnrti_train_000264", "source": "dnrti_train"}} {"text": "We do not have evidence that the earliest targeted financial institutions were victimized by fraudulent transactions before APT38 left the compromised environments , possibly indicating that APT38 was conducting reconnaissance-only activity at that time .", "spans": {"Organization: financial institutions": [[51, 73]], "Organization: APT38": [[124, 129], [191, 196]]}, "info": {"id": "dnrti_train_000265", "source": "dnrti_train"}} {"text": "In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": {"Organization: APT38": [[20, 25]], "Malware: NESTEGG": [[35, 42]], "Malware: KEYLIME": [[62, 69]], "Malware: keylogger": [[74, 83]]}, "info": {"id": "dnrti_train_000266", "source": "dnrti_train"}} {"text": "In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": {"Organization: APT38": [[20, 25]], "Malware: NESTEGG": [[35, 42]], "Malware: KEYLIME": [[62, 69]], "Malware: keylogger": [[74, 83]]}, "info": {"id": "dnrti_train_000267", "source": "dnrti_train"}} {"text": "From November 2015 through the end of 2016 , APT38 was involved in at least nine separate compromises against banks .", "spans": {"Organization: APT38": [[45, 50]]}, "info": {"id": "dnrti_train_000268", "source": "dnrti_train"}} {"text": "Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": {"System: email": [[24, 29]], "Organization: employees": [[101, 110]], "Organization: APT38": [[139, 144]]}, "info": {"id": "dnrti_train_000269", "source": "dnrti_train"}} {"text": "Further , the recent DOJ complaint provides insight into initial compromise techniques 
conducted by North Korean operators against APT38 targets , which may have been leveraged as part of the initial compromise into the targeted organizations .", "spans": {"Organization: operators": [[113, 122]], "Organization: APT38": [[131, 136]]}, "info": {"id": "dnrti_train_000270", "source": "dnrti_train"}} {"text": "This is corroborated by our identification of TEMP.Hermit 's use of MACKTRUCK at a bank , preceding the APT38 operation targeting the bank 's SWIFT systems in late 2015 .", "spans": {"Organization: TEMP.Hermit": [[46, 57]], "Malware: MACKTRUCK": [[68, 77]], "Organization: APT38": [[104, 109]]}, "info": {"id": "dnrti_train_000271", "source": "dnrti_train"}} {"text": "APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank .", "spans": {"Organization: APT38": [[0, 5]], "Malware: DYEPACK": [[16, 23]]}, "info": {"id": "dnrti_train_000272", "source": "dnrti_train"}} {"text": "The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": {"Organization: APT38": [[4, 9]], "Malware: DYEPACK": [[15, 22]], "Organization: bank personnel": [[120, 134]]}, "info": {"id": "dnrti_train_000273", "source": "dnrti_train"}} {"text": "During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities .", "spans": {"Organization: APT38": [[20, 25]]}, "info": {"id": "dnrti_train_000274", "source": "dnrti_train"}} {"text": "During one reported incident , APT38 caused an outage in the bank 's essential services .", "spans": {"Organization: APT38": [[31, 36]]}, "info": {"id": "dnrti_train_000275", "source": "dnrti_train"}} {"text": "We attribute APT38 to North Korean state-sponsored operators based on a 
combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy .", "spans": {"Organization: APT38": [[13, 18]], "Organization: operators": [[51, 60]]}, "info": {"id": "dnrti_train_000276", "source": "dnrti_train"}} {"text": "As detailed in the DOJ complaint , a sample of WHITEOUT malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"Malware: WHITEOUT malware": [[47, 63]], "Organization: APT38": [[80, 85]]}, "info": {"id": "dnrti_train_000277", "source": "dnrti_train"}} {"text": "APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[67, 89]]}, "info": {"id": "dnrti_train_000278", "source": "dnrti_train"}} {"text": "APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[67, 89]]}, "info": {"id": "dnrti_train_000279", "source": "dnrti_train"}} {"text": "APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[67, 89]]}, "info": {"id": "dnrti_train_000280", "source": "dnrti_train"}} {"text": "Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity .", "spans": {"Organization: APT38": [[25, 30]], "Organization: TEMP.Hermit": [[35, 46]], "Organization: operational groups": [[113, 131]]}, "info": {"id": "dnrti_train_000281", "source": "dnrti_train"}} 
{"text": "APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry .", "spans": {"Organization: APT39": [[0, 5]], "Organization: telecommunications sector": [[26, 51]], "Organization: IT firms": [[107, 115]]}, "info": {"id": "dnrti_train_000282", "source": "dnrti_train"}} {"text": "This is evidence of shared motivation and intent to target the SWIFT system by the North Korean operators performing the reconnaissance and APT38 which later targeted that organization .", "spans": {"Organization: operators": [[96, 105]], "Organization: APT38": [[140, 145]]}, "info": {"id": "dnrti_train_000283", "source": "dnrti_train"}} {"text": "Although APT38 is distinct from other TEMP.Hermit activity , both groups operate consistently within the interests of the North Korean state .", "spans": {"Organization: APT38": [[9, 14]], "Organization: groups": [[66, 72]]}, "info": {"id": "dnrti_train_000284", "source": "dnrti_train"}} {"text": "Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea .", "spans": {"Organization: APT38": [[109, 114]], "Organization: cyber operators": [[125, 140]], "Organization: TEMP.Hermit": [[151, 162]], "Organization: Lab 110": [[183, 190]]}, "info": {"id": "dnrti_train_000285", "source": "dnrti_train"}} {"text": "As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"Malware: WHITEOUT": [[47, 55]], "Malware: Contopee": [[62, 70]], "Organization: APT38": [[97, 102]]}, "info": {"id": "dnrti_train_000286", "source": "dnrti_train"}} {"text": "Based on details published in the DOJ complaint against North Korean 
programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea 's Reconnaissance General Bureau ( RGB ) .", "spans": {"Organization: APT38": [[109, 114]], "Organization: cyber operators": [[125, 140]], "Organization: TEMP.Hermit": [[151, 162]], "Organization: Lab 110": [[183, 190]]}, "info": {"id": "dnrti_train_000287", "source": "dnrti_train"}} {"text": "APT38 .", "spans": {"Organization: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000288", "source": "dnrti_train"}} {"text": "As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"Malware: WHITEOUT": [[47, 55]], "Malware: Contopee": [[62, 70]], "Organization: APT38": [[97, 102]]}, "info": {"id": "dnrti_train_000289", "source": "dnrti_train"}} {"text": "APT38 's targeting of financial institutions is most likely an effort by the North Korean government to supplement their heavily-sanctioned economy .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[22, 44]]}, "info": {"id": "dnrti_train_000290", "source": "dnrti_train"}} {"text": "We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East .", "spans": {"Organization: APT39": [[28, 33]]}, "info": {"id": "dnrti_train_000291", "source": "dnrti_train"}} {"text": "APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats .", "spans": {"Organization: APT39": [[0, 5]], "Organization: groups": [[96, 102]], "Organization: FireEye": [[103, 110]]}, "info": {"id": "dnrti_train_000292", "source": "dnrti_train"}} 
{"text": "APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"Organization: APT39": [[0, 5]], "Organization: specific individuals": [[149, 169]]}, "info": {"id": "dnrti_train_000293", "source": "dnrti_train"}} {"text": "Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": {"Organization: groups": [[6, 12]], "Organization: attackers": [[35, 44]], "Organization: Rocket Kitten": [[55, 68]], "Organization: anonymous proxy users": [[129, 150]], "Organization: researchers": [[153, 164]], "Organization: journalists": [[167, 178]], "Organization: dissidents": [[185, 195]]}, "info": {"id": "dnrti_train_000294", "source": "dnrti_train"}} {"text": "Remexi is a basic back door Trojan that allows Cadelle to open a remote shell on the computer and execute commands .", "spans": {"Malware: Remexi": [[0, 6]], "Organization: Cadelle": [[47, 54]]}, "info": {"id": "dnrti_train_000295", "source": "dnrti_train"}} {"text": "Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": {"Malware: Remexi": [[0, 6]], "Organization: attackers": [[47, 56]]}, "info": {"id": "dnrti_train_000296", "source": "dnrti_train"}} {"text": "One group , which we call Cadelle , uses Backdoor.Cadelspy , while the other , which we've named Chafer , uses Backdoor.Remexi and Backdoor.Remexi.B .", "spans": {"Organization: group": [[4, 9]], "Organization: Cadelle": [[26, 33]], "Malware: Backdoor.Cadelspy": [[41, 58]], "Organization: Chafer": [[97, 
103]], "Malware: Backdoor.Remexi": [[111, 126]], "Malware: Backdoor.Remexi.B": [[131, 148]]}, "info": {"id": "dnrti_train_000297", "source": "dnrti_train"}} {"text": "APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol ( RDP ) , Secure Shell ( SSH ) , PsExec , RemCom , and xCmdSvc .", "spans": {"Organization: APT39": [[0, 5]], "Malware: Remote Desktop Protocol": [[64, 87]], "Malware: RDP": [[90, 93]], "Malware: Secure Shell": [[98, 110]], "Malware: SSH": [[113, 116]], "Malware: PsExec": [[121, 127]], "Malware: RemCom": [[130, 136]], "Malware: xCmdSvc": [[143, 150]]}, "info": {"id": "dnrti_train_000298", "source": "dnrti_train"}} {"text": "The APT39 were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation .", "spans": {"Organization: APT39": [[4, 9]]}, "info": {"id": "dnrti_train_000299", "source": "dnrti_train"}} {"text": "A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Organization: group": [[30, 35]], "Organization: hackers": [[54, 61]], "Vulnerability: zero-day exploit": [[105, 121]], "Organization: Gamma Group": [[247, 258]]}, "info": {"id": "dnrti_train_000300", "source": "dnrti_train"}} {"text": "A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Organization: BlackOasis group": [[30, 46]], "Organization: hackers": [[65, 72]], "Vulnerability: zero-day exploit": [[116, 132]], "Organization: Gamma Group": [[258, 269]]}, "info": {"id": "dnrti_train_000301", "source": "dnrti_train"}} {"text": "The Middle Eastern 
hacker group in this case is codenamed \" BlackOasis \" .", "spans": {"Organization: hacker group": [[19, 31]], "Organization: BlackOasis": [[60, 70]]}, "info": {"id": "dnrti_train_000302", "source": "dnrti_train"}} {"text": "Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis group": [[20, 36]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[54, 95]], "Vulnerability: CVE-2016-4117": [[98, 111]], "Malware: FinSpy": [[158, 164]]}, "info": {"id": "dnrti_train_000303", "source": "dnrti_train"}} {"text": "Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: group": [[20, 25]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[43, 84]], "Vulnerability: CVE-2016-4117": [[87, 100]], "Malware: FinSpy": [[147, 153]]}, "info": {"id": "dnrti_train_000304", "source": "dnrti_train"}} {"text": "BlackOasis ' interests span a wide gamut of figures involved in Middle Eastern politics .", "spans": {"Organization: BlackOasis": [[0, 10]]}, "info": {"id": "dnrti_train_000305", "source": "dnrti_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"Organization: REDBALDKNIGHT": [[0, 13]], "Organization: BRONZE BUTLER": [[30, 43]], "Organization: Tick": [[48, 52]], "Organization: cyberespionage group": [[60, 80]], "Organization: government agencies": [[128, 
147]]}, "info": {"id": "dnrti_train_000306", "source": "dnrti_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"Organization: REDBALDKNIGHT": [[0, 13]], "Organization: BRONZE BUTLER": [[30, 43]], "Organization: Tick": [[48, 52]], "Organization: cyberespionage group": [[60, 80]], "Organization: government agencies": [[111, 130]]}, "info": {"id": "dnrti_train_000307", "source": "dnrti_train"}} {"text": "In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"Organization: REDBALDKNIGHT": [[10, 23]], "Malware: decoy documents": [[104, 119]]}, "info": {"id": "dnrti_train_000308", "source": "dnrti_train"}} {"text": "In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"Organization: REDBALDKNIGHT": [[10, 23]], "Malware: decoy documents": [[134, 149]]}, "info": {"id": "dnrti_train_000309", "source": "dnrti_train"}} {"text": "Secureworks® incident responders and Counter Threat Unit™ ( CTU ) researchers investigated activities associated with the BRONZE BUTLER ( also known as Tick ) threat group , which likely originates in the People .", "spans": {"Organization: Secureworks®": [[0, 12]], "Organization: CTU": [[60, 63]], "Organization: BRONZE BUTLER": [[122, 135]], "Organization: Tick": [[152, 156]], "Organization: threat group": [[159, 171]]}, "info": {"id": "dnrti_train_000310", "source": "dnrti_train"}} {"text": "Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from 
telecommunications firms .", "spans": {"Organization: APT39": [[40, 45]], "Organization: telecommunications firms": [[198, 222]]}, "info": {"id": "dnrti_train_000311", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has used a broad range of publicly available ( Mimikatz and gsecdump ) and proprietary ( Daserf and Datper ) tools .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Malware: Mimikatz": [[61, 69]], "Malware: gsecdump": [[74, 82]], "Malware: Daserf": [[103, 109]], "Malware: Datper": [[114, 120]]}, "info": {"id": "dnrti_train_000312", "source": "dnrti_train"}} {"text": "BRONZE BUTLER are also fluent in Japanese , crafting phishing emails in native Japanese and operating successfully within a Japanese-language environment .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "System: phishing emails": [[53, 68]]}, "info": {"id": "dnrti_train_000313", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Vulnerability: zero-day vulnerability": [[69, 91]], "System: scan-and-exploit techniques": [[146, 173]]}, "info": {"id": "dnrti_train_000314", "source": "dnrti_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: zero-day vulnerability": [[65, 87]], "System: scan-and-exploit techniques": [[142, 169]]}, "info": {"id": "dnrti_train_000315", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has 
also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "System: phishing emails": [[23, 38]], "Malware: Daserf malware": [[96, 110]], "Vulnerability: Flash exploits": [[136, 150]]}, "info": {"id": "dnrti_train_000316", "source": "dnrti_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: group": [[4, 9]], "System: phishing emails": [[19, 34]], "Malware: Daserf malware": [[92, 106]], "Vulnerability: Flash exploits": [[132, 146]]}, "info": {"id": "dnrti_train_000317", "source": "dnrti_train"}} {"text": "BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Malware: Mimikatz": [[50, 58]], "Malware: WCE": [[63, 66]]}, "info": {"id": "dnrti_train_000318", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[62, 75]], "System: remote code execution": [[104, 125]], "Vulnerability: CVE-2016-7836": [[142, 155]]}, "info": {"id": "dnrti_train_000319", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[82, 95]], "System: remote code execution": [[124, 145]], "Vulnerability: CVE-2016-7836": [[162, 175]]}, 
"info": {"id": "dnrti_train_000320", "source": "dnrti_train"}} {"text": "Several xxmm samples analyzed by CTU researchers incorporate Mimikatz , allowing BRONZE BUTLER to issue Mimikatz commands directly from xxmm .", "spans": {"Organization: CTU": [[33, 36]], "Malware: Mimikatz": [[61, 69], [104, 112]], "Organization: BRONZE BUTLER": [[81, 94]]}, "info": {"id": "dnrti_train_000321", "source": "dnrti_train"}} {"text": "BRONZE BUTLER compromises organizations to conduct cyberespionage , primarily focusing on Japan .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Organization: cyberespionage": [[51, 65]]}, "info": {"id": "dnrti_train_000322", "source": "dnrti_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: group": [[81, 86]], "System: Flash ( .swf ) exploit": [[140, 162]]}, "info": {"id": "dnrti_train_000323", "source": "dnrti_train"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[51, 58]], "Organization: espionage": [[76, 85]]}, "info": {"id": "dnrti_train_000324", "source": "dnrti_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: BRONZE BUTLER": [[77, 90]], "System: Flash ( .swf ) exploit": [[144, 166]]}, "info": {"id": "dnrti_train_000325", "source": "dnrti_train"}} {"text": "In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to 
their accounts .", "spans": {"Organization: attackers": [[20, 29]], "Malware: Worldwide Interbank Financial Telecommunication": [[51, 98]], "Malware: SWIFT": [[101, 106]]}, "info": {"id": "dnrti_train_000326", "source": "dnrti_train"}} {"text": "Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": {"Malware: Carbanak": [[0, 8]], "Malware: backdoor": [[14, 22]], "Organization: attackers": [[35, 44]]}, "info": {"id": "dnrti_train_000327", "source": "dnrti_train"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"Vulnerability: Carbanak": [[32, 40]], "Vulnerability: CVE-2013-3660": [[209, 222]]}, "info": {"id": "dnrti_train_000328", "source": "dnrti_train"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"Malware: Remote Desktop Protocol": [[57, 80]], "Malware: RDP": [[83, 86]], "Vulnerability: Carbanak": [[91, 99]]}, "info": {"id": "dnrti_train_000329", "source": "dnrti_train"}} {"text": "Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": {"Vulnerability: Carbanak": [[0, 8]]}, "info": {"id": "dnrti_train_000330", "source": "dnrti_train"}} {"text": "Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": {"Vulnerability: Carbanak": [[76, 84]]}, "info": {"id": "dnrti_train_000331", "source": "dnrti_train"}} {"text": "Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": {"Vulnerability: Carbanak": [[38, 46]], 
"Organization: attackers": [[47, 56]]}, "info": {"id": "dnrti_train_000332", "source": "dnrti_train"}} {"text": "FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015 .", "spans": {"Organization: FIN7": [[0, 4]], "Organization: threat group": [[32, 44]]}, "info": {"id": "dnrti_train_000333", "source": "dnrti_train"}} {"text": "As with previous campaigns , and as highlighted in our annual M-Trends 2017 report , FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process .", "spans": {"Organization: M-Trends": [[62, 70]], "Organization: FIN7": [[85, 89]], "System: email": [[162, 167]]}, "info": {"id": "dnrti_train_000334", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_000335", "source": "dnrti_train"}} {"text": "While FIN7 has embedded VBE as OLE objects for over a year , they continue to update their script launching mechanisms .", "spans": {"Organization: FIN7": [[6, 10]], "Malware: VBE": [[24, 27]]}, "info": {"id": "dnrti_train_000336", "source": "dnrti_train"}} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"Vulnerability: Carbanak": [[72, 80]], "Organization: payment providers": [[126, 143]], "Organization: PR companies": [[166, 178]]}, "info": {"id": "dnrti_train_000337", "source": "dnrti_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft 
from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Organization: consumer": [[76, 84]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_train_000338", "source": "dnrti_train"}} {"text": "The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Organization: group": [[4, 9]], "Organization: consumer": [[77, 85]], "Malware: Carberp": [[177, 184]]}, "info": {"id": "dnrti_train_000339", "source": "dnrti_train"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"Vulnerability: Carbanak": [[10, 18]]}, "info": {"id": "dnrti_train_000340", "source": "dnrti_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"Vulnerability: Carbanak": [[11, 19]]}, "info": {"id": "dnrti_train_000341", "source": "dnrti_train"}} {"text": "The first successful bank robbery was committed by this group in January 2013 .", "spans": {"Organization: group": [[56, 61]]}, "info": {"id": "dnrti_train_000342", "source": "dnrti_train"}} {"text": "To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": {"Vulnerability: Carbanak": [[71, 79]], "Malware: Ammy Admin": [[174, 184]], "Malware: Team Viewer": [[189, 200]]}, "info": {"id": "dnrti_train_000343", "source": "dnrti_train"}} {"text": "We have no evidence of compromises against banks in Western Europe or United States , but it should be noted that the attackers methods could be utilized against banks outside of Russia as well .", "spans": 
{"Organization: attackers": [[118, 127]]}, "info": {"id": "dnrti_train_000344", "source": "dnrti_train"}} {"text": "Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": {"Vulnerability: Carbanak": [[28, 36]]}, "info": {"id": "dnrti_train_000345", "source": "dnrti_train"}} {"text": "Without any insight into the evidence Kaspersky has obtained , we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group .", "spans": {"Organization: Kaspersky": [[38, 47]], "Organization: Anunak": [[96, 102]], "Organization: criminal group": [[233, 247]]}, "info": {"id": "dnrti_train_000346", "source": "dnrti_train"}} {"text": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014 .", "spans": {"Organization: Charming Kitten": [[0, 15]], "Organization: cyberespionage group": [[30, 50]]}, "info": {"id": "dnrti_train_000347", "source": "dnrti_train"}} {"text": "These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": {"Organization: criminal groups": [[28, 43]], "Organization: PoSeidon": [[104, 112]], "Vulnerability: Carbanak": [[148, 156]], "Organization: criminal organization": [[174, 195]], "Organization: Carbon Spider": [[208, 221]]}, "info": {"id": "dnrti_train_000348", "source": "dnrti_train"}} {"text": "The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research .", "spans": {"Organization: Charming Kitten'": [[4, 20]]}, "info": {"id": "dnrti_train_000349", "source": "dnrti_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's 
computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens .", "spans": {"Organization: threat groups": [[212, 225]], "Organization: OilRig": [[236, 242]], "Organization: CopyKittens": [[247, 258]]}, "info": {"id": "dnrti_train_000350", "source": "dnrti_train"}} {"text": "Flying Kitten ( which is another name given by the security industry to Charming Kitten ) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI ( Islamic Republic of Iran ) government and foreign espionage targets .", "spans": {"Organization: Flying Kitten": [[0, 13]], "Organization: Charming Kitten": [[72, 87]], "Organization: groups": [[111, 117]], "Organization: threat actor": [[148, 160]], "Organization: espionage": [[274, 283]]}, "info": {"id": "dnrti_train_000351", "source": "dnrti_train"}} {"text": "Flying Kitten was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of government and foreign espionage targets .", "spans": {"Organization: Flying Kitten": [[0, 13]], "Organization: groups": [[35, 41]], "Organization: threat actor": [[72, 84]], "Organization: espionage": [[161, 170]]}, "info": {"id": "dnrti_train_000352", "source": "dnrti_train"}} {"text": "At certain times , Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team \" .", "spans": {"Organization: hacking group": [[60, 73]], "Organization: Turk Black Hat": [[85, 99]]}, "info": {"id": "dnrti_train_000353", "source": "dnrti_train"}} {"text": "During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort .", "spans": {"Organization: Operation Cleaver": [[110, 127]]}, "info": {"id": 
"dnrti_train_000354", "source": "dnrti_train"}} {"text": "TinyZBot is a bot written in C# and developed by the Cleaver team .", "spans": {"Malware: TinyZBot": [[0, 8]], "Organization: Cleaver": [[53, 60]]}, "info": {"id": "dnrti_train_000355", "source": "dnrti_train"}} {"text": "Some of the teams publicly known today include Iranian Cyber Army , Ashiyane , Islamic Cyber Resistance Group , Izz ad-Din al-Qassam Cyber Fighters , Parastoo , Shabgard , Iran Black Hats and many others 9 .", "spans": {"Organization: Cyber Army": [[55, 65]], "Organization: Ashiyane": [[68, 76]], "Organization: Cyber Resistance Group": [[87, 109]], "Organization: Izz ad-Din al-Qassam Cyber Fighters": [[112, 147]], "Organization: Parastoo": [[150, 158]], "Organization: Shabgard": [[161, 169]], "Organization: Iran Black Hats": [[172, 187]]}, "info": {"id": "dnrti_train_000356", "source": "dnrti_train"}} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team .", "spans": {"Organization: Cleaver": [[38, 45]], "Organization: Cyber Army": [[99, 109]], "Organization: Ashiyane": [[124, 132]], "System: SQL injection": [[135, 148]], "System: phishing": [[180, 188]]}, "info": {"id": "dnrti_train_000357", "source": "dnrti_train"}} {"text": "The Cobalt group 's traditional \" stomping grounds \" are the Eastern Europe , Central Asia , and Southeast Asia .", "spans": {"Organization: Cobalt group": [[4, 16]]}, "info": {"id": "dnrti_train_000358", "source": "dnrti_train"}} {"text": "Against targets in the CIS countries , the Cobalt also used their own infrastructure , which included rented dedicated servers .", "spans": {"Organization: Cobalt": [[43, 49]]}, "info": {"id": "dnrti_train_000359", "source": "dnrti_train"}} {"text": "In several cases , the Cobalt compromised company infrastructure and employee 
accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia .", "spans": {"Organization: Cobalt": [[23, 29]], "System: phishing messages": [[104, 121]]}, "info": {"id": "dnrti_train_000360", "source": "dnrti_train"}} {"text": "To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software .", "spans": {"System: remote access": [[10, 23]], "Organization: Cobalt group": [[89, 101]], "Malware: Beacon": [[132, 138]]}, "info": {"id": "dnrti_train_000361", "source": "dnrti_train"}} {"text": "Artifacts indicated the involvement of the Cobalt that , according to Positive Technologies information , from August to October had performed similar successful attacks in Eastern Europe , and it 's likely that this group may will soon become active in the West .", "spans": {"Organization: Cobalt": [[43, 49]], "Organization: Technologies information": [[79, 103]], "Organization: group": [[217, 222]]}, "info": {"id": "dnrti_train_000362", "source": "dnrti_train"}} {"text": "In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike .", "spans": {"Organization: Cobalt Hacking Group": [[42, 62]], "System: remote code execution": [[70, 91]], "Malware: Cobalt Strike": [[184, 197]]}, "info": {"id": "dnrti_train_000363", "source": "dnrti_train"}} {"text": "The basic principles of targeted attacks on financial institutions have not changed since 2013 when the Anunak , Corkow , Buhtrap , and Lurk groups began conducting the first attacks on Russian banks .", "spans": {"Organization: financial institutions": [[44, 66]], "Organization: Anunak": [[104, 110]], "Organization: Corkow": [[113, 119]], "Organization: Buhtrap": 
[[122, 129]], "Organization: Lurk groups": [[136, 147]]}, "info": {"id": "dnrti_train_000364", "source": "dnrti_train"}} {"text": "In a recent spear-phishing campaign , the Cobalt Group used a known CVE to connect to its C&C server via Cobalt Strike , but ended up revealing all targets .", "spans": {"Organization: Cobalt Group": [[42, 54]], "Malware: Cobalt Strike": [[105, 118]]}, "info": {"id": "dnrti_train_000365", "source": "dnrti_train"}} {"text": "This isn't the first time we've seen Cobalt makes this error—back in March , an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw .", "spans": {"Organization: Cobalt": [[37, 43]], "Organization: financial institutions": [[121, 143]]}, "info": {"id": "dnrti_train_000366", "source": "dnrti_train"}} {"text": "The Carbanak attacks targeting over a 100 financial institutions worldwide .", "spans": {"Organization: financial institutions": [[42, 64]]}, "info": {"id": "dnrti_train_000367", "source": "dnrti_train"}} {"text": "The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": {"Organization: crime gang": [[18, 28]], "Vulnerability: Carbanak": [[40, 48]], "Organization: financial institutions": [[97, 119]]}, "info": {"id": "dnrti_train_000368", "source": "dnrti_train"}} {"text": "Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed .", "spans": {"Organization: Cobalt": [[17, 23]], "Organization: financial institutions": [[59, 81]]}, "info": {"id": "dnrti_train_000369", "source": "dnrti_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"Organization: 
cybercrime gang": [[17, 32]], "Organization: financial institutions": [[88, 110]], "Vulnerability: Carbanak": [[160, 168]], "Malware: Cobalt": [[173, 179]]}, "info": {"id": "dnrti_train_000370", "source": "dnrti_train"}} {"text": "The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world .", "spans": {"Organization: crime group": [[14, 25]], "Organization: financial institutions": [[176, 198]]}, "info": {"id": "dnrti_train_000371", "source": "dnrti_train"}} {"text": "One of the Cobalt Group 's latest campaigns , an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor , was investigated and presented by the Talos research team .", "spans": {"Organization: Cobalt Group": [[11, 23]], "Malware: Cobalt": [[72, 78]], "Malware: Strike beacon": [[79, 92]], "Malware: JavaScript backdoor": [[100, 119]], "Organization: Talos": [[160, 165]]}, "info": {"id": "dnrti_train_000372", "source": "dnrti_train"}} {"text": "The Cobalt started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world .", "spans": {"Organization: Cobalt": [[4, 10]], "Organization: financial institutions": [[161, 183]]}, "info": {"id": "dnrti_train_000373", "source": "dnrti_train"}} {"text": "The Cobalt group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia .", "spans": {"Organization: Cobalt group": [[4, 16]], "Malware: Cobalt Strike": [[25, 38]], "Organization: cyber heists": [[74, 86]], "Organization: financial institutions": [[98, 120]]}, "info": {"id": "dnrti_train_000374", "source": "dnrti_train"}} {"text": "The hacking group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target 
financial institutions across Europe , and interestingly , Russia .", "spans": {"Organization: hacking group": [[4, 17]], "Malware: Cobalt Strike": [[26, 39]], "Organization: cyber heists": [[75, 87]], "Organization: financial institutions": [[99, 121]]}, "info": {"id": "dnrti_train_000375", "source": "dnrti_train"}} {"text": "If successful , Cobalt goes on to attack financial institutions outside the country .", "spans": {"Organization: Cobalt": [[16, 22]], "Organization: financial institutions": [[41, 63]]}, "info": {"id": "dnrti_train_000376", "source": "dnrti_train"}} {"text": "The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled .", "spans": {"Malware: Cobalt Strike": [[51, 64]]}, "info": {"id": "dnrti_train_000377", "source": "dnrti_train"}} {"text": "As part of our monitoring of Iranian threat agents activities , we have detected that since October 2016 and until the end of January 2017 , the Jerusalem Post , as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens .", "spans": {"Organization: Jerusalem Post": [[145, 159]], "Organization: Palestinian Authority": [[228, 249]], "Organization: CopyKittens": [[291, 302]]}, "info": {"id": "dnrti_train_000378", "source": "dnrti_train"}} {"text": "CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date , and are analyzed in this report : TDTESS backdoor ; Vminst , a lateral movement tool ; NetSrv , a Cobalt Strike loader ; and ZPP , a files compression console program .", "spans": {"Organization: CopyKittens": [[0, 11]], "Malware: TDTESS backdoor": [[146, 161]], "Malware: Vminst": [[164, 170]], "Malware: NetSrv": [[199, 205]], "Malware: Cobalt Strike loader": [[210, 230]], "Malware: ZPP": [[237, 240]]}, "info": {"id": "dnrti_train_000379", "source": "dnrti_train"}} {"text": "CopyKittens often uses the trial version of Cobalt Strike 
, a publicly available commercial software for \" Adversary Simulations and Red Team Operations \" .", "spans": {"Organization: CopyKittens": [[0, 11]], "Malware: Cobalt Strike": [[44, 57]]}, "info": {"id": "dnrti_train_000380", "source": "dnrti_train"}} {"text": "Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": {"Organization: CopyKittens": [[31, 42]], "Malware: Metasploit": [[47, 57]], "Malware: Mimikatz": [[180, 188]], "Malware: Empire": [[255, 261]], "Malware: PowerShell": [[266, 276]]}, "info": {"id": "dnrti_train_000381", "source": "dnrti_train"}} {"text": "The group , which we have given the name Gallmaker , has been operating since at least December 2017 , with its most recent activity observed in June 2018 .", "spans": {"Organization: group": [[4, 9]], "Organization: Gallmaker": [[41, 50]]}, "info": {"id": "dnrti_train_000382", "source": "dnrti_train"}} {"text": "Rather , the Gallmaker 's attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools .", "spans": {"Organization: Gallmaker": [[13, 22]], "Malware: LotL": [[87, 91]], "Malware: publicly available hack tools": [[104, 133]]}, "info": {"id": "dnrti_train_000383", "source": "dnrti_train"}} {"text": "Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines .", "spans": {"Organization: Gallmaker": [[0, 9]], "System: lure documents": [[15, 29]]}, "info": {"id": "dnrti_train_000384", "source": "dnrti_train"}} {"text": "Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system .", "spans": 
{"Organization: attackers": [[40, 49]], "Malware: DDE protocol": [[75, 87]], "System: remotely execute commands": [[91, 116]]}, "info": {"id": "dnrti_train_000385", "source": "dnrti_train"}} {"text": "Back in 2013 , CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news , an Israeli newspaper .", "spans": {"Organization: CopyKittens": [[15, 26]], "Organization: Facebook": [[40, 48]]}, "info": {"id": "dnrti_train_000386", "source": "dnrti_train"}} {"text": "Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors .", "spans": {"Organization: Gallmaker": [[0, 9]], "Organization: defense sectors": [[113, 128]]}, "info": {"id": "dnrti_train_000387", "source": "dnrti_train"}} {"text": "Gallmaker 's targets are embassies of an Eastern European country .", "spans": {"Organization: Gallmaker": [[0, 9]], "Organization: embassies": [[25, 34]]}, "info": {"id": "dnrti_train_000388", "source": "dnrti_train"}} {"text": "There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker is specifically targeting the defense , military , and government sectors .", "spans": {"Organization: Gallmaker": [[106, 115]], "Organization: government sectors": [[171, 189]]}, "info": {"id": "dnrti_train_000389", "source": "dnrti_train"}} {"text": "The group has carried out attacks most months since December 2017 .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_000390", "source": "dnrti_train"}} {"text": "Its activity subsequently increased in the second quarter of 2018 , with a particular spike in April 2018 .", "spans": {}, "info": {"id": "dnrti_train_000391", "source": "dnrti_train"}} {"text": "The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect .", "spans": {"Organization: Gallmaker": [[14, 23]], "Malware: 
LotL": [[55, 59]], "Malware: publicly available hack tools": [[72, 101]]}, "info": {"id": "dnrti_train_000392", "source": "dnrti_train"}} {"text": "The Gamaredon Group primarily makes use of compromised domains , dynamic DNS providers , Russian and Ukrainian country code top-level domains ( ccTLDs ) , and Russian hosting providers to distribute their custom-built malware .", "spans": {"Organization: Gamaredon Group": [[4, 19]], "Organization: dynamic DNS providers": [[65, 86]], "Organization: hosting providers": [[167, 184]], "Malware: custom-built malware": [[205, 225]]}, "info": {"id": "dnrti_train_000393", "source": "dnrti_train"}} {"text": "Gallmaker may well have continued to avoid detection were it not for Symantec 's technology .", "spans": {"Organization: Gallmaker": [[0, 9]], "Organization: Symantec": [[69, 77]]}, "info": {"id": "dnrti_train_000394", "source": "dnrti_train"}} {"text": "In this instance , Symantec identified the specific PowerShell commands used by Gallmaker as being suspicious , leading to the discovery of this new campaign .", "spans": {"Organization: Symantec": [[19, 27]], "Malware: PowerShell commands": [[52, 71]], "Organization: Gallmaker": [[80, 89]]}, "info": {"id": "dnrti_train_000395", "source": "dnrti_train"}} {"text": "Without Symantec 's advanced AI-based capabilities , Gallmaker 's activities may well have remained undetected .", "spans": {"Organization: Symantec": [[8, 16]], "Organization: Gallmaker": [[53, 62]]}, "info": {"id": "dnrti_train_000396", "source": "dnrti_train"}} {"text": "Previously , LookingGlass reported on a campaign they named \" Operation Armageddon \" , targeting individuals involved in the Ukrainian military and national security establishment .", "spans": {"Organization: LookingGlass": [[13, 25]]}, "info": {"id": "dnrti_train_000397", "source": "dnrti_train"}} {"text": "The earliest discovered sample ( based on compile times and sandbox submission times ) distributed by this threat group resembles the 
descriptions of Gamaredon provided by Symantec and Trend Micro .", "spans": {"Organization: threat group": [[107, 119]], "Organization: Gamaredon": [[150, 159]], "Organization: Symantec": [[172, 180]], "Organization: Trend Micro": [[185, 196]]}, "info": {"id": "dnrti_train_000398", "source": "dnrti_train"}} {"text": "The scripts would also use wget to send POST requests to command and control ( C2 ) servers that would contain information about the compromised system .", "spans": {"Malware: wget": [[27, 31]]}, "info": {"id": "dnrti_train_000399", "source": "dnrti_train"}} {"text": "These VNC exectuables would either be included in the SFX file or downloaded by the batch script .", "spans": {"Malware: VNC": [[6, 9]], "System: SFX file": [[54, 62]], "System: batch script": [[84, 96]]}, "info": {"id": "dnrti_train_000400", "source": "dnrti_train"}} {"text": "The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system .", "spans": {"Malware: VNC": [[48, 51]]}, "info": {"id": "dnrti_train_000401", "source": "dnrti_train"}} {"text": "While the most recent samples observed still use batch scripts and SFX files , the Gamaredon Group has moved away from applications like wget , Remote Manipulator Tool , VNC and ChkFlsh.exe .", "spans": {"Malware: batch scripts": [[49, 62]], "Malware: SFX files": [[67, 76]], "Organization: Gamaredon Group": [[83, 98]], "Malware: wget": [[137, 141]], "Malware: Remote Manipulator Tool": [[144, 167]], "Malware: VNC": [[170, 173]], "Malware: ChkFlsh.exe": [[178, 189]]}, "info": {"id": "dnrti_train_000402", "source": "dnrti_train"}} {"text": "The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government .", "spans": {"Organization: threat group": [[4, 16]]}, "info": {"id": "dnrti_train_000403", "source": "dnrti_train"}} {"text": "Some of the samples 
share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon .", "spans": {"Organization: Gamaredon": [[127, 136]]}, "info": {"id": "dnrti_train_000404", "source": "dnrti_train"}} {"text": "Periodically , researchers at Palo Alto Networks hunt through WildFire execution reports , using AutoFocus , to identify untagged samples ' artifacts in the hopes of identifying previously undiscovered malware families , behaviors , and campaigns .", "spans": {"Organization: Palo Alto Networks": [[30, 48]], "Organization: WildFire": [[62, 70]]}, "info": {"id": "dnrti_train_000405", "source": "dnrti_train"}} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"Vulnerability: Carbanak": [[75, 83]], "Organization: cyber-criminal gang": [[88, 107]], "System: APT techniques": [[137, 151]], "Organization: financial institutions": [[209, 231]]}, "info": {"id": "dnrti_train_000406", "source": "dnrti_train"}} {"text": "Today at the Security Analyst Summit ( SAS 2016 ) , Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights .", "spans": {"Organization: Kaspersky Lab": [[52, 65]], "Organization: Metel": [[149, 154]], "Organization: GCMAN": [[159, 164]], "Organization: Carbanak group": [[194, 208]]}, "info": {"id": "dnrti_train_000407", "source": "dnrti_train"}} {"text": "In 2015 , Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups .", "spans": {"Organization: Kaspersky Lab": [[10, 23]], "Organization: groups": [[131, 137]]}, "info": {"id": "dnrti_train_000408", "source": "dnrti_train"}} {"text": 
"Kaspersky Lab is releasing crucial Indicators of Compromise ( IOCs ) and other data to help organizations search for traces of these attack groups in their corporate networks .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: attack groups": [[133, 146]]}, "info": {"id": "dnrti_train_000409", "source": "dnrti_train"}} {"text": "In all , Kaspersky Lab discovered Metel in more than 30 financial institutions .", "spans": {"Organization: Kaspersky Lab": [[9, 22]], "Organization: Metel": [[34, 39]], "Organization: financial institutions": [[56, 78]]}, "info": {"id": "dnrti_train_000410", "source": "dnrti_train"}} {"text": "It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware .", "spans": {"Organization: financial institutions": [[72, 94]], "Malware: Metel malware": [[152, 165]]}, "info": {"id": "dnrti_train_000411", "source": "dnrti_train"}} {"text": "A second group , which we call GCMAN because the malware is based on code compiled on the GCC compiler , emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services .", "spans": {"Organization: group": [[9, 14]], "Organization: GCMAN": [[31, 36]], "Organization: Metel Group": [[154, 165]], "Organization: banking institutions": [[176, 196]]}, "info": {"id": "dnrti_train_000412", "source": "dnrti_train"}} {"text": "Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks .", "spans": {"Organization: attackers": [[37, 46]]}, "info": {"id": "dnrti_train_000413", "source": "dnrti_train"}} {"text": "Once inside the network , the GCMAN group uses legitimate and penetration testing tools such as Putty , VNC , and Meterpreter for lateral movement .", "spans": {"Organization: GCMAN group": [[30, 41]], "Malware: Putty": [[96, 101]], 
"Malware: VNC": [[104, 107]], "Malware: Meterpreter": [[114, 125]]}, "info": {"id": "dnrti_train_000414", "source": "dnrti_train"}} {"text": "Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute .", "spans": {"Organization: GCMAN group": [[47, 58]], "System: cron script": [[74, 85]]}, "info": {"id": "dnrti_train_000415", "source": "dnrti_train"}} {"text": "The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out .", "spans": {"Organization: GCMAN group": [[4, 15]], "System: MS SQL injection": [[24, 40]]}, "info": {"id": "dnrti_train_000416", "source": "dnrti_train"}} {"text": "During that time they poked 70 internal hosts , compromised 56 accounts , making their way from 139 attack sources ( TOR and compromised home routers ) .", "spans": {}, "info": {"id": "dnrti_train_000417", "source": "dnrti_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]], "Organization: customers": [[126, 135]]}, "info": {"id": "dnrti_train_000418", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's research team responded to three financial institutions in Russia that were infected with the GCMAN malware .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: financial institutions": [[50, 72]], "Malware: GCMAN malware": [[111, 124]]}, "info": {"id": "dnrti_train_000419", "source": "dnrti_train"}} {"text": "In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": {"Vulnerability: Carbanak": [[29, 37]], "Organization: 
financial institution": [[68, 89]]}, "info": {"id": "dnrti_train_000420", "source": "dnrti_train"}} {"text": "Recently Subaat drew our attention due to renewed targeted attack activity .", "spans": {"Organization: Subaat": [[9, 15]]}, "info": {"id": "dnrti_train_000421", "source": "dnrti_train"}} {"text": "Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec , in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking , which we are calling Gorgon Group .", "spans": {"Organization: actors": [[85, 91]], "Organization: 360": [[122, 125]], "Organization: Tuisec": [[130, 136]], "Organization: group": [[195, 200]], "Organization: attackers": [[204, 213]], "Organization: Unit 42": [[214, 221]], "Organization: Gorgon Group": [[276, 288]]}, "info": {"id": "dnrti_train_000422", "source": "dnrti_train"}} {"text": "Starting in February 2018 , Palo Alto Networks identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"Organization: Palo Alto Networks": [[28, 46]], "Organization: Gorgon Group": [[104, 116]], "Organization: governmental organizations": [[127, 153]]}, "info": {"id": "dnrti_train_000423", "source": "dnrti_train"}} {"text": "Starting in February 2018 , Palo Alto Networks Unit 42 identified a", "spans": {"Organization: Palo Alto Networks Unit 42": [[28, 54]]}, "info": {"id": "dnrti_train_000424", "source": "dnrti_train"}} {"text": "of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"Organization: Gorgon Group": [[35, 47]], "Organization: governmental organizations": [[58, 84]]}, "info": {"id": "dnrti_train_000425", "source": "dnrti_train"}} {"text": "The GCMAN group has moved beyond banks and is 
now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": {"Organization: GCMAN group": [[4, 15]], "Organization: budgeting": [[64, 73]], "Organization: accounting departments": [[78, 100]]}, "info": {"id": "dnrti_train_000426", "source": "dnrti_train"}} {"text": "Starting in February 2018 , Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"Organization: Unit 42": [[28, 35]], "Organization: Gorgon Group": [[93, 105]], "Organization: governmental organizations": [[116, 142]]}, "info": {"id": "dnrti_train_000427", "source": "dnrti_train"}} {"text": "APT38 's increasingly aggressive targeting against banks .", "spans": {"Organization: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000428", "source": "dnrti_train"}} {"text": "Gorgon Group used common URL shortening services to download payloads .", "spans": {"Organization: Gorgon Group": [[0, 12]], "System: URL shortening services": [[25, 48]]}, "info": {"id": "dnrti_train_000429", "source": "dnrti_train"}} {"text": "The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": {"Organization: GCMAN group": [[4, 15]], "Organization: budgeting": [[64, 73]], "Organization: accounting departments": [[78, 100]]}, "info": {"id": "dnrti_train_000430", "source": "dnrti_train"}} {"text": "APT38 has paralleled North Korea 's worsening financial condition .", "spans": {"Organization: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000431", "source": "dnrti_train"}} {"text": "On much of the C2 infrastructure we identified several crimeware family samples .", "spans": {}, "info": {"id": "dnrti_train_000432", "source": "dnrti_train"}} {"text": "While 
investigating the domains and infrastructure used by the phishing components of Gorgon Group , Unit 42 researchers witnessed several common operational security flaws with Gorgon Group 's actors throughout their many campaigns .", "spans": {"System: phishing components": [[63, 82]], "Organization: Gorgon Group": [[86, 98]], "Organization: Unit 42": [[101, 108]], "Organization: Gorgon Group 's actors": [[178, 200]]}, "info": {"id": "dnrti_train_000433", "source": "dnrti_train"}} {"text": "360 and Tuisec already identified some Gorgon Group members .", "spans": {"Organization: 360": [[0, 3]], "Organization: Tuisec": [[8, 14]], "Organization: Gorgon Group": [[39, 51]], "Organization: members": [[52, 59]]}, "info": {"id": "dnrti_train_000434", "source": "dnrti_train"}} {"text": "RATs such as NjRat and infostealers like Lokibot were leveraging the same C2 infrastructure as that of the targeted attacks .", "spans": {"Malware: RATs": [[0, 4]], "Malware: NjRat": [[13, 18]], "Malware: Lokibot": [[41, 48]]}, "info": {"id": "dnrti_train_000435", "source": "dnrti_train"}} {"text": "it 's not known if the attackers physically reside in Pakistan .", "spans": {"Organization: attackers": [[23, 32]]}, "info": {"id": "dnrti_train_000436", "source": "dnrti_train"}} {"text": "Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication .", "spans": {"Organization: Gorgon": [[0, 6]], "System: decoy documents": [[21, 36]], "System: phishing emails": [[41, 56]]}, "info": {"id": "dnrti_train_000437", "source": "dnrti_train"}} {"text": "While it 's not known if the attackers physically reside in Pakistan , all members of Gorgon Group purport to be in Pakistan based on their online personas .", "spans": {"Organization: attackers": [[29, 38]], "Organization: Gorgon Group": [[86, 98]]}, "info": {"id": "dnrti_train_000438", "source": "dnrti_train"}} {"text": "Starting in mid-February , Unit 42 researchers have been tracking an active campaign 
sharing a significant portion of infrastructure leveraged by Gorgon Group for criminal and targeted attacks .", "spans": {"Organization: Unit 42": [[27, 34]], "Organization: Gorgon Group": [[146, 158]]}, "info": {"id": "dnrti_train_000439", "source": "dnrti_train"}} {"text": "Unit 42 researchers have been tracking Gorgon Group for criminal and targeted attacks .", "spans": {"Organization: Unit 42": [[0, 7]], "Organization: Gorgon Group": [[39, 51]]}, "info": {"id": "dnrti_train_000440", "source": "dnrti_train"}} {"text": "As part of the investigation , Unit 42 researchers were able to identify an interesting characteristic about how the Gorgon Group crew uses shared infrastructure between cybercrime and targeted attacks .", "spans": {"Organization: Unit 42": [[31, 38]], "Organization: Gorgon Group": [[117, 129]], "Malware: shared infrastructure": [[140, 161]]}, "info": {"id": "dnrti_train_000441", "source": "dnrti_train"}} {"text": "The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time , rarely changing their TTPs .", "spans": {"Malware: domain infrastructure": [[83, 104]]}, "info": {"id": "dnrti_train_000442", "source": "dnrti_train"}} {"text": "One interesting note about the criminal activity of Gorgon Group is their usage of Bitly .", "spans": {"Organization: Gorgon Group": [[52, 64]], "Malware: Bitly": [[83, 88]]}, "info": {"id": "dnrti_train_000443", "source": "dnrti_train"}} {"text": "Between April 1 , 2018 and May 30 , 2018 , we observed the domain stevemike-fireforce.info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack .", "spans": {"System: emails": [[160, 166]]}, "info": {"id": "dnrti_train_000444", "source": "dnrti_train"}} {"text": "Similar to that of their targeted attacks , Gorgon Group leveraged Bitly for distribution and shortening of C2 domains .", "spans": {"Organization: Gorgon Group": [[44, 56]], "Malware: Bitly": [[67, 
72]]}, "info": {"id": "dnrti_train_000445", "source": "dnrti_train"}} {"text": "Beginning in early March 2018 , Unit 42 started observing targeted attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": {"Organization: Unit 42": [[32, 39]], "Organization: government agencies": [[119, 138]]}, "info": {"id": "dnrti_train_000446", "source": "dnrti_train"}} {"text": "Leveraging click counts for the campaign for Bitly , we were able to see Gorgon Group 's activity volume increase throughout April .", "spans": {"Malware: Bitly": [[45, 50]], "Organization: Gorgon Group": [[73, 85]]}, "info": {"id": "dnrti_train_000447", "source": "dnrti_train"}} {"text": "As we continued to investigate , it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan .", "spans": {"Organization: Gorgon Group": [[57, 69]], "Organization: governmental organizations": [[112, 138]]}, "info": {"id": "dnrti_train_000448", "source": "dnrti_train"}} {"text": "Starting in mid-February .", "spans": {}, "info": {"id": "dnrti_train_000449", "source": "dnrti_train"}} {"text": "Additionally , during that time , members of Gorgon Group were also performing criminal operations against targets across the globe , often using shared infrastructure with their targeted attack operations .", "spans": {"Organization: Gorgon Group": [[45, 57]], "Malware: shared infrastructure": [[146, 167]]}, "info": {"id": "dnrti_train_000450", "source": "dnrti_train"}} {"text": "Unit 42 researchers have been tracking an active campaign .", "spans": {"Organization: Unit 42": [[0, 7]]}, "info": {"id": "dnrti_train_000451", "source": "dnrti_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": 
[[100, 113]]}, "info": {"id": "dnrti_train_000452", "source": "dnrti_train"}} {"text": "Beginning in early March 2018 , Unit 42 started observing Gorgon group attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": {"Organization: Unit 42": [[32, 39]], "Organization: government agencies": [[123, 142]]}, "info": {"id": "dnrti_train_000453", "source": "dnrti_train"}} {"text": "Like all of Gorgon Group 's members , Fudpage 's online profile , infrastructure utilization and standardization , connects them back to Gorgon Group .", "spans": {"Organization: Gorgon Group": [[12, 24], [137, 149]], "Malware: infrastructure utilization": [[66, 92]], "Malware: standardization": [[97, 112]]}, "info": {"id": "dnrti_train_000454", "source": "dnrti_train"}} {"text": "Ultimately , this lead us to the conclusion that several of Gorgon Group 's members have a nexus in Pakistan .", "spans": {"Organization: Gorgon Group": [[60, 72]]}, "info": {"id": "dnrti_train_000455", "source": "dnrti_train"}} {"text": "Gorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks .", "spans": {"Organization: Gorgon Group": [[0, 12]], "Organization: actor group": [[29, 40]]}, "info": {"id": "dnrti_train_000456", "source": "dnrti_train"}} {"text": "Overall , in spite of the lack of sophistication in Gorgon Group 's activity , they were still relatively successful ; once again proving that simple attacks on individuals without proper protections , work .", "spans": {"Organization: Gorgon Group": [[52, 64]]}, "info": {"id": "dnrti_train_000457", "source": "dnrti_train"}} {"text": "On January 15 , Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor .", "spans": {"Organization: Advanced Threat Research": [[16, 40]], "Malware: SYSCON backdoor": [[92, 107]]}, "info": {"id": "dnrti_train_000458", "source": "dnrti_train"}} {"text": "The Korean-language Word document 
manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": {"Malware: Word document": [[20, 33]], "Malware: manual.doc": [[34, 44]], "Organization: Honeybee": [[114, 122]]}, "info": {"id": "dnrti_train_000459", "source": "dnrti_train"}} {"text": "While Gorgon Group has been making minor changes in their methodologies , they are still actively involved in both targeted and criminal attacks .", "spans": {"Organization: Gorgon Group": [[6, 18]]}, "info": {"id": "dnrti_train_000460", "source": "dnrti_train"}} {"text": "This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics .", "spans": {"System: Visual Basic macro": [[35, 53]], "Malware: SYSCON": [[124, 130]], "Malware: malicious Word documents": [[159, 183]]}, "info": {"id": "dnrti_train_000461", "source": "dnrti_train"}} {"text": "This key was also used in the Honeybee campaign and appears to have been used since August 2017 .", "spans": {}, "info": {"id": "dnrti_train_000462", "source": "dnrti_train"}} {"text": "Several additional documents surfaced between January 17 and February 3 .", "spans": {}, "info": {"id": "dnrti_train_000463", "source": "dnrti_train"}} {"text": "All contain the same Visual Basic macro code and author name as Honeybee .", "spans": {"System: Visual Basic macro code": [[21, 44]], "Organization: Honeybee": [[64, 72]]}, "info": {"id": "dnrti_train_000464", "source": "dnrti_train"}} {"text": "Some of the malicious documents were test files without the implant .", "spans": {"Malware: test files": [[37, 47]]}, "info": {"id": "dnrti_train_000465", "source": "dnrti_train"}} {"text": "From our analysis , Honeybee submitted most of these documents from South Korea , indicating that some of the targeting was in South Korea .", "spans": {"Organization: Honeybee": [[20, 
28]]}, "info": {"id": "dnrti_train_000466", "source": "dnrti_train"}} {"text": "Honeybee attacked beyond the borders of South Korea to target Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": {"Organization: Honeybee": [[0, 8]]}, "info": {"id": "dnrti_train_000467", "source": "dnrti_train"}} {"text": "Honeybee appears to target humanitarian aid and inter-Korean affairs .", "spans": {"Organization: Honeybee": [[0, 8]]}, "info": {"id": "dnrti_train_000468", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research team 's analysis , we find multiple components from this operation are unique from a code perspective , even though the code is loosely based on previous versions of the SYSCON backdoor .", "spans": {"Organization: McAfee Advanced Threat Research": [[0, 31]], "Malware: SYSCON backdoor": [[202, 217]]}, "info": {"id": "dnrti_train_000469", "source": "dnrti_train"}} {"text": "Large-scale cyber espionage campaigns such as \" GhostNet \" .", "spans": {}, "info": {"id": "dnrti_train_000470", "source": "dnrti_train"}} {"text": "As the crisis in Syria escalates , FireEye researchers have discovered a cyber espionage campaign , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": {"Organization: FireEye": [[35, 42]], "Organization: Ke3chang": [[116, 124]]}, "info": {"id": "dnrti_train_000471", "source": "dnrti_train"}} {"text": "As the crisis in Syria escalates , FireEye researchers have discovered a threat group , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": {"Organization: FireEye": [[35, 42]], "Organization: threat group": [[73, 85]], "Organization: Ke3chang": [[104, 112]]}, "info": {"id": "dnrti_train_000472", "source": "dnrti_train"}} {"text": "We believe that the Ke3chang attackers are operating out of China and have been 
active since at least 2010 .", "spans": {"Organization: Ke3chang": [[20, 28]], "Organization: attackers": [[29, 38]]}, "info": {"id": "dnrti_train_000473", "source": "dnrti_train"}} {"text": "FireEye gained visibility into one of 23 known command-and-control ( CnC ) servers operated by the Ke3chang actor for about one week .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: command-and-control": [[47, 66]], "Malware: CnC": [[69, 72]], "Organization: Ke3chang actor": [[99, 113]]}, "info": {"id": "dnrti_train_000474", "source": "dnrti_train"}} {"text": "Each attack comprises a variety of phases , including reconnaissance , exploitation , command and control , lateral movement , and exfiltration .", "spans": {}, "info": {"id": "dnrti_train_000475", "source": "dnrti_train"}} {"text": "The Ke3chang attackers have been active since at least 2010 .", "spans": {"Organization: Ke3chang": [[4, 12]], "Organization: attackers": [[13, 22]]}, "info": {"id": "dnrti_train_000476", "source": "dnrti_train"}} {"text": "traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"Organization: mining sectors": [[127, 141]]}, "info": {"id": "dnrti_train_000477", "source": "dnrti_train"}} {"text": "The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors .", "spans": {"Organization: Ke3chang": [[4, 12]], "Organization: mining sectors": [[193, 207]]}, "info": {"id": "dnrti_train_000478", "source": "dnrti_train"}} {"text": "August 2013 , FireEye gained visibility on one of 22 CnC servers used at that time by the Ke3chang attackers .", "spans": {"Organization: FireEye": [[14, 21]], "Organization: Ke3chang": [[90, 98]], "Organization: attackers": [[99, 108]]}, "info": {"id": "dnrti_train_000479", "source": "dnrti_train"}} {"text": "In this 
report , we present the historical intelligence we have gathered on the Ke3chang campaign , as well as an in-depth assessment of the ongoing Syrian-themed attacks against these MFAs .", "spans": {}, "info": {"id": "dnrti_train_000480", "source": "dnrti_train"}} {"text": "Ke3chang attackers have used spear-phishing emails .", "spans": {"Organization: Ke3chang": [[0, 8]], "Organization: attackers": [[9, 18]], "System: spear-phishing emails": [[29, 50]]}, "info": {"id": "dnrti_train_000481", "source": "dnrti_train"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"Organization: Ke3chang": [[0, 8]], "Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Malware: Adobe PDF Reader": [[156, 172]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": {"id": "dnrti_train_000482", "source": "dnrti_train"}} {"text": "Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download .", "spans": {"Organization: Ke3chang": [[20, 28]], "Organization: attackers": [[29, 38]], "System: spear-phishing emails": [[49, 70]]}, "info": {"id": "dnrti_train_000483", "source": "dnrti_train"}} {"text": "Over the years , the Ke3chang attackers have used three types of malware that we call : \" BS2005 \" , \" BMW \" , and \" MyWeb \" .", "spans": {"Organization: Ke3chang": [[21, 29]], "Organization: attackers": [[30, 39]], "Malware: BS2005": [[90, 96]], "Malware: BMW": [[103, 106]], "Malware: MyWeb": [[117, 122]]}, "info": {"id": "dnrti_train_000484", "source": "dnrti_train"}} {"text": "it is a typical first stage backdoor commonly found in APT attacks .", "spans": {}, "info": {"id": "dnrti_train_000485", "source": 
"dnrti_train"}} {"text": "The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"Organization: attackers": [[4, 13]], "Organization: mining sectors": [[198, 212]]}, "info": {"id": "dnrti_train_000486", "source": "dnrti_train"}} {"text": "All of the CnC communications are performed over the HTTP protocol .", "spans": {"Malware: HTTP protocol": [[53, 66]]}, "info": {"id": "dnrti_train_000487", "source": "dnrti_train"}} {"text": "The current Ke3chang campaign leverages the BS2005 malware , while older activity from 2010 - 2011 leveraged BMW , followed by the MyWeb malware sporadically used in between .", "spans": {"Malware: BS2005 malware": [[44, 58]], "Malware: BMW": [[109, 112]], "Malware: MyWeb malware": [[131, 144]]}, "info": {"id": "dnrti_train_000488", "source": "dnrti_train"}} {"text": "A trait common to all three malware families we analyzed is that they use the IWebBrowser2 COM interface to perform their CnC communication .", "spans": {"Malware: IWebBrowser2 COM": [[78, 94]]}, "info": {"id": "dnrti_train_000489", "source": "dnrti_train"}} {"text": "Three months after the Olympics-themed attacks , FireEye observed a new BS2005 campaign labeled \" newtiger \" , which is possibly a reference to an older 2010 campaign labeled \" tiger \" .", "spans": {"Organization: FireEye": [[49, 56]]}, "info": {"id": "dnrti_train_000490", "source": "dnrti_train"}} {"text": "Using information from the FireEye DTI cloud , FireEye observed that Ke3chang targeted a single firm .", "spans": {"Organization: FireEye DTI": [[27, 38]], "Organization: FireEye": [[47, 54]], "Organization: Ke3chang": [[69, 77]]}, "info": {"id": "dnrti_train_000491", "source": "dnrti_train"}} {"text": "The Ke3chang attackers used the older \" MyWeb \" malware family from 2010 to 2011 .", "spans": {"Organization: Ke3chang": [[4, 12]], 
"Organization: attackers": [[13, 22]], "Malware: MyWeb": [[40, 45]]}, "info": {"id": "dnrti_train_000492", "source": "dnrti_train"}} {"text": "The Ke3chang attackers used the older MyWeb malware family from 2010 to 2011 .", "spans": {"Organization: Ke3chang": [[4, 12]], "Organization: attackers": [[13, 22]], "Malware: MyWeb malware": [[38, 51]]}, "info": {"id": "dnrti_train_000493", "source": "dnrti_train"}} {"text": "During our period of visibility into the BS2005 \" moviestar \" campaign against various ministries of foreign affairs in Europe , FireEye discovered that the Ke3chang had initially tested the malware in virtual machines , prior to compromising actual targets .", "spans": {"Organization: ministries of foreign affairs": [[87, 116]], "Organization: FireEye": [[129, 136]], "Organization: Ke3chang": [[157, 165]]}, "info": {"id": "dnrti_train_000494", "source": "dnrti_train"}} {"text": "The MyWeb sample that FireEye analyzed has a compile date of 1/20/2011 .", "spans": {"Malware: MyWeb sample": [[4, 16]], "Organization: FireEye": [[22, 29]]}, "info": {"id": "dnrti_train_000495", "source": "dnrti_train"}} {"text": "At least one of the attacks in this campaign leveraged a European security and defense-themed lure , which aligns with the targeting preferences for this group .", "spans": {"Organization: group": [[154, 159]]}, "info": {"id": "dnrti_train_000496", "source": "dnrti_train"}} {"text": "MyWeb is the second-generation malware used by Ke3chang .", "spans": {"Malware: MyWeb": [[0, 5]], "Organization: Ke3chang": [[47, 55]]}, "info": {"id": "dnrti_train_000497", "source": "dnrti_train"}} {"text": "ministries of foreign affairs in Europe have been targeted and compromised by a threat actor we call Ke3chang .", "spans": {"Organization: ministries of foreign affairs": [[0, 29]], "Organization: threat actor": [[80, 92]], "Organization: Ke3chang": [[101, 109]]}, "info": {"id": "dnrti_train_000498", "source": "dnrti_train"}} {"text": "This attack used the 
crisis in Syria as a lure to deliver malware to its targets .", "spans": {}, "info": {"id": "dnrti_train_000499", "source": "dnrti_train"}} {"text": "Tracking the malicious activities of the elusive Ke3chang APT group , ESET researchers have discovered new versions of malware families linked to the group , and a previously unreported backdoor .", "spans": {"Organization: Ke3chang": [[49, 57]], "Organization: APT group": [[58, 67]], "Organization: ESET": [[70, 74]], "Organization: group": [[150, 155]]}, "info": {"id": "dnrti_train_000500", "source": "dnrti_train"}} {"text": "Furthermore , FireEye has presented evidence indicating that the Ke3chang attackers have been active since at least 2010 and have attacked targets related to G20 meetings in the past .", "spans": {"Organization: FireEye": [[14, 21]], "Organization: Ke3chang": [[65, 73]], "Organization: attackers": [[74, 83]], "Organization: G20 meetings": [[158, 170]]}, "info": {"id": "dnrti_train_000501", "source": "dnrti_train"}} {"text": "During our brief window of visibility into one of the known 22 CnC nodes , FireEye observed the Ke3chang conducting reconnaissance and moving laterally throughout the compromised networks .", "spans": {"Organization: FireEye": [[75, 82]], "Organization: Ke3chang": [[96, 104]]}, "info": {"id": "dnrti_train_000502", "source": "dnrti_train"}} {"text": "Ke3chang attackers are operating within China .", "spans": {"Organization: Ke3chang": [[0, 8]], "Organization: attackers": [[9, 18]]}, "info": {"id": "dnrti_train_000503", "source": "dnrti_train"}} {"text": "In May 2017 , NCC Group 's Incident Response team reacted to an ongoing incident .", "spans": {"Organization: NCC Group 's Incident Response": [[14, 44]]}, "info": {"id": "dnrti_train_000504", "source": "dnrti_train"}} {"text": "which provides a range of services to UK Government .", "spans": {"Organization: UK Government": [[38, 51]]}, "info": {"id": "dnrti_train_000505", "source": "dnrti_train"}} {"text": "APT15 was 
targeting information related to UK government departments and military technology .", "spans": {"Organization: APT15": [[0, 5]]}, "info": {"id": "dnrti_train_000506", "source": "dnrti_train"}} {"text": "backdoors that now appear to be part of APT15 's toolset .", "spans": {"Organization: APT15": [[40, 45]]}, "info": {"id": "dnrti_train_000507", "source": "dnrti_train"}} {"text": "This report demonstrates that Ke3chang is able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place .", "spans": {"Organization: Ke3chang": [[30, 38]]}, "info": {"id": "dnrti_train_000508", "source": "dnrti_train"}} {"text": "RoyalDNS - required APT15 .", "spans": {"Malware: RoyalDNS": [[0, 8]], "Organization: APT15": [[20, 25]]}, "info": {"id": "dnrti_train_000509", "source": "dnrti_train"}} {"text": "The Ke3chang group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes .", "spans": {"Organization: Ke3chang group": [[4, 18]], "Malware: keyloggers": [[29, 39]], "Malware: .NET tool": [[54, 63]]}, "info": {"id": "dnrti_train_000510", "source": "dnrti_train"}} {"text": "APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets .", "spans": {"Organization: APT15": [[0, 5]], "Malware: Mimikatz": [[30, 38]]}, "info": {"id": "dnrti_train_000511", "source": "dnrti_train"}} {"text": "This time , APT15 opted for a DNS based backdoor : RoyalDNS .", "spans": {"Organization: APT15": [[12, 17]], "Malware: DNS based backdoor": [[30, 48]], "Malware: RoyalDNS": [[51, 59]]}, "info": {"id": "dnrti_train_000512", "source": "dnrti_train"}} {"text": "APT15 then used a tool known as RemoteExec .", "spans": {"Organization: APT15": [[0, 5]], "Malware: RemoteExec": [[32, 42]]}, "info": {"id": "dnrti_train_000513", "source": "dnrti_train"}} {"text": "APT15 then used a tool known as RemoteExec ( 
similar to Microsoft .", "spans": {"Organization: APT15": [[0, 5]], "Malware: RemoteExec": [[32, 42]], "Organization: Microsoft": [[56, 65]]}, "info": {"id": "dnrti_train_000514", "source": "dnrti_train"}} {"text": "Coincidentally , following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare , we have found evidence of very recent activity by a group referred to as APT15 , known for committing cyber espionage which is believed to be affiliated with the Chinese government .", "spans": {"Organization: Navy": [[51, 55]], "Organization: group": [[177, 182]], "Organization: APT15": [[198, 203]], "Organization: cyber espionage": [[227, 242]]}, "info": {"id": "dnrti_train_000515", "source": "dnrti_train"}} {"text": "APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more .", "spans": {"Organization: APT15": [[0, 5]], "Organization: cyberespionage": [[30, 44]], "Organization: government contractors": [[174, 196]]}, "info": {"id": "dnrti_train_000516", "source": "dnrti_train"}} {"text": "Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": {"Organization: group": [[20, 25]], "Organization: Vixen Panda": [[30, 41]], "Organization: Ke3chang": [[44, 52]], "Organization: Royal APT": [[55, 64]], "Organization: Playful Dragon": [[71, 85]]}, "info": {"id": "dnrti_train_000517", "source": "dnrti_train"}} {"text": "ther names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": {"Organization: group": [[19, 24]], "Organization: Vixen Panda": [[29, 40]], "Organization: Ke3chang": [[43, 51]], "Organization: Royal APT": [[54, 63]], "Organization: Playful Dragon": [[70, 84]]}, "info": {"id": "dnrti_train_000518", "source": "dnrti_train"}} {"text": "There are many articles and researches online about 
APT15 and their activities , the most recent one by NCC Group .", "spans": {"Organization: APT15": [[52, 57]], "Organization: NCC Group": [[104, 113]]}, "info": {"id": "dnrti_train_000519", "source": "dnrti_train"}} {"text": "There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group ; although posted in March 2018 , it refers to a campaign in 2017 .", "spans": {"Organization: APT15": [[52, 57]], "Organization: NCC Group": [[104, 113]]}, "info": {"id": "dnrti_train_000520", "source": "dnrti_train"}} {"text": "both attributed to Chinese government affiliated groups .", "spans": {}, "info": {"id": "dnrti_train_000521", "source": "dnrti_train"}} {"text": "DLL hijacking techniques have been seen in the past with the APT15 group .", "spans": {"System: DLL hijacking techniques": [[0, 24]], "Organization: APT15 group": [[61, 72]]}, "info": {"id": "dnrti_train_000522", "source": "dnrti_train"}} {"text": "cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": {"Organization: cyber actors": [[0, 12]], "Organization: critical infrastructure sectors": [[83, 114]]}, "info": {"id": "dnrti_train_000523", "source": "dnrti_train"}} {"text": "The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA .", "spans": {"Organization: U.S. 
Government": [[4, 19]], "Organization: HIDDEN COBRA": [[93, 105]]}, "info": {"id": "dnrti_train_000524", "source": "dnrti_train"}} {"text": "Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": {"Organization: HIDDEN COBRA actors": [[31, 50]], "Malware: DDoS botnets": [[59, 71]], "Malware: keyloggers": [[74, 84]], "Malware: remote access tools": [[87, 106]], "Malware: RATs": [[109, 113]], "Malware: wiper malware": [[122, 135]]}, "info": {"id": "dnrti_train_000525", "source": "dnrti_train"}} {"text": "Variants of malware and tools used by HIDDEN COBRA actors include Destover and Hangman .", "spans": {"Organization: HIDDEN COBRA actors": [[38, 57]], "Malware: Destover": [[66, 74]], "Malware: Hangman": [[79, 86]]}, "info": {"id": "dnrti_train_000526", "source": "dnrti_train"}} {"text": "DHS has previously released Alert TA14-353A .", "spans": {"Organization: DHS": [[0, 3]]}, "info": {"id": "dnrti_train_000527", "source": "dnrti_train"}} {"text": "The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report .", "spans": {"Organization: Novetta": [[53, 60]]}, "info": {"id": "dnrti_train_000528", "source": "dnrti_train"}} {"text": "Our analysis shows that the cybercriminals behind the attack against an online casino in Central America , and several other targets in late-2017 , were most likely the infamous Lazarus hacking group .", "spans": {"Organization: cybercriminals": [[28, 42]], "Organization: Lazarus hacking group": [[178, 199]]}, "info": {"id": "dnrti_train_000529", "source": "dnrti_train"}} {"text": "The Lazarus Group was first identified in Novetta 's report Operation Blockbuster in February 2016 .", "spans": {"Organization: Lazarus Group": [[4, 17]], "Organization: Novetta": [[42, 49]]}, "info": {"id": "dnrti_train_000530", "source": "dnrti_train"}} {"text": "cyberattacks against high-value targets in Ukraine in 
December 2015 and December 2016 .", "spans": {}, "info": {"id": "dnrti_train_000531", "source": "dnrti_train"}} {"text": "In all of these incidents , the Lazarus utilized similar toolsets , including KillDisk that was executed on compromised machines .", "spans": {"Organization: Lazarus": [[32, 39]], "Malware: KillDisk": [[78, 86]]}, "info": {"id": "dnrti_train_000532", "source": "dnrti_train"}} {"text": "We are confident this KillDisk malware was deployed by Lazarus , rather than by another , unrelated attacker .", "spans": {"Malware: KillDisk malware": [[22, 38]], "Organization: Lazarus": [[55, 62]], "Organization: attacker": [[100, 108]]}, "info": {"id": "dnrti_train_000533", "source": "dnrti_train"}} {"text": "This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack ( we didn't see these exact samples anywhere else ) .", "spans": {"Organization: Lazarus": [[100, 107]]}, "info": {"id": "dnrti_train_000534", "source": "dnrti_train"}} {"text": "Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage .", "spans": {"Malware: KillDisk": [[10, 18]], "Organization: attackers": [[87, 96]], "Organization: cyber-sabotage": [[191, 205]]}, "info": {"id": "dnrti_train_000535", "source": "dnrti_train"}} {"text": "Today we'd like to share some of our findings , and add something new to what 's currently common knowledge about Lazarus Group activities , and their connection to the much talked about February 2016 incident , when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank .", "spans": {"Organization: attacker": [[228, 236]], "Organization: Bangladesh Central Bank": [[277, 300]]}, "info": {"id": "dnrti_train_000536", "source": "dnrti_train"}} {"text": "Since the Bangladesh incident there have been just 
a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist .", "spans": {"Organization: Lazarus Group": [[100, 113]]}, "info": {"id": "dnrti_train_000537", "source": "dnrti_train"}} {"text": "However , from this it 's only clear that Lazarus might have attacked Polish banks .", "spans": {"Organization: Lazarus": [[42, 49]]}, "info": {"id": "dnrti_train_000538", "source": "dnrti_train"}} {"text": "Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Lazarus": [[35, 42]], "Organization: customers": [[80, 89]]}, "info": {"id": "dnrti_train_000539", "source": "dnrti_train"}} {"text": "Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers , it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions , or if Lazarus had in fact developed its own malware to attack banks ' systems .", "spans": {"Organization: attackers": [[120, 129]], "Organization: Lazarus": [[159, 166], [237, 244]]}, "info": {"id": "dnrti_train_000540", "source": "dnrti_train"}} {"text": "We would like to add some strong facts that link some attacks on banks to Lazarus , and share some of our own findings as well as shed some light on the recent TTPs used by the attacker , including some yet unpublished details from the attack in Europe in 2017 .", "spans": {"Organization: Lazarus": [[74, 81]], "Organization: attacker": [[177, 185]]}, "info": {"id": "dnrti_train_000541", "source": "dnrti_train"}} {"text": "Lazarus attacks are not a local problem and clearly the group 's operations span across the whole world .", "spans": {"Organization: group": [[56, 61]]}, "info": {"id": "dnrti_train_000542", "source": "dnrti_train"}} {"text": "Lazarus was previously known to conduct cyberespionage and cybersabotage activities , such as attacks on Sony Pictures Entertainment 
with volumes of internal data leaked , and many system harddrives in the company wiped .", "spans": {"Organization: Lazarus": [[0, 7]], "Organization: Sony Pictures Entertainment": [[105, 132]]}, "info": {"id": "dnrti_train_000543", "source": "dnrti_train"}} {"text": "We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations , while a substantially smaller units within the group , which we have dubbed Bluenoroff , is responsible for financial profit .", "spans": {"Organization: Lazarus Group": [[16, 29]], "Organization: group": [[151, 156]], "Organization: Bluenoroff": [[180, 190]]}, "info": {"id": "dnrti_train_000544", "source": "dnrti_train"}} {"text": "Lazarus regrouped and rushed into new countries , selecting mostly poorer and less developed locations , hitting smaller banks because they are , apparently , easy prey .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_000545", "source": "dnrti_train"}} {"text": "To date , the Lazarus group has been one of the most successful in launching large scale operations against the financial industry .", "spans": {"Organization: Lazarus group": [[14, 27]]}, "info": {"id": "dnrti_train_000546", "source": "dnrti_train"}} {"text": "We believe that Lazarus will remain one of the biggest threats to the banking sector , finance , and trading companies , as well as casinos for the next few years .", "spans": {"Organization: Lazarus": [[16, 23]], "Organization: banking sector": [[70, 84]], "Organization: trading companies": [[101, 118]], "Organization: casinos": [[132, 139]]}, "info": {"id": "dnrti_train_000547", "source": "dnrti_train"}} {"text": "We believe Lazarus started this watering hole attack at the end of 2016 after their other operation was interrupted in South East Asia .", "spans": {"Organization: Lazarus": [[11, 18]]}, "info": {"id": "dnrti_train_000548", "source": "dnrti_train"}} {"text": "We believe they started this watering hole campaign at 
the end of 2016 after their other operation was interrupted in South East Asia .", "spans": {}, "info": {"id": "dnrti_train_000549", "source": "dnrti_train"}} {"text": "A rudimentary but somewhat clever design , KiloAlfa provides keylogging capability for the Lazarus Group 's collection of malicious tools .", "spans": {"Malware: KiloAlfa": [[43, 51]], "Organization: Lazarus Group": [[91, 104]]}, "info": {"id": "dnrti_train_000550", "source": "dnrti_train"}} {"text": "The design of KiloAlfa is broken down into two basic components : the persistence functionality and the keylogging functionality .", "spans": {"Malware: KiloAlfa": [[14, 22]], "Malware: keylogging functionality": [[104, 128]]}, "info": {"id": "dnrti_train_000551", "source": "dnrti_train"}} {"text": "The persistence functionality of KiloAlfa allows the malware to self-install on a victim 's machine when activated ( described below ) .", "spans": {"Malware: KiloAlfa": [[33, 41]]}, "info": {"id": "dnrti_train_000552", "source": "dnrti_train"}} {"text": "Evidence suggest that the Lazarus Group uses compromised infrastructure as the public-facing touchpoint for the majority of their malware samples .", "spans": {"Organization: Lazarus Group": [[26, 39]], "Malware: compromised infrastructure": [[45, 71]]}, "info": {"id": "dnrti_train_000553", "source": "dnrti_train"}} {"text": "PapaAlfa is believed to be one of the proxy malware components that the Lazarus Group uses to hide the true command and control server ( s ) for operations .", "spans": {"Malware: PapaAlfa": [[0, 8]], "Organization: Lazarus Group": [[72, 85]]}, "info": {"id": "dnrti_train_000554", "source": "dnrti_train"}} {"text": "Rather , PapaAlfa could be considered a smart proxy due in part to the fact that the Lazarus can easily switch the backend destination address and port without having to reestablish control over the infected machine hosting the PapaAlfa malware .", "spans": {"Malware: PapaAlfa": [[9, 17]], "Organization: Lazarus": [[85, 
92]], "Malware: PapaAlfa malware": [[228, 244]]}, "info": {"id": "dnrti_train_000555", "source": "dnrti_train"}} {"text": "In terms of form factor , PapaAlfa comes in two flavors : service DLL and standalone executable .", "spans": {"Malware: PapaAlfa": [[26, 34]], "Malware: service DLL": [[58, 69]], "Malware: standalone executable": [[74, 95]]}, "info": {"id": "dnrti_train_000556", "source": "dnrti_train"}} {"text": "The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant .", "spans": {"Malware: IndiaBravo-PapaAlfa installer": [[4, 33]]}, "info": {"id": "dnrti_train_000557", "source": "dnrti_train"}} {"text": "While the tools profiled in this report are not inherently malicious , their capabilities are nonetheless integral to the Lazarus Group 's cyber operations , both espionage and destructive in nature , making them inherently dangerous to potential victims .", "spans": {"Organization: Lazarus Group": [[122, 135]], "Organization: espionage": [[163, 172]]}, "info": {"id": "dnrti_train_000558", "source": "dnrti_train"}} {"text": "These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures .", "spans": {}, "info": {"id": "dnrti_train_000559", "source": "dnrti_train"}} {"text": "Furthermore , like many other identified Lazarus Group families , these tools showcase the group 's creative solutions , such as the PapaAlfa , which makes it difficult to immediately identify potentially malicious activity on a compromised network .", "spans": {"Organization: Lazarus Group": [[41, 54]], "Organization: group": [[91, 96]], "Malware: PapaAlfa": [[133, 141]]}, "info": {"id": "dnrti_train_000560", "source": "dnrti_train"}} {"text": "The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine .", "spans": {"Malware: 
wipers": [[42, 48]]}, "info": {"id": "dnrti_train_000561", "source": "dnrti_train"}} {"text": "DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server .", "spans": {"Malware: DDoS malware": [[0, 12]]}, "info": {"id": "dnrti_train_000562", "source": "dnrti_train"}} {"text": "For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": {"Malware: DeltaAlfa": [[14, 23]], "Malware: DDoS bot": [[36, 44]]}, "info": {"id": "dnrti_train_000563", "source": "dnrti_train"}} {"text": "The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet .", "spans": {"Organization: Novetta": [[26, 33]], "Organization: International Civil Aviation Organization": [[165, 206]]}, "info": {"id": "dnrti_train_000564", "source": "dnrti_train"}} {"text": "Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable .", "spans": {}, "info": {"id": "dnrti_train_000565", "source": "dnrti_train"}} {"text": "This report will explore the various installers , uninstallers and loaders Novetta has observed the Lazarus Group using .", "spans": {"Malware: installers": [[37, 47]], "Malware: uninstallers": [[50, 62]], "Organization: Novetta": [[75, 82]], "Organization: Lazarus Group": [[100, 113]]}, "info": {"id": "dnrti_train_000566", "source": "dnrti_train"}} {"text": "This reverse engineering report looks at the RATs and staging malware found within the Lazarus Group 's collection .", "spans": {"Malware: RATs": [[45, 49]], "Malware: staging malware": [[54, 69]], "Organization: Lazarus Group": [[87, 100]]}, "info": {"id": "dnrti_train_000567", "source": "dnrti_train"}} {"text": 
"Regardless of their sophistication or refinement , the malware families within the Lazarus Group 's India and Lima classes perform at a reasonable level for their designed purpose : the introduction and persistence of malware from the Lazarus Group on a victim 's infrastructure .", "spans": {"Organization: Lazarus Group": [[83, 96], [235, 248]]}, "info": {"id": "dnrti_train_000568", "source": "dnrti_train"}} {"text": "While the capabilities for the installers , loaders , and uninstallers in this report are relatively straight forward and single-focused , analysis of these malware families provide further insight into the capabilities of the Lazarus Group .", "spans": {"Malware: installers": [[31, 41]], "Malware: loaders": [[44, 51]], "Malware: uninstallers": [[58, 70]], "Organization: Lazarus Group": [[227, 240]]}, "info": {"id": "dnrti_train_000569", "source": "dnrti_train"}} {"text": "The Lazarus Group employs a variety of RATs that operate in both client mode and server mode .", "spans": {"Organization: Lazarus Group": [[4, 17]], "Malware: RATs": [[39, 43]]}, "info": {"id": "dnrti_train_000570", "source": "dnrti_train"}} {"text": "The most common communication mode for a RAT is to act as a client to a remote server .", "spans": {"Malware: RAT": [[41, 44]], "System: client": [[60, 66]]}, "info": {"id": "dnrti_train_000571", "source": "dnrti_train"}} {"text": "The Lazarus Group employs a variety of RATs and staging malware to conduct cyber operations , many of which contain significant code overlap that points to at least a shared development environment .", "spans": {"Organization: Lazarus Group": [[4, 17]], "Malware: RATs": [[39, 43]], "Malware: staging malware": [[48, 63]]}, "info": {"id": "dnrti_train_000572", "source": "dnrti_train"}} {"text": "While some members within the Romeo and Sierra groups may not implement sound authentication strategies , shift their design focus in abrupt and unusual manners , and fail to understand the pitfalls of distributed 
command networks , on the whole the families within the Lazarus Group 's collection of RATs and staging malware perform their tasks with surprising effectiveness .", "spans": {"Organization: Romeo": [[30, 35]], "Organization: Sierra groups": [[40, 53]], "Organization: Lazarus Group": [[270, 283]], "Malware: RATs": [[301, 305]], "Malware: staging malware": [[310, 325]]}, "info": {"id": "dnrti_train_000573", "source": "dnrti_train"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": {"Organization: Lazarus": [[44, 51]], "System: phishing emails": [[63, 78]], "Organization: Bitcoin users": [[129, 142]], "Organization: financial organizations": [[154, 177]]}, "info": {"id": "dnrti_train_000574", "source": "dnrti_train"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations .", "spans": {"Organization: Lazarus": [[44, 51]], "System: phishing emails": [[63, 78]], "Organization: financial organizations": [[129, 152]]}, "info": {"id": "dnrti_train_000575", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": {"Organization: McAfee Advanced Threat Research": [[0, 31]], "Organization: cybercrime group": [[127, 143]], "Organization: Lazarus": [[144, 151]], "Malware: sophisticated malware": [[162, 183]]}, "info": {"id": "dnrti_train_000576", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research ( ATR ) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": {"Organization: McAfee 
Advanced Threat Research": [[0, 31]], "Organization: ATR": [[34, 37]], "Organization: cybercrime group": [[135, 151]], "Organization: Lazarus": [[152, 159]], "Malware: sophisticated malware": [[170, 191]]}, "info": {"id": "dnrti_train_000577", "source": "dnrti_train"}} {"text": "Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": {"Organization: Lazarus group": [[24, 37]], "System: spear phishing emails": [[72, 93]], "Organization: job recruiters": [[108, 122]]}, "info": {"id": "dnrti_train_000578", "source": "dnrti_train"}} {"text": "The use of decoy documents also reveals some of the potential targets of the Lazarus group 's malicious activity , specifically the use spear phishing attacks observed targeting South Korean government and aerospace organizations .", "spans": {"Malware: decoy documents": [[11, 26]], "Organization: Lazarus group": [[77, 90]], "Organization: aerospace organizations": [[206, 229]]}, "info": {"id": "dnrti_train_000579", "source": "dnrti_train"}} {"text": "The campaign lasted from April to October and used job descriptions relevant to target organizations , in both English and Korean language .", "spans": {}, "info": {"id": "dnrti_train_000580", "source": "dnrti_train"}} {"text": "The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money .", "spans": {"Organization: Lazarus Group": [[4, 17]]}, "info": {"id": "dnrti_train_000581", "source": "dnrti_train"}} {"text": "In this latest discovery by McAfee , despite a short pause in similar operations , the Lazarus group targets financial organizations .", "spans": {"Organization: McAfee": [[28, 34]], "Organization: Lazarus group": [[87, 100]], "Organization: financial organizations": [[109, 132]]}, "info": {"id": "dnrti_train_000582", "source": "dnrti_train"}} {"text": "This campaign is tailored to 
identifying those who are running Bitcoin related software through specific system scans .", "spans": {}, "info": {"id": "dnrti_train_000583", "source": "dnrti_train"}} {"text": "This Malware Analysis Report ( MAR ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) .", "spans": {"Organization: Department of Homeland Security": [[83, 114]], "Organization: DHS": [[117, 120]], "Organization: FBI": [[165, 168]]}, "info": {"id": "dnrti_train_000584", "source": "dnrti_train"}} {"text": "When victims open malicious documents attached to the emails , the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering .", "spans": {"System: emails": [[54, 60]]}, "info": {"id": "dnrti_train_000585", "source": "dnrti_train"}} {"text": "According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries .", "spans": {"Organization: HIDDEN COBRA actors": [[45, 64]], "Malware: FALLCHILL malware": [[88, 105]]}, "info": {"id": "dnrti_train_000586", "source": "dnrti_train"}} {"text": "The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies .", "spans": {"Malware: RAT": [[34, 37]], "Organization: actors": [[70, 76]]}, "info": {"id": "dnrti_train_000587", "source": "dnrti_train"}} {"text": "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors .", "spans": {"Malware: FALLCHILL": [[0, 9]], "Malware: HIDDEN COBRA malware": [[64, 84]], "Organization: HIDDEN COBRA actors": [[165, 184]]}, "info": {"id": "dnrti_train_000588", "source": "dnrti_train"}} {"text": "HIDDEN COBRA actors use an external tool or dropper to 
install the FALLCHILL malware to establish persistence .", "spans": {"Organization: HIDDEN COBRA actors": [[0, 19]], "Malware: external tool": [[27, 40]], "Malware: dropper": [[44, 51]], "Malware: FALLCHILL malware": [[67, 84]]}, "info": {"id": "dnrti_train_000589", "source": "dnrti_train"}} {"text": "HIDDEN COBRA actors install the FALLCHILL malware to establish persistence .", "spans": {"Organization: HIDDEN COBRA actors": [[0, 19]], "Malware: FALLCHILL malware": [[32, 49]]}, "info": {"id": "dnrti_train_000590", "source": "dnrti_train"}} {"text": "Working with U.S. government partners , DHS and FBI identified Internet Protocol ( IP ) addresses and other indicators of compromise ( IOCs ) associated with a remote administration tool ( RAT ) used by the North Korean government—commonly known as FALLCHILL .", "spans": {"Organization: DHS": [[40, 43]], "Organization: FBI": [[48, 51]], "Malware: remote administration tool": [[160, 186]], "Malware: RAT": [[189, 192]], "Malware: FALLCHILL": [[249, 258]]}, "info": {"id": "dnrti_train_000591", "source": "dnrti_train"}} {"text": "This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"Malware: IOC files": [[14, 23]], "Organization: HIDDEN COBRA": [[32, 44]], "Malware: FALLCHILL": [[67, 76]]}, "info": {"id": "dnrti_train_000592", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications .", "spans": {"Organization: McAfee Advanced Threat Research": [[0, 31]]}, "info": {"id": "dnrti_train_000593", "source": "dnrti_train"}} {"text": "Because of this , additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL .", "spans": {"Malware: HIDDEN COBRA malware": [[29, 49]], "Malware: FALLCHILL": [[93, 102]]}, "info": {"id": "dnrti_train_000594", "source": 
"dnrti_train"}} {"text": "This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA .", "spans": {"Organization: cyber group": [[142, 153]], "Organization: HIDDEN COBRA": [[154, 166]]}, "info": {"id": "dnrti_train_000595", "source": "dnrti_train"}} {"text": "From March 18 to 26 we observed the malware operating in multiple areas of the world .", "spans": {}, "info": {"id": "dnrti_train_000596", "source": "dnrti_train"}} {"text": "Furthermore , the Advanced Threat Research team has discovered Proxysvc , which appears to be an undocumented implant .", "spans": {"Organization: Advanced Threat Research": [[18, 42]], "Malware: Proxysvc": [[63, 71]]}, "info": {"id": "dnrti_train_000597", "source": "dnrti_train"}} {"text": "Our investigation into this campaign reveals that the actor used multiple malware implants , including an unknown implant with capabilities similar to Bankshot .", "spans": {"Organization: actor": [[54, 59]], "Malware: Bankshot": [[151, 159]]}, "info": {"id": "dnrti_train_000598", "source": "dnrti_train"}} {"text": "The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats , including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad , which was used in the Sony Pictures attack .", "spans": {"Organization: attackers": [[4, 13]], "Malware: SSL certificates": [[104, 120]], "Malware: FakeTLS": [[129, 136]], "Malware: Destover backdoor": [[162, 179]], "Malware: Escad": [[197, 202]]}, "info": {"id": "dnrti_train_000599", "source": "dnrti_train"}} {"text": "Based on our analysis of public and private information from submissions , along with product telemetry , it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017 .", "spans": {"Malware: Proxysvc": [[117, 125]], "Malware: Destover": [[154, 162]]}, "info": {"id": 
"dnrti_train_000600", "source": "dnrti_train"}} {"text": "This new variant resembles parts of the Destover malware , which was used in the 2014 Sony Pictures attack .", "spans": {"Malware: Destover malware": [[40, 56]]}, "info": {"id": "dnrti_train_000601", "source": "dnrti_train"}} {"text": "The Lazarus used a similar infrastructure to earlier threats , including the Destover backdoor variant known as Escad .", "spans": {"Organization: Lazarus": [[4, 11]], "Malware: Destover backdoor": [[77, 94]], "Malware: Escad": [[112, 117]]}, "info": {"id": "dnrti_train_000602", "source": "dnrti_train"}} {"text": "The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"Organization: McAfee Advanced Threat Research": [[4, 35]], "Malware: data-gathering implant": [[73, 95]]}, "info": {"id": "dnrti_train_000603", "source": "dnrti_train"}} {"text": "The Advanced Threat Research team uncovered activity related to this campaign in March 2018 , when the actors targeted Turkish banks .", "spans": {"Organization: Advanced Threat Research": [[4, 28]], "Organization: actors": [[103, 109]]}, "info": {"id": "dnrti_train_000604", "source": "dnrti_train"}} {"text": "Lazarus used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_000605", "source": "dnrti_train"}} {"text": "Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": {"Organization: Malefactors": [[0, 11]]}, "info": {"id": "dnrti_train_000606", "source": "dnrti_train"}} {"text": "Feedback from our Smart Protection Network revealed that apart from attacks in North America ( mainly the U.S. 
) , Europe , and South America , the campaign also noticeably affected enterprises in Taiwan , Hong Kong , China , and Bahrain .", "spans": {"Organization: Smart Protection Network": [[18, 42]]}, "info": {"id": "dnrti_train_000607", "source": "dnrti_train"}} {"text": "On February 28 , the McAfee discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": {"Organization: McAfee": [[21, 27]], "Organization: cybercrime group": [[48, 64]], "Organization: HIDDEN COBRA": [[65, 77]], "Organization: financial organizations": [[117, 140]]}, "info": {"id": "dnrti_train_000608", "source": "dnrti_train"}} {"text": "On February 28 , the McAfee Advanced Threat Research team discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": {"Organization: McAfee Advanced Threat Research": [[21, 52]], "Organization: cybercrime group": [[78, 94]], "Organization: HIDDEN COBRA": [[95, 107]], "Organization: financial organizations": [[147, 170]]}, "info": {"id": "dnrti_train_000609", "source": "dnrti_train"}} {"text": "While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": {"Vulnerability: CVE-2015-8651": [[147, 160]], "Vulnerability: CVE-2016-1019": [[163, 176]], "Vulnerability: CVE-2016-4117": [[183, 196]]}, "info": {"id": "dnrti_train_000610", "source": "dnrti_train"}} {"text": "In this analysis , we observed the return of HIDDEN COBRA 's Bankshot malware implant surfacing in the Turkish financial system .", "spans": {"Organization: HIDDEN COBRA": [[45, 57]], "Malware: Bankshot malware": [[61, 77]]}, "info": {"id": "dnrti_train_000611", "source": "dnrti_train"}} {"text": "In this new , aggressive campaign we see a return of the Bankshot implant , which last appeared in 2017 .", "spans": {"Malware: 
Bankshot": [[57, 65]]}, "info": {"id": "dnrti_train_000612", "source": "dnrti_train"}} {"text": "This attack resembles previous attacks by HIDDEN COBRA conducted against the SWIFT .", "spans": {"Organization: HIDDEN COBRA": [[42, 54]]}, "info": {"id": "dnrti_train_000613", "source": "dnrti_train"}} {"text": "The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": {"Vulnerability: CVE-2018-4878": [[39, 52]], "Organization: attacker": [[65, 73]]}, "info": {"id": "dnrti_train_000614", "source": "dnrti_train"}} {"text": "These implants are variations of earlier forms of Bankshot , a remote access tool that gives an attacker full capability on a victim 's system .", "spans": {"Malware: Bankshot": [[50, 58]], "Organization: attacker": [[96, 104]]}, "info": {"id": "dnrti_train_000615", "source": "dnrti_train"}} {"text": "Bankshot was first reported by the Department of Homeland Security on December 13 , 2017 , and has only recently resurfaced in newly compiled variants .", "spans": {"Malware: Bankshot": [[0, 8]], "Organization: Department of Homeland Security": [[35, 66]]}, "info": {"id": "dnrti_train_000616", "source": "dnrti_train"}} {"text": "We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey ( and possibly other countries ) .", "spans": {"Organization: financial organizations": [[88, 111]]}, "info": {"id": "dnrti_train_000617", "source": "dnrti_train"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_train_000618", "source": "dnrti_train"}} {"text": "This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": {"Malware: 32-bit Windows executable file": [[45, 
75]], "Malware: Remote Access Trojan": [[94, 114]], "Malware: RAT": [[117, 120]]}, "info": {"id": "dnrti_train_000619", "source": "dnrti_train"}} {"text": "This malware is capable of accessing device configuration data , downloading additional files , executing commands , modifying the registry , capturing screen shots , and exfiltrating data .", "spans": {}, "info": {"id": "dnrti_train_000620", "source": "dnrti_train"}} {"text": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system .", "spans": {"Malware: Volgmer": [[0, 7]], "Malware: backdoor Trojan": [[13, 28]]}, "info": {"id": "dnrti_train_000621", "source": "dnrti_train"}} {"text": "It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections ; however , HIDDEN COBRA actors use a suite of custom tools , some of which could also be used to initially compromise a system .", "spans": {"System: spear phishing": [[21, 35]], "Malware: Volgmer": [[74, 81]], "Organization: HIDDEN COBRA actors": [[105, 124]], "Malware: custom tools": [[140, 152]]}, "info": {"id": "dnrti_train_000622", "source": "dnrti_train"}} {"text": "Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries .", "spans": {"Organization: HIDDEN COBRA actors": [[22, 41]], "Malware: Volgmer malware": [[67, 82]]}, "info": {"id": "dnrti_train_000623", "source": "dnrti_train"}} {"text": "Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer .", "spans": {"Malware: HIDDEN COBRA malware": [[43, 63]], "System: network infrastructure": [[82, 104]], "Malware: Volgmer": [[122, 129]]}, "info": {"id": "dnrti_train_000624", "source": "dnrti_train"}} {"text": "As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading 
files , executing commands , terminating processes , and listing directories .", "spans": {"Malware: backdoor Trojan": [[5, 20]], "Malware: Volgmer": [[23, 30]]}, "info": {"id": "dnrti_train_000625", "source": "dnrti_train"}} {"text": "In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": {"Organization: US-CERT Code Analysis Team": [[50, 76]], "Malware: botnet controller": [[86, 103]]}, "info": {"id": "dnrti_train_000626", "source": "dnrti_train"}} {"text": "Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": {"Malware: Volgmer": [[0, 7]], "Malware: .dll": [[99, 103]]}, "info": {"id": "dnrti_train_000627", "source": "dnrti_train"}} {"text": "Lazarus actors commonly maintain persistence on a victim 's system by installing the malware-as-a-service .", "spans": {"Organization: Lazarus actors": [[0, 14]], "System: malware-as-a-service": [[85, 105]]}, "info": {"id": "dnrti_train_000628", "source": "dnrti_train"}} {"text": "Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL .", "spans": {"Organization: U.S. 
Government": [[13, 28], [144, 159]], "Organization: DHS": [[40, 43]], "Organization: FBI": [[48, 51]], "Malware: Trojan malware": [[63, 77]]}, "info": {"id": "dnrti_train_000629", "source": "dnrti_train"}} {"text": "The malware uses a custom binary protocol to beacon back to the command and control ( C2 ) server , often via TCP port 8080 or 8088 , with some payloads implementing Secure Socket Layer ( SSL ) encryption to obfuscate communications .", "spans": {"Malware: custom binary protocol": [[19, 41]], "Malware: beacon": [[45, 51]], "Malware: Secure Socket Layer": [[166, 185]], "Malware: SSL": [[188, 191]]}, "info": {"id": "dnrti_train_000630", "source": "dnrti_train"}} {"text": "DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity .", "spans": {"Organization: DHS": [[0, 3]], "Organization: FBI": [[8, 11]]}, "info": {"id": "dnrti_train_000631", "source": "dnrti_train"}} {"text": "The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal .", "spans": {"Malware: RATANKBA": [[21, 29]], "Organization: Lazarus": [[60, 67]]}, "info": {"id": "dnrti_train_000632", "source": "dnrti_train"}} {"text": "We analyzed a new RATANKBA variant ( BKDR_RATANKBA.ZAEL–A ) , discovered in June 2017 , that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified .", "spans": {"Malware: RATANKBA": [[18, 26]], "Malware: BKDR_RATANKBA.ZAEL–A": [[37, 57]], "Malware: PowerShell script": [[100, 117]]}, "info": {"id": "dnrti_train_000633", "source": "dnrti_train"}} {"text": "Around 55% of the victims of Lazarus were located in India and neighboring countries .", "spans": {"Organization: Lazarus": [[29, 36]]}, "info": {"id": "dnrti_train_000634", "source": "dnrti_train"}} {"text": "Lazarus group could have been active since late 2016 , was used in a recent campaign targeting financial institutions using watering hole 
attacks .", "spans": {"Organization: Lazarus group": [[0, 13]], "Organization: financial institutions": [[95, 117]]}, "info": {"id": "dnrti_train_000635", "source": "dnrti_train"}} {"text": "Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government , these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history .", "spans": {"Organization: threat actors": [[122, 135]]}, "info": {"id": "dnrti_train_000636", "source": "dnrti_train"}} {"text": "It 's possible that Lazarus is using RATANKBA to target larger organizations .", "spans": {"Organization: Lazarus": [[20, 27]], "Malware: RATANKBA": [[37, 45]]}, "info": {"id": "dnrti_train_000637", "source": "dnrti_train"}} {"text": "RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders .", "spans": {"Malware: RATANKBA": [[0, 8]], "Malware: Microsoft Office documents": [[83, 109]], "Malware: CHM files": [[122, 131]]}, "info": {"id": "dnrti_train_000638", "source": "dnrti_train"}} {"text": "Overall , an organization will need multilayered security strategies , as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses .", "spans": {"Organization: Lazarus": [[74, 81]], "Organization: groups": [[100, 106]], "Organization: cybercriminals": [[123, 137]]}, "info": {"id": "dnrti_train_000639", "source": "dnrti_train"}} {"text": "simultaneous use of the detected Win32/KillDisk.NBO variants .", "spans": {"Malware: Win32/KillDisk.NBO": [[33, 51]]}, "info": {"id": "dnrti_train_000640", "source": "dnrti_train"}} {"text": "Working with U.S. 
Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government – commonly known as HARDRAIN .", "spans": {"Organization: U.S. Government": [[13, 28]], "Organization: DHS": [[40, 43]], "Organization: FBI": [[48, 51]], "Malware: Trojan malware": [[63, 77]], "Malware: HARDRAIN": [[143, 151]]}, "info": {"id": "dnrti_train_000641", "source": "dnrti_train"}} {"text": "These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections .", "spans": {"Malware: RATs": [[108, 112]]}, "info": {"id": "dnrti_train_000642", "source": "dnrti_train"}} {"text": "The cybercriminal group Lazarus has a history of attacking financial organizations in Asia and Latin America .", "spans": {"Organization: cybercriminal group": [[4, 23]], "Organization: Lazarus": [[24, 31]], "Organization: financial organizations": [[59, 82]]}, "info": {"id": "dnrti_train_000643", "source": "dnrti_train"}} {"text": "We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America .", "spans": {"Organization: Lazarus": [[33, 40]], "Organization: Trend Micro": [[91, 102]], "Malware: BKDR_BINLODR.ZNFJ-A": [[106, 125]], "Organization: financial institutions": [[153, 175]]}, "info": {"id": "dnrti_train_000644", "source": "dnrti_train"}} {"text": "We determined that these backdoors were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component .", "spans": {}, "info": {"id": "dnrti_train_000645", "source": "dnrti_train"}} {"text": "Just last week Lazarus were found stealing millions from ATMs across Asia and Africa .", "spans": {"Organization: Lazarus": [[15, 22]]}, "info": {"id": 
"dnrti_train_000646", "source": "dnrti_train"}} {"text": "These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization .", "spans": {"Organization: Lazarus group": [[34, 47]]}, "info": {"id": "dnrti_train_000647", "source": "dnrti_train"}} {"text": "The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more .", "spans": {"Organization: Lazarus": [[14, 21]], "Organization: attackers": [[139, 148]]}, "info": {"id": "dnrti_train_000648", "source": "dnrti_train"}} {"text": "Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": {"Organization: Trend Micro": [[0, 11]], "Organization: Trend Micro™ Smart Protection Suites": [[39, 75]], "Organization: Worry-Free™ Business Security": [[80, 109]], "Malware: malicious files": [[175, 190]]}, "info": {"id": "dnrti_train_000649", "source": "dnrti_train"}} {"text": "FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation .", "spans": {"Organization: FBI": [[0, 3]], "Organization: HIDDEN COBRA actors": [[29, 48]]}, "info": {"id": "dnrti_train_000650", "source": "dnrti_train"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers 
, universities and health care industries , among others .", "spans": {"Malware: WannaCry": [[42, 50]], "Malware: WCry": [[57, 61]], "Malware: WanaCrypt0r": [[69, 80]]}, "info": {"id": "dnrti_train_000651", "source": "dnrti_train"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": {"Malware: WannaCry": [[42, 50]], "Malware: WCry": [[57, 61]], "Malware: WanaCrypt0r": [[69, 80]]}, "info": {"id": "dnrti_train_000652", "source": "dnrti_train"}} {"text": "We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack , analyzed by BAE Systems , against targets in Asia .", "spans": {"Organization: BAE Systems": [[109, 120]]}, "info": {"id": "dnrti_train_000653", "source": "dnrti_train"}} {"text": "WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": {"Malware: WannaCry": [[0, 8]], "Vulnerability: EternalBlue": [[18, 29]], "Malware: SMB": [[51, 54]]}, "info": {"id": "dnrti_train_000654", "source": "dnrti_train"}} {"text": "Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 .", "spans": {"System: SMB packet": [[26, 36]], "Malware: WannaCry": [[72, 80]]}, "info": {"id": "dnrti_train_000655", "source": "dnrti_train"}} {"text": "WannaCry ( also known as WCry or WanaCryptor ) malware is a self-propagating ( worm-like ) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft 's Server Message Block ( SMB ) protocol , 
MS17-010 .", "spans": {"Malware: WannaCry": [[0, 8]], "Malware: WCry": [[25, 29]], "Malware: WanaCryptor": [[33, 44]], "Malware: ransomware": [[91, 101]], "Organization: Microsoft": [[203, 212]], "Malware: Server Message Block": [[216, 236]], "Malware: SMB": [[239, 242]]}, "info": {"id": "dnrti_train_000656", "source": "dnrti_train"}} {"text": "The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities .", "spans": {"Malware: WannaCry malware": [[4, 20]], "Malware: SMB": [[180, 183]]}, "info": {"id": "dnrti_train_000657", "source": "dnrti_train"}} {"text": "WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Malware: WannaCry": [[0, 8]], "Vulnerability: EternalBlue": [[44, 55]], "Organization: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_train_000658", "source": "dnrti_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"Malware: WannaCry": [[0, 8]], "Malware: .WCRY": [[47, 52]]}, "info": {"id": "dnrti_train_000659", "source": "dnrti_train"}} {"text": "In May 2017 , SecureWorks® Counter Threat Unit® ( CTU ) researchers investigated a widespread and opportunistic WCry ( also known as WanaCry , WanaCrypt , and Wana Decrypt0r ) ransomware campaign that impacted many systems around the world .", "spans": {"Organization: SecureWorks® Counter Threat Unit®": [[14, 47]], "Organization: CTU": [[50, 53]], "Malware: WCry": [[112, 116]]}, "info": {"id": "dnrti_train_000660", "source": "dnrti_train"}} {"text": "In November 2017 , SecureWorks Counter Threat Unit ( CTU ) researchers investigated a widespread and opportunistic WCry ransomware campaign that impacted many systems around the world 
.", "spans": {"Organization: SecureWorks Counter Threat Unit": [[19, 50]], "Organization: CTU": [[53, 56]]}, "info": {"id": "dnrti_train_000661", "source": "dnrti_train"}} {"text": "Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": {"Organization: Microsoft": [[0, 9]], "Vulnerability: SMBv1 vulnerabilities": [[24, 45]]}, "info": {"id": "dnrti_train_000662", "source": "dnrti_train"}} {"text": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": {"Vulnerability: SMBv1 exploit": [[22, 35]], "Organization: Shadow Brokers": [[79, 93]], "Organization: threat group": [[94, 106]]}, "info": {"id": "dnrti_train_000663", "source": "dnrti_train"}} {"text": "If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": {"Malware: DoublePulsar backdoor": [[7, 28]], "Malware: SMB worm": [[55, 63]], "Vulnerability: Eternalblue SMBv1 exploit": [[108, 133]]}, "info": {"id": "dnrti_train_000664", "source": "dnrti_train"}} {"text": "WCry uses a combination of the RSA and AES algorithms to encrypt files .", "spans": {"Malware: WCry": [[0, 4]], "Malware: RSA": [[31, 34]], "Malware: AES": [[39, 42]]}, "info": {"id": "dnrti_train_000665", "source": "dnrti_train"}} {"text": "The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence .", "spans": {"Malware: SMB worm": [[26, 34]], "Malware: WCry": [[49, 53]]}, "info": {"id": "dnrti_train_000666", "source": "dnrti_train"}} {"text": "Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group .", "spans": {"Organization: Microsoft": [[10, 19]], "Organization: Facebook": [[44, 52]], 
"Organization: security community": [[71, 89]], "Organization: threat actor": [[199, 211]], "Organization: ZINC": [[227, 231]], "Organization: Lazarus Group": [[252, 265]]}, "info": {"id": "dnrti_train_000667", "source": "dnrti_train"}} {"text": "Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group .", "spans": {"Organization: Microsoft": [[10, 19]], "Organization: Facebook": [[44, 52]], "Organization: Lazarus Group": [[143, 156]]}, "info": {"id": "dnrti_train_000668", "source": "dnrti_train"}} {"text": "We concluded that Lazarus Group was responsible for WannaCry , a destructive malware .", "spans": {"Organization: Lazarus Group": [[18, 31]], "Malware: WannaCry": [[52, 60]]}, "info": {"id": "dnrti_train_000669", "source": "dnrti_train"}} {"text": "We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": {"Organization: Lazarus Group": [[18, 31]], "Malware: WannaCry": [[52, 60]], "Organization: Microsoft customers": [[105, 124]]}, "info": {"id": "dnrti_train_000670", "source": "dnrti_train"}} {"text": "Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus .", "spans": {"Organization: ZINC/Lazarus": [[198, 210]]}, "info": {"id": "dnrti_train_000671", "source": "dnrti_train"}} {"text": "In November 2017 , Secureworks Counter Threat Unit™ ( CTU ) researchers discovered the North Korean cyber threat group , known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": {"Organization: Secureworks Counter Threat Unit™": [[19, 51]], "Organization: CTU": [[54, 57]], 
"Organization: cyber threat group": [[100, 118]], "Organization: Lazarus Group": [[130, 143]], "Organization: NICKEL ACADEMY": [[170, 184]], "Organization: Secureworks": [[188, 199]], "Organization: cryptocurrency company": [[319, 341]]}, "info": {"id": "dnrti_train_000672", "source": "dnrti_train"}} {"text": "In November 2017 , CTU researchers discovered the North Korean cyber threat group , known as Lazarus Group , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": {"Organization: CTU": [[19, 22]], "Organization: cyber threat group": [[63, 81]], "Organization: Lazarus Group": [[93, 106]], "Organization: cryptocurrency company": [[226, 248]]}, "info": {"id": "dnrti_train_000673", "source": "dnrti_train"}} {"text": "Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations .", "spans": {"Malware: Bankshot": [[0, 8]], "Organization: Advanced Threat Research": [[91, 115]], "Organization: financial organizations": [[184, 207]]}, "info": {"id": "dnrti_train_000674", "source": "dnrti_train"}} {"text": "CTU researchers assess this as the continuation of activity first observed in 2016 , and it is likely that the campaign is ongoing .", "spans": {"Organization: CTU": [[0, 3]]}, "info": {"id": "dnrti_train_000675", "source": "dnrti_train"}} {"text": "CTU researchers have observed NICKEL ACADEMY ( Lazarus ) copying and pasting job descriptions from online recruitment sites in previous campaigns .", "spans": {"Organization: CTU": [[0, 3]], "Organization: NICKEL ACADEMY": [[30, 44]], "Organization: Lazarus": [[47, 54]]}, "info": {"id": "dnrti_train_000676", "source": "dnrti_train"}} {"text": "There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current 
spearphishing campaign .", "spans": {"Organization: CTU": [[46, 49]], "Organization: NICKEL ACADEMY": [[99, 113]]}, "info": {"id": "dnrti_train_000677", "source": "dnrti_train"}} {"text": "CTU researchers also identified components in the custom C2 protocol being used which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": {"Organization: CTU": [[0, 3]], "Malware: custom C2 protocol": [[50, 68]], "Organization: Nickel Academy": [[113, 127]], "Organization: Lazarus": [[130, 137]]}, "info": {"id": "dnrti_train_000678", "source": "dnrti_train"}} {"text": "CTU researchers also identified components in the custom C2 protocol being used ( the way in which the malware talks to the Command and Control Servers ) which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": {"Organization: CTU": [[0, 3]], "Malware: custom C2 protocol": [[50, 68]], "Organization: Nickel Academy": [[187, 201]], "Organization: Lazarus": [[204, 211]]}, "info": {"id": "dnrti_train_000679", "source": "dnrti_train"}} {"text": "Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts .", "spans": {"Organization: Leafminer": [[0, 9]], "System: network services": [[134, 150]], "System: brute-force login": [[173, 190]]}, "info": {"id": "dnrti_train_000680", "source": "dnrti_train"}} {"text": "The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group .", "spans": {"Malware: RAT": [[90, 93]], "Organization: NICKEL ACADEMY": [[147, 161]], "Organization: Lazarus": [[164, 171]], "Organization: threat group": [[174, 186]]}, "info": {"id": "dnrti_train_000681", "source": "dnrti_train"}} {"text": "During our investigation , there was a breakthrough discovery that helped connect Leafminer to a 
number of attacks observed on systems in the Middle East and identify the toolkit used in the group 's efforts of intrusion , lateral movement , and exfiltration .", "spans": {"Organization: Leafminer": [[82, 91]], "Organization: group": [[191, 196]]}, "info": {"id": "dnrti_train_000682", "source": "dnrti_train"}} {"text": "As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the Leafminer .", "spans": {"Malware: public web shell": [[103, 119]], "Organization: Leafminer": [[135, 144]]}, "info": {"id": "dnrti_train_000683", "source": "dnrti_train"}} {"text": "As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers .", "spans": {"Malware: public web shell": [[103, 119]], "Organization: attackers": [[135, 144]]}, "info": {"id": "dnrti_train_000684", "source": "dnrti_train"}} {"text": "The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems .", "spans": {"Organization: Leafminer": [[4, 13], [55, 64]]}, "info": {"id": "dnrti_train_000685", "source": "dnrti_train"}} {"text": "Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army .", "spans": {"Organization: hacker": [[16, 22]], "Organization: Ashiyane": [[92, 100]], "Organization: hacker group": [[139, 151]], "Organization: Sun Army": [[152, 160]]}, "info": {"id": "dnrti_train_000686", "source": "dnrti_train"}} {"text": "Targeted regions included in the list of Leafminer are Saudi Arabia , United Arab Emirates , Qatar , Kuwait , Bahrain , Egypt , Israel , and Afghanistan .", "spans": {"Organization: Leafminer": [[41, 50]]}, "info": {"id": "dnrti_train_000687", "source": "dnrti_train"}} {"text": "Our investigation of Leafminer started with the discovery of 
JavaScript code on several compromised websites in the Middle East .", "spans": {"Organization: Leafminer": [[21, 30]], "Malware: JavaScript code": [[61, 76]], "Malware: compromised websites": [[88, 108]]}, "info": {"id": "dnrti_train_000688", "source": "dnrti_train"}} {"text": "This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017 .", "spans": {"Malware: Fuzzbunch": [[18, 27]], "Organization: Shadow Brokers": [[101, 115]]}, "info": {"id": "dnrti_train_000689", "source": "dnrti_train"}} {"text": "Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": {"Organization: Leafminer": [[0, 9]], "Vulnerability: SMB vulnerabilities": [[124, 143]], "Organization: Microsoft": [[157, 166]]}, "info": {"id": "dnrti_train_000690", "source": "dnrti_train"}} {"text": "The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"Vulnerability: EternalBlue exploit": [[4, 23]], "Malware: Petya": [[137, 142]], "Malware: NotPetya": [[145, 153]]}, "info": {"id": "dnrti_train_000691", "source": "dnrti_train"}} {"text": "The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": {"Organization: Leafminer": [[4, 13]], "Organization: operators": [[14, 23]], "Vulnerability: EternalBlue": [[28, 39]]}, "info": {"id": "dnrti_train_000692", "source": "dnrti_train"}} {"text": "Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Leafminer": [[35, 44]], "Vulnerability: Heartbleed vulnerability": [[61, 85]], "Vulnerability: CVE-2014-0160": [[88, 101]]}, 
"info": {"id": "dnrti_train_000693", "source": "dnrti_train"}} {"text": "Furthermore , the Leafminer arsenal server hosted a Python script to scan for this vulnerability .", "spans": {"Organization: Leafminer": [[18, 27]], "Malware: Python script": [[52, 65]]}, "info": {"id": "dnrti_train_000694", "source": "dnrti_train"}} {"text": "Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system .", "spans": {"Organization: Leafminer": [[35, 44]], "Malware: hacktools": [[160, 169]]}, "info": {"id": "dnrti_train_000695", "source": "dnrti_train"}} {"text": "Commands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in Leafminer 's tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia .", "spans": {"Malware: THC Hydra": [[92, 101]], "Organization: Leafminer": [[105, 114]]}, "info": {"id": "dnrti_train_000696", "source": "dnrti_train"}} {"text": "Symantec identified two strains of custom malware used by the Leafminer group : Trojan.Imecab and Backdoor.Sorgu .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Leafminer group": [[62, 77]], "Malware: Trojan.Imecab": [[80, 93]], "Malware: Backdoor.Sorgu": [[98, 112]]}, "info": {"id": "dnrti_train_000697", "source": "dnrti_train"}} {"text": "Leafminer is a highly active group , responsible for targeting a range of organizations across the Middle East .", "spans": {"Organization: Leafminer": [[0, 9]], "Organization: group": [[29, 34]]}, "info": {"id": "dnrti_train_000698", "source": "dnrti_train"}} {"text": "Leafminer appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors .", "spans": {"Organization: Leafminer": 
[[0, 9]], "Organization: threat actors": [[135, 148]]}, "info": {"id": "dnrti_train_000699", "source": "dnrti_train"}} {"text": "Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year .", "spans": {"Organization: Leafminer": [[0, 9]], "System: Process Doppelganging": [[24, 45]]}, "info": {"id": "dnrti_train_000700", "source": "dnrti_train"}} {"text": "Dragos has identified Leafminer group targeting access operations in the electric utility sector .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: Leafminer group": [[22, 37]], "Organization: electric utility sector": [[73, 96]]}, "info": {"id": "dnrti_train_000701", "source": "dnrti_train"}} {"text": "Analysis of RASPITE tactics , techniques , and procedures ( TTPs ) indicate the group has been active in some form since early - to mid-2017 .", "spans": {"Organization: RASPITE": [[12, 19]], "Organization: group": [[80, 85]]}, "info": {"id": "dnrti_train_000702", "source": "dnrti_train"}} {"text": "RASPITE targeting includes entities in the US , Middle East , Europe , and East Asia .", "spans": {"Organization: RASPITE": [[0, 7]]}, "info": {"id": "dnrti_train_000703", "source": "dnrti_train"}} {"text": "RASPITE overlaps significantly with Symantec 's Leafminer , which recently released a report on the group 's activity in the Middle East .", "spans": {"Organization: RASPITE": [[0, 7]], "Organization: Symantec": [[36, 44]], "Organization: Leafminer": [[48, 57]], "Organization: group": [[100, 105]]}, "info": {"id": "dnrti_train_000704", "source": "dnrti_train"}} {"text": "RASPITE 's activity to date currently focuses on initial access operations within the electric utility sector .", "spans": {"Organization: RASPITE": [[0, 7]], "Organization: electric utility sector": [[86, 109]]}, "info": {"id": "dnrti_train_000705", "source": "dnrti_train"}} {"text": "This means that the Leafminer group is targeting electric utilities .", 
"spans": {"Organization: Leafminer group": [[20, 35]], "Organization: electric utilities": [[49, 67]]}, "info": {"id": "dnrti_train_000706", "source": "dnrti_train"}} {"text": "While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events .", "spans": {"Organization: group": [[10, 15]], "Malware: ICS": [[44, 47], [245, 248]], "Organization: RASPITE": [[61, 68]]}, "info": {"id": "dnrti_train_000707", "source": "dnrti_train"}} {"text": "Active since at least 2014 , this actor has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": {"Organization: actor": [[34, 39]], "Organization: naval defense contractors": [[92, 117]], "Organization: research institutions": [[135, 156]]}, "info": {"id": "dnrti_train_000708", "source": "dnrti_train"}} {"text": "Active since at least 2014 , the Leviathan has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": {"Organization: Leviathan": [[33, 42]], "Organization: naval defense contractors": [[95, 120]], "Organization: research institutions": [[138, 159]]}, "info": {"id": "dnrti_train_000709", "source": "dnrti_train"}} {"text": "On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties .", "spans": {"Organization: Proofpoint": [[32, 42]], "System: spearphishing emails": [[64, 84]], "Organization: group": [[95, 100]], "Organization: shipbuilding company": [[116, 136]]}, "info": {"id": "dnrti_train_000710", "source": "dnrti_train"}} {"text": "The attachments exploited CVE-2017-8759 which was 
discovered and documented only five days prior to the campaign .", "spans": {"Vulnerability: CVE-2017-8759": [[26, 39]]}, "info": {"id": "dnrti_train_000711", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_000712", "source": "dnrti_train"}} {"text": "Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"Organization: actor": [[29, 34]], "System: spearphishing emails": [[49, 69]], "Organization: defense contractors": [[129, 148]]}, "info": {"id": "dnrti_train_000713", "source": "dnrti_train"}} {"text": "Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"Organization: Leviathan": [[29, 38]], "System: spearphishing emails": [[53, 73]], "Organization: defense contractors": [[133, 152]]}, "info": {"id": "dnrti_train_000714", "source": "dnrti_train"}} {"text": "The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": {"Organization: Leviathan": [[4, 13]], "Malware: macro-laden Microsoft Word documents": [[37, 73]], "Organization: development organizations": [[106, 131]]}, "info": {"id": "dnrti_train_000715", "source": "dnrti_train"}} {"text": "The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor .", "spans": {"Organization: Proofpoint": [[95, 105]], "Organization: actor": [[156, 161]]}, "info": {"id": "dnrti_train_000716", "source": "dnrti_train"}} {"text": "The Leviathan , whose espionage activities primarily focus on targets in the US and Western Europe with 
military ties , has been active since at least 2014 .", "spans": {"Organization: Leviathan": [[4, 13]]}, "info": {"id": "dnrti_train_000717", "source": "dnrti_train"}} {"text": "This actor , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": {"Organization: actor": [[5, 10]]}, "info": {"id": "dnrti_train_000718", "source": "dnrti_train"}} {"text": "The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013 , dubbed TEMP.Periscope .", "spans": {"Organization: group": [[28, 33]], "Organization: cyber espionage actors": [[55, 77]], "Organization: TEMP.Periscope": [[114, 128]]}, "info": {"id": "dnrti_train_000719", "source": "dnrti_train"}} {"text": "The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy .", "spans": {"Organization: Leviathan": [[4, 13]], "System: Microsoft Excel documents": [[32, 57]], "Organization: Navy": [[156, 160]]}, "info": {"id": "dnrti_train_000720", "source": "dnrti_train"}} {"text": "The current campaign is a sharp escalation of detected activity since summer 2017 .", "spans": {}, "info": {"id": "dnrti_train_000721", "source": "dnrti_train"}} {"text": "Since early 2018 , FireEye ( including our FireEye as a Service ( FaaS ) , Mandiant Consulting , and iSIGHT Intelligence teams ) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities , especially those connected to South China Sea issues .", "spans": {"Organization: FireEye": [[19, 26], [43, 50]], "Organization: Mandiant Consulting": [[75, 94]], "Organization: iSIGHT Intelligence": [[101, 120]], "Organization: maritime entities": [[203, 220]]}, "info": {"id": "dnrti_train_000722", "source": "dnrti_train"}} {"text": "Known targets of the Leviathan have been involved in the maritime industry , and research 
institutes , academic organizations , and private firms in the United States .", "spans": {"Organization: Leviathan": [[21, 30]], "Organization: research institutes": [[81, 100]], "Organization: academic organizations": [[103, 125]], "Organization: private firms": [[132, 145]]}, "info": {"id": "dnrti_train_000723", "source": "dnrti_train"}} {"text": "Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: TEMP.Periscope": [[29, 43]], "Organization: engineering firms": [[132, 149]], "Organization: government offices": [[208, 226]]}, "info": {"id": "dnrti_train_000724", "source": "dnrti_train"}} {"text": "TEMP.Periscope overlaps in targeting , as well as tactics , techniques , and procedures ( TTPs ) , with TEMP.Jumper , a group that also overlaps significantly with public reporting on NanHaiShu .", "spans": {"Organization: TEMP.Periscope": [[0, 14]], "Organization: TEMP.Jumper": [[104, 115]], "Organization: group": [[120, 125]], "Malware: NanHaiShu": [[184, 193]]}, "info": {"id": "dnrti_train_000725", "source": "dnrti_train"}} {"text": "The actor has conducted operations since at least 2013 in support of China 's naval modernization effort .", "spans": {"Organization: actor": [[4, 9]]}, "info": {"id": "dnrti_train_000726", "source": "dnrti_train"}} {"text": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: actor": [[155, 160]], "Organization: APT40": [[169, 174]]}, "info": {"id": "dnrti_train_000727", "source": "dnrti_train"}} {"text": "The Leviathan group has specifically targeted engineering , transportation , and the defense industry , especially where 
these sectors overlap with maritime technologies .", "spans": {"Organization: Leviathan group": [[4, 19]]}, "info": {"id": "dnrti_train_000728", "source": "dnrti_train"}} {"text": "We believe APT40 's emphasis on maritime issues and naval technology ultimately support China 's ambition to establish a blue-water navy .", "spans": {"Organization: APT40": [[11, 16]]}, "info": {"id": "dnrti_train_000729", "source": "dnrti_train"}} {"text": "Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research .", "spans": {"Organization: APT40": [[14, 19]]}, "info": {"id": "dnrti_train_000730", "source": "dnrti_train"}} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": {"Organization: APT40": [[0, 5]]}, "info": {"id": "dnrti_train_000731", "source": "dnrti_train"}} {"text": "We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation .", "spans": {"Organization: APT40": [[40, 45]]}, "info": {"id": "dnrti_train_000732", "source": "dnrti_train"}} {"text": "The actor 's targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China .", "spans": {"Organization: actor": [[4, 9], [124, 129]]}, "info": {"id": "dnrti_train_000733", "source": "dnrti_train"}} {"text": "Analysis of the operational times of the group 's activities indicates that it is probably centered around China Standard Time ( UTC +8 ) .", "spans": {"Organization: group": [[41, 46]]}, "info": {"id": "dnrti_train_000734", "source": "dnrti_train"}} {"text": "APT40 relies heavily on web shells for an initial foothold into an organization .", "spans": {"Organization: APT40": [[0, 5]], "Malware: web shells": [[24, 34]]}, "info": {"id": "dnrti_train_000735", "source": "dnrti_train"}} {"text": "APT40 has been observed leveraging a 
variety of techniques for initial compromise , including web server exploitation , phishing campaigns delivering publicly available and custom backdoors , and strategic web compromises .", "spans": {"Organization: APT40": [[0, 5]], "System: strategic web compromises": [[196, 221]]}, "info": {"id": "dnrti_train_000736", "source": "dnrti_train"}} {"text": "Depending on placement , a web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement .", "spans": {}, "info": {"id": "dnrti_train_000737", "source": "dnrti_train"}} {"text": "The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: CVE-2012-0158": [[59, 72]]}, "info": {"id": "dnrti_train_000738", "source": "dnrti_train"}} {"text": "A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label \" the Lotus Blossom Operation \" , likely named for the debug string present in much of the \" Elise \" codebase since at least 2012 : \" d:\\lstudio\\projects\\lotus\\… \" .", "spans": {"Organization: Palo Alto Networks": [[44, 62]], "Malware: Elise": [[213, 218]]}, "info": {"id": "dnrti_train_000739", "source": "dnrti_train"}} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"Organization: Spring Dragon group": [[14, 33]], "Vulnerability: spearphish exploits": [[60, 79]], "System: strategic web compromises": [[82, 107]]}, "info": {"id": "dnrti_train_000740", "source": "dnrti_train"}} {"text": "The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: PDF exploits": [[41, 53]], 
"Vulnerability: Adobe Flash Player exploits": [[56, 83]], "Vulnerability: CVE-2012-0158": [[101, 114]], "Vulnerability: Word exploits": [[115, 128]], "Malware: Tran Duy Linh": [[175, 188]]}, "info": {"id": "dnrti_train_000741", "source": "dnrti_train"}} {"text": "The Spring Dragon appears to have rolled out a steady mix of exploits against government-related organizations in VN , TW , PH , and other locations over the past few years .", "spans": {"Organization: Spring Dragon": [[4, 17]], "Organization: government-related organizations": [[78, 110]]}, "info": {"id": "dnrti_train_000742", "source": "dnrti_train"}} {"text": "Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned .", "spans": {"Organization: Spring Dragon": [[49, 62]]}, "info": {"id": "dnrti_train_000743", "source": "dnrti_train"}} {"text": "Spring Dragon 's infiltration techniques there were not simply spearphish .", "spans": {"Organization: Spring Dragon": [[0, 13]], "System: spearphish": [[63, 73]]}, "info": {"id": "dnrti_train_000744", "source": "dnrti_train"}} {"text": "The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": {"Malware: Zawgyi_Keyboard_L.zip": [[24, 45]], "Malware: setup.exe": [[69, 78]], "Malware: Elise": [[139, 144]], "Malware: wincex.dll": [[147, 157]]}, "info": {"id": "dnrti_train_000745", "source": "dnrti_train"}} {"text": "While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": {"Organization: actor": [[22, 27]], "Vulnerability: CVE-2012-0158": [[67, 80]], "Organization: Spring Dragon": [[104, 117]]}, "info": {"id": "dnrti_train_000746", "source": "dnrti_train"}} {"text": "The well-known threat group called 
DRAGONFISH or Lotus Blossom are distributing a new form of Elise malware targeting organizations for espionage purposes .", "spans": {"Organization: threat group": [[15, 27]], "Organization: DRAGONFISH": [[35, 45]], "Organization: Lotus Blossom": [[49, 62]], "Malware: Elise malware": [[94, 107]], "Organization: espionage": [[136, 145]]}, "info": {"id": "dnrti_train_000747", "source": "dnrti_train"}} {"text": "The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea .", "spans": {"Organization: threat actors": [[4, 17]], "Organization: DRAGONFISH": [[34, 44]]}, "info": {"id": "dnrti_train_000748", "source": "dnrti_train"}} {"text": "iDefense analysts have identified a campaign likely to be targeting members of— or those with affiliation or interest in—the ASEAN Defence Ministers ' Meeting ( ADMM ) .", "spans": {"Organization: iDefense": [[0, 8]], "Organization: Defence Ministers ' Meeting": [[131, 158]], "Organization: ADMM": [[161, 165]]}, "info": {"id": "dnrti_train_000749", "source": "dnrti_train"}} {"text": "iDefense analysts have identified a campaign likely to be targeting members of or those with affiliation or interest in the ASEAN Defence Minister 's Meeting ( ADMM ) .", "spans": {"Organization: iDefense": [[0, 8]], "Organization: ASEAN Defence Minister 's Meeting": [[124, 157]], "Organization: ADMM": [[160, 164]]}, "info": {"id": "dnrti_train_000750", "source": "dnrti_train"}} {"text": "iDefense assesses with high confidence that this campaign is associated with the threat group DRAGONFISH ( also known as Lotus Blossom and Spring Dragon ) .", "spans": {"Organization: iDefense": [[0, 8]], "Organization: threat group": [[81, 93]], "Organization: DRAGONFISH": [[94, 104]], "Organization: Lotus Blossom": [[121, 134]], "Organization: Spring Dragon": [[139, 152]]}, "info": {"id": "dnrti_train_000751", "source": "dnrti_train"}} {"text": "To 
mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"Vulnerability: CVE-2017-11882": [[239, 253]]}, "info": {"id": "dnrti_train_000752", "source": "dnrti_train"}} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": {"Organization: actors": [[4, 10]], "Vulnerability: CVE-2014-6332": [[32, 45]], "Malware: Emissary": [[144, 152]]}, "info": {"id": "dnrti_train_000753", "source": "dnrti_train"}} {"text": "The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": {"Organization: individual": [[22, 32]], "Organization: actors": [[46, 52]]}, "info": {"id": "dnrti_train_000754", "source": "dnrti_train"}} {"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: threat actors": [[24, 37]], "System: spear-phishing email": [[45, 65]], "Organization: individual": [[72, 82]]}, "info": {"id": "dnrti_train_000755", "source": "dnrti_train"}} {"text": "On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: Lotus Blossom": [[24, 37]], "System: spear-phishing email": [[45, 65]], "Organization: individual": [[72, 82]]}, "info": {"id": "dnrti_train_000756", "source": "dnrti_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by 
CVE-2014-6332 .", "spans": {"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_train_000757", "source": "dnrti_train"}} {"text": "Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Vulnerability: CVE-2014-6332": [[35, 48]]}, "info": {"id": "dnrti_train_000758", "source": "dnrti_train"}} {"text": "This Trojan is related to the Elise backdoor described in the Operation Lotus Blossom report .", "spans": {"Malware: Elise backdoor": [[30, 44]]}, "info": {"id": "dnrti_train_000759", "source": "dnrti_train"}} {"text": "Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Vulnerability: CVE-2014-6332": [[40, 53]], "Malware: Emissary Trojan": [[86, 101]]}, "info": {"id": "dnrti_train_000760", "source": "dnrti_train"}} {"text": "APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": {"Organization: APT threat actors": [[0, 17]], "Organization: diplomat": [[68, 76]]}, "info": {"id": "dnrti_train_000761", "source": "dnrti_train"}} {"text": "Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": {"Organization: French diplomat": [[34, 49]], "Organization: actors": [[115, 121]]}, "info": {"id": "dnrti_train_000762", "source": "dnrti_train"}} {"text": "The Elise malware used by Lotus Blossom , which was an attack campaign on targets in Southeast Asia .", "spans": {"Malware: Elise malware": [[4, 17]], "Organization: Lotus 
Blossom": [[26, 39]]}, "info": {"id": "dnrti_train_000763", "source": "dnrti_train"}} {"text": "Based on the targeting and lures , Unit 42 assesses that the Lotus Blossom actors ' collection requirements include militaries and government agencies in Southeast Asia .", "spans": {"Organization: Unit 42": [[35, 42]], "Organization: Lotus Blossom actors": [[61, 81]], "Organization: government agencies": [[131, 150]]}, "info": {"id": "dnrti_train_000764", "source": "dnrti_train"}} {"text": "In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload .", "spans": {"Organization: Unit 42": [[19, 26]], "Malware: Emissary Trojan": [[85, 100]]}, "info": {"id": "dnrti_train_000765", "source": "dnrti_train"}} {"text": "The oldest sample we found was created in 2009 , indicating this tool has been in use for almost seven years .", "spans": {}, "info": {"id": "dnrti_train_000766", "source": "dnrti_train"}} {"text": "In addition , Emissary appears to against Taiwan or Hong Kong , all of the decoys are written in Traditional Chinese , and they use themes related to the government or military .", "spans": {"Malware: Emissary": [[14, 22]]}, "info": {"id": "dnrti_train_000767", "source": "dnrti_train"}} {"text": "Of note , this is three years earlier than the oldest Elise sample we have found , suggesting this group has been active longer than previously documented .", "spans": {"Malware: Elise sample": [[54, 66]], "Organization: group": [[99, 104]]}, "info": {"id": "dnrti_train_000768", "source": "dnrti_train"}} {"text": "In addition , we observed a TTP shift post publication with regards to their malware delivery ; they started using compromised but legitimate domains to serve their malware .", "spans": {"Malware: legitimate domains": [[131, 149]]}, "info": {"id": "dnrti_train_000769", "source": "dnrti_train"}} {"text": "All of the Emissary we've collected are written in Traditional Chinese , which is used primarily in Taiwan 
and Hong Kong .", "spans": {"Malware: Emissary": [[11, 19]]}, "info": {"id": "dnrti_train_000770", "source": "dnrti_train"}} {"text": "One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015 , resulting in many new versions of the Emissary Trojan .", "spans": {"Malware: Emissary": [[119, 127]], "Malware: Emissary Trojan": [[259, 274]]}, "info": {"id": "dnrti_train_000771", "source": "dnrti_train"}} {"text": "Lotus Blossom targeted the government , higher education , and high tech companies .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Organization: high tech companies": [[63, 82]]}, "info": {"id": "dnrti_train_000772", "source": "dnrti_train"}} {"text": "Our evidence suggests that malware authors created Emissary as early as 2009 , which suggests that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years .", "spans": {"Malware: Emissary": [[51, 59]], "Organization: threat actors": [[99, 112]]}, "info": {"id": "dnrti_train_000773", "source": "dnrti_train"}} {"text": "While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access .", "spans": {"Organization: threat actors": [[119, 132]]}, "info": {"id": "dnrti_train_000774", "source": "dnrti_train"}} {"text": "The timeline in Figure 2 shows that the Emissary Trojan was first created ( version 1.0 ) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009 .", "spans": {"Malware: Emissary Trojan": [[40, 55]]}, "info": {"id": "dnrti_train_000775", "source": "dnrti_train"}} {"text": "Between August and November 2015 the malware author creates several new versions of Emissary , specifically 5.0 , 5.1 , 5.3 
and 5.4 in a much more rapid succession compared to development process in earlier versions .", "spans": {"Malware: Emissary": [[84, 92]]}, "info": {"id": "dnrti_train_000776", "source": "dnrti_train"}} {"text": "Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014 .", "spans": {}, "info": {"id": "dnrti_train_000777", "source": "dnrti_train"}} {"text": "While this may be coincidental , the out-of-sequence version 3.0 sample was created ten days after we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary .", "spans": {"Malware: Elise Trojan": [[163, 175]], "Malware: Emissary": [[203, 211]]}, "info": {"id": "dnrti_train_000778", "source": "dnrti_train"}} {"text": "The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies .", "spans": {"Organization: Lotus Blossom": [[4, 17]], "Organization: high tech companies": [[99, 118]]}, "info": {"id": "dnrti_train_000779", "source": "dnrti_train"}} {"text": "The use of Emissary appears to be focused only on Taiwan and Hong Kong , with regular malware updates to avoid detection and to increase the odds of success .", "spans": {"Malware: Emissary": [[11, 19]]}, "info": {"id": "dnrti_train_000780", "source": "dnrti_train"}} {"text": "The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia .", "spans": {"Organization: Lotus Blossom actors": [[4, 24]], "Malware: Emissary": [[31, 39]]}, "info": {"id": "dnrti_train_000781", "source": "dnrti_train"}} {"text": "Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia .", "spans": {"Organization: technology sectors": [[82, 100]]}, "info": {"id": "dnrti_train_000782", "source": "dnrti_train"}} {"text": "Regardless of causation , the rapid development of new 
versions of Emissary suggests that the malware authors are making frequent modifications to evade detection , which as a corollary suggests the Lotus Blossom are actively using the Emissary Trojan as a payload in attacks .", "spans": {"Malware: Emissary": [[67, 75]], "Organization: Lotus Blossom": [[199, 212]], "Malware: Emissary Trojan": [[236, 251]]}, "info": {"id": "dnrti_train_000783", "source": "dnrti_train"}} {"text": "Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \" Rocket Kitten \" ( AKA Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish ) as well as an older attack campaign called Newscasters .", "spans": {"Organization: group": [[119, 124]], "Organization: Rocket Kitten": [[134, 147]], "Organization: Operation Saffron Rose": [[156, 178]], "Organization: Ajax Security Team": [[181, 199]], "Organization: Operation Woolen-Goldfish": [[202, 227]]}, "info": {"id": "dnrti_train_000784", "source": "dnrti_train"}} {"text": "In addition to the malware evolution , the actors also shifted from solely spear-phishing targets with attachments to also compromising legitimate websites to host malware .", "spans": {"Organization: actors": [[43, 49]], "System: spear-phishing": [[75, 89]]}, "info": {"id": "dnrti_train_000785", "source": "dnrti_train"}} {"text": "It is highly likely the Lotus Blossom used spear-phishing attacks containing links to these malicious documents as a delivery mechanism .", "spans": {"Organization: Lotus Blossom": [[24, 37]]}, "info": {"id": "dnrti_train_000786", "source": "dnrti_train"}} {"text": "We were ultimately able to identify multiple organizations in the government , energy , and technology sectors targeted by Magic Hound .", "spans": {"Organization: technology sectors": [[92, 110]]}, "info": {"id": "dnrti_train_000787", "source": "dnrti_train"}} {"text": "The Magic Hound attacks did not rely on exploit code to compromise targeted 
systems , instead relying on Excel and Word documents containing malicious macros .", "spans": {"System: Excel": [[105, 110]], "System: Word documents": [[115, 129]]}, "info": {"id": "dnrti_train_000788", "source": "dnrti_train"}} {"text": "The MPK bot is not publicly available and had previously been attributed to an adversary group called \" Rocket Kitten \" which has often been thought to be a state sponsored adversary operating in the Middle East region .", "spans": {"Malware: MPK bot": [[4, 11]], "Organization: group": [[89, 94]], "Organization: Rocket Kitten": [[104, 117]]}, "info": {"id": "dnrti_train_000789", "source": "dnrti_train"}} {"text": "One payload was a Python based open source remote administration tool ( RAT ) called Pupy .", "spans": {"Malware: RAT": [[72, 75]], "Malware: Pupy": [[85, 89]]}, "info": {"id": "dnrti_train_000790", "source": "dnrti_train"}} {"text": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover .", "spans": {"System: Word": [[30, 34]], "System: Excel": [[39, 44]], "Malware: MagicHound.Rollover": [[138, 157]]}, "info": {"id": "dnrti_train_000791", "source": "dnrti_train"}} {"text": "Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES .", "spans": {"Malware: AES": [[124, 127]]}, "info": {"id": "dnrti_train_000792", "source": "dnrti_train"}} {"text": "The loader 's main goal was to run a PowerShell command to execute shellcode .", "spans": {"Malware: PowerShell command": [[37, 55]]}, "info": {"id": "dnrti_train_000793", "source": "dnrti_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"Malware: c:\\temp\\rr.exe": [[54, 68]]}, "info": {"id": "dnrti_train_000794", "source": "dnrti_train"}} {"text": "The Magic 
Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": {"Malware: custom dropper": [[53, 67]], "Malware: MagicHound.DropIt": [[95, 112]]}, "info": {"id": "dnrti_train_000795", "source": "dnrti_train"}} {"text": "We have also seen Magic Hound using DropIt as a binder , specifically dropping a legitimate decoy executable along with the malicious executable onto the target host .", "spans": {"Malware: DropIt": [[36, 42]]}, "info": {"id": "dnrti_train_000796", "source": "dnrti_train"}} {"text": "We also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on .", "spans": {"Malware: IRC bot": [[23, 30]], "Malware: MPK": [[38, 41]], "Malware: Leash sample": [[85, 97]]}, "info": {"id": "dnrti_train_000797", "source": "dnrti_train"}} {"text": "The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region .", "spans": {"Organization: espionage": [[60, 69]]}, "info": {"id": "dnrti_train_000798", "source": "dnrti_train"}} {"text": "Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia .", "spans": {"Organization: technology sectors": [[47, 65]]}, "info": {"id": "dnrti_train_000799", "source": "dnrti_train"}} {"text": "At a high level , Retriever is a .NET downloader that downloads secondary payloads from servers associated with Magic Hound .", "spans": {"Malware: Retriever": [[18, 27]], "Malware: .NET downloader": [[33, 48]]}, "info": {"id": "dnrti_train_000800", "source": "dnrti_train"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"Malware: DropIt sample": 
[[28, 41]], "Malware: %TEMP%\\flash_update.exe": [[179, 202]], "Malware: Flash Player installer": [[227, 249]]}, "info": {"id": "dnrti_train_000801", "source": "dnrti_train"}} {"text": "M-Trends 2018 can arm security teams with the knowledge they need to defend against today 's most often used cyber attacks , as well as lesser seen and emerging threats .", "spans": {"Organization: M-Trends": [[0, 8]]}, "info": {"id": "dnrti_train_000802", "source": "dnrti_train"}} {"text": "FireEye tracks thousands of threat actors , but pays special attention to state-sponsored attackers who carry out advanced persistent threat ( APT ) attacks .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: threat actors": [[28, 41]], "Organization: attackers": [[90, 99]], "Organization: APT": [[143, 146]]}, "info": {"id": "dnrti_train_000803", "source": "dnrti_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": {"Organization: APT32": [[22, 27]], "Organization: OceanLotus Group": [[48, 64]], "Organization: foreign governments": [[131, 150]], "Organization: journalists": [[153, 164]], "Organization: dissidents": [[182, 192]]}, "info": {"id": "dnrti_train_000804", "source": "dnrti_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"Organization: APT32": [[27, 32]], "System: social engineering emails": [[43, 68]], "Malware: Microsoft ActiveMime file": [[74, 99]]}, "info": {"id": "dnrti_train_000805", "source": "dnrti_train"}} {"text": "Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors .", "spans": {"Organization: APT32": [[28, 33]], "Organization: technology infrastructure corporations": [[68, 106]]}, 
"info": {"id": "dnrti_train_000806", "source": "dnrti_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments .", "spans": {"Organization: APT32": [[22, 27]], "Organization: OceanLotus Group": [[48, 64]]}, "info": {"id": "dnrti_train_000807", "source": "dnrti_train"}} {"text": "FireEye asesses that APT32 actors may be aligned with the national interests of Vietnam .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT32 actors": [[21, 33]]}, "info": {"id": "dnrti_train_000808", "source": "dnrti_train"}} {"text": "APT32 poses a threat to companies doing business or preparing to invest in Vietnam .", "spans": {"Organization: APT32": [[0, 5]]}, "info": {"id": "dnrti_train_000809", "source": "dnrti_train"}} {"text": "We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country .", "spans": {"Organization: APT32": [[80, 85]]}, "info": {"id": "dnrti_train_000810", "source": "dnrti_train"}} {"text": "DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor .", "spans": {"Malware: DROPSHOT": [[0, 8]], "Malware: malware": [[31, 38]]}, "info": {"id": "dnrti_train_000811", "source": "dnrti_train"}} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabia .", "spans": {"Organization: APT33": [[44, 49]]}, "info": {"id": "dnrti_train_000812", "source": "dnrti_train"}} {"text": "APT33 often conducts spear-phishing operations using a built-in phishing module .", "spans": {"Organization: APT33": [[0, 5]], "System: spear-phishing": [[21, 35]], "System: phishing module": [[64, 79]]}, "info": {"id": "dnrti_train_000813", "source": "dnrti_train"}} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military 
and commercial fleets .", "spans": {"Organization: APT33": [[44, 49]]}, "info": {"id": "dnrti_train_000814", "source": "dnrti_train"}} {"text": "Although we have only observed APT33 use DROPSHOT to deliver TURNEDUP , we have identified multiple DROPSHOT samples in the wild that delivered wiper malware we call SHAPESHIFT .", "spans": {"Organization: APT33": [[31, 36]], "Malware: DROPSHOT": [[41, 49]], "Malware: DROPSHOT samples": [[100, 116]], "Malware: SHAPESHIFT": [[166, 176]]}, "info": {"id": "dnrti_train_000815", "source": "dnrti_train"}} {"text": "The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files .", "spans": {"Malware: SHAPESHIFT wiper": [[4, 20]]}, "info": {"id": "dnrti_train_000816", "source": "dnrti_train"}} {"text": "Ties to SHAPESHIFT suggest that APT33 may engage in destructive operations or shares tools or development resources with an Iranian threat group that conducts destructive operations .", "spans": {"Malware: SHAPESHIFT": [[8, 18]], "Organization: APT33": [[32, 37]], "Organization: threat group": [[132, 144]]}, "info": {"id": "dnrti_train_000817", "source": "dnrti_train"}} {"text": "In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry .", "spans": {"Organization: APT33": [[21, 26]], "System: spear-phishing emails": [[32, 53]]}, "info": {"id": "dnrti_train_000818", "source": "dnrti_train"}} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"Malware: HTA files": [[4, 13]]}, "info": {"id": "dnrti_train_000819", "source": "dnrti_train"}} {"text": "Since at least 2014 , an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran .", "spans": {"Organization: threat group": [[33, 45]], "Organization: FireEye": [[57, 64]], "Organization: APT34": [[68, 73]]}, "info": {"id": "dnrti_train_000820", "source": "dnrti_train"}} {"text": "These emails 
included recruitment-themed lures and links to malicious HTML application ( HTA ) files .", "spans": {"System: emails": [[6, 12]], "System: recruitment-themed lures": [[22, 46]], "Malware: HTML application": [[70, 86]], "Malware: HTA": [[89, 92]]}, "info": {"id": "dnrti_train_000821", "source": "dnrti_train"}} {"text": "The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": {"Organization: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_000822", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools .", "spans": {"Organization: APT34": [[0, 5]], "Malware: public and non-public tools": [[20, 47]]}, "info": {"id": "dnrti_train_000823", "source": "dnrti_train"}} {"text": "APT34 often uses compromised accounts to conduct spear-phishing operations .", "spans": {"Organization: APT34": [[0, 5]], "Malware: compromised accounts": [[17, 37]], "System: spear-phishing": [[49, 63]]}, "info": {"id": "dnrti_train_000824", "source": "dnrti_train"}} {"text": "APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell .", "spans": {"Organization: APT33": [[0, 5]], "Malware: public and non-public tools": [[25, 52]], "System: spear-phishing": [[72, 86]], "System: phishing module": [[115, 130]], "Malware: ALFA TEaM Shell": [[138, 153]], "Malware: publicly available web shell": [[160, 188]]}, "info": {"id": "dnrti_train_000825", "source": "dnrti_train"}} {"text": "In July 2017 , FireEye observed APT34 targeting an organization in the Middle East using the POWRUNER PowerShell-based backdoor and the downloader BONDUPDATER , which includes a domain generation algorithm ( DGA ) for command and control .", "spans": {"Organization: FireEye": [[15, 22]], "Organization: APT34": [[32, 37]], "Malware: POWRUNER 
PowerShell-based backdoor": [[93, 127]], "Malware: BONDUPDATER": [[147, 158]]}, "info": {"id": "dnrti_train_000826", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_000827", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"Organization: APT34": [[19, 24]], "Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Malware: POWRUNER": [[95, 103]], "Malware: BONDUPDATER": [[108, 119]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_000828", "source": "dnrti_train"}} {"text": "FireEye has identified APT35 operations dating back to 2014 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT35": [[23, 28]]}, "info": {"id": "dnrti_train_000829", "source": "dnrti_train"}} {"text": "APT35 , also known as the Newscaster Team , is a threat group sponsored by the Iranian government that conducts long term , resource-intensive operations to collect strategic intelligence .", "spans": {"Organization: APT35": [[0, 5]], "Organization: Newscaster Team": [[26, 41]], "Organization: threat group": [[49, 61]]}, "info": {"id": "dnrti_train_000830", "source": "dnrti_train"}} {"text": "APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. 
and the Middle East .", "spans": {"Organization: APT35": [[0, 5]], "Organization: telecommunications sectors": [[116, 142]]}, "info": {"id": "dnrti_train_000831", "source": "dnrti_train"}} {"text": "APT35 has historically used unsophisticated tools like those listed below in Figure 3 .", "spans": {"Organization: APT35": [[0, 5]], "Malware: unsophisticated tools": [[28, 49]]}, "info": {"id": "dnrti_train_000832", "source": "dnrti_train"}} {"text": "APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": {"Organization: APT35": [[0, 5]], "Organization: military": [[52, 60]], "Organization: diplomatic": [[63, 73]], "Organization: government personnel": [[78, 98]], "Organization: defense industrial base": [[141, 164]], "Organization: DIB": [[167, 170]], "Organization: telecommunications sectors": [[215, 241]]}, "info": {"id": "dnrti_train_000833", "source": "dnrti_train"}} {"text": "Many of the fake personas utilized by APT35 claimed to be part of news organizations , which led to APT35 being referred to as the Newscaster Team .", "spans": {"Organization: APT35": [[38, 43], [100, 105]], "Organization: news organizations": [[66, 84]], "Organization: Newscaster Team": [[131, 146]]}, "info": {"id": "dnrti_train_000834", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"Organization: threat group": [[34, 46]], "Organization: FireEye": [[52, 59]], "Organization: APT33": [[70, 75]], "Organization: petrochemical organizations": [[172, 199]]}, "info": {"id": "dnrti_train_000835", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group FireEye tracks as APT33 
has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"Organization: threat group": [[34, 46]], "Organization: FireEye": [[47, 54]], "Organization: APT33": [[65, 70]], "Organization: petrochemical organizations": [[167, 194]]}, "info": {"id": "dnrti_train_000836", "source": "dnrti_train"}} {"text": "In early 2017 , Mandiant responded to an incident involving APT35 targeting an energy company .", "spans": {"Organization: Mandiant": [[16, 24]], "Organization: APT35": [[60, 65]], "Organization: energy company": [[79, 93]]}, "info": {"id": "dnrti_train_000837", "source": "dnrti_train"}} {"text": "The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised .", "spans": {"Organization: attacker": [[4, 12]], "System: spear-phishing email": [[20, 40]]}, "info": {"id": "dnrti_train_000838", "source": "dnrti_train"}} {"text": "APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host .", "spans": {"Organization: APT35": [[0, 5]], "Malware: custom backdoor": [[35, 50]]}, "info": {"id": "dnrti_train_000839", "source": "dnrti_train"}} {"text": "They then proceeded to log directly into the VPN using the credentials of the compromised user .", "spans": {"Malware: credentials of the compromised user": [[59, 94]]}, "info": {"id": "dnrti_train_000840", "source": "dnrti_train"}} {"text": "The resume contained the PupyRAT backdoor , which communicated with known APT35 infrastructure .", "spans": {"Malware: PupyRAT backdoor": [[25, 41]], "Organization: APT35": [[74, 79]]}, "info": {"id": "dnrti_train_000841", "source": "dnrti_train"}} {"text": "Once connected to the VPN , APT35 focused on stealing domain credentials from a Microsoft Active Directory Domain Controller to allow them to authenticate to the single-factor VPN and Office 365 instance .", "spans": {"Organization: APT35": [[28, 
33]]}, "info": {"id": "dnrti_train_000842", "source": "dnrti_train"}} {"text": "While having access to the organization 's environment , the Magic Hound targeted data related to entities in the Middle East .", "spans": {}, "info": {"id": "dnrti_train_000843", "source": "dnrti_train"}} {"text": "Mandiant has previously observed targeted attackers stealing email , but few threat actors have been as successful at this as APT35 .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: attackers": [[42, 51]], "Organization: threat actors": [[77, 90]], "Organization: APT35": [[126, 131]]}, "info": {"id": "dnrti_train_000844", "source": "dnrti_train"}} {"text": "The campaigns delivered PupyRAT , an open-source cross-platform remote access trojan ( RAT ) .", "spans": {"Malware: PupyRAT": [[24, 31]], "Malware: remote access trojan": [[64, 84]], "Malware: RAT": [[87, 90]]}, "info": {"id": "dnrti_train_000845", "source": "dnrti_train"}} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks .", "spans": {"Organization: APT35": [[13, 18]]}, "info": {"id": "dnrti_train_000846", "source": "dnrti_train"}} {"text": "CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash .", "spans": {"Organization: CTU": [[0, 3]], "System: spearphishing": [[98, 111]], "Organization: threat actor": [[150, 162]], "Organization: Mia Ash": [[178, 185]]}, "info": {"id": "dnrti_train_000847", "source": "dnrti_train"}} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims .", "spans": {}, "info": {"id": "dnrti_train_000848", "source": "dnrti_train"}} {"text": "COBALT GYPSY has used spearphishing to target 
telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": {"Organization: COBALT GYPSY": [[0, 12]], "System: spearphishing": [[22, 35]], "Organization: financial services organizations": [[100, 132]], "Organization: individual victims": [[191, 209]]}, "info": {"id": "dnrti_train_000849", "source": "dnrti_train"}} {"text": "The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016 .", "spans": {"Organization: threat actor": [[60, 72]]}, "info": {"id": "dnrti_train_000850", "source": "dnrti_train"}} {"text": "Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations .", "spans": {"Organization: CTU": [[50, 53]]}, "info": {"id": "dnrti_train_000851", "source": "dnrti_train"}} {"text": "The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks .", "spans": {"Malware: PowerShell command": [[16, 34]], "Malware: PupyRAT": [[103, 110]], "Malware: research and penetration-testing tool": [[115, 152]]}, "info": {"id": "dnrti_train_000852", "source": "dnrti_train"}} {"text": "The survey contained macros that , once enabled , downloaded PupyRAT .", "spans": {"Malware: PupyRAT": [[61, 68]]}, "info": {"id": "dnrti_train_000853", "source": "dnrti_train"}} {"text": "CTU researchers determined that the COBALT GYPSY threat group orchestrated this activity due to the tools , techniques , and procedures ( TTPs ) used in both campaigns .", "spans": {"Organization: CTU": [[0, 3]], "Organization: COBALT GYPSY": [[36, 48]], "Organization: threat group": [[49, 61]]}, "info": {"id": "dnrti_train_000854", "source": "dnrti_train"}} {"text": "The Magic Hound has repeatedly used 
social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": {"Organization: employees": [[79, 88]], "System: Excel documents": [[140, 155]]}, "info": {"id": "dnrti_train_000855", "source": "dnrti_train"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT .", "spans": {"Organization: group": [[4, 9]], "System: Excel documents": [[162, 177]], "Malware: RATs": [[189, 193]], "Malware: PupyRAT": [[202, 209]]}, "info": {"id": "dnrti_train_000856", "source": "dnrti_train"}} {"text": "By compromising a user account that has administrative or elevated access , Magic Hound can quickly access a targeted environment to achieve their objectives .", "spans": {"System: compromising a user account": [[3, 30]]}, "info": {"id": "dnrti_train_000857", "source": "dnrti_train"}} {"text": "These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona .", "spans": {"Organization: COBALT GYPSY": [[35, 47]], "Organization: Mia Ash": [[125, 132]]}, "info": {"id": "dnrti_train_000858", "source": "dnrti_train"}} {"text": "CTU researchers have observed multiple COBALT GYPSY campaigns since 2015 and consider it highly likely that the group is associated with Iranian government-directed cyber operations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: group": [[112, 117]]}, "info": {"id": "dnrti_train_000859", "source": "dnrti_train"}} {"text": "The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets .", "spans": {"Malware: Mia Ash": [[15, 22]], "Organization: threat actors": [[80, 93]]}, "info": {"id": "dnrti_train_000860", "source": "dnrti_train"}} {"text": "CTU researchers conclude that COBALT GYPSY 
created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": {"Organization: CTU": [[0, 3]], "Organization: COBALT GYPSY": [[30, 42]]}, "info": {"id": "dnrti_train_000861", "source": "dnrti_train"}} {"text": "The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic .", "spans": {"Organization: COBALT GYPSY": [[85, 97]]}, "info": {"id": "dnrti_train_000862", "source": "dnrti_train"}} {"text": "COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training .", "spans": {"Organization: COBALT GYPSY": [[0, 12]]}, "info": {"id": "dnrti_train_000863", "source": "dnrti_train"}} {"text": "SecureWorks Counter Threat Unit ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": {"Organization: SecureWorks Counter Threat Unit": [[0, 31]], "Organization: CTU": [[34, 37]], "Organization: organization": [[112, 124]]}, "info": {"id": "dnrti_train_000864", "source": "dnrti_train"}} {"text": "SecureWorks® Counter Threat Unit™ ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": {"Organization: SecureWorks® Counter Threat Unit™": [[0, 33]], "Organization: CTU": [[36, 39]], "Organization: organization": [[114, 126]]}, "info": {"id": "dnrti_train_000865", "source": "dnrti_train"}} {"text": "CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY threat group ( formerly labeled Threat Group-2889 ) .", "spans": {"Organization: CTU": [[0, 3]], "Organization: threat actors": [[58, 71]], "Organization: COBALT GYPSY": [[120, 132]], "Organization: threat group": [[133, 145]], "Organization: Threat Group-2889": [[165, 182]]}, "info": {"id": "dnrti_train_000866", "source": 
"dnrti_train"}} {"text": "Since early 2014 , an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection , supported by persistent spear phishing campaigns .", "spans": {"Organization: attacker group": [[22, 36]]}, "info": {"id": "dnrti_train_000867", "source": "dnrti_train"}} {"text": "This cyber-espionage group was dubbed ' Rocket Kitten ' , and remains active as of this writing , with reported attacks as recent as October 2015 .", "spans": {"Organization: cyber-espionage group": [[5, 26]], "Organization: Rocket Kitten": [[40, 53]]}, "info": {"id": "dnrti_train_000868", "source": "dnrti_train"}} {"text": "Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East ( including targets inside Iran itself ) , as well as across Europe and in the United States .", "spans": {"Malware: unsophisticated technical merit": [[28, 59]], "System: spear phishing": [[81, 95]]}, "info": {"id": "dnrti_train_000869", "source": "dnrti_train"}} {"text": "The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"Organization: hacking group": [[74, 87]], "Organization: Ajax Security": [[105, 118]], "Organization: Flying Kitten": [[136, 149]], "Organization: CrowdStrike": [[155, 166]], "Organization: dissidents": [[221, 231]]}, "info": {"id": "dnrti_train_000870", "source": "dnrti_train"}} {"text": "An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"Organization: hacking group": [[11, 
24]], "Organization: Ajax Security": [[40, 53]], "Organization: Flying Kitten": [[69, 82]], "Organization: CrowdStrike": [[88, 99]], "Organization: dissidents": [[154, 164]]}, "info": {"id": "dnrti_train_000871", "source": "dnrti_train"}} {"text": "The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel .", "spans": {}, "info": {"id": "dnrti_train_000872", "source": "dnrti_train"}} {"text": "ClearSky 's September 2014 blog post first described active attacks using a piece of malware they dubbed ' Gholee ' ( as appears in a malicious payload export function , potentially named after a popular Iranian singer9 ) .", "spans": {"Organization: ClearSky": [[0, 8]], "Malware: Gholee": [[107, 113]]}, "info": {"id": "dnrti_train_000873", "source": "dnrti_train"}} {"text": "The Rocket Kitten attacker group 's main attack vector is spear-phishing .", "spans": {"Organization: Rocket Kitten": [[4, 17]], "Organization: attacker group": [[18, 32]], "System: spear-phishing": [[58, 72]]}, "info": {"id": "dnrti_train_000874", "source": "dnrti_train"}} {"text": "After learning of an active attack incident from the Rocket Kitten group on a customer network , Check Point researchers decided to actively join the investigation .", "spans": {"Organization: Rocket Kitten group": [[53, 72]], "Organization: Check Point": [[97, 108]]}, "info": {"id": "dnrti_train_000875", "source": "dnrti_train"}} {"text": "As described in previous publications , the Rocket Kitten attackers make extensive use of various phishing schemes .", "spans": {"Organization: Rocket Kitten": [[44, 57]], "Organization: attackers": [[58, 67]], "System: phishing": [[98, 106]]}, "info": {"id": "dnrti_train_000876", "source": "dnrti_train"}} {"text": "While the recent paper from Trend Micro and ClearSky ( ' The Spy Kittens Are Back : Rocket Kitten 2 ' ) does extensively cover the campaign 's narrative , we aimed to seek confirmation that our analyzed attack was 
positively connected to the same campaign and set out to provide additional value and insight .", "spans": {"Organization: Trend Micro": [[28, 39]], "Organization: ClearSky": [[44, 52]], "Organization: Spy Kittens": [[61, 72]], "Organization: Rocket Kitten": [[84, 97]]}, "info": {"id": "dnrti_train_000877", "source": "dnrti_train"}} {"text": "As the Rocket Kitten group 's behavior was well characterized in previous publications ( see the recent report from Trend Micro and ClearSky ) .", "spans": {"Organization: Rocket Kitten group": [[7, 26]], "Organization: Trend Micro": [[116, 127]], "Organization: ClearSky": [[132, 140]]}, "info": {"id": "dnrti_train_000878", "source": "dnrti_train"}} {"text": "Magic Hound will often find simpler ways for effective compromise , such as creative phishing and simple custom malware .", "spans": {"System: phishing": [[85, 93]], "System: custom malware": [[105, 119]]}, "info": {"id": "dnrti_train_000879", "source": "dnrti_train"}} {"text": "We present the connection between Behzad Mesri , an Iranian national recently indicted for his involvement in hacking HBO , and Charming Kitten .", "spans": {"Organization: Behzad Mesri": [[34, 46]], "Organization: Charming Kitten": [[128, 143]]}, "info": {"id": "dnrti_train_000880", "source": "dnrti_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 .", "spans": {"Organization: threat groups": [[212, 225]], "Organization: Oilrig1": [[236, 243]], "Organization: CopyKittens2": [[248, 260]]}, "info": {"id": "dnrti_train_000881", "source": "dnrti_train"}} {"text": "A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report - \" Flying Kitten to Rocket Kitten , A Case of Ambiguity and Shared Code \" 3 by Collin Anderson and 
Claudio Guarnieri .", "spans": {"Organization: Flying Kitten": [[115, 128]], "Organization: Rocket Kitten": [[132, 145]]}, "info": {"id": "dnrti_train_000882", "source": "dnrti_train"}} {"text": "FireEye 's publication of \" Operation Saffron Rose \" report , which described Flying Kitten 's operations against aviation firms , led to the dismantling of Flying Kitten 's infrastructure and the apparent end of its activities .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: Flying Kitten": [[78, 91], [157, 170]], "Organization: aviation firms": [[114, 128]]}, "info": {"id": "dnrti_train_000883", "source": "dnrti_train"}} {"text": "To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's .", "spans": {"Organization: hacker": [[20, 26]], "Organization: Behzad Mesri": [[29, 41], [249, 261]], "Organization: Turk Black Hat": [[57, 71]], "Organization: ArYaIeIrAn": [[83, 93]], "Malware: PersianDNS": [[157, 167]], "Malware: Mahanserver": [[170, 181]], "Organization: Facebook": [[230, 238]]}, "info": {"id": "dnrti_train_000884", "source": "dnrti_train"}} {"text": "Charming kitten regularly target international media outlets with Persian-language services .", "spans": {"Organization: Charming kitten": [[0, 15]]}, "info": {"id": "dnrti_train_000885", "source": "dnrti_train"}} {"text": "It was a decoy to make visitor download a \" Flash Player \" , which was in fact DownPaper malware , analyzed later in this report .", "spans": {"Malware: DownPaper malware": [[79, 96]]}, "info": {"id": "dnrti_train_000886", "source": "dnrti_train"}} {"text": "In addition to using PlugX and Poison Ivy ( PIVY ) , both known to be used by the group , they also used a new Trojan called \" ChChes \" by the Japan Computer Emergency Response Team Coordination Center ( JPCERT ) .", 
"spans": {"Malware: PlugX": [[21, 26]], "Malware: Poison Ivy": [[31, 41]], "Malware: PIVY": [[44, 48]], "Organization: group": [[82, 87]], "Malware: ChChes": [[127, 133]], "Organization: Japan Computer Emergency Response Team Coordination Center": [[143, 201]], "Organization: JPCERT": [[204, 210]]}, "info": {"id": "dnrti_train_000887", "source": "dnrti_train"}} {"text": "Wapack labs also observed a similar sample targeting Japan in November .", "spans": {"Organization: Wapack": [[0, 6]]}, "info": {"id": "dnrti_train_000888", "source": "dnrti_train"}} {"text": "MenuPass spoofed several sender email addresses to send spear phishing emails , most notably public addresses associated with the Sasakawa Peace Foundation and The White House .", "spans": {"Organization: MenuPass": [[0, 8]], "System: email": [[32, 37]], "System: spear phishing emails": [[56, 77]], "Organization: Sasakawa Peace Foundation": [[130, 155]], "Organization: White House": [[164, 175]]}, "info": {"id": "dnrti_train_000889", "source": "dnrti_train"}} {"text": "menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns .", "spans": {"Malware: DDNS and actor-registered domains": [[41, 74]]}, "info": {"id": "dnrti_train_000890", "source": "dnrti_train"}} {"text": "There is not much public information about the APT campaign called menuPass ( also known as Stone Panda and APT10 ) .", "spans": {"Organization: menuPass": [[67, 75]], "Organization: Stone Panda": [[92, 103]], "Organization: APT10": [[108, 113]]}, "info": {"id": "dnrti_train_000891", "source": "dnrti_train"}} {"text": "A paper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them .", "spans": {"Organization: FireEye": [[13, 20]], "Malware: PIVY": [[56, 60]]}, "info": {"id": "dnrti_train_000892", "source": "dnrti_train"}} {"text": "Believed to have started activity in 2009 and to originate from China , the group initially was known for targeting US and overseas defense 
contractors but broadened their targeting as time passed .", "spans": {"Organization: group": [[76, 81]], "Organization: defense contractors": [[132, 151]]}, "info": {"id": "dnrti_train_000893", "source": "dnrti_train"}} {"text": "menuPass has targeted individuals and organizations in Japan since at least 2014 , and as the same organizations and academics were largely targeted each month in these attacks , it further shows menuPass is persistent in attempts to compromise their targets .", "spans": {}, "info": {"id": "dnrti_train_000894", "source": "dnrti_train"}} {"text": "menuPass also heavily favors spear phishing , and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy .", "spans": {"System: spear phishing": [[29, 43]], "System: spear phishes": [[92, 105]]}, "info": {"id": "dnrti_train_000895", "source": "dnrti_train"}} {"text": "menuPass is an ongoing APT campaign with a broad range of targets and will likely continue to target Japan in the future .", "spans": {}, "info": {"id": "dnrti_train_000896", "source": "dnrti_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"Malware: ChopShop1": [[0, 9]], "Organization: MITRE Corporation": [[46, 63]]}, "info": {"id": "dnrti_train_000897", "source": "dnrti_train"}} {"text": "PyCommands , meanwhile , are Python scripts that automate tasks for Immunity Debugger , a popular tool for reverse-engineering malware binaries .", "spans": {"Malware: Immunity Debugger": [[68, 85]]}, "info": {"id": "dnrti_train_000898", "source": "dnrti_train"}} {"text": "Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com .", "spans": {"Malware: Poison Ivy": [[0, 10]]}, "info": {"id": "dnrti_train_000899", "source": "dnrti_train"}} {"text": 
"First released in 2005 , the tool has gone unchanged since 2008 with v ersion 2.3.2 .", "spans": {}, "info": {"id": "dnrti_train_000900", "source": "dnrti_train"}} {"text": "Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying .", "spans": {"Malware: Poison Ivy": [[0, 10]], "Malware: RATs": [[58, 62]]}, "info": {"id": "dnrti_train_000901", "source": "dnrti_train"}} {"text": "APT40 was previously reported as TEMP.Periscope and TEMP.Jumper .", "spans": {"Organization: APT40": [[0, 5]], "Organization: TEMP.Periscope": [[33, 47]], "Organization: TEMP.Jumper": [[52, 63]]}, "info": {"id": "dnrti_train_000902", "source": "dnrti_train"}} {"text": "They move laterally and escalate system privileges to extract sensitive information — whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult .", "spans": {"Organization: attacker": [[99, 107]], "Malware: RATs": [[141, 145]]}, "info": {"id": "dnrti_train_000903", "source": "dnrti_train"}} {"text": "In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system .", "spans": {"Malware: PIVY": [[55, 59]], "Organization: attackers": [[62, 71]], "Malware: RAT": [[81, 84]], "Organization: security firm RSA": [[99, 116]]}, "info": {"id": "dnrti_train_000904", "source": "dnrti_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], "Organization: chemical 
makers": [[78, 93]], "Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_train_000905", "source": "dnrti_train"}} {"text": "Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others .", "spans": {"Malware: PIVY": [[16, 20]], "Vulnerability: zero-day exploit": [[42, 58]]}, "info": {"id": "dnrti_train_000906", "source": "dnrti_train"}} {"text": "The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering .", "spans": {"Malware: Poison Ivy": [[4, 14]], "Organization: attackers": [[34, 43]]}, "info": {"id": "dnrti_train_000907", "source": "dnrti_train"}} {"text": "Attackers can point and click their way through a compromised network and exfiltrate data .", "spans": {"Organization: Attackers": [[0, 9]]}, "info": {"id": "dnrti_train_000908", "source": "dnrti_train"}} {"text": "Commodity RATs also complicate efforts by security professionals to correlate a threat actor 's activity over time—attackers can hide in the sea of malicious activity that also uses Poison Ivy-based malware .", "spans": {"Malware: RATs": [[10, 14]], "Organization: threat actor": [[80, 92]], "Malware: Poison Ivy-based malware": [[182, 206]]}, "info": {"id": "dnrti_train_000909", "source": "dnrti_train"}} {"text": "This report is an initial public release of research PwC UK and BAE Systems have conducted into new , sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan .", "spans": {"Organization: PwC UK": [[53, 59]], 
"Organization: BAE Systems": [[64, 75]], "Organization: threat actor": [[147, 159]], "Organization: managed IT service providers": [[168, 196]]}, "info": {"id": "dnrti_train_000910", "source": "dnrti_train"}} {"text": "Since late 2016 , PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by APT10 .", "spans": {"Organization: PwC UK": [[18, 24]], "Organization: BAE Systems": [[29, 40]], "Organization: APT10": [[116, 121]]}, "info": {"id": "dnrti_train_000911", "source": "dnrti_train"}} {"text": "The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally .", "spans": {"Organization: managed IT service providers": [[74, 102]], "Organization: MSPs": [[105, 109], [217, 221]], "Organization: APT10": [[123, 128]]}, "info": {"id": "dnrti_train_000912", "source": "dnrti_train"}} {"text": "APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report , which comprehensively detailed the malware 's functionality and features , and its use by several China-based threat actors , including APT10 .", "spans": {"Organization: APT10": [[0, 5], [220, 225]], "Malware: Poison Ivy malware family": [[28, 53]], "Organization: FireEye": [[67, 74]], "Organization: threat actors": [[194, 207]]}, "info": {"id": "dnrti_train_000913", "source": "dnrti_train"}} {"text": "APT10 primarily used PlugX malware from 2014 to 2016 , progressively improving and deploying newer versions , while simultaneously standardising their command and control function .", "spans": {"Organization: APT10": [[0, 5]], "Malware: PlugX malware": [[21, 34]]}, "info": {"id": "dnrti_train_000914", "source": "dnrti_train"}} {"text": "PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information 
collection .", "spans": {"Organization: PwC UK": [[0, 6]], "Organization: BAE Systems": [[11, 22]], "Organization: APT10": [[55, 60]], "Organization: threat actor": [[78, 90]], "Organization: espionage": [[107, 116]]}, "info": {"id": "dnrti_train_000915", "source": "dnrti_train"}} {"text": "APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": {"Organization: APT10": [[0, 5]], "Malware: MSP networks": [[104, 116]], "Organization: customers": [[138, 147]]}, "info": {"id": "dnrti_train_000916", "source": "dnrti_train"}} {"text": "APT10 , a name originally coined by FireEye , is also referred to as Red Apollo by PwC UK , CVNX by BAE Systems , Stone Panda by CrowdStrike , and menuPass Team more broadly in the public domain .", "spans": {"Organization: APT10": [[0, 5]], "Organization: FireEye": [[36, 43]], "Organization: Red Apollo": [[69, 79]], "Organization: PwC UK": [[83, 89]], "Organization: CVNX": [[92, 96]], "Organization: BAE Systems": [[100, 111]], "Organization: Stone Panda": [[114, 125]], "Organization: CrowdStrike": [[129, 140]], "Organization: menuPass Team": [[147, 160]]}, "info": {"id": "dnrti_train_000917", "source": "dnrti_train"}} {"text": "The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro3 similarly detailing the use of EvilGrab malware .", "spans": {"Organization: threat actor": [[4, 16], [160, 172]], "Organization: FireEye": [[122, 129]], "Malware: Poison Ivy malware family": [[187, 212]], "Organization: Trend Micro3": [[231, 243]], "Malware: EvilGrab malware": [[275, 291]]}, "info": {"id": "dnrti_train_000918", "source": "dnrti_train"}} {"text": "The threat actor has previously been the subject of a range of 
open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware .", "spans": {"Organization: threat actor": [[4, 16], [160, 172]], "Organization: FireEye": [[122, 129]], "Malware: Poison Ivy malware family": [[187, 212]], "Organization: Trend Micro": [[231, 242]], "Malware: EvilGrab malware": [[274, 290]]}, "info": {"id": "dnrti_train_000919", "source": "dnrti_train"}} {"text": "APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB )1 and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": {"Organization: APT10": [[0, 5]], "Organization: technology": [[151, 161]], "Organization: telecommunications sector": [[166, 191]], "Organization: MSPs": [[305, 309]]}, "info": {"id": "dnrti_train_000920", "source": "dnrti_train"}} {"text": "The research and ongoing tracking of APT10 by both PwC UK and BAE .", "spans": {"Organization: APT10": [[37, 42]], "Organization: PwC UK": [[51, 57]], "Organization: BAE": [[62, 65]]}, "info": {"id": "dnrti_train_000921", "source": "dnrti_train"}} {"text": "APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": {"Organization: APT10": [[0, 5]], "Organization: technology": [[150, 160]], "Organization: telecommunications sector": [[165, 190]], "Organization: MSPs": [[304, 308]]}, "info": {"id": "dnrti_train_000922", "source": "dnrti_train"}} {"text": "PwC UK has been engaged in supporting investigations linked to 
APT10 compromises .", "spans": {"Organization: PwC UK": [[0, 6]], "Organization: APT10": [[63, 68]]}, "info": {"id": "dnrti_train_000923", "source": "dnrti_train"}} {"text": "As a result of our analysis of APT10 's activities , we believe that it almost certainly benefits from significant staffing and logistical resources , which have increased over the last three years , with a significant step-change in 2016 .", "spans": {"Organization: APT10": [[31, 36]]}, "info": {"id": "dnrti_train_000924", "source": "dnrti_train"}} {"text": "Due to the scale of the threat actor 's operations throughout 2016 and 2017 , we similarly assess it currently comprises multiple teams , each responsible for a different section of the day-to-day operations , namely domain registration , infrastructure management , malware development , target operations , and analysis .", "spans": {"Organization: threat actor": [[24, 36]], "System: namely domain registration": [[210, 236]]}, "info": {"id": "dnrti_train_000925", "source": "dnrti_train"}} {"text": "APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX .", "spans": {"Organization: APT10": [[0, 5]], "Malware: Poison Ivy": [[43, 53]], "Malware: PlugX": [[166, 171]]}, "info": {"id": "dnrti_train_000926", "source": "dnrti_train"}} {"text": "It is highly likely that this is due to the release of the 2013 FireEye report .", "spans": {"Organization: FireEye": [[64, 71]]}, "info": {"id": "dnrti_train_000927", "source": "dnrti_train"}} {"text": "Our report will detail the most recent campaigns conducted by APT10 , including the sustained targeting of MSPs , which we have named Operation Cloud Hopper , and the targeting of a number of Japanese institutions .", "spans": {"Organization: APT10": [[62, 67]], "Organization: MSPs": [[107, 111]], "Organization: institutions": [[201, 213]]}, "info": {"id": "dnrti_train_000928", "source": 
"dnrti_train"}} {"text": "MSPs therefore represent a high-payoff target for espionagefocused threat actors such as APT10 .", "spans": {"Organization: MSPs": [[0, 4]], "Organization: threat actors": [[67, 80]], "Organization: APT10": [[89, 94]]}, "info": {"id": "dnrti_train_000929", "source": "dnrti_train"}} {"text": "Given the level of client network access MSPs have , once APT10 has gained access to a MSP , it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims .", "spans": {"Organization: MSPs": [[41, 45]], "Organization: APT10": [[58, 63]], "Malware: MSP": [[87, 90]]}, "info": {"id": "dnrti_train_000930", "source": "dnrti_train"}} {"text": "This , in turn , would provide access to a larger amount of intellectual property and sensitive data .", "spans": {}, "info": {"id": "dnrti_train_000931", "source": "dnrti_train"}} {"text": "APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences .", "spans": {"Organization: APT10": [[0, 5]], "Organization: MSPs": [[75, 79]]}, "info": {"id": "dnrti_train_000932", "source": "dnrti_train"}} {"text": "The command and control ( C2 ) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains .", "spans": {"Organization: APT10": [[56, 61]], "Malware: dynamic-DNS domains": [[123, 142]]}, "info": {"id": "dnrti_train_000933", "source": "dnrti_train"}} {"text": "Several of these provide enterprise services or cloud hosting , supporting our assessment that APT10 are almost certainly targeting MSPs .", "spans": {"Organization: APT10": [[95, 100]], "Organization: MSPs": [[132, 136]]}, "info": {"id": "dnrti_train_000934", "source": "dnrti_train"}} {"text": "The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan .", "spans": 
{"Organization: APT10": [[98, 103]]}, "info": {"id": "dnrti_train_000935", "source": "dnrti_train"}} {"text": "These aims outlined in the FYP will largely dictate the growth of businesses in China and are , therefore , likely to also form part of Chinese companies ' business strategies .", "spans": {"Organization: companies": [[144, 153]]}, "info": {"id": "dnrti_train_000936", "source": "dnrti_train"}} {"text": "APT10 has , in the past , primarily been known for its targeting of government and US defence industrial base organisations , with the earliest known date of its activity being in December 2009 .", "spans": {"Organization: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_000937", "source": "dnrti_train"}} {"text": "Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China .", "spans": {"Organization: APT10": [[9, 14]]}, "info": {"id": "dnrti_train_000938", "source": "dnrti_train"}} {"text": "In line with commonly used APT actor methodologies , the threat actor aligns its decoy documents to a topic of interest relevant to the recipient .", "spans": {"Organization: APT actor": [[27, 36]], "Organization: threat actor": [[57, 69]], "Malware: decoy documents": [[81, 96]]}, "info": {"id": "dnrti_train_000939", "source": "dnrti_train"}} {"text": "This section details changes made to APT10 tools , techniques and procedures ( TTPs ) post-2014 , following its shift from Poison Ivy to PlugX .", "spans": {"Organization: APT10": [[37, 42]], "Malware: Poison Ivy": [[123, 133]], "Malware: PlugX": [[137, 142]]}, "info": {"id": "dnrti_train_000940", "source": "dnrti_train"}} {"text": "We have observed that in cases where APT10 has infiltrated a target via an MSP , it continues to use the MSPs credentials .", "spans": {"Organization: APT10": [[37, 42]], "Malware: MSP": [[75, 78]], "Organization: MSPs": [[105, 109]]}, "info": {"id": "dnrti_train_000941", "source": "dnrti_train"}} {"text": "In order to gain 
any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B .", "spans": {"Organization: APT10": [[43, 48]], "Malware: mimikatz": [[100, 108]], "Malware: PwDump": [[112, 118]], "Malware: DLL load order hijacking": [[137, 161]]}, "info": {"id": "dnrti_train_000942", "source": "dnrti_train"}} {"text": "APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure the malware remains active regardless of system reboots .", "spans": {"Organization: APT10": [[0, 5]], "Malware: scheduled tasks": [[61, 76]], "Malware: Windows services": [[80, 96]]}, "info": {"id": "dnrti_train_000943", "source": "dnrti_train"}} {"text": "For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators .", "spans": {"Organization: threat actor": [[99, 111]]}, "info": {"id": "dnrti_train_000944", "source": "dnrti_train"}} {"text": "In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware ; the actor also uses these methods to propagate across the network .", "spans": {"Organization: APT10": [[29, 34]], "Malware: reverse shell": [[49, 62]], "Malware: RDP": [[66, 69]], "Organization: actor": [[110, 115]]}, "info": {"id": "dnrti_train_000945", "source": "dnrti_train"}} {"text": "The tactical malware , historically EvilGrab , and now ChChes ( and likely also RedLeaves ) , is designed to be lightweight and disposable , often being delivered through spear phishing .", "spans": {"Malware: EvilGrab": [[36, 44]], "Malware: ChChes": [[55, 61]], "Malware: RedLeaves": [[80, 89]], 
"System: spear phishing": [[171, 185]]}, "info": {"id": "dnrti_train_000946", "source": "dnrti_train"}} {"text": "Once executed , tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest .", "spans": {}, "info": {"id": "dnrti_train_000947", "source": "dnrti_train"}} {"text": "We have also observed APT10 use DLL search order hijacking and sideloading , to execute some modified versions of open-source tools .", "spans": {"Organization: APT10": [[22, 27]], "System: DLL search order hijacking and sideloading": [[32, 74]]}, "info": {"id": "dnrti_train_000948", "source": "dnrti_train"}} {"text": "For example , PwC UK has observed APT10 compiling DLLs out of tools , such as Mimikatz and PwDump6 , and using legitimate , signed software , such as Windows Defender to load the malicious payloads .", "spans": {"Organization: PwC UK": [[14, 20]], "Organization: APT10": [[34, 39]], "Malware: Mimikatz": [[78, 86]], "Malware: PwDump6": [[91, 98]], "Malware: signed software": [[124, 139]]}, "info": {"id": "dnrti_train_000949", "source": "dnrti_train"}} {"text": "During our analysis of victim networks , we were able to observe APT10 once again initiate a retooling cycle in late 2016 .", "spans": {"Organization: APT10": [[65, 70]]}, "info": {"id": "dnrti_train_000950", "source": "dnrti_train"}} {"text": "We observed the deployment and testing of multiple versions of Quasar malware , and the introduction of the bespoke malware families ChChes and RedLeaves .", "spans": {"Malware: Quasar malware": [[63, 77]], "Malware: ChChes": [[133, 139]], "Malware: RedLeaves": [[144, 153]]}, "info": {"id": "dnrti_train_000951", "source": "dnrti_train"}} {"text": "APT10 is a constantly evolving , highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors , enabled by its strategic targeting .", "spans": {"Organization: APT10": [[0, 5]], "Organization: 
threat actor": [[63, 75]]}, "info": {"id": "dnrti_train_000952", "source": "dnrti_train"}} {"text": "Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns .", "spans": {"Organization: APT10": [[43, 48]]}, "info": {"id": "dnrti_train_000953", "source": "dnrti_train"}} {"text": "PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparallelled campaign which we refer to as Operation Cloud Hopper .", "spans": {"Organization: PwC UK": [[0, 6]], "Organization: BAE Systems": [[11, 22]]}, "info": {"id": "dnrti_train_000954", "source": "dnrti_train"}} {"text": "This operation has targeted managed IT service providers , the compromise of which provides APT10 with potential access to thousands of further victims .", "spans": {"Organization: managed IT service providers": [[28, 56]], "Organization: APT10": [[92, 97]]}, "info": {"id": "dnrti_train_000955", "source": "dnrti_train"}} {"text": "An additional campaign has also been observed targeting Japanese entities .", "spans": {}, "info": {"id": "dnrti_train_000956", "source": "dnrti_train"}} {"text": "APT10 's malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns ; this is indicative of APT10 's increasing sophistication , which is highly likely to continue .", "spans": {"Organization: APT10": [[0, 5], [214, 219]], "Organization: threat actors": [[99, 112]]}, "info": {"id": "dnrti_train_000957", "source": "dnrti_train"}} {"text": "The threat actor 's known working hours align to Chinese Standard Time ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 .", "spans": {"Organization: threat actor": [[4, 16]], "Organization: threat actors": [[144, 157]], "Organization: 
APT10": [[228, 233]]}, "info": {"id": "dnrti_train_000958", "source": "dnrti_train"}} {"text": "APT10 ( MenuPass Group ) is a Chinese cyber espionage group that FireEye has tracked since 2009 .", "spans": {"Organization: APT10": [[0, 5]], "Organization: MenuPass Group": [[8, 22]], "Organization: cyber espionage group": [[38, 59]], "Organization: FireEye": [[65, 72]]}, "info": {"id": "dnrti_train_000959", "source": "dnrti_train"}} {"text": "Its targets include the military organizations and governments of countries with national interests in the South China Sea , including some within the U.S. defense industrial base .", "spans": {"Organization: military organizations": [[24, 46]], "Organization: defense industrial base": [[156, 179]]}, "info": {"id": "dnrti_train_000960", "source": "dnrti_train"}} {"text": "Moafee may have chosen its targets based on the rich resources of South China Sea region – the world 's second business sea-lane , according to Wikipedia – including rare earth metals , crude oil , and natural gas .", "spans": {"Organization: Moafee": [[0, 6]]}, "info": {"id": "dnrti_train_000961", "source": "dnrti_train"}} {"text": "DragonOK appears to operate out of China 's Jiangsu Province .", "spans": {"Organization: DragonOK": [[0, 8]]}, "info": {"id": "dnrti_train_000962", "source": "dnrti_train"}} {"text": "Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit Tool ( HTRAN ) – to disguise their geographical locations .", "spans": {"Organization: Moafee": [[0, 6]], "Organization: DragonOK": [[11, 19]], "Malware: HUC Packet Transmit Tool": [[55, 79]], "Malware: HTRAN": [[82, 87]]}, "info": {"id": "dnrti_train_000963", "source": "dnrti_train"}} {"text": "However , FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups .", "spans": {"Organization: FireEye": [[10, 17]], "Organization: Moafee": [[107, 113]], "Organization: DragonOK groups": [[118, 133]]}, "info": {"id": 
"dnrti_train_000964", "source": "dnrti_train"}} {"text": "Both Moafee and DragonOK favor spear-phishing emails as an attack vector , often employing a decoy to deceive the victim .", "spans": {"Organization: Moafee": [[5, 11]], "Organization: DragonOK": [[16, 24]], "System: spear-phishing emails": [[31, 52]]}, "info": {"id": "dnrti_train_000965", "source": "dnrti_train"}} {"text": "Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": {"Malware: Attachments": [[0, 11]], "System: ZIP archive": [[67, 78]], "System: password-protected Microsoft Office document": [[84, 128]]}, "info": {"id": "dnrti_train_000966", "source": "dnrti_train"}} {"text": "We observed Moafee running HTRAN proxies on their multiple Command and Control ( C2 ) servers – all operated on CHINANET , and hosted in Guangdong Province .", "spans": {"Organization: Moafee": [[12, 18]], "Malware: HTRAN": [[27, 32]]}, "info": {"id": "dnrti_train_000967", "source": "dnrti_train"}} {"text": "Like the Moafee group , we observed DragonOK running HTRAN to proxy their C2 servers , which are also operated on CHINANET but are hosted in the Jiangsu Province .", "spans": {"Organization: Moafee group": [[9, 21]], "Organization: DragonOK": [[36, 44]], "Malware: HTRAN": [[53, 58]]}, "info": {"id": "dnrti_train_000968", "source": "dnrti_train"}} {"text": "Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources .", "spans": {"Organization: Moafee": [[110, 116]]}, "info": {"id": "dnrti_train_000969", "source": "dnrti_train"}} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage .", "spans": {"Organization: DragonOK": [[74, 82]]}, "info": {"id": "dnrti_train_000970", "source": "dnrti_train"}} {"text": 
"Security researchers subsequently linked these attacks to a broader , yearlong campaign that targeted not just Israelis but Palestinians as well .", "spans": {}, "info": {"id": "dnrti_train_000971", "source": "dnrti_train"}} {"text": "and as discovered later , even the U.S. and UK governments .", "spans": {}, "info": {"id": "dnrti_train_000972", "source": "dnrti_train"}} {"text": "The second group , known as DragonOK , targets high-tech and manufacturing companies in Japan and Taiwan .", "spans": {"Organization: group": [[11, 16]], "Organization: DragonOK": [[28, 36]], "Organization: high-tech": [[47, 56]], "Organization: manufacturing companies": [[61, 84]]}, "info": {"id": "dnrti_train_000973", "source": "dnrti_train"}} {"text": "In 2012 , the Molerats attacks appeared to rely heavily on the XtremeRAT , a freely available tool that is popular with attackers based in the Middle East .", "spans": {"Malware: XtremeRAT": [[63, 72]], "Organization: attackers": [[120, 129]]}, "info": {"id": "dnrti_train_000974", "source": "dnrti_train"}} {"text": "But the group has also used Poison Ivy ( PIVY ) , a RAT more commonly associated with threat actors in China — so much so that PIVY has , inaccurately , become synonymous with all APT attacks linked to China .", "spans": {"Organization: group": [[8, 13]], "Malware: Poison Ivy": [[28, 38]], "Malware: PIVY": [[41, 45], [127, 131]], "Malware: RAT": [[52, 55]], "Organization: threat actors": [[86, 99]]}, "info": {"id": "dnrti_train_000975", "source": "dnrti_train"}} {"text": "This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. 
We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": {"Malware: PIVY": [[70, 74]], "Malware: malicious files": [[298, 313]]}, "info": {"id": "dnrti_train_000976", "source": "dnrti_train"}} {"text": "We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective , publicly-available RAT to its arsenal .", "spans": {"Malware: PIVY": [[29, 33]], "Organization: threat actors": [[107, 120]], "Malware: RAT": [[218, 221]]}, "info": {"id": "dnrti_train_000977", "source": "dnrti_train"}} {"text": "We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control ( CnC ) infrastructure used by the Molerats attackers .", "spans": {"Malware: PIVY": [[113, 117]], "Malware: command-and-control": [[144, 163]], "Malware: CnC": [[166, 169]], "Organization: Molerats": [[199, 207]], "Organization: attackers": [[208, 217]]}, "info": {"id": "dnrti_train_000978", "source": "dnrti_train"}} {"text": "The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": {"Malware: .exe file": [[24, 33]], "Malware: Microsoft Word file": [[61, 80]]}, "info": {"id": "dnrti_train_000979", "source": "dnrti_train"}} {"text": "In addition to DustySky , the attackers use publicly available tools such as the following Remote Administration Tools ( RAT ) : Poison Ivy , Nano Core , XtremeRAT , DarkComet and Spy-Net .", "spans": {"Malware: DustySky": [[15, 23]], "Organization: attackers": [[30, 39]], "Malware: publicly available tools": [[44, 68]], "Malware: Remote Administration Tools": [[91, 118]], "Malware: RAT": [[121, 124]], "Malware: 
Poison Ivy": [[129, 139]], "Malware: Nano Core": [[142, 151]], "Malware: XtremeRAT": [[154, 163]], "Malware: DarkComet": [[166, 175]], "Malware: Spy-Net": [[180, 187]]}, "info": {"id": "dnrti_train_000980", "source": "dnrti_train"}} {"text": "DustySky ( called \" NeD Worm \" by its developer ) is a multi-stage malware in use since May 2015 .", "spans": {"Malware: DustySky": [[0, 8]]}, "info": {"id": "dnrti_train_000981", "source": "dnrti_train"}} {"text": "It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering .", "spans": {"Organization: Molerats": [[20, 28]], "Organization: Gaza cybergang": [[35, 49]], "Organization: group": [[78, 83]]}, "info": {"id": "dnrti_train_000982", "source": "dnrti_train"}} {"text": "Operating since 2012 , the Molerats group 's activity has been reported by Norman , Kaspersky , FireEye , and PwC .", "spans": {"Organization: Molerats group": [[27, 41]], "Organization: Norman": [[75, 81]], "Organization: Kaspersky": [[84, 93]], "Organization: FireEye": [[96, 103]], "Organization: PwC": [[110, 113]]}, "info": {"id": "dnrti_train_000983", "source": "dnrti_train"}} {"text": "DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering .", "spans": {"Malware: DustySky": [[0, 8]], "Organization: Molerats": [[55, 63]], "Organization: Gaza cybergang": [[72, 86]], "Organization: terrorist group": [[95, 110]]}, "info": {"id": "dnrti_train_000984", "source": "dnrti_train"}} {"text": "Most targets are from the Middle East : Israel , Egypt , Saudi Arabia , United Arab Emirates and Iraq .", "spans": {}, "info": {"id": "dnrti_train_000985", "source": "dnrti_train"}} {"text": "The United States and countries in Europe are targeted as well .", "spans": {}, "info": {"id": "dnrti_train_000986", "source": "dnrti_train"}} {"text": "The sample analyzed is 
f589827c4cf94662544066b80bfda6ab from late August 2015 .", "spans": {}, "info": {"id": "dnrti_train_000987", "source": "dnrti_train"}} {"text": "The MuddyWater attacks are primarily against Middle Eastern nations .", "spans": {}, "info": {"id": "dnrti_train_000988", "source": "dnrti_train"}} {"text": "However , we have also observed attacks against surrounding nations and beyond , including targets in India and the USA .", "spans": {}, "info": {"id": "dnrti_train_000989", "source": "dnrti_train"}} {"text": "Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": {"Organization: Molerats": [[20, 28]], "Organization: governmental": [[37, 49]], "Organization: embassies": [[90, 99]], "Organization: financial institutions": [[156, 178]], "Organization: journalists": [[181, 192]], "Organization: software developers": [[195, 214]]}, "info": {"id": "dnrti_train_000990", "source": "dnrti_train"}} {"text": "The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": {"Organization: Palo Alto Networks Unit 42": [[4, 30]], "Malware: malicious files": [[78, 93]], "Organization: MalwareBytes": [[194, 206]]}, "info": {"id": "dnrti_train_000991", "source": "dnrti_train"}} {"text": "MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \" POWERSTATS \" .", "spans": {"Malware: PowerShell-based first stage backdoor": [[69, 106]], "Malware: POWERSTATS": [[117, 127]]}, "info": {"id": "dnrti_train_000992", "source": "dnrti_train"}} {"text": "When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East , we were somewhat confused as the 
previous public reporting had attributed these attacks to FIN7 .", "spans": {"Organization: FIN7": [[219, 223]]}, "info": {"id": "dnrti_train_000993", "source": "dnrti_train"}} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors .", "spans": {"Organization: FIN7": [[0, 4]], "Organization: threat actor group": [[10, 28]], "Organization: financial sectors": [[105, 122]]}, "info": {"id": "dnrti_train_000994", "source": "dnrti_train"}} {"text": "Following the trail of existing public reporting , the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2 , of a non-public tool \" DNSMessenger \" .", "spans": {"Organization: FIN7": [[62, 66]], "Malware: MuddyWater C2": [[123, 136]], "Malware: non-public tool": [[144, 159]], "Malware: DNSMessenger": [[162, 174]]}, "info": {"id": "dnrti_train_000995", "source": "dnrti_train"}} {"text": "There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 .", "spans": {"Organization: Morphisec": [[36, 45]], "Organization: FIN7": [[85, 89]]}, "info": {"id": "dnrti_train_000996", "source": "dnrti_train"}} {"text": "The DNSMessenger malware is a shared tool , used by FIN7 , MuddyWater and perhaps other groups .", "spans": {"Malware: DNSMessenger malware": [[4, 24]], "Organization: FIN7": [[52, 56]], "Organization: MuddyWater": [[59, 69]], "Organization: groups": [[88, 94]]}, "info": {"id": "dnrti_train_000997", "source": "dnrti_train"}} {"text": "In September 2018 , we found evidence of Seedworm and the espionage group APT28 ( aka Swallowtail , Fancy Bear ) , on a computer within the Brazil-based embassy of an oil-producing nation .", "spans": {"Organization: Seedworm": [[41, 49]], "Organization: espionage group": [[58, 73]], "Organization: APT28": [[74, 79]], "Organization: Swallowtail": [[86, 97]], "Organization: Fancy Bear": [[100, 110]], "Organization: embassy": [[153, 160]]}, "info": {"id": 
"dnrti_train_000998", "source": "dnrti_train"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"Malware: Powermud backdoor": [[29, 46]], "Malware: Backdoor.Powemuddy": [[66, 84]], "Malware: custom tools": [[93, 105]], "Malware: makecab.exe": [[238, 249]]}, "info": {"id": "dnrti_train_000999", "source": "dnrti_train"}} {"text": "Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests .", "spans": {"Organization: Seedworm": [[0, 8]], "Organization: cyber espionage group": [[31, 52]]}, "info": {"id": "dnrti_train_001000", "source": "dnrti_train"}} {"text": "During the operations , the group used tools consistent with those leveraged during past intrusions including Powermud , a custom tool used by the Seedworm group , and customized PowerShell , LaZagne , and Crackmapexec scripts .", "spans": {"Organization: group": [[28, 33]], "Malware: Powermud": [[110, 118]], "Organization: Seedworm group": [[147, 161]], "Malware: customized PowerShell": [[168, 189]], "Malware: LaZagne": [[192, 199]], "Malware: Crackmapexec scripts": [[206, 226]]}, "info": {"id": "dnrti_train_001001", "source": "dnrti_train"}} {"text": "The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control ( C&C ) location .", "spans": {"Organization: Seedworm group": [[4, 18]], "Malware: Powermud backdoor": [[32, 49]], "Malware: command-and-control": [[99, 118]]}, "info": {"id": "dnrti_train_001002", "source": "dnrti_train"}} {"text": "After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email 
, demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals .", "spans": {"Malware: Powermud": [[54, 62]], "Malware: Powemuddy": [[66, 75]], "Organization: Seedworm": [[78, 86]], "System: web browsers": [[144, 156]], "System: email": [[161, 166]], "System: demonstrating": [[169, 182]]}, "info": {"id": "dnrti_train_001003", "source": "dnrti_train"}} {"text": "Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials .", "spans": {"Organization: Seedworm": [[0, 8]], "Malware: LaZagne": [[45, 52]], "Malware: Crackmapexec": [[57, 69]]}, "info": {"id": "dnrti_train_001004", "source": "dnrti_train"}} {"text": "The group , which we call Seedworm ( aka MuddyWater ) , has been operating since at least 2017 , with its most recent activity observed in December 2018 .", "spans": {"Organization: group": [[4, 9]], "Organization: Seedworm": [[26, 34]], "Organization: MuddyWater": [[41, 51]]}, "info": {"id": "dnrti_train_001005", "source": "dnrti_train"}} {"text": "The Seedworm group is the only group known to use the Powermud backdoor .", "spans": {"Organization: Seedworm group": [[4, 18]], "Organization: group": [[31, 36]], "Malware: Powermud backdoor": [[54, 71]]}, "info": {"id": "dnrti_train_001006", "source": "dnrti_train"}} {"text": "Additionally , the group compromised organizations in Europe and North America that have ties to the Middle East .", "spans": {"Organization: group": [[19, 24]]}, "info": {"id": "dnrti_train_001007", "source": "dnrti_train"}} {"text": "MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 .", "spans": {"Organization: MuddyWater": [[0, 10]], "Organization: threat actor": [[38, 50]]}, "info": {"id": "dnrti_train_001008", "source": "dnrti_train"}} {"text": "Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this 
link .", "spans": {"Malware: DNSMessenger": [[67, 79]], "Malware: MuddyWater": [[84, 94]]}, "info": {"id": "dnrti_train_001009", "source": "dnrti_train"}} {"text": "Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors .", "spans": {"Organization: group": [[36, 41]], "Organization: Oil sectors": [[189, 200]]}, "info": {"id": "dnrti_train_001010", "source": "dnrti_train"}} {"text": "Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link .", "spans": {"Malware: DNSMessenger": [[67, 79]], "Malware: MuddyWater": [[84, 94]]}, "info": {"id": "dnrti_train_001011", "source": "dnrti_train"}} {"text": "Depending on each sample , the content of document is either a fake resume application , or a letter from the Ministry of Justice in Lebanon or Saudi Arabia .", "spans": {"Malware: fake resume application": [[63, 86]], "Malware: letter": [[94, 100]]}, "info": {"id": "dnrti_train_001012", "source": "dnrti_train"}} {"text": "Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": {"Organization: DeepSight Managed Adversary and Threat Intelligence": [[16, 67]], "Organization: MATI": [[70, 74]], "Malware: Backdoor.Powemuddy": [[110, 128]], "Organization: Seedworm": [[147, 155]], "Malware: Powermud backdoor": [[159, 176]], "Malware: POWERSTATS": [[183, 193]], "Organization: group": [[230, 235], [306, 311]]}, "info": {"id": "dnrti_train_001013", "source": "dnrti_train"}} {"text": "From January 2018 
to March 2018 , through FireEye 's Dynamic Threat Intelligence , we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East .", "spans": {"Organization: FireEye 's Dynamic Threat Intelligence": [[42, 80]], "Organization: attackers": [[95, 104]]}, "info": {"id": "dnrti_train_001014", "source": "dnrti_train"}} {"text": "MuddyWater has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": {"Organization: MuddyWater": [[0, 10]], "System: spear phishing": [[35, 49]], "Organization: defense entities": [[68, 84]]}, "info": {"id": "dnrti_train_001015", "source": "dnrti_train"}} {"text": "This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": {"Organization: actor": [[5, 10]], "System: spear phishing": [[35, 49]], "Organization: defense entities": [[68, 84]]}, "info": {"id": "dnrti_train_001016", "source": "dnrti_train"}} {"text": "When successfully executed , the malicious documents install a backdoor we track as POWERSTATS .", "spans": {"Malware: backdoor": [[63, 71]], "Malware: POWERSTATS": [[84, 94]]}, "info": {"id": "dnrti_train_001017", "source": "dnrti_train"}} {"text": "The group is known for espionage campaigns in the Middle East .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_001018", "source": "dnrti_train"}} {"text": "The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques .", "spans": {"Organization: threat group": [[4, 16]]}, "info": {"id": "dnrti_train_001019", "source": "dnrti_train"}} {"text": "The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via Microsoft Office Word macro .", "spans": {"Malware: PowerShell scripts": [[114, 
132]], "Malware: Microsoft": [[146, 155]], "Malware: Office Word": [[156, 167]]}, "info": {"id": "dnrti_train_001020", "source": "dnrti_train"}} {"text": "The threat group in this recently observed campaign a TEMP.Zagros a weaponized their malware using the following techniques .", "spans": {"Organization: threat group": [[4, 16]]}, "info": {"id": "dnrti_train_001021", "source": "dnrti_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"Malware: Microsoft Word document": [[60, 83]]}, "info": {"id": "dnrti_train_001022", "source": "dnrti_train"}} {"text": "MuddyWater is a relatively new APT that surfaced in 2017 .", "spans": {"Organization: MuddyWater": [[0, 10]], "Organization: APT": [[31, 34]]}, "info": {"id": "dnrti_train_001023", "source": "dnrti_train"}} {"text": "We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro as MuddyWater ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"Organization: TEMP.Zagros": [[30, 41]], "Organization: Palo Alto Networks": [[56, 74]], "Organization: Trend Micro": [[79, 90]], "Organization: MuddyWater": [[94, 104]], "Organization: actor": [[123, 128]]}, "info": {"id": "dnrti_train_001024", "source": "dnrti_train"}} {"text": "We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"Organization: TEMP.Zagros": [[30, 41]], "Organization: Palo Alto Networks": [[56, 74]], "Organization: Trend Micro": [[79, 90]], "Organization: actor": [[109, 114]]}, "info": {"id": "dnrti_train_001025", "source": "dnrti_train"}} {"text": "Entities in these sectors are often \" enabling victims \" as telecommunications providers or IT services agencies and vendors could provide Seedworm 
actors with further victims to compromise .", "spans": {"Organization: telecommunications providers": [[60, 88]], "Organization: IT services agencies": [[92, 112]], "Organization: Seedworm actors": [[139, 154]]}, "info": {"id": "dnrti_train_001026", "source": "dnrti_train"}} {"text": "The group mainly targets the telecommunications and IT services sectors .", "spans": {"Organization: group": [[4, 9]], "Organization: telecommunications": [[29, 47]], "Organization: IT services sectors": [[52, 71]]}, "info": {"id": "dnrti_train_001027", "source": "dnrti_train"}} {"text": "However , the group behind MuddyWater has been known to target other countries in the Middle East , Europe and the US .", "spans": {"Organization: group": [[14, 19]], "Organization: MuddyWater": [[27, 37]]}, "info": {"id": "dnrti_train_001028", "source": "dnrti_train"}} {"text": "The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_001029", "source": "dnrti_train"}} {"text": "The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros .", "spans": {"System: spear-phishing": [[8, 22]], "Organization: MuddyWater": [[36, 46]]}, "info": {"id": "dnrti_train_001030", "source": "dnrti_train"}} {"text": "MuddyWater has recently been targeting victims likely from Lebanon and Oman , while leveraging compromised domains , one of which is owned by an Israeli web developer .", "spans": {"Organization: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_001031", "source": "dnrti_train"}} {"text": "As MuddyWater has consistently been using POWERSTATS as its main tool , they are relatively easy to distinguish from other actors .", "spans": {"Organization: MuddyWater": [[3, 13]], "Malware: POWERSTATS": [[42, 52]], "Organization: actors": [[123, 129]]}, "info": {"id": "dnrti_train_001032", "source": "dnrti_train"}} {"text": "In March 2018 , 
Trend Micro provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater .", "spans": {"Organization: Trend Micro": [[16, 27]], "Organization: MuddyWater": [[104, 114]]}, "info": {"id": "dnrti_train_001033", "source": "dnrti_train"}} {"text": "In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"Organization: Trend Micro": [[14, 25]], "Malware: W2KM_DLOADR.UHAOEEN": [[59, 78]]}, "info": {"id": "dnrti_train_001034", "source": "dnrti_train"}} {"text": "In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"Organization: Trend Micro": [[14, 25]], "Malware: W2KM_DLOADR.UHAOEEN": [[59, 78]]}, "info": {"id": "dnrti_train_001035", "source": "dnrti_train"}} {"text": "Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature .", "spans": {"Organization: MuddyWater": [[93, 103]], "System: phishing": [[108, 116]], "System: spam": [[120, 124]]}, "info": {"id": "dnrti_train_001036", "source": "dnrti_train"}} {"text": "We recently noticed the group behind MuddyWater that appear to be targeting government bodies , military entities , telcos and educational institutions in Jordan , Turkey , Azerbaijan and Pakistan , in addition to the continuous targeting of Iraq and Saudi Arabia , other victims were also detected in Mali , Austria , Russia , Iran and Bahrain. 
.", "spans": {"Organization: group": [[24, 29]], "Organization: MuddyWater": [[37, 47]], "Organization: government bodies": [[76, 93]], "Organization: military entities": [[96, 113]], "Organization: educational institutions": [[127, 151]]}, "info": {"id": "dnrti_train_001037", "source": "dnrti_train"}} {"text": "Observed Seedworm victims were located primarily in Pakistan and Turkey , but also in Russia , Saudi Arabia , Afghanistan , Jordan , and elsewhere .", "spans": {"Organization: Seedworm": [[9, 17]]}, "info": {"id": "dnrti_train_001038", "source": "dnrti_train"}} {"text": "The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering , in addition to the active development of attacks , infrastructure and the use of new methods and techniques .", "spans": {"Organization: MuddyWaters group": [[4, 21]], "System: social engineering": [[90, 108]]}, "info": {"id": "dnrti_train_001039", "source": "dnrti_train"}} {"text": "Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \" BlackWater \" is associated with suspected persistent threat actor MuddyWater .", "spans": {"Organization: Cisco Talos": [[0, 11]], "Organization: threat actor MuddyWater": [[147, 170]]}, "info": {"id": "dnrti_train_001040", "source": "dnrti_train"}} {"text": "In this latest activity , BlackWater first added an obfuscated Visual Basic for Applications ( VBA ) script to establish persistence as a registry key .", "spans": {"Malware: Visual Basic for Applications": [[63, 92]], "Malware: VBA": [[95, 98]]}, "info": {"id": "dnrti_train_001041", "source": "dnrti_train"}} {"text": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater .", "spans": {"Organization: Talos": [[0, 5]], "Organization: threat actor MuddyWater": [[111, 134]]}, "info": {"id": "dnrti_train_001042", "source": "dnrti_train"}} {"text": "MuddyWater has been active 
since at least November 2017 and has been known to primarily target entities in the Middle East .", "spans": {"Organization: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_001043", "source": "dnrti_train"}} {"text": "Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) .", "spans": {"Malware: MuddyWater-associated samples": [[43, 72]], "Malware: PowerShell commands": [[157, 176]], "Organization: actor": [[248, 253]]}, "info": {"id": "dnrti_train_001044", "source": "dnrti_train"}} {"text": "Despite last month 's report on aspects of the MuddyWater campaign , the group is undeterred and continues to perform operations .", "spans": {"Organization: group": [[73, 78]]}, "info": {"id": "dnrti_train_001045", "source": "dnrti_train"}} {"text": "Based on these observations , as well as MuddyWater 's history of targeting Turkey-based entities , we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group .", "spans": {"Organization: MuddyWater": [[41, 51], [177, 187]], "Organization: threat actor group": [[188, 206]]}, "info": {"id": "dnrti_train_001046", "source": "dnrti_train"}} {"text": "Our recent report , \" The Chronicles of the Hellsing APT : the Empire Strikes Back \" began with an introduction to the Naikon APT , describing it as \" One of the most active APTs in Asia , especially around the South China Sea \" .", "spans": {"Organization: Hellsing APT": [[44, 56]], "Malware: Empire Strikes Back": [[63, 82]], "Organization: Naikon APT": [[119, 129]]}, "info": {"id": "dnrti_train_001047", "source": "dnrti_train"}} {"text": "It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": 
{"Malware: Tran Duy Linh": [[27, 40]], "Vulnerability: CVE-2012-0158": [[43, 56]]}, "info": {"id": "dnrti_train_001048", "source": "dnrti_train"}} {"text": "Considering the volume of Naikon activity observed and its relentless , repeated attack attempts , such a confrontation was worth looking into , so we did .", "spans": {}, "info": {"id": "dnrti_train_001049", "source": "dnrti_train"}} {"text": "The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal , Thailand , Laos and China .", "spans": {"Organization: attackers": [[4, 13]], "Organization: government agencies": [[76, 95]], "Organization: civil and military organizations": [[100, 132]]}, "info": {"id": "dnrti_train_001050", "source": "dnrti_train"}} {"text": "The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia .", "spans": {"Organization: Naikon": [[108, 114]]}, "info": {"id": "dnrti_train_001051", "source": "dnrti_train"}} {"text": "This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010 .", "spans": {"Organization: Naikon": [[5, 11], [84, 90]]}, "info": {"id": "dnrti_train_001052", "source": "dnrti_train"}} {"text": "The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal .", "spans": {"Organization: attackers": [[4, 13]], "Organization: government agencies": [[76, 95]], 
"Organization: civil and military organizations": [[100, 132]]}, "info": {"id": "dnrti_train_001053", "source": "dnrti_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "System: email attachment": [[24, 40]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_train_001054", "source": "dnrti_train"}} {"text": "In the Naikon scheme , a C&C server can be specialized XSControl software running on the host machine .", "spans": {"Organization: Naikon": [[7, 13]], "Malware: C&C server": [[25, 35]]}, "info": {"id": "dnrti_train_001055", "source": "dnrti_train"}} {"text": "It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations .", "spans": {"Organization: attackers": [[56, 65]], "Malware: Naikon proxies": [[73, 87]]}, "info": {"id": "dnrti_train_001056", "source": "dnrti_train"}} {"text": "In addition to stealing keystrokes , Naikon also intercepted network traffic .", "spans": {"Organization: Naikon": [[37, 43]], "System: network traffic": [[61, 76]]}, "info": {"id": "dnrti_train_001057", "source": "dnrti_train"}} {"text": "Operator X also took advantage of cultural idiosyncrasies in its target countries , for example , the regular and widely accepted use of personal Gmail accounts for work .", "spans": {}, "info": {"id": "dnrti_train_001058", "source": "dnrti_train"}} {"text": "In the spring of 2014 , we noticed an increase in the volume of attack activity by the Naikon APT .", "spans": {"Organization: Naikon APT": [[87, 97]]}, "info": {"id": 
"dnrti_train_001059", "source": "dnrti_train"}} {"text": "In particular , we noticed that the Naikon group was spear-phished by an actor we now call \" Hellsing \" .", "spans": {"Organization: Naikon group": [[36, 48]], "Organization: actor": [[73, 78]], "Organization: Hellsing": [[93, 101]]}, "info": {"id": "dnrti_train_001060", "source": "dnrti_train"}} {"text": "More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost : \" The Chronicles of the Hellsing APT : The Empire Strikes Back \" .", "spans": {"Organization: Naikon": [[54, 60]], "Organization: Hellsing": [[65, 73]], "Organization: Hellsing APT": [[129, 141]], "Malware: Empire Strikes Back": [[148, 167]]}, "info": {"id": "dnrti_train_001061", "source": "dnrti_train"}} {"text": "Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk .", "spans": {"Malware: Truvasys": [[0, 8]], "Organization: computer utilities": [[106, 124]], "Organization: WinUtils": [[137, 145]], "Organization: TrueCrypt": [[148, 157]], "Organization: WinRAR": [[160, 166]], "Organization: SanDisk": [[172, 179]]}, "info": {"id": "dnrti_train_001062", "source": "dnrti_train"}} {"text": "PROMETHIUM is an activity group that has been active as early as 2012 .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: activity group": [[17, 31]]}, "info": {"id": "dnrti_train_001063", "source": "dnrti_train"}} {"text": "The group primarily uses Truvasys , a first-stage malware that has been in circulation for several years .", "spans": {"Organization: group": [[4, 9]], "Malware: Truvasys": [[25, 33]]}, "info": {"id": "dnrti_train_001064", "source": "dnrti_train"}} {"text": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Organization: activity group": [[16, 30]], 
"Organization: Microsoft": [[83, 92]], "Malware: Wingbird": [[96, 104]]}, "info": {"id": "dnrti_train_001065", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[15, 24]], "Vulnerability: CVE-2016-4117": [[50, 63]]}, "info": {"id": "dnrti_train_001066", "source": "dnrti_train"}} {"text": "Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks .", "spans": {}, "info": {"id": "dnrti_train_001067", "source": "dnrti_train"}} {"text": "In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": {"Organization: PROMETHIUM": [[25, 35]], "Organization: NEODYMIUM": [[40, 49]], "Organization: specific individuals": [[94, 114]]}, "info": {"id": "dnrti_train_001068", "source": "dnrti_train"}} {"text": "Meanwhile , NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code , ultimately leading to Wingbird 's installation on victim computers .", "spans": {"Organization: NEODYMIUM": [[12, 21]], "System: spear-phishing emails": [[41, 62]], "Malware: Wingbird": [[136, 144]]}, "info": {"id": "dnrti_train_001069", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[15, 24]], "Vulnerability: zero-day exploit": [[37, 53]]}, "info": {"id": "dnrti_train_001070", "source": "dnrti_train"}} {"text": "Wingbird , the advanced malware used by NEODYMIUM , has several behaviors that trigger alerts in Windows Defender ATP .", "spans": {"Malware: Wingbird": [[0, 8]], "Organization: NEODYMIUM": [[40, 49]], "Organization: Windows 
Defender ATP": [[97, 117]]}, "info": {"id": "dnrti_train_001071", "source": "dnrti_train"}} {"text": "This volume chronicles two activity groups , code-named PROMETHIUM and NEODYMIUM , both of which target individuals in a specific area of Europe .", "spans": {"Organization: activity groups": [[27, 42]], "Organization: PROMETHIUM": [[56, 66]], "Organization: NEODYMIUM": [[71, 80]]}, "info": {"id": "dnrti_train_001072", "source": "dnrti_train"}} {"text": "Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": {"Organization: espionage": [[67, 76]], "Organization: activity groups": [[116, 131]], "Organization: specific individuals": [[165, 185]]}, "info": {"id": "dnrti_train_001073", "source": "dnrti_train"}} {"text": "In May 2016 , both PROMETHIUM and NEODYMIUM were observed to launch attack campaigns .", "spans": {"Organization: PROMETHIUM": [[19, 29]], "Organization: NEODYMIUM": [[34, 43]]}, "info": {"id": "dnrti_train_001074", "source": "dnrti_train"}} {"text": "NEODYMIUM is an activity group that , like PROMETHIUM , conducted an attack campaign in early May 2016 .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Organization: activity group": [[16, 30]], "Organization: PROMETHIUM": [[43, 53]]}, "info": {"id": "dnrti_train_001075", "source": "dnrti_train"}} {"text": "Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks .", "spans": {}, "info": {"id": "dnrti_train_001076", "source": "dnrti_train"}} {"text": "NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Vulnerability: CVE-2016-4117": [[35, 48]], "Organization: PROMETHIUM": [[67, 77]]}, "info": {"id": "dnrti_train_001077", "source": 
"dnrti_train"}} {"text": "NEODYMIUM used a backdoor detected by Windows Defender as Wingbird , whose characteristics closely match FinFisher , a government-grade commercial surveillance package .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Malware: Wingbird": [[58, 66]], "Organization: FinFisher": [[105, 114]]}, "info": {"id": "dnrti_train_001078", "source": "dnrti_train"}} {"text": "In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": {"Organization: activity groups": [[39, 54]], "Organization: PROMETHIUM": [[57, 67]], "Organization: NEODYMIUM": [[72, 81]], "Vulnerability: zeroday exploit": [[140, 155]]}, "info": {"id": "dnrti_train_001079", "source": "dnrti_train"}} {"text": "The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: hacker group": [[19, 31]], "Organization: BlackOasis": [[60, 70]], "Organization: Kaspersky": [[73, 82]], "Organization: group": [[93, 98]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[116, 157]], "Vulnerability: CVE-2016-4117": [[160, 173]], "Malware: FinSpy": [[220, 226]]}, "info": {"id": "dnrti_train_001080", "source": "dnrti_train"}} {"text": "FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group — which goes by other names , including FinFisher and Lench IT Solutions .", "spans": {"Malware: FinSpy": [[0, 6]], "Organization: attacker": [[50, 58]], "Organization: Gamma Group": [[165, 176]], "Organization: FinFisher": [[217, 226]]}, "info": {"id": "dnrti_train_001081", 
"source": "dnrti_train"}} {"text": "In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China .", "spans": {"Organization: BlackOasis": [[14, 24]]}, "info": {"id": "dnrti_train_001082", "source": "dnrti_train"}} {"text": "BlackOasis in recent months sent a wave of phishing emails .", "spans": {"Organization: BlackOasis": [[0, 10]], "System: phishing emails": [[43, 58]]}, "info": {"id": "dnrti_train_001083", "source": "dnrti_train"}} {"text": "PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration .", "spans": {"Organization: PROMETHIUM": [[0, 10]]}, "info": {"id": "dnrti_train_001084", "source": "dnrti_train"}} {"text": "Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"Organization: Microsoft": [[12, 21]], "Organization: Neodymium": [[44, 53]], "Organization: activity groups": [[93, 108]], "Organization: PROMETHIUM": [[188, 198]], "Organization: NEODYMIUM": [[203, 212]]}, "info": {"id": "dnrti_train_001085", "source": "dnrti_train"}} {"text": "The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": {"Organization: Kaspersky": [[17, 26]], "Vulnerability: zero-day exploit": [[52, 68]], "Organization: BlackOasis": [[77, 87]]}, "info": {"id": "dnrti_train_001086", "source": "dnrti_train"}} {"text": "Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola .", "spans": {"Organization: BlackOasis": [[11, 21]]}, "info": {"id": 
"dnrti_train_001087", "source": "dnrti_train"}} {"text": "Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"Organization: activity groups": [[12, 27]], "Organization: PROMETHIUM": [[107, 117]], "Organization: NEODYMIUM": [[122, 131]]}, "info": {"id": "dnrti_train_001088", "source": "dnrti_train"}} {"text": "A cursory review of BlackOasis ' espionage campaign suggests there is some overlap between the group 's actions and Saudi Arabia 's geopolitical interests .", "spans": {"Organization: BlackOasis": [[20, 30]], "Organization: group": [[95, 100]]}, "info": {"id": "dnrti_train_001089", "source": "dnrti_train"}} {"text": "Kaspersky 's research notes that BlackOasis hacked into computers based in Saudi Arabia .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis": [[33, 43]]}, "info": {"id": "dnrti_train_001090", "source": "dnrti_train"}} {"text": "All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways : economically ; from a national security perspective ; or due to established policy agreements .", "spans": {"Organization: Kaspersky": [[23, 32]]}, "info": {"id": "dnrti_train_001091", "source": "dnrti_train"}} {"text": "The Operation Aurora , named by McAfee and announced in January 2010 , and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent .", "spans": {"Organization: McAfee": [[32, 38]], "Organization: WikiLeaks": [[79, 88]]}, "info": {"id": "dnrti_train_001092", "source": "dnrti_train"}} {"text": "These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote 
administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {"Malware: remote administration tools": [[199, 226]], "Malware: RATs": [[229, 233]]}, "info": {"id": "dnrti_train_001093", "source": "dnrti_train"}} {"text": "Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {"Organization: Night Dragon": [[0, 12]], "Malware: remote administration tools": [[209, 236]], "Malware: RATs": [[239, 243]]}, "info": {"id": "dnrti_train_001094", "source": "dnrti_train"}} {"text": "We have identified the tools , techniques , and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China .", "spans": {"Organization: Night Dragon—as": [[121, 136]]}, "info": {"id": "dnrti_train_001095", "source": "dnrti_train"}} {"text": "Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"Organization: Attackers": [[0, 9]], "Organization: petrochemical companies": [[210, 233]], "Organization: executives": [[263, 273]]}, "info": {"id": "dnrti_train_001096", "source": "dnrti_train"}} {"text": "Attackers using several locations in China have leveraged C&C servers on purchased hosted services in 
the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"Organization: Attackers": [[0, 9]], "Organization: petrochemical companies": [[210, 233]], "Organization: executives": [[263, 273]]}, "info": {"id": "dnrti_train_001097", "source": "dnrti_train"}} {"text": "The primary operational technique used by Night Dragon comprised a variety of hacker tools , including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker .", "spans": {"Organization: Night Dragon": [[42, 54]], "Malware: RAT tools": [[138, 147]], "Organization: attacker": [[213, 221]]}, "info": {"id": "dnrti_train_001098", "source": "dnrti_train"}} {"text": "While Night Dragon attacks focused specifically on the energy sector , the tools and techniques of this kind can be highly successful when targeting any industry .", "spans": {"Organization: energy sector": [[55, 68]]}, "info": {"id": "dnrti_train_001099", "source": "dnrti_train"}} {"text": "In addition , the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums .", "spans": {"Organization: attackers": [[18, 27]]}, "info": {"id": "dnrti_train_001100", "source": "dnrti_train"}} {"text": "We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign , a campaign Unit 42 has been following since May 2016 .", "spans": {"Organization: actors": [[91, 97]], "Organization: Unit 42": [[154, 161]]}, "info": {"id": "dnrti_train_001101", "source": "dnrti_train"}} {"text": "Recently we were able to observe these actors making modifications to their Clayslide delivery documents in an attempt to evade antivirus detection .", 
"spans": {"Organization: actors": [[39, 45]], "Malware: Clayslide delivery documents": [[76, 104]]}, "info": {"id": "dnrti_train_001102", "source": "dnrti_train"}} {"text": "We collected two sets of Clayslide samples that appear to be created during the OilRig actor 's development phase of their attack lifecycle .", "spans": {"Malware: Clayslide samples": [[25, 42]], "Organization: OilRig actor": [[80, 92]]}, "info": {"id": "dnrti_train_001103", "source": "dnrti_train"}} {"text": "On November 15 , 2016 , an actor related to the OilRig campaign began testing the Clayslide delivery documents .", "spans": {"Organization: actor": [[27, 32]], "Malware: Clayslide delivery documents": [[82, 110]]}, "info": {"id": "dnrti_train_001104", "source": "dnrti_train"}} {"text": "The actor then made subtle modifications to the file and uploaded the newly created file to the same popular antivirus testing website in order to determine how to evade detection .", "spans": {"Organization: actor": [[4, 9]]}, "info": {"id": "dnrti_train_001105", "source": "dnrti_train"}} {"text": "In addition to making changes to the Excel worksheets that contain the decoy content , the actor also made changes to the worksheet that is initially displayed to the user .", "spans": {"System: Excel worksheets": [[37, 53]], "Organization: actor": [[91, 96]]}, "info": {"id": "dnrti_train_001106", "source": "dnrti_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"Organization: OilRig": [[65, 71]], "Malware: Clayslide delivery documents": [[79, 107]]}, "info": {"id": "dnrti_train_001107", "source": "dnrti_train"}} {"text": "This realization suggests that the OilRig threat group will continue to 
use their delivery documents for extended periods with subtle modifications to remain effective .", "spans": {"Organization: OilRig": [[35, 41]], "Organization: threat group": [[42, 54]], "Malware: delivery documents": [[82, 100]]}, "info": {"id": "dnrti_train_001108", "source": "dnrti_train"}} {"text": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015 .", "spans": {"Organization: OilRig": [[21, 27]]}, "info": {"id": "dnrti_train_001109", "source": "dnrti_train"}} {"text": "In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors , several financial institutes , and the Israeli Post Office .", "spans": {"Malware: VPN Web Portal": [[37, 51]], "Organization: IT vendors": [[87, 97]], "Organization: financial institutes": [[108, 128]], "Organization: Israeli Post Office": [[139, 158]]}, "info": {"id": "dnrti_train_001110", "source": "dnrti_train"}} {"text": "In these websites they hosted malware that was digitally signed with a valid , likely stolen code signing certificate .", "spans": {"Malware: stolen code signing certificate": [[86, 117]]}, "info": {"id": "dnrti_train_001111", "source": "dnrti_train"}} {"text": "In December 2015 , Symantec published a post about \" two Iran-based attack groups that appear to be connected , Cadelle and Chafer \" that \" have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations \" .", "spans": {"Organization: Symantec": [[19, 27]], "Organization: attack groups": [[68, 81]], "Organization: Cadelle": [[112, 119]], "Organization: Chafer": [[124, 130]], "Malware: Backdoor.Cadelspy": [[156, 173]], "Malware: Backdoor.Remexi": [[178, 193]]}, "info": {"id": "dnrti_train_001112", "source": "dnrti_train"}} {"text": "In May 2016 , Unit 42 observed attacks of OilRig primarily focused on financial institutions and technology organizations within Saudi Arabia 
.", "spans": {"Organization: Unit 42": [[14, 21]], "Organization: OilRig": [[42, 48]], "Organization: financial institutions": [[70, 92]], "Organization: technology organizations": [[97, 121]]}, "info": {"id": "dnrti_train_001113", "source": "dnrti_train"}} {"text": "In recent OilRig attacks , the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks .", "spans": {"Organization: threat actors": [[31, 44]], "Organization: legitimate service providers": [[59, 87]]}, "info": {"id": "dnrti_train_001114", "source": "dnrti_train"}} {"text": "The campaign appears highly targeted and delivers a backdoor we have called ' Helminth ' .", "spans": {"Malware: Helminth": [[78, 86]]}, "info": {"id": "dnrti_train_001115", "source": "dnrti_train"}} {"text": "Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia , which appears to be related to an earlier wave of attacks carried out in the fall of 2015 .", "spans": {}, "info": {"id": "dnrti_train_001116", "source": "dnrti_train"}} {"text": "In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia .", "spans": {"Organization: Unit 42": [[14, 21]], "System: spear-phishing emails with attachments": [[58, 96]], "System: Excel spreadsheets": [[122, 140]], "Organization: financial organizations": [[149, 172]]}, "info": {"id": "dnrti_train_001117", "source": "dnrti_train"}} {"text": "Over the course of the attack campaign , we have observed two different variations of the Helminth backdoor , one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable .", "spans": {"Malware: Helminth backdoor": [[90, 107]], "System: Excel 
spreadsheets": [[187, 205]], "System: Windows executable": [[233, 251]]}, "info": {"id": "dnrti_train_001118", "source": "dnrti_train"}} {"text": "FireEye also reported on these attacks in a May 22 blog post .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_train_001119", "source": "dnrti_train"}} {"text": "The executable variant of Helminth is installed with a dropper Trojan that we are tracking as the HerHer Trojan .", "spans": {"Malware: Helminth": [[26, 34]], "Malware: dropper Trojan": [[55, 69]], "Malware: HerHer Trojan": [[98, 111]]}, "info": {"id": "dnrti_train_001120", "source": "dnrti_train"}} {"text": "The Helminth executable variant is very similar in functionality to its script-based counterpart , as it also communicates with its C2 server using both HTTP and DNS queries .", "spans": {"Malware: Helminth": [[4, 12]], "Malware: HTTP": [[153, 157]], "Malware: DNS": [[162, 165]]}, "info": {"id": "dnrti_train_001121", "source": "dnrti_train"}} {"text": "Helminth executable samples send artifacts within network beacons to its C2 server that the Trojan refers to as a ' Group ' and ' Name ' .", "spans": {"Malware: Helminth": [[0, 8]], "System: network beacons": [[50, 65]]}, "info": {"id": "dnrti_train_001122", "source": "dnrti_train"}} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"Organization: group": [[20, 25]]}, "info": {"id": "dnrti_train_001123", "source": "dnrti_train"}} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"Organization: group": [[20, 25]]}, "info": {"id": "dnrti_train_001124", "source": "dnrti_train"}} {"text": "This suggests that the threat actors are not only 
focused on financial organizations , as their target set could include other industries as well .", "spans": {"Organization: threat actors": [[23, 36]], "Organization: financial organizations": [[61, 84]]}, "info": {"id": "dnrti_train_001125", "source": "dnrti_train"}} {"text": "The email address edmundj@chmail.ir and the geolocation of Tehran , Iran , being of note .", "spans": {}, "info": {"id": "dnrti_train_001126", "source": "dnrti_train"}} {"text": "The registrant information for kernel.ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle.org was the same used for mydomain1607.com , chmail.ir .", "spans": {"Organization: email provider": [[92, 106]]}, "info": {"id": "dnrti_train_001127", "source": "dnrti_train"}} {"text": "The mydomain1110.com domain did not appear to reuse any of the previously observed WHOIS data artifacts , but did still give a geolocation of Tehran in addition to the use of an email address linked to other domains thematically similar to the know command and control domains and are potentially related .", "spans": {}, "info": {"id": "dnrti_train_001128", "source": "dnrti_train"}} {"text": "While researching the OilRig campaign , we have seen two waves of targeted attacks on Saudi Arabian organizations in which a group of threat actors delivered the Helminth Trojan as a payload .", "spans": {"Organization: group": [[125, 130]], "Organization: threat actors": [[134, 147]], "System: Helminth Trojan": [[162, 177]]}, "info": {"id": "dnrti_train_001129", "source": "dnrti_train"}} {"text": "The two variants of Helminth do require different delivery methods , with the script variant relying on an Excel spreadsheet for delivery , while the executable variant is more traditional in the fact that it can be installed without a delivery document .", "spans": {"Malware: Helminth": [[20, 28]], "System: Excel spreadsheet": [[107, 124]], "System: executable variant": [[150, 168]]}, "info": {"id": 
"dnrti_train_001130", "source": "dnrti_train"}} {"text": "Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity .", "spans": {"Organization: group": [[106, 111]]}, "info": {"id": "dnrti_train_001131", "source": "dnrti_train"}} {"text": "Additionally , the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia , but also a company in Qatar and government organizations in Turkey , Israel and the United States .", "spans": {"Organization: group": [[59, 64]], "Organization: government organizations": [[166, 190]]}, "info": {"id": "dnrti_train_001132", "source": "dnrti_train"}} {"text": "The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims .", "spans": {"Organization: group": [[4, 9]], "System: spear-phishing emails": [[59, 80]], "System: Microsoft Excel documents": [[96, 121]]}, "info": {"id": "dnrti_train_001133", "source": "dnrti_train"}} {"text": "In addition to these instances , multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth samples earlier this year .", "spans": {"Organization: Qatari organizations": [[42, 62]], "Malware: Helminth samples": [[115, 131]]}, "info": {"id": "dnrti_train_001134", "source": "dnrti_train"}} {"text": "While the malware deployed is not terribly sophisticated , it uses techniques such as DNS command and control ( C2 ) that allows it to stay under the radar at many establishments .", "spans": {"System: DNS command and control": [[86, 109]]}, "info": {"id": "dnrti_train_001135", "source": "dnrti_train"}} {"text": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: Microsoft": [[23, 32]], "Vulnerability: CVE-2017-11882": [[52, 66]], "Organization: FireEye": [[87, 94]], "Organization: attacker": [[107, 115]], "Vulnerability: Microsoft Office vulnerability": [[141, 171]], "Organization: government organization": [[184, 207]]}, "info": {"id": "dnrti_train_001136", "source": "dnrti_train"}} {"text": "We assess this activity was carried out by a suspected Iranian cyber espionage threat group , whom we refer to as APT34 , using a custom PowerShell backdoor to achieve its objectives .", "spans": {"Organization: cyber espionage threat group": [[63, 91]], "Organization: APT34": [[114, 119]], "Malware: custom PowerShell backdoor": [[130, 156]]}, "info": {"id": "dnrti_train_001137", "source": "dnrti_train"}} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": {"Organization: threat group": [[5, 17]]}, "info": {"id": "dnrti_train_001138", "source": "dnrti_train"}} {"text": "We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": {"Organization: APT34": [[15, 20]]}, "info": {"id": "dnrti_train_001139", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts , sometimes coupled with social engineering tactics .", "spans": {"Organization: APT34": [[0, 5]], "Malware: public and non-public tools": [[20, 47]], "System: spear phishing operations": [[67, 92]], "Malware: compromised accounts": [[99, 119]], 
"System: social engineering tactics": [[145, 171]]}, "info": {"id": "dnrti_train_001140", "source": "dnrti_train"}} {"text": "We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 .", "spans": {"Organization: APT34": [[11, 16]]}, "info": {"id": "dnrti_train_001141", "source": "dnrti_train"}} {"text": "In May 2016 , we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware .", "spans": {"Malware: POWBAT malware": [[162, 176]]}, "info": {"id": "dnrti_train_001142", "source": "dnrti_train"}} {"text": "In July 2017 , we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER , based on strings within the malware .", "spans": {"Organization: APT34": [[27, 32]], "Malware: PowerShell-based backdoor": [[78, 103]], "Malware: POWRUNER": [[117, 125]], "Malware: BONDUPDATER": [[203, 214]]}, "info": {"id": "dnrti_train_001143", "source": "dnrti_train"}} {"text": "APT34 loosely aligns with public reporting related to the group \" OilRig \" .", "spans": {"Organization: APT34": [[0, 5]], "Organization: group": [[58, 63]], "Organization: OilRig": [[66, 72]]}, "info": {"id": "dnrti_train_001144", "source": "dnrti_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, "info": {"id": "dnrti_train_001145", "source": "dnrti_train"}} {"text": "In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": {"Organization: APT34": [[26, 31]], "Vulnerability: Microsoft Office 
vulnerability": [[53, 83]], "Vulnerability: CVE-2017-11882": [[84, 98]], "Malware: POWRUNER": [[109, 117]], "Malware: BONDUPDATER": [[122, 133]]}, "info": {"id": "dnrti_train_001146", "source": "dnrti_train"}} {"text": "The vulnerability was patched by Microsoft on Nov 14 , 2017 .", "spans": {"Organization: Microsoft": [[33, 42]]}, "info": {"id": "dnrti_train_001147", "source": "dnrti_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"Malware: Equation Editor": [[36, 51]], "Malware: EQNEDT32.EXE": [[54, 66]]}, "info": {"id": "dnrti_train_001148", "source": "dnrti_train"}} {"text": "During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": {"Organization: APT34": [[29, 34]], "Vulnerability: CVE-2017-0199": [[125, 138]], "Vulnerability: CVE-2017-11882": [[143, 157]]}, "info": {"id": "dnrti_train_001149", "source": "dnrti_train"}} {"text": "The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": {"Organization: OilRig group": [[4, 16]], "Organization: APT34": [[23, 28]], "Organization: Helix Kitten": [[31, 43]], "Organization: espionage": [[75, 84]]}, "info": {"id": "dnrti_train_001150", "source": "dnrti_train"}} {"text": "We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region .", "spans": {"Organization: APT34": [[10, 15]]}, "info": {"id": "dnrti_train_001151", "source": "dnrti_train"}} {"text": "The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": {"Organization: OilRig group": [[4, 16]], "Organization: APT34": 
[[23, 28]], "Organization: Helix Kitten": [[31, 43]], "Organization: espionage": [[75, 84]]}, "info": {"id": "dnrti_train_001152", "source": "dnrti_train"}} {"text": "We first discovered this group in mid-2016 , although it is possible their operations extends earlier than that time frame .", "spans": {"Organization: group": [[25, 30]]}, "info": {"id": "dnrti_train_001153", "source": "dnrti_train"}} {"text": "Between May and June 2018 , Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East .", "spans": {"Organization: Unit 42": [[28, 35]], "Organization: OilRig group": [[69, 81]], "Organization: government agency": [[112, 129]]}, "info": {"id": "dnrti_train_001154", "source": "dnrti_train"}} {"text": "The use of script-based backdoors is a common technique used by the OilRig group as we have previously documented .", "spans": {"Malware: script-based backdoors": [[11, 33]], "Organization: OilRig group": [[68, 80]]}, "info": {"id": "dnrti_train_001155", "source": "dnrti_train"}} {"text": "The attacks delivered a PowerShell backdoor called QUADAGENT , a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye .", "spans": {"Malware: PowerShell backdoor": [[24, 43]], "Malware: QUADAGENT": [[51, 60]], "Organization: OilRig group": [[88, 100]], "Organization: ClearSky Cyber Security": [[109, 132]], "Organization: FireEye": [[137, 144]]}, "info": {"id": "dnrti_train_001156", "source": "dnrti_train"}} {"text": "A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation .", "spans": {"Organization: OilRig group": [[58, 70]], "Malware: QUADAGENT samples": [[80, 97]], "Malware: Invoke-Obfuscation": [[160, 178]]}, "info": {"id": "dnrti_train_001157", "source": "dnrti_train"}} {"text": "All three waves involved a single spear phishing email that appeared to originate from 
a government agency based in the Middle East .", "spans": {"System: spear phishing email": [[34, 54]], "Organization: government agency": [[89, 106]]}, "info": {"id": "dnrti_train_001158", "source": "dnrti_train"}} {"text": "This latest attack consisted of three waves between May and June 2018 .", "spans": {}, "info": {"id": "dnrti_train_001159", "source": "dnrti_train"}} {"text": "The OilRig group continues to be a persistent adversary group in the Middle East region .", "spans": {"Organization: OilRig group": [[4, 16]], "Organization: group": [[56, 61]]}, "info": {"id": "dnrti_train_001160", "source": "dnrti_train"}} {"text": "APT34 are involved in long-term cyber espionage operations largely focused on the Middle East .", "spans": {"Organization: APT34": [[0, 5]]}, "info": {"id": "dnrti_train_001161", "source": "dnrti_train"}} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications .", "spans": {"Organization: threat group": [[5, 17]]}, "info": {"id": "dnrti_train_001162", "source": "dnrti_train"}} {"text": "Recent investigations by FireEye 's Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of a suspected Iranian threat group , that we believe has been operating since at least 2014 .", "spans": {"Organization: FireEye 's Mandiant": [[25, 44]], "Organization: FireEye iSIGHT Threat Intelligence": [[89, 123]], "Organization: threat group": [[194, 206]]}, "info": {"id": "dnrti_train_001163", "source": "dnrti_train"}} {"text": "Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs .", "spans": {"Organization: threat group": [[45, 57]], "Organization: Iranian Government": [[104, 122]]}, "info": {"id": "dnrti_train_001164", 
"source": "dnrti_train"}} {"text": "On January 8 , 2018 , Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East .", "spans": {"Organization: Unit 42": [[22, 29]], "Organization: OilRig": [[43, 49]], "Organization: threat group": [[50, 62]], "Organization: insurance agency": [[89, 105]]}, "info": {"id": "dnrti_train_001165", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts from trusted third parties , sometimes coupled with social engineering tactics .", "spans": {"Organization: APT34": [[0, 5]], "Malware: public and non-public tools": [[20, 47]], "System: spear phishing operations": [[67, 92]], "Malware: compromised accounts": [[99, 119]], "System: social engineering tactics": [[172, 198]]}, "info": {"id": "dnrti_train_001166", "source": "dnrti_train"}} {"text": "Just over a week later , on January 16 , 2018 , we observed an attack on a Middle Eastern financial institution .", "spans": {"Organization: financial institution": [[90, 111]]}, "info": {"id": "dnrti_train_001167", "source": "dnrti_train"}} {"text": "The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": {"Malware: ThreeDollars delivery document": [[43, 73]], "Organization: OilRig": [[111, 117]]}, "info": {"id": "dnrti_train_001168", "source": "dnrti_train"}} {"text": "However , the attack on January 16 did not involve ThreeDollars at all .", "spans": {"Malware: ThreeDollars": [[51, 63]]}, "info": {"id": "dnrti_train_001169", "source": "dnrti_train"}} {"text": "Interestingly , the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017 .", "spans": {"Organization: OilRig group": [[100, 112]]}, "info": {"id": "dnrti_train_001170", "source": "dnrti_train"}} 
{"text": "Instead , OilRig 's attack involved delivering the OopsIE Trojan directly to the victim , most likely using a link in a spear phishing email .", "spans": {"Organization: OilRig": [[10, 16]], "Malware: OopsIE Trojan": [[51, 64]], "System: spear phishing email": [[120, 140]]}, "info": {"id": "dnrti_train_001171", "source": "dnrti_train"}} {"text": "In the January 16 , 2018 attack , we observed OilRig attacking an organization it previously targeted in January 2017 .", "spans": {}, "info": {"id": "dnrti_train_001172", "source": "dnrti_train"}} {"text": "On January 8 , 2018 , the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East .", "spans": {"Organization: OilRig": [[26, 32]], "Organization: threat group": [[33, 45]], "System: email": [[54, 59]], "Organization: insurance agency": [[119, 135]]}, "info": {"id": "dnrti_train_001173", "source": "dnrti_train"}} {"text": "The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": {"System: email": [[4, 9]], "Malware: Seminar-Invitation.doc": [[40, 62]], "Malware: Microsoft Word": [[86, 100]], "Malware: ThreeDollars": [[122, 134]]}, "info": {"id": "dnrti_train_001174", "source": "dnrti_train"}} {"text": "This suggests that due to the January 2017 attack , the targeted organization may have taken actions to counter known OilRig TTPs , in this case delivering malicious macro documents , causing the OilRig operators to adopt a different delivery tactic .", "spans": {"Organization: OilRig": [[118, 124], [196, 202]], "Organization: operators": [[203, 212]]}, "info": {"id": "dnrti_train_001175", "source": "dnrti_train"}} {"text": "We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": {"Malware: ThreeDollars": [[37, 49]], "Malware: preparation.dot": [[109, 124]]}, "info": 
{"id": "dnrti_train_001176", "source": "dnrti_train"}} {"text": "The samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we analyzed in October 2017 , down to the lure image used to trick the recipient into clicking the \" Enable Content \" button to execute the malicious macro .", "spans": {"Malware: ThreeDollars": [[15, 27]]}, "info": {"id": "dnrti_train_001177", "source": "dnrti_train"}} {"text": "Since May 2016 , we have continued to monitor and uncover various attacks and tools associated with the OilRig group .", "spans": {"Organization: OilRig group": [[104, 116]]}, "info": {"id": "dnrti_train_001178", "source": "dnrti_train"}} {"text": "] com , which we previously identified in October 2017 to be an OilRig C2 .", "spans": {"Organization: OilRig": [[64, 70]]}, "info": {"id": "dnrti_train_001179", "source": "dnrti_train"}} {"text": "Based on previously observed tactics , it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks .", "spans": {"Organization: OilRig group": [[63, 75]], "Malware: credential harvesting": [[86, 107]], "Malware: compromised accounts": [[112, 132]], "Organization: government agency": [[144, 161]]}, "info": {"id": "dnrti_train_001180", "source": "dnrti_train"}} {"text": "Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain , msoffice-cdn.com which we identified in August 2017 .", "spans": {"Organization: OilRig": [[112, 118]]}, "info": {"id": "dnrti_train_001181", "source": "dnrti_train"}} {"text": "We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": {"Malware: ThreeDollars document": [[83, 104]]}, "info": {"id": "dnrti_train_001182", "source": "dnrti_train"}} {"text": "The OilRig group 
continues to remain a highly active adversary in the Middle East region .", "spans": {"Organization: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_001183", "source": "dnrti_train"}} {"text": "Organizations detected a compromise themselves in 62% of the cases that Mandiant worked in 2017 .", "spans": {"Organization: Mandiant": [[72, 80]]}, "info": {"id": "dnrti_train_001184", "source": "dnrti_train"}} {"text": "The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_001185", "source": "dnrti_train"}} {"text": "Repeated targeting of Middle Eastern financial , energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34 .", "spans": {"Organization: financial": [[37, 46]], "Organization: energy": [[49, 55]], "Organization: government organizations": [[60, 84]], "Organization: FireEye": [[91, 98]], "Organization: APT34": [[153, 158]]}, "info": {"id": "dnrti_train_001186", "source": "dnrti_train"}} {"text": "The use of infrastructure tied to Iranian operations , timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government .", "spans": {"Organization: FireEye": [[122, 129]], "Organization: APT34": [[145, 150]]}, "info": {"id": "dnrti_train_001187", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools ( Fig.2 ) and often uses compromised accounts to conduct spear-phishing operations .", "spans": {"Organization: APT34": [[0, 5]], "Malware: public and non-public tools": [[20, 47]], "Malware: compromised accounts": [[73, 93]], "System: spear-phishing": [[105, 119]]}, "info": {"id": "dnrti_train_001188", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER 
and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"Organization: APT34": [[19, 24]], "Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Malware: POWRUNER": [[95, 103]], "Malware: BONDUPDATER": [[108, 119]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_001189", "source": "dnrti_train"}} {"text": "Unit 42 's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East .", "spans": {"Organization: Unit 42": [[0, 7]], "Organization: threat actors": [[68, 81]]}, "info": {"id": "dnrti_train_001190", "source": "dnrti_train"}} {"text": "When we first discovered the OilRig attack campaign in May 2016 , we believed at the time it was a unique attack campaign likely operated by a known , existing threat group .", "spans": {"Organization: threat group": [[160, 172]]}, "info": {"id": "dnrti_train_001191", "source": "dnrti_train"}} {"text": "The email address is associated with the Lebanese domain of a major global financial institution .", "spans": {"Organization: financial institution": [[75, 96]]}, "info": {"id": "dnrti_train_001192", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: malicious RTF": [[31, 44]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_001193", "source": "dnrti_train"}} {"text": "In July 2017 , we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks .", "spans": {"Organization: OilRig group": [[31, 43]], "Malware: ISMAgent": [[79, 87]]}, "info": {"id": "dnrti_train_001194", "source": "dnrti_train"}} {"text": "In August 2017 , we found this threat group has developed yet another Trojan that they call ' 
Agent Injector ' with the specific purpose of installing the ISMAgent backdoor .", "spans": {"Organization: threat group": [[31, 43]], "Malware: ISMAgent backdoor": [[155, 172]]}, "info": {"id": "dnrti_train_001195", "source": "dnrti_train"}} {"text": "On August 23 , 2017 , we observed OilRig targeting an organization within the United Arab Emirates government .", "spans": {"Organization: OilRig": [[34, 40]]}, "info": {"id": "dnrti_train_001196", "source": "dnrti_train"}} {"text": "Based on that research and this observation , we postulate that the OilRig group gathered credentials to a legitimate user 's OWA account and logged into the user 's account to send phishing attacks to other individuals within the same , targeted organization .", "spans": {"Organization: OilRig group": [[68, 80]]}, "info": {"id": "dnrti_train_001197", "source": "dnrti_train"}} {"text": "The OilRig group continues to target organizations in the Middle East , in this instance targeting the government of the United Arab Emirates .", "spans": {"Organization: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_001198", "source": "dnrti_train"}} {"text": "The payload embedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company .", "spans": {"Malware: ISMInjector sample": [[32, 50]], "Malware: ISMAgent backdoor": [[96, 113]], "Organization: technology company": [[206, 224]]}, "info": {"id": "dnrti_train_001199", "source": "dnrti_train"}} {"text": "Initial inspection of this attack suggested this was again the OilRig campaign using their existing toolset , but further examination revealed not only new variants of the delivery document we named Clayslide , but also a different payload embedded inside it .", "spans": {"Malware: Clayslide": [[199, 208]]}, "info": {"id": "dnrti_train_001200", "source": "dnrti_train"}} {"text": "In July 2017 , we 
observed an attack on a Middle Eastern technology organization that was also targeted by the OilRig campaign in August 2016 .", "spans": {"Organization: technology organization": [[57, 80]]}, "info": {"id": "dnrti_train_001201", "source": "dnrti_train"}} {"text": "This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks .", "spans": {"Malware: Clayslide documents": [[40, 59]], "System: Helminth Trojan": [[96, 111]]}, "info": {"id": "dnrti_train_001202", "source": "dnrti_train"}} {"text": "In the past , we had primarily associated the OilRig campaign with using the Clayslide documents to deliver as a payload a Trojan we named Helminth ; in this instance , the payload was instead a variant of the ISMDoor Trojan with significant modifications which we are now tracking as ISMAgent .", "spans": {"Malware: Clayslide documents": [[77, 96]], "Malware: Helminth": [[139, 147]], "Malware: ISMDoor Trojan": [[210, 224]], "Malware: ISMAgent": [[285, 293]]}, "info": {"id": "dnrti_train_001203", "source": "dnrti_train"}} {"text": "The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": {"Malware: Clayslide": [[24, 33]], "Malware: OfficeServicesStatus.vbs file": [[53, 82]], "Malware: ISMAgent Clayslide document": [[96, 123]]}, "info": {"id": "dnrti_train_001204", "source": "dnrti_train"}} {"text": "Clearly , OilRig incorporates a testing component within their development process , as we have previously observed OilRig performing testing activities on their delivery documents and their TwoFace webshells .", "spans": {"Organization: OilRig": [[10, 16], [116, 122]], "Malware: delivery documents": [[162, 180]], 
"Malware: TwoFace webshells": [[191, 208]]}, "info": {"id": "dnrti_train_001205", "source": "dnrti_train"}} {"text": "While continuing research on the August 2018 attacks on a Middle eastern government that delivered BONDUPDATER , Unit 42 researchers observed OilRig 's testing activities and with high confidence links this testing to the creation of the weaponized delivery document used in this attack .", "spans": {"Malware: BONDUPDATER": [[99, 110]], "Organization: Unit 42": [[113, 120]], "Organization: OilRig": [[142, 148]]}, "info": {"id": "dnrti_train_001206", "source": "dnrti_train"}} {"text": "While investigating recent attacks performed by the threat actor group OilRig using their new Bondupdater version , Unit 42 researchers searched for additional Microsoft Office documents used by OilRig hoping to locate additional malware being used in other attacks during the same time period .", "spans": {"Organization: threat actor group OilRig": [[52, 77]], "Malware: Bondupdater": [[94, 105]], "Organization: Unit 42": [[116, 123]], "Organization: OilRig": [[195, 201]]}, "info": {"id": "dnrti_train_001207", "source": "dnrti_train"}} {"text": "The tester created the final test file less than 8 hours before the creation time of a delivery document , which was then delivered via a spear-phishing email 20 minutes later .", "spans": {"System: spear-phishing email": [[138, 158]]}, "info": {"id": "dnrti_train_001208", "source": "dnrti_train"}} {"text": "During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls .", "spans": {"Malware: XLS-withyourface.xls": [[139, 159]], "Malware: XLS-withyourface – test.xls": [[164, 191]]}, "info": {"id": "dnrti_train_001209", "source": "dnrti_train"}} {"text": "These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the 
delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": {"Organization: OilRig": [[47, 53]], "Malware: N56.15.doc": [[239, 249]]}, "info": {"id": "dnrti_train_001210", "source": "dnrti_train"}} {"text": "However , they later continued by making modifications to the Excel document just prior to the attack on August 26th .", "spans": {"System: Excel document": [[62, 76]]}, "info": {"id": "dnrti_train_001211", "source": "dnrti_train"}} {"text": "HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals .", "spans": {"Organization: HELIX KITTEN": [[0, 12]], "Organization: group": [[50, 55]]}, "info": {"id": "dnrti_train_001212", "source": "dnrti_train"}} {"text": "Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": {"Organization: HELIX KITTEN actors": [[15, 34]], "System: spear-phishing": [[108, 122]], "Organization: personnel": [[170, 179]]}, "info": {"id": "dnrti_train_001213", "source": "dnrti_train"}} {"text": "In addition to Helminth , the ISMDoor implant is likely used by the Iran-based adversary to attack targets particularly those in the Middle East region .", "spans": {"Malware: Helminth": [[15, 23]], "Malware: ISMDoor": [[30, 37]]}, "info": {"id": "dnrti_train_001214", "source": "dnrti_train"}} {"text": "These incidents involved spear-phishing attacks , which characteristic of HELIX KITTEN , included emails containing malicious PowerShell in their macros that connects to known C2 infrastructure .", "spans": {"Organization: HELIX KITTEN": [[74, 86]], "System: emails": [[98, 104]], "Malware: 
PowerShell": [[126, 136]]}, "info": {"id": "dnrti_train_001215", "source": "dnrti_train"}} {"text": "During the summer of 2018 , HELIX KITTEN actors were observed targeting entities in the Middle East — of note , targets appeared to be located in Bahrain and Kuwait .", "spans": {"Organization: HELIX KITTEN actors": [[28, 47]]}, "info": {"id": "dnrti_train_001216", "source": "dnrti_train"}} {"text": "ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine .", "spans": {"Malware: ISMDoor": [[0, 7]]}, "info": {"id": "dnrti_train_001217", "source": "dnrti_train"}} {"text": "In early November 2018 , CrowdStrike observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical .", "spans": {"Organization: CrowdStrike": [[25, 36]], "Organization: HELIX KITTEN": [[64, 76]]}, "info": {"id": "dnrti_train_001218", "source": "dnrti_train"}} {"text": "The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"Organization: attackers": [[4, 13]], "System: emails": [[28, 34]], "Malware: XLS files": [[60, 69]], "Organization: employees working in the banking sector": [[73, 112]]}, "info": {"id": "dnrti_train_001219", "source": "dnrti_train"}} {"text": "In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": {"Organization: FireEye 's DTI": [[32, 46]], "System: emails": [[68, 74]], "Malware: malicious attachments": [[86, 107]]}, "info": {"id": "dnrti_train_001220", "source": "dnrti_train"}} {"text": "Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations , as well as one financial and one educational institution .", "spans": {"Organization: actors": [[23, 29]], "Malware: RGDoor backdoor": [[48, 63]], 
"Organization: government organizations": [[112, 136]], "Organization: financial": [[154, 163]], "Organization: educational institution": [[172, 195]]}, "info": {"id": "dnrti_train_001221", "source": "dnrti_train"}} {"text": "In August 2018 , Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER .", "spans": {"Organization: Unit 42": [[17, 24]], "Organization: OilRig": [[34, 40]], "Organization: government organization": [[53, 76]], "System: spear-phishing emails": [[83, 104]], "Malware: BONDUPDATER": [[156, 167]]}, "info": {"id": "dnrti_train_001222", "source": "dnrti_train"}} {"text": "The OilRig group has been active since at least mid-2016 , and continues their attack campaigns throughout the Middle East , targeting both governmental agencies and businesses on an almost routine basis .", "spans": {"Organization: OilRig group": [[4, 16]], "Organization: governmental agencies": [[140, 161]]}, "info": {"id": "dnrti_train_001223", "source": "dnrti_train"}} {"text": "BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017 , when OilRig targeted a different Middle Eastern governmental organization .", "spans": {"Malware: BONDUPDATER": [[0, 11]], "Malware: PowerShell-based Trojan": [[17, 40]], "Organization: FireEye": [[61, 68]], "Organization: OilRig": [[97, 103]], "Organization: governmental organization": [[140, 165]]}, "info": {"id": "dnrti_train_001224", "source": "dnrti_train"}} {"text": "During the past month , Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware , which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications .", "spans": {"Organization: Unit 42": [[24, 31]], "Malware: BONDUPDATER malware": [[130, 149]], "Malware: DNS tunneling": [[213, 226]]}, "info": {"id": "dnrti_train_001225", "source": 
"dnrti_train"}} {"text": "The email had no subject and what initially drew our attention to OilRig 's attack was the content of the spear phishing email .", "spans": {"System: email": [[4, 9]], "Organization: OilRig": [[66, 72]], "System: spear phishing email": [[106, 126]]}, "info": {"id": "dnrti_train_001226", "source": "dnrti_train"}} {"text": "As expected , OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East .", "spans": {"Organization: OilRig": [[14, 20]]}, "info": {"id": "dnrti_train_001227", "source": "dnrti_train"}} {"text": "First identified in January 2015 , Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims .", "spans": {}, "info": {"id": "dnrti_train_001228", "source": "dnrti_train"}} {"text": "According to Symantec telemetry , almost 40 percent of Orangeworm 's confirmed victim organizations operate within the healthcare industry .", "spans": {"Organization: Symantec": [[13, 21]]}, "info": {"id": "dnrti_train_001229", "source": "dnrti_train"}} {"text": "Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"Organization: government office": [[116, 133]], "Malware: Word documents": [[188, 202]]}, "info": {"id": "dnrti_train_001230", "source": "dnrti_train"}} {"text": "Sowbug 's next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"Organization: Sowbug": [[0, 6]], "Organization: government office": [[120, 137]], "Malware: Word documents": [[192, 206]]}, "info": {"id": "dnrti_train_001231", "source": "dnrti_train"}} {"text": "For example , in September 2016 , Sowbug 
infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": {"Organization: Sowbug": [[34, 40]], "Malware: Felismus backdoor": [[93, 110]], "Malware: adobecms.exe": [[170, 182]], "Malware: CSIDL_WINDOWS\\debug": [[186, 205]]}, "info": {"id": "dnrti_train_001232", "source": "dnrti_train"}} {"text": "In this case , the attackers maintained a presence on the target 's network for nearly six months between September 2016 and March 2017 .", "spans": {}, "info": {"id": "dnrti_train_001233", "source": "dnrti_train"}} {"text": "In other attacks , there was evidence that Felismus was installed using a tool known as Starloader ( detected by Symantec as Trojan.Starloader ) .", "spans": {"Malware: Felismus": [[43, 51]], "Malware: Starloader": [[88, 98]], "Organization: Symantec": [[113, 121]], "Malware: Trojan.Starloader": [[125, 142]]}, "info": {"id": "dnrti_train_001234", "source": "dnrti_train"}} {"text": "Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Starloader files": [[31, 47]], "Malware: AdobeUpdate.exe": [[60, 75]], "Malware: AcrobatUpdate.exe": [[78, 95]], "Malware: INTELUPDATE.EXE": [[102, 117]]}, "info": {"id": "dnrti_train_001235", "source": "dnrti_train"}} {"text": "Additionally , Starloader was also observed deploying additional tools used by the attackers , such as credential dumpers and keyloggers .", "spans": {"Malware: Starloader": [[15, 25]], "Malware: credential dumpers": [[103, 121]], "Malware: keyloggers": [[126, 136]]}, "info": {"id": "dnrti_train_001236", "source": "dnrti_train"}} {"text": "ASERT has learned of an APT campaign , possibly originating from DPRK , we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018 .", "spans": {"Organization: ASERT": [[0, 
5]], "Organization: academic institutions": [[119, 140]]}, "info": {"id": "dnrti_train_001237", "source": "dnrti_train"}} {"text": "Once gaining a foothold on a user 's system , the threat actors behind STOLEN PENCIL use Microsoft 's Remote Desktop Protocol ( RDP ) for remote point-and-click access .", "spans": {"Organization: Microsoft": [[89, 98]], "Malware: Remote Desktop Protocol": [[102, 125]], "Malware: RDP": [[128, 131]]}, "info": {"id": "dnrti_train_001238", "source": "dnrti_train"}} {"text": "The group uses an advanced piece of malware known as Remsec ( Backdoor.Remsec ) to conduct its attacks .", "spans": {"Malware: Remsec": [[53, 59]], "Malware: Backdoor.Remsec": [[62, 77]]}, "info": {"id": "dnrti_train_001239", "source": "dnrti_train"}} {"text": "Strider has been active since at least October 2011 .", "spans": {"Organization: Strider": [[0, 7]]}, "info": {"id": "dnrti_train_001240", "source": "dnrti_train"}} {"text": "Lua modules is a technique that has previously been used by Flamer .", "spans": {"Malware: Lua modules": [[0, 11]]}, "info": {"id": "dnrti_train_001241", "source": "dnrti_train"}} {"text": "The Remsec malware used by Strider has a modular design .", "spans": {"Malware: Remsec malware": [[4, 18]], "Organization: Strider": [[27, 34]]}, "info": {"id": "dnrti_train_001242", "source": "dnrti_train"}} {"text": "The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state 's intelligence services .", "spans": {}, "info": {"id": "dnrti_train_001243", "source": "dnrti_train"}} {"text": "The group 's targets include a number of organizations and individuals located in Russia .", "spans": {}, "info": {"id": "dnrti_train_001244", "source": "dnrti_train"}} {"text": "Remsec uses a Lua interpreter to run Lua modules which perform various functions .", "spans": {"Malware: Remsec": [[0, 6]], "Malware: Lua interpreter": [[14, 29]], "Malware: Lua modules": [[37, 
48]]}, "info": {"id": "dnrti_train_001245", "source": "dnrti_train"}} {"text": "Russia .", "spans": {}, "info": {"id": "dnrti_train_001246", "source": "dnrti_train"}} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": {"Malware: cmd.exe": [[80, 87]]}, "info": {"id": "dnrti_train_001247", "source": "dnrti_train"}} {"text": "the group 's targets include an organization in Sweden .", "spans": {}, "info": {"id": "dnrti_train_001248", "source": "dnrti_train"}} {"text": "the group 's targets include an embassy in Belgium .", "spans": {"Organization: embassy": [[32, 39]]}, "info": {"id": "dnrti_train_001249", "source": "dnrti_train"}} {"text": "Symantec will continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Remsec modules": [[42, 56]], "Organization: Strider": [[113, 120]]}, "info": {"id": "dnrti_train_001250", "source": "dnrti_train"}} {"text": "Another such an exceptional espionage platform is \" ProjectSauron , also known as \" Strider \" .", "spans": {"Malware: ProjectSauron": [[52, 65]], "Organization: Strider": [[84, 91]]}, "info": {"id": "dnrti_train_001251", "source": "dnrti_train"}} {"text": "In September 2015 , our anti-targeted attack technologies caught a previously unknown attack .", "spans": {}, "info": {"id": "dnrti_train_001252", "source": "dnrti_train"}} {"text": "Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016 .", "spans": {}, "info": {"id": "dnrti_train_001253", "source": "dnrti_train"}} {"text": "After getting the IP , the ProjectSauron component tries to communicate with the remote server using its own ( ProjectSauron ) protocol as if it was yet another C&C server 
.", "spans": {"Malware: ProjectSauron": [[27, 40], [111, 124]]}, "info": {"id": "dnrti_train_001254", "source": "dnrti_train"}} {"text": "In a number of the cases we analyzed , ProjectSauron deployed malicious modules inside the custom network encryption 's software directory , disguised under similar filenames and accessing the data placed beside its own executable .", "spans": {"Malware: ProjectSauron": [[39, 52]], "Malware: malicious modules": [[62, 79]]}, "info": {"id": "dnrti_train_001255", "source": "dnrti_train"}} {"text": "The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods .", "spans": {"Malware: ProjectSauron": [[24, 37]]}, "info": {"id": "dnrti_train_001256", "source": "dnrti_train"}} {"text": "In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": {"Organization: Kaspersky Lab": [[20, 33]], "Malware: anomalous network traffic": [[78, 103]], "Organization: government organization": [[109, 132]]}, "info": {"id": "dnrti_train_001257", "source": "dnrti_train"}} {"text": "In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": {"Organization: Symantec": [[15, 23]], "Organization: customers": [[126, 135]]}, "info": {"id": "dnrti_train_001258", "source": "dnrti_train"}} {"text": "Secondary ProjectSauron modules are designed to perform specific functions like stealing documents , recording keystrokes , and hijacking encryption keys from both infected computers and attached USB sticks .", "spans": {"Malware: ProjectSauron modules": [[10, 31]], "System: stealing documents": [[80, 98]], "System: recording keystrokes": [[101, 121]], "System: hijacking encryption keys": [[128, 
153]]}, "info": {"id": "dnrti_train_001259", "source": "dnrti_train"}} {"text": "activity originated from three separate IP addresses , all located in Chengdu , China .", "spans": {}, "info": {"id": "dnrti_train_001260", "source": "dnrti_train"}} {"text": "We don't know the exact date Suckfly stole the certificates from the South Korean organizations .", "spans": {}, "info": {"id": "dnrti_train_001261", "source": "dnrti_train"}} {"text": "stolen certificates being used maliciously occurred in early 2014 .", "spans": {}, "info": {"id": "dnrti_train_001262", "source": "dnrti_train"}} {"text": "Symantec detects this threat as Backdoor.Nidiran .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Backdoor.Nidiran": [[32, 48]]}, "info": {"id": "dnrti_train_001263", "source": "dnrti_train"}} {"text": "Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": {"Vulnerability: Microsoft Windows OLE Remote Code Execution Vulnerability": [[87, 144]], "Vulnerability: CVE-2014-6332": [[147, 160]]}, "info": {"id": "dnrti_train_001264", "source": "dnrti_train"}} {"text": "The threat then executes \" svchost.exe \" .", "spans": {"Malware: svchost.exe": [[27, 38]]}, "info": {"id": "dnrti_train_001265", "source": "dnrti_train"}} {"text": "Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": {"Malware: malicious files": [[40, 55]], "Malware: iviewers.dll file": [[87, 104]], "Malware: DLL load hijacking": [[118, 136]]}, "info": {"id": "dnrti_train_001266", "source": "dnrti_train"}} {"text": "Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", 
"spans": {"Malware: Nidiran": [[33, 40]], "Malware: self-extracting executable": [[64, 90]], "Malware: .tmp": [[125, 129]]}, "info": {"id": "dnrti_train_001267", "source": "dnrti_train"}} {"text": "The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry .", "spans": {"Organization: companies": [[60, 69]]}, "info": {"id": "dnrti_train_001268", "source": "dnrti_train"}} {"text": "Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks .", "spans": {"Organization: Blackfly": [[0, 8]]}, "info": {"id": "dnrti_train_001269", "source": "dnrti_train"}} {"text": "In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates .", "spans": {"Organization: Symantec": [[16, 24]]}, "info": {"id": "dnrti_train_001270", "source": "dnrti_train"}} {"text": "Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly .", "spans": {}, "info": {"id": "dnrti_train_001271", "source": "dnrti_train"}} {"text": "The attacks targeted high-profile targets , including government and commercial organizations .", "spans": {"Organization: commercial organizations": [[69, 93]]}, "info": {"id": "dnrti_train_001272", "source": "dnrti_train"}} {"text": "these attacks were part of a planned operation against specific targets in India .", "spans": {}, "info": {"id": "dnrti_train_001273", "source": "dnrti_train"}} {"text": "While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"Malware: Backdoor.Nidiran": [[109, 125]]}, "info": {"id": "dnrti_train_001274", "source": "dnrti_train"}} {"text": 
"While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"Malware: Backdoor.Nidiran": [[109, 125]]}, "info": {"id": "dnrti_train_001275", "source": "dnrti_train"}} {"text": "The first known Suckfly campaign began in April of 2014 .", "spans": {}, "info": {"id": "dnrti_train_001276", "source": "dnrti_train"}} {"text": "Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India .", "spans": {"Organization: government organizations": [[22, 46]]}, "info": {"id": "dnrti_train_001277", "source": "dnrti_train"}} {"text": "It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have .", "spans": {}, "info": {"id": "dnrti_train_001278", "source": "dnrti_train"}} {"text": "Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts .", "spans": {"Malware: Nidiran back door": [[48, 65]], "Malware: hacktools": [[89, 98]]}, "info": {"id": "dnrti_train_001279", "source": "dnrti_train"}} {"text": "In 2015 , Suckfly conducted a multistage attack .", "spans": {}, "info": {"id": "dnrti_train_001280", "source": "dnrti_train"}} {"text": "Suckfly conducted a multistage attack between April 22 and May 4 .", "spans": {}, "info": {"id": "dnrti_train_001281", "source": "dnrti_train"}} {"text": "On April 22 , 2015 , Suckfly exploited a vulnerability on the targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack .", "spans": {"Malware: Nidiran back door": [[190, 207]]}, "info": {"id": "dnrti_train_001282", "source": "dnrti_train"}} {"text": "Suckfly conducted a 
multistage attack against an e-commerce organization .", "spans": {"Organization: e-commerce organization": [[49, 72]]}, "info": {"id": "dnrti_train_001283", "source": "dnrti_train"}} {"text": "Suckfly conducted a multistage attack against an e-commerce organization based in India .", "spans": {"Organization: e-commerce organization": [[49, 72]]}, "info": {"id": "dnrti_train_001284", "source": "dnrti_train"}} {"text": "Most of the group 's attacks are focused on government or technology related companies and organizations .", "spans": {"Organization: government": [[44, 54]], "Organization: technology related companies": [[58, 86]]}, "info": {"id": "dnrti_train_001285", "source": "dnrti_train"}} {"text": "While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": {"Malware: custom dropper": [[35, 49]]}, "info": {"id": "dnrti_train_001286", "source": "dnrti_train"}} {"text": "While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": {"Malware: hacktools": [[54, 63]]}, "info": {"id": "dnrti_train_001287", "source": "dnrti_train"}} {"text": "By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy .", "spans": {}, "info": {"id": "dnrti_train_001288", "source": "dnrti_train"}} {"text": "While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction .", "spans": {"Organization: commercial organizations": [[70, 94]], "Organization: government organizations": [[121, 145]]}, "info": {"id": "dnrti_train_001289", "source": "dnrti_train"}} {"text": "There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks .", "spans": {"Organization: government 
organizations": [[73, 97]]}, "info": {"id": "dnrti_train_001290", "source": "dnrti_train"}} {"text": "During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations .", "spans": {"Organization: companies": [[80, 89]], "Organization: government organizations": [[142, 166]]}, "info": {"id": "dnrti_train_001291", "source": "dnrti_train"}} {"text": "We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations .", "spans": {}, "info": {"id": "dnrti_train_001292", "source": "dnrti_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_train_001293", "source": "dnrti_train"}} {"text": "Proofpoint is tracking this attacker , believed to operate out of China , as TA459 .", "spans": {"Organization: Proofpoint": [[0, 10]], "Organization: TA459": [[77, 82]]}, "info": {"id": "dnrti_train_001294", "source": "dnrti_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], 
"Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_train_001295", "source": "dnrti_train"}} {"text": "TA549 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT .", "spans": {"Organization: TA549": [[0, 5]], "Malware: PlugX": [[52, 57]], "Malware: NetTraveler": [[60, 71]], "Malware: ZeroT": [[78, 83]]}, "info": {"id": "dnrti_train_001296", "source": "dnrti_train"}} {"text": "TA459 is well-known for targeting organizations in Russia and neighboring countries .", "spans": {"Organization: TA459": [[0, 5]]}, "info": {"id": "dnrti_train_001297", "source": "dnrti_train"}} {"text": "Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day .", "spans": {"Organization: TA459": [[41, 46]]}, "info": {"id": "dnrti_train_001298", "source": "dnrti_train"}} {"text": "Using data collected from the Trend Micro™ Smart Protection Network , we are able to identify victims whose networks communicated with Taidoor C&C servers .", "spans": {"Organization: Trend Micro™ Smart Protection Network": [[30, 67]], "Malware: Taidoor C&C servers": [[135, 154]]}, "info": {"id": "dnrti_train_001299", "source": "dnrti_train"}} {"text": "The Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 .", "spans": {}, "info": {"id": "dnrti_train_001300", "source": "dnrti_train"}} {"text": "Taidoor spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues .", "spans": {"System: socially engineered emails": [[65, 91]]}, "info": {"id": "dnrti_train_001301", "source": "dnrti_train"}} {"text": 
"Despite some exceptions , the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments .", "spans": {"Malware: IP": [[68, 70]], "System: socially engineered emails": [[128, 154]]}, "info": {"id": "dnrti_train_001302", "source": "dnrti_train"}} {"text": "One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government .", "spans": {}, "info": {"id": "dnrti_train_001303", "source": "dnrti_train"}} {"text": "Suckfly targeted one of India 's largest e-commerce companies , a major Indian shipping company , one of India 's largest financial organizations , and an IT firm that provides support for India 's largest stock exchange .", "spans": {"Organization: e-commerce companies": [[41, 61]], "Organization: shipping company": [[79, 95]], "Organization: financial organizations": [[122, 145]], "Organization: IT firm": [[155, 162]]}, "info": {"id": "dnrti_train_001304", "source": "dnrti_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: malicious.DOC": [[86, 99]], "Vulnerability: Microsoft Common Controls vulnerability": [[119, 158]], "Vulnerability: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_train_001305", "source": "dnrti_train"}} {"text": "Taidoor actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": {"System: malicious documents": [[26, 45]], "System: IP addresses": [[69, 81]]}, "info": {"id": "dnrti_train_001306", "source": "dnrti_train"}} {"text": "The attackers actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": {"System: IP addresses": [[75, 87]]}, "info": {"id": "dnrti_train_001307", "source": "dnrti_train"}} {"text": "As part of their social engineering ploy 
, the Taidoor attackers attach a decoy document to their emails that , when opened , displays the contents of a legitimate document but executes a malicious payload in the background .", "spans": {"System: emails": [[98, 104]]}, "info": {"id": "dnrti_train_001308", "source": "dnrti_train"}} {"text": "Sometimes , however , certain samples made use of domain names for HTTP communication .", "spans": {"System: domain names": [[50, 62]]}, "info": {"id": "dnrti_train_001309", "source": "dnrti_train"}} {"text": "Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible .", "spans": {"Malware: Taidoor malware": [[41, 56]]}, "info": {"id": "dnrti_train_001310", "source": "dnrti_train"}} {"text": "The ultimate objective of targeted attacks is to acquire sensitive data .", "spans": {}, "info": {"id": "dnrti_train_001311", "source": "dnrti_train"}} {"text": "In December 2017 , FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown .", "spans": {"Organization: FireEye": [[19, 26]], "Malware: TRITON": [[117, 123]]}, "info": {"id": "dnrti_train_001312", "source": "dnrti_train"}} {"text": "In our most recent analysis , we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow .", "spans": {"Malware: TRITON": [[97, 103]]}, "info": {"id": "dnrti_train_001313", "source": "dnrti_train"}} {"text": "For more in-depth analysis of TRITON and other cyber threats , consider subscribing to FireEye Cyber Threat Intelligence .", "spans": {"Malware: TRITON": [[30, 36]], "Organization: FireEye Cyber Threat Intelligence": [[87, 120]]}, "info": {"id": "dnrti_train_001314", "source": "dnrti_train"}} {"text": "During this time , the attacker must 
ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware .", "spans": {"Malware: ICS malware": [[151, 162]]}, "info": {"id": "dnrti_train_001315", "source": "dnrti_train"}} {"text": "In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle .", "spans": {}, "info": {"id": "dnrti_train_001316", "source": "dnrti_train"}} {"text": "Additionally , the actor possibly gained a foothold on other target networks—beyond the two intrusions discussed in this post – using similar strategies .", "spans": {}, "info": {"id": "dnrti_train_001317", "source": "dnrti_train"}} {"text": "There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild .", "spans": {"Organization: security community": [[41, 59]], "Malware: ICS malware": [[63, 74]]}, "info": {"id": "dnrti_train_001318", "source": "dnrti_train"}} {"text": "ЦНИИХМ ) , a Russian government-owned technical research institution located in Moscow .", "spans": {"Organization: research institution": [[48, 68]]}, "info": {"id": "dnrti_train_001319", "source": "dnrti_train"}} {"text": "In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute .", "spans": {"Organization: TEMP.Veles": [[60, 70]], "Malware: TRITON": [[106, 112]]}, "info": {"id": "dnrti_train_001320", "source": "dnrti_train"}} {"text": "Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates .", "spans": {}, "info": {"id": "dnrti_train_001321", "source": "dnrti_train"}} {"text": "TEMP.Veles' lateral movement activities used a 
publicly-available PowerShell-based tool , WMImplant .", "spans": {"Organization: TEMP.Veles'": [[0, 11]], "Malware: PowerShell-based tool": [[66, 87]], "Malware: WMImplant": [[90, 99]]}, "info": {"id": "dnrti_train_001322", "source": "dnrti_train"}} {"text": "On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection .", "spans": {"Organization: TEMP.Veles": [[28, 38]]}, "info": {"id": "dnrti_train_001323", "source": "dnrti_train"}} {"text": "Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control .", "spans": {"Organization: TEMP.Veles": [[28, 38]], "Organization: Mandiant": [[70, 78]], "System: retrofitted with code": [[150, 171]]}, "info": {"id": "dnrti_train_001324", "source": "dnrti_train"}} {"text": "We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target 's network .", "spans": {"Organization: TEMP.Veles": [[58, 68]]}, "info": {"id": "dnrti_train_001325", "source": "dnrti_train"}} {"text": "Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity .", "spans": {"Organization: TEMP.Veles": [[51, 61], [218, 228]], "Organization: CNIIHM": [[144, 150]], "Organization: research organization": [[163, 184]]}, "info": {"id": "dnrti_train_001326", "source": "dnrti_train"}} {"text": "XENOTIME is easily the most dangerous threat activity publicly known .", "spans": {"Organization: XENOTIME": [[0, 8]]}, "info": {"id": "dnrti_train_001327", "source": "dnrti_train"}} {"text": "CNIIHM 's characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity .", "spans": 
{"Organization: CNIIHM": [[0, 6]], "Organization: TEMP.Veles": [[102, 112]]}, "info": {"id": "dnrti_train_001328", "source": "dnrti_train"}} {"text": "Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks .", "spans": {"Organization: Dragos": [[0, 6]], "Malware: ICS vendors and manufacturers": [[41, 70]], "Organization: XENOTIME": [[107, 115]], "Malware: ICS networks": [[226, 238]]}, "info": {"id": "dnrti_train_001329", "source": "dnrti_train"}} {"text": "XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric 's Triconex safety instrumented system .", "spans": {"Organization: XENOTIME": [[0, 8]], "Organization: Dragos": [[50, 56]], "Organization: FireEye": [[61, 68]], "Malware: TRISIS": [[98, 104]]}, "info": {"id": "dnrti_train_001330", "source": "dnrti_train"}} {"text": "Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine .", "spans": {"Malware: CRASHOVERRIDE malware": [[209, 230]]}, "info": {"id": "dnrti_train_001331", "source": "dnrti_train"}} {"text": "XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts .", "spans": {"Organization: XENOTIME": [[0, 8]], "Malware: credential capture and replay": [[14, 43]], "Malware: PSExec": [[126, 132]]}, "info": {"id": "dnrti_train_001332", "source": "dnrti_train"}} {"text": "XENOTIME configured TRISIS based on the specifics and functions of the Triconex system within the industrial control ( ICS ) 
environment .", "spans": {"Organization: XENOTIME": [[0, 8]], "Malware: TRISIS": [[20, 26]], "Malware: ICS": [[119, 122]]}, "info": {"id": "dnrti_train_001333", "source": "dnrti_train"}} {"text": "Dragos' data indicates XENOTIME remains active .", "spans": {"Organization: Dragos'": [[0, 7]], "Organization: XENOTIME": [[23, 31]]}, "info": {"id": "dnrti_train_001334", "source": "dnrti_train"}} {"text": "TEMP.Veles created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly .", "spans": {"Organization: TEMP.Veles": [[0, 10]], "Malware: custom malware": [[21, 35]], "Malware: tailormade credential gathering tools": [[50, 87]]}, "info": {"id": "dnrti_train_001335", "source": "dnrti_train"}} {"text": "Furthermore , Dragos' analysis of the TRISIS event continues as we recover additional data surrounding the incident .", "spans": {"Organization: Dragos'": [[14, 21]], "Malware: TRISIS": [[38, 44]]}, "info": {"id": "dnrti_train_001336", "source": "dnrti_train"}} {"text": "XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target .", "spans": {"Organization: XENOTIME": [[0, 8]]}, "info": {"id": "dnrti_train_001337", "source": "dnrti_train"}} {"text": "Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex .", "spans": {}, "info": {"id": "dnrti_train_001338", "source": "dnrti_train"}} {"text": "Dragos instead focuses on threat behaviors and appropriate detection and response .", "spans": {"Organization: Dragos": [[0, 6]]}, "info": {"id": "dnrti_train_001339", "source": "dnrti_train"}} {"text": "Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive—or even destructive—event .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: XENOTIME": 
[[46, 54]]}, "info": {"id": "dnrti_train_001340", "source": "dnrti_train"}} {"text": "However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": {"Organization: XENOTIME": [[26, 34]], "Organization: Dragos WorldView": [[142, 158]]}, "info": {"id": "dnrti_train_001341", "source": "dnrti_train"}} {"text": "This seems confusing as FireEye earlier publicly declared the TRITON as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": {"Organization: FireEye": [[24, 31]], "Malware: TRITON": [[62, 68]], "Organization: research institution": [[112, 132]], "Organization: TEMP.Veles": [[158, 168]]}, "info": {"id": "dnrti_train_001342", "source": "dnrti_train"}} {"text": "This seems confusing as FireEye earlier publicly declared the \" TRITON actor \" as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": {"Organization: FireEye": [[24, 31]], "Malware: TRITON": [[64, 70]], "Organization: research institution": [[122, 142]], "Organization: TEMP.Veles": [[168, 178]]}, "info": {"id": "dnrti_train_001343", "source": "dnrti_train"}} {"text": "Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors .", "spans": {"Organization: Dragos": [[29, 35]], "Organization: industrial sectors": [[245, 263]]}, "info": {"id": "dnrti_train_001344", "source": "dnrti_train"}} {"text": "FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \" TRITON actor \" when preparing to deploy the TRITON/TRISIS malware framework in 2017 .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: TRITON": [[104, 110]], "Malware: 
TRITON/TRISIS malware": [[148, 169]]}, "info": {"id": "dnrti_train_001345", "source": "dnrti_train"}} {"text": "Based on information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye 's analysis published in April 2019 , described in various media .", "spans": {"Malware: TRITON/TRISIS": [[61, 74]], "Organization: Dragos": [[145, 151]], "Organization: FireEye": [[236, 243]]}, "info": {"id": "dnrti_train_001346", "source": "dnrti_train"}} {"text": "Since late 2018 , based upon the most-recent posting , FireEye appears to have \" walked back \" the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \" TRITON actor \" , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"Organization: FireEye": [[55, 62]], "Organization: TEMP.Veles": [[130, 140]], "Malware: TRITON": [[188, 194]], "Organization: Dragos": [[211, 217]], "Organization: XENOTIME": [[294, 302]]}, "info": {"id": "dnrti_train_001347", "source": "dnrti_train"}} {"text": "Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: XENOTIME": [[83, 91]]}, "info": {"id": "dnrti_train_001348", "source": "dnrti_train"}} {"text": "Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos' approaches with respect to the \" TRITON actor \" comes down to fundamental philosophical differences in methodology .", "spans": {"Organization: FireEye": [[241, 248]], "Organization: Dragos'": [[253, 260]], "Malware: TRITON": [[294, 300]]}, "info": {"id": 
"dnrti_train_001349", "source": "dnrti_train"}} {"text": "In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON .", "spans": {"Organization: TEMP.Veles": [[38, 48], [127, 137]], "Organization: FireEye": [[51, 58]], "Malware: TRITON": [[160, 166]]}, "info": {"id": "dnrti_train_001350", "source": "dnrti_train"}} {"text": "My understanding is FireEye labels entities where definitive attribution is not yet possible with the \" TEMP \" moniker ( hence , TEMP.Veles ) – yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting .", "spans": {"Organization: FireEye": [[20, 27], [161, 168]], "Organization: TEMP.Veles": [[129, 139]]}, "info": {"id": "dnrti_train_001351", "source": "dnrti_train"}} {"text": "In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) .", "spans": {"Organization: XENOTIME": [[16, 24]], "Organization: research institutions": [[169, 190]]}, "info": {"id": "dnrti_train_001352", "source": "dnrti_train"}} {"text": "Of note , this methodology of naming abstracts away the \" who \" element – XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": {"Organization: XENOTIME": [[74, 82]], "Organization: research institution": [[142, 162]]}, "info": {"id": "dnrti_train_001353", "source": "dnrti_train"}} {"text": "Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and 
TEMP.Veles , both presumably referring to \" the TRITON actor \" ) describe the same phenomena , yet at the same time appear different .", "spans": {"Organization: XENOTIME": [[113, 121]], "Organization: TEMP.Veles": [[126, 136]], "Malware: TRITON": [[174, 180]]}, "info": {"id": "dnrti_train_001354", "source": "dnrti_train"}} {"text": "To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": {"Organization: CTU": [[97, 100]], "Malware: cmd.exe": [[122, 129]]}, "info": {"id": "dnrti_train_001355", "source": "dnrti_train"}} {"text": "CTU researchers assess with high confidence that threat groups like Threat Group-1314 will continue to live off of the land to avoid detection and conduct their operations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: Threat Group-1314": [[68, 85]]}, "info": {"id": "dnrti_train_001356", "source": "dnrti_train"}} {"text": "Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China .", "spans": {"Organization: TG-3390": [[12, 19]], "Organization: CTU": [[62, 65]]}, "info": {"id": "dnrti_train_001357", "source": "dnrti_train"}} {"text": "The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations .", "spans": {"Organization: CTU": [[57, 60]], "Organization: TG-3390": [[87, 94]]}, "info": {"id": "dnrti_train_001358", "source": "dnrti_train"}} {"text": "In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger .", "spans": {"Organization: TG-3390": 
[[39, 46]], "Malware: custom backdoor": [[124, 139]], "Malware: credential logger": [[144, 161]]}, "info": {"id": "dnrti_train_001359", "source": "dnrti_train"}} {"text": "CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[39, 46]], "Organization: defense contractors": [[164, 183]]}, "info": {"id": "dnrti_train_001360", "source": "dnrti_train"}} {"text": "Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals .", "spans": {"Malware: SWCs": [[34, 38]], "Organization: TG-3390": [[41, 48]]}, "info": {"id": "dnrti_train_001361", "source": "dnrti_train"}} {"text": "TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication .", "spans": {"Organization: TG-3390": [[0, 7]]}, "info": {"id": "dnrti_train_001362", "source": "dnrti_train"}} {"text": "CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: defense contractors": [[169, 188]]}, "info": {"id": "dnrti_train_001363", "source": "dnrti_train"}} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant 
information .", "spans": {"Organization: TG-3390": [[26, 33]], "System: strategic web compromises": [[43, 68]], "Malware: SWCs": [[71, 75]]}, "info": {"id": "dnrti_train_001364", "source": "dnrti_train"}} {"text": "Through an IP address whitelisting process , the threat group selectively targets visitors to these websites .", "spans": {"System: IP address whitelisting process": [[11, 42]]}, "info": {"id": "dnrti_train_001365", "source": "dnrti_train"}} {"text": "After the initial compromise , TG-3390 delivers the HTTPBrowser backdoor to its victims .", "spans": {"Organization: TG-3390": [[31, 38]], "Malware: HTTPBrowser backdoor": [[52, 72]]}, "info": {"id": "dnrti_train_001366", "source": "dnrti_train"}} {"text": "CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[49, 56]]}, "info": {"id": "dnrti_train_001367", "source": "dnrti_train"}} {"text": "TG-3390 uses the PlugX remote access tool .", "spans": {"Organization: TG-3390": [[0, 7]], "Malware: PlugX remote access tool": [[17, 41]]}, "info": {"id": "dnrti_train_001368", "source": "dnrti_train"}} {"text": "The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": {"Malware: SWC": [[4, 7]], "Organization: Uyghur ethnic group": [[67, 86]], "Organization: Muslim minority group": [[91, 112]]}, "info": {"id": "dnrti_train_001369", "source": "dnrti_train"}} {"text": "The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities .", "spans": {"Malware: Baidu search engine": [[32, 51]]}, "info": {"id": "dnrti_train_001370", "source": "dnrti_train"}} {"text": "Recently , CTU researchers responded to an intrusion perpetrated by Threat 
Group-1314 , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions .", "spans": {"Organization: CTU": [[11, 14]], "Organization: Threat Group-1314": [[68, 85]], "System: living off the land": [[136, 155]]}, "info": {"id": "dnrti_train_001371", "source": "dnrti_train"}} {"text": "CTU researchers have observed the Threat Group-3390 obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both .", "spans": {"Organization: CTU": [[0, 3]], "Organization: Group-3390": [[41, 51]]}, "info": {"id": "dnrti_train_001372", "source": "dnrti_train"}} {"text": "CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both .", "spans": {"Organization: CTU": [[0, 3]]}, "info": {"id": "dnrti_train_001373", "source": "dnrti_train"}} {"text": "TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments .", "spans": {"Organization: TG-3390": [[0, 7]], "System: network infrastructure": [[41, 63]]}, "info": {"id": "dnrti_train_001374", "source": "dnrti_train"}} {"text": "Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": {"Malware: Malware": [[0, 7]]}, "info": {"id": "dnrti_train_001375", "source": "dnrti_train"}} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": {"Organization: TG-3390": [[0, 7]], "Organization: CTU": [[56, 59]], "Vulnerability: zero-day 
exploits": [[114, 131]]}, "info": {"id": "dnrti_train_001376", "source": "dnrti_train"}} {"text": "In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": {"Malware: SWCs": [[21, 25]], "Organization: TG-3390": [[70, 77]], "System: spearphishing emails": [[83, 103]]}, "info": {"id": "dnrti_train_001377", "source": "dnrti_train"}} {"text": "After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought .", "spans": {"Organization: CTU": [[70, 73]], "Organization: TG-3390": [[88, 95]]}, "info": {"id": "dnrti_train_001378", "source": "dnrti_train"}} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": {"Organization: CTU": [[28, 31]], "Organization: TG-3390": [[56, 63]]}, "info": {"id": "dnrti_train_001379", "source": "dnrti_train"}} {"text": "Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions .", "spans": {"Organization: CTU": [[41, 44]], "Organization: TG-3390": [[82, 89]]}, "info": {"id": "dnrti_train_001380", "source": "dnrti_train"}} {"text": "CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[34, 41]], "Organization: compromising organizations": [[84, 110]]}, "info": {"id": "dnrti_train_001381", "source": "dnrti_train"}} {"text": "CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information 
Services ( IIS ) .", "spans": {"Organization: CTU": [[0, 3]], "Malware: credential logger": [[61, 78]]}, "info": {"id": "dnrti_train_001382", "source": "dnrti_train"}} {"text": "TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars .", "spans": {"Organization: TG-3390": [[0, 7]], "System: C2 infrastructure": [[30, 47]]}, "info": {"id": "dnrti_train_001383", "source": "dnrti_train"}} {"text": "TG-3390 SWCs may be largely geographically independent , but the group 's most frequently used C2 registrars and IP net blocks are located in the U.S .", "spans": {"Organization: TG-3390": [[0, 7]]}, "info": {"id": "dnrti_train_001384", "source": "dnrti_train"}} {"text": "Using a U.S.-based C2 infrastructure ( see Figure 7 ) to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": {"Malware: U.S.-based C2 infrastructure": [[8, 36]], "Organization: TG-3390": [[94, 101]]}, "info": {"id": "dnrti_train_001385", "source": "dnrti_train"}} {"text": "The threat actors create PlugX DLL stub loaders that will run only after a specific date .", "spans": {"Malware: PlugX DLL": [[25, 34]]}, "info": {"id": "dnrti_train_001386", "source": "dnrti_train"}} {"text": "The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools .", "spans": {"Organization: CTU": [[45, 48]]}, "info": {"id": "dnrti_train_001387", "source": "dnrti_train"}} {"text": "One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets ( see Figure 8 ) , and an HTTPBrowser installer disguised as an image file .", "spans": {"Organization: CTU": [[31, 34]], "Malware: PDF file": [[70, 78]], "Malware: HTTPBrowser installer": [[145, 166]]}, "info": {"id": "dnrti_train_001388", "source": "dnrti_train"}} {"text": "CTU researchers have observed 
TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) .", "spans": {"Organization: CTU": [[0, 3]]}, "info": {"id": "dnrti_train_001389", "source": "dnrti_train"}} {"text": "TG-3390 sends spearphishing emails with ZIP archive attachments .", "spans": {"Organization: TG-3390": [[0, 7]], "System: spearphishing emails": [[14, 34]]}, "info": {"id": "dnrti_train_001390", "source": "dnrti_train"}} {"text": "CTU researchers have observed TG-3390 compromising a target organization 's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[30, 37]], "System: adding redirect code": [[150, 170]]}, "info": {"id": "dnrti_train_001391", "source": "dnrti_train"}} {"text": "TG-3390 actors have used Java exploits in their SWCs .", "spans": {"Organization: TG-3390": [[0, 7]], "Vulnerability: Java exploits": [[25, 38]], "Malware: SWCs": [[48, 52]]}, "info": {"id": "dnrti_train_001392", "source": "dnrti_train"}} {"text": "In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"Organization: TG-3390": [[16, 23]], "Vulnerability: CVE-2011-3544": [[38, 51]], "Malware: HTTPBrowser backdoor": [[119, 139]], "Vulnerability: CVE-2010-0738": [[146, 159]], "Malware: JBoss": [[181, 186]]}, "info": {"id": "dnrti_train_001393", "source": "dnrti_train"}} {"text": "In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS .", "spans": {"Organization: CTU": [[24, 27]], "Organization: TG-3390": [[42, 49]], "Malware: Hunter web 
application scanning tool": [[63, 99]]}, "info": {"id": "dnrti_train_001394", "source": "dnrti_train"}} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"Vulnerability: CVE-2011-3544": [[49, 62]], "Malware: HTTPBrowser backdoor": [[130, 150]], "Vulnerability: CVE-2010-0738": [[157, 170]], "Malware: JBoss": [[192, 197]]}, "info": {"id": "dnrti_train_001395", "source": "dnrti_train"}} {"text": "TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": {"Organization: TG-3390": [[0, 7]], "System: DLL side loading": [[13, 29]]}, "info": {"id": "dnrti_train_001396", "source": "dnrti_train"}} {"text": "CTU researchers have observed the Threat Group-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"Organization: CTU": [[0, 3]], "Organization: Threat Group-3390": [[34, 51]], "Organization: Kaspersky": [[73, 82]]}, "info": {"id": "dnrti_train_001397", "source": "dnrti_train"}} {"text": "The adversaries have used this technique to allow PlugX and HTTPBrowser to persist on a system .", "spans": {"Malware: PlugX": [[50, 55]], "Malware: HTTPBrowser": [[60, 71]]}, "info": {"id": "dnrti_train_001398", "source": "dnrti_train"}} {"text": "CTU researchers have observed the TG-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[34, 41]], "Organization: Kaspersky": [[63, 72]]}, "info": {"id": "dnrti_train_001399", "source": "dnrti_train"}} {"text": "TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter .", "spans": 
{"Organization: TG-3390": [[0, 7]], "Malware: OwaAuth web shell": [[33, 50]]}, "info": {"id": "dnrti_train_001400", "source": "dnrti_train"}} {"text": "In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system .", "spans": {"Malware: web shells": [[38, 48]]}, "info": {"id": "dnrti_train_001401", "source": "dnrti_train"}} {"text": "CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[55, 62]]}, "info": {"id": "dnrti_train_001402", "source": "dnrti_train"}} {"text": "When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access .", "spans": {}, "info": {"id": "dnrti_train_001403", "source": "dnrti_train"}} {"text": "They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": {"Malware: OwaAuth web shell": [[66, 83]]}, "info": {"id": "dnrti_train_001404", "source": "dnrti_train"}} {"text": "If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , TG-3390 identify other externally accessible servers and deploy ChinaChopper web shells .", "spans": {"Malware: OwaAuth web shell": [[7, 24]], "Organization: TG-3390": [[104, 111]], "System: ChinaChopper web shells": [[168, 191]]}, "info": {"id": "dnrti_train_001405", "source": "dnrti_train"}} {"text": "After compromising an initial victim 's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim 's organization name .", "spans": {"Malware: Baidu search engine": [[89, 108]]}, "info": {"id": "dnrti_train_001406", "source": "dnrti_train"}} {"text": "CTU researchers discovered the threat actors searching for \" [company] login \" , which directed them to the 
landing page for remote access .", "spans": {"Organization: CTU": [[0, 3]]}, "info": {"id": "dnrti_train_001407", "source": "dnrti_train"}} {"text": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible web shell rather than HTTPBrowser or PlugX .", "spans": {"Organization: TG-3390": [[0, 7]], "Malware: ASPXTool web shells": [[51, 70]], "Malware: HTTPBrowser": [[173, 184]], "Malware: PlugX": [[188, 193]]}, "info": {"id": "dnrti_train_001408", "source": "dnrti_train"}} {"text": "Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain .", "spans": {}, "info": {"id": "dnrti_train_001409", "source": "dnrti_train"}} {"text": "Despite multiple public disclosures of their activities , BRONZE UNION remains an active and formidable threat as of this publication .", "spans": {}, "info": {"id": "dnrti_train_001410", "source": "dnrti_train"}} {"text": "In 2015 , the SecureWorks® Counter Threat Unit™ ( CTU ) research team documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU™ analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": {"Organization: SecureWorks® Counter Threat Unit™": [[14, 47]], "Organization: CTU": [[50, 53]], "Organization: TG-3390": [[130, 137]], "Organization: CTU™": [[148, 152]]}, "info": {"id": "dnrti_train_001411", "source": "dnrti_train"}} {"text": "After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used .", "spans": {"Malware: gsecudmp": [[69, 77]], "Malware: WCE": [[82, 85]], "Organization: TG-3390": [[131, 138]]}, "info": {"id": "dnrti_train_001412", "source": "dnrti_train"}} {"text": "In 2015 , the SecureWorks documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU analysis 
suggests is based in the People's Republic of China ( PRC ) .", "spans": {"Organization: SecureWorks": [[14, 25]], "Organization: TG-3390": [[86, 93]], "Organization: CTU": [[104, 107]]}, "info": {"id": "dnrti_train_001413", "source": "dnrti_train"}} {"text": "BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": {}, "info": {"id": "dnrti_train_001414", "source": "dnrti_train"}} {"text": "Based on BRONZE UNION 's targeting activity , CTU researchers assess it is highly likely that the group focuses on political and defense organization networks .", "spans": {"Organization: CTU": [[46, 49]], "Organization: political": [[115, 124]], "Organization: defense organization": [[129, 149]]}, "info": {"id": "dnrti_train_001415", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish .", "spans": {"Malware: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001416", "source": "dnrti_train"}} {"text": "In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world .", "spans": {"Malware: SWC": [[67, 70]], "Organization: international industry organization": [[94, 129]], "Organization: utilities organizations": [[205, 228]]}, "info": {"id": "dnrti_train_001417", "source": "dnrti_train"}} {"text": "In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems .", "spans": {}, "info": {"id": "dnrti_train_001418", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish government .", "spans": {"Malware: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001419", "source": "dnrti_train"}} {"text": "Since that analysis , CTU 
researchers have observed multiple BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": {"Organization: CTU": [[22, 25]]}, "info": {"id": "dnrti_train_001420", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish banking .", "spans": {"Malware: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001421", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish academic networks .", "spans": {"Malware: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001422", "source": "dnrti_train"}} {"text": "BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale intrusions against high-profile networks and systems .", "spans": {}, "info": {"id": "dnrti_train_001423", "source": "dnrti_train"}} {"text": "The threat actors appear to be able to create and leverage multiple SWCs in parallel .", "spans": {"Malware: SWCs": [[68, 72]]}, "info": {"id": "dnrti_train_001424", "source": "dnrti_train"}} {"text": "In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": {"Organization: CTU": [[25, 28]], "Malware: s.txt": [[65, 70]]}, "info": {"id": "dnrti_train_001425", "source": "dnrti_train"}} {"text": "BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance .", "spans": {"System: web shell": [[38, 47]]}, "info": {"id": "dnrti_train_001426", "source": "dnrti_train"}} {"text": "BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control ( C2 ) and operational infrastructure .", "spans": {}, "info": {"id": "dnrti_train_001427", "source": "dnrti_train"}} {"text": "This script relays commands and output between the controller and the system .", "spans": {}, "info": {"id": "dnrti_train_001428", "source": 
"dnrti_train"}} {"text": "The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) .", "spans": {}, "info": {"id": "dnrti_train_001429", "source": "dnrti_train"}} {"text": "In 2016 , CTU researchers observed the group using native system .", "spans": {"Organization: CTU": [[10, 13]]}, "info": {"id": "dnrti_train_001430", "source": "dnrti_train"}} {"text": "In March 2018 we detected an ongoing campaign .", "spans": {}, "info": {"id": "dnrti_train_001431", "source": "dnrti_train"}} {"text": "TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": {"System: leveraging SWCs": [[48, 63]], "System: scan-and-exploit techniques": [[68, 95]]}, "info": {"id": "dnrti_train_001432", "source": "dnrti_train"}} {"text": "As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace .", "spans": {}, "info": {"id": "dnrti_train_001433", "source": "dnrti_train"}} {"text": "we detected an ongoing campaign targeting a national data center .", "spans": {}, "info": {"id": "dnrti_train_001434", "source": "dnrti_train"}} {"text": "The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool ( RAT ) .", "spans": {"Malware: HyperBro Trojan": [[23, 38]], "Malware: RAT": [[98, 101]]}, "info": {"id": "dnrti_train_001435", "source": "dnrti_train"}} {"text": "we detected an ongoing campaign targeting a national data center in Central Asia .", "spans": {}, "info": {"id": "dnrti_train_001436", "source": "dnrti_train"}} {"text": "The tools found in this campaign , such as the HyperBro Trojan , are regularly used by a variety of Chinese-speaking actors .", "spans": {"Malware: HyperBro Trojan": [[47, 62]]}, "info": {"id": 
"dnrti_train_001437", "source": "dnrti_train"}} {"text": "Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor ( also known as EmissaryPanda and APT27 ) .", "spans": {"Organization: LuckyMouse": [[61, 71]], "Organization: EmissaryPanda": [[111, 124]], "Organization: APT27": [[129, 134]]}, "info": {"id": "dnrti_train_001438", "source": "dnrti_train"}} {"text": "It's possible TG-3390 used a waterhole to infect data center employees .", "spans": {"Organization: TG-3390": [[14, 21]], "System: waterhole": [[29, 38]], "Organization: data center employees": [[49, 70]]}, "info": {"id": "dnrti_train_001439", "source": "dnrti_train"}} {"text": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can't prove they were related to this particular attack .", "spans": {"Vulnerability: CVE-2017-11882": [[65, 79]], "Malware: Microsoft Office Equation Editor": [[82, 114]]}, "info": {"id": "dnrti_train_001440", "source": "dnrti_train"}} {"text": "We suspect this router was hacked as part of the campaign in order to process the malware 's HTTP requests .", "spans": {"Malware: router": [[16, 22]]}, "info": {"id": "dnrti_train_001441", "source": "dnrti_train"}} {"text": "In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": {"Organization: Wikileaks": [[16, 25]], "Malware: Mikrotik": [[71, 79]], "Malware: ChimayRed": [[87, 96]]}, "info": {"id": "dnrti_train_001442", "source": "dnrti_train"}} {"text": "There were traces of HyperBro in the infected data center from mid-November 2017 .", "spans": {"Malware: HyperBro": [[21, 29]]}, "info": {"id": "dnrti_train_001443", "source": "dnrti_train"}} {"text": "In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": {"Organization: Wikileaks": [[16, 25]], "Malware: 
Mikrotik": [[71, 79]], "Malware: ChimayRed": [[87, 96]]}, "info": {"id": "dnrti_train_001444", "source": "dnrti_train"}} {"text": "This is a hacking group with Chinese origins which targets selected organisations related with education , energy and technology .", "spans": {}, "info": {"id": "dnrti_train_001445", "source": "dnrti_train"}} {"text": "Usually , the delivered payload is either the well-known ' PlugX ' or ' HTTPBrowser ' RAT , a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups .", "spans": {"Malware: PlugX": [[59, 64]], "Malware: HTTPBrowser": [[72, 83]], "Malware: RAT": [[86, 89]]}, "info": {"id": "dnrti_train_001446", "source": "dnrti_train"}} {"text": "Emissary Panda has used many ways with the most notable being the exploits from the Hacking Team leak .", "spans": {}, "info": {"id": "dnrti_train_001447", "source": "dnrti_train"}} {"text": "Emissary Panda is still active and continues to target selected organisations .", "spans": {}, "info": {"id": "dnrti_train_001448", "source": "dnrti_train"}} {"text": "Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks .", "spans": {"Organization: Cybersecurity": [[0, 13]]}, "info": {"id": "dnrti_train_001449", "source": "dnrti_train"}} {"text": "The campaign is believed to be active covertly since fall 2017 .", "spans": {}, "info": {"id": "dnrti_train_001450", "source": "dnrti_train"}} {"text": "LuckyMouse , also known as Iron Tiger , EmissaryPanda , APT 27 and Threat Group-3390 , is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year .", "spans": {"Organization: LuckyMouse": [[0, 10]], "Organization: Iron Tiger": [[27, 37]], "Organization: EmissaryPanda": [[40, 53]], "Organization: APT 27": [[56, 62]], "Organization: Threat Group-3390": [[67, 84]], "Malware: Bitcoin 
mining malware": [[169, 191]]}, "info": {"id": "dnrti_train_001451", "source": "dnrti_train"}} {"text": "March by security researchers from Kaspersky Labs .", "spans": {"Organization: Kaspersky Labs": [[35, 49]]}, "info": {"id": "dnrti_train_001452", "source": "dnrti_train"}} {"text": "For example , at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network .", "spans": {"Organization: CTU": [[33, 36]]}, "info": {"id": "dnrti_train_001453", "source": "dnrti_train"}} {"text": "The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors .", "spans": {"Organization: defense contractors": [[186, 205]]}, "info": {"id": "dnrti_train_001454", "source": "dnrti_train"}} {"text": "attacks to a Chinese-speaking threat actor group called LuckyMouse .", "spans": {}, "info": {"id": "dnrti_train_001455", "source": "dnrti_train"}} {"text": "LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[48, 78]], "Vulnerability: CVE-2017-11882": [[81, 95]]}, "info": {"id": "dnrti_train_001456", "source": "dnrti_train"}} {"text": "This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" .", "spans": {}, "info": {"id": "dnrti_train_001457", "source": "dnrti_train"}} {"text": "The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": {"Organization: LuckyMouse": [[106, 116]], "Organization: employees": [[210, 
219]]}, "info": {"id": "dnrti_train_001458", "source": "dnrti_train"}} {"text": "According to the researchers , the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks .", "spans": {"Malware: JavaScript code": [[60, 75]]}, "info": {"id": "dnrti_train_001459", "source": "dnrti_train"}} {"text": "the targeted system with a piece of malware called HyperBro , a Remote Access Trojan ( RAT ) .", "spans": {"Malware: HyperBro": [[51, 59]], "Malware: Remote Access Trojan": [[64, 84]], "Malware: RAT": [[87, 90]]}, "info": {"id": "dnrti_train_001460", "source": "dnrti_train"}} {"text": "The main command and control ( C&C ) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP , specifically to a MikroTik router running a firmware version released in March 2016 .", "spans": {"Malware: MikroTik": [[144, 152]]}, "info": {"id": "dnrti_train_001461", "source": "dnrti_train"}} {"text": "the targets of the hacking group were in the automotive .", "spans": {}, "info": {"id": "dnrti_train_001462", "source": "dnrti_train"}} {"text": "Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"Organization: Dell SecureWorks": [[0, 16]], "Organization: Group-3390": [[57, 67]]}, "info": {"id": "dnrti_train_001463", "source": "dnrti_train"}} {"text": "The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations — including organizations related to Chinese minority ethnic groups .", "spans": {"Organization: defense contractors": [[62, 81]], "Organization: law firms": [[112, 121]], "Organization: political organizations": [[128, 151]], "Organization: minority ethnic groups": [[197, 219]]}, "info": {"id": "dnrti_train_001464", "source": "dnrti_train"}} 
{"text": "LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"Organization: Dell SecureWorks": [[67, 83]]}, "info": {"id": "dnrti_train_001465", "source": "dnrti_train"}} {"text": "Designated as Threat Group 3390 and nicknamed \" Emissary Panda \" by researchers , the hacking group has compromised victims' networks largely through \" watering hole \" attacks launched from over 100 compromised legitimate websites , sites picked because they were known to be frequented by those targeted in the attack .", "spans": {"Organization: Threat Group 3390": [[14, 31]], "Organization: Emissary Panda": [[48, 62]]}, "info": {"id": "dnrti_train_001466", "source": "dnrti_train"}} {"text": "the United Kingdom had data stolen by members of Emissary Panda .", "spans": {"Organization: Emissary Panda": [[49, 63]]}, "info": {"id": "dnrti_train_001467", "source": "dnrti_train"}} {"text": "the US had data stolen by members of Emissary Panda .", "spans": {"Organization: Emissary Panda": [[37, 51]]}, "info": {"id": "dnrti_train_001468", "source": "dnrti_train"}} {"text": "No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": {"Vulnerability: zero-day vulnerabilities": [[3, 27]], "Vulnerability: CVE-2011-3544": [[124, 137]], "Vulnerability: CVE-2010-0738": [[185, 198]], "Organization: Dell SecureWorks'": [[231, 248]]}, "info": {"id": "dnrti_train_001469", "source": "dnrti_train"}} {"text": "The group used a number of tools common to other Chinese hacking groups , but they had a few unique tools of their own with interfaces developed for Standard ( Simplified ) 
Chinese .", "spans": {}, "info": {"id": "dnrti_train_001470", "source": "dnrti_train"}} {"text": "If the address falls within ranges that the attackers are interested in , the malicious site waits for their next page view to drop an exploit on the desirable target 's PC .", "spans": {}, "info": {"id": "dnrti_train_001471", "source": "dnrti_train"}} {"text": "Visitors to sites exploited by Emissary Panda are directed by code embedded in the sites to a malicious webpage , which screens their IP address .", "spans": {}, "info": {"id": "dnrti_train_001472", "source": "dnrti_train"}} {"text": "There has also been at least one victim targeted by a spear-phishing attack .", "spans": {}, "info": {"id": "dnrti_train_001473", "source": "dnrti_train"}} {"text": "A variety of malware , including the PlugX tool , was shared with other known Chinese threat groups .", "spans": {"Malware: PlugX tool": [[37, 47]]}, "info": {"id": "dnrti_train_001474", "source": "dnrti_train"}} {"text": "Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network .", "spans": {"System: e-mail servers": [[100, 114]]}, "info": {"id": "dnrti_train_001475", "source": "dnrti_train"}} {"text": "They used an exploit of Internet Information Server to inject keylogger and backdoor malware onto the Exchange server .", "spans": {"Malware: keylogger": [[62, 71]], "Malware: backdoor malware": [[76, 92]]}, "info": {"id": "dnrti_train_001476", "source": "dnrti_train"}} {"text": "But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface .", "spans": {"Malware: ASPXTool": [[46, 54]], "Malware: OwaAuth 
credential stealing tool": [[189, 221]], "Malware: Web shell": [[226, 235]]}, "info": {"id": "dnrti_train_001477", "source": "dnrti_train"}} {"text": "By using such features and tools , attackers are hoping to blend in on the victim 's network and hide their activity in a sea of legitimate processes .", "spans": {}, "info": {"id": "dnrti_train_001478", "source": "dnrti_train"}} {"text": "TAA leverages advanced artificial intelligence and machine learning that combs through Symantec 's data lake of telemetry in order to spot patterns associated with targeted attacks .", "spans": {"Organization: TAA": [[0, 3]], "Organization: Symantec": [[87, 95]]}, "info": {"id": "dnrti_train_001479", "source": "dnrti_train"}} {"text": "January 2018 , TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"Organization: TAA": [[15, 18]], "Organization: telecoms operator": [[49, 66]]}, "info": {"id": "dnrti_train_001480", "source": "dnrti_train"}} {"text": "Thrip was using PsExec to move laterally between computers on the company 's network .", "spans": {"Malware: PsExec": [[16, 22]]}, "info": {"id": "dnrti_train_001481", "source": "dnrti_train"}} {"text": "TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"Organization: TAA": [[0, 3]], "Organization: telecoms operator": [[34, 51]]}, "info": {"id": "dnrti_train_001482", "source": "dnrti_train"}} {"text": "AA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"Organization: telecoms operator": [[33, 50]]}, "info": {"id": "dnrti_train_001483", "source": "dnrti_train"}} {"text": "PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land .", "spans": {"Malware: PsExec": [[0, 6]]}, "info": {"id": "dnrti_train_001484", "source": "dnrti_train"}} {"text": "TAA not only flagged this malicious use of PsExec , it 
also told us what the attackers were using it for .", "spans": {"Organization: TAA": [[0, 3]], "Malware: PsExec": [[43, 49]]}, "info": {"id": "dnrti_train_001485", "source": "dnrti_train"}} {"text": "Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": {"Malware: Infostealer.Catchamas": [[81, 102]]}, "info": {"id": "dnrti_train_001486", "source": "dnrti_train"}} {"text": "three computers in China being used to launch the Thrip attacks .", "spans": {}, "info": {"id": "dnrti_train_001487", "source": "dnrti_train"}} {"text": "Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator .", "spans": {"Organization: satellite communications operator": [[74, 107]]}, "info": {"id": "dnrti_train_001488", "source": "dnrti_train"}} {"text": "Thrip seemed to be mainly interested in the operational side of the company .", "spans": {}, "info": {"id": "dnrti_train_001489", "source": "dnrti_train"}} {"text": "This suggests to us that Thrip 's motives go beyond spying and may also include disruption .", "spans": {}, "info": {"id": "dnrti_train_001490", "source": "dnrti_train"}} {"text": "Armed with this information about the malware and living off the land tactics being used by this group of attackers whom we named Thrip , we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations .", "spans": {"System: land tactics": [[65, 77]]}, "info": {"id": "dnrti_train_001491", "source": "dnrti_train"}} {"text": "The group had also targeted three different telecoms operators , all based in Southeast Asia .", "spans": {"Organization: telecoms operators": [[44, 62]]}, "info": {"id": "dnrti_train_001492", "source": "dnrti_train"}} {"text": "In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their 
customers were the targets of these attacks .", "spans": {"Organization: telecoms companies": [[93, 111]], "Organization: customers": [[137, 146]]}, "info": {"id": "dnrti_train_001493", "source": "dnrti_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": {"Malware: Catchamas": [[0, 9]]}, "info": {"id": "dnrti_train_001494", "source": "dnrti_train"}} {"text": "Many of the tools they use now feature new behaviors , including a change in the way they maintain a foothold in the targeted network .", "spans": {}, "info": {"id": "dnrti_train_001495", "source": "dnrti_train"}} {"text": "Execute a command through exploits for CVE-2017-11882 .", "spans": {"Vulnerability: CVE-2017-11882": [[39, 53]]}, "info": {"id": "dnrti_train_001496", "source": "dnrti_train"}} {"text": "Execute a command through exploits for CVE-2018-0802 .", "spans": {"Vulnerability: CVE-2018-0802": [[39, 52]]}, "info": {"id": "dnrti_train_001497", "source": "dnrti_train"}} {"text": "The backdoor will load the encrypted configuration file and decrypt it , then use Secure Sockets Layer ( SSL ) protocol to connect to command-and-control ( C&C ) servers .", "spans": {"Malware: Secure Sockets Layer": [[82, 102]], "Malware: SSL": [[105, 108]], "Malware: command-and-control": [[134, 153]]}, "info": {"id": "dnrti_train_001498", "source": "dnrti_train"}} {"text": "TClient is actually one of Tropic Trooper 's other backdoors .", "spans": {"Malware: TClient": [[0, 7]]}, "info": {"id": "dnrti_train_001499", "source": "dnrti_train"}} {"text": "The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": {"Malware: sidebar.exe": [[138, 149]], "Malware: dllhost.exe": [[161, 172]]}, "info": {"id": "dnrti_train_001500", "source": "dnrti_train"}} {"text": 
"TClient , for instance , uses DLL hijacking and injection that may not be as noticeable to others .", "spans": {"Malware: TClient": [[0, 7]], "System: DLL hijacking and injection": [[30, 57]]}, "info": {"id": "dnrti_train_001501", "source": "dnrti_train"}} {"text": "The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016 , for instance .", "spans": {}, "info": {"id": "dnrti_train_001502", "source": "dnrti_train"}} {"text": "Taiwan has been a regular target of cyber espionage threat actors for a number of years .", "spans": {}, "info": {"id": "dnrti_train_001503", "source": "dnrti_train"}} {"text": "In early August , Unit 42 identified two attacks using similar techniques .", "spans": {"Organization: Unit 42": [[18, 25]]}, "info": {"id": "dnrti_train_001504", "source": "dnrti_train"}} {"text": "which has been active since at least 2011 .", "spans": {}, "info": {"id": "dnrti_train_001505", "source": "dnrti_train"}} {"text": "One of the attacks used Tropic Trooper 's known Yahoyah malware , but the other attack deployed the widely available Poison Ivy RAT .", "spans": {"Malware: Yahoyah malware": [[48, 63]], "System: Poison Ivy RAT": [[117, 131]]}, "info": {"id": "dnrti_train_001506", "source": "dnrti_train"}} {"text": "This confirms the actors are using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them .", "spans": {"Malware: Poison Ivy": [[35, 45]], "Organization: Trend Micro": [[110, 121]]}, "info": {"id": "dnrti_train_001507", "source": "dnrti_train"}} {"text": "The document attached to this e-mail exploits CVE-2012-0158 .", "spans": {"Vulnerability: e-mail exploits": [[30, 45]], "Vulnerability: CVE-2012-0158": [[46, 59]]}, "info": {"id": "dnrti_train_001508", "source": "dnrti_train"}} {"text": "As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a 
malicious document is actually legitimate .", "spans": {"Malware: decoy files": [[66, 77]]}, "info": {"id": "dnrti_train_001509", "source": "dnrti_train"}} {"text": "Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family , which has not been previously tied to the group .", "spans": {"Malware: PCShare malware family": [[89, 111]]}, "info": {"id": "dnrti_train_001510", "source": "dnrti_train"}} {"text": "This matches with known Tactics , Techniques , and Procedures ( TTPs ) for Tropic Trooper , targeting both government institutions and also the energy industry in Taiwan .", "spans": {"Organization: Tropic Trooper": [[75, 89]], "Organization: government institutions": [[107, 130]]}, "info": {"id": "dnrti_train_001511", "source": "dnrti_train"}} {"text": "Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": {"Organization: Tropic Trooper": [[0, 14]], "Vulnerability: CVE-2012-0158": [[40, 53]]}, "info": {"id": "dnrti_train_001512", "source": "dnrti_train"}} {"text": "The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years .", "spans": {"Organization: Tropic Trooper threat actor group": [[4, 37]]}, "info": {"id": "dnrti_train_001513", "source": "dnrti_train"}} {"text": "Turla is a notorious group that has been targeting governments .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_001514", "source": "dnrti_train"}} {"text": "Turla is known to run watering hole and spearphishing campaigns to better pinpoint their targets .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_001515", "source": "dnrti_train"}} {"text": "Turla is a notorious group that has been targeting government officials .", "spans": {"Organization: Turla": [[0, 5]], "Organization: government officials": [[51, 71]]}, "info": {"id": "dnrti_train_001516", "source": 
"dnrti_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_train_001517", "source": "dnrti_train"}} {"text": "Turla is a notorious group that has been targeting diplomats .", "spans": {"Organization: Turla": [[0, 5]], "Organization: diplomats": [[51, 60]]}, "info": {"id": "dnrti_train_001518", "source": "dnrti_train"}} {"text": "The codename for Turla APT group in this presentation is MAKERSMARK .", "spans": {"Organization: Turla APT group": [[17, 32]]}, "info": {"id": "dnrti_train_001519", "source": "dnrti_train"}} {"text": "The Intercept reported that there exists a 2011 presentation by Canada 's Communications Security Establishment ( CSE ) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced .", "spans": {"Organization: Canada 's Communications Security Establishment": [[64, 111]], "Organization: CSE": [[114, 117]], "Organization: Turla operators": [[153, 168]]}, "info": {"id": "dnrti_train_001520", "source": "dnrti_train"}} {"text": "The witnessed techniques , tactics and procedures ( TTPs ) are in-line with what we usually see in Turla 's operation : a first stage backdoor , such as Skipper , likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor , Gazer in this case .", "spans": {"Organization: Turla 's operation": [[99, 117]], "System: stage backdoor": [[128, 142]], "Malware: Skipper": [[153, 160]], "System: spearphishing": [[188, 201]]}, "info": {"id": "dnrti_train_001521", "source": "dnrti_train"}} 
{"text": "Southeastern Europe as well as countries in the former Soviet Union Republics has recently been the main target .", "spans": {}, "info": {"id": "dnrti_train_001522", "source": "dnrti_train"}} {"text": "Finally , there are many similarities between Gazer and other second stage backdoors used by the Turla group such as Carbon and Kazuar .", "spans": {"Malware: Gazer": [[46, 51]], "Malware: backdoors": [[75, 84]], "Organization: Turla": [[97, 102]], "Organization: Carbon": [[117, 123]], "Organization: Kazuar": [[128, 134]]}, "info": {"id": "dnrti_train_001523", "source": "dnrti_train"}} {"text": "Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated .", "spans": {"Malware: Skipper": [[0, 7]], "Malware: Gazer": [[75, 80]]}, "info": {"id": "dnrti_train_001524", "source": "dnrti_train"}} {"text": "Turla APT group makes an extra effort to avoid detection by wiping files securely , changing the strings and randomizing what could be simple markers through the different backdoor versions .", "spans": {"Organization: Turla APT group": [[0, 15]]}, "info": {"id": "dnrti_train_001525", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including government institutions .", "spans": {"Malware: Epic Turla": [[21, 31]], "Organization: government institutions": [[110, 133]]}, "info": {"id": "dnrti_train_001526", "source": "dnrti_train"}} {"text": "Turla all uses an encrypted container to store the malware 's components and configuration and they also log their actions in a file .", "spans": {"Organization: Turla": [[0, 5]], "Malware: encrypted container": [[18, 37]]}, "info": {"id": "dnrti_train_001527", "source": "dnrti_train"}} {"text": "Over the last 10 months , Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call \" Epic Turla \" .", "spans": {"Organization: Kaspersky Lab": [[26, 39]], "Malware: Epic Turla": [[118, 128]]}, "info": {"id": "dnrti_train_001528", "source": "dnrti_train"}} {"text": "We also observed exploits against older ( patched ) vulnerabilities , social engineering techniques and watering hole strategies in these attacks .", "spans": {}, "info": {"id": "dnrti_train_001529", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": {"Malware: Epic Turla": [[21, 31]], "Organization: embassies": [[110, 119]]}, "info": {"id": "dnrti_train_001530", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including military .", "spans": {"Malware: Epic Turla": [[21, 31]]}, "info": {"id": "dnrti_train_001531", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including education .", "spans": {"Malware: Epic Turla": [[21, 31]]}, "info": {"id": "dnrti_train_001532", "source": "dnrti_train"}} {"text": "When G-Data published on Turla/Uroburos back in February , several questions remained unanswered .", "spans": {"Organization: G-Data": [[5, 11]], "Organization: Turla/Uroburos": [[25, 39]]}, "info": {"id": "dnrti_train_001533", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including research and pharmaceutical companies .", "spans": {"Malware: Epic Turla": [[21, 31]], "Organization: pharmaceutical companies": [[123, 147]]}, "info": {"id": "dnrti_train_001534", "source": "dnrti_train"}} {"text": "The primary backdoor used in the Epic attacks is also known as \" WorldCupSec \" , \" TadjMakhal \" , \" Wipbot \" or \" Tavdig \" .", "spans": {"Organization: WorldCupSec": [[65, 76]], "Organization: TadjMakhal": [[83, 93]], "Organization: Wipbot": [[100, 106]], "Organization: Tavdig": [[114, 120]]}, 
"info": {"id": "dnrti_train_001535", "source": "dnrti_train"}} {"text": "Thrip 's motive is likely espionage and its targets include those in the communications , geospatial imaging , and defense sectors , both in the United States and Southeast Asia .", "spans": {"Organization: defense sectors": [[115, 130]]}, "info": {"id": "dnrti_train_001536", "source": "dnrti_train"}} {"text": "One big unknown was the infection vector for Turla ( aka Snake or Uroburos ) .", "spans": {"Organization: Snake": [[57, 62]], "Organization: Uroburos": [[66, 74]]}, "info": {"id": "dnrti_train_001537", "source": "dnrti_train"}} {"text": "The mothership server is generally a VPS , which runs the Control panel software used to interact with the victims .", "spans": {"Malware: VPS": [[37, 40]]}, "info": {"id": "dnrti_train_001538", "source": "dnrti_train"}} {"text": "the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": {"Vulnerability: CVE-2013-5065": [[43, 56]], "Vulnerability: EoP exploit": [[57, 68]]}, "info": {"id": "dnrti_train_001539", "source": "dnrti_train"}} {"text": "Once a victim is confirmed as \" interesting \" , the attackers upload another Epic backdoor which has a unique ID used to control this specific victim .", "spans": {"Malware: Epic backdoor": [[77, 90]]}, "info": {"id": "dnrti_train_001540", "source": "dnrti_train"}} {"text": "Our analysis indicates this is a sophisticated multi-stage infection ; which begins with Epic Turla .", "spans": {"Malware: Epic Turla": [[89, 99]]}, "info": {"id": "dnrti_train_001541", "source": "dnrti_train"}} {"text": "this attack against a Kaspersky Lab user on August 5 , 2014 .", "spans": {"Organization: Kaspersky Lab": [[22, 35]]}, "info": {"id": "dnrti_train_001542", "source": "dnrti_train"}} {"text": "VENOMOUS BEAR is an advanced , Russia-based adversary that's been active since at least 2004 .", "spans": {"Organization: VENOMOUS BEAR": [[0, 13]]}, "info": {"id": "dnrti_train_001543", 
"source": "dnrti_train"}} {"text": "Venomous Bear has deployed malware to targets using several novel methods .", "spans": {"Organization: Venomous Bear": [[0, 13]], "System: novel methods": [[60, 73]]}, "info": {"id": "dnrti_train_001544", "source": "dnrti_train"}} {"text": "For years , Turla has relied , among other impersonations , on fake Flash installers to compromise victims .", "spans": {"Organization: Turla": [[12, 17]], "Malware: fake Flash installers": [[63, 84]]}, "info": {"id": "dnrti_train_001545", "source": "dnrti_train"}} {"text": "Turla merely uses the Adobe brand to trick users into downloading the malware .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_001546", "source": "dnrti_train"}} {"text": "By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016 .", "spans": {"Organization: Turla": [[53, 58]]}, "info": {"id": "dnrti_train_001547", "source": "dnrti_train"}} {"text": "Thus , it is clear they are trying to be as stealthy as possible by hiding in the network traffic of the targeted organizations .", "spans": {"System: network traffic": [[82, 97]]}, "info": {"id": "dnrti_train_001548", "source": "dnrti_train"}} {"text": "Finally , some of the victims are also infected with other Turla-related malware such as ComRAT or Gazer .", "spans": {"Organization: Turla-related": [[59, 72]], "Malware: malware": [[73, 80]], "Malware: ComRAT": [[89, 95]], "Malware: Gazer": [[99, 104]]}, "info": {"id": "dnrti_train_001549", "source": "dnrti_train"}} {"text": "Kaspersky Lab documented this behavior in 2014 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]]}, "info": {"id": "dnrti_train_001550", "source": "dnrti_train"}} {"text": "It is not a new tactic for Turla to rely on fake Flash installers to try to trick the user to install one of their backdoors .", "spans": {"Malware: fake Flash installers": [[44, 65]]}, "info": {"id": 
"dnrti_train_001551", "source": "dnrti_train"}} {"text": "Turla operators could use an already-compromised machine in the network of the victim 's organization to perform a local MitM attack .", "spans": {}, "info": {"id": "dnrti_train_001552", "source": "dnrti_train"}} {"text": "Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito .", "spans": {}, "info": {"id": "dnrti_train_001553", "source": "dnrti_train"}} {"text": "It is not the first time Turla has used generic tools .", "spans": {"Organization: Turla": [[25, 30]], "Malware: generic tools": [[40, 53]]}, "info": {"id": "dnrti_train_001554", "source": "dnrti_train"}} {"text": "In the past , we have seen the group using open-source password dumpers such as Mimikatz .", "spans": {"Malware: open-source password dumpers": [[43, 71]], "Malware: Mimikatz": [[80, 88]]}, "info": {"id": "dnrti_train_001555", "source": "dnrti_train"}} {"text": "Starting in March 2018 , we observed a significant change in the campaign : it now leverages the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor .", "spans": {"Malware: Metasploit": [[132, 142]]}, "info": {"id": "dnrti_train_001556", "source": "dnrti_train"}} {"text": "Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": {"Malware: malicious file": [[56, 70]], "System: adobe.com": [[95, 104]]}, "info": {"id": "dnrti_train_001557", "source": "dnrti_train"}} {"text": "However , to our knowledge , this is the first time Turla has used Metasploit as a first stage backdoor , instead of relying on one of its own tools such as Skipper .", "spans": {"Malware: Metasploit": [[67, 77]], "Malware: Skipper": [[157, 164]]}, "info": {"id": "dnrti_train_001558", "source": "dnrti_train"}} {"text": "Traffic was intercepted on a node between the end machine and the 
Adobe servers , allowing Turla 's operators to replace the legitimate Flash executable with a trojanized version .", "spans": {"System: replace the legitimate Flash executable": [[113, 152]]}, "info": {"id": "dnrti_train_001559", "source": "dnrti_train"}} {"text": "At the beginning of March 2018 , as part of our regular tracking of Turla 's activities , we observed some changes in the Mosquito campaign .", "spans": {"Organization: Turla": [[68, 73]]}, "info": {"id": "dnrti_train_001560", "source": "dnrti_train"}} {"text": "In this post , we have presented the evolutions of the Turla Mosquito campaign over the last few months .", "spans": {}, "info": {"id": "dnrti_train_001561", "source": "dnrti_train"}} {"text": "Primary targets for this adversary are in the government , aerospace , NGO , defense , cryptology and education sectors .", "spans": {"Organization: education sectors": [[102, 119]]}, "info": {"id": "dnrti_train_001562", "source": "dnrti_train"}} {"text": "Turla 's campaign still relies on a fake Flash installer but , instead of directly dropping the two malicious DLLs , it executes a Metasploit shellcode and drops , or downloads from Google Drive , a legitimate Flash installer .", "spans": {"Malware: Metasploit shellcode and drops": [[131, 161]]}, "info": {"id": "dnrti_train_001563", "source": "dnrti_train"}} {"text": "The Turla espionage group has been targeting various institutions for many years .", "spans": {}, "info": {"id": "dnrti_train_001564", "source": "dnrti_train"}} {"text": "Recently , we found several new versions of Carbon , a second stage backdoor in the Turla group arsenal .", "spans": {"Malware: Carbon": [[44, 50]]}, "info": {"id": "dnrti_train_001565", "source": "dnrti_train"}} {"text": "The Turla group is known to be painstaking and work in stages , first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon .", "spans": {"Malware: Carbon": [[173, 179]]}, "info": {"id": 
"dnrti_train_001566", "source": "dnrti_train"}} {"text": "Kaspersky APT Intelligence Reporting subscription , customers received an update in mid-February 2017 .", "spans": {"Organization: Kaspersky APT Intelligence Reporting subscription": [[0, 49]]}, "info": {"id": "dnrti_train_001567", "source": "dnrti_train"}} {"text": "Like previous Turla activity , WhiteBear leverages compromised websites and hijacked satellite connections for command and control ( C2 ) infrastructure .", "spans": {"Malware: WhiteBear": [[31, 40]], "System: compromised websites": [[51, 71]]}, "info": {"id": "dnrti_train_001568", "source": "dnrti_train"}} {"text": "WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report \" Skipper Turla – the White Atlas framework \" from mid-2016 .", "spans": {"Malware: WhiteBear": [[0, 9]], "Malware: Skipper Turla": [[55, 68], [141, 154]], "Malware: White Atlas": [[161, 172]]}, "info": {"id": "dnrti_train_001569", "source": "dnrti_train"}} {"text": "However , despite the similarities to previous Turla campaigns , we believe that WhiteBear is a distinct project with a separate focus .", "spans": {"Malware: WhiteBear": [[81, 90]]}, "info": {"id": "dnrti_train_001570", "source": "dnrti_train"}} {"text": "From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": {"Organization: embassies": [[77, 86]]}, "info": {"id": "dnrti_train_001571", "source": "dnrti_train"}} {"text": "Continued WhiteBear activity later shifted to include defense-related organizations into June 2017 .", "spans": {"Organization: defense-related organizations": [[54, 83]]}, "info": {"id": "dnrti_train_001572", "source": "dnrti_train"}} {"text": "All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": {"Malware: WhiteBear": [[19, 28]], "Organization: embassies": [[53, 
62]]}, "info": {"id": "dnrti_train_001573", "source": "dnrti_train"}} {"text": "Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": {"Organization: Turla": [[7, 12]], "System: emails": [[81, 87]], "Organization: German Foreign Office staff": [[100, 127]]}, "info": {"id": "dnrti_train_001574", "source": "dnrti_train"}} {"text": "Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive exfiltrated data from the victims .", "spans": {}, "info": {"id": "dnrti_train_001575", "source": "dnrti_train"}} {"text": "It mainly targets Microsoft Outlook , a widely used mail client , but also targets The Bat! , a mail client very popular in Eastern Europe .", "spans": {}, "info": {"id": "dnrti_train_001576", "source": "dnrti_train"}} {"text": "First , Turla steals emails by forwarding all outgoing emails to the attackers .", "spans": {"Organization: Turla": [[8, 13]], "System: emails": [[21, 27], [55, 61]]}, "info": {"id": "dnrti_train_001577", "source": "dnrti_train"}} {"text": "We identified several European governments and defense companies compromised with this group .", "spans": {"Organization: defense companies": [[47, 64]]}, "info": {"id": "dnrti_train_001578", "source": "dnrti_train"}} {"text": "What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor .", "spans": {"Malware: PDF documents": [[74, 87]]}, "info": {"id": "dnrti_train_001579", "source": "dnrti_train"}} {"text": "In early 2018 , multiple media claimed that Turla operators used mail attachments to control infected machines .", "spans": {"System: mail attachments": [[65, 81]]}, "info": {"id": "dnrti_train_001580", "source": "dnrti_train"}} {"text": "As detailed in the previous section , this malware is able to manipulate and exfiltrate emails .", 
"spans": {}, "info": {"id": "dnrti_train_001581", "source": "dnrti_train"}} {"text": "To our knowledge , Turla is the only espionage group that currently uses a backdoor entirely controlled by emails , and more specifically via PDF attachments .", "spans": {"System: emails": [[107, 113]], "Malware: PDF attachments": [[142, 157]]}, "info": {"id": "dnrti_train_001582", "source": "dnrti_train"}} {"text": "The attackers first infected in March 2017 .", "spans": {}, "info": {"id": "dnrti_train_001583", "source": "dnrti_train"}} {"text": "Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor , but also by other attackers .", "spans": {}, "info": {"id": "dnrti_train_001584", "source": "dnrti_train"}} {"text": "The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft.NET Framework that offers actors complete access to compromised systems targeted by its operator .", "spans": {"Malware: Kazuar": [[46, 52]]}, "info": {"id": "dnrti_train_001585", "source": "dnrti_train"}} {"text": "We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": {"Malware: Kazuar tool": [[15, 26]], "Organization: Uroburos": [[89, 97]], "Organization: Snake": [[102, 107]], "Organization: embassies": [[155, 164]], "Organization: defense contractors": [[167, 186]], "Organization: educational institutions": [[189, 213]], "Organization: research organizations": [[220, 242]]}, "info": {"id": "dnrti_train_001586", "source": "dnrti_train"}} {"text": "This is also a full-featured backdoor controlled by email , and which can work independently of any other Turla component .", "spans": {"Malware: full-featured backdoor": [[15, 37]], "System: email": [[52, 57]]}, "info": {"id": 
"dnrti_train_001587", "source": "dnrti_train"}} {"text": "A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005 .", "spans": {"System: code lineage": [[64, 76]], "Malware: Kazuar": [[80, 86]]}, "info": {"id": "dnrti_train_001588", "source": "dnrti_train"}} {"text": "If the hypothesis is correct and the Turla threat group is using Kazuar , we believe they may be using it as a replacement for Carbon and its derivatives .", "spans": {"Organization: Turla": [[37, 42]], "Malware: Kazuar": [[65, 71]], "Malware: Carbon": [[127, 133]]}, "info": {"id": "dnrti_train_001589", "source": "dnrti_train"}} {"text": "We used a combination of tools such as NoFuserEx , ConfuserEx Fixer , ConfuserEx Switch Killer , and de4d0t in order to deobfuscate the code for in depth analysis .", "spans": {"Malware: NoFuserEx": [[39, 48]], "Malware: ConfuserEx Fixer": [[51, 67]], "Malware: ConfuserEx Switch Killer": [[70, 94]], "Malware: de4d0t": [[101, 107]]}, "info": {"id": "dnrti_train_001590", "source": "dnrti_train"}} {"text": "Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" .", "spans": {"Organization: Kazuar": [[0, 6]]}, "info": {"id": "dnrti_train_001591", "source": "dnrti_train"}} {"text": "The subject is a series of targeted attacks against private companies .", "spans": {"Organization: private companies": [[52, 69]]}, "info": {"id": "dnrti_train_001592", "source": "dnrti_train"}} {"text": "e uncovered the activity of a hacking group which has Chinese origins .", "spans": {}, "info": {"id": "dnrti_train_001593", "source": "dnrti_train"}} {"text": "Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from .", "spans": {"System: API access": [[32, 42]]}, "info": {"id": "dnrti_train_001594", "source": "dnrti_train"}} {"text": "According to our 
estimations , this group has been active for several years and specializes in cyberattacks against the online video game industry .", "spans": {}, "info": {"id": "dnrti_train_001595", "source": "dnrti_train"}} {"text": "Based on our analysis , we believe that threat actors may compile Windows and Unix based payloads using the same code to deploy Kazuar against both platforms .", "spans": {"Organization: Kazuar": [[128, 134]]}, "info": {"id": "dnrti_train_001596", "source": "dnrti_train"}} {"text": "The group 's main objective is to steal source codes .", "spans": {}, "info": {"id": "dnrti_train_001597", "source": "dnrti_train"}} {"text": "In 2010 HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company .", "spans": {"Organization: HBGary": [[8, 14], [99, 105]], "Organization: American video game company": [[124, 151]]}, "info": {"id": "dnrti_train_001598", "source": "dnrti_train"}} {"text": "In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company .", "spans": {"Organization: HBGary": [[17, 23], [108, 114]], "Organization: video game company": [[142, 160]]}, "info": {"id": "dnrti_train_001599", "source": "dnrti_train"}} {"text": "For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically .", "spans": {"Organization: Winnti group": [[20, 32]], "Organization: gaming companies": [[89, 105]]}, "info": {"id": "dnrti_train_001600", "source": "dnrti_train"}} {"text": "In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group .", "spans": {"Organization: Novetta": [[9, 16]], "Malware: Winnti malware": [[54, 68]]}, "info": {"id": "dnrti_train_001601", "source": "dnrti_train"}} {"text": "The Axiom group has been presented as an advanced Chinese threat actor carrying out 
cyber-espionage attacks against a whole range of different industries .", "spans": {"Organization: Axiom": [[4, 9]]}, "info": {"id": "dnrti_train_001602", "source": "dnrti_train"}} {"text": "this library includes two drivers compiled on August 22 and September 4 , 2014 .", "spans": {}, "info": {"id": "dnrti_train_001603", "source": "dnrti_train"}} {"text": "Also our visibility as a vendor does not cover every company in the world ( at least so far ; ) ) and the Kaspersky Security Network ( KSN ) did not reveal other attacks except those against gaming companies .", "spans": {"Organization: Kaspersky Security Network": [[106, 132]], "Organization: KSN": [[135, 138]], "Organization: gaming companies": [[191, 207]]}, "info": {"id": "dnrti_train_001604", "source": "dnrti_train"}} {"text": "Conversely , LokiBot and Agent Tesla are new malware tools .", "spans": {"Malware: LokiBot": [[13, 20]], "Malware: Agent Tesla": [[25, 36]]}, "info": {"id": "dnrti_train_001605", "source": "dnrti_train"}} {"text": "Based on multiple active compromises by the Axiom threat group , Novetta was able to capture and analyze new Winnti malware samples .", "spans": {"Organization: Novetta": [[65, 72]], "Malware: Winnti malware samples": [[109, 131]]}, "info": {"id": "dnrti_train_001606", "source": "dnrti_train"}} {"text": "Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": {"Organization: gaming organizations": [[49, 69]]}, "info": {"id": "dnrti_train_001607", "source": "dnrti_train"}} {"text": "Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": {"Organization: gaming organizations": [[49, 69]]}, "info": {"id": "dnrti_train_001608", "source": "dnrti_train"}} {"text": "The samples Novetta obtained from the active Axiom infection were compiled in mid- to late 2014 and represent what Novetta is referring to as version 3.0 of the 
Winnti lineage .", "spans": {"Organization: Novetta": [[12, 19], [115, 122]], "Organization: Winnti": [[161, 167]]}, "info": {"id": "dnrti_train_001609", "source": "dnrti_train"}} {"text": "We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus , with at least some elements located in the Xicheng District of Beijing .", "spans": {}, "info": {"id": "dnrti_train_001610", "source": "dnrti_train"}} {"text": "The Winnti umbrella continues to operate highly successfully in 2018 .", "spans": {}, "info": {"id": "dnrti_train_001611", "source": "dnrti_train"}} {"text": "The Winnti umbrella and closely associated entities has been active since at least 2009 .", "spans": {}, "info": {"id": "dnrti_train_001612", "source": "dnrti_train"}} {"text": "The Winnti and Axiom group names were created by Kaspersky Lab and Symantec , respectively , for their 2013/2014 reports on the original group .", "spans": {"Organization: Winnti": [[4, 10]], "Organization: group": [[21, 26]], "Organization: Kaspersky Lab": [[49, 62]], "Organization: Symantec": [[67, 75]]}, "info": {"id": "dnrti_train_001613", "source": "dnrti_train"}} {"text": "Their operations against gaming and technology organizations are believed to be economically motivated in nature .", "spans": {"Organization: gaming": [[25, 31]], "Organization: technology organizations": [[36, 60]]}, "info": {"id": "dnrti_train_001614", "source": "dnrti_train"}} {"text": "However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused .", "spans": {}, "info": {"id": "dnrti_train_001615", "source": "dnrti_train"}} {"text": "The Winnti umbrella and linked groups' initial targets are gaming studios and high tech businesses .", "spans": {"Organization: gaming studios": [[59, 73]]}, "info": {"id": "dnrti_train_001616", "source": "dnrti_train"}} {"text": "During the same time period , we also observed 
the actor using the Browser Exploitation Framework ( BeEF ) to compromise victim hosts and download Cobalt Strike .", "spans": {"Malware: Cobalt Strike": [[147, 160]]}, "info": {"id": "dnrti_train_001617", "source": "dnrti_train"}} {"text": "In this campaign , the attackers experimented with publicly available tooling for attack operations .", "spans": {"Malware: publicly available tooling": [[51, 77]]}, "info": {"id": "dnrti_train_001618", "source": "dnrti_train"}} {"text": "The primary goal of these attacks was likely to find code-signing certificates for signing future malware .", "spans": {}, "info": {"id": "dnrti_train_001619", "source": "dnrti_train"}} {"text": "The Chinese intelligence apparatus has been reported on under many names , including Winnti , PassCV , APT17 , Axiom , LEAD , BARIUM , Wicked Panda , and GREF .", "spans": {}, "info": {"id": "dnrti_train_001620", "source": "dnrti_train"}} {"text": "The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13 .", "spans": {}, "info": {"id": "dnrti_train_001621", "source": "dnrti_train"}} {"text": "ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security ( DHS ) .", "spans": {"Organization: Department of Homeland Security": [[72, 103]], "Organization: DHS": [[106, 109]]}, "info": {"id": "dnrti_train_001622", "source": "dnrti_train"}} {"text": "ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security .", "spans": {"Organization: Department of Homeland Security": [[72, 103]]}, "info": {"id": "dnrti_train_001623", "source": "dnrti_train"}} {"text": "ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems .", "spans": {"Malware: compromised websites": [[43, 63]], "System: watering 
holes": [[71, 85]]}, "info": {"id": "dnrti_train_001624", "source": "dnrti_train"}} {"text": "In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly ( which Dragos associates with DYMALLOY ) .", "spans": {"Organization: DHS": [[20, 23]], "Organization: Symantec": [[110, 118]], "Organization: Dragos": [[143, 149]]}, "info": {"id": "dnrti_train_001625", "source": "dnrti_train"}} {"text": "In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group .", "spans": {"Organization: DHS": [[20, 23]]}, "info": {"id": "dnrti_train_001626", "source": "dnrti_train"}} {"text": "We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus .", "spans": {}, "info": {"id": "dnrti_train_001627", "source": "dnrti_train"}} {"text": "ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities .", "spans": {}, "info": {"id": "dnrti_train_001628", "source": "dnrti_train"}} {"text": "In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly .", "spans": {"Organization: DHS": [[20, 23]], "Organization: Symantec": [[110, 118]]}, "info": {"id": "dnrti_train_001629", "source": "dnrti_train"}} {"text": "Public disclosure by third-parties , including the DHS , associate ALLANITE operations with Russian strategic interests .", "spans": {"Organization: DHS": [[51, 54]]}, "info": {"id": "dnrti_train_001630", "source": "dnrti_train"}} {"text": "ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system .", "spans": {}, "info": {"id": "dnrti_train_001631", "source": "dnrti_train"}} {"text": "Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in 
order to limit tradecraft proliferation .", "spans": {"Organization: Dragos": [[0, 6]]}, "info": {"id": "dnrti_train_001632", "source": "dnrti_train"}} {"text": "However , full details on ALLANITE and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": {"Organization: Dragos WorldView": [[142, 158]]}, "info": {"id": "dnrti_train_001633", "source": "dnrti_train"}} {"text": "In addition to maritime operations in this region , Anchor Panda also heavily targeted western companies in the US , Germany , Sweden , the UK , and Australia , and other countries involved in maritime satellite systems , aerospace companies , and defense contractors .", "spans": {"Organization: aerospace companies": [[222, 241]], "Organization: defense contractors": [[248, 267]]}, "info": {"id": "dnrti_train_001634", "source": "dnrti_train"}} {"text": "A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology .", "spans": {"Organization: maritime sector": [[78, 93]]}, "info": {"id": "dnrti_train_001635", "source": "dnrti_train"}} {"text": "PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy .", "spans": {"Organization: Anchor Panda": [[9, 21]], "Organization: CrowdStrike": [[43, 54]]}, "info": {"id": "dnrti_train_001636", "source": "dnrti_train"}} {"text": "ALLANITE operations continue and intelligence indicates activity since at least May 2017 .", "spans": {}, "info": {"id": "dnrti_train_001637", "source": "dnrti_train"}} {"text": "APT Anchor Panda is a Chinese threat actor group who target maritime operations .", "spans": {}, "info": {"id": "dnrti_train_001638", "source": "dnrti_train"}} {"text": "According to cyber security researchers , 
Anchor Panda , who work directly for the Chinese PLA Navy , likely remains active .", "spans": {}, "info": {"id": "dnrti_train_001639", "source": "dnrti_train"}} {"text": "Dragos does not corroborate nor conduct political attribution to threat activity .", "spans": {"Organization: Dragos": [[0, 6]]}, "info": {"id": "dnrti_train_001640", "source": "dnrti_train"}} {"text": "In the past they used Adobe Gh0st , Poison Ivy and Torn RAT malware as their primary attack vector is sphere phishing .", "spans": {"Malware: Adobe Gh0st": [[22, 33]], "Malware: Poison Ivy": [[36, 46]], "Malware: Torn RAT malware": [[51, 67]], "System: phishing": [[109, 117]]}, "info": {"id": "dnrti_train_001641", "source": "dnrti_train"}} {"text": "Their targets are marine companies that operate in and around the South China Sea , an area of much Chinese interest .", "spans": {"Organization: marine companies": [[18, 34]]}, "info": {"id": "dnrti_train_001642", "source": "dnrti_train"}} {"text": "As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities .", "spans": {}, "info": {"id": "dnrti_train_001643", "source": "dnrti_train"}} {"text": "The cyber-espionage campaign has labelled the group Advanced Persistent Threat ( APT ) 40 or , titled , Periscope .", "spans": {"Organization: Advanced Persistent": [[52, 71]], "Organization: Threat ( APT ) 40": [[72, 89]], "Organization: Periscope": [[104, 113]]}, "info": {"id": "dnrti_train_001644", "source": "dnrti_train"}} {"text": "The group has been active since at least January 2013 .", "spans": {}, "info": {"id": "dnrti_train_001645", "source": "dnrti_train"}} {"text": "The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states .", "spans": {}, "info": {"id": "dnrti_train_001646", "source": "dnrti_train"}} {"text": "The main targets seem to be 
US companies in engineering , transport and defense , although it has targeted other organizations around the world .", "spans": {}, "info": {"id": "dnrti_train_001647", "source": "dnrti_train"}} {"text": "The times of day the group is active also suggests that it is based near Beijing and the group has reportedly used malware that has been observed in other Chinese operations , indicating some level of collaboration .", "spans": {}, "info": {"id": "dnrti_train_001648", "source": "dnrti_train"}} {"text": "Periscope 's activity has previously been suspected of being linked to China , but now researchers believe their evidence links the operation to the Chinese state .", "spans": {}, "info": {"id": "dnrti_train_001649", "source": "dnrti_train"}} {"text": "APT40 is described as a moderately sophisticated cyber-espionage group which combines access to significant development resources with the ability to leverage publicly available tools .", "spans": {"Organization: APT40": [[0, 5]], "Malware: publicly available tools": [[159, 183]]}, "info": {"id": "dnrti_train_001650", "source": "dnrti_train"}} {"text": "Anchor Panda uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": {"Malware: CVE software vulnerabilities": [[182, 210]]}, "info": {"id": "dnrti_train_001651", "source": "dnrti_train"}} {"text": "Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network .", "spans": {"Organization: APT40": [[40, 45]], "System: phishing emails": [[101, 116]], "Malware: Gh0st RAT trojan": [[156, 172]]}, "info": {"id": "dnrti_train_001652", "source": "dnrti_train"}} {"text": "The group uses website and web-server compromise as a means of attack and leverages an enormous 
cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": {"Malware: CVE software vulnerabilities": [[179, 207]]}, "info": {"id": "dnrti_train_001653", "source": "dnrti_train"}} {"text": "More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors .", "spans": {}, "info": {"id": "dnrti_train_001654", "source": "dnrti_train"}} {"text": "APT5 has been active since at least 2007 .", "spans": {"Organization: APT5": [[0, 4]]}, "info": {"id": "dnrti_train_001655", "source": "dnrti_train"}} {"text": "APT5 has targeted or breached organizations across multiple industries , but its focus appears to be on telecommunications and technology companies , especially information about satellite communications .", "spans": {"Organization: APT5": [[0, 4]], "Organization: technology companies": [[127, 147]]}, "info": {"id": "dnrti_train_001656", "source": "dnrti_train"}} {"text": "APT5 targeted the network of an electronics firm that sells products for both industrial and military applications .", "spans": {"Organization: APT5": [[0, 4]], "Organization: electronics firm": [[32, 48]]}, "info": {"id": "dnrti_train_001657", "source": "dnrti_train"}} {"text": "The group subsequently stole communications related to the firm 's business relationship with a national military , including inventories and memoranda about specific products they provided .", "spans": {}, "info": {"id": "dnrti_train_001658", "source": "dnrti_train"}} {"text": "In one case in late 2014 , APT5 breached the network of an international telecommunications company .", "spans": {"Organization: international telecommunications company": [[59, 99]]}, "info": {"id": "dnrti_train_001659", "source": "dnrti_train"}} {"text": "The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies .", "spans": 
{"Organization: telecommunications companies": [[144, 172]]}, "info": {"id": "dnrti_train_001660", "source": "dnrti_train"}} {"text": "APT5 also targeted the networks of some of Southeast Asia 's major telecommunications providers with Leouncia malware .", "spans": {"Organization: telecommunications providers": [[67, 95]], "Malware: Leouncia malware": [[101, 117]]}, "info": {"id": "dnrti_train_001661", "source": "dnrti_train"}} {"text": "We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems .", "spans": {}, "info": {"id": "dnrti_train_001662", "source": "dnrti_train"}} {"text": "The FBI said the \" group of malicious cyber actors \" ( known as APT6 or 1.php ) used dedicated top-level domains in conjunction with the command and control servers to deliver \" customized malicious software \" to government computer systems .", "spans": {"Organization: FBI": [[4, 7]], "Organization: group of malicious cyber actors": [[19, 50]], "Organization: APT6": [[64, 68]], "Organization: 1.php": [[72, 77]], "Malware: customized malicious software": [[178, 207]]}, "info": {"id": "dnrti_train_001663", "source": "dnrti_train"}} {"text": "Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": {"Organization: Deepen": [[0, 6]], "Organization: China and US relations experts": [[95, 125]], "Organization: Defense Department": [[128, 146]], "Organization: geospatial groups": [[162, 179]]}, "info": {"id": "dnrti_train_001664", "source": "dnrti_train"}} {"text": "Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": {"Organization: Government officials": [[0, 20]]}, "info": {"id": "dnrti_train_001665", "source": "dnrti_train"}} 
{"text": "According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": {"Organization: Deepen": [[13, 19]], "Organization: APT6": [[22, 26]], "System: spear phishing": [[42, 56]], "Malware: PDF": [[82, 85]], "Malware: ZIP": [[90, 93]], "Malware: SCR file": [[170, 178]]}, "info": {"id": "dnrti_train_001666", "source": "dnrti_train"}} {"text": "Nearly a month later , security experts are now shining a bright light on the alert and the mysterious group behind the attack .", "spans": {}, "info": {"id": "dnrti_train_001667", "source": "dnrti_train"}} {"text": "The attacks discussed in this blog are related to an APT campaign commonly referred to as \" th3bug \" , named for the password the actors often use with their Poison Ivy malware .", "spans": {"Malware: Poison Ivy malware": [[158, 176]]}, "info": {"id": "dnrti_train_001668", "source": "dnrti_train"}} {"text": "Over the summer they compromised several sites , including a well-known Uyghur website written in that native language .", "spans": {}, "info": {"id": "dnrti_train_001669", "source": "dnrti_train"}} {"text": "In contrast to many other APT campaigns , which tend to rely heavily on spear phishing to gain victims , \" th3bug \" is known for compromising legitimate websites their intended visitors are likely to frequent .", "spans": {"System: spear phishing": [[72, 86]]}, "info": {"id": "dnrti_train_001670", "source": "dnrti_train"}} {"text": "While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": {"Vulnerability: CVE-2014-0515": [[89, 102]], "Vulnerability: Adobe Flash exploit": [[103, 122]], "Organization: Cisco TRAC": [[141, 151]]}, "info": {"id": "dnrti_train_001671", "source": "dnrti_train"}} {"text": "However , to increase success rates APT20 can use 
zero-day exploits , so even a properly patched system would be compromised .", "spans": {"Organization: APT20": [[36, 41]], "Vulnerability: zero-day exploits": [[50, 67]]}, "info": {"id": "dnrti_train_001672", "source": "dnrti_train"}} {"text": "Our direct observation of in-the-wild spearphishing attacks staged by the Bahamut group have been solely attempts to deceive targets into providing account passwords through impersonation of notices from platform providers .", "spans": {"Organization: platform providers": [[204, 222]]}, "info": {"id": "dnrti_train_001673", "source": "dnrti_train"}} {"text": "Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": {"Organization: Middle Eastern human rights activist": [[45, 81]]}, "info": {"id": "dnrti_train_001674", "source": "dnrti_train"}} {"text": "Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist – an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": {"Organization: Iranian women 's activist": [[82, 107]], "Organization: individual": [[113, 123]]}, "info": {"id": "dnrti_train_001675", "source": "dnrti_train"}} {"text": "In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": {"Organization: Bahamut": [[62, 69]], "System: phishing": [[96, 104]]}, "info": {"id": "dnrti_train_001676", "source": "dnrti_train"}} {"text": "Once inside a network , APT40 uses credential-harvesting tools to gain usernames and passwords , allowing it to expand its reach across the network and move laterally through an environment as it moves to towards the ultimate goal of stealing data .", "spans": {"Organization: APT40": [[24, 29]], "Malware: credential-harvesting tools": [[35, 62]]}, "info": 
{"id": "dnrti_train_001677", "source": "dnrti_train"}} {"text": "Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably .", "spans": {"Organization: Bahamut": [[0, 7]], "Malware: Android malware": [[69, 84]]}, "info": {"id": "dnrti_train_001678", "source": "dnrti_train"}} {"text": "In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": {"Organization: Bahamut": [[62, 69]], "System: phishing": [[96, 104]]}, "info": {"id": "dnrti_train_001679", "source": "dnrti_train"}} {"text": "Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": {"Organization: APT5": [[16, 20]], "Organization: organizations": [[34, 47]], "Organization: personnel": [[52, 61]]}, "info": {"id": "dnrti_train_001680", "source": "dnrti_train"}} {"text": "However , in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals , employing the same tactics as before .", "spans": {"System: spearphishing": [[52, 65]]}, "info": {"id": "dnrti_train_001681", "source": "dnrti_train"}} {"text": "Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations , and to further affirm our belief that the group is a hacker-for-hire operation .", "spans": {}, "info": {"id": "dnrti_train_001682", "source": "dnrti_train"}} {"text": "As we wrote then , compared to Kingphish , Bahamut operates as though it were a generation ahead in terms of professionalism and ambition .", "spans": {}, "info": {"id": "dnrti_train_001683", "source": "dnrti_train"}} {"text": "In the Bahamut report , we discussed two domains found within our search that were linked with a custom Android malware agent .", "spans": 
{"Malware: domains": [[41, 48]], "Malware: custom Android malware agent": [[97, 125]]}, "info": {"id": "dnrti_train_001684", "source": "dnrti_train"}} {"text": "After the publication of the original report , these sites were taken offline despite the fact that one agent was even updated a six days prior to our post ( the \" Khuai \" application ) .", "spans": {"Malware: Khuai": [[164, 169]]}, "info": {"id": "dnrti_train_001685", "source": "dnrti_train"}} {"text": "FIF is notable for its links to the Lashkar-e-Taiba ( LeT ) terrorist organization , which has committed mass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir border region .", "spans": {}, "info": {"id": "dnrti_train_001686", "source": "dnrti_train"}} {"text": "As a result , it is already flagged as Bahamut by antivirus engines .", "spans": {}, "info": {"id": "dnrti_train_001687", "source": "dnrti_train"}} {"text": "Our initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into providing account passwords through impersonation of platform providers .", "spans": {"Organization: platform providers": [[159, 177]]}, "info": {"id": "dnrti_train_001688", "source": "dnrti_train"}} {"text": "One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software .", "spans": {"Malware: legitimate software": [[184, 203]]}, "info": {"id": "dnrti_train_001689", "source": "dnrti_train"}} {"text": "Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords .", "spans": {"System: phishing": [[77, 85]]}, "info": {"id": "dnrti_train_001690", "source": "dnrti_train"}} {"text": "Bahamut spearphishing attempts have also been accompanied with SMS messages purporting to be from Google about security issues on 
their account , including a class 0 message or \" flash text \" .", "spans": {"System: spearphishing": [[8, 21]], "Organization: Google": [[98, 104]]}, "info": {"id": "dnrti_train_001691", "source": "dnrti_train"}} {"text": "These text messages did not include links but are intended to build credibility around the fake service notifications later sent to the target 's email address .", "spans": {}, "info": {"id": "dnrti_train_001692", "source": "dnrti_train"}} {"text": "We have not found evidence of Bahamut engaging in crime or operating outside its limited geographic domains , although this narrow perspective could be accounted for by its compartmentalization of operations .", "spans": {"Organization: Bahamut": [[30, 37]]}, "info": {"id": "dnrti_train_001693", "source": "dnrti_train"}} {"text": "Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations – not destructive attacks or fraud .", "spans": {"Organization: Bahamut": [[11, 18]]}, "info": {"id": "dnrti_train_001694", "source": "dnrti_train"}} {"text": "The targets and themes of Bahamut 's campaigns have consistently fallen within two regions – South Asia ( primarily Pakistan , specifically Kashmir ) and the Middle East ( from Morocco to Iran ) .", "spans": {}, "info": {"id": "dnrti_train_001695", "source": "dnrti_train"}} {"text": "Our prior publication also failed to acknowledge immensely valuable input from a number of colleagues , including Nadim Kobeissi 's feedback on how the API endpoints on the Android malware were encrypted .", "spans": {"Malware: Android malware": [[173, 188]]}, "info": {"id": "dnrti_train_001696", "source": "dnrti_train"}} {"text": "Bahamut targeted similar Qatar-based individuals during their campaign .", "spans": {"Organization: Bahamut": [[0, 7]]}, "info": {"id": "dnrti_train_001697", "source": "dnrti_train"}} {"text": "Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal 
here using hxxp://voguextra.com/decoy.doc .", "spans": {"Organization: Bellingcat": [[0, 10]], "Malware: decoy documents": [[79, 94]], "Malware: hxxp://voguextra.com/decoy.doc": [[132, 162]]}, "info": {"id": "dnrti_train_001698", "source": "dnrti_train"}} {"text": "The China-backed BARIUM APT is suspected to be at the helm of the project .", "spans": {}, "info": {"id": "dnrti_train_001699", "source": "dnrti_train"}} {"text": "Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and distributed from official ASUS update servers – which made them mostly invisible to the vast majority of protection solutions , according to Kaspersky Lab .", "spans": {"Organization: Kaspersky Lab": [[245, 258]]}, "info": {"id": "dnrti_train_001700", "source": "dnrti_train"}} {"text": "Kaspersky Lab To compromise the utility , Kaspersky Lab determined that the cyberattackers used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": {"Organization: Kaspersky Lab": [[0, 13], [42, 55]]}, "info": {"id": "dnrti_train_001701", "source": "dnrti_train"}} {"text": "To compromise the utility , Kaspersky Lab determined that Barium used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": {"Organization: Kaspersky Lab": [[28, 41]]}, "info": {"id": "dnrti_train_001702", "source": "dnrti_train"}} {"text": "BARIUM , a Chinese state player that also goes by APT17 , Axiom and Deputy Dog , was previously linked to the ShadowPad and CCleaner incidents , which were also supply-chain attacks that used software updates to sneak onto machines .", "spans": {"Organization: BARIUM": [[0, 6]], "Organization: APT17": [[50, 55]], "Organization: Axiom": [[58, 63]], "Organization: Deputy": [[68, 74]], "Organization: Dog": [[75, 78]], "Malware: ShadowPad": 
[[110, 119]], "Malware: CCleaner": [[124, 132]], "Malware: software updates": [[192, 208]]}, "info": {"id": "dnrti_train_001703", "source": "dnrti_train"}} {"text": "That said , the \" fingerprints \" left on the samples by the attackers – including techniques used to achieve unauthorized code execution – suggest that the BARIUM APT is behind the effort , according to the researchers .", "spans": {"Organization: BARIUM APT": [[156, 166]]}, "info": {"id": "dnrti_train_001704", "source": "dnrti_train"}} {"text": "In the 2017 ShadowPad attack , the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor .", "spans": {"Organization: server management software provider": [[63, 98]]}, "info": {"id": "dnrti_train_001705", "source": "dnrti_train"}} {"text": "In the next incident , also in 2017 , software updates for the legitimate computer cleanup tool CCleaner was found to have been compromised by hackers to taint them with the same ShadowPad backdoor .", "spans": {"Malware: software updates": [[38, 54]], "Malware: ShadowPad backdoor": [[179, 197]]}, "info": {"id": "dnrti_train_001706", "source": "dnrti_train"}} {"text": "NetSarang , which has headquarters in South Korea and the United States , removed the backdoored update , but not before it was activated on at least one victim 's machine in Hong Kong .", "spans": {}, "info": {"id": "dnrti_train_001707", "source": "dnrti_train"}} {"text": "Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer .", "spans": {"Organization: labor rights advocates": [[84, 106]], "Organization: foreign policy institutions": [[128, 155]]}, "info": {"id": "dnrti_train_001708", "source": "dnrti_train"}} {"text": "Barium specializes in targeting high value organizations 
holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks .", "spans": {"Organization: employees": [[129, 138], [272, 281]]}, "info": {"id": "dnrti_train_001709", "source": "dnrti_train"}} {"text": "We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": {"Organization: Bahamut": [[73, 80]], "Malware: Devoted To Humanity": [[96, 115]]}, "info": {"id": "dnrti_train_001710", "source": "dnrti_train"}} {"text": "Although the Barium Defendants have relied on different and distinct infrastructures in an effort to evade detection , Barium used the same e-mail address (hostay88@gmail.com ) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers .", "spans": {"System: e-mail": [[140, 146]], "Organization: Barium": [[258, 264]]}, "info": {"id": "dnrti_train_001711", "source": "dnrti_train"}} {"text": "The second method , described in Part D.2 , below , involves the \" ShadowPad \" malware , which the Barium Defendants have distributed via a third-party software provider 's compromised update .", "spans": {"Malware: ShadowPad": [[67, 76]], "Organization: Barium": [[99, 105]], "Organization: third-party software provider": [[140, 169]]}, "info": {"id": "dnrti_train_001712", "source": "dnrti_train"}} {"text": "To enhance the effectiveness of phishing attacks into the organization , Barium will collect additional background information from social media sites .", "spans": {"Organization: Barium": [[73, 79]]}, "info": {"id": "dnrti_train_001713", "source": "dnrti_train"}}
{"text": "Employing a technique known as \" spear phishing \" , Barium has heavily targeted individuals within Human Resources or Business Development departments of the targeted organizations in order to compromise the computers of such individuals .", "spans": {"System: spear phishing": [[33, 47]], "Organization: Barium": [[52, 58]]}, "info": {"id": "dnrti_train_001714", "source": "dnrti_train"}} {"text": "The first method , described in Part D.1 , below , involves the \" Barlaiy \" and \" PlugXL \" malware , which the Barium Defendants propagate using phishing techniques .", "spans": {"Malware: Barlaiy": [[66, 73]], "Malware: PlugXL": [[82, 88]], "System: phishing techniques": [[145, 164]]}, "info": {"id": "dnrti_train_001715", "source": "dnrti_train"}} {"text": "Using the information gathered from its reconnaissance on social media sites , Barium packages the phishing e-mail in a way that gives the e-mail credibility to the target user , often by making the e-mail appear as if it were sent from an organization known to and trusted by the victim or concerning a topic of interest to the victim .", "spans": {"Organization: Barium": [[79, 85]], "System: phishing e-mail": [[99, 114]], "System: e-mail": [[139, 145], [199, 205]]}, "info": {"id": "dnrti_train_001716", "source": "dnrti_train"}} {"text": "Barium Defendants install the malicious \" Win32/Barlaiy \" malware and the malicious \" Win32/PlugX.L \" malware on victim computers using the means described above .", "spans": {"Organization: Barium": [[0, 6]], "Malware: Win32/Barlaiy": [[42, 55]], "Malware: Win32/PlugX.L": [[86, 99]]}, "info": {"id": "dnrti_train_001717", "source": "dnrti_train"}} {"text": "Both Win32/Barlaiy & Win32/PlugX.L are remote access \" trojans \" , which allow Barium to gather a victim 's information , control a victim 's device , install additional malware , and exfiltrate information from a victim 's device .", "spans": {"Malware: Win32/Barlaiy": [[5, 18]], "Malware: Win32/PlugX.L": [[21, 34]], "Organization: Barium": [[79, 85]]}, "info": {"id": 
"dnrti_train_001718", "source": "dnrti_train"}} {"text": "Barium Defendants install the malicious credential stealing and injection tool known as \" Win32/RibDoor.A!dha \" .", "spans": {"Organization: Barium": [[0, 6]], "Malware: Win32/RibDoor.A!dha": [[90, 109]]}, "info": {"id": "dnrti_train_001719", "source": "dnrti_train"}} {"text": "While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": {"Organization: Microsoft": [[33, 42]], "Organization: Barium": [[94, 100]], "Malware: Win32/ShadowPad.A": [[139, 156]]}, "info": {"id": "dnrti_train_001720", "source": "dnrti_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"Malware: MXI Player": [[0, 10]]}, "info": {"id": "dnrti_train_001721", "source": "dnrti_train"}} {"text": "Figure 9a , below , shows detections of encounters with the Barium actors and their infrastructure , including infected computers located in Virginia , and Figure 9b , below , shows detections of encounters throughout the United States .", "spans": {}, "info": {"id": "dnrti_train_001722", "source": "dnrti_train"}} {"text": "Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": {"Organization: Barium": [[0, 6]], "Organization: Microsoft customers": [[20, 39]]}, "info": {"id": "dnrti_train_001723", "source": "dnrti_train"}} {"text": "Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information from the victim 's network .", "spans": {}, "info": {"id": "dnrti_train_001724", "source": 
"dnrti_train"}} {"text": "According to a 49-page report published Thursday , all of the attacks are the work of Chinese government 's intelligence apparatus , which the report 's authors dub the Winnti Umbrella .", "spans": {"Organization: Winnti Umbrella": [[169, 184]]}, "info": {"id": "dnrti_train_001725", "source": "dnrti_train"}} {"text": "Researchers from various security organizations have used a variety of names to assign responsibility for the hacks , including LEAD , BARIUM , Wicked Panda , GREF , PassCV , Axiom , and Winnti .", "spans": {"Organization: LEAD": [[128, 132]], "Organization: BARIUM": [[135, 141]], "Organization: Wicked Panda": [[144, 156]], "Organization: GREF": [[159, 163]], "Organization: PassCV": [[166, 172]], "Organization: Axiom": [[175, 180]], "Organization: Winnti": [[187, 193]]}, "info": {"id": "dnrti_train_001726", "source": "dnrti_train"}} {"text": "It targets organizations in Japan , South Korea , and Taiwan , leveling its attacks on public sector agencies and telecommunications and other high-technology industries .", "spans": {"Organization: public sector agencies": [[87, 109]]}, "info": {"id": "dnrti_train_001727", "source": "dnrti_train"}} {"text": "In 2016 , for instance , we found their campaigns attacking Japanese organizations with various malware tools , notably the Elirks backdoor .", "spans": {"Malware: Elirks backdoor": [[124, 139]]}, "info": {"id": "dnrti_train_001728", "source": "dnrti_train"}} {"text": "Blackgear has been targeting various industries since its emergence a decade ago .", "spans": {}, "info": {"id": "dnrti_train_001729", "source": "dnrti_train"}} {"text": "Blackgear 's campaigns also use email as an entry point , which is why it's important to secure the email gateway .", "spans": {"System: email": [[32, 37]], "System: email gateway": [[100, 113]]}, "info": {"id": "dnrti_train_001730", "source": "dnrti_train"}} {"text": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many 
years .", "spans": {"Organization: users": [[54, 59]]}, "info": {"id": "dnrti_train_001731", "source": "dnrti_train"}} {"text": "Our research indicates that it has started targeting Japanese users .", "spans": {"Organization: Japanese users": [[53, 67]]}, "info": {"id": "dnrti_train_001732", "source": "dnrti_train"}} {"text": "The malware tools used by BLACKGEAR can be categorized into three categories : binders , downloaders and backdoors .", "spans": {"Malware: binders": [[79, 86]], "Malware: downloaders": [[89, 100]], "Malware: backdoors": [[105, 114]]}, "info": {"id": "dnrti_train_001733", "source": "dnrti_train"}} {"text": "Binders are delivered by attack vectors ( such as phishing and watering hole attacks ) onto a machine .", "spans": {"Malware: Binders": [[0, 7]], "System: phishing": [[50, 58]]}, "info": {"id": "dnrti_train_001734", "source": "dnrti_train"}} {"text": "Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology .", "spans": {}, "info": {"id": "dnrti_train_001735", "source": "dnrti_train"}} {"text": "Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns : PLEAD , Shrouded Crossbow , and of late , Waterbear .", "spans": {}, "info": {"id": "dnrti_train_001736", "source": "dnrti_train"}} {"text": "Active since 2012 , it has so far targeted Taiwanese government agencies and private organizations .", "spans": {"Organization: government agencies": [[53, 72]]}, "info": {"id": "dnrti_train_001737", "source": "dnrti_train"}} {"text": "PLEAD uses spear-phishing emails to deliver and install their backdoor , either as an attachment or through links to cloud storage services .", "spans": {"System: spear-phishing emails": [[11, 32]], "Malware: cloud storage services": [[117, 139]]}, "info": {"id": "dnrti_train_001738", "source": "dnrti_train"}} {"text": 
"PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": {"Vulnerability: Flash vulnerability": [[108, 127]], "Vulnerability: CVE-2015-5119": [[130, 143]]}, "info": {"id": "dnrti_train_001739", "source": "dnrti_train"}} {"text": "PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability in Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", "spans": {"Vulnerability: CVE-2017-7269": [[16, 29]]}, "info": {"id": "dnrti_train_001740", "source": "dnrti_train"}} {"text": "This campaign , first observed in 2010 , is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor , which the operators enhanced and created other tools from .", "spans": {}, "info": {"id": "dnrti_train_001741", "source": "dnrti_train"}} {"text": "Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics , computer , healthcare , and financial industries .", "spans": {"Organization: privatized agencies": [[27, 46]], "Organization: government contractors": [[51, 73]]}, "info": {"id": "dnrti_train_001742", "source": "dnrti_train"}} {"text": "Shrouded Crossbow employs three BIFROST-derived backdoors : BIFROSE , KIVARS , and XBOW .", "spans": {"Malware: BIFROST-derived backdoors": [[32, 57]], "Malware: BIFROSE": [[60, 67]], "Malware: KIVARS": [[70, 76]], "Malware: XBOW": [[83, 87]]}, "info": {"id": "dnrti_train_001743", "source": "dnrti_train"}} {"text": "Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and are accompanied by decoy documents .", "spans": {"System: spear-phishing emails": [[36, 57]], "Malware: RTLO technique": [[107, 121]], "Malware: decoy documents": [[145, 160]]}, "info": {"id": 
"dnrti_train_001744", "source": "dnrti_train"}} {"text": "XBOW 's capabilities are derived from BIFROSE and KIVARS ; Shrouded Crossbow gets its name from its unique mutex format .", "spans": {"Malware: XBOW": [[0, 4]], "Malware: BIFROSE": [[38, 45]], "Malware: KIVARS": [[50, 56]]}, "info": {"id": "dnrti_train_001745", "source": "dnrti_train"}} {"text": "While PLEAD and KIVARS are most likely to be used in first phase attacks , Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege .", "spans": {"Malware: PLEAD": [[6, 11]], "Malware: KIVARS": [[16, 22]]}, "info": {"id": "dnrti_train_001746", "source": "dnrti_train"}} {"text": "Recently , the JPCERT published a thorough analysis of the Plead backdoor , which , according to Trend Micro , is used by the cyberespionage group BlackTech .", "spans": {"Organization: JPCERT": [[15, 21]], "Malware: Plead backdoor": [[59, 73]], "Organization: Trend Micro": [[97, 108]]}, "info": {"id": "dnrti_train_001747", "source": "dnrti_train"}} {"text": "Despite the fact that the Changing Information Technology Inc. 
certificate was revoked on July 4 , 2017 , the BlackTech group is still using it to sign their malicious tools .", "spans": {}, "info": {"id": "dnrti_train_001748", "source": "dnrti_train"}} {"text": "The BlackTech group is primarily focused on cyberespionage in Asia .", "spans": {}, "info": {"id": "dnrti_train_001749", "source": "dnrti_train"}} {"text": "The new activity described in this blogpost was detected by ESET in Taiwan , where the Plead malware has always been most actively deployed .", "spans": {"Organization: ESET": [[60, 64]], "Malware: Plead malware": [[87, 100]]}, "info": {"id": "dnrti_train_001750", "source": "dnrti_train"}} {"text": "Attackers are targeting the Windows platform and aiming at government institutions as well as big companies in Colombia .", "spans": {"Organization: government institutions": [[59, 82]]}, "info": {"id": "dnrti_train_001751", "source": "dnrti_train"}} {"text": "Attackers like to use spear-phishing email with password protected RAR attachment to avoid being detected by the email gateway .", "spans": {"System: spear-phishing email": [[22, 42]], "Malware: RAR": [[67, 70]], "System: email gateway": [[113, 126]]}, "info": {"id": "dnrti_train_001752", "source": "dnrti_train"}} {"text": "The first sample being captured was in April 2018 and since then we observed a lot more related ones .", "spans": {}, "info": {"id": "dnrti_train_001753", "source": "dnrti_train"}} {"text": "After performing investigations on the classified victims , we found that the attacker targets big companies and government agencies in Colombia .", "spans": {"Organization: government agencies": [[113, 132]]}, "info": {"id": "dnrti_train_001754", "source": "dnrti_train"}} {"text": "After monitoring and correlating the APT attack , 360 Threat Intelligence Center discovered multiple related emails to attack Colombian government agencies , financial institutions and large enterprises .", "spans": {"Organization: 360 Threat Intelligence Center": [[50, 80]], "System: 
emails": [[109, 115]], "Organization: government agencies": [[136, 155]], "Organization: financial institutions": [[158, 180]]}, "info": {"id": "dnrti_train_001755", "source": "dnrti_train"}} {"text": "The oldest sample we've seen up to now is from November 2013 .", "spans": {}, "info": {"id": "dnrti_train_001756", "source": "dnrti_train"}} {"text": "One of the top targets is the Japan Pension Service , but the list of targeted industries includes government and government agencies , local governments , public interest groups , universities , banks , financial services , energy and so on .", "spans": {"Organization: Pension Service": [[36, 51]]}, "info": {"id": "dnrti_train_001757", "source": "dnrti_train"}} {"text": "However , the attack is different in two respects : unlike other APTs , the main focus of Blue Termite is to attack Japanese organizations ; and most of their C2s are located in Japan .", "spans": {"Malware: Blue Termite": [[90, 102]]}, "info": {"id": "dnrti_train_001758", "source": "dnrti_train"}} {"text": "Originally , the main infection vector of Blue Termite was spear-phishing emails .", "spans": {"Malware: Blue Termite": [[42, 54]], "System: spear-phishing emails": [[59, 80]]}, "info": {"id": "dnrti_train_001759", "source": "dnrti_train"}} {"text": "Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: flash exploit": [[96, 109]], "Vulnerability: CVE-2015-5119": [[112, 125]]}, "info": {"id": "dnrti_train_001760", "source": "dnrti_train"}} {"text": "Kaspersky Lab also found some watering hole attacks , including one on a website belonging to a prominent member of the Japanese government .", "spans": {"Organization: Kaspersky Lab": [[0, 13]]}, "info": {"id": "dnrti_train_001761", "source": "dnrti_train"}} {"text": "In early July 2015 , however , Kaspersky 
Lab found a sample that creates a decryption key with Salt1 , Salt2 , and Salt3 .", "spans": {"Organization: Kaspersky Lab": [[31, 44]]}, "info": {"id": "dnrti_train_001762", "source": "dnrti_train"}} {"text": "From early June , when the cyber-attack on the Japan Pension Service started to be reported widely , various Japanese organizations would have started to deploy protection measures .", "spans": {"Organization: Pension Service": [[53, 68]]}, "info": {"id": "dnrti_train_001763", "source": "dnrti_train"}} {"text": "It employs AES in addition to SID tricks , making it difficult to decrypt sensitive data .", "spans": {"Malware: AES": [[11, 14]], "Malware: SID": [[30, 33]]}, "info": {"id": "dnrti_train_001764", "source": "dnrti_train"}} {"text": "In order to fight back against this cyber-espionage , Kaspersky Lab will continue its research .", "spans": {"Organization: Kaspersky Lab": [[54, 67]]}, "info": {"id": "dnrti_train_001765", "source": "dnrti_train"}} {"text": "Bookworm 's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42 .", "spans": {"Malware: Bookworm": [[0, 8]], "Malware: PlugX": [[56, 61]], "Organization: Unit 42": [[145, 152]]}, "info": {"id": "dnrti_train_001766", "source": "dnrti_train"}} {"text": "Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents .", "spans": {"Malware: Bookworm": [[0, 8]]}, "info": {"id": "dnrti_train_001767", "source": "dnrti_train"}} {"text": "The Plead malware is a backdoor which , according to Trend Micro , is used by the BlackTech group in targeted attacks .", "spans": {"Malware: Plead malware": [[4, 17]], "Malware: backdoor": [[23, 31]], "Organization: Trend Micro": [[53, 64]]}, "info": {"id": "dnrti_train_001768", "source": "dnrti_train"}} {"text": "So far , it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in 
Thailand .", "spans": {"Malware: Bookworm Trojan": [[52, 67]]}, "info": {"id": "dnrti_train_001769", "source": "dnrti_train"}} {"text": "The threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application .", "spans": {"Malware: Smart Installer Maker": [[60, 81]], "Malware: self-extracting RAR": [[111, 130]], "Malware: decoy slideshow": [[159, 174]], "Malware: Flash installation application": [[178, 208]]}, "info": {"id": "dnrti_train_001770", "source": "dnrti_train"}} {"text": "The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": {"Malware: self-extracting RAR": [[4, 23]], "Malware: Loader.dll": [[85, 95]], "Malware: readme.txt": [[113, 123]]}, "info": {"id": "dnrti_train_001771", "source": "dnrti_train"}} {"text": "targeted attacks .", "spans": {}, "info": {"id": "dnrti_train_001772", "source": "dnrti_train"}} {"text": "Using XREFs during static analysis is a common technique to quickly find where functions of interest are called .", "spans": {"Malware: XREFs": [[6, 11]]}, "info": {"id": "dnrti_train_001773", "source": "dnrti_train"}} {"text": "The developers designed Bookworm to be a modular Trojan not limited to just the initial architecture of the Trojan , as Bookworm can also load additional modules provided by the C2 server .", "spans": {"Malware: Bookworm": [[24, 32], [120, 128]], "Malware: modular Trojan": [[41, 55]]}, "info": {"id": "dnrti_train_001774", "source": "dnrti_train"}} {"text": "Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its 
C2 server .", "spans": {"Malware: Bookworm": [[27, 35], [83, 91]], "Malware: Leader": [[246, 252]]}, "info": {"id": "dnrti_train_001775", "source": "dnrti_train"}} {"text": "While we did not discuss the surrounding attacks using Bookworm in detail , we have observed threat actors deploying Bookworm primarily in attacks on targets in Thailand .", "spans": {"Malware: Bookworm": [[55, 63], [117, 125]]}, "info": {"id": "dnrti_train_001776", "source": "dnrti_train"}} {"text": "Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server .", "spans": {"Malware: Bookworm": [[7, 15]]}, "info": {"id": "dnrti_train_001777", "source": "dnrti_train"}} {"text": "The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server .", "spans": {"Malware: Bookworm": [[18, 26]]}, "info": {"id": "dnrti_train_001778", "source": "dnrti_train"}} {"text": "Unit 42 recently published a blog on a newly identified Trojan called Bookworm , which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors' campaigns .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Bookworm": [[70, 78]]}, "info": {"id": "dnrti_train_001779", "source": "dnrti_train"}} {"text": "Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": {"Malware: Leader": [[0, 6]], "Malware: Bookworm": [[10, 18]], "Malware: DLLs": [[114, 118]]}, "info": {"id": "dnrti_train_001780", "source": "dnrti_train"}} {"text": "The developers of Bookworm use these modules in a rather unique way , as the other embedded DLLs provide API functions for Leader to carry out its tasks .", "spans": {"Malware: Bookworm": [[18, 26]], "Malware: Leader": [[123, 129]]}, "info": {"id": 
"dnrti_train_001781", "source": "dnrti_train"}} {"text": "Unit 42 does not have detailed targeting information for all known Bookworm samples , but we are aware of attempted attacks on at least two branches of government in Thailand .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Bookworm samples": [[67, 83]]}, "info": {"id": "dnrti_train_001782", "source": "dnrti_train"}} {"text": "We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoy documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": {"Malware: Bookworm": [[43, 51]], "Malware: decoy documents": [[138, 153]], "Malware: dynamic DNS domain": [[182, 200]]}, "info": {"id": "dnrti_train_001783", "source": "dnrti_train"}} {"text": "We believe that it is likely threat actors will continue developing Bookworm , and will continue to use it for the foreseeable future .", "spans": {"Malware: Bookworm": [[68, 76]]}, "info": {"id": "dnrti_train_001784", "source": "dnrti_train"}} {"text": "Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand .", "spans": {"Malware: Bookworm": [[29, 37]]}, "info": {"id": "dnrti_train_001785", "source": "dnrti_train"}} {"text": "Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand .", "spans": {"Malware: Bookworm C2 servers": [[56, 75]]}, "info": {"id": "dnrti_train_001786", "source": "dnrti_train"}} {"text": "As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code .", "spans": {"Malware: Bookworm": [[37, 45]], "Malware: Trojan": [[52, 58]]}, "info": {"id": "dnrti_train_001787", "source": "dnrti_train"}}
{"text": "We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan .", "spans": {"Malware: date code": [[43, 52]]}, "info": {"id": "dnrti_train_001788", "source": "dnrti_train"}} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"Malware: date string hardcoded": [[26, 47]], "Malware: Bookworm sample": [[58, 73]]}, "info": {"id": "dnrti_train_001789", "source": "dnrti_train"}} {"text": "A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan with which they are interacting .", "spans": {}, "info": {"id": "dnrti_train_001790", "source": "dnrti_train"}} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"Malware: date string": [[35, 46]], "Malware: date codes": [[64, 74]], "Malware: Bookworm": [[120, 128]]}, "info": {"id": "dnrti_train_001791", "source": "dnrti_train"}} {"text": "We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack for which we did not have detailed targeting information .", "spans": {"Malware: Bookworm samples": [[16, 32]]}, "info": {"id": "dnrti_train_001792", "source": "dnrti_train"}} {"text": "Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": {"Malware: decoy slideshow": [[8, 23]]}, "info": {"id": "dnrti_train_001793", "source": "dnrti_train"}} {"text": "The campaign code \" 20150920 \" is associated with this decoy , which is a week prior to media articles announcing that the Crown Prince of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event .", "spans": {}, "info": {"id": "dnrti_train_001794", 
"source": "dnrti_train"}} {"text": "Chitpas is heavily involved with Thailand politics and was a core leader of the People's Committee for Absolute Democracy ( PCAD ) , which is an organization that staged anti-government campaigns in 2013 and 2014 .", "spans": {}, "info": {"id": "dnrti_train_001795", "source": "dnrti_train"}} {"text": "The final remaining known decoy includes photos of Chitpas Tant Kridakon ( Figure 7 ) , who is known as heiress to the largest brewery in Thailand .", "spans": {"Malware: decoy": [[26, 31]], "Malware: Chitpas Tant Kridakon": [[51, 72]]}, "info": {"id": "dnrti_train_001796", "source": "dnrti_train"}} {"text": "These images were associated with the Bookworm campaign code \" 20150905 \" .", "spans": {}, "info": {"id": "dnrti_train_001797", "source": "dnrti_train"}} {"text": "Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP addresses existed within autonomous systems ( ASN ) located in Thailand .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Bookworm": [[52, 60]]}, "info": {"id": "dnrti_train_001798", "source": "dnrti_train"}} {"text": "The pie chart in Figure 8 shows that the vast majority ( 73% ) of the hosts are geographically located in Thailand , which matches the known targeting of this threat group .", "spans": {}, "info": {"id": "dnrti_train_001799", "source": "dnrti_train"}} {"text": "We believe that the IP addresses from Canada , Russia and Norway are analysis systems of antivirus companies or security researchers .", "spans": {"Organization: antivirus companies": [[89, 108]]}, "info": {"id": "dnrti_train_001800", "source": "dnrti_train"}} {"text": "Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": {"Malware: Bookworm": [[14, 22]], "Malware: FFRAT": [[131, 136]], "Malware: Poison Ivy": [[139, 149]], "Malware: PlugX": [[152, 
157]]}, "info": {"id": "dnrti_train_001801", "source": "dnrti_train"}} {"text": "Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": {"Malware: Bookworm": [[14, 22]], "Malware: FFRAT": [[131, 136]], "Malware: Poison Ivy": [[139, 149]], "Malware: PlugX": [[152, 157]]}, "info": {"id": "dnrti_train_001802", "source": "dnrti_train"}} {"text": "Unit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected entities to its current attack campaign .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Bookworm": [[56, 64]]}, "info": {"id": "dnrti_train_001803", "source": "dnrti_train"}} {"text": "Threat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan since July 2015 .", "spans": {"Malware: Bookworm Trojan": [[90, 105]]}, "info": {"id": "dnrti_train_001804", "source": "dnrti_train"}} {"text": "The actors appear to follow a set playbook , as the observed TTPs are fairly static within each attack in this campaign .", "spans": {}, "info": {"id": "dnrti_train_001805", "source": "dnrti_train"}} {"text": "So far , Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT , PlugX , Poison Ivy and Scieron Trojans , suggesting that the threat actors use these tools as the payload in their attacks .", "spans": {"Organization: Unit 42": [[9, 16]], "Malware: FFRAT": [[101, 106]], "Malware: PlugX": [[109, 114]], "Malware: Poison Ivy": [[117, 127]], "Malware: Scieron Trojans": [[132, 147]]}, "info": {"id": "dnrti_train_001806", "source": "dnrti_train"}} {"text": "The threat actors have continually used Flash Player installers and Flash slideshows for decoys .", "spans": {"Malware: Flash Player installers": [[40, 63]], "Malware: Flash slideshows": [[68, 84]]}, "info": {"id": "dnrti_train_001807", "source": 
"dnrti_train"}} {"text": "The vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan area where a majority of the government of Thailand exists .", "spans": {"Malware: Bookworm": [[48, 56]]}, "info": {"id": "dnrti_train_001808", "source": "dnrti_train"}} {"text": "Buhtrap has been active since 2014 , however their first attacks against financial institutions were only detected in August 2015 .", "spans": {"Organization: Buhtrap": [[0, 7]], "Organization: financial institutions": [[73, 95]]}, "info": {"id": "dnrti_train_001809", "source": "dnrti_train"}} {"text": "At the moment , the group is known to target Russian and Ukrainian banks .", "spans": {}, "info": {"id": "dnrti_train_001810", "source": "dnrti_train"}} {"text": "Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network .", "spans": {"Organization: Buhtrap": [[0, 7]], "System: network worm": [[42, 54]]}, "info": {"id": "dnrti_train_001811", "source": "dnrti_train"}} {"text": "Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) .", "spans": {}, "info": {"id": "dnrti_train_001812", "source": "dnrti_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"Malware: document": [[7, 15]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Vulnerability: CVE-2013-3906": [[80, 93]], "Vulnerability: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_train_001813", "source": "dnrti_train"}} {"text": "We noticed that criminals were spreading Buhtrap using this method from May 2015 to August 2015 .", "spans": {"Organization: Buhtrap": [[41, 48]]}, "info": {"id": "dnrti_train_001814", "source": 
"dnrti_train"}} {"text": "It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan .", "spans": {"Malware: compromised websites": [[48, 68]], "Malware: Buhtrap": [[79, 86]], "Malware: Corkow Trojan": [[123, 136]]}, "info": {"id": "dnrti_train_001815", "source": "dnrti_train"}} {"text": "Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": {"Vulnerability: kit Niteris": [[38, 49]], "Malware: Corkow": [[65, 71]]}, "info": {"id": "dnrti_train_001816", "source": "dnrti_train"}} {"text": "Purportedly during one of the first attacks hackers intercepted the mailing list of the Anti-drop \" club and created a specific phishing email for its members .", "spans": {"System: phishing email": [[128, 142]]}, "info": {"id": "dnrti_train_001817", "source": "dnrti_train"}} {"text": "However , it is still widely used , notably in Russia .", "spans": {}, "info": {"id": "dnrti_train_001818", "source": "dnrti_train"}} {"text": "As noted in our previous blog on Buhtrap , this gang has been actively targeting Russian businesses , mostly through spear-phishing .", "spans": {"System: spear-phishing": [[117, 131]]}, "info": {"id": "dnrti_train_001819", "source": "dnrti_train"}} {"text": "It is thus interesting to see Buhtrap add strategic web compromises to their arsenal .", "spans": {"System: strategic web compromises": [[42, 67]]}, "info": {"id": "dnrti_train_001820", "source": "dnrti_train"}} {"text": "The first malware we saw was the lurk downloader , which was distributed on October 26th .", "spans": {"Malware: lurk downloader": [[33, 48]]}, "info": {"id": "dnrti_train_001821", "source": "dnrti_train"}} {"text": "The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": {"Malware: AmmyyService.exe": [[97, 113]], "Malware: AmmyySvc.exe": [[117, 
129]]}, "info": {"id": "dnrti_train_001822", "source": "dnrti_train"}} {"text": "Buhtrap is getting better at disguising the code they inject into compromised websites .", "spans": {"Organization: Buhtrap": [[0, 7]], "Malware: compromised websites": [[66, 86]]}, "info": {"id": "dnrti_train_001823", "source": "dnrti_train"}} {"text": "With the recent arrests of actors using the Lurk banking trojan , Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software .", "spans": {"Malware: Lurk banking trojan": [[44, 63]]}, "info": {"id": "dnrti_train_001824", "source": "dnrti_train"}} {"text": "They have different functions and ways of spreading , but the same purpose — to steal money from the accounts of businesses .", "spans": {}, "info": {"id": "dnrti_train_001825", "source": "dnrti_train"}} {"text": "Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": {"Malware: SMBs": [[68, 72]], "Organization: accountants": [[110, 121]]}, "info": {"id": "dnrti_train_001826", "source": "dnrti_train"}} {"text": "The first encounter with Buhtrap was registered back in 2014 .", "spans": {}, "info": {"id": "dnrti_train_001827", "source": "dnrti_train"}} {"text": "For now , we can call RTM one of the most active financial Trojans .", "spans": {"Malware: RTM": [[22, 25]]}, "info": {"id": "dnrti_train_001828", "source": "dnrti_train"}} {"text": "At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit .", "spans": {"Organization: financial establishments": [[91, 115]]}, "info": {"id": "dnrti_train_001829", "source": "dnrti_train"}} {"text": "Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign , where it served primarily as means of malware delivery .", "spans": {}, "info": {"id": "dnrti_train_001830", "source": "dnrti_train"}} {"text": "After the source 
codes of their tools became public in 2016 , the name Buhtrap was used for the financial Trojan .", "spans": {"Malware: financial Trojan": [[96, 112]]}, "info": {"id": "dnrti_train_001831", "source": "dnrti_train"}} {"text": "Just like last time , Buhtrap is spreading through exploits embedded in news outlets .", "spans": {}, "info": {"id": "dnrti_train_001832", "source": "dnrti_train"}} {"text": "Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each .", "spans": {}, "info": {"id": "dnrti_train_001833", "source": "dnrti_train"}} {"text": "As explained later , we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses .", "spans": {"Organization: accounting departments": [[91, 113]]}, "info": {"id": "dnrti_train_001834", "source": "dnrti_train"}} {"text": "\" Buhgalter \" means \" accountant \" in Russian .", "spans": {}, "info": {"id": "dnrti_train_001835", "source": "dnrti_train"}} {"text": "Seeing a campaign like this , inevitably the Anunak/Carbanak documented by Fox-IT and Kaspersky comes to mind .", "spans": {"Malware: Anunak/Carbanak": [[45, 60]], "Organization: Fox-IT": [[75, 81]], "Organization: Kaspersky": [[86, 95]]}, "info": {"id": "dnrti_train_001836", "source": "dnrti_train"}} {"text": "The infection vector is similar , it uses a similar modified mimikatz application , and it uses a third-party remote access tool , changes system settings to allow concurrent RDP sessions , and so on .", "spans": {"Malware: mimikatz": [[61, 69]], "Malware: third-party remote access tool": [[98, 128]], "Malware: RDP": [[175, 178]]}, "info": {"id": "dnrti_train_001837", "source": "dnrti_train"}} {"text": "The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": {"Malware: kontrakt87.doc": [[28, 42]], "Organization: 
MegaFon": [[105, 112]], "Organization: mobile phone operator": [[131, 152]]}, "info": {"id": "dnrti_train_001838", "source": "dnrti_train"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"Malware: Careto": [[59, 65]]}, "info": {"id": "dnrti_train_001839", "source": "dnrti_train"}} {"text": "Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": {"Malware: Careto": [[0, 6]], "System: spear-phishing e-mails": [[48, 70]]}, "info": {"id": "dnrti_train_001840", "source": "dnrti_train"}} {"text": "Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": {"Malware: sub-domains": [[30, 41]]}, "info": {"id": "dnrti_train_001841", "source": "dnrti_train"}} {"text": "These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post .", "spans": {"Organization: Washington Post": [[127, 142]]}, "info": {"id": "dnrti_train_001842", "source": "dnrti_train"}} {"text": "The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": {"Vulnerability: CVE-2012-0773": [[4, 17]]}, "info": {"id": "dnrti_train_001843", "source": "dnrti_train"}} {"text": "In other words , the attackers attracted our attention by attempting to exploit Kaspersky Lab products .", "spans": {"Malware: Kaspersky Lab products": [[80, 102]]}, "info": {"id": "dnrti_train_001844", "source": "dnrti_train"}} {"text": "We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": {"Malware: Careto": [[29, 35]]}, "info": {"id": "dnrti_train_001845", "source": "dnrti_train"}} {"text": "Most modules were created in 2012 .", "spans": {}, "info": {"id": "dnrti_train_001846", "source": 
"dnrti_train"}} {"text": "The attackers began taking them offline in January 2014 .", "spans": {}, "info": {"id": "dnrti_train_001847", "source": "dnrti_train"}} {"text": "Last week we discussed Numbered Panda , a group that is also based out of China and is fairly well known to the security community , though by many names .", "spans": {"Organization: Numbered Panda": [[23, 37]], "Organization: security community": [[112, 130]]}, "info": {"id": "dnrti_train_001848", "source": "dnrti_train"}} {"text": "We revealed a Chinese-based adversary we crypt as Anchor Panda , a group with very specific tactics , techniques , and procedures ( TTPs ) and a keen interest in maritime operations and naval and aerospace technology .", "spans": {"Organization: Anchor Panda": [[50, 62]]}, "info": {"id": "dnrti_train_001849", "source": "dnrti_train"}} {"text": "The campaign was active until January 2014 , but during our investigations the C&C servers were shut down .", "spans": {}, "info": {"id": "dnrti_train_001850", "source": "dnrti_train"}} {"text": "This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran .", "spans": {}, "info": {"id": "dnrti_train_001851", "source": "dnrti_train"}} {"text": "Clever Kitten has moved to leveraging strategic web compromises .", "spans": {"Organization: Clever Kitten": [[0, 13]], "System: strategic web compromises": [[38, 63]]}, "info": {"id": "dnrti_train_001852", "source": "dnrti_train"}} {"text": "Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": {"Organization: Clever Kitten": [[0, 13]], "Organization: individual": [[179, 189]]}, "info": {"id": "dnrti_train_001853", "source": "dnrti_train"}} {"text": "Clever Kitten primarily targets global companies with 
strategic importance to countries that are contrary to Iranian interests .", "spans": {"Organization: Clever Kitten": [[0, 13]]}, "info": {"id": "dnrti_train_001854", "source": "dnrti_train"}} {"text": "A Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance .", "spans": {"Organization: Clever Kitten": [[2, 15]], "Malware: web vulnerability scanner": [[48, 73]]}, "info": {"id": "dnrti_train_001855", "source": "dnrti_train"}} {"text": "The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": {"Malware: Acunetix Web Vulnerability Scanner": [[34, 68]]}, "info": {"id": "dnrti_train_001856", "source": "dnrti_train"}} {"text": "Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "dnrti_train_001857", "source": "dnrti_train"}} {"text": "The reason for this is likely the availability of exploits against web browsers , which for a variety of reasons allows an attacker to bypass security features such as Data Execution Prevention ( DEP ) or Address Space Layout Randomization ( ASLR ) .", "spans": {}, "info": {"id": "dnrti_train_001858", "source": "dnrti_train"}} {"text": "Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "dnrti_train_001859", "source": "dnrti_train"}} {"text": "In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection .", "spans": {}, "info": {"id": "dnrti_train_001860", "source": "dnrti_train"}} {"text": "This activity is a longer tail for the actor than a spearphish ; this is likely based on the Clever Kitten background , which may be focused on web development/application testing 
.", "spans": {"System: spearphish": [[52, 62]]}, "info": {"id": "dnrti_train_001861", "source": "dnrti_train"}} {"text": "Without going too deep into the rabbit hole , there are several indicators pointing to an Iranian nexus , including language artifacts in the tool-marks used by the attacker , as well as network activity tying this actor to a very specific location that we have high confidence in not being spoofed .", "spans": {}, "info": {"id": "dnrti_train_001862", "source": "dnrti_train"}} {"text": "Clever Kitten 's goal is to eventually be able to masquerade as a legitimate user by compromising credentials either through a pass-the-hash attack , or by dumping password hashes from a compromised host .", "spans": {"Organization: Clever Kitten": [[0, 13]]}, "info": {"id": "dnrti_train_001863", "source": "dnrti_train"}} {"text": "The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries are also targeted .", "spans": {"Organization: Arab": [[86, 90]], "Organization: Emirates": [[91, 99]]}, "info": {"id": "dnrti_train_001864", "source": "dnrti_train"}} {"text": "There are new TTPs used in this attack – for example Agent_Drable is leveraging the Django python framework for command and control infrastructure , the technical details of which are outlined later in the blog .", "spans": {"Malware: Django": [[84, 90]]}, "info": {"id": "dnrti_train_001865", "source": "dnrti_train"}} {"text": "n summary , Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities , compelling lure documents , and previously unknown implants .", "spans": {"Malware: DNS tunneling": [[79, 92]]}, "info": {"id": "dnrti_train_001866", "source": "dnrti_train"}} {"text": "Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located 
the Linux backdoor .", "spans": {"Organization: Linux computers": [[93, 108]]}, "info": {"id": "dnrti_train_001867", "source": "dnrti_train"}} {"text": "The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted .", "spans": {"Organization: Arab Emirates": [[86, 99]]}, "info": {"id": "dnrti_train_001868", "source": "dnrti_train"}} {"text": "The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": {"Malware: decoy documents": [[4, 19]], "Vulnerability: InPage exploits": [[32, 47]]}, "info": {"id": "dnrti_train_001869", "source": "dnrti_train"}} {"text": "The use of InPage as an attack vector is not commonly seen , with the only previously noted attacks being documented by Kaspersky in late 2016 .", "spans": {"Malware: InPage": [[11, 17]], "Organization: Kaspersky": [[120, 129]]}, "info": {"id": "dnrti_train_001870", "source": "dnrti_train"}} {"text": "The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": {"Malware: decoy documents": [[4, 19]]}, "info": {"id": "dnrti_train_001871", "source": "dnrti_train"}} {"text": "While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": {"Malware: InPage software": [[40, 55]], "Organization: Unit42": [[110, 116]], "Vulnerability: InPage exploits": [[139, 154]], "Organization: Kaspersky": [[250, 259]]}, "info": {"id": "dnrti_train_001872", "source": "dnrti_train"}} {"text": "Confucius targeted a particular set of 
individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": {"Organization: military personnel": [[86, 104]], "Organization: businessmen": [[109, 120]]}, "info": {"id": "dnrti_train_001873", "source": "dnrti_train"}} {"text": "Tweety Chat 's Android version can record audio , too .", "spans": {"Malware: Tweety Chat": [[0, 11]]}, "info": {"id": "dnrti_train_001874", "source": "dnrti_train"}} {"text": "Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's .", "spans": {"Organization: Patchwork": [[171, 180]]}, "info": {"id": "dnrti_train_001875", "source": "dnrti_train"}} {"text": "Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"Organization: Patchwork": [[12, 21]], "Vulnerability: CVE-2015-1641": [[191, 204]], "Vulnerability: CVE-2017-11882": [[209, 223]]}, "info": {"id": "dnrti_train_001876", "source": "dnrti_train"}} {"text": "Back in February , we noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": {"Organization: Patchwork": [[57, 66]], "Organization: Confucius groups": [[71, 87]]}, "info": {"id": "dnrti_train_001877", "source": "dnrti_train"}} {"text": "Back in February , Trend Micro noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": {"Organization: Trend Micro": [[19, 30]], "Organization: Patchwork": [[66, 75]], "Organization: Confucius groups": [[80, 96]]}, "info": {"id": 
"dnrti_train_001878", "source": "dnrti_train"}} {"text": "One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files .", "spans": {"Malware: swissknife2": [[27, 38]]}, "info": {"id": "dnrti_train_001879", "source": "dnrti_train"}} {"text": "During the months that followed in which we tracked Confucius' activities , we found that they were still aiming for Pakistani targets .", "spans": {}, "info": {"id": "dnrti_train_001880", "source": "dnrti_train"}} {"text": "During their previous campaign , we found Confucius using fake romance websites to entice victims into installing malicious Android applications .", "spans": {}, "info": {"id": "dnrti_train_001881", "source": "dnrti_train"}} {"text": "Periodically , the malware tries to contact the Command-and-Control ( C&C ) server with the username encoded into parameters .", "spans": {"Malware: Command-and-Control": [[48, 67]]}, "info": {"id": "dnrti_train_001882", "source": "dnrti_train"}} {"text": "This function is similar to the various versions of backdoors ( such as sctrls and sip_telephone ) that we analyzed in our previous blog post and whitepaper .", "spans": {"Malware: sctrls": [[72, 78]], "Malware: sip_telephone": [[83, 96]]}, "info": {"id": "dnrti_train_001883", "source": "dnrti_train"}} {"text": "This algorithm was previously discussed by security researchers in a Confucius-related blog post .", "spans": {}, "info": {"id": "dnrti_train_001884", "source": "dnrti_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Organization: Patchwork": [[9, 18]], "Malware: RTF files": [[45, 54]], "Vulnerability: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_train_001885", "source": "dnrti_train"}} {"text": "The group still uses the Badnews malware , a backdoor with information-stealing and file-executing capabilities , albeit updated with a slight modification in the encryption routine at the end of 2017 , 
when they added Blowfish encryption on top of their custom encryption described in our former Patchwork blogpost .", "spans": {"Malware: Badnews malware": [[25, 40]], "Organization: Patchwork": [[297, 306]]}, "info": {"id": "dnrti_train_001886", "source": "dnrti_train"}} {"text": "Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective .", "spans": {"Organization: Confucius": [[19, 28]], "Organization: Patchwork": [[33, 42]]}, "info": {"id": "dnrti_train_001887", "source": "dnrti_train"}} {"text": "The reality is that IT departments of small to large-sized organizations are not equipped to handle the more advanced threats that groups like Confucius use in their attacks .", "spans": {"Organization: IT departments": [[20, 34]]}, "info": {"id": "dnrti_train_001888", "source": "dnrti_train"}} {"text": "Patchwork uses email as an entry point , which is why securing the email gateway is important .", "spans": {"Organization: Patchwork": [[0, 9]], "System: email": [[15, 20]], "System: email gateway": [[67, 80]]}, "info": {"id": "dnrti_train_001889", "source": "dnrti_train"}} {"text": "This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites , their connections to each other , and their connections to known espionage campaigns .", "spans": {}, "info": {"id": "dnrti_train_001890", "source": "dnrti_train"}} {"text": "In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address .", "spans": {"System: abusing legitimate web services": [[134, 165]], "System: DNS lookups": [[179, 190]]}, "info": {"id": "dnrti_train_001891", 
"source": "dnrti_train"}} {"text": "In 2013 , Rapid7 reported on a series of relatively amateur attacks against Pakistani targets .", "spans": {"Organization: Rapid7": [[10, 16]]}, "info": {"id": "dnrti_train_001892", "source": "dnrti_train"}} {"text": "The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": {"Malware: CONFUCIUS_A": [[29, 40]], "Malware: SNEEPY": [[159, 165]], "Malware: ByeByeShell": [[172, 183]], "Organization: Rapid7": [[204, 210]]}, "info": {"id": "dnrti_train_001893", "source": "dnrti_train"}} {"text": "At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": {"Malware: CONFUCIUS_B": [[16, 27]], "Malware: CONFUCIUS_A": [[50, 61]], "Malware: SFX binary files": [[100, 116]]}, "info": {"id": "dnrti_train_001894", "source": "dnrti_train"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"Malware: CONFUCIUS_B": [[4, 15]], "Malware: RTLO": [[104, 108]]}, "info": {"id": "dnrti_train_001895", "source": "dnrti_train"}} {"text": "We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": {"Malware: SNEEPY/BYEBYESHELL": [[147, 165]], "Malware: CONFUCIUS_B": [[174, 185]], "Malware: Hangover": [[207, 215]]}, "info": {"id": "dnrti_train_001896", "source": "dnrti_train"}} {"text": "The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": {"Organization: development 
company": [[153, 172]], "Malware: CONFUCIUS_A": [[187, 198]], "Malware: CONFUCIUS_B": [[203, 214]]}, "info": {"id": "dnrti_train_001897", "source": "dnrti_train"}} {"text": "In this blog post , we discussed two separate malware variations that behave in very similar ways and use similar techniques to acquire a C2 address , with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains .", "spans": {}, "info": {"id": "dnrti_train_001898", "source": "dnrti_train"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": {"Malware: Android version": [[4, 19]]}, "info": {"id": "dnrti_train_001899", "source": "dnrti_train"}} {"text": "Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"Malware: Confucius'": [[0, 10]], "Vulnerability: CVE-2015-1641": [[105, 118]], "Vulnerability: CVE-2017-11882": [[123, 137]]}, "info": {"id": "dnrti_train_001900", "source": "dnrti_train"}} {"text": "We dove deeper into Confucius' operations—namely , the malware-ridden documents , backdoors , and file stealers they use in their campaigns .", "spans": {}, "info": {"id": "dnrti_train_001901", "source": "dnrti_train"}} {"text": "The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": {"Malware: sctrls backdoor": [[4, 19]], "System: RTF files": [[52, 61]], "Vulnerability: CVE-2015-1641": [[73, 86]]}, "info": {"id": "dnrti_train_001902", "source": "dnrti_train"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTML Application": [[71, 87]], "Malware: HTA": 
[[90, 93]], "Malware: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_train_001903", "source": "dnrti_train"}} {"text": "In August 2015 a new incident related to the Corkow ( Metel ) Trojan was detected .", "spans": {"Malware: Corkow": [[45, 51]], "Organization: Metel": [[54, 59]]}, "info": {"id": "dnrti_train_001904", "source": "dnrti_train"}} {"text": "Corkow provided remote access to the ITS-Broker system terminal by 《 Platforma soft 》 Ltd , which enabled the fraud to be committed .", "spans": {"Malware: Corkow": [[0, 6]], "System: remote access": [[16, 29]]}, "info": {"id": "dnrti_train_001905", "source": "dnrti_train"}} {"text": "According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": {"Malware: botnet encompassed": [[63, 81]], "Organization: financial institutions": [[156, 178]]}, "info": {"id": "dnrti_train_001906", "source": "dnrti_train"}} {"text": "The interest among hackers in targeting trading systems is expected to grow .", "spans": {}, "info": {"id": "dnrti_train_001907", "source": "dnrti_train"}} {"text": "Russian-speaking hackers are believed to be responsible for these attacks and used the Corkow Trojan .", "spans": {"Malware: Corkow Trojan": [[87, 100]]}, "info": {"id": "dnrti_train_001908", "source": "dnrti_train"}} {"text": "Hackers target primarily companies in Russia and CIS countries , though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011 .", "spans": {"Organization: primarily companies": [[15, 34]]}, "info": {"id": "dnrti_train_001909", "source": "dnrti_train"}} {"text": "One of the first botnets specializing in targeting the trading software called Quik was \" Ranbyus \" , created in 2012 .", "spans": {"Malware: Quik": [[79, 83]], "Malware: Ranbyus": [[90, 97]]}, "info": {"id": "dnrti_train_001910", "source": "dnrti_train"}} 
{"text": "As of the Group-IB investigation of this malware program in March 2015 , Corkow v.7.118.1.1 had not been detected by a single antivirus program .", "spans": {"Organization: Group-IB": [[10, 18]], "Malware: Corkow": [[73, 79]]}, "info": {"id": "dnrti_train_001911", "source": "dnrti_train"}} {"text": "Hackers gained access to a computer in the trading system in September 2014 .", "spans": {}, "info": {"id": "dnrti_train_001912", "source": "dnrti_train"}} {"text": "Starting in December 2014 , the criminal group began running keyloggers in the infected system .", "spans": {"Malware: keyloggers": [[61, 71]]}, "info": {"id": "dnrti_train_001913", "source": "dnrti_train"}} {"text": "To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites .", "spans": {}, "info": {"id": "dnrti_train_001914", "source": "dnrti_train"}} {"text": "Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: mail tracking websites": [[85, 107]], "Malware: news portals": [[110, 122]], "Malware: electronic books": [[125, 141]], "Malware: computer graphics resources": [[144, 171]], "Malware: music portals": [[174, 187]]}, "info": {"id": "dnrti_train_001915", "source": "dnrti_train"}} {"text": "Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": {"Vulnerability: Nitris Exploit Kit": [[27, 45]], "Vulnerability: CottonCastle": [[67, 79]]}, "info": {"id": "dnrti_train_001916", "source": "dnrti_train"}} {"text": "Group-IB Bot-trek TDS sensors are in place at a number of financial institutions and , unfortunately , we register that currently Corkow malware is present on 80% of protected corporate 
systems .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: financial institutions": [[58, 80]], "Malware: Corkow malware": [[130, 144]]}, "info": {"id": "dnrti_train_001917", "source": "dnrti_train"}} {"text": "Considering the Trojan delivery method and through our analysis of infections on banks' networks , we can confirm that all infections were conducted on a random basis .", "spans": {}, "info": {"id": "dnrti_train_001918", "source": "dnrti_train"}} {"text": "According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": {"Malware: Corkow": [[26, 32]], "Organization: users": [[51, 56]]}, "info": {"id": "dnrti_train_001919", "source": "dnrti_train"}} {"text": "Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": {"Malware: Corkow": [[25, 31]]}, "info": {"id": "dnrti_train_001920", "source": "dnrti_train"}} {"text": "Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": {"Malware: Corkow": [[25, 31]]}, "info": {"id": "dnrti_train_001921", "source": "dnrti_train"}} {"text": "Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": {"Vulnerability: Niteris exploit": [[45, 60]]}, "info": {"id": "dnrti_train_001922", "source": "dnrti_train"}} {"text": "In addition to the legitimate AmmyAdmin tool , the hackers used Visconti Backdoor developed based on legitimate RMS ( remote manipulator system ) software .", "spans": {"Malware: AmmyAdmin tool": [[30, 44]], "Malware: Visconti Backdoor": [[64, 81]], "Malware: RMS": [[112, 115]]}, "info": {"id": 
"dnrti_train_001923", "source": "dnrti_train"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"Malware: bot": [[5, 8]]}, "info": {"id": "dnrti_train_001924", "source": "dnrti_train"}} {"text": "To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA .", "spans": {"Malware: keyloggers": [[44, 54]], "Malware: Corkow": [[66, 72]]}, "info": {"id": "dnrti_train_001925", "source": "dnrti_train"}} {"text": "Hackers used the remote access to detect servers of their interest in the internal network .", "spans": {"System: remote access": [[17, 30]]}, "info": {"id": "dnrti_train_001926", "source": "dnrti_train"}} {"text": "In 2015 , the Metel gang began to target banks and financial institutions directly .", "spans": {"Organization: financial institutions": [[51, 73]]}, "info": {"id": "dnrti_train_001927", "source": "dnrti_train"}} {"text": "Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services .", "spans": {"Malware: Metel": [[0, 5]], "Malware: banking Trojan": [[11, 25]], "Organization: Corkow": [[42, 48]]}, "info": {"id": "dnrti_train_001928", "source": "dnrti_train"}} {"text": "After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions .", "spans": {}, "info": {"id": "dnrti_train_001929", "source": "dnrti_train"}} {"text": "With this level of access , the gang has been able to pull off a clever trick by automating the rollback of ATM transactions .", "spans": {"System: rollback of ATM transactions": [[96, 124]]}, "info": {"id": "dnrti_train_001930", "source": 
"dnrti_train"}} {"text": "COVELLITE operates globally with targets primarily in Europe , East Asia , and North America .", "spans": {}, "info": {"id": "dnrti_train_001931", "source": "dnrti_train"}} {"text": "US targets emerged in September 2017 with a small , targeted phishing campaign directed at select U.S. electric companies .", "spans": {"Organization: electric companies": [[103, 121]]}, "info": {"id": "dnrti_train_001932", "source": "dnrti_train"}} {"text": "LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017 .", "spans": {"Organization: Sony Pictures": [[73, 86]]}, "info": {"id": "dnrti_train_001933", "source": "dnrti_train"}} {"text": "Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits .", "spans": {"Malware: COVELLITE malware": [[22, 39]], "Malware: LAZARUS toolkits": [[74, 90]]}, "info": {"id": "dnrti_train_001934", "source": "dnrti_train"}} {"text": "COVELLITE remains active but appears to have abandoned North American targets , with indications of activity in Europe and East Asia .", "spans": {}, "info": {"id": "dnrti_train_001935", "source": "dnrti_train"}} {"text": "Given the group 's specific interest in infrastructure operations , rapidly improving capabilities , and history of aggressive targeting , Dragos considers this group a primary threat to the ICS industry .", "spans": {"Organization: Dragos": [[139, 145]]}, "info": {"id": "dnrti_train_001936", "source": "dnrti_train"}} {"text": "Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {"System: phishing email": [[216, 230]]}, "info": {"id": "dnrti_train_001937", "source": "dnrti_train"}} {"text": "Lookout researchers have discovered a new mobile 
surveillanceware family , FrozenCell .", "spans": {"Organization: Lookout": [[0, 7]], "Malware: FrozenCell": [[75, 85]]}, "info": {"id": "dnrti_train_001938", "source": "dnrti_train"}} {"text": "The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"Organization: employees": [[31, 40]], "Organization: government agencies": [[64, 83]], "Organization: students": [[118, 126]], "Organization: Fatah political party": [[159, 180]]}, "info": {"id": "dnrti_train_001939", "source": "dnrti_train"}} {"text": "Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {"System: phishing email": [[229, 243]]}, "info": {"id": "dnrti_train_001940", "source": "dnrti_train"}} {"text": "FrozenCell is the mobile component of a multi-platform attack we've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 \" , use to spy on victims through compromised mobile devices and desktops .", "spans": {"Malware: FrozenCell": [[0, 10]], "Organization: Scorpion/APT-C-23": [[110, 127]]}, "info": {"id": "dnrti_train_001941", "source": "dnrti_train"}} {"text": "This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector .", "spans": {"Malware: mobile device": [[80, 93]]}, "info": {"id": "dnrti_train_001942", "source": "dnrti_train"}} {"text": "Desert Falcons is keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": {"Organization: Desert Falcons": [[0, 14]], "System: 
phishing": [[113, 121]]}, "info": {"id": "dnrti_train_001943", "source": "dnrti_train"}} {"text": "FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": {"Malware: FrozenCell masquerades": [[0, 22]], "Organization: Facebook": [[65, 73]], "Organization: WhatsApp": [[76, 84]], "Organization: Messenger": [[87, 96]], "Organization: LINE": [[99, 103]], "Organization: LoveChat": [[110, 118]]}, "info": {"id": "dnrti_train_001944", "source": "dnrti_train"}} {"text": "For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": {"Malware: FrozenCell": [[32, 42]], "Malware: Tawjihi 2016": [[69, 81]], "Organization: students": [[115, 123]]}, "info": {"id": "dnrti_train_001945", "source": "dnrti_train"}} {"text": "It appears the Desert Falcons sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": {"Organization: Desert Falcons": [[15, 29]], "Organization: National Liberation Front": [[279, 304]]}, "info": {"id": "dnrti_train_001946", "source": "dnrti_train"}} {"text": "The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": {"Organization: government agencies": [[105, 124]], "Organization: Fatah political party": [[133, 154]]}, "info": {"id": "dnrti_train_001947", "source": "dnrti_train"}} {"text": "We believe that this is a new variant of VAMP , indicating that the threat actors behind APT-C-23 are still active and continuously improving their product .", "spans": {"Malware: VAMP": [[41, 45]], 
"Organization: APT-C-23": [[89, 97]]}, "info": {"id": "dnrti_train_001948", "source": "dnrti_train"}} {"text": "VAMP targeted various types of data from the phones of victims : images , text messages , contacts , and call history , among others .", "spans": {"Malware: VAMP": [[0, 4]]}, "info": {"id": "dnrti_train_001949", "source": "dnrti_train"}} {"text": "Recently , Trend Micro researchers came across a new mobile malware family which we have called GnatSpy .", "spans": {"Organization: Trend Micro": [[11, 22]], "Malware: GnatSpy": [[96, 103]]}, "info": {"id": "dnrti_train_001950", "source": "dnrti_train"}} {"text": "On Nov. 27 , 2018 , Cisco 's Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed DNSpionage .", "spans": {"Organization: Cisco 's Talos": [[20, 34]]}, "info": {"id": "dnrti_train_001951", "source": "dnrti_train"}} {"text": "Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers .", "spans": {"Organization: Talos": [[0, 5]], "System: email": [[252, 257]], "Malware: VPN": [[291, 294]]}, "info": {"id": "dnrti_train_001952", "source": "dnrti_train"}} {"text": "Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text .", "spans": {"Organization: Talos": [[0, 5]], "System: DNS hijacks": [[26, 37]]}, "info": {"id": "dnrti_train_001953", "source": "dnrti_train"}} {"text": "That changed on Jan. 
25 , 2019 , when security firm CrowdStrike published a blog post listing virtually every Internet address known to be ( ab )used by the espionage campaign to date .", "spans": {"Organization: security firm": [[38, 51]], "Organization: CrowdStrike": [[52, 63]]}, "info": {"id": "dnrti_train_001954", "source": "dnrti_train"}} {"text": "Working backwards from each Internet address , I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies , including targets in Albania , Cyprus , Egypt , Iraq , Jordan , Kuwait , Lebanon , Libya , Saudi Arabia and the United Arab Emirates .", "spans": {"Organization: companies": [[226, 235]], "Organization: government agencies": [[240, 259]]}, "info": {"id": "dnrti_train_001955", "source": "dnrti_train"}} {"text": "PCH is a nonprofit entity based in northern California that also manages significant amounts of the world 's DNS infrastructure , particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage .", "spans": {}, "info": {"id": "dnrti_train_001956", "source": "dnrti_train"}} {"text": "This APT group usually carries out target attacks against government agencies to steal sensitive information .", "spans": {"Organization: government agencies": [[58, 77]]}, "info": {"id": "dnrti_train_001957", "source": "dnrti_train"}} {"text": "In addition to spreading malware via spear fishing email with Office attachment containing either vulnerability or malicious macro , this group is particularly good at leveraging malicious Android APKs in the target attacks .", "spans": {"System: spear fishing email": [[37, 56]], "System: Office attachment": [[62, 79]], "Malware: Android APKs": [[189, 201]]}, "info": {"id": "dnrti_train_001958", "source": "dnrti_train"}} {"text": "We named the actor DustSquad and have provided private 
intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware .", "spans": {"Organization: DustSquad": [[19, 28]], "Malware: Windows malware": [[149, 164]]}, "info": {"id": "dnrti_train_001959", "source": "dnrti_train"}} {"text": "In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities .", "spans": {"Malware: Octopus": [[65, 72]], "Organization: diplomatic entities": [[93, 112]]}, "info": {"id": "dnrti_train_001960", "source": "dnrti_train"}} {"text": "We also started monitoring the malware and , using Kaspersky Attribution Engine based on similarity algorithms , discovered that Octopus is related to DustSquad , something we reported in April 2018 .", "spans": {"Organization: Kaspersky": [[51, 60]], "Malware: Octopus": [[129, 136]]}, "info": {"id": "dnrti_train_001961", "source": "dnrti_train"}} {"text": "From early 2014 until December 2018 , ns0.idm.net.lb pointed to 194.126.10.18 , which appropriately enough is an Internet address based in Lebanon .", "spans": {}, "info": {"id": "dnrti_train_001962", "source": "dnrti_train"}} {"text": "Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Malware: Octopus Trojan": [[34, 48]]}, "info": {"id": "dnrti_train_001963", "source": "dnrti_train"}} {"text": "Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": {"Organization: Political entities": [[0, 18]], "Organization: IndigoZebra": [[102, 113]], "Organization: Sofacy": [[116, 122]], "Malware: Zebrocy malware": [[130, 145]], "Malware: Octopus malware": [[186, 201]]}, "info": {"id": "dnrti_train_001964", "source": "dnrti_train"}} {"text": "El Machete is one of these threats that was first publicly disclosed and named by 
Kaspersky here .", "spans": {"Organization: Kaspersky": [[82, 91]]}, "info": {"id": "dnrti_train_001965", "source": "dnrti_train"}} {"text": "We've found that this group has continued to operate successfully , predominantly in Latin America , since 2014 .", "spans": {}, "info": {"id": "dnrti_train_001966", "source": "dnrti_train"}} {"text": "All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection .", "spans": {"System: dynamic DNS domains": [[75, 94]]}, "info": {"id": "dnrti_train_001967", "source": "dnrti_train"}} {"text": "In the case of Octopus , DustSquad used Delphi as their programming language of choice , which is unusual for such an actor .", "spans": {"Malware: Octopus": [[15, 22]]}, "info": {"id": "dnrti_train_001968", "source": "dnrti_train"}} {"text": "Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": {"Organization: utility providers": [[102, 119]], "Organization: embassies": [[155, 164]], "Organization: government institutions": [[171, 194]]}, "info": {"id": "dnrti_train_001969", "source": "dnrti_train"}} {"text": "Some time ago , a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown , undetected malware .", "spans": {"Organization: Kaspersky Lab": [[18, 31]]}, "info": {"id": "dnrti_train_001970", "source": "dnrti_train"}} {"text": "It was a targeted attack we are calling \" Machete \" .", "spans": {}, "info": {"id": "dnrti_train_001971", "source": "dnrti_train"}} {"text": "At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": {"Malware: Java related application": 
[[36, 60]], "Malware: Java file": [[148, 157]]}, "info": {"id": "dnrti_train_001972", "source": "dnrti_train"}} {"text": "\" Machete \" is a targeted attack campaign with Spanish speaking roots .", "spans": {}, "info": {"id": "dnrti_train_001973", "source": "dnrti_train"}} {"text": "The decoy slideshows all contain photos from very meaningful events to individuals in Thailand , suggesting that the actors continually look for impactful events to use to disguise their attacks .", "spans": {"Malware: decoy slideshows": [[4, 20]]}, "info": {"id": "dnrti_train_001974", "source": "dnrti_train"}} {"text": "In some cases , such as Russia , the target appears to be an embassy from one of the countries of this list .", "spans": {"Organization: embassy": [[61, 68]]}, "info": {"id": "dnrti_train_001975", "source": "dnrti_train"}} {"text": "Both attackers and victims speak Spanish natively , as we see it consistently in the source code of the client side and in the Python code .", "spans": {}, "info": {"id": "dnrti_train_001976", "source": "dnrti_train"}} {"text": "We are also grateful to the Private Office of his Holiness the Dalai Lama , the Tibetan Government-in-Exile , the missions of Tibet in London , Brussels , and New York , and Drewla ( a Tibetan NGO ) .", "spans": {"Organization: Tibet": [[126, 131]], "Organization: Brussels": [[144, 152]], "Organization: Drewla": [[174, 180]], "Organization: Tibetan": [[185, 192]]}, "info": {"id": "dnrti_train_001977", "source": "dnrti_train"}} {"text": "Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community .", "spans": {"Organization: Tibetan community": [[189, 206]]}, "info": {"id": "dnrti_train_001978", "source": "dnrti_train"}} {"text": "These instances of Gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan , People's 
Republic of China .", "spans": {"Malware: Gh0st RAT": [[19, 28]]}, "info": {"id": "dnrti_train_001979", "source": "dnrti_train"}} {"text": "The fieldwork generated extensive data that allowed us to examine Tibetan information security practices , as well as capture real-time evidence of malware that had penetrated Tibetan computer systems .", "spans": {"Organization: Tibetan information security practices": [[66, 104]], "Organization: Tibetan": [[176, 183]]}, "info": {"id": "dnrti_train_001980", "source": "dnrti_train"}} {"text": "It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental , spread by contact between individuals who previously communicated through e-mail .", "spans": {"System: e-mail": [[209, 215]]}, "info": {"id": "dnrti_train_001981", "source": "dnrti_train"}} {"text": "Where they exist , they often use grey market or pirated software .", "spans": {"Malware: grey market": [[34, 45]], "Malware: pirated software": [[49, 65]]}, "info": {"id": "dnrti_train_001982", "source": "dnrti_train"}} {"text": "Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": {"System: emails": [[22, 28]], "Malware: documents": [[72, 81]]}, "info": {"id": "dnrti_train_001983", "source": "dnrti_train"}} {"text": "GhostNet represents a network of compromised computers resident in high-value political , economic , and media locations spread across numerous countries worldwide .", "spans": {}, "info": {"id": "dnrti_train_001984", "source": "dnrti_train"}} {"text": "After that , the attacker is capable to control the compromised device .", "spans": {"System: compromised device": [[52, 70]]}, "info": {"id": "dnrti_train_001985", "source": "dnrti_train"}} {"text": "The computers of diplomats , military attachés , 
private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) .", "spans": {"Organization: diplomats": [[17, 26]], "Organization: military attachés": [[29, 46]], "Organization: private assistants": [[49, 67]], "Organization: secretaries": [[70, 81]], "Organization: Prime Ministers": [[85, 100]], "Organization: journalists": [[103, 114]]}, "info": {"id": "dnrti_train_001986", "source": "dnrti_train"}} {"text": "The C&C server ( 82.137.255.56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 .", "spans": {"Organization: Goldmouse": [[84, 93]]}, "info": {"id": "dnrti_train_001987", "source": "dnrti_train"}} {"text": "According to 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": {"Organization: 360 Threat Intelligence Center": [[13, 43]], "Malware: njRAT backdoor": [[92, 106]]}, "info": {"id": "dnrti_train_001988", "source": "dnrti_train"}} {"text": "The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": {"Malware: GozNym": [[20, 26]], "Organization: banking customers": [[152, 169]]}, "info": {"id": "dnrti_train_001989", "source": "dnrti_train"}} {"text": "The APT group is reportedly targeting the Middle East region .", "spans": {}, "info": {"id": "dnrti_train_001990", "source": "dnrti_train"}} {"text": "The malware has started targeting corporate , SMB , investment banking and consumer accounts at banks , including some in Portugal and the U.S. 
, in addition to Poland , according to researchers at IBM 's X-Force team .", "spans": {"Malware: SMB": [[46, 49]], "Organization: IBM 's X-Force": [[198, 212]]}, "info": {"id": "dnrti_train_001991", "source": "dnrti_train"}} {"text": "According to Kessem the malware has redirection instructions for 17 banks , and features an additional 230 URLs to assist attackers in targeting community banks and email service providers in Poland .", "spans": {"Organization: Kessem": [[13, 19]], "Organization: email service providers": [[165, 188]]}, "info": {"id": "dnrti_train_001992", "source": "dnrti_train"}} {"text": "With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate .", "spans": {"Malware: GozNym": [[5, 11]], "Malware: URL": [[70, 73]], "Malware: SSL certificate": [[78, 93]]}, "info": {"id": "dnrti_train_001993", "source": "dnrti_train"}} {"text": "Fresh from targeting banks in Poland , the banking Trojan GozNym has begun taking aim at banks in Germany .", "spans": {"Malware: banking Trojan": [[43, 57]], "Malware: GozNym": [[58, 64]]}, "info": {"id": "dnrti_train_001994", "source": "dnrti_train"}} {"text": "Attackers went on to use the Trojan to steal $4 million from 24 banks , including 22 in the United States and two in Canada , in just two weeks .", "spans": {}, "info": {"id": "dnrti_train_001995", "source": "dnrti_train"}} {"text": "Recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the GozNym group appears up to the task .", "spans": {"Organization: Kessem": [[72, 78]]}, "info": {"id": "dnrti_train_001996", "source": "dnrti_train"}} {"text": "The malware is distributed primarily through laced spam emails that lure recipients into opening attachments .", "spans": {"System: laced spam emails": [[45, 62]]}, "info": {"id": "dnrti_train_001997", "source": "dnrti_train"}} {"text": "Kessem .", "spans": {"Organization: Kessem": [[0, 6]]}, "info": {"id": "dnrti_train_001998", "source": "dnrti_train"}} 
{"text": "Fresh from targeting banks in Poland , the banking Trojan has reportedly begun taking aim at banks in Germany .", "spans": {"Malware: banking Trojan": [[43, 57]]}, "info": {"id": "dnrti_train_001999", "source": "dnrti_train"}} {"text": "Now GozNym is now targeting 13 banks and subsidiaries in Germany , Limor Kessem , Executive Security Advisor at IBM , said Tuesday .", "spans": {"Malware: GozNym": [[4, 10]], "Organization: subsidiaries": [[41, 53]], "Organization: Kessem": [[73, 79]], "Organization: Executive Security": [[82, 100]], "Organization: IBM": [[112, 115]]}, "info": {"id": "dnrti_train_002000", "source": "dnrti_train"}} {"text": "he Trojan , a hybrid of Nymaim and Gozi malware , initially formed in April and thrives on carrying out redirection attacks via DNS poisoning .", "spans": {"Malware: Nymaim": [[24, 30]], "Malware: Gozi malware": [[35, 47]], "System: DNS poisoning": [[128, 141]]}, "info": {"id": "dnrti_train_002001", "source": "dnrti_train"}} {"text": "In April , shortly after the Trojan 's discovery , researchers observed a massive GozNym campaign targeting 24 North American banks .", "spans": {}, "info": {"id": "dnrti_train_002002", "source": "dnrti_train"}} {"text": "The method , which technically redirects users through local DNS poisoning , requires a fair bit of work ; recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the group behind GozNym – Nymaim – appear up to the task .", "spans": {"System: DNS poisoning": [[61, 74]], "Organization: Kessem": [[179, 185]], "Malware: GozNym": [[210, 216]]}, "info": {"id": "dnrti_train_002003", "source": "dnrti_train"}} {"text": "Attackers behind Dyre have used similar tactics in the past but have only deployed their attacks in English speaking countries and Spain .", "spans": {}, "info": {"id": "dnrti_train_002004", "source": "dnrti_train"}} {"text": "When we last heard from the Trojan , its operators were seen launching redirection attacks on four large , 
U.S. banks in June .", "spans": {"Malware: Trojan": [[28, 34]]}, "info": {"id": "dnrti_train_002005", "source": "dnrti_train"}} {"text": "The fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and in countries which have different banking systems is unique , according to Kessem .", "spans": {"Malware: GozNym": [[40, 46]], "Organization: Kessem": [[188, 194]]}, "info": {"id": "dnrti_train_002006", "source": "dnrti_train"}} {"text": "By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": {"Malware: GozNym": [[22, 28]], "Organization: email service providers": [[189, 212]]}, "info": {"id": "dnrti_train_002007", "source": "dnrti_train"}} {"text": "Seeking to tease out any possible links between Operation Aurora , VOHO , Operation DeputyDog , and Ephemeral Hydra , we began with Symantec 's Hidden Lynx report as our foundation .", "spans": {"Organization: Symantec": [[132, 140]]}, "info": {"id": "dnrti_train_002008", "source": "dnrti_train"}} {"text": "The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"Malware: Trojan.Naid": [[106, 117]], "Malware: Backdoor.Moudoor": [[120, 136]], "Malware: Backdoor.Hikit": [[143, 157]]}, "info": {"id": "dnrti_train_002009", "source": "dnrti_train"}} {"text": "We will detail how the C&C infrastructure and tools used by hacker group Hidden Lynx during its VOHO campaign ( 2012 ) , excellently documented by Symantec researchers last September , overlap with tools used in other high profile operations during the past few years .", "spans": {"Organization: Hidden Lynx": [[73, 84]], "Organization: Symantec": [[147, 155]]}, "info": {"id": "dnrti_train_002010", "source": 
"dnrti_train"}} {"text": "When the New York Times and Mandiant last year unmasked a large scale Chinese hacking operation , pinpointing its location down to the building , the report drew mainstream attention to what security professionals already well knew : sophisticated threat actors carry out persistent cyber operations over months and years .", "spans": {"Organization: New York Times": [[9, 23]], "Organization: Mandiant": [[28, 36]]}, "info": {"id": "dnrti_train_002011", "source": "dnrti_train"}} {"text": "By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": {"Malware: GozNym": [[22, 28]], "Organization: email service providers": [[189, 212]]}, "info": {"id": "dnrti_train_002012", "source": "dnrti_train"}} {"text": "Using Recorded Future , we quickly built a timeline of the reported use of those tools in major security incidents , finding many events prior to the early 2013 exposé on Hidden Lynx .", "spans": {"Organization: Hidden Lynx": [[171, 182]]}, "info": {"id": "dnrti_train_002013", "source": "dnrti_train"}} {"text": "In particular , FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog .", "spans": {"Organization: FireEye": [[16, 23]], "Malware: DeputyDog": [[110, 119]]}, "info": {"id": "dnrti_train_002014", "source": "dnrti_train"}} {"text": "The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"Malware: Trojan.Naid": [[105, 116]], "Malware: Backdoor.Moudoor": [[119, 135]], "Malware: Backdoor.Hikit": [[142, 156]]}, "info": {"id": "dnrti_train_002015", "source": "dnrti_train"}} {"text": "Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and 
Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Trojan.Naid": [[72, 83]], "Malware: Backdoor.Moudoor": [[88, 104]], "Malware: Aurora": [[123, 129]], "Organization: Elderwood Gang": [[139, 153]], "Organization: Hidden Lynx": [[163, 174]]}, "info": {"id": "dnrti_train_002016", "source": "dnrti_train"}} {"text": "In addition to these , we also identified \" Macfog \" , a native Mac OS X implementation of Icefog that infected several hundred victims worldwide .", "spans": {"Malware: Macfog": [[44, 50]], "Malware: native Mac OS X implementation": [[57, 87]], "Malware: Icefog": [[91, 97]]}, "info": {"id": "dnrti_train_002017", "source": "dnrti_train"}} {"text": "Icefog , also known as the \" Dagger Panda \" by Crowdstrike 's naming convention , infected targets mainly in South Korea and Japan .", "spans": {"Organization: Icefog": [[0, 6]], "Organization: Dagger Panda": [[29, 41]], "Organization: Crowdstrike": [[47, 58]]}, "info": {"id": "dnrti_train_002018", "source": "dnrti_train"}} {"text": "In 2013 , a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan .", "spans": {"Malware: ICEFOG": [[105, 111]], "Organization: government organizations": [[127, 151]]}, "info": {"id": "dnrti_train_002019", "source": "dnrti_train"}} {"text": "Similar to our approach with Symantec 's report on Hidden Lynx , we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns .", "spans": {"Organization: Symantec": [[29, 37]]}, "info": {"id": "dnrti_train_002020", "source": "dnrti_train"}} {"text": "With Javafog , we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers .", "spans": 
{"Malware: Icefog": [[54, 60]]}, "info": {"id": "dnrti_train_002021", "source": "dnrti_train"}} {"text": "Since January 2013 , we've been on the lookout for a possible RedOctober comeback .", "spans": {"Organization: RedOctober": [[62, 72]]}, "info": {"id": "dnrti_train_002022", "source": "dnrti_train"}} {"text": "One possible hit was triggered when we observed Mevade , an unusual piece of malware that appeared late in 2013 .", "spans": {}, "info": {"id": "dnrti_train_002023", "source": "dnrti_train"}} {"text": "In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": {"Vulnerability: CVE-2012-0158": [[81, 94]]}, "info": {"id": "dnrti_train_002024", "source": "dnrti_train"}} {"text": "It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good .", "spans": {}, "info": {"id": "dnrti_train_002025", "source": "dnrti_train"}} {"text": "The Cloud Atlas implants utilize a rather unusual C&C mechanism .", "spans": {"System: C&C mechanism": [[50, 63]]}, "info": {"id": "dnrti_train_002026", "source": "dnrti_train"}} {"text": "We named it RedOctober because we started this investigation in October 2012 , an unusually hot month .", "spans": {}, "info": {"id": "dnrti_train_002027", "source": "dnrti_train"}} {"text": "The attackers upload data to the account , which is downloaded by the implant , decrypted and interpreted .", "spans": {}, "info": {"id": "dnrti_train_002028", "source": "dnrti_train"}} {"text": "Just like with RedOctober , the top target of Cloud Atlas is Russia , followed closely by Kazakhstan , according to data from the Kaspersky Security Network ( KSN ) .", "spans": {"Organization: RedOctober": [[15, 25]], "Organization: Kaspersky Security Network": [[130, 156]], "Organization: KSN": [[159, 162]]}, "info": {"id": "dnrti_train_002029", "source": "dnrti_train"}} {"text": "In May 2015 , Palo Alto Networks WildFire detected two e-mails 
carrying malicious documents from a genuine and compromised Israeli Gmail account , sent to an Israeli industrial organization .", "spans": {"Organization: Palo Alto Networks WildFire": [[14, 41]], "System: e-mails": [[55, 62]], "Organization: industrial organization": [[166, 189]]}, "info": {"id": "dnrti_train_002030", "source": "dnrti_train"}} {"text": "One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": {"System: e-mail": [[4, 10]], "Malware: Microsoft PowerPoint file": [[21, 46]], "Malware: thanks.pps": [[55, 65]], "Malware: Microsoft Word document": [[97, 120]], "Malware: request.docx": [[129, 141]]}, "info": {"id": "dnrti_train_002031", "source": "dnrti_train"}} {"text": "Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient .", "spans": {"Organization: WildFire": [[23, 31]], "System: e-mail": [[49, 55]], "Malware: Word document": [[69, 82], [140, 153]], "Malware: hello.docx": [[87, 97]]}, "info": {"id": "dnrti_train_002032", "source": "dnrti_train"}} {"text": "Attacks using this tool were still active as of April 2016 .", "spans": {}, "info": {"id": "dnrti_train_002033", "source": "dnrti_train"}} {"text": "Considering the language being used in the malicious code is Arabic , it seems that the attacker is familiar with Arabic language as well .", "spans": {}, "info": {"id": "dnrti_train_002034", "source": "dnrti_train"}} {"text": "The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": {"Malware: thanks.pps": [[25, 35]], "Malware: ins8376.exe": [[99, 110]], "Malware: mpro324.dll": [[143, 154]]}, "info": {"id": "dnrti_train_002035", "source": "dnrti_train"}} {"text": "In this case , the file 
used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": {"Malware: Cyberlink": [[49, 58]]}, "info": {"id": "dnrti_train_002036", "source": "dnrti_train"}} {"text": "Unit 42 published a blog at the beginning of May titled \" Prince of Persia \" , in which we described the discovery of a decade-long campaign using a formerly unknown malware family , Infy , that targeted government and industry interests worldwide .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: Infy": [[183, 187]]}, "info": {"id": "dnrti_train_002037", "source": "dnrti_train"}} {"text": "We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": {"Organization: citizens": [[71, 79]]}, "info": {"id": "dnrti_train_002038", "source": "dnrti_train"}} {"text": "In addition to the original \" Infy \" variant , we also see the newer , more sophisticated , interactive , and fuller-featured \" Infy M \" variant deployed against apparently-higher-value targets .", "spans": {"Malware: Infy": [[30, 34]], "Malware: Infy M": [[128, 134]]}, "info": {"id": "dnrti_train_002039", "source": "dnrti_train"}} {"text": "This documentation provides new insight into intrusion efforts conducted by at least four discrete Iranian threat actors , Rocket Kitten , Infy , Sima , and Operation Cleaver , including groups and tools that have not been previously disclosed .", "spans": {"Organization: Rocket Kitten": [[123, 136]], "Organization: Infy": [[139, 143]], "Organization: Sima": [[146, 150]]}, "info": {"id": "dnrti_train_002040", "source": "dnrti_train"}} {"text": "Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": {"Organization: activists": [[160, 169]]}, "info": 
{"id": "dnrti_train_002041", "source": "dnrti_train"}} {"text": "Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": {"Organization: human rights organizations": [[87, 113]], "System: spearphishing": [[154, 167]], "Organization: diaspora": [[243, 251]]}, "info": {"id": "dnrti_train_002042", "source": "dnrti_train"}} {"text": "Thanks to information we have been able to collect during the course of our research , such as characteristics of the group 's malware and development cycle , our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state .", "spans": {"Organization: Infy": [[209, 213]]}, "info": {"id": "dnrti_train_002043", "source": "dnrti_train"}} {"text": "Amongst a backdrop of other incidents , Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014 , growing in use up to the February 2016 parliamentary election in Iran .", "spans": {}, "info": {"id": "dnrti_train_002044", "source": "dnrti_train"}} {"text": "Until the publication of the Palo Alto report , the developers of the Infy appeared to be actively updating and maintaining the codebase , and new releases were distributed to existing , as well as new , targets quite regularly .", "spans": {"Organization: Palo Alto": [[29, 38]], "Malware: Infy": [[70, 74]]}, "info": {"id": "dnrti_train_002045", "source": "dnrti_train"}} {"text": "Other samples were found bearing a compilation time as early as June 2012 and version 00002 .", "spans": {}, "info": {"id": "dnrti_train_002046", "source": "dnrti_train"}} {"text": "Over the months following the elections , the accounts of Iranians that had been 
compromised by the actors were then used for spreading the malware .", "spans": {"Organization: Iranians": [[58, 66]]}, "info": {"id": "dnrti_train_002047", "source": "dnrti_train"}} {"text": "When activities targeting of civil society subsided , the actors instead appeared to have focused on external targets , such a series of attempts to spearphish the Danish Ministry of Foreign Affairs .", "spans": {"System: spearphish": [[149, 159]]}, "info": {"id": "dnrti_train_002048", "source": "dnrti_train"}} {"text": "Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials .", "spans": {"Organization: Palo Alto Networks": [[0, 18]], "Malware: Infy": [[190, 194], [242, 246]], "Malware: Infy M.": [[199, 206]], "Malware: malware": [[257, 264]], "Malware: keylogger": [[298, 307]]}, "info": {"id": "dnrti_train_002049", "source": "dnrti_train"}} {"text": "Our observation of Infy 's campaigns , primarily through the lens of spearphishing attacks against Iranian civil society and media organizations , indicates a wandering focus on particular demographics on a strategic basis over time .", "spans": {"Organization: media organizations": [[125, 144]]}, "info": {"id": "dnrti_train_002050", "source": "dnrti_train"}} {"text": "The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": {"Malware: Infy malware": [[4, 16]], "Organization: Iranians": [[36, 44]], "Organization: broadcast journalist": [[124, 144]], "Malware: PowerPoint": [[194, 204]]}, "info": {"id": "dnrti_train_002051", 
"source": "dnrti_train"}} {"text": "Based on information collected in the course of this research , the targets and victims of Infy 's campaigns have continued to be strongly aligned with Iran 's \" soft war \" agenda , internal security policies , and regional adversaries of the hardline establishment of the Islamic Republic of Iran .", "spans": {}, "info": {"id": "dnrti_train_002052", "source": "dnrti_train"}} {"text": "Until late December 2015 , in nearly every Infy message documented since our tracking began in May 2013 , no attempt included strong tailoring of the approach , often not even including an email body , instead relying on cryptic filenames and email subjects to attract interest .", "spans": {"Malware: Infy message": [[43, 55]], "System: email": [[189, 194], [243, 248]]}, "info": {"id": "dnrti_train_002053", "source": "dnrti_train"}} {"text": "One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": {"System: spearphishing": [[22, 35]], "Organization: political activist": [[89, 107]], "Organization: British-Iranian": [[185, 200]]}, "info": {"id": "dnrti_train_002054", "source": "dnrti_train"}} {"text": "As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": {"Organization: Kurdish activists": [[121, 138]], "Organization: Flying Kitten actor group": [[183, 208]]}, "info": {"id": "dnrti_train_002055", "source": "dnrti_train"}} {"text": "The actors successfully compromised a host of an Saudi government institutions on January 17 , 2016 , and maintained access for at least two weeks .", "spans": {"Organization: government institutions": [[55, 78]]}, 
"info": {"id": "dnrti_train_002056", "source": "dnrti_train"}} {"text": "The Infy group also appears to engage in espionage activities against foreign governments and businesses .", "spans": {"Organization: Infy group": [[4, 14]]}, "info": {"id": "dnrti_train_002057", "source": "dnrti_train"}} {"text": "In order to initially compromise the designated targets , Infy typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": {"System: malicious documents containing": [[106, 136]], "Malware: Infy": [[137, 141]]}, "info": {"id": "dnrti_train_002058", "source": "dnrti_train"}} {"text": "In order to initially compromise the designated targets , the attackers typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": {"System: malicious documents containing": [[115, 145]], "Malware: Infy": [[146, 150]]}, "info": {"id": "dnrti_train_002059", "source": "dnrti_train"}} {"text": "On May 2 , 2016 , Palo Alto Networks published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": {"Organization: Palo Alto Networks": [[18, 36]], "Organization: Infy": [[147, 151]]}, "info": {"id": "dnrti_train_002060", "source": "dnrti_train"}} {"text": "Prior to the distribution of new versions of the agent , the Infy developers appear to consistently conduct tests from local hosts , which indicates that the control and maintenance of the software occurs in the Khorasan Razavi province of Iran , potentially in the city of Mashhad .", "spans": {"Malware: Infy": [[61, 65]]}, "info": {"id": "dnrti_train_002061", "source": "dnrti_train"}} {"text": "On May 2 , 2016 , Palo Alto published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of 
Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": {"Organization: Palo Alto": [[18, 27]]}, "info": {"id": "dnrti_train_002062", "source": "dnrti_train"}} {"text": "Only one client , based in Iran , continued to communicate with the infrastructure .", "spans": {}, "info": {"id": "dnrti_train_002063", "source": "dnrti_train"}} {"text": "A researcher has attributed a recently publicized attack on Citrix' internal network to the Iranian-linked group known as IRIDIUM – and said that the data heist involved 6 terabytes of sensitive data .", "spans": {"Organization: Citrix'": [[60, 67]]}, "info": {"id": "dnrti_train_002064", "source": "dnrti_train"}} {"text": "\" IRIDIUM has hit more than 200 government agencies , oil and gas companies and technology companies , including Citrix Systems Inc \" , they said .", "spans": {"Organization: government agencies": [[32, 51]], "Organization: gas companies": [[62, 75]], "Organization: technology companies": [[80, 100]], "Organization: Citrix Systems Inc": [[113, 131]]}, "info": {"id": "dnrti_train_002065", "source": "dnrti_train"}} {"text": "Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week – but it wouldn't confirm the other details in Resecurity 's post , including the attribution .", "spans": {"Organization: Citrix": [[0, 6]], "Organization: Resecurity": [[154, 164]]}, "info": {"id": "dnrti_train_002066", "source": "dnrti_train"}} {"text": "In wake of these events , a security firm Resecurity reached out to NBC news and claimed that they had reasons to believe that the attacks were carried out by Iranian-linked group known as IRIDIUM .", "spans": {"Organization: security firm": [[28, 41]], "Organization: Resecurity": [[42, 52]]}, "info": {"id": "dnrti_train_002067", "source": "dnrti_train"}} {"text": "Resecurity says that IRIDIUM \" has hit more than 200 government agencies , oil and 
gas companies , and technology companies including Citrix .", "spans": {"Organization: Resecurity": [[0, 10]], "Organization: government agencies": [[53, 72]], "Organization: gas companies": [[83, 96]], "Organization: technology companies": [[103, 123]], "Organization: Citrix": [[134, 140]]}, "info": {"id": "dnrti_train_002068", "source": "dnrti_train"}} {"text": "Resecurity claims that IRIDIUM breached Citrix 's network during December 2018 .", "spans": {"Organization: Resecurity": [[0, 10]], "Organization: Citrix": [[40, 46]]}, "info": {"id": "dnrti_train_002069", "source": "dnrti_train"}} {"text": "Infy engaged in malware spearphishing against the same targets as Flying Kitten from the outset of its campaign ; Operation Cleaver has registered several resources related to development agencies that have been the subject of intrusion attempts by others since February 2014 .", "spans": {"Malware: Infy": [[0, 4]], "System: spearphishing": [[24, 37]], "Organization: development agencies": [[176, 196]]}, "info": {"id": "dnrti_train_002070", "source": "dnrti_train"}} {"text": "The malicious samples we found are the early stage malware most often delivered by spear-phishing e-mails .", "spans": {"System: spear-phishing e-mails": [[83, 105]]}, "info": {"id": "dnrti_train_002071", "source": "dnrti_train"}} {"text": "This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": {"Malware: KBDLV2.DLL": [[127, 137]], "Malware: AUTO.DLL": [[141, 149]]}, "info": {"id": "dnrti_train_002072", "source": "dnrti_train"}} {"text": "At this stage , the malware gathers information about the infected computer .", "spans": {}, "info": {"id": "dnrti_train_002073", "source": "dnrti_train"}} {"text": "Hancom Office is widely used in South Korea .", "spans": {}, "info": {"id": "dnrti_train_002074", "source": "dnrti_train"}} {"text": "Perhaps it also points to 
the suspected North Korean origin of attack .", "spans": {}, "info": {"id": "dnrti_train_002075", "source": "dnrti_train"}} {"text": "The attacker is from North Korea .", "spans": {}, "info": {"id": "dnrti_train_002076", "source": "dnrti_train"}} {"text": "All of them lie in ranges of the Jilin Province Network and Liaoning Province Network , in China .", "spans": {"System: lie in ranges": [[12, 25]]}, "info": {"id": "dnrti_train_002077", "source": "dnrti_train"}} {"text": "Finally , this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea .", "spans": {"Organization: Kimsuky": [[81, 88]]}, "info": {"id": "dnrti_train_002078", "source": "dnrti_train"}} {"text": "In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD .", "spans": {"Malware: Winnti malware": [[30, 44]], "Organization: BARIUM": [[90, 96]]}, "info": {"id": "dnrti_train_002079", "source": "dnrti_train"}} {"text": "According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate 's network as early as February 2016 .", "spans": {"Malware: Winnti family of malware": [[55, 79]]}, "info": {"id": "dnrti_train_002080", "source": "dnrti_train"}} {"text": "In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD .", "spans": {"Malware: Winnti": [[75, 81]], "Malware: BARIUM": [[86, 92]], "Malware: LEAD": [[97, 101]]}, "info": {"id": "dnrti_train_002081", "source": "dnrti_train"}} {"text": "But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios .", "spans": {"Malware: Winnti": [[38, 44]], "Malware: BARIUM": [[51, 57]], "Malware: LEAD": [[62, 66]]}, "info": {"id": "dnrti_train_002082", "source": "dnrti_train"}} {"text": "To show how this breach and similar breaches can be mitigated , we look at how Windows 
Defender ATP flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups .", "spans": {"Organization: Windows Defender ATP": [[79, 99]]}, "info": {"id": "dnrti_train_002083", "source": "dnrti_train"}} {"text": "BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms .", "spans": {}, "info": {"id": "dnrti_train_002084", "source": "dnrti_train"}} {"text": "During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": {}, "info": {"id": "dnrti_train_002085", "source": "dnrti_train"}} {"text": "Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": {"Malware: Win32/Barlaiy": [[37, 50]]}, "info": {"id": "dnrti_train_002086", "source": "dnrti_train"}} {"text": "Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits .", "spans": {"Malware: unsophisticated malware": [[85, 108]], "Malware: malicious shortcut": [[142, 160]], "Malware: .lnk": [[163, 167]], "Malware: HTML help ( .chm ) files": [[208, 232]], "Malware: Microsoft Office documents": [[238, 264]]}, "info": {"id": "dnrti_train_002087", "source": "dnrti_train"}} {"text": "Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": {"System: emails": [[33, 39]], "Malware: Winnti installer": [[42, 58]], "System: social engineering 
tactics": [[99, 125]]}, "info": {"id": "dnrti_train_002088", "source": "dnrti_train"}} {"text": "Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months ( Figure 1 ) .", "spans": {"Organization: Microsoft Analytics": [[0, 19]], "Malware: Winnti": [[31, 37]]}, "info": {"id": "dnrti_train_002089", "source": "dnrti_train"}} {"text": "Instead , Lead often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": {"System: emails": [[28, 34]], "Malware: Winnti installer": [[37, 53]], "System: social engineering tactics": [[94, 120]]}, "info": {"id": "dnrti_train_002090", "source": "dnrti_train"}} {"text": "In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines .", "spans": {"Malware: Winnti installer": [[191, 207]]}, "info": {"id": "dnrti_train_002091", "source": "dnrti_train"}} {"text": "This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": {"Malware: ASPNET_FILTER.DLL": [[92, 109]], "Malware: ASP.NET ISAPI Filter": [[146, 166]]}, "info": {"id": "dnrti_train_002092", "source": "dnrti_train"}} {"text": "Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ways .", "spans": {"Organization: Windows Defender ATP": [[0, 20]], "Malware: LEAD": [[105, 109]], "Malware: BARIUM": [[114, 120]]}, "info": {"id": "dnrti_train_002093", "source": "dnrti_train"}} {"text": "The following examples were developed using a Winnti installer that was used in attacks in December 2016 
.", "spans": {"Malware: Winnti installer": [[46, 62]]}, "info": {"id": "dnrti_train_002094", "source": "dnrti_train"}} {"text": "The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": {"Malware: Windows 10 Creators Update": [[4, 30]], "Organization: Windows Defender ATP": [[66, 86]], "Organization: SOC personnel": [[105, 118]]}, "info": {"id": "dnrti_train_002095", "source": "dnrti_train"}} {"text": "LEAD and BARIUM are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"System: spear-phishing": [[46, 60]], "Organization: SOC personnel": [[86, 99]]}, "info": {"id": "dnrti_train_002096", "source": "dnrti_train"}} {"text": "And , finally , with the upcoming Creators Update , Windows Defender ATP will provide additional capabilities for detecting threats such as Winnti , as well as centralized response options , such as machine isolation and file blocking , that will enable fast containment of known attack jump off points .", "spans": {"Malware: Creators Update": [[34, 49]], "Organization: Windows Defender ATP": [[52, 72]]}, "info": {"id": "dnrti_train_002097", "source": "dnrti_train"}} {"text": "The police suspected Lurk of stealing nearly three billion rubles , using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations , including banks .", "spans": {"Malware: Lurk": [[21, 25]], "Organization: commercial organizations": [[161, 185]]}, "info": {"id": "dnrti_train_002098", "source": "dnrti_train"}} {"text": "When we first encountered Lurk , in 2011 , it was a nameless Trojan .", "spans": {"Malware: Lurk": [[26, 30]]}, "info": {"id": "dnrti_train_002099", "source": "dnrti_train"}} {"text": "While the machine is in isolation , SOC 
personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": {"Organization: SOC personnel": [[36, 49]]}, "info": {"id": "dnrti_train_002100", "source": "dnrti_train"}} {"text": "This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks .", "spans": {"Organization: financial institutions": [[131, 153]]}, "info": {"id": "dnrti_train_002101", "source": "dnrti_train"}} {"text": "In most cases , the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash .", "spans": {}, "info": {"id": "dnrti_train_002102", "source": "dnrti_train"}} {"text": "We were soon able to help investigate another incident involving Lurk .", "spans": {"Malware: Lurk": [[65, 69]]}, "info": {"id": "dnrti_train_002103", "source": "dnrti_train"}} {"text": "This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity , and was considered a \" leader \" among cybercriminals .", "spans": {}, "info": {"id": "dnrti_train_002104", "source": "dnrti_train"}} {"text": "In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS .", "spans": {}, "info": {"id": "dnrti_train_002105", "source": "dnrti_train"}} {"text": "In April 2013 , a year after we found the \" bodiless \" Lurk module , the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software .", "spans": {"Malware: Lurk module": [[55, 66]]}, "info": {"id": "dnrti_train_002106", "source": "dnrti_train"}} {"text": "Through the information 
exchanges used by people in the security industry , we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software .", "spans": {}, "info": {"id": "dnrti_train_002107", "source": "dnrti_train"}} {"text": "If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc .", "spans": {}, "info": {"id": "dnrti_train_002108", "source": "dnrti_train"}} {"text": "As far as we can judge from the data we have , in 2014 the criminal group behind Lurk seriously reduced its activity and \" lived from hand to mouth \" , attacking anyone they could , including ordinary users .", "spans": {"Malware: Lurk": [[81, 85]]}, "info": {"id": "dnrti_train_002109", "source": "dnrti_train"}} {"text": "In February 2015 , Kaspersky Lab 's Global Research and Analysis Team ( GReAT ) released its research into the Carbanak campaign targeting financial institutions .", "spans": {"Organization: Kaspersky Lab": [[19, 32]], "Organization: GReAT": [[72, 77]], "Organization: financial institutions": [[139, 161]]}, "info": {"id": "dnrti_train_002110", "source": "dnrti_train"}} {"text": "Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk .", "spans": {"Malware: Trojan": [[178, 184]], "Malware: Lurk": [[192, 196]]}, "info": {"id": "dnrti_train_002111", "source": "dnrti_train"}} {"text": "which they launched targeted attacks against Russian banks , businesses and media companies .", "spans": {"Organization: media companies": [[76, 91]]}, "info": {"id": "dnrti_train_002112", "source": "dnrti_train"}} {"text": "Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , 
audio , or video file .", "spans": {"Malware: Lurk": [[0, 4]]}, "info": {"id": "dnrti_train_002113", "source": "dnrti_train"}} {"text": "The latest version of Madi also has the ability to monitor the Russian social network Vkontakte ( VK ) along with the Jabber messaging platform to look for users who visit websites that contain words like \" USA \" , \" Skype \" , and \" gov \" .", "spans": {}, "info": {"id": "dnrti_train_002114", "source": "dnrti_train"}} {"text": "Madi was found capturing computer screens , recording audio and stealing screenshots , keystrokes , documents and e-mail correspondence from \" Middle Eastern critical infrastructure engineering firms , government agencies , financial houses and academia .", "spans": {"System: e-mail": [[114, 120]], "Organization: critical infrastructure engineering firms": [[158, 199]], "Organization: government agencies": [[202, 221]]}, "info": {"id": "dnrti_train_002115", "source": "dnrti_train"}} {"text": "A timeline of new activity can be scoped out for the group , with the greatest number of related downloaders created by the developers in December 2011 , Feb and March of 2012 , followed by June of 2012 .", "spans": {}, "info": {"id": "dnrti_train_002116", "source": "dnrti_train"}} {"text": "it reports to was created on August 10 , 2011 .", "spans": {}, "info": {"id": "dnrti_train_002117", "source": "dnrti_train"}} {"text": "Since at least 2008 , The Lamberts have used multiple sophisticated attack tools against high-profile victims .", "spans": {"Malware: Lamberts": [[26, 34]]}, "info": {"id": "dnrti_train_002118", "source": "dnrti_train"}} {"text": "Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": {"Organization: The Lamberts": [[45, 57]], "Organization: ITSec community": [[97, 112]], "Organization: FireEye": [[148, 155]], 
"Vulnerability: zero day vulnerability": [[185, 207]], "Vulnerability: CVE-2014-4148": [[210, 223]]}, "info": {"id": "dnrti_train_002119", "source": "dnrti_train"}} {"text": "The attack leveraged malware we called ' BlackLambert ' , which was used to target a high profile organization in Europe .", "spans": {"Malware: BlackLambert": [[41, 53]], "Organization: high profile organization": [[85, 110]]}, "info": {"id": "dnrti_train_002120", "source": "dnrti_train"}} {"text": "Their arsenal includes network-driven backdoors , several generations of modular backdoors , harvesting tools , and wipers .", "spans": {"Malware: network-driven backdoors": [[23, 47]], "Malware: modular backdoors": [[73, 90]], "Malware: harvesting tools": [[93, 109]], "Malware: wipers": [[116, 122]]}, "info": {"id": "dnrti_train_002121", "source": "dnrti_train"}} {"text": "The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": {"Malware: Lambert family malware": [[19, 41]], "Organization: FireEye": [[92, 99]], "Vulnerability: zero day exploit": [[122, 138]], "Vulnerability: CVE-2014-4148": [[141, 154]]}, "info": {"id": "dnrti_train_002122", "source": "dnrti_train"}} {"text": "Interestingly , while most Blue Lambert variants have version numbers in the range of 2.x , Green Lambert is mostly in 3.x versions .", "spans": {"Malware: Blue Lambert": [[27, 39]], "Malware: Green Lambert": [[92, 105]]}, "info": {"id": "dnrti_train_002123", "source": "dnrti_train"}} {"text": "While investigating one of these infections involving White Lambert ( network-driven implant ) and Blue Lambert ( active implant ) , we found yet another family of tools that appear to be related .", "spans": {"Malware: White Lambert": [[54, 67]], "Malware: Blue Lambert": [[99, 111]]}, "info": {"id": "dnrti_train_002124", "source": "dnrti_train"}} {"text": "Versions of this particular orchestrator were 
found on other victims , together with White Lambert samples , indicating a close relationship between the White and Pink Lambert malware families .", "spans": {"Malware: White Lambert samples": [[85, 106]], "Malware: White": [[153, 158]], "Malware: Pink Lambert malware families": [[163, 192]]}, "info": {"id": "dnrti_train_002125", "source": "dnrti_train"}} {"text": "While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": {"Vulnerability: zero-day exploit": [[125, 141]], "Vulnerability: CVE-2014-4148": [[144, 157]]}, "info": {"id": "dnrti_train_002126", "source": "dnrti_train"}} {"text": "This migration activity was last observed in October 2016 .", "spans": {}, "info": {"id": "dnrti_train_002127", "source": "dnrti_train"}} {"text": "Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block : a hostname and an IP address .", "spans": {"Malware: Blue and Green Lambert samples": [[12, 42]]}, "info": {"id": "dnrti_train_002128", "source": "dnrti_train"}} {"text": "Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice .", "spans": {"Malware: Gray Lambert": [[32, 44]], "Malware: mwapi32.dll": [[49, 60]], "Malware: poolstr.dll": [[65, 76]], "Malware: Lamberts": [[138, 146]]}, "info": {"id": "dnrti_train_002129", "source": "dnrti_train"}} {"text": "Black Lambert was seen only briefly and we assume it was \" retired \" from the arsenal after being discovered by FireEye in 2014 .", "spans": {"Malware: Black Lambert": [[0, 13]], "Organization: FireEye": [[112, 119]]}, "info": {"id": "dnrti_train_002130", "source": "dnrti_train"}} {"text": "The Lamberts toolkit spans across several years , with most activity occurring in 2013 and 2014 .", "spans": {"Malware: Lamberts 
toolkit": [[4, 20]]}, "info": {"id": "dnrti_train_002131", "source": "dnrti_train"}} {"text": "To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": {"Malware: Lamberts toolkit": [[69, 85]], "Malware: Black Lambert": [[102, 115]], "Vulnerability: zero day exploit": [[152, 168]], "Vulnerability: CVE-2014-4148": [[171, 184]]}, "info": {"id": "dnrti_train_002132", "source": "dnrti_train"}} {"text": "Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed .", "spans": {"Malware: Lamberts": [[43, 51]], "Malware: Regin": [[87, 92]], "Malware: ProjectSauron": [[95, 108]], "Malware: Equation": [[111, 119]], "Malware: Duqu2": [[124, 129]]}, "info": {"id": "dnrti_train_002133", "source": "dnrti_train"}} {"text": "Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed .", "spans": {"Malware: Lamberts": [[43, 51]], "Malware: Regin": [[87, 92]], "Malware: ProjectSauron": [[95, 108]], "Malware: Equation": [[111, 119]], "Malware: Duqu2": [[124, 129]]}, "info": {"id": "dnrti_train_002134", "source": "dnrti_train"}} {"text": "On January 15 , Confiant exposed the activity of the Zirconium group , spreading malicious ads via a network of fake ad agencies through 2017 , in what amounted to the largest malvertising campaign of recent times .", "spans": {"Organization: fake ad agencies": [[112, 128]]}, "info": {"id": "dnrti_train_002135", "source": "dnrti_train"}} {"text": "Cadelle , uses Backdoor.Cadelspy .", "spans": {"Malware: Backdoor.Cadelspy": [[15, 32]]}, "info": {"id": "dnrti_train_002136", "source": 
"dnrti_train"}} {"text": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014 , however , it's likely that activity began well before this date .", "spans": {"Organization: Symantec": [[0, 8]]}, "info": {"id": "dnrti_train_002137", "source": "dnrti_train"}} {"text": "Chafer , uses Backdoor.Remexi .", "spans": {"Malware: Backdoor.Remexi": [[14, 29]]}, "info": {"id": "dnrti_train_002138", "source": "dnrti_train"}} {"text": "Cadelle 's threats are capable of opening a back door and stealing information from victims' computers .", "spans": {}, "info": {"id": "dnrti_train_002139", "source": "dnrti_train"}} {"text": "Chafer , uses Backdoor.Remexi.B .", "spans": {"Malware: Backdoor.Remexi.B": [[14, 31]]}, "info": {"id": "dnrti_train_002140", "source": "dnrti_train"}} {"text": "registrant information points to activity possibly as early as 2011 .", "spans": {}, "info": {"id": "dnrti_train_002141", "source": "dnrti_train"}} {"text": "These threats are capable of opening a back door and stealing information from victims' computers .", "spans": {}, "info": {"id": "dnrti_train_002142", "source": "dnrti_train"}} {"text": "executable compilation times suggest early 2012 .", "spans": {}, "info": {"id": "dnrti_train_002143", "source": "dnrti_train"}} {"text": "It's unclear how Cadelle infects its targets with Backdoor.Cadelspy .", "spans": {"Malware: Backdoor.Cadelspy": [[50, 67]]}, "info": {"id": "dnrti_train_002144", "source": "dnrti_train"}} {"text": "The affected organizations we were able to identify are mostly based in the Middle East .", "spans": {}, "info": {"id": "dnrti_train_002145", "source": "dnrti_train"}} {"text": "one organization is located in the US .", "spans": {}, "info": {"id": "dnrti_train_002146", "source": "dnrti_train"}} {"text": "There are a number of factors in these groups' campaigns that suggests that the attackers may be based in Iran .", "spans": {}, "info": {"id": "dnrti_train_002147", "source": 
"dnrti_train"}} {"text": "Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": {"Malware: Remexi": [[0, 6]]}, "info": {"id": "dnrti_train_002148", "source": "dnrti_train"}} {"text": "Their primary interest appears to be gathering intelligence .", "spans": {}, "info": {"id": "dnrti_train_002149", "source": "dnrti_train"}} {"text": "This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant .", "spans": {"Malware: Green Lambert": [[109, 122]], "Malware: Blue": [[157, 161]]}, "info": {"id": "dnrti_train_002150", "source": "dnrti_train"}} {"text": "security policy in the Eastern Europe and South Caucasus regions .", "spans": {}, "info": {"id": "dnrti_train_002151", "source": "dnrti_train"}} {"text": "Callisto Group via credential phishingThese spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": {"System: spear phishing emails": [[44, 65]], "System: phishing": [[244, 252]]}, "info": {"id": "dnrti_train_002152", "source": "dnrti_train"}} {"text": "In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": {"System: spear phishing emails": [[63, 84]], "Malware: malicious attachments": [[90, 111]], "Malware: Scout": [[160, 165]]}, "info": {"id": "dnrti_train_002153", "source": "dnrti_train"}} {"text": "These spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": {"System: spear 
phishing emails": [[6, 27]], "System: phishing": [[206, 214]]}, "info": {"id": "dnrti_train_002154", "source": "dnrti_train"}} {"text": "Callisto Group appears to be intelligence gathering related to European foreign and security policy .", "spans": {}, "info": {"id": "dnrti_train_002155", "source": "dnrti_train"}} {"text": "some indications of loosely linked activity dating back to at least 2013 .", "spans": {}, "info": {"id": "dnrti_train_002156", "source": "dnrti_train"}} {"text": "In October 2015 , the Callisto Group was observed sending targeted credential phishing emails .", "spans": {"Organization: Callisto Group": [[22, 36]], "System: phishing emails": [[78, 93]]}, "info": {"id": "dnrti_train_002157", "source": "dnrti_train"}} {"text": "In early 2016 , the Callisto Group was observed sending targeted spear phishing emails .", "spans": {"System: spear phishing emails": [[65, 86]]}, "info": {"id": "dnrti_train_002158", "source": "dnrti_train"}} {"text": "The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": {"Malware: malicious attachments": [[4, 25]], "Malware: invitations": [[42, 53]], "Malware: drafts of the agenda": [[57, 77]]}, "info": {"id": "dnrti_train_002159", "source": "dnrti_train"}} {"text": "Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform .", "spans": {"Organization: Callisto Group": [[25, 39]], "Malware: installers": [[186, 196]]}, "info": {"id": "dnrti_train_002160", "source": "dnrti_train"}} {"text": "In the known spear phishing attacks by the Callisto Group , they employed the \" Scout \" malware tool from the RCS Galileo platform .", "spans": {"Organization: Callisto Group": [[43, 57]], "Malware: Scout": [[80, 85]], "Organization: Galileo": [[114, 121]]}, "info": {"id": 
"dnrti_train_002161", "source": "dnrti_train"}} {"text": "We are confident the Callisto Group used this type of access to a target 's email account for the purposes of sending spear phishing to other targets .", "spans": {"System: spear phishing": [[118, 132]]}, "info": {"id": "dnrti_train_002162", "source": "dnrti_train"}} {"text": "If a target of the spear phishing described in \" Phase 2 : malware deployment \" opened the email attachment and , crucially , clicked on the icon in the attachment , this would lead to the target 's computer becoming infected with the \" Scout \" malware tool from the RCS Galileo platform .", "spans": {"System: spear phishing": [[19, 33]], "System: email attachment": [[91, 107]], "Malware: Scout": [[237, 242]]}, "info": {"id": "dnrti_train_002163", "source": "dnrti_train"}} {"text": "Callisto Group and related infrastructure contain links to at least Russia , Ukraine , and China .", "spans": {}, "info": {"id": "dnrti_train_002164", "source": "dnrti_train"}} {"text": "they have been last known to employ malware in February 2016 .", "spans": {}, "info": {"id": "dnrti_train_002165", "source": "dnrti_train"}} {"text": "RCS Galileo platform .", "spans": {}, "info": {"id": "dnrti_train_002166", "source": "dnrti_train"}} {"text": "The spear phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment .", "spans": {"System: spear phishing emails": [[4, 25]], "Organization: Callisto Group": [[59, 73]]}, "info": {"id": "dnrti_train_002167", "source": "dnrti_train"}} {"text": "In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target 's webmail credentials .", "spans": {"System: phishing emails": [[74, 89]]}, "info": {"id": "dnrti_train_002168", "source": "dnrti_train"}} {"text": "The Callisto Group has been active at least since late 2015 and continues to be so 
, including continuing to set up new phishing infrastructure every week .", "spans": {"System: phishing infrastructure": [[120, 143]]}, "info": {"id": "dnrti_train_002169", "source": "dnrti_train"}} {"text": "Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks .", "spans": {}, "info": {"id": "dnrti_train_002170", "source": "dnrti_train"}} {"text": "On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf .", "spans": {"Organization: Arbor Networks": [[13, 27]], "Malware: Trojan": [[94, 100]], "Malware: RAT": [[103, 106]], "Malware: Ismdoor": [[116, 123]]}, "info": {"id": "dnrti_train_002171", "source": "dnrti_train"}} {"text": "\" With our latest research we now see how Greenbug has shifted away from HTTP-based C2 communication with Ismdoor .", "spans": {"Malware: Ismdoor": [[106, 113]]}, "info": {"id": "dnrti_train_002172", "source": "dnrti_train"}} {"text": "It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"Malware: DNS-based attack technique": [[26, 52]], "Organization: Arbor 's ASERT Team": [[183, 202]]}, "info": {"id": "dnrti_train_002173", "source": "dnrti_train"}} {"text": "t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"Malware: DNS-based attack technique": [[25, 51]], "Organization: Arbor 's ASERT Team": [[182, 201]]}, "info": {"id": "dnrti_train_002174", "source": "dnrti_train"}} {"text": "By relying on a native PDF 
command to navigate to a new URL , Zirconium successfully circumvented Chrome 's anti-redirect protection .", "spans": {"System: PDF command": [[23, 34]], "System: URL": [[56, 59]]}, "info": {"id": "dnrti_train_002175", "source": "dnrti_train"}} {"text": "In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials .", "spans": {"Malware: Ismdoor RAT": [[22, 33]]}, "info": {"id": "dnrti_train_002176", "source": "dnrti_train"}} {"text": "To do this , it employs a number of specific commands via DNSMessenger .", "spans": {"Malware: DNSMessenger": [[58, 70]]}, "info": {"id": "dnrti_train_002177", "source": "dnrti_train"}} {"text": "Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies .", "spans": {"Organization: High-Tech": [[87, 96]], "Organization: Cyber Security Companies": [[101, 125]]}, "info": {"id": "dnrti_train_002178", "source": "dnrti_train"}} {"text": "By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent .", "spans": {}, "info": {"id": "dnrti_train_002179", "source": "dnrti_train"}} {"text": "Named Trochilus , this new RAT was part of Group 27 's malware portfolio that included six other malware strains , all served together or in different combinations , based on the data that needed to be stolen from each victim .", "spans": {"Malware: Trochilus": [[6, 15]], "Malware: RAT": [[27, 30]]}, "info": {"id": "dnrti_train_002180", "source": "dnrti_train"}} {"text": "According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website .", "spans": {"Organization: Myanmar Union Election Commission": [[271, 304]], 
"Organization: UEC": [[307, 310]]}, "info": {"id": "dnrti_train_002181", "source": "dnrti_train"}} {"text": "Trochilus RAT activity was discovered during both months of October and November 2015 .", "spans": {}, "info": {"id": "dnrti_train_002182", "source": "dnrti_train"}} {"text": "From September 2016 through late November 2016 , a threat actor group used both the Trochilus RAT and a newly identified RAT we've named MoonWind to target organizations in Thailand , including a utility organization .", "spans": {"Malware: Trochilus RAT": [[84, 97]], "Malware: RAT": [[120, 123]], "Malware: MoonWind": [[136, 144]], "Organization: utility organization": [[195, 215]]}, "info": {"id": "dnrti_train_002183", "source": "dnrti_train"}} {"text": "We chose the name ' MoonWind ' based on debugging strings we saw within the samples , as well as the compiler used to generate the samples .", "spans": {"Malware: MoonWind": [[20, 28]]}, "info": {"id": "dnrti_train_002184", "source": "dnrti_train"}} {"text": "The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past .", "spans": {"Malware: legitimate Thai websites": [[30, 54]]}, "info": {"id": "dnrti_train_002185", "source": "dnrti_train"}} {"text": "Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time .", "spans": {"Malware: Trochilus": [[9, 18]], "Malware: MoonWind RATs": [[23, 36]]}, "info": {"id": "dnrti_train_002186", "source": "dnrti_train"}} {"text": "The attackers used different command and control servers ( C2s ) for each malware family , a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone .", "spans": {"Malware: command and control servers": [[29, 56]]}, "info": {"id": "dnrti_train_002187", "source": "dnrti_train"}} {"text": "Further research led us to additional MoonWind samples using the same C2 ( dns.webswindows.com ) but 
hosted on a different compromised but legitimate website .", "spans": {"Malware: MoonWind samples": [[38, 54]], "Malware: legitimate website": [[139, 157]]}, "info": {"id": "dnrti_train_002188", "source": "dnrti_train"}} {"text": "The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files , while in the November attacks the RATs were stored as executables .", "spans": {"Malware: MoonWind samples": [[105, 121]], "Malware: RAR files": [[125, 134]], "Malware: RATs": [[171, 175]]}, "info": {"id": "dnrti_train_002189", "source": "dnrti_train"}} {"text": "We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University .", "spans": {}, "info": {"id": "dnrti_train_002190", "source": "dnrti_train"}} {"text": "Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity .", "spans": {"Malware: Trochilus": [[0, 9]], "Organization: Arbor Networks": [[32, 46]]}, "info": {"id": "dnrti_train_002191", "source": "dnrti_train"}} {"text": "The activity dates to at least 2013 and has ties to multiple reports by other researchers .", "spans": {}, "info": {"id": "dnrti_train_002192", "source": "dnrti_train"}} {"text": "It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity , indicating they are not only still active but continuing to evolve their playbook .", "spans": {"Malware: MoonWind": [[20, 28]]}, "info": {"id": "dnrti_train_002193", "source": "dnrti_train"}} {"text": "The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": {}, "info": {"id": "dnrti_train_002194", "source": "dnrti_train"}} {"text": "On June 7 , 2013 , Rapid7 released an analysis of malware dubbed ' KeyBoy ' , also exploiting unknown 
vulnerabilities in Microsoft Office , similarly patched by MS12-060 , but allegedly targeting interests in Vietnam and India .", "spans": {"Organization: Rapid7": [[19, 25]], "Malware: KeyBoy": [[67, 73]], "Malware: MS12-060": [[161, 169]]}, "info": {"id": "dnrti_train_002195", "source": "dnrti_train"}} {"text": "As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure .", "spans": {}, "info": {"id": "dnrti_train_002196", "source": "dnrti_train"}} {"text": "Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar .", "spans": {"Malware: legitimate traffic": [[17, 35]]}, "info": {"id": "dnrti_train_002197", "source": "dnrti_train"}} {"text": "Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011 .", "spans": {}, "info": {"id": "dnrti_train_002198", "source": "dnrti_train"}} {"text": "Based on the patterns of subdomain registration over time in DNS , TRAC believes this is an example where the attackers registered their own second-level domain .", "spans": {"Organization: TRAC": [[67, 71]]}, "info": {"id": "dnrti_train_002199", "source": "dnrti_train"}} {"text": "In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience ( and to our knowledge , for a lack of an existing name ) we call KeyBoy , due to a string present in one of the samples .", "spans": {"Malware: backdoor": [[158, 166]], "Malware: KeyBoy": [[265, 271]]}, "info": {"id": "dnrti_train_002200", "source": "dnrti_train"}} {"text": "We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": {"Malware: THAM luan - GD -": 
[[51, 67]], "Malware: NCKH2.doc": [[68, 77]], "Malware: MS12-060": [[162, 170]]}, "info": {"id": "dnrti_train_002201", "source": "dnrti_train"}} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"Malware: document": [[5, 13]]}, "info": {"id": "dnrti_train_002202", "source": "dnrti_train"}} {"text": "For the sake of this analysis we'll take the Vietnamese backdoor as an example ; the one found in the Indian attack operates in the exact same way .", "spans": {"Malware: Vietnamese backdoor": [[45, 64]]}, "info": {"id": "dnrti_train_002203", "source": "dnrti_train"}} {"text": "In the second set they are making use of a dynamic DNS service by ChangeIP.com .", "spans": {"Malware: dynamic DNS service": [[43, 62]]}, "info": {"id": "dnrti_train_002204", "source": "dnrti_train"}} {"text": "The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"Organization: Tibetan community": [[4, 21]], "Malware: malware": [[91, 98]]}, "info": {"id": "dnrti_train_002205", "source": "dnrti_train"}} {"text": "he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"Organization: Tibetan community": [[3, 20]], "Malware: malware": [[90, 97]]}, "info": {"id": "dnrti_train_002206", "source": "dnrti_train"}} {"text": "They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": {"Organization: ethnic minorities": [[50, 67]], "Organization: religious groups": [[72, 88]]}, "info": {"id": "dnrti_train_002207", "source": "dnrti_train"}} {"text": "Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"Malware: 
document malware": [[26, 42]], "Organization: Tibetan non-governmental organizations": [[62, 100]], "Organization: Falun Gong": [[129, 139]], "Organization: Uyghur groups": [[144, 157]]}, "info": {"id": "dnrti_train_002208", "source": "dnrti_train"}} {"text": "More recently in 2016 , Arbor Networks reported on connected malware operations continuing to target these same groups , which the Communist Party of China perceives as a threat to its power .", "spans": {"Organization: Arbor Networks": [[24, 38]]}, "info": {"id": "dnrti_train_002209", "source": "dnrti_train"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"Malware: exploit code": [[13, 25]]}, "info": {"id": "dnrti_train_002210", "source": "dnrti_train"}} {"text": "For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community .", "spans": {"Organization: Tibetan community": [[110, 127]]}, "info": {"id": "dnrti_train_002211", "source": "dnrti_train"}} {"text": "These operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of KeyBoy .", "spans": {"Malware: email lures": [[42, 53]], "Malware: KeyBoy": [[131, 137]]}, "info": {"id": "dnrti_train_002212", "source": "dnrti_train"}} {"text": "In August and October 2016 we observed a malware operation targeting members of the Tibetan Parliament ( the highest legislative organ of the Tibetan government in exile , formally known as Central Tibetan Administration ) .", "spans": {"Organization: Tibetan Parliament": [[84, 102]], "Organization: Tibetan": [[142, 149]], "Organization: Central Tibetan Administration": [[190, 220]]}, "info": {"id": "dnrti_train_002213", "source": 
"dnrti_train"}} {"text": "The Arbor report describes the ongoing use of these four vulnerabilities in a series of espionage campaigns against not only Tibetan groups , but also others related to Hong Kong , Taiwan , and Uyghur interests .", "spans": {"Organization: Arbor": [[4, 9]], "Organization: Tibetan groups": [[125, 139]]}, "info": {"id": "dnrti_train_002214", "source": "dnrti_train"}} {"text": "The malware samples deployed in both of these operations are updated versions of the KeyBoy backdoor first discussed in 2013 by Rapid7 .", "spans": {"Malware: KeyBoy backdoor": [[85, 100]], "Organization: Rapid7": [[128, 134]]}, "info": {"id": "dnrti_train_002215", "source": "dnrti_train"}} {"text": "This behavioural tactic was previously mentioned in relation to KeyBoy in a 2013 blog post by Cisco .", "spans": {"Malware: KeyBoy": [[64, 70]], "Organization: Cisco": [[94, 99]]}, "info": {"id": "dnrti_train_002216", "source": "dnrti_train"}} {"text": "These versions of KeyBoy differed from the one first described by Rapid7 in several ways , many of which will be described in the sections to follow .", "spans": {"Malware: KeyBoy": [[18, 24]], "Organization: Rapid7": [[66, 72]]}, "info": {"id": "dnrti_train_002217", "source": "dnrti_train"}} {"text": "These samples were contained in exploit documents containing distinct lure content , one having a Tibetan nexus , the other an Indian nexus .", "spans": {}, "info": {"id": "dnrti_train_002218", "source": "dnrti_train"}} {"text": "We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures .", "spans": {"Malware: KeyBoy samples": [[38, 52]]}, "info": {"id": "dnrti_train_002219", "source": "dnrti_train"}} {"text": "In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation 
routine in order to hide many of the critical values referenced within the malware .", "spans": {"Malware: KeyBoy": [[144, 150]], "Malware: string obfuscation routine": [[165, 191]]}, "info": {"id": "dnrti_train_002220", "source": "dnrti_train"}} {"text": "Trend Micro specifically noted that the 2013 versions of KeyBoy used the same algorithm for encoding their configuration files as was observed in the Operation Tropic Trooper malware .", "spans": {"Organization: Trend Micro": [[0, 11]], "Malware: KeyBoy": [[57, 63]]}, "info": {"id": "dnrti_train_002221", "source": "dnrti_train"}} {"text": "This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]]}, "info": {"id": "dnrti_train_002222", "source": "dnrti_train"}} {"text": "The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": {"Organization: Tibetan Parliamentarians": [[26, 50]], "Malware: malicious attachments": [[84, 105]], "Malware: documents bearing exploits": [[121, 147]]}, "info": {"id": "dnrti_train_002223", "source": "dnrti_train"}} {"text": "Chances are about even , though , that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved .", "spans": {"Organization: Mofang": [[39, 45]]}, "info": {"id": "dnrti_train_002224", "source": "dnrti_train"}} {"text": "In addition to the campaign in Myanmar , Mofang has been observed to attack targets across multiple sectors ( government , military , critical infrastructure and the automotive and weapon industries ) in multiple countries .", "spans": {"Organization: Mofang": [[41, 47]]}, "info": {"id": "dnrti_train_002225", "source": "dnrti_train"}} {"text": "This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows , called Mofang .", "spans": {"Organization: Fox-IT": 
[[67, 73]], "Organization: Mofang": [[124, 130]]}, "info": {"id": "dnrti_train_002226", "source": "dnrti_train"}} {"text": "The name Mofang is based on the Mandarin verb , which means to imitate .", "spans": {"Organization: Mofang": [[9, 15]]}, "info": {"id": "dnrti_train_002227", "source": "dnrti_train"}} {"text": "It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated .", "spans": {"Organization: Mofang group": [[29, 41]]}, "info": {"id": "dnrti_train_002228", "source": "dnrti_train"}} {"text": "Chapter 7 explains the working of Mofang 's preferred tools : ShimRat and SimRatReporter .", "spans": {"Malware: ShimRat": [[62, 69]], "Malware: SimRatReporter": [[74, 88]]}, "info": {"id": "dnrti_train_002229", "source": "dnrti_train"}} {"text": "The Mofang group has been active in relation to the Kyaukphyu sez .", "spans": {"Organization: Mofang group": [[4, 16]]}, "info": {"id": "dnrti_train_002230", "source": "dnrti_train"}} {"text": "KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine .", "spans": {"Malware: KeyBoy": [[0, 6]]}, "info": {"id": "dnrti_train_002231", "source": "dnrti_train"}} {"text": "The first attack started in early July with a ShimRatReporter payload .", "spans": {"Malware: ShimRatReporter": [[46, 61]]}, "info": {"id": "dnrti_train_002232", "source": "dnrti_train"}} {"text": "Myanmar has been the target of Mofang 's attacks for years before the campaign related to the sez .", "spans": {"Organization: Mofang": [[31, 37]]}, "info": {"id": "dnrti_train_002233", "source": "dnrti_train"}} {"text": "In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": {"Organization: Mofang": [[23, 29]]}, "info": {"id": "dnrti_train_002234", "source": "dnrti_train"}} {"text": "In 
December 2012 Mofang started a campaign against a new target , called ' seg ' for the purpose of this report .", "spans": {}, "info": {"id": "dnrti_train_002235", "source": "dnrti_train"}} {"text": "From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious .", "spans": {"Malware: F-Secure Antivirus": [[73, 91]], "Malware: Mofang": [[96, 102]]}, "info": {"id": "dnrti_train_002236", "source": "dnrti_train"}} {"text": "In September 2015 Mofang launched another attack .", "spans": {"Organization: Mofang": [[18, 24]]}, "info": {"id": "dnrti_train_002237", "source": "dnrti_train"}} {"text": "A new version of ShimRat was built on the 7th of September , uploaded to the server and only days later used in a new campaign .", "spans": {"Malware: ShimRat": [[17, 24]]}, "info": {"id": "dnrti_train_002238", "source": "dnrti_train"}} {"text": "MoneyTaker has primarily been targeting card processing systems , including the AWS CBR ( Russian Interbank System ) and purportedly SWIFT ( US ) .", "spans": {}, "info": {"id": "dnrti_train_002239", "source": "dnrti_train"}} {"text": "Given the wide usage of STAR in LATAM , financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group .", "spans": {"Organization: financial institutions": [[40, 62]], "Organization: MoneyTaker group": [[136, 152]]}, "info": {"id": "dnrti_train_002240", "source": "dnrti_train"}} {"text": "In addition to banks , the MoneyTaker group has attacked law firms and also financial software vendors .", "spans": {"Organization: MoneyTaker group": [[27, 43]], "Organization: law firms": [[57, 66]]}, "info": {"id": "dnrti_train_002241", "source": "dnrti_train"}} {"text": "Since that time , the group attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": {}, "info": {"id": 
"dnrti_train_002242", "source": "dnrti_train"}} {"text": "The first attack in the US that Group-IB attributes to MoneyTaker was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": {"Organization: Group-IB": [[32, 40]]}, "info": {"id": "dnrti_train_002243", "source": "dnrti_train"}} {"text": "The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": {"Organization: Group-IB": [[32, 40]]}, "info": {"id": "dnrti_train_002244", "source": "dnrti_train"}} {"text": "In 2017 , the number of MoneyTaker 's attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": {"Organization: MoneyTaker": [[24, 34]], "Organization: law firm": [[88, 96]]}, "info": {"id": "dnrti_train_002245", "source": "dnrti_train"}} {"text": "In 2017 , the number of attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": {"Organization: law firm": [[74, 82]]}, "info": {"id": "dnrti_train_002246", "source": "dnrti_train"}} {"text": "By analyzing the attack infrastructure , Group-IB identified that MoneyTaker group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks .", "spans": {"Organization: Group-IB": [[41, 49]], "Organization: MoneyTaker group": [[66, 82]]}, "info": {"id": "dnrti_train_002247", "source": "dnrti_train"}} {"text": "Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools .", "spans": {"Organization: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_002248", "source": "dnrti_train"}} {"text": "Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our 
cooperation in fighting cybercrime .", "spans": {"Organization: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_002249", "source": "dnrti_train"}} {"text": "In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": {}, "info": {"id": "dnrti_train_002250", "source": "dnrti_train"}} {"text": "To control the full operation , MoneyTaker uses a Pentest framework Server .", "spans": {"Organization: MoneyTaker": [[32, 42]], "Malware: Pentest framework Server": [[50, 74]]}, "info": {"id": "dnrti_train_002251", "source": "dnrti_train"}} {"text": "On it , MoneyTaker installs a legitimate tool for penetration testing – Metasploit .", "spans": {"Organization: MoneyTaker": [[8, 18]], "Malware: Metasploit": [[72, 82]]}, "info": {"id": "dnrti_train_002252", "source": "dnrti_train"}} {"text": "At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation .", "spans": {"Organization: cpg Corporation": [[125, 140]]}, "info": {"id": "dnrti_train_002253", "source": "dnrti_train"}} {"text": "MoneyTaker uses ' fileless ' malware only existing in RAM and is destroyed after reboot .", "spans": {"Organization: MoneyTaker": [[0, 10]], "Malware: fileless": [[18, 26]]}, "info": {"id": "dnrti_train_002254", "source": "dnrti_train"}} {"text": "To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify .", "spans": {"Organization: MoneyTaker": [[36, 46]], "Malware: PowerShell": [[57, 67]], "Malware: VBS scripts": [[72, 83]]}, "info": {"id": "dnrti_train_002255", "source": "dnrti_train"}} {"text": "After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate 
control over the network .", "spans": {}, "info": {"id": "dnrti_train_002256", "source": "dnrti_train"}} {"text": "MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs .", "spans": {"Organization: MUSTANG PANDA": [[0, 13]], "Malware: PowerShell scripts": [[84, 102]], "Malware: Microsoft Office documents": [[107, 133]]}, "info": {"id": "dnrti_train_002257", "source": "dnrti_train"}} {"text": "This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems .", "spans": {}, "info": {"id": "dnrti_train_002258", "source": "dnrti_train"}} {"text": "Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": {"Organization: Unit 42": [[0, 7]], "Organization: Foreign Ministry": [[84, 100]]}, "info": {"id": "dnrti_train_002259", "source": "dnrti_train"}} {"text": "Since that time , MoneyTaker attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": {"Organization: MoneyTaker": [[18, 28]]}, "info": {"id": "dnrti_train_002260", "source": "dnrti_train"}} {"text": "In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": {"Organization: Trend Micro": [[43, 54]], "Malware: espionage toolkit": [[104, 121]], "Malware: KeyBoy": [[202, 208]]}, "info": {"id": "dnrti_train_002261", "source": "dnrti_train"}} {"text": "Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]], "Malware: NetTraveler Trojan": [[77, 95]]}, "info": {"id": 
"dnrti_train_002262", "source": "dnrti_train"}} {"text": "Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: NetTraveler": [[31, 42]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Malware: NetTraveler Trojan": [[89, 107]]}, "info": {"id": "dnrti_train_002263", "source": "dnrti_train"}} {"text": "Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[24, 35]], "Vulnerability: CVE-2012-0158": [[57, 70]], "Malware: NetTraveler Trojan": [[82, 100]]}, "info": {"id": "dnrti_train_002264", "source": "dnrti_train"}} {"text": "In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker , 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": {"Organization: Group-IB": [[10, 18]], "Organization: service provider": [[115, 131]]}, "info": {"id": "dnrti_train_002265", "source": "dnrti_train"}} {"text": "If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite .", "spans": {"Malware: KeyBoy": [[3, 9]], "Malware: configuration encoding algorithm": [[134, 166]]}, "info": {"id": "dnrti_train_002266", "source": "dnrti_train"}} {"text": "In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker ; 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": {"Organization: Group-IB": [[10, 18]], "Organization: service provider": [[115, 131]]}, "info": {"id": "dnrti_train_002267", "source": "dnrti_train"}} {"text": "The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade 
by nation state threat actors and continues to be used to target its victims and exfiltrate data .", "spans": {"Malware: NetTraveler trojan": [[4, 22]]}, "info": {"id": "dnrti_train_002268", "source": "dnrti_train"}} {"text": "The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": {"Malware: exploit document": [[4, 20]], "Malware: KeyBoy": [[45, 51]], "Malware: decoy document": [[78, 92]]}, "info": {"id": "dnrti_train_002269", "source": "dnrti_train"}} {"text": "Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB .", "spans": {"Organization: Group-IB": [[98, 106]]}, "info": {"id": "dnrti_train_002270", "source": "dnrti_train"}} {"text": "This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard .", "spans": {}, "info": {"id": "dnrti_train_002271", "source": "dnrti_train"}} {"text": "To conduct targeted attacks , MoneyTaker use a distributed infrastructure that is difficult to track .", "spans": {"Organization: MoneyTaker": [[30, 40]], "Malware: distributed infrastructure": [[47, 73]]}, "info": {"id": "dnrti_train_002272", "source": "dnrti_train"}} {"text": "This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": {"Malware: rastls.dll": [[93, 103]], "Malware: Sycmentec.config files": [[108, 130]]}, "info": {"id": "dnrti_train_002273", "source": "dnrti_train"}} {"text": "Hackers use Metasploit to conduct all these activities : network reconnaissance , search for vulnerable applications , exploit vulnerabilities , escalate systems privileges , and collect information .", "spans": {"Malware: Metasploit": [[12, 22]], "System: network reconnaissance": [[57, 79]], "System: vulnerable applications": [[93, 116]]}, "info": {"id": "dnrti_train_002274", "source": 
"dnrti_train"}} {"text": "Over the years they've used application components from Norman , McAfee and Norton .", "spans": {"Organization: Norman": [[56, 62]], "Organization: McAfee": [[65, 71]], "Organization: Norton": [[76, 82]]}, "info": {"id": "dnrti_train_002275", "source": "dnrti_train"}} {"text": "Recently , Falcon Intelligence observed new activity from MUSTANG PANDA , using a unique infection chain to target likely Mongolia-based victims .", "spans": {"Organization: Falcon Intelligence": [[11, 30]], "Malware: infection chain": [[89, 104]]}, "info": {"id": "dnrti_train_002276", "source": "dnrti_train"}} {"text": "Throughout the years , the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations , in order to stage attacks .", "spans": {}, "info": {"id": "dnrti_train_002277", "source": "dnrti_train"}} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"Malware: .lnk file": [[53, 62]]}, "info": {"id": "dnrti_train_002278", "source": "dnrti_train"}} {"text": "A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technologies .", "spans": {"Organization: Kaspersky Labs": [[22, 36]], "Malware: NetTraveler": [[48, 59]]}, "info": {"id": "dnrti_train_002279", "source": "dnrti_train"}} {"text": "Obviously , the developers behind NetTraveler have taken steps to try to hide the malware 's configuration .", "spans": {"Malware: NetTraveler": [[34, 45]]}, "info": {"id": "dnrti_train_002280", "source": "dnrti_train"}} {"text": "In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Vulnerability: CVE-2012-0158": [[66, 79]], "Malware: NetTraveler Trojan": [[95, 113]]}, "info": {"id": "dnrti_train_002281", "source": 
"dnrti_train"}} {"text": "In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[34, 45]], "Vulnerability: CVE-2012-0158": [[67, 80]], "Malware: NetTraveler Trojan": [[96, 114]]}, "info": {"id": "dnrti_train_002282", "source": "dnrti_train"}} {"text": "In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[38, 49]], "Vulnerability: CVE-2012-0158": [[71, 84]], "Malware: NetTraveler Trojan": [[100, 118]]}, "info": {"id": "dnrti_train_002283", "source": "dnrti_train"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Malware: attachment": [[35, 45]], "Malware: NetTraveler": [[79, 90]], "Malware: DLL side-loading": [[99, 115]]}, "info": {"id": "dnrti_train_002284", "source": "dnrti_train"}} {"text": "NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": {"Malware: NetTraveler": [[0, 11]], "Organization: diplomats": [[36, 45]], "Organization: embassies": [[48, 57]], "Organization: government institutions": [[62, 85]]}, "info": {"id": "dnrti_train_002285", "source": "dnrti_train"}} {"text": "WildFire correctly classifies NetTraveler as malicious .", "spans": {"Organization: WildFire": [[0, 8]], "Malware: NetTraveler": [[30, 41]]}, "info": {"id": "dnrti_train_002286", "source": "dnrti_train"}} {"text": "The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": {"Organization: government institutions": [[122, 145]], 
"Organization: embassies": [[148, 157]], "Organization: military contractors": [[206, 226]], "Organization: activists": [[231, 240]]}, "info": {"id": "dnrti_train_002287", "source": "dnrti_train"}} {"text": "Today Kaspersky Lab 's team of experts published a new research report about NetTraveler , which is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries .", "spans": {"Organization: Kaspersky Lab": [[6, 19]], "Malware: NetTraveler": [[77, 88]]}, "info": {"id": "dnrti_train_002288", "source": "dnrti_train"}} {"text": "According to Kaspersky Lab 's report , this threat actor has been active since as early as 2004 ; however , the highest volume of activity occurred from 2010 – 2013 .", "spans": {"Organization: Kaspersky Lab": [[13, 26]]}, "info": {"id": "dnrti_train_002289", "source": "dnrti_train"}} {"text": "Most recently , the NetTraveler group 's main domains of interest for cyberespionage activities include space exploration , nanotechnology , energy production , nuclear power , lasers , medicine and communications .", "spans": {}, "info": {"id": "dnrti_train_002290", "source": "dnrti_train"}} {"text": "In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files .", "spans": {"Malware: NetTraveler toolkit": [[18, 37]]}, "info": {"id": "dnrti_train_002291", "source": "dnrti_train"}} {"text": "During Kaspersky Lab 's analysis of NetTraveler , the company 's experts identified six victims that had been infected by both NetTraveler and Red October , which was another cyberespionage operation analyzed by Kaspersky Lab in January 2013 .", "spans": {"Organization: Kaspersky Lab": [[7, 20], [212, 225]], "Malware: NetTraveler": [[36, 47]]}, "info": {"id": "dnrti_train_002292", "source": 
"dnrti_train"}} {"text": "Kaspersky Lab 's products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit , including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Malware: NetTraveler Toolkit": [[100, 119]], "Malware: Trojan-Spy.Win32.TravNet": [[132, 156]], "Malware: Downloader.Win32.NetTraveler": [[161, 189]]}, "info": {"id": "dnrti_train_002293", "source": "dnrti_train"}} {"text": "Based on Kaspersky Lab 's analysis of NetTraveler 's C&C data , there were a total of 350 victims in 40 countries across including the United States , Canada , United Kingdom , Russia , Chile , Morocco , Greece , Belgium , Austria , Ukraine , Lithuania , Belarus , Australia , Hong Kong , Japan , China , Mongolia , Iran , Turkey , India , Pakistan , South Korea , Thailand , Qatar , Kazakhstan , and Jordan .", "spans": {"Organization: Kaspersky Lab": [[9, 22]]}, "info": {"id": "dnrti_train_002294", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: Microsoft Office exploits": [[37, 62]], "Malware: Exploit.MSWord.CVE-2010-333": [[110, 137]], "Malware: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "dnrti_train_002295", "source": "dnrti_train"}} {"text": "In this case , it was a group commonly referred to as \" Nitro \" , which was coined by Symantec in its 2011 whitepaper .", "spans": {"Organization: Symantec": [[86, 94]]}, "info": {"id": "dnrti_train_002296", "source": "dnrti_train"}} {"text": "Historically , Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware , which was not seen in these attacks .", "spans": {"Malware: Poison Ivy malware": [[78, 96]]}, "info": {"id": "dnrti_train_002297", "source": "dnrti_train"}} 
{"text": "Since at least 2013 , Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites , as reported by Cyber Squared 's TCIRT .", "spans": {"Malware: Spindest": [[108, 116]], "Malware: legitimate compromised websites": [[121, 152]], "Organization: Cyber Squared 's TCIRT": [[170, 192]]}, "info": {"id": "dnrti_train_002298", "source": "dnrti_train"}} {"text": "In July , Nitro compromised a South Korean clothing and accessories manufacturer 's website to serve malware commonly referred to as \" Spindest \" .", "spans": {"Malware: Spindest": [[135, 143]]}, "info": {"id": "dnrti_train_002299", "source": "dnrti_train"}} {"text": "Of all the samples we've tied to this activity so far noted in this blog , this is the only one configured to connect directly to an IP address for Command and Control ( C2 ) .", "spans": {}, "info": {"id": "dnrti_train_002300", "source": "dnrti_train"}} {"text": "The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample .", "spans": {"Malware: Spindest": [[28, 36]], "Malware: PcClient sample": [[94, 109]]}, "info": {"id": "dnrti_train_002301", "source": "dnrti_train"}} {"text": "As this post and previous cited research show , APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection .", "spans": {}, "info": {"id": "dnrti_train_002302", "source": "dnrti_train"}} {"text": "Attacks on the chemical industry are merely their latest attack wave .", "spans": {}, "info": {"id": "dnrti_train_002303", "source": "dnrti_train"}} {"text": "The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes .", "spans": {}, "info": {"id": "dnrti_train_002304", "source": "dnrti_train"}} {"text": "The attack wave started in late July 2011 and continued into mid-September 2011 .", "spans": {}, "info": {"id": 
"dnrti_train_002305", "source": "dnrti_train"}} {"text": "The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage .", "spans": {}, "info": {"id": "dnrti_train_002306", "source": "dnrti_train"}} {"text": "They then moved on to the motor industry in late May .", "spans": {}, "info": {"id": "dnrti_train_002307", "source": "dnrti_train"}} {"text": "From late April to early May , the attackers focused on human rights related NGOs .", "spans": {}, "info": {"id": "dnrti_train_002308", "source": "dnrti_train"}} {"text": "Attackers then moved on to the motor industry in late May .", "spans": {}, "info": {"id": "dnrti_train_002309", "source": "dnrti_train"}} {"text": "At this point , the current attack campaign against the chemical industry began .", "spans": {}, "info": {"id": "dnrti_train_002310", "source": "dnrti_train"}} {"text": "The attackers first researched desired targets and then sent an email specifically to the target .", "spans": {"System: email": [[64, 69]]}, "info": {"id": "dnrti_train_002311", "source": "dnrti_train"}} {"text": "First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners .", "spans": {}, "info": {"id": "dnrti_train_002312", "source": "dnrti_train"}} {"text": "While the attackers used different pretexts when sending these malicious emails , two methodologies stood out .", "spans": {"System: malicious emails": [[63, 79]]}, "info": {"id": "dnrti_train_002313", "source": "dnrti_train"}} {"text": "Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update .", "spans": {"System: emails": [[20, 26]]}, "info": {"id": "dnrti_train_002314", "source": "dnrti_train"}} {"text": "The attacks were traced back to a computer system that was a virtual private server ( VPS ) located in the United States .", "spans": {"Malware: VPS": [[86, 89]]}, "info": 
{"id": "dnrti_train_002315", "source": "dnrti_train"}} {"text": "Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu .", "spans": {"Malware: PDF": [[32, 35]], "Malware: DOC files": [[40, 49]], "Malware: Backdoor.Sogu": [[91, 104]]}, "info": {"id": "dnrti_train_002316", "source": "dnrti_train"}} {"text": "This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users .", "spans": {}, "info": {"id": "dnrti_train_002317", "source": "dnrti_train"}} {"text": "The Sogu gang use a custom developed threat – Backdoor.Sogu , whereas the group described in this document use an off the shelf threat – Poison Ivy .", "spans": {"Malware: Backdoor.Sogu": [[46, 59]], "Malware: Poison Ivy": [[137, 147]]}, "info": {"id": "dnrti_train_002318", "source": "dnrti_train"}} {"text": "The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails .", "spans": {"Malware: PDF": [[34, 37]], "Malware: DOC files": [[42, 51]], "System: emails": [[80, 86]]}, "info": {"id": "dnrti_train_002319", "source": "dnrti_train"}} {"text": "These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations .", "spans": {"Organization: military institutions": [[122, 143]], "Organization: governmental organizations": [[150, 176]], "Organization: human rights organizations": [[246, 272]]}, "info": {"id": "dnrti_train_002320", "source": "dnrti_train"}} {"text": "Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"Organization: Nitro": [[0, 5]], "Organization: chemical sector": [[33, 48]]}, "info": {"id": "dnrti_train_002321", "source": 
"dnrti_train"}} {"text": "This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"Organization: chemical sector": [[36, 51]]}, "info": {"id": "dnrti_train_002322", "source": "dnrti_train"}} {"text": "These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions .", "spans": {}, "info": {"id": "dnrti_train_002323", "source": "dnrti_train"}} {"text": "The attackers try to lure targets through spear phishing emails that include compressed executables .", "spans": {"System: spear phishing emails": [[42, 63]]}, "info": {"id": "dnrti_train_002324", "source": "dnrti_train"}} {"text": "We found that the group behind this campaign targeted mainly industrial , engineering and manufacturing organizations in more than 30 countries .", "spans": {"Organization: manufacturing organizations": [[90, 117]]}, "info": {"id": "dnrti_train_002325", "source": "dnrti_train"}} {"text": "Using the Kaspersky Security Network ( KSN ) and artifacts from malware files and attack sites , we were able to trace the attacks back to March 2015 .", "spans": {"Organization: Kaspersky Security Network": [[10, 36]], "Organization: KSN": [[39, 42]]}, "info": {"id": "dnrti_train_002326", "source": "dnrti_train"}} {"text": "Operation Ghoul is one of the many attacks in the wild targeting industrial , manufacturing and engineering organizations , Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments .", "spans": {"Organization: engineering organizations": [[96, 121]], "Organization: Kaspersky Lab": [[124, 137]], "System: emails and attachments": [[203, 225]]}, "info": {"id": "dnrti_train_002327", "source": "dnrti_train"}} {"text": "The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the 
self-declared Donetsk and Luhansk People's Republics .", "spans": {"Organization: anti-government separatists": [[112, 139]]}, "info": {"id": "dnrti_train_002328", "source": "dnrti_train"}} {"text": "The attacks appear to be geopolitically motivated and target high profile organizations .", "spans": {"Organization: high profile organizations": [[61, 87]]}, "info": {"id": "dnrti_train_002329", "source": "dnrti_train"}} {"text": "The objective of the attacks is clearly espionage – they involve gaining access to top legislative , executive and judicial bodies around the world .", "spans": {}, "info": {"id": "dnrti_train_002330", "source": "dnrti_train"}} {"text": "The attackers have targeted a large number of organizations globally since early 2017 , with the main focus on the Middle East and North Africa ( MENA ) , especially Palestine .", "spans": {}, "info": {"id": "dnrti_train_002331", "source": "dnrti_train"}} {"text": "The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region .", "spans": {}, "info": {"id": "dnrti_train_002332", "source": "dnrti_train"}} {"text": "Like BlackEnergy ( a.k.a Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus .", "spans": {"Malware: BlackEnergy": [[5, 16]], "Organization: Sandworm": [[25, 33]], "Organization: Quedagh": [[36, 43]], "Malware: Potao": [[48, 53]]}, "info": {"id": "dnrti_train_002333", "source": "dnrti_train"}} {"text": "The main reason for the increase in Potao detections in 2014 and 2015 were infections through USB drives .", "spans": {"Malware: Potao": [[36, 41]]}, "info": {"id": "dnrti_train_002334", "source": "dnrti_train"}} {"text": "The first Potao campaign that we examined took place in August 2011 .", "spans": {}, "info": {"id": "dnrti_train_002335", "source": "dnrti_train"}} {"text": "In March 2014 , the gang 
behind Potao started using a new infection vector .", "spans": {"Malware: Potao": [[32, 37]], "Malware: infection vector": [[58, 74]]}, "info": {"id": "dnrti_train_002336", "source": "dnrti_train"}} {"text": "Since March 2015 , ESET has detected Potao binaries at several high-value Ukrainian targets that include government and military entities and one of the major Ukrainian news agencies .", "spans": {"Organization: ESET": [[19, 23]], "Malware: Potao": [[37, 42]], "Organization: military entities": [[120, 137]], "Organization: news agencies": [[169, 182]]}, "info": {"id": "dnrti_train_002337", "source": "dnrti_train"}} {"text": "As confirmation that the malware writers are still very active even at the time of this writing , ESET detected a new Potao sample compiled on July 20 , 2015 .", "spans": {"Organization: ESET": [[98, 102]], "Malware: Potao sample": [[118, 130]]}, "info": {"id": "dnrti_train_002338", "source": "dnrti_train"}} {"text": "In the previous pages we have presented our findings based on ESET detection telemetry and our analysis of Win32/Potao and Win32/FakeTC samples .", "spans": {"Organization: ESET": [[62, 66]], "Malware: Win32/Potao": [[107, 118]], "Malware: Win32/FakeTC samples": [[123, 143]]}, "info": {"id": "dnrti_train_002339", "source": "dnrti_train"}} {"text": "Potao is another example of targeted espionage malware , a so-called APT , to use the popular buzzword , although technically the malware is not particularly advanced or sophisticated .", "spans": {"Malware: Potao": [[0, 5]], "Malware: malware": [[130, 137]]}, "info": {"id": "dnrti_train_002340", "source": "dnrti_train"}} {"text": "Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan .", "spans": {"Malware: 
Potao": [[20, 25]], "System: spear-phishing": [[161, 175]]}, "info": {"id": "dnrti_train_002341", "source": "dnrti_train"}} {"text": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates .", "spans": {"Organization: PassCV group": [[4, 16]]}, "info": {"id": "dnrti_train_002342", "source": "dnrti_train"}} {"text": "The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"Organization: PassCV group": [[4, 16]], "Malware: publicly available RATs": [[36, 59]]}, "info": {"id": "dnrti_train_002343", "source": "dnrti_train"}} {"text": "The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"Organization: PassCV": [[4, 10]], "Malware: publicly available RATs": [[36, 59]]}, "info": {"id": "dnrti_train_002344", "source": "dnrti_train"}} {"text": "PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT , which have remained a favorite of the wider Chinese criminal community since their initial public release .", "spans": {"Organization: PassCV": [[0, 6]], "Malware: RATs": [[89, 93]], "Malware: ZxShell": [[99, 106]], "Malware: Ghost RAT": [[111, 120]]}, "info": {"id": "dnrti_train_002345", "source": "dnrti_train"}} {"text": "SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": {"Organization: SPEAR": [[0, 5]], "Malware: PassCV samples": [[24, 38]], "Malware: RAT": [[99, 102]], "Malware: Netwire": [[110, 117]]}, "info": {"id": "dnrti_train_002346", "source": "dnrti_train"}} {"text": "SPEAR identified recent 
PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": {"Organization: SPEAR": [[0, 5]], "Malware: PassCV samples": [[24, 38]], "Malware: RAT": [[99, 102]], "Malware: Netwire": [[110, 117]]}, "info": {"id": "dnrti_train_002347", "source": "dnrti_train"}} {"text": "The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV .", "spans": {"Organization: SPEAR": [[25, 30]], "Organization: PassCV": [[124, 130]]}, "info": {"id": "dnrti_train_002348", "source": "dnrti_train"}} {"text": "Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform .", "spans": {"Organization: company": [[34, 41]]}, "info": {"id": "dnrti_train_002349", "source": "dnrti_train"}} {"text": "The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations .", "spans": {"Organization: PassCV": [[4, 10]], "Organization: game companies": [[90, 104]]}, "info": {"id": "dnrti_train_002350", "source": "dnrti_train"}} {"text": "Since the last report , PassCV has significantly expanded its targets to include victims in the United States , Taiwan , China and Russia .", "spans": {"Organization: PassCV": [[24, 30]]}, "info": {"id": "dnrti_train_002351", "source": "dnrti_train"}} {"text": "Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December .", "spans": {"Organization: Palo Alto Networks AutoFocus": [[29, 57]]}, "info": {"id": "dnrti_train_002352", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability 
, CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_002353", "source": "dnrti_train"}} {"text": "BBSRAT is typically packaged within a portable executable file , although in a few of the observed instances , a raw DLL was discovered to contain BBSRAT .", "spans": {"Malware: BBSRAT": [[0, 6], [147, 153]], "System: portable executable file": [[38, 62]]}, "info": {"id": "dnrti_train_002354", "source": "dnrti_train"}} {"text": "WildFire properly classifies BBSRAT malware samples as malicious .", "spans": {"Organization: WildFire": [[0, 8]], "Malware: BBSRAT malware samples": [[29, 51]]}, "info": {"id": "dnrti_train_002355", "source": "dnrti_train"}} {"text": "This week we will discuss another Chinese nexus adversary we call Samurai Panda .", "spans": {}, "info": {"id": "dnrti_train_002356", "source": "dnrti_train"}} {"text": "Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan , the Republic of Korea , and other democratic Asian victims .", "spans": {"Organization: Samurai Panda": [[0, 13]]}, "info": {"id": "dnrti_train_002357", "source": "dnrti_train"}} {"text": "Next , in an effort to demonstrate it wasn't relegated to China , CrowdStrike exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": {"Organization: CrowdStrike": [[66, 77]]}, "info": {"id": "dnrti_train_002358", "source": "dnrti_train"}} {"text": "Next , in an effort to demonstrate it wasn't relegated to China , we exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": {}, "info": {"id": "dnrti_train_002359", "source": "dnrti_train"}} {"text": "Beginning 
in 2009 , we've observed this actor conduct more than 40 unique campaigns that we've identified in the malware configurations' campaign codes .", "spans": {}, "info": {"id": "dnrti_train_002360", "source": "dnrti_train"}} {"text": "These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets .", "spans": {}, "info": {"id": "dnrti_train_002361", "source": "dnrti_train"}} {"text": "When conducting programmatic espionage activity , it can presumably become quite confusing if the attacker targets a heavy industry company , an avionics program , and seven other unique targets as to which infected host you will collect what information from .", "spans": {"Organization: heavy industry company": [[117, 139]]}, "info": {"id": "dnrti_train_002362", "source": "dnrti_train"}} {"text": "These rules detect the malware \" beaconing \" to the command-and-control server , the initial malware check-in , and an attempt to download a backdoor module .", "spans": {"Malware: beaconing": [[33, 42]], "Malware: command-and-control server": [[52, 78]]}, "info": {"id": "dnrti_train_002363", "source": "dnrti_train"}} {"text": "Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"Organization: Securelist": [[21, 31]], "Vulnerability: zero-day Adobe Flash Player exploit": [[61, 96]]}, "info": {"id": "dnrti_train_002364", "source": "dnrti_train"}} {"text": "Securelist believe the attacks are launched by an APT Group we track under the codename \" ScarCruft \" .", "spans": {"Organization: Securelist": [[0, 10]], "Organization: ScarCruft": [[90, 99]]}, "info": {"id": "dnrti_train_002365", "source": "dnrti_train"}} {"text": "ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"Organization: ScarCruft": 
[[0, 9]]}, "info": {"id": "dnrti_train_002366", "source": "dnrti_train"}} {"text": "ScarCruft has several ongoing operations , utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer .", "spans": {"Organization: ScarCruft": [[0, 9]], "Malware: Adobe Flash": [[81, 92]], "Malware: Microsoft Internet Explorer": [[105, 132]]}, "info": {"id": "dnrti_train_002367", "source": "dnrti_train"}} {"text": "ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"Organization: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002368", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": {"Vulnerability: 0-day": [[111, 116]], "Vulnerability: Adobe Flash Player exploit": [[119, 145]]}, "info": {"id": "dnrti_train_002369", "source": "dnrti_train"}} {"text": "Adobe Flash Player exploit .", "spans": {"Vulnerability: Adobe Flash Player exploit": [[0, 26]]}, "info": {"id": "dnrti_train_002370", "source": "dnrti_train"}} {"text": "It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": {"Organization: ScarCruft": [[25, 34]], "Vulnerability: zero day exploit": [[52, 68]], "Vulnerability: CVE-2016-0147": [[71, 84]]}, "info": {"id": "dnrti_train_002371", "source": "dnrti_train"}} {"text": "Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"Vulnerability: Flash Player exploit": [[35, 55]], "Vulnerability: CVE-2016-4117": [[58, 71]]}, "info": {"id": "dnrti_train_002372", "source": "dnrti_train"}} {"text": "ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"Organization: ScarCruft": 
[[0, 9]], "Vulnerability: Flash Player exploit": [[48, 68]], "Vulnerability: CVE-2016-4117": [[71, 84]]}, "info": {"id": "dnrti_train_002373", "source": "dnrti_train"}} {"text": "Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": {"Organization: ScarCruft": [[49, 58]], "Vulnerability: zero-day exploits": [[92, 109]]}, "info": {"id": "dnrti_train_002374", "source": "dnrti_train"}} {"text": "After publishing our initial series of blogposts back in 2016 , Kaspersky have continued to track the ScarCruft threat actor .", "spans": {"Organization: Kaspersky": [[64, 73]], "Organization: ScarCruft": [[102, 111]]}, "info": {"id": "dnrti_train_002375", "source": "dnrti_train"}} {"text": "After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor .", "spans": {}, "info": {"id": "dnrti_train_002376", "source": "dnrti_train"}} {"text": "ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": {"Organization: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002377", "source": "dnrti_train"}} {"text": "The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) .", "spans": {"Organization: ScarCruft group": [[4, 19]], "System: spear phishing": [[68, 82]], "System: Strategic Web Compromises": [[87, 112]], "Malware: SWC": [[115, 118]]}, "info": {"id": "dnrti_train_002378", "source": "dnrti_train"}} {"text": "ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": {"Organization: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002379", "source": "dnrti_train"}} {"text": "ScarCruft uses a multi-stage binary infection scheme .", 
"spans": {"Organization: ScarCruft": [[0, 9]], "System: binary infection scheme": [[29, 52]]}, "info": {"id": "dnrti_train_002380", "source": "dnrti_train"}} {"text": "One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges .", "spans": {"Malware: dropper": [[49, 56]]}, "info": {"id": "dnrti_train_002381", "source": "dnrti_train"}} {"text": "This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": {"Vulnerability: CVE-2018-8120": [[63, 76]], "Malware: UACME": [[80, 85]]}, "info": {"id": "dnrti_train_002382", "source": "dnrti_train"}} {"text": "Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it .", "spans": {}, "info": {"id": "dnrti_train_002383", "source": "dnrti_train"}} {"text": "The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload .", "spans": {"Malware: downloader malware": [[4, 22]]}, "info": {"id": "dnrti_train_002384", "source": "dnrti_train"}} {"text": "The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration .", "spans": {"Organization: ScarCruft": [[4, 13]]}, "info": {"id": "dnrti_train_002385", "source": "dnrti_train"}} {"text": "We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester .", "spans": {"Malware: malware": [[48, 55]], "Malware: Bluetooth device harvester": [[89, 115]]}, "info": {"id": "dnrti_train_002386", "source": "dnrti_train"}} {"text": "We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them .", "spans": {}, "info": {"id": "dnrti_train_002387", "source": "dnrti_train"}} {"text": "ScarCruft 
also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea .", "spans": {"Organization: diplomatic agency": [[26, 43], [71, 88]]}, "info": {"id": "dnrti_train_002388", "source": "dnrti_train"}} {"text": "It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes .", "spans": {"Organization: ScarCruft": [[11, 20]]}, "info": {"id": "dnrti_train_002389", "source": "dnrti_train"}} {"text": "ScarCruft infected this victim on September 21 , 2018 .", "spans": {"Organization: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002390", "source": "dnrti_train"}} {"text": "But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26 , 2018 .", "spans": {"Organization: ScarCruft": [[15, 24]]}, "info": {"id": "dnrti_train_002391", "source": "dnrti_train"}} {"text": "ScarCruft has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": {"Organization: ScarCruft": [[0, 9]], "Organization: business sector": [[79, 94]], "Organization: diplomatic agencies": [[151, 170]]}, "info": {"id": "dnrti_train_002392", "source": "dnrti_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"Vulnerability: zero-day Adobe Flash Player exploit": [[39, 74]]}, "info": {"id": "dnrti_train_002393", "source": "dnrti_train"}} {"text": "ScarCruft is a relatively new APT group ; victims have been observed in several countries , including Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"Organization: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002394", "source": "dnrti_train"}} {"text": "Currently , the group is engaged in two major operations : Operation Daybreak and Operation Erebus .", "spans": 
{}, "info": {"id": "dnrti_train_002395", "source": "dnrti_train"}} {"text": "The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: CVE-2016-4117": [[77, 90]], "System: watering holes": [[105, 119]]}, "info": {"id": "dnrti_train_002396", "source": "dnrti_train"}} {"text": "The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: CVE-2016-4117": [[68, 81]], "System: watering holes": [[96, 110]]}, "info": {"id": "dnrti_train_002397", "source": "dnrti_train"}} {"text": "We will publish more details about the attack once Adobe patches the vulnerability , which should be on June 16 .", "spans": {}, "info": {"id": "dnrti_train_002398", "source": "dnrti_train"}} {"text": "The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": {"Vulnerability: Flash zero day": [[41, 55]]}, "info": {"id": "dnrti_train_002399", "source": "dnrti_train"}} {"text": "Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": {"Vulnerability: zero-day vulnerability": [[28, 50]]}, "info": {"id": "dnrti_train_002400", "source": "dnrti_train"}} {"text": "Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": {"Organization: Kaspersky Lab": [[15, 28], [156, 169]], "Vulnerability: zero-day": [[94, 102]]}, "info": {"id": "dnrti_train_002401", "source": "dnrti_train"}} {"text": "Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft 
XML Core Services that was patched in April .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: ScarCruft": [[26, 35]], "Vulnerability: zero-day": [[65, 73]], "Vulnerability: CVE-2016-0147": [[76, 89]]}, "info": {"id": "dnrti_train_002402", "source": "dnrti_train"}} {"text": "Attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks .", "spans": {"System: spear-phishing emails": [[19, 40]], "Organization: ScarCruft": [[113, 122]]}, "info": {"id": "dnrti_train_002403", "source": "dnrti_train"}} {"text": "Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"Vulnerability: Flash exploit": [[65, 78]], "Vulnerability: CVE-2016-4117": [[81, 94]]}, "info": {"id": "dnrti_train_002404", "source": "dnrti_train"}} {"text": "Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": {"Vulnerability: zero day": [[82, 90]], "Vulnerability: CVE-2016-4171": [[91, 104]]}, "info": {"id": "dnrti_train_002405", "source": "dnrti_train"}} {"text": "The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 .", "spans": {}, "info": {"id": "dnrti_train_002406", "source": "dnrti_train"}} {"text": "Cisco Talos assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": {"Organization: Cisco Talos": [[0, 11]]}, "info": {"id": "dnrti_train_002407", "source": "dnrti_train"}} {"text": "We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": {}, "info": {"id": "dnrti_train_002408", "source": 
"dnrti_train"}} {"text": "The common use of the Enfal Trojan suggests that Shadow Network may be exchanging tools and techniques .", "spans": {"Malware: Enfal Trojan": [[22, 34]]}, "info": {"id": "dnrti_train_002409", "source": "dnrti_train"}} {"text": "While Silence had previously targeted Russian banks , Group-IB experts also have discovered evidence of the group 's activity in more than 25 countries worldwide .", "spans": {"Organization: While Silence": [[0, 13]], "Organization: Group-IB": [[54, 62]]}, "info": {"id": "dnrti_train_002410", "source": "dnrti_train"}} {"text": "In August 2017 , the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack .", "spans": {"Organization: National Bank": [[21, 34]]}, "info": {"id": "dnrti_train_002411", "source": "dnrti_train"}} {"text": "The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28 .", "spans": {"Organization: APT28": [[86, 91]]}, "info": {"id": "dnrti_train_002412", "source": "dnrti_train"}} {"text": "The new threat actor group was eventually named Silence .", "spans": {}, "info": {"id": "dnrti_train_002413", "source": "dnrti_train"}} {"text": "Silence is a group of Russian-speaking hackers , based on their commands language , the location of infrastructure they used , and the geography of their targets ( Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan ) .", "spans": {}, "info": {"id": "dnrti_train_002414", "source": "dnrti_train"}} {"text": "Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": {"System: phishing emails": [[20, 35]], "Organization: bank employees": [[54, 68]]}, "info": {"id": "dnrti_train_002415", "source": "dnrti_train"}} {"text": "Silence also used Russian-language web hosting services .", "spans": {"Malware: web hosting services": [[35, 55]]}, "info": {"id": "dnrti_train_002416", "source": 
"dnrti_train"}} {"text": "Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak , Corkow , Buhtrap — usually managed botnets using developed or modified banking Trojans .", "spans": {"Organization: financial sector": [[80, 96]], "Malware: Corkow": [[116, 122]]}, "info": {"id": "dnrti_train_002417", "source": "dnrti_train"}} {"text": "They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": {"Organization: Central Bank 's Automated Workstation Client": [[90, 134]], "Organization: ATMs": [[139, 143]]}, "info": {"id": "dnrti_train_002418", "source": "dnrti_train"}} {"text": "Group-IB researchers were tracking Silence throughout this period and conducting response following incidents in the financial sector .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: financial sector": [[117, 133]]}, "info": {"id": "dnrti_train_002419", "source": "dnrti_train"}} {"text": "Group-IB detected the first incidents relating to Silence in June 2016 .", "spans": {"Organization: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_002420", "source": "dnrti_train"}} {"text": "One of Silence 's first targets was a Russian bank , when they tried to attack AWS CBR .", "spans": {}, "info": {"id": "dnrti_train_002421", "source": "dnrti_train"}} {"text": "They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt .", "spans": {}, "info": {"id": "dnrti_train_002422", "source": "dnrti_train"}} {"text": "Silence try to apply new techniques and ways of stealing from various banking systems , including AWS CBR , ATMs , and card processing .", "spans": {}, "info": {"id": "dnrti_train_002423", "source": "dnrti_train"}} {"text": "Silence 's 
successful attacks currently have been limited to the CIS and Eastern European countries .", "spans": {}, "info": {"id": "dnrti_train_002424", "source": "dnrti_train"}} {"text": "He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software .", "spans": {}, "info": {"id": "dnrti_train_002425", "source": "dnrti_train"}} {"text": "Silence 's main targets are located in Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": {}, "info": {"id": "dnrti_train_002426", "source": "dnrti_train"}} {"text": "However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": {"System: phishing emails": [[15, 30]], "Organization: bank employees": [[44, 58]]}, "info": {"id": "dnrti_train_002427", "source": "dnrti_train"}} {"text": "In the same year , they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"Malware: Perl IRC bot": [[57, 69]], "Malware: public IRC chats": [[74, 90]]}, "info": {"id": "dnrti_train_002428", "source": "dnrti_train"}} {"text": "In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"Malware: Perl IRC bot": [[60, 72]], "Malware: public IRC chats": [[77, 93]]}, "info": {"id": "dnrti_train_002429", "source": "dnrti_train"}} {"text": "In two months , the group returned to their proven method and withdrew funds again through ATMs .", "spans": {}, "info": {"id": "dnrti_train_002430", "source": "dnrti_train"}} {"text": "In September 2017 , we discovered a new targeted attack on financial institutions .", "spans": 
{"Organization: financial institutions": [[59, 81]]}, "info": {"id": "dnrti_train_002431", "source": "dnrti_train"}} {"text": "In September 2017 , we discovered Silence attack on financial institutions .", "spans": {"Organization: financial institutions": [[52, 74]]}, "info": {"id": "dnrti_train_002432", "source": "dnrti_train"}} {"text": "The infection vector is a spear-phishing email with a malicious attachment .", "spans": {"System: spear-phishing email": [[26, 46]]}, "info": {"id": "dnrti_train_002433", "source": "dnrti_train"}} {"text": "An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": {"System: spear-phishing emails": [[140, 161]], "Organization: bank employees": [[189, 203]]}, "info": {"id": "dnrti_train_002434", "source": "dnrti_train"}} {"text": "The spear-phishing infection vector is still the most popular way to initiate targeted campaigns .", "spans": {"System: spear-phishing": [[4, 18]]}, "info": {"id": "dnrti_train_002435", "source": "dnrti_train"}} {"text": "We conclude that the actor behind the attack is Silence group , a relatively new threat actor that's been operating since mid-2016 .", "spans": {}, "info": {"id": "dnrti_train_002436", "source": "dnrti_train"}} {"text": "A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": {"Organization: employees": [[181, 190]], "Organization: financial entities": [[196, 214]]}, "info": {"id": "dnrti_train_002437", "source": "dnrti_train"}} {"text": "As shown above , the threat runs several native binaries to collect useful information for its recon 
phase .", "spans": {"Malware: native binaries": [[41, 56]]}, "info": {"id": "dnrti_train_002438", "source": "dnrti_train"}} {"text": "The intelligence we have collected shows that Silence is part of a more extensive operation , still focused on financial institutions operating mainly on Russian territory .", "spans": {"Organization: financial institutions": [[111, 133]]}, "info": {"id": "dnrti_train_002439", "source": "dnrti_train"}} {"text": "These spearphishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting .", "spans": {"System: spearphishing": [[6, 19]], "System: social engineering tactics": [[85, 111]]}, "info": {"id": "dnrti_train_002440", "source": "dnrti_train"}} {"text": "Based on file modification dates and timestamps of samples , it appears that the observed campaign was initiated in the middle of February 2016 , with the infrastructure taken offline at the start of March .", "spans": {}, "info": {"id": "dnrti_train_002441", "source": "dnrti_train"}} {"text": "While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language word for \" visage \" or \" appearance \" .", "spans": {}, "info": {"id": "dnrti_train_002442", "source": "dnrti_train"}} {"text": "Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": {"Organization: social engineering campaigns": [[31, 59]], "Organization: women 's rights activists": [[68, 93]]}, "info": {"id": "dnrti_train_002443", "source": "dnrti_train"}} {"text": "Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": {"Organization: Iranians": [[67, 75]]}, "info": {"id": "dnrti_train_002444", "source": "dnrti_train"}} {"text": "The Sima group also engaged in impersonation of Citizenship and 
Immigration Services at the Department of Homeland Security , posing as a notice about the expiration of the recipient 's Permanent Residence status .", "spans": {"Organization: Sima": [[4, 8]], "Organization: Department of Homeland Security": [[92, 123]]}, "info": {"id": "dnrti_train_002445", "source": "dnrti_train"}} {"text": "In another case , Sima mirrored an announcement made about the broadcast of a television program on Iranian-American cultural affairs in order to impersonate the individual and engage in spearphishing within hours of the legitimate message .", "spans": {"Organization: Sima": [[18, 22]], "System: spearphishing": [[187, 200]]}, "info": {"id": "dnrti_train_002446", "source": "dnrti_train"}} {"text": "The server used to host these malware samples was located on the German provider Hetzner ( 148.251.55.114 ) , within a small block of IP addresses that are registered with the customer ID \" HOS-156205 \" .", "spans": {"Organization: provider": [[72, 80]]}, "info": {"id": "dnrti_train_002447", "source": "dnrti_train"}} {"text": "All the samples appear to be have been compiled between February 29 and March 1 2016 , shortly before our discovery , suggesting that , despite the known C&C servers having quickly gone offline shortly after , this spree of attacks might be fresh and currently undergoing .", "spans": {}, "info": {"id": "dnrti_train_002448", "source": "dnrti_train"}} {"text": "These archives provide further indication that those entities behind the campaigns are Persian-language speakers , due to the naming of files and folders in Persian .", "spans": {}, "info": {"id": "dnrti_train_002449", "source": "dnrti_train"}} {"text": "For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": {"Organization: diaspora": [[147, 155]]}, "info": {"id": "dnrti_train_002450", "source": "dnrti_train"}} {"text": "Butterfly has attacked 
multi-billion dollar companies operating in the internet , IT software , pharmaceutical , and commodities sectors .", "spans": {"Organization: Butterfly": [[0, 9]], "Organization: multi-billion dollar companies": [[23, 53]], "Organization: commodities sectors": [[117, 136]]}, "info": {"id": "dnrti_train_002451", "source": "dnrti_train"}} {"text": "The first signs of Butterfly 's activities emerged in early 2013 when several major technology and internet firms were compromised .", "spans": {"Organization: internet firms": [[99, 113]]}, "info": {"id": "dnrti_train_002452", "source": "dnrti_train"}} {"text": "However , an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number .", "spans": {"Organization: Symantec": [[30, 38]]}, "info": {"id": "dnrti_train_002453", "source": "dnrti_train"}} {"text": "Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly .", "spans": {"Organization: Symantec": [[0, 8]]}, "info": {"id": "dnrti_train_002454", "source": "dnrti_train"}} {"text": "Aside from the four companies which have publicly acknowledged attacks , Symantec has identified five other large technology firms compromised by Butterfly , primarily headquartered in the US .", "spans": {"Organization: Symantec": [[73, 81]], "Organization: technology firms": [[114, 130]]}, "info": {"id": "dnrti_train_002455", "source": "dnrti_train"}} {"text": "In the first attack , Butterfly gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters .", "spans": {}, "info": {"id": "dnrti_train_002456", "source": "dnrti_train"}} {"text": "However , technology is not the only sector the group has focused on and Symantec has found evidence that Butterfly has attacked three major European 
pharmaceutical firms .", "spans": {"Organization: Symantec": [[73, 81]], "Organization: pharmaceutical firms": [[150, 170]]}, "info": {"id": "dnrti_train_002457", "source": "dnrti_train"}} {"text": "Butterfly has also shown an interest in the commodities sector , attacking two major companies involved in gold and oil in late 2014 .", "spans": {"Organization: Butterfly": [[0, 9]], "Organization: commodities sector": [[44, 62]]}, "info": {"id": "dnrti_train_002458", "source": "dnrti_train"}} {"text": "The company specializes in finance and natural resources specific to that region .", "spans": {}, "info": {"id": "dnrti_train_002459", "source": "dnrti_train"}} {"text": "The latter was one of at least three law firms Butterfly has targeted over the past three years .", "spans": {"Organization: law firms": [[37, 46]], "Organization: Butterfly": [[47, 56]]}, "info": {"id": "dnrti_train_002460", "source": "dnrti_train"}} {"text": "In many attacks , the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and possibly use them to send counterfeit emails .", "spans": {"Malware: Microsoft Exchange": [[58, 76]], "Malware: Lotus Domino email servers": [[80, 106]], "System: emails": [[137, 143], [186, 192]]}, "info": {"id": "dnrti_train_002461", "source": "dnrti_train"}} {"text": "A powerful threat actor known as \" Wild Neutron \" ( also known as \" Jripbot \" and \" Morpho \" ) has been active since at least 2011 , infecting high profile companies for several years by using a combination of exploits , watering holes and multi-platform malware .", "spans": {"Organization: Jripbot": [[68, 75]], "Organization: Morpho": [[84, 90]], "Organization: high profile companies": [[143, 165]], "System: watering holes": [[221, 235]]}, "info": {"id": "dnrti_train_002462", "source": "dnrti_train"}} {"text": "Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that 
Butterfly is financially motivated , stealing information it can potentially profit from .", "spans": {"Organization: Symantec": [[92, 100]]}, "info": {"id": "dnrti_train_002463", "source": "dnrti_train"}} {"text": "Wild Neutron hit the spotlight in 2013 , when it successfully infected companies such as Apple , Facebook , Twitter and Microsoft .", "spans": {"Organization: Apple": [[89, 94]], "Organization: Facebook": [[97, 105]], "Organization: Twitter": [[108, 115]], "Organization: Microsoft": [[120, 129]]}, "info": {"id": "dnrti_train_002464", "source": "dnrti_train"}} {"text": "Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Malware: stolen code signing certificate": [[39, 70]], "Vulnerability: Flash Player exploit": [[132, 152]]}, "info": {"id": "dnrti_train_002465", "source": "dnrti_train"}} {"text": "During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk.com , which is an iPhone developers forum .", "spans": {}, "info": {"id": "dnrti_train_002466", "source": "dnrti_train"}} {"text": "Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Vulnerability: Java zero-day exploit": [[43, 64]], "System: watering holes": [[91, 105]]}, "info": {"id": "dnrti_train_002467", "source": "dnrti_train"}} {"text": "While the group used watering hole attacks in 2013 , it's still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks .", "spans": {}, "info": {"id": "dnrti_train_002468", "source": "dnrti_train"}} {"text": "Wild Neutron 's tools include a password harvesting trojan , a reverse-shell backdoor and customized implementations of OpenSSH , WMIC and SMB .", "spans": {"Organization: Wild Neutron": [[0, 12]], 
"Malware: password harvesting trojan": [[32, 58]], "Malware: reverse-shell backdoor": [[63, 85]], "Malware: customized implementations of OpenSSH": [[90, 127]], "Malware: WMIC": [[130, 134]], "Malware: SMB": [[139, 142]]}, "info": {"id": "dnrti_train_002469", "source": "dnrti_train"}} {"text": "Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": {"Vulnerability: Flash exploits": [[11, 25]], "System: watering holes": [[64, 78]], "Vulnerability: Java zero-day": [[95, 108]], "Organization: Kaspersky Lab": [[168, 181]], "Vulnerability: Exploit.Java.CVE-2012-3213.b": [[194, 222]]}, "info": {"id": "dnrti_train_002470", "source": "dnrti_train"}} {"text": "The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases , a small number of computers have been infected throughout Wild Neutron .", "spans": {"Organization: IT": [[53, 55]], "Organization: real estate/investment companies": [[60, 92]], "Organization: Wild Neutron": [[171, 183]]}, "info": {"id": "dnrti_train_002471", "source": "dnrti_train"}} {"text": "Wild Neutron 's targeting of major IT companies , spyware developers ( FlexiSPY ) , jihadist forums ( the \" Ansar Al-Mujahideen English Forum \" ) and Bitcoin companies indicate a flexible yet unusual mindset and interests .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Organization: IT companies": [[35, 47]], "Organization: spyware developers": [[50, 68]], "Organization: FlexiSPY": [[71, 79]], "Organization: jihadist forums": [[84, 99]], "Organization: Ansar Al-Mujahideen English Forum": [[108, 141]], "Organization: Bitcoin companies": [[150, 167]]}, "info": {"id": "dnrti_train_002472", "source": "dnrti_train"}} {"text": "We continue to track the Wild Neutron group , which is still active as of June 2015 .", "spans": 
{"Organization: Wild Neutron group": [[25, 43]]}, "info": {"id": "dnrti_train_002473", "source": "dnrti_train"}} {"text": "A ransomware variant dubbed PyLocky was observed in September 2018 being distributed by a phishing campaign using an invoicing theme .", "spans": {"Malware: PyLocky": [[28, 35]]}, "info": {"id": "dnrti_train_002474", "source": "dnrti_train"}} {"text": "PyLocky was found to be targeting entities in France and Germany .", "spans": {"Malware: PyLocky": [[0, 7]]}, "info": {"id": "dnrti_train_002475", "source": "dnrti_train"}} {"text": "Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information .", "spans": {"Organization: Fxmsp": [[0, 5]]}, "info": {"id": "dnrti_train_002476", "source": "dnrti_train"}} {"text": "Fxmsp is a hacking collective that has operated in various top-tier Russian- and English-speaking underground communities since 2017 .", "spans": {"Organization: Fxmsp": [[0, 5]]}, "info": {"id": "dnrti_train_002477", "source": "dnrti_train"}} {"text": "Throughout 2017 and 2018 , Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground .", "spans": {"Organization: Fxmsp": [[27, 32]]}, "info": {"id": "dnrti_train_002478", "source": "dnrti_train"}} {"text": "On April 24 , 2019 , Fxmsp claimed to have secured access to three leading antivirus companies .", "spans": {"Organization: Fxmsp": [[21, 26]], "Organization: antivirus companies": [[75, 94]]}, "info": {"id": "dnrti_train_002479", "source": "dnrti_train"}} {"text": "According to the Fxmsp , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks .", "spans": {}, "info": {"id": "dnrti_train_002480", "source": "dnrti_train"}} {"text": "Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body . 
For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 .", "spans": {"Organization: Booz Allen Hamilton": [[0, 19]], "Organization: AhnLab": [[32, 38]], "Organization: Bisonal malware": [[152, 167]], "Malware: Bisonal": [[236, 243]], "System: HTTP POST": [[354, 363]]}, "info": {"id": "dnrti_train_002481", "source": "dnrti_train"}} {"text": "Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia .", "spans": {"Malware: Bisonal malware": [[32, 47]]}, "info": {"id": "dnrti_train_002482", "source": "dnrti_train"}} {"text": "This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others .", "spans": {"Malware: sample": [[16, 22]]}, "info": {"id": "dnrti_train_002483", "source": "dnrti_train"}} {"text": "If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 .", "spans": {"Malware: it's": [[3, 7]], "Malware: Cyrillic": [[8, 16]], "Malware: UTF-16": [[136, 142]]}, "info": {"id": "dnrti_train_002484", "source": "dnrti_train"}} {"text": "Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": {"Malware: Bisonal": [[15, 22]]}, "info": {"id": "dnrti_train_002485", "source": "dnrti_train"}} {"text": "The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard .", "spans": {"Malware: the decoy PDF": [[16, 29]]}, "info": {"id": "dnrti_train_002486", "source": "dnrti_train"}} {"text": "The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization .", "spans": {"Malware: installed EXE file": [[4, 22]], "Malware: Bisonal 
variant": [[72, 87]]}, "info": {"id": "dnrti_train_002487", "source": "dnrti_train"}} {"text": "The targets are military or defense industry in particular countries , it used DDNS for C2 servers , and tracked connections from their victims by using target or campaign codes , as well as disguising the malware as document file , and using a dropper to install the malware and decoy file .", "spans": {"System: malware": [[206, 213]], "Malware: dropper": [[245, 252]]}, "info": {"id": "dnrti_train_002488", "source": "dnrti_train"}} {"text": "A previous campaign of this APT group was uncovered by Talos in June 2017 , and since then very little of this operation was seen in the wild .", "spans": {"Organization: Talos": [[55, 60]]}, "info": {"id": "dnrti_train_002489", "source": "dnrti_train"}} {"text": "ined in the archive is called DriverInstallerU.exe” but its metadata shows that its original name is Interenet Assistant.exe” .", "spans": {"Malware: DriverInstallerU.exe”": [[30, 51]], "Malware: Interenet Assistant.exe”": [[101, 125]]}, "info": {"id": "dnrti_train_002490", "source": "dnrti_train"}} {"text": "After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile .", "spans": {"Organization: attackers": [[86, 95]], "Organization: victims who answer": [[105, 123]]}, "info": {"id": "dnrti_train_002491", "source": "dnrti_train"}} {"text": "In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” .", "spans": {"Malware: BMW_x1”": [[114, 121]], "Malware: BMW_x2”": [[124, 131]], "Malware: BMW_x8”": [[142, 149]]}, "info": {"id": "dnrti_train_002492", "source": "dnrti_train"}} {"text": "But , thanks to the attackers known affection for decoy documents that pose as news summaries , we 
were able to date the campaign back to March 2018 .", "spans": {"Organization: attackers": [[20, 29]]}, "info": {"id": "dnrti_train_002493", "source": "dnrti_train"}} {"text": "With the experience gained from the APT attack that began in March 2017 , it seems this campaign has evolved into an attack with new capabilities , and an even more specific target , over a year later .", "spans": {}, "info": {"id": "dnrti_train_002494", "source": "dnrti_train"}} {"text": "These unknown actors continued launching DDoS attacks over the next few years .", "spans": {"Organization: unknown actors": [[6, 20]]}, "info": {"id": "dnrti_train_002495", "source": "dnrti_train"}} {"text": "For simplicity , Kaspersky is calling them the BlackEnergy APT group .", "spans": {"Organization: Kaspersky": [[17, 26]]}, "info": {"id": "dnrti_train_002496", "source": "dnrti_train"}} {"text": "Since the middle of 2015 , one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document .", "spans": {"Organization: BlackEnergy": [[67, 78]]}, "info": {"id": "dnrti_train_002497", "source": "dnrti_train"}} {"text": "A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum the text is only available in Russian for now , but can be read via Google Translate .", "spans": {"Organization: Cys Centrum": [[142, 153]]}, "info": {"id": "dnrti_train_002498", "source": "dnrti_train"}} {"text": "The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014 .", "spans": {"Organization: BlackEnergy": [[48, 59]]}, "info": {"id": "dnrti_train_002499", "source": "dnrti_train"}} {"text": "BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda , in addition to compromising industrial control 
installations and espionage activities .", "spans": {"Organization: BlackEnergy": [[0, 11]]}, "info": {"id": "dnrti_train_002500", "source": "dnrti_train"}} {"text": "Kaspersky will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackEnergy": [[39, 50]]}, "info": {"id": "dnrti_train_002501", "source": "dnrti_train"}} {"text": "From Buhtrap perpetrating cybercrime for financial gain , its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia .", "spans": {"Organization: Buhtrap": [[5, 12]]}, "info": {"id": "dnrti_train_002502", "source": "dnrti_train"}} {"text": "Throughout our tracking , we've seen this group deploy its main backdoor as well as other tools against various victims , but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign .", "spans": {"Organization: we've": [[26, 31]], "Organization: this group": [[37, 47]], "System: backdoor": [[64, 72]], "Organization: Buhtrap": [[166, 173]]}, "info": {"id": "dnrti_train_002503", "source": "dnrti_train"}} {"text": "In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims .", "spans": {"Organization: Buhtrap": [[27, 34]], "Vulnerability: CVE-2019-1132": [[80, 93]]}, "info": {"id": "dnrti_train_002504", "source": "dnrti_train"}} {"text": "However , as the shift in targets occurred before the source code leak , we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions .", "spans": {"Organization: Buhtrap": [[142, 149]]}, "info": {"id": "dnrti_train_002505", "source": "dnrti_train"}} {"text": "When Buhtrap was targeting businesses , the decoy documents would typically be contracts or invoices .", "spans": 
{"Organization: Buhtrap": [[5, 12]]}, "info": {"id": "dnrti_train_002506", "source": "dnrti_train"}} {"text": "The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia .", "spans": {"Organization: Buhtrap": [[4, 11]]}, "info": {"id": "dnrti_train_002507", "source": "dnrti_train"}} {"text": "Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014 .", "spans": {"Organization: group": [[55, 60]]}, "info": {"id": "dnrti_train_002508", "source": "dnrti_train"}} {"text": "When the group's focus shifted to banks , the decoy documents were related to banking system regulations or advisories from FinCERT , an organization created by the Russian government to provide help and guidance to its financial institutions .", "spans": {"Organization: group's": [[9, 16]], "Organization: FinCERT": [[124, 131]]}, "info": {"id": "dnrti_train_002509", "source": "dnrti_train"}} {"text": "We confirmed that this is a DarkHydrus Group's new attack targeting Middle East region .", "spans": {"Organization: DarkHydrus": [[28, 38]]}, "info": {"id": "dnrti_train_002510", "source": "dnrti_train"}} {"text": "In July 2018 , Palo Alto disclosed DarkHydrus Group which showed its special interest to governments in Middle East .", "spans": {"Organization: Palo Alto": [[15, 24]], "Organization: DarkHydrus": [[35, 45]]}, "info": {"id": "dnrti_train_002511", "source": "dnrti_train"}} {"text": "Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus .", "spans": {"Vulnerability: CVE-2018-8414": [[74, 87]], "Organization: DarkHydrus": [[177, 187]]}, "info": {"id": "dnrti_train_002512", "source": "dnrti_train"}} {"text": "However , the final payload is something that welivesecurity have never seen associated with Buhtrap .", "spans": {"Organization: welivesecurity": [[46, 60]], "Organization: Buhtrap": 
[[93, 100]]}, "info": {"id": "dnrti_train_002513", "source": "dnrti_train"}} {"text": "It's coincident that both 'darkhydrus' APT group name and ‘Williams’ user name in PDB path found in this Twitter user .", "spans": {"Organization: 'darkhydrus'": [[26, 38]], "Organization: ‘Williams’": [[58, 68]], "Organization: Twitter user": [[105, 117]]}, "info": {"id": "dnrti_train_002514", "source": "dnrti_train"}} {"text": "In recent APT incidents , Dark Hydruns tend to adopt Office VBA macro instead of Office 0day vulnerability in the consideration of cost reduction .", "spans": {"Organization: Dark Hydruns": [[26, 38]], "Malware: Office VBA macro": [[53, 69]]}, "info": {"id": "dnrti_train_002515", "source": "dnrti_train"}} {"text": "ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government , telecommunications , and military .", "spans": {"Organization: ASERT": [[0, 5]], "Organization: LUCKY ELEPHANT": [[52, 66]]}, "info": {"id": "dnrti_train_002516", "source": "dnrti_train"}} {"text": "From at least February 2019 to present , the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains , presumably to trick victims into providing login credentials .", "spans": {"Organization: LUCKY ELEPHANT": [[59, 73]], "Organization: Microsoft Outlook": [[151, 168]]}, "info": {"id": "dnrti_train_002517", "source": "dnrti_train"}} {"text": "ASERT suspects that the Actors use phishing emails to lure victims to the doppelganger websites and entice users to enter their credentials .", "spans": {"Organization: ASERT": [[0, 5]]}, "info": {"id": "dnrti_train_002518", "source": "dnrti_train"}} {"text": "It is important to note that one domain , yahoomail[.]cf is only associated with this group from February 2019 onward .", "spans": {"Organization: group": [[86, 91]]}, "info": 
{"id": "dnrti_train_002519", "source": "dnrti_train"}} {"text": "In late 2018 , the domain was associated with a different APT group / campaign of Chinese origin .", "spans": {"Organization: APT group": [[58, 67]]}, "info": {"id": "dnrti_train_002520", "source": "dnrti_train"}} {"text": "Based on our analysis into the activity , ASERT deems with moderate confidence that an Indian APT group is behind the LUCKY ELEPHANT campaign .", "spans": {"Organization: Indian APT group": [[87, 103]]}, "info": {"id": "dnrti_train_002521", "source": "dnrti_train"}} {"text": "The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group .", "spans": {"Organization: APT group": [[109, 118]]}, "info": {"id": "dnrti_train_002522", "source": "dnrti_train"}} {"text": "DoNot Team has a history of heavily targeting Pakistan , in addition to other neighboring countries .", "spans": {"Organization: DoNot Team": [[0, 10]]}, "info": {"id": "dnrti_train_002523", "source": "dnrti_train"}} {"text": "The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China .", "spans": {"Organization: Pakistani businessmen": [[117, 138]]}, "info": {"id": "dnrti_train_002524", "source": "dnrti_train"}} {"text": "DoNot Team’s confirmed use of this IP dates back to September 2018 , with a six-month gap until it was used to host doppelganger domains for the LUCKY ELEPHANT campaign in early February .", "spans": {"Organization: DoNot": [[0, 5]]}, "info": {"id": "dnrti_train_002525", "source": "dnrti_train"}} {"text": "One of the IP addresses , 128.127.105.13 , was previously used by the DoNot Team (aka APT-C-35) , a suspected Indian APT group .", "spans": {"Organization: DoNot Team": [[70, 80]]}, "info": {"id": "dnrti_train_002526", "source": "dnrti_train"}} {"text": "The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly 
identical to legitimate sites , enticing users to input their credentials .", "spans": {"Organization: LUCKY ELEPHANT": [[18, 32]], "Malware: doppelganger webpages": [[69, 90]]}, "info": {"id": "dnrti_train_002527", "source": "dnrti_train"}} {"text": "The heavier targeting in Pakistan adheres to historical targeting and the ongoing tension between the two countries , which has escalated since a terrorist attack in Kashmir on 14 February 2019 .", "spans": {}, "info": {"id": "dnrti_train_002528", "source": "dnrti_train"}} {"text": "The targeting of Pakistan , Bangladesh , Sri Lanka , Maldives , Myanmar , Nepal , and the Shanghai Cooperation Organization are all historical espionage targets by India .", "spans": {"Organization: espionage": [[143, 152]]}, "info": {"id": "dnrti_train_002529", "source": "dnrti_train"}} {"text": "However , it is clear is that Donot are actively establishing infrastructure and are targeting governments in South Asia .", "spans": {"Organization: Donot": [[30, 35]]}, "info": {"id": "dnrti_train_002530", "source": "dnrti_train"}} {"text": "First attack of this campaign took place in May 2018 .", "spans": {}, "info": {"id": "dnrti_train_002531", "source": "dnrti_train"}} {"text": "Arbor also published APT research on this group , and named it ‘Donot’ .", "spans": {"Organization: Arbor": [[0, 5]], "Organization: ‘Donot’": [[63, 70]]}, "info": {"id": "dnrti_train_002532", "source": "dnrti_train"}} {"text": "Donot attacked government agencies , aiming for classified intelligence .", "spans": {"Organization: Donot": [[0, 5]]}, "info": {"id": "dnrti_train_002533", "source": "dnrti_train"}} {"text": "We identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage .", "spans": {"Organization: ‘APT-C-35’": [[38, 48]]}, "info": {"id": "dnrti_train_002534", "source": "dnrti_train"}} {"text": "At least 4 attack campaigns against Pakistan have been observed by us since 2017 
.", "spans": {}, "info": {"id": "dnrti_train_002535", "source": "dnrti_train"}} {"text": "Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims .", "spans": {"Malware: Spear phishing": [[0, 14]]}, "info": {"id": "dnrti_train_002536", "source": "dnrti_train"}} {"text": "In the latest attack , Donot group is targeting Pakistani businessman working in China .", "spans": {"Organization: Donot group": [[23, 34]], "Organization: Pakistani businessman": [[48, 69]]}, "info": {"id": "dnrti_train_002537", "source": "dnrti_train"}} {"text": "Two unique malware frameworks , EHDevel and yty , are developed by attackers .", "spans": {"Malware: EHDevel": [[32, 39]], "Malware: yty": [[44, 47]], "Organization: attackers": [[67, 76]]}, "info": {"id": "dnrti_train_002538", "source": "dnrti_train"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": {"Malware: wuaupdt.exe": [[0, 11]], "Malware: CMD": [[17, 20]]}, "info": {"id": "dnrti_train_002539", "source": "dnrti_train"}} {"text": "Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones .", "spans": {"Malware: wuaupdt.exe": [[57, 68]]}, "info": {"id": "dnrti_train_002540", "source": "dnrti_train"}} {"text": "From the attack activity captured this time , it is obvious that Donot APT group is still keen on Pakistan as primary target of attack , and even expands scope of attack to include Pakistani staffs and institutions in China .", "spans": {"Organization: Donot APT group": [[65, 80]]}, "info": {"id": "dnrti_train_002541", "source": "dnrti_train"}} {"text": "Buhtrap still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents .", "spans": {"Organization: Buhtrap": [[0, 7]], "Organization: NSIS installers": [[36, 51]]}, "info": {"id": "dnrti_train_002542", "source": 
"dnrti_train"}} {"text": "They first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) .", "spans": {}, "info": {"id": "dnrti_train_002543", "source": "dnrti_train"}} {"text": "Earworm first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) .", "spans": {"Organization: Earworm": [[0, 7]]}, "info": {"id": "dnrti_train_002544", "source": "dnrti_train"}} {"text": "They were also behind an attack on the World Anti-Doping Agency (WADA) , in which they leaked confidential information about several drug tests .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_train_002545", "source": "dnrti_train"}} {"text": "SPLM , GAMEFISH , and Zebrocy delivery all maintain their own clusters , but frequently overlap later .", "spans": {"Organization: SPLM": [[0, 4]], "Organization: GAMEFISH": [[7, 15]], "Organization: Zebrocy": [[22, 29]]}, "info": {"id": "dnrti_train_002546", "source": "dnrti_train"}} {"text": "Our previous post on Sofacy's 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US , and examines their under-reported ongoing activity in middle east , central asia , and now a shift in targeting further east , including China , along with an overlap surprise .", "spans": {"Organization: Sofacy's": [[21, 29]]}, "info": {"id": "dnrti_train_002547", "source": "dnrti_train"}} {"text": "The larger , 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018 .", "spans": {"Organization: SPLM": [[20, 24]]}, "info": {"id": "dnrti_train_002548", "source": "dnrti_train"}} {"text": "A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed – most likely detections were 
related to students’ and researchers’ scanning known collected samples and any incidents” remain unconfirmed and unknown .", "spans": {"Organization: groups'": [[93, 100]], "Organization: Chinese universities": [[113, 133]]}, "info": {"id": "dnrti_train_002549", "source": "dnrti_train"}} {"text": "Either way , the group's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion .", "spans": {"Organization: group's": [[17, 24]]}, "info": {"id": "dnrti_train_002550", "source": "dnrti_train"}} {"text": "The actors behind this campaign we call LUCKY ELEPHANT use doppelganger webpages to mimic legitimate entities such as foreign governments , telecommunications , and military .", "spans": {"Organization: LUCKY ELEPHANT": [[40, 54]], "Malware: doppelganger webpages": [[59, 80]]}, "info": {"id": "dnrti_train_002551", "source": "dnrti_train"}} {"text": "Currently , Sofacy targets large air-defense related commercial organizations in China with SPLM , and moves Zebrocy focus across Armenia , Turkey , Kazahkstan , Tajikistan , Afghanistan , Mongolia , China , and Japan .", "spans": {}, "info": {"id": "dnrti_train_002552", "source": "dnrti_train"}} {"text": "Either way , Sofacy's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion .", "spans": {"Organization: Sofacy's": [[13, 21]]}, "info": {"id": "dnrti_train_002553", "source": "dnrti_train"}} {"text": "According to this new alert , Hidden Cobra the U.S government’s code name for Lazarus has been conducting FASTCash attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016 .", "spans": {"Organization: Hidden Cobra": [[30, 42]]}, "info": {"id": "dnrti_train_002554", "source": "dnrti_train"}} {"text": "Lazarus is a very active attack group involved in both cyber crime and espionage .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": 
"dnrti_train_002555", "source": "dnrti_train"}} {"text": "The group was initially known for its espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_002556", "source": "dnrti_train"}} {"text": "Following US-CERTs report , Symantec's research uncovered the key component used in Lazarus's recent wave of financial attacks .", "spans": {"Organization: Lazarus's": [[84, 93]]}, "info": {"id": "dnrti_train_002557", "source": "dnrti_train"}} {"text": "More recently , Lazarus has also become involved in financially motivated attacks , including an US$81 million dollar theft from the Bangladesh Central Bank and the WannaCry ransomware .", "spans": {"Organization: Lazarus": [[16, 23]], "Malware: WannaCry": [[165, 173]]}, "info": {"id": "dnrti_train_002558", "source": "dnrti_train"}} {"text": "Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well .", "spans": {"Malware: nbtscan": [[61, 68]], "Malware: powercat": [[73, 81]]}, "info": {"id": "dnrti_train_002559", "source": "dnrti_train"}} {"text": "To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions .", "spans": {"Organization: Lazarus": [[37, 44]]}, "info": {"id": "dnrti_train_002560", "source": "dnrti_train"}} {"text": "The operation , known as FASTCash” has enabled Lazarus to fraudulently empty ATMs of cash .", "spans": {"Organization: Lazarus": [[47, 54]]}, "info": {"id": "dnrti_train_002561", "source": "dnrti_train"}} {"text": "In order to permit their fraudulent withdrawals from ATMs , Lazarus inject a malicious Advanced Interactive eXecutive (AIX) executable into a running , legitimate process on the switch application server of a financial transaction network , in this case a 
network handling ATM transactions .", "spans": {"Organization: Lazarus": [[60, 67]], "Malware: (AIX)": [[118, 123]]}, "info": {"id": "dnrti_train_002562", "source": "dnrti_train"}} {"text": "It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity .", "spans": {"Organization: attackers": [[36, 45]], "Malware: scripts": [[51, 58]]}, "info": {"id": "dnrti_train_002563", "source": "dnrti_train"}} {"text": "In recent years , Lazarus has also become involved in financially motivated attacks .", "spans": {"Organization: Lazarus": [[18, 25]]}, "info": {"id": "dnrti_train_002564", "source": "dnrti_train"}} {"text": "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs .", "spans": {"Malware: malware": [[5, 12]], "Organization: Lazarus": [[43, 50]]}, "info": {"id": "dnrti_train_002565", "source": "dnrti_train"}} {"text": "Lazarus was linked to the $81 million theft from the Bangladesh central bank in 2016 , along with a number of other bank heists .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002566", "source": "dnrti_train"}} {"text": "Lazarus was also linked to the WannaCry ransomware outbreak in May 2017 .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002567", "source": "dnrti_train"}} {"text": "WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet .", "spans": {"Vulnerability: CVE-2017-0144": [[100, 113]], "Vulnerability: CVE-2017-0145": [[118, 131]]}, "info": {"id": "dnrti_train_002568", "source": "dnrti_train"}} {"text": "Lazarus was initially known for its 
involvement in espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002569", "source": "dnrti_train"}} {"text": "In short , Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured .", "spans": {"Organization: Lazarus": [[11, 18]]}, "info": {"id": "dnrti_train_002570", "source": "dnrti_train"}} {"text": "As with the 2016 series of virtual bank heists , including the Bangladesh Bank heist , FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks .", "spans": {"Organization: FASTCash": [[87, 95]], "Organization: Lazarus": [[113, 120]]}, "info": {"id": "dnrti_train_002571", "source": "dnrti_train"}} {"text": "The attack , which starts with a malicious attachment disguised as a top secret US document , weaponizes TeamViewer , the popular remote access and desktop sharing software , to gain full control of the infected computer .", "spans": {"Organization: attack": [[4, 10]], "Malware: TeamViewer": [[105, 115]]}, "info": {"id": "dnrti_train_002572", "source": "dnrti_train"}} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": {"Malware: AutoHotKey scripts": [[66, 84]]}, "info": {"id": "dnrti_train_002573", "source": "dnrti_train"}} {"text": "It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting , since it was not after a specific region and the victims came from different places 
in the world .", "spans": {}, "info": {"id": "dnrti_train_002574", "source": "dnrti_train"}} {"text": "The initial infection vector used by the threat actor also changed over time , during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey , which displayed a decoy image to the user .", "spans": {"Malware: archives": [[137, 145]], "Organization: AutoHotKey": [[182, 192]], "Malware: decoy image": [[213, 224]]}, "info": {"id": "dnrti_train_002575", "source": "dnrti_train"}} {"text": "The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities .", "spans": {"Organization: Lazarus group": [[126, 139]]}, "info": {"id": "dnrti_train_002576", "source": "dnrti_train"}} {"text": "Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers , the recurring financial and political themes that they use highlight the attacker's interest in the financial world once more .", "spans": {"Organization: attacker's": [[196, 206]]}, "info": {"id": "dnrti_train_002577", "source": "dnrti_train"}} {"text": "Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group .", "spans": {"Malware: implant": [[103, 110]], "Organization: Gamaredon": [[115, 124]]}, "info": {"id": "dnrti_train_002578", "source": "dnrti_train"}} {"text": "Gamaredon Group is an alleged Russian threat group .", "spans": {"Organization: Gamaredon Group": [[0, 15]]}, "info": {"id": "dnrti_train_002579", "source": "dnrti_train"}} {"text": "Gamaredon Group has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government .", "spans": {"Organization: Gamaredon Group": [[0, 15]]}, "info": {"id": "dnrti_train_002580", "source": "dnrti_train"}} {"text": "EvilGnome's 
functionalities include desktop screenshots , file stealing , allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules .", "spans": {"Organization: EvilGnome's": [[0, 11]], "Malware: desktop screenshots": [[36, 55]], "Malware: file stealing": [[58, 71]], "Malware: capturing audio recording": [[83, 108]]}, "info": {"id": "dnrti_train_002581", "source": "dnrti_train"}} {"text": "Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware .", "spans": {"Organization: Gamaredon Group": [[0, 15]], "Malware: malware": [[92, 99]]}, "info": {"id": "dnrti_train_002582", "source": "dnrti_train"}} {"text": "Gamaredon Group's implants are characterized by the employment of information stealing tools — among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task .", "spans": {"Organization: Gamaredon Group's": [[0, 17]], "Malware: information stealing tools": [[66, 92]]}, "info": {"id": "dnrti_train_002583", "source": "dnrti_train"}} {"text": "Gamaredon Group infects victims using malicious attachments , delivered via spear phishing techniques .", "spans": {"Organization: Gamaredon Group": [[0, 15]], "Malware: malicious attachments": [[38, 59]], "System: spear phishing": [[76, 90]]}, "info": {"id": "dnrti_train_002584", "source": "dnrti_train"}} {"text": "The techniques and modules employed by EvilGnome — that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools .", "spans": {"Organization: EvilGnome": [[39, 48]], "Malware: SFX": [[70, 73]], "Malware: Windows tools": [[188, 201]]}, "info": {"id": "dnrti_train_002585", "source": "dnrti_train"}} {"text": "We can observe that the sample is very recent , created on Thursday , July 4 .", "spans": {"Malware: sample": [[24, 30]]}, "info": {"id": "dnrti_train_002586", "source": 
"dnrti_train"}} {"text": "As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking .", "spans": {"Malware: makeself script": [[51, 66]], "Malware: ./setup.sh": [[88, 98]]}, "info": {"id": "dnrti_train_002587", "source": "dnrti_train"}} {"text": "The ShooterAudio module uses PulseAudio to capture audio from the user's microphone .", "spans": {"Malware: ShooterAudio module": [[4, 23]], "Malware: PulseAudio": [[29, 39]]}, "info": {"id": "dnrti_train_002588", "source": "dnrti_train"}} {"text": "makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory .", "spans": {"Malware: makeself.sh": [[0, 11]], "Malware: shell script": [[23, 35]]}, "info": {"id": "dnrti_train_002589", "source": "dnrti_train"}} {"text": "During our 2018 monitoring of this group , we were able to identify different techniques utilized by very similar attackers in the MENA region , sometimes on the same target .", "spans": {"Organization: group": [[35, 40]]}, "info": {"id": "dnrti_train_002590", "source": "dnrti_train"}} {"text": "Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament .", "spans": {"Organization: Gaza Cybergang Group3": [[0, 21]]}, "info": {"id": "dnrti_train_002591", "source": "dnrti_train"}} {"text": "Gaza Cybergang has been seen employing phishing , with several chained stages to evade detection and extend command and control server lifetimes .", "spans": {"Organization: Gaza Cybergang": [[0, 14]], "System: employing phishing": [[29, 47]]}, "info": {"id": "dnrti_train_002592", "source": "dnrti_train"}} {"text": "The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking .", "spans": {"Organization: SneakyPastes": [[28, 40]], "Organization: embassies": [[45, 54]], "Organization: 
activists": [[121, 130]], "Organization: personnel": [[154, 163]]}, "info": {"id": "dnrti_train_002593", "source": "dnrti_train"}} {"text": "Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel .", "spans": {"Organization: Gaza Cybergang Group1": [[96, 117]], "Organization: political personnel": [[142, 161]]}, "info": {"id": "dnrti_train_002594", "source": "dnrti_train"}} {"text": "Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset , which conducts widespread attacks , but is nevertheless focused on Palestinian political problems .", "spans": {"Organization: Gaza Cybergang Group1": [[0, 21]]}, "info": {"id": "dnrti_train_002595", "source": "dnrti_train"}} {"text": "In this campaign , Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims .", "spans": {"Organization: Gaza Cybergang": [[19, 33]], "System: disposable emails": [[39, 56]], "System: phishing": [[76, 84]]}, "info": {"id": "dnrti_train_002596", "source": "dnrti_train"}} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": {"Malware: RAT": [[4, 7]]}, "info": {"id": "dnrti_train_002597", "source": "dnrti_train"}} {"text": "We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation .", "spans": {"Organization: attacks": [[65, 72]]}, "info": {"id": "dnrti_train_002598", "source": "dnrti_train"}} {"text": "Cylance determined that the ‘Ghost Dragon’ group utilized specifically tailored variants of Gh0st RAT , which the group modified from the 3.6 version of the source code released in 2008 .", "spans": {"Organization: Cylance": [[0, 7]], "Organization: ‘Ghost 
Dragon’": [[28, 42]], "Malware: Gh0st RAT": [[92, 101]]}, "info": {"id": "dnrti_train_002599", "source": "dnrti_train"}} {"text": "The standard network protocol for Gh0st RAT 3.6 employs zlib compression , which utilizes ‘Gh0st’ as a static five-byte packet flag that must be included in the first five bytes of initial transmission from the victim .", "spans": {"Organization: Gh0st RAT 3.6": [[34, 47]], "Malware: zlib compression": [[56, 72]]}, "info": {"id": "dnrti_train_002600", "source": "dnrti_train"}} {"text": "In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller .", "spans": {"Malware: Gh0st RAT": [[41, 50]], "Organization: Ghost Dragon": [[61, 73]]}, "info": {"id": "dnrti_train_002601", "source": "dnrti_train"}} {"text": "SPEAR has observed numerous different XOR keys utilized by Ghost Dragon .", "spans": {"Organization: Ghost Dragon": [[59, 71]]}, "info": {"id": "dnrti_train_002602", "source": "dnrti_train"}} {"text": "Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017 .", "spans": {"Organization: Buckeye's": [[45, 54]]}, "info": {"id": "dnrti_train_002603", "source": "dnrti_train"}} {"text": "The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak .", "spans": {"Organization: Buckeye": [[4, 11]], "Malware: Equation Group tools": [[35, 55]]}, "info": {"id": "dnrti_train_002604", "source": "dnrti_train"}} {"text": "Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability .", "spans": {"Organization: Buckeye's": [[0, 9]], "System: zero-day": [[96, 104]]}, "info": {"id": "dnrti_train_002605", "source": "dnrti_train"}} {"text": "While Buckeye appeared to cease operations in mid-2017 , the Equation Group tools it used continued 
to be used in attacks until late 2018 .", "spans": {"Organization: Buckeye": [[6, 13]], "Malware: Equation Group tools": [[61, 81]]}, "info": {"id": "dnrti_train_002606", "source": "dnrti_train"}} {"text": "The 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years .", "spans": {"Organization: mysterious group": [[43, 59]]}, "info": {"id": "dnrti_train_002607", "source": "dnrti_train"}} {"text": "However , Symantec has now found evidence that the Buckeye cyber espionage group (aka APT3 , Gothic Panda ) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak .", "spans": {"Organization: Symantec": [[10, 18]], "Organization: Buckeye": [[51, 58]], "Organization: (aka APT3": [[81, 90]], "Organization: Gothic Panda": [[93, 105]], "Malware: Equation Group tools": [[120, 140]]}, "info": {"id": "dnrti_train_002608", "source": "dnrti_train"}} {"text": "Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact , with many attackers rushing to deploy the malware and exploits disclosed .", "spans": {"Organization: Equation": [[0, 8]], "Malware: trove": [[96, 101]]}, "info": {"id": "dnrti_train_002609", "source": "dnrti_train"}} {"text": "DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar .", "spans": {"Organization: DoublePulsar": [[0, 12]], "Malware: exploit tool": [[53, 65]]}, "info": {"id": "dnrti_train_002610", "source": "dnrti_train"}} {"text": "One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec .", "spans": {"Vulnerability: zero-day vulnerability": [[31, 53]], "Organization: Symantec": [[84, 92]]}, "info": {"id": "dnrti_train_002611", "source": "dnrti_train"}} {"text": "Bemstour exploits two Windows vulnerabilities in order to 
achieve remote kernel code execution on targeted computers .", "spans": {"Organization: Bemstour": [[0, 8]], "Vulnerability: vulnerabilities": [[30, 45]]}, "info": {"id": "dnrti_train_002612", "source": "dnrti_train"}} {"text": "The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak .", "spans": {"Vulnerability: vulnerability": [[19, 32]], "Organization: Shadow Brokers": [[211, 225]]}, "info": {"id": "dnrti_train_002613", "source": "dnrti_train"}} {"text": "It was reported by Symantec to Microsoft in September 2018 and was patched on March 12 , 2019 .", "spans": {"Organization: Symantec": [[19, 27]]}, "info": {"id": "dnrti_train_002614", "source": "dnrti_train"}} {"text": "How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown .", "spans": {"Organization: Buckeye": [[4, 11]], "Malware: Equation Group tools": [[21, 41]]}, "info": {"id": "dnrti_train_002615", "source": "dnrti_train"}} {"text": "The Buckeye attack group had been active since at least 2009 , when it began mounting a string of espionage attacks , mainly against organizations based in the U.S .", "spans": {"Organization: Buckeye": [[4, 11]], "System: espionage attacks": [[98, 115]]}, "info": {"id": "dnrti_train_002616", "source": "dnrti_train"}} {"text": "These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 .", "spans": {"Vulnerability: CVE-2010-3962": [[14, 27]], "Vulnerability: CVE-2014-1776": [[70, 83]]}, "info": {"id": "dnrti_train_002617", "source": "dnrti_train"}} {"text": "Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group .", "spans": {"Organization: Shadow Brokers": [[54, 68]], "Organization: Equation": [[130, 138]]}, "info": {"id": 
"dnrti_train_002618", "source": "dnrti_train"}} {"text": "Over the coming months , it progressively released more tools , until April 2017 , when it released a final , large cache of tools , including the DoublePulsar backdoor , the FuzzBunch framework , and the EternalBlue , EternalSynergy , and EternalRomance exploit tools .", "spans": {"Malware: DoublePulsar": [[147, 159]], "Malware: backdoor": [[160, 168]], "Malware: FuzzBunch": [[175, 184]], "Malware: framework": [[185, 194]], "Malware: EternalBlue": [[205, 216]], "Malware: EternalSynergy": [[219, 233]], "Malware: EternalRomance": [[240, 254]], "Malware: exploit": [[255, 262]], "Malware: tools": [[263, 268]]}, "info": {"id": "dnrti_train_002619", "source": "dnrti_train"}} {"text": "However , Buckeye had already been using some of these leaked tools at least a year beforehand .", "spans": {"Organization: Buckeye": [[10, 17]], "Malware: leaked tools": [[55, 67]]}, "info": {"id": "dnrti_train_002620", "source": "dnrti_train"}} {"text": "The earliest known use of Equation Group tools by Buckeye is March 31 , 2016 , during an attack on a target in Hong Kong .", "spans": {"Malware: Equation Group tools": [[26, 46]], "Organization: Buckeye": [[50, 57]]}, "info": {"id": "dnrti_train_002621", "source": "dnrti_train"}} {"text": "Beginning in March 2016 , Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar) , a backdoor that was subsequently released by the Shadow Brokers in 2017 .", "spans": {"Organization: Buckeye": [[26, 33]], "Organization: Shadow Brokers": [[147, 161]]}, "info": {"id": "dnrti_train_002622", "source": "dnrti_train"}} {"text": "However , while activity involving known Buckeye tools ceased in mid-2017 , the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware .", "spans": {"Organization: Buckeye": [[41, 48]], "Malware: Bemstour exploit tool": [[80, 101]], "Malware: DoublePulsar": 
[[110, 122]]}, "info": {"id": "dnrti_train_002623", "source": "dnrti_train"}} {"text": "During this attack , the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi) .", "spans": {"Malware: Buckeye malware": [[82, 97]]}, "info": {"id": "dnrti_train_002624", "source": "dnrti_train"}} {"text": "One hour later , Bemstour was used against an educational institution in Belgium .", "spans": {"Malware: Bemstour": [[17, 25]], "Malware: Belgium": [[73, 80]]}, "info": {"id": "dnrti_train_002625", "source": "dnrti_train"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": {"Malware: Bemstour": [[0, 8]], "Malware: DoublePulsar backdoor": [[62, 83]]}, "info": {"id": "dnrti_train_002626", "source": "dnrti_train"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": {"Malware: DoublePulsar": [[0, 12]]}, "info": {"id": "dnrti_train_002627", "source": "dnrti_train"}} {"text": "A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong .", "spans": {"Malware: Bemstour": [[40, 48]]}, "info": {"id": "dnrti_train_002628", "source": "dnrti_train"}} {"text": "When used against 32-bit targets , Bemstour still delivered the same DoublePulsar backdoor .", "spans": {"Malware: Bemstour": [[35, 43]], "Malware: DoublePulsar backdoor": [[69, 90]]}, "info": {"id": "dnrti_train_002629", "source": "dnrti_train"}} {"text": "Bemstour was used again in June 2017 in an attack against an organization in Luxembourg .", "spans": {"Malware: Bemstour": [[0, 8]]}, "info": {"id": "dnrti_train_002630", "source": "dnrti_train"}} {"text": "Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam .", "spans": {"Malware: Bemstour": [[34, 42]]}, "info": {"id": "dnrti_train_002631", "source": "dnrti_train"}} 
{"text": "Development of Bemstour has continued into 2019 .", "spans": {"Malware: Bemstour": [[15, 23]]}, "info": {"id": "dnrti_train_002632", "source": "dnrti_train"}} {"text": "Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) .", "spans": {"Malware: Bemstour": [[28, 36]], "Malware: Pirpi": [[67, 72]], "Malware: backdoor": [[73, 81], [151, 159]], "Malware: different": [[141, 150]]}, "info": {"id": "dnrti_train_002633", "source": "dnrti_train"}} {"text": "The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft .", "spans": {"Malware: Bemstour": [[26, 34]], "Organization: Symantec": [[43, 51]]}, "info": {"id": "dnrti_train_002634", "source": "dnrti_train"}} {"text": "Filensfer is a family of malware that has been used in targeted attacks since at least 2013 .", "spans": {"Malware: Filensfer": [[0, 9]]}, "info": {"id": "dnrti_train_002635", "source": "dnrti_train"}} {"text": "The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests .", "spans": {"Organization: Symantec": [[49, 57]], "Vulnerability: (CVE-2019-0703)": [[58, 73]]}, "info": {"id": "dnrti_train_002636", "source": "dnrti_train"}} {"text": "While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) .", "spans": {"Organization: Symantec": [[6, 14]], "Malware: Filensfer": [[45, 54]], "Malware: Buckeye malware": [[206, 221]], "Malware: (Backdoor.Pirpi)": [[222, 238]]}, "info": {"id": "dnrti_train_002637", "source": "dnrti_train"}} {"text": "CVE-2017-0143 was also used by two other exploit 
tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"Vulnerability: CVE-2017-0143": [[0, 13]], "Malware: tools—EternalRomance": [[49, 69]], "Malware: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_train_002638", "source": "dnrti_train"}} {"text": "Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers. In the case of the Buckeye exploit tool , the attackers exploited their own zero-day vulnerability (CVE-2019-0703) .", "spans": {"Malware: EternalRomance": [[25, 39]], "Malware: EternalSynergy": [[53, 67]], "Malware: CVE-2017-0143": [[86, 99]], "Malware: Buckeye exploit tool": [[216, 236]]}, "info": {"id": "dnrti_train_002639", "source": "dnrti_train"}} {"text": "It is noteworthy that the attackers never used the FuzzBunch framework in its attacks .", "spans": {"Organization: attackers": [[26, 35]], "Malware: FuzzBunch framework": [[51, 70]]}, "info": {"id": "dnrti_train_002640", "source": "dnrti_train"}} {"text": "FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017 .", "spans": {"Malware: FuzzBunch": [[0, 9]], "Organization: Shadow Brokers": [[110, 124]]}, "info": {"id": "dnrti_train_002641", "source": "dnrti_train"}} {"text": "There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak .", "spans": {"Organization: Buckeye": [[43, 50]], "Organization: Equation Group": [[60, 74]]}, "info": {"id": "dnrti_train_002642", "source": "dnrti_train"}} {"text": "However , aside from the continued use of the tools , Symantec has found no other evidence suggesting Buckeye has retooled .", "spans": {"Organization: Symantec": [[54, 62]], "Organization: Buckeye": [[102, 109]]}, "info": {"id": "dnrti_train_002643", "source": 
"dnrti_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"Malware: RTF": [[5, 8]], "Vulnerability: CVE-2017_1882": [[28, 41]], "Malware: eqnedt32.exe": [[45, 57]]}, "info": {"id": "dnrti_train_002644", "source": "dnrti_train"}} {"text": "And the dropper execute the iassvcs.exe to make a side loading and make the persistence .", "spans": {"Malware: dropper": [[8, 15]], "Malware: iassvcs.exe": [[28, 39]]}, "info": {"id": "dnrti_train_002645", "source": "dnrti_train"}} {"text": "This IP is very interesting because it connects with tele.zyns.com and old infrastructures used by chinese APT or DDOS Chinese team against the ancient soviet republics .", "spans": {"Organization: chinese APT": [[99, 110]]}, "info": {"id": "dnrti_train_002646", "source": "dnrti_train"}} {"text": "Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S .", "spans": {"Malware: Filensfer": [[28, 37]]}, "info": {"id": "dnrti_train_002647", "source": "dnrti_train"}} {"text": "All zero-day exploits known , or suspected , to have been used by this group are for vulnerabilities in Internet Explorer and Flash .", "spans": {"Organization: group": [[71, 76]], "Malware: Internet Explorer": [[104, 121]], "Malware: Flash": [[126, 131]]}, "info": {"id": "dnrti_train_002648", "source": "dnrti_train"}} {"text": "According to reports , the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats , or APTs .", "spans": {"Organization: cyberattacks": [[83, 95]]}, "info": {"id": "dnrti_train_002649", "source": "dnrti_train"}} {"text": "Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 .", "spans": {"Malware: Hussarini": [[54, 63]]}, "info": {"id": "dnrti_train_002650", "source": "dnrti_train"}} 
{"text": "OutExtra.exe is a signed legitimate application from Microsoft named finder.exe .", "spans": {"Malware: OutExtra.exe": [[0, 12]], "Malware: finder.exe": [[69, 79]]}, "info": {"id": "dnrti_train_002651", "source": "dnrti_train"}} {"text": "In addition to file-based protection , customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group .", "spans": {"Organization: DeepSight": [[56, 65]], "Organization: Buckeye": [[161, 168]]}, "info": {"id": "dnrti_train_002652", "source": "dnrti_train"}} {"text": "However , in this attack , this file is used to load the Hussarini backdoor via DLL hijacking .", "spans": {"Organization: attack": [[18, 24]], "Malware: DLL": [[80, 83]], "Malware: hijacking": [[84, 93]]}, "info": {"id": "dnrti_train_002653", "source": "dnrti_train"}} {"text": "Today , this malware is still actively being used against the Philippines .", "spans": {"Malware: malware": [[13, 20]]}, "info": {"id": "dnrti_train_002654", "source": "dnrti_train"}} {"text": "Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014 .", "spans": {"Organization: APT": [[33, 36]]}, "info": {"id": "dnrti_train_002655", "source": "dnrti_train"}} {"text": "Further analysis showed that the Iron cybercrime group used two main functions from HackingTeam's source in both IronStealer and Iron ransomware .", "spans": {"Organization: Iron": [[33, 37]], "Malware: IronStealer": [[113, 124]], "Malware: Iron ransomware": [[129, 144]]}, "info": {"id": "dnrti_train_002656", "source": "dnrti_train"}} {"text": "Xagent” is the original filename Xagent.exe whereas seems to be the version of the worm .", "spans": {"Malware: Xagent”": [[0, 7]], "Malware: worm": [[83, 87]]}, "info": {"id": "dnrti_train_002657", "source": "dnrti_train"}} {"text": "Xagent – A variant of JbossMiner Mining Worm” – a worm written in 
Python and compiled using PyInstaller for both Windows and Linux platforms .", "spans": {"Organization: Xagent": [[0, 6]], "Organization: JbossMiner Mining": [[22, 39]]}, "info": {"id": "dnrti_train_002658", "source": "dnrti_train"}} {"text": "Its activities were traced back to 2010 in FireEye's 2013 report on operation Ke3chang – a cyberespionage campaign directed at diplomatic organizations in Europe .", "spans": {"Organization: FireEye's": [[43, 52]], "Organization: Ke3chang": [[78, 86]]}, "info": {"id": "dnrti_train_002659", "source": "dnrti_train"}} {"text": "We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum .", "spans": {"Organization: Ke3chang": [[157, 165]], "Malware: backdoor": [[176, 184]], "Malware: Okrum": [[194, 199]]}, "info": {"id": "dnrti_train_002660", "source": "dnrti_train"}} {"text": "Furthermore , from 2015 to 2019 , we detected new versions of known malware families attributed to the Ke3chang group – BS2005 backdoors from operation Ke3chang and the RoyalDNS malware , reported by NCC Group in 2018 .", "spans": {"Organization: Ke3chang": [[103, 111]], "Malware: BS2005 backdoors": [[120, 136]], "Malware: RoyalDNS malware": [[169, 185]], "Organization: NCC": [[200, 203]]}, "info": {"id": "dnrti_train_002661", "source": "dnrti_train"}} {"text": "Ke3chang behind the attacks seemed to have a particular interest in Slovakia , where a big portion of the discovered malware samples was detected; Croatia , the Czech Republic and other countries were also affected .", "spans": {"Organization: Ke3chang": [[0, 8]]}, "info": {"id": "dnrti_train_002662", "source": "dnrti_train"}} {"text": "Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian 
embassies across the globe .", "spans": {"Malware: malware": [[30, 37]], "Malware: BS2005 backdoors": [[81, 97]], "Malware: TidePool malware": [[141, 157]], "Organization: Palo Alto": [[179, 188]]}, "info": {"id": "dnrti_train_002663", "source": "dnrti_train"}} {"text": "The story continued in late 2016 , when we discovered a new , previously unknown backdoor that we named Okrum .", "spans": {"Malware: backdoor": [[81, 89]], "Malware: Okrum": [[104, 109]]}, "info": {"id": "dnrti_train_002664", "source": "dnrti_train"}} {"text": "The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors .", "spans": {"Malware: Okrum malware": [[32, 45]], "Malware: backdoors": [[138, 147]]}, "info": {"id": "dnrti_train_002665", "source": "dnrti_train"}} {"text": "We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 .", "spans": {"Malware: Okrum backdoor": [[59, 73]], "Malware: Ketrican backdoor": [[93, 110]]}, "info": {"id": "dnrti_train_002666", "source": "dnrti_train"}} {"text": "In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors .", "spans": {"Malware: Okrum malware": [[54, 67]], "Malware: Ketrican backdoors": [[84, 102]]}, "info": {"id": "dnrti_train_002667", "source": "dnrti_train"}} {"text": "This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor .", "spans": {"Malware: RoyalDNS malware": [[51, 67]], "Malware: Ketrican": [[74, 82]]}, "info": {"id": "dnrti_train_002668", "source": "dnrti_train"}} {"text": "According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 .", "spans": {"Organization: ESET": [[13, 17]], "Malware: Okrum": [[30, 35]]}, "info": {"id": 
"dnrti_train_002669", "source": "dnrti_train"}} {"text": "In addition to file-based protection , customers of the DeepSight has received reports on Buckeye , which detail methods of detecting and thwarting activities of this group .", "spans": {"Organization: DeepSight": [[56, 65]], "Organization: Buckeye": [[90, 97]]}, "info": {"id": "dnrti_train_002670", "source": "dnrti_train"}} {"text": "In 2018 , we discovered a new version of the Ketrican backdoor that featured some code improvements .", "spans": {"Organization: we": [[10, 12]]}, "info": {"id": "dnrti_train_002671", "source": "dnrti_train"}} {"text": "According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia .", "spans": {"Malware: Okrum": [[29, 34]]}, "info": {"id": "dnrti_train_002672", "source": "dnrti_train"}} {"text": "Indeed , we have detected various external tools being abused by Okrum , such as a keylogger , tools for dumping passwords , or enumerating network sessions .", "spans": {"Organization: Okrum": [[65, 70]], "Malware: keylogger": [[83, 92]], "Malware: tools": [[95, 100]], "Malware: enumerating network sessions": [[128, 156]]}, "info": {"id": "dnrti_train_002673", "source": "dnrti_train"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", "spans": {"Malware: Okrum": [[52, 57]]}, "info": {"id": "dnrti_train_002674", "source": "dnrti_train"}} {"text": "The unnamed company makes products used in the military and aerospace industries , and the hackers could have been after commercial secrets or more traditional espionage , according to ClearSky , the cybersecurity firm that exposed the operation .", "spans": {"Organization: ClearSky": [[185, 193]]}, 
"info": {"id": "dnrti_train_002675", "source": "dnrti_train"}} {"text": "North Korean dictator Kim Jong Un has set ambitious economic goals , and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies’ trade secrets .", "spans": {"Organization: Pyongyang-affiliated hackers": [[136, 164]], "Organization: multinational companies’": [[202, 226]]}, "info": {"id": "dnrti_train_002676", "source": "dnrti_train"}} {"text": "According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month .", "spans": {"Organization: ClearSky": [[13, 21]], "Malware: WinRAR": [[104, 110]]}, "info": {"id": "dnrti_train_002677", "source": "dnrti_train"}} {"text": "This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object , the Elise backdoor .", "spans": {"Organization: Lotus Blossom": [[9, 22]], "System: malicious RTF": [[43, 56]]}, "info": {"id": "dnrti_train_002678", "source": "dnrti_train"}} {"text": "Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017 , this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region .", "spans": {"Organization: APT32": [[22, 27]]}, "info": {"id": "dnrti_train_002679", "source": "dnrti_train"}} {"text": "Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group .", "spans": {"Organization: Researchers": [[0, 11]], "Organization: Lazarus": [[23, 30]], "Malware: malicious implant": [[74, 91]], "Organization: Rising Sun": [[101, 111]]}, "info": {"id": "dnrti_train_002680", "source": 
"dnrti_train"}} {"text": "The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file , and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script .", "spans": {"Organization: attackers": [[4, 13]], "System: embedded": [[25, 33]]}, "info": {"id": "dnrti_train_002681", "source": "dnrti_train"}} {"text": "Lazarus used the open-source tool Invoke-PSImage , released December 20 , to embed the PowerShell script into the image file .", "spans": {"Organization: Lazarus": [[0, 7]], "Malware: Invoke-PSImage": [[34, 48]]}, "info": {"id": "dnrti_train_002682", "source": "dnrti_train"}} {"text": "Once the script runs , it passes the decoded script from the image file to the Windows command line in a variable $x , which uses cmd.exe to execute the obfuscated script and run it via PowerShell .", "spans": {"Organization: it": [[23, 25]], "Malware: PowerShell": [[186, 196]]}, "info": {"id": "dnrti_train_002683", "source": "dnrti_train"}} {"text": "The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 
24 2019 , warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names .", "spans": {"Organization: (DHS)": [[36, 41]]}, "info": {"id": "dnrti_train_002684", "source": "dnrti_train"}} {"text": "In the Sea Turtle campaign , Talos was able to identify two distinct groups of victims .", "spans": {"Organization: Talos": [[29, 34]]}, "info": {"id": "dnrti_train_002685", "source": "dnrti_train"}} {"text": "The first group , we identify as primary victims , includes national security organizations , ministries of foreign affairs , and prominent energy organizations .", "spans": {"Organization: group": [[10, 15]]}, "info": {"id": "dnrti_train_002686", "source": "dnrti_train"}} {"text": "The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors .", "spans": {"Organization: threat actors": [[4, 17]]}, "info": {"id": "dnrti_train_002687", "source": "dnrti_train"}} {"text": "In most cases , threat actors typically stop or slow down their activities once their campaigns are publicly revealed .", "spans": {"Organization: threat actors": [[16, 29]], "System: slow down their activities": [[48, 74]]}, "info": {"id": "dnrti_train_002688", "source": "dnrti_train"}} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space .", "spans": {"Organization: threat actors": [[4, 17]]}, "info": {"id": "dnrti_train_002689", "source": "dnrti_train"}} {"text": "If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will .", "spans": {"Organization: attacker": [[6, 14]]}, "info": {"id": "dnrti_train_002690", "source": "dnrti_train"}} {"text": "If the attackers were able to obtain one of these EPP keys , they would be able to 
modify any DNS records that were managed by that particular registrar .", "spans": {"Organization: attackers": [[7, 16]]}, "info": {"id": "dnrti_train_002691", "source": "dnrti_train"}} {"text": "Captured legitimate user credentials when users interacted with these actor - controlled servers .", "spans": {"Organization: actor": [[70, 75]], "System: controlled": [[78, 88]], "System: servers": [[89, 96]]}, "info": {"id": "dnrti_train_002692", "source": "dnrti_train"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": {"Malware: Sea Turtle": [[67, 77]]}, "info": {"id": "dnrti_train_002693", "source": "dnrti_train"}} {"text": "As of early 2019 , the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure .", "spans": {"System: spear-phishing": [[44, 58]], "Organization: threat vector": [[59, 72]]}, "info": {"id": "dnrti_train_002694", "source": "dnrti_train"}} {"text": "On January 4 , Packet Clearing House , which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system , provided confirmation of this aspect of the actors’ tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar .", "spans": {"Organization: actors’": [[236, 243]], "System: hijacked": [[312, 320]]}, "info": {"id": "dnrti_train_002695", "source": "dnrti_train"}} {"text": "During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries .", "spans": {"Organization: actor": [[32, 37]]}, "info": {"id": "dnrti_train_002696", "source": "dnrti_train"}} {"text": "The next step for the actor was to build MitM servers that impersonated legitimate services to 
capture user credentials .", "spans": {"Organization: actor": [[22, 27]], "Malware: MitM servers": [[41, 53]]}, "info": {"id": "dnrti_train_002697", "source": "dnrti_train"}} {"text": "In addition to the MitM server IP addresses published in previous reports , Talos identified 16 additional servers leveraged by the actor during the observed attacks .", "spans": {"Malware: MitM server": [[19, 30]], "Organization: Talos": [[76, 81]], "Malware: additional servers": [[96, 114]], "Organization: actor": [[132, 137]]}, "info": {"id": "dnrti_train_002698", "source": "dnrti_train"}} {"text": "The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials .", "spans": {"Organization: attackers": [[4, 13]], "Malware: MitM": [[95, 99]]}, "info": {"id": "dnrti_train_002699", "source": "dnrti_train"}} {"text": "In some cases , the victims were redirected to these actor-controlled servers displaying the stolen certificate .", "spans": {"Organization: actor-controlled": [[53, 69]], "Malware: servers": [[70, 77]]}, "info": {"id": "dnrti_train_002700", "source": "dnrti_train"}} {"text": "One notable aspect of the campaign was the actors' ability to impersonate VPN applications , such as Cisco Adaptive Security Appliance (ASA) products , to perform MitM attacks .", "spans": {"Organization: actors'": [[43, 50]], "Malware: VPN applications": [[74, 90]], "Malware: Adaptive Security Appliance": [[107, 134]]}, "info": {"id": "dnrti_train_002701", "source": "dnrti_train"}} {"text": "At this time , we do not believe that the attackers found a new ASA exploit .", "spans": {"Organization: we": [[15, 17]], "Organization: attackers": [[42, 51]], "Vulnerability: ASA": [[64, 67]], "Vulnerability: exploit": [[68, 75]]}, "info": {"id": "dnrti_train_002702", "source": "dnrti_train"}} {"text": "Rather , they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain 
remote access to the victim's network .", "spans": {"Organization: they": [[9, 13]], "Malware: ASA's": [[71, 76]]}, "info": {"id": "dnrti_train_002703", "source": "dnrti_train"}} {"text": "As an example , DNS records indicate that a targeted domain resolved to an actor-controlled MitM server .", "spans": {"Organization: actor-controlled": [[75, 91]], "Malware: MitM server": [[92, 103]]}, "info": {"id": "dnrti_train_002704", "source": "dnrti_train"}} {"text": "In another case , the attackers were able to compromise NetNod , a non-profit , independent internet infrastructure organization based in Sweden .", "spans": {"Organization: attackers": [[22, 31]], "System: compromise NetNod": [[45, 62]]}, "info": {"id": "dnrti_train_002705", "source": "dnrti_train"}} {"text": "Using this access , the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net .", "spans": {"Organization: actors": [[31, 37]], "System: manipulate": [[51, 61]]}, "info": {"id": "dnrti_train_002706", "source": "dnrti_train"}} {"text": "This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) .", "spans": {"Organization: attackers": [[29, 38]]}, "info": {"id": "dnrti_train_002707", "source": "dnrti_train"}} {"text": "In one of the more recent campaigns on March 27 , 2019 , the threat actors targeted the Sweden-based consulting firm Cafax .", "spans": {"Organization: threat actors": [[61, 74]], "Organization: Cafax": [[117, 122]]}, "info": {"id": "dnrti_train_002708", "source": "dnrti_train"}} {"text": "We assess with high confidence that Sea Turtle was targeted in an attempt to re-establish access to the NetNod network , which was previously compromised by this threat actor .", "spans": {"Organization: NetNod": [[104, 110]], "Organization: threat actor": [[162, 174]]}, "info": {"id": "dnrti_train_002709", "source": "dnrti_train"}} {"text": "Obtaining access to this ccTLD registrars would have allowed 
attackers to hijack any domain that used those ccTLDs .", "spans": {"Organization: attackers": [[61, 70]]}, "info": {"id": "dnrti_train_002710", "source": "dnrti_train"}} {"text": "These actors perform DNS hijacking through the use of actor-controlled name servers .", "spans": {"Organization: actors": [[6, 12]], "Malware: name servers": [[71, 83]]}, "info": {"id": "dnrti_train_002711", "source": "dnrti_train"}} {"text": "Sea Turtle have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs .", "spans": {"Organization: Sea Turtle": [[0, 10]]}, "info": {"id": "dnrti_train_002712", "source": "dnrti_train"}} {"text": "These actors use Let's Encrypts , Comodo , Sectigo , and self-signed certificates in their MitM servers to gain the initial round of credentials .", "spans": {"Organization: actors": [[6, 12]], "Malware: Encrypts": [[23, 31]], "Malware: Comodo": [[34, 40]], "Malware: Sectigo": [[43, 50]], "Malware: self-signed certificates": [[57, 81]], "Malware: MitM servers": [[91, 103]]}, "info": {"id": "dnrti_train_002713", "source": "dnrti_train"}} {"text": "These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs .", "spans": {"Organization: actors": [[6, 12]], "Organization: manage": [[131, 137]], "Organization: ccTLDs": [[138, 144]]}, "info": {"id": "dnrti_train_002714", "source": "dnrti_train"}} {"text": "Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers .", "spans": {"System: access to the network": [[15, 36]], "Organization: they": [[39, 43]], "Malware: actor-controlled": [[110, 126]], "Malware: servers": [[127, 134]]}, "info": {"id": "dnrti_train_002715", "source": "dnrti_train"}} {"text": "We believe that the Sea Turtle campaign continues to be highly successful for several reasons .", "spans": {"Organization: We": 
[[0, 2]]}, "info": {"id": "dnrti_train_002716", "source": "dnrti_train"}} {"text": "Had more ccTLDs implemented security features such as registrar locks , attackers would be unable to redirect the targeted domains .", "spans": {"System: ccTLDs": [[9, 15]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_train_002717", "source": "dnrti_train"}} {"text": "The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network .", "spans": {"Organization: attackers": [[4, 13]], "Malware: ASA": [[96, 99]]}, "info": {"id": "dnrti_train_002718", "source": "dnrti_train"}} {"text": "The threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials .", "spans": {"Organization: threat actors": [[4, 17]], "System: maintain": [[31, 39]], "System: utilizing compromised credentials": [[97, 130]]}, "info": {"id": "dnrti_train_002719", "source": "dnrti_train"}} {"text": "Cisco Talos will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed .", "spans": {"Organization: Cisco Talos": [[0, 11]]}, "info": {"id": "dnrti_train_002720", "source": "dnrti_train"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": {"Malware: xlsm file": [[38, 47]], "Malware: it": [[50, 52]]}, "info": {"id": "dnrti_train_002721", "source": "dnrti_train"}} {"text": "Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart .", "spans": {"Malware: link file": [[9, 18]], "Malware: AutoHotkeyU32.exe": [[45, 62]]}, "info": {"id": "dnrti_train_002722", "source": "dnrti_train"}} {"text": "More importantly , one of 
these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system .", "spans": {"System: download": [[55, 63]], "Malware: TeamViewer": [[67, 77]], "Organization: threat actors": [[112, 125]]}, "info": {"id": "dnrti_train_002723", "source": "dnrti_train"}} {"text": "Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources .", "spans": {"Malware: attacks": [[5, 12]], "System: downloading files": [[51, 68]]}, "info": {"id": "dnrti_train_002724", "source": "dnrti_train"}} {"text": "The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities .", "spans": {"Organization: hacking division": [[13, 29]], "Organization: NSA": [[105, 108]]}, "info": {"id": "dnrti_train_002725", "source": "dnrti_train"}} {"text": "By the end of 2016 , the CIA's hacking division , which formally falls under the agency's Center for Cyber Intelligence (CCI) , had over 5000 registered users and had produced more than a thousand hacking systems , trojans , viruses , and other weaponized malware .", "spans": {"Organization: CIA's hacking division": [[25, 47]], "Malware: hacking systems": [[197, 212]], "Malware: trojans": [[215, 222]], "Malware: viruses": [[225, 232]], "Malware: weaponized malware": [[245, 263]]}, "info": {"id": "dnrti_train_002726", "source": "dnrti_train"}} {"text": "Such is the scale of the CIA's undertaking that by 2016 , its hackers had utilized more code than that used to run Facebook .", "spans": {"Organization: hackers": [[62, 69]]}, "info": {"id": "dnrti_train_002727", "source": "dnrti_train"}} {"text": "Wikileaks has carefully reviewed the Year Zero disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical 
and political nature of the CIA's program and how such 'weapons' should analyzed , disarmed and published .", "spans": {"Organization: Wikileaks": [[0, 9]], "Organization: CIA": [[84, 87]]}, "info": {"id": "dnrti_train_002728", "source": "dnrti_train"}} {"text": "These redactions include ten of thousands of CIA targets and attack machines throughout Latin America , Europe and the United States .", "spans": {"Organization: CIA": [[45, 48]]}, "info": {"id": "dnrti_train_002729", "source": "dnrti_train"}} {"text": "The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization .", "spans": {"Malware: Weeping Angel": [[111, 124]], "Organization: CIA's": [[144, 149]], "Malware: smart TVs": [[196, 205]]}, "info": {"id": "dnrti_train_002730", "source": "dnrti_train"}} {"text": "After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on .", "spans": {"Organization: Weeping Angel": [[20, 33]]}, "info": {"id": "dnrti_train_002731", "source": "dnrti_train"}} {"text": "As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks .", "spans": {"Organization: CIA": [[23, 26]]}, "info": {"id": "dnrti_train_002732", "source": "dnrti_train"}} {"text": "The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones .", "spans": {"Organization: CIA's": [[4, 9]]}, "info": {"id": "dnrti_train_002733", "source": "dnrti_train"}} {"text": "Despite iPhone's minority share (14.5%) of the global smart phone market in 2016 , a specialized unit in the CIA's Mobile Development Branch produces malware to infest , control and exfiltrate data from iPhones and other Apple products 
running iOS , such as iPads .", "spans": {"Organization: CIA's": [[109, 114]], "Malware: iPhones": [[203, 210]], "Malware: Apple": [[221, 226]], "Malware: iOS": [[244, 247]], "Malware: iPads": [[258, 263]]}, "info": {"id": "dnrti_train_002734", "source": "dnrti_train"}} {"text": "The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS .", "spans": {"Organization: Samsung smart TVs": [[19, 36]], "Organization: MI5/BTSS": [[92, 100]]}, "info": {"id": "dnrti_train_002735", "source": "dnrti_train"}} {"text": "CIA's arsenal includes numerous local and remote zero days developed by CIA or obtained from GCHQ , NSA , FBI or purchased from cyber arms contractors such as Baitshop .", "spans": {"Organization: CIA's": [[0, 5]], "System: zero days": [[49, 58]], "Malware: GCHQ": [[93, 97]], "Malware: NSA": [[100, 103]], "Malware: cyber arms contractors": [[128, 150]]}, "info": {"id": "dnrti_train_002736", "source": "dnrti_train"}} {"text": "These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied .", "spans": {"Organization: CIA": [[28, 31]]}, "info": {"id": "dnrti_train_002737", "source": "dnrti_train"}} {"text": "The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware .", "spans": {"Organization: CIA": [[4, 7]]}, "info": {"id": "dnrti_train_002738", "source": "dnrti_train"}} {"text": "CIA's malware includes multiple local and remote weaponized zero days , air gap jumping viruses such as Hammer Drill which infects software distributed on CD/DVDs , infectors for removable media such as USBs , systems to hide data in images or in covert disk areas Brutal Kangaroo and to keep its malware infestations going .", "spans": {"Organization: CIA's": [[0, 5]], "System: zero days": [[60, 69]], "Malware: Hammer Drill": 
[[104, 116]], "Malware: Brutal Kangaroo": [[265, 280]]}, "info": {"id": "dnrti_train_002739", "source": "dnrti_train"}} {"text": "Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) , which has developed several attack systems for automated infestation and control of CIA malware , such as Assassin and Medusa .", "spans": {"Organization: CIA's": [[59, 64]], "Malware: Assassin": [[204, 212]], "Malware: Medusa": [[217, 223]]}, "info": {"id": "dnrti_train_002740", "source": "dnrti_train"}} {"text": "The CIA has developed automated multi-platform malware attack and control systems covering Windows , Mac OS X , Solaris , Linux and more , such as EDB's HIVE and the related Cutthroat and Swindle tools , which are described in the examples section below .", "spans": {"Organization: CIA": [[4, 7]], "Malware: Windows": [[91, 98]], "Malware: Mac OS X": [[101, 109]], "Malware: Solaris": [[112, 119]], "Malware: Linux": [[122, 127]], "Malware: HIVE": [[153, 157]], "Malware: Cutthroat": [[174, 183]], "Malware: Swindle": [[188, 195]]}, "info": {"id": "dnrti_train_002741", "source": "dnrti_train"}} {"text": "By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone &mdsh; at the expense of leaving everyone hackable .", "spans": {"Organization: Apple": [[55, 60]], "Organization: Google": [[65, 71]], "Organization: CIA": [[76, 79]]}, "info": {"id": "dnrti_train_002742", "source": "dnrti_train"}} {"text": "Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Shengen open border area — including France , Italy and Switzerland .", "spans": {"Organization: CIA": [[18, 21]]}, "info": {"id": "dnrti_train_002743", "source": "dnrti_train"}} {"text": "A number of the CIA's electronic attack methods are designed for physical proximity .", "spans": {"Organization: CIA's": [[16, 21]], "System: physical proximity": [[65, 83]]}, 
"info": {"id": "dnrti_train_002744", "source": "dnrti_train"}} {"text": "The attacker is provided with a USB containing malware developed for the CIA for this purpose , which is inserted into the targeted computer .", "spans": {"Organization: attacker": [[4, 12]], "Malware: USB containing malware": [[32, 54]]}, "info": {"id": "dnrti_train_002745", "source": "dnrti_train"}} {"text": "The attacker then infects and exfiltrates data to removable media .", "spans": {"Organization: attacker": [[4, 12]]}, "info": {"id": "dnrti_train_002746", "source": "dnrti_train"}} {"text": "As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts .", "spans": {"Organization: CIA": [[25, 28]], "Malware: malware": [[29, 36]]}, "info": {"id": "dnrti_train_002747", "source": "dnrti_train"}} {"text": "For example , the CIA attack system Fine Dining , provides 24 decoy applications for CIA spies to use .", "spans": {}, "info": {"id": "dnrti_train_002748", "source": "dnrti_train"}} {"text": "For example , Comodo was defeated by CIA malware placing itself in the Window's Recycle Bin .", "spans": {"Organization: Comodo": [[14, 20]], "Organization: CIA": [[37, 40]]}, "info": {"id": "dnrti_train_002749", "source": "dnrti_train"}} {"text": "CIA hackers discussed what the NSA's Equation Group hackers did wrong and how the CIA's malware makers could avoid similar exposure .", "spans": {"Organization: CIA": [[0, 3]], "Organization: Equation Group": [[37, 51]]}, "info": {"id": "dnrti_train_002750", "source": "dnrti_train"}} {"text": "The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation .", "spans": {"Organization: CIA's": [[4, 9]], "Organization: UMBRAGE": [[34, 41]]}, "info": {"id": "dnrti_train_002751", "source": 
"dnrti_train"}} {"text": "This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation .", "spans": {"Organization: CIA's": [[32, 37]], "Malware: 'JQJIMPROVISE'": [[38, 52]]}, "info": {"id": "dnrti_train_002752", "source": "dnrti_train"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies .", "spans": {"Malware: Margarita": [[33, 42]]}, "info": {"id": "dnrti_train_002753", "source": "dnrti_train"}} {"text": "HIVE is a multi-platform CIA malware suite and its associated control software .", "spans": {"Malware: HIVE": [[0, 4]], "Organization: CIA": [[25, 28]]}, "info": {"id": "dnrti_train_002754", "source": "dnrti_train"}} {"text": "A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple , Microsoft , Google , Samsung , Nokia , Blackberry , Siemens and anti-virus companies attribute and defend against attacks .", "spans": {"Organization: CIA": [[30, 33]], "Organization: Apple": [[136, 141]], "Organization: Microsoft": [[144, 153]], "Organization: Google": [[156, 162]], "Organization: Samsung": [[165, 172]], "Organization: Nokia": [[175, 180]], "Organization: Blackberry": [[183, 193]], "Organization: Siemens": [[196, 203]], "Organization: anti-virus companies": [[208, 228]]}, "info": {"id": "dnrti_train_002755", "source": "dnrti_train"}} {"text": "In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 .", "spans": {"Organization: Kaspersky": [[16, 25]]}, "info": {"id": "dnrti_train_002756", "source": "dnrti_train"}} {"text": "Yet again , new supply-chain attacks recently caught the attention of ESET Researchers .", "spans": {"Organization: ESET": [[70, 74]]}, "info": {"id": "dnrti_train_002757", "source": "dnrti_train"}} {"text": 
"Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn’t be surprising they are the work of the group described in Kaspersky’s Winnti – More than just a game” .", "spans": {"Organization: Kaspersky’s": [[156, 167]], "Organization: Winnti": [[168, 174]]}, "info": {"id": "dnrti_train_002758", "source": "dnrti_train"}} {"text": "The OSB functions as the interface between CIA operational staff and the relevant technical support staff .", "spans": {"Malware: OSB": [[4, 7]], "Organization: CIA": [[43, 46]]}, "info": {"id": "dnrti_train_002759", "source": "dnrti_train"}} {"text": "A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018 .", "spans": {"Organization: Recorded Future": [[120, 135]], "Organization: Rapid7": [[140, 146]]}, "info": {"id": "dnrti_train_002760", "source": "dnrti_train"}} {"text": "The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"Malware: Honeycomb": [[4, 13]]}, "info": {"id": "dnrti_train_002761", "source": "dnrti_train"}} {"text": "The attackers then enumerated access and conducted privilege escalation on the victim networks , utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware .", "spans": {"System: DLL sideloading": [[107, 122]], "Organization: APT10": [[167, 172]]}, "info": {"id": "dnrti_train_002762", "source": "dnrti_train"}} {"text": "On the two other victim networks , the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor , known to have only been used by APT10 .", "spans": {"Malware: UPPERCUT": [[82, 90]], "Organization: APT10": [[141, 146]]}, "info": {"id": "dnrti_train_002763", "source": "dnrti_train"}} {"text": 
"APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated to a Dropbox account using the cURL for Windows command-line tool .", "spans": {"Organization: APT10": [[0, 5]], "Malware: WinRAR": [[63, 69]], "Malware: cURL": [[145, 149]]}, "info": {"id": "dnrti_train_002764", "source": "dnrti_train"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": {"Malware: UMBRAGE": [[0, 7]]}, "info": {"id": "dnrti_train_002765", "source": "dnrti_train"}} {"text": "we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage .", "spans": {"Organization: APT10": [[70, 75]], "Organization: Stone Panda": [[90, 101]], "Organization: menuPass": [[104, 112]], "Organization: CVNX": [[115, 119]]}, "info": {"id": "dnrti_train_002766", "source": "dnrti_train"}} {"text": "On top of the breadth , volume , and targets of attacks that APT10 has conducted since at least 2016 , we now know that these operations are being run by the Chinese intelligence agency , the Ministry of State Security (MSS) .", "spans": {"Organization: APT10": [[61, 66]]}, "info": {"id": "dnrti_train_002767", "source": "dnrti_train"}} {"text": "Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , ” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients .", "spans": {"Organization: MSS": [[116, 119]]}, "info": {"id": "dnrti_train_002768", "source": "dnrti_train"}} {"text": "We assess that APT10 likely compromised Visma with 
the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property .", "spans": {"Organization: APT10": [[15, 20]]}, "info": {"id": "dnrti_train_002769", "source": "dnrti_train"}} {"text": "In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage .", "spans": {"Organization: APT10": [[26, 31]]}, "info": {"id": "dnrti_train_002770", "source": "dnrti_train"}} {"text": "The backdoor was deployed using the Notepad++ updater and sideloading malicious DLL , as noted in APT10’s targeting of Japanese corporations in July 2018 .", "spans": {"Organization: APT10’s": [[98, 105]]}, "info": {"id": "dnrti_train_002771", "source": "dnrti_train"}} {"text": "That attack was attributed to perpetrators Kaspersky called the Winnti Group .", "spans": {"Organization: Kaspersky": [[43, 52]], "Organization: Winnti Group": [[64, 76]]}, "info": {"id": "dnrti_train_002772", "source": "dnrti_train"}} {"text": "APT10 is a threat actor that has been active since at least 2009 .", "spans": {"Organization: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_002773", "source": "dnrti_train"}} {"text": "APT10 has historically targeted healthcare , defense , aerospace , government , heavy industry and mining , and MSPs and IT services , as well as other sectors , for probable intellectual property theft .", "spans": {"Organization: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_002774", "source": "dnrti_train"}} {"text": "We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date .", "spans": {"Organization: APT10": [[11, 16]]}, "info": {"id": "dnrti_train_002775", "source": "dnrti_train"}} {"text": "In the blog , Intrusion Truth identified APT10 as having utilized several Tianjin-based companies , including Huaying Haitai Science and Technology Development Co Ltd and Laoying Baichen 
Instruments Equipment Co Ltd .", "spans": {"Organization: APT10": [[41, 46]]}, "info": {"id": "dnrti_train_002776", "source": "dnrti_train"}} {"text": "Based on the technical data uncovered , and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors .", "spans": {"Organization: Chinese state-sponsored": [[138, 161]]}, "info": {"id": "dnrti_train_002777", "source": "dnrti_train"}} {"text": "Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec , which was identified as a shell company for APT3 .", "spans": {"Organization: Guangdong ITSEC": [[38, 53]], "Organization: Boyusec": [[121, 128]], "Organization: APT3": [[175, 179]]}, "info": {"id": "dnrti_train_002778", "source": "dnrti_train"}} {"text": "Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world .", "spans": {"Organization: MSS": [[73, 76]]}, "info": {"id": "dnrti_train_002779", "source": "dnrti_train"}} {"text": "The December APT10 indictment noted that the group’s malicious activities breached at least 45 companies and managed service providers in 12 countries , including Brazil , Canada , Finland , France , Germany , India , Japan , Sweden , Switzerland , the United Arab Emirates , the United Kingdom , and the United States .", "spans": {"Organization: APT10": [[13, 18]]}, "info": {"id": "dnrti_train_002780", "source": "dnrti_train"}} {"text": "In all three incidents , APT10 gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials .", "spans": {"Organization: APT10": [[25, 30]], "Malware: Citrix": [[80, 86]], "Malware: LogMeIn": [[91, 98]]}, "info": {"id": "dnrti_train_002781", "source": "dnrti_train"}} {"text": "In all three incidents , the attackers 
gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials .", "spans": {"Organization: attackers": [[29, 38]], "System: stolen": [[136, 142]]}, "info": {"id": "dnrti_train_002782", "source": "dnrti_train"}} {"text": "In all three incidents , APT10 actors used previously acquired legitimate credentials , possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company .", "spans": {"Organization: APT10": [[25, 30]], "System: used": [[38, 42]]}, "info": {"id": "dnrti_train_002783", "source": "dnrti_train"}} {"text": "In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks .", "spans": {"Organization: APT10": [[16, 21]], "Organization: (MSPs)": [[91, 97]]}, "info": {"id": "dnrti_train_002784", "source": "dnrti_train"}} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) .", "spans": {"Malware: 'Improvise'": [[0, 11]], "System: Windows": [[182, 189]], "System: MacOS": [[204, 209]], "System: Linux": [[224, 229]]}, "info": {"id": "dnrti_train_002785", "source": "dnrti_train"}} {"text": "During this operation (dubbed ‘Cloud Hopper” because of the group’s use of popular western cloud-based services) , APT10 utilized both new malware (Quasar RAT , Trochilus , RedLeaves , ChChes as well as some familiar old tools .", "spans": {"Organization: APT10": [[115, 120]], "Malware: (Quasar RAT": [[147, 158]], "Malware: Trochilus": [[161, 170]], "Malware: RedLeaves": [[173, 182]], "Malware: ChChes": [[185, 191]]}, "info": {"id": "dnrti_train_002786", "source": "dnrti_train"}} {"text": "Most recently , on December 20 , 2018 , the U.S. 
Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property .", "spans": {"Organization: U.S. Department": [[44, 59]], "Organization: hackers": [[83, 90]]}, "info": {"id": "dnrti_train_002787", "source": "dnrti_train"}} {"text": "This indictment attributed the intrusions to APT10 , a group that had been conducting the malicious activities for over a decade on behalf of the MSS , China’s civilian human intelligence agency .", "spans": {"Organization: APT10": [[45, 50]]}, "info": {"id": "dnrti_train_002788", "source": "dnrti_train"}} {"text": "The Visma group operates across the entire Nordic region along with Benelux , Central , and Eastern Europe .", "spans": {"Organization: Visma": [[4, 9]]}, "info": {"id": "dnrti_train_002789", "source": "dnrti_train"}} {"text": "Recorded Future has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 .", "spans": {"Organization: Recorded Future": [[0, 15]], "Organization: APT10": [[37, 42]]}, "info": {"id": "dnrti_train_002790", "source": "dnrti_train"}} {"text": "We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10 , given their potential access through compromised MSP networks .", "spans": {"Organization: APT10": [[123, 128]], "Organization: MSP": [[180, 183]]}, "info": {"id": "dnrti_train_002791", "source": "dnrti_train"}} {"text": "Recorded Future’s Insikt Group has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 .", "spans": {"Organization: Recorded Future’s": [[0, 17]]}, "info": {"id": "dnrti_train_002792", "source": "dnrti_train"}} {"text": "In September 
2018 , one of our clients (and a supplier as well) , Visma , reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7 .", "spans": {"Organization: Rapid7": [[198, 204]]}, "info": {"id": "dnrti_train_002793", "source": "dnrti_train"}} {"text": "This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access .", "spans": {"Malware: Visma endpoints": [[110, 125]]}, "info": {"id": "dnrti_train_002794", "source": "dnrti_train"}} {"text": "On August 30 , 2018 , APT10 deployed their first modified version of Trochilus that had its C2 communications encrypted using Salsa20 and RC4 ciphers instead of the more common RC4-encrypted Trochilus variant seen in the wild .", "spans": {"Organization: APT10": [[22, 27]], "Malware: Trochilus": [[69, 78]]}, "info": {"id": "dnrti_train_002795", "source": "dnrti_train"}} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": {"Malware: sample": [[5, 11]], "Malware: Trochilus": [[31, 40]]}, "info": {"id": "dnrti_train_002796", "source": "dnrti_train"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": {"Malware: configuration file": [[4, 22]]}, "info": {"id": "dnrti_train_002797", "source": "dnrti_train"}} {"text": "APT10 also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API .", "spans": {"Organization: APT10": [[0, 5]], "Malware: WinRAR": [[16, 22]], "Malware: cURL": [[27, 31]]}, "info": {"id": "dnrti_train_002798", "source": "dnrti_train"}} {"text": "In order to exfiltrate the 
compromised data , APT10 employed custom malware that used Dropbox as its C2 .", "spans": {"Organization: APT10": [[46, 51]], "Malware: Dropbox": [[86, 93]]}, "info": {"id": "dnrti_train_002799", "source": "dnrti_train"}} {"text": "They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API .", "spans": {"Malware: Visma": [[120, 125]], "Malware: Dropbox API": [[141, 152]]}, "info": {"id": "dnrti_train_002800", "source": "dnrti_train"}} {"text": "Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company .", "spans": {"Organization: Rapid7": [[21, 27]], "Malware: Dropbox": [[45, 52]], "Organization: attackers": [[76, 85]]}, "info": {"id": "dnrti_train_002801", "source": "dnrti_train"}} {"text": "They also identified broadly similar TTPs being used in the attack against a U.S law firm specializing in intellectual property law .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_train_002802", "source": "dnrti_train"}} {"text": "Rapid7’s investigation revealed the law firm was first targeted in late 2017 , followed by the apparel company a few months later , and finally , the Visma attack in August 2018 .", "spans": {"Organization: Rapid7’s": [[0, 8]], "Organization: law firm": [[36, 44]]}, "info": {"id": "dnrti_train_002803", "source": "dnrti_train"}} {"text": "In one of the attacks , Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop .", "spans": {"Organization: Rapid7": [[24, 30]], "Organization: attackers": [[46, 55]], "Malware: Citrix": [[67, 73]]}, "info": {"id": "dnrti_train_002804", "source": "dnrti_train"}} {"text": "Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as 
well 1.bat , cu.exe , ss.rar , r.exe , pd.exe .", "spans": {"Malware: Visma": [[66, 71]], "Organization: APT10": [[128, 133]], "Malware: 1.bat": [[169, 174]], "Malware: cu.exe": [[177, 183]], "Malware: ss.rar": [[186, 192]], "Malware: r.exe": [[195, 200]], "Malware: pd.exe": [[203, 209]]}, "info": {"id": "dnrti_train_002805", "source": "dnrti_train"}} {"text": "Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL .", "spans": {"Organization: Rapid7": [[21, 27]], "Malware: gup.exe": [[70, 77]], "Malware: ANEL": [[215, 219]]}, "info": {"id": "dnrti_train_002806", "source": "dnrti_train"}} {"text": "APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018 .", "spans": {"Organization: APT10": [[0, 5]], "Malware: UPPERCUT": [[35, 43]]}, "info": {"id": "dnrti_train_002807", "source": "dnrti_train"}} {"text": "APT10 actors gained initial access to the Visma network around August 17 , 2018 .", "spans": {"Organization: APT10": [[0, 5]], "Malware: Visma network": [[42, 55]]}, "info": {"id": "dnrti_train_002808", "source": "dnrti_train"}} {"text": "While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials , it is not clear how or when these credentials were initially compromised .", "spans": {"Organization: APT10": [[28, 33]], "Organization: Visma": [[62, 67]], "Malware: Citrix remote desktop": [[108, 129]]}, "info": {"id": "dnrti_train_002809", "source": "dnrti_train"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials .", "spans": 
{"Organization: Insikt Group": [[0, 12]], "Malware: Citrix-hosted": [[111, 124]]}, "info": {"id": "dnrti_train_002810", "source": "dnrti_train"}} {"text": "After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading techniquE .", "spans": {"Organization: APT10": [[47, 52]], "Malware: Trochilus": [[194, 203]]}, "info": {"id": "dnrti_train_002811", "source": "dnrti_train"}} {"text": "This means that APT10 actors had two separate access points into the Visma network .", "spans": {"Organization: APT10": [[16, 21]], "Malware: Visma network": [[69, 82]]}, "info": {"id": "dnrti_train_002812", "source": "dnrti_train"}} {"text": "This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack .", "spans": {"Organization: APT10": [[115, 120]]}, "info": {"id": "dnrti_train_002813", "source": "dnrti_train"}} {"text": "Other examples of malicious infrastructure registered with internet.bs include domains for APT28’s VPNFilter malware campaign and the registration of the cyber-berkut .", "spans": {"Organization: APT28’s": [[91, 98]], "Malware: VPNFilter": [[99, 108]], "Malware: cyber-berkut": [[154, 166]]}, "info": {"id": "dnrti_train_002814", "source": "dnrti_train"}} {"text": "org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut .", "spans": {"Organization: CyberBerkut": [[102, 113]]}, "info": {"id": "dnrti_train_002815", "source": "dnrti_train"}} {"text": "KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK .", "spans": {"Malware: KHRAT": [[0, 5]], "Malware: backdoor trojan": [[11, 26]], "Organization: DragonOK": [[91, 99]]}, "info": {"id": 
"dnrti_train_002816", "source": "dnrti_train"}} {"text": "In early 2018 , Rapid7 identified that APT10 compromised an apparel company , based upon detections and intelligence gathered from the U.S.-based law firm breach .", "spans": {"Organization: Rapid7": [[16, 22]], "Organization: APT10": [[39, 44]]}, "info": {"id": "dnrti_train_002817", "source": "dnrti_train"}} {"text": "The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network .", "spans": {"Organization: attacker": [[4, 12]], "Malware: Citrix": [[63, 69]]}, "info": {"id": "dnrti_train_002818", "source": "dnrti_train"}} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe.” The attackers used identical TTPs for executing malware and Mimikatz as observed before , by using DLL sideloading with known good binaries that had DLL search order path issues .", "spans": {"Organization: Rapid7": [[0, 6]], "Organization: APT10": [[22, 27]], "Malware: Mimikatz": [[127, 135]]}, "info": {"id": "dnrti_train_002819", "source": "dnrti_train"}} {"text": "Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 .", "spans": {"Organization: Rapid7": [[0, 6]], "Malware: Dropbox": [[92, 99]]}, "info": {"id": "dnrti_train_002820", "source": "dnrti_train"}} {"text": "The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script .", "spans": {"Organization: attackers": [[4, 13]], "Malware: 1.bat": [[106, 111]]}, "info": {"id": "dnrti_train_002821", "source": "dnrti_train"}} {"text": "APT10 used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script .", 
"spans": {"Organization: APT10": [[0, 5]], "System: mounting": [[50, 58]], "System: task scheduler": [[118, 132]]}, "info": {"id": "dnrti_train_002822", "source": "dnrti_train"}} {"text": "For exfiltration of stolen data , APT10 used WinRAR and renamed rar.exe” to r.exe” to create archives , upload them with curl.exe” (renamed to c.exe”) , and again , use the cloud storage provider Dropbox .", "spans": {"Organization: APT10": [[34, 39]], "Malware: WinRAR": [[45, 51]], "Malware: rar.exe”": [[64, 72]], "Malware: r.exe”": [[76, 82]], "Malware: Dropbox": [[196, 203]]}, "info": {"id": "dnrti_train_002823", "source": "dnrti_train"}} {"text": "Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma .", "spans": {"Organization: Rapid7": [[0, 6]], "Organization: attacker": [[97, 105]], "System: attribute data": [[144, 158]]}, "info": {"id": "dnrti_train_002824", "source": "dnrti_train"}} {"text": "Once on the Visma network , APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \\ProgramData\\temp\\ directory on the infected host .", "spans": {"Malware: Visma network": [[12, 25]], "Organization: APT10": [[28, 33]], "Malware: BITSAdmin": [[63, 72]]}, "info": {"id": "dnrti_train_002825", "source": "dnrti_train"}} {"text": "Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018 .", "spans": {"Organization: Rapid7": [[0, 6]]}, "info": {"id": "dnrti_train_002826", "source": "dnrti_train"}} {"text": "We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations .", "spans": {"Organization: APT10": [[11, 16]]}, "info": {"id": "dnrti_train_002827", "source": "dnrti_train"}} {"text": "APT10's unprecedented campaign against MSPs , alleged to have 
included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world .", "spans": {"Organization: APT10's": [[0, 7]], "Organization: MSPs": [[39, 43]]}, "info": {"id": "dnrti_train_002828", "source": "dnrti_train"}} {"text": "This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations , led by the U.S Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security .", "spans": {"Organization: APT10": [[161, 166]]}, "info": {"id": "dnrti_train_002829", "source": "dnrti_train"}} {"text": "This report , alongside the plethora of other reporting on APT10 operations , acutely highlights the vulnerability of organizational supply chains .", "spans": {"Organization: APT10": [[59, 64]], "System: highlights": [[86, 96]]}, "info": {"id": "dnrti_train_002830", "source": "dnrti_train"}} {"text": "We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor .", "spans": {"Organization: groups": [[15, 21]], "Vulnerability: CVE-2018-0798": [[35, 48]]}, "info": {"id": "dnrti_train_002831", "source": "dnrti_train"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_train_002832", "source": "dnrti_train"}} {"text": "After further analysis , it was discovered that the RTF 
files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"Malware: RTF files": [[52, 61]], "Vulnerability: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_train_002833", "source": "dnrti_train"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Organization: Anomali": [[0, 7]], "Malware: ITW": [[86, 89]], "Vulnerability: CVE-2018-0798": [[117, 130]]}, "info": {"id": "dnrti_train_002834", "source": "dnrti_train"}} {"text": "The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 .", "spans": {"Malware: ITW": [[32, 35]], "Malware: RTF": [[195, 198]]}, "info": {"id": "dnrti_train_002835", "source": "dnrti_train"}} {"text": "CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption .", "spans": {"Vulnerability: CVE-2018-0798": [[0, 13]], "Organization: threat actor": [[91, 103]]}, "info": {"id": "dnrti_train_002836", "source": "dnrti_train"}} {"text": "As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity .", "spans": {"Vulnerability: CVE-2017-11882": [[28, 42]], "Vulnerability: CVE-2018-0802": [[47, 60]], "Malware: weaponizer": [[67, 77]], "Organization: actors": [[126, 132]]}, "info": {"id": "dnrti_train_002837", "source": "dnrti_train"}} {"text": "Upon decrypting and executing , it drops two additional files wsc_proxy.exe” (legitimate Avast executable) and a malicious DLL wsc.dll” in the %TEMP% folder .", "spans": {"Malware: wsc_proxy.exe”": [[62, 
76]], "Malware: wsc.dll”": [[127, 135]]}, "info": {"id": "dnrti_train_002838", "source": "dnrti_train"}} {"text": "However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) .", "spans": {"Organization: we": [[38, 40]], "Malware: AsyncRAT": [[104, 112]]}, "info": {"id": "dnrti_train_002839", "source": "dnrti_train"}} {"text": "Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer .", "spans": {"Organization: threat groups": [[90, 103]], "Vulnerability: CVE-2018-0798": [[122, 135]], "Malware: RTF weaponizer": [[145, 159]]}, "info": {"id": "dnrti_train_002840", "source": "dnrti_train"}} {"text": "These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers .", "spans": {"Organization: threat groups": [[37, 50]], "Vulnerability: CVE-2018-0798": [[103, 116]]}, "info": {"id": "dnrti_train_002841", "source": "dnrti_train"}} {"text": "In addition , a current ANY.RUN playback of our observed Elise infection is also available .", "spans": {"Malware: ANY.RUN": [[24, 31]], "Malware: Elise": [[57, 62]]}, "info": {"id": "dnrti_train_002842", "source": "dnrti_train"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"Vulnerability: CVE-2017-11882": [[66, 80]], "Malware: 'NavShExt.dll'": [[147, 161]], "Malware: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_train_002843", "source": "dnrti_train"}} {"text": "Moving through the infection process 
, NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: CVE-2017-1182": [[87, 100]], "Malware: Microsoft Equation Editor": [[118, 143]], "Malware: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_train_002844", "source": "dnrti_train"}} {"text": "Most recently though , a new campaign , targeting Belarus , Turkey and Ukraine , has emerged that caught the attention of Check Point researchers .", "spans": {"Organization: Check Point": [[122, 133]]}, "info": {"id": "dnrti_train_002845", "source": "dnrti_train"}} {"text": "The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group .", "spans": {"Malware: POWERSTATS": [[158, 168]], "Malware: PowerShell backdoor": [[183, 202]], "Organization: threat group": [[211, 223]]}, "info": {"id": "dnrti_train_002846", "source": "dnrti_train"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more .", "spans": {"Malware: backdoor": [[14, 22]]}, "info": {"id": "dnrti_train_002847", "source": "dnrti_train"}} {"text": "If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe” .", "spans": {"Malware: SPK KANUN": [[17, 26]], "Malware: CiscoAny.exe”": [[151, 164]]}, "info": {"id": "dnrti_train_002848", "source": "dnrti_train"}} {"text": "INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll .", "spans": {"Malware: INF files": [[0, 8]], "Organization: MuddyWater": [[39, 49]], "Malware: Advpack.dll": [[86, 97]], 
"Malware: IEAdvpack.dll": [[106, 119]]}, "info": {"id": "dnrti_train_002849", "source": "dnrti_train"}} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": {"Malware: VBA2Graph": [[23, 32]]}, "info": {"id": "dnrti_train_002850", "source": "dnrti_train"}} {"text": "Although it has focused most of its efforts on the Middle East region , the political affiliations , motives and purposes behind MuddyWater’s attacks are not very well- defined , thus earning it its name .", "spans": {"Organization: MuddyWater’s": [[128, 140]]}, "info": {"id": "dnrti_train_002851", "source": "dnrti_train"}} {"text": "In the past , countries such as Saudi Arabia , the UAE and Turkey have been a MuddyWater's main target , but the campaigns have also reached a much wider audience , making their way to victims in countries such as Belarus and Ukraine .", "spans": {"Organization: MuddyWater's": [[78, 90]]}, "info": {"id": "dnrti_train_002852", "source": "dnrti_train"}} {"text": "MuddyWater target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments .", "spans": {"Organization: MuddyWater": [[0, 10]], "System: spear phishing": [[79, 93]]}, "info": {"id": "dnrti_train_002853", "source": "dnrti_train"}} {"text": "Most recently MuddyWater were connected to a campaign in March that targeted organizations in Turkey , Pakistan , and Tajikistan .", "spans": {"Organization: MuddyWater": [[14, 24]]}, "info": {"id": "dnrti_train_002854", "source": "dnrti_train"}} {"text": "The group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_002855", "source": "dnrti_train"}} {"text": "Our analysis revealed that they drop a new backdoor , which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor .", 
"spans": {"Organization: MuddyWater’s": [[88, 100]], "Malware: POWERSTATS backdoor": [[107, 126]]}, "info": {"id": "dnrti_train_002856", "source": "dnrti_train"}} {"text": "We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file .", "spans": {"Malware: PowerShell": [[37, 47]], "Malware: .dll file": [[105, 114]]}, "info": {"id": "dnrti_train_002857", "source": "dnrti_train"}} {"text": "This backdoor has some features similar to a previously discovered version of the Muddywater backdoor .", "spans": {"Malware: backdoor": [[5, 13]], "Organization: Muddywater": [[82, 92]]}, "info": {"id": "dnrti_train_002858", "source": "dnrti_train"}} {"text": "Based on our analysis , we can confirm that MuddyWater target Turkish government organizations related to the finance and energy sectors .", "spans": {"Organization: MuddyWater": [[44, 54]]}, "info": {"id": "dnrti_train_002859", "source": "dnrti_train"}} {"text": "This is yet another similarity with previous MuddyWater campaigns , which were known to have targeted multiple Turkish government entities .", "spans": {"Organization: MuddyWater": [[45, 55]]}, "info": {"id": "dnrti_train_002860", "source": "dnrti_train"}} {"text": "The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents .", "spans": {"Malware: backdoor": [[41, 49]], "System: spear": [[53, 58]], "System: phishing": [[59, 67]], "System: spam": [[78, 82]]}, "info": {"id": "dnrti_train_002861", "source": "dnrti_train"}} {"text": "Trend Micro™ Deep Discovery™ provides detection , in-depth analysis , and proactive response to today’s stealthy malware , and targeted attacks in real time .", "spans": {"Organization: Trend Micro™": [[0, 12]], "Organization: attacks": [[136, 143]]}, "info": {"id": "dnrti_train_002862", "source": "dnrti_train"}} {"text": "MuddyWater first surfaced in 2017 .", "spans": 
{"Organization: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_002863", "source": "dnrti_train"}} {"text": "First stage infections and graphical decoys have been described by multiple sources , including in our previous research MuddyWater expands operations .", "spans": {"Organization: MuddyWater": [[121, 131]]}, "info": {"id": "dnrti_train_002864", "source": "dnrti_train"}} {"text": "MuddyWater compiles various offensive Python scripts .", "spans": {"Organization: MuddyWater": [[0, 10]], "Malware: Python": [[38, 44]], "Malware: scripts": [[45, 52]]}, "info": {"id": "dnrti_train_002865", "source": "dnrti_train"}} {"text": "This includes Python scripts .", "spans": {}, "info": {"id": "dnrti_train_002866", "source": "dnrti_train"}} {"text": "Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions .", "spans": {"Malware: Stageless Meterpreter": [[14, 35]], "Malware: Ext_server_stdapi.x64.dll”": [[44, 70]], "Malware: Ext_server_extapi.x64.dll”": [[73, 99]], "Malware: Ext_server_espia.x64.dll”": [[106, 131]]}, "info": {"id": "dnrti_train_002867", "source": "dnrti_train"}} {"text": "The January 2017 report followed up on other private reports published on the group’s BeEF-related activity in 2015 and 2016 .", "spans": {"Organization: BeEF-related": [[86, 98]]}, "info": {"id": "dnrti_train_002868", "source": "dnrti_train"}} {"text": "Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets , and lacks advanced offensive technology development capabilities .", "spans": {"Organization: NewsBeef": [[25, 33]]}, "info": {"id": "dnrti_train_002869", "source": "dnrti_train"}} {"text": "However , in the summer of 2016 , NewsBeef deployed a new toolset that includes macro-enabled Office documents , PowerSploit , and the Pupy backdoor .", "spans": {"Organization: NewsBeef": [[34, 42]], "Malware: macro-enabled Office documents": [[80, 
110]], "Malware: PowerSploit": [[113, 124]], "Malware: Pupy backdoor": [[135, 148]]}, "info": {"id": "dnrti_train_002870", "source": "dnrti_train"}} {"text": "The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails , links sent over social media/standalone private messaging applications , and watering hole attacks that leverage compromised high-profile websites some belonging to the SA government .", "spans": {"Organization: NewsBeef": [[16, 24]], "System: spearphishing": [[72, 85]], "System: social media/standalone": [[111, 134]], "System: private messaging applications": [[135, 165]], "System: watering hole": [[172, 185]]}, "info": {"id": "dnrti_train_002871", "source": "dnrti_train"}} {"text": "The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets .", "spans": {"Organization: NewsBeef": [[4, 12]]}, "info": {"id": "dnrti_train_002872", "source": "dnrti_train"}} {"text": "NewsBeef continues to deploy malicious macro-enabled Office documents , poisoned legitimate Flash and Chrome installers , PowerSploit , and Pupy tools .", "spans": {"Organization: NewsBeef": [[0, 8]], "Malware: Flash": [[92, 97]], "Malware: Chrome installers": [[102, 119]], "Malware: PowerSploit": [[122, 133]], "Malware: Pupy tools": [[140, 150]]}, "info": {"id": "dnrti_train_002873", "source": "dnrti_train"}} {"text": "The NewsBeef campaign is divided into two main attack vectors , spearphishing and strategic web compromise watering hole attacks .", "spans": {"Organization: NewsBeef": [[4, 12]], "System: spearphishing": [[64, 77]], "System: strategic web compromise": [[82, 106]], "System: watering hole": [[107, 120]]}, "info": {"id": "dnrti_train_002874", "source": "dnrti_train"}} {"text": "On December 25 , 2016 , the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations .", "spans": 
{"Organization: NewsBeef": [[28, 36]], "System: spear-phishing": [[176, 190]]}, "info": {"id": "dnrti_train_002875", "source": "dnrti_train"}} {"text": "These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to NewsBeef's targets .", "spans": {"Organization: NewsBeef's": [[126, 136]]}, "info": {"id": "dnrti_train_002876", "source": "dnrti_train"}} {"text": "However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application .", "spans": {"Organization: Kaspersky": [[10, 19]], "Malware: outlook.live.com”": [[119, 136]]}, "info": {"id": "dnrti_train_002877", "source": "dnrti_train"}} {"text": "Interestingly , NewsBeef set up its server using the hosting provider Choopa , LLC , US” , the same hosting provider that the group used in attacks over the summer of 2016 .", "spans": {"Organization: NewsBeef": [[16, 24]], "Malware: Choopa": [[70, 76]], "Malware: LLC": [[79, 82]], "Malware: US”": [[85, 88]]}, "info": {"id": "dnrti_train_002878", "source": "dnrti_train"}} {"text": "NTG’s IT focus and client list likely aided NewsBeef’s delivery of malicious PowerShell-enabled Office documents and poisoned installers .", "spans": {"Organization: NTG’s": [[0, 5]], "Organization: NewsBeef’s": [[44, 54]]}, "info": {"id": "dnrti_train_002879", "source": "dnrti_train"}} {"text": "In other schemes , NewsBeef sent macro-enabled Office attachments from spoofed law firm identities or other relevant service providers to targets in SA .", "spans": {"Organization: NewsBeef": [[19, 27]]}, "info": {"id": "dnrti_train_002880", "source": "dnrti_train"}} {"text": "The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign .", "spans": {"Organization: targets": [[88, 95]]}, "info": {"id": "dnrti_train_002881", "source": 
"dnrti_train"}} {"text": "Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to http://analytics-google.org:69/Check.aspx .", "spans": {"Organization: NewsBeef": [[27, 35]]}, "info": {"id": "dnrti_train_002882", "source": "dnrti_train"}} {"text": "For example , on a Saudi government website , the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site the packed and unpacked JavaScript is shown below .", "spans": {"Organization: NewsBeef": [[50, 58]], "Malware: JavaScript": [[206, 216]]}, "info": {"id": "dnrti_train_002883", "source": "dnrti_train"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"Malware: JavaScript": [[4, 14]]}, "info": {"id": "dnrti_train_002884", "source": "dnrti_train"}} {"text": "A high volume of redirections from the compromised site continues into mid-January 2017 .", "spans": {"Organization: redirections": [[17, 29]]}, "info": {"id": "dnrti_train_002885", "source": "dnrti_train"}} {"text": "However , as this recent campaign indicates , the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents , PowerSploit , and Pupy .", "spans": {"Organization: NewsBeef": [[50, 58]], "Malware: Office documents": [[160, 176]], "Malware: PowerSploit": [[179, 190]], "Malware: Pupy": [[197, 201]]}, "info": {"id": "dnrti_train_002886", "source": "dnrti_train"}} {"text": "Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net .", "spans": {}, "info": {"id": "dnrti_train_002887", "source": "dnrti_train"}} {"text": 
"Its attack activities can be traced back to April 2012 .", "spans": {}, "info": {"id": "dnrti_train_002888", "source": "dnrti_train"}} {"text": "The OceanLotus reflects a very strong confrontational ability and willing to attack by keep evolving their techniques .", "spans": {"Organization: OceanLotus": [[4, 14]], "System: reflects": [[15, 23]]}, "info": {"id": "dnrti_train_002889", "source": "dnrti_train"}} {"text": "These APT attacks and adopting confrontation measures will exist for a long time .", "spans": {"Organization: APT": [[6, 9]], "Organization: adopting confrontation measures": [[22, 53]]}, "info": {"id": "dnrti_train_002890", "source": "dnrti_train"}} {"text": "OceanLotus’ targets are global .", "spans": {"Organization: OceanLotus’": [[0, 11]]}, "info": {"id": "dnrti_train_002891", "source": "dnrti_train"}} {"text": "OceanLotus have been actively using since at least early 2018 .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "dnrti_train_002892", "source": "dnrti_train"}} {"text": "OceanLotus malware family samples used no earlier than 2017 .", "spans": {"Organization: OceanLotus": [[0, 10]]}, "info": {"id": "dnrti_train_002893", "source": "dnrti_train"}} {"text": "We identified two methods to deliver the KerrDown downloader to targets .", "spans": {"Organization: We": [[0, 2]], "Malware: KerrDown": [[41, 49]]}, "info": {"id": "dnrti_train_002894", "source": "dnrti_train"}} {"text": "The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon .", "spans": {"Malware: KerrDown": [[33, 41]], "Organization: we": [[97, 99]]}, "info": {"id": "dnrti_train_002895", "source": "dnrti_train"}} {"text": "While investigating KerrDown we found multiple RAR files containing a variant of the malware .", "spans": {"Malware: KerrDown": [[20, 28]], "Organization: we": [[29, 31]]}, "info": {"id": "dnrti_train_002896", 
"source": "dnrti_train"}} {"text": "Therefore , it is clear that the OceanLotus group works during weekdays and takes a break during the weekends .", "spans": {"Organization: OceanLotus": [[33, 43]]}, "info": {"id": "dnrti_train_002897", "source": "dnrti_train"}} {"text": "The group was first revealed and named by SkyEye Team in May 2015 .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_002898", "source": "dnrti_train"}} {"text": "OceanLotus's targets include China's maritime institutions , maritime construction , scientific research institutes and shipping enterprises .", "spans": {"Organization: OceanLotus's": [[0, 12]], "Organization: maritime institutions": [[37, 58]], "Organization: maritime construction": [[61, 82]], "Organization: scientific research institutes": [[85, 115]], "Organization: shipping enterprises": [[120, 140]]}, "info": {"id": "dnrti_train_002899", "source": "dnrti_train"}} {"text": "RedDrip Team (formerly SkyEye Team) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus .", "spans": {"Organization: OceanLotus": [[48, 58], [330, 340]], "Organization: RedDrip": [[202, 209]]}, "info": {"id": "dnrti_train_002900", "source": "dnrti_train"}} {"text": "COCCOC is a Vietnam was founded in 2013 .", "spans": {"Organization: COCCOC": [[0, 6]]}, "info": {"id": "dnrti_train_002901", "source": "dnrti_train"}} {"text": "In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks .", "spans": {"Organization: OceanLotus": [[61, 71]]}, "info": {"id": "dnrti_train_002902", "source": 
"dnrti_train"}} {"text": "Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file .", "spans": {"Organization: Ratsnif": [[28, 35]]}, "info": {"id": "dnrti_train_002903", "source": "dnrti_train"}} {"text": "these threat actors targeted a number of government agencies Threat actors targeted a number of government agencies in East Asia .", "spans": {"Organization: Threat actors": [[61, 74]]}, "info": {"id": "dnrti_train_002904", "source": "dnrti_train"}} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT .", "spans": {"Organization: Attackers": [[0, 9]], "Vulnerability: CVE-2018-0798": [[54, 67]]}, "info": {"id": "dnrti_train_002905", "source": "dnrti_train"}} {"text": "Maudi Surveillance Operation which was previously reported in 2013 .", "spans": {"Organization: Maudi": [[0, 5]]}, "info": {"id": "dnrti_train_002906", "source": "dnrti_train"}} {"text": "specifically CVE-2018-0798 , before downloading subsequent payloads .", "spans": {"Vulnerability: CVE-2018-0798": [[13, 26]]}, "info": {"id": "dnrti_train_002907", "source": "dnrti_train"}} {"text": "The dropped PE file has the distinctive file name 8.t” .", "spans": {"Malware: PE": [[12, 14]], "Malware: 8.t”": [[50, 54]]}, "info": {"id": "dnrti_train_002908", "source": "dnrti_train"}} {"text": "The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above .", "spans": {"Organization: Cotx RAT": [[64, 72]], "Organization: Symantec": [[101, 109]]}, "info": {"id": "dnrti_train_002909", "source": "dnrti_train"}} {"text": "These conflicts have even resulted in Haftar leading an attack on the capital city in April .", "spans": {"Organization: Haftar": [[38, 44]]}, "info": {"id": "dnrti_train_002910", "source": "dnrti_train"}} {"text": "The attackers have targeted a large number of organizations globally since early 2017 .", "spans": 
{"Organization: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_002911", "source": "dnrti_train"}} {"text": "Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region .", "spans": {"Organization: Attackers": [[0, 9]], "System: phishing attack": [[58, 73]]}, "info": {"id": "dnrti_train_002912", "source": "dnrti_train"}} {"text": "Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities .", "spans": {"Organization: Group's": [[0, 7]], "Organization: parliaments": [[54, 65]], "Organization: senates": [[68, 75]], "Organization: top state offices": [[78, 95]], "Organization: officials": [[100, 109]], "Organization: political science scholars": [[112, 138]], "Organization: intelligence agencies": [[154, 175]], "Organization: election commissions": [[226, 246]], "Organization: Olympic organizations": [[249, 270]], "Organization: trading companies": [[279, 296]], "Organization: unknown entities": [[309, 325]]}, "info": {"id": "dnrti_train_002913", "source": "dnrti_train"}} {"text": "Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected .", "spans": {"Organization: Cisco Talos": [[0, 11]]}, "info": {"id": "dnrti_train_002914", "source": "dnrti_train"}} {"text": "Operation Parliament appears to be another symptom of escalating tensions in the Middle East region .", "spans": {"Organization: Operation Parliament": [[0, 20]]}, "info": {"id": "dnrti_train_002915", "source": "dnrti_train"}} {"text": "The attackers have taken great care to stay under the radar , imitating another attack group in the region .", "spans": {"Organization: attackers": [[4, 13]], "System: 
imitating": [[62, 71]]}, "info": {"id": "dnrti_train_002916", "source": "dnrti_train"}} {"text": "With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East .", "spans": {"Organization: threat actors": [[62, 75]]}, "info": {"id": "dnrti_train_002917", "source": "dnrti_train"}} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_train_002918", "source": "dnrti_train"}} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_train_002919", "source": "dnrti_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"Malware: malware": [[4, 11]], "Malware: CMD/PowerShell": [[40, 54]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_train_002920", "source": "dnrti_train"}} {"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal .", "spans": {}, "info": {"id": "dnrti_train_002921", "source": "dnrti_train"}} {"text": "We refer to this campaign and the associated actor as Operation Kingphish Malik” , in one of its written forms in Arabic , translates to King” .", "spans": {"Organization: Operation Kingphish": [[54, 73]]}, "info": {"id": "dnrti_train_002922", "source": "dnrti_train"}} {"text": "It is worth noting that in 
December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar .", "spans": {"Organization: Voiceless": [[200, 209]]}, "info": {"id": "dnrti_train_002923", "source": "dnrti_train"}} {"text": "It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person .", "spans": {"Organization: attackers": [[20, 29]]}, "info": {"id": "dnrti_train_002924", "source": "dnrti_train"}} {"text": "In the course of this email correspondence , the attacker — Safeena” — then sent what appeared to be invitations to access several documents on Google Drive .", "spans": {"Organization: attacker": [[49, 57]], "System: invitations": [[101, 112]]}, "info": {"id": "dnrti_train_002925", "source": "dnrti_train"}} {"text": "The attackers were meticulous in making their phishing page as credible as possible .", "spans": {"Organization: attackers": [[4, 13]], "System: phishing page": [[46, 59]]}, "info": {"id": "dnrti_train_002926", "source": "dnrti_train"}} {"text": "Among the targets of this campaign is the International Trade Union Confederation (ITUC) .", "spans": {"Organization: Trade Union Confederation": [[56, 81]]}, "info": {"id": "dnrti_train_002927", "source": "dnrti_train"}} {"text": "Both in the attacks against ITUC and in other occasions , Operation Kingphish approached selected targets over social media , prominently Facebook , and engaged in chat conversations with them on and off , sometimes over a period of several months .", "spans": {"Organization: ITUC": [[28, 32]], "Organization: Operation Kingphish": [[58, 77]], "Malware: social media": [[111, 123]], "Malware: prominently 
Facebook": [[126, 146]]}, "info": {"id": "dnrti_train_002928", "source": "dnrti_train"}} {"text": "This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar .", "spans": {"Malware: document": [[14, 22]]}, "info": {"id": "dnrti_train_002929", "source": "dnrti_train"}} {"text": "While there is a clear underlying Qatar migrant workers theme in Operation Sheep , it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar .", "spans": {"Organization: Operation Sheep": [[65, 80]]}, "info": {"id": "dnrti_train_002930", "source": "dnrti_train"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"Organization: ‘Operation Sheep’": [[7, 24]], "Vulnerability: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "dnrti_train_002931", "source": "dnrti_train"}} {"text": "The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store .", "spans": {"Malware: SDK": [[4, 7]], "Malware: SWAnalytics": [[16, 27]], "System: published on": [[87, 99]]}, "info": {"id": "dnrti_train_002932", "source": "dnrti_train"}} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": {"Malware: SWAnalytics": [[34, 45]]}, "info": {"id": "dnrti_train_002933", "source": "dnrti_train"}} {"text": "In theory , Shun Wang Technologies could have collected a third of 
China’s population names and contact numbers if not more .", "spans": {"Organization: Shun Wang": [[12, 21]]}, "info": {"id": "dnrti_train_002934", "source": "dnrti_train"}} {"text": "With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November’s Single’s Day and December’s Asian online shopping fest .", "spans": {"Organization: Shun Wang": [[40, 49]]}, "info": {"id": "dnrti_train_002935", "source": "dnrti_train"}} {"text": "This paper will cover the discovery of this campaign , dubbed ‘Operation Sheep’ , and an analysis of SWAnalytics .", "spans": {"Organization: ‘Operation Sheep’": [[62, 79]], "System: SWAnalytics": [[101, 112]]}, "info": {"id": "dnrti_train_002936", "source": "dnrti_train"}} {"text": "In mid-September , an app named ‘Network Speed Master’ stood out on our radar with its rather unusual behavior patterns .", "spans": {"Organization: ‘Network Speed Master’": [[32, 54]]}, "info": {"id": "dnrti_train_002937", "source": "dnrti_train"}} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": {"Malware: module": [[5, 11]]}, "info": {"id": "dnrti_train_002938", "source": "dnrti_train"}} {"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in .", "spans": {"Malware: SWAnalytics": [[60, 71]]}, "info": {"id": "dnrti_train_002939", "source": "dnrti_train"}} {"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” .", "spans": {"Malware: SWAnalytics": [[24, 35]]}, "info": {"id": "dnrti_train_002940", "source": "dnrti_train"}} {"text": "From our first malicious sample encounter back in mid-September until 
now , we have observed 12 infected applications , the majority of which are in the system utility category .", "spans": {"Malware: malicious sample": [[15, 31]]}, "info": {"id": "dnrti_train_002941", "source": "dnrti_train"}} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": {"Malware: SWAnalytics": [[25, 36]]}, "info": {"id": "dnrti_train_002942", "source": "dnrti_train"}} {"text": "Operation Sheep is the first campaign we have observed in the wild that abuses similar concept since our MitD publication .", "spans": {"Organization: Operation Sheep": [[0, 15]], "System: abuses similar concept": [[72, 94]]}, "info": {"id": "dnrti_train_002943", "source": "dnrti_train"}} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": {"Malware: SWAnalytics": [[50, 61]]}, "info": {"id": "dnrti_train_002944", "source": "dnrti_train"}} {"text": "Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” .", "spans": {"System: Network Speed Master": [[46, 66]], "Malware: SWAnalytics": [[69, 80]]}, "info": {"id": "dnrti_train_002945", "source": "dnrti_train"}} {"text": "In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets .", "spans": {"Malware: SWAnalytics’": [[23, 35]]}, "info": {"id": "dnrti_train_002946", "source": "dnrti_train"}} {"text": "Data points span from September 2018 to January 2019 where we observed over 17 million downloads in just five months .", "spans": {"Organization: we": [[59, 61]]}, "info": {"id": "dnrti_train_002947", "source": "dnrti_train"}} {"text": "In China alone , we have seen underground 
market sheep shavers” ported SMS rogue marketing strategy to spread Alipay Red Packet referral URL links .", "spans": {"Organization: sheep shavers”": [[49, 63]]}, "info": {"id": "dnrti_train_002948", "source": "dnrti_train"}} {"text": "In Operation Sheep’s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement .", "spans": {"Organization: Shun Wang": [[28, 37]]}, "info": {"id": "dnrti_train_002949", "source": "dnrti_train"}} {"text": "According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK .", "spans": {"Malware: Batmobi": [[106, 113]], "Malware: Duapps": [[116, 122]], "Malware: Cheetah SDK": [[141, 152]]}, "info": {"id": "dnrti_train_002950", "source": "dnrti_train"}} {"text": "It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns .", "spans": {"Organization: actor": [[31, 36]], "Malware: Panda Banker": [[51, 63], [204, 216]], "Organization: Arbor": [[128, 133]]}, "info": {"id": "dnrti_train_002951", "source": "dnrti_train"}} {"text": "Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before .", "spans": {"Malware: Panda Banker": [[67, 79]]}, "info": {"id": "dnrti_train_002952", "source": "dnrti_train"}} {"text": "Japan is no stranger to banking malware .", "spans": {"Malware: banking": [[24, 31]], "Malware: malware": [[32, 39]]}, "info": {"id": "dnrti_train_002953", "source": "dnrti_train"}} {"text": "Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware .", "spans": {"Malware: Ursnif": [[76, 82]], "Malware: Urlzone": [[87, 94]]}, "info": {"id": "dnrti_train_002954", "source": "dnrti_train"}} {"text": "This post was our first analysis of the first Panda Banker 
campaign that we’ve seen to target financial institutions in Japan .", "spans": {"Malware: Panda Banker": [[46, 58]]}, "info": {"id": "dnrti_train_002955", "source": "dnrti_train"}} {"text": "Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities , like the military , governments , defense industries , and the media .", "spans": {"Organization: Operation Pawn Storm": [[0, 20]]}, "info": {"id": "dnrti_train_002956", "source": "dnrti_train"}} {"text": "We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems .", "spans": {"Organization: We": [[0, 2]], "Malware: SEDNIT": [[112, 118]]}, "info": {"id": "dnrti_train_002957", "source": "dnrti_train"}} {"text": "We found two malicious iOS applications in Operation Pawn Storm .", "spans": {"Organization: We": [[0, 2]]}, "info": {"id": "dnrti_train_002958", "source": "dnrti_train"}} {"text": "One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B .", "spans": {"Malware: XAgent": [[14, 20]], "Malware: IOS_XAGENT.A": [[33, 45]], "Malware: MadCap": [[105, 111]], "Malware: XAGENT.B": [[129, 137]]}, "info": {"id": "dnrti_train_002959", "source": "dnrti_train"}} {"text": "The obvious goal of the SEDNIT-related spyware is to steal personal data , record audio , make screenshots , and send them to a remote command-and-control (C&C) server .", "spans": {"Organization: SEDNIT-related": [[24, 38]], "Organization: personal data": [[59, 72]]}, "info": {"id": "dnrti_train_002960", "source": "dnrti_train"}} {"text": "Madcap” is similar to the XAgent malware , but the former is focused on recording audio .", "spans": {"Malware: Madcap”": [[0, 7]], "Malware: XAgent": [[26, 32]]}, "info": {"id": "dnrti_train_002961", "source": "dnrti_train"}} {"text": "To learn more about this 
campaign , you may refer to our report , Operation Pawn Storm Using Decoys to Evade Detection .", "spans": {"Organization: Evade Detection": [[103, 118]]}, "info": {"id": "dnrti_train_002962", "source": "dnrti_train"}} {"text": "Additionally , we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle .", "spans": {"Organization: actors": [[119, 125]]}, "info": {"id": "dnrti_train_002963", "source": "dnrti_train"}} {"text": "Talos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique .", "spans": {"Organization: Talos": [[0, 5]]}, "info": {"id": "dnrti_train_002964", "source": "dnrti_train"}} {"text": "This technique was also observed against a government organizations in the Middle East and North African region .", "spans": {}, "info": {"id": "dnrti_train_002965", "source": "dnrti_train"}} {"text": "Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node .", "spans": {"Organization: Cisco": [[0, 5]], "Malware: control (C2)": [[135, 147]]}, "info": {"id": "dnrti_train_002966", "source": "dnrti_train"}} {"text": "Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24 , five days after the statement was publicly released .", "spans": {"Organization: actors": [[33, 39]]}, "info": {"id": "dnrti_train_002967", "source": "dnrti_train"}} {"text": "This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ .", "spans": {"Malware: ‘Tokyo’": [[64, 71]], "Malware: ‘Yokohama’": [[76, 86]]}, "info": {"id": "dnrti_train_002968", "source": "dnrti_train"}} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": {"Malware: TajMahal": [[37, 45]]}, "info": {"id": 
"dnrti_train_002969", "source": "dnrti_train"}} {"text": "The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 .", "spans": {"Malware: TajMahal": [[30, 38]]}, "info": {"id": "dnrti_train_002970", "source": "dnrti_train"}} {"text": "More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) .", "spans": {"Malware: TajMahal": [[19, 27]], "Organization: Kaspersky": [[62, 71]]}, "info": {"id": "dnrti_train_002971", "source": "dnrti_train"}} {"text": "The dropper first appeared in mid-July , suggesting that this APT activity is potentially ongoing , with Turla actively targeting G20 participants and/or those with interest in the G20 , including member nations , journalists , and policymakers .", "spans": {"Organization: Turla": [[105, 110]]}, "info": {"id": "dnrti_train_002972", "source": "dnrti_train"}} {"text": "Turla is a well-documented , long operating APT group that is widely believed to be a Russian state-sponsored organization .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_002973", "source": "dnrti_train"}} {"text": "Turla is perhaps most notoriously suspected as responsible for the breach of the United States Central Command in 2008 .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_002974", "source": "dnrti_train"}} {"text": "More recently Turla was accused of breaching RUAG , a Swiss technology company , in a public report published by GovCERT.ch .", "spans": {"Organization: Turla": [[14, 19]], "Organization: RUAG": [[45, 49]], "Organization: GovCERT.ch": [[113, 123]]}, "info": {"id": "dnrti_train_002975", "source": "dnrti_train"}} {"text": "The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository .", "spans": {"Malware: MSIL dropper": [[71, 83]], "Organization: Proofpoint": [[110, 
120]]}, "info": {"id": "dnrti_train_002976", "source": "dnrti_train"}} {"text": "Assuming this variant of KopiLuwak has been observed in the wild , there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole .", "spans": {"Organization: Turla’s": [[139, 146]], "System: spear phishing": [[179, 193]], "System: watering hole": [[203, 216]]}, "info": {"id": "dnrti_train_002977", "source": "dnrti_train"}} {"text": "This could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"Organization: diplomats": [[19, 28]], "Organization: journalists": [[125, 136]]}, "info": {"id": "dnrti_train_002978", "source": "dnrti_train"}} {"text": "Turla's goal could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"Organization: Turla's": [[0, 7]]}, "info": {"id": "dnrti_train_002979", "source": "dnrti_train"}} {"text": "The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper .", "spans": {"Malware: KopiLuwak": [[70, 79]], "Malware: MSIL dropper": [[147, 159]]}, "info": {"id": "dnrti_train_002980", "source": "dnrti_train"}} {"text": "The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper .", "spans": {"Malware: MSIL dropper": [[48, 60]], "Malware: Javascript (JS) dropper": [[115, 138]]}, "info": {"id": "dnrti_train_002981", "source": "dnrti_train"}} {"text": "As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only .", "spans": {"Malware: JS dropper": [[43, 53]], "Malware: JS decryptor": [[76, 
88]], "Malware: KopiLuwak": [[168, 177]]}, "info": {"id": "dnrti_train_002982", "source": "dnrti_train"}} {"text": "As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload .", "spans": {"Organization: Proofpoint": [[3, 13]], "Malware: MSIL payload": [[145, 157]]}, "info": {"id": "dnrti_train_002983", "source": "dnrti_train"}} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": {"Malware: KopiLuwak": [[21, 30]]}, "info": {"id": "dnrti_train_002984", "source": "dnrti_train"}} {"text": "Despite the added capabilities , we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla’s more fully featured implants .", "spans": {"Organization: Kaspersky": [[53, 62]], "Organization: Turla’s": [[194, 201]]}, "info": {"id": "dnrti_train_002985", "source": "dnrti_train"}} {"text": "Turla is a complex cyberattack platform focused predominantly on diplomatic and government-related targets , particularly in the Middle East , Central and Far East Asia , Europe , North and South America and former Soviet bloc nations .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_002986", "source": "dnrti_train"}} {"text": "We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves .", "spans": {"Malware: .NET malware": [[51, 63]], "Malware: Topinambour": [[84, 95]]}, "info": {"id": "dnrti_train_002987", "source": "dnrti_train"}} {"text": "The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan .", "spans": {"Malware: .NET module": [[16, 27]], "Malware: KopiLuwak JavaScript": [[52, 72]]}, "info": {"id": "dnrti_train_002988", "source": "dnrti_train"}} {"text": "Moreover , Turla 
now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak .", "spans": {"Organization: Turla": [[11, 16]], "System: PowerShell Trojan": [[51, 68]]}, "info": {"id": "dnrti_train_002989", "source": "dnrti_train"}} {"text": "RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and MiamiBeach” serve as the first beacon messages from the victim to the control server .", "spans": {"Malware: RocketMan!”": [[0, 11]], "Malware: MiamiBeach”": [[82, 93]]}, "info": {"id": "dnrti_train_002990", "source": "dnrti_train"}} {"text": "These could be tools to circumvent internet censorship , such as Softether VPN 4.12” and psiphon3” , or Microsoft Office activators” .", "spans": {"Malware: Softether VPN 4.12”": [[65, 84]], "Malware: psiphon3”": [[89, 98]], "Malware: Microsoft Office activators”": [[104, 132]]}, "info": {"id": "dnrti_train_002991", "source": "dnrti_train"}} {"text": "These campaign-related VPSs are located in South Africa .", "spans": {"Organization: VPSs": [[23, 27]]}, "info": {"id": "dnrti_train_002992", "source": "dnrti_train"}} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"Malware: Trojan": [[33, 39]]}, "info": {"id": "dnrti_train_002993", "source": "dnrti_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"Malware: PowerShell": [[4, 14]]}, "info": {"id": "dnrti_train_002994", "source": "dnrti_train"}} {"text": "The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen” command to take a screenshot .", "spans": {"Malware: Trojan": [[4, 10]], "Malware: .NET RocketMan Trojan": [[35, 56]]}, "info": {"id": "dnrti_train_002995", "source": "dnrti_train"}} {"text": "The usage of KopiLuwak , a well-known and exclusive artefact previously used by the Turla group , makes us attribute this 
campaign to this actor with high confidence .", "spans": {"Malware: KopiLuwak": [[13, 22]], "Organization: Turla": [[84, 89]]}, "info": {"id": "dnrti_train_002996", "source": "dnrti_train"}} {"text": "Winnti's mode of operation: to collect information on the organizational charts of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously .", "spans": {"Organization: Winnti's": [[0, 8]]}, "info": {"id": "dnrti_train_002997", "source": "dnrti_train"}} {"text": "Hackers usually take precautions , which experts refer to as Opsec .", "spans": {"Organization: Hackers": [[0, 7]], "System: Opsec": [[61, 66]]}, "info": {"id": "dnrti_train_002998", "source": "dnrti_train"}} {"text": "The Winnti group’s Opsec was dismal to say the least .", "spans": {"Organization: Winnti": [[4, 10]], "System: Opsec": [[19, 24]]}, "info": {"id": "dnrti_train_002999", "source": "dnrti_train"}} {"text": "This mode of operation is typical of many hacker groups—and especially of Winnti .", "spans": {"Organization: hacker": [[42, 48]], "Organization: Winnti": [[74, 80]]}, "info": {"id": "dnrti_train_003000", "source": "dnrti_train"}} {"text": "They are a very , very persistent group , ” says Costin Raiu , who has been watching Winnti since 2011 .", "spans": {"Organization: Costin Raiu": [[49, 60]], "Organization: Winnti": [[85, 91]]}, "info": {"id": "dnrti_train_003001", "source": "dnrti_train"}} {"text": "Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers .", "spans": {"Organization: Raiu": [[0, 4]], "Organization: Winnti": [[78, 84]]}, "info": {"id": "dnrti_train_003002", "source": "dnrti_train"}} {"text": "One government official puts it very matter-of-factly: Winnti is very specific to Germany .", "spans": {"Organization: Winnti": [[55, 61]]}, "info": {"id": "dnrti_train_003003", "source": "dnrti_train"}} {"text": "By 2014 , the Winnti malware code was no longer limited to game 
manufacturers .", "spans": {"Organization: Winnti": [[14, 20]]}, "info": {"id": "dnrti_train_003004", "source": "dnrti_train"}} {"text": "Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies .", "spans": {"Organization: Winnti": [[0, 6]], "Organization: high-tech companies": [[20, 39]], "Organization: pharmaceutical companies": [[64, 88]]}, "info": {"id": "dnrti_train_003005", "source": "dnrti_train"}} {"text": "Winnti is attacking companies in Japan , France , the U.S. and Germany .", "spans": {"Organization: Winnti": [[0, 6]]}, "info": {"id": "dnrti_train_003006", "source": "dnrti_train"}} {"text": "The Winnti hackers broke into Henkel’s network in 2014 .", "spans": {"Organization: Winnti": [[4, 10]], "Organization: Henkel’s": [[30, 38]]}, "info": {"id": "dnrti_train_003007", "source": "dnrti_train"}} {"text": "Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions .", "spans": {"Organization: Henkel": [[0, 6]], "Organization: Winnti": [[20, 26]]}, "info": {"id": "dnrti_train_003008", "source": "dnrti_train"}} {"text": "Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach .", "spans": {"Organization: Henkel": [[19, 25]], "Organization: Winnti": [[64, 70]]}, "info": {"id": "dnrti_train_003009", "source": "dnrti_train"}} {"text": "The hackers behind Winnti have also set their sights on Japan’s biggest chemical company , Shin-Etsu Chemical .", "spans": {"Organization: hackers": [[4, 11]], "Organization: Shin-Etsu Chemical": [[91, 109]]}, "info": {"id": "dnrti_train_003010", "source": "dnrti_train"}} {"text": "In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 .", "spans": {"Organization: Sumitomo Electric": [[42, 59]], "Organization: Winnti": [[62, 68]]}, "info": {"id": 
"dnrti_train_003011", "source": "dnrti_train"}} {"text": "Winnti hackers also penetrated the BASF and Siemens networks .", "spans": {"Organization: Winnti": [[0, 6]], "Organization: BASF": [[35, 39]], "Organization: Siemens": [[44, 51]], "Organization: networks": [[52, 60]]}, "info": {"id": "dnrti_train_003012", "source": "dnrti_train"}} {"text": "Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti .", "spans": {"Organization: Bayer pharmaceutical": [[63, 83]], "Organization: Winnti": [[109, 115]]}, "info": {"id": "dnrti_train_003013", "source": "dnrti_train"}} {"text": "At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters .", "spans": {"Organization: Winnti": [[19, 25]]}, "info": {"id": "dnrti_train_003014", "source": "dnrti_train"}} {"text": "To witnesses , the spy appears to be running a program showing videos (e.g VLC) , presenting slides (Prezi) , playing a computer game (Breakout2 , 2048) or even running a fake virus scanner .", "spans": {"Organization: spy": [[19, 22]], "Malware: presenting slides": [[82, 99]], "Malware: fake virus scanner": [[171, 189]]}, "info": {"id": "dnrti_train_003015", "source": "dnrti_train"}} {"text": "From the time of file creation , the attacker started working at least as early as July 2018 .", "spans": {"Organization: attacker": [[37, 45]]}, "info": {"id": "dnrti_train_003016", "source": "dnrti_train"}} {"text": "The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky’s report in the reference section , which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features .", "spans": {"Organization: Kaspersky’s": [[90, 101]], "Organization: APT-C-09": [[160, 168]]}, "info": {"id": "dnrti_train_003017", "source": "dnrti_train"}} {"text": "For example , Donot and 
Bitter disguised as Kashmiri Voice to attack Pakistan , Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir .", "spans": {"Organization: Donot": [[14, 19]], "Organization: Bitter": [[24, 30]]}, "info": {"id": "dnrti_train_003018", "source": "dnrti_train"}} {"text": "Considering APT-C-09 , Bitter and Donot have carried out targeted attacks against China , we must take actions in advance and keep a close eye on their recent activities .", "spans": {"Organization: APT-C-09": [[12, 20]], "Organization: Bitter": [[23, 29]], "Organization: Donot": [[34, 39]]}, "info": {"id": "dnrti_train_003019", "source": "dnrti_train"}} {"text": "APT41 espionage operations against the healthcare , high-tech , and telecommunications sectors include establishing and maintaining strategic access , and through mid-2015 , the theft of intellectual property .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003020", "source": "dnrti_train"}} {"text": "FireEye Threat Intelligence assesses with high confidence that APT41 carries out an array of financially motivated intrusions , particularly against the video game industry , including stealing source code and digital certificates , virtual currency manipulation , and attempting to deploy ransomware .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT41": [[63, 68]]}, "info": {"id": "dnrti_train_003021", "source": "dnrti_train"}} {"text": "APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003022", "source": "dnrti_train"}} {"text": "APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions .", "spans": 
{"Organization: APT41": [[0, 5]], "System: leverages non-public malware": [[60, 88]]}, "info": {"id": "dnrti_train_003023", "source": "dnrti_train"}} {"text": "Based on early observed activity , consistent behavior , and APT41's unusual focus on the video game industry , we believe the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests .", "spans": {"Organization: APT41's": [[61, 68]]}, "info": {"id": "dnrti_train_003024", "source": "dnrti_train"}} {"text": "APT41 campaigns include most of the incidents previously attributed in FireEye Threat Intelligence reporting to GREF Team and a number of additional clusters that were previously unnamed .", "spans": {"Organization: APT41": [[0, 5]], "Organization: FireEye": [[71, 78]]}, "info": {"id": "dnrti_train_003025", "source": "dnrti_train"}} {"text": "Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity .", "spans": {"Organization: APT41": [[56, 61]]}, "info": {"id": "dnrti_train_003026", "source": "dnrti_train"}} {"text": "Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates .", "spans": {"Organization: APT41": [[62, 67]]}, "info": {"id": "dnrti_train_003027", "source": "dnrti_train"}} {"text": "APT41 has targeted organizations in 14 countries (and Hong Kong) over seven years , including: France , India , Italy , Japan , Myanmar , the Netherlands , Singapore , South Korea , South Africa , Switzerland , Thailand , Turkey , the United Kingdom , and the United States (Figure 1) .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003028", "source": "dnrti_train"}} {"text": "APT41 espionage operations against entities in these 
countries follow targeting of verticals consistent with Chinese national policy priorities .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003029", "source": "dnrti_train"}} {"text": "We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft .", "spans": {"Organization: APT41": [[57, 62]]}, "info": {"id": "dnrti_train_003030", "source": "dnrti_train"}} {"text": "In 2014 , APT41 was observed carrying out espionage campaigns concurrently with financially motivated intrusions , demonstrating that they could balance different objectives simultaneously .", "spans": {"Organization: APT41": [[10, 15]]}, "info": {"id": "dnrti_train_003031", "source": "dnrti_train"}} {"text": "Since 2017 , APT41's activities have included a series of supply chain compromises .", "spans": {"Organization: APT41's": [[13, 20]]}, "info": {"id": "dnrti_train_003032", "source": "dnrti_train"}} {"text": "The group also targeted companies involved in producing motherboards , processors , and server solutions for enterprises .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_003033", "source": "dnrti_train"}} {"text": "Since 2013 , APT41 has targeted organizations involved in the research , development , and sale of computer components used for machine-learning , autonomous vehicles , medical imaging , and the consumer market .", "spans": {"Organization: APT41": [[13, 18]]}, "info": {"id": "dnrti_train_003034", "source": "dnrti_train"}} {"text": "In a 2014 compromise , APT41 targeted a European conglomerate and specifically focused on systems physically located in China .", "spans": {"Organization: APT41": [[23, 28]]}, "info": {"id": "dnrti_train_003035", "source": "dnrti_train"}} {"text": "In spring 2015 , APT41 targeted information related to two entities undergoing a merger announced the previous year .", "spans": 
{"Organization: APT41": [[17, 22]]}, "info": {"id": "dnrti_train_003036", "source": "dnrti_train"}} {"text": "Since 2017 , APT41 has consistently targeted telecommunications companies , possibly a crucial first step to establish a foothold in targeting a particular region .", "spans": {"Organization: APT41": [[13, 18]]}, "info": {"id": "dnrti_train_003037", "source": "dnrti_train"}} {"text": "Targeted telecom companies spanned several countries , and recently identified intrusions were concentrated in countries where we had not identified any prior APT41 activity .", "spans": {"Organization: telecom companies": [[9, 26]], "Organization: APT41": [[159, 164]]}, "info": {"id": "dnrti_train_003038", "source": "dnrti_train"}} {"text": "In July and August 2016 , APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content .", "spans": {"Organization: APT41": [[26, 31]], "System: spear-phishing": [[37, 51]]}, "info": {"id": "dnrti_train_003039", "source": "dnrti_train"}} {"text": "This was the first instance we have observed of APT41 targeting pro-democracy groups in Hong Kong .", "spans": {"Organization: APT41": [[48, 53]]}, "info": {"id": "dnrti_train_003040", "source": "dnrti_train"}} {"text": "APT41 frequently leverages timely news stories as the lure content in their spear-phishing emails , although social engineering content does not always correlate with targeted users or organizations .", "spans": {"Organization: APT41": [[0, 5]], "System: spear-phishing emails": [[76, 97]]}, "info": {"id": "dnrti_train_003041", "source": "dnrti_train"}} {"text": "In 2015 , APT41 targeted a Japanese media organization with a lure document (Figure 3) titled 中東呼吸器症候 群(MERS)の予防 , ” which translates to Prevention of Middle East Respiratory Syndrome (MERS) .", "spans": {"Organization: APT41": [[10, 15]]}, "info": {"id": "dnrti_train_003042", "source": "dnrti_train"}} {"text": "APT41 activity aimed at medical device companies and 
pharmaceuticals is demonstrative of the group's capacity to collect sensitive and highly valuable intellectual property (IP) , although we have not observed evidence of IP theft since late 2015 .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003043", "source": "dnrti_train"}} {"text": "Unlike other observed Chinese espionage operators , APT41 conducts explicit financially motivated activity , which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests .", "spans": {"Organization: APT41": [[52, 57]]}, "info": {"id": "dnrti_train_003044", "source": "dnrti_train"}} {"text": "Although APT41 initially targeted the parent company , 30 percent of the victimized hosts were related to a subsidiary specialized in manufacturing medical devices .", "spans": {"Organization: APT41": [[9, 14]]}, "info": {"id": "dnrti_train_003045", "source": "dnrti_train"}} {"text": "In 2018 , we observed APT41 target a third healthcare company , although their goals during this compromise were unclear .", "spans": {"Organization: APT41": [[22, 27]]}, "info": {"id": "dnrti_train_003046", "source": "dnrti_train"}} {"text": "In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites .", "spans": {"Organization: APT41": [[15, 20]], "System: spear-phishing": [[26, 40]]}, "info": {"id": "dnrti_train_003047", "source": "dnrti_train"}} {"text": "This provides another connection between the targeting of the cryptocurrency organizations and video game targeting .", "spans": {}, "info": {"id": "dnrti_train_003048", "source": "dnrti_train"}} {"text": "In October 2018 , the group compiled an instance of XMRig , a Monero cryptocurrency mining tool , demonstrating a continued interest in cryptocurrency .", "spans": {"Organization: group": [[22, 
27]], "Malware: XMRig": [[52, 57]]}, "info": {"id": "dnrti_train_003049", "source": "dnrti_train"}} {"text": "APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia , although global companies based in the United States have also been targeted .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003050", "source": "dnrti_train"}} {"text": "APT41 continuously returns to targeting the video game sector and seems to have matured its campaigns through lessons learned in operations against the industry .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003051", "source": "dnrti_train"}} {"text": "We believe these operations include broadly malicious activity that can enable further operations , such as targeting game source code and compromising digital certificates , while other activities are explicitly financially motivated , such as abusing in-game currency mechanics .", "spans": {"Malware: game source code": [[118, 134]], "Malware: digital certificates": [[152, 172]]}, "info": {"id": "dnrti_train_003052", "source": "dnrti_train"}} {"text": "In October 2012 , APT41 used captured credentials to compromise a jump server and access a production environment where they deployed a Linux version of PHOTO .", "spans": {"Organization: APT41": [[18, 23]]}, "info": {"id": "dnrti_train_003053", "source": "dnrti_train"}} {"text": "Since at least 2012 , APT41 has repeatedly gained access to game development environments within affected companies , including online multiplayer networks , as well as targeting of production database administrators .", "spans": {"Organization: APT41": [[22, 27]], "Organization: administrators": [[202, 216]]}, "info": {"id": "dnrti_train_003054", "source": "dnrti_train"}} {"text": "APT41 has been observed inserting malicious code into legitimate video game files to distribute malware .", "spans": {"Organization: APT41": [[0, 5]], 
"System: inserting malicious code": [[24, 48]]}, "info": {"id": "dnrti_train_003055", "source": "dnrti_train"}} {"text": "In 2018 , the group inserted CRACKSHOT malware into game files that were signed with legitimate codesigning certificates , most likely indicating access to the production environment , which facilitated a supply chain compromise .", "spans": {"Organization: group": [[14, 19]]}, "info": {"id": "dnrti_train_003056", "source": "dnrti_train"}} {"text": "We have also observed APT41 limitedly deploy rootkits on Linux systems and Master Boot Record (MBR) bootkits , such as ROCKBOOT , on Windows systems to hide their malware and maintain persistence on victim systems .", "spans": {"Organization: APT41": [[22, 27]], "System: rootkits": [[45, 53]], "Malware: ROCKBOOT": [[119, 127]]}, "info": {"id": "dnrti_train_003057", "source": "dnrti_train"}} {"text": "Selective deployment of ROCKBOOT suggests that APT41 reserves more advanced TTPs and malware only for high-value targets .", "spans": {"Organization: ROCKBOOT": [[24, 32]], "Organization: APT41": [[47, 52]]}, "info": {"id": "dnrti_train_003058", "source": "dnrti_train"}} {"text": "APT41 has blatantly engaged in financially motivated activity targeting the video game industry , including manipulating virtual currencies .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003059", "source": "dnrti_train"}} {"text": "In a highly unusual case , APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware .", "spans": {"Organization: APT41": [[27, 32]], "System: deploying": [[71, 80]]}, "info": {"id": "dnrti_train_003060", "source": "dnrti_train"}} {"text": "APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003061", "source": "dnrti_train"}} {"text": "We suggest that APT41 sought to target in-game currency but found they could not 
monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise .", "spans": {"Organization: APT41": [[16, 21]], "System: resorted to ransomware": [[132, 154]]}, "info": {"id": "dnrti_train_003062", "source": "dnrti_train"}} {"text": "APT41 has also used credentials compromised in previous operations .", "spans": {"Organization: APT41": [[0, 5]], "System: used credentials compromised": [[15, 43]]}, "info": {"id": "dnrti_train_003063", "source": "dnrti_train"}} {"text": "In 2014 , APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service .", "spans": {"Organization: APT41": [[10, 15]], "Organization: service provider": [[101, 117]], "Organization: payment": [[135, 142]], "Organization: service": [[143, 150]]}, "info": {"id": "dnrti_train_003064", "source": "dnrti_train"}} {"text": "Although we do not have first-hand evidence of APT41's compromise of TeamViewer , we have observed APT41 use compromised TeamViewer credentials as an entry point at multiple organizations .", "spans": {"Malware: TeamViewer": [[69, 79]], "Organization: APT41": [[99, 104]]}, "info": {"id": "dnrti_train_003065", "source": "dnrti_train"}} {"text": "Public reports of supply chain compromises linked to APT41 date back to at least 2014 , and technical evidence associated with these incidents was used to determine a relationship , if any , with APT41 .", "spans": {"Organization: APT41": [[53, 58], [196, 201]]}, "info": {"id": "dnrti_train_003066", "source": "dnrti_train"}} {"text": "As demonstrated in operations targeting the video game industry , APT41 leverages a variety of TTPs to access production environments where they can inject malicious code into legitimate files .", "spans": {"Organization: APT41": [[66, 71]], "Malware: variety of TTPs": [[84, 99]], "System: inject": [[149, 155]]}, "info": {"id": "dnrti_train_003067", "source": 
"dnrti_train"}} {"text": "In March 2017 , suspected Chinese espionage operators targeted CCleaner , a utility that assists in the removal of unwanted files from a computer .", "spans": {"Organization: Chinese espionage operators": [[26, 53]]}, "info": {"id": "dnrti_train_003068", "source": "dnrti_train"}} {"text": "In July 2017 , APT41 injected malicious code into a software update package maintained by Netsarang and signed it with a legitimate Netsarang certificate in an operation referred to as ShadowPad by Kaspersky .", "spans": {"Organization: APT41": [[15, 20]], "System: injected malicious code": [[21, 44]], "Organization: Kaspersky": [[198, 207]]}, "info": {"id": "dnrti_train_003069", "source": "dnrti_train"}} {"text": "Both APT41 and the actors in the CCleaner incident used TeamViewer during initial compromise .", "spans": {"Organization: APT41": [[5, 10]], "Malware: TeamViewer": [[56, 66]]}, "info": {"id": "dnrti_train_003070", "source": "dnrti_train"}} {"text": "Supply chain compromises are most likely an extension of APT41's tactics used in gaining access to gaming development environments and to other gaming organizations via third-party service providers .", "spans": {"System: Supply chain compromises": [[0, 24]], "Organization: APT41's": [[57, 64]]}, "info": {"id": "dnrti_train_003071", "source": "dnrti_train"}} {"text": "Beginning in July 2018 , APT41 appeared to have directly targeted several East and Southeast Asia-based video game developers and distributors to inject legitimate executables with the CRACKSHOT backdoor .", "spans": {"Organization: APT41": [[25, 30]]}, "info": {"id": "dnrti_train_003072", "source": "dnrti_train"}} {"text": "The lure used to target the cryptocurrency exchange (displayed in Figure 5 and translated in Figure 6) referenced an online gaming platform , tying the cryptocurrency targeting to APT41's focus on video game-related targeting .", "spans": {"Organization: APT41's": [[180, 187]]}, "info": {"id": 
"dnrti_train_003073", "source": "dnrti_train"}} {"text": "FireEye malware analysis identified source code overlaps between malware used by APT41 in May 2016 targeting of a U.S.-based game development studio and the malware observed in supply chain compromises in 2017 and 2018 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT41": [[81, 86]]}, "info": {"id": "dnrti_train_003074", "source": "dnrti_train"}} {"text": "In May 2016 , APT41 deployed a POISONPLUG sample at a U.S.-based game development studio .", "spans": {"Organization: APT41": [[14, 19]]}, "info": {"id": "dnrti_train_003075", "source": "dnrti_train"}} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own .", "spans": {"Organization: APT41": [[41, 46]], "System: injected malicious code": [[47, 70]]}, "info": {"id": "dnrti_train_003076", "source": "dnrti_train"}} {"text": "Either APT41 is operating outside of state control but still working with other Chinese APT malware actors , tools , and infrastructure on a parttime or contractual basis , or APT41 is a full-time .", "spans": {"Organization: APT41": [[7, 12], [176, 181]]}, "info": {"id": "dnrti_train_003077", "source": "dnrti_train"}} {"text": "APT41 uses many of the same tools and compromised digital certificates that have been leveraged by other Chinese espionage operators .", "spans": {"Organization: APT41": [[0, 5]], "Malware: digital certificates": [[50, 70]]}, "info": {"id": "dnrti_train_003078", "source": "dnrti_train"}} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": {"Malware: HIGHNOON": [[22, 30]], "Organization: Winnti": [[69, 75]]}, "info": {"id": 
"dnrti_train_003079", "source": "dnrti_train"}} {"text": "APT41 has used several malware families that have also been used by other Chinese espionage operators , including variants of HIGHNOON , HOMEUNIX , PHOTO , SOGU , and ZXSHELL , among others .", "spans": {"Organization: APT41": [[0, 5]], "Malware: HIGHNOON": [[126, 134]], "Malware: HOMEUNIX": [[137, 145]], "Malware: PHOTO": [[148, 153]], "Malware: SOGU": [[156, 160]], "Malware: ZXSHELL": [[167, 174]]}, "info": {"id": "dnrti_train_003080", "source": "dnrti_train"}} {"text": "HIGHNOON , one of the main code families observed being used by APT41 , was also used by APT17 in 2015 to target semiconductor and chemical manufacturers .", "spans": {"Malware: HIGHNOON": [[0, 8]], "Organization: APT41": [[64, 69]], "Organization: APT17": [[89, 94]]}, "info": {"id": "dnrti_train_003081", "source": "dnrti_train"}} {"text": "HOMEUNIX , another popular backdoor used by APT41 , has been used by at least 14 separate Chinese espionage groups , including APT1 , APT10 , APT17 , APT18 , and APT20 .", "spans": {"Malware: HOMEUNIX": [[0, 8]], "Malware: backdoor": [[27, 35]], "Organization: APT41": [[44, 49]], "Organization: groups": [[108, 114]], "Organization: APT1": [[127, 131]], "Organization: APT10": [[134, 139]], "Organization: APT17": [[142, 147]], "Organization: APT18": [[150, 155]], "Organization: APT20": [[162, 167]]}, "info": {"id": "dnrti_train_003082", "source": "dnrti_train"}} {"text": "APT41 has used CROSSWALK.BIN , a kernel driver , to circumvent firewalls and covertly send data .", "spans": {"Organization: APT41": [[0, 5]], "Malware: CROSSWALK.BIN": [[15, 28]]}, "info": {"id": "dnrti_train_003083", "source": "dnrti_train"}} {"text": "Another Chinese espionage group used a similar tool , CLASSFON , to covertly proxy network communications in 2011 .", "spans": {"Organization: espionage group": [[16, 31]], "Malware: CLASSFON": [[54, 62]]}, "info": {"id": "dnrti_train_003084", "source": "dnrti_train"}} {"text": "At least 
two of these malware families , HIGHNOON.CLI and GEARSHIFT , have been used by APT17 and another suspected Chinese espionage group .", "spans": {"Malware: HIGHNOON.CLI": [[41, 53]], "Malware: GEARSHIFT": [[58, 67]], "Organization: APT17": [[88, 93]], "Organization: group": [[134, 139]]}, "info": {"id": "dnrti_train_003085", "source": "dnrti_train"}} {"text": "APT41 regularly leverages code-signing certificates to sign malware when targeting both gaming and nongaming organizations .", "spans": {"Organization: APT41": [[0, 5]], "Malware: code-signing certificates": [[26, 51]]}, "info": {"id": "dnrti_train_003086", "source": "dnrti_train"}} {"text": "In July 2017 , APT41 initiated a TeamViewer session and transferred files that were later deleted .", "spans": {"Organization: APT41": [[15, 20]]}, "info": {"id": "dnrti_train_003087", "source": "dnrti_train"}} {"text": "In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer .", "spans": {"Organization: APT41": [[21, 26], [146, 151]], "Malware: TeamViewer": [[37, 47]]}, "info": {"id": "dnrti_train_003088", "source": "dnrti_train"}} {"text": "In May 2018 , APT41 used TeamViewer for initial entry in the compromise of a healthcare company .", "spans": {"Organization: APT41": [[14, 19]], "Malware: TeamViewer": [[25, 35]]}, "info": {"id": "dnrti_train_003089", "source": "dnrti_train"}} {"text": "Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence .", "spans": {"Organization: APT41": [[10, 15]], "System: using proof-of-concept": [[29, 51]], "Vulnerability: exploit": [[52, 59]], "Vulnerability: CVE-2019-3396": [[69, 82]]}, "info": {"id": "dnrti_train_003090", "source": "dnrti_train"}} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases .", "spans": {"Organization: 
APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003091", "source": "dnrti_train"}} {"text": "We observed APT41 using a compromised account to create a scheduled task on a system , write a binary component of HIGHNOON containing the payload and C&C information to disk , and then modify the legitimate Windows WMI Performance Adaptor (wmiApSrv) to execute the HIGHNOON payload .", "spans": {"Organization: APT41": [[12, 17]], "System: write": [[87, 92]], "System: execute": [[254, 261]]}, "info": {"id": "dnrti_train_003092", "source": "dnrti_train"}} {"text": "The group will also use a compromised account to create scheduled tasks on systems or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors .", "spans": {"Organization: group": [[4, 9]], "Malware: HIGHNOON": [[136, 144]], "Malware: SOGU": [[149, 153]]}, "info": {"id": "dnrti_train_003093", "source": "dnrti_train"}} {"text": "APT41 uses multiple methods to perform lateral movement in an environment , including RDP sessions , using stolen credentials , adding accounts to User and Admin groups , and password brute-forcing utilities .", "spans": {"Organization: APT41": [[0, 5]], "System: RDP sessions": [[86, 98]], "System: using stolen credentials": [[101, 125]], "System: adding accounts": [[128, 143]], "System: password brute-forcing utilities": [[175, 207]]}, "info": {"id": "dnrti_train_003094", "source": "dnrti_train"}} {"text": "To maintain presence , APT41 relies on backdoors , a Sticky Keys vulnerability , scheduled tasks , bootkits , rootkits , registry modifications , and creating or modifying startup files .", "spans": {"Organization: APT41": [[23, 28]], "Malware: Sticky Keys": [[53, 64]], "Malware: scheduled tasks": [[81, 96]], "Malware: bootkits": [[99, 107]], "Malware: rootkits": [[110, 118]], "Malware: registry modifications": [[121, 143]]}, "info": {"id": "dnrti_train_003095", "source": "dnrti_train"}} {"text": "APT41 leveraged ROCKBOOT as a persistence mechanism for PHOTO and TERA 
backdoors .", "spans": {"Organization: APT41": [[0, 5]], "Malware: ROCKBOOT": [[16, 24]]}, "info": {"id": "dnrti_train_003096", "source": "dnrti_train"}} {"text": "APT41 has also been observed modifying firewall rules to enable file and printer sharing to allow for inbound Server Message Block (SMB) traffic .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003097", "source": "dnrti_train"}} {"text": "In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment .", "spans": {"Organization: APT41": [[20, 25]], "Malware: POISONPLUG": [[36, 46]], "Malware: HIGHNOON": [[87, 95]]}, "info": {"id": "dnrti_train_003098", "source": "dnrti_train"}} {"text": "The group also deploys the SOGU and CROSSWALK malware families as means to maintain presence .", "spans": {"Organization: group": [[4, 9]], "System: deploys": [[15, 22]]}, "info": {"id": "dnrti_train_003099", "source": "dnrti_train"}} {"text": "APT41 sent spear-phishing emails to multiple HR employees three days after the compromise had been remediated and systems were brought back online .", "spans": {"Organization: APT41": [[0, 5]], "System: spear-phishing": [[11, 25]]}, "info": {"id": "dnrti_train_003100", "source": "dnrti_train"}} {"text": "APT41 also deploys the SOGU and CROSSWALK malware families as means to maintain presence .", "spans": {"Organization: APT41": [[0, 5]], "Malware: SOGU": [[23, 27]], "Malware: CROSSWALK": [[32, 41]]}, "info": {"id": "dnrti_train_003101", "source": "dnrti_train"}} {"text": "Within hours of a user opening the malicious attachment dropping a HOMEUNIX backdoor , APT41 regained a foothold within the environment by installing PHOTO on the organization's servers across multiple geographic regions .", "spans": {"Malware: HOMEUNIX backdoor": [[67, 84]], "Organization: APT41": [[87, 92]], "Malware: PHOTO": [[150, 155]]}, "info": {"id": "dnrti_train_003102", "source": "dnrti_train"}} {"text": 
"Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1.1.1.1 .", "spans": {"Organization: APT41": [[120, 125]], "System: accessing": [[187, 196]]}, "info": {"id": "dnrti_train_003103", "source": "dnrti_train"}} {"text": "APT41 has been observed creating a RAR archive of targeted files for exfiltration .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003104", "source": "dnrti_train"}} {"text": "APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain .", "spans": {"Organization: APT41": [[0, 5]], "System: leverages": [[60, 69]]}, "info": {"id": "dnrti_train_003105", "source": "dnrti_train"}} {"text": "During multiple engagements , APT41 attempted to remove evidence of some of its activity by deleting Bash histories , clearing Windows security and system events , and modifying DNS management to avoid anti-virus detections .", "spans": {"Organization: APT41": [[30, 35]], "System: deleting Bash histories": [[92, 115]], "System: clearing Windows security": [[118, 143]], "System: modifying DNS management": [[168, 192]], "System: avoid anti-virus detections": [[196, 223]]}, "info": {"id": "dnrti_train_003106", "source": "dnrti_train"}} {"text": "Explicit financially-motivated targeting is unusual among Chinese statesponsored threat groups , and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward .", "spans": {"Organization: APT41": [[119, 124]]}, "info": {"id": "dnrti_train_003107", "source": "dnrti_train"}} {"text": "APT41 operations against higher education , travel services , and news/media firms 
provide some indication that the group also tracks individuals and conducts surveillance .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003108", "source": "dnrti_train"}} {"text": "For example , the group has repeatedly targeted call record information at telecom companies .", "spans": {"Organization: group": [[18, 23]], "Organization: telecom": [[75, 82]], "Organization: companies": [[83, 92]]}, "info": {"id": "dnrti_train_003109", "source": "dnrti_train"}} {"text": "APT41 has established and maintained strategic access to organizations in the healthcare , high-tech , and telecommunications sectors .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003110", "source": "dnrti_train"}} {"text": "The group’s financially motivated activity has primarily focused on the video game industry , where APT41 has manipulated virtual currencies and even attempted to deploy ransomware .", "spans": {"Organization: video game industry": [[72, 91]], "Organization: APT41": [[100, 105]]}, "info": {"id": "dnrti_train_003111", "source": "dnrti_train"}} {"text": "In another instance , APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons .", "spans": {"Organization: APT41": [[22, 27]]}, "info": {"id": "dnrti_train_003112", "source": "dnrti_train"}} {"text": "These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns .", "spans": {"System: supply chain": [[6, 18]], "Organization: APT41’s": [[71, 78]]}, "info": {"id": "dnrti_train_003113", "source": "dnrti_train"}} {"text": "Interestingly , despite the significant effort required to execute supply chain compromises and the large number of affected organizations , APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers .", "spans": 
{"Organization: APT41": [[141, 146]], "System: limits": [[147, 153]], "System: matching": [[220, 228]]}, "info": {"id": "dnrti_train_003114", "source": "dnrti_train"}} {"text": "Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs .", "spans": {"Organization: APT41": [[88, 93]]}, "info": {"id": "dnrti_train_003115", "source": "dnrti_train"}} {"text": "The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations .", "spans": {"Organization: APT41": [[41, 46]]}, "info": {"id": "dnrti_train_003116", "source": "dnrti_train"}} {"text": "APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions , including publicly available utilities , malware shared with other Chinese espionage operations , and tools unique to the group .", "spans": {"Organization: APT41": [[0, 5]], "Malware: malware families": [[48, 64]], "Malware: tools": [[69, 74]], "Organization: group": [[228, 233]]}, "info": {"id": "dnrti_train_003117", "source": "dnrti_train"}} {"text": "Once in a victim organization , APT41 can leverage more sophisticated TTPs and deploy additional malware .", "spans": {"Organization: APT41": [[32, 37]]}, "info": {"id": "dnrti_train_003118", "source": "dnrti_train"}} {"text": "APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims .", "spans": {"Organization: APT41": [[0, 5]], "System: spear-phishing emails": [[22, 43]]}, "info": {"id": "dnrti_train_003119", "source": "dnrti_train"}} {"text": "APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems .", "spans": {"Organization: APT41": [[0, 5]], 
"System: deployed rootkits": [[15, 32]]}, "info": {"id": "dnrti_train_003120", "source": "dnrti_train"}} {"text": "The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets .", "spans": {"Organization: APT41": [[34, 39]]}, "info": {"id": "dnrti_train_003121", "source": "dnrti_train"}} {"text": "Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015 .", "spans": {"Organization: APT41": [[41, 46]]}, "info": {"id": "dnrti_train_003122", "source": "dnrti_train"}} {"text": "This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons .", "spans": {"Organization: group's": [[44, 51]]}, "info": {"id": "dnrti_train_003123", "source": "dnrti_train"}} {"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse .", "spans": {"Malware: BalkanRAT": [[0, 9]], "Malware: BalkanDoor": [[120, 130]]}, "info": {"id": "dnrti_train_003124", "source": "dnrti_train"}} {"text": "With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region .", "spans": {"Organization: attackers": [[90, 99]]}, "info": {"id": "dnrti_train_003125", "source": "dnrti_train"}} {"text": "Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 .", "spans": {"Organization: Serbian security": [[55, 71]]}, "info": {"id": "dnrti_train_003126", "source": "dnrti_train"}} {"text": "The campaign has been active at least from January 2016 to the time of writing the most 
recent detections in our telemetry are from July 2019 .", "spans": {}, "info": {"id": "dnrti_train_003127", "source": "dnrti_train"}} {"text": "Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": {"Organization: attacks": [[37, 44]]}, "info": {"id": "dnrti_train_003128", "source": "dnrti_train"}} {"text": "We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Organization: BalkanDoor": [[34, 44]], "Vulnerability: CVE-2018-20250": [[134, 148]]}, "info": {"id": "dnrti_train_003129", "source": "dnrti_train"}} {"text": "Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": {"Malware: BalkanRAT": [[5, 14]], "Malware: BalkanDoor": [[19, 29]]}, "info": {"id": "dnrti_train_003130", "source": "dnrti_train"}} {"text": "According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 .", "spans": {}, "info": {"id": "dnrti_train_003131", "source": "dnrti_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Malware: BalkanDoor": [[33, 43]], "Vulnerability: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_train_003132", "source": "dnrti_train"}} {"text": "Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen… and using BalkanRAT , they can do whatever they want on the computer .", "spans": {"Organization: attacker": [[34, 42]], "Malware: BalkanRAT": [[100, 109]]}, "info": {"id": "dnrti_train_003133", "source": "dnrti_train"}} 
{"text": "The BalkanDoor backdoor does not implement any exfiltration channel .", "spans": {"Malware: BalkanDoor": [[4, 14]], "Malware: backdoor": [[15, 23]]}, "info": {"id": "dnrti_train_003134", "source": "dnrti_train"}} {"text": "APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment .", "spans": {"Organization: APT41": [[0, 5]], "Malware: ADORE.XSEC": [[16, 26]]}, "info": {"id": "dnrti_train_003135", "source": "dnrti_train"}} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience .", "spans": {"Malware: backdoor": [[4, 12]]}, "info": {"id": "dnrti_train_003136", "source": "dnrti_train"}} {"text": "The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access .", "spans": {"Malware: BalkanRAT malware": [[21, 38]]}, "info": {"id": "dnrti_train_003137", "source": "dnrti_train"}} {"text": "Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher .", "spans": {"Organization: APT41's": [[28, 35]], "Malware: POISONPLUG": [[36, 46]]}, "info": {"id": "dnrti_train_003138", "source": "dnrti_train"}} {"text": "The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 .", "spans": {}, "info": {"id": "dnrti_train_003139", "source": "dnrti_train"}} {"text": "Based on the Let’s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 .", "spans": {"Organization: Encrypt": [[19, 26]]}, "info": {"id": "dnrti_train_003140", "source": "dnrti_train"}} {"text": "One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 .", "spans": {"Organization: CERT 360": [[100, 108]], "Organization: BITTER APT": [[130, 
140]]}, "info": {"id": "dnrti_train_003141", "source": "dnrti_train"}} {"text": "Further analysis of the BITTER APT’s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China .", "spans": {"Organization: BITTER APT’s": [[24, 36]]}, "info": {"id": "dnrti_train_003142", "source": "dnrti_train"}} {"text": "Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China .", "spans": {}, "info": {"id": "dnrti_train_003143", "source": "dnrti_train"}} {"text": "We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information .", "spans": {"Organization: BITTER APT": [[17, 27]]}, "info": {"id": "dnrti_train_003144", "source": "dnrti_train"}} {"text": "This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT .", "spans": {"Organization: BITTER APT": [[67, 77]], "Organization: 360-CERT": [[169, 177]]}, "info": {"id": "dnrti_train_003145", "source": "dnrti_train"}} {"text": "At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials .", "spans": {"Organization: BITTER APT": [[84, 94]]}, "info": {"id": "dnrti_train_003146", "source": "dnrti_train"}} {"text": "BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically .", "spans": {"Organization: BITTER APT": [[0, 10]]}, "info": {"id": "dnrti_train_003147", "source": "dnrti_train"}} {"text": "As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging 
spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People’s Republic of China .", "spans": {"Organization: Anomali": [[50, 57]]}, "info": {"id": "dnrti_train_003148", "source": "dnrti_train"}} {"text": "360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting .", "spans": {"Organization: 360 Threat Intelligence Center": [[0, 30]], "Organization: BITTER APT": [[86, 96]]}, "info": {"id": "dnrti_train_003149", "source": "dnrti_train"}} {"text": "China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels .", "spans": {"Malware: China Chopper": [[0, 13]], "Organization: Leviathan": [[82, 91]], "Organization: Threat Group-3390": [[96, 113]]}, "info": {"id": "dnrti_train_003150", "source": "dnrti_train"}} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": {"Malware: China Chopper": [[0, 13]], "Organization: attackers": [[36, 45]]}, "info": {"id": "dnrti_train_003151", "source": "dnrti_train"}} {"text": "Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , which shows that even nine years after its creation , attackers are using China Chopper without significant modifications .", "spans": {"Organization: Cisco Talos": [[0, 11]], "Malware: China Chopper": [[35, 48], [180, 193]], "Organization: attackers": [[160, 169]]}, "info": {"id": "dnrti_train_003152", "source": "dnrti_train"}} {"text": "Here , we investigate a campaign targeting an Asian government organization .", "spans": {"Organization: government organization": [[52, 75]]}, "info": {"id": "dnrti_train_003153", "source": 
"dnrti_train"}} {"text": "We observed another campaign targeting an organisation located in Lebanon .", "spans": {}, "info": {"id": "dnrti_train_003154", "source": "dnrti_train"}} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"Malware: China Chopper": [[0, 13]]}, "info": {"id": "dnrti_train_003155", "source": "dnrti_train"}} {"text": "They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe .", "spans": {"Malware: Mimikatz Lite": [[125, 138]], "Malware: GetPassword.exe": [[142, 157]]}, "info": {"id": "dnrti_train_003156", "source": "dnrti_train"}} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords .", "spans": {"Malware: tool": [[4, 8]]}, "info": {"id": "dnrti_train_003157", "source": "dnrti_train"}} {"text": "The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit .", "spans": {"Organization: actor": [[4, 9]], "Vulnerability: CVE-2018–8440": [[30, 43]], "Vulnerability: vulnerability": [[72, 85]], "Vulnerability: proof-of-concept": [[208, 224]], "Vulnerability: exploit": [[225, 232]]}, "info": {"id": "dnrti_train_003158", "source": "dnrti_train"}} {"text": "The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server .", "spans": {"Organization: attacker": [[4, 12]], "System: modify": [[79, 85]]}, "info": {"id": "dnrti_train_003159", "source": "dnrti_train"}} {"text": "The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims .", 
"spans": {"Organization: Cloud Atlas": [[26, 37]], "System: spear-phishing emails": [[63, 84]]}, "info": {"id": "dnrti_train_003160", "source": "dnrti_train"}} {"text": "From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts .", "spans": {"System: spear-phishing": [[80, 94]], "Organization: threat actor": [[121, 133]]}, "info": {"id": "dnrti_train_003161", "source": "dnrti_train"}} {"text": "We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 .", "spans": {"Organization: Cloud Atlas": [[43, 54]], "Organization: Palo Alto": [[85, 94]]}, "info": {"id": "dnrti_train_003162", "source": "dnrti_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"Malware: China Chopper": [[4, 17]], "Vulnerability: CVE-2015-0062": [[146, 159]], "Vulnerability: CVE-2015-1701": [[162, 175]], "Vulnerability: CVE-2016-0099": [[180, 193]], "Organization: attacker": [[207, 215]]}, "info": {"id": "dnrti_train_003163", "source": "dnrti_train"}} {"text": "Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 .", "spans": {"Organization: Cloud Atlas": [[13, 24]], "Vulnerability: CVE-2017-11882": [[140, 154]], "Vulnerability: CVE-2018-0802": [[166, 179]]}, "info": {"id": "dnrti_train_003164", "source": "dnrti_train"}} {"text": "This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage .", "spans": {"Organization: Cloud Atlas": [[49, 60]]}, 
"info": {"id": "dnrti_train_003165", "source": "dnrti_train"}} {"text": "Cloud Atlas remains very prolific in Eastern Europe and Central Asia .", "spans": {"Organization: Cloud Atlas": [[0, 11]]}, "info": {"id": "dnrti_train_003166", "source": "dnrti_train"}} {"text": "During its recent campaigns , Cloud Atlas used a new polymorphic” infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system .", "spans": {"Organization: Cloud Atlas": [[30, 41]], "System: infection chain": [[66, 81]]}, "info": {"id": "dnrti_train_003167", "source": "dnrti_train"}} {"text": "The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s .", "spans": {"Organization: Gamaredon Group": [[4, 19]], "System: spear-phishing attacks": [[48, 70]]}, "info": {"id": "dnrti_train_003168", "source": "dnrti_train"}} {"text": "In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers .", "spans": {"Organization: Gamaredon Group": [[100, 115]]}, "info": {"id": "dnrti_train_003169", "source": "dnrti_train"}} {"text": "In one article published in the Kharkiv Observer – an independent Ukranian online publication – an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group .", "spans": {"Organization: Gamaredon Group": [[219, 234]]}, "info": {"id": "dnrti_train_003170", "source": "dnrti_train"}} {"text": "Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait .", "spans": {"Organization: Gamaredon Group": [[0, 15]], "Malware: documents": [[135, 144]]}, "info": {"id": "dnrti_train_003171", "source": "dnrti_train"}} 
{"text": "Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files .", "spans": {"Organization: they": [[5, 9]], "Malware: (RMS)": [[85, 90]]}, "info": {"id": "dnrti_train_003172", "source": "dnrti_train"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]]}, "info": {"id": "dnrti_train_003173", "source": "dnrti_train"}} {"text": "During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 .", "spans": {"Organization: ITG08": [[124, 129]], "Organization: FIN6": [[146, 150]]}, "info": {"id": "dnrti_train_003174", "source": "dnrti_train"}} {"text": "More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout pages of compromised websites — a technique known as online skimming — thereby stealing payment card data transmitted to the vendor by unsuspecting customers .", "spans": {"Organization: ITG08": [[16, 21]], "System: injecting malicious code": [[77, 101]]}, "info": {"id": "dnrti_train_003175", "source": "dnrti_train"}} {"text": "This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider .", "spans": {"Organization: ITG08": [[30, 35]]}, "info": {"id": "dnrti_train_003176", "source": "dnrti_train"}} {"text": "ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. 
and Europe .", "spans": {"Organization: ITG08": [[0, 5]]}, "info": {"id": "dnrti_train_003177", "source": "dnrti_train"}} {"text": "Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 .", "spans": {"Organization: ITG08": [[18, 23]], "Malware: More_eggs backdoor": [[34, 52]]}, "info": {"id": "dnrti_train_003178", "source": "dnrti_train"}} {"text": "Attackers use it to create , expand and cement their foothold in compromised environments .", "spans": {"Organization: Attackers": [[0, 9]], "System: expand": [[29, 35]], "System: cement": [[40, 46]]}, "info": {"id": "dnrti_train_003179", "source": "dnrti_train"}} {"text": "Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign .", "spans": {"Organization: ITG08": [[9, 14]], "Malware: Comodo code-signing certificates": [[20, 52]]}, "info": {"id": "dnrti_train_003180", "source": "dnrti_train"}} {"text": "Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor .", "spans": {"Organization: ITG08’s": [[28, 35]], "System: spear phishing": [[111, 125]], "System: intrusion tactics": [[130, 147]], "System: covering information": [[152, 172]], "Malware: More_eggs backdoor": [[191, 209]]}, "info": {"id": "dnrti_train_003181", "source": "dnrti_train"}} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": {"Malware: More_eggs malware": [[31, 48]], "Malware: cmd.exe": [[132, 139]]}, "info": {"id": "dnrti_train_003182", "source": "dnrti_train"}} {"text": "X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote 
host .", "spans": {"Organization: X-Force IRIS": [[0, 12]], "Malware: More_eggs backdoor": [[33, 51]]}, "info": {"id": "dnrti_train_003183", "source": "dnrti_train"}} {"text": "Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment .", "spans": {"Organization: ITG08": [[9, 14]], "Malware: WMI": [[69, 72]], "Malware: PowerShell": [[77, 87]]}, "info": {"id": "dnrti_train_003184", "source": "dnrti_train"}} {"text": "The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz .", "spans": {"Organization: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_003185", "source": "dnrti_train"}} {"text": "In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes .", "spans": {"Malware: More_eggs": [[19, 28]], "Organization: ITG08": [[39, 44]], "Malware: Mimikatz": [[116, 124]]}, "info": {"id": "dnrti_train_003186", "source": "dnrti_train"}} {"text": "A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor .", "spans": {"Organization: ITG08": [[33, 38]], "Malware: More_eggs JScript backdoor": [[62, 88]]}, "info": {"id": "dnrti_train_003187", "source": "dnrti_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_train_003188", "source": "dnrti_train"}} {"text": "After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components .", "spans": {"Organization: ITG08": [[102, 107]], "Malware: More_eggs JScript backdoor": [[130, 156]]}, "info": {"id": 
"dnrti_train_003189", "source": "dnrti_train"}} {"text": "Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack .", "spans": {"Malware: More_eggs": [[13, 22]], "Organization: ITG08": [[39, 44]], "Malware: offensive security tools": [[72, 96]], "Malware: PowerShell scripts": [[101, 119]]}, "info": {"id": "dnrti_train_003190", "source": "dnrti_train"}} {"text": "After injecting Meterpreter into memory , the attacker had complete control of the infected device .", "spans": {"Organization: attacker": [[46, 54]]}, "info": {"id": "dnrti_train_003191", "source": "dnrti_train"}} {"text": "IBM X-Force IRIS has gained insight into ITG08’s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms .", "spans": {"Organization: IBM X-Force IRIS": [[0, 16]], "Organization: ITG08’s": [[41, 48]], "Malware: tools": [[131, 136]]}, "info": {"id": "dnrti_train_003192", "source": "dnrti_train"}} {"text": "After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices .", "spans": {"System: phishing email": [[10, 24]], "Organization: ITG08": [[65, 70]], "Malware: More_eggs backdoor": [[80, 98]]}, "info": {"id": "dnrti_train_003193", "source": "dnrti_train"}} {"text": "In addition , configuring PowerShell script logging and identifying any obfuscation will assist in mitigating ITG08’s use of PowerShell to conduct malicious activity .", "spans": {"Organization: ITG08’s": [[110, 117]], "Malware: PowerShell": [[125, 135]]}, "info": {"id": "dnrti_train_003194", "source": "dnrti_train"}} {"text": "The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications .", "spans": {"Organization: LYCEUM": [[4, 10]]}, "info": {"id": "dnrti_train_003195", 
"source": "dnrti_train"}} {"text": "CTU research indicates that LYCEUM may have been active as early as April 2018 .", "spans": {"Organization: CTU": [[0, 3]], "Organization: LYCEUM": [[28, 34]]}, "info": {"id": "dnrti_train_003196", "source": "dnrti_train"}} {"text": "In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East .", "spans": {"Organization: group": [[25, 30]]}, "info": {"id": "dnrti_train_003197", "source": "dnrti_train"}} {"text": "This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 .", "spans": {}, "info": {"id": "dnrti_train_003198", "source": "dnrti_train"}} {"text": "Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig , Crambus , and APT34 and COBALT TRINITY also known as Elfin and APT33 .", "spans": {"Organization: COBALT GYPSY": [[79, 91]], "Organization: OilRig": [[113, 119]], "Organization: Crambus": [[122, 129]], "Organization: APT34": [[136, 141]], "Organization: COBALT TRINITY": [[146, 160]], "Organization: Elfin": [[175, 180]], "Organization: APT33": [[185, 190]]}, "info": {"id": "dnrti_train_003199", "source": "dnrti_train"}} {"text": "When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed .", "spans": {"Organization: CTU": [[5, 8]], "Organization: LYCEUM": [[55, 61]]}, "info": {"id": "dnrti_train_003200", "source": "dnrti_train"}} {"text": "Using compromised accounts , LYCEUM send spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools .", "spans": {"Organization: LYCEUM": [[29, 35]], "System: spearphishing emails": [[41, 61]], "System: deliver": [[98, 105]], "Malware: post-intrusion tools": [[154, 174]]}, "info": {"id": "dnrti_train_003201", "source": 
"dnrti_train"}} {"text": "The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers .", "spans": {"Malware: DanBot": [[78, 84]], "Organization: CTU": [[105, 108]]}, "info": {"id": "dnrti_train_003202", "source": "dnrti_train"}} {"text": "Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP .", "spans": {"Malware: Get-LAPSP.ps1": [[0, 13]], "Malware: PowerShell script": [[19, 36]]}, "info": {"id": "dnrti_train_003203", "source": "dnrti_train"}} {"text": "LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment .", "spans": {"Organization: LYCEUM": [[0, 6]], "Malware: DanBot": [[30, 36]]}, "info": {"id": "dnrti_train_003204", "source": "dnrti_train"}} {"text": "LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel .", "spans": {"Organization: LYCEUM": [[0, 6]], "Malware: maldocs": [[27, 34]], "System: spearphishing": [[39, 52]]}, "info": {"id": "dnrti_train_003205", "source": "dnrti_train"}} {"text": "This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel .", "spans": {"Organization: LYCEUM’s": [[35, 43]], "Organization: executives": [[57, 67]], "Organization: HR staff": [[70, 78]], "Organization: IT personnel": [[85, 97]]}, "info": {"id": "dnrti_train_003206", "source": "dnrti_train"}} {"text": "Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments .", "spans": {"Malware: maldoc": [[40, 46]], "Organization: ICS": [[71, 74]], "Organization: OT staff": [[78, 86]], "Organization: LYCEUM": [[89, 95]]}, "info": {"id": "dnrti_train_003207", "source": "dnrti_train"}} {"text": "However , CTU researchers cannot dismiss the possibility that the LYCEUM could seek access to OT 
environments after establishing robust access to the IT environment .", "spans": {"Organization: CTU": [[10, 13]], "Organization: LYCEUM": [[66, 72]]}, "info": {"id": "dnrti_train_003208", "source": "dnrti_train"}} {"text": "LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector .", "spans": {"Organization: LYCEUM": [[0, 6]]}, "info": {"id": "dnrti_train_003209", "source": "dnrti_train"}} {"text": "Aside from deploying novel malware , LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls .", "spans": {"Organization: LYCEUM’s": [[37, 45]], "Organization: CTU": [[81, 84]]}, "info": {"id": "dnrti_train_003210", "source": "dnrti_train"}} {"text": "Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East .", "spans": {"System: Password spraying": [[0, 17]], "System: DNS tunneling": [[20, 33]], "System: social engineering": [[36, 54]], "System: abuse": [[61, 66]], "Organization: groups": [[144, 150]]}, "info": {"id": "dnrti_train_003211", "source": "dnrti_train"}} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_003212", "source": "dnrti_train"}} {"text": "Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns .", "spans": {"Organization: Machete": [[0, 7]], "Malware: malware": [[100, 107]], "System: spearphishing": [[129, 142]]}, "info": {"id": "dnrti_train_003213", "source": "dnrti_train"}} {"text": "ESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in 
April 2018 .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Machete": [[40, 47]]}, "info": {"id": "dnrti_train_003214", "source": "dnrti_train"}} {"text": "This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware .", "spans": {"Organization: Machete": [[132, 139]]}, "info": {"id": "dnrti_train_003215", "source": "dnrti_train"}} {"text": "Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years .", "spans": {"Organization: Their": [[0, 5]]}, "info": {"id": "dnrti_train_003216", "source": "dnrti_train"}} {"text": "Machete is interested in files that describe navigation routes and positioning using military grids .", "spans": {"Organization: Machete": [[0, 7]]}, "info": {"id": "dnrti_train_003217", "source": "dnrti_train"}} {"text": "The Machete group sends very specific emails directly to its victims , and these change from target to target .", "spans": {"Organization: Machete": [[4, 11]], "System: sends": [[18, 23]]}, "info": {"id": "dnrti_train_003218", "source": "dnrti_train"}} {"text": "The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 .", "spans": {"Organization: Machete": [[4, 11]]}, "info": {"id": "dnrti_train_003219", "source": "dnrti_train"}} {"text": "Previous versions were described by Kaspersky in 2014 and Cylance in 2017 .", "spans": {"Malware: Previous versions": [[0, 17]], "Organization: Kaspersky": [[36, 45]], "Organization: Cylance": [[58, 65]]}, "info": {"id": "dnrti_train_003220", "source": "dnrti_train"}} {"text": "Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation .", "spans": {"Organization: Machete": [[24, 31]]}, "info": {"id": "dnrti_train_003221", "source": "dnrti_train"}} {"text": "The GoogleUpdate.exe component is responsible 
for communicating with the remote C&C server .", "spans": {"Malware: GoogleUpdate.exe": [[4, 20]]}, "info": {"id": "dnrti_train_003222", "source": "dnrti_train"}} {"text": "ESET has been tracking this threat for months and has observed several changes , sometimes within weeks .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_train_003223", "source": "dnrti_train"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries .", "spans": {"Malware: malware": [[15, 22]]}, "info": {"id": "dnrti_train_003224", "source": "dnrti_train"}} {"text": "The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain .", "spans": {"Organization: Machete": [[134, 141]], "Organization: we": [[218, 220]]}, "info": {"id": "dnrti_train_003225", "source": "dnrti_train"}} {"text": "This group is very active and continues to develop new features for its malware , and implement infrastructure changes in 2019 .", "spans": {"Organization: group": [[5, 10]]}, "info": {"id": "dnrti_train_003226", "source": "dnrti_train"}} {"text": "Machete's long run of attacks , focused in Latin American countries , has allowed them to collect intelligence and refine their tactics over the years .", "spans": {"Organization: Machete's": [[0, 9]]}, "info": {"id": "dnrti_train_003227", "source": "dnrti_train"}} {"text": "ESET researchers have detected an ongoing , highly targeted campaign , with a majority of the targets being military organizations .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_train_003228", "source": "dnrti_train"}} {"text": "The group behind Machete uses effective spearphishing techniques .", "spans": {"Organization: Machete": [[17, 24]], "System: spearphishing": [[40, 53]]}, 
"info": {"id": "dnrti_train_003229", "source": "dnrti_train"}} {"text": "First described by Kaspersky in 2014 [1] and later , by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries .", "spans": {"Organization: Kaspersky": [[19, 28]], "Organization: Cylance": [[56, 63]], "Organization: Machete": [[78, 85]]}, "info": {"id": "dnrti_train_003230", "source": "dnrti_train"}} {"text": "In 2018 Machete reappeared with new code and new features .", "spans": {"Organization: Machete": [[8, 15]]}, "info": {"id": "dnrti_train_003231", "source": "dnrti_train"}} {"text": "As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces .", "spans": {"Organization: ESET": [[18, 22]], "Organization: Machete": [[77, 84]]}, "info": {"id": "dnrti_train_003232", "source": "dnrti_train"}} {"text": "Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country .", "spans": {"Organization: Machete": [[0, 7]], "Organization: group": [[80, 85]]}, "info": {"id": "dnrti_train_003233", "source": "dnrti_train"}} {"text": "Machete was active and constantly working on very effective spearphishing campaigns .", "spans": {"Organization: Machete": [[0, 7]], "System: spearphishing": [[60, 73]]}, "info": {"id": "dnrti_train_003234", "source": "dnrti_train"}} {"text": "In some cases , Machete trick new victims by sending real documents that had been stolen on the very same day .", "spans": {"Organization: Machete": [[16, 23]], "System: sending real documents": [[45, 67]]}, "info": {"id": "dnrti_train_003235", "source": "dnrti_train"}} {"text": "Machete relies on spearphishing to compromise its targets .", "spans": {"Organization: Machete": [[0, 7]], "System: spearphishing": [[18, 31]]}, "info": {"id": "dnrti_train_003236", "source": 
"dnrti_train"}} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_train_003237", "source": "dnrti_train"}} {"text": "Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails .", "spans": {"Organization: Attackers": [[0, 9]], "System: phishing emails": [[122, 137]]}, "info": {"id": "dnrti_train_003238", "source": "dnrti_train"}} {"text": "Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised .", "spans": {"Organization: Machete": [[17, 24]]}, "info": {"id": "dnrti_train_003239", "source": "dnrti_train"}} {"text": "Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server .", "spans": {"Organization: ESET": [[54, 58]]}, "info": {"id": "dnrti_train_003240", "source": "dnrti_train"}} {"text": "This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete .", "spans": {"Organization: Machete": [[126, 133]]}, "info": {"id": "dnrti_train_003241", "source": "dnrti_train"}} {"text": "Machete is malware that has been developed and is actively maintained by a Spanish-speaking group .", "spans": {"Organization: Machete": [[0, 7]]}, "info": {"id": "dnrti_train_003242", "source": "dnrti_train"}} {"text": "Since it was active in 2012 , it has been carrying out attacks against sensitive targets in China and is one of the most active APT attack organizations targeting mainland China in recent years .", "spans": {"Organization: organizations": [[139, 152]]}, "info": {"id": "dnrti_train_003243", 
"source": "dnrti_train"}} {"text": "By introducing small changes to their code and infrastructure , the group has bypassed several security products .", "spans": {"System: introducing small changes": [[3, 28]], "Organization: group": [[68, 73]]}, "info": {"id": "dnrti_train_003244", "source": "dnrti_train"}} {"text": "OceanLotus will release malicious sub-packages in the background , receive the remote control command , steal the privacy information of users such as SMS messages , contacts , call records , geographic locations , and browser records .", "spans": {"Organization: OceanLotus": [[0, 10]], "System: release malicious": [[16, 33]], "System: receive": [[67, 74]], "System: steal": [[104, 109]]}, "info": {"id": "dnrti_train_003245", "source": "dnrti_train"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage .", "spans": {"Malware: They": [[0, 4]]}, "info": {"id": "dnrti_train_003246", "source": "dnrti_train"}} {"text": "It can be seen that after the code leakage , the CEO of the HackingTeam organization said that the leaked code is only a small part is based on the facts , which also reflects that the network arms merchants have lowered the threshold of APT attacks to a certain extent , making more uncertainties of cyber attacks .", "spans": {"Organization: HackingTeam": [[60, 71]], "System: leaked code": [[99, 110]]}, "info": {"id": "dnrti_train_003247", "source": "dnrti_train"}} {"text": "This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking .", "spans": {"Organization: report": [[5, 11]], "Organization: SectorJ04": [[73, 82], [209, 218]]}, "info": {"id": "dnrti_train_003248", "source": "dnrti_train"}} {"text": "In 2019 , the SectorJ04 group expanded its hacking activities to 
cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of their attacks from targeted attacks to searching for random victims .", "spans": {"Organization: SectorJ04": [[14, 23]]}, "info": {"id": "dnrti_train_003249", "source": "dnrti_train"}} {"text": "The SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking activities to companies in various industrial sectors located in East Asia and Southeast Asia .", "spans": {"Organization: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003250", "source": "dnrti_train"}} {"text": "There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea .", "spans": {"Organization: SectorJ04's": [[36, 47]]}, "info": {"id": "dnrti_train_003251", "source": "dnrti_train"}} {"text": "They mainly utilize spam email to deliver their backdoor to the infected system that can perform additional commands from the attacker’s server .", "spans": {"System: utilize spam email": [[12, 30]], "Organization: attacker’s": [[126, 136]]}, "info": {"id": "dnrti_train_003252", "source": "dnrti_train"}} {"text": "We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan , India .", "spans": {"Organization: SectorJ04": [[7, 16]]}, "info": {"id": "dnrti_train_003253", "source": "dnrti_train"}} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system .", "spans": {"Organization: SectorJ04": [[4, 13]], "System: spear phishing email": [[38, 58]], "Malware: document files": [[106, 120]], "Organization: attacker": [[188, 196]]}, "info": {"id": "dnrti_train_003254", "source": "dnrti_train"}} {"text": "The SectorJ04 group’s preexisting targets were financial institutions located 
in countries such as North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their areas of activity to include the medical , pharmaceutical , media , energy and manufacturing industries .", "spans": {"Organization: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003255", "source": "dnrti_train"}} {"text": "The SectorJ04 group mainly used their own backdoor , ServHelper and FlawedAmmy RAT , for hacking .", "spans": {"Organization: SectorJ04": [[4, 13]], "Malware: ServHelper": [[53, 63]], "Malware: FlawedAmmy RAT": [[68, 82]]}, "info": {"id": "dnrti_train_003256", "source": "dnrti_train"}} {"text": "SectorJ04 also used the Remote Manipulator System (RMS) RAT , a legitimate remote management software created in Russia .", "spans": {"Organization: SectorJ04": [[0, 9]], "Malware: Remote Manipulator System": [[24, 49]]}, "info": {"id": "dnrti_train_003257", "source": "dnrti_train"}} {"text": "Backdoors are installed in infected systems and SectorJ04 also distributed email stealers , botnet malware and ransomware through those backdoors .", "spans": {"Organization: SectorJ04": [[48, 57]], "Malware: backdoors": [[136, 145]]}, "info": {"id": "dnrti_train_003258", "source": "dnrti_train"}} {"text": "Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers .", "spans": {"Malware: Backdoor": [[0, 8]], "System: additional botnet": [[54, 71]], "System: ransomware": [[82, 92]], "System: email": [[97, 102]], "System: stealers": [[103, 111]]}, "info": {"id": "dnrti_train_003259", "source": "dnrti_train"}} {"text": "SectorJ04 was recently confirmed to use additional backdoor called AdroMut and FlowerPippi , which is used to install other backdoor such as FlawedAmmy RAT on behalf of the MSI file , or to collect system information and send it to the attacker’s server .", "spans": {"Organization: SectorJ04": [[0, 9]], "Malware: AdroMut": [[67, 74]], "Malware: FlowerPippi": 
[[79, 90]], "Organization: attacker’s": [[236, 246]]}, "info": {"id": "dnrti_train_003260", "source": "dnrti_train"}} {"text": "Although the SectorJ04 group mainly targeted countries located in Europe or North America , it has recently expanded its field of activities to countries located in Southeast Asia and East Asia .", "spans": {"Organization: SectorJ04": [[13, 22]]}, "info": {"id": "dnrti_train_003261", "source": "dnrti_train"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format .", "spans": {"Malware: email stealer": [[4, 17]]}, "info": {"id": "dnrti_train_003262", "source": "dnrti_train"}} {"text": "A new type of backdoor called AdroMut and a new malware called FlowerPippi was also found coming from SectorJ04 .", "spans": {"Malware: AdroMut": [[30, 37]], "Malware: FlowerPippi": [[63, 74]], "Organization: SectorJ04": [[102, 111]]}, "info": {"id": "dnrti_train_003263", "source": "dnrti_train"}} {"text": "But after 2019 SectorJ04 has changed its hacking strategy to attack using spam email .", "spans": {"Organization: SectorJ04": [[15, 24]], "System: spam": [[74, 78]], "System: email": [[79, 84]]}, "info": {"id": "dnrti_train_003264", "source": "dnrti_train"}} {"text": "The hacking activities of SectorJ04 group , which targeted South Korea in the first half of 2019 , have been continuously discovered .", "spans": {"Organization: SectorJ04": [[26, 35]]}, "info": {"id": "dnrti_train_003265", "source": "dnrti_train"}} {"text": "Prior to 2019 , the SectorJ04 group conducted large-scale hacking activities for financial gain using exploit kits on websites to install ransomware , such as Locky and GlobeImporter , along with its banking Trojan , on its victims computers .", "spans": {"Organization: SectorJ04": [[20, 29]], "Malware: exploit kits": [[102, 114]], 
"Malware: Locky": [[159, 164]], "Malware: GlobeImporter": [[169, 182]], "Malware: banking Trojan": [[200, 214]]}, "info": {"id": "dnrti_train_003266", "source": "dnrti_train"}} {"text": "In June 2019 , continuous SectorJ04's activities targeting South Korea were found again and spam emails were written with various contents , including transaction statements , receipts and remittance cards .", "spans": {"Organization: SectorJ04's": [[26, 37]]}, "info": {"id": "dnrti_train_003267", "source": "dnrti_train"}} {"text": "The SectorJ04 group has carried out large-scale hacking activities targeting South Korea , while also expanding the field of attacks to Southeast Asian countries such as Taiwan and the Philippines .", "spans": {"Organization: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003268", "source": "dnrti_train"}} {"text": "In June , SectorJ04 group conducted hacking using spam emails written in various languages , including English , Arabic , Korean and Italian , and the emails were written with various contents , including remittance card , invoice and tax invoice .", "spans": {"Organization: SectorJ04": [[10, 19]]}, "info": {"id": "dnrti_train_003269", "source": "dnrti_train"}} {"text": "Spam emails and attachments written in Chinese were found in May , and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications , international schools and manufacturing .", "spans": {"Organization: SectorJ04": [[75, 84]]}, "info": {"id": "dnrti_train_003270", "source": "dnrti_train"}} {"text": "In addition to their preexist backdoor , ServHelper and FlawedAmmy , they have also been confirmed to use the backdoor called AdroMut and FlowerPippi .", "spans": {"Malware: ServHelper": [[41, 51]], "Malware: FlawedAmmy": [[56, 66]], "Malware: AdroMut": [[126, 133]], "Malware: FlowerPippi": [[138, 149]]}, "info": {"id": "dnrti_train_003271", "source": "dnrti_train"}} {"text": "AdroMut downloads the malware ServHelper and FlawedAmmy 
RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor .", "spans": {"Malware: ServHelper": [[30, 40]], "Malware: FlawedAmmy": [[45, 55]], "Organization: SectorJ04": [[72, 81]]}, "info": {"id": "dnrti_train_003272", "source": "dnrti_train"}} {"text": "The SectorJ04 group , which has been utilizing the same pattern of infection and the same malware for more than six months , is believed to be attempting to change its infection methods such as downloading malware directly from malicious documents without using MSI installation files , changing their spam email format and using new types of backdoor .", "spans": {"Organization: SectorJ04": [[4, 13]], "System: downloading malware": [[194, 213]], "System: changing": [[287, 295]]}, "info": {"id": "dnrti_train_003273", "source": "dnrti_train"}} {"text": "Until 2019 , SectorJ04 group had carried out massive website-based hacking activities that mainly utilize ransomware and banking trojans for financial profit , and has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users since 2019 .", "spans": {"Organization: SectorJ04": [[13, 22]], "Malware: ransomware": [[106, 116]], "Malware: banking trojans": [[121, 136]]}, "info": {"id": "dnrti_train_003274", "source": "dnrti_train"}} {"text": "The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam .", "spans": {"Organization: SectorJ04": [[4, 13]], "System: distribution of spam": [[119, 139]]}, "info": {"id": "dnrti_train_003275", "source": "dnrti_train"}} {"text": "This allows them to expand their range of targets of hacking activities for financial profit , and in this regard , SectorJ04 group has been found to have hacked into a company’s internal network by using a spear phishing email targeting executives and employees of certain South Korean 
companies around February 2019 .", "spans": {"Organization: SectorJ04": [[116, 125]], "System: spear phishing": [[207, 221]], "Organization: companies": [[287, 296]]}, "info": {"id": "dnrti_train_003276", "source": "dnrti_train"}} {"text": "SectorJ04 group carried out intensive hacking on various industrial sectors , including South Korea’s media , manufacturing and universities , around February and March 2019 .", "spans": {"Organization: SectorJ04": [[0, 9]]}, "info": {"id": "dnrti_train_003277", "source": "dnrti_train"}} {"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run .", "spans": {"Organization: SectorJ04": [[0, 9]], "System: spear phishing": [[19, 33]], "Organization: attacker’s": [[130, 140]]}, "info": {"id": "dnrti_train_003278", "source": "dnrti_train"}} {"text": "SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019 .", "spans": {"Organization: SectorJ04": [[0, 9]]}, "info": {"id": "dnrti_train_003279", "source": "dnrti_train"}} {"text": "SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019 .", "spans": {"Organization: SectorJ04": [[0, 9]]}, "info": {"id": "dnrti_train_003280", "source": "dnrti_train"}} {"text": "In late July , SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education , job openings , real estate and semiconductors in South Korea .", "spans": {"Organization: SectorJ04": [[15, 24]]}, "info": {"id": "dnrti_train_003281", "source": "dnrti_train"}} {"text": "In early August , the SectorJ04 group carried out extensive hacking activities targeting the users around the world , including South Korea , India , Britain , the United States , Germany , Canada , Argentina , Bangladesh and 
Hong Kong .", "spans": {"Organization: SectorJ04": [[22, 31]]}, "info": {"id": "dnrti_train_003282", "source": "dnrti_train"}} {"text": "Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity .", "spans": {"System: Spam emails": [[0, 11]]}, "info": {"id": "dnrti_train_003283", "source": "dnrti_train"}} {"text": "They are one of the most active cyber crime groups in 2019 , and they often modify and tweak their hacking methods and perform periodic hacking activities .", "spans": {"Organization: groups": [[44, 50]]}, "info": {"id": "dnrti_train_003284", "source": "dnrti_train"}} {"text": "Now , Silence is one of the most active threat actors targeting the financial sector .", "spans": {"Organization: Silence": [[6, 13]]}, "info": {"id": "dnrti_train_003285", "source": "dnrti_train"}} {"text": "Since we released our original report , Silence: Moving into the darkside , the confirmed damage from Silence's operations has increased fivefold compared to the figures in Group-IB's initial report .", "spans": {"Organization: Silence:": [[40, 48]], "Organization: Group-IB's": [[173, 183]]}, "info": {"id": "dnrti_train_003286", "source": "dnrti_train"}} {"text": "Silence started by targeting organizations in Russia , gradually shifting their focus to former Soviet countries , and then the world .", "spans": {"Organization: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003287", "source": "dnrti_train"}} {"text": "Silence also started using Ivoke , a fileless loader , and EDA agent , both written in PowerShell .", "spans": {"Organization: Silence": [[0, 7]], "Malware: Ivoke": [[27, 32]], "Malware: EDA agent": [[59, 68]]}, "info": {"id": "dnrti_train_003288", "source": "dnrti_train"}} {"text": "Silence 2.0: Going Global is an extension of our original report: Silence: Moving into the Darkside which remains the most significant contribution to the research on the group and is the first such report to 
reveal Silence’s activity .", "spans": {"Organization: Going Global": [[13, 25]], "Organization: group": [[171, 176]], "Organization: Silence’s activity": [[216, 234]]}, "info": {"id": "dnrti_train_003289", "source": "dnrti_train"}} {"text": "Since the report’s release in September 2018 , Group-IB’s Threat Intelligence team has detected 16 campaigns targeting banks launched by Silence .", "spans": {"Organization: Group-IB’s": [[47, 57]], "Organization: banks": [[119, 124]], "Organization: Silence": [[137, 144]]}, "info": {"id": "dnrti_train_003290", "source": "dnrti_train"}} {"text": "Like the majority of APT groups , Silence uses phishing as their infection vector .", "spans": {"Organization: Silence": [[34, 41]], "System: phishing": [[47, 55]]}, "info": {"id": "dnrti_train_003291", "source": "dnrti_train"}} {"text": "In the last successful attack described in Silence: Moving into the darkside , dated April 2018 , the hackers siphoned off about $150 , 000 through ATMs in a single night .", "spans": {"Organization: hackers": [[102, 109]]}, "info": {"id": "dnrti_train_003292", "source": "dnrti_train"}} {"text": "Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": {"Organization: Group-IB’s": [[38, 48]]}, "info": {"id": "dnrti_train_003293", "source": "dnrti_train"}} {"text": "In 2018 , Silence conducted test campaigns to update their database of current targets and expand their attack geography .", "spans": {"Organization: Silence": [[10, 17]]}, "info": {"id": "dnrti_train_003294", "source": "dnrti_train"}} {"text": "The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"Organization: actor’s": [[11, 18]], "Malware: malicious 
payload": [[72, 89]], "Organization: users": [[154, 159]]}, "info": {"id": "dnrti_train_003295", "source": "dnrti_train"}} {"text": "Silence has conducted at least three campaigns using recon emails , followed by malicious mail sent to an updated recipient list .", "spans": {"Organization: Silence": [[0, 7]], "System: malicious mail": [[80, 94]]}, "info": {"id": "dnrti_train_003296", "source": "dnrti_train"}} {"text": "Group-IB has also detected recon emails sent out to New Zealand .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: recon emails": [[27, 39]]}, "info": {"id": "dnrti_train_003297", "source": "dnrti_train"}} {"text": "Since our last public report , Silence has sent out more than 170 , 000 recon emails to banks in Russia , the former Soviet Union , Asia and Europe .", "spans": {"Organization: Silence": [[31, 38]]}, "info": {"id": "dnrti_train_003298", "source": "dnrti_train"}} {"text": "In November 2018 , Silence tried their hand at targeting the Asian market for the first time in their history .", "spans": {"Organization: Silence": [[19, 26]]}, "info": {"id": "dnrti_train_003299", "source": "dnrti_train"}} {"text": "In total , Silence sent out about 80 , 000 emails , with more than half of them targeting Taiwan , Malaysia , and South Korea .", "spans": {"Organization: Silence": [[11, 18]]}, "info": {"id": "dnrti_train_003300", "source": "dnrti_train"}} {"text": "Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": {"Organization: Group-IB’s": [[38, 48]], "Organization: Silence’s": [[92, 101]]}, "info": {"id": "dnrti_train_003301", "source": "dnrti_train"}} {"text": "From 16 October 2018 to 1 January 2019 , Silence sent out about 84 , 000 emails in Russia alone to update their address database .", "spans": {"Organization: 
Silence": [[41, 48]]}, "info": {"id": "dnrti_train_003302", "source": "dnrti_train"}} {"text": "As part of their phishing campaigns , silence still uses Microsoft Office documents with macros or exploits , CHM files , and .LNK shortcuts as malicious attachments .", "spans": {"System: phishing": [[17, 25]], "Organization: silence": [[38, 45]]}, "info": {"id": "dnrti_train_003303", "source": "dnrti_train"}} {"text": "In the former Soviet Union , Silence targeted banks in Kyrgyzstan , Kazakhstan , and Ukraine .", "spans": {"Organization: Silence": [[29, 36]]}, "info": {"id": "dnrti_train_003304", "source": "dnrti_train"}} {"text": "In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke .", "spans": {"Organization: Group-IB": [[10, 18]], "Malware: Ivoke": [[84, 89]]}, "info": {"id": "dnrti_train_003305", "source": "dnrti_train"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]]}, "info": {"id": "dnrti_train_003306", "source": "dnrti_train"}} {"text": "As the CnC server , Silence use CnC-3 server running Windows , from which they send commands to download additional modules .", "spans": {"Organization: Silence": [[20, 27]], "Malware: CnC-3 server": [[32, 44]]}, "info": {"id": "dnrti_train_003307", "source": "dnrti_train"}} {"text": "To control ATMs , the group uses the Atmosphere Trojan , which is unique to Silence , or a program called xfs-disp.exe .", "spans": {"Organization: group": [[22, 27]], "Malware: Atmosphere Trojan": [[37, 54]], "Organization: Silence": [[76, 83]], "Malware: xfs-disp.exe": [[106, 118]]}, "info": {"id": "dnrti_train_003308", "source": "dnrti_train"}} {"text": "In addition , Silence downloads the reverse proxy programs Silence.ProxyBot and Silence. 
ProxyBot.NET , which are described in detail in the report Silence: moving into the darkside .", "spans": {"Organization: Silence": [[14, 21]], "Malware: Silence.ProxyBot": [[59, 75]], "Malware: Silence. ProxyBot.NET": [[80, 101]]}, "info": {"id": "dnrti_train_003309", "source": "dnrti_train"}} {"text": "Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": {"Vulnerability: exploit": [[65, 72]], "Vulnerability: CVE-2017-11882 vulnerability": [[81, 109]]}, "info": {"id": "dnrti_train_003310", "source": "dnrti_train"}} {"text": "Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: malicious Microsoft Word attachment": [[70, 105]]}, "info": {"id": "dnrti_train_003311", "source": "dnrti_train"}} {"text": "Silence sent out emails to Russian banks .", "spans": {"Organization: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003312", "source": "dnrti_train"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"Vulnerability: exploit": [[4, 11]], "Organization: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_train_003313", "source": "dnrti_train"}} {"text": "Silence conducted a massive phishing campaign posing as the Central Bank of the Russian Federation .", "spans": {"Organization: Silence": [[0, 7]], "System: phishing": [[28, 36]], "System: posing": [[46, 52]]}, "info": {"id": "dnrti_train_003314", "source": "dnrti_train"}} {"text": "Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: Silence’s": [[111, 120]]}, "info": {"id": "dnrti_train_003315", "source": "dnrti_train"}} {"text": "Silence attacked financial 
organisations in the UK .", "spans": {"Organization: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003316", "source": "dnrti_train"}} {"text": "Silence conducted the first stage of their Asian campaign , organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software .", "spans": {"Organization: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003317", "source": "dnrti_train"}} {"text": "The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks .", "spans": {"Organization: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_003318", "source": "dnrti_train"}} {"text": "On 24 March 2019 , Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka .", "spans": {"Malware: Silence.ProxyBot": [[19, 35]]}, "info": {"id": "dnrti_train_003319", "source": "dnrti_train"}} {"text": "On October 18th , 2018 , the group sent out emails to British financial companies as part of their preparatory campaign .", "spans": {"Organization: group": [[29, 34]]}, "info": {"id": "dnrti_train_003320", "source": "dnrti_train"}} {"text": "Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019 .", "spans": {"Organization: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_003321", "source": "dnrti_train"}} {"text": "According to local media reports , in 2019 Silence successfully withdrew money from the Bangladeshi bank twice within 2 months .", "spans": {"Organization: Silence": [[43, 50]]}, "info": {"id": "dnrti_train_003322", "source": "dnrti_train"}} {"text": "To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank .", "spans": {"Malware: 
Atmosphere": [[58, 68]], "Organization: Silence": [[93, 100]], "Malware: xfs-disp.exe": [[166, 178]]}, "info": {"id": "dnrti_train_003323", "source": "dnrti_train"}} {"text": "As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems .", "spans": {"Organization: Silence:": [[19, 27]], "Organization: Silence": [[62, 69]]}, "info": {"id": "dnrti_train_003324", "source": "dnrti_train"}} {"text": "In February 2019 , Russian media reported a Silence attack on IT Bank in the city of Omsk .", "spans": {}, "info": {"id": "dnrti_train_003325", "source": "dnrti_train"}} {"text": "On 16 January 2019 , Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 (see section ‘Attack timeline’) .", "spans": {"Organization: Silence": [[21, 28]], "System: phishing emails": [[38, 53]]}, "info": {"id": "dnrti_train_003326", "source": "dnrti_train"}} {"text": "Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: employees": [[68, 77]]}, "info": {"id": "dnrti_train_003327", "source": "dnrti_train"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine .", "spans": {"Malware: Silence.Downloader": [[17, 35]]}, "info": {"id": "dnrti_train_003328", "source": "dnrti_train"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server .", "spans": {"Malware: Silence.MainModule": [[0, 18]]}, "info": {"id": "dnrti_train_003329", "source": "dnrti_train"}} {"text": "Since at least 2011 , these hackers have been using malware to spy on corporate networks .", "spans": 
{"Organization: hackers": [[28, 35]], "Malware: malware": [[52, 59]]}, "info": {"id": "dnrti_train_003330", "source": "dnrti_train"}} {"text": "Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies .", "spans": {"Organization: Hackers": [[0, 7]]}, "info": {"id": "dnrti_train_003331", "source": "dnrti_train"}} {"text": "The hackers will map a company’s network and look for strategically favorable locations for placing their malware .", "spans": {"Organization: hackers": [[4, 11]]}, "info": {"id": "dnrti_train_003332", "source": "dnrti_train"}} {"text": "The corporation confirms the Winnti incident and issues the following statement: “The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions.” Henkel claims that “a very small portion” of its worldwide IT systems had been affected — the systems in Germany .", "spans": {"Organization: Winnti": [[29, 35]]}, "info": {"id": "dnrti_train_003333", "source": "dnrti_train"}} {"text": "A BASF spokeswoman tells us in an email that in July 2015 , hackers had successfully overcome the “first levels” of defense .", "spans": {"Organization: hackers": [[60, 67]]}, "info": {"id": "dnrti_train_003334", "source": "dnrti_train"}} {"text": "The tool was written by staff of Thyssenkrupp , because the industrial giant—company number eleven—had been spied on by Winnti .", "spans": {"Malware: Thyssenkrupp": [[33, 45]], "Organization: Winnti": [[120, 126]]}, "info": {"id": "dnrti_train_003335", "source": "dnrti_train"}} {"text": "Hackers are charged with spying on a manufacturer of gas turbines .", "spans": {"Organization: Hackers": [[0, 7]]}, "info": {"id": "dnrti_train_003336", "source": "dnrti_train"}} {"text": "The Hong Kong government was spied on by the Winnti hackers .", "spans": {"Organization: Winnti": [[45, 51]]}, "info": {"id": "dnrti_train_003337", "source": "dnrti_train"}} {"text": "Komplex is a backdoor that has been used by APT28 on OS X and appears to be 
developed in a similar manner to XAgentOSX .", "spans": {"Malware: Komplex": [[0, 7]], "Organization: APT28": [[44, 49]]}, "info": {"id": "dnrti_train_003338", "source": "dnrti_train"}} {"text": "While OceanLotus’ targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam .", "spans": {"Organization: OceanLotus’": [[6, 17]], "Organization: activists": [[192, 201]], "Organization: dissidents": [[208, 218]]}, "info": {"id": "dnrti_train_003339", "source": "dnrti_train"}} {"text": "NewsBeef attacks against Saudi Arabian organizations and individuals (as well as targets in the European Union) are likely to continue .", "spans": {"Organization: NewsBeef": [[0, 8]]}, "info": {"id": "dnrti_train_003340", "source": "dnrti_train"}} {"text": "Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the APT10 during the compromise and was able to attribute data that was placed into it as being owned by Visma .", "spans": {"Organization: Rapid7": [[0, 6]], "Organization: APT10": [[97, 102]], "System: placed": [[165, 171]]}, "info": {"id": "dnrti_train_003341", "source": "dnrti_train"}} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe .", "spans": {"Organization: Rapid7": [[0, 6]], "Organization: APT10": [[22, 27]], "Malware: ccSEUPDT.exe": [[52, 64]]}, "info": {"id": "dnrti_train_003342", "source": "dnrti_train"}} {"text": "These RAT families are discussed in Novetta’s other report on the Lazarus Group’s RAT and Staging capabilities .", "spans": {"Organization: Novetta’s": [[36, 45]], "Organization: Lazarus": [[66, 73]]}, "info": {"id": "dnrti_train_003343", "source": "dnrti_train"}} {"text": "Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi 
Arabia .", "spans": {"Organization: Magic Hound": [[0, 11]]}, "info": {"id": "dnrti_train_003344", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"Organization: group": [[41, 46]], "Organization: FireEye": [[52, 59]], "Organization: APT33": [[70, 75]]}, "info": {"id": "dnrti_train_003345", "source": "dnrti_train"}} {"text": "CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash .", "spans": {"Organization: CTU": [[0, 3]], "System: spearphishing": [[98, 111]], "System: social engineering attacks": [[116, 142]], "Organization: Mia Ash": [[178, 185]]}, "info": {"id": "dnrti_train_003346", "source": "dnrti_train"}} {"text": "CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": {"Organization: CTU": [[0, 3]], "Organization: COBALT GYPSY": [[30, 42]], "System: social engineering": [[125, 143]]}, "info": {"id": "dnrti_train_003347", "source": "dnrti_train"}} {"text": "Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East (including targets inside Iran itself) , as well as across Europe and in the United States .", "spans": {"System: spear phishing": [[81, 95]], "Organization: Magic Hound": [[102, 113]]}, "info": {"id": "dnrti_train_003348", "source": "dnrti_train"}} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations .", "spans": {"Malware: malware": [[6, 13]]}, "info": {"id": "dnrti_train_003349", "source": "dnrti_train"}} 
{"text": "The activity surfaced in Southeast Asia , a region where APT10 frequently operates .", "spans": {"Organization: APT10": [[57, 62]]}, "info": {"id": "dnrti_train_003350", "source": "dnrti_train"}} {"text": "The samples we analyzed originated from the Philippines .", "spans": {"Malware: samples": [[4, 11]]}, "info": {"id": "dnrti_train_003351", "source": "dnrti_train"}} {"text": "APT10 frequently targets the Southeast Asia region .", "spans": {"Organization: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_003352", "source": "dnrti_train"}} {"text": "Both of the loader’s variants and their various payloads that enSilo analyzed share similar Tactics , Techniques , and Procedures (TTPs) and code associated with APT10 .", "spans": {"Organization: enSilo": [[62, 68]], "Organization: APT10": [[162, 167]]}, "info": {"id": "dnrti_train_003353", "source": "dnrti_train"}} {"text": "Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain .", "spans": {"Organization: APT10": [[12, 17]], "System: employ": [[27, 33]]}, "info": {"id": "dnrti_train_003354", "source": "dnrti_train"}} {"text": "Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file’s compilation date .", "spans": {"Malware: sample": [[46, 52]]}, "info": {"id": "dnrti_train_003355", "source": "dnrti_train"}} {"text": "Over the past three months , Recorded Future’s Insikt Group has observed an increase in APT33’s also known as Elfin infrastructure building and targeting activity , and on June 21 , 2019 , Yahoo .", "spans": {"Organization: Recorded Future’s": [[29, 46]], "Organization: APT33’s": [[88, 95]], "Organization: Elfin": [[110, 115]]}, "info": {"id": "dnrti_train_003356", "source": "dnrti_train"}} {"text": "News reported that the U.S. Cyber Command launched cyberattacks on an Iranian spy group .", "spans": {"Organization: U.S. 
Cyber": [[23, 33]], "Organization: group": [[82, 87]]}, "info": {"id": "dnrti_train_003357", "source": "dnrti_train"}} {"text": "Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since at least 2013 , predominantly targeting nations in the Middle East , but also notably targeting U.S. , South Korean , and European commercial entities across a wide variety of sectors .", "spans": {"Organization: APT33": [[37, 42]]}, "info": {"id": "dnrti_train_003358", "source": "dnrti_train"}} {"text": "Our research found that APT33 , or a closely aligned threat actor , continues to conduct and prepare for widespread cyberespionage activity , with over 1 , 200 domains used since March 28 , 2019 and with a strong emphasis on using commodity malware .", "spans": {"Organization: APT33": [[24, 29]]}, "info": {"id": "dnrti_train_003359", "source": "dnrti_train"}} {"text": "The targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group , which appear undeterred following previous exposés of their activity .", "spans": {"Organization: group": [[138, 143]]}, "info": {"id": "dnrti_train_003360", "source": "dnrti_train"}} {"text": "Towards the end of April 2019 , we tracked down what we believe to be new activity by APT10 , a Chinese cyber espionage group .", "spans": {"Organization: APT10": [[86, 91]], "Organization: group": [[120, 125]]}, "info": {"id": "dnrti_train_003361", "source": "dnrti_train"}} {"text": "Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections , a RAT not previously associated with APT33 activity .", "spans": {"Organization: APT33": [[28, 33], [150, 155]], "Malware: njRAT": [[94, 99]]}, "info": {"id": "dnrti_train_003362", "source": "dnrti_train"}} {"text": "Other commodity RAT malware families , such as AdwindRAT and RevengeRAT , were also linked to suspected APT33 domain activity .", "spans": 
{"Malware: AdwindRAT": [[47, 56]], "Malware: RevengeRAT": [[61, 71]], "Organization: APT33": [[104, 109]]}, "info": {"id": "dnrti_train_003363", "source": "dnrti_train"}} {"text": "APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013 .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_003364", "source": "dnrti_train"}} {"text": "Western and Saudi organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access , specifically from phishing campaigns , webshells .", "spans": {"Organization: APT33": [[86, 91]]}, "info": {"id": "dnrti_train_003365", "source": "dnrti_train"}} {"text": "Symantec’s Elfin report denoted additional targeting of the engineering , chemical , research , finance , IT , and healthcare sectors .", "spans": {"Organization: Symantec’s": [[0, 10]], "Organization: Elfin": [[11, 16]]}, "info": {"id": "dnrti_train_003366", "source": "dnrti_train"}} {"text": "We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group , as well as technical and persona analysis , overlaps among APT33 , APT35 , and MUDDYWATER , and is probably a result of the tiered structure that Iran utilizes to manage cyber operations .", "spans": {"Organization: Nasr Institute": [[57, 71]], "Organization: Group": [[92, 97]], "Organization: APT33": [[159, 164]], "Organization: APT35": [[167, 172]], "Organization: MUDDYWATER": [[179, 189]]}, "info": {"id": "dnrti_train_003367", "source": "dnrti_train"}} {"text": "Recorded Future has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) .", "spans": {"Organization: Recorded Future": [[0, 15]], "Organization: 
APT33": [[36, 41]]}, "info": {"id": "dnrti_train_003368", "source": "dnrti_train"}} {"text": "FireEye also noted in their 2017 report that the online handle xman_1365_x , ” found within the PDB path in an APT33 TURNEDUP backdoor sample , belonged to an individual at the Nasr Institute .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT33": [[111, 116]]}, "info": {"id": "dnrti_train_003369", "source": "dnrti_train"}} {"text": "Recorded Future’s Insikt Group has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) .", "spans": {"Organization: Recorded Future’s": [[0, 17]], "Organization: Insikt": [[18, 24]], "Organization: Group": [[25, 30]], "Organization: APT33": [[51, 56]]}, "info": {"id": "dnrti_train_003370", "source": "dnrti_train"}} {"text": "Based on this information , it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity , employees transitioned over to other entities , such as Kavosh , to protect their identities and minimize further exposure .", "spans": {"Organization: Nasr": [[73, 77]]}, "info": {"id": "dnrti_train_003371", "source": "dnrti_train"}} {"text": "Insikt Group researchers used proprietary methods , including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis , along with other common analytical approaches , to profile recently reported Iranian threat actor APT33’s domain and hosting infrastructure in an effort to identify recent activity .", "spans": {"Organization: Insikt": [[0, 6]], "Organization: Recorded Future": [[98, 113]], "Organization: APT33’s": [[239, 246]]}, "info": {"id": "dnrti_train_003372", "source": "dnrti_train"}} {"text": "Insikt Group enumerated all domains reported as being used by APT33 since January 2019 .", "spans": {"Organization: Insikt": [[0, 6]], "Organization: APT33": [[62, 67]]}, 
"info": {"id": "dnrti_train_003373", "source": "dnrti_train"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more .", "spans": {"Malware: PlugX": [[0, 5]]}, "info": {"id": "dnrti_train_003374", "source": "dnrti_train"}} {"text": "Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis , Insikt Group researchers were able to identify a small selection of likely targeted organizations impacted by suspected APT33 activity .", "spans": {"Organization: Recorded Future": [[16, 31]], "Organization: Insikt Group": [[131, 143]], "Organization: APT33": [[251, 256]]}, "info": {"id": "dnrti_train_003375", "source": "dnrti_train"}} {"text": "Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year , we discovered that APT33 , or closely aligned actors , reacted by either parking or reassigning some of their domain infrastructure .", "spans": {"Organization: Symantec": [[81, 89]], "Organization: APT33": [[129, 134]]}, "info": {"id": "dnrti_train_003376", "source": "dnrti_train"}} {"text": "Since late March , suspected APT33 threat actors have continued to use a large swath of operational infrastructure , well in excess of 1 , 200 domains , with many observed communicating with 19 different commodity RAT implants .", "spans": {"Organization: APT33": [[29, 34]], "Malware: RAT": [[214, 217]]}, "info": {"id": "dnrti_train_003377", "source": "dnrti_train"}} {"text": "While we haven’t observed a widespread targeting of commercial entities or regional adversaries like in previously documented APT33 operations , the handful of targeted organizations that we did observe were mainly located in Saudi Arabia across a range of industries , indicating ongoing targeting aligned with geopolitical aims .", 
"spans": {"Organization: we": [[6, 8]], "Organization: APT33": [[126, 131]]}, "info": {"id": "dnrti_train_003378", "source": "dnrti_train"}} {"text": "The zip contained a sample of the Poison Ivy malware which is also known to be used by APT10 .", "spans": {"Malware: Poison Ivy": [[34, 44]], "Organization: APT10": [[87, 92]]}, "info": {"id": "dnrti_train_003379", "source": "dnrti_train"}} {"text": "The new malware families , which we will examine later in this post , show APT34 relying on their PowerShell development capabilities , as well as trying their hand at Golang .", "spans": {"Organization: APT34": [[75, 80]], "Malware: PowerShell": [[98, 108]]}, "info": {"id": "dnrti_train_003380", "source": "dnrti_train"}} {"text": "Additionally , with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE) , Intelligence , and Advanced Practices teams , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 .", "spans": {"Organization: FireEye": [[42, 49]], "Organization: Advanced Practices": [[113, 131]], "Malware: APT34": [[255, 260]]}, "info": {"id": "dnrti_train_003381", "source": "dnrti_train"}} {"text": "This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however , we believe APT34's strongest interest is gaining access to financial , energy , and government entities .", "spans": {"Organization: group": [[12, 17]]}, "info": {"id": "dnrti_train_003382", "source": "dnrti_train"}} {"text": "Additionally , with the assistance of FireEye Labs , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 .", "spans": {"Organization: FireEye Labs": [[38, 50]], "Malware: PICKPOCKET": [[116, 126]], "Organization: APT34": [[168, 173]]}, "info": {"id": "dnrti_train_003383", "source": "dnrti_train"}} {"text": "APT34 is an Iran-nexus cluster of cyber espionage activity that has 
been active since at least 2014 .", "spans": {"Organization: APT34": [[0, 5]]}, "info": {"id": "dnrti_train_003384", "source": "dnrti_train"}} {"text": "This CPE was created to ensure our customers are updated with new discoveries , activity and detection efforts related to this campaign , along with other recent activity from Iranian-nexus threat actors to include APT33 , which is mentioned in this updated FireEye blog post .", "spans": {"Organization: APT33": [[215, 220]], "Organization: FireEye": [[258, 265]]}, "info": {"id": "dnrti_train_003385", "source": "dnrti_train"}} {"text": "On June 19 , 2019 , FireEye’s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances .", "spans": {"Organization: FireEye’s": [[20, 29]], "Organization: FireEye": [[123, 130]]}, "info": {"id": "dnrti_train_003386", "source": "dnrti_train"}} {"text": "A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution .", "spans": {"Malware: TONEDEAF": [[110, 118]]}, "info": {"id": "dnrti_train_003387", "source": "dnrti_train"}} {"text": "FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations .", "spans": {"Organization: FireEye’s": [[0, 9]], "Organization: APT34": [[117, 122]], "Organization: victim organizations": [[139, 159]]}, "info": {"id": "dnrti_train_003388", "source": "dnrti_train"}} {"text": "Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH .", "spans": {"Organization: FireEye": [[10, 17]], "Malware: VALUEVAULT": [[89, 99]], "Malware: LONGWATCH": [[104, 113]]}, "info": {"id": "dnrti_train_003389", "source": "dnrti_train"}} {"text": "This tool was previously observed 
during a Mandiant incident response in 2018 and , to date , solely utilized by APT34 .", "spans": {"Malware: tool": [[5, 9]], "Organization: APT34": [[113, 118]]}, "info": {"id": "dnrti_train_003390", "source": "dnrti_train"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file .", "spans": {"Malware: PICKPOCKET": [[0, 10]]}, "info": {"id": "dnrti_train_003391", "source": "dnrti_train"}} {"text": "FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: TONEDEAF": [[83, 91]], "Malware: VALUEVAULT": [[94, 104]], "Malware: LONGWATCH": [[111, 120]]}, "info": {"id": "dnrti_train_003392", "source": "dnrti_train"}} {"text": "Several spear-phishing campaigns attributed to Carbanak , all occurring between March and May 2018 , were analyzed by security researchers in 2018 .", "spans": {"System: spear-phishing": [[8, 22]], "Organization: Carbanak": [[47, 55]]}, "info": {"id": "dnrti_train_003393", "source": "dnrti_train"}} {"text": "One of the most prolific APT-style cyberattacks , specifically targeting the financial sector , is known as Carbanak .", "spans": {"Organization: Carbanak": [[108, 116]]}, "info": {"id": "dnrti_train_003394", "source": "dnrti_train"}} {"text": "Discovered in 2014 , the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process .", "spans": {}, "info": {"id": "dnrti_train_003395", "source": "dnrti_train"}} {"text": "The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns , plotting and performing financial heists of financial institutions .", "spans": {"Organization: group": [[9, 14]], "Malware: framework": [[69, 78]]}, "info": {"id": "dnrti_train_003396", "source": "dnrti_train"}} 
{"text": "Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents .", "spans": {"Malware: spearphishing emails": [[230, 250]]}, "info": {"id": "dnrti_train_003397", "source": "dnrti_train"}} {"text": "A Carbanak trademark in cyberattacks remains the use of Cobalt Strike – a powerful pentesting tool designed for exploiting and executing malicious code , simulating post-exploitation actions of advanced threat actors – which allows them to infiltrate the organization , move laterally , exfiltrate data , and deploy anti-forensic and evasion tools .", "spans": {"Organization: Carbanak": [[2, 10]], "Malware: Cobalt Strike": [[56, 69]], "System: exfiltrate data": [[287, 302]], "System: deploy": [[309, 315]]}, "info": {"id": "dnrti_train_003398", "source": "dnrti_train"}} {"text": "However , this action doesn’t appear to have made a dent in the cybercriminal organization , as subsequent spear-phishing campaigns seem to have been reported from March until May 2018 .", "spans": {}, "info": {"id": "dnrti_train_003399", "source": "dnrti_train"}} {"text": "Bitdefender’s forensics and investigation team was contacted to look into a security incident that started in May 2018 with an email received by two of the bank’s employees .", "spans": {"Organization: Bitdefender’s": [[0, 13]]}, "info": {"id": "dnrti_train_003400", "source": "dnrti_train"}} {"text": "The Carbanak group , which has a long track record of compromising infrastructure belonging to financial institutions , is still active .", "spans": {"Organization: Carbanak": [[4, 12]]}, "info": {"id": "dnrti_train_003401", "source": "dnrti_train"}} {"text": "Its purpose remains to manipulate financial assets , such as transferring funds from bank 
accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals .", "spans": {"Organization: Its": [[0, 3]], "System: financial": [[34, 43]]}, "info": {"id": "dnrti_train_003402", "source": "dnrti_train"}} {"text": "If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out .", "spans": {"Organization: hackers": [[50, 57]]}, "info": {"id": "dnrti_train_003403", "source": "dnrti_train"}} {"text": "The actors uploaded a variety of tools that they used to perform additional activities on the compromised network , such as dumping credentials , as well as locating and pivoting to additional systems on the network .", "spans": {"Organization: actors": [[4, 10]], "Malware: dumping credentials": [[124, 143]], "System: locating": [[157, 165]], "System: pivoting": [[170, 178]]}, "info": {"id": "dnrti_train_003404", "source": "dnrti_train"}} {"text": "We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell .", "spans": {"Organization: Emissary Panda": [[11, 25]], "Vulnerability: vulnerability": [[55, 68]], "Vulnerability: CVE-2019-0604": [[104, 117]]}, "info": {"id": "dnrti_train_003405", "source": "dnrti_train"}} {"text": "Bitdefender’s investigation shows the attackers’ main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee’s system , then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks .", "spans": {"Organization: Bitdefender’s": [[0, 13]], "System: establishing": [[113, 125]]}, "info": {"id": "dnrti_train_003406", "source": "dnrti_train"}} {"text": "We also found the China Chopper 
webshell on the SharePoint servers , which has also been used by the Emissary Panda threat group .", "spans": {"Malware: China Chopper webshell": [[18, 40]], "Organization: Emissary Panda": [[101, 115]]}, "info": {"id": "dnrti_train_003407", "source": "dnrti_train"}} {"text": "Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 .", "spans": {"Vulnerability: CVE-2017-0144": [[75, 88]]}, "info": {"id": "dnrti_train_003408", "source": "dnrti_train"}} {"text": "In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks .", "spans": {"System: run a malicious DLL": [[164, 183]], "Organization: Emissary Panda": [[218, 232]]}, "info": {"id": "dnrti_train_003409", "source": "dnrti_train"}} {"text": "This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1 , 2019 and April 16 , 2019 , where actors uploaded a total of 24 unique executables across the three SharePoint servers .", "spans": {}, "info": {"id": "dnrti_train_003410", "source": "dnrti_train"}} {"text": "The timeline shows three main clusters of activity across the three webshells , with activity occurring on two separate webshells (green and orange) within a very small window of time on April 2 , 2019 and the activity involving the third webshell two weeks later on April 16 , 2019 .", "spans": {}, "info": {"id": "dnrti_train_003411", "source": "dnrti_train"}} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security .", "spans": {"Vulnerability: 
CVE-2019-0604": [[75, 88]], "Organization: Cyber Security Center": [[141, 162]], "Organization: Canadian Center": [[171, 186]]}, "info": {"id": "dnrti_train_003412", "source": "dnrti_train"}} {"text": "Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities .", "spans": {"Organization: threat actors": [[91, 104]]}, "info": {"id": "dnrti_train_003413", "source": "dnrti_train"}} {"text": "We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda .", "spans": {"Organization: actors": [[21, 27]], "Malware: HyperBro": [[63, 71]], "Organization: Emissary Panda": [[106, 120]]}, "info": {"id": "dnrti_train_003414", "source": "dnrti_train"}} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell .", "spans": {"Organization: actors": [[50, 56]], "Vulnerability: CVE-2019-0604": [[66, 79]], "Malware: China Chopper webshell": [[125, 147]]}, "info": {"id": "dnrti_train_003415", "source": "dnrti_train"}} {"text": "During our research into this attack campaign , Unit 42 gathered several tools that the Emissary Panda uploaded to the three webshells at the two government organizations .", "spans": {"Organization: Unit 42": [[48, 55]], "Organization: Emissary Panda": [[88, 102]], "Organization: government organizations": [[146, 170]]}, "info": {"id": "dnrti_train_003416", "source": "dnrti_train"}} {"text": "We also observed the actors uploading the HyperBro backdoor to one of the webshells , as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity .", "spans": {"Organization: actors": [[21, 27]], "Malware: HyperBro backdoor": [[42, 
59]], "System: sideload malicious": [[131, 149]], "System: DLLs": [[150, 154]], "Organization: Emissary Panda": [[204, 218]]}, "info": {"id": "dnrti_train_003417", "source": "dnrti_train"}} {"text": "Lastly , we saw the actor uploading a custom backdoor called HyperBro , which has been associated with Emissary Panda operations in the past .", "spans": {"Organization: actor": [[20, 25]], "Malware: HyperBro": [[61, 69]], "Organization: Emissary Panda": [[103, 117]]}, "info": {"id": "dnrti_train_003418", "source": "dnrti_train"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_train_003419", "source": "dnrti_train"}} {"text": "Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper .", "spans": {"Malware: stylecss.aspx": [[68, 81]], "Malware: China Chopper": [[153, 166]]}, "info": {"id": "dnrti_train_003420", "source": "dnrti_train"}} {"text": "We will provide an analysis of the HyperBro tool in an upcoming section .", "spans": {"Organization: We": [[0, 2]], "Malware: HyperBro": [[35, 43]]}, "info": {"id": "dnrti_train_003421", "source": "dnrti_train"}} {"text": "However , using NCC Group’s research published in May 2018 , we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has associated with an Emissary Panda campaign .", "spans": {"Organization: NCC": [[16, 19], [177, 180]], "Organization: Emissary Panda": [[210, 224]]}, "info": {"id": 
"dnrti_train_003422", "source": "dnrti_train"}} {"text": "The list also includes several hack tools , such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network .", "spans": {"Malware: hack tools": [[31, 41]], "Malware: Mimikatz": [[52, 60]], "Malware: python scripts": [[105, 119]]}, "info": {"id": "dnrti_train_003423", "source": "dnrti_train"}} {"text": "Unfortunately , we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files , so we do not know the final payload loaded by either of these DLLs .", "spans": {}, "info": {"id": "dnrti_train_003424", "source": "dnrti_train"}} {"text": "Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign .", "spans": {"Malware: PYTHON33.dll": [[45, 57]], "Malware: inicore_v2.3.30.dll": [[70, 89]], "Malware: SysUpdate": [[206, 215]], "Organization: Emissary Panda": [[235, 249]]}, "info": {"id": "dnrti_train_003425", "source": "dnrti_train"}} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 .", "spans": {"Organization: Emissary Panda": [[4, 18]], "Malware: China Chopper": [[43, 56]], "Vulnerability: CVE-2019-0604": [[264, 277]]}, "info": {"id": "dnrti_train_003426", "source": "dnrti_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Malware: python script": [[63, 76]], "Vulnerability: CVE-2017-0144": [[132, 
145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_train_003427", "source": "dnrti_train"}} {"text": "According to Microsoft’s advisory , this vulnerability was patched on March 12 , 2019 and we first saw the webshell activity on April 1 , 2019 .", "spans": {"Organization: Microsoft’s": [[13, 24]]}, "info": {"id": "dnrti_train_003428", "source": "dnrti_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 .", "spans": {"Organization: actors": [[15, 21]], "Vulnerability: CVE-2017-0144": [[109, 122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_train_003429", "source": "dnrti_train"}} {"text": "Once the adversary established a foothold on the targeted network , they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials , perform network reconnaissance and pivot to other systems .", "spans": {"Organization: they": [[68, 72]], "Malware: China Chopper": [[78, 91]], "System: dump credentials": [[167, 183]]}, "info": {"id": "dnrti_train_003430", "source": "dnrti_train"}} {"text": "We also observed Emissary Panda uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before .", "spans": {"Organization: Emissary Panda": [[17, 31]], "System: sideload DLLs": [[70, 83]], "System: DLL sideloading": [[216, 231]]}, "info": {"id": "dnrti_train_003431", "source": "dnrti_train"}} {"text": "Consequently , the Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers .", "spans": {"Organization: vulnerable servers": [[130, 148]]}, "info": {"id": "dnrti_train_003432", "source": "dnrti_train"}} {"text": "We also observed the actors uploading legitimate 
tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before .", "spans": {"Organization: actors": [[21, 27]], "System: sideload DLLs": [[66, 79]], "Malware: Sublime Text": [[99, 111]], "Malware: Media application": [[151, 168]]}, "info": {"id": "dnrti_train_003433", "source": "dnrti_train"}} {"text": "It has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government .", "spans": {"Organization: It": [[0, 2]]}, "info": {"id": "dnrti_train_003434", "source": "dnrti_train"}} {"text": "The group’s implants are characterized by the employment of information stealing tools among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task .", "spans": {"Organization: group’s": [[4, 11]], "Malware: stealing tools": [[72, 86]], "Malware: document stealers": [[119, 136]]}, "info": {"id": "dnrti_train_003435", "source": "dnrti_train"}} {"text": "The finding shows that EvilGnome operates on an IP address that was controlled by the Gamaredon group two months ago .", "spans": {"Malware: EvilGnome": [[23, 32]], "Organization: Gamaredon group": [[86, 101]]}, "info": {"id": "dnrti_train_003436", "source": "dnrti_train"}} {"text": "FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 .", "spans": {"Organization: FIN7": [[0, 4]]}, "info": {"id": "dnrti_train_003437", "source": "dnrti_train"}} {"text": "The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year .", "spans": {"Organization: FIN7": [[4, 8]], "System: spear phishing": [[46, 60]]}, "info": {"id": "dnrti_train_003438", "source": "dnrti_train"}} {"text": "In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy 
the FIN7 TTPs in their own operations .", "spans": {"Organization: we": [[41, 43]], "Organization: attacker groups": [[85, 100]], "Organization: FIN7": [[134, 138]]}, "info": {"id": "dnrti_train_003439", "source": "dnrti_train"}} {"text": "In 2018-2019 , researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures (TTPs) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests .", "spans": {"Organization: Kaspersky": [[30, 39]], "Organization: FIN7": [[178, 182]], "Organization: threat actor": [[230, 242]]}, "info": {"id": "dnrti_train_003440", "source": "dnrti_train"}} {"text": "One of the domains used by FIN7 in their 2018 campaign of spear phishing contained more than 130 email HackOrges , leading us to think that more than 130 companies had been targeted by the end of 2018 .", "spans": {"Organization: FIN7": [[27, 31]], "System: spear phishing": [[58, 72]]}, "info": {"id": "dnrti_train_003441", "source": "dnrti_train"}} {"text": "Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 .", "spans": {"Organization: FIN7": [[73, 77]], "Malware: malicious Office document": [[134, 159]]}, "info": {"id": "dnrti_train_003442", "source": "dnrti_train"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation .", "spans": {"Malware: GRIFFON": [[35, 42]]}, "info": {"id": "dnrti_train_003443", "source": "dnrti_train"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method .", "spans": {"Malware: GRIFFON": [[8, 15]]}, 
"info": {"id": "dnrti_train_003444", "source": "dnrti_train"}} {"text": "Given FIN7’s previous use of false security companies , we decided to look deeper into this one .", "spans": {"Organization: FIN7’s": [[6, 12]], "Organization: security companies": [[35, 53]]}, "info": {"id": "dnrti_train_003445", "source": "dnrti_train"}} {"text": "This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions .", "spans": {"Organization: activity cluster": [[5, 21]], "Organization: Kaspersky": [[30, 39]]}, "info": {"id": "dnrti_train_003446", "source": "dnrti_train"}} {"text": "FIN7’s last campaigns were targeting banks in Europe and Central America .", "spans": {"Organization: FIN7’s": [[0, 6]]}, "info": {"id": "dnrti_train_003447", "source": "dnrti_train"}} {"text": "After a successful penetration , FIN7 uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access .", "spans": {"Organization: FIN7": [[33, 37]], "Malware: backdoors": [[51, 60]], "Malware: CobaltStrike framework": [[69, 91]], "Malware: Powershell": [[95, 105]]}, "info": {"id": "dnrti_train_003448", "source": "dnrti_train"}} {"text": "AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members .", "spans": {"Organization: AveMaria": [[0, 8]], "Organization: FIN7": [[107, 111]]}, "info": {"id": "dnrti_train_003449", "source": "dnrti_train"}} {"text": "This threat actor stole suspected of stealing €13 million from Bank of Valetta , Malta earlier this year .", "spans": {"Organization: threat actor": [[5, 17]], "Organization: Bank": [[63, 67]]}, "info": {"id": "dnrti_train_003450", "source": "dnrti_train"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of 
software: browsers , email clients , messengers , etc , and can act as a keylogger .", "spans": {"Malware: AveMaria": [[10, 18]]}, "info": {"id": "dnrti_train_003451", "source": "dnrti_train"}} {"text": "They also use AutoIT droppers , password-protected EXE files and even ISO images .", "spans": {"Organization: They": [[0, 4]], "Malware: AutoIT droppers": [[14, 29]]}, "info": {"id": "dnrti_train_003452", "source": "dnrti_train"}} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT .", "spans": {"Organization: cyber criminals": [[31, 46]], "Malware: spearphishing emails": [[51, 71]], "Malware: attachments:": [[94, 106]], "Malware: documents": [[117, 126], [209, 218]], "Vulnerability: CVE-2017-11882": [[189, 203]]}, "info": {"id": "dnrti_train_003453", "source": "dnrti_train"}} {"text": "Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center .", "spans": {"Organization: actor": [[21, 26]]}, "info": {"id": "dnrti_train_003454", "source": "dnrti_train"}} {"text": "At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called CopyPaste” from a previously unknown APT .", "spans": {"Organization: FIN7": [[45, 49]]}, "info": {"id": "dnrti_train_003455", "source": "dnrti_train"}} {"text": "FIN7 and Cobalt used decoy 302 HTTP redirections too , FIN7 on its GRIFFON C2s before January 2018 , and Cobalt , on its staging servers , similar to CopyPaste .", "spans": {"Organization: FIN7": [[0, 4], [55, 59]], "Organization: Cobalt": [[9, 15]], "System: decoy": [[21, 26]]}, "info": {"id": "dnrti_train_003456", "source": "dnrti_train"}} {"text": "Quite recently , FIN7 threat actors 
typosquatted the brand Digicert” using the domain name digicert-cdn[.]com , which is used as a command and control server for their GRIFFON implants .", "spans": {"Organization: FIN7": [[17, 21]], "Organization: Digicert”": [[59, 68]], "Malware: command": [[131, 138]], "Malware: control server": [[143, 157]]}, "info": {"id": "dnrti_train_003457", "source": "dnrti_train"}} {"text": "The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure .", "spans": {"Organization: FIN7": [[36, 40]], "Organization: various companies": [[74, 91]]}, "info": {"id": "dnrti_train_003458", "source": "dnrti_train"}} {"text": "The second one is CobaltGoblin Carbanak EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers .", "spans": {"Organization: CobaltGoblin": [[18, 30]], "Organization: Carbanak": [[31, 39]], "Organization: EmpireMonkey": [[40, 52]]}, "info": {"id": "dnrti_train_003459", "source": "dnrti_train"}} {"text": "We observe , with various level of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks .", "spans": {"Organization: We": [[0, 2]], "Organization: groups": [[86, 92]], "Malware: similar toolkits": [[104, 120]], "Malware: infrastructure": [[134, 148]]}, "info": {"id": "dnrti_train_003460", "source": "dnrti_train"}} {"text": "The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center .", "spans": {"Organization: CopyPaste": [[39, 48]], "Organization: companies": [[93, 102]], "Organization: training center": [[208, 223]]}, "info": {"id": "dnrti_train_003461", "source": "dnrti_train"}} {"text": "At the end of 2018 , the 
cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks .", "spans": {"Organization: cluster": [[25, 32]], "Malware: CobaltStrike": [[57, 69]], "Malware: Powershell": [[79, 89]]}, "info": {"id": "dnrti_train_003462", "source": "dnrti_train"}} {"text": "FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework .", "spans": {"Organization: FIN7": [[0, 4]], "System: spearphishing": [[37, 50]]}, "info": {"id": "dnrti_train_003463", "source": "dnrti_train"}} {"text": "MuddyWater is widely regarded as a long-lived APT group in the Middle East .", "spans": {"Organization: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_003464", "source": "dnrti_train"}} {"text": "From February to April 2019 , MuddyWater launched a series of spear-phishing attacks against governments , educational institutions , financial , telecommunications and defense companies in Turkey , Iran , Afghanistan , Iraq , Tajikistan and Azerbaijan .", "spans": {"Organization: MuddyWater": [[30, 40]], "System: spear-phishing": [[62, 76]], "Organization: governments": [[93, 104]]}, "info": {"id": "dnrti_train_003465", "source": "dnrti_train"}} {"text": "FIN7 thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework .", "spans": {"Organization: FIN7": [[0, 4]], "System: spearphishing": [[36, 49]]}, "info": {"id": "dnrti_train_003466", "source": "dnrti_train"}} {"text": "We also unearthed and detailed our other findings on MuddyWater , such as its connection to four Android malware variants and its use of false flag techniques , among others , in our report New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors , False Flags , Android Malware , and More .", "spans": {"Organization: MuddyWater": [[53, 63]], "Malware: Android malware": [[97, 112]], "Malware: 
Multi-Stage Backdoors": [[246, 267]], "Malware: False Flags": [[270, 281]], "Malware: Android Malware": [[284, 299]]}, "info": {"id": "dnrti_train_003467", "source": "dnrti_train"}} {"text": "Instead , the campaign used compromised legitimate accounts to trick victims into installing malware .", "spans": {"Malware: compromised legitimate accounts": [[28, 59]], "System: installing malware": [[82, 100]]}, "info": {"id": "dnrti_train_003468", "source": "dnrti_train"}} {"text": "Notably , the group’s use of email as infection vector seems to yield success for their campaigns .", "spans": {"Organization: group’s": [[14, 21]], "Malware: email": [[29, 34]]}, "info": {"id": "dnrti_train_003469", "source": "dnrti_train"}} {"text": "We also observed MuddyWater’s use of multiple open source post-exploitation tools , which they deployed after successfully compromising a target .", "spans": {"Organization: MuddyWater’s": [[17, 29]], "Malware: post-exploitation tools": [[58, 81]]}, "info": {"id": "dnrti_train_003470", "source": "dnrti_train"}} {"text": "The attacker also connected to the compromised servers from IP addresses that were linked to dynamic domain names used as C&Cs by the delivered payloads .", "spans": {"Organization: attacker": [[4, 12]], "System: connected": [[18, 27]], "Malware: delivered payloads": [[134, 152]]}, "info": {"id": "dnrti_train_003471", "source": "dnrti_train"}} {"text": "The main payload is usually Imminent Monitor RAT; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT .", "spans": {"Malware: Monitor RAT;": [[37, 49]], "Malware: LuminosityLink RAT": [[115, 133]], "Malware: NetWire RAT": [[136, 147]], "Malware: NjRAT": [[154, 159]]}, "info": {"id": "dnrti_train_003472", "source": "dnrti_train"}} {"text": "In a case in June 2019 , we also noticed Warzone RAT being used .", "spans": {"Malware: Warzone RAT": [[41, 52]]}, "info": {"id": "dnrti_train_003473", "source": "dnrti_train"}} {"text": 
"Xpert RAT reportedly first appeared in 2011 .", "spans": {"Malware: Xpert RAT": [[0, 9]]}, "info": {"id": "dnrti_train_003474", "source": "dnrti_train"}} {"text": "The first version of Proyecto RAT” was published at the end of 2010 .", "spans": {"Malware: Proyecto RAT”": [[21, 34]]}, "info": {"id": "dnrti_train_003475", "source": "dnrti_train"}} {"text": "But with the West African gang we’ve named Scattered Canary , we have a deeper look at how business email compromise is connected to the rest of the cybercrime .", "spans": {"Organization: Scattered Canary": [[43, 59]], "System: connected": [[120, 129]]}, "info": {"id": "dnrti_train_003476", "source": "dnrti_train"}} {"text": "In a recent report , the FBI’s Internet Crime Complaint Center (IC3) reported that more than 20 , 000 businesses lost nearly $1.3 billion to BEC attacks in 2018 .", "spans": {"Organization: FBI’s": [[25, 30]]}, "info": {"id": "dnrti_train_003477", "source": "dnrti_train"}} {"text": "This investigation by the Agari Cyber Intelligence Division into the cybercriminal group we’ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities , and the growth of a 419 startup into a fully operational BEC business .", "spans": {"Organization: Agari Cyber Intelligence": [[26, 50]], "Organization: group": [[83, 88]], "Organization: Scattered Canary": [[101, 117]]}, "info": {"id": "dnrti_train_003478", "source": "dnrti_train"}} {"text": "While this criminal organization’s activities now center around BEC , and extend to romance scams , credit card fraud , check fraud , fake job listings , credential harvesting , tax schemes , and more , these actors came from much humbler beginnings , starting with basic Craigslist scams in 2008 .", "spans": {"Organization: organization’s": [[20, 34]]}, "info": {"id": "dnrti_train_003479", "source": "dnrti_train"}} {"text": "On November 29 , 2018 , Scattered Canary sent an attack email to Agari CFO Raymond Lim , enquiring 
as to his availability to send out a domestic wire transfer .", "spans": {"Organization: Scattered Canary": [[24, 40]]}, "info": {"id": "dnrti_train_003480", "source": "dnrti_train"}} {"text": "Many feel that they have a home team advantage living in Nigeria , where they are free to pay off law enforcement to look the other way .", "spans": {"Organization: they": [[73, 77]]}, "info": {"id": "dnrti_train_003481", "source": "dnrti_train"}} {"text": "Scattered Canary’s fraudulent history can be traced as far back as October 2008 , when the group first arrived on the cybercriminal circuit .", "spans": {"Organization: Scattered Canary’s": [[0, 18]], "Organization: group": [[91, 96]]}, "info": {"id": "dnrti_train_003482", "source": "dnrti_train"}} {"text": "By March 2016 , one of Scattered Canary’s members had built enough trust with a romance victim—who we’ll call Jane—that she became a frequent source of new mule accounts for the group .", "spans": {"Organization: Scattered Canary’s": [[23, 41]], "Organization: group": [[178, 183]]}, "info": {"id": "dnrti_train_003483", "source": "dnrti_train"}} {"text": "Alpha’s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega .", "spans": {"Organization: Alpha’s": [[0, 7]]}, "info": {"id": "dnrti_train_003484", "source": "dnrti_train"}} {"text": "By all accounts , late 2015 was the beginning of BEC for Scattered Canary .", "spans": {"Organization: Scattered Canary": [[57, 73]]}, "info": {"id": "dnrti_train_003485", "source": "dnrti_train"}} {"text": "The first type of attack Scattered Canary pivoted to was credential phishing .", "spans": {"Organization: Scattered Canary": [[25, 41]], "System: credential phishing": [[57, 76]]}, "info": {"id": "dnrti_train_003486", "source": "dnrti_train"}} {"text": "Between July 2015 and February 2016 , Scattered Canary’s primary focus seemed to be mass harvesting general credentials 
using a Google Docs phishing page .", "spans": {"Organization: Scattered Canary’s": [[38, 56]], "System: phishing": [[140, 148]]}, "info": {"id": "dnrti_train_003487", "source": "dnrti_train"}} {"text": "In the first few months of their credential phishing ventures , Scattered Canary’s sights were mostly set on Asian targets—Malaysia and Japan , in particular .", "spans": {"System: phishing": [[44, 52]], "Organization: Scattered Canary’s": [[64, 82]]}, "info": {"id": "dnrti_train_003488", "source": "dnrti_train"}} {"text": "In November 2015 , the group started to focus on North American users , mostly in the United States .", "spans": {"Organization: group": [[23, 28]]}, "info": {"id": "dnrti_train_003489", "source": "dnrti_train"}} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills. In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks .", "spans": {"Organization: Scattered Canary": [[75, 91], [146, 162]], "Vulnerability: phishing": [[231, 239]]}, "info": {"id": "dnrti_train_003490", "source": "dnrti_train"}} {"text": "For over eighteen months from March 2017 until November 2018 , Scattered Canary’s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada .", "spans": {"Organization: Scattered Canary’s": [[63, 81]]}, "info": {"id": "dnrti_train_003491", "source": "dnrti_train"}} {"text": "In July 2018 , following a trend we have observed across the entire BEC threat landscape , Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards .", "spans": {"Organization: Scattered Canary": [[91, 107]]}, "info": {"id": "dnrti_train_003492", "source": "dnrti_train"}} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of 
commonly used business applications to compromise enterprise credentials .", "spans": {"System: phishing": [[34, 42], [124, 132]], "Organization: Scattered Canary": [[95, 111]]}, "info": {"id": "dnrti_train_003493", "source": "dnrti_train"}} {"text": "Using personal information obtained from various sources , Scattered Canary started perpetrating fraud against US federal and state government agencies .", "spans": {"Organization: Scattered Canary": [[59, 75]], "Organization: state government agencies": [[126, 151]]}, "info": {"id": "dnrti_train_003494", "source": "dnrti_train"}} {"text": "In total , 35 actors have been tied to Scattered Canary’s operations since the group emerged in 2008 .", "spans": {"Organization: Scattered Canary’s": [[39, 57]]}, "info": {"id": "dnrti_train_003495", "source": "dnrti_train"}} {"text": "Just as with romance scams , actors make use of scripts and templates they can copy-and-paste without having to create something on their own .", "spans": {"Organization: actors": [[29, 35]], "Malware: scripts": [[48, 55]], "Malware: templates": [[60, 69]]}, "info": {"id": "dnrti_train_003496", "source": "dnrti_train"}} {"text": "When it comes to engaging targets , Scattered Canary frequently maximized efficiencies through the use of scripts , or as some members of the group call them , formats.” These formats are templated text documents that can contain several layers of phishing messages to send to potential victims .", "spans": {"Organization: Scattered Canary": [[36, 52]], "System: phishing": [[248, 256]]}, "info": {"id": "dnrti_train_003497", "source": "dnrti_train"}} {"text": "Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group .", "spans": {"Malware: LoJax": [[64, 69]], "Organization: Sednit": [[98, 104]]}, "info": {"id": "dnrti_train_003498", "source": "dnrti_train"}} {"text": "If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most 
pernicious email scams , this report demonstrates that a much more holistic approach—one based on threat actor identity rather than type of fraudulent activity—is required to detect email fraud and protect organizations .", "spans": {"Organization: Scattered Canary": [[3, 19]], "System: email scams": [[117, 128]]}, "info": {"id": "dnrti_train_003499", "source": "dnrti_train"}} {"text": "This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations .", "spans": {"Organization: Sednit": [[45, 51]], "Malware: sophisticated tools": [[71, 90]]}, "info": {"id": "dnrti_train_003500", "source": "dnrti_train"}} {"text": "Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia .", "spans": {"Organization: Sednit": [[22, 28]]}, "info": {"id": "dnrti_train_003501", "source": "dnrti_train"}} {"text": "In the past , Sednit used a similar technique for credential phishing .", "spans": {"Organization: Sednit": [[14, 20]], "System: credential phishing": [[50, 69]]}, "info": {"id": "dnrti_train_003502", "source": "dnrti_train"}} {"text": "At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components .", "spans": {}, "info": {"id": "dnrti_train_003503", "source": "dnrti_train"}} {"text": "As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in in the resource section and is split into four different hex-encoded , encrypted blobs .", "spans": {"Organization: we": [[3, 5]], "Organization: Zebrocy": [[50, 57]], "Malware: backdoor": [[85, 93]]}, "info": {"id": "dnrti_train_003504", "source": "dnrti_train"}} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability .", "spans": {"Organization: SLUB": [[22, 
26]], "System: watering hole": [[48, 61]], "Vulnerability: CVE-2018-8174": [[81, 94]]}, "info": {"id": "dnrti_train_003505", "source": "dnrti_train"}} {"text": "It used GitHub and Slack as tools for communication between the malware and its controller .", "spans": {"Organization: It": [[0, 2]], "Malware: GitHub": [[8, 14]], "Malware: Slack": [[19, 24]]}, "info": {"id": "dnrti_train_003506", "source": "dnrti_train"}} {"text": "On July 9 , we discovered a new version of SLUB delivered via another unique watering hole website .", "spans": {"Organization: we": [[12, 14]], "Organization: SLUB": [[43, 47]], "System: watering hole": [[77, 90]]}, "info": {"id": "dnrti_train_003507", "source": "dnrti_train"}} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April .", "spans": {"Vulnerability: CVE-2019-0752": [[25, 38]], "Organization: Trend Micro’s": [[90, 103]]}, "info": {"id": "dnrti_train_003508", "source": "dnrti_train"}} {"text": "Since we published out last report on SLUB , the backdoor has been updated and several improvements were implemented .", "spans": {"Organization: we": [[6, 8]], "Organization: SLUB": [[38, 42]], "Malware: backdoor": [[49, 57]]}, "info": {"id": "dnrti_train_003509", "source": "dnrti_train"}} {"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 .", "spans": {"Organization: SLUB": [[4, 8]], "Vulnerability: CVE-2018-8174": [[99, 112]], "Vulnerability: CVE-2019-0752": [[116, 129]]}, "info": {"id": "dnrti_train_003510", "source": "dnrti_train"}} {"text": "During this attack , we found that the SLUB malware used two Slack teams sales-yww9809” and marketing-pwx7789 .", "spans": {"Organization: SLUB": [[39, 43]], "System: used two Slack": [[52, 66]]}, "info": {"id": "dnrti_train_003511", "source": "dnrti_train"}} {"text": "SWEED remains consistent 
across most of their campaigns in their use of spear-phishing emails with malicious attachments .", "spans": {"Organization: SWEED": [[0, 5]], "System: spear-phishing": [[72, 86]]}, "info": {"id": "dnrti_train_003512", "source": "dnrti_train"}} {"text": "In April 2018 , SWEED began making use of a previously disclosed Office exploit .", "spans": {"Organization: SWEED": [[16, 21]]}, "info": {"id": "dnrti_train_003513", "source": "dnrti_train"}} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution .", "spans": {"Organization: SWEED": [[43, 48]], "Vulnerability: CVE-2017-11882": [[109, 123]]}, "info": {"id": "dnrti_train_003514", "source": "dnrti_train"}} {"text": "We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia , as well as other countries such as India , Japan , Argentina , the Philippines , and South Korea .", "spans": {"Organization: them": [[9, 13]]}, "info": {"id": "dnrti_train_003515", "source": "dnrti_train"}} {"text": "Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar .", "spans": {"Malware: JAR": [[36, 39]], "Malware: Order_2018.jar": [[100, 114]]}, "info": {"id": "dnrti_train_003516", "source": "dnrti_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Malware: Microsoft .NET framework": [[121, 145]]}, "info": {"id": "dnrti_train_003517", "source": "dnrti_train"}} {"text": "TA505 is also using FlowerPippi (Backdoor.Win32.FLOWERPIPPI.A) , a new backdoor that we found them using in their campaigns against targets in 
Japan , India , and Argentina .", "spans": {"Organization: TA505": [[0, 5]], "Malware: FlowerPippi": [[20, 31]], "Malware: backdoor": [[71, 79]]}, "info": {"id": "dnrti_train_003518", "source": "dnrti_train"}} {"text": "TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morroco .", "spans": {"Organization: TA505": [[0, 5]]}, "info": {"id": "dnrti_train_003519", "source": "dnrti_train"}} {"text": "It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload .", "spans": {"Organization: It": [[0, 2]], "System: FlawedAmmyy downloader": [[20, 42]], "Malware: FlawedAmmyy payload": [[74, 93]]}, "info": {"id": "dnrti_train_003520", "source": "dnrti_train"}} {"text": "TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload .", "spans": {"Organization: TA505": [[0, 5]], "Malware: Wizard (.wiz) files": [[11, 30]], "Malware: FlawedAmmyy RAT": [[55, 70]]}, "info": {"id": "dnrti_train_003521", "source": "dnrti_train"}} {"text": "On June 14 , we saw TA505’s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet .", "spans": {"Organization: TA505’s": [[20, 27]], "Malware: Amadey botnet": [[158, 171]]}, "info": {"id": "dnrti_train_003522", "source": "dnrti_train"}} {"text": "It later delivered an information stealer named EmailStealer , ” which stolesimple mail transfer protocol (SMTP) credentials and email addresses in the victim’s machine .", "spans": {"Organization: It": [[0, 2]], "Malware: EmailStealer": [[48, 60]]}, "info": {"id": "dnrti_train_003523", "source": "dnrti_train"}} {"text": "On June 18 , the majority of the campaign’s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note” or Confirmation .", "spans": {}, "info": {"id": "dnrti_train_003524", "source": "dnrti_train"}} {"text": "This 
campaign used the abovementioned .html file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey .", "spans": {"Malware: macro": [[85, 90]], "Malware: FlawedAmmyy payload": [[97, 116]], "Malware: Amadey": [[123, 129]]}, "info": {"id": "dnrti_train_003525", "source": "dnrti_train"}} {"text": "On June 24 , we found another campaign targeting Lebanon with the ServHelper malware .", "spans": {"Malware: ServHelper": [[66, 76]]}, "info": {"id": "dnrti_train_003526", "source": "dnrti_train"}} {"text": "On June 17 , we observed the campaign’s spam emails delivering malware-embedded Excel files directly as an attachment .", "spans": {}, "info": {"id": "dnrti_train_003527", "source": "dnrti_train"}} {"text": "On June 20 , we spotted the campaign’s spam emails delivering .doc and .xls files .", "spans": {"Organization: we": [[13, 15]]}, "info": {"id": "dnrti_train_003528", "source": "dnrti_train"}} {"text": "Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines .", "spans": {"Malware: spam emails": [[20, 31]]}, "info": {"id": "dnrti_train_003529", "source": "dnrti_train"}} {"text": "After our analysis , we found that Proofpoint reported this malware as AndroMut as well .", "spans": {"Organization: we": [[21, 23]], "Organization: Proofpoint": [[35, 45]], "Organization: AndroMut": [[71, 79]]}, "info": {"id": "dnrti_train_003530", "source": "dnrti_train"}} {"text": "In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup .", "spans": {"Malware: Gelup": [[150, 155]]}, "info": {"id": "dnrti_train_003531", "source": "dnrti_train"}} {"text": "Another new malware we found that TA505 is using in their campaigns last June 20 against targets in Japan , the Philippines , and Argentina is FlowerPippi .", "spans": {"Organization: TA505": [[34, 39]], 
"Malware: FlowerPippi": [[143, 154]]}, "info": {"id": "dnrti_train_003532", "source": "dnrti_train"}} {"text": "The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation .", "spans": {"Organization: ZLAB": [[76, 80]], "Organization: TA505": [[190, 195]]}, "info": {"id": "dnrti_train_003533", "source": "dnrti_train"}} {"text": "The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 .", "spans": {"Organization: TA505": [[110, 115]], "Organization: high profile companies": [[231, 253]]}, "info": {"id": "dnrti_train_003534", "source": "dnrti_train"}} {"text": "The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS” software: a legitimate remote administration tool produced by the Russian company TektonIT .", "spans": {"Organization: TA505": [[61, 66]], "System: deploy the RMS”": [[98, 113]]}, "info": {"id": "dnrti_train_003535", "source": "dnrti_train"}} {"text": "The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy Email Stealer” part of their arsenal .", "spans": {"Organization: TA505": [[4, 9]]}, "info": {"id": "dnrti_train_003536", "source": "dnrti_train"}} {"text": "Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd” and exit.exe” files , and , at the same time , some new components have been introduced , for instance the rtegre.exe” and the veter1605_MAPS_10cr0.exe” file .", "spans": {"Malware: i.cmd”": [[85, 91]], "Malware: exit.exe”": [[96, 105]], "Malware: 
rtegre.exe”": [[199, 210]], "Malware: veter1605_MAPS_10cr0.exe”": [[219, 244]]}, "info": {"id": "dnrti_train_003537", "source": "dnrti_train"}} {"text": "In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod .", "spans": {"Organization: Kaspersky": [[10, 19]], "Organization: Turla": [[60, 65]], "Malware: PowerShell loader": [[66, 83]]}, "info": {"id": "dnrti_train_003538", "source": "dnrti_train"}} {"text": "Turla is believed to have been operating since at least 2008 , when it successfully breached the US military .", "spans": {"Organization: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_003539", "source": "dnrti_train"}} {"text": "This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products .", "spans": {"Organization: Turla": [[27, 32]], "Malware: PowerShell": [[42, 52]]}, "info": {"id": "dnrti_train_003540", "source": "dnrti_train"}} {"text": "However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East .", "spans": {"Organization: Turla": [[88, 93]]}, "info": {"id": "dnrti_train_003541", "source": "dnrti_train"}} {"text": "In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) .", "spans": {"Organization: Turla": [[44, 49]]}, "info": {"id": "dnrti_train_003542", "source": "dnrti_train"}} {"text": "Based on our research , SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans .", "spans": {"Organization: SWEED": [[24, 29]]}, "info": {"id": "dnrti_train_003543", "source": "dnrti_train"}} {"text": "It is interesting to note that Turla operators used the free email provider GMX again , as in the Outlook Backdoor and in LightNeuron .", "spans": {"Organization: Turla": [[31, 
36]], "Malware: Outlook Backdoor": [[98, 114]], "Malware: LightNeuron": [[122, 133]]}, "info": {"id": "dnrti_train_003544", "source": "dnrti_train"}} {"text": "This new research confirms our forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to conduct intrusion .", "spans": {"Organization: Turla": [[59, 64]], "Malware: frameworks": [[120, 130]]}, "info": {"id": "dnrti_train_003545", "source": "dnrti_train"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers .", "spans": {"Malware: Neptun": [[0, 6]], "Organization: attackers": [[108, 117]]}, "info": {"id": "dnrti_train_003546", "source": "dnrti_train"}} {"text": "One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus aka OilRig , APT34 .", "spans": {"Organization: Crambus": [[113, 120]], "Organization: OilRig": [[125, 131]], "Organization: APT34": [[134, 139]]}, "info": {"id": "dnrti_train_003547", "source": "dnrti_train"}} {"text": "Waterbug has been using Meterpreter since at least early 2018 and , in this campaign , used a modified version of Meterpreter , which was encoded and given a .wav extension in order to disguise its true purpose .", "spans": {"Organization: Waterbug": [[0, 8]], "Malware: Meterpreter": [[24, 35], [114, 125]]}, "info": {"id": "dnrti_train_003548", "source": "dnrti_train"}} {"text": "In all likelihood , Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover .", "spans": {"Organization: Waterbug’s": [[20, 30]], "Malware: Crambus infrastructure": [[38, 60]]}, "info": {"id": "dnrti_train_003549", "source": "dnrti_train"}} {"text": "One of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack against one target in the Middle East , Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver 
malware on to the victim’s network .", "spans": {"Organization: Waterbug’s": [[58, 68]], "Organization: Waterbug": [[152, 160]], "Organization: group": [[222, 227]]}, "info": {"id": "dnrti_train_003550", "source": "dnrti_train"}} {"text": "These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors .", "spans": {"Organization: Waterbug": [[19, 27]], "Organization: group": [[52, 57]], "Organization: compromise governments": [[58, 80]], "Organization: international organizations": [[85, 112]]}, "info": {"id": "dnrti_train_003551", "source": "dnrti_train"}} {"text": "Curiously though , Waterbug also compromised other computers on the victim’s network using its own infrastructure .", "spans": {"Organization: Waterbug": [[19, 27]], "Organization: infrastructure": [[99, 113]]}, "info": {"id": "dnrti_train_003552", "source": "dnrti_train"}} {"text": "Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Mimikatz": [[38, 46]], "Organization: Waterbug": [[80, 88]]}, "info": {"id": "dnrti_train_003553", "source": "dnrti_train"}} {"text": "Aside from the attack involving Crambus infrastructure , this sample of Mimikatz has only been seen used in one other attack , against an education target in the UK in 2017 .", "spans": {"Malware: Mimikatz": [[72, 80]]}, "info": {"id": "dnrti_train_003554", "source": "dnrti_train"}} {"text": "The first observed evidence of Waterbug activity came on January 11 , 2018 , when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim’s network .", "spans": {"Organization: Waterbug": [[31, 39]]}, "info": {"id": "dnrti_train_003555", "source": "dnrti_train"}} {"text": "In the case of the attack against the Middle Eastern target , Crambus was the first group to compromise the victim’s 
network , with the earliest evidence of activity dating to November 2017 .", "spans": {"Organization: Crambus": [[62, 69]]}, "info": {"id": "dnrti_train_003556", "source": "dnrti_train"}} {"text": "Waterbug’s intrusions on the victim’s network continued for much of 2018 .", "spans": {"Organization: Waterbug’s": [[0, 10]]}, "info": {"id": "dnrti_train_003557", "source": "dnrti_train"}} {"text": "Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim’s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point. It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Waterbug": [[82, 90], [194, 202]], "Organization: Crambus infrastructure": [[221, 243]], "Malware: PsExec tool": [[365, 376]]}, "info": {"id": "dnrti_train_003558", "source": "dnrti_train"}} {"text": "Waterbug also used an older version of PowerShell , likely to avoid logging .", "spans": {"Organization: Waterbug": [[0, 8]], "Malware: PowerShell": [[39, 49]]}, "info": {"id": "dnrti_train_003559", "source": "dnrti_train"}} {"text": "In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest .", "spans": {"Organization: Waterbug": [[28, 36]], "Malware: USB stealer": [[44, 55]]}, "info": {"id": "dnrti_train_003560", "source": "dnrti_train"}} {"text": "The malware then uses WebDAV to upload the RAR archive to a Box account .", "spans": {"Malware: malware": [[4, 11]], "Malware: WebDAV": [[22, 28]], "Malware: RAR archive": [[43, 54]]}, "info": {"id": "dnrti_train_003561", "source": "dnrti_train"}} {"text": "The DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers have received intelligence with additional details about 
these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary .", "spans": {"Organization: DeepSight Managed Adversary": [[4, 31]], "Organization: Threat Intelligence": [[36, 55]], "Organization: Waterbug": [[210, 218]], "Organization: group": [[247, 252]]}, "info": {"id": "dnrti_train_003562", "source": "dnrti_train"}} {"text": "The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary .", "spans": {"Organization: DeepSight MATI team": [[4, 23]], "Organization: Waterbug": [[163, 171]], "Organization: group": [[200, 205]], "System: detecting": [[223, 232]], "System: thwarting activities": [[237, 257]]}, "info": {"id": "dnrti_train_003563", "source": "dnrti_train"}} {"text": "While reviewing a 2015 report⁵ of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷ .", "spans": {"Organization: Winnti": [[36, 42]], "Organization: Vietnamese gaming company": [[58, 83]], "Organization: Winnti⁶": [[119, 126]]}, "info": {"id": "dnrti_train_003564", "source": "dnrti_train"}} {"text": "Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged .", "spans": {"Organization: Chronicle": [[26, 35]], "Organization: Winnti": [[118, 124]]}, "info": {"id": "dnrti_train_003565", "source": "dnrti_train"}} {"text": "Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant .", "spans": {"Malware: Azazel": [[20, 26]], "Organization: Winnti developers": [[34, 51]]}, "info": {"id": 
"dnrti_train_003566", "source": "dnrti_train"}} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits .", "spans": {"Organization: Zebrocy": [[0, 7]], "System: spearphishing": [[32, 45]], "Vulnerability: 0day exploits": [[132, 145]]}, "info": {"id": "dnrti_train_003567", "source": "dnrti_train"}} {"text": "We will see more from Zebrocy into 2019 on government and military related organizations .", "spans": {"Organization: Zebrocy": [[22, 29]], "Organization: government": [[43, 53]]}, "info": {"id": "dnrti_train_003568", "source": "dnrti_train"}} {"text": "The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded .", "spans": {"Malware: PowerShell script": [[4, 21]], "Malware: malicious DLL files": [[81, 100]]}, "info": {"id": "dnrti_train_003569", "source": "dnrti_train"}} {"text": "In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"Organization: Silence": [[19, 26]], "Malware: Perl IRC bot": [[60, 72]], "Malware: public IRC": [[77, 87]]}, "info": {"id": "dnrti_train_003570", "source": "dnrti_train"}} {"text": "\bThe FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data .", "spans": {"Organization: FBI": [[5, 8]], "Organization: group": [[49, 54]], "Organization: APT6": [[61, 65]], "Organization: US government": [[78, 91]]}, "info": {"id": "dnrti_train_003571", "source": "dnrti_train"}} {"text": "\bFireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 .", "spans": {"Organization: \bFireEye iSIGHT": [[0, 15]], "Organization: APT37": [[43, 48]], "Organization: Scarcruft": [[99, 108]], "Organization: Group123": [[113, 121]]}, "info": {"id": 
"dnrti_train_003572", "source": "dnrti_train"}} {"text": "\bTrend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"Organization: \bTrend Micro": [[0, 12]], "Organization: MuddyWater": [[41, 51]], "Organization: actor": [[68, 73]]}, "info": {"id": "dnrti_train_003573", "source": "dnrti_train"}} {"text": "\bFireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"Organization: \bFireEye": [[0, 8]], "Organization: actors": [[25, 31]], "System: zero-day": [[60, 68]], "Organization: TEMP.Reaper": [[116, 127]]}, "info": {"id": "dnrti_train_003574", "source": "dnrti_train"}} {"text": "FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: TEMP.Hermit": [[72, 83]]}, "info": {"id": "dnrti_train_003575", "source": "dnrti_train"}} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: FireEye": [[18, 25]], "Organization: APT34": [[35, 40]], "Vulnerability: vulnerability": [[83, 96]], "Organization: government organization": [[109, 132]]}, "info": {"id": "dnrti_train_003576", "source": "dnrti_train"}} {"text": "Kaspersky reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: APT33": [[23, 28]], "Organization: group": [[42, 47]]}, "info": {"id": "dnrti_train_003577", "source": "dnrti_train"}} {"text": "APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper .", "spans": {"Organization: APT33": [[0, 5]], "Organization: Kaspersky": [[29, 38]], "Malware: DROPSHOT dropper": [[60, 76]]}, "info": {"id": 
"dnrti_train_003578", "source": "dnrti_train"}} {"text": "The cyber espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 .", "spans": {"Organization: APT32": [[26, 31], [115, 120]], "Malware: backdoors": [[57, 66]], "Malware: scripts": [[71, 78]]}, "info": {"id": "dnrti_train_003579", "source": "dnrti_train"}} {"text": "In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group .", "spans": {"Organization: Mandiant": [[7, 15]], "Organization: FIN7": [[129, 133]]}, "info": {"id": "dnrti_train_003580", "source": "dnrti_train"}} {"text": "Kaspersky released a similar report about the same group under the name Carbanak in February 2015 .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: group": [[51, 56]], "Organization: Carbanak": [[72, 80]]}, "info": {"id": "dnrti_train_003581", "source": "dnrti_train"}} {"text": "FireEye assesses that APT32 leverages a unique suite of fully-featured malware .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_train_003582", "source": "dnrti_train"}} {"text": "FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing , consumer products , and hospitality sectors .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT32": [[21, 26]], "Organization: Vietnam’s manufacturing": [[84, 107]]}, "info": {"id": "dnrti_train_003583", "source": "dnrti_train"}} {"text": "The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions .", "spans": {"Organization: FireEye": [[4, 11]], "Organization: iSIGHT": [[12, 18]], "Organization: Mandiant": [[115, 123]], "Organization: APT32": [[142, 147]]}, "info": {"id": "dnrti_train_003584", "source": 
"dnrti_train"}} {"text": "FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT32": [[22, 27]], "Organization: Vietnamese": [[68, 78]], "Organization: government": [[79, 89]]}, "info": {"id": "dnrti_train_003585", "source": "dnrti_train"}} {"text": "In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government .", "spans": {"Organization: FireEye": [[23, 30]], "Organization: APT19": [[65, 70]], "Organization: group": [[75, 80]], "Organization: Chinese government": [[164, 182]]}, "info": {"id": "dnrti_train_003586", "source": "dnrti_train"}} {"text": "APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009 .", "spans": {"Organization: APT10": [[0, 5]], "Organization: FireEye": [[46, 53]]}, "info": {"id": "dnrti_train_003587", "source": "dnrti_train"}} {"text": "In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers .", "spans": {"System: spear phishes": [[19, 32]], "Organization: FireEye ISIGHT Intelligence": [[35, 62]], "Organization: APT10": [[76, 81]]}, "info": {"id": "dnrti_train_003588", "source": "dnrti_train"}} {"text": "FireEye’s visibility into the operations of APT28 – a group we believe the Russian government sponsors – has given us insight into some of the government’s targets , as well as its objectives and the activities designed to further them .", "spans": {"Organization: FireEye’s": [[0, 9]], "Organization: APT28": [[44, 49]], "Organization: Russian government": [[75, 93]]}, "info": {"id": "dnrti_train_003589", "source": "dnrti_train"}} {"text": "FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring .", "spans": {"Organization: FireEye": 
[[0, 7]], "Organization: APT28": [[33, 38]]}, "info": {"id": "dnrti_train_003590", "source": "dnrti_train"}} {"text": "In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group .", "spans": {"Organization: FireEye": [[16, 23]], "Organization: APT30": [[59, 64]]}, "info": {"id": "dnrti_train_003591", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers .", "spans": {"Organization: FireEye iSIGHT": [[0, 14]], "Organization: Vendetta Brothers": [[95, 112]]}, "info": {"id": "dnrti_train_003592", "source": "dnrti_train"}} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack .", "spans": {"Organization: Google": [[0, 6]], "Organization: Microsoft": [[11, 20]], "Organization: APT28": [[69, 74]], "Vulnerability: CVE-2016-7855": [[102, 115]]}, "info": {"id": "dnrti_train_003593", "source": "dnrti_train"}} {"text": "McAfee concludes that some groups—and especially the Poetry Group —have shifted tactics to use Citadel in ways other than what it was originally intended for .", "spans": {"Organization: McAfee": [[0, 6]], "Organization: Group": [[60, 65]]}, "info": {"id": "dnrti_train_003594", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 .", "spans": {"Organization: McAfee": [[0, 6]], "Organization: Lazarus": [[64, 71], [219, 226]], "Malware: malicious document": [[193, 211]]}, "info": {"id": "dnrti_train_003595", "source": "dnrti_train"}} {"text": "In November 2017 , Talos observed the Group123 , which included a new version of ROKRAT being used in 
the latest wave of attacks .", "spans": {"Organization: Talos": [[19, 24]], "Organization: Group123": [[38, 46]]}, "info": {"id": "dnrti_train_003596", "source": "dnrti_train"}} {"text": "In addition to TALOS investigation on KONNI , on July 18 2017 , BitDefender released a whitepaper on DarkHotel .", "spans": {"Organization: TALOS": [[15, 20]], "Organization: DarkHotel": [[101, 110]]}, "info": {"id": "dnrti_train_003597", "source": "dnrti_train"}} {"text": "According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": {"Organization: 360 Threat Intelligence Center": [[22, 52]], "Malware: njRAT backdoor": [[101, 115]]}, "info": {"id": "dnrti_train_003598", "source": "dnrti_train"}} {"text": "ESET has also reported PowerShell scripts being used by Turla to provide direct , in-memory loading and execution of malware .", "spans": {"Organization: ESET": [[0, 4]], "Malware: PowerShell scripts": [[23, 41]], "Organization: Turla": [[56, 61]]}, "info": {"id": "dnrti_train_003599", "source": "dnrti_train"}} {"text": "Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla .", "spans": {"Organization: Kaspersky": [[13, 22]], "Malware: backdoor": [[40, 48]], "Organization: Turla": [[93, 98]]}, "info": {"id": "dnrti_train_003600", "source": "dnrti_train"}} {"text": "Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government .", "spans": {"Organization: Symantec": [[15, 23]], "Organization: government": [[96, 106]]}, "info": {"id": "dnrti_train_003601", "source": "dnrti_train"}} {"text": "Symantec researchers have uncovered evidence that the Waterbug APT group has conducted a hostile takeover of an attack platform .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Waterbug": [[54, 62]]}, "info": {"id": "dnrti_train_003602", "source": "dnrti_train"}} {"text": "Researchers at the Microstep Intelligence Bureau 
have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor .", "spans": {"Organization: Microstep Intelligence Bureau": [[19, 48]], "Organization: Ukrainian government": [[100, 120]], "Organization: Gamaredon": [[148, 157]]}, "info": {"id": "dnrti_train_003603", "source": "dnrti_train"}} {"text": "Kaspersky found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: SixLittleMonkeys": [[66, 82]], "Malware: Microcin Trojan": [[114, 129]], "Malware: RAT": [[136, 139]]}, "info": {"id": "dnrti_train_003604", "source": "dnrti_train"}} {"text": "Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group , primarily focused on cyber-espionage in Asia .", "spans": {"Organization: Trend Micro": [[0, 11]], "Organization: BlackTech": [[87, 96]]}, "info": {"id": "dnrti_train_003605", "source": "dnrti_train"}} {"text": "LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East .", "spans": {"Organization: LuckyMouse": [[0, 10]], "Organization: Palo Alto": [[32, 41]], "Malware: web shells": [[76, 86]], "Organization: government organizations": [[123, 147]]}, "info": {"id": "dnrti_train_003606", "source": "dnrti_train"}} {"text": "Talos published its analysis of the BlackWater campaign , related to MuddyWater group .", "spans": {"Organization: Talos": [[0, 5]], "Organization: MuddyWater": [[69, 79]]}, "info": {"id": "dnrti_train_003607", "source": "dnrti_train"}} {"text": "Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 .", "spans": {"Organization: Trend Micro": [[0, 11]], "Organization: MuddyWater’s": [[26, 38]], "Malware: POWERSTATS 
v3": [[97, 110]]}, "info": {"id": "dnrti_train_003608", "source": "dnrti_train"}} {"text": "Regarding other groups , Kaspersky discovered new activity related to ZooPark , a cyber-espionage threat actor that has focused mainly on stealing data from Android devices .", "spans": {"Organization: groups": [[16, 22]], "Organization: Kaspersky": [[25, 34]], "Organization: ZooPark": [[70, 77]], "System: stealing data": [[138, 151]]}, "info": {"id": "dnrti_train_003609", "source": "dnrti_train"}} {"text": "Recorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations .", "spans": {"Organization: Recorded Future": [[0, 15]], "Organization: APT33": [[69, 74]]}, "info": {"id": "dnrti_train_003610", "source": "dnrti_train"}} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code .", "spans": {"Organization: Kaspersky": [[14, 23]], "Organization: Lazarus": [[50, 57]]}, "info": {"id": "dnrti_train_003611", "source": "dnrti_train"}} {"text": "In a recent campaign , Kaspersky observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT – a cloud service-based backdoor .", "spans": {"Organization: Kaspersky": [[23, 32]], "Organization: ScarCruft": [[42, 51]], "Malware: ROKRAT": [[153, 159]]}, "info": {"id": "dnrti_train_003612", "source": "dnrti_train"}} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal .", "spans": {"Organization: ESET": [[0, 4]], "Malware: sample": [[36, 42]], "Organization: OceanLotus": [[52, 62]], "System: uploaded to VirusTotal": [[83, 105]]}, "info": {"id": "dnrti_train_003613", "source": "dnrti_train"}} {"text": "The threat actor behind the campaign , which Kaspersky believes to be the PLATINUM APT group , uses an elaborate , previously unseen , 
steganographic technique to conceal communication .", "spans": {"Organization: actor": [[11, 16]], "Organization: Kaspersky": [[45, 54]], "Organization: PLATINUM": [[74, 82]]}, "info": {"id": "dnrti_train_003614", "source": "dnrti_train"}} {"text": "FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope , Leviathan and TEMP.Jumper .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT40": [[16, 21]], "Organization: TEMP.Periscope": [[89, 103]], "Organization: Leviathan": [[106, 115]], "Organization: TEMP.Jumper": [[120, 131]]}, "info": {"id": "dnrti_train_003615", "source": "dnrti_train"}} {"text": "In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets .", "spans": {"Organization: Kaspersky": [[13, 22]], "Organization: PROJECTM": [[86, 94]], "Organization: MYTHIC LEOPARD": [[99, 113]]}, "info": {"id": "dnrti_train_003616", "source": "dnrti_train"}} {"text": "OceanLotus was another actor active during this period , using a new downloader called KerrDown , as reported by Palo Alto .", "spans": {"Organization: OceanLotus": [[0, 10]], "Malware: KerrDown": [[87, 95]], "Organization: Palo Alto": [[113, 122]]}, "info": {"id": "dnrti_train_003617", "source": "dnrti_train"}} {"text": "ESET recently uncovered a new addition to OceanLotus’s toolset targeting Mac OS .", "spans": {"Organization: ESET": [[0, 4]], "Organization: OceanLotus’s": [[42, 54]]}, "info": {"id": "dnrti_train_003618", "source": "dnrti_train"}} {"text": "In mid-2018 , Kaspersky's report on Operation AppleJeus” highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges .", "spans": {"Organization: Kaspersky's": [[14, 25]], "Organization: Lazarus": [[86, 93]]}, "info": {"id": "dnrti_train_003619", "source": "dnrti_train"}} {"text": "Kaspersky also observed 
some activity from Gaza Team and MuddyWater .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: MuddyWater": [[57, 67]]}, "info": {"id": "dnrti_train_003620", "source": "dnrti_train"}} {"text": "Kaspersky wrote about LuckyMouse targeting national data centers in June .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: LuckyMouse": [[22, 32]]}, "info": {"id": "dnrti_train_003621", "source": "dnrti_train"}} {"text": "Kaspersky also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: LuckyMouse": [[31, 41]]}, "info": {"id": "dnrti_train_003622", "source": "dnrti_train"}} {"text": "Kaspersky have observed similar activity in the past from groups such as Oilrig and Stonedrill , which leads us to believe the new attacks could be connected , though for now that connection is only assessed as low confidence .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: Oilrig": [[73, 79]], "Organization: Stonedrill": [[84, 94]]}, "info": {"id": "dnrti_train_003623", "source": "dnrti_train"}} {"text": "In August 2019 , FireEye released the Double Dragon” report on our newest graduated threat group , APT41 .", "spans": {"Organization: FireEye": [[17, 24]], "Organization: APT41": [[99, 104]]}, "info": {"id": "dnrti_train_003624", "source": "dnrti_train"}} {"text": "Today , FireEye Intelligence is releasing a comprehensive report detailing APT41 , a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations .", "spans": {"Organization: FireEye": [[8, 15]], "Organization: APT41": [[75, 80]]}, "info": {"id": "dnrti_train_003625", "source": "dnrti_train"}} {"text": "Group-IB experts continuously monitor the Silence’ activities .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: 
Silence’": [[42, 50]]}, "info": {"id": "dnrti_train_003626", "source": "dnrti_train"}} {"text": "Group-IB has uncovered a hacker group , MoneyTaker , attacking banks in the USA and Russia .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: MoneyTaker": [[40, 50]]}, "info": {"id": "dnrti_train_003627", "source": "dnrti_train"}} {"text": "Group-IB reveals the unknown details of attacks from one of the most notorious APT groups , Lazarus .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: Lazarus": [[92, 99]]}, "info": {"id": "dnrti_train_003628", "source": "dnrti_train"}} {"text": "Finally , Kaspersky produced a summary report on Sofacy’s summertime activity .", "spans": {"Organization: Kaspersky": [[10, 19]], "Organization: Sofacy’s": [[49, 57]]}, "info": {"id": "dnrti_train_003629", "source": "dnrti_train"}} {"text": "Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: Scarcruft": [[99, 108]], "Organization: Bluenoroff": [[113, 123]]}, "info": {"id": "dnrti_train_003630", "source": "dnrti_train"}} {"text": "Analysis of the payload allowed us to confidently link this attack to an actor Kaspersky track as BlackOasis .", "spans": {"Organization: Kaspersky": [[79, 88]], "Organization: BlackOasis": [[98, 108]]}, "info": {"id": "dnrti_train_003631", "source": "dnrti_train"}} {"text": "Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis’": [[32, 43]], "Vulnerability: zero day": [[109, 117]]}, "info": {"id": "dnrti_train_003632", "source": "dnrti_train"}} {"text": "It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) .", "spans": {"Malware: Word document": [[14, 
27]], "Malware: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[54, 90]], "Malware: Update.exe": [[122, 132]], "Malware: McUpdate.dll": [[145, 157]]}, "info": {"id": "dnrti_train_003633", "source": "dnrti_train"}} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages .", "spans": {"Malware: decoy files": [[14, 25]], "System: spear phishing messages": [[66, 89]]}, "info": {"id": "dnrti_train_003634", "source": "dnrti_train"}} {"text": "Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook .", "spans": {"Malware: decoy documents": [[21, 36]], "Organization: Cambodia Government": [[119, 138]], "Organization: Facebook": [[167, 175]]}, "info": {"id": "dnrti_train_003635", "source": "dnrti_train"}} {"text": "However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team .", "spans": {"Malware: BlackEnergy 3": [[39, 52]], "Organization: Sandworm Team": [[117, 130]]}, "info": {"id": "dnrti_train_003636", "source": "dnrti_train"}} {"text": "The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process .", "spans": {"Malware: w3wp.exe": [[117, 125]]}, "info": {"id": "dnrti_train_003637", "source": "dnrti_train"}} {"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply .", "spans": {"Organization: groups": [[28, 34]], "Organization: government": [[83, 93]]}, "info": {"id": "dnrti_train_003638", "source": "dnrti_train"}} {"text": "Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean 
Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims .", "spans": {"Malware: KHNP documents": [[20, 34]], "Organization: actors": [[54, 60]], "Organization: South Korean Government": [[134, 157]]}, "info": {"id": "dnrti_train_003639", "source": "dnrti_train"}} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide .", "spans": {}, "info": {"id": "dnrti_train_003640", "source": "dnrti_train"}} {"text": "The malware may inject itself into browser processes and explorer.exe .", "spans": {"Malware: malware": [[4, 11]], "System: inject itself": [[16, 29]], "Malware: explorer.exe": [[57, 69]]}, "info": {"id": "dnrti_train_003641", "source": "dnrti_train"}} {"text": "In the last few weeks , FormBook was seen downloading other malware families such as NanoCore .", "spans": {"Malware: FormBook": [[24, 32]], "Malware: NanoCore": [[85, 93]]}, "info": {"id": "dnrti_train_003642", "source": "dnrti_train"}} {"text": "The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents .", "spans": {"Organization: FireEye": [[76, 83]], "Malware: malicious documents": [[122, 141]]}, "info": {"id": "dnrti_train_003643", "source": "dnrti_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"Vulnerability: CVE-2017-1099": [[71, 84]], "Malware: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_train_003644", "source": "dnrti_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": 
[[124, 137]]}, "info": {"id": "dnrti_train_003645", "source": "dnrti_train"}} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros .", "spans": {"Organization: APT32": [[28, 33]], "Malware: ActiveMime files": [[48, 64]], "System: social engineering": [[77, 95]]}, "info": {"id": "dnrti_train_003646", "source": "dnrti_train"}} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails .", "spans": {"Organization: APT32": [[0, 5]], "Malware: malicious attachments": [[37, 58]], "System: spear-phishing": [[63, 77]]}, "info": {"id": "dnrti_train_003647", "source": "dnrti_train"}} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits .", "spans": {"Organization: APT19": [[0, 5]], "Malware: Microsoft Excel files": [[57, 78]]}, "info": {"id": "dnrti_train_003648", "source": "dnrti_train"}} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time .", "spans": {"Malware: CARBANAK": [[80, 88]]}, "info": {"id": "dnrti_train_003649", "source": "dnrti_train"}} {"text": "February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28’s Xagent malware , and a new Trojan ransomware .", "spans": {"Organization: attacker": [[181, 189]], "Organization: APT28’s": [[211, 218]], "Malware: Trojan ransomware": [[246, 263]]}, "info": {"id": "dnrti_train_003650", "source": "dnrti_train"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Malware: LATENTBOT malware": [[99, 
116]]}, "info": {"id": "dnrti_train_003651", "source": "dnrti_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_train_003652", "source": "dnrti_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_train_003653", "source": "dnrti_train"}} {"text": "To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe” utility to register a custom shim database file containing a patch onto a system .", "spans": {"Organization: FIN7": [[66, 70]], "Malware: PowerShell script": [[100, 117]], "Malware: sdbinst.exe”": [[134, 146]]}, "info": {"id": "dnrti_train_003654", "source": "dnrti_train"}} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe” with their CARBANAK payload .", "spans": {"Organization: Mandiant": [[28, 36]], "Organization: FIN7": [[51, 55]], "Malware: services.exe”": [[132, 145]], "Malware: CARBANAK": [[157, 165]]}, "info": {"id": "dnrti_train_003655", "source": "dnrti_train"}} {"text": "We have not yet identified FIN7’s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft .", "spans": {"Organization: FIN7’s": [[27, 33]], "Malware: malicious emails": [[113, 129]]}, "info": {"id": 
"dnrti_train_003656", "source": "dnrti_train"}} {"text": "Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign .", "spans": {"Malware: phishing email": [[24, 38]]}, "info": {"id": "dnrti_train_003657", "source": "dnrti_train"}} {"text": "Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms .", "spans": {"Malware: regsvr32.exe": [[25, 37]], "Organization: APT19": [[82, 87]], "Organization: law firms": [[119, 128]]}, "info": {"id": "dnrti_train_003658", "source": "dnrti_train"}} {"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 .", "spans": {"Malware: malware": [[4, 11]], "System: stolen credentials": [[116, 134]], "System: SMB exploits": [[139, 151]], "Malware: EternalBlue exploit": [[168, 187]], "Organization: WannaCry": [[200, 208]]}, "info": {"id": "dnrti_train_003659", "source": "dnrti_train"}} {"text": "The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data .", "spans": {"Malware: malware": [[4, 11]], "Malware: .WCRY extension": [[50, 65]]}, "info": {"id": "dnrti_train_003660", "source": "dnrti_train"}} {"text": "The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality .", "spans": {"Malware: malware": [[4, 11]], "Malware: DLLs": [[28, 32]]}, "info": {"id": "dnrti_train_003661", "source": "dnrti_train"}} {"text": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security .", "spans": {"Malware: malware": [[4, 11]], "Malware: mssecsvc2.0": [[50, 61]]}, "info": {"id": "dnrti_train_003662", "source": "dnrti_train"}} 
{"text": "The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe .", "spans": {"Malware: malware": [[4, 11]], "Malware: file": [[51, 55]]}, "info": {"id": "dnrti_train_003663", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_train_003664", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_train_003665", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_train_003666", "source": "dnrti_train"}} {"text": "Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb .", "spans": {"Malware: IDA Pro": [[15, 22]], "Malware: WinDbg": [[27, 33]]}, "info": {"id": "dnrti_train_003667", "source": "dnrti_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_train_003668", "source": "dnrti_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_train_003669", "source": "dnrti_train"}} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor .", "spans": {"System: Microsoft Office document": 
[[47, 72]], "Malware: Hancitor": [[149, 157]]}, "info": {"id": "dnrti_train_003670", "source": "dnrti_train"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": {"Malware: Pony": [[48, 52]], "Malware: Vawtrak": [[57, 64]]}, "info": {"id": "dnrti_train_003671", "source": "dnrti_train"}} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan .", "spans": {"Malware: Pony malware": [[102, 114]], "Malware: pm.dll”": [[117, 124]]}, "info": {"id": "dnrti_train_003672", "source": "dnrti_train"}} {"text": "In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand .", "spans": {"Organization: FireEye": [[15, 22]], "Malware: ATM malware": [[46, 57]], "Malware: RIPPER": [[78, 84]]}, "info": {"id": "dnrti_train_003673", "source": "dnrti_train"}} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": {"Malware: RIPPER": [[0, 6]]}, "info": {"id": "dnrti_train_003674", "source": "dnrti_train"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": {"Malware: RIPPER": [[0, 6]], "Organization: ATM vendors": [[77, 88]]}, "info": {"id": "dnrti_train_003675", "source": "dnrti_train"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "dnrti_train_003676", "source": "dnrti_train"}} {"text": "From our trend analysis seen in 
Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August .", "spans": {"Malware: Locky": [[43, 48]]}, "info": {"id": "dnrti_train_003677", "source": "dnrti_train"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": {"Malware: Ploutus": [[55, 62]]}, "info": {"id": "dnrti_train_003678", "source": "dnrti_train"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: Ploutus": [[68, 75]], "Malware: Ploutus-D": [[85, 94]]}, "info": {"id": "dnrti_train_003679", "source": "dnrti_train"}} {"text": "The samples we identified target the ATM vendor Diebold .", "spans": {"Malware: samples": [[4, 11]], "Organization: ATM vendor Diebold": [[37, 55]]}, "info": {"id": "dnrti_train_003680", "source": "dnrti_train"}} {"text": "This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat .", "spans": {"Malware: Ploutus-D": [[84, 93]]}, "info": {"id": "dnrti_train_003681", "source": "dnrti_train"}} {"text": "Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the dispensing operation (see Figure 10) .", "spans": {"Malware: Ploutus-D": [[0, 9]], "Organization: attackers": [[26, 35]]}, "info": {"id": "dnrti_train_003682", "source": "dnrti_train"}} {"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": {"Malware: 
Ploutus-D": [[0, 9]], "Malware: (K3A.Platform.dll)": [[82, 100]]}, "info": {"id": "dnrti_train_003683", "source": "dnrti_train"}} {"text": "Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide .", "spans": {"Malware: Ploutus-D": [[6, 15], [88, 97]], "Organization: ATM vendors": [[139, 150]]}, "info": {"id": "dnrti_train_003684", "source": "dnrti_train"}} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": {"Organization: actors": [[11, 17]], "System: inject shellcode": [[108, 124]], "Malware: userinit.exe": [[134, 146]]}, "info": {"id": "dnrti_train_003685", "source": "dnrti_train"}} {"text": "The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument .", "spans": {"Malware: regsvr32.exe": [[4, 16]], "Malware: SCT file": [[121, 129]]}, "info": {"id": "dnrti_train_003686", "source": "dnrti_train"}} {"text": "We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file .", "spans": {"Malware: regsvr32.exe": [[70, 82]], "Malware: SCT file": [[145, 153]]}, "info": {"id": "dnrti_train_003687", "source": "dnrti_train"}} {"text": "There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet .", "spans": {"Malware: winword.exe": [[86, 97]], "Malware: Start-Process": [[116, 129]], "Malware: cmdlet": [[130, 136]]}, "info": {"id": "dnrti_train_003688", "source": "dnrti_train"}} {"text": "Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on .", "spans": {"Malware: Ordnance": [[0, 8]], "Malware: shellcode": 
[[101, 110]]}, "info": {"id": "dnrti_train_003689", "source": "dnrti_train"}} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": {"Malware: DarkPulsar": [[0, 10]], "Malware: backdoor": [[81, 89]], "Malware: sipauth32.tsp": [[98, 111]]}, "info": {"id": "dnrti_train_003690", "source": "dnrti_train"}} {"text": "One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components .", "spans": {"Malware: ipv4.dll": [[14, 22]], "Malware: downloader": [[79, 89]]}, "info": {"id": "dnrti_train_003691", "source": "dnrti_train"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": {"Malware: Canhadr/Ndriver": [[29, 44]]}, "info": {"id": "dnrti_train_003692", "source": "dnrti_train"}} {"text": "First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan .", "spans": {"Malware: Bugat": [[63, 68]], "Malware: banking Trojan": [[83, 97]]}, "info": {"id": "dnrti_train_003693", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_003694", "source": "dnrti_train"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"Vulnerability: CVE-2012-0158": 
[[79, 92]], "Malware: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_train_003695", "source": "dnrti_train"}} {"text": "Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image .", "spans": {"Organization: Whitefly": [[0, 8]], "Malware: dropper": [[43, 50]], "Malware: malicious.exe": [[68, 81]], "Malware: .dll file": [[85, 94]]}, "info": {"id": "dnrti_train_003696", "source": "dnrti_train"}} {"text": "CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos .", "spans": {"Malware: CraP2P": [[0, 6]], "Malware: Locky": [[68, 73]], "Malware: Dridex": [[78, 84]]}, "info": {"id": "dnrti_train_003697", "source": "dnrti_train"}} {"text": "Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": {"Malware: LOWBALL malware": [[9, 24]], "Organization: admin@338": [[65, 74]], "Malware: upload.bat": [[101, 111]]}, "info": {"id": "dnrti_train_003698", "source": "dnrti_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"Organization: APT32": [[10, 15]], "System: spear-phishing attachment": [[28, 53]], "Malware: Vietnam.exe": [[114, 125]], "Organization: diaspora": [[185, 193]]}, "info": {"id": "dnrti_train_003699", "source": "dnrti_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": {"Organization: APT32": [[10, 15]], "System: spear-phishing attachment": [[28, 53]], "Malware: Vietnam.exe": [[114, 125]]}, "info": 
{"id": "dnrti_train_003700", "source": "dnrti_train"}} {"text": "More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": {"Organization: APT33": [[30, 35]], "Organization: organization": [[63, 75]], "Organization: business conglomerate": [[95, 116]], "Malware: malicious file": [[125, 139]], "Organization: petrochemical company": [[212, 233]]}, "info": {"id": "dnrti_train_003701", "source": "dnrti_train"}} {"text": "More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": {"Organization: APT33": [[30, 35]], "Malware: malicious file": [[102, 116]]}, "info": {"id": "dnrti_train_003702", "source": "dnrti_train"}} {"text": "In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"Organization: REDBALDKNIGHT": [[10, 23]], "Malware: decoy documents": [[104, 119]]}, "info": {"id": "dnrti_train_003703", "source": "dnrti_train"}} {"text": "In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"Organization: REDBALDKNIGHT": [[10, 23]], "Malware: decoy documents": [[134, 149]]}, "info": {"id": "dnrti_train_003704", "source": "dnrti_train"}} {"text": "Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": {"Malware: Carbanak": [[0, 8]], "Malware: backdoor": [[14, 22]], "Organization: attackers": [[35, 44]]}, "info": {"id": "dnrti_train_003705", "source": "dnrti_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting 
CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_train_003706", "source": "dnrti_train"}} {"text": "The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": {"Malware: Word document": [[20, 33]], "Malware: manual.doc": [[34, 44]], "Organization: Honeybee": [[114, 122]]}, "info": {"id": "dnrti_train_003707", "source": "dnrti_train"}} {"text": "This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics .", "spans": {"System: Visual Basic macro": [[35, 53]], "Malware: SYSCON": [[124, 130]], "Malware: malicious Word documents": [[159, 183]]}, "info": {"id": "dnrti_train_003708", "source": "dnrti_train"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"Organization: Ke3chang": [[0, 8]], "Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Malware: Adobe PDF Reader": [[156, 172]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": {"id": "dnrti_train_003709", "source": "dnrti_train"}} {"text": "For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": {"Malware: DeltaAlfa": [[14, 23]], "Malware: DDoS bot": [[36, 44]]}, "info": {"id": "dnrti_train_003710", "source": "dnrti_train"}} {"text": "This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"Malware: IOC files": [[14, 23]], "Organization: HIDDEN COBRA": 
[[32, 44]], "Malware: FALLCHILL": [[67, 76]]}, "info": {"id": "dnrti_train_003711", "source": "dnrti_train"}} {"text": "The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"Organization: McAfee Advanced Threat Research": [[4, 35]], "Malware: data-gathering implant": [[73, 95]]}, "info": {"id": "dnrti_train_003712", "source": "dnrti_train"}} {"text": "This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"Malware: IOC files": [[14, 23]], "Organization: HIDDEN COBRA": [[32, 44]], "Malware: FALLCHILL": [[67, 76]]}, "info": {"id": "dnrti_train_003713", "source": "dnrti_train"}} {"text": "The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"Organization: McAfee Advanced Threat Research": [[4, 35]], "Malware: data-gathering implant": [[73, 95]]}, "info": {"id": "dnrti_train_003714", "source": "dnrti_train"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_train_003715", "source": "dnrti_train"}} {"text": "This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": {"Malware: 32-bit Windows executable file": [[45, 75]], "Malware: Remote Access Trojan": [[94, 114]], "Malware: RAT": [[117, 120]]}, "info": {"id": "dnrti_train_003716", "source": "dnrti_train"}} {"text": "In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": {"Organization: US-CERT Code Analysis Team": [[50, 76]], "Malware: botnet controller": [[86, 103]]}, "info": {"id": "dnrti_train_003717", "source": "dnrti_train"}} {"text": "Volgmer payloads have 
been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": {"Malware: Volgmer": [[0, 7]], "Malware: .dll": [[99, 103]]}, "info": {"id": "dnrti_train_003718", "source": "dnrti_train"}} {"text": "Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": {"Organization: Trend Micro": [[0, 11]], "Organization: Trend Micro™ Smart Protection Suites": [[39, 75]], "Organization: Worry-Free™ Business Security": [[80, 109]], "Malware: malicious files": [[175, 190]]}, "info": {"id": "dnrti_train_003719", "source": "dnrti_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"Malware: WannaCry": [[0, 8]], "Malware: .WCRY": [[47, 52]]}, "info": {"id": "dnrti_train_003720", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_003721", "source": "dnrti_train"}} {"text": "The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": {"Organization: Leviathan": [[4, 13]], "Malware: macro-laden Microsoft Word documents": [[37, 73]], "Organization: development organizations": [[106, 131]]}, "info": {"id": "dnrti_train_003722", "source": "dnrti_train"}} {"text": "The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": {"Malware: 
Zawgyi_Keyboard_L.zip": [[24, 45]], "Malware: setup.exe": [[69, 78]], "Malware: Elise": [[139, 144]], "Malware: wincex.dll": [[147, 157]]}, "info": {"id": "dnrti_train_003723", "source": "dnrti_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_train_003724", "source": "dnrti_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"Malware: c:\\temp\\rr.exe": [[54, 68]]}, "info": {"id": "dnrti_train_003725", "source": "dnrti_train"}} {"text": "The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": {"Malware: custom dropper": [[53, 67]], "Malware: MagicHound.DropIt": [[95, 112]]}, "info": {"id": "dnrti_train_003726", "source": "dnrti_train"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"Malware: DropIt sample": [[28, 41]], "Malware: %TEMP%\\flash_update.exe": [[179, 202]], "Malware: Flash Player installer": [[227, 249]]}, "info": {"id": "dnrti_train_003727", "source": "dnrti_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"Organization: APT32": [[27, 32]], "System: social engineering emails": [[43, 68]], "Malware: Microsoft ActiveMime file": [[74, 99]]}, 
"info": {"id": "dnrti_train_003728", "source": "dnrti_train"}} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"Malware: HTA files": [[4, 13]]}, "info": {"id": "dnrti_train_003729", "source": "dnrti_train"}} {"text": "These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files .", "spans": {"System: emails": [[6, 12]], "System: recruitment-themed lures": [[22, 46]], "Malware: HTML application": [[70, 86]], "Malware: HTA": [[89, 92]]}, "info": {"id": "dnrti_train_003730", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_003731", "source": "dnrti_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"Malware: ChopShop1": [[0, 9]], "Organization: MITRE Corporation": [[46, 63]]}, "info": {"id": "dnrti_train_003732", "source": "dnrti_train"}} {"text": "Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": {"Malware: Attachments": [[0, 11]], "System: ZIP archive": [[67, 78]], "System: password-protected Microsoft Office document": [[84, 128]]}, "info": {"id": "dnrti_train_003733", "source": "dnrti_train"}} {"text": "This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. 
We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": {"Malware: PIVY": [[70, 74]], "Malware: malicious files": [[298, 313]]}, "info": {"id": "dnrti_train_003734", "source": "dnrti_train"}} {"text": "The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": {"Malware: .exe file": [[24, 33]], "Malware: Microsoft Word file": [[61, 80]]}, "info": {"id": "dnrti_train_003735", "source": "dnrti_train"}} {"text": "The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": {"Organization: Palo Alto Networks Unit 42": [[4, 30]], "Malware: malicious files": [[78, 93]], "Organization: MalwareBytes": [[194, 206]]}, "info": {"id": "dnrti_train_003736", "source": "dnrti_train"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"Malware: Powermud backdoor": [[29, 46]], "Malware: Backdoor.Powemuddy": [[66, 84]], "Malware: custom tools": [[93, 105]], "Malware: makecab.exe": [[238, 249]]}, "info": {"id": "dnrti_train_003737", "source": "dnrti_train"}} {"text": "Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have 
established a foothold in their network .", "spans": {"Organization: DeepSight Managed Adversary and Threat Intelligence": [[16, 67]], "Organization: MATI": [[70, 74]], "Malware: Backdoor.Powemuddy": [[110, 128]], "Organization: Seedworm": [[147, 155]], "Malware: Powermud backdoor": [[159, 176]], "Malware: POWERSTATS": [[183, 193]], "Organization: group": [[230, 235], [306, 311]]}, "info": {"id": "dnrti_train_003738", "source": "dnrti_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"Malware: Microsoft Word document": [[60, 83]]}, "info": {"id": "dnrti_train_003739", "source": "dnrti_train"}} {"text": "In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"Organization: Trend Micro": [[14, 25]], "Malware: W2KM_DLOADR.UHAOEEN": [[59, 78]]}, "info": {"id": "dnrti_train_003740", "source": "dnrti_train"}} {"text": "In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"Organization: Trend Micro": [[14, 25]], "Malware: W2KM_DLOADR.UHAOEEN": [[59, 78]]}, "info": {"id": "dnrti_train_003741", "source": "dnrti_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "System: email attachment": [[24, 40]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_train_003742", "source": "dnrti_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery 
documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"Organization: OilRig": [[65, 71]], "Malware: Clayslide delivery documents": [[79, 107]]}, "info": {"id": "dnrti_train_003743", "source": "dnrti_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, "info": {"id": "dnrti_train_003744", "source": "dnrti_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"Malware: Equation Editor": [[36, 51]], "Malware: EQNEDT32.EXE": [[54, 66]]}, "info": {"id": "dnrti_train_003745", "source": "dnrti_train"}} {"text": "The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": {"Malware: ThreeDollars delivery document": [[43, 73]], "Organization: OilRig": [[111, 117]]}, "info": {"id": "dnrti_train_003746", "source": "dnrti_train"}} {"text": "The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": {"System: email": [[4, 9]], "Malware: Seminar-Invitation.doc": [[40, 62]], "Malware: Microsoft Word": [[86, 100]], "Malware: ThreeDollars": [[122, 134]]}, "info": {"id": "dnrti_train_003747", "source": "dnrti_train"}} {"text": "We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": {"Malware: ThreeDollars": [[37, 49]], "Malware: preparation.dot": [[109, 124]]}, "info": {"id": "dnrti_train_003748", "source": 
"dnrti_train"}} {"text": "We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": {"Malware: ThreeDollars document": [[83, 104]]}, "info": {"id": "dnrti_train_003749", "source": "dnrti_train"}} {"text": "The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": {"Malware: Clayslide": [[24, 33]], "Malware: OfficeServicesStatus.vbs file": [[53, 82]], "Malware: ISMAgent Clayslide document": [[96, 123]]}, "info": {"id": "dnrti_train_003750", "source": "dnrti_train"}} {"text": "During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls .", "spans": {"Malware: XLS-withyourface.xls": [[139, 159]], "Malware: XLS-withyourface – test.xls": [[164, 191]]}, "info": {"id": "dnrti_train_003751", "source": "dnrti_train"}} {"text": "These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": {"Organization: OilRig": [[47, 53]], "Malware: N56.15.doc": [[239, 249]]}, "info": {"id": "dnrti_train_003752", "source": "dnrti_train"}} {"text": "The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"Organization: attackers": [[4, 13]], "System: emails": [[28, 34]], 
"Malware: XLS files": [[60, 69]], "Organization: employees working in the banking sector": [[73, 112]]}, "info": {"id": "dnrti_train_003753", "source": "dnrti_train"}} {"text": "In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": {"Organization: FireEye 's DTI": [[32, 46]], "System: emails": [[68, 74]], "Malware: malicious attachments": [[86, 107]]}, "info": {"id": "dnrti_train_003754", "source": "dnrti_train"}} {"text": "Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"Organization: government office": [[116, 133]], "Malware: Word documents": [[188, 202]]}, "info": {"id": "dnrti_train_003755", "source": "dnrti_train"}} {"text": "For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": {"Organization: Sowbug": [[34, 40]], "Malware: Felismus backdoor": [[93, 110]], "Malware: adobecms.exe": [[170, 182]], "Malware: CSIDL_WINDOWS\\debug": [[186, 205]]}, "info": {"id": "dnrti_train_003756", "source": "dnrti_train"}} {"text": "Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Starloader files": [[31, 47]], "Malware: AdobeUpdate.exe": [[60, 75]], "Malware: AcrobatUpdate.exe": [[78, 95]], "Malware: INTELUPDATE.EXE": [[102, 117]]}, "info": {"id": "dnrti_train_003757", "source": "dnrti_train"}} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and 
network information .", "spans": {"Malware: cmd.exe": [[80, 87]]}, "info": {"id": "dnrti_train_003758", "source": "dnrti_train"}} {"text": "In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": {"Organization: Kaspersky Lab": [[20, 33]], "Malware: anomalous network traffic": [[78, 103]], "Organization: government organization": [[109, 132]]}, "info": {"id": "dnrti_train_003759", "source": "dnrti_train"}} {"text": "Symantec detects this threat as Backdoor.Nidiran .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Backdoor.Nidiran": [[32, 48]]}, "info": {"id": "dnrti_train_003760", "source": "dnrti_train"}} {"text": "Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": {"Malware: malicious files": [[40, 55]], "Malware: iviewers.dll file": [[87, 104]], "Malware: DLL load hijacking": [[118, 136]]}, "info": {"id": "dnrti_train_003761", "source": "dnrti_train"}} {"text": "Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": {"Malware: Nidiran": [[33, 40]], "Malware: self-extracting executable": [[64, 90]], "Malware: .tmp": [[125, 129]]}, "info": {"id": "dnrti_train_003762", "source": "dnrti_train"}} {"text": "While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"Malware: Backdoor.Nidiran": [[109, 125]]}, "info": {"id": "dnrti_train_003763", "source": "dnrti_train"}} {"text": "While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the 
Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"Malware: Backdoor.Nidiran": [[109, 125]]}, "info": {"id": "dnrti_train_003764", "source": "dnrti_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_train_003765", "source": "dnrti_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_train_003766", "source": "dnrti_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: malicious.DOC": [[86, 99]], "Vulnerability: Microsoft Common Controls vulnerability": [[119, 158]], "Vulnerability: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_train_003767", "source": "dnrti_train"}} {"text": "To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting 
processes to uncover additional command line artifacts .", "spans": {"Organization: CTU": [[97, 100]], "Malware: cmd.exe": [[122, 129]]}, "info": {"id": "dnrti_train_003768", "source": "dnrti_train"}} {"text": "In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": {"Organization: CTU": [[25, 28]], "Malware: s.txt": [[65, 70]]}, "info": {"id": "dnrti_train_003769", "source": "dnrti_train"}} {"text": "Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": {"Malware: Infostealer.Catchamas": [[81, 102]]}, "info": {"id": "dnrti_train_003770", "source": "dnrti_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": {"Malware: Catchamas": [[0, 9]]}, "info": {"id": "dnrti_train_003771", "source": "dnrti_train"}} {"text": "The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": {"Malware: sidebar.exe": [[138, 149]], "Malware: dllhost.exe": [[161, 172]]}, "info": {"id": "dnrti_train_003772", "source": "dnrti_train"}} {"text": "As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate .", "spans": {"Malware: decoy files": [[66, 77]]}, "info": {"id": "dnrti_train_003773", "source": "dnrti_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing 
e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_train_003774", "source": "dnrti_train"}} {"text": "Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": {"Malware: malicious file": [[56, 70]], "System: adobe.com": [[95, 104]]}, "info": {"id": "dnrti_train_003775", "source": "dnrti_train"}} {"text": "According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": {"Organization: Deepen": [[13, 19]], "Organization: APT6": [[22, 26]], "System: spear phishing": [[42, 56]], "Malware: PDF": [[82, 85]], "Malware: ZIP": [[90, 93]], "Malware: SCR file": [[170, 178]]}, "info": {"id": "dnrti_train_003776", "source": "dnrti_train"}} {"text": "Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra.com/decoy.doc .", "spans": {"Organization: Bellingcat": [[0, 10]], "Malware: decoy documents": [[79, 94]], "Malware: hxxp://voguextra.com/decoy.doc": [[132, 162]]}, "info": {"id": "dnrti_train_003777", "source": "dnrti_train"}} {"text": "We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": {"Organization: Bahamut": [[73, 80]], "Malware: Devoted To Humanity": [[96, 115]]}, "info": {"id": "dnrti_train_003778", "source": "dnrti_train"}} {"text": "While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": {"Organization: Microsoft": [[33, 
42]], "Organization: Barium": [[94, 100]], "Malware: Win32/ShadowPad.A": [[139, 156]]}, "info": {"id": "dnrti_train_003779", "source": "dnrti_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"Malware: MXI Player": [[0, 10]]}, "info": {"id": "dnrti_train_003780", "source": "dnrti_train"}} {"text": "Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents .", "spans": {"System: spear-phishing emails": [[36, 57]], "Malware: RTLO technique": [[107, 121]], "Malware: decoy documents": [[141, 156]]}, "info": {"id": "dnrti_train_003781", "source": "dnrti_train"}} {"text": "The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": {"Malware: self-extracting RAR": [[4, 23]], "Malware: Loader.dll": [[85, 95]], "Malware: readme.txt": [[113, 123]]}, "info": {"id": "dnrti_train_003782", "source": "dnrti_train"}} {"text": "Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": {"Malware: Leader": [[0, 6]], "Malware: Bookworm": [[10, 18]], "Malware: DLLs": [[114, 118]]}, "info": {"id": "dnrti_train_003783", "source": "dnrti_train"}} {"text": "We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": {"Malware: Bookworm": [[43, 51]], "Malware: decoys documents": [[138, 154]], "Malware: dynamic DNS domain": [[183, 201]]}, "info": {"id": "dnrti_train_003784", 
"source": "dnrti_train"}} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"Malware: date string hardcoded": [[26, 47]], "Malware: Bookworm sample": [[58, 73]]}, "info": {"id": "dnrti_train_003785", "source": "dnrti_train"}} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"Malware: date string": [[35, 46]], "Malware: date codes": [[64, 74]], "Malware: Bookworm": [[120, 128]]}, "info": {"id": "dnrti_train_003786", "source": "dnrti_train"}} {"text": "Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": {"Malware: decoy slideshow": [[8, 23]]}, "info": {"id": "dnrti_train_003787", "source": "dnrti_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"Malware: document": [[7, 15]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Vulnerability: CVE-2013-3906": [[80, 93]], "Vulnerability: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_train_003788", "source": "dnrti_train"}} {"text": "The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": {"Malware: AmmyyService.exe": [[97, 113]], "Malware: AmmyySvc.exe": [[117, 129]]}, "info": {"id": "dnrti_train_003789", "source": "dnrti_train"}} {"text": "The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": {"Malware: kontrakt87.doc": [[28, 42]], "Organization: MegaFon": [[105, 112]], "Organization: mobile phone operator": [[131, 152]]}, "info": {"id": "dnrti_train_003790", 
"source": "dnrti_train"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"Malware: Careto": [[59, 65]]}, "info": {"id": "dnrti_train_003791", "source": "dnrti_train"}} {"text": "Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": {"Malware: Careto": [[0, 6]], "System: spear-phishing e-mails": [[48, 70]]}, "info": {"id": "dnrti_train_003792", "source": "dnrti_train"}} {"text": "Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": {"Malware: sub-domains": [[30, 41]]}, "info": {"id": "dnrti_train_003793", "source": "dnrti_train"}} {"text": "We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": {"Malware: Careto": [[29, 35]]}, "info": {"id": "dnrti_train_003794", "source": "dnrti_train"}} {"text": "The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": {"Malware: Acunetix Web Vulnerability Scanner": [[34, 68]]}, "info": {"id": "dnrti_train_003795", "source": "dnrti_train"}} {"text": "The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": {"Malware: decoy documents": [[4, 19]]}, "info": {"id": "dnrti_train_003796", "source": "dnrti_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Organization: Patchwork": [[9, 18]], "Malware: RTF files": [[45, 54]], "Vulnerability: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_train_003797", "source": "dnrti_train"}} {"text": "The first of which 
we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": {"Malware: CONFUCIUS_A": [[29, 40]], "Malware: SNEEPY": [[159, 165]], "Malware: ByeByeShell": [[172, 183]], "Organization: Rapid7": [[204, 210]]}, "info": {"id": "dnrti_train_003798", "source": "dnrti_train"}} {"text": "At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": {"Malware: CONFUCIUS_B": [[16, 27]], "Malware: CONFUCIUS_A": [[50, 61]], "Malware: SFX binary files": [[100, 116]]}, "info": {"id": "dnrti_train_003799", "source": "dnrti_train"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"Malware: CONFUCIUS_B": [[4, 15]], "Malware: RTLO": [[104, 108]]}, "info": {"id": "dnrti_train_003800", "source": "dnrti_train"}} {"text": "We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": {"Malware: SNEEPY/BYEBYESHELL": [[147, 165]], "Malware: CONFUCIUS_B": [[174, 185]], "Malware: Hangover": [[207, 215]]}, "info": {"id": "dnrti_train_003801", "source": "dnrti_train"}} {"text": "The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": {"Organization: development company": [[153, 172]], "Malware: CONFUCIUS_A": [[187, 198]], "Malware: CONFUCIUS_B": [[203, 214]]}, "info": {"id": "dnrti_train_003802", "source": "dnrti_train"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as 
record audio .", "spans": {"Malware: Android version": [[4, 19]]}, "info": {"id": "dnrti_train_003803", "source": "dnrti_train"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTML Application": [[71, 87]], "Malware: HTA": [[90, 93]], "Malware: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_train_003804", "source": "dnrti_train"}} {"text": "According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": {"Malware: botnet encompassed": [[63, 81]], "Organization: financial institutions": [[156, 178]]}, "info": {"id": "dnrti_train_003805", "source": "dnrti_train"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"Malware: bot": [[5, 8]]}, "info": {"id": "dnrti_train_003806", "source": "dnrti_train"}} {"text": "At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": {"Malware: Java related application": [[36, 60]], "Malware: Java file": [[148, 157]]}, "info": {"id": "dnrti_train_003807", "source": "dnrti_train"}} {"text": "Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": {"System: emails": [[22, 28]], "Malware: documents": [[72, 81]]}, "info": {"id": "dnrti_train_003808", "source": "dnrti_train"}} {"text": "The 
authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"Malware: Trojan.Naid": [[106, 117]], "Malware: Backdoor.Moudoor": [[120, 136]], "Malware: Backdoor.Hikit": [[143, 157]]}, "info": {"id": "dnrti_train_003809", "source": "dnrti_train"}} {"text": "The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"Malware: Trojan.Naid": [[105, 116]], "Malware: Backdoor.Moudoor": [[119, 135]], "Malware: Backdoor.Hikit": [[142, 156]]}, "info": {"id": "dnrti_train_003810", "source": "dnrti_train"}} {"text": "Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Trojan.Naid": [[72, 83]], "Malware: Backdoor.Moudoor": [[88, 104]], "Malware: Aurora": [[123, 129]], "Organization: Elderwood Gang": [[139, 153]], "Organization: Hidden Lynx": [[163, 174]]}, "info": {"id": "dnrti_train_003811", "source": "dnrti_train"}} {"text": "One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": {"System: e-mail": [[4, 10]], "Malware: Microsoft PowerPoint file": [[21, 46]], "Malware: thanks.pps": [[55, 65]], "Malware: Microsoft Word document": [[97, 120]], "Malware: request.docx": [[129, 141]]}, "info": {"id": "dnrti_train_003812", "source": "dnrti_train"}} {"text": "Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. 
Government recipient .", "spans": {"Organization: WildFire": [[23, 31]], "System: e-mail": [[49, 55]], "Malware: Word document": [[69, 82], [140, 153]], "Malware: hello.docx": [[87, 97]]}, "info": {"id": "dnrti_train_003813", "source": "dnrti_train"}} {"text": "The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": {"Malware: thanks.pps": [[25, 35]], "Malware: ins8376.exe": [[99, 110]], "Malware: mpro324.dll": [[143, 154]]}, "info": {"id": "dnrti_train_003814", "source": "dnrti_train"}} {"text": "In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": {"Malware: Cyberlink": [[49, 58]]}, "info": {"id": "dnrti_train_003815", "source": "dnrti_train"}} {"text": "This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": {"Malware: KBDLV2.DLL": [[127, 137]], "Malware: AUTO.DLL": [[141, 149]]}, "info": {"id": "dnrti_train_003816", "source": "dnrti_train"}} {"text": "Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits .", "spans": {"Malware: unsophisticated malware": [[85, 108]], "Malware: malicious shortcut": [[142, 160]], "Malware: .lnk": [[163, 167]], "Malware: HTML help ( .chm ) files": [[208, 232]], "Malware: Microsoft Office documents": [[238, 264]]}, "info": {"id": "dnrti_train_003817", "source": "dnrti_train"}} {"text": "This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for 
the ASP.NET ISAPI Filter .", "spans": {"Malware: ASPNET_FILTER.DLL": [[92, 109]], "Malware: ASP.NET ISAPI Filter": [[146, 166]]}, "info": {"id": "dnrti_train_003818", "source": "dnrti_train"}} {"text": "In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": {"System: spear phishing emails": [[63, 84]], "Malware: malicious attachments": [[90, 111]], "Malware: Scout": [[160, 165]]}, "info": {"id": "dnrti_train_003819", "source": "dnrti_train"}} {"text": "The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": {"Malware: malicious attachments": [[4, 25]], "Malware: invitations": [[42, 53]], "Malware: drafts of the agenda": [[57, 77]]}, "info": {"id": "dnrti_train_003820", "source": "dnrti_train"}} {"text": "We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": {"Malware: THAM luan - GD -": [[51, 67]], "Malware: NCKH2.doc": [[68, 77]], "Malware: MS12-060": [[162, 170]]}, "info": {"id": "dnrti_train_003821", "source": "dnrti_train"}} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"Malware: document": [[5, 13]]}, "info": {"id": "dnrti_train_003822", "source": "dnrti_train"}} {"text": "Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"Malware: document malware": [[26, 42]], "Organization: Tibetan non-governmental organizations": [[62, 100]], "Organization: Falun Gong": [[129, 139]], "Organization: Uyghur groups": [[144, 157]]}, "info": {"id": "dnrti_train_003823", "source": 
"dnrti_train"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"Malware: exploit code": [[13, 25]]}, "info": {"id": "dnrti_train_003824", "source": "dnrti_train"}} {"text": "The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": {"Organization: Tibetan Parliamentarians": [[26, 50]], "Malware: malicious attachments": [[84, 105]], "Malware: documents bearing exploits": [[121, 147]]}, "info": {"id": "dnrti_train_003825", "source": "dnrti_train"}} {"text": "The first attack started in early July with a ShimRatReporter payload .", "spans": {"Malware: ShimRatReporter": [[46, 61]]}, "info": {"id": "dnrti_train_003826", "source": "dnrti_train"}} {"text": "In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": {"Organization: Trend Micro": [[43, 54]], "Malware: espionage toolkit": [[104, 121]], "Malware: KeyBoy": [[202, 208]]}, "info": {"id": "dnrti_train_003827", "source": "dnrti_train"}} {"text": "The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": {"Malware: exploit document": [[4, 20]], "Malware: KeyBoy": [[45, 51]], "Malware: decoy document": [[78, 92]]}, "info": {"id": "dnrti_train_003828", "source": "dnrti_train"}} {"text": "This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": {"Malware: rastls.dll": [[93, 103]], "Malware: 
Sycmentec.config files": [[108, 130]]}, "info": {"id": "dnrti_train_003829", "source": "dnrti_train"}} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"Malware: .lnk file": [[53, 62]]}, "info": {"id": "dnrti_train_003830", "source": "dnrti_train"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Malware: attachment": [[35, 45]], "Malware: NetTraveler": [[79, 90]], "Malware: DLL side-loading": [[99, 115]]}, "info": {"id": "dnrti_train_003831", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: Microsoft Office exploits": [[37, 62]], "Malware: Exploit.MSWord.CVE-2010-333": [[110, 137]], "Malware: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "dnrti_train_003832", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_003833", "source": "dnrti_train"}} {"text": "We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester .", "spans": {"Malware: malware": [[48, 55]], "Malware: Bluetooth device harvester": [[89, 115]]}, "info": {"id": "dnrti_train_003834", "source": "dnrti_train"}} {"text": "For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal 
variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 .", "spans": {"Organization: Bisonal malware": [[14, 29]], "Malware: Bisonal": [[98, 105]], "System: HTTP POST": [[216, 225]]}, "info": {"id": "dnrti_train_003835", "source": "dnrti_train"}} {"text": "Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia .", "spans": {"Malware: Bisonal malware": [[32, 47]]}, "info": {"id": "dnrti_train_003836", "source": "dnrti_train"}} {"text": "This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others .", "spans": {"Malware: sample": [[16, 22]]}, "info": {"id": "dnrti_train_003837", "source": "dnrti_train"}} {"text": "If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 .", "spans": {"Malware: it's": [[3, 7]], "Malware: Cyrillic": [[8, 16]], "Malware: UTF-16": [[136, 142]]}, "info": {"id": "dnrti_train_003838", "source": "dnrti_train"}} {"text": "Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": {"Malware: Bisonal": [[15, 22]]}, "info": {"id": "dnrti_train_003839", "source": "dnrti_train"}} {"text": "The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard .", "spans": {"Malware: the decoy PDF": [[16, 29]]}, "info": {"id": "dnrti_train_003840", "source": "dnrti_train"}} {"text": "The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization .", "spans": {"Malware: installed EXE file": [[4, 22]], "Malware: Bisonal variant": [[72, 87]]}, "info": {"id": "dnrti_train_003841", "source": "dnrti_train"}} {"text": "ined in the archive is called DriverInstallerU.exe” but its metadata shows that its original name 
is Interenet Assistant.exe” .", "spans": {"Malware: DriverInstallerU.exe”": [[30, 51]], "Malware: Interenet Assistant.exe”": [[101, 125]]}, "info": {"id": "dnrti_train_003842", "source": "dnrti_train"}} {"text": "In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” .", "spans": {"Malware: BMW_x1”": [[114, 121]], "Malware: BMW_x2”": [[124, 131]], "Malware: BMW_x8”": [[142, 149]]}, "info": {"id": "dnrti_train_003843", "source": "dnrti_train"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": {"Malware: wuaupdt.exe": [[0, 11]], "Malware: CMD": [[17, 20]]}, "info": {"id": "dnrti_train_003844", "source": "dnrti_train"}} {"text": "Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones .", "spans": {"Malware: wuaupdt.exe": [[57, 68]]}, "info": {"id": "dnrti_train_003845", "source": "dnrti_train"}} {"text": "Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well .", "spans": {"Malware: nbtscan": [[61, 68]], "Malware: powercat": [[73, 81]]}, "info": {"id": "dnrti_train_003846", "source": "dnrti_train"}} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": {"Malware: AutoHotKey scripts": [[66, 84]]}, "info": {"id": "dnrti_train_003847", "source": "dnrti_train"}} {"text": "Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group .", "spans": {"Malware: implant": [[103, 110]], "Organization: Gamaredon": [[115, 124]]}, "info": {"id": "dnrti_train_003848", "source": "dnrti_train"}} {"text": "The techniques and modules employed by EvilGnome — 
that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools .", "spans": {"Organization: EvilGnome": [[39, 48]], "Malware: SFX": [[70, 73]], "Malware: Windows tools": [[188, 201]]}, "info": {"id": "dnrti_train_003849", "source": "dnrti_train"}} {"text": "We can observe that the sample is very recent , created on Thursday , July 4", "spans": {"Malware: sample": [[24, 30]]}, "info": {"id": "dnrti_train_003850", "source": "dnrti_train"}} {"text": "As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking .", "spans": {"Malware: makeself script": [[51, 66]], "Malware: ./setup.sh": [[88, 98]]}, "info": {"id": "dnrti_train_003851", "source": "dnrti_train"}} {"text": "The ShooterAudio module uses PulseAudio to capture audio from the user's microphone .", "spans": {"Malware: ShooterAudio module": [[4, 23]], "Malware: PulseAudio": [[29, 39]]}, "info": {"id": "dnrti_train_003852", "source": "dnrti_train"}} {"text": "makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory .", "spans": {"Malware: makeself.sh": [[0, 11]], "Malware: shell script": [[23, 35]]}, "info": {"id": "dnrti_train_003853", "source": "dnrti_train"}} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": {"Malware: RAT": [[4, 7]]}, "info": {"id": "dnrti_train_003854", "source": "dnrti_train"}} {"text": "In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller .", "spans": {"Malware: Gh0st RAT": [[41, 50]], "Organization: Ghost Dragon": [[61, 73]]}, "info": {"id": "dnrti_train_003855", "source": "dnrti_train"}} {"text": "One hour 
later , Bemstour was used against an educational institution in Belgium .", "spans": {"Malware: Bemstour": [[17, 25]], "Malware: Belgium": [[73, 80]]}, "info": {"id": "dnrti_train_003856", "source": "dnrti_train"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": {"Malware: Bemstour": [[0, 8]], "Malware: DoublePulsar backdoor": [[62, 83]]}, "info": {"id": "dnrti_train_003857", "source": "dnrti_train"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": {"Malware: DoublePulsar": [[0, 12]]}, "info": {"id": "dnrti_train_003858", "source": "dnrti_train"}} {"text": "A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong .", "spans": {"Malware: Bemstour": [[40, 48]]}, "info": {"id": "dnrti_train_003859", "source": "dnrti_train"}} {"text": "Bemstour was used again in June 2017 in an attack against an organization in Luxembourg .", "spans": {"Malware: Bemstour": [[0, 8]]}, "info": {"id": "dnrti_train_003860", "source": "dnrti_train"}} {"text": "Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam .", "spans": {"Malware: Bemstour": [[34, 42]]}, "info": {"id": "dnrti_train_003861", "source": "dnrti_train"}} {"text": "Development of Bemstour has continued into 2019 .", "spans": {"Malware: Bemstour": [[15, 23]]}, "info": {"id": "dnrti_train_003862", "source": "dnrti_train"}} {"text": "Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) .", "spans": {"Malware: Bemstour": [[28, 36]], "Malware: Pirpi": [[67, 72]], "Malware: backdoor": [[73, 81], [151, 159]], "Malware: different": [[141, 150]]}, "info": {"id": "dnrti_train_003863", "source": "dnrti_train"}} {"text": 
"The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft .", "spans": {"Malware: Bemstour": [[26, 34]], "Organization: Symantec": [[43, 51]]}, "info": {"id": "dnrti_train_003864", "source": "dnrti_train"}} {"text": "Filensfer is a family of malware that has been used in targeted attacks since at least 2013 .", "spans": {"Malware: Filensfer": [[0, 9]]}, "info": {"id": "dnrti_train_003865", "source": "dnrti_train"}} {"text": "While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) .", "spans": {"Organization: Symantec": [[6, 14]], "Malware: Filensfer": [[45, 54]], "Malware: Buckeye malware": [[206, 221]], "Malware: (Backdoor.Pirpi)": [[222, 238]]}, "info": {"id": "dnrti_train_003866", "source": "dnrti_train"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"Vulnerability: CVE-2017-0143": [[0, 13]], "Malware: tools—EternalRomance": [[49, 69]], "Malware: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_train_003867", "source": "dnrti_train"}} {"text": "Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers .", "spans": {"Malware: EternalRomance": [[25, 39]], "Malware: EternalSynergy": [[53, 67]], "Malware: CVE-2017-0143": [[86, 99]]}, "info": {"id": "dnrti_train_003868", "source": "dnrti_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"Malware: RTF": [[5, 8]], "Vulnerability: CVE-2017_1882": [[28, 41]], "Malware: eqnedt32.exe": [[45, 57]]}, "info": {"id": 
"dnrti_train_003869", "source": "dnrti_train"}} {"text": "And the dropper execute the iassvcs.exe to make a side loading and make the persistence .", "spans": {"Malware: dropper": [[8, 15]], "Malware: iassvcs.exe": [[28, 39]]}, "info": {"id": "dnrti_train_003870", "source": "dnrti_train"}} {"text": "Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S .", "spans": {"Malware: Filensfer": [[28, 37]]}, "info": {"id": "dnrti_train_003871", "source": "dnrti_train"}} {"text": "Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 .", "spans": {"Malware: Hussarini": [[54, 63]]}, "info": {"id": "dnrti_train_003872", "source": "dnrti_train"}} {"text": "OutExtra.exe is a signed legitimate application from Microsoft named finder.exe .", "spans": {"Malware: OutExtra.exe": [[0, 12]], "Malware: finder.exe": [[69, 79]]}, "info": {"id": "dnrti_train_003873", "source": "dnrti_train"}} {"text": "Today , this malware is still actively being used against the Philippines .", "spans": {"Malware: malware": [[13, 20]]}, "info": {"id": "dnrti_train_003874", "source": "dnrti_train"}} {"text": "Xagent” is the original filename Xagent.exe whereas seems to be the version of the worm .", "spans": {"Malware: Xagent”": [[0, 7]], "Malware: worm": [[83, 87]]}, "info": {"id": "dnrti_train_003875", "source": "dnrti_train"}} {"text": "Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe .", "spans": {"Malware: malware": [[30, 37]], "Malware: BS2005 backdoors": [[81, 97]], "Malware: TidePool malware": [[141, 157]], "Organization: Palo Alto": [[179, 188]]}, "info": {"id": 
"dnrti_train_003876", "source": "dnrti_train"}} {"text": "The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors .", "spans": {"Malware: Okrum malware": [[32, 45]], "Malware: backdoors": [[138, 147]]}, "info": {"id": "dnrti_train_003877", "source": "dnrti_train"}} {"text": "We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 .", "spans": {"Malware: Okrum backdoor": [[59, 73]], "Malware: Ketrican backdoor": [[93, 110]]}, "info": {"id": "dnrti_train_003878", "source": "dnrti_train"}} {"text": "In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors .", "spans": {"Malware: Okrum malware": [[54, 67]], "Malware: Ketrican backdoors": [[84, 102]]}, "info": {"id": "dnrti_train_003879", "source": "dnrti_train"}} {"text": "This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor .", "spans": {"Malware: RoyalDNS malware": [[51, 67]], "Malware: Ketrican": [[74, 82]]}, "info": {"id": "dnrti_train_003880", "source": "dnrti_train"}} {"text": "According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 .", "spans": {"Organization: ESET": [[13, 17]], "Malware: Okrum": [[30, 35]]}, "info": {"id": "dnrti_train_003881", "source": "dnrti_train"}} {"text": "According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia .", "spans": {"Malware: Okrum": [[29, 34]]}, "info": {"id": "dnrti_train_003882", "source": "dnrti_train"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload 
within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", "spans": {"Malware: Okrum": [[52, 57]]}, "info": {"id": "dnrti_train_003883", "source": "dnrti_train"}} {"text": "According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month .", "spans": {"Organization: ClearSky": [[13, 21]], "Malware: WinRAR": [[104, 110]]}, "info": {"id": "dnrti_train_003884", "source": "dnrti_train"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": {"Malware: Sea Turtle": [[67, 77]]}, "info": {"id": "dnrti_train_003885", "source": "dnrti_train"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": {"Malware: xlsm file": [[38, 47]], "Malware: it": [[50, 52]]}, "info": {"id": "dnrti_train_003886", "source": "dnrti_train"}} {"text": "Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart .", "spans": {"Malware: link file": [[9, 18]], "Malware: AutoHotkeyU32.exe": [[45, 62]]}, "info": {"id": "dnrti_train_003887", "source": "dnrti_train"}} {"text": "Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources .", "spans": {"Malware: attacks": [[5, 12]], "System: downloading files": [[51, 68]]}, "info": {"id": "dnrti_train_003888", "source": "dnrti_train"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies .", "spans": {"Malware: Margarita": [[33, 42]]}, "info": {"id": 
"dnrti_train_003889", "source": "dnrti_train"}} {"text": "Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"Malware: Honeycomb": [[0, 9]]}, "info": {"id": "dnrti_train_003890", "source": "dnrti_train"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": {"Malware: UMBRAGE": [[0, 7]]}, "info": {"id": "dnrti_train_003891", "source": "dnrti_train"}} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) .", "spans": {"Malware: 'Improvise'": [[0, 11]], "System: Windows": [[182, 189]], "System: MacOS": [[204, 209]], "System: Linux": [[224, 229]]}, "info": {"id": "dnrti_train_003892", "source": "dnrti_train"}} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": {"Malware: sample": [[5, 11]], "Malware: Trochilus": [[31, 40]]}, "info": {"id": "dnrti_train_003893", "source": "dnrti_train"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": {"Malware: configuration file": [[4, 22]]}, "info": {"id": "dnrti_train_003894", "source": "dnrti_train"}} {"text": "Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , 
cu.exe , ss.rar , r.exe , pd.exe .", "spans": {"Malware: Visma": [[66, 71]], "Organization: APT10": [[128, 133]], "Malware: 1.bat": [[169, 174]], "Malware: cu.exe": [[177, 183]], "Malware: ss.rar": [[186, 192]], "Malware: r.exe": [[195, 200]], "Malware: pd.exe": [[203, 209]]}, "info": {"id": "dnrti_train_003895", "source": "dnrti_train"}} {"text": "Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL .", "spans": {"Organization: Rapid7": [[21, 27]], "Malware: gup.exe": [[70, 77]], "Malware: ANEL": [[215, 219]]}, "info": {"id": "dnrti_train_003896", "source": "dnrti_train"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials .", "spans": {"Organization: Insikt Group": [[0, 12]], "Malware: Citrix-hosted": [[111, 124]]}, "info": {"id": "dnrti_train_003897", "source": "dnrti_train"}} {"text": "KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK .", "spans": {"Malware: KHRAT": [[0, 5]], "Malware: backdoor trojan": [[11, 26]], "Organization: DragonOK": [[91, 99]]}, "info": {"id": "dnrti_train_003898", "source": "dnrti_train"}} {"text": "Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 .", "spans": {"Organization: Rapid7": [[0, 6]], "Malware: Dropbox": [[92, 99]]}, "info": {"id": "dnrti_train_003899", "source": "dnrti_train"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", 
"spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_train_003900", "source": "dnrti_train"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"Malware: RTF files": [[52, 61]], "Vulnerability: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_train_003901", "source": "dnrti_train"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Organization: Anomali": [[0, 7]], "Malware: ITW": [[86, 89]], "Vulnerability: CVE-2018-0798": [[117, 130]]}, "info": {"id": "dnrti_train_003902", "source": "dnrti_train"}} {"text": "The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 .", "spans": {"Malware: ITW": [[32, 35]], "Malware: RTF": [[195, 198]]}, "info": {"id": "dnrti_train_003903", "source": "dnrti_train"}} {"text": "Upon decrypting and executing , it drops two additional files wsc_proxy.exe” (legitimate Avast executable) and a malicious DLL wsc.dll” in the %TEMP% folder .", "spans": {"Malware: wsc_proxy.exe”": [[62, 76]], "Malware: wsc.dll”": [[127, 135]]}, "info": {"id": "dnrti_train_003904", "source": "dnrti_train"}} {"text": "However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) .", "spans": {"Organization: we": [[38, 40]], "Malware: AsyncRAT": [[104, 112]]}, "info": {"id": "dnrti_train_003905", "source": "dnrti_train"}} {"text": "In addition , a current ANY.RUN playback of our observed Elise infection is also available .", "spans": {"Malware: 
ANY.RUN": [[24, 31]], "Malware: Elise": [[57, 62]]}, "info": {"id": "dnrti_train_003906", "source": "dnrti_train"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"Vulnerability: CVE-2017-11882": [[66, 80]], "Malware: 'NavShExt.dll'": [[147, 161]], "Malware: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_train_003907", "source": "dnrti_train"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: CVE-2017-1182": [[87, 100]], "Malware: Microsoft Equation Editor": [[118, 143]], "Malware: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_train_003908", "source": "dnrti_train"}} {"text": "The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group .", "spans": {"Malware: POWERSTATS": [[158, 168]], "Malware: PowerShell backdoor": [[183, 202]], "Organization: threat group": [[211, 223]]}, "info": {"id": "dnrti_train_003909", "source": "dnrti_train"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more .", "spans": {"Malware: backdoor": [[14, 22]]}, "info": {"id": "dnrti_train_003910", "source": "dnrti_train"}} {"text": "If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe” .", "spans": {"Malware: SPK 
KANUN": [[17, 26]], "Malware: CiscoAny.exe”": [[151, 164]]}, "info": {"id": "dnrti_train_003911", "source": "dnrti_train"}} {"text": "INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll .", "spans": {"Malware: INF files": [[0, 8]], "Organization: MuddyWater": [[39, 49]], "Malware: Advpack.dll": [[86, 97]], "Malware: IEAdvpack.dll": [[106, 119]]}, "info": {"id": "dnrti_train_003912", "source": "dnrti_train"}} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": {"Malware: VBA2Graph": [[23, 32]]}, "info": {"id": "dnrti_train_003913", "source": "dnrti_train"}} {"text": "We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file .", "spans": {"Malware: PowerShell": [[37, 47]], "Malware: .dll file": [[105, 114]]}, "info": {"id": "dnrti_train_003914", "source": "dnrti_train"}} {"text": "The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents .", "spans": {"Malware: backdoor": [[41, 49]], "System: spear": [[53, 58]], "System: phishing": [[59, 67]], "System: spam": [[78, 82]]}, "info": {"id": "dnrti_train_003915", "source": "dnrti_train"}} {"text": "This includes Python scripts .", "spans": {}, "info": {"id": "dnrti_train_003916", "source": "dnrti_train"}} {"text": "Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions .", "spans": {"Malware: Stageless Meterpreter": [[14, 35]], "Malware: Ext_server_stdapi.x64.dll”": [[44, 70]], "Malware: Ext_server_extapi.x64.dll”": [[73, 99]], "Malware: Ext_server_espia.x64.dll”": [[106, 131]]}, "info": {"id": "dnrti_train_003917", "source": "dnrti_train"}} {"text": "However , Kaspersky Security Network (KSN) records also contain links 
that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application .", "spans": {"Organization: Kaspersky": [[10, 19]], "Malware: outlook.live.com”": [[119, 136]]}, "info": {"id": "dnrti_train_003918", "source": "dnrti_train"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"Malware: JavaScript": [[4, 14]]}, "info": {"id": "dnrti_train_003919", "source": "dnrti_train"}} {"text": "We identified two methods to deliver the KerrDown downloader to targets .", "spans": {"Organization: We": [[0, 2]], "Malware: KerrDown": [[41, 49]]}, "info": {"id": "dnrti_train_003920", "source": "dnrti_train"}} {"text": "The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon .", "spans": {"Malware: KerrDown": [[33, 41]], "Organization: we": [[97, 99]]}, "info": {"id": "dnrti_train_003921", "source": "dnrti_train"}} {"text": "While investigating KerrDown we found multiple RAR files containing a variant of the malware .", "spans": {"Malware: KerrDown": [[20, 28]], "Organization: we": [[29, 31]]}, "info": {"id": "dnrti_train_003922", "source": "dnrti_train"}} {"text": "The dropped PE file has the distinctive file name 8.t” .", "spans": {"Malware: PE": [[12, 14]], "Malware: 8.t”": [[50, 54]]}, "info": {"id": "dnrti_train_003923", "source": "dnrti_train"}} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_train_003924", "source": "dnrti_train"}} {"text": "The malware starts communicating with the C&C server by sending basic 
information about the infected machine .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_train_003925", "source": "dnrti_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"Malware: malware": [[4, 11]], "Malware: CMD/PowerShell": [[40, 54]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_train_003926", "source": "dnrti_train"}} {"text": "This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar .", "spans": {"Malware: document": [[14, 22]]}, "info": {"id": "dnrti_train_003927", "source": "dnrti_train"}} {"text": "The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store .", "spans": {"Malware: SDK": [[4, 7]], "Malware: SWAnalytics": [[16, 27]], "System: published on": [[87, 99]]}, "info": {"id": "dnrti_train_003928", "source": "dnrti_train"}} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": {"Malware: SWAnalytics": [[34, 45]]}, "info": {"id": "dnrti_train_003929", "source": "dnrti_train"}} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": {"Malware: module": [[5, 11]]}, "info": {"id": "dnrti_train_003930", "source": "dnrti_train"}} {"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in .", "spans": {"Malware: SWAnalytics": [[60, 71]]}, "info": {"id": "dnrti_train_003931", "source": 
"dnrti_train"}} {"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” .", "spans": {"Malware: SWAnalytics": [[24, 35]]}, "info": {"id": "dnrti_train_003932", "source": "dnrti_train"}} {"text": "From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category .", "spans": {"Malware: malicious sample": [[15, 31]]}, "info": {"id": "dnrti_train_003933", "source": "dnrti_train"}} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": {"Malware: SWAnalytics": [[25, 36]]}, "info": {"id": "dnrti_train_003934", "source": "dnrti_train"}} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": {"Malware: SWAnalytics": [[50, 61]]}, "info": {"id": "dnrti_train_003935", "source": "dnrti_train"}} {"text": "Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” .", "spans": {"System: Network Speed Master": [[46, 66]], "Malware: SWAnalytics": [[69, 80]]}, "info": {"id": "dnrti_train_003936", "source": "dnrti_train"}} {"text": "In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets .", "spans": {"Malware: SWAnalytics’": [[23, 35]]}, "info": {"id": "dnrti_train_003937", "source": "dnrti_train"}} {"text": "According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK .", "spans": {"Malware: Batmobi": [[106, 113]], "Malware: 
Duapps": [[116, 122]], "Malware: Cheetah SDK": [[141, 152]]}, "info": {"id": "dnrti_train_003938", "source": "dnrti_train"}} {"text": "It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns .", "spans": {"Organization: actor": [[31, 36]], "Malware: Panda Banker": [[51, 63], [204, 216]], "Organization: Arbor": [[128, 133]]}, "info": {"id": "dnrti_train_003939", "source": "dnrti_train"}} {"text": "Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before .", "spans": {"Malware: Panda Banker": [[67, 79]]}, "info": {"id": "dnrti_train_003940", "source": "dnrti_train"}} {"text": "Japan is no stranger to banking malware .", "spans": {"Malware: banking": [[24, 31]], "Malware: malware": [[32, 39]]}, "info": {"id": "dnrti_train_003941", "source": "dnrti_train"}} {"text": "Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware .", "spans": {"Malware: Ursnif": [[76, 82]], "Malware: Urlzone": [[87, 94]]}, "info": {"id": "dnrti_train_003942", "source": "dnrti_train"}} {"text": "This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan .", "spans": {"Malware: Panda Banker": [[46, 58]]}, "info": {"id": "dnrti_train_003943", "source": "dnrti_train"}} {"text": "We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems .", "spans": {"Organization: We": [[0, 2]], "Malware: SEDNIT": [[112, 118]]}, "info": {"id": "dnrti_train_003944", "source": "dnrti_train"}} {"text": "One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B .", "spans": {"Malware: XAgent": [[14, 20]], 
"Malware: IOS_XAGENT.A": [[33, 45]], "Malware: MadCap": [[105, 111]], "Malware: XAGENT.B": [[129, 137]]}, "info": {"id": "dnrti_train_003945", "source": "dnrti_train"}} {"text": "Madcap” is similar to the XAgent malware , but the former is focused on recording audio .", "spans": {"Malware: Madcap”": [[0, 7]], "Malware: XAgent": [[26, 32]]}, "info": {"id": "dnrti_train_003946", "source": "dnrti_train"}} {"text": "This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ .", "spans": {"Malware: ‘Tokyo’": [[64, 71]], "Malware: ‘Yokohama’": [[76, 86]]}, "info": {"id": "dnrti_train_003947", "source": "dnrti_train"}} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": {"Malware: TajMahal": [[37, 45]]}, "info": {"id": "dnrti_train_003948", "source": "dnrti_train"}} {"text": "The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 .", "spans": {"Malware: TajMahal": [[30, 38]]}, "info": {"id": "dnrti_train_003949", "source": "dnrti_train"}} {"text": "More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) .", "spans": {"Malware: TajMahal": [[19, 27]], "Organization: Kaspersky": [[62, 71]]}, "info": {"id": "dnrti_train_003950", "source": "dnrti_train"}} {"text": "The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository .", "spans": {"Malware: MSIL dropper": [[71, 83]], "Organization: Proofpoint": [[110, 120]]}, "info": {"id": "dnrti_train_003951", "source": "dnrti_train"}} {"text": "The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper .", "spans": {"Malware: KopiLuwak": [[70, 79]], "Malware: MSIL dropper": [[147, 
159]]}, "info": {"id": "dnrti_train_003952", "source": "dnrti_train"}} {"text": "The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper .", "spans": {"Malware: MSIL dropper": [[48, 60]], "Malware: Javascript (JS) dropper": [[115, 138]]}, "info": {"id": "dnrti_train_003953", "source": "dnrti_train"}} {"text": "As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only .", "spans": {"Malware: JS dropper": [[43, 53]], "Malware: JS decryptor": [[76, 88]], "Malware: KopiLuwak": [[168, 177]]}, "info": {"id": "dnrti_train_003954", "source": "dnrti_train"}} {"text": "As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload .", "spans": {"Organization: Proofpoint": [[3, 13]], "Malware: MSIL payload": [[145, 157]]}, "info": {"id": "dnrti_train_003955", "source": "dnrti_train"}} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": {"Malware: KopiLuwak": [[21, 30]]}, "info": {"id": "dnrti_train_003956", "source": "dnrti_train"}} {"text": "We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves .", "spans": {"Malware: .NET malware": [[51, 63]], "Malware: Topinambour": [[84, 95]]}, "info": {"id": "dnrti_train_003957", "source": "dnrti_train"}} {"text": "The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan .", "spans": {"Malware: .NET module": [[16, 27]], "Malware: KopiLuwak JavaScript": [[52, 72]]}, "info": {"id": "dnrti_train_003958", "source": "dnrti_train"}} {"text": "RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and MiamiBeach” 
serve as the first beacon messages from the victim to the control server .", "spans": {"Malware: RocketMan!”": [[0, 11]], "Malware: MiamiBeach”": [[82, 93]]}, "info": {"id": "dnrti_train_003959", "source": "dnrti_train"}} {"text": "These could be tools to circumvent internet censorship , such as Softether VPN 4.12” and psiphon3” , or Microsoft Office activators” .", "spans": {"Malware: Softether VPN 4.12”": [[65, 84]], "Malware: psiphon3”": [[89, 98]], "Malware: Microsoft Office activators”": [[104, 132]]}, "info": {"id": "dnrti_train_003960", "source": "dnrti_train"}} {"text": "These campaign-related VPSs are located in South Africa .", "spans": {"Organization: VPSs": [[23, 27]]}, "info": {"id": "dnrti_train_003961", "source": "dnrti_train"}} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"Malware: Trojan": [[33, 39]]}, "info": {"id": "dnrti_train_003962", "source": "dnrti_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"Malware: PowerShell": [[4, 14]]}, "info": {"id": "dnrti_train_003963", "source": "dnrti_train"}} {"text": "The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen” command to take a screenshot .", "spans": {"Malware: Trojan": [[4, 10]], "Malware: .NET RocketMan Trojan": [[35, 56]]}, "info": {"id": "dnrti_train_003964", "source": "dnrti_train"}} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": {"Malware: HIGHNOON": [[22, 30]], "Organization: Winnti": [[69, 75]]}, "info": {"id": "dnrti_train_003965", "source": "dnrti_train"}} {"text": "BalkanRAT enables the attacker to remotely control the compromised 
computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse .", "spans": {"Malware: BalkanRAT": [[0, 9]], "Malware: BalkanDoor": [[120, 130]]}, "info": {"id": "dnrti_train_003966", "source": "dnrti_train"}} {"text": "Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": {"Malware: BalkanRAT": [[5, 14]], "Malware: BalkanDoor": [[19, 29]]}, "info": {"id": "dnrti_train_003967", "source": "dnrti_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Malware: BalkanDoor": [[33, 43]], "Vulnerability: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_train_003968", "source": "dnrti_train"}} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience .", "spans": {"Malware: backdoor": [[4, 12]]}, "info": {"id": "dnrti_train_003969", "source": "dnrti_train"}} {"text": "The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access .", "spans": {"Malware: BalkanRAT malware": [[21, 38]]}, "info": {"id": "dnrti_train_003970", "source": "dnrti_train"}} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": {"Malware: China Chopper": [[0, 13]], "Organization: attackers": [[36, 45]]}, "info": {"id": "dnrti_train_003971", "source": "dnrti_train"}} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"Malware: China Chopper": [[0, 13]]}, "info": {"id": "dnrti_train_003972", 
"source": "dnrti_train"}} {"text": "They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe .", "spans": {"Malware: Mimikatz Lite": [[125, 138]], "Malware: GetPassword.exe": [[142, 157]]}, "info": {"id": "dnrti_train_003973", "source": "dnrti_train"}} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords .", "spans": {"Malware: tool": [[4, 8]]}, "info": {"id": "dnrti_train_003974", "source": "dnrti_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"Malware: China Chopper": [[4, 17]], "Vulnerability: CVE-2015-0062": [[146, 159]], "Vulnerability: CVE-2015-1701": [[162, 175]], "Vulnerability: CVE-2016-0099": [[180, 193]], "Organization: attacker": [[207, 215]]}, "info": {"id": "dnrti_train_003975", "source": "dnrti_train"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]]}, "info": {"id": "dnrti_train_003976", "source": "dnrti_train"}} {"text": "Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor .", "spans": {"Organization: ITG08’s": [[28, 35]], "System: spear phishing": [[111, 125]], "System: intrusion tactics": [[130, 147]], "System: covering information": [[152, 172]], "Malware: More_eggs backdoor": [[191, 209]]}, "info": {"id": "dnrti_train_003977", "source": "dnrti_train"}} {"text": "Additional capabilities of 
the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": {"Malware: More_eggs malware": [[31, 48]], "Malware: cmd.exe": [[132, 139]]}, "info": {"id": "dnrti_train_003978", "source": "dnrti_train"}} {"text": "X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote host .", "spans": {"Organization: X-Force IRIS": [[0, 12]], "Malware: More_eggs backdoor": [[33, 51]]}, "info": {"id": "dnrti_train_003979", "source": "dnrti_train"}} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection .", "spans": {"Vulnerability: CVE-2012-0158": [[23, 36]]}, "info": {"id": "dnrti_train_003980", "source": "dnrti_train"}} {"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"Organization: iSiGHT Partners": [[0, 15]], "Organization: Sandworm Team": [[28, 41]], "Vulnerability: zero-day exploit": [[163, 179]], "Vulnerability: CVE-2014-4114": [[182, 195]]}, "info": {"id": "dnrti_train_003981", "source": "dnrti_train"}} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document .", "spans": {"System: e-mail": [[39, 45]], "Vulnerability: Scarlet Mimic exploit": [[103, 124]]}, "info": {"id": "dnrti_train_003982", "source": "dnrti_train"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {"Organization: group": [[4, 9]], "Malware: legitimate administration tools": [[15, 46]]}, 
"info": {"id": "dnrti_train_003983", "source": "dnrti_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"Vulnerability: CVE-2017-1099": [[71, 84]], "Malware: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_train_003984", "source": "dnrti_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_train_003985", "source": "dnrti_train"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Malware: LATENTBOT malware": [[99, 116]]}, "info": {"id": "dnrti_train_003986", "source": "dnrti_train"}} {"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: actors": [[26, 32]], "Vulnerability: CVE-2017-0261": [[120, 133]], "Organization: APT28": [[140, 145]], "Vulnerability: CVE-2017-0262": [[180, 193]], "Vulnerability: CVE-2017-0263": [[250, 263]]}, "info": {"id": "dnrti_train_003987", "source": "dnrti_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, 
"info": {"id": "dnrti_train_003988", "source": "dnrti_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_train_003989", "source": "dnrti_train"}} {"text": "It is possible that CVE-2017-8759 was being used by additional actors .", "spans": {"Vulnerability: CVE-2017-8759": [[20, 33]], "Organization: actors": [[63, 69]]}, "info": {"id": "dnrti_train_003990", "source": "dnrti_train"}} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities .", "spans": {"Vulnerability: EternalBlue": [[20, 31]], "Malware: Metasploit": [[43, 53]], "Organization: actors": [[82, 88]]}, "info": {"id": "dnrti_train_003991", "source": "dnrti_train"}} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched .", "spans": {"Malware: Magnitude EK": [[4, 16]], "Vulnerability: CVE-2016-0189": [[43, 56]], "Organization: FireEye": [[87, 94]], "Malware: Neutrino Exploit Kit": [[112, 132]]}, "info": {"id": "dnrti_train_003992", "source": "dnrti_train"}} {"text": "The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Vulnerability: EternalBlue”": [[45, 57]], "Organization: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_train_003993", "source": "dnrti_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"Vulnerability: Cisco exploits": [[36, 50]]}, "info": {"id": "dnrti_train_003994", "source": "dnrti_train"}} {"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such 
as DisableSecurity and EnableSecurity for DarkPulsar .", "spans": {"Malware: DanderSpritz": [[0, 12]], "Malware: FuZZbuNch": [[81, 90]], "Malware: DisableSecurity": [[196, 211]], "Malware: EnableSecurity": [[216, 230]], "Malware: DarkPulsar": [[235, 245]]}, "info": {"id": "dnrti_train_003995", "source": "dnrti_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_train_003996", "source": "dnrti_train"}} {"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide .", "spans": {"Organization: NSA": [[133, 136]], "Vulnerability: ETERNALBLUE": [[161, 172]]}, "info": {"id": "dnrti_train_003997", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_003998", "source": "dnrti_train"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_train_003999", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing 
emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "Organization: military officials": [[63, 81]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_004000", "source": "dnrti_train"}} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers .", "spans": {"Malware: publicly available tools": [[47, 71]], "Malware: Mimikatz": [[84, 92]], "Malware: Hacktool.Mimikatz": [[95, 112]], "Vulnerability: CVE-2016-0051": [[206, 219]]}, "info": {"id": "dnrti_train_004001", "source": "dnrti_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"Malware: .doc files": [[54, 64]], "Malware: RTF documents": [[85, 98]], "Vulnerability: CVE-2017-8570": [[123, 136]], "Vulnerability: Composite": [[139, 148]], "Vulnerability: Moniker": [[149, 156]]}, "info": {"id": "dnrti_train_004002", "source": "dnrti_train"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_train_004003", "source": "dnrti_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: attackers": [[14, 23]], "Malware: MS PowerPoint document": [[32, 54]], "Vulnerability: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_train_004004", "source": "dnrti_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: Patchwork": [[10, 19]], "Malware: 
MS PowerPoint document": [[28, 50]], "Vulnerability: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_train_004005", "source": "dnrti_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_train_004006", "source": "dnrti_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"Organization: Pitty Tiger group": [[40, 57]], "Malware: Microsoft Office Word document": [[86, 116]], "Vulnerability: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_train_004007", "source": "dnrti_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"Malware: ActiveX control": [[46, 61]], "Malware: JavaScript file": [[76, 91]], "Vulnerability: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_train_004008", "source": "dnrti_train"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": {"Malware: document files": [[4, 18]], "Vulnerability: vulnerabilities": [[48, 63]]}, "info": {"id": "dnrti_train_004009", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious 
payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_004010", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "Organization: military officials": [[63, 81]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_004011", "source": "dnrti_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Organization: specific individuals": [[82, 102]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_train_004012", "source": "dnrti_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], "System: phishing": [[56, 64]], "Organization: specific individuals": [[83, 103]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_train_004013", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], 
"Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_004014", "source": "dnrti_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Organization: consumer": [[76, 84]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_train_004015", "source": "dnrti_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]], "Organization: customers": [[126, 135]]}, "info": {"id": "dnrti_train_004016", "source": "dnrti_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], "Organization: chemical makers": [[78, 93]], "Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_train_004017", "source": "dnrti_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"Malware: .doc files": [[54, 64]], "Malware: RTF documents": [[85, 98]], "Vulnerability: CVE-2017-8570": [[123, 136]], "Vulnerability: Composite": [[139, 148]], "Vulnerability: Moniker": [[149, 156]]}, "info": {"id": "dnrti_train_004018", "source": "dnrti_train"}} 
{"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_train_004019", "source": "dnrti_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: attackers": [[14, 23]], "Malware: MS PowerPoint document": [[32, 54]], "Vulnerability: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_train_004020", "source": "dnrti_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: Patchwork": [[10, 19]], "Malware: MS PowerPoint document": [[28, 50]], "Vulnerability: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_train_004021", "source": "dnrti_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_train_004022", "source": "dnrti_train"}} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": {"Organization: Patchwork": [[24, 33]], "Vulnerability: CVE-2017-0261": [[49, 62]], "Vulnerability: CVE-2015-2545": [[196, 209]]}, "info": {"id": "dnrti_train_004023", "source": "dnrti_train"}} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: Heartbleed vulnerability": [[36, 60]]}, "info": {"id": "dnrti_train_004024", "source": "dnrti_train"}} 
{"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Vulnerability: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "dnrti_train_004025", "source": "dnrti_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"Organization: Pitty Tiger group": [[40, 57]], "Malware: Microsoft Office Word document": [[86, 116]], "Vulnerability: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_train_004026", "source": "dnrti_train"}} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: CVE-2014-1761": [[26, 39]]}, "info": {"id": "dnrti_train_004027", "source": "dnrti_train"}} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts .", "spans": {"Organization: PLATINUM": [[0, 8]], "Vulnerability: zero-day exploits": [[43, 60]]}, "info": {"id": "dnrti_train_004028", "source": "dnrti_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"Malware: ActiveX control": [[46, 61]], "Malware: JavaScript file": [[76, 91]], "Vulnerability: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_train_004029", "source": "dnrti_train"}} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer 
.", "spans": {"Malware: Word": [[32, 36]], "Organization: PLATINUM": [[39, 47]], "Vulnerability: CVE-2015-2545": [[153, 166]], "Organization: attacker": [[200, 208]], "System: malicious DLL": [[248, 261]]}, "info": {"id": "dnrti_train_004030", "source": "dnrti_train"}} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application .", "spans": {"Malware: DLL": [[4, 7]], "Vulnerability: CVE-2015-2546": [[72, 85]], "Malware: Word": [[159, 163]]}, "info": {"id": "dnrti_train_004031", "source": "dnrti_train"}} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Malware: Word": [[32, 36]], "Vulnerability: CVE-2015-2545": [[147, 160]], "Organization: attacker": [[194, 202]], "System: malicious DLL": [[242, 255]]}, "info": {"id": "dnrti_train_004032", "source": "dnrti_train"}} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves .", "spans": {"Organization: PLATINUM": [[11, 19]], "Vulnerability: zero-day exploits": [[37, 54], [289, 306], [358, 375]], "System: remote code execution": [[95, 116]]}, "info": {"id": "dnrti_train_004033", "source": "dnrti_train"}} {"text": "PLATINUM has used several zero-day exploits against their victims .", "spans": {"Organization: PLATINUM": [[0, 8]], "Vulnerability: zero-day 
exploits": [[26, 43]]}, "info": {"id": "dnrti_train_004034", "source": "dnrti_train"}} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers .", "spans": {"Vulnerability: CVE-2015-2546": [[8, 21]], "Organization: attackers": [[168, 177]]}, "info": {"id": "dnrti_train_004035", "source": "dnrti_train"}} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 .", "spans": {"Vulnerability: zero-day vulnerability": [[18, 40]], "Vulnerability: CVE-2015-2545": [[51, 64]], "Organization: PLATINUM": [[75, 83]]}, "info": {"id": "dnrti_train_004036", "source": "dnrti_train"}} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks .", "spans": {"Malware: technical exploitation capabilities": [[29, 64]], "Vulnerability: zero-day exploits": [[131, 148]]}, "info": {"id": "dnrti_train_004037", "source": "dnrti_train"}} {"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched .", "spans": {"Organization: group": [[37, 42]], "Vulnerability: CVE-2016-4117": [[101, 114]]}, "info": {"id": "dnrti_train_004038", "source": "dnrti_train"}} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion .", "spans": {"Vulnerability: Rocke group exploits vulnerabilities": [[52, 88]]}, "info": {"id": "dnrti_train_004039", "source": "dnrti_train"}} {"text": 
"However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 .", "spans": {"Organization: Rocke": [[31, 36]], "Vulnerability: CVE-2018-1000861": [[105, 121]], "Vulnerability: CVE-2019-1003000": [[126, 142]]}, "info": {"id": "dnrti_train_004040", "source": "dnrti_train"}} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites .", "spans": {"Vulnerability: NSA exploits": [[86, 98]]}, "info": {"id": "dnrti_train_004041", "source": "dnrti_train"}} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild .", "spans": {"Organization: 360 Core Security": [[22, 39]], "Organization: APT-C-06": [[72, 80]], "Vulnerability: (CVE-2018-8174)": [[132, 147]]}, "info": {"id": "dnrti_train_004042", "source": "dnrti_train"}} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: (CVE-2018-0802)": [[62, 77]]}, "info": {"id": "dnrti_train_004043", "source": "dnrti_train"}} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 .", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2017-10271": [[79, 93]]}, "info": {"id": "dnrti_train_004044", "source": "dnrti_train"}} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host .", "spans": {"Malware: PingCastle MS17-010": [[71, 90]], "Vulnerability: 
EternalBlue": [[218, 229]]}, "info": {"id": "dnrti_train_004045", "source": "dnrti_train"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"Vulnerability: CVE-2017-10271": [[110, 124]], "Malware: PowerShell": [[138, 148]], "System: executing": [[222, 231]], "System: using ShellExecute()": [[235, 255]]}, "info": {"id": "dnrti_train_004046", "source": "dnrti_train"}} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"Vulnerability: zero-day": [[54, 62]], "Organization: TEMP.Reaper": [[110, 121]]}, "info": {"id": "dnrti_train_004047", "source": "dnrti_train"}} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 .", "spans": {"Organization: Zyklon": [[10, 16]], "Vulnerability: CVE-2017-8759": [[49, 62]]}, "info": {"id": "dnrti_train_004048", "source": "dnrti_train"}} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild .", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Organization: FireEye": [[37, 44]]}, "info": {"id": "dnrti_train_004049", "source": "dnrti_train"}} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office .", "spans": {"Vulnerability: CVE-2017-11882": [[37, 51]], "Organization: actors": [[86, 92]], "Vulnerability: (CVE-2017-11882)": [[146, 162]]}, "info": {"id": "dnrti_train_004050", "source": "dnrti_train"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are vulnerable to 
CVE-2017-0144 (EternalBlue) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_train_004051", "source": "dnrti_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Malware: python script": [[63, 76]], "Vulnerability: CVE-2017-0144": [[132, 145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_train_004052", "source": "dnrti_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 .", "spans": {"Organization: actors": [[15, 21]], "Vulnerability: CVE-2017-0144": [[109, 122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_train_004053", "source": "dnrti_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Malware: Microsoft .NET framework": [[121, 145]]}, "info": {"id": "dnrti_train_004054", "source": "dnrti_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: admin@338": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_004055", 
"source": "dnrti_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: attackers": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_004056", "source": "dnrti_train"}} {"text": "Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": {"Organization: APT12": [[31, 36]], "Malware: HIGHTIDE": [[65, 73]], "Malware: Microsoft Word": [[82, 96]], "Malware: .doc": [[99, 103]], "Vulnerability: CVE-2012-0158": [[129, 142]]}, "info": {"id": "dnrti_train_004057", "source": "dnrti_train"}} {"text": "The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: Sofacy group": [[4, 16]], "Vulnerability: Flash exploits": [[60, 74]], "Malware: Carberp": [[92, 99]], "Malware: JHUHUGIT downloaders": [[106, 126]]}, "info": {"id": "dnrti_train_004058", "source": "dnrti_train"}} {"text": "APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: Flash exploits": [[49, 63]], "Malware: Carberp": [[81, 88]], "Malware: JHUHUGIT downloaders": [[95, 115]]}, "info": {"id": "dnrti_train_004059", "source": "dnrti_train"}} {"text": "The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: Flash exploits": [[53, 67]], "Malware: Carberp": 
[[85, 92]], "Malware: JHUHUGIT downloaders": [[99, 119]]}, "info": {"id": "dnrti_train_004060", "source": "dnrti_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue exploit": [[46, 65]], "Malware: open source tool": [[74, 90]], "Malware: Responder": [[91, 100]]}, "info": {"id": "dnrti_train_004061", "source": "dnrti_train"}} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": {"Malware: JHUHUGIT": [[4, 12]], "Vulnerability: Java zero-day": [[110, 123]], "Vulnerability: CVE-2015-2590": [[126, 139]]}, "info": {"id": "dnrti_train_004062", "source": "dnrti_train"}} {"text": "We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": {"Vulnerability: CVE-2013-0640": [[64, 77]], "Malware: MiniDuke": [[88, 96]], "Vulnerability: zero-day": [[150, 158]], "Organization: group": [[180, 185]]}, "info": {"id": "dnrti_train_004063", "source": "dnrti_train"}} {"text": "FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT37": [[54, 59]], "Vulnerability: zero-day Adobe Flash vulnerability": [[72, 106]], "Vulnerability: CVE-2018-4878": [[109, 122]], "Malware: DOGCALL malware": [[139, 154]]}, "info": {"id": "dnrti_train_004064", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , 
to distribute DOGCALL malware to South Korean victims .", "spans": {"Organization: FireEye iSIGHT Intelligence": [[0, 27]], "Organization: APT37": [[74, 79]], "Vulnerability: zero-day Adobe Flash vulnerability": [[92, 126]], "Vulnerability: CVE-2018-4878": [[129, 142]], "Malware: DOGCALL malware": [[159, 174]]}, "info": {"id": "dnrti_train_004065", "source": "dnrti_train"}} {"text": "A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Organization: group": [[30, 35]], "Organization: hackers": [[54, 61]], "Vulnerability: zero-day exploit": [[105, 121]], "Organization: Gamma Group": [[247, 258]]}, "info": {"id": "dnrti_train_004066", "source": "dnrti_train"}} {"text": "A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Organization: BlackOasis group": [[30, 46]], "Organization: hackers": [[65, 72]], "Vulnerability: zero-day exploit": [[116, 132]], "Organization: Gamma Group": [[258, 269]]}, "info": {"id": "dnrti_train_004067", "source": "dnrti_train"}} {"text": "Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis group": [[20, 36]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[54, 95]], "Vulnerability: CVE-2016-4117": [[98, 111]], "Malware: FinSpy": [[158, 164]]}, "info": {"id": "dnrti_train_004068", "source": "dnrti_train"}} {"text": "Kaspersky found the 
group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: group": [[20, 25]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[43, 84]], "Vulnerability: CVE-2016-4117": [[87, 100]], "Malware: FinSpy": [[147, 153]]}, "info": {"id": "dnrti_train_004069", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Vulnerability: zero-day vulnerability": [[69, 91]], "System: scan-and-exploit techniques": [[146, 173]]}, "info": {"id": "dnrti_train_004070", "source": "dnrti_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: zero-day vulnerability": [[65, 87]], "System: scan-and-exploit techniques": [[142, 169]]}, "info": {"id": "dnrti_train_004071", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "System: phishing emails": [[23, 38]], "Malware: Daserf malware": [[96, 110]], "Vulnerability: Flash exploits": [[136, 150]]}, "info": {"id": "dnrti_train_004072", "source": "dnrti_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and 
has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: group": [[4, 9]], "System: phishing emails": [[19, 34]], "Malware: Daserf malware": [[92, 106]], "Vulnerability: Flash exploits": [[132, 146]]}, "info": {"id": "dnrti_train_004073", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[62, 75]], "System: remote code execution": [[104, 125]], "Vulnerability: CVE-2016-7836": [[142, 155]]}, "info": {"id": "dnrti_train_004074", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[82, 95]], "System: remote code execution": [[124, 145]], "Vulnerability: CVE-2016-7836": [[162, 175]]}, "info": {"id": "dnrti_train_004075", "source": "dnrti_train"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[51, 58]], "Organization: espionage": [[76, 85]]}, "info": {"id": "dnrti_train_004076", "source": "dnrti_train"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"Vulnerability: Carbanak": [[32, 40]], 
"Vulnerability: CVE-2013-3660": [[209, 222]]}, "info": {"id": "dnrti_train_004077", "source": "dnrti_train"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"Malware: Remote Desktop Protocol": [[57, 80]], "Malware: RDP": [[83, 86]], "Vulnerability: Carbanak": [[91, 99]]}, "info": {"id": "dnrti_train_004078", "source": "dnrti_train"}} {"text": "Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": {"Vulnerability: Carbanak": [[0, 8]]}, "info": {"id": "dnrti_train_004079", "source": "dnrti_train"}} {"text": "Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": {"Vulnerability: Carbanak": [[76, 84]]}, "info": {"id": "dnrti_train_004080", "source": "dnrti_train"}} {"text": "Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": {"Vulnerability: Carbanak": [[38, 46]], "Organization: attackers": [[47, 56]]}, "info": {"id": "dnrti_train_004081", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_004082", "source": "dnrti_train"}} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"Vulnerability: Carbanak": [[72, 80]], "Organization: payment providers": 
[[126, 143]], "Organization: PR companies": [[166, 178]]}, "info": {"id": "dnrti_train_004083", "source": "dnrti_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Organization: consumer": [[76, 84]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_train_004084", "source": "dnrti_train"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"Vulnerability: Carbanak": [[10, 18]]}, "info": {"id": "dnrti_train_004085", "source": "dnrti_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"Vulnerability: Carbanak": [[11, 19]]}, "info": {"id": "dnrti_train_004086", "source": "dnrti_train"}} {"text": "To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": {"Vulnerability: Carbanak": [[71, 79]], "Malware: Ammy Admin": [[174, 184]], "Malware: Team Viewer": [[189, 200]]}, "info": {"id": "dnrti_train_004087", "source": "dnrti_train"}} {"text": "Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": {"Vulnerability: Carbanak": [[28, 36]]}, "info": {"id": "dnrti_train_004088", "source": "dnrti_train"}} {"text": "These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": {"Organization: criminal groups": 
[[28, 43]], "Organization: PoSeidon": [[104, 112]], "Vulnerability: Carbanak": [[148, 156]], "Organization: criminal organization": [[174, 195]], "Organization: Carbon Spider": [[208, 221]]}, "info": {"id": "dnrti_train_004089", "source": "dnrti_train"}} {"text": "The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": {"Organization: crime gang": [[18, 28]], "Vulnerability: Carbanak": [[40, 48]], "Organization: financial institutions": [[97, 119]]}, "info": {"id": "dnrti_train_004090", "source": "dnrti_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"Organization: cybercrime gang": [[17, 32]], "Organization: financial institutions": [[88, 110]], "Vulnerability: Carbanak": [[160, 168]], "Malware: Cobalt": [[173, 179]]}, "info": {"id": "dnrti_train_004091", "source": "dnrti_train"}} {"text": "Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": {"Organization: CopyKittens": [[31, 42]], "Malware: Metasploit": [[47, 57]], "Malware: Mimikatz": [[180, 188]], "Malware: Empire": [[255, 261]], "Malware: PowerShell": [[266, 276]]}, "info": {"id": "dnrti_train_004092", "source": "dnrti_train"}} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 
countries .", "spans": {"Vulnerability: Carbanak": [[75, 83]], "Organization: cyber-criminal gang": [[88, 107]], "System: APT techniques": [[137, 151]], "Organization: financial institutions": [[209, 231]]}, "info": {"id": "dnrti_train_004093", "source": "dnrti_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]], "Organization: customers": [[126, 135]]}, "info": {"id": "dnrti_train_004094", "source": "dnrti_train"}} {"text": "In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": {"Vulnerability: Carbanak": [[29, 37]], "Organization: financial institution": [[68, 89]]}, "info": {"id": "dnrti_train_004095", "source": "dnrti_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_train_004096", "source": "dnrti_train"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"Organization: Ke3chang": [[0, 8]], "Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Malware: Adobe PDF Reader": [[156, 172]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": {"id": "dnrti_train_004097", "source": "dnrti_train"}} {"text": "While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also 
saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": {"Vulnerability: CVE-2015-8651": [[147, 160]], "Vulnerability: CVE-2016-1019": [[163, 176]], "Vulnerability: CVE-2016-4117": [[183, 196]]}, "info": {"id": "dnrti_train_004098", "source": "dnrti_train"}} {"text": "The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": {"Vulnerability: CVE-2018-4878": [[39, 52]], "Organization: attacker": [[65, 73]]}, "info": {"id": "dnrti_train_004099", "source": "dnrti_train"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_train_004100", "source": "dnrti_train"}} {"text": "WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": {"Malware: WannaCry": [[0, 8]], "Vulnerability: EternalBlue": [[18, 29]], "Malware: SMB": [[51, 54]]}, "info": {"id": "dnrti_train_004101", "source": "dnrti_train"}} {"text": "WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Malware: WannaCry": [[0, 8]], "Vulnerability: EternalBlue": [[44, 55]], "Organization: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_train_004102", "source": "dnrti_train"}} {"text": "Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": {"Organization: Microsoft": [[0, 9]], "Vulnerability: SMBv1 vulnerabilities": [[24, 45]]}, "info": {"id": "dnrti_train_004103", "source": "dnrti_train"}} {"text": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": {"Vulnerability: SMBv1 exploit": [[22, 35]], 
"Organization: Shadow Brokers": [[79, 93]], "Organization: threat group": [[94, 106]]}, "info": {"id": "dnrti_train_004104", "source": "dnrti_train"}} {"text": "If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": {"Malware: DoublePulsar backdoor": [[7, 28]], "Malware: SMB worm": [[55, 63]], "Vulnerability: Eternalblue SMBv1 exploit": [[108, 133]]}, "info": {"id": "dnrti_train_004105", "source": "dnrti_train"}} {"text": "Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": {"Organization: Leafminer": [[0, 9]], "Vulnerability: SMB vulnerabilities": [[124, 143]], "Organization: Microsoft": [[157, 166]]}, "info": {"id": "dnrti_train_004106", "source": "dnrti_train"}} {"text": "The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"Vulnerability: EternalBlue exploit": [[4, 23]], "Malware: Petya": [[137, 142]], "Malware: NotPetya": [[145, 153]]}, "info": {"id": "dnrti_train_004107", "source": "dnrti_train"}} {"text": "The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": {"Organization: Leafminer": [[4, 13]], "Organization: operators": [[14, 23]], "Vulnerability: EternalBlue": [[28, 39]]}, "info": {"id": "dnrti_train_004108", "source": "dnrti_train"}} {"text": "Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Leafminer": [[35, 44]], "Vulnerability: Heartbleed vulnerability": [[61, 85]], "Vulnerability: CVE-2014-0160": [[88, 101]]}, "info": {"id": "dnrti_train_004109", "source": 
"dnrti_train"}} {"text": "The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": {"Vulnerability: CVE-2017-8759": [[26, 39]]}, "info": {"id": "dnrti_train_004110", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_004111", "source": "dnrti_train"}} {"text": "The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: CVE-2012-0158": [[59, 72]]}, "info": {"id": "dnrti_train_004112", "source": "dnrti_train"}} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"Organization: Spring Dragon group": [[14, 33]], "Vulnerability: spearphish exploits": [[60, 79]], "System: strategic web compromises": [[82, 107]]}, "info": {"id": "dnrti_train_004113", "source": "dnrti_train"}} {"text": "The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: PDF exploits": [[41, 53]], "Vulnerability: Adobe Flash Player exploits": [[56, 83]], "Vulnerability: CVE-2012-0158": [[101, 114]], "Vulnerability: Word exploits": [[115, 128]], "Malware: Tran Duy Linh": [[175, 188]]}, "info": {"id": "dnrti_train_004114", "source": "dnrti_train"}} {"text": "While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": {"Organization: actor": [[22, 27]], "Vulnerability: CVE-2012-0158": [[67, 80]], "Organization: Spring 
Dragon": [[104, 117]]}, "info": {"id": "dnrti_train_004115", "source": "dnrti_train"}} {"text": "To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"Vulnerability: CVE-2017-11882": [[239, 253]]}, "info": {"id": "dnrti_train_004116", "source": "dnrti_train"}} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": {"Organization: actors": [[4, 10]], "Vulnerability: CVE-2014-6332": [[32, 45]], "Malware: Emissary": [[144, 152]]}, "info": {"id": "dnrti_train_004117", "source": "dnrti_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_train_004118", "source": "dnrti_train"}} {"text": "Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Vulnerability: CVE-2014-6332": [[35, 48]]}, "info": {"id": "dnrti_train_004119", "source": "dnrti_train"}} {"text": "Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Vulnerability: CVE-2014-6332": [[40, 53]], "Malware: Emissary Trojan": [[86, 101]]}, "info": {"id": "dnrti_train_004120", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a 
malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_004121", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"Organization: APT34": [[19, 24]], "Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Malware: POWRUNER": [[95, 103]], "Malware: BONDUPDATER": [[108, 119]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_004122", "source": "dnrti_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], "Organization: chemical makers": [[78, 93]], "Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_train_004123", "source": "dnrti_train"}} {"text": "Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. 
government website and a variety of others .", "spans": {"Malware: PIVY": [[16, 20]], "Vulnerability: zero-day exploit": [[42, 58]]}, "info": {"id": "dnrti_train_004124", "source": "dnrti_train"}} {"text": "It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": {"Malware: Tran Duy Linh": [[27, 40]], "Vulnerability: CVE-2012-0158": [[43, 56]]}, "info": {"id": "dnrti_train_004125", "source": "dnrti_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "System: email attachment": [[24, 40]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_train_004126", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[15, 24]], "Vulnerability: CVE-2016-4117": [[50, 63]]}, "info": {"id": "dnrti_train_004127", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[15, 24]], "Vulnerability: zero-day exploit": [[37, 53]]}, "info": {"id": "dnrti_train_004128", "source": "dnrti_train"}} {"text": "NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Vulnerability: CVE-2016-4117": [[35, 48]], "Organization: 
PROMETHIUM": [[67, 77]]}, "info": {"id": "dnrti_train_004129", "source": "dnrti_train"}} {"text": "In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": {"Organization: activity groups": [[39, 54]], "Organization: PROMETHIUM": [[57, 67]], "Organization: NEODYMIUM": [[72, 81]], "Vulnerability: zeroday exploit": [[140, 155]]}, "info": {"id": "dnrti_train_004130", "source": "dnrti_train"}} {"text": "The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: hacker group": [[19, 31]], "Organization: BlackOasis": [[60, 70]], "Organization: Kaspersky": [[73, 82]], "Organization: group": [[93, 98]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[116, 157]], "Vulnerability: CVE-2016-4117": [[160, 173]], "Malware: FinSpy": [[220, 226]]}, "info": {"id": "dnrti_train_004131", "source": "dnrti_train"}} {"text": "The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": {"Organization: Kaspersky": [[17, 26]], "Vulnerability: zero-day exploit": [[52, 68]], "Organization: BlackOasis": [[77, 87]]}, "info": {"id": "dnrti_train_004132", "source": "dnrti_train"}} {"text": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: Microsoft": [[23, 32]], "Vulnerability: CVE-2017-11882": [[52, 66]], "Organization: FireEye": [[87, 94]], "Organization: attacker": [[107, 115]], "Vulnerability: Microsoft Office vulnerability": [[141, 171]], "Organization: government organization": [[184, 207]]}, "info": {"id": "dnrti_train_004133", "source": "dnrti_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, "info": {"id": "dnrti_train_004134", "source": "dnrti_train"}} {"text": "In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": {"Organization: APT34": [[26, 31]], "Vulnerability: Microsoft Office vulnerability": [[53, 83]], "Vulnerability: CVE-2017-11882": [[84, 98]], "Malware: POWRUNER": [[109, 117]], "Malware: BONDUPDATER": [[122, 133]]}, "info": {"id": "dnrti_train_004135", "source": "dnrti_train"}} {"text": "During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": {"Organization: APT34": [[29, 34]], "Vulnerability: CVE-2017-0199": [[125, 138]], "Vulnerability: CVE-2017-11882": [[143, 157]]}, "info": {"id": "dnrti_train_004136", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"Organization: APT34": [[19, 24]], "Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Malware: POWRUNER": [[95, 103]], "Malware: 
BONDUPDATER": [[108, 119]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_004137", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: malicious RTF": [[31, 44]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_004138", "source": "dnrti_train"}} {"text": "Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": {"Vulnerability: Microsoft Windows OLE Remote Code Execution Vulnerability": [[87, 144]], "Vulnerability: CVE-2014-6332": [[147, 160]]}, "info": {"id": "dnrti_train_004139", "source": "dnrti_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_train_004140", "source": "dnrti_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": 
{"id": "dnrti_train_004141", "source": "dnrti_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: malicious.DOC": [[86, 99]], "Vulnerability: Microsoft Common Controls vulnerability": [[119, 158]], "Vulnerability: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_train_004142", "source": "dnrti_train"}} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": {"Organization: TG-3390": [[0, 7]], "Organization: CTU": [[56, 59]], "Vulnerability: zero-day exploits": [[114, 131]]}, "info": {"id": "dnrti_train_004143", "source": "dnrti_train"}} {"text": "TG-3390 actors have used Java exploits in their SWCs .", "spans": {"Organization: TG-3390": [[0, 7]], "Vulnerability: Java exploits": [[25, 38]], "Malware: SWCs": [[48, 52]]}, "info": {"id": "dnrti_train_004144", "source": "dnrti_train"}} {"text": "In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"Organization: TG-3390": [[16, 23]], "Vulnerability: CVE-2011-3544": [[38, 51]], "Malware: HTTPBrowser backdoor": [[119, 139]], "Vulnerability: CVE-2010-0738": [[146, 159]], "Malware: JBoss": [[181, 186]]}, "info": {"id": "dnrti_train_004145", "source": "dnrti_train"}} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code 
.", "spans": {"Vulnerability: CVE-2011-3544": [[49, 62]], "Malware: HTTPBrowser backdoor": [[130, 150]], "Vulnerability: CVE-2010-0738": [[157, 170]], "Malware: JBoss": [[192, 197]]}, "info": {"id": "dnrti_train_004146", "source": "dnrti_train"}} {"text": "TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": {"System: leveraging SWCs": [[48, 63]], "System: scan-and-exploit techniques": [[68, 95]]}, "info": {"id": "dnrti_train_004147", "source": "dnrti_train"}} {"text": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack .", "spans": {"Vulnerability: CVE-2017-11882": [[65, 79]], "Malware: Microsoft Office Equation Editor": [[82, 114]]}, "info": {"id": "dnrti_train_004148", "source": "dnrti_train"}} {"text": "LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[48, 78]], "Vulnerability: CVE-2017-11882": [[81, 95]]}, "info": {"id": "dnrti_train_004149", "source": "dnrti_train"}} {"text": "No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": {"Vulnerability: zero-day vulnerabilities": [[3, 27]], "Vulnerability: CVE-2011-3544": [[124, 137]], "Vulnerability: CVE-2010-0738": [[185, 198]], "Organization: Dell SecureWorks'": [[231, 248]]}, "info": {"id": "dnrti_train_004150", "source": "dnrti_train"}} {"text": "Execute a command through exploits for CVE-2017-11882 .", "spans": {"Vulnerability: CVE-2017-11882": [[39, 53]]}, "info": {"id": "dnrti_train_004151", "source": 
"dnrti_train"}} {"text": "Execute a command through exploits for CVE-2018-0802 .", "spans": {"Vulnerability: CVE-2018-0802": [[39, 52]]}, "info": {"id": "dnrti_train_004152", "source": "dnrti_train"}} {"text": "The document attached to this e-mail exploits CVE-2012-0158 .", "spans": {"Vulnerability: e-mail exploits": [[30, 45]], "Vulnerability: CVE-2012-0158": [[46, 59]]}, "info": {"id": "dnrti_train_004153", "source": "dnrti_train"}} {"text": "Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": {"Organization: Tropic Trooper": [[0, 14]], "Vulnerability: CVE-2012-0158": [[40, 53]]}, "info": {"id": "dnrti_train_004154", "source": "dnrti_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_train_004155", "source": "dnrti_train"}} {"text": "the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": {"Vulnerability: CVE-2013-5065": [[43, 56]], "Vulnerability: EoP exploit": [[57, 68]]}, "info": {"id": "dnrti_train_004156", "source": "dnrti_train"}} {"text": "While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": {"Vulnerability: CVE-2014-0515": [[89, 102]], "Vulnerability: Adobe Flash exploit": [[103, 122]], "Organization: Cisco TRAC": [[141, 151]]}, "info": {"id": "dnrti_train_004157", "source": "dnrti_train"}} {"text": "However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be 
compromised .", "spans": {"Organization: APT20": [[36, 41]], "Vulnerability: zero-day exploits": [[50, 67]]}, "info": {"id": "dnrti_train_004158", "source": "dnrti_train"}} {"text": "PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": {"Vulnerability: Flash vulnerability": [[108, 127]], "Vulnerability: CVE-2015-5119": [[130, 143]]}, "info": {"id": "dnrti_train_004159", "source": "dnrti_train"}} {"text": "PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", "spans": {"Vulnerability: CVE-2017-7269": [[16, 29]]}, "info": {"id": "dnrti_train_004160", "source": "dnrti_train"}} {"text": "Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: flash exploit": [[96, 109]], "Vulnerability: CVE-2015-5119": [[112, 125]]}, "info": {"id": "dnrti_train_004161", "source": "dnrti_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"Malware: document": [[7, 15]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Vulnerability: CVE-2013-3906": [[80, 93]], "Vulnerability: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_train_004162", "source": "dnrti_train"}} {"text": "Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": {"Vulnerability: kit Niteris": [[38, 49]], "Malware: Corkow": [[65, 71]]}, "info": {"id": "dnrti_train_004163", "source": "dnrti_train"}} {"text": "The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", 
"spans": {"Vulnerability: CVE-2012-0773": [[4, 17]]}, "info": {"id": "dnrti_train_004164", "source": "dnrti_train"}} {"text": "The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": {"Malware: decoy documents": [[4, 19]], "Vulnerability: InPage exploits": [[32, 47]]}, "info": {"id": "dnrti_train_004165", "source": "dnrti_train"}} {"text": "While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": {"Malware: InPage software": [[40, 55]], "Organization: Unit42": [[110, 116]], "Vulnerability: InPage exploits": [[139, 154]], "Organization: Kaspersky": [[250, 259]]}, "info": {"id": "dnrti_train_004166", "source": "dnrti_train"}} {"text": "Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"Organization: Patchwork": [[12, 21]], "Vulnerability: CVE-2015-1641": [[191, 204]], "Vulnerability: CVE-2017-11882": [[209, 223]]}, "info": {"id": "dnrti_train_004167", "source": "dnrti_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Organization: Patchwork": [[9, 18]], "Malware: RTF files": [[45, 54]], "Vulnerability: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_train_004168", "source": "dnrti_train"}} {"text": "Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"Malware: Confucius'": [[0, 10]], "Vulnerability: CVE-2015-1641": [[105, 118]], "Vulnerability: CVE-2017-11882": [[123, 137]]}, "info": {"id": "dnrti_train_004169", "source": 
"dnrti_train"}} {"text": "The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": {"Malware: sctrls backdoor": [[4, 19]], "System: RTF files": [[52, 61]], "Vulnerability: CVE-2015-1641": [[73, 86]]}, "info": {"id": "dnrti_train_004170", "source": "dnrti_train"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTML Application": [[71, 87]], "Malware: HTA": [[90, 93]], "Malware: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_train_004171", "source": "dnrti_train"}} {"text": "Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": {"Vulnerability: Nitris Exploit Kit": [[27, 45]], "Vulnerability: CottonCastle": [[67, 79]]}, "info": {"id": "dnrti_train_004172", "source": "dnrti_train"}} {"text": "Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": {"Vulnerability: Niteris exploit": [[45, 60]]}, "info": {"id": "dnrti_train_004173", "source": "dnrti_train"}} {"text": "In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": {"Vulnerability: CVE-2012-0158": [[81, 94]]}, "info": {"id": "dnrti_train_004174", "source": "dnrti_train"}} {"text": "Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": {"Organization: The Lamberts": 
[[45, 57]], "Organization: ITSec community": [[97, 112]], "Organization: FireEye": [[148, 155]], "Vulnerability: zero day vulnerability": [[185, 207]], "Vulnerability: CVE-2014-4148": [[210, 223]]}, "info": {"id": "dnrti_train_004175", "source": "dnrti_train"}} {"text": "The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": {"Malware: Lambert family malware": [[19, 41]], "Organization: FireEye": [[92, 99]], "Vulnerability: zero day exploit": [[122, 138]], "Vulnerability: CVE-2014-4148": [[141, 154]]}, "info": {"id": "dnrti_train_004176", "source": "dnrti_train"}} {"text": "While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": {"Vulnerability: zero-day exploit": [[125, 141]], "Vulnerability: CVE-2014-4148": [[144, 157]]}, "info": {"id": "dnrti_train_004177", "source": "dnrti_train"}} {"text": "To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": {"Malware: Lamberts toolkit": [[69, 85]], "Malware: Black Lambert": [[102, 115]], "Vulnerability: zero day exploit": [[152, 168]], "Vulnerability: CVE-2014-4148": [[171, 184]]}, "info": {"id": "dnrti_train_004178", "source": "dnrti_train"}} {"text": "This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]]}, "info": {"id": "dnrti_train_004179", "source": "dnrti_train"}} {"text": "Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]], "Malware: NetTraveler Trojan": [[77, 95]]}, "info": {"id": "dnrti_train_004180", "source": "dnrti_train"}} {"text": "Unit 42 's 
analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: NetTraveler": [[31, 42]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Malware: NetTraveler Trojan": [[89, 107]]}, "info": {"id": "dnrti_train_004181", "source": "dnrti_train"}} {"text": "Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[24, 35]], "Vulnerability: CVE-2012-0158": [[57, 70]], "Malware: NetTraveler Trojan": [[82, 100]]}, "info": {"id": "dnrti_train_004182", "source": "dnrti_train"}} {"text": "In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Vulnerability: CVE-2012-0158": [[66, 79]], "Malware: NetTraveler Trojan": [[95, 113]]}, "info": {"id": "dnrti_train_004183", "source": "dnrti_train"}} {"text": "In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[34, 45]], "Vulnerability: CVE-2012-0158": [[67, 80]], "Malware: NetTraveler Trojan": [[96, 114]]}, "info": {"id": "dnrti_train_004184", "source": "dnrti_train"}} {"text": "In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[38, 49]], "Vulnerability: CVE-2012-0158": [[71, 84]], "Malware: NetTraveler Trojan": [[100, 118]]}, "info": {"id": "dnrti_train_004185", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: Microsoft Office exploits": [[37, 62]], "Malware: Exploit.MSWord.CVE-2010-333": [[110, 137]], "Malware: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, 
"info": {"id": "dnrti_train_004186", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_004187", "source": "dnrti_train"}} {"text": "Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"Organization: Securelist": [[21, 31]], "Vulnerability: zero-day Adobe Flash Player exploit": [[61, 96]]}, "info": {"id": "dnrti_train_004188", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": {"Vulnerability: 0-day": [[111, 116]], "Vulnerability: Adobe Flash Player exploit": [[119, 145]]}, "info": {"id": "dnrti_train_004189", "source": "dnrti_train"}} {"text": "Adobe Flash Player exploit .", "spans": {"Vulnerability: Adobe Flash Player exploit": [[0, 26]]}, "info": {"id": "dnrti_train_004190", "source": "dnrti_train"}} {"text": "It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": {"Organization: ScarCruft": [[25, 34]], "Vulnerability: zero day exploit": [[52, 68]], "Vulnerability: CVE-2016-0147": [[71, 84]]}, "info": {"id": "dnrti_train_004191", "source": "dnrti_train"}} {"text": "Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"Vulnerability: Flash Player exploit": [[35, 55]], "Vulnerability: CVE-2016-4117": [[58, 71]]}, "info": {"id": "dnrti_train_004192", "source": "dnrti_train"}} {"text": "ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through 
the use of watering hole attacks .", "spans": {"Organization: ScarCruft": [[0, 9]], "Vulnerability: Flash Player exploit": [[48, 68]], "Vulnerability: CVE-2016-4117": [[71, 84]]}, "info": {"id": "dnrti_train_004193", "source": "dnrti_train"}} {"text": "Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": {"Organization: ScarCruft": [[49, 58]], "Vulnerability: zero-day exploits": [[92, 109]]}, "info": {"id": "dnrti_train_004194", "source": "dnrti_train"}} {"text": "This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": {"Vulnerability: CVE-2018-8120": [[63, 76]], "Malware: UACME": [[80, 85]]}, "info": {"id": "dnrti_train_004195", "source": "dnrti_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"Vulnerability: zero-day Adobe Flash Player exploit": [[39, 74]]}, "info": {"id": "dnrti_train_004196", "source": "dnrti_train"}} {"text": "The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: CVE-2016-4117": [[77, 90]], "System: watering holes": [[105, 119]]}, "info": {"id": "dnrti_train_004197", "source": "dnrti_train"}} {"text": "The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: CVE-2016-4117": [[68, 81]], "System: watering holes": [[96, 110]]}, "info": {"id": "dnrti_train_004198", "source": "dnrti_train"}} {"text": "The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": {"Vulnerability: Flash zero day": [[41, 55]]}, "info": {"id": "dnrti_train_004199", "source": "dnrti_train"}} {"text": 
"Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": {"Vulnerability: zero-day vulnerability": [[28, 50]]}, "info": {"id": "dnrti_train_004200", "source": "dnrti_train"}} {"text": "Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": {"Organization: Kaspersky Lab": [[15, 28], [156, 169]], "Vulnerability: zero-day": [[94, 102]]}, "info": {"id": "dnrti_train_004201", "source": "dnrti_train"}} {"text": "Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: ScarCruft": [[26, 35]], "Vulnerability: zero-day": [[65, 73]], "Vulnerability: CVE-2016-0147": [[76, 89]]}, "info": {"id": "dnrti_train_004202", "source": "dnrti_train"}} {"text": "Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"Vulnerability: Flash exploit": [[65, 78]], "Vulnerability: CVE-2016-4117": [[81, 94]]}, "info": {"id": "dnrti_train_004203", "source": "dnrti_train"}} {"text": "Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": {"Vulnerability: zero day": [[82, 90]], "Vulnerability: CVE-2016-4171": [[91, 104]]}, "info": {"id": "dnrti_train_004204", "source": "dnrti_train"}} {"text": "Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Malware: stolen code signing 
certificate": [[39, 70]], "Vulnerability: Flash Player exploit": [[132, 152]]}, "info": {"id": "dnrti_train_004205", "source": "dnrti_train"}} {"text": "Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Vulnerability: Java zero-day exploit": [[43, 64]], "System: watering holes": [[91, 105]]}, "info": {"id": "dnrti_train_004206", "source": "dnrti_train"}} {"text": "Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": {"Vulnerability: Flash exploits": [[11, 25]], "System: watering holes": [[64, 78]], "Vulnerability: Java zero-day": [[95, 108]], "Organization: Kaspersky Lab": [[168, 181]], "Vulnerability: Exploit.Java.CVE-2012-3213.b": [[194, 222]]}, "info": {"id": "dnrti_train_004207", "source": "dnrti_train"}} {"text": "In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims .", "spans": {"Organization: Buhtrap": [[27, 34]], "Vulnerability: CVE-2019-1132": [[80, 93]]}, "info": {"id": "dnrti_train_004208", "source": "dnrti_train"}} {"text": "Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus .", "spans": {"Vulnerability: CVE-2018-8414": [[74, 87]], "Organization: DarkHydrus": [[177, 187]]}, "info": {"id": "dnrti_train_004209", "source": "dnrti_train"}} {"text": "WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet .", 
"spans": {"Vulnerability: CVE-2017-0144": [[100, 113]], "Vulnerability: CVE-2017-0145": [[118, 131]]}, "info": {"id": "dnrti_train_004210", "source": "dnrti_train"}} {"text": "One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec .", "spans": {"Vulnerability: zero-day vulnerability": [[31, 53]], "Organization: Symantec": [[84, 92]]}, "info": {"id": "dnrti_train_004211", "source": "dnrti_train"}} {"text": "Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": {"Organization: Bemstour": [[0, 8]], "Vulnerability: vulnerabilities": [[30, 45]]}, "info": {"id": "dnrti_train_004212", "source": "dnrti_train"}} {"text": "The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak .", "spans": {"Vulnerability: vulnerability": [[19, 32]], "Organization: Shadow Brokers": [[211, 225]]}, "info": {"id": "dnrti_train_004213", "source": "dnrti_train"}} {"text": "These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 .", "spans": {"Vulnerability: CVE-2010-3962": [[14, 27]], "Vulnerability: CVE-2014-1776": [[70, 83]]}, "info": {"id": "dnrti_train_004214", "source": "dnrti_train"}} {"text": "Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group .", "spans": {"Organization: Shadow Brokers": [[54, 68]], "Organization: Equation": [[130, 138]]}, "info": {"id": "dnrti_train_004215", "source": "dnrti_train"}} {"text": "The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests .", "spans": {"Organization: Symantec": [[49, 57]], "Vulnerability: (CVE-2019-0703)": [[58, 73]]}, "info": {"id": 
"dnrti_train_004216", "source": "dnrti_train"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"Vulnerability: CVE-2017-0143": [[0, 13]], "Malware: tools—EternalRomance": [[49, 69]], "Malware: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_train_004217", "source": "dnrti_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"Malware: RTF": [[5, 8]], "Vulnerability: CVE-2017_1882": [[28, 41]], "Malware: eqnedt32.exe": [[45, 57]]}, "info": {"id": "dnrti_train_004218", "source": "dnrti_train"}} {"text": "At this time , we do not believe that the attackers found a new ASA exploit .", "spans": {"Organization: we": [[15, 17]], "Organization: attackers": [[42, 51]], "Vulnerability: ASA": [[64, 67]], "Vulnerability: exploit": [[68, 75]]}, "info": {"id": "dnrti_train_004219", "source": "dnrti_train"}} {"text": "We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor .", "spans": {"Organization: groups": [[15, 21]], "Vulnerability: CVE-2018-0798": [[35, 48]]}, "info": {"id": "dnrti_train_004220", "source": "dnrti_train"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_train_004221", "source": "dnrti_train"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"Malware: RTF files": 
[[52, 61]], "Vulnerability: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_train_004222", "source": "dnrti_train"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Organization: Anomali": [[0, 7]], "Malware: ITW": [[86, 89]], "Vulnerability: CVE-2018-0798": [[117, 130]]}, "info": {"id": "dnrti_train_004223", "source": "dnrti_train"}} {"text": "CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption .", "spans": {"Vulnerability: CVE-2018-0798": [[0, 13]], "Organization: threat actor": [[91, 103]]}, "info": {"id": "dnrti_train_004224", "source": "dnrti_train"}} {"text": "As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity .", "spans": {"Vulnerability: CVE-2017-11882": [[28, 42]], "Vulnerability: CVE-2018-0802": [[47, 60]], "Malware: weaponizer": [[67, 77]], "Organization: actors": [[126, 132]]}, "info": {"id": "dnrti_train_004225", "source": "dnrti_train"}} {"text": "Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer .", "spans": {"Organization: threat groups": [[90, 103]], "Vulnerability: CVE-2018-0798": [[122, 135]], "Malware: RTF weaponizer": [[145, 159]]}, "info": {"id": "dnrti_train_004226", "source": "dnrti_train"}} {"text": "These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers .", "spans": {"Organization: threat groups": [[37, 50]], "Vulnerability: CVE-2018-0798": [[103, 116]]}, 
"info": {"id": "dnrti_train_004227", "source": "dnrti_train"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"Vulnerability: CVE-2017-11882": [[66, 80]], "Malware: 'NavShExt.dll'": [[147, 161]], "Malware: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_train_004228", "source": "dnrti_train"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: CVE-2017-1182": [[87, 100]], "Malware: Microsoft Equation Editor": [[118, 143]], "Malware: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_train_004229", "source": "dnrti_train"}} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 .", "spans": {"Organization: Attackers": [[0, 9]], "Vulnerability: CVE-2018-0798": [[54, 67]], "Organization: Maudi": [[145, 150]]}, "info": {"id": "dnrti_train_004230", "source": "dnrti_train"}} {"text": "specifically CVE-2018-0798 , before downloading subsequent payloads .", "spans": {"Vulnerability: CVE-2018-0798": [[13, 26]]}, "info": {"id": "dnrti_train_004231", "source": "dnrti_train"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"Organization: ‘Operation Sheep’": [[7, 24]], "Vulnerability: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "dnrti_train_004232", "source": "dnrti_train"}} 
{"text": "Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence .", "spans": {"Organization: APT41": [[10, 15]], "System: using proof-of-concept": [[29, 51]], "Vulnerability: exploit": [[52, 59]], "Vulnerability: CVE-2019-3396": [[69, 82]]}, "info": {"id": "dnrti_train_004233", "source": "dnrti_train"}} {"text": "We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Organization: BalkanDoor": [[34, 44]], "Vulnerability: CVE-2018-20250": [[134, 148]]}, "info": {"id": "dnrti_train_004234", "source": "dnrti_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Malware: BalkanDoor": [[33, 43]], "Vulnerability: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_train_004235", "source": "dnrti_train"}} {"text": "The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit .", "spans": {"Organization: actor": [[4, 9]], "Vulnerability: CVE-2018–8440": [[30, 43]], "Vulnerability: vulnerability": [[72, 85]], "Vulnerability: proof-of-concept": [[208, 224]], "Vulnerability: exploit": [[225, 232]]}, "info": {"id": "dnrti_train_004236", "source": "dnrti_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"Malware: China Chopper": [[4, 17]], "Vulnerability: CVE-2015-0062": [[146, 159]], 
"Vulnerability: CVE-2015-1701": [[162, 175]], "Vulnerability: CVE-2016-0099": [[180, 193]], "Organization: attacker": [[207, 215]]}, "info": {"id": "dnrti_train_004237", "source": "dnrti_train"}} {"text": "Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 .", "spans": {"Organization: Cloud Atlas": [[13, 24]], "Vulnerability: CVE-2017-11882": [[140, 154]], "Vulnerability: CVE-2018-0802": [[166, 179]]}, "info": {"id": "dnrti_train_004238", "source": "dnrti_train"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]]}, "info": {"id": "dnrti_train_004239", "source": "dnrti_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_train_004240", "source": "dnrti_train"}} {"text": "Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": {"Vulnerability: exploit": [[65, 72]], "Vulnerability: CVE-2017-11882 vulnerability": [[81, 109]]}, "info": {"id": "dnrti_train_004241", "source": "dnrti_train"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"Vulnerability: exploit": [[4, 11]], "Organization: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_train_004242", "source": "dnrti_train"}} {"text": "We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell .", "spans": {"Organization: Emissary Panda": [[11, 25]], "Vulnerability: 
vulnerability": [[55, 68]], "Vulnerability: CVE-2019-0604": [[104, 117]]}, "info": {"id": "dnrti_train_004243", "source": "dnrti_train"}} {"text": "Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 .", "spans": {"Vulnerability: CVE-2017-0144": [[75, 88]]}, "info": {"id": "dnrti_train_004244", "source": "dnrti_train"}} {"text": "In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks .", "spans": {"System: run a malicious DLL": [[164, 183]], "Organization: Emissary Panda": [[218, 232]]}, "info": {"id": "dnrti_train_004245", "source": "dnrti_train"}} {"text": "PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector .", "spans": {"Organization: PUTTER PANDA": [[0, 12]], "Organization: group": [[40, 45]], "Organization: space sector": [[167, 179]]}, "info": {"id": "dnrti_train_004246", "source": "dnrti_train"}} {"text": "PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests .", "spans": {"Organization: PUTTER PANDA": [[0, 12]]}, "info": {"id": "dnrti_train_004247", "source": "dnrti_train"}} {"text": "Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": {"Organization: groups": [[6, 12]], "Organization: Buhtrap": [[23, 30]], "Organization: Corkow": [[33, 39]], "Organization: Carbanak": [[44, 52]], "Organization: financial institutions": [[118, 140]], "Organization: customers": 
[[151, 160]]}, "info": {"id": "dnrti_train_004248", "source": "dnrti_train"}} {"text": "Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets .", "spans": {"Organization: actor": [[44, 49]], "Malware: BlackEnergy malware": [[79, 98]]}, "info": {"id": "dnrti_train_004249", "source": "dnrti_train"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {"Organization: group": [[4, 9]], "Malware: legitimate administration tools": [[15, 46]]}, "info": {"id": "dnrti_train_004250", "source": "dnrti_train"}} {"text": "In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain .", "spans": {"Organization: Unit 42": [[10, 17]], "Organization: cybercriminals": [[118, 132]]}, "info": {"id": "dnrti_train_004251", "source": "dnrti_train"}} {"text": "The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory .", "spans": {"Organization: threat actor": [[4, 16]]}, "info": {"id": "dnrti_train_004252", "source": "dnrti_train"}} {"text": "The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools .", "spans": {"Organization: threat actor": [[4, 16]], "Malware: web shell": [[42, 51]]}, "info": {"id": "dnrti_train_004253", "source": "dnrti_train"}} {"text": "In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran .", "spans": {"Organization: threat actor": [[87, 99]], "Malware: hTran": [[131, 136]]}, "info": {"id": "dnrti_train_004254", "source": "dnrti_train"}} {"text": "Our investigation showed that these 
attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"Organization: threat actor": [[73, 85]], "Organization: specific individuals": [[125, 145]]}, "info": {"id": "dnrti_train_004255", "source": "dnrti_train"}} {"text": "The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware .", "spans": {"Organization: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_004256", "source": "dnrti_train"}} {"text": "We have previously observed APT19 steal data from law and investment firms for competitive economic purposes .", "spans": {"Organization: APT19": [[28, 33]]}, "info": {"id": "dnrti_train_004257", "source": "dnrti_train"}} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits .", "spans": {"Organization: APT19": [[0, 5]], "Malware: Microsoft Excel files": [[57, 78]]}, "info": {"id": "dnrti_train_004258", "source": "dnrti_train"}} {"text": "Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: APT32": [[34, 39]]}, "info": {"id": "dnrti_train_004259", "source": "dnrti_train"}} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time .", "spans": {"Malware: CARBANAK": [[80, 88]]}, "info": {"id": "dnrti_train_004260", "source": "dnrti_train"}} {"text": "Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds .", "spans": {"Organization: Mandiant": [[17, 25]]}, "info": {"id": "dnrti_train_004261", "source": "dnrti_train"}} {"text": "Russian cyber espionage actors use zero-day exploits in addition 
to less complex measures .", "spans": {}, "info": {"id": "dnrti_train_004262", "source": "dnrti_train"}} {"text": "If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse .", "spans": {"Organization: attackers": [[7, 16]]}, "info": {"id": "dnrti_train_004263", "source": "dnrti_train"}} {"text": "The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications .", "spans": {"Malware: HawkEye malware": [[4, 19]]}, "info": {"id": "dnrti_train_004264", "source": "dnrti_train"}} {"text": "HawkEye is a versatile Trojan used by diverse actors for multiple purposes .", "spans": {"Malware: HawkEye": [[0, 7]], "Organization: actors": [[46, 52]]}, "info": {"id": "dnrti_train_004265", "source": "dnrti_train"}} {"text": "In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations .", "spans": {"Organization: crime group": [[105, 116]]}, "info": {"id": "dnrti_train_004266", "source": "dnrti_train"}} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices .", "spans": {"Organization: actors": [[11, 17]], "Organization: FireEye Labs": [[32, 44]], "System: compromising payment card": [[249, 274]]}, "info": {"id": "dnrti_train_004267", "source": "dnrti_train"}} {"text": "Once in their possession , the actors use these compromised payment card credentials to generate further card information .", "spans": {"Organization: actors": [[31, 37]]}, "info": {"id": "dnrti_train_004268", "source": "dnrti_train"}} 
{"text": "The members of the group use a variety of tools , including CCleaner , on a daily basis to effectively remove any evidence of their operations .", "spans": {"Organization: group": [[19, 24]], "Malware: CCleaner": [[60, 68]]}, "info": {"id": "dnrti_train_004269", "source": "dnrti_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_train_004270", "source": "dnrti_train"}} {"text": "Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials .", "spans": {"Organization: group": [[33, 38]]}, "info": {"id": "dnrti_train_004271", "source": "dnrti_train"}} {"text": "Similarly , the group takes advantage of freely available consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes .", "spans": {"Organization: group": [[16, 21]], "Malware: email credentials": [[76, 93]], "Malware: personal information": [[96, 116]]}, "info": {"id": "dnrti_train_004272", "source": "dnrti_train"}} {"text": "These actors scan websites for vulnerabilities to exploit to illicitly access databases .", "spans": {"Organization: actors": [[6, 12]]}, "info": {"id": "dnrti_train_004273", "source": "dnrti_train"}} {"text": "The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites .", "spans": {"Organization: group": [[4, 9]], "Malware: SQL injection": [[24, 37]]}, "info": {"id": "dnrti_train_004274", "source": "dnrti_train"}} {"text": "Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating 
additional opportunities for monetization .", "spans": {"Malware: card credentials": [[42, 58]], "Organization: actors": [[67, 73]]}, "info": {"id": "dnrti_train_004275", "source": "dnrti_train"}} {"text": "The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs .", "spans": {"Organization: actors": [[4, 10]]}, "info": {"id": "dnrti_train_004276", "source": "dnrti_train"}} {"text": "The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards .", "spans": {"Organization: group": [[4, 9]], "Malware: MSR 606 Software": [[29, 45]], "Malware: Hardware": [[62, 70]]}, "info": {"id": "dnrti_train_004277", "source": "dnrti_train"}} {"text": "However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods .", "spans": {"Organization: actors": [[20, 26]]}, "info": {"id": "dnrti_train_004278", "source": "dnrti_train"}} {"text": "The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims .", "spans": {"Organization: individuals": [[4, 15]], "Malware: Hancitor": [[22, 30]], "Malware: Chanitor": [[62, 70]]}, "info": {"id": "dnrti_train_004279", "source": "dnrti_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_train_004280", "source": "dnrti_train"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": {"Malware: Pony": [[48, 52]], 
"Malware: Vawtrak": [[57, 64]]}, "info": {"id": "dnrti_train_004281", "source": "dnrti_train"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine .", "spans": {"Malware: RIPPER": [[58, 64]]}, "info": {"id": "dnrti_train_004282", "source": "dnrti_train"}} {"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": {"Malware: Ploutus-D": [[0, 9]]}, "info": {"id": "dnrti_train_004283", "source": "dnrti_train"}} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": {"Malware: DarkPulsar": [[0, 10]], "Malware: backdoor": [[81, 89]], "Malware: sipauth32.tsp": [[98, 111]]}, "info": {"id": "dnrti_train_004284", "source": "dnrti_train"}} {"text": "According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces .", "spans": {}, "info": {"id": "dnrti_train_004285", "source": "dnrti_train"}} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad .", "spans": {}, "info": {"id": "dnrti_train_004286", "source": "dnrti_train"}} {"text": "Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 .", "spans": {"Malware: Emotet": [[0, 6]], "Malware: banking Trojan": [[75, 89]], "Malware: Cridex": [[94, 100]]}, "info": {"id": "dnrti_train_004287", "source": "dnrti_train"}} {"text": "It seems that the main objective of the attackers was information gathering from the infected computers .", "spans": {}, "info": {"id": "dnrti_train_004288", 
"source": "dnrti_train"}} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets .", "spans": {}, "info": {"id": "dnrti_train_004289", "source": "dnrti_train"}} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia .", "spans": {"Organization: Whitefly": [[88, 96]]}, "info": {"id": "dnrti_train_004290", "source": "dnrti_train"}} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 .", "spans": {"Organization: group": [[23, 28]], "Malware: powershell-based malware": [[57, 81]]}, "info": {"id": "dnrti_train_004291", "source": "dnrti_train"}} {"text": "The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware .", "spans": {"Organization: group": [[4, 9]], "Malware: Microsoft Office products": [[44, 69]]}, "info": {"id": "dnrti_train_004292", "source": "dnrti_train"}} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: Heartbleed vulnerability": [[36, 60]]}, "info": {"id": "dnrti_train_004293", "source": "dnrti_train"}} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Vulnerability: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "dnrti_train_004294", "source": "dnrti_train"}} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment .", "spans": {"Organization: Pitty Tiger group": [[4, 21]], "System: spear 
phishing": [[34, 48]]}, "info": {"id": "dnrti_train_004295", "source": "dnrti_train"}} {"text": "Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia .", "spans": {"Organization: groups": [[15, 21]], "Organization: PLATINUM": [[24, 32]], "Organization: governmental organizations": [[185, 211]], "Organization: defense institutes": [[214, 232]], "Organization: intelligence agencies": [[235, 256]], "Organization: diplomatic institutions": [[259, 282]], "Organization: telecommunication providers": [[289, 316]]}, "info": {"id": "dnrti_train_004296", "source": "dnrti_train"}} {"text": "LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once .", "spans": {"Organization: LATINUM": [[0, 7]], "Malware: self-deleting malicious components": [[69, 103]], "Malware: server side logic": [[118, 135]]}, "info": {"id": "dnrti_train_004297", "source": "dnrti_train"}} {"text": "PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages .", "spans": {"Organization: PLATINUM": [[0, 8]]}, "info": {"id": "dnrti_train_004298", "source": "dnrti_train"}} {"text": "PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers .", "spans": {"Organization: PLATINUM": [[0, 8]], "Malware: custom-developed backdoors": [[36, 62]]}, "info": {"id": "dnrti_train_004299", "source": "dnrti_train"}} {"text": "The lack of any significant evidence of shared code between any of these backdoor families is another clue 
as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations .", "spans": {"Organization: activity group": [[153, 167]], "Organization: group": [[210, 215]]}, "info": {"id": "dnrti_train_004300", "source": "dnrti_train"}} {"text": "PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources .", "spans": {"Organization: PLATINUM": [[0, 8]], "Malware: custom tools": [[51, 63]]}, "info": {"id": "dnrti_train_004301", "source": "dnrti_train"}} {"text": "The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations .", "spans": {}, "info": {"id": "dnrti_train_004302", "source": "dnrti_train"}} {"text": "The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way .", "spans": {"Malware: PLATINUM tool": [[4, 17]], "Malware: malware": [[52, 59]]}, "info": {"id": "dnrti_train_004303", "source": "dnrti_train"}} {"text": "The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": {"Organization: Poseidon Group": [[4, 18]], "Organization: executives": [[188, 198]]}, "info": {"id": "dnrti_train_004304", "source": "dnrti_train"}} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries .", "spans": {}, "info": {"id": "dnrti_train_004305", "source": "dnrti_train"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations 
targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries .", "spans": {"Organization: PUTTER PANDA": [[0, 12]], "Organization: group": [[39, 44]], "Organization: Technology sectors": [[144, 162]]}, "info": {"id": "dnrti_train_004306", "source": "dnrti_train"}} {"text": "But according to Gnosticplayers , his foray into a public marketplace like Dream has two goals --besides the first and obvious one being money .", "spans": {}, "info": {"id": "dnrti_train_004307", "source": "dnrti_train"}} {"text": "However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft .", "spans": {"Organization: CTU": [[10, 13]], "Organization: GOLD LOWELL": [[38, 49]]}, "info": {"id": "dnrti_train_004308", "source": "dnrti_train"}} {"text": "The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time .", "spans": {"Malware: BitPaymer": [[94, 103]]}, "info": {"id": "dnrti_train_004309", "source": "dnrti_train"}} {"text": "Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization .", "spans": {"Organization: INDRIK SPIDER": [[59, 72]]}, "info": {"id": "dnrti_train_004310", "source": "dnrti_train"}} {"text": "Since they were first identified in January 2-16 , this adversary has consistently targeted large organizations for high ransom demands .", "spans": {}, "info": {"id": "dnrti_train_004311", "source": "dnrti_train"}} {"text": "The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function .", "spans": {"Malware: BokBot 
malware": [[4, 18]]}, "info": {"id": "dnrti_train_004312", "source": "dnrti_train"}} {"text": "Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies .", "spans": {"Organization: OurMine": [[10, 17]], "Organization: WikiLeaks": [[39, 48]]}, "info": {"id": "dnrti_train_004313", "source": "dnrti_train"}} {"text": "Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address .", "spans": {"System: social engineering": [[40, 58]], "Organization: WikiLeaks": [[68, 77]], "Organization: DNS provider": [[81, 93]]}, "info": {"id": "dnrti_train_004314", "source": "dnrti_train"}} {"text": "Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address .", "spans": {"System: social engineering": [[46, 64]], "Organization: WikiLeaks": [[74, 83]], "Organization: DNS provider": [[87, 99]]}, "info": {"id": "dnrti_train_004315", "source": "dnrti_train"}} {"text": "The group 's primary goal is demonstrating to companies that they have weak security .", "spans": {}, "info": {"id": "dnrti_train_004316", "source": "dnrti_train"}} {"text": "The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines .", "spans": {}, "info": {"id": "dnrti_train_004317", "source": "dnrti_train"}} {"text": "It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances .", "spans": {"Organization: Callisto": [[117, 
125]]}, "info": {"id": "dnrti_train_004318", "source": "dnrti_train"}} {"text": "The tool then starts a new web browser instance on the attacker’s system and submits credentials on the real VPN portal .", "spans": {"Organization: attacker’s": [[55, 65]]}, "info": {"id": "dnrti_train_004319", "source": "dnrti_train"}} {"text": "The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server .", "spans": {"Malware: PowerShell script": [[87, 104]]}, "info": {"id": "dnrti_train_004320", "source": "dnrti_train"}} {"text": "First , the attacker’s mission is to disrupt an operational process rather than steal data .", "spans": {"Organization: attacker’s": [[12, 22]]}, "info": {"id": "dnrti_train_004321", "source": "dnrti_train"}} {"text": "Georgian military security issues , particularly with regard to U.S. cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics .", "spans": {"Organization: threat actors": [[147, 160]]}, "info": {"id": "dnrti_train_004322", "source": "dnrti_train"}} {"text": "The espionage group , which according to the U.S. 
Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"Organization: espionage group": [[4, 19]], "Organization: Department of Homeland Security": [[50, 81]], "Organization: DHS": [[84, 87]], "Organization: FBI": [[132, 135]]}, "info": {"id": "dnrti_train_004323", "source": "dnrti_train"}} {"text": "The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"Organization: APT28": [[4, 9]]}, "info": {"id": "dnrti_train_004324", "source": "dnrti_train"}} {"text": "Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia .", "spans": {"Organization: attack group": [[8, 20]], "Organization: Earworm": [[23, 30]], "Organization: Zebrocy": [[37, 44]]}, "info": {"id": "dnrti_train_004325", "source": "dnrti_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue exploit": [[46, 65]], "Malware: open source tool": [[74, 90]], "Malware: Responder": [[91, 100]]}, "info": {"id": "dnrti_train_004326", "source": "dnrti_train"}} {"text": "This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 
to collect intelligence in support of foreign and security policy decision-making .", "spans": {"Malware: MiniDuke": [[45, 53]], "Malware: CosmicDuke": [[56, 66]], "Malware: OnionDuke": [[69, 78]], "Malware: CozyDuke": [[81, 89]], "Organization: Dukes": [[104, 109]], "Organization: cyberespionage group": [[162, 182]]}, "info": {"id": "dnrti_train_004327", "source": "dnrti_train"}} {"text": "The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"Organization: Dukes": [[4, 9]], "Organization: cyberespionage group": [[64, 84]]}, "info": {"id": "dnrti_train_004328", "source": "dnrti_train"}} {"text": "We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"Organization: APT33": [[112, 117]]}, "info": {"id": "dnrti_train_004329", "source": "dnrti_train"}} {"text": "APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_004330", "source": "dnrti_train"}} {"text": "APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet .", "spans": {"Organization: APT33": [[0, 5]], "Organization: aviation companies": [[67, 85]]}, "info": {"id": "dnrti_train_004331", 
"source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_004332", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_004333", "source": "dnrti_train"}} {"text": "It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations .", "spans": {"Organization: APT37": [[20, 25]], "Malware: KARAE malware": [[45, 58]], "System: distributed denial-of-service": [[140, 169]], "System: DDoS": [[172, 176]]}, "info": {"id": "dnrti_train_004334", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails .", "spans": {"Organization: attackers": [[60, 69]], "System: spear-phishing e-mails": [[109, 131]]}, "info": {"id": "dnrti_train_004335", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails .", "spans": {"Organization: APT37": [[52, 57]], "System: spear-phishing e-mails": [[97, 119]]}, "info": {"id": "dnrti_train_004336", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of 
the world 's largest cyber heists .", "spans": {"Organization: APT38": [[0, 5]], "Organization: regime-backed group": [[46, 65]], "Organization: financial institutions": [[121, 143]], "Organization: cyber heists": [[186, 198]]}, "info": {"id": "dnrti_train_004337", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world .", "spans": {"Organization: APT38": [[0, 5]], "Organization: regime-backed group": [[46, 65]], "Organization: financial institutions": [[121, 143]]}, "info": {"id": "dnrti_train_004338", "source": "dnrti_train"}} {"text": "APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[127, 149]]}, "info": {"id": "dnrti_train_004339", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware .", "spans": {"Organization: APT38": [[0, 5]], "Organization: group": [[33, 38]], "Organization: cyber espionage operators": [[62, 87]], "Organization: financial institutions": [[158, 180]]}, "info": {"id": "dnrti_train_004340", "source": "dnrti_train"}} {"text": "Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime .", "spans": {"Organization: APT38": [[43, 48]], "Organization: financial institutions": [[81, 103]]}, "info": {"id": "dnrti_train_004341", "source": "dnrti_train"}} {"text": "Since 2015 , 
APT38 has attempted to steal hundreds of millions of dollars from financial institutions .", "spans": {"Organization: APT38": [[13, 18]], "Organization: financial institutions": [[79, 101]]}, "info": {"id": "dnrti_train_004342", "source": "dnrti_train"}} {"text": "APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time .", "spans": {"Organization: APT38": [[0, 5]], "Organization: financial institutions": [[85, 107]], "Malware: SWIFT": [[143, 148]]}, "info": {"id": "dnrti_train_004343", "source": "dnrti_train"}} {"text": "As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime .", "spans": {"Organization: APT38": [[62, 67]], "Organization: financial institutions": [[103, 125]]}, "info": {"id": "dnrti_train_004344", "source": "dnrti_train"}} {"text": "As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime .", "spans": {"Organization: APT38": [[62, 67]], "Organization: financial institutions": [[103, 125]]}, "info": {"id": "dnrti_train_004345", "source": "dnrti_train"}} {"text": "Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"Organization: APT38": [[39, 44]], "Organization: international entities": [[159, 181]], "Organization: TEMP.Hermit": [[192, 203]]}, "info": {"id": "dnrti_train_004346", "source": "dnrti_train"}} {"text": "APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide 
any evidence of the fraudulent transactions from the victimized bank .", "spans": {"Organization: APT38": [[0, 5]], "Malware: DYEPACK": [[16, 23]]}, "info": {"id": "dnrti_train_004347", "source": "dnrti_train"}} {"text": "During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities .", "spans": {"Organization: APT38": [[20, 25]]}, "info": {"id": "dnrti_train_004348", "source": "dnrti_train"}} {"text": "APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats .", "spans": {"Organization: APT39": [[0, 5]], "Organization: groups": [[96, 102]], "Organization: FireEye": [[103, 110]]}, "info": {"id": "dnrti_train_004349", "source": "dnrti_train"}} {"text": "APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"Organization: APT39": [[0, 5]], "Organization: specific individuals": [[149, 169]]}, "info": {"id": "dnrti_train_004350", "source": "dnrti_train"}} {"text": "Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms .", "spans": {"Organization: APT39": [[40, 45]], "Organization: telecommunications firms": [[198, 222]]}, "info": {"id": "dnrti_train_004351", "source": "dnrti_train"}} {"text": "BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of 
compromised hosts .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Malware: Mimikatz": [[50, 58]], "Malware: WCE": [[63, 66]]}, "info": {"id": "dnrti_train_004352", "source": "dnrti_train"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[51, 58]], "Organization: espionage": [[76, 85]]}, "info": {"id": "dnrti_train_004353", "source": "dnrti_train"}} {"text": "In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts .", "spans": {"Organization: attackers": [[20, 29]], "Malware: Worldwide Interbank Financial Telecommunication": [[51, 98]], "Malware: SWIFT": [[101, 106]]}, "info": {"id": "dnrti_train_004354", "source": "dnrti_train"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"Vulnerability: Carbanak": [[32, 40]], "Vulnerability: CVE-2013-3660": [[209, 222]]}, "info": {"id": "dnrti_train_004355", "source": "dnrti_train"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"Malware: Remote Desktop Protocol": [[57, 80]], "Malware: RDP": [[83, 86]], "Vulnerability: Carbanak": [[91, 99]]}, "info": {"id": "dnrti_train_004356", "source": "dnrti_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens .", "spans": 
{"Organization: threat groups": [[212, 225]], "Organization: OilRig": [[236, 242]], "Organization: CopyKittens": [[247, 258]]}, "info": {"id": "dnrti_train_004357", "source": "dnrti_train"}} {"text": "During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort .", "spans": {"Organization: Operation Cleaver": [[110, 127]]}, "info": {"id": "dnrti_train_004358", "source": "dnrti_train"}} {"text": "Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines .", "spans": {"Organization: Gallmaker": [[0, 9]], "System: lure documents": [[15, 29]]}, "info": {"id": "dnrti_train_004359", "source": "dnrti_train"}} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"Vulnerability: Carbanak": [[75, 83]], "Organization: cyber-criminal gang": [[88, 107]], "System: APT techniques": [[137, 151]], "Organization: financial institutions": [[209, 231]]}, "info": {"id": "dnrti_train_004360", "source": "dnrti_train"}} {"text": "Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks .", "spans": {"Organization: attackers": [[37, 46]]}, "info": {"id": "dnrti_train_004361", "source": "dnrti_train"}} {"text": "Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage .", "spans": {"Malware: KillDisk": [[10, 18]], "Organization: attackers": [[87, 96]], "Organization: cyber-sabotage": [[191, 205]]}, "info": 
{"id": "dnrti_train_004362", "source": "dnrti_train"}} {"text": "The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money .", "spans": {"Organization: Lazarus Group": [[4, 17]]}, "info": {"id": "dnrti_train_004363", "source": "dnrti_train"}} {"text": "Just last week Lazarus were found stealing millions from ATMs across Asia and Africa .", "spans": {"Organization: Lazarus": [[15, 22]]}, "info": {"id": "dnrti_train_004364", "source": "dnrti_train"}} {"text": "The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more .", "spans": {"Organization: Lazarus": [[14, 21]], "Organization: attackers": [[139, 148]]}, "info": {"id": "dnrti_train_004365", "source": "dnrti_train"}} {"text": "Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations .", "spans": {"Malware: Bankshot": [[0, 8]], "Organization: Advanced Threat Research": [[91, 115]], "Organization: financial organizations": [[184, 207]]}, "info": {"id": "dnrti_train_004366", "source": "dnrti_train"}} {"text": "The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems .", "spans": {"Organization: Leafminer": [[4, 13], [55, 64]]}, "info": {"id": "dnrti_train_004367", "source": "dnrti_train"}} {"text": "Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system .", "spans": {"Organization: Leafminer": [[35, 44]], "Malware: hacktools": [[160, 169]]}, "info": {"id": 
"dnrti_train_004368", "source": "dnrti_train"}} {"text": "While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events .", "spans": {"Organization: group": [[10, 15]], "Malware: ICS": [[44, 47], [245, 248]], "Organization: RASPITE": [[61, 68]]}, "info": {"id": "dnrti_train_004369", "source": "dnrti_train"}} {"text": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: actor": [[155, 160]], "Organization: APT40": [[169, 174]]}, "info": {"id": "dnrti_train_004370", "source": "dnrti_train"}} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": {"Organization: APT40": [[0, 5]]}, "info": {"id": "dnrti_train_004371", "source": "dnrti_train"}} {"text": "The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": {"Organization: individual": [[22, 32]], "Organization: actors": [[46, 52]]}, "info": {"id": "dnrti_train_004372", "source": "dnrti_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"Organization: APT32": [[27, 32]], "System: social engineering emails": [[43, 68]], "Malware: Microsoft ActiveMime file": [[74, 99]]}, "info": {"id": "dnrti_train_004373", "source": "dnrti_train"}} {"text": "APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host .", "spans": {"Organization: 
APT35": [[0, 5]], "Malware: custom backdoor": [[35, 50]]}, "info": {"id": "dnrti_train_004374", "source": "dnrti_train"}} {"text": "They then proceeded to log directly into the VPN using the credentials of the compromised user .", "spans": {"Malware: credentials of the compromised user": [[59, 94]]}, "info": {"id": "dnrti_train_004375", "source": "dnrti_train"}} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks .", "spans": {"Organization: APT35": [[13, 18]]}, "info": {"id": "dnrti_train_004376", "source": "dnrti_train"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT .", "spans": {"Organization: group": [[4, 9]], "System: Excel documents": [[162, 177]], "Malware: RATs": [[189, 193]], "Malware: PupyRAT": [[202, 209]]}, "info": {"id": "dnrti_train_004377", "source": "dnrti_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 .", "spans": {"Organization: threat groups": [[212, 225]], "Organization: Oilrig1": [[236, 243]], "Organization: CopyKittens2": [[248, 260]]}, "info": {"id": "dnrti_train_004378", "source": "dnrti_train"}} {"text": "To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's .", "spans": {"Organization: hacker": [[20, 26]], "Organization: Behzad Mesri": [[29, 41], [249, 261]], "Organization: Turk Black 
Hat": [[57, 71]], "Organization: ArYaIeIrAn": [[83, 93]], "Malware: PersianDNS": [[157, 167]], "Malware: Mahanserver": [[170, 181]], "Organization: Facebook": [[230, 238]]}, "info": {"id": "dnrti_train_004379", "source": "dnrti_train"}} {"text": "They move laterally and escalate system privileges to extract sensitive information — whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult .", "spans": {"Organization: attacker": [[99, 107]], "Malware: RATs": [[141, 145]]}, "info": {"id": "dnrti_train_004380", "source": "dnrti_train"}} {"text": "In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system .", "spans": {"Malware: PIVY": [[55, 59]], "Organization: attackers": [[62, 71]], "Malware: RAT": [[81, 84]], "Organization: security firm RSA": [[99, 116]]}, "info": {"id": "dnrti_train_004381", "source": "dnrti_train"}} {"text": "Attackers can point and click their way through a compromised network and exfiltrate data .", "spans": {"Organization: Attackers": [[0, 9]]}, "info": {"id": "dnrti_train_004382", "source": "dnrti_train"}} {"text": "The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally .", "spans": {"Organization: managed IT service providers": [[74, 102]], "Organization: MSPs": [[105, 109], [217, 221]], "Organization: APT10": [[123, 128]]}, "info": {"id": "dnrti_train_004383", "source": "dnrti_train"}} {"text": "PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection .", "spans": {"Organization: PwC UK": [[0, 6]], 
"Organization: BAE Systems": [[11, 22]], "Organization: APT10": [[55, 60]], "Organization: threat actor": [[78, 90]], "Organization: espionage": [[107, 116]]}, "info": {"id": "dnrti_train_004384", "source": "dnrti_train"}} {"text": "APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": {"Organization: APT10": [[0, 5]], "Malware: MSP networks": [[104, 116]], "Organization: customers": [[138, 147]]}, "info": {"id": "dnrti_train_004385", "source": "dnrti_train"}} {"text": "This , in turn , would provide access to a larger amount of intellectual property and sensitive data .", "spans": {}, "info": {"id": "dnrti_train_004386", "source": "dnrti_train"}} {"text": "APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences .", "spans": {"Organization: APT10": [[0, 5]], "Organization: MSPs": [[75, 79]]}, "info": {"id": "dnrti_train_004387", "source": "dnrti_train"}} {"text": "In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B .", "spans": {"Organization: APT10": [[43, 48]], "Malware: mimikatz": [[100, 108]], "Malware: PwDump": [[112, 118]], "Malware: DLL load order hijacking": [[137, 161]]}, "info": {"id": "dnrti_train_004388", "source": "dnrti_train"}} {"text": "For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators .", "spans": {"Organization: threat actor": [[99, 111]]}, "info": {"id": 
"dnrti_train_004389", "source": "dnrti_train"}} {"text": "Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources .", "spans": {"Organization: Moafee": [[110, 116]]}, "info": {"id": "dnrti_train_004390", "source": "dnrti_train"}} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage .", "spans": {"Organization: DragonOK": [[74, 82]]}, "info": {"id": "dnrti_train_004391", "source": "dnrti_train"}} {"text": "It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering .", "spans": {"Organization: Molerats": [[20, 28]], "Organization: Gaza cybergang": [[35, 49]], "Organization: group": [[78, 83]]}, "info": {"id": "dnrti_train_004392", "source": "dnrti_train"}} {"text": "DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering .", "spans": {"Malware: DustySky": [[0, 8]], "Organization: Molerats": [[55, 63]], "Organization: Gaza cybergang": [[72, 86]], "Organization: terrorist group": [[95, 110]]}, "info": {"id": "dnrti_train_004393", "source": "dnrti_train"}} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors .", "spans": {"Organization: FIN7": [[0, 4]], "Organization: threat actor group": [[10, 28]], "Organization: financial sectors": [[105, 122]]}, "info": {"id": "dnrti_train_004394", "source": "dnrti_train"}} {"text": "Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests .", "spans": {"Organization: Seedworm": [[0, 8]], "Organization: cyber espionage group": [[31, 52]]}, 
"info": {"id": "dnrti_train_004395", "source": "dnrti_train"}} {"text": "After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals .", "spans": {"Malware: Powermud": [[54, 62]], "Malware: Powemuddy": [[66, 75]], "Organization: Seedworm": [[78, 86]], "System: web browsers": [[144, 156]], "System: email": [[161, 166]], "System: demonstrating": [[169, 182]]}, "info": {"id": "dnrti_train_004396", "source": "dnrti_train"}} {"text": "It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations .", "spans": {"Organization: attackers": [[56, 65]], "Malware: Naikon proxies": [[73, 87]]}, "info": {"id": "dnrti_train_004397", "source": "dnrti_train"}} {"text": "In addition to stealing keystrokes , Naikon also intercepted network traffic .", "spans": {"Organization: Naikon": [[37, 43]], "System: network traffic": [[61, 76]]}, "info": {"id": "dnrti_train_004398", "source": "dnrti_train"}} {"text": "Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": {"Organization: espionage": [[67, 76]], "Organization: activity groups": [[116, 131]], "Organization: specific individuals": [[165, 185]]}, "info": {"id": "dnrti_train_004399", "source": "dnrti_train"}} {"text": "PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration .", "spans": {"Organization: PROMETHIUM": [[0, 10]]}, "info": {"id": "dnrti_train_004400", "source": "dnrti_train"}} {"text": "Last year , Microsoft researchers described 
Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"Organization: Microsoft": [[12, 21]], "Organization: Neodymium": [[44, 53]], "Organization: activity groups": [[93, 108]], "Organization: PROMETHIUM": [[188, 198]], "Organization: NEODYMIUM": [[203, 212]]}, "info": {"id": "dnrti_train_004401", "source": "dnrti_train"}} {"text": "Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"Organization: activity groups": [[12, 27]], "Organization: PROMETHIUM": [[107, 117]], "Organization: NEODYMIUM": [[122, 131]]}, "info": {"id": "dnrti_train_004402", "source": "dnrti_train"}} {"text": "The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods .", "spans": {"Malware: ProjectSauron": [[24, 37]]}, "info": {"id": "dnrti_train_004403", "source": "dnrti_train"}} {"text": "In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates .", "spans": {"Organization: Symantec": [[16, 24]]}, "info": {"id": "dnrti_train_004404", "source": "dnrti_train"}} {"text": "During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations .", "spans": {"Organization: companies": [[80, 89]], "Organization: government organizations": [[142, 166]]}, "info": {"id": "dnrti_train_004405", "source": 
"dnrti_train"}} {"text": "The ultimate objective of targeted attacks is to acquire sensitive data .", "spans": {}, "info": {"id": "dnrti_train_004406", "source": "dnrti_train"}} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information .", "spans": {"Organization: TG-3390": [[26, 33]], "System: strategic web compromises": [[43, 68]], "Malware: SWCs": [[71, 75]]}, "info": {"id": "dnrti_train_004407", "source": "dnrti_train"}} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": {"Organization: CTU": [[28, 31]], "Organization: TG-3390": [[56, 63]]}, "info": {"id": "dnrti_train_004408", "source": "dnrti_train"}} {"text": "CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[55, 62]]}, "info": {"id": "dnrti_train_004409", "source": "dnrti_train"}} {"text": "Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain .", "spans": {}, "info": {"id": "dnrti_train_004410", "source": "dnrti_train"}} {"text": "As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace .", "spans": {}, "info": {"id": "dnrti_train_004411", "source": "dnrti_train"}} {"text": "This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at 
one fell swoop \" .", "spans": {}, "info": {"id": "dnrti_train_004412", "source": "dnrti_train"}} {"text": "Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"Organization: Dell SecureWorks": [[0, 16]], "Organization: Group-3390": [[57, 67]]}, "info": {"id": "dnrti_train_004413", "source": "dnrti_train"}} {"text": "LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"Organization: Dell SecureWorks": [[67, 83]]}, "info": {"id": "dnrti_train_004414", "source": "dnrti_train"}} {"text": "Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network .", "spans": {"System: e-mail servers": [[100, 114]]}, "info": {"id": "dnrti_train_004415", "source": "dnrti_train"}} {"text": "Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from .", "spans": {"System: API access": [[32, 42]]}, "info": {"id": "dnrti_train_004416", "source": "dnrti_train"}} {"text": "However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused .", "spans": {}, "info": {"id": "dnrti_train_004417", "source": "dnrti_train"}} {"text": "The primary goal of these attacks was likely to find code-signing certificates for signing future malware .", "spans": {}, "info": {"id": "dnrti_train_004418", "source": "dnrti_train"}} {"text": "ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target 
networks , including collecting and distributing screenshots of industrial control systems .", "spans": {"Malware: compromised websites": [[43, 63]], "System: watering holes": [[71, 85]]}, "info": {"id": "dnrti_train_004419", "source": "dnrti_train"}} {"text": "ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities .", "spans": {}, "info": {"id": "dnrti_train_004420", "source": "dnrti_train"}} {"text": "A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology .", "spans": {"Organization: maritime sector": [[78, 93]]}, "info": {"id": "dnrti_train_004421", "source": "dnrti_train"}} {"text": "Dragos does not corroborate nor conduct political attribution to threat activity .", "spans": {"Organization: Dragos": [[0, 6]]}, "info": {"id": "dnrti_train_004422", "source": "dnrti_train"}} {"text": "As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities .", "spans": {}, "info": {"id": "dnrti_train_004423", "source": "dnrti_train"}} {"text": "The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states .", "spans": {}, "info": {"id": "dnrti_train_004424", "source": "dnrti_train"}} {"text": "Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network .", "spans": {"Organization: APT40": [[40, 45]], "System: phishing emails": [[101, 116]], "Malware: Gh0st RAT trojan": [[156, 172]]}, "info": {"id": "dnrti_train_004425", "source": "dnrti_train"}} {"text": "The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 
's relationships with other telecommunications companies .", "spans": {"Organization: telecommunications companies": [[144, 172]]}, "info": {"id": "dnrti_train_004426", "source": "dnrti_train"}} {"text": "We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems .", "spans": {}, "info": {"id": "dnrti_train_004427", "source": "dnrti_train"}} {"text": "Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably .", "spans": {"Organization: Bahamut": [[0, 7]], "Malware: Android malware": [[69, 84]]}, "info": {"id": "dnrti_train_004428", "source": "dnrti_train"}} {"text": "One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software .", "spans": {"Malware: legitimate software": [[184, 203]]}, "info": {"id": "dnrti_train_004429", "source": "dnrti_train"}} {"text": "Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords .", "spans": {"System: phishing": [[77, 85]]}, "info": {"id": "dnrti_train_004430", "source": "dnrti_train"}} {"text": "Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations – not destructive attacks or fraud .", "spans": {"Organization: Bahamut": [[11, 18]]}, "info": {"id": "dnrti_train_004431", "source": "dnrti_train"}} {"text": "Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information from the victim 's network 
.", "spans": {}, "info": {"id": "dnrti_train_004432", "source": "dnrti_train"}} {"text": "Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology .", "spans": {}, "info": {"id": "dnrti_train_004433", "source": "dnrti_train"}} {"text": "Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents .", "spans": {"Malware: Bookworm": [[0, 8]]}, "info": {"id": "dnrti_train_004434", "source": "dnrti_train"}} {"text": "Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server .", "spans": {"Malware: Bookworm": [[7, 15]]}, "info": {"id": "dnrti_train_004435", "source": "dnrti_train"}} {"text": "They have different functions and ways of spreading , but the same purpose — to steal money from the accounts of businesses .", "spans": {}, "info": {"id": "dnrti_train_004436", "source": "dnrti_train"}} {"text": "At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit .", "spans": {"Organization: financial establishments": [[91, 115]]}, "info": {"id": "dnrti_train_004437", "source": "dnrti_train"}} {"text": "Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each .", "spans": {}, "info": {"id": "dnrti_train_004438", "source": "dnrti_train"}} {"text": "Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "dnrti_train_004439", "source": "dnrti_train"}} {"text": "Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "dnrti_train_004440", "source": 
"dnrti_train"}} {"text": "In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection .", "spans": {}, "info": {"id": "dnrti_train_004441", "source": "dnrti_train"}} {"text": "Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's .", "spans": {"Organization: Patchwork": [[171, 180]]}, "info": {"id": "dnrti_train_004442", "source": "dnrti_train"}} {"text": "Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective .", "spans": {"Organization: Confucius": [[19, 28]], "Organization: Patchwork": [[33, 42]]}, "info": {"id": "dnrti_train_004443", "source": "dnrti_train"}} {"text": "In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address .", "spans": {"System: abusing legitimate web services": [[134, 165]], "System: DNS lookups": [[179, 190]]}, "info": {"id": "dnrti_train_004444", "source": "dnrti_train"}} {"text": "To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites .", "spans": {}, "info": {"id": "dnrti_train_004445", "source": "dnrti_train"}} {"text": "Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: mail tracking websites": [[85, 107]], "Malware: news 
portals": [[110, 122]], "Malware: electronic books": [[125, 141]], "Malware: computer graphics resources": [[144, 171]], "Malware: music portals": [[174, 187]]}, "info": {"id": "dnrti_train_004446", "source": "dnrti_train"}} {"text": "Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services .", "spans": {"Malware: Metel": [[0, 5]], "Malware: banking Trojan": [[11, 25]], "Organization: Corkow": [[42, 48]]}, "info": {"id": "dnrti_train_004447", "source": "dnrti_train"}} {"text": "After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions .", "spans": {}, "info": {"id": "dnrti_train_004448", "source": "dnrti_train"}} {"text": "Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {"System: phishing email": [[216, 230]]}, "info": {"id": "dnrti_train_004449", "source": "dnrti_train"}} {"text": "Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {"System: phishing email": [[229, 243]]}, "info": {"id": "dnrti_train_004450", "source": "dnrti_train"}} {"text": "Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private 
networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers .", "spans": {"Organization: Talos": [[0, 5]], "System: email": [[252, 257]], "Malware: VPN": [[291, 294]]}, "info": {"id": "dnrti_train_004451", "source": "dnrti_train"}} {"text": "Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text .", "spans": {"Organization: Talos": [[0, 5]], "System: DNS hijacks": [[26, 37]]}, "info": {"id": "dnrti_train_004452", "source": "dnrti_train"}} {"text": "This APT group usually carries out target attacks against government agencies to steal sensitive information .", "spans": {"Organization: government agencies": [[58, 77]]}, "info": {"id": "dnrti_train_004453", "source": "dnrti_train"}} {"text": "All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection .", "spans": {"System: dynamic DNS domains": [[75, 94]]}, "info": {"id": "dnrti_train_004454", "source": "dnrti_train"}} {"text": "With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate .", "spans": {"Malware: GozNym": [[5, 11]], "Malware: URL": [[70, 73]], "Malware: SSL certificate": [[78, 93]]}, "info": {"id": "dnrti_train_004455", "source": "dnrti_train"}} {"text": "During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": {}, "info": {"id": "dnrti_train_004456", "source": "dnrti_train"}} {"text": "While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess 
the state of the intrusion , and support follow-up actions .", "spans": {"Organization: SOC personnel": [[36, 49]]}, "info": {"id": "dnrti_train_004457", "source": "dnrti_train"}} {"text": "In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS .", "spans": {}, "info": {"id": "dnrti_train_004458", "source": "dnrti_train"}} {"text": "Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk .", "spans": {"Malware: Trojan": [[178, 184]], "Malware: Lurk": [[192, 196]]}, "info": {"id": "dnrti_train_004459", "source": "dnrti_train"}} {"text": "Cadelle 's threats are capable of opening a back door and stealing information from victims' computers .", "spans": {}, "info": {"id": "dnrti_train_004460", "source": "dnrti_train"}} {"text": "These threats are capable of opening a back door and stealing information from victims' computers .", "spans": {}, "info": {"id": "dnrti_train_004461", "source": "dnrti_train"}} {"text": "Callisto Group appears to be intelligence gathering related to European foreign and security policy .", "spans": {}, "info": {"id": "dnrti_train_004462", "source": "dnrti_train"}} {"text": "Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform .", "spans": {"Organization: Callisto Group": [[25, 39]], "Malware: installers": [[186, 196]]}, "info": {"id": "dnrti_train_004463", "source": "dnrti_train"}} {"text": "Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks .", "spans": {}, "info": {"id": "dnrti_train_004464", "source": "dnrti_train"}} {"text": "On Tuesday , 
Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf .", "spans": {"Organization: Arbor Networks": [[13, 27]], "Malware: Trojan": [[94, 100]], "Malware: RAT": [[103, 106]], "Malware: Ismdoor": [[116, 123]]}, "info": {"id": "dnrti_train_004465", "source": "dnrti_train"}} {"text": "It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"Malware: DNS-based attack technique": [[26, 52]], "Organization: Arbor 's ASERT Team": [[183, 202]]}, "info": {"id": "dnrti_train_004466", "source": "dnrti_train"}} {"text": "t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"Malware: DNS-based attack technique": [[25, 51]], "Organization: Arbor 's ASERT Team": [[182, 201]]}, "info": {"id": "dnrti_train_004467", "source": "dnrti_train"}} {"text": "In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials .", "spans": {"Malware: Ismdoor RAT": [[22, 33]]}, "info": {"id": "dnrti_train_004468", "source": "dnrti_train"}} {"text": "According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website .", "spans": {"Organization: Myanmar Union Election Commission": [[271, 304]], "Organization: UEC": [[307, 310]]}, "info": {"id": "dnrti_train_004469", "source": 
"dnrti_train"}} {"text": "The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past .", "spans": {"Malware: legitimate Thai websites": [[30, 54]]}, "info": {"id": "dnrti_train_004470", "source": "dnrti_train"}} {"text": "We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University .", "spans": {}, "info": {"id": "dnrti_train_004471", "source": "dnrti_train"}} {"text": "As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure .", "spans": {}, "info": {"id": "dnrti_train_004472", "source": "dnrti_train"}} {"text": "Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar .", "spans": {"Malware: legitimate traffic": [[17, 35]]}, "info": {"id": "dnrti_train_004473", "source": "dnrti_train"}} {"text": "The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"Organization: Tibetan community": [[4, 21]], "Malware: malware": [[91, 98]]}, "info": {"id": "dnrti_train_004474", "source": "dnrti_train"}} {"text": "he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"Organization: Tibetan community": [[3, 20]], "Malware: malware": [[90, 97]]}, "info": {"id": "dnrti_train_004475", "source": "dnrti_train"}} {"text": "In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware .", "spans": 
{"Malware: KeyBoy": [[144, 150]], "Malware: string obfuscation routine": [[165, 191]]}, "info": {"id": "dnrti_train_004476", "source": "dnrti_train"}} {"text": "To control the full operation , MoneyTaker uses a Pentest framework Server .", "spans": {"Organization: MoneyTaker": [[32, 42]], "Malware: Pentest framework Server": [[50, 74]]}, "info": {"id": "dnrti_train_004477", "source": "dnrti_train"}} {"text": "At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation .", "spans": {"Organization: cpg Corporation": [[125, 140]]}, "info": {"id": "dnrti_train_004478", "source": "dnrti_train"}} {"text": "After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network .", "spans": {}, "info": {"id": "dnrti_train_004479", "source": "dnrti_train"}} {"text": "This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems .", "spans": {}, "info": {"id": "dnrti_train_004480", "source": "dnrti_train"}} {"text": "The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes .", "spans": {}, "info": {"id": "dnrti_train_004481", "source": "dnrti_train"}} {"text": "The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage .", "spans": {}, "info": {"id": "dnrti_train_004482", "source": "dnrti_train"}} {"text": "This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users .", "spans": {}, "info": {"id": "dnrti_train_004483", "source": "dnrti_train"}} {"text": "These attacks are primarily targeting private industry in 
search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations .", "spans": {"Organization: military institutions": [[122, 143]], "Organization: governmental organizations": [[150, 176]], "Organization: human rights organizations": [[246, 272]]}, "info": {"id": "dnrti_train_004484", "source": "dnrti_train"}} {"text": "Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"Organization: Nitro": [[0, 5]], "Organization: chemical sector": [[33, 48]]}, "info": {"id": "dnrti_train_004485", "source": "dnrti_train"}} {"text": "This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"Organization: chemical sector": [[36, 51]]}, "info": {"id": "dnrti_train_004486", "source": "dnrti_train"}} {"text": "Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan .", "spans": {"Malware: Potao": [[20, 25]], "System: spear-phishing": [[161, 175]]}, "info": {"id": "dnrti_train_004487", "source": "dnrti_train"}} {"text": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates .", "spans": {"Organization: PassCV group": [[4, 16]]}, "info": {"id": "dnrti_train_004488", "source": "dnrti_train"}} {"text": "The PassCV group continues to be extremely effective in compromising both small and large game companies and 
surreptitiously using their code-signing certificates to infect an even larger swath of organizations .", "spans": {"Organization: PassCV": [[4, 10]], "Organization: game companies": [[90, 104]]}, "info": {"id": "dnrti_train_004489", "source": "dnrti_train"}} {"text": "The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration .", "spans": {"Organization: ScarCruft": [[4, 13]]}, "info": {"id": "dnrti_train_004490", "source": "dnrti_train"}} {"text": "Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak , Corkow , Buhtrap — usually managed botnets using developed or modified banking Trojans .", "spans": {"Organization: financial sector": [[80, 96]], "Malware: Corkow": [[116, 122]]}, "info": {"id": "dnrti_train_004491", "source": "dnrti_train"}} {"text": "They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt .", "spans": {}, "info": {"id": "dnrti_train_004492", "source": "dnrti_train"}} {"text": "The company specializes in finance and natural resources specific to that region .", "spans": {}, "info": {"id": "dnrti_train_004493", "source": "dnrti_train"}} {"text": "Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from .", "spans": {"Organization: Symantec": [[92, 100]]}, "info": {"id": "dnrti_train_004494", "source": "dnrti_train"}} {"text": "Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information .", "spans": {"Organization: Fxmsp": [[0, 5]]}, "info": {"id": "dnrti_train_004495", "source": "dnrti_train"}} 
{"text": "But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 .", "spans": {"Organization: attackers": [[20, 29]]}, "info": {"id": "dnrti_train_004496", "source": "dnrti_train"}} {"text": "Donot attacked government agencies , aiming for classified intelligence .", "spans": {"Organization: Donot": [[0, 5]]}, "info": {"id": "dnrti_train_004497", "source": "dnrti_train"}} {"text": "Lazarus is a very active attack group involved in both cyber crime and espionage .", "spans": {"Organization: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_004498", "source": "dnrti_train"}} {"text": "To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions .", "spans": {"Organization: Lazarus": [[37, 44]]}, "info": {"id": "dnrti_train_004499", "source": "dnrti_train"}} {"text": "The operation , known as FASTCash” has enabled Lazarus to fraudulently empty ATMs of cash .", "spans": {"Organization: Lazarus": [[47, 54]]}, "info": {"id": "dnrti_train_004500", "source": "dnrti_train"}} {"text": "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs .", "spans": {"Malware: malware": [[5, 12]], "Organization: Lazarus": [[43, 50]]}, "info": {"id": "dnrti_train_004501", "source": "dnrti_train"}} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space .", "spans": {"Organization: threat actors": [[4, 17]]}, "info": {"id": "dnrti_train_004502", "source": "dnrti_train"}} {"text": "If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will .", "spans": 
{"Organization: attacker": [[6, 14]]}, "info": {"id": "dnrti_train_004503", "source": "dnrti_train"}} {"text": "If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar .", "spans": {"Organization: attackers": [[7, 16]]}, "info": {"id": "dnrti_train_004504", "source": "dnrti_train"}} {"text": "Captured legitimate user credentials when users interacted with these actor - controlled servers .", "spans": {"Organization: actor": [[70, 75]], "System: controlled": [[78, 88]], "System: servers": [[89, 96]]}, "info": {"id": "dnrti_train_004505", "source": "dnrti_train"}} {"text": "During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries .", "spans": {"Organization: actor": [[32, 37]]}, "info": {"id": "dnrti_train_004506", "source": "dnrti_train"}} {"text": "The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials .", "spans": {"Organization: actor": [[22, 27]], "Malware: MitM servers": [[41, 53]]}, "info": {"id": "dnrti_train_004507", "source": "dnrti_train"}} {"text": "This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) .", "spans": {"Organization: attackers": [[29, 38]]}, "info": {"id": "dnrti_train_004508", "source": "dnrti_train"}} {"text": "Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs .", "spans": {"Organization: attackers": [[61, 70]]}, "info": {"id": "dnrti_train_004509", "source": "dnrti_train"}} {"text": "Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers .", "spans": {"System: access to the network": [[15, 36]], "Organization: they": 
[[39, 43]], "Malware: actor-controlled": [[110, 126]], "Malware: servers": [[127, 134]]}, "info": {"id": "dnrti_train_004510", "source": "dnrti_train"}} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection .", "spans": {"Vulnerability: CVE-2012-0158": [[23, 36]]}, "info": {"id": "dnrti_train_004511", "source": "dnrti_train"}} {"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"Organization: iSiGHT Partners": [[0, 15]], "Organization: Sandworm Team": [[28, 41]], "Vulnerability: zero-day exploit": [[163, 179]], "Vulnerability: CVE-2014-4114": [[182, 195]]}, "info": {"id": "dnrti_train_004512", "source": "dnrti_train"}} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document .", "spans": {"System: e-mail": [[39, 45]], "Vulnerability: Scarlet Mimic exploit": [[103, 124]]}, "info": {"id": "dnrti_train_004513", "source": "dnrti_train"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {"Organization: group": [[4, 9]], "Malware: legitimate administration tools": [[15, 46]]}, "info": {"id": "dnrti_train_004514", "source": "dnrti_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"Vulnerability: CVE-2017-1099": [[71, 84]], "Malware: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_train_004515", "source": "dnrti_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: 
phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_train_004516", "source": "dnrti_train"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Malware: LATENTBOT malware": [[99, 116]]}, "info": {"id": "dnrti_train_004517", "source": "dnrti_train"}} {"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: actors": [[26, 32]], "Vulnerability: CVE-2017-0261": [[120, 133]], "Organization: APT28": [[140, 145]], "Vulnerability: CVE-2017-0262": [[180, 193]], "Vulnerability: CVE-2017-0263": [[250, 263]]}, "info": {"id": "dnrti_train_004518", "source": "dnrti_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_train_004519", "source": "dnrti_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_train_004520", "source": "dnrti_train"}} {"text": "It is possible that CVE-2017-8759 was being used by additional actors .", "spans": {"Vulnerability: CVE-2017-8759": [[20, 33]], "Organization: actors": [[63, 69]]}, "info": {"id": 
"dnrti_train_004521", "source": "dnrti_train"}} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities .", "spans": {"Vulnerability: EternalBlue": [[20, 31]], "Malware: Metasploit": [[43, 53]], "Organization: actors": [[82, 88]]}, "info": {"id": "dnrti_train_004522", "source": "dnrti_train"}} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched .", "spans": {"Malware: Magnitude EK": [[4, 16]], "Vulnerability: CVE-2016-0189": [[43, 56]], "Organization: FireEye": [[87, 94]], "Malware: Neutrino Exploit Kit": [[112, 132]]}, "info": {"id": "dnrti_train_004523", "source": "dnrti_train"}} {"text": "The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Vulnerability: EternalBlue”": [[45, 57]], "Organization: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_train_004524", "source": "dnrti_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"Vulnerability: Cisco exploits": [[36, 50]]}, "info": {"id": "dnrti_train_004525", "source": "dnrti_train"}} {"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar .", "spans": {"Malware: DanderSpritz": [[0, 12]], "Malware: FuZZbuNch": [[81, 90]], "Malware: DisableSecurity": [[196, 211]], "Malware: EnableSecurity": [[216, 230]], "Malware: DarkPulsar": [[235, 245]]}, "info": {"id": "dnrti_train_004526", "source": "dnrti_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and 
transfer it to a server .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_train_004527", "source": "dnrti_train"}} {"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide .", "spans": {"Organization: NSA": [[133, 136]], "Vulnerability: ETERNALBLUE": [[161, 172]]}, "info": {"id": "dnrti_train_004528", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_004529", "source": "dnrti_train"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_train_004530", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_004531", "source": "dnrti_train"}} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers .", "spans": 
{"Malware: publicly available tools": [[47, 71]], "Malware: Mimikatz": [[84, 92]], "Malware: Hacktool.Mimikatz": [[95, 112]], "Vulnerability: CVE-2016-0051": [[206, 219]]}, "info": {"id": "dnrti_train_004532", "source": "dnrti_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"Malware: .doc files": [[54, 64]], "Malware: RTF documents": [[85, 98]], "Vulnerability: CVE-2017-8570": [[123, 136]], "Vulnerability: Composite": [[139, 148]], "Vulnerability: Moniker": [[149, 156]]}, "info": {"id": "dnrti_train_004533", "source": "dnrti_train"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_train_004534", "source": "dnrti_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: attackers": [[14, 23]], "Malware: MS PowerPoint document": [[32, 54]], "Vulnerability: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_train_004535", "source": "dnrti_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: Patchwork": [[10, 19]], "Malware: MS PowerPoint document": [[28, 50]], "Vulnerability: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_train_004536", "source": "dnrti_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_train_004537", "source": "dnrti_train"}} {"text": "One of the favorite methods used 
by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"Organization: Pitty Tiger group": [[40, 57]], "Malware: Microsoft Office Word document": [[86, 116]], "Vulnerability: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_train_004538", "source": "dnrti_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"Malware: ActiveX control": [[46, 61]], "Malware: JavaScript file": [[76, 91]], "Vulnerability: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_train_004539", "source": "dnrti_train"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": {"Malware: document files": [[4, 18]], "Vulnerability: vulnerabilities": [[48, 63]]}, "info": {"id": "dnrti_train_004540", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_004541", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_004542", "source": 
"dnrti_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_train_004543", "source": "dnrti_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], "System: phishing": [[56, 64]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_train_004544", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_train_004545", "source": "dnrti_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_train_004546", "source": "dnrti_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]]}, "info": {"id": "dnrti_train_004547", "source": "dnrti_train"}} {"text": "PIVY also played a key role 
in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], "Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_train_004548", "source": "dnrti_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"Malware: .doc files": [[54, 64]], "Malware: RTF documents": [[85, 98]], "Vulnerability: CVE-2017-8570": [[123, 136]], "Vulnerability: Composite": [[139, 148]], "Vulnerability: Moniker": [[149, 156]]}, "info": {"id": "dnrti_train_004549", "source": "dnrti_train"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_train_004550", "source": "dnrti_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: attackers": [[14, 23]], "Malware: MS PowerPoint document": [[32, 54]], "Vulnerability: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_train_004551", "source": "dnrti_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: Patchwork": [[10, 19]], "Malware: MS PowerPoint document": [[28, 50]], "Vulnerability: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_train_004552", "source": "dnrti_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the 
CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_train_004553", "source": "dnrti_train"}} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": {"Organization: Patchwork": [[24, 33]], "Vulnerability: CVE-2017-0261": [[49, 62]], "Vulnerability: CVE-2015-2545": [[196, 209]]}, "info": {"id": "dnrti_train_004554", "source": "dnrti_train"}} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: Heartbleed vulnerability": [[36, 60]]}, "info": {"id": "dnrti_train_004555", "source": "dnrti_train"}} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Vulnerability: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "dnrti_train_004556", "source": "dnrti_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"Organization: Pitty Tiger group": [[40, 57]], "Malware: Microsoft Office Word document": [[86, 116]], "Vulnerability: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_train_004557", "source": "dnrti_train"}} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: CVE-2014-1761": [[26, 39]]}, "info": {"id": "dnrti_train_004558", "source": "dnrti_train"}} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no 
security update is available at the time of transmission , in these attempts .", "spans": {"Organization: PLATINUM": [[0, 8]], "Vulnerability: zero-day exploits": [[43, 60]]}, "info": {"id": "dnrti_train_004559", "source": "dnrti_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"Malware: ActiveX control": [[46, 61]], "Malware: JavaScript file": [[76, 91]], "Vulnerability: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_train_004560", "source": "dnrti_train"}} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Malware: Word": [[32, 36]], "Organization: PLATINUM": [[39, 47]], "Vulnerability: CVE-2015-2545": [[153, 166]], "Organization: attacker": [[200, 208]], "System: malicious DLL": [[248, 261]]}, "info": {"id": "dnrti_train_004561", "source": "dnrti_train"}} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application .", "spans": {"Malware: DLL": [[4, 7]], "Vulnerability: CVE-2015-2546": [[72, 85]], "Malware: Word": [[159, 163]]}, "info": {"id": "dnrti_train_004562", "source": "dnrti_train"}} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the 
computer .", "spans": {"Malware: Word": [[32, 36]], "Vulnerability: CVE-2015-2545": [[147, 160]], "Organization: attacker": [[194, 202]], "System: malicious DLL": [[242, 255]]}, "info": {"id": "dnrti_train_004563", "source": "dnrti_train"}} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves .", "spans": {"Organization: PLATINUM": [[11, 19]], "Vulnerability: zero-day exploits": [[37, 54], [289, 306], [358, 375]], "System: remote code execution": [[95, 116]]}, "info": {"id": "dnrti_train_004564", "source": "dnrti_train"}} {"text": "PLATINUM has used several zero-day exploits against their victims .", "spans": {"Organization: PLATINUM": [[0, 8]], "Vulnerability: zero-day exploits": [[26, 43]]}, "info": {"id": "dnrti_train_004565", "source": "dnrti_train"}} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers .", "spans": {"Vulnerability: CVE-2015-2546": [[8, 21]], "Organization: attackers": [[168, 177]]}, "info": {"id": "dnrti_train_004566", "source": "dnrti_train"}} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 .", "spans": {"Vulnerability: zero-day vulnerability": [[18, 40]], "Vulnerability: CVE-2015-2545": [[51, 64]], "Organization: PLATINUM": [[75, 83]]}, "info": {"id": "dnrti_train_004567", "source": "dnrti_train"}} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain 
persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks .", "spans": {"Malware: technical exploitation capabilities": [[29, 64]], "Vulnerability: zero-day exploits": [[131, 148]]}, "info": {"id": "dnrti_train_004568", "source": "dnrti_train"}} {"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched .", "spans": {"Organization: group": [[37, 42]], "Vulnerability: CVE-2016-4117": [[101, 114]]}, "info": {"id": "dnrti_train_004569", "source": "dnrti_train"}} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion .", "spans": {"Vulnerability: Rocke group exploits vulnerabilities": [[52, 88]]}, "info": {"id": "dnrti_train_004570", "source": "dnrti_train"}} {"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 .", "spans": {"Organization: Rocke": [[31, 36]], "Vulnerability: CVE-2018-1000861": [[105, 121]], "Vulnerability: CVE-2019-1003000": [[126, 142]]}, "info": {"id": "dnrti_train_004571", "source": "dnrti_train"}} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites .", "spans": {"Vulnerability: NSA exploits": [[86, 98]]}, "info": {"id": "dnrti_train_004572", "source": "dnrti_train"}} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild .", "spans": {"Organization: 360 Core Security": [[22, 39]], "Organization: APT-C-06": [[72, 80]], "Vulnerability: (CVE-2018-8174)": [[132, 147]]}, "info": {"id": 
"dnrti_train_004573", "source": "dnrti_train"}} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: (CVE-2018-0802)": [[62, 77]]}, "info": {"id": "dnrti_train_004574", "source": "dnrti_train"}} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 .", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2017-10271": [[79, 93]]}, "info": {"id": "dnrti_train_004575", "source": "dnrti_train"}} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host .", "spans": {"Malware: PingCastle MS17-010": [[71, 90]], "Vulnerability: EternalBlue": [[218, 229]]}, "info": {"id": "dnrti_train_004576", "source": "dnrti_train"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"Vulnerability: CVE-2017-10271": [[110, 124]], "Malware: PowerShell": [[138, 148]], "System: executing": [[222, 231]], "System: using ShellExecute()": [[235, 255]]}, "info": {"id": "dnrti_train_004577", "source": "dnrti_train"}} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"Vulnerability: zero-day": [[54, 62]], "Organization: TEMP.Reaper": [[110, 121]]}, "info": {"id": "dnrti_train_004578", "source": "dnrti_train"}} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 
.", "spans": {"Organization: Zyklon": [[10, 16]], "Vulnerability: CVE-2017-8759": [[49, 62]]}, "info": {"id": "dnrti_train_004579", "source": "dnrti_train"}} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild .", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Organization: FireEye": [[37, 44]]}, "info": {"id": "dnrti_train_004580", "source": "dnrti_train"}} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office .", "spans": {"Vulnerability: CVE-2017-11882": [[37, 51]], "Organization: actors": [[86, 92]], "Vulnerability: (CVE-2017-11882)": [[146, 162]]}, "info": {"id": "dnrti_train_004581", "source": "dnrti_train"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_train_004582", "source": "dnrti_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Malware: python script": [[63, 76]], "Vulnerability: CVE-2017-0144": [[132, 145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_train_004583", "source": "dnrti_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in 
MS17-010 .", "spans": {"Organization: actors": [[15, 21]], "Vulnerability: CVE-2017-0144": [[109, 122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_train_004584", "source": "dnrti_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Malware: Microsoft .NET framework": [[121, 145]]}, "info": {"id": "dnrti_train_004585", "source": "dnrti_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: admin@338": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_004586", "source": "dnrti_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: attackers": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_004587", "source": "dnrti_train"}} {"text": "Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": {"Organization: APT12": [[31, 36]], "Malware: HIGHTIDE": [[65, 73]], "Malware: Microsoft Word": [[82, 96]], "Malware: .doc": [[99, 103]], "Vulnerability: CVE-2012-0158": [[129, 142]]}, "info": {"id": "dnrti_train_004588", "source": "dnrti_train"}} {"text": "The Sofacy group spearphished 
targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: Sofacy group": [[4, 16]], "Vulnerability: Flash exploits": [[60, 74]], "Malware: Carberp": [[92, 99]], "Malware: JHUHUGIT downloaders": [[106, 126]]}, "info": {"id": "dnrti_train_004589", "source": "dnrti_train"}} {"text": "APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: Flash exploits": [[49, 63]], "Malware: Carberp": [[81, 88]], "Malware: JHUHUGIT downloaders": [[95, 115]]}, "info": {"id": "dnrti_train_004590", "source": "dnrti_train"}} {"text": "The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: Flash exploits": [[53, 67]], "Malware: Carberp": [[85, 92]], "Malware: JHUHUGIT downloaders": [[99, 119]]}, "info": {"id": "dnrti_train_004591", "source": "dnrti_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue exploit": [[46, 65]], "Malware: open source tool": [[74, 90]], "Malware: Responder": [[91, 100]]}, "info": {"id": "dnrti_train_004592", "source": "dnrti_train"}} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": {"Malware: JHUHUGIT": [[4, 12]], "Vulnerability: Java zero-day": [[110, 123]], "Vulnerability: CVE-2015-2590": [[126, 139]]}, "info": {"id": "dnrti_train_004593", "source": "dnrti_train"}} {"text": "We are however only aware of one instance - the 
exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": {"Vulnerability: CVE-2013-0640": [[64, 77]], "Malware: MiniDuke": [[88, 96]], "Vulnerability: zero-day": [[150, 158]], "Organization: group": [[180, 185]]}, "info": {"id": "dnrti_train_004594", "source": "dnrti_train"}} {"text": "FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: APT37": [[54, 59]], "Vulnerability: zero-day Adobe Flash vulnerability": [[72, 106]], "Vulnerability: CVE-2018-4878": [[109, 122]], "Malware: DOGCALL malware": [[139, 154]]}, "info": {"id": "dnrti_train_004595", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"Organization: FireEye iSIGHT Intelligence": [[0, 27]], "Organization: APT37": [[74, 79]], "Vulnerability: zero-day Adobe Flash vulnerability": [[92, 126]], "Vulnerability: CVE-2018-4878": [[129, 142]], "Malware: DOGCALL malware": [[159, 174]]}, "info": {"id": "dnrti_train_004596", "source": "dnrti_train"}} {"text": "A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Organization: group": [[30, 35]], "Organization: hackers": [[54, 61]], "Vulnerability: zero-day exploit": [[105, 121]], "Organization: Gamma Group": [[247, 258]]}, "info": {"id": "dnrti_train_004597", "source": "dnrti_train"}} {"text": "A well-funded , highly active BlackOasis group of Middle 
Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Organization: BlackOasis group": [[30, 46]], "Organization: hackers": [[65, 72]], "Vulnerability: zero-day exploit": [[116, 132]], "Organization: Gamma Group": [[258, 269]]}, "info": {"id": "dnrti_train_004598", "source": "dnrti_train"}} {"text": "Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis group": [[20, 36]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[54, 95]], "Vulnerability: CVE-2016-4117": [[98, 111]], "Malware: FinSpy": [[158, 164]]}, "info": {"id": "dnrti_train_004599", "source": "dnrti_train"}} {"text": "Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: group": [[20, 25]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[43, 84]], "Vulnerability: CVE-2016-4117": [[87, 100]], "Malware: FinSpy": [[147, 153]]}, "info": {"id": "dnrti_train_004600", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Vulnerability: zero-day vulnerability": [[69, 91]], "System: scan-and-exploit techniques": [[146, 173]]}, "info": {"id": "dnrti_train_004601", 
"source": "dnrti_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: zero-day vulnerability": [[65, 87]], "System: scan-and-exploit techniques": [[142, 169]]}, "info": {"id": "dnrti_train_004602", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "System: phishing emails": [[23, 38]], "Malware: Daserf malware": [[96, 110]], "Vulnerability: Flash exploits": [[136, 150]]}, "info": {"id": "dnrti_train_004603", "source": "dnrti_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: group": [[4, 9]], "System: phishing emails": [[19, 34]], "Malware: Daserf malware": [[92, 106]], "Vulnerability: Flash exploits": [[132, 146]]}, "info": {"id": "dnrti_train_004604", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[62, 75]], "System: remote code execution": [[104, 125]], "Vulnerability: CVE-2016-7836": [[142, 155]]}, "info": {"id": "dnrti_train_004605", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution 
vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[82, 95]], "System: remote code execution": [[124, 145]], "Vulnerability: CVE-2016-7836": [[162, 175]]}, "info": {"id": "dnrti_train_004606", "source": "dnrti_train"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[51, 58]], "Organization: espionage": [[76, 85]]}, "info": {"id": "dnrti_train_004607", "source": "dnrti_train"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"Vulnerability: Carbanak": [[32, 40]], "Vulnerability: CVE-2013-3660": [[209, 222]]}, "info": {"id": "dnrti_train_004608", "source": "dnrti_train"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"Malware: Remote Desktop Protocol": [[57, 80]], "Malware: RDP": [[83, 86]], "Vulnerability: Carbanak": [[91, 99]]}, "info": {"id": "dnrti_train_004609", "source": "dnrti_train"}} {"text": "Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": {"Vulnerability: Carbanak": [[0, 8]]}, "info": {"id": "dnrti_train_004610", "source": "dnrti_train"}} {"text": "Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": {"Vulnerability: Carbanak": [[76, 84]]}, "info": {"id": "dnrti_train_004611", "source": "dnrti_train"}} {"text": "Existing 
telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": {"Vulnerability: Carbanak": [[38, 46]], "Organization: attackers": [[47, 56]]}, "info": {"id": "dnrti_train_004612", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_train_004613", "source": "dnrti_train"}} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"Vulnerability: Carbanak": [[72, 80]], "Organization: payment providers": [[126, 143]], "Organization: PR companies": [[166, 178]]}, "info": {"id": "dnrti_train_004614", "source": "dnrti_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_train_004615", "source": "dnrti_train"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"Vulnerability: Carbanak": [[10, 18]]}, "info": {"id": "dnrti_train_004616", "source": "dnrti_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"Vulnerability: Carbanak": [[11, 19]]}, "info": {"id": "dnrti_train_004617", "source": "dnrti_train"}} {"text": "To reduce the risk of losing 
access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": {"Vulnerability: Carbanak": [[71, 79]], "Malware: Ammy Admin": [[174, 184]], "Malware: Team Viewer": [[189, 200]]}, "info": {"id": "dnrti_train_004618", "source": "dnrti_train"}} {"text": "Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": {"Vulnerability: Carbanak": [[28, 36]]}, "info": {"id": "dnrti_train_004619", "source": "dnrti_train"}} {"text": "These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": {"Organization: criminal groups": [[28, 43]], "Organization: PoSeidon": [[104, 112]], "Vulnerability: Carbanak": [[148, 156]], "Organization: criminal organization": [[174, 195]], "Organization: Carbon Spider": [[208, 221]]}, "info": {"id": "dnrti_train_004620", "source": "dnrti_train"}} {"text": "The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": {"Organization: crime gang": [[18, 28]], "Vulnerability: Carbanak": [[40, 48]], "Organization: financial institutions": [[97, 119]]}, "info": {"id": "dnrti_train_004621", "source": "dnrti_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"Organization: cybercrime gang": [[17, 32]], "Organization: financial institutions": [[88, 110]], "Vulnerability: 
Carbanak": [[160, 168]], "Malware: Cobalt": [[173, 179]]}, "info": {"id": "dnrti_train_004622", "source": "dnrti_train"}} {"text": "Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": {"Organization: CopyKittens": [[31, 42]], "Malware: Metasploit": [[47, 57]], "Malware: Mimikatz": [[180, 188]], "Malware: Empire": [[255, 261]], "Malware: PowerShell": [[266, 276]]}, "info": {"id": "dnrti_train_004623", "source": "dnrti_train"}} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"Vulnerability: Carbanak": [[75, 83]], "Organization: cyber-criminal gang": [[88, 107]], "System: APT techniques": [[137, 151]], "Organization: financial institutions": [[209, 231]]}, "info": {"id": "dnrti_train_004624", "source": "dnrti_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]]}, "info": {"id": "dnrti_train_004625", "source": "dnrti_train"}} {"text": "In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": {"Vulnerability: Carbanak": [[29, 37]], "Organization: financial institution": [[68, 89]]}, "info": {"id": "dnrti_train_004626", "source": "dnrti_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting 
CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_train_004627", "source": "dnrti_train"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"Organization: Ke3chang": [[0, 8]], "Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Malware: Adobe PDF Reader": [[156, 172]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": {"id": "dnrti_train_004628", "source": "dnrti_train"}} {"text": "While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": {"Vulnerability: CVE-2015-8651": [[147, 160]], "Vulnerability: CVE-2016-1019": [[163, 176]], "Vulnerability: CVE-2016-4117": [[183, 196]]}, "info": {"id": "dnrti_train_004629", "source": "dnrti_train"}} {"text": "The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": {"Vulnerability: CVE-2018-4878": [[39, 52]], "Organization: attacker": [[65, 73]]}, "info": {"id": "dnrti_train_004630", "source": "dnrti_train"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_train_004631", "source": "dnrti_train"}} {"text": "WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": {"Malware: WannaCry": [[0, 8]], 
"Vulnerability: EternalBlue": [[18, 29]], "Malware: SMB": [[51, 54]]}, "info": {"id": "dnrti_train_004632", "source": "dnrti_train"}} {"text": "WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Malware: WannaCry": [[0, 8]], "Vulnerability: EternalBlue": [[44, 55]], "Organization: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_train_004633", "source": "dnrti_train"}} {"text": "Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": {"Organization: Microsoft": [[0, 9]], "Vulnerability: SMBv1 vulnerabilities": [[24, 45]]}, "info": {"id": "dnrti_train_004634", "source": "dnrti_train"}} {"text": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": {"Vulnerability: SMBv1 exploit": [[22, 35]], "Organization: Shadow Brokers": [[79, 93]], "Organization: threat group": [[94, 106]]}, "info": {"id": "dnrti_train_004635", "source": "dnrti_train"}} {"text": "If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": {"Malware: DoublePulsar backdoor": [[7, 28]], "Malware: SMB worm": [[55, 63]], "Vulnerability: Eternalblue SMBv1 exploit": [[108, 133]]}, "info": {"id": "dnrti_train_004636", "source": "dnrti_train"}} {"text": "Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": {"Organization: Leafminer": [[0, 9]], "Vulnerability: SMB vulnerabilities": [[124, 143]], "Organization: Microsoft": [[157, 166]]}, "info": {"id": "dnrti_train_004637", "source": "dnrti_train"}} {"text": "The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": 
{"Vulnerability: EternalBlue exploit": [[4, 23]], "Malware: Petya": [[137, 142]], "Malware: NotPetya": [[145, 153]]}, "info": {"id": "dnrti_train_004638", "source": "dnrti_train"}} {"text": "The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": {"Organization: Leafminer": [[4, 13]], "Organization: operators": [[14, 23]], "Vulnerability: EternalBlue": [[28, 39]]}, "info": {"id": "dnrti_train_004639", "source": "dnrti_train"}} {"text": "Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Leafminer": [[35, 44]], "Vulnerability: Heartbleed vulnerability": [[61, 85]], "Vulnerability: CVE-2014-0160": [[88, 101]]}, "info": {"id": "dnrti_train_004640", "source": "dnrti_train"}} {"text": "The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": {"Vulnerability: CVE-2017-8759": [[26, 39]]}, "info": {"id": "dnrti_train_004641", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_004642", "source": "dnrti_train"}} {"text": "The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: CVE-2012-0158": [[59, 72]]}, "info": {"id": "dnrti_train_004643", "source": "dnrti_train"}} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"Organization: Spring Dragon group": [[14, 33]], "Vulnerability: spearphish exploits": [[60, 79]], "System: strategic web compromises": [[82, 107]]}, "info": {"id": 
"dnrti_train_004644", "source": "dnrti_train"}} {"text": "The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: PDF exploits": [[41, 53]], "Vulnerability: Adobe Flash Player exploits": [[56, 83]], "Vulnerability: CVE-2012-0158": [[101, 114]], "Vulnerability: Word exploits": [[115, 128]], "Malware: Tran Duy Linh": [[175, 188]]}, "info": {"id": "dnrti_train_004645", "source": "dnrti_train"}} {"text": "While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": {"Organization: actor": [[22, 27]], "Vulnerability: CVE-2012-0158": [[67, 80]], "Organization: Spring Dragon": [[104, 117]]}, "info": {"id": "dnrti_train_004646", "source": "dnrti_train"}} {"text": "To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"Vulnerability: CVE-2017-11882": [[239, 253]]}, "info": {"id": "dnrti_train_004647", "source": "dnrti_train"}} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": {"Organization: actors": [[4, 10]], "Vulnerability: CVE-2014-6332": [[32, 45]], "Malware: Emissary": [[144, 152]]}, "info": {"id": "dnrti_train_004648", "source": "dnrti_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": 
{"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_train_004649", "source": "dnrti_train"}} {"text": "Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Vulnerability: CVE-2014-6332": [[35, 48]]}, "info": {"id": "dnrti_train_004650", "source": "dnrti_train"}} {"text": "Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Vulnerability: CVE-2014-6332": [[40, 53]], "Malware: Emissary Trojan": [[86, 101]]}, "info": {"id": "dnrti_train_004651", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_004652", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"Organization: APT34": [[19, 24]], "Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Malware: POWRUNER": [[95, 103]], "Malware: BONDUPDATER": [[108, 119]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_004653", "source": "dnrti_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], 
"Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_train_004654", "source": "dnrti_train"}} {"text": "Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others .", "spans": {"Malware: PIVY": [[16, 20]], "Vulnerability: zero-day exploit": [[42, 58]]}, "info": {"id": "dnrti_train_004655", "source": "dnrti_train"}} {"text": "It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": {"Malware: Tran Duy Linh": [[27, 40]], "Vulnerability: CVE-2012-0158": [[43, 56]]}, "info": {"id": "dnrti_train_004656", "source": "dnrti_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "System: email attachment": [[24, 40]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_train_004657", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[15, 24]], "Vulnerability: CVE-2016-4117": [[50, 63]]}, "info": {"id": "dnrti_train_004658", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": {"Organization: 
PROMETHIUM": [[0, 10]], "Organization: NEODYMIUM": [[15, 24]], "Vulnerability: zero-day exploit": [[37, 53]]}, "info": {"id": "dnrti_train_004659", "source": "dnrti_train"}} {"text": "NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Vulnerability: CVE-2016-4117": [[35, 48]], "Organization: PROMETHIUM": [[67, 77]]}, "info": {"id": "dnrti_train_004660", "source": "dnrti_train"}} {"text": "In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": {"Organization: activity groups": [[39, 54]], "Organization: PROMETHIUM": [[57, 67]], "Organization: NEODYMIUM": [[72, 81]], "Vulnerability: zeroday exploit": [[140, 155]]}, "info": {"id": "dnrti_train_004661", "source": "dnrti_train"}} {"text": "The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: hacker group": [[19, 31]], "Organization: BlackOasis": [[60, 70]], "Organization: Kaspersky": [[73, 82]], "Organization: group": [[93, 98]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[116, 157]], "Vulnerability: CVE-2016-4117": [[160, 173]], "Malware: FinSpy": [[220, 226]]}, "info": {"id": "dnrti_train_004662", "source": "dnrti_train"}} {"text": "The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": {"Organization: Kaspersky": [[17, 26]], "Vulnerability: zero-day exploit": [[52, 68]], "Organization: BlackOasis": [[77, 87]]}, "info": {"id": 
"dnrti_train_004663", "source": "dnrti_train"}} {"text": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: Microsoft": [[23, 32]], "Vulnerability: CVE-2017-11882": [[52, 66]], "Organization: FireEye": [[87, 94]], "Organization: attacker": [[107, 115]], "Vulnerability: Microsoft Office vulnerability": [[141, 171]], "Organization: government organization": [[184, 207]]}, "info": {"id": "dnrti_train_004664", "source": "dnrti_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, "info": {"id": "dnrti_train_004665", "source": "dnrti_train"}} {"text": "In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": {"Organization: APT34": [[26, 31]], "Vulnerability: Microsoft Office vulnerability": [[53, 83]], "Vulnerability: CVE-2017-11882": [[84, 98]], "Malware: POWRUNER": [[109, 117]], "Malware: BONDUPDATER": [[122, 133]]}, "info": {"id": "dnrti_train_004666", "source": "dnrti_train"}} {"text": "During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": {"Organization: APT34": [[29, 34]], "Vulnerability: CVE-2017-0199": [[125, 138]], "Vulnerability: CVE-2017-11882": [[143, 157]]}, "info": {"id": "dnrti_train_004667", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"Organization: APT34": [[19, 24]], "Vulnerability: Microsoft 
Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Malware: POWRUNER": [[95, 103]], "Malware: BONDUPDATER": [[108, 119]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_004668", "source": "dnrti_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: malicious RTF": [[31, 44]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_train_004669", "source": "dnrti_train"}} {"text": "Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": {"Vulnerability: Microsoft Windows OLE Remote Code Execution Vulnerability": [[87, 144]], "Vulnerability: CVE-2014-6332": [[147, 160]]}, "info": {"id": "dnrti_train_004670", "source": "dnrti_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_train_004671", "source": "dnrti_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: 
ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_train_004672", "source": "dnrti_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: malicious.DOC": [[86, 99]], "Vulnerability: Microsoft Common Controls vulnerability": [[119, 158]], "Vulnerability: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_train_004673", "source": "dnrti_train"}} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": {"Organization: TG-3390": [[0, 7]], "Organization: CTU": [[56, 59]], "Vulnerability: zero-day exploits": [[114, 131]]}, "info": {"id": "dnrti_train_004674", "source": "dnrti_train"}} {"text": "TG-3390 actors have used Java exploits in their SWCs .", "spans": {"Organization: TG-3390": [[0, 7]], "Vulnerability: Java exploits": [[25, 38]], "Malware: SWCs": [[48, 52]]}, "info": {"id": "dnrti_train_004675", "source": "dnrti_train"}} {"text": "In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"Organization: TG-3390": [[16, 23]], "Vulnerability: CVE-2011-3544": [[38, 51]], "Malware: HTTPBrowser backdoor": [[119, 139]], "Vulnerability: CVE-2010-0738": [[146, 159]], "Malware: JBoss": [[181, 186]]}, "info": {"id": "dnrti_train_004676", "source": "dnrti_train"}} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability 
in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"Vulnerability: CVE-2011-3544": [[49, 62]], "Malware: HTTPBrowser backdoor": [[130, 150]], "Vulnerability: CVE-2010-0738": [[157, 170]], "Malware: JBoss": [[192, 197]]}, "info": {"id": "dnrti_train_004677", "source": "dnrti_train"}} {"text": "TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": {"System: leveraging SWCs": [[48, 63]], "System: scan-and-exploit techniques": [[68, 95]]}, "info": {"id": "dnrti_train_004678", "source": "dnrti_train"}} {"text": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack .", "spans": {"Vulnerability: CVE-2017-11882": [[65, 79]], "Malware: Microsoft Office Equation Editor": [[82, 114]]}, "info": {"id": "dnrti_train_004679", "source": "dnrti_train"}} {"text": "LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[48, 78]], "Vulnerability: CVE-2017-11882": [[81, 95]]}, "info": {"id": "dnrti_train_004680", "source": "dnrti_train"}} {"text": "No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": {"Vulnerability: zero-day vulnerabilities": [[3, 27]], "Vulnerability: CVE-2011-3544": [[124, 137]], "Vulnerability: CVE-2010-0738": [[185, 198]], "Organization: Dell SecureWorks'": [[231, 248]]}, "info": {"id": "dnrti_train_004681", "source": "dnrti_train"}} {"text": "Execute a command through exploits for 
CVE-2017-11882 .", "spans": {"Vulnerability: CVE-2017-11882": [[39, 53]]}, "info": {"id": "dnrti_train_004682", "source": "dnrti_train"}} {"text": "Execute a command through exploits for CVE-2018-0802 .", "spans": {"Vulnerability: CVE-2018-0802": [[39, 52]]}, "info": {"id": "dnrti_train_004683", "source": "dnrti_train"}} {"text": "The document attached to this e-mail exploits CVE-2012-0158 .", "spans": {"Vulnerability: e-mail exploits": [[30, 45]], "Vulnerability: CVE-2012-0158": [[46, 59]]}, "info": {"id": "dnrti_train_004684", "source": "dnrti_train"}} {"text": "Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": {"Organization: Tropic Trooper": [[0, 14]], "Vulnerability: CVE-2012-0158": [[40, 53]]}, "info": {"id": "dnrti_train_004685", "source": "dnrti_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_train_004686", "source": "dnrti_train"}} {"text": "the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": {"Vulnerability: CVE-2013-5065": [[43, 56]], "Vulnerability: EoP exploit": [[57, 68]]}, "info": {"id": "dnrti_train_004687", "source": "dnrti_train"}} {"text": "While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": {"Vulnerability: CVE-2014-0515": [[89, 102]], "Vulnerability: Adobe Flash exploit": [[103, 122]], "Organization: Cisco TRAC": [[141, 151]]}, "info": {"id": "dnrti_train_004688", "source": "dnrti_train"}} {"text": 
"However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised .", "spans": {"Organization: APT20": [[36, 41]], "Vulnerability: zero-day exploits": [[50, 67]]}, "info": {"id": "dnrti_train_004689", "source": "dnrti_train"}} {"text": "PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": {"Vulnerability: Flash vulnerability": [[108, 127]], "Vulnerability: CVE-2015-5119": [[130, 143]]}, "info": {"id": "dnrti_train_004690", "source": "dnrti_train"}} {"text": "PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", "spans": {"Vulnerability: CVE-2017-7269": [[16, 29]]}, "info": {"id": "dnrti_train_004691", "source": "dnrti_train"}} {"text": "Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: flash exploit": [[96, 109]], "Vulnerability: CVE-2015-5119": [[112, 125]]}, "info": {"id": "dnrti_train_004692", "source": "dnrti_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"Malware: document": [[7, 15]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Vulnerability: CVE-2013-3906": [[80, 93]], "Vulnerability: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_train_004693", "source": "dnrti_train"}} {"text": "Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": {"Vulnerability: kit Niteris": [[38, 49]], "Malware: Corkow": [[65, 71]]}, "info": {"id": "dnrti_train_004694", "source": 
"dnrti_train"}} {"text": "The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": {"Vulnerability: CVE-2012-0773": [[4, 17]]}, "info": {"id": "dnrti_train_004695", "source": "dnrti_train"}} {"text": "The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": {"Malware: decoy documents": [[4, 19]], "Vulnerability: InPage exploits": [[32, 47]]}, "info": {"id": "dnrti_train_004696", "source": "dnrti_train"}} {"text": "While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": {"Malware: InPage software": [[40, 55]], "Organization: Unit42": [[110, 116]], "Vulnerability: InPage exploits": [[139, 154]], "Organization: Kaspersky": [[250, 259]]}, "info": {"id": "dnrti_train_004697", "source": "dnrti_train"}} {"text": "Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"Organization: Patchwork": [[12, 21]], "Vulnerability: CVE-2015-1641": [[191, 204]], "Vulnerability: CVE-2017-11882": [[209, 223]]}, "info": {"id": "dnrti_train_004698", "source": "dnrti_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Organization: Patchwork": [[9, 18]], "Malware: RTF files": [[45, 54]], "Vulnerability: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_train_004699", "source": "dnrti_train"}} {"text": "Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"Malware: Confucius'": [[0, 10]], "Vulnerability: CVE-2015-1641": 
[[105, 118]], "Vulnerability: CVE-2017-11882": [[123, 137]]}, "info": {"id": "dnrti_train_004700", "source": "dnrti_train"}} {"text": "The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": {"Malware: sctrls backdoor": [[4, 19]], "System: RTF files": [[52, 61]], "Vulnerability: CVE-2015-1641": [[73, 86]]}, "info": {"id": "dnrti_train_004701", "source": "dnrti_train"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTML Application": [[71, 87]], "Malware: HTA": [[90, 93]], "Malware: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_train_004702", "source": "dnrti_train"}} {"text": "Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": {"Vulnerability: Nitris Exploit Kit": [[27, 45]], "Vulnerability: CottonCastle": [[67, 79]]}, "info": {"id": "dnrti_train_004703", "source": "dnrti_train"}} {"text": "Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": {"Vulnerability: Niteris exploit": [[45, 60]]}, "info": {"id": "dnrti_train_004704", "source": "dnrti_train"}} {"text": "In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": {"Vulnerability: CVE-2012-0158": [[81, 94]]}, "info": {"id": "dnrti_train_004705", "source": "dnrti_train"}} {"text": "Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye 
discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": {"Organization: The Lamberts": [[45, 57]], "Organization: ITSec community": [[97, 112]], "Organization: FireEye": [[148, 155]], "Vulnerability: zero day vulnerability": [[185, 207]], "Vulnerability: CVE-2014-4148": [[210, 223]]}, "info": {"id": "dnrti_train_004706", "source": "dnrti_train"}} {"text": "The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": {"Malware: Lambert family malware": [[19, 41]], "Organization: FireEye": [[92, 99]], "Vulnerability: zero day exploit": [[122, 138]], "Vulnerability: CVE-2014-4148": [[141, 154]]}, "info": {"id": "dnrti_train_004707", "source": "dnrti_train"}} {"text": "While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": {"Vulnerability: zero-day exploit": [[125, 141]], "Vulnerability: CVE-2014-4148": [[144, 157]]}, "info": {"id": "dnrti_train_004708", "source": "dnrti_train"}} {"text": "To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": {"Malware: Lamberts toolkit": [[69, 85]], "Malware: Black Lambert": [[102, 115]], "Vulnerability: zero day exploit": [[152, 168]], "Vulnerability: CVE-2014-4148": [[171, 184]]}, "info": {"id": "dnrti_train_004709", "source": "dnrti_train"}} {"text": "This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]]}, "info": {"id": "dnrti_train_004710", "source": "dnrti_train"}} {"text": "Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]], "Malware: 
NetTraveler Trojan": [[77, 95]]}, "info": {"id": "dnrti_train_004711", "source": "dnrti_train"}} {"text": "Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: NetTraveler": [[31, 42]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Malware: NetTraveler Trojan": [[89, 107]]}, "info": {"id": "dnrti_train_004712", "source": "dnrti_train"}} {"text": "Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[24, 35]], "Vulnerability: CVE-2012-0158": [[57, 70]], "Malware: NetTraveler Trojan": [[82, 100]]}, "info": {"id": "dnrti_train_004713", "source": "dnrti_train"}} {"text": "In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Vulnerability: CVE-2012-0158": [[66, 79]], "Malware: NetTraveler Trojan": [[95, 113]]}, "info": {"id": "dnrti_train_004714", "source": "dnrti_train"}} {"text": "In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[34, 45]], "Vulnerability: CVE-2012-0158": [[67, 80]], "Malware: NetTraveler Trojan": [[96, 114]]}, "info": {"id": "dnrti_train_004715", "source": "dnrti_train"}} {"text": "In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"Malware: NetTraveler": [[38, 49]], "Vulnerability: CVE-2012-0158": [[71, 84]], "Malware: NetTraveler Trojan": [[100, 118]]}, "info": {"id": "dnrti_train_004716", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: Microsoft Office exploits": [[37, 
62]], "Malware: Exploit.MSWord.CVE-2010-333": [[110, 137]], "Malware: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "dnrti_train_004717", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_004718", "source": "dnrti_train"}} {"text": "Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"Organization: Securelist": [[21, 31]], "Vulnerability: zero-day Adobe Flash Player exploit": [[61, 96]]}, "info": {"id": "dnrti_train_004719", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": {"Vulnerability: 0-day": [[111, 116]], "Vulnerability: Adobe Flash Player exploit": [[119, 145]]}, "info": {"id": "dnrti_train_004720", "source": "dnrti_train"}} {"text": "Adobe Flash Player exploit .", "spans": {"Vulnerability: Adobe Flash Player exploit": [[0, 26]]}, "info": {"id": "dnrti_train_004721", "source": "dnrti_train"}} {"text": "It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": {"Organization: ScarCruft": [[25, 34]], "Vulnerability: zero day exploit": [[52, 68]], "Vulnerability: CVE-2016-0147": [[71, 84]]}, "info": {"id": "dnrti_train_004722", "source": "dnrti_train"}} {"text": "Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"Vulnerability: Flash Player exploit": [[35, 55]], "Vulnerability: CVE-2016-4117": [[58, 71]]}, "info": {"id": "dnrti_train_004723", "source": 
"dnrti_train"}} {"text": "ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"Organization: ScarCruft": [[0, 9]], "Vulnerability: Flash Player exploit": [[48, 68]], "Vulnerability: CVE-2016-4117": [[71, 84]]}, "info": {"id": "dnrti_train_004724", "source": "dnrti_train"}} {"text": "Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": {"Organization: ScarCruft": [[49, 58]], "Vulnerability: zero-day exploits": [[92, 109]]}, "info": {"id": "dnrti_train_004725", "source": "dnrti_train"}} {"text": "This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": {"Vulnerability: CVE-2018-8120": [[63, 76]], "Malware: UACME": [[80, 85]]}, "info": {"id": "dnrti_train_004726", "source": "dnrti_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"Vulnerability: zero-day Adobe Flash Player exploit": [[39, 74]]}, "info": {"id": "dnrti_train_004727", "source": "dnrti_train"}} {"text": "The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: CVE-2016-4117": [[77, 90]], "System: watering holes": [[105, 119]]}, "info": {"id": "dnrti_train_004728", "source": "dnrti_train"}} {"text": "The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: CVE-2016-4117": [[68, 81]], "System: watering holes": [[96, 110]]}, "info": {"id": "dnrti_train_004729", "source": "dnrti_train"}} {"text": "The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": 
{"Vulnerability: Flash zero day": [[41, 55]]}, "info": {"id": "dnrti_train_004730", "source": "dnrti_train"}} {"text": "Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": {"Vulnerability: zero-day vulnerability": [[28, 50]]}, "info": {"id": "dnrti_train_004731", "source": "dnrti_train"}} {"text": "Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": {"Organization: Kaspersky Lab": [[15, 28], [156, 169]], "Vulnerability: zero-day": [[94, 102]]}, "info": {"id": "dnrti_train_004732", "source": "dnrti_train"}} {"text": "Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: ScarCruft": [[26, 35]], "Vulnerability: zero-day": [[65, 73]], "Vulnerability: CVE-2016-0147": [[76, 89]]}, "info": {"id": "dnrti_train_004733", "source": "dnrti_train"}} {"text": "Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"Vulnerability: Flash exploit": [[65, 78]], "Vulnerability: CVE-2016-4117": [[81, 94]]}, "info": {"id": "dnrti_train_004734", "source": "dnrti_train"}} {"text": "Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": {"Vulnerability: zero day": [[82, 90]], "Vulnerability: CVE-2016-4171": [[91, 104]]}, "info": {"id": "dnrti_train_004735", "source": "dnrti_train"}} {"text": "Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an 
unknown Flash Player exploit .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Malware: stolen code signing certificate": [[39, 70]], "Vulnerability: Flash Player exploit": [[132, 152]]}, "info": {"id": "dnrti_train_004736", "source": "dnrti_train"}} {"text": "Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": {"Organization: Wild Neutron": [[0, 12]], "Vulnerability: Java zero-day exploit": [[43, 64]], "System: watering holes": [[91, 105]]}, "info": {"id": "dnrti_train_004737", "source": "dnrti_train"}} {"text": "Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": {"Vulnerability: Flash exploits": [[11, 25]], "System: watering holes": [[64, 78]], "Vulnerability: Java zero-day": [[95, 108]], "Organization: Kaspersky Lab": [[168, 181]], "Vulnerability: Exploit.Java.CVE-2012-3213.b": [[194, 222]]}, "info": {"id": "dnrti_train_004738", "source": "dnrti_train"}} {"text": "In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims .", "spans": {"Organization: Buhtrap": [[27, 34]], "Vulnerability: CVE-2019-1132": [[80, 93]]}, "info": {"id": "dnrti_train_004739", "source": "dnrti_train"}} {"text": "Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus .", "spans": {"Vulnerability: CVE-2018-8414": [[74, 87]], "Organization: DarkHydrus": [[177, 187]]}, "info": {"id": "dnrti_train_004740", "source": "dnrti_train"}} {"text": "WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any 
unpatched computers on the victim's network and also to other vulnerable computers connected to the internet .", "spans": {"Vulnerability: CVE-2017-0144": [[100, 113]], "Vulnerability: CVE-2017-0145": [[118, 131]]}, "info": {"id": "dnrti_train_004741", "source": "dnrti_train"}} {"text": "One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec .", "spans": {"Vulnerability: zero-day vulnerability": [[31, 53]], "Organization: Symantec": [[84, 92]]}, "info": {"id": "dnrti_train_004742", "source": "dnrti_train"}} {"text": "Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": {"Organization: Bemstour": [[0, 8]], "Vulnerability: vulnerabilities": [[30, 45]]}, "info": {"id": "dnrti_train_004743", "source": "dnrti_train"}} {"text": "The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak .", "spans": {"Vulnerability: vulnerability": [[19, 32]], "Organization: Shadow Brokers": [[211, 225]]}, "info": {"id": "dnrti_train_004744", "source": "dnrti_train"}} {"text": "These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 .", "spans": {"Vulnerability: CVE-2010-3962": [[14, 27]], "Vulnerability: CVE-2014-1776": [[70, 83]]}, "info": {"id": "dnrti_train_004745", "source": "dnrti_train"}} {"text": "Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group .", "spans": {"Organization: Shadow Brokers": [[54, 68]], "Organization: Equation": [[130, 138]]}, "info": {"id": "dnrti_train_004746", "source": "dnrti_train"}} {"text": "The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests .", "spans": 
{"Organization: Symantec": [[49, 57]], "Vulnerability: (CVE-2019-0703)": [[58, 73]]}, "info": {"id": "dnrti_train_004747", "source": "dnrti_train"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"Vulnerability: CVE-2017-0143": [[0, 13]], "Malware: tools—EternalRomance": [[49, 69]], "Malware: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_train_004748", "source": "dnrti_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"Malware: RTF": [[5, 8]], "Vulnerability: CVE-2017_1882": [[28, 41]], "Malware: eqnedt32.exe": [[45, 57]]}, "info": {"id": "dnrti_train_004749", "source": "dnrti_train"}} {"text": "At this time , we do not believe that the attackers found a new ASA exploit .", "spans": {"Organization: we": [[15, 17]], "Organization: attackers": [[42, 51]], "Vulnerability: ASA": [[64, 67]], "Vulnerability: exploit": [[68, 75]]}, "info": {"id": "dnrti_train_004750", "source": "dnrti_train"}} {"text": "We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor .", "spans": {"Organization: groups": [[15, 21]], "Vulnerability: CVE-2018-0798": [[35, 48]]}, "info": {"id": "dnrti_train_004751", "source": "dnrti_train"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_train_004752", "source": "dnrti_train"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the 
CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"Malware: RTF files": [[52, 61]], "Vulnerability: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_train_004753", "source": "dnrti_train"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Organization: Anomali": [[0, 7]], "Malware: ITW": [[86, 89]], "Vulnerability: CVE-2018-0798": [[117, 130]]}, "info": {"id": "dnrti_train_004754", "source": "dnrti_train"}} {"text": "CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption .", "spans": {"Vulnerability: CVE-2018-0798": [[0, 13]], "Organization: threat actor": [[91, 103]]}, "info": {"id": "dnrti_train_004755", "source": "dnrti_train"}} {"text": "As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity .", "spans": {"Vulnerability: CVE-2017-11882": [[28, 42]], "Vulnerability: CVE-2018-0802": [[47, 60]], "Malware: weaponizer": [[67, 77]], "Organization: actors": [[126, 132]]}, "info": {"id": "dnrti_train_004756", "source": "dnrti_train"}} {"text": "Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer .", "spans": {"Organization: threat groups": [[90, 103]], "Vulnerability: CVE-2018-0798": [[122, 135]], "Malware: RTF weaponizer": [[145, 159]]}, "info": {"id": "dnrti_train_004757", "source": "dnrti_train"}} {"text": "These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers .", 
"spans": {"Organization: threat groups": [[37, 50]], "Vulnerability: CVE-2018-0798": [[103, 116]]}, "info": {"id": "dnrti_train_004758", "source": "dnrti_train"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"Vulnerability: CVE-2017-11882": [[66, 80]], "Malware: 'NavShExt.dll'": [[147, 161]], "Malware: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_train_004759", "source": "dnrti_train"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: CVE-2017-1182": [[87, 100]], "Malware: Microsoft Equation Editor": [[118, 143]], "Malware: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_train_004760", "source": "dnrti_train"}} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 .", "spans": {"Organization: Attackers": [[0, 9]], "Vulnerability: CVE-2018-0798": [[54, 67]], "Organization: Maudi": [[145, 150]]}, "info": {"id": "dnrti_train_004761", "source": "dnrti_train"}} {"text": "specifically CVE-2018-0798 , before downloading subsequent payloads .", "spans": {"Vulnerability: CVE-2018-0798": [[13, 26]]}, "info": {"id": "dnrti_train_004762", "source": "dnrti_train"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"Organization: ‘Operation Sheep’": [[7, 24]], 
"Vulnerability: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "dnrti_train_004763", "source": "dnrti_train"}} {"text": "Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence .", "spans": {"Organization: APT41": [[10, 15]], "System: using proof-of-concept": [[29, 51]], "Vulnerability: exploit": [[52, 59]], "Vulnerability: CVE-2019-3396": [[69, 82]]}, "info": {"id": "dnrti_train_004764", "source": "dnrti_train"}} {"text": "We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Organization: BalkanDoor": [[34, 44]], "Vulnerability: CVE-2018-20250": [[134, 148]]}, "info": {"id": "dnrti_train_004765", "source": "dnrti_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Malware: BalkanDoor": [[33, 43]], "Vulnerability: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_train_004766", "source": "dnrti_train"}} {"text": "The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit .", "spans": {"Organization: actor": [[4, 9]], "Vulnerability: CVE-2018–8440": [[30, 43]], "Vulnerability: vulnerability": [[72, 85]], "Vulnerability: proof-of-concept": [[208, 224]], "Vulnerability: exploit": [[225, 232]]}, "info": {"id": "dnrti_train_004767", "source": "dnrti_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects 
on the server .", "spans": {"Malware: China Chopper": [[4, 17]], "Vulnerability: CVE-2015-0062": [[146, 159]], "Vulnerability: CVE-2015-1701": [[162, 175]], "Vulnerability: CVE-2016-0099": [[180, 193]], "Organization: attacker": [[207, 215]]}, "info": {"id": "dnrti_train_004768", "source": "dnrti_train"}} {"text": "Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 .", "spans": {"Organization: Cloud Atlas": [[13, 24]], "Vulnerability: CVE-2017-11882": [[140, 154]], "Vulnerability: CVE-2018-0802": [[166, 179]]}, "info": {"id": "dnrti_train_004769", "source": "dnrti_train"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]]}, "info": {"id": "dnrti_train_004770", "source": "dnrti_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_train_004771", "source": "dnrti_train"}} {"text": "Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": {"Vulnerability: exploit": [[65, 72]], "Vulnerability: CVE-2017-11882 vulnerability": [[81, 109]]}, "info": {"id": "dnrti_train_004772", "source": "dnrti_train"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"Vulnerability: exploit": [[4, 11]], "Organization: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_train_004773", "source": "dnrti_train"}} {"text": "We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and 
eventually install a webshell .", "spans": {"Organization: Emissary Panda": [[11, 25]], "Vulnerability: vulnerability": [[55, 68]], "Vulnerability: CVE-2019-0604": [[104, 117]]}, "info": {"id": "dnrti_train_004774", "source": "dnrti_train"}} {"text": "Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 .", "spans": {"Vulnerability: CVE-2017-0144": [[75, 88]]}, "info": {"id": "dnrti_train_004775", "source": "dnrti_train"}} {"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems .", "spans": {"Malware: NetWire": [[0, 7]], "Malware: DarkComet": [[10, 19]], "Malware: NanoCore": [[22, 30]], "Malware: LuminosityLink": [[33, 47]], "Malware: Remcos": [[50, 56]], "Malware: Imminent Monitor": [[61, 77]]}, "info": {"id": "dnrti_train_004776", "source": "dnrti_train"}} {"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes .", "spans": {"Organization: threat actor": [[53, 65]], "Malware: mimikatz": [[81, 89]]}, "info": {"id": "dnrti_train_004777", "source": "dnrti_train"}} {"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic .", "spans": {"Malware: connection bouncer": [[7, 25]], "Organization: threat actor": [[42, 54]]}, "info": {"id": "dnrti_train_004778", "source": "dnrti_train"}} {"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality .", "spans": {}, "info": {"id": "dnrti_train_004779", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": 
[[18, 27]]}, "info": {"id": "dnrti_train_004780", "source": "dnrti_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_train_004781", "source": "dnrti_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_train_004782", "source": "dnrti_train"}} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan .", "spans": {"Malware: Pony malware": [[102, 114]]}, "info": {"id": "dnrti_train_004783", "source": "dnrti_train"}} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": {"Malware: RIPPER": [[0, 6]]}, "info": {"id": "dnrti_train_004784", "source": "dnrti_train"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": {"Malware: RIPPER": [[0, 6]], "Organization: ATM vendors": [[77, 88]]}, "info": {"id": "dnrti_train_004785", "source": "dnrti_train"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine .", "spans": {"Malware: RIPPER": [[58, 64]]}, "info": {"id": "dnrti_train_004786", "source": "dnrti_train"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": {"Malware: malware": [[5, 12]]}, "info": 
{"id": "dnrti_train_004787", "source": "dnrti_train"}} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August .", "spans": {"Malware: Locky": [[43, 48]]}, "info": {"id": "dnrti_train_004788", "source": "dnrti_train"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": {"Malware: Ploutus": [[55, 62]]}, "info": {"id": "dnrti_train_004789", "source": "dnrti_train"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: Ploutus": [[68, 75]], "Malware: Ploutus-D": [[85, 94]]}, "info": {"id": "dnrti_train_004790", "source": "dnrti_train"}} {"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks .", "spans": {"Organization: NSA": [[48, 51]]}, "info": {"id": "dnrti_train_004791", "source": "dnrti_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"Vulnerability: Cisco exploits": [[36, 50]]}, "info": {"id": "dnrti_train_004792", "source": "dnrti_train"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines .", "spans": {"Malware: DanderSpritz": [[0, 12]]}, "info": {"id": "dnrti_train_004793", "source": "dnrti_train"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines .", "spans": {"Malware: DanderSpritz": [[0, 12]]}, "info": {"id": "dnrti_train_004794", 
"source": "dnrti_train"}} {"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines .", "spans": {"Malware: PeddleCheap": [[0, 11]], "Malware: DanderSpritz": [[27, 39]]}, "info": {"id": "dnrti_train_004795", "source": "dnrti_train"}} {"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims .", "spans": {"Malware: FuzzBunch plugins": [[79, 96]], "Malware: DanderSpritz": [[172, 184]]}, "info": {"id": "dnrti_train_004796", "source": "dnrti_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_train_004797", "source": "dnrti_train"}} {"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency – NSA 's hacking tools and tactics .", "spans": {"Organization: ShadowBrokers": [[4, 17]], "Organization: NSA": [[117, 120]]}, "info": {"id": "dnrti_train_004798", "source": "dnrti_train"}} {"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives .", "spans": {}, "info": {"id": "dnrti_train_004799", "source": "dnrti_train"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": {"Malware: Canhadr/Ndriver": [[29, 44]]}, "info": {"id": 
"dnrti_train_004800", "source": "dnrti_train"}} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad .", "spans": {}, "info": {"id": "dnrti_train_004801", "source": "dnrti_train"}} {"text": "The Ham Backdoor functions primarily as a modular platform , which provides the attacker with the ability to directly download additional modules and execute them in memory from the command and control ( C2 ) server .", "spans": {"Malware: Ham Backdoor": [[4, 16]]}, "info": {"id": "dnrti_train_004802", "source": "dnrti_train"}} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"Malware: Emotet": [[46, 52], [166, 172]]}, "info": {"id": "dnrti_train_004803", "source": "dnrti_train"}} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"Malware: Emotet": [[162, 168]]}, "info": {"id": "dnrti_train_004804", "source": "dnrti_train"}} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German .", "spans": {"System: Emotet-laden emails": [[62, 81]]}, "info": {"id": "dnrti_train_004805", "source": "dnrti_train"}} {"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions .", "spans": {"Malware: DanaBot": [[0, 7]], "Malware: Trojan": [[13, 19]]}, "info": {"id": "dnrti_train_004806", "source": "dnrti_train"}} {"text": "Two binder tools — used to disguise 
custom executables as legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 .", "spans": {"Organization: Microsoft": [[69, 78]], "Organization: Falcon Intelligence": [[109, 128]], "Organization: MYTHIC LEOPARD": [[143, 157]]}, "info": {"id": "dnrti_train_004807", "source": "dnrti_train"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers .", "spans": {"Malware: Neptun": [[0, 6]], "Organization: attackers": [[108, 117]]}, "info": {"id": "dnrti_train_004808", "source": "dnrti_train"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory .", "spans": {"Malware: CreateRemoteThread": [[192, 210]], "Malware: WriteProcessMemory": [[214, 232]]}, "info": {"id": "dnrti_train_004809", "source": "dnrti_train"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier .", "spans": {"Malware: it": [[26, 28]]}, "info": {"id": "dnrti_train_004810", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_004811", "source": "dnrti_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_train_004812", "source": "dnrti_train"}} {"text": "Once downloaded and 
executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_train_004813", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_004814", "source": "dnrti_train"}} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors .", "spans": {"Organization: groups": [[5, 11]], "Malware: PLATINUM backdoors": [[92, 110]]}, "info": {"id": "dnrti_train_004815", "source": "dnrti_train"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory .", "spans": {"Malware: CreateRemoteThread": [[192, 210]], "Malware: WriteProcessMemory": [[214, 232]]}, "info": {"id": "dnrti_train_004816", "source": "dnrti_train"}} {"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process .", "spans": {"Malware: operating system-supported feature": [[19, 53]]}, "info": {"id": "dnrti_train_004817", "source": "dnrti_train"}} {"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication .", "spans": {"System: AMT SOL": [[66, 73]]}, "info": {"id": "dnrti_train_004818", "source": "dnrti_train"}} {"text": "The folders seem to contain information about the company 's development documentation , artificial 
intelligence model , web security software , and antivirus software base code .", "spans": {"Malware: folders": [[4, 11]]}, "info": {"id": "dnrti_train_004819", "source": "dnrti_train"}} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files .", "spans": {"Malware: Hermes": [[20, 26]], "Malware: Ryuk": [[30, 34], [45, 49]], "Malware: AES": [[84, 87]], "Malware: RSA": [[107, 110]]}, "info": {"id": "dnrti_train_004820", "source": "dnrti_train"}} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails .", "spans": {"System: phone calls": [[150, 161]], "System: text messages": [[164, 177]], "System: Skype calls": [[180, 191]], "System: emails": [[197, 203]]}, "info": {"id": "dnrti_train_004821", "source": "dnrti_train"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier .", "spans": {"Malware: it": [[26, 28]]}, "info": {"id": "dnrti_train_004822", "source": "dnrti_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_train_004823", "source": "dnrti_train"}} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server .", "spans": {"Malware: GoogleUpdate.exe": [[4, 20]]}, "info": {"id": "dnrti_train_004824", "source": "dnrti_train"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries .", "spans": {"Malware: malware": [[15, 22]]}, "info": {"id": "dnrti_train_004825", "source": "dnrti_train"}} {"text": "They also download 
apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage .", "spans": {"Malware: They": [[0, 4]]}, "info": {"id": "dnrti_train_004826", "source": "dnrti_train"}} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system .", "spans": {"Organization: SectorJ04": [[4, 13]], "System: spear phishing email": [[38, 58]], "Malware: document files": [[106, 120]], "Organization: attacker": [[188, 196]]}, "info": {"id": "dnrti_train_004827", "source": "dnrti_train"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format .", "spans": {"Malware: email stealer": [[4, 17]]}, "info": {"id": "dnrti_train_004828", "source": "dnrti_train"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]]}, "info": {"id": "dnrti_train_004829", "source": "dnrti_train"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine .", "spans": {"Malware: Silence.Downloader": [[17, 35]]}, "info": {"id": "dnrti_train_004830", "source": "dnrti_train"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server .", "spans": {"Malware: Silence.MainModule": [[0, 18]]}, "info": {"id": "dnrti_train_004831", "source": "dnrti_train"}} {"text": "PlugX is a 
modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more .", "spans": {"Malware: PlugX": [[0, 5]]}, "info": {"id": "dnrti_train_004832", "source": "dnrti_train"}} {"text": "TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution .", "spans": {"Malware: TONEDEAF": [[0, 8]]}, "info": {"id": "dnrti_train_004833", "source": "dnrti_train"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file .", "spans": {"Malware: PICKPOCKET": [[0, 10]]}, "info": {"id": "dnrti_train_004834", "source": "dnrti_train"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation .", "spans": {"Malware: GRIFFON": [[35, 42]]}, "info": {"id": "dnrti_train_004835", "source": "dnrti_train"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method .", "spans": {"Malware: GRIFFON": [[8, 15]]}, "info": {"id": "dnrti_train_004836", "source": "dnrti_train"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger .", "spans": {"Malware: AveMaria": [[10, 18]]}, "info": {"id": "dnrti_train_004837", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_004838", "source": "dnrti_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for 
the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"Malware: malware": [[4, 11]], "Malware: CMD/PowerShell": [[40, 54]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_train_004839", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_004840", "source": "dnrti_train"}} {"text": "The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets .", "spans": {"Malware: LOWBALL": [[4, 11]], "Organization: group": [[43, 48]], "Malware: BUBBLEWRAP": [[106, 116]]}, "info": {"id": "dnrti_train_004841", "source": "dnrti_train"}} {"text": "The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system .", "spans": {"Malware: VNC": [[48, 51]]}, "info": {"id": "dnrti_train_004842", "source": "dnrti_train"}} {"text": "The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant .", "spans": {"Malware: IndiaBravo-PapaAlfa installer": [[4, 33]]}, "info": {"id": "dnrti_train_004843", "source": "dnrti_train"}} {"text": "These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures .", "spans": {}, "info": {"id": "dnrti_train_004844", "source": "dnrti_train"}} {"text": "The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine .", "spans": {"Malware: wipers": [[42, 48]]}, "info": {"id": "dnrti_train_004845", "source": "dnrti_train"}} {"text": 
"DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server .", "spans": {"Malware: DDoS malware": [[0, 12]]}, "info": {"id": "dnrti_train_004846", "source": "dnrti_train"}} {"text": "The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet .", "spans": {"Organization: Novetta": [[26, 33]], "Organization: International Civil Aviation Organization": [[165, 206]]}, "info": {"id": "dnrti_train_004847", "source": "dnrti_train"}} {"text": "Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable .", "spans": {}, "info": {"id": "dnrti_train_004848", "source": "dnrti_train"}} {"text": "This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans .", "spans": {}, "info": {"id": "dnrti_train_004849", "source": "dnrti_train"}} {"text": "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors .", "spans": {"Malware: FALLCHILL": [[0, 9]], "Malware: HIDDEN COBRA malware": [[64, 84]], "Organization: HIDDEN COBRA actors": [[165, 184]]}, "info": {"id": "dnrti_train_004850", "source": "dnrti_train"}} {"text": "As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories .", "spans": {"Malware: backdoor Trojan": [[5, 20]], "Malware: Volgmer": [[23, 30]]}, "info": {"id": "dnrti_train_004851", "source": "dnrti_train"}} 
{"text": "RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders .", "spans": {"Malware: RATANKBA": [[0, 8]], "Malware: Microsoft Office documents": [[83, 109]], "Malware: CHM files": [[122, 131]]}, "info": {"id": "dnrti_train_004852", "source": "dnrti_train"}} {"text": "These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections .", "spans": {"Malware: RATs": [[108, 112]]}, "info": {"id": "dnrti_train_004853", "source": "dnrti_train"}} {"text": "The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities .", "spans": {"Malware: WannaCry malware": [[4, 20]], "Malware: SMB": [[180, 183]]}, "info": {"id": "dnrti_train_004854", "source": "dnrti_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"Malware: WannaCry": [[0, 8]], "Malware: .WCRY": [[47, 52]]}, "info": {"id": "dnrti_train_004855", "source": "dnrti_train"}} {"text": "WCry uses a combination of the RSA and AES algorithms to encrypt files .", "spans": {"Malware: WCry": [[0, 4]], "Malware: RSA": [[31, 34]], "Malware: AES": [[39, 42]]}, "info": {"id": "dnrti_train_004856", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_004857", "source": "dnrti_train"}} {"text": "Depending on placement , a web shell can provide continued access to 
victims ' environments , re-infect victim systems , and facilitate lateral movement .", "spans": {}, "info": {"id": "dnrti_train_004858", "source": "dnrti_train"}} {"text": "While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access .", "spans": {"Organization: threat actors": [[119, 132]]}, "info": {"id": "dnrti_train_004859", "source": "dnrti_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"Malware: c:\\temp\\rr.exe": [[54, 68]]}, "info": {"id": "dnrti_train_004860", "source": "dnrti_train"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"Malware: DropIt sample": [[28, 41]], "Malware: %TEMP%\\flash_update.exe": [[179, 202]], "Malware: Flash Player installer": [[227, 249]]}, "info": {"id": "dnrti_train_004861", "source": "dnrti_train"}} {"text": "DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor .", "spans": {"Malware: DROPSHOT": [[0, 8]], "Malware: malware": [[31, 38]]}, "info": {"id": "dnrti_train_004862", "source": "dnrti_train"}} {"text": "The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files .", "spans": {"Malware: SHAPESHIFT wiper": [[4, 20]]}, "info": {"id": "dnrti_train_004863", "source": "dnrti_train"}} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"Malware: HTA files": [[4, 13]]}, "info": {"id": "dnrti_train_004864", "source": "dnrti_train"}} {"text": "The 
attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised .", "spans": {"Organization: attacker": [[4, 12]], "System: spear-phishing email": [[20, 40]]}, "info": {"id": "dnrti_train_004865", "source": "dnrti_train"}} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims .", "spans": {}, "info": {"id": "dnrti_train_004866", "source": "dnrti_train"}} {"text": "The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks .", "spans": {"Malware: PowerShell command": [[16, 34]], "Malware: PupyRAT": [[103, 110]], "Malware: research and penetration-testing tool": [[115, 152]]}, "info": {"id": "dnrti_train_004867", "source": "dnrti_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"Malware: ChopShop1": [[0, 9]], "Organization: MITRE Corporation": [[46, 63]]}, "info": {"id": "dnrti_train_004868", "source": "dnrti_train"}} {"text": "Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com .", "spans": {"Malware: Poison Ivy": [[0, 10]]}, "info": {"id": "dnrti_train_004869", "source": "dnrti_train"}} {"text": "Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying .", "spans": {"Malware: Poison Ivy": [[0, 10]], "Malware: RATs": [[58, 62]]}, "info": {"id": "dnrti_train_004870", "source": "dnrti_train"}} {"text": "The Poison Ivy builder kit allows attackers to customize 
and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering .", "spans": {"Malware: Poison Ivy": [[4, 14]], "Organization: attackers": [[34, 43]]}, "info": {"id": "dnrti_train_004871", "source": "dnrti_train"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"Malware: Powermud backdoor": [[29, 46]], "Malware: Backdoor.Powemuddy": [[66, 84]], "Malware: custom tools": [[93, 105]], "Malware: makecab.exe": [[238, 249]]}, "info": {"id": "dnrti_train_004872", "source": "dnrti_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"Malware: Microsoft Word document": [[60, 83]]}, "info": {"id": "dnrti_train_004873", "source": "dnrti_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"Organization: OilRig": [[65, 71]], "Malware: Clayslide delivery documents": [[79, 107]]}, "info": {"id": "dnrti_train_004874", "source": "dnrti_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"Malware: Equation Editor": [[36, 51]], "Malware: EQNEDT32.EXE": [[54, 66]]}, "info": {"id": 
"dnrti_train_004875", "source": "dnrti_train"}} {"text": "ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine .", "spans": {"Malware: ISMDoor": [[0, 7]]}, "info": {"id": "dnrti_train_004876", "source": "dnrti_train"}} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": {"Malware: cmd.exe": [[80, 87]]}, "info": {"id": "dnrti_train_004877", "source": "dnrti_train"}} {"text": "Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible .", "spans": {"Malware: Taidoor malware": [[41, 56]]}, "info": {"id": "dnrti_train_004878", "source": "dnrti_train"}} {"text": "This script relays commands and output between the controller and the system .", "spans": {}, "info": {"id": "dnrti_train_004879", "source": "dnrti_train"}} {"text": "But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface .", "spans": {"Malware: ASPXTool": [[46, 54]], "Malware: OwaAuth credential stealing tool": [[189, 221]], "Malware: Web shell": [[226, 235]]}, "info": {"id": "dnrti_train_004880", "source": "dnrti_train"}} {"text": "PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land .", "spans": {"Malware: PsExec": [[0, 6]]}, "info": {"id": "dnrti_train_004881", "source": "dnrti_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional 
features designed to avoid detection .", "spans": {"Malware: Catchamas": [[0, 9]]}, "info": {"id": "dnrti_train_004882", "source": "dnrti_train"}} {"text": "As detailed in the previous section , this malware is able to manipulate and exfiltrate emails .", "spans": {}, "info": {"id": "dnrti_train_004883", "source": "dnrti_train"}} {"text": "Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" .", "spans": {"Organization: Kazuar": [[0, 6]]}, "info": {"id": "dnrti_train_004884", "source": "dnrti_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"Malware: MXI Player": [[0, 10]]}, "info": {"id": "dnrti_train_004885", "source": "dnrti_train"}} {"text": "Using XREFs during static analysis is a common technique to quickly find where functions of interest are called .", "spans": {"Malware: XREFs": [[6, 11]]}, "info": {"id": "dnrti_train_004886", "source": "dnrti_train"}} {"text": "Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server .", "spans": {"Malware: Bookworm": [[27, 35], [83, 91]], "Malware: Leader": [[246, 252]]}, "info": {"id": "dnrti_train_004887", "source": "dnrti_train"}} {"text": "As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code .", "spans": {"Malware: Bookworm": [[37, 45]], "Malware: Trojan": [[52, 58]]}, "info": {"id": "dnrti_train_004888", "source": "dnrti_train"}} {"text": "We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of 
the malware , we think these static dates could also be a build identifier for the Trojan .", "spans": {"Malware: date code": [[43, 52]]}, "info": {"id": "dnrti_train_004889", "source": "dnrti_train"}} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"Malware: date string hardcoded": [[26, 47]], "Malware: Bookworm sample": [[58, 73]]}, "info": {"id": "dnrti_train_004890", "source": "dnrti_train"}} {"text": "A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting .", "spans": {}, "info": {"id": "dnrti_train_004891", "source": "dnrti_train"}} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"Malware: date string": [[35, 46]], "Malware: date codes": [[64, 74]], "Malware: Bookworm": [[120, 128]]}, "info": {"id": "dnrti_train_004892", "source": "dnrti_train"}} {"text": "We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information .", "spans": {"Malware: Bookworm samples": [[16, 32]]}, "info": {"id": "dnrti_train_004893", "source": "dnrti_train"}} {"text": "Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) .", "spans": {}, "info": {"id": "dnrti_train_004894", "source": "dnrti_train"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"Malware: Careto": [[59, 65]]}, "info": {"id": "dnrti_train_004895", "source": "dnrti_train"}} {"text": "Tweety Chat 's Android version can record audio , too .", "spans": {"Malware: Tweety Chat": 
[[0, 11]]}, "info": {"id": "dnrti_train_004896", "source": "dnrti_train"}} {"text": "One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files .", "spans": {"Malware: swissknife2": [[27, 38]]}, "info": {"id": "dnrti_train_004897", "source": "dnrti_train"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"Malware: CONFUCIUS_B": [[4, 15]], "Malware: RTLO": [[104, 108]]}, "info": {"id": "dnrti_train_004898", "source": "dnrti_train"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": {"Malware: Android version": [[4, 19]]}, "info": {"id": "dnrti_train_004899", "source": "dnrti_train"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"Malware: bot": [[5, 8]]}, "info": {"id": "dnrti_train_004900", "source": "dnrti_train"}} {"text": "To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA .", "spans": {"Malware: keyloggers": [[44, 54]], "Malware: Corkow": [[66, 72]]}, "info": {"id": "dnrti_train_004901", "source": "dnrti_train"}} {"text": "Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. 
Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials .", "spans": {"Organization: Palo Alto Networks": [[0, 18]], "Malware: Infy": [[190, 194], [242, 246]], "Malware: Infy M.": [[199, 206]], "Malware: malware": [[257, 264]], "Malware: keylogger": [[298, 307]]}, "info": {"id": "dnrti_train_004902", "source": "dnrti_train"}} {"text": "At this stage , the malware gathers information about the infected computer .", "spans": {}, "info": {"id": "dnrti_train_004903", "source": "dnrti_train"}} {"text": "Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": {"Malware: Win32/Barlaiy": [[37, 50]]}, "info": {"id": "dnrti_train_004904", "source": "dnrti_train"}} {"text": "The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": {"Malware: Windows 10 Creators Update": [[4, 30]], "Organization: Windows Defender ATP": [[66, 86]], "Organization: SOC personnel": [[105, 118]]}, "info": {"id": "dnrti_train_004905", "source": "dnrti_train"}} {"text": "If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc .", "spans": {}, "info": {"id": "dnrti_train_004906", "source": "dnrti_train"}} {"text": "Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file .", "spans": {"Malware: Lurk": [[0, 4]]}, "info": {"id": "dnrti_train_004907", "source": "dnrti_train"}} {"text": "To do this , it employs a number of specific commands via DNSMessenger .", "spans": {"Malware: DNSMessenger": [[58, 70]]}, "info": {"id": 
"dnrti_train_004908", "source": "dnrti_train"}} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"Malware: document": [[5, 13]]}, "info": {"id": "dnrti_train_004909", "source": "dnrti_train"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"Malware: exploit code": [[13, 25]]}, "info": {"id": "dnrti_train_004910", "source": "dnrti_train"}} {"text": "We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures .", "spans": {"Malware: KeyBoy samples": [[38, 52]]}, "info": {"id": "dnrti_train_004911", "source": "dnrti_train"}} {"text": "KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine .", "spans": {"Malware: KeyBoy": [[0, 6]]}, "info": {"id": "dnrti_train_004912", "source": "dnrti_train"}} {"text": "If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite .", "spans": {"Malware: KeyBoy": [[3, 9]], "Malware: configuration encoding algorithm": [[134, 166]]}, "info": {"id": "dnrti_train_004913", "source": "dnrti_train"}} {"text": "The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data .", "spans": 
{"Malware: NetTraveler trojan": [[4, 22]]}, "info": {"id": "dnrti_train_004914", "source": "dnrti_train"}} {"text": "This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard .", "spans": {}, "info": {"id": "dnrti_train_004915", "source": "dnrti_train"}} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"Malware: .lnk file": [[53, 62]]}, "info": {"id": "dnrti_train_004916", "source": "dnrti_train"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Malware: attachment": [[35, 45]], "Malware: NetTraveler": [[79, 90]], "Malware: DLL side-loading": [[99, 115]]}, "info": {"id": "dnrti_train_004917", "source": "dnrti_train"}} {"text": "In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files .", "spans": {"Malware: NetTraveler toolkit": [[18, 37]]}, "info": {"id": "dnrti_train_004918", "source": "dnrti_train"}} {"text": "The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"Organization: PassCV group": [[4, 16]], "Malware: publicly available RATs": [[36, 59]]}, "info": {"id": "dnrti_train_004919", "source": "dnrti_train"}} {"text": "he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"Organization: 
PassCV": [[3, 9]], "Malware: publicly available RATs": [[35, 58]]}, "info": {"id": "dnrti_train_004920", "source": "dnrti_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_train_004921", "source": "dnrti_train"}} {"text": "One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges .", "spans": {"Malware: dropper": [[49, 56]]}, "info": {"id": "dnrti_train_004922", "source": "dnrti_train"}} {"text": "Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it .", "spans": {}, "info": {"id": "dnrti_train_004923", "source": "dnrti_train"}} {"text": "The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload .", "spans": {"Malware: downloader malware": [[4, 22]]}, "info": {"id": "dnrti_train_004924", "source": "dnrti_train"}} {"text": "He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software .", "spans": {}, "info": {"id": "dnrti_train_004925", "source": "dnrti_train"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": {"Malware: wuaupdt.exe": [[0, 11]], "Malware: CMD": [[17, 20]]}, "info": {"id": "dnrti_train_004926", "source": "dnrti_train"}} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": {"Malware: AutoHotKey scripts": [[66, 84]]}, "info": {"id": "dnrti_train_004927", "source": "dnrti_train"}} {"text": "The RAT , however , had a 
multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": {"Malware: RAT": [[4, 7]]}, "info": {"id": "dnrti_train_004928", "source": "dnrti_train"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": {"Malware: Bemstour": [[0, 8]], "Malware: DoublePulsar backdoor": [[62, 83]]}, "info": {"id": "dnrti_train_004929", "source": "dnrti_train"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": {"Malware: DoublePulsar": [[0, 12]]}, "info": {"id": "dnrti_train_004930", "source": "dnrti_train"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", "spans": {"Malware: Okrum": [[52, 57]]}, "info": {"id": "dnrti_train_004931", "source": "dnrti_train"}} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space .", "spans": {"Organization: threat actors": [[4, 17]]}, "info": {"id": "dnrti_train_004932", "source": "dnrti_train"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": {"Malware: Sea Turtle": [[67, 77]]}, "info": {"id": "dnrti_train_004933", "source": "dnrti_train"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": {"Malware: xlsm file": [[38, 47]], "Malware: it": [[50, 52]]}, "info": {"id": "dnrti_train_004934", "source": "dnrti_train"}} {"text": "The increasing sophistication of surveillance techniques 
has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization .", "spans": {"Malware: Weeping Angel": [[111, 124]], "Organization: CIA's": [[144, 149]], "Malware: smart TVs": [[196, 205]]}, "info": {"id": "dnrti_train_004935", "source": "dnrti_train"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies .", "spans": {"Malware: Margarita": [[33, 42]]}, "info": {"id": "dnrti_train_004936", "source": "dnrti_train"}} {"text": "The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"Malware: Honeycomb": [[4, 13]]}, "info": {"id": "dnrti_train_004937", "source": "dnrti_train"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": {"Malware: UMBRAGE": [[0, 7]]}, "info": {"id": "dnrti_train_004938", "source": "dnrti_train"}} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) .", "spans": {"Malware: 'Improvise'": [[0, 11]], "System: Windows": [[182, 189]], "System: MacOS": [[204, 209]], "System: Linux": [[224, 229]]}, "info": {"id": "dnrti_train_004939", "source": "dnrti_train"}} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the 
victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": {"Malware: sample": [[5, 11]], "Malware: Trochilus": [[31, 40]]}, "info": {"id": "dnrti_train_004940", "source": "dnrti_train"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": {"Malware: configuration file": [[4, 22]]}, "info": {"id": "dnrti_train_004941", "source": "dnrti_train"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials .", "spans": {"Organization: Insikt Group": [[0, 12]], "Malware: Citrix-hosted": [[111, 124]]}, "info": {"id": "dnrti_train_004942", "source": "dnrti_train"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more .", "spans": {"Malware: backdoor": [[14, 22]]}, "info": {"id": "dnrti_train_004943", "source": "dnrti_train"}} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": {"Malware: VBA2Graph": [[23, 32]]}, "info": {"id": "dnrti_train_004944", "source": "dnrti_train"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"Malware: JavaScript": [[4, 14]]}, "info": {"id": "dnrti_train_004945", "source": "dnrti_train"}} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware .", "spans": 
{"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_train_004946", "source": "dnrti_train"}} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_train_004947", "source": "dnrti_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"Malware: malware": [[4, 11]], "Malware: CMD/PowerShell": [[40, 54]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_train_004948", "source": "dnrti_train"}} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": {"Malware: SWAnalytics": [[34, 45]]}, "info": {"id": "dnrti_train_004949", "source": "dnrti_train"}} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": {"Malware: module": [[5, 11]]}, "info": {"id": "dnrti_train_004950", "source": "dnrti_train"}} {"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in .", "spans": {"Malware: SWAnalytics": [[60, 71]]}, "info": {"id": "dnrti_train_004951", "source": "dnrti_train"}} {"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” .", "spans": {"Malware: SWAnalytics": [[24, 35]]}, "info": {"id": "dnrti_train_004952", "source": "dnrti_train"}} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": {"Malware: SWAnalytics": [[25, 36]]}, "info": {"id": "dnrti_train_004953", "source": 
"dnrti_train"}} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": {"Malware: SWAnalytics": [[50, 61]]}, "info": {"id": "dnrti_train_004954", "source": "dnrti_train"}} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": {"Malware: TajMahal": [[37, 45]]}, "info": {"id": "dnrti_train_004955", "source": "dnrti_train"}} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": {"Malware: KopiLuwak": [[21, 30]]}, "info": {"id": "dnrti_train_004956", "source": "dnrti_train"}} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"Malware: Trojan": [[33, 39]]}, "info": {"id": "dnrti_train_004957", "source": "dnrti_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"Malware: PowerShell": [[4, 14]]}, "info": {"id": "dnrti_train_004958", "source": "dnrti_train"}} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": {"Malware: HIGHNOON": [[22, 30]], "Organization: Winnti": [[69, 75]]}, "info": {"id": "dnrti_train_004959", "source": "dnrti_train"}} {"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse .", "spans": {"Malware: BalkanRAT": [[0, 9]], "Malware: BalkanDoor": [[120, 130]]}, "info": 
{"id": "dnrti_train_004960", "source": "dnrti_train"}} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience .", "spans": {"Malware: backdoor": [[4, 12]]}, "info": {"id": "dnrti_train_004961", "source": "dnrti_train"}} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": {"Malware: China Chopper": [[0, 13]], "Organization: attackers": [[36, 45]]}, "info": {"id": "dnrti_train_004962", "source": "dnrti_train"}} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"Malware: China Chopper": [[0, 13]]}, "info": {"id": "dnrti_train_004963", "source": "dnrti_train"}} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords .", "spans": {"Malware: tool": [[4, 8]]}, "info": {"id": "dnrti_train_004964", "source": "dnrti_train"}} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": {"Malware: More_eggs malware": [[31, 48]], "Malware: cmd.exe": [[132, 139]]}, "info": {"id": "dnrti_train_004965", "source": "dnrti_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_train_004966", "source": "dnrti_train"}} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server .", "spans": {"Malware: GoogleUpdate.exe": [[4, 20]]}, "info": {"id": "dnrti_train_004967", "source": "dnrti_train"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and 
execute other binaries .", "spans": {"Malware: malware": [[15, 22]]}, "info": {"id": "dnrti_train_004968", "source": "dnrti_train"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage .", "spans": {"Malware: They": [[0, 4]]}, "info": {"id": "dnrti_train_004969", "source": "dnrti_train"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format .", "spans": {"Malware: email stealer": [[4, 17]]}, "info": {"id": "dnrti_train_004970", "source": "dnrti_train"}} {"text": "AdroMut downloads the malware ServHelper and FlawedAmmy RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor .", "spans": {"Malware: ServHelper": [[30, 40]], "Malware: FlawedAmmy": [[45, 55]], "Organization: SectorJ04": [[72, 81]]}, "info": {"id": "dnrti_train_004971", "source": "dnrti_train"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]]}, "info": {"id": "dnrti_train_004972", "source": "dnrti_train"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"Vulnerability: exploit": [[4, 11]], "Organization: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_train_004973", "source": "dnrti_train"}} {"text": "As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems .", "spans": {"Organization: Silence:": [[19, 27]], "Organization: Silence": [[62, 69]]}, "info": {"id": "dnrti_train_004974", "source": "dnrti_train"}} {"text": "The main goal of 
Silence.Downloader is to receive an executable file and run it on an infected machine .", "spans": {"Malware: Silence.Downloader": [[17, 35]]}, "info": {"id": "dnrti_train_004975", "source": "dnrti_train"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server .", "spans": {"Malware: Silence.MainModule": [[0, 18]]}, "info": {"id": "dnrti_train_004976", "source": "dnrti_train"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more .", "spans": {"Malware: PlugX": [[0, 5]]}, "info": {"id": "dnrti_train_004977", "source": "dnrti_train"}} {"text": "A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution .", "spans": {"Malware: TONEDEAF": [[110, 118]]}, "info": {"id": "dnrti_train_004978", "source": "dnrti_train"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file .", "spans": {"Malware: PICKPOCKET": [[0, 10]]}, "info": {"id": "dnrti_train_004979", "source": "dnrti_train"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation .", "spans": {"Malware: GRIFFON": [[35, 42]]}, "info": {"id": "dnrti_train_004980", "source": "dnrti_train"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method .", "spans": {"Malware: 
GRIFFON": [[8, 15]]}, "info": {"id": "dnrti_train_004981", "source": "dnrti_train"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger .", "spans": {"Malware: AveMaria": [[10, 18]]}, "info": {"id": "dnrti_train_004982", "source": "dnrti_train"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers .", "spans": {"Malware: Neptun": [[0, 6]], "Organization: attackers": [[108, 117]]}, "info": {"id": "dnrti_train_004983", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_train_004984", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_train_004985", "source": "dnrti_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_train_004986", "source": "dnrti_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_train_004987", "source": "dnrti_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_train_004988", "source": "dnrti_train"}} {"text": "Upon execution , it will communicate with an attacker-controller 
website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan .", "spans": {"Malware: Pony malware": [[102, 114]], "Malware: pm.dll”": [[117, 124]]}, "info": {"id": "dnrti_train_004989", "source": "dnrti_train"}} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": {"Malware: RIPPER": [[0, 6]]}, "info": {"id": "dnrti_train_004990", "source": "dnrti_train"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": {"Malware: RIPPER": [[0, 6]], "Organization: ATM vendors": [[77, 88]]}, "info": {"id": "dnrti_train_004991", "source": "dnrti_train"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "dnrti_train_004992", "source": "dnrti_train"}} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August .", "spans": {"Malware: Locky": [[43, 48]]}, "info": {"id": "dnrti_train_004993", "source": "dnrti_train"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": {"Malware: Ploutus": [[55, 62]]}, "info": {"id": "dnrti_train_004994", "source": "dnrti_train"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: Ploutus": [[68, 75]], "Malware: Ploutus-D": [[85, 94]]}, "info": {"id": "dnrti_train_004995", "source": 
"dnrti_train"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": {"Malware: Canhadr/Ndriver": [[29, 44]]}, "info": {"id": "dnrti_train_004996", "source": "dnrti_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"Malware: WannaCry": [[0, 8]], "Malware: .WCRY": [[47, 52]]}, "info": {"id": "dnrti_train_004997", "source": "dnrti_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_train_004998", "source": "dnrti_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"Malware: c:\\temp\\rr.exe": [[54, 68]]}, "info": {"id": "dnrti_train_004999", "source": "dnrti_train"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"Malware: DropIt sample": [[28, 41]], "Malware: %TEMP%\\flash_update.exe": [[179, 202]], "Malware: Flash Player installer": [[227, 249]]}, "info": {"id": "dnrti_train_005000", "source": "dnrti_train"}} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"Malware: HTA files": [[4, 13]]}, "info": {"id": "dnrti_train_005001", "source": "dnrti_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE 
Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"Malware: ChopShop1": [[0, 9]], "Organization: MITRE Corporation": [[46, 63]]}, "info": {"id": "dnrti_train_005002", "source": "dnrti_train"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"Malware: Powermud backdoor": [[29, 46]], "Malware: Backdoor.Powemuddy": [[66, 84]], "Malware: custom tools": [[93, 105]], "Malware: makecab.exe": [[238, 249]]}, "info": {"id": "dnrti_train_005003", "source": "dnrti_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"Malware: Microsoft Word document": [[60, 83]]}, "info": {"id": "dnrti_train_005004", "source": "dnrti_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"Organization: OilRig": [[65, 71]], "Malware: Clayslide delivery documents": [[79, 107]]}, "info": {"id": "dnrti_train_005005", "source": "dnrti_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"Malware: Equation Editor": [[36, 51]], "Malware: EQNEDT32.EXE": [[54, 66]]}, "info": 
{"id": "dnrti_train_005006", "source": "dnrti_train"}} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": {"Malware: cmd.exe": [[80, 87]]}, "info": {"id": "dnrti_train_005007", "source": "dnrti_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": {"Malware: Catchamas": [[0, 9]]}, "info": {"id": "dnrti_train_005008", "source": "dnrti_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"Malware: MXI Player": [[0, 10]]}, "info": {"id": "dnrti_train_005009", "source": "dnrti_train"}} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"Malware: date string hardcoded": [[26, 47]], "Malware: Bookworm sample": [[58, 73]]}, "info": {"id": "dnrti_train_005010", "source": "dnrti_train"}} {"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 .", "spans": {"Organization: PUTTER PANDA": [[49, 61]], "Organization: operators": [[62, 71]], "Organization: MUCD 61486": [[249, 259]]}, "info": {"id": "dnrti_train_005011", "source": "dnrti_train"}} {"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system .", "spans": {"Organization: group": [[10, 15]]}, "info": {"id": "dnrti_train_005012", "source": "dnrti_train"}} {"text": "They are both targeting businesses using accounting software , are 
fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims .", "spans": {}, "info": {"id": "dnrti_train_005013", "source": "dnrti_train"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 .", "spans": {"Malware: Black Energy": [[117, 129]], "Organization: espionage": [[240, 249]]}, "info": {"id": "dnrti_train_005014", "source": "dnrti_train"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 .", "spans": {"Malware: Black Energy": [[117, 129]], "Organization: espionage": [[201, 210]]}, "info": {"id": "dnrti_train_005015", "source": "dnrti_train"}} {"text": "If you haven't heard about it for some reason , I would recommend to read this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries .", "spans": {"Organization: Group-IB": [[98, 106]]}, "info": {"id": "dnrti_train_005016", "source": "dnrti_train"}} {"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google® , Facebook® , MySpace® , Instagram® , and various dating and blogging sites .", "spans": {"Organization: Google®": [[131, 138]], "Organization: Facebook®": [[141, 150]], "Organization: MySpace®": [[153, 161]], "Organization: Instagram®": [[164, 174]], "Organization: dating and blogging sites": [[189, 214]]}, "info": {"id": "dnrti_train_005017", "source": "dnrti_train"}} {"text": "We have 
previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply .", "spans": {"Organization: groups": [[28, 34]], "Organization: government": [[83, 93]]}, "info": {"id": "dnrti_train_005018", "source": "dnrti_train"}} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide .", "spans": {}, "info": {"id": "dnrti_train_005019", "source": "dnrti_train"}} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"Organization: banker": [[64, 70]]}, "info": {"id": "dnrti_train_005020", "source": "dnrti_train"}} {"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations .", "spans": {"Organization: APT32": [[41, 46]]}, "info": {"id": "dnrti_train_005021", "source": "dnrti_train"}} {"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country .", "spans": {"Organization: APT32": [[45, 50]], "Organization: FireEye": [[66, 73]]}, "info": {"id": "dnrti_train_005022", "source": "dnrti_train"}} {"text": "While the motivation for each APT32 private sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations .", "spans": {"Organization: APT32": [[30, 35]]}, "info": {"id": "dnrti_train_005023", "source": "dnrti_train"}} {"text": "The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to 
previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes .", "spans": {"Malware: CARBANAK malware": [[15, 31]], "Organization: FIN7": [[35, 39]]}, "info": {"id": "dnrti_train_005024", "source": "dnrti_train"}} {"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends .", "spans": {"Organization: M-Trends": [[8, 16]]}, "info": {"id": "dnrti_train_005025", "source": "dnrti_train"}} {"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat group that has exploited the networks of governments and organizations across the region , targeting highly sensitive political , economic and military information .", "spans": {"Organization: APT30": [[54, 59]], "Organization: governments": [[134, 145]], "Organization: organizations": [[150, 163]]}, "info": {"id": "dnrti_train_005026", "source": "dnrti_train"}} {"text": "Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center .", "spans": {"Organization: NSA": [[68, 71]]}, "info": {"id": "dnrti_train_005027", "source": "dnrti_train"}} {"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries .", "spans": {}, "info": {"id": "dnrti_train_005028", "source": "dnrti_train"}} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , 
information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"Malware: Emotet": [[46, 52], [166, 172]]}, "info": {"id": "dnrti_train_005029", "source": "dnrti_train"}} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"Malware: Emotet": [[162, 168]]}, "info": {"id": "dnrti_train_005030", "source": "dnrti_train"}} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets .", "spans": {}, "info": {"id": "dnrti_train_005031", "source": "dnrti_train"}} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment .", "spans": {"System: email attachment": [[188, 204]]}, "info": {"id": "dnrti_train_005032", "source": "dnrti_train"}} {"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors .", "spans": {"Organization: Whitefly": [[10, 18]], "Organization: engineering sectors": [[99, 118]]}, "info": {"id": "dnrti_train_005033", "source": "dnrti_train"}} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia .", "spans": {"Organization: Whitefly": [[88, 96]]}, "info": {"id": "dnrti_train_005034", "source": "dnrti_train"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan 
Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior .", "spans": {"Malware: malicious documents": [[4, 23]]}, "info": {"id": "dnrti_train_005035", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_005036", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_005037", "source": "dnrti_train"}} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_005038", "source": "dnrti_train"}} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_train_005039", "source": "dnrti_train"}} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_train_005040", "source": "dnrti_train"}} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at 
stealing application source code .", "spans": {"Organization: Kaspersky": [[14, 23]], "Organization: Lazarus": [[50, 57]]}, "info": {"id": "dnrti_train_005041", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_train_005042", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_train_005043", "source": "dnrti_train"}} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare .", "spans": {}, "info": {"id": "dnrti_train_005044", "source": "dnrti_train"}} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics .", "spans": {}, "info": {"id": "dnrti_train_005045", "source": "dnrti_train"}} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products .", "spans": {"Organization: healthcare firms": [[189, 205]], "Organization: IT organizations": [[208, 224]], "Organization: medical clinics": [[258, 273]], "Organization: logistical 
organizations": [[280, 304]]}, "info": {"id": "dnrti_train_005046", "source": "dnrti_train"}} {"text": "Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea .", "spans": {"Organization: Patchwork": [[0, 9]], "Organization: personnel": [[56, 65]]}, "info": {"id": "dnrti_train_005047", "source": "dnrti_train"}} {"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses .", "spans": {"Organization: Patchwork": [[0, 9]], "Organization: Dropping Elephant": [[26, 43]], "Organization: cyberespionage group": [[51, 71]], "Organization: diplomatic": [[95, 105]], "Organization: government agencies": [[110, 129]]}, "info": {"id": "dnrti_train_005048", "source": "dnrti_train"}} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools .", "spans": {"Organization: Dropping Elephant": [[0, 17]], "Organization: Chinastrats": [[36, 47]], "Organization: Patchwork": [[56, 65]], "Organization: threat actor": [[90, 102]]}, "info": {"id": "dnrti_train_005049", "source": "dnrti_train"}} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 .", "spans": {"Organization: group": [[23, 28]], "Malware: powershell-based malware": [[57, 81]]}, "info": {"id": "dnrti_train_005050", "source": "dnrti_train"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , 
as well as Pakistan 's Ministry of the Interior .", "spans": {"Malware: malicious documents": [[4, 23]]}, "info": {"id": "dnrti_train_005051", "source": "dnrti_train"}} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets .", "spans": {"Organization: PittyTiger": [[0, 10]], "System: spearphishing emails": [[51, 71]], "System: email phishing pages": [[145, 165]]}, "info": {"id": "dnrti_train_005052", "source": "dnrti_train"}} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies .", "spans": {"Organization: groups": [[107, 113]], "Organization: STRONTIUM": [[127, 136]], "Organization: PLATINUM": [[141, 149]], "Organization: specific individuals": [[247, 267]], "Organization: institutions": [[272, 284]], "Organization: intelligence agencies": [[328, 349]]}, "info": {"id": "dnrti_train_005053", "source": "dnrti_train"}} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries .", "spans": {}, "info": {"id": "dnrti_train_005054", "source": "dnrti_train"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries .", "spans": {"Organization: PUTTER PANDA": [[0, 12]], "Organization: group": [[39, 44]], "Organization: 
Technology sectors": [[144, 162]]}, "info": {"id": "dnrti_train_005055", "source": "dnrti_train"}} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits .", "spans": {"Malware: Dridex": [[19, 25]], "Organization: INDRIK SPIDER": [[152, 165]]}, "info": {"id": "dnrti_train_005056", "source": "dnrti_train"}} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) .", "spans": {"Malware: BitPaymer": [[56, 65]]}, "info": {"id": "dnrti_train_005057", "source": "dnrti_train"}} {"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network .", "spans": {"Organization: Twitter": [[133, 140]], "Organization: Facebook": [[145, 153]]}, "info": {"id": "dnrti_train_005058", "source": "dnrti_train"}} {"text": "Through research , 360 Helios Team has found that , since 2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies .", "spans": {"Organization: 360 Helios Team": [[19, 34]], "Organization: Poison Ivy Group": [[69, 85]], "Organization: government": [[211, 221]], "Organization: maritime agencies": [[263, 280]]}, "info": {"id": "dnrti_train_005059", "source": "dnrti_train"}} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: 
XENOTIME": [[25, 33]], "Organization: TRISIS": [[61, 67]]}, "info": {"id": "dnrti_train_005060", "source": "dnrti_train"}} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States .", "spans": {"Organization: group": [[22, 27]], "Organization: private firms": [[179, 192]]}, "info": {"id": "dnrti_train_005061", "source": "dnrti_train"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base .", "spans": {"Organization: South Korean government": [[71, 94]]}, "info": {"id": "dnrti_train_005062", "source": "dnrti_train"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base .", "spans": {"Organization: South Korean government": [[71, 94]]}, "info": {"id": "dnrti_train_005063", "source": "dnrti_train"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: TEMP.Periscope": [[0, 14], [54, 68]], "Organization: engineering firms": [[157, 174]], "Organization: government": [[233, 243]], "Organization: research universities": [[258, 279]]}, "info": {"id": "dnrti_train_005064", "source": "dnrti_train"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: TEMP.Periscope": [[0, 14], [54, 68]], "Organization: 
engineering firms": [[157, 174]], "Organization: government": [[233, 243]], "Organization: research universities": [[258, 279]]}, "info": {"id": "dnrti_train_005065", "source": "dnrti_train"}} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations .", "spans": {"Malware: malware": [[6, 13]]}, "info": {"id": "dnrti_train_005066", "source": "dnrti_train"}} {"text": "In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage .", "spans": {"Organization: APT10": [[26, 31]]}, "info": {"id": "dnrti_train_005067", "source": "dnrti_train"}} {"text": "The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"Organization: admin@338": [[4, 13]], "Malware: publicly available RATs": [[117, 140]], "Malware: Poison Ivy": [[149, 159]], "Malware: non-public backdoors": [[175, 195]]}, "info": {"id": "dnrti_train_005068", "source": "dnrti_train"}} {"text": "The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: media companies": [[42, 57]]}, "info": {"id": "dnrti_train_005069", "source": "dnrti_train"}} {"text": "The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"Organization: admin@338": [[4, 13]]}, "info": {"id": "dnrti_train_005070", "source": "dnrti_train"}} {"text": "An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous 
territory Hong Kong .", "spans": {"Organization: APT": [[3, 6]], "Organization: gang": [[7, 11]]}, "info": {"id": "dnrti_train_005071", "source": "dnrti_train"}} {"text": "The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"Organization: group": [[4, 9]], "Organization: admin@338": [[54, 63]], "Malware: remote access Trojans": [[121, 142]], "Malware: Poison Ivy": [[151, 161]], "Organization: financial firms": [[187, 202]]}, "info": {"id": "dnrti_train_005072", "source": "dnrti_train"}} {"text": "The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"Organization: agroup": [[4, 10]], "Organization: admin@338": [[55, 64]], "Malware: remote access Trojans": [[122, 143]], "Malware: Poison Ivy": [[152, 162]], "Organization: financial firms": [[188, 203]]}, "info": {"id": "dnrti_train_005073", "source": "dnrti_train"}} {"text": "The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: defense sectors": [[130, 145]]}, "info": {"id": "dnrti_train_005074", "source": "dnrti_train"}} {"text": "The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"Organization: APT actor": [[4, 13]], "Organization: defense sectors": [[130, 145]]}, "info": {"id": "dnrti_train_005075", "source": "dnrti_train"}} {"text": "FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved 
in financial , economic , and trade policy .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: admin@338": [[28, 37]], "Organization: group": [[69, 74]]}, "info": {"id": "dnrti_train_005076", "source": "dnrti_train"}} {"text": "They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"Malware: publicly available RATs": [[109, 132]], "Malware: Poison Ivy": [[141, 151]], "Malware: non-public backdoors": [[167, 187]]}, "info": {"id": "dnrti_train_005077", "source": "dnrti_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries .", "spans": {"Organization: APT16": [[85, 90]]}, "info": {"id": "dnrti_train_005078", "source": "dnrti_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries .", "spans": {"Organization: APT groups": [[85, 95]]}, "info": {"id": "dnrti_train_005079", "source": "dnrti_train"}} {"text": "TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology .", "spans": {"Organization: TG-0416": [[0, 7]], "Organization: Advanced Persistent Threat": [[47, 73]], "Organization: APT": [[76, 79]], "Organization: human rights groups": [[205, 224]]}, "info": {"id": "dnrti_train_005080", "source": "dnrti_train"}} {"text": "APT19 seemed to be going after defense sector firms 
, Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"Organization: APT19": [[0, 5]], "Organization: defense sector firms": [[31, 51]], "Organization: energy sectors": [[126, 140]]}, "info": {"id": "dnrti_train_005081", "source": "dnrti_train"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"Organization: APT19": [[0, 5]], "Organization: defense sector firms": [[31, 51]], "Organization: energy sectors": [[196, 210]]}, "info": {"id": "dnrti_train_005082", "source": "dnrti_train"}} {"text": "FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": {"Organization: FANCY BEAR": [[0, 10]], "Organization: Sofacy": [[27, 33]], "Organization: APT 28": [[37, 43]], "Organization: threat actor": [[74, 86]], "Organization: Media sectors": [[245, 258]]}, "info": {"id": "dnrti_train_005083", "source": "dnrti_train"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": {"Organization: media entities": [[183, 197]], "Organization: dissidents": [[204, 214]], "Organization: figures": [[219, 226]]}, "info": {"id": "dnrti_train_005084", "source": "dnrti_train"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": {"Organization: media entities": [[185, 199]], "Organization: dissidents": [[206, 216]], "Organization: figures": [[221, 228]]}, "info": {"id": "dnrti_train_005085", "source": "dnrti_train"}} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors .", "spans": {"Organization: FireEye": [[22, 29]], "Organization: APT32": [[43, 48]], "Organization: hospitality sectors": [[157, 176]]}, "info": {"id": "dnrti_train_005086", "source": "dnrti_train"}} {"text": "APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_005087", "source": "dnrti_train"}} {"text": "During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals .", "spans": {"Organization: APT33": [[30, 35]]}, "info": {"id": "dnrti_train_005088", "source": "dnrti_train"}} {"text": "The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors .", "spans": {"Organization: threat groups": [[146, 159]], "Organization: actors": [[221, 227]]}, "info": {"id": "dnrti_train_005089", "source": "dnrti_train"}} {"text": "APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored .", "spans": {"Organization: APT33": [[0, 5]], "Organization: threat actor": [[137, 149]]}, "info": {"id": 
"dnrti_train_005090", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_005091", "source": "dnrti_train"}} {"text": "Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor .", "spans": {"Organization: energy sectors": [[67, 81]], "Organization: APT33": [[101, 106]]}, "info": {"id": "dnrti_train_005092", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"Organization: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_005093", "source": "dnrti_train"}} {"text": "In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities .", "spans": {"Organization: APT37": [[10, 15]], "Organization: healthcare entities": [[240, 259]]}, "info": {"id": "dnrti_train_005094", "source": "dnrti_train"}} {"text": "We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission .", "spans": {"Organization: government agencies": [[53, 72]], "Organization: APT38": [[100, 105]]}, "info": {"id": "dnrti_train_005095", "source": "dnrti_train"}} {"text": "The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise 
additional financial institutions .", "spans": {"Organization: APT38": [[4, 9]], "Organization: financial sector": [[61, 77]], "Organization: financial institutions": [[159, 181]]}, "info": {"id": "dnrti_train_005096", "source": "dnrti_train"}} {"text": "APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry .", "spans": {"Organization: APT39": [[0, 5]], "Organization: telecommunications sector": [[26, 51]], "Organization: IT firms": [[107, 115]]}, "info": {"id": "dnrti_train_005097", "source": "dnrti_train"}} {"text": "APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"Organization: APT39": [[0, 5]], "Organization: specific individuals": [[149, 169]]}, "info": {"id": "dnrti_train_005098", "source": "dnrti_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"Organization: REDBALDKNIGHT": [[0, 13]], "Organization: BRONZE BUTLER": [[30, 43]], "Organization: Tick": [[48, 52]], "Organization: cyberespionage group": [[60, 80]], "Organization: government agencies": [[128, 147]]}, "info": {"id": "dnrti_train_005099", "source": "dnrti_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": 
{"Organization: REDBALDKNIGHT": [[0, 13]], "Organization: BRONZE BUTLER": [[30, 43]], "Organization: Tick": [[48, 52]], "Organization: cyberespionage group": [[60, 80]], "Organization: government agencies": [[111, 130]]}, "info": {"id": "dnrti_train_005100", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_005101", "source": "dnrti_train"}} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"Vulnerability: Carbanak": [[72, 80]], "Organization: payment providers": [[126, 143]], "Organization: PR companies": [[166, 178]]}, "info": {"id": "dnrti_train_005102", "source": "dnrti_train"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"Vulnerability: Carbanak": [[10, 18]]}, "info": {"id": "dnrti_train_005103", "source": "dnrti_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"Vulnerability: Carbanak": [[11, 19]]}, "info": {"id": "dnrti_train_005104", "source": "dnrti_train"}} {"text": "The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research .", "spans": {"Organization: Charming Kitten'": [[4, 20]]}, "info": {"id": "dnrti_train_005105", "source": "dnrti_train"}} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , 
Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team .", "spans": {"Organization: Cleaver": [[38, 45]], "Organization: Cyber Army": [[99, 109]], "Organization: Ashiyane": [[124, 132]], "System: SQL injection": [[135, 148]], "System: phishing": [[180, 188]]}, "info": {"id": "dnrti_train_005106", "source": "dnrti_train"}} {"text": "Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed .", "spans": {"Organization: Cobalt": [[17, 23]], "Organization: financial institutions": [[59, 81]]}, "info": {"id": "dnrti_train_005107", "source": "dnrti_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"Organization: cybercrime gang": [[17, 32]], "Organization: financial institutions": [[88, 110]], "Vulnerability: Carbanak": [[160, 168]], "Malware: Cobalt": [[173, 179]]}, "info": {"id": "dnrti_train_005108", "source": "dnrti_train"}} {"text": "Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors .", "spans": {"Organization: Gallmaker": [[0, 9]], "Organization: defense sectors": [[113, 128]]}, "info": {"id": "dnrti_train_005109", "source": "dnrti_train"}} {"text": "There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker is specifically targeting the defense , military , and government sectors .", "spans": {"Organization: Gallmaker": [[106, 115]], "Organization: government sectors": [[171, 189]]}, "info": {"id": "dnrti_train_005110", "source": "dnrti_train"}} {"text": "traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"Organization: mining sectors": [[127, 
141]]}, "info": {"id": "dnrti_train_005111", "source": "dnrti_train"}} {"text": "The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors .", "spans": {"Organization: Ke3chang": [[4, 12]], "Organization: mining sectors": [[193, 207]]}, "info": {"id": "dnrti_train_005112", "source": "dnrti_train"}} {"text": "The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"Organization: attackers": [[4, 13]], "Organization: mining sectors": [[198, 212]]}, "info": {"id": "dnrti_train_005113", "source": "dnrti_train"}} {"text": "APT15 was targeting information related to UK government departments and military technology .", "spans": {"Organization: APT15": [[0, 5]]}, "info": {"id": "dnrti_train_005114", "source": "dnrti_train"}} {"text": "APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more .", "spans": {"Organization: APT15": [[0, 5]], "Organization: cyberespionage": [[30, 44]], "Organization: government contractors": [[174, 196]]}, "info": {"id": "dnrti_train_005115", "source": "dnrti_train"}} {"text": "cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": {"Organization: cyber actors": [[0, 12]], "Organization: critical infrastructure sectors": [[83, 114]]}, "info": {"id": "dnrti_train_005116", "source": "dnrti_train"}} {"text": "According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications 
, and finance industries .", "spans": {"Organization: HIDDEN COBRA actors": [[45, 64]], "Malware: FALLCHILL malware": [[88, 105]]}, "info": {"id": "dnrti_train_005117", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications .", "spans": {"Organization: McAfee Advanced Threat Research": [[0, 31]]}, "info": {"id": "dnrti_train_005118", "source": "dnrti_train"}} {"text": "Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries .", "spans": {"Organization: HIDDEN COBRA actors": [[22, 41]], "Malware: Volgmer malware": [[67, 82]]}, "info": {"id": "dnrti_train_005119", "source": "dnrti_train"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": {"Malware: WannaCry": [[42, 50]], "Malware: WCry": [[57, 61]], "Malware: WanaCrypt0r": [[69, 80]]}, "info": {"id": "dnrti_train_005120", "source": "dnrti_train"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": {"Malware: WannaCry": [[42, 50]], "Malware: WCry": [[57, 61]], "Malware: WanaCrypt0r": [[69, 80]]}, "info": {"id": 
"dnrti_train_005121", "source": "dnrti_train"}} {"text": "Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States .", "spans": {"Organization: Leviathan": [[21, 30]], "Organization: research institutes": [[81, 100]], "Organization: academic organizations": [[103, 125]], "Organization: private firms": [[132, 145]]}, "info": {"id": "dnrti_train_005122", "source": "dnrti_train"}} {"text": "Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: TEMP.Periscope": [[29, 43]], "Organization: engineering firms": [[132, 149]], "Organization: government offices": [[208, 226]]}, "info": {"id": "dnrti_train_005123", "source": "dnrti_train"}} {"text": "Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research .", "spans": {"Organization: APT40": [[14, 19]]}, "info": {"id": "dnrti_train_005124", "source": "dnrti_train"}} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": {"Organization: APT40": [[0, 5]]}, "info": {"id": "dnrti_train_005125", "source": "dnrti_train"}} {"text": "Lotus Blossom targeted the government , higher education , and high tech companies .", "spans": {"Organization: Lotus Blossom": [[0, 13]], "Organization: high tech companies": [[63, 82]]}, "info": {"id": "dnrti_train_005126", "source": "dnrti_train"}} {"text": "The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies .", "spans": {"Organization: Lotus Blossom": [[4, 17]], "Organization: high tech companies": [[99, 118]]}, "info": 
{"id": "dnrti_train_005127", "source": "dnrti_train"}} {"text": "Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia .", "spans": {"Organization: technology sectors": [[47, 65]]}, "info": {"id": "dnrti_train_005128", "source": "dnrti_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": {"Organization: APT32": [[22, 27]], "Organization: OceanLotus Group": [[48, 64]], "Organization: foreign governments": [[131, 150]], "Organization: journalists": [[153, 164]], "Organization: dissidents": [[182, 192]]}, "info": {"id": "dnrti_train_005129", "source": "dnrti_train"}} {"text": "Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors .", "spans": {"Organization: APT32": [[28, 33]], "Organization: technology infrastructure corporations": [[68, 106]]}, "info": {"id": "dnrti_train_005130", "source": "dnrti_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments .", "spans": {"Organization: APT32": [[22, 27]], "Organization: OceanLotus Group": [[48, 64]]}, "info": {"id": "dnrti_train_005131", "source": "dnrti_train"}} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets .", "spans": {"Organization: APT33": [[44, 49]]}, "info": {"id": "dnrti_train_005132", "source": "dnrti_train"}} {"text": "The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": 
{"Organization: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_005133", "source": "dnrti_train"}} {"text": "APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East .", "spans": {"Organization: APT35": [[0, 5]], "Organization: telecommunications sectors": [[116, 142]]}, "info": {"id": "dnrti_train_005134", "source": "dnrti_train"}} {"text": "APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": {"Organization: APT35": [[0, 5]], "Organization: military": [[52, 60]], "Organization: diplomatic": [[63, 73]], "Organization: government personnel": [[78, 98]], "Organization: defense industrial base": [[141, 164]], "Organization: DIB": [[167, 170]], "Organization: telecommunications sectors": [[215, 241]]}, "info": {"id": "dnrti_train_005135", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"Organization: threat group": [[34, 46]], "Organization: FireEye": [[52, 59]], "Organization: APT33": [[70, 75]], "Organization: petrochemical organizations": [[172, 199]]}, "info": {"id": "dnrti_train_005136", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"Organization: threat group": [[34, 46]], "Organization: FireEye": [[47, 54]], "Organization: APT33": [[65, 70]], "Organization: petrochemical organizations": [[167, 194]]}, "info": {"id": "dnrti_train_005137", "source": 
"dnrti_train"}} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks .", "spans": {"Organization: APT35": [[13, 18]]}, "info": {"id": "dnrti_train_005138", "source": "dnrti_train"}} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims .", "spans": {}, "info": {"id": "dnrti_train_005139", "source": "dnrti_train"}} {"text": "COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": {"Organization: COBALT GYPSY": [[0, 12]], "System: spearphishing": [[22, 35]], "Organization: financial services organizations": [[100, 132]], "Organization: individual victims": [[191, 209]]}, "info": {"id": "dnrti_train_005140", "source": "dnrti_train"}} {"text": "The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": {"Organization: employees": [[79, 88]], "System: Excel documents": [[140, 155]]}, "info": {"id": "dnrti_train_005141", "source": "dnrti_train"}} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages .", "spans": {"Malware: decoy files": [[14, 25]], "System: spear phishing messages": [[66, 89]]}, "info": {"id": "dnrti_train_005142", "source": "dnrti_train"}} {"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam .", "spans": {"Organization: group": [[5, 10]], "System: drive-by downloads": [[81, 99]], "System: spam": [[104, 108]]}, "info": {"id": "dnrti_train_005143", 
"source": "dnrti_train"}} {"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and watering hole ( strategic web compromise ) attacks .", "spans": {"Organization: actors": [[50, 56]], "Organization: Scarlet Mimic": [[66, 79]], "System: spear-phishing": [[93, 107]]}, "info": {"id": "dnrti_train_005144", "source": "dnrti_train"}} {"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files .", "spans": {"Organization: attackers": [[19, 28]], "System: spear-phishing": [[37, 51]], "Organization: Scarlet Mimic": [[72, 85]]}, "info": {"id": "dnrti_train_005145", "source": "dnrti_train"}} {"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": {"Organization: group": [[96, 101]], "Organization: Muslim activists": [[137, 153]]}, "info": {"id": "dnrti_train_005146", "source": "dnrti_train"}} {"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) .", "spans": {"Organization: Scarlet Mimic": [[20, 33]], "System: spear phishing": [[90, 104]]}, "info": {"id": "dnrti_train_005147", "source": "dnrti_train"}} {"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 .", "spans": {"Organization: Scarlet Mimic": [[0, 13]], "System: spear-phishing e-mails": [[32, 54]]}, "info": {"id": "dnrti_train_005148", "source": "dnrti_train"}} {"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has 
deployed malware to attack multiple operating systems and platforms .", "spans": {"Organization: Scarlet Mimic": [[0, 13]], "System: spear-phishing": [[49, 63]], "System: watering holes": [[68, 82]]}, "info": {"id": "dnrti_train_005149", "source": "dnrti_train"}} {"text": "The group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 .", "spans": {"Organization: group": [[4, 9]], "System: spear-phishing e-mails": [[28, 50]]}, "info": {"id": "dnrti_train_005150", "source": "dnrti_train"}} {"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk .", "spans": {"System: email scams": [[11, 22]], "Organization: SilverTerrier actors": [[25, 45]]}, "info": {"id": "dnrti_train_005151", "source": "dnrti_train"}} {"text": "The malware may inject itself into browser processes and explorer.exe .", "spans": {"Malware: malware": [[4, 11]], "System: inject itself": [[16, 29]], "Malware: explorer.exe": [[57, 69]]}, "info": {"id": "dnrti_train_005152", "source": "dnrti_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_train_005153", "source": "dnrti_train"}} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros .", "spans": {"Organization: APT32": [[28, 33]], "Malware: ActiveMime files": [[48, 64]], "System: social engineering": [[77, 95]]}, "info": {"id": "dnrti_train_005154", "source": "dnrti_train"}} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails .", "spans": {"Organization: APT32": [[0, 5]], 
"Malware: malicious attachments": [[37, 58]], "System: spear-phishing": [[63, 77]]}, "info": {"id": "dnrti_train_005155", "source": "dnrti_train"}} {"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures .", "spans": {"Organization: FireEye": [[25, 32]], "Organization: APT32’s": [[159, 166]], "System: phishing": [[177, 185]]}, "info": {"id": "dnrti_train_005156", "source": "dnrti_train"}} {"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware .", "spans": {"Organization: FIN7": [[0, 4]], "System: spear phishing": [[88, 102]]}, "info": {"id": "dnrti_train_005157", "source": "dnrti_train"}} {"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 .", "spans": {"Malware: malware": [[4, 11]], "System: stolen credentials": [[116, 134]], "System: SMB exploits": [[139, 151]], "Malware: EternalBlue exploit": [[168, 187]], "Organization: WannaCry": [[200, 208]]}, "info": {"id": "dnrti_train_005158", "source": "dnrti_train"}} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices .", "spans": {"Organization: actors": [[11, 17]], "Organization: FireEye Labs": [[32, 44]], "System: compromising payment card": [[249, 274]]}, "info": {"id": "dnrti_train_005159", "source": "dnrti_train"}} {"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified .", "spans": 
{"Organization: actors": [[36, 42]], "System: changing their system's": [[46, 69]]}, "info": {"id": "dnrti_train_005160", "source": "dnrti_train"}} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor .", "spans": {"System: Microsoft Office document": [[47, 72]], "Malware: Hancitor": [[149, 157]]}, "info": {"id": "dnrti_train_005161", "source": "dnrti_train"}} {"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns .", "spans": {"Organization: FireEye": [[0, 7]], "System: phishing": [[26, 34]]}, "info": {"id": "dnrti_train_005162", "source": "dnrti_train"}} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": {"Organization: actors": [[11, 17]], "System: inject shellcode": [[108, 124]], "Malware: userinit.exe": [[134, 146]]}, "info": {"id": "dnrti_train_005163", "source": "dnrti_train"}} {"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities .", "spans": {"Malware: Slingshot": [[123, 132]], "System: vulnerable drivers": [[146, 164]]}, "info": {"id": "dnrti_train_005164", "source": "dnrti_train"}} {"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations .", "spans": {"Organization: Snake Wine": [[23, 33]], "System: spear phishing": [[64, 78]]}, "info": {"id": "dnrti_train_005165", "source": "dnrti_train"}} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German .", "spans": {"System: Emotet-laden emails": [[62, 81]]}, "info": {"id": 
"dnrti_train_005166", "source": "dnrti_train"}} {"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 .", "spans": {"Organization: Proofpoint": [[0, 10]], "Malware: DanaBot": [[36, 43]], "Organization: Canada Post": [[104, 115]], "System: themed lures": [[118, 130]]}, "info": {"id": "dnrti_train_005167", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_005168", "source": "dnrti_train"}} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"System: spear phishing emails": [[131, 152]], "Organization: government officials": [[163, 183]]}, "info": {"id": "dnrti_train_005169", "source": "dnrti_train"}} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment .", "spans": {"System: email attachment": [[188, 204]]}, "info": {"id": "dnrti_train_005170", "source": "dnrti_train"}} {"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"System: spear phishing emails": [[139, 160]], "Organization: government officials": [[171, 191]]}, "info": {"id": 
"dnrti_train_005171", "source": "dnrti_train"}} {"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents .", "spans": {"System: spear phishing": [[112, 126]]}, "info": {"id": "dnrti_train_005172", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "Organization: military officials": [[63, 81]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_005173", "source": "dnrti_train"}} {"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts .", "spans": {"Organization: Whitefly": [[0, 8]], "System: land tactics": [[109, 121]], "Malware: PowerShell scripts": [[142, 160]]}, "info": {"id": "dnrti_train_005174", "source": "dnrti_train"}} {"text": "After the demise of Storm , it was replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications .", "spans": {"Malware: Waledac": [[75, 82]], "System: peer-to-peer communications": [[103, 130]]}, "info": {"id": "dnrti_train_005175", "source": "dnrti_train"}} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal .", "spans": {"Organization: ESET": [[0, 4]], "Malware: sample": [[36, 42]], "Organization: OceanLotus": [[52, 62]], "System: uploaded to VirusTotal": [[83, 105]]}, "info": {"id": "dnrti_train_005176", "source": "dnrti_train"}} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable .", "spans": 
{"Organization: attackers": [[20, 29]], "System: spear-phishing email": [[85, 105]], "Malware: MS Word document": [[132, 148]]}, "info": {"id": "dnrti_train_005177", "source": "dnrti_train"}} {"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message .", "spans": {"Malware: malicious document": [[46, 64]], "System: spear phishing email message": [[75, 103]]}, "info": {"id": "dnrti_train_005178", "source": "dnrti_train"}} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so .", "spans": {"Malware: malware": [[4, 11]], "System: The Onion Router": [[74, 90]]}, "info": {"id": "dnrti_train_005179", "source": "dnrti_train"}} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network .", "spans": {"System: Harvested credentials": [[0, 21]], "Malware: Mimikatz": [[46, 54]]}, "info": {"id": "dnrti_train_005180", "source": "dnrti_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_train_005181", "source": "dnrti_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word 
attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_train_005182", "source": "dnrti_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_train_005183", "source": "dnrti_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_train_005184", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "Organization: military officials": [[63, 81]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_005185", "source": "dnrti_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing 
tactics": [[30, 52]], "System: phishing": [[55, 63]], "Organization: specific individuals": [[82, 102]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_train_005186", "source": "dnrti_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], "System: phishing": [[56, 64]], "Organization: specific individuals": [[83, 103]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_train_005187", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_005188", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_train_005189", "source": "dnrti_train"}} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own .", "spans": {"Organization: APT41": [[41, 46]], "System: injected malicious code": [[47, 70]]}, "info": {"id": "dnrti_train_005190", "source": "dnrti_train"}} {"text": "SectorJ04 
used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run .", "spans": {"Organization: SectorJ04": [[0, 9]], "System: spear phishing": [[19, 33]], "Organization: attacker’s": [[130, 140]]}, "info": {"id": "dnrti_train_005191", "source": "dnrti_train"}} {"text": "Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity .", "spans": {"System: Spam emails": [[0, 11]]}, "info": {"id": "dnrti_train_005192", "source": "dnrti_train"}} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials .", "spans": {"System: phishing": [[34, 42], [124, 132]], "Organization: Scattered Canary": [[95, 111]]}, "info": {"id": "dnrti_train_005193", "source": "dnrti_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"Organization: APT32": [[27, 32]], "System: social engineering emails": [[43, 68]], "Malware: Microsoft ActiveMime file": [[74, 99]]}, "info": {"id": "dnrti_train_005194", "source": "dnrti_train"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"Vulnerability: CVE-2017-10271": [[110, 124]], "Malware: PowerShell": [[138, 148]], "System: executing": [[222, 231]], "System: using ShellExecute()": [[235, 255]]}, "info": {"id": "dnrti_train_005195", "source": "dnrti_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word 
attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_train_005196", "source": "dnrti_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_train_005197", "source": "dnrti_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_train_005198", "source": "dnrti_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_train_005199", 
"source": "dnrti_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_train_005200", "source": "dnrti_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], "System: phishing": [[56, 64]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_train_005201", "source": "dnrti_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_train_005202", "source": "dnrti_train"}} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system .", "spans": {"Organization: Gallmaker": [[36, 45]], "Malware: DDE protocol": [[70, 82]], "System: remotely execute commands": [[86, 111]]}, "info": {"id": "dnrti_train_005203", "source": "dnrti_train"}} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros .", "spans": {"System: socially engineered emails": [[6, 32]]}, "info": {"id": "dnrti_train_005204", "source": "dnrti_train"}} {"text": "It contains an additional meta tag at the end of the 
web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document .", "spans": {"System: additional meta tag": [[15, 34]]}, "info": {"id": "dnrti_train_005205", "source": "dnrti_train"}} {"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages .", "spans": {"Organization: Volexity": [[0, 8]], "System: malware lures": [[54, 67]], "Organization: Patchwork threat actors": [[74, 97]], "System: e-mails": [[144, 151]], "System: e-mail messages": [[213, 228]]}, "info": {"id": "dnrti_train_005206", "source": "dnrti_train"}} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable .", "spans": {"Organization: attackers": [[20, 29]], "System: spear-phishing email": [[85, 105]], "Malware: MS Word document": [[132, 148]]}, "info": {"id": "dnrti_train_005207", "source": "dnrti_train"}} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents .", "spans": {"Malware: MyDoom worm": [[58, 69]], "System: find and exfiltrate documents": [[97, 126]]}, "info": {"id": "dnrti_train_005208", "source": "dnrti_train"}} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons .", "spans": {"Organization: Pitty Tiger group": [[0, 17]], "System: spear phishing": [[56, 70]]}, "info": {"id": "dnrti_train_005209", "source": "dnrti_train"}} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment .", "spans": {"Organization: Pitty Tiger group": [[4, 21]], "System: spear phishing": [[34, 48]]}, "info": {"id": "dnrti_train_005210", "source": "dnrti_train"}} 
{"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets .", "spans": {"Organization: PittyTiger": [[0, 10]], "System: spearphishing emails": [[51, 71]], "System: email phishing pages": [[145, 165]]}, "info": {"id": "dnrti_train_005211", "source": "dnrti_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Organization: specific individuals": [[82, 102]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_train_005212", "source": "dnrti_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], "System: phishing": [[56, 64]], "Organization: specific individuals": [[83, 103]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_train_005213", "source": "dnrti_train"}} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishes": [[15, 28]]}, "info": {"id": "dnrti_train_005214", "source": "dnrti_train"}} {"text": "PLATINUM primarily targets its intended victims using spear phishing .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing": [[54, 68]]}, "info": {"id": "dnrti_train_005215", "source": "dnrti_train"}} {"text": "In August 2015 , the admin@338 
sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"Organization: admin@338": [[21, 30]], "System: spear phishing emails": [[36, 57]], "Organization: media organizations": [[89, 108]]}, "info": {"id": "dnrti_train_005216", "source": "dnrti_train"}} {"text": "In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"Organization: threat actors": [[21, 34]], "System: spear phishing emails": [[40, 61]], "Organization: media organizations": [[93, 112]]}, "info": {"id": "dnrti_train_005217", "source": "dnrti_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations .", "spans": {"Organization: admin@338": [[21, 30]], "System: spear phishing emails": [[36, 57]], "Organization: media organizations": [[89, 108]]}, "info": {"id": "dnrti_train_005218", "source": "dnrti_train"}} {"text": "The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"Organization: admin@338": [[4, 13]], "Organization: policy organizations": [[56, 76]], "System: spear phishing emails": [[101, 122]], "Organization: audiences": [[165, 174]]}, "info": {"id": "dnrti_train_005219", "source": "dnrti_train"}} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Malware: Word": [[32, 36]], "Organization: PLATINUM": [[39, 47]], "Vulnerability: CVE-2015-2545": [[153, 166]], "Organization: attacker": [[200, 208]], "System: malicious DLL": [[248, 261]]}, "info": 
{"id": "dnrti_train_005220", "source": "dnrti_train"}} {"text": "n one case from 2013 , the target was sent a malicious document through a spear phishing email message .", "spans": {"Malware: malicious document": [[45, 63]], "System: spear phishing email message": [[74, 102]]}, "info": {"id": "dnrti_train_005221", "source": "dnrti_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: admin@338": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_005222", "source": "dnrti_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[13, 20]], "Organization: attackers": [[27, 36]], "System: emails": [[46, 52]], "Vulnerability: Microsoft Office vulnerabilities": [[104, 136]], "Malware: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_005223", "source": "dnrti_train"}} {"text": "This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": {"Organization: FireEye": [[25, 32]], "Organization: group": [[51, 56]], "Organization: hackers": [[74, 81]], "Organization: admin@338": [[89, 98]], "System: spear phishing emails": [[130, 151]], "Organization: attackers": [[158, 167]], "Organization: government officials": [[177, 197]], "Organization: cyber espionage": [[233, 248]]}, "info": {"id": "dnrti_train_005224", "source": "dnrti_train"}} 
{"text": "The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"Organization: group": [[4, 9]], "Organization: policy organizations": [[52, 72]], "System: spear phishing emails": [[97, 118]], "Organization: audiences": [[161, 170]]}, "info": {"id": "dnrti_train_005225", "source": "dnrti_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"Organization: APT16": [[48, 53]], "System: spear phishing emails": [[90, 111]], "Organization: financial": [[133, 142]], "Organization: high-tech companies": [[147, 166]]}, "info": {"id": "dnrti_train_005226", "source": "dnrti_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"Organization: APT group": [[48, 57]], "System: spear phishing emails": [[94, 115]], "Organization: financial": [[137, 146]], "Organization: high-tech companies": [[151, 170]]}, "info": {"id": "dnrti_train_005227", "source": "dnrti_train"}} {"text": "APT16 actors sent spear phishing emails to two Taiwanese media organizations .", "spans": {"Organization: APT16 actors": [[0, 12]], "System: spear phishing emails": [[18, 39]], "Organization: media organizations": [[57, 76]]}, "info": {"id": "dnrti_train_005228", "source": "dnrti_train"}} {"text": "On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website .", "spans": {"Organization: APT16": [[22, 27]], "Organization: APT actors": [[73, 83]], "Organization: government agency": 
[[110, 127]], "System: lure document": [[140, 153]]}, "info": {"id": "dnrti_train_005229", "source": "dnrti_train"}} {"text": "APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"Organization: APT28": [[0, 5]], "Organization: rockers": [[22, 29]], "Organization: dissidents": [[34, 44]], "System: spear-phishing emails": [[60, 81]]}, "info": {"id": "dnrti_train_005230", "source": "dnrti_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"Organization: APT32": [[10, 15]], "System: spear-phishing attachment": [[28, 53]], "Malware: Vietnam.exe": [[114, 125]], "Organization: diaspora": [[185, 193]]}, "info": {"id": "dnrti_train_005231", "source": "dnrti_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": {"Organization: APT32": [[10, 15]], "System: spear-phishing attachment": [[28, 53]], "Malware: Vietnam.exe": [[114, 125]]}, "info": {"id": "dnrti_train_005232", "source": "dnrti_train"}} {"text": "APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": {"Organization: APT33": [[0, 5]], "System: spear phishing emails": [[11, 32]], "Organization: employees": [[36, 45]]}, "info": {"id": "dnrti_train_005233", "source": "dnrti_train"}} {"text": "It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations .", "spans": {"Organization: APT37": [[20, 25]], "Malware: KARAE malware": [[45, 58]], "System: distributed denial-of-service": [[140, 169]], "System: DDoS": [[172, 176]]}, 
"info": {"id": "dnrti_train_005234", "source": "dnrti_train"}} {"text": "In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": {"Organization: APT37": [[14, 19]], "System: spear phishing lure": [[56, 75]], "Organization: board member": [[86, 98]], "Organization: financial company": [[119, 136]]}, "info": {"id": "dnrti_train_005235", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails .", "spans": {"Organization: attackers": [[60, 69]], "System: spear-phishing e-mails": [[109, 131]]}, "info": {"id": "dnrti_train_005236", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails .", "spans": {"Organization: APT37": [[52, 57]], "System: spear-phishing e-mails": [[97, 119]]}, "info": {"id": "dnrti_train_005237", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "Vulnerability: zero-day vulnerability": [[69, 91]], "System: scan-and-exploit techniques": [[146, 173]]}, "info": {"id": "dnrti_train_005238", "source": "dnrti_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: zero-day vulnerability": [[65, 87]], "System: scan-and-exploit techniques": [[142, 169]]}, "info": {"id": "dnrti_train_005239", "source": 
"dnrti_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: BRONZE BUTLER": [[0, 13]], "System: phishing emails": [[23, 38]], "Malware: Daserf malware": [[96, 110]], "Vulnerability: Flash exploits": [[136, 150]]}, "info": {"id": "dnrti_train_005240", "source": "dnrti_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Organization: group": [[4, 9]], "System: phishing emails": [[19, 34]], "Malware: Daserf malware": [[92, 106]], "Vulnerability: Flash exploits": [[132, 146]]}, "info": {"id": "dnrti_train_005241", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[62, 75]], "System: remote code execution": [[104, 125]], "Vulnerability: CVE-2016-7836": [[142, 155]]}, "info": {"id": "dnrti_train_005242", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[39, 50]], "Organization: BRONZE BUTLER": [[82, 95]], "System: remote code execution": [[124, 145]], "Vulnerability: CVE-2016-7836": [[162, 175]]}, "info": {"id": "dnrti_train_005243", "source": "dnrti_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three 
different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: group": [[81, 86]], "System: Flash ( .swf ) exploit": [[140, 162]]}, "info": {"id": "dnrti_train_005244", "source": "dnrti_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: BRONZE BUTLER": [[77, 90]], "System: Flash ( .swf ) exploit": [[144, 166]]}, "info": {"id": "dnrti_train_005245", "source": "dnrti_train"}} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team .", "spans": {"Organization: Cleaver": [[38, 45]], "Organization: Cyber Army": [[99, 109]], "Organization: Ashiyane": [[124, 132]], "System: SQL injection": [[135, 148]], "System: phishing": [[180, 188]]}, "info": {"id": "dnrti_train_005246", "source": "dnrti_train"}} {"text": "In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia .", "spans": {"Organization: Cobalt": [[23, 29]], "System: phishing messages": [[104, 121]]}, "info": {"id": "dnrti_train_005247", "source": "dnrti_train"}} {"text": "To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software .", "spans": {"System: remote access": [[10, 23]], "Organization: Cobalt group": [[89, 101]], "Malware: Beacon": [[132, 138]]}, "info": {"id": 
"dnrti_train_005248", "source": "dnrti_train"}} {"text": "In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike .", "spans": {"Organization: Cobalt Hacking Group": [[42, 62]], "System: remote code execution": [[70, 91]], "Malware: Cobalt Strike": [[184, 197]]}, "info": {"id": "dnrti_train_005249", "source": "dnrti_train"}} {"text": "Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines .", "spans": {"Organization: Gallmaker": [[0, 9]], "System: lure documents": [[15, 29]]}, "info": {"id": "dnrti_train_005250", "source": "dnrti_train"}} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare .", "spans": {}, "info": {"id": "dnrti_valid_005251", "source": "dnrti_valid"}} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics .", "spans": {}, "info": {"id": "dnrti_valid_005252", "source": "dnrti_valid"}} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products .", "spans": {"Organization: healthcare firms": [[189, 205]], "Organization: IT organizations": [[208, 224]], "Organization: medical clinics": [[258, 273]], "Organization: logistical organizations": [[280, 304]]}, "info": {"id": "dnrti_valid_005253", "source": "dnrti_valid"}} {"text": "Once Orangeworm has infiltrated a victim 's network , they deploy Trojan.Kwampirs , a backdoor Trojan that 
provides the attackers with remote access to the compromised computer .", "spans": {"Malware: backdoor Trojan": [[86, 101]], "Organization: attackers": [[120, 129]], "System: remote access": [[135, 148]]}, "info": {"id": "dnrti_valid_005254", "source": "dnrti_valid"}} {"text": "Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea .", "spans": {"Organization: Patchwork": [[0, 9]], "Organization: personnel": [[56, 65]]}, "info": {"id": "dnrti_valid_005255", "source": "dnrti_valid"}} {"text": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim 's network by copying itself over network shares .", "spans": {"Organization: Kwampirs": [[0, 8]], "System: network shares": [[115, 129]]}, "info": {"id": "dnrti_valid_005256", "source": "dnrti_valid"}} {"text": "In mid-August , the OilRig threat group sent what appeared to be a highly targeted phishing email to a high-ranking office in a Middle Eastern nation .", "spans": {"Organization: OilRig": [[20, 26]], "Organization: threat group": [[27, 39]], "System: phishing email": [[83, 97]]}, "info": {"id": "dnrti_valid_005257", "source": "dnrti_valid"}} {"text": "Patchwork 's attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 .", "spans": {"Organization: Patchwork": [[0, 9]], "System: spear phishing": [[46, 60]], "Organization: government organization": [[71, 94]]}, "info": {"id": "dnrti_valid_005258", "source": "dnrti_valid"}} {"text": "The attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 .", "spans": {"System: spear phishing": [[37, 51]], "Organization: government organization": [[62, 85]]}, "info": {"id": "dnrti_valid_005259", "source": "dnrti_valid"}} {"text": "The Patchwork attack group has been targeting more than just 
government-associated organizations .", "spans": {"Organization: Patchwork": [[4, 13]], "Organization: attack group": [[14, 26]], "Organization: government-associated organizations": [[61, 96]]}, "info": {"id": "dnrti_valid_005260", "source": "dnrti_valid"}} {"text": "Symantec has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Patchwork": [[38, 47]], "Organization: Dropping Elephant": [[64, 81]]}, "info": {"id": "dnrti_valid_005261", "source": "dnrti_valid"}} {"text": "Two security companies , Cymmetria and Kaspersky , each recently released reports on the campaign , most of which are in line with our observations .", "spans": {"Organization: Kaspersky": [[39, 48]]}, "info": {"id": "dnrti_valid_005262", "source": "dnrti_valid"}} {"text": "Symantec Security Response has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks .", "spans": {"Organization: Symantec Security Response": [[0, 26]], "Organization: Patchwork": [[56, 65]], "Organization: Dropping Elephant": [[82, 99]]}, "info": {"id": "dnrti_valid_005263", "source": "dnrti_valid"}} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec , we have seen infections in multiple countries due to the nature of the victims operating large international corporations .", "spans": {"Organization: Symantec": [[88, 96]]}, "info": {"id": "dnrti_valid_005264", "source": "dnrti_valid"}} {"text": "Although approximately half of the attacks focus on the US , other targeted regions include China , Japan , Southeast Asia , and the United Kingdom .", "spans": {}, "info": {"id": "dnrti_valid_005265", "source": "dnrti_valid"}} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to 
Symantec telemetry , we have seen infections in multiple countries due to the nature of the victims operating large international corporations .", "spans": {"Organization: Symantec": [[88, 96]]}, "info": {"id": "dnrti_valid_005266", "source": "dnrti_valid"}} {"text": "Our first observation of an attempted attack related to this campaign dates back to November 2015 , although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier .", "spans": {"Organization: Symantec": [[109, 117]]}, "info": {"id": "dnrti_valid_005267", "source": "dnrti_valid"}} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system .", "spans": {"Organization: Gallmaker": [[36, 45]], "Malware: DDE protocol": [[70, 82]], "System: remotely execute commands": [[86, 111]]}, "info": {"id": "dnrti_valid_005268", "source": "dnrti_valid"}} {"text": "While both back door Trojans wait for commands from the threat actor , they can search for files and upload them to the specified server once activated .", "spans": {"Organization: threat actor": [[56, 68]]}, "info": {"id": "dnrti_valid_005269", "source": "dnrti_valid"}} {"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses .", "spans": {"Organization: Patchwork": [[0, 9]], "Organization: Dropping Elephant": [[26, 43]], "Organization: cyberespionage group": [[51, 71]], "Organization: diplomatic": [[95, 105]], "Organization: government agencies": [[110, 129]]}, "info": {"id": "dnrti_valid_005270", "source": "dnrti_valid"}} {"text": "Patchwork is known for rehashing off-therack tools and malware for its own campaigns .", "spans": {"Organization: Patchwork": [[0, 9]], "Malware: rehashing off-therack tools": [[23, 50]], "Malware: malware": [[55, 62]]}, "info": {"id": "dnrti_valid_005271", "source": 
"dnrti_valid"}} {"text": "They also included Dynamic Data Exchange ( DDE ) and Windows Script Component ( SCT ) abuse to their tactics , as well as started exploiting recently reported vulnerabilities .", "spans": {}, "info": {"id": "dnrti_valid_005272", "source": "dnrti_valid"}} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros .", "spans": {"System: socially engineered emails": [[6, 32]]}, "info": {"id": "dnrti_valid_005273", "source": "dnrti_valid"}} {"text": "It contains an additional meta tag at the end of the web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document .", "spans": {"System: additional meta tag": [[15, 34]]}, "info": {"id": "dnrti_valid_005274", "source": "dnrti_valid"}} {"text": "It 's probable that Patchwork uses this package to facilitate server installation when using a Windows environment .", "spans": {"Organization: Patchwork": [[20, 29]]}, "info": {"id": "dnrti_valid_005275", "source": "dnrti_valid"}} {"text": "In March and April 2018 , Volexity identified multiple spear phishing campaigns attributed to Patchwork , an Indian APT group also known as Dropping Elephant .", "spans": {"Organization: Volexity": [[26, 34]], "Organization: Patchwork": [[94, 103]], "Organization: APT group": [[116, 125]], "Organization: Dropping Elephant": [[140, 157]]}, "info": {"id": "dnrti_valid_005276", "source": "dnrti_valid"}} {"text": "This increase in threat activity was consistent with other observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia .", "spans": {"Organization: 360 Threat Intelligence Center": [[120, 150]], "Organization: Trend Micro": [[198, 209]]}, "info": {"id": "dnrti_valid_005277", "source": "dnrti_valid"}} {"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat 
actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages .", "spans": {"Organization: Volexity": [[0, 8]], "System: malware lures": [[54, 67]], "Organization: Patchwork threat actors": [[74, 97]], "System: e-mails": [[144, 151]], "System: e-mail messages": [[213, 228]]}, "info": {"id": "dnrti_valid_005278", "source": "dnrti_valid"}} {"text": "The newsletter includes a link to the attacker 's website , which has content focusing on topics related to China to draw the target 's interest .", "spans": {"Organization: attacker": [[38, 46]]}, "info": {"id": "dnrti_valid_005279", "source": "dnrti_valid"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"Malware: .doc files": [[54, 64]], "Malware: RTF documents": [[85, 98]], "Vulnerability: CVE-2017-8570": [[123, 136]], "Vulnerability: Composite": [[139, 148]], "Vulnerability: Moniker": [[149, 156]]}, "info": {"id": "dnrti_valid_005280", "source": "dnrti_valid"}} {"text": "The threat actors appear to have leveraged publicly available exploit code that can be found on Github at the URL : https://github.com/rxwx/CVE-2017-8570 .", "spans": {"Organization: threat actors": [[4, 17]]}, "info": {"id": "dnrti_valid_005281", "source": "dnrti_valid"}} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools .", "spans": {"Organization: Dropping Elephant": [[0, 17]], "Organization: Chinastrats": [[36, 47]], "Organization: Patchwork": [[56, 65]], "Organization: threat actor": [[90, 102]]}, "info": {"id": "dnrti_valid_005282", "source": "dnrti_valid"}} {"text": "At this point , the attackers know the user has opened the document and send another 
spear-phishing email , this time containing an MS Word document with an embedded executable .", "spans": {"Organization: attackers": [[20, 29]], "System: spear-phishing email": [[85, 105]], "Malware: MS Word document": [[132, 148]]}, "info": {"id": "dnrti_valid_005283", "source": "dnrti_valid"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_valid_005284", "source": "dnrti_valid"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: attackers": [[14, 23]], "Malware: MS PowerPoint document": [[32, 54]], "Vulnerability: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_valid_005285", "source": "dnrti_valid"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: Patchwork": [[10, 19]], "Malware: MS PowerPoint document": [[28, 50]], "Vulnerability: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_valid_005286", "source": "dnrti_valid"}} {"text": "From the attacks observed by Volexity , what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks .", "spans": {"Organization: Volexity": [[29, 37]], "Organization: Patchwork": [[69, 78]]}, "info": {"id": "dnrti_valid_005287", "source": "dnrti_valid"}} {"text": "Once started , it downloads additional malware from the C2 and also uploads some basic system information , stealing , among other things , the user 's Google Chrome credentials .", "spans": {}, "info": {"id": "dnrti_valid_005288", "source": "dnrti_valid"}} {"text": "It repeatedly attempts to iterate through directories and to collect files with the following extensions : doc , docx , ppt , pptx , pps , ppsx , xls , xlsx , and pdf .", "spans": {"Malware: doc": [[107, 110]], "Malware: docx": [[113, 117]], "Malware: 
ppt": [[120, 123]], "Malware: pptx": [[126, 130]], "Malware: pps": [[133, 136]], "Malware: ppsx": [[139, 143]], "Malware: xls": [[146, 149]], "Malware: xlsx": [[152, 156]], "Malware: pdf": [[163, 166]]}, "info": {"id": "dnrti_valid_005289", "source": "dnrti_valid"}} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 .", "spans": {"Organization: group": [[23, 28]], "Malware: powershell-based malware": [[57, 81]]}, "info": {"id": "dnrti_valid_005290", "source": "dnrti_valid"}} {"text": "In the past few months , Unit 42 has observed the Patchwork group , alternatively known as Dropping Elephant and Monsoon , conducting campaigns against targets located in the Indian subcontinent .", "spans": {"Organization: Unit 42": [[25, 32]], "Organization: Patchwork group": [[50, 65]], "Organization: Dropping Elephant": [[91, 108]], "Organization: Monsoon": [[113, 120]]}, "info": {"id": "dnrti_valid_005291", "source": "dnrti_valid"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior .", "spans": {"Malware: malicious documents": [[4, 23]]}, "info": {"id": "dnrti_valid_005292", "source": "dnrti_valid"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_valid_005293", "source": "dnrti_valid"}} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 
vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": {"Organization: Patchwork": [[24, 33]], "Vulnerability: CVE-2017-0261": [[49, 62]], "Vulnerability: CVE-2015-2545": [[196, 209]]}, "info": {"id": "dnrti_valid_005294", "source": "dnrti_valid"}} {"text": "The Patchwork group continues to plague victims located within the Indian subcontinent .", "spans": {"Organization: Patchwork group": [[4, 19]]}, "info": {"id": "dnrti_valid_005295", "source": "dnrti_valid"}} {"text": "The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia .", "spans": {"Organization: government agencies": [[98, 117]]}, "info": {"id": "dnrti_valid_005296", "source": "dnrti_valid"}} {"text": "It appears to have started in December 2015 and is still ongoing as of July 2016 .", "spans": {}, "info": {"id": "dnrti_valid_005297", "source": "dnrti_valid"}} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of Patchwork .", "spans": {"Malware: weaponized legitimate documents": [[11, 42]], "Organization: Patchwork": [[85, 94]]}, "info": {"id": "dnrti_valid_005298", "source": "dnrti_valid"}} {"text": "It is dropped by at least one of the weaponised documents17 used in the MONSOON campaign where it is embedded inside another executable .", "spans": {"Malware: documents17": [[48, 59]]}, "info": {"id": "dnrti_valid_005299", "source": "dnrti_valid"}} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents .", "spans": {"Malware: MyDoom worm": [[58, 69]], "System: find and exfiltrate documents": [[97, 126]]}, "info": {"id": "dnrti_valid_005300", "source": "dnrti_valid"}} {"text": "The targeting of Chinese nationals may also be related to this campaign , but equally may be part of a separate 
campaign by the adversary or even as part of them selling Surveillance-As-A-Service in a similar manner previously seen with the HANGOVER group .", "spans": {"Malware: Surveillance-As-A-Service": [[170, 195]], "Organization: HANGOVER group": [[241, 255]]}, "info": {"id": "dnrti_valid_005301", "source": "dnrti_valid"}} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of this group .", "spans": {"Malware: weaponized legitimate documents": [[11, 42]], "Organization: group": [[90, 95]]}, "info": {"id": "dnrti_valid_005302", "source": "dnrti_valid"}} {"text": "We decided to spend some time to investigate around this malware and found out that it was used exclusively by a single group of attackers .", "spans": {"Organization: group": [[120, 125]], "Organization: attackers": [[129, 138]]}, "info": {"id": "dnrti_valid_005303", "source": "dnrti_valid"}} {"text": "The newsnstat.com domain was used earlier in 2015 for previous HANGOVER campaigns , and was then repurposed in December 2015 for the MONSOON campaign .", "spans": {}, "info": {"id": "dnrti_valid_005304", "source": "dnrti_valid"}} {"text": "Our researches around the malware family revealed the \" Pitty Tiger \" group has been active since 2011 , yet we found traces which makes us believe the group is active since 2010 .", "spans": {"Organization: Pitty Tiger": [[56, 67]], "Organization: group": [[70, 75], [152, 157]]}, "info": {"id": "dnrti_valid_005305", "source": "dnrti_valid"}} {"text": "The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware .", "spans": {"Organization: group": [[4, 9]], "Malware: Microsoft Office products": [[44, 69]]}, "info": {"id": "dnrti_valid_005306", "source": "dnrti_valid"}} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons .", "spans": {"Organization: Pitty Tiger group": [[0, 17]], "System: spear phishing": [[56, 70]]}, "info": 
{"id": "dnrti_valid_005307", "source": "dnrti_valid"}} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: Heartbleed vulnerability": [[36, 60]]}, "info": {"id": "dnrti_valid_005308", "source": "dnrti_valid"}} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Vulnerability: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "dnrti_valid_005309", "source": "dnrti_valid"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"Organization: Pitty Tiger group": [[40, 57]], "Malware: Microsoft Office Word document": [[86, 116]], "Vulnerability: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_valid_005310", "source": "dnrti_valid"}} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: CVE-2014-1761": [[26, 39]]}, "info": {"id": "dnrti_valid_005311", "source": "dnrti_valid"}} {"text": "\" PittyTiger \" is a mutex used by the malware .", "spans": {"Organization: PittyTiger": [[2, 12]], "Malware: mutex": [[20, 25]]}, "info": {"id": "dnrti_valid_005312", "source": "dnrti_valid"}} {"text": "This RAT is the origin of the attackers ' group name .", "spans": {"Malware: RAT": [[5, 8]], "Organization: attackers": [[30, 39]], "Organization: group": [[42, 47]]}, "info": {"id": "dnrti_valid_005313", "source": "dnrti_valid"}} {"text": "Paladin RAT is another remote administration tool used by the Pitty Tiger group .", "spans": {"Malware: Paladin RAT": [[0, 11]], "Organization: Pitty Tiger group": [[62, 79]]}, "info": {"id": "dnrti_valid_005314", "source": "dnrti_valid"}} {"text": "Pitty Tiger , like other APT attackers , often use anti-virus \" 
familiar names \" when registering domains or creating subdomains .", "spans": {"Organization: Pitty Tiger": [[0, 11]], "Organization: APT": [[25, 28]], "Organization: attackers": [[29, 38]]}, "info": {"id": "dnrti_valid_005315", "source": "dnrti_valid"}} {"text": "\" Pitty Tiger \" is also a string transmitted in the network communications of the RAT .", "spans": {"Organization: Pitty Tiger": [[2, 13]], "Malware: string": [[26, 32]], "Malware: RAT": [[82, 85]]}, "info": {"id": "dnrti_valid_005316", "source": "dnrti_valid"}} {"text": "A recent report documents a group of attackers known as \" PittyTiger \" that appears to have been active since at least 2011 ; however , they may have been operating as far back as 2008 .", "spans": {"Organization: group": [[28, 33]], "Organization: attackers": [[37, 46]], "Organization: PittyTiger": [[58, 68]]}, "info": {"id": "dnrti_valid_005317", "source": "dnrti_valid"}} {"text": "We have been monitoring the activities of this group and believe they are operating from China .", "spans": {"Organization: group": [[47, 52]]}, "info": {"id": "dnrti_valid_005318", "source": "dnrti_valid"}} {"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server .", "spans": {"Organization: threat group": [[5, 17]], "Malware: Backdoor.APT.Pgift": [[54, 72]]}, "info": {"id": "dnrti_valid_005319", "source": "dnrti_valid"}} {"text": "By integrating the findings with prior research , it was possible to connect MONSOON directly with infrastructure used by the HANGOVER group via a series of strong connections .", "spans": {"Organization: MONSOON": [[77, 84]], "Organization: HANGOVER group": [[126, 140]]}, "info": {"id": "dnrti_valid_005320", "source": "dnrti_valid"}} {"text": "Backdoor.APT.PittyTiger – This malware is the classic \" PittyTiger \" malware ( PittyTigerV1.0 ) that was heavily used by this group in 2012 - 2013 .", "spans": 
{"Malware: Backdoor.APT.PittyTiger": [[0, 23]], "Organization: PittyTiger": [[56, 66]], "Malware: PittyTigerV1.0": [[79, 93]], "Organization: group": [[126, 131]]}, "info": {"id": "dnrti_valid_005321", "source": "dnrti_valid"}} {"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) – This malware is likely used as a second-stage backdoor .", "spans": {"Malware: Backdoor.APT.PittyTiger1.3": [[0, 26]], "Malware: CT RAT": [[33, 39]], "Malware: second-stage backdoor": [[77, 98]]}, "info": {"id": "dnrti_valid_005322", "source": "dnrti_valid"}} {"text": "It also appears the attackers use this as second-stage malware .", "spans": {"Organization: attackers": [[20, 29]], "Malware: second-stage malware": [[42, 62]]}, "info": {"id": "dnrti_valid_005323", "source": "dnrti_valid"}} {"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks .", "spans": {"Malware: Enfal malware": [[21, 34]], "Malware: Backdoor.APT.Pgift": [[77, 95]]}, "info": {"id": "dnrti_valid_005324", "source": "dnrti_valid"}} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment .", "spans": {"Organization: Pitty Tiger group": [[4, 21]], "System: spear phishing": [[34, 48]]}, "info": {"id": "dnrti_valid_005325", "source": "dnrti_valid"}} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets .", "spans": {"Organization: PittyTiger": [[0, 10]], "System: spearphishing emails": [[51, 71]], "System: email phishing pages": [[145, 165]]}, "info": {"id": "dnrti_valid_005326", "source": "dnrti_valid"}} {"text": "PLATINUM has been targeting its victims since at least as early as 2009 , and may have been active for several years prior .", "spans": {"Organization: PLATINUM": [[0, 8]]}, "info": {"id": 
"dnrti_valid_005327", "source": "dnrti_valid"}} {"text": "This section describes the history , behavior , and tactics of a newly discovered targeted activity group , which Microsoft has code-named PLATINUM .", "spans": {"Organization: activity group": [[91, 105]], "Organization: Microsoft": [[114, 123]], "Organization: PLATINUM": [[139, 147]]}, "info": {"id": "dnrti_valid_005328", "source": "dnrti_valid"}} {"text": "Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia .", "spans": {"Organization: groups": [[15, 21]], "Organization: PLATINUM": [[24, 32]], "Organization: governmental organizations": [[185, 211]], "Organization: defense institutes": [[214, 232]], "Organization: intelligence agencies": [[235, 256]], "Organization: diplomatic institutions": [[259, 282]], "Organization: telecommunication providers": [[289, 316]]}, "info": {"id": "dnrti_valid_005329", "source": "dnrti_valid"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Organization: specific individuals": [[82, 102]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_valid_005330", "source": "dnrti_valid"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], 
"System: phishing": [[56, 64]], "Organization: specific individuals": [[83, 103]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_valid_005331", "source": "dnrti_valid"}} {"text": "LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once .", "spans": {"Organization: LATINUM": [[0, 7]], "Malware: self-deleting malicious components": [[69, 103]], "Malware: server side logic": [[118, 135]]}, "info": {"id": "dnrti_valid_005332", "source": "dnrti_valid"}} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishes": [[15, 28]]}, "info": {"id": "dnrti_valid_005333", "source": "dnrti_valid"}} {"text": "PLATINUM uses custom-developed malicious tools and has the resources to update these applications often to avoid being detected .", "spans": {"Organization: PLATINUM": [[0, 8]], "Malware: custom-developed malicious tools": [[14, 46]]}, "info": {"id": "dnrti_valid_005334", "source": "dnrti_valid"}} {"text": "PLATINUM primarily targets its intended victims using spear phishing .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing": [[54, 68]]}, "info": {"id": "dnrti_valid_005335", "source": "dnrti_valid"}} {"text": "PLATINUM configures its backdoor malware to restrict its activities to victims ' working hours , in an attempt to disguise post-infection network activity within normal user traffic .", "spans": {"Organization: PLATINUM": [[0, 8]]}, "info": {"id": "dnrti_valid_005336", "source": "dnrti_valid"}} {"text": "PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages .", "spans": 
{"Organization: PLATINUM": [[0, 8]]}, "info": {"id": "dnrti_valid_005337", "source": "dnrti_valid"}} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts .", "spans": {"Organization: PLATINUM": [[0, 8]], "Vulnerability: zero-day exploits": [[43, 60]]}, "info": {"id": "dnrti_valid_005338", "source": "dnrti_valid"}} {"text": "For the initial infection , PLATINUM typically sends malicious documents that contain exploits for vulnerabilities in various software programs , with links or remotely loaded components ( images or scripts or templates ) that are delivered to targets only once .", "spans": {"Organization: PLATINUM": [[28, 36]]}, "info": {"id": "dnrti_valid_005339", "source": "dnrti_valid"}} {"text": "PLATINUM 's approach toward exploiting vulnerabilities varies between campaigns .", "spans": {"Organization: PLATINUM": [[0, 8]]}, "info": {"id": "dnrti_valid_005340", "source": "dnrti_valid"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"Malware: ActiveX control": [[46, 61]], "Malware: JavaScript file": [[76, 91]], "Vulnerability: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_valid_005341", "source": "dnrti_valid"}} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Malware: Word": [[32, 36]], "Organization: PLATINUM": [[39, 47]], "Vulnerability: CVE-2015-2545": [[153, 166]], "Organization: attacker": [[200, 208]], "System: malicious DLL": 
[[248, 261]]}, "info": {"id": "dnrti_valid_005342", "source": "dnrti_valid"}} {"text": "n one case from 2013 , the target was sent a malicious document through a spear phishing email message .", "spans": {"Malware: malicious document": [[45, 63]], "System: spear phishing email message": [[74, 102]]}, "info": {"id": "dnrti_valid_005343", "source": "dnrti_valid"}} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application .", "spans": {"Malware: DLL": [[4, 7]], "Vulnerability: CVE-2015-2546": [[72, 85]], "Malware: Word": [[159, 163]]}, "info": {"id": "dnrti_valid_005344", "source": "dnrti_valid"}} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Malware: Word": [[32, 36]], "Vulnerability: CVE-2015-2545": [[147, 160]], "Organization: attacker": [[194, 202]], "System: malicious DLL": [[242, 255]]}, "info": {"id": "dnrti_valid_005345", "source": "dnrti_valid"}} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves .", "spans": {"Organization: PLATINUM": [[11, 19]], "Vulnerability: zero-day exploits": [[37, 54], [289, 306], [358, 375]], "System: remote code execution": [[95, 116]]}, "info": {"id": "dnrti_valid_005346", "source": "dnrti_valid"}} {"text": "Researching this attack and the malware used therein 
led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 .", "spans": {"Organization: Microsoft": [[57, 66]], "Organization: PLATINUM": [[98, 106]], "Organization: users": [[117, 122]]}, "info": {"id": "dnrti_valid_005347", "source": "dnrti_valid"}} {"text": "In both these campaigns the activity group included remote triggers to deactivate exploitation , with an attempt to conceal the vulnerability , and prevent analysis of the attack .", "spans": {"Organization: activity group": [[28, 42]]}, "info": {"id": "dnrti_valid_005348", "source": "dnrti_valid"}} {"text": "After gaining access to a victim 's computer , PLATINUM installs its own custom-built malware to communicate with the compromised system , issue commands , and move laterally through the network .", "spans": {"Organization: PLATINUM": [[47, 55]], "Malware: custom-built malware": [[73, 93]]}, "info": {"id": "dnrti_valid_005349", "source": "dnrti_valid"}} {"text": "PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers .", "spans": {"Organization: PLATINUM": [[0, 8]], "Malware: custom-developed backdoors": [[36, 62]]}, "info": {"id": "dnrti_valid_005350", "source": "dnrti_valid"}} {"text": "This section describes some of the tools used by the group .", "spans": {"Organization: group": [[53, 58]]}, "info": {"id": "dnrti_valid_005351", "source": "dnrti_valid"}} {"text": "The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations .", "spans": {"Organization: activity group": [[153, 167]], "Organization: group": [[210, 215]]}, "info": {"id": "dnrti_valid_005352", "source": "dnrti_valid"}} {"text": "In addition to Dipsind and its variants , PLATINUM uses a few other 
families of custom-built backdoors within its attack toolset .", "spans": {"Malware: Dipsind": [[15, 22]], "Organization: PLATINUM": [[42, 50]], "Malware: custom-built backdoors": [[80, 102]]}, "info": {"id": "dnrti_valid_005353", "source": "dnrti_valid"}} {"text": "The PLATINUM group has written a few different versions of keyloggers that perform their functions in different ways , most likely to take advantage of different weaknesses in victims ' computing environments .", "spans": {"Organization: PLATINUM group": [[4, 18]], "Malware: keyloggers": [[59, 69]]}, "info": {"id": "dnrti_valid_005354", "source": "dnrti_valid"}} {"text": "While one family relies on a small number of supported commands and simple shells , the other delves into more convoluted methods of injections , checks , and supported feature sets .", "spans": {}, "info": {"id": "dnrti_valid_005355", "source": "dnrti_valid"}} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors .", "spans": {"Organization: groups": [[5, 11]], "Malware: PLATINUM backdoors": [[92, 110]]}, "info": {"id": "dnrti_valid_005356", "source": "dnrti_valid"}} {"text": "In particular , this second group also has the capability of dumping users ' credentials using the same technique employed by Mimikatz .", "spans": {"Organization: group": [[28, 33]], "Malware: Mimikatz": [[126, 134]]}, "info": {"id": "dnrti_valid_005357", "source": "dnrti_valid"}} {"text": "In addition to using several publicly known injection methods to perform this task , it also takes advantage of an obscure operating system feature known as hot patching .", "spans": {}, "info": {"id": "dnrti_valid_005358", "source": "dnrti_valid"}} {"text": "One of PLATINUM 's most recent and interesting tools is meant to inject code into processes using a variety of injection techniques .", "spans": {"Organization: PLATINUM": [[7, 15]], "System: injection techniques": [[111, 131]]}, "info": {"id": 
"dnrti_valid_005359", "source": "dnrti_valid"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory .", "spans": {"Malware: CreateRemoteThread": [[192, 210]], "Malware: WriteProcessMemory": [[214, 232]]}, "info": {"id": "dnrti_valid_005360", "source": "dnrti_valid"}} {"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process .", "spans": {"Malware: operating system-supported feature": [[19, 53]]}, "info": {"id": "dnrti_valid_005361", "source": "dnrti_valid"}} {"text": "Multiple Dipsind variants have been identified , all of which are believed to be used exclusively by PLATINUM .", "spans": {"Malware: Dipsind": [[9, 16]], "Organization: PLATINUM": [[101, 109]]}, "info": {"id": "dnrti_valid_005362", "source": "dnrti_valid"}} {"text": "The group 's most frequently used backdoors belong to a malware family that Microsoft has designated Dipsind , although some variants are detected under different names .", "spans": {"Organization: group": [[4, 9]], "Organization: Microsoft": [[76, 85]], "Malware: Dipsind": [[101, 108]]}, "info": {"id": "dnrti_valid_005363", "source": "dnrti_valid"}} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 Administrator permissions are required for hot patching , and the technique used by PLATINUM does not attempt to evade this requirement through exploitation .", "spans": {"Organization: PLATINUM": [[14, 22], [199, 207]]}, "info": {"id": "dnrti_valid_005364", "source": "dnrti_valid"}} {"text": "PLATINUM has used several zero-day exploits against their victims .", "spans": {"Organization: PLATINUM": [[0, 8]], "Vulnerability: zero-day exploits": [[26, 43]]}, "info": {"id": "dnrti_valid_005365", "source": 
"dnrti_valid"}} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 .", "spans": {"Organization: PLATINUM": [[14, 22]], "System: hot patching": [[47, 59]]}, "info": {"id": "dnrti_valid_005366", "source": "dnrti_valid"}} {"text": "PLATINUM has consistently targeted victims within a small set of countries in South and Southeast Asia .", "spans": {"Organization: PLATINUM": [[0, 8]]}, "info": {"id": "dnrti_valid_005367", "source": "dnrti_valid"}} {"text": "PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources .", "spans": {"Organization: PLATINUM": [[0, 8]], "Malware: custom tools": [[51, 63]]}, "info": {"id": "dnrti_valid_005368", "source": "dnrti_valid"}} {"text": "Some of the tools used by PLATINUM , such as the port-knocking backdoor , show signs of organized thinking .", "spans": {"Organization: PLATINUM": [[26, 34]]}, "info": {"id": "dnrti_valid_005369", "source": "dnrti_valid"}} {"text": "Take advantage of native mitigations built into Windows 10 .", "spans": {}, "info": {"id": "dnrti_valid_005370", "source": "dnrti_valid"}} {"text": "For example , the summer 2015 attack that used the unusual ' resume ' would not have been successful on Windows 10 as-is because of the presence of the Supervisor Mode Execution Prevention ( SMEP ) mitigation , even without the latest security updates installed .", "spans": {}, "info": {"id": "dnrti_valid_005371", "source": "dnrti_valid"}} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers .", "spans": {"Vulnerability: CVE-2015-2546": [[8, 21]], "Organization: attackers": [[168, 177]]}, "info": {"id": "dnrti_valid_005372", "source": "dnrti_valid"}} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed 
immediately in September 2015 .", "spans": {"Vulnerability: zero-day vulnerability": [[18, 40]], "Vulnerability: CVE-2015-2545": [[51, 64]], "Organization: PLATINUM": [[75, 83]]}, "info": {"id": "dnrti_valid_005373", "source": "dnrti_valid"}} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel® Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication .", "spans": {"Organization: Microsoft": [[29, 38]], "Organization: PLATINUM": [[71, 79]], "Malware: Intel® Active Management Technology": [[122, 157]], "Malware: AMT": [[160, 163]], "Malware: Serial-over-LAN": [[166, 181]], "Malware: SOL": [[184, 187]]}, "info": {"id": "dnrti_valid_005374", "source": "dnrti_valid"}} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication .", "spans": {"Organization: Microsoft": [[29, 38]], "Organization: PLATINUM": [[71, 79]], "Malware: Intel Active Management Technology": [[122, 156]], "Malware: AMT": [[159, 162]], "Malware: Serial-over-LAN": [[165, 180]], "Malware: SOL": [[183, 186]]}, "info": {"id": "dnrti_valid_005375", "source": "dnrti_valid"}} {"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication .", "spans": {"System: AMT SOL": [[66, 73]]}, "info": {"id": "dnrti_valid_005376", "source": "dnrti_valid"}} {"text": "We confirmed that the tool did not expose vulnerabilities in the management technology itself , but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications .", "spans": {"System: AMT SOL": [[115, 122]]}, "info": {"id": "dnrti_valid_005377", "source": "dnrti_valid"}} {"text": "In either case , PLATINUM would need to have gained administrative 
privileges on targeted systems prior to the feature 's misuse .", "spans": {"Organization: PLATINUM": [[17, 25]]}, "info": {"id": "dnrti_valid_005378", "source": "dnrti_valid"}} {"text": "The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations .", "spans": {}, "info": {"id": "dnrti_valid_005379", "source": "dnrti_valid"}} {"text": "One possibility is that PLATINUM might have obtained compromised credentials from victim networks .", "spans": {"Organization: PLATINUM": [[24, 32]], "System: compromised credentials": [[53, 76]]}, "info": {"id": "dnrti_valid_005380", "source": "dnrti_valid"}} {"text": "Another possibility is that the targeted systems did not have AMT provisioned and PLATINUM , once they've obtained administrative privileges on the system , proceeded to provision AMT .", "spans": {"Malware: AMT": [[62, 65]], "Organization: PLATINUM": [[82, 90]], "System: proceeded to provision AMT": [[157, 183]]}, "info": {"id": "dnrti_valid_005381", "source": "dnrti_valid"}} {"text": "During the provisioning process , PLATINUM could select whichever username and password they wish .", "spans": {"Organization: PLATINUM": [[34, 42]]}, "info": {"id": "dnrti_valid_005382", "source": "dnrti_valid"}} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) .", "spans": {"Organization: PLATINUM": [[32, 40]], "Malware: AMT Technology SDK": [[77, 95]], "Malware: Redirection Library API": [[99, 122]], "Malware: imrsdk.dll": [[125, 135]]}, "info": {"id": "dnrti_valid_005383", "source": "dnrti_valid"}} {"text": "The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way .", "spans": {"Malware: PLATINUM tool": [[4, 17]], "Malware: malware": [[52, 59]]}, "info": {"id": 
"dnrti_valid_005384", "source": "dnrti_valid"}} {"text": "Microsoft reiterates that the PLATINUM tool does not expose flaws in Intel® Active Management Technology ( AMT ) , but uses the technology within an already compromised network to evade security monitoring tools .", "spans": {"Organization: Microsoft": [[0, 9]], "Organization: PLATINUM": [[30, 38]], "Malware: Intel® Active Management Technology": [[69, 104]], "Malware: AMT": [[107, 110]]}, "info": {"id": "dnrti_valid_005385", "source": "dnrti_valid"}} {"text": "The discovery of this new PLATINUM technique and the development of detection capabilities highlight the work the Windows Defender ATP team does to provide customers greater visibility into suspicious activities transpiring on their networks .", "spans": {"Organization: PLATINUM": [[26, 34]], "Organization: Windows Defender ATP": [[114, 134]]}, "info": {"id": "dnrti_valid_005386", "source": "dnrti_valid"}} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks .", "spans": {"Malware: technical exploitation capabilities": [[29, 64]], "Vulnerability: zero-day exploits": [[131, 148]]}, "info": {"id": "dnrti_valid_005387", "source": "dnrti_valid"}} {"text": "This signals just how long ago the Poseidon threat actor was already working on its offensive framework .", "spans": {"Organization: Poseidon threat actor": [[35, 56]]}, "info": {"id": "dnrti_valid_005388", "source": "dnrti_valid"}} {"text": "However , Poseidon 's practice of being a ' custom-tailored malware implants boutique ' kept security researchers from connecting different campaigns under the umbrella of a single threat actor .", "spans": {"Organization: Poseidon": [[10, 18]], "Organization: threat actor": [[181, 193]]}, 
"info": {"id": "dnrti_valid_005389", "source": "dnrti_valid"}} {"text": "Poseidon Group is dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded , executable elements inside office documents and extensive lateral movement tools .", "spans": {"Organization: Poseidon Group": [[0, 14]], "System: spear-phishing": [[143, 157]]}, "info": {"id": "dnrti_valid_005390", "source": "dnrti_valid"}} {"text": "The Poseidon Group is a long-running team operating on all domains : land , air , and sea .", "spans": {"Organization: Poseidon Group": [[4, 18]]}, "info": {"id": "dnrti_valid_005391", "source": "dnrti_valid"}} {"text": "The Poseidon Group has been active , using custom code and evolving their toolkit since at least 2005 .", "spans": {"Organization: Poseidon Group": [[4, 18]], "Malware: custom code": [[43, 54]]}, "info": {"id": "dnrti_valid_005392", "source": "dnrti_valid"}} {"text": "Poseidon has maintained a consistently evolving toolkit since the mid-2000s .", "spans": {"Organization: Poseidon": [[0, 8]]}, "info": {"id": "dnrti_valid_005393", "source": "dnrti_valid"}} {"text": "The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": {"Organization: Poseidon Group": [[4, 18]], "Organization: executives": [[188, 198]]}, "info": {"id": "dnrti_valid_005394", "source": "dnrti_valid"}} {"text": "PROMETHIUM is an activity group that has been active as early as 2012 .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: activity group": [[17, 31]]}, "info": {"id": "dnrti_valid_005395", "source": "dnrti_valid"}} {"text": "This malware family is known as \" PittyTiger \" by the anti-virus community .", "spans": {"Organization: PittyTiger": [[34, 44]], "Organization: anti-virus community": [[54, 74]]}, 
"info": {"id": "dnrti_valid_005396", "source": "dnrti_valid"}} {"text": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird .", "spans": {"Organization: NEODYMIUM": [[0, 9]], "Organization: activity group": [[16, 30]], "Organization: Microsoft": [[83, 92]], "Malware: Wingbird": [[96, 104]]}, "info": {"id": "dnrti_valid_005397", "source": "dnrti_valid"}} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies .", "spans": {"Organization: groups": [[107, 113]], "Organization: STRONTIUM": [[127, 136]], "Organization: PLATINUM": [[141, 149]], "Organization: specific individuals": [[247, 267]], "Organization: institutions": [[272, 284]], "Organization: intelligence agencies": [[328, 349]]}, "info": {"id": "dnrti_valid_005398", "source": "dnrti_valid"}} {"text": "PROMETHIUM distributed links through instant messengers , pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Malware: Truvasys": [[141, 149]]}, "info": {"id": "dnrti_valid_005399", "source": "dnrti_valid"}} {"text": "PROMETHIUM is an activity group that has been active since at least 2012 .", "spans": {"Organization: PROMETHIUM": [[0, 10]], "Organization: activity group": [[17, 31]]}, "info": {"id": "dnrti_valid_005400", "source": "dnrti_valid"}} {"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched .", "spans": {"Organization: group": [[37, 42]], 
"Vulnerability: CVE-2016-4117": [[101, 114]]}, "info": {"id": "dnrti_valid_005401", "source": "dnrti_valid"}} {"text": "Truvasys is a collection of modules written in the Delphi programming language , a variant of Pascal .", "spans": {"Malware: Truvasys": [[0, 8]], "Malware: Pascal": [[94, 100]]}, "info": {"id": "dnrti_valid_005402", "source": "dnrti_valid"}} {"text": "While studying Truvasys , Microsoft uncovered a previously undocumented piece of malware known as Myntor that is a completely separate malware family .", "spans": {"Malware: Truvasys": [[15, 23]], "Organization: Microsoft": [[26, 35]], "Malware: Myntor": [[98, 104]]}, "info": {"id": "dnrti_valid_005403", "source": "dnrti_valid"}} {"text": "Unit 61486 is the 12th Bureau of the PLA 's 3rd General Staff Department ( GSD ) and is headquartered in Shanghai , China .", "spans": {"Organization: Unit 61486": [[0, 10]]}, "info": {"id": "dnrti_valid_005404", "source": "dnrti_valid"}} {"text": "The CrowdStrike has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 .", "spans": {"Organization: CrowdStrike": [[4, 15]], "Organization: PUTTER PANDA": [[87, 99]]}, "info": {"id": "dnrti_valid_005405", "source": "dnrti_valid"}} {"text": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 .", "spans": {"Organization: CrowdStrike Intelligence": [[4, 28]], "Organization: PUTTER PANDA": [[105, 117]]}, "info": {"id": "dnrti_valid_005406", "source": "dnrti_valid"}} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries .", "spans": {}, "info": {"id": "dnrti_valid_005407", "source": "dnrti_valid"}} {"text": "Parts of the PUTTER PANDA toolset and tradecraft have been 
previously documented , both by CrowdStrike , and in open source , where they are referred to as the MSUpdater group .", "spans": {"Organization: PUTTER PANDA": [[13, 25]], "Organization: CrowdStrike": [[91, 102]], "Organization: MSUpdater group": [[160, 175]]}, "info": {"id": "dnrti_valid_005408", "source": "dnrti_valid"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries .", "spans": {"Organization: PUTTER PANDA": [[0, 12]], "Organization: group": [[39, 44]], "Organization: Technology sectors": [[144, 162]]}, "info": {"id": "dnrti_valid_005409", "source": "dnrti_valid"}} {"text": "According to the hacking collective , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks .", "spans": {}, "info": {"id": "dnrti_valid_005410", "source": "dnrti_valid"}} {"text": "The folders seem to contain information about the company 's development documentation , artificial intelligence model , web security software , and antivirus software base code .", "spans": {"Malware: folders": [[4, 11]]}, "info": {"id": "dnrti_valid_005411", "source": "dnrti_valid"}} {"text": "Targeting antivirus companies appears to have been the primary goal of Fxmps' latest network intrusions .", "spans": {"Organization: antivirus companies": [[10, 29]]}, "info": {"id": "dnrti_valid_005412", "source": "dnrti_valid"}} {"text": "This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019 .", "spans": {}, "info": {"id": "dnrti_valid_005413", "source": "dnrti_valid"}} {"text": "The hacker 's name is Gnosticplayers , and since February 11 the hacker has put up for sale data for 32 companies in three rounds [stories on 
Round 1 , Round 2 , and Round 3] on Dream Market , a dark web marketplace .", "spans": {}, "info": {"id": "dnrti_valid_005414", "source": "dnrti_valid"}} {"text": "But according to Gnosticplayers , his foray into a public marketplace like Dream has two goals --besides the first and obvious one being money .", "spans": {}, "info": {"id": "dnrti_valid_005415", "source": "dnrti_valid"}} {"text": "Data collected by Secureworks incident response ( IR ) analysts and analyzed by CTU researchers indicates that GOLD LOWELL extorts money from victims using the custom SamSam ransomware .", "spans": {"Organization: Secureworks": [[18, 29]], "Organization: CTU": [[80, 83]], "Organization: GOLD LOWELL": [[111, 122]], "Malware: SamSam": [[167, 173]]}, "info": {"id": "dnrti_valid_005416", "source": "dnrti_valid"}} {"text": "Some sources claimed that GOLD LOWELL operations specifically targeted the healthcare vertical following public SamSam incidents in 2016 and 2018 .", "spans": {"Organization: GOLD LOWELL": [[26, 37]], "Malware: SamSam": [[112, 118]]}, "info": {"id": "dnrti_valid_005417", "source": "dnrti_valid"}} {"text": "However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft .", "spans": {"Organization: CTU": [[10, 13]], "Organization: GOLD LOWELL": [[38, 49]]}, "info": {"id": "dnrti_valid_005418", "source": "dnrti_valid"}} {"text": "In January 2017 , GOLD LOWELL began targeting legitimate RDP account credentials , in some cases discovering and compromising accounts using brute-force techniques .", "spans": {"Malware: RDP": [[57, 60]]}, "info": {"id": "dnrti_valid_005419", "source": "dnrti_valid"}} {"text": "In 2015 and 2016 , GOLD LOWELL frequently exploited JBoss enterprise applications using several versions of this open-source JBoss exploitation tool .", "spans": {"Malware: JBoss": [[52, 57], [125, 130]]}, "info": {"id": "dnrti_valid_005420", 
"source": "dnrti_valid"}} {"text": "In 2017 and early 2018 , the group used PowerShell commands to call Mimikatz from an online PowerSploit repository , which is a collection of publicly available PowerShell modules for penetration testing .", "spans": {"Malware: PowerShell commands": [[40, 59]], "Malware: Mimikatz": [[68, 76]], "Malware: PowerShell modules": [[161, 179]]}, "info": {"id": "dnrti_valid_005421", "source": "dnrti_valid"}} {"text": "Gold Lowell responded by modifying a registry entry to disable the endpoint tool 's scanning functionality .", "spans": {"Organization: Gold Lowell": [[0, 11]]}, "info": {"id": "dnrti_valid_005422", "source": "dnrti_valid"}} {"text": "Gold Lowell then provide a download link to a unique XML executable file and corresponding RSA private key to decrypt the files .", "spans": {"Organization: Gold Lowell": [[0, 11]], "Malware: XML executable file": [[53, 72]], "Malware: RSA": [[91, 94]]}, "info": {"id": "dnrti_valid_005423", "source": "dnrti_valid"}} {"text": "This methodology , known as \" big game hunting \" , signals a shift in operations for WIZARD SPIDER , a criminal enterprise of which GRIM SPIDER appears to be a cell .", "spans": {}, "info": {"id": "dnrti_valid_005424", "source": "dnrti_valid"}} {"text": "The WIZARD SPIDER threat group , known as the Russia-based operator of the TrickBot banking malware , had focused primarily on wire fraud in the past .", "spans": {"Organization: WIZARD SPIDER threat group": [[4, 30]], "Malware: TrickBot banking malware": [[75, 99]]}, "info": {"id": "dnrti_valid_005425", "source": "dnrti_valid"}} {"text": "Similar to Samas and BitPaymer , Ryuk is specifically used to target enterprise environments .", "spans": {"Malware: Samas": [[11, 16]], "Malware: BitPaymer": [[21, 30]], "Malware: Ryuk": [[33, 37]]}, "info": {"id": "dnrti_valid_005426", "source": "dnrti_valid"}} {"text": "Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes 
source code and has been under steady development since its release .", "spans": {"Malware: Ryuk": [[36, 40], [78, 82]], "Malware: Hermes ransomware": [[45, 62]], "Malware: Hermes": [[104, 110]]}, "info": {"id": "dnrti_valid_005427", "source": "dnrti_valid"}} {"text": "Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors .", "spans": {"Malware: Hermes": [[0, 6]]}, "info": {"id": "dnrti_valid_005428", "source": "dnrti_valid"}} {"text": "However , Ryuk is only used by GRIM SPIDER and , unlike Hermes , Ryuk has only been used to target enterprise environments .", "spans": {"Malware: Ryuk": [[10, 14], [65, 69]], "Malware: Hermes": [[56, 62]]}, "info": {"id": "dnrti_valid_005429", "source": "dnrti_valid"}} {"text": "Since Ryuk 's appearance in August , the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD .", "spans": {"Malware: Ryuk": [[6, 10]]}, "info": {"id": "dnrti_valid_005430", "source": "dnrti_valid"}} {"text": "Hermes ransomware , the predecessor to Ryuk , was first distributed in February 2017 .", "spans": {"Malware: Hermes ransomware": [[0, 17]], "Malware: Ryuk": [[39, 43]]}, "info": {"id": "dnrti_valid_005431", "source": "dnrti_valid"}} {"text": "In mid-August 2018 , a modified version of Hermes , dubbed Ryuk , started appearing in a public malware repository .", "spans": {"Malware: Hermes": [[43, 49]], "Malware: Ryuk": [[59, 63]]}, "info": {"id": "dnrti_valid_005432", "source": "dnrti_valid"}} {"text": "Ryuk was tailored to target enterprise environments and some of the modifications include removing anti-analysis checks .", "spans": {"Malware: Ryuk": [[0, 4]]}, "info": {"id": "dnrti_valid_005433", "source": "dnrti_valid"}} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files .", "spans": {"Malware: Hermes": [[20, 26]], "Malware: 
Ryuk": [[30, 34], [45, 49]], "Malware: AES": [[84, 87]], "Malware: RSA": [[107, 110]]}, "info": {"id": "dnrti_valid_005434", "source": "dnrti_valid"}} {"text": "For each mounted drive , Ryuk calls GetDriveTypeW to determine the drive 's type .", "spans": {"Malware: Ryuk": [[25, 29]], "Malware: GetDriveTypeW": [[36, 49]]}, "info": {"id": "dnrti_valid_005435", "source": "dnrti_valid"}} {"text": "To retrieve IP addresses that have ARP entries , Ryuk calls GetIpNetTable .", "spans": {"Malware: Ryuk": [[49, 53]], "Malware: GetIpNetTable": [[60, 73]]}, "info": {"id": "dnrti_valid_005436", "source": "dnrti_valid"}} {"text": "Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA ( activities of which have been public reported as part of the \" Lazarus Group \" ) , because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017 .", "spans": {"Malware: Hermes ransomware": [[43, 60]], "Malware: Hermes": [[212, 218]]}, "info": {"id": "dnrti_valid_005437", "source": "dnrti_valid"}} {"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp .", "spans": {"Malware: Hermes": [[31, 37]], "Malware: bitsran.exe": [[42, 53]], "Malware: RSW7B37.tmp": [[58, 69]]}, "info": {"id": "dnrti_valid_005438", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has medium-high confidence that the GRIM SPIDER threat actors are operating out of Russia .", "spans": {"Organization: Falcon Intelligence": [[0, 19]]}, "info": {"id": "dnrti_valid_005439", "source": "dnrti_valid"}} {"text": "Based on these factors , there is considerably more evidence supporting the hypothesis that the GRIM SPIDER threat actors are Russian speakers and not North Korean .", "spans": {}, "info": {"id": "dnrti_valid_005440", "source": "dnrti_valid"}} {"text": "The hackers also started tweeting a few samples of internal emails from the company .", "spans": {"System: internal emails": [[51, 66]]}, "info": {"id": 
"dnrti_valid_005441", "source": "dnrti_valid"}} {"text": "From a process and file perspective , Hermes and Ryuk target files in a similar fashion .", "spans": {"Malware: Hermes": [[38, 44]], "Malware: Ryuk": [[49, 53]]}, "info": {"id": "dnrti_valid_005442", "source": "dnrti_valid"}} {"text": "Claudio Guarnieri , a security researcher who has investigated Hacking Team along with others at the Citizen Lab , was quick to point this out .", "spans": {"Organization: Claudio Guarnieri": [[0, 17]], "Organization: Citizen Lab": [[101, 112]]}, "info": {"id": "dnrti_valid_005443", "source": "dnrti_valid"}} {"text": "The breach on Hacking Team comes almost a year after another surveillance tech company , the competing FinFisher , was hacked in a similar way , with a hacker leaking 40 Gb of internal files .", "spans": {"Organization: FinFisher": [[103, 112]]}, "info": {"id": "dnrti_valid_005444", "source": "dnrti_valid"}} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails .", "spans": {"System: phone calls": [[150, 161]], "System: text messages": [[164, 177]], "System: Skype calls": [[180, 191]], "System: emails": [[197, 203]]}, "info": {"id": "dnrti_valid_005445", "source": "dnrti_valid"}} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits .", "spans": {"Malware: Dridex": [[19, 25]], "Organization: INDRIK SPIDER": [[152, 165]]}, "info": {"id": "dnrti_valid_005446", "source": "dnrti_valid"}} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 
's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) .", "spans": {"Malware: BitPaymer": [[56, 65]]}, "info": {"id": "dnrti_valid_005447", "source": "dnrti_valid"}} {"text": "The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time .", "spans": {"Malware: BitPaymer": [[94, 103]]}, "info": {"id": "dnrti_valid_005448", "source": "dnrti_valid"}} {"text": "Though the encryption and ransom functionality of BitPaymer was not technically sophisticated , the malware contained multiple anti-analysis features that overlapped with Dridex .", "spans": {"Malware: BitPaymer": [[50, 59]], "Malware: Dridex": [[171, 177]]}, "info": {"id": "dnrti_valid_005449", "source": "dnrti_valid"}} {"text": "Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER , suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy .", "spans": {"Malware: BitPaymer": [[28, 37]], "Organization: INDRIK SPIDER": [[78, 91]]}, "info": {"id": "dnrti_valid_005450", "source": "dnrti_valid"}} {"text": "The beginning of 2017 also brought a turning point in INDRIK SPIDER 's operation of Dridex .", "spans": {"Organization: INDRIK SPIDER": [[54, 67]], "Malware: Dridex": [[84, 90]]}, "info": {"id": "dnrti_valid_005451", "source": "dnrti_valid"}} {"text": "CrowdStrike® Falcon® Intelligence™ also observed a strong correlation between Dridex infections and BitPaymer ransomware .", "spans": {"Organization: CrowdStrike® Falcon® Intelligence™": [[0, 34]], "Malware: Dridex": [[78, 84]], "Malware: BitPaymer ransomware": [[100, 120]]}, "info": {"id": "dnrti_valid_005452", "source": "dnrti_valid"}} {"text": "During incidents that involved BitPaymer , Dridex was installed on the victim network prior to the deployment of the BitPaymer malware .", "spans": {"Malware: BitPaymer": [[31, 40]], 
"Malware: Dridex": [[43, 49]], "Malware: BitPaymer malware": [[117, 134]]}, "info": {"id": "dnrti_valid_005453", "source": "dnrti_valid"}} {"text": "Also unusual was the observation that both Dridex and BitPaymer were spread through the victim network using lateral movement techniques traditionally associated with nation-state actors and penetration testing .", "spans": {"Malware: Dridex": [[43, 49]], "Malware: BitPaymer": [[54, 63]]}, "info": {"id": "dnrti_valid_005454", "source": "dnrti_valid"}} {"text": "The information gathered from these engagements , combined with information from prior Dridex IR engagements , provides insight into how INDRIK SPIDER deploys and operates both Dridex and BitPaymer .", "spans": {"Malware: Dridex IR": [[87, 96]], "Organization: INDRIK SPIDER": [[137, 150]], "Malware: Dridex": [[177, 183]], "Malware: BitPaymer": [[188, 197]]}, "info": {"id": "dnrti_valid_005455", "source": "dnrti_valid"}} {"text": "In recent BitPaymer IR engagements , Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser .", "spans": {"Malware: BitPaymer IR engagements": [[10, 34]], "Organization: Falcon Intelligence": [[37, 56]], "Malware: FlashPlayer plugin": [[115, 133]], "Malware: Chrome web browser": [[142, 160]]}, "info": {"id": "dnrti_valid_005456", "source": "dnrti_valid"}} {"text": "With the move to targeting select victims for high-value payouts , the INDRIK SPIDER adversary group is no longer forced to scale its operations , and now has the capacity to tailor its tooling to the victim 's environment and play a more active role in the compromise with \" hands on keyboard \" activity .", "spans": {"Organization: INDRIK SPIDER": [[71, 84]]}, "info": {"id": "dnrti_valid_005457", "source": "dnrti_valid"}} {"text": "This web hosting service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler .", "spans": {"Organization: web hosting service 
provider": [[5, 33]], "Organization: hosting provider": [[54, 70]], "Malware: NetTraveler": [[110, 121]]}, "info": {"id": "dnrti_valid_005458", "source": "dnrti_valid"}} {"text": "These new tactics of selectively targeting organizations for high ransomware payouts have signaled a shift in INDRIK SPIDER 's operation with a new focus on targeted , low-volume , high-return criminal activity : a type of cybercrime operation we refer to as big game hunting .", "spans": {}, "info": {"id": "dnrti_valid_005459", "source": "dnrti_valid"}} {"text": "Later , in January 2018 , a report was released that identified similarities between the BitPaymer ransomware and Dridex malware .", "spans": {"Malware: BitPaymer ransomware": [[89, 109]], "Malware: Dridex malware": [[114, 128]]}, "info": {"id": "dnrti_valid_005460", "source": "dnrti_valid"}} {"text": "The report authors renamed the malware \" FriedEx \" .", "spans": {"Malware: FriedEx": [[41, 48]]}, "info": {"id": "dnrti_valid_005461", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has analyzed this malware and can confirm the overlap between BitPaymer/FriedEx and Dridex malware .", "spans": {"Organization: Falcon Intelligence": [[0, 19]], "Malware: BitPaymer/FriedEx": [[82, 99]], "Malware: Dridex malware": [[104, 118]]}, "info": {"id": "dnrti_valid_005462", "source": "dnrti_valid"}} {"text": "Though there is no functionality to collect this information in the ransomware itself , the ransomware is deployed by INDRIK SPIDER in parallel with Dridex malware , and the Dridex malware contains modules that may be used to collect information from infected hosts .", "spans": {"Malware: Dridex malware": [[149, 163], [174, 188]]}, "info": {"id": "dnrti_valid_005463", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has acquired multiple decryption tools related to BitPaymer , which confirm the theory that a unique key is used for each infection .", "spans": {"Organization: Falcon Intelligence": [[0, 19]], "Malware: 
BitPaymer": [[70, 79]]}, "info": {"id": "dnrti_valid_005464", "source": "dnrti_valid"}} {"text": "Unlike many ransomware operations , which usually just require victims to make the payment and subsequently download a decryptor , INDRIK SPIDER requires the victim to engage in communication with an operator .", "spans": {"System: communication": [[178, 191]]}, "info": {"id": "dnrti_valid_005465", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has had unique insight into the email dialogue between a victim and an INDRIK SPIDER operator .", "spans": {"Organization: Falcon Intelligence": [[0, 19]], "System: email": [[52, 57]]}, "info": {"id": "dnrti_valid_005466", "source": "dnrti_valid"}} {"text": "Initial victim communication with the INDRIK SPIDER operator , using one of the email addresses provided , results in the operator providing key pieces of information up front , such as the BTC address and the ransom amount .", "spans": {"System: victim communication": [[8, 28]], "Organization: INDRIK SPIDER": [[38, 51]]}, "info": {"id": "dnrti_valid_005467", "source": "dnrti_valid"}} {"text": "It was made clear during communications that INDRIK SPIDER is not willing to negotiate on the ransom amount , explicitly stating that the victim can use multiple Bitcoin exchanges to obtain the number of BTC required , and the exchange rate should be calculated based on the rate posted on the cryptocurrency exchange Bittrex .", "spans": {}, "info": {"id": "dnrti_valid_005468", "source": "dnrti_valid"}} {"text": "Of note , INDRIK SPIDER specifies the geographical location of where the victim should seek help , confirming that they know key information about the victim .", "spans": {"Organization: INDRIK SPIDER": [[10, 23]], "System: geographical location": [[38, 59]]}, "info": {"id": "dnrti_valid_005469", "source": "dnrti_valid"}} {"text": "INDRIK SPIDER uses file sharing platforms to distribute the BitPaymer decryptor .", "spans": {"Organization: INDRIK SPIDER": [[0, 13]], 
"Malware: file sharing platforms": [[19, 41]], "Malware: BitPaymer decryptor": [[60, 79]]}, "info": {"id": "dnrti_valid_005470", "source": "dnrti_valid"}} {"text": "In an extensive email to the victim , the INDRIK SPIDER operator provides a decryptor download link , decryptor deletion link ( to be used following decryptor download ) and a password .", "spans": {"System: email": [[16, 21]], "Organization: INDRIK SPIDER": [[42, 55]]}, "info": {"id": "dnrti_valid_005471", "source": "dnrti_valid"}} {"text": "The recommendations provided are not only good advice , but also provide indications of how INDRIK SPIDER breaches organizations and moves laterally until domain controller access is gained .", "spans": {"Organization: INDRIK SPIDER": [[92, 105]]}, "info": {"id": "dnrti_valid_005472", "source": "dnrti_valid"}} {"text": "Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization .", "spans": {"Organization: INDRIK SPIDER": [[59, 72]]}, "info": {"id": "dnrti_valid_005473", "source": "dnrti_valid"}} {"text": "INDRIK SPIDER consists of experienced malware developers and operators who have likely been part of the group since the early days of Dridex operations , beginning in June 2014 .", "spans": {"Organization: INDRIK SPIDER": [[0, 13]], "Malware: Dridex": [[134, 140]]}, "info": {"id": "dnrti_valid_005474", "source": "dnrti_valid"}} {"text": "The formation of the group and the modus operandi changed significantly in early 2017 .", "spans": {}, "info": {"id": "dnrti_valid_005475", "source": "dnrti_valid"}} {"text": "Dridex operations became more targeted , resulting in less distribution and Dridex sub-botnets in operation , and BitPaymer ransomware operations began in July 2017 .", "spans": {"Malware: Dridex": [[0, 6], [76, 82]], "Malware: BitPaymer ransomware": [[114, 134]]}, "info": {"id": "dnrti_valid_005476", "source": "dnrti_valid"}} {"text": "There is no doubt 
that BitPaymer ransomware operations are proving successful for Indrik Spider , with an average estimated take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan .", "spans": {"Malware: BitPaymer": [[23, 32]], "Malware: ransomware": [[33, 43]], "Organization: INDRIK SPIDER": [[205, 218]], "Malware: Dridex banking trojan": [[244, 265]]}, "info": {"id": "dnrti_valid_005477", "source": "dnrti_valid"}}
{"text": "There is no doubt that BitPaymer ransomware operations are proving successful for this criminal group , with an average estimated take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan .", "spans": {"Malware: BitPaymer": [[23, 32]], "Malware: ransomware": [[33, 43]], "Malware: Dridex banking trojan": [[250, 271]]}, "info": {"id": "dnrti_valid_005478", "source": "dnrti_valid"}}
{"text": "Though Dridex is still bringing in criminal revenue for the actor after almost four years of operation , targeted wire fraud operations likely require lengthy planning .", "spans": {"Malware: Dridex": [[7, 13]]}, "info": {"id": "dnrti_valid_005479", "source": "dnrti_valid"}}
{"text": "In scenarios where wire fraud is not as lucrative an option , INDRIK SPIDER might use ransomware to monetize the compromise instead .", "spans": {}, "info": {"id": "dnrti_valid_005480", "source": "dnrti_valid"}}
{"text": "INDRIK SPIDER isn't the only criminal actor running big game hunting operations ; the first ransomware to stake a claim for big game hunting was Samas ( aka SamSam ) , which is developed and operated by BOSS SPIDER .", "spans": {"Malware: ransomware": [[92, 102]], "Malware: Samas": [[145, 150]], "Malware: SamSam": [[157, 163]]}, "info": {"id": "dnrti_valid_005481", "source": "dnrti_valid"}}
{"text": "Since they were first identified in January 2016 , this adversary has consistently targeted large organizations for high ransom demands .", "spans": {}, "info": {"id": "dnrti_valid_005482", "source": "dnrti_valid"}}
{"text": "In July 2017 , INDRIK SPIDER joined the movement of targeted ransomware with BitPaymer .", "spans": {"Malware: BitPaymer": [[77, 86]]}, "info": {"id": "dnrti_valid_005483", "source": "dnrti_valid"}}
{"text": "Most recently , the ransomware known as Ryuk came to market in August 2018 and has netted its operators , tracked by Falcon Intelligence as GRIM SPIDER , a significant ( and immediate ) profit in campaigns also targeting large organizations .", "spans": {"Malware: ransomware": [[20, 30]], "Malware: Ryuk": [[40, 44]], "Organization: Falcon Intelligence": [[117, 136]], "Organization: GRIM SPIDER": [[140, 151]]}, "info": {"id": "dnrti_valid_005484", "source": "dnrti_valid"}}
{"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware .", "spans": {"Organization: WIZARD SPIDER": [[4, 17]], "Malware: TrickBot banking malware": [[67, 91]]}, "info": {"id": "dnrti_valid_005485", "source": "dnrti_valid"}}
{"text": "The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot ( aka IcedID ) , which was first observed in April 2017 .", "spans": {"Organization: LUNAR SPIDER threat group": [[4, 29]], "Malware: BokBot": [[123, 129]], "Malware: IcedID": [[136, 142]]}, "info": {"id": "dnrti_valid_005486", "source": "dnrti_valid"}}
{"text": "The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function .", "spans": {"Malware: BokBot malware": [[4, 18]]}, "info": {"id": "dnrti_valid_005487", "source": "dnrti_valid"}}
{"text": "Campaigns involving both BokBot and TrickBot were first identified by CrowdStrike Intelligence in July 2017 .", "spans": {"Malware: BokBot": [[25, 31]], "Malware: TrickBot": [[36, 44]], "Organization: CrowdStrike Intelligence": [[70, 94]]}, "info": {"id": "dnrti_valid_005488", "source": "dnrti_valid"}}
{"text": "These gtags have been closely associated with LUNAR SPIDER activity .", "spans": {"Malware: gtags": [[6, 11]]}, "info": {"id": "dnrti_valid_005489", "source": "dnrti_valid"}}
{"text": "Unit 42 followed network traces and pivoted on the information left behind by this actor , such as open directories , document metadata , and binary peculiarities , which enabled us to find a custom-made piece of malware , that we named \" CapturaTela \" .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: CapturaTela": [[239, 250]]}, "info": {"id": "dnrti_valid_005490", "source": "dnrti_valid"}}
{"text": "Our telemetry for this campaign identified email as the primary delivery mechanism and found the first related samples were distributed in August 2018 .", "spans": {"System: email": [[43, 48]]}, "info": {"id": "dnrti_valid_005491", "source": "dnrti_valid"}}
{"text": "Aside from the use of the custom trojan CapturaTela , the actor makes extensive use of several other remote access Trojans to perform its malicious activities .", "spans": {"Malware: CapturaTela": [[40, 51]], "Malware: remote access Trojans": [[101, 122]]}, "info": {"id": "dnrti_valid_005492", "source": "dnrti_valid"}}
{"text": "Why would OurMine want to target WikiLeaks ?", "spans": {"Organization: OurMine": [[10, 17]], "Organization: WikiLeaks": [[33, 42]]}, "info": {"id": "dnrti_valid_005493", "source": "dnrti_valid"}}
{"text": "Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies .", "spans": {"Organization: OurMine": [[10, 17]], "Organization: WikiLeaks": [[39, 48]]}, "info": {"id": "dnrti_valid_005494", "source": "dnrti_valid"}}
{"text": "We don't know how OurMine managed to access WikiLeaks 's DNS records , but past experience has shown that their typical modus operandi is simply to log in using their victim 's password .", "spans": {"Organization: WikiLeaks": [[44, 53]]}, "info": {"id": "dnrti_valid_005495", "source": "dnrti_valid"}}
{"text": "Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simply requested that a password reset link be sent to a compromised email address .", "spans": {"System: social engineering": [[40, 58]], "Organization: WikiLeaks": [[68, 77]], "Organization: DNS provider": [[81, 93]]}, "info": {"id": "dnrti_valid_005496", "source": "dnrti_valid"}}
{"text": "Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simply requested that a password reset link be sent to a compromised email address .", "spans": {"System: social engineering": [[46, 64]], "Organization: WikiLeaks": [[74, 83]], "Organization: DNS provider": [[87, 99]]}, "info": {"id": "dnrti_valid_005497", "source": "dnrti_valid"}}
{"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network .", "spans": {"Organization: Twitter": [[133, 140]], "Organization: Facebook": [[145, 153]]}, "info": {"id": "dnrti_valid_005498", "source": "dnrti_valid"}}
{"text": "Last year , OurMine victimized Marvel , The New York Times , and even the heads of some of the biggest technology companies in the world .", "spans": {"Organization: OurMine": [[12, 19]], "Organization: The New York Times": [[40, 58]], "Organization: technology companies": [[103, 123]]}, "info": {"id": "dnrti_valid_005499", "source": "dnrti_valid"}}
{"text": "Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek — the CEOs of Facebook , Twitter , Google and Spotify , respectively — have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised .", "spans": {"Organization: Facebook": [[76, 84]], "Organization: Twitter": [[87, 94]], "Organization: Google": [[97, 103]]}, "info": {"id": "dnrti_valid_005500", "source": "dnrti_valid"}}
{"text": "The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"Organization: WikiLeaks'": [[40, 50]], "Organization: Twitter": [[102, 109], [166, 173]], "Organization: Pinterest": [[178, 187]], "Organization: BuzzFeed": [[217, 225]], "Organization: TechCrunch": [[230, 240]]}, "info": {"id": "dnrti_valid_005501", "source": "dnrti_valid"}}
{"text": "OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"Organization: OurMine": [[0, 7]], "Organization: WikiLeaks'": [[38, 48]], "Organization: Twitter": [[100, 107], [164, 171]], "Organization: Pinterest": [[176, 185]], "Organization: BuzzFeed": [[215, 223]], "Organization: TechCrunch": [[228, 238]]}, "info": {"id": "dnrti_valid_005502", "source": "dnrti_valid"}}
{"text": "The group 's primary goal is demonstrating to companies that they have weak security .", "spans": {}, "info": {"id": "dnrti_valid_005503", "source": "dnrti_valid"}}
{"text": "US intelligence agencies pinned the breach on North Korea ( one of the hacking group 's demands was that Sony pull The Interview , Seth Rogen 's comedy about a plot to assassinate Kim Jong-Un ) .", "spans": {"Organization: intelligence agencies": [[3, 24]], "Organization: Sony": [[105, 109]]}, "info": {"id": "dnrti_valid_005504", "source":
"dnrti_valid"}} {"text": "Of course , Sony ( one of Vevo 's joint owners ) fell victim to a devastating hack in 2014 after a group of hackers calling themselves the \" Guardians of Peace \" dumped a wealth of its confidential data online .", "spans": {"Organization: Sony": [[12, 16]]}, "info": {"id": "dnrti_valid_005505", "source": "dnrti_valid"}} {"text": "The cryptominer employed by Pacha Group , labeled Linux.GreedyAntd by Intezer , was completely undetected by all leading engines , demonstrating the sophistication of this malware .", "spans": {"Malware: Linux.GreedyAntd": [[50, 66]], "Organization: Intezer": [[70, 77]]}, "info": {"id": "dnrti_valid_005506", "source": "dnrti_valid"}} {"text": "Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines .", "spans": {"Organization: Intezer": [[0, 7]]}, "info": {"id": "dnrti_valid_005507", "source": "dnrti_valid"}} {"text": "The new miner employed by Pacha Group , named Linux.GreedyAntd , has shown to be more sophisticated than the average Linux threat , using evasion techniques rarely seen in Linux malware .", "spans": {"Organization: Pacha Group": [[26, 37]], "Malware: Linux.GreedyAntd": [[46, 62]], "Malware: Linux malware": [[172, 185]]}, "info": {"id": "dnrti_valid_005508", "source": "dnrti_valid"}} {"text": "Pacha Group is believed to be of Chinese origin , and is actively delivering new campaigns , deploying a broad number of components , many of which are undetected and operating within compromised third party servers .", "spans": {"Organization: Pacha Group": [[0, 11]]}, "info": {"id": "dnrti_valid_005509", "source": "dnrti_valid"}} {"text": "We have labeled the undetected Linux.Antd variants , Linux.GreedyAntd and classified the threat actor as Pacha Group .", "spans": {"Malware: Linux.GreedyAntd": [[53, 69]]}, "info": {"id": "dnrti_valid_005510", "source": "dnrti_valid"}} {"text": "Based on our findings 
Linux.GreedyAntd 's operations closely resemble previous cryptojacking campaigns deployed by Pacha Group in the past .", "spans": {"Malware: Linux.GreedyAntd": [[22, 38]]}, "info": {"id": "dnrti_valid_005511", "source": "dnrti_valid"}} {"text": "Among the artifacts hosted in GreedyAntd 's servers , we managed to find a single component not related to the same cryptojacking operation just previously discussed and leveraged by Pacha Group .", "spans": {"Malware: GreedyAntd": [[30, 40]]}, "info": {"id": "dnrti_valid_005512", "source": "dnrti_valid"}} {"text": "It was one of the few ransomware strains that were being mass-distributed via email spam and exploit kits , but also as part of targeted attacks against high-profile organizations ( a tactic known as big-game hunting ) at the same time .", "spans": {"System: email spam": [[78, 88]], "System: exploit kits": [[93, 105]], "Organization: high-profile organizations": [[153, 179]]}, "info": {"id": "dnrti_valid_005513", "source": "dnrti_valid"}} {"text": "The GandCrab author also had a spat with South Korean security vendor AhnLab last summer after the security firm released a vaccine for the GandCrab ransomware .", "spans": {"Malware: GandCrab": [[4, 12]], "Organization: AhnLab": [[70, 76]], "Organization: security firm": [[99, 112]], "Malware: GandCrab ransomware": [[140, 159]]}, "info": {"id": "dnrti_valid_005514", "source": "dnrti_valid"}} {"text": "Recently , Sophos Labs has observed criminal groups scanning the internet for open MySQL databases running on Windows systems , which they tried to infect with GandCrab .", "spans": {"Organization: Sophos Labs": [[11, 22]], "Malware: GandCrab": [[160, 168]]}, "info": {"id": "dnrti_valid_005515", "source": "dnrti_valid"}} {"text": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and 
penetration testing teams .", "spans": {"Organization: CrowdStrike Intelligence": [[0, 24]], "Organization: PINCHY SPIDER": [[47, 60]], "Malware: GandCrab ransomware": [[82, 101]]}, "info": {"id": "dnrti_valid_005516", "source": "dnrti_valid"}} {"text": "Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February .", "spans": {"Malware: GandCrab": [[43, 51]], "Organization: customers": [[92, 101]], "Organization: IT support firms": [[112, 128]]}, "info": {"id": "dnrti_valid_005517", "source": "dnrti_valid"}} {"text": "CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams .", "spans": {"Organization: CrowdStrike® Intelligence": [[0, 25]], "Organization: PINCHY SPIDER": [[48, 61]], "Malware: GandCrab ransomware": [[83, 102]]}, "info": {"id": "dnrti_valid_005518", "source": "dnrti_valid"}} {"text": "PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab , which has been active since January 2018 .", "spans": {"Organization: PINCHY SPIDER": [[0, 13]], "Malware: GandCrab": [[100, 108]]}, "info": {"id": "dnrti_valid_005519", "source": "dnrti_valid"}} {"text": "PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts .", "spans": {"Organization: PINCHY SPIDER": [[0, 13]], "Malware: GandCrab ransomware": [[34, 53]]}, "info": {"id": "dnrti_valid_005520", "source": "dnrti_valid"}} {"text": "The main catalyst for dedicated development by PINCHY SPIDER , however , has been an ongoing battle with cybersecurity providers that are actively developing GandCrab mitigations and decryptors .", "spans": {"Organization: PINCHY SPIDER": [[47, 60]], "Organization: cybersecurity 
providers": [[105, 128]], "Malware: GandCrab": [[158, 166]]}, "info": {"id": "dnrti_valid_005521", "source": "dnrti_valid"}} {"text": "In February , PINCHY SPIDER released version 5.2 of GandCrab , which is immune to the decryption tools developed for earlier versions of GandCrab and in fact , was deployed the day before the release of the latest decryptor .", "spans": {"Organization: PINCHY SPIDER": [[14, 27]], "Malware: GandCrab": [[52, 60], [137, 145]]}, "info": {"id": "dnrti_valid_005522", "source": "dnrti_valid"}} {"text": "CrowdStrike Intelligence first identified new GandCrab ransomware deployment tactics in mid-February , when a threat actor was observed performing actions on a victim host in order to install GandCrab .", "spans": {"Organization: CrowdStrike Intelligence": [[0, 24]], "Malware: GandCrab ransomware": [[46, 65]], "Malware: GandCrab": [[192, 200]]}, "info": {"id": "dnrti_valid_005523", "source": "dnrti_valid"}} {"text": "Using RDP and stolen credentials from the initially compromised host , the threat actor then proceeded to move laterally around the victim network and was able to deploy GandCrab across several other hosts .", "spans": {"Malware: RDP": [[6, 9]], "Malware: GandCrab": [[170, 178]]}, "info": {"id": "dnrti_valid_005524", "source": "dnrti_valid"}} {"text": "Near the end of February , CrowdStrike Intelligence observed another incident in which similar manual lateral movement techniques were used to deploy GandCrab across multiple hosts in an enterprise .", "spans": {"Organization: CrowdStrike Intelligence": [[27, 51]], "Malware: GandCrab": [[150, 158]]}, "info": {"id": "dnrti_valid_005525", "source": "dnrti_valid"}} {"text": "Once Domain Controller access was acquired , Pinchy Spider used the enterprise 's own IT systems management software , LANDesk , to deploy a loader to hosts across the enterprise .", "spans": {"Malware: LANDesk": [[119, 126]]}, "info": {"id": "dnrti_valid_005526", "source": "dnrti_valid"}} {"text": "This loader 
, known as Phorpiex Downloader , is not specifically tied to GandCrab or PINCHY SPIDER , and it has previously been observed dropping other malware , such as Smoke Bot , Azorult , and XMRig .", "spans": {"Malware: Phorpiex Downloader": [[23, 42]], "Organization: GandCrab": [[73, 81]], "Organization: PINCHY SPIDER": [[85, 98]], "Malware: Smoke Bot": [[170, 179]], "Malware: Azorult": [[182, 189]], "Malware: XMRig": [[196, 201]]}, "info": {"id": "dnrti_valid_005527", "source": "dnrti_valid"}} {"text": "As reported in the CrowdStrike 2018 Global Threat Report , big game hunting was a trend that helped define the criminal threat landscape in 2018 .", "spans": {}, "info": {"id": "dnrti_valid_005528", "source": "dnrti_valid"}} {"text": "BOSS SPIDER used both enterprise and per-host pricing during their campaigns .", "spans": {"Organization: BOSS SPIDER": [[0, 11]], "Malware: enterprise": [[22, 32]], "Malware: per-host pricing": [[37, 53]]}, "info": {"id": "dnrti_valid_005529", "source": "dnrti_valid"}} {"text": "Both INDRIK SPIDER ( with BitPaymer ransomware ) and GRIM SPIDER ( with Ryuk ransomware ) have made headlines with their high profile victims and ransom profits , demonstrating that big game hunting is a lucrative enterprise .", "spans": {"Organization: INDRIK SPIDER": [[5, 18]], "Malware: BitPaymer": [[26, 35]], "Malware: ransomware": [[36, 46]], "Organization: GRIM SPIDER": [[53, 64]], "Malware: Ryuk ransomware": [[72, 87]]}, "info": {"id": "dnrti_valid_005530", "source": "dnrti_valid"}} {"text": "Running successful big game hunting operations results in a higher average profit per victim , allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly .", "spans": {}, "info": {"id": "dnrti_valid_005531", "source": "dnrti_valid"}} {"text": "The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post .", "spans": {"Organization: Talos": [[50, 
55]]}, "info": {"id": "dnrti_valid_005532", "source": "dnrti_valid"}} {"text": "The family was suspected to be developed by the Iron cybercrime group and it's also associated with the Xbash malware we reported on in September of 2018 .", "spans": {"Malware: Xbash malware": [[104, 117]]}, "info": {"id": "dnrti_valid_005533", "source": "dnrti_valid"}} {"text": "The threat actor Rocke was first reported by Cisco Talos in late July 2018 .", "spans": {"Organization: Cisco Talos": [[45, 56]]}, "info": {"id": "dnrti_valid_005534", "source": "dnrti_valid"}} {"text": "The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines .", "spans": {}, "info": {"id": "dnrti_valid_005535", "source": "dnrti_valid"}} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion .", "spans": {"Vulnerability: Rocke group exploits vulnerabilities": [[52, 88]]}, "info": {"id": "dnrti_valid_005536", "source": "dnrti_valid"}} {"text": "Once the C2 connection is established , malware used by the Rocke group downloads shell script named as \" a7 \" to the victim machine .", "spans": {"Organization: Rocke": [[60, 65]], "Malware: a7": [[106, 108]]}, "info": {"id": "dnrti_valid_005537", "source": "dnrti_valid"}} {"text": "To be more specific , the malware uninstalls cloud security products by Alibaba Cloud and Tencent Cloud .", "spans": {}, "info": {"id": "dnrti_valid_005538", "source": "dnrti_valid"}} {"text": "Public cloud infrastructure is one of the main targets for Rocke .", "spans": {"Organization: Rocke": [[59, 64]]}, "info": {"id": "dnrti_valid_005539", "source": "dnrti_valid"}} {"text": "FortiGuard Labs has been monitoring a Linux coin mining campaign from \" Rocke \" – a malware threat group specializing in cryptomining .", "spans": {"Organization: FortiGuard Labs": [[0, 15]]}, "info": {"id": "dnrti_valid_005540", "source": "dnrti_valid"}} {"text": "The 
malicious bash script components of the malware are hosted in Pastebin , with the profile name \" SYSTEMTEN \" , which is very similar to previous names used by the \" Rocke \" threat group .", "spans": {"Malware: Pastebin": [[66, 74]], "Malware: SYSTEMTEN": [[101, 110]]}, "info": {"id": "dnrti_valid_005541", "source": "dnrti_valid"}} {"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 .", "spans": {"Organization: Rocke": [[31, 36]], "Vulnerability: CVE-2018-1000861": [[105, 121]], "Vulnerability: CVE-2019-1003000": [[126, 142]]}, "info": {"id": "dnrti_valid_005542", "source": "dnrti_valid"}} {"text": "By utilizing a hook library , it is more complicated for users to manually detect and remove the infection from their systems , giving the threat actors more time to generate profit .", "spans": {"Malware: hook library": [[15, 27]]}, "info": {"id": "dnrti_valid_005543", "source": "dnrti_valid"}} {"text": "The group also made it back into the news with the recent WannaCry ransomware that targeted computers around the globe ; it piggybacked on exploits revealed by the Shadow Brokers .", "spans": {"Malware: WannaCry ransomware": [[58, 77]], "Organization: Shadow Brokers": [[164, 178]]}, "info": {"id": "dnrti_valid_005544", "source": "dnrti_valid"}} {"text": "A mysterious hacker or hackers going by the name \" The Shadow Brokers \" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools .", "spans": {"Organization: NSA": [[116, 119]]}, "info": {"id": "dnrti_valid_005545", "source": "dnrti_valid"}} {"text": "The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools .", "spans": {}, "info": {"id": "dnrti_valid_005546", "source": "dnrti_valid"}} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites .", 
"spans": {"Vulnerability: NSA exploits": [[86, 98]]}, "info": {"id": "dnrti_valid_005547", "source": "dnrti_valid"}} {"text": "The Shadow Brokers , the group that publicly dumped a cache of NSA hacking tools , appears to be back and ready to sell stolen material on an individual basis .", "spans": {"Organization: Shadow Brokers": [[4, 18]], "Malware: NSA hacking tools": [[63, 80]]}, "info": {"id": "dnrti_valid_005548", "source": "dnrti_valid"}} {"text": "Wh1sks estimated that , between June and early August , the Shadow Brokers have made up to $88,000 in an alternative cryptocurrency called Monero .", "spans": {"Organization: Wh1sks": [[0, 6]], "Organization: Shadow Brokers": [[60, 74]]}, "info": {"id": "dnrti_valid_005549", "source": "dnrti_valid"}} {"text": "Moreover , Wh1sks was able to find out the email addresses of five people who have subscribed to the Shadow Brokers' monthly dump service .", "spans": {"Organization: Wh1sks": [[11, 17]], "Organization: Shadow Brokers'": [[101, 116]]}, "info": {"id": "dnrti_valid_005550", "source": "dnrti_valid"}} {"text": "Buried among this new treasure trove , there are several mentions of previously disclosed NSA top secret programs and software such as \" STRAITBIZARRE \" , used to control implants remotely , and \" JEEPFLEA \" , a project to hack the money transferring system SWIFT .", "spans": {"Malware: trove": [[31, 36]], "Organization: NSA": [[90, 93]], "Malware: STRAITBIZARRE": [[137, 150]], "Malware: JEEPFLEA": [[197, 205]]}, "info": {"id": "dnrti_valid_005551", "source": "dnrti_valid"}} {"text": "The Shadow Brokers have long claimed that the tools they release are from the \" Equation Group \" , the name of a government hacking group outed by Kaspersky Lab in 2015 , which is widely believed to be the NSA .", "spans": {"Organization: Shadow Brokers": [[4, 18]], "Organization: Kaspersky Lab": [[147, 160]], "Organization: NSA": [[206, 209]]}, "info": {"id": "dnrti_valid_005552", "source": "dnrti_valid"}} {"text": 
"Recently , FireEye released a great report on one of the more active groups , now known as APT30 .", "spans": {"Organization: FireEye": [[11, 18]], "Organization: APT30": [[91, 96]]}, "info": {"id": "dnrti_valid_005553", "source": "dnrti_valid"}} {"text": "In addition , Kaspersky discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins .", "spans": {"Organization: Kaspersky": [[14, 23]], "Organization: Winnti": [[44, 50]], "Malware: PlugX": [[90, 95]]}, "info": {"id": "dnrti_valid_005554", "source": "dnrti_valid"}} {"text": "Previous work published by security vendor FireEye in October 2014 suggests APT28 might be of Russian origin .", "spans": {"Organization: FireEye": [[43, 50]], "Organization: APT28": [[76, 81]]}, "info": {"id": "dnrti_valid_005555", "source": "dnrti_valid"}} {"text": "After publishing our initial series of blogposts back in 2016 , Kaspersky has continued to track the ScarCruft threat actor .", "spans": {"Organization: Kaspersky": [[64, 73]], "Organization: ScarCruft": [[101, 110]]}, "info": {"id": "dnrti_valid_005556", "source": "dnrti_valid"}} {"text": "Based on the ScarCruft’s recent activities , Kaspersky strongly believes that this ScarCruft group is likely to continue to evolve .", "spans": {"Organization: ScarCruft’s": [[13, 24]], "Organization: Kaspersky": [[45, 54]], "Organization: ScarCruft": [[83, 92]]}, "info": {"id": "dnrti_valid_005557", "source": "dnrti_valid"}} {"text": "Kaspersky also discovered an interesting piece of rare malware created by this threat actor ScarCruft .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: ScarCruft": [[92, 101]]}, "info": {"id": "dnrti_valid_005558", "source": "dnrti_valid"}} {"text": "Kaspersky witnessed the ScarCruft threat actor extensively testing a known public exploit during its preparation for the next campaign .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: ScarCruft": [[24, 33]]}, "info": {"id": 
"dnrti_valid_005559", "source": "dnrti_valid"}} {"text": "Based on our telemetry , Kaspersky can reassemble ScarCruft’s binary infection procedure .", "spans": {"Organization: Kaspersky": [[25, 34]], "Organization: ScarCruft’s": [[50, 61]]}, "info": {"id": "dnrti_valid_005560", "source": "dnrti_valid"}} {"text": "In addition , Kaspersky analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel .", "spans": {"Organization: Kaspersky": [[14, 23]], "Organization: DarkHotel": [[146, 155]]}, "info": {"id": "dnrti_valid_005561", "source": "dnrti_valid"}} {"text": "Secureworks researchers investigated activities associated with the BRONZE BUTLER (also known as Tick) threat group , which likely originates in the People .", "spans": {"Organization: Secureworks": [[0, 11]], "Organization: BRONZE BUTLER": [[68, 81]]}, "info": {"id": "dnrti_valid_005562", "source": "dnrti_valid"}} {"text": "However , an investigation by Symantec has found that Butterfly has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number .", "spans": {"Organization: Symantec": [[30, 38]], "Organization: Butterfly": [[54, 63]]}, "info": {"id": "dnrti_valid_005563", "source": "dnrti_valid"}} {"text": "Talos assesses with high confidence that Group 123 was responsible for six campaigns .", "spans": {"Organization: Talos": [[0, 5]], "Organization: Group 123": [[41, 50]]}, "info": {"id": "dnrti_valid_005564", "source": "dnrti_valid"}} {"text": "Attacks launched by Scarlet Mimic were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan .", "spans": {"Organization: Scarlet Mimic": [[20, 33]], "Organization: Trend Micro": [[69, 80]], "Malware: FakeM": [[98, 103]], "Malware: Trojan": [[104, 110]]}, "info": {"id": "dnrti_valid_005565", "source": "dnrti_valid"}} {"text": "Finally , Talos identified a 6th campaign that is also linked to Group 123 
.", "spans": {"Organization: Talos": [[10, 15]], "Organization: Group 123": [[65, 74]]}, "info": {"id": "dnrti_valid_005566", "source": "dnrti_valid"}} {"text": "As Talos observed at the beginning of 2017 , Group 123 started a campaign corresponding with the new year in 2018 .", "spans": {"Organization: Talos": [[3, 8]], "Organization: Group 123": [[45, 54]]}, "info": {"id": "dnrti_valid_005567", "source": "dnrti_valid"}} {"text": "Last month , researchers at Kaspersky reported on a Lazarus APT campaign targeting both macOS and Windows users .", "spans": {"Organization: Kaspersky": [[28, 37]], "Organization: Lazarus": [[52, 59]]}, "info": {"id": "dnrti_valid_005568", "source": "dnrti_valid"}} {"text": "Cylance uncovered several bespoke backdoors deployed by the OceanLotus APT Group a.k.a APT32 , Cobalt Kitty .", "spans": {"Organization: Cylance": [[0, 7]], "Organization: OceanLotus": [[60, 70]], "Organization: APT32": [[87, 92]], "Organization: Cobalt Kitty": [[95, 107]]}, "info": {"id": "dnrti_valid_005569", "source": "dnrti_valid"}} {"text": "While continuing to monitor activity of the OceanLotus APT Group , Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file .", "spans": {"Organization: OceanLotus": [[44, 54]], "Organization: Cylance": [[67, 74]]}, "info": {"id": "dnrti_valid_005570", "source": "dnrti_valid"}} {"text": "Gobelin Panda , a.k.a Goblin Panda , is a group that has been identified by CrowdStrike as a Chinese threat actor .", "spans": {"Organization: Gobelin Panda": [[0, 13]], "Organization: Goblin Panda": [[22, 34]], "Organization: CrowdStrike": [[76, 87]]}, "info": {"id": "dnrti_valid_005571", "source": "dnrti_valid"}} {"text": "CrowdStrike observed Goblin Panda activity spike as tensions among South China Sea nations has risen .", "spans": {"Organization: CrowdStrike": [[0, 11]], "Organization: Goblin Panda": [[21, 33]]}, "info": {"id": "dnrti_valid_005572", 
"source": "dnrti_valid"}} {"text": "This confirms Tropic Trooper is using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them .", "spans": {"Organization: Tropic Trooper": [[14, 28]], "Malware: Poison Ivy": [[38, 48]], "Organization: Trend Micro": [[113, 124]]}, "info": {"id": "dnrti_valid_005573", "source": "dnrti_valid"}} {"text": "In a 2018 blogpost , ESET researchers predicted that Turla would use more and more generic tools .", "spans": {"Organization: ESET": [[21, 25]], "Organization: Turla": [[53, 58]]}, "info": {"id": "dnrti_valid_005574", "source": "dnrti_valid"}} {"text": "ESET researchers will continue monitoring new Turla activities and will publish relevant information on our blog .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Turla": [[46, 51]]}, "info": {"id": "dnrti_valid_005575", "source": "dnrti_valid"}} {"text": "ESET researchers analyze new TTPs attributed to the Turla group that leverage PowerShell to run malware in-memory only .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Turla": [[52, 57]], "Malware: PowerShell": [[78, 88]]}, "info": {"id": "dnrti_valid_005576", "source": "dnrti_valid"}} {"text": "ESET have been tracking the malicious activities related to the Ke3chang group .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Ke3chang": [[64, 72]]}, "info": {"id": "dnrti_valid_005577", "source": "dnrti_valid"}} {"text": "According to Kaspersky Lab’s report , NetTraveler has been active since as early as 2004; however , the highest volume of activity occurred from 2010 – 2013 .", "spans": {"Organization: Kaspersky": [[13, 22]], "Organization: NetTraveler": [[38, 49]]}, "info": {"id": "dnrti_valid_005578", "source": "dnrti_valid"}} {"text": "Kaspersky Lab’s experts calculated the amount of stolen data stored on NetTraveler’s C&C servers to be more than 22 gigabytes .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: 
NetTraveler’s": [[71, 84]]}, "info": {"id": "dnrti_valid_005579", "source": "dnrti_valid"}} {"text": "FireEye believes the Ke3chang attackers likely began attempting to exfiltrate sensitive data shortly thereafter .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: Ke3chang": [[21, 29]]}, "info": {"id": "dnrti_valid_005580", "source": "dnrti_valid"}} {"text": "This report details some of the technical findings of the Lazarus Group’s malware , observed by Novetta during Operation Blockbuster .", "spans": {"Organization: Lazarus": [[58, 65]], "Organization: Novetta": [[96, 103]], "Organization: Operation Blockbuster": [[111, 132]]}, "info": {"id": "dnrti_valid_005581", "source": "dnrti_valid"}} {"text": "The Lazarus Group was first identified in Novetta’s report Operation Blockbuster in February 2016 .", "spans": {"Organization: Lazarus": [[4, 11]], "Organization: Novetta’s": [[42, 51]]}, "info": {"id": "dnrti_valid_005582", "source": "dnrti_valid"}} {"text": "FireEye has not identified APT33 using SHAPESHIFT , but APT33 is the only group FireEye has seen to use DROPSHOT .", "spans": {"Organization: FireEye": [[0, 7], [80, 87]], "Organization: APT33": [[27, 32], [56, 61]], "Malware: SHAPESHIFT": [[39, 49]], "Malware: DROPSHOT": [[104, 112]]}, "info": {"id": "dnrti_valid_005583", "source": "dnrti_valid"}} {"text": "In 2018 , Kaspersky Labs published a report that analyzed Turla threat group .", "spans": {"Organization: Kaspersky": [[10, 19]], "Organization: Turla": [[58, 63]]}, "info": {"id": "dnrti_valid_005584", "source": "dnrti_valid"}} {"text": "Starting in February 2018 , Palo Alto identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"Organization: Palo Alto": [[28, 37]], "Organization: Gorgon Group": [[95, 107]], "Organization: governmental organizations": [[118, 144]]}, "info": {"id": "dnrti_valid_005585", "source": 
"dnrti_valid"}} {"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak .", "spans": {"Organization: Proofpoint": [[0, 10]], "Organization: Turla": [[100, 105]], "Malware: dropper": [[128, 135]], "Malware: JS/KopiLuwak": [[168, 180]]}, "info": {"id": "dnrti_valid_005586", "source": "dnrti_valid"}} {"text": "Insikt Group investigated the domain and hosting infrastructure used by the APT33 group .", "spans": {"Organization: Insikt Group": [[0, 12]], "Organization: APT33": [[76, 81]]}, "info": {"id": "dnrti_valid_005587", "source": "dnrti_valid"}} {"text": "Symantec tracks the group behind this activity as Blackfly and detects the malware they use as Backdoor.Winnti .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Blackfly": [[50, 58]], "Malware: Backdoor.Winnti": [[95, 110]]}, "info": {"id": "dnrti_valid_005588", "source": "dnrti_valid"}} {"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 .", "spans": {"Organization: Unit 42": [[72, 79]]}, "info": {"id": "dnrti_valid_005589", "source": "dnrti_valid"}} {"text": "Symantec discovered Suckfly , an advanced threat group , conducting targeted attacks using multiple stolen certificates , as well as hacktools and custom malware .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Suckfly": [[20, 27]], "System: stolen certificates": [[100, 119]], "Malware: hacktools": [[133, 142]]}, "info": {"id": "dnrti_valid_005590", "source": "dnrti_valid"}} {"text": "In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group .", "spans": {"Organization: Novetta": [[9, 16]], "Organization: Winnti": [[54, 60]], "Organization: Axiom": [[98, 103]]}, "info": {"id": "dnrti_valid_005591", "source": "dnrti_valid"}} {"text": "A few days ago , Symantec discovered 
a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine .", "spans": {"Organization: Symantec": [[17, 25]], "Organization: BlackEnergy": [[91, 102]]}, "info": {"id": "dnrti_valid_005592", "source": "dnrti_valid"}} {"text": "While analyzing a campaign run by the Gamaredon group , FortiGuard Labs discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a large amount of forensic analysis .", "spans": {"Organization: Gamaredon": [[38, 47]], "Organization: FortiGuard Labs": [[56, 71]], "Organization: actors": [[164, 170]]}, "info": {"id": "dnrti_valid_005593", "source": "dnrti_valid"}} {"text": "In this blog , Unit 42 provides details of the tools and tactics we observed on these compromised SharePoint servers , explain how we believe these connect to the Emissary Panda threat group .", "spans": {"Organization: Unit 42": [[15, 22]], "Malware: SharePoint servers": [[98, 116]], "Organization: Emissary Panda": [[163, 177]]}, "info": {"id": "dnrti_valid_005594", "source": "dnrti_valid"}} {"text": "QiAnXin identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage .", "spans": {"Organization: QiAnXin": [[0, 7]], "Organization: ‘APT-C-35’": [[43, 53]], "Organization: Pakistan": [[88, 96]]}, "info": {"id": "dnrti_valid_005595", "source": "dnrti_valid"}} {"text": "CTU researchers assess with moderate confidence that APT28 is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": {"Organization: CTU": [[0, 3]], "Organization: APT28": [[53, 58]], "Organization: Russian government": [[147, 165]]}, "info": {"id": "dnrti_valid_005596", "source": "dnrti_valid"}} {"text": "It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to 
host online stores selling controlled substances .", "spans": {"Organization: Callisto": [[117, 125]]}, "info": {"id": "dnrti_valid_005597", "source": "dnrti_valid"}} {"text": "As Unit 42 have observed throughout our tracking of the OilRig group , adopting proven tactics has been a common behavior over time .", "spans": {"Organization: Unit 42": [[3, 10]], "Organization: OilRig": [[56, 62]]}, "info": {"id": "dnrti_valid_005598", "source": "dnrti_valid"}} {"text": "The OceanLotus group was first revealed and named by QiAnXin in May 2015 .", "spans": {"Organization: OceanLotus": [[4, 14]], "Organization: QiAnXin": [[53, 60]]}, "info": {"id": "dnrti_valid_005599", "source": "dnrti_valid"}} {"text": "The OceanLotus , an APT group said to have a Vietnamese background , was first exposed and named by QiAnXin in May 2015 .", "spans": {"Organization: OceanLotus": [[4, 14]], "Organization: QiAnXin": [[100, 107]]}, "info": {"id": "dnrti_valid_005600", "source": "dnrti_valid"}} {"text": "The QiAnXin keeps a close eye on activities made by OceanLotus .", "spans": {"Organization: QiAnXin": [[4, 11]], "Organization: OceanLotus": [[52, 62]]}, "info": {"id": "dnrti_valid_005601", "source": "dnrti_valid"}} {"text": "Donot , named and tracked by PatchSky , is an attack group that mainly targets countries such as Pakistan in South Asia .", "spans": {"Organization: Donot": [[0, 5]], "Organization: PatchSky": [[29, 37]]}, "info": {"id": "dnrti_valid_005602", "source": "dnrti_valid"}} {"text": "After investigation , QiAnXin suspect this attack is carried out by Molerats .", "spans": {"Organization: QiAnXin": [[22, 29]], "Organization: Molerats": [[68, 76]]}, "info": {"id": "dnrti_valid_005603", "source": "dnrti_valid"}} {"text": "In June 2017 , QiAnXin discovered new malware used by Molerats .", "spans": {"Organization: QiAnXin": [[15, 22]], "Organization: Molerats": [[54, 62]]}, "info": {"id": "dnrti_valid_005604", "source": "dnrti_valid"}} {"text": "Last month , QiAnXin captured 
multiple phishing emails sent by TA505 Group to target financial institutions .", "spans": {"Organization: QiAnXin": [[13, 20]], "Organization: TA505": [[63, 68]]}, "info": {"id": "dnrti_valid_005605", "source": "dnrti_valid"}} {"text": "QiAnXin confirmed that this is a DarkHydrus Group’s new attack targeting Middle East region .", "spans": {"Organization: QiAnXin": [[0, 7]], "Organization: DarkHydrus": [[33, 43]]}, "info": {"id": "dnrti_valid_005606", "source": "dnrti_valid"}} {"text": "First described by Kaspersky in 2014 and later by Cylance in 2017 , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries .", "spans": {"Organization: Kaspersky": [[19, 28]], "Organization: Cylance": [[50, 57]], "Malware: Machete": [[68, 75]]}, "info": {"id": "dnrti_valid_005607", "source": "dnrti_valid"}} {"text": "It’s now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware , ” said Dennis Schwarz , research analyst on Arbor , in an interview with Threatpost .", "spans": {"Malware: malware": [[129, 136]], "Malware: Dennis Schwarz": [[146, 160]], "Organization: Arbor": [[183, 188]]}, "info": {"id": "dnrti_valid_005608", "source": "dnrti_valid"}} {"text": "After thorough analysis , ESET researchers are highly confident that this campaign is run by the OceanLotus group , also known as APT32 and APT-C-00 .", "spans": {"Organization: ESET": [[26, 30]], "Organization: OceanLotus": [[97, 107]], "Organization: APT32": [[130, 135]], "Organization: APT-C-00": [[140, 148]]}, "info": {"id": "dnrti_valid_005609", "source": "dnrti_valid"}} {"text": "360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007 .", "spans": {"Organization: 360 Helios Team": [[0, 15]], "Malware: Poison Ivy": [[49, 59]]}, "info": {"id": "dnrti_valid_005610", "source": "dnrti_valid"}} {"text": "Through research , 360 Helios Team has found that , since 
2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies .", "spans": {"Organization: 360 Helios Team": [[19, 34]], "Organization: Poison Ivy Group": [[69, 85]], "Organization: government": [[211, 221]], "Organization: maritime agencies": [[263, 280]]}, "info": {"id": "dnrti_valid_005611", "source": "dnrti_valid"}} {"text": "In addition , Antiy Lab revealed the APT organization Green Spot on September 19 , 2018 .", "spans": {"Organization: Antiy Lab": [[14, 23]], "Organization: Green Spot": [[54, 64]]}, "info": {"id": "dnrti_valid_005612", "source": "dnrti_valid"}} {"text": "Recently , the 360 Core Security discovered an APT attack code named as APT-C-26 against cryptocurrency institutions and related individuals .", "spans": {"Organization: 360 Core Security": [[15, 32]], "Organization: APT-C-26": [[72, 80]]}, "info": {"id": "dnrti_valid_005613", "source": "dnrti_valid"}} {"text": "This APT attack was analyzed and attributed upon the detection and 360 Core Security now confirmed its association with the APT-C-06 Group .", "spans": {"Organization: 360 Core Security": [[67, 84]], "Organization: APT-C-06": [[124, 132]]}, "info": {"id": "dnrti_valid_005614", "source": "dnrti_valid"}} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild .", "spans": {"Organization: 360 Core Security": [[22, 39]], "Organization: APT-C-06": [[72, 80]], "Vulnerability: (CVE-2018-8174)": [[132, 147]]}, "info": {"id": "dnrti_valid_005615", "source": "dnrti_valid"}} {"text": "ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus , also dubbed APT32 and APT-C-00 .", "spans": {"Organization: ESET": [[0, 4]], "Malware: 
malicious toolkit": [[68, 85]], "Organization: OceanLotus": [[141, 151]], "Organization: APT32": [[166, 171]], "Organization: APT-C-00": [[176, 184]]}, "info": {"id": "dnrti_valid_005616", "source": "dnrti_valid"}} {"text": "Earlier this year , our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye a.k.a APT3 , or UPS team .", "spans": {"Organization: Symantec": [[38, 46]], "Organization: Equation": [[95, 103]], "Organization: Buckeye": [[163, 170]], "Organization: APT3": [[177, 181]]}, "info": {"id": "dnrti_valid_005617", "source": "dnrti_valid"}} {"text": "In addition , OceanLotus is also known to use ‘watering hole attacks’ , which involve the compromise of a website that the victim is likely to visit .", "spans": {"Organization: OceanLotus": [[14, 24]]}, "info": {"id": "dnrti_valid_005618", "source": "dnrti_valid"}} {"text": "Kaspersky found Zebrocy deploying a compiled Python script , which we call PythocyDbg , within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy and communications debug capabilities .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: Zebrocy": [[16, 23]], "Malware: Python script": [[45, 58]], "Malware: PythocyDbg": [[75, 85]]}, "info": {"id": "dnrti_valid_005619", "source": "dnrti_valid"}} {"text": "ESET researchers have investigated a distinctive backdoor used by the notorious APT group known as Turla (or Snake , or Uroburos) to siphon off sensitive communications from the authorities of at least three European countries .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Turla": [[99, 104]], "Organization: Snake": [[109, 114]], "Organization: Uroburos)": [[120, 129]]}, "info": {"id": "dnrti_valid_005620", "source": "dnrti_valid"}} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a 
Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: XENOTIME": [[25, 33]], "Organization: TRISIS": [[61, 67]]}, "info": {"id": "dnrti_valid_005621", "source": "dnrti_valid"}} {"text": "ESET researchers have observed a significant change in the campaign of the infamous espionage group .", "spans": {"Organization: ESET": [[0, 4]], "Organization: group": [[94, 99]]}, "info": {"id": "dnrti_valid_005622", "source": "dnrti_valid"}} {"text": "On the technical side , since mid-January Kaspersky researchers have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan .", "spans": {"Organization: Kaspersky": [[42, 51]], "Organization: Turla": [[93, 98]], "Organization: government": [[118, 128]]}, "info": {"id": "dnrti_valid_005623", "source": "dnrti_valid"}} {"text": "Kaspersky also published details on how Zebrocy has added the Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled , open source language .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: Zebrocy": [[40, 47]]}, "info": {"id": "dnrti_valid_005624", "source": "dnrti_valid"}} {"text": "ESET researchers have found that Turla , the notorious state-sponsored cyberespionage group , has added a fresh weapon to its arsenal that is being used in new campaigns targeting embassies and consulates in the post-Soviet states .", "spans": {"Organization: ESET": [[0, 4]], "Organization: Turla": [[33, 38]]}, "info": {"id": "dnrti_valid_005625", "source": "dnrti_valid"}} {"text": "Turla has been operating for a number of years and its activities have been monitored and analyzed by ESET research laboratories .", "spans": {"Organization: Turla": [[0, 5]], "Organization: ESET": [[102, 106]]}, "info": {"id": "dnrti_valid_005626", "source": "dnrti_valid"}} {"text": "Kaspersky researchers 
attribute the campaign , which we call SpoiledLegacy” , to the LuckyMouse APT group (aka EmissaryPanda and APT27) .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: LuckyMouse": [[85, 95]], "Organization: EmissaryPanda": [[111, 124]], "Organization: APT27)": [[129, 135]]}, "info": {"id": "dnrti_valid_005627", "source": "dnrti_valid"}} {"text": "Further tracking of the Lazarus’s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers .", "spans": {"Organization: Lazarus’s": [[24, 33]], "Organization: Kaspersky": [[57, 66]], "Malware: PowerShell": [[162, 172]], "Organization: Apple customers": [[229, 244]]}, "info": {"id": "dnrti_valid_005628", "source": "dnrti_valid"}} {"text": "However , over the last nine campaigns since Trend Micro‘s June report , TA505 also started using .ISO image attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader .", "spans": {"Organization: Trend Micro‘s": [[45, 58]], "Organization: TA505": [[73, 78]], "Malware: .NET downloader": [[158, 173]], "Malware: ServHelper": [[228, 238]], "Malware: .DLL variant": [[247, 259]]}, "info": {"id": "dnrti_valid_005629", "source": "dnrti_valid"}} {"text": "In this blog post , FireEye researchers are going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41 .", "spans": {"Organization: FireEye": [[20, 27], [85, 92]], "Organization: APT41": [[130, 135]]}, "info": {"id": "dnrti_valid_005630", "source": "dnrti_valid"}} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations .", "spans": {"Organization: group": [[4, 9]], "Vulnerability: (CVE-2018-0802)": [[62, 77]]}, "info": {"id": "dnrti_valid_005631", 
"source": "dnrti_valid"}} {"text": "More information on this threat actor is found in our report , APT37 (Reaper): The Overlooked North Korean Actor .", "spans": {"Organization: APT37": [[63, 68]]}, "info": {"id": "dnrti_valid_005632", "source": "dnrti_valid"}} {"text": "There have been reports of real-time phishing in the wild as early as 2010 .", "spans": {"System: phishing": [[37, 45]]}, "info": {"id": "dnrti_valid_005633", "source": "dnrti_valid"}} {"text": "Explanation of ToolTo improve social engineering assessments , we developed a tool – named ReelPhish – that simplifies the real-time phishing technique .", "spans": {"Malware: ReelPhish": [[91, 100]], "System: phishing": [[133, 141]]}, "info": {"id": "dnrti_valid_005634", "source": "dnrti_valid"}} {"text": "We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests .", "spans": {}, "info": {"id": "dnrti_valid_005635", "source": "dnrti_valid"}} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States .", "spans": {"Organization: group": [[22, 27]], "Organization: private firms": [[179, 192]]}, "info": {"id": "dnrti_valid_005636", "source": "dnrti_valid"}} {"text": "By releasing ReelPhish , we at Mandiant hope to highlight the need for multiple layers of security and discourage the reliance on any single security mechanism .", "spans": {"Organization: Mandiant": [[31, 39]]}, "info": {"id": "dnrti_valid_005637", "source": "dnrti_valid"}} {"text": "The group has also been reported as Leviathanby other security firms .", "spans": {"Organization: group": [[4, 9]], "Organization: Leviathanby": [[36, 47]]}, "info": {"id": "dnrti_valid_005638", "source": "dnrti_valid"}} {"text": "Like multiple other Chinese 
cyber espionage actors , TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit .", "spans": {"Organization: TEMP.Periscope": [[53, 67]]}, "info": {"id": "dnrti_valid_005639", "source": "dnrti_valid"}} {"text": "The tool then starts a new web browser instance on the attacker’s system and submits credentials on the real VPN portal .", "spans": {"Organization: attacker’s": [[55, 65]]}, "info": {"id": "dnrti_valid_005640", "source": "dnrti_valid"}} {"text": "These tools include:AIRBREAK: a JavaScript-based backdoor also reported as Orz that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.BADFLICK: a backdoor that is capable of modifying the file system , generating a reverse shell , and modifying its command and control (C2) configuration .", "spans": {"Malware: JavaScript-based backdoor": [[32, 57]], "System: modifying": [[301, 310]], "System: control": [[327, 334]]}, "info": {"id": "dnrti_valid_005641", "source": "dnrti_valid"}} {"text": "HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors .", "spans": {"Malware: AIRBREAK": [[100, 108]], "Malware: BADFLICK": [[113, 121]]}, "info": {"id": "dnrti_valid_005642", "source": "dnrti_valid"}} {"text": "The following are tools that TEMP.Periscope has leveraged in past operations and could use again , though these have not been seen in the current wave of activity:Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform , commonly used for pen-testing network environments .", "spans": {"Organization: TEMP.Periscope": [[29, 43]], "Organization: Cobalt Strike": [[228, 241]]}, "info": {"id": "dnrti_valid_005643", "source": "dnrti_valid"}} {"text": "This entry was posted on Fri Mar 16 00:00 EDT 2018 and filed under Targeted Attacks , FireEye , and China .", "spans": {"Organization: FireEye": 
[[86, 93]]}, "info": {"id": "dnrti_valid_005644", "source": "dnrti_valid"}} {"text": "Read our report , APT37 (Reaper): The Overlooked North Korean Actor , to learn more about our assessment that this threat actor is working on behalf of the North Korean government , as well as various other details about their operations .", "spans": {"Organization: APT37": [[18, 23]], "Organization: North Korean government": [[156, 179]]}, "info": {"id": "dnrti_valid_005645", "source": "dnrti_valid"}} {"text": "A brief timeline of this activity is shown in Figure 1.Figure 1: Timeline of this recently observed spear phishing campaign .", "spans": {"System: spear phishing": [[100, 114]]}, "info": {"id": "dnrti_valid_005646", "source": "dnrti_valid"}} {"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file .", "spans": {"Malware: VBS file": [[114, 122]], "Malware: INI file": [[130, 138]]}, "info": {"id": "dnrti_valid_005647", "source": "dnrti_valid"}} {"text": "One such email that we were able to obtain was targeting users in Turkey , as shown in Figure 4:Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey , Pakistan , Tajikistan and India .", "spans": {"System: spear phishing": [[113, 127]], "Malware: attachments": [[208, 219]]}, "info": {"id": "dnrti_valid_005648", "source": "dnrti_valid"}} {"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe .", "spans": {"Malware: INI file": [[4, 12]], "Malware: PowerShell": [[100, 110]], "Malware: VBS file": [[151, 159]], "Malware: WScript.exe": [[179, 190]]}, "info": {"id": "dnrti_valid_005649", "source": "dnrti_valid"}} {"text": "cmstp.exe 
system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file .", "spans": {"Malware: cmstp.exe": [[0, 9], [27, 36]], "Malware: SCT file": [[65, 73]], "Malware: INF file": [[97, 105]]}, "info": {"id": "dnrti_valid_005650", "source": "dnrti_valid"}} {"text": "The following are the three files:Defender.sct – The malicious JavaScript based scriptlet file .", "spans": {"Malware: files:Defender.sct": [[28, 46]], "Malware: scriptlet": [[80, 89]], "Malware: file": [[90, 94]]}, "info": {"id": "dnrti_valid_005651", "source": "dnrti_valid"}} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 .", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2017-10271": [[79, 93]]}, "info": {"id": "dnrti_valid_005652", "source": "dnrti_valid"}} {"text": "Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors .", "spans": {"Organization: Users": [[0, 5]], "Organization: actors": [[93, 99]]}, "info": {"id": "dnrti_valid_005653", "source": "dnrti_valid"}} {"text": "This entry was posted on Tue Mar 13 12:15 EDT 2018 and filed under Yogesh Londhe , Dileep .", "spans": {"Organization: Yogesh Londhe": [[67, 80]], "Organization: Dileep": [[83, 89]]}, "info": {"id": "dnrti_valid_005654", "source": "dnrti_valid"}} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host .", "spans": {"Malware: PingCastle MS17-010": [[71, 90]], "Vulnerability: EternalBlue": [[218, 229]]}, "info": {"id": "dnrti_valid_005655", "source": "dnrti_valid"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , 
leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"Vulnerability: CVE-2017-10271": [[110, 124]], "Malware: PowerShell": [[138, 148]], "System: executing": [[222, 231]], "System: using ShellExecute()": [[235, 255]]}, "info": {"id": "dnrti_valid_005656", "source": "dnrti_valid"}} {"text": "The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server .", "spans": {"Malware: PowerShell script": [[87, 104]]}, "info": {"id": "dnrti_valid_005657", "source": "dnrti_valid"}} {"text": "Notably , cryptocurrency mining malware is being distributed using various tactics , typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits .", "spans": {"Malware: various tactics": [[67, 82]], "Organization: cyber criminals": [[144, 159]]}, "info": {"id": "dnrti_valid_005658", "source": "dnrti_valid"}} {"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host .", "spans": {"Malware: malware": [[56, 63]], "Malware: PingCastle": [[118, 128]], "Malware: EternalBlue": [[133, 144]]}, "info": {"id": "dnrti_valid_005659", "source": "dnrti_valid"}} {"text": "They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_valid_005660", "source": "dnrti_valid"}} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"Vulnerability: zero-day": [[54, 62]], "Organization: TEMP.Reaper": [[110, 121]]}, "info": {"id": "dnrti_valid_005661", "source": "dnrti_valid"}} {"text": 
"Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base .", "spans": {"Organization: South Korean government": [[71, 94]]}, "info": {"id": "dnrti_valid_005662", "source": "dnrti_valid"}} {"text": "While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks , we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets .", "spans": {"Organization: TEMP.Hermit": [[74, 85]], "Organization: TEMP.Reaper": [[161, 172]]}, "info": {"id": "dnrti_valid_005663", "source": "dnrti_valid"}} {"text": "In the past year , FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper , which we detect as RUHAPPY .", "spans": {"Organization: FireEye iSIGHT": [[19, 33]], "Organization: TEMP.Reaper": [[110, 121]]}, "info": {"id": "dnrti_valid_005664", "source": "dnrti_valid"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base .", "spans": {"Organization: South Korean government": [[71, 94]]}, "info": {"id": "dnrti_valid_005665", "source": "dnrti_valid"}} {"text": "FireEye products have robust detection for the malware used in this campaign .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_005666", "source": "dnrti_valid"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: TEMP.Periscope": [[0, 14], [54, 68]], "Organization: engineering firms": [[157, 174]], "Organization: government": [[233, 243]], "Organization: research universities": [[258, 279]]}, "info": {"id": 
"dnrti_valid_005667", "source": "dnrti_valid"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: TEMP.Periscope": [[0, 14], [54, 68]], "Organization: engineering firms": [[157, 174]], "Organization: government": [[233, 243]], "Organization: research universities": [[258, 279]]}, "info": {"id": "dnrti_valid_005668", "source": "dnrti_valid"}} {"text": "Infection VectorWe have observed this recent wave of Zyklon malware being delivered primarily through spam emails .", "spans": {"Organization: Zyklon": [[53, 59]], "System: delivered": [[74, 83]], "Malware: spam emails": [[102, 113]]}, "info": {"id": "dnrti_valid_005669", "source": "dnrti_valid"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": {"Malware: document files": [[4, 18]], "Vulnerability: vulnerabilities": [[48, 63]]}, "info": {"id": "dnrti_valid_005670", "source": "dnrti_valid"}} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 .", "spans": {"Organization: Zyklon": [[10, 16]], "Vulnerability: CVE-2017-8759": [[49, 62]]}, "info": {"id": "dnrti_valid_005671", "source": "dnrti_valid"}} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild .", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Organization: FireEye": [[37, 44]]}, "info": {"id": "dnrti_valid_005672", "source": "dnrti_valid"}} {"text": "We have observed this recent wave of Zyklon malware being delivered primarily through spam emails .", "spans": {"Organization: Zyklon": [[37, 43]], "Malware: spam emails": [[86, 97]]}, "info": {"id": "dnrti_valid_005673", 
"source": "dnrti_valid"}} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so .", "spans": {"Malware: malware": [[4, 11]], "System: The Onion Router": [[74, 90]]}, "info": {"id": "dnrti_valid_005674", "source": "dnrti_valid"}} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office .", "spans": {"Vulnerability: CVE-2017-11882": [[37, 51]], "Organization: actors": [[86, 92]], "Vulnerability: (CVE-2017-11882)": [[146, 162]]}, "info": {"id": "dnrti_valid_005675", "source": "dnrti_valid"}} {"text": "It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016 .", "spans": {"Organization: Sandworm": [[104, 112]]}, "info": {"id": "dnrti_valid_005676", "source": "dnrti_valid"}} {"text": "Command & Control Communication The C2 communication of Zyklon is proxied through the Tor network .", "spans": {"Organization: Zyklon": [[56, 62]], "Malware: Tor network": [[86, 97]]}, "info": {"id": "dnrti_valid_005677", "source": "dnrti_valid"}} {"text": "At this time of writing , FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat .", "spans": {"Organization: FireEye": [[26, 33]], "Malware: (MVX)": [[57, 62]]}, "info": {"id": "dnrti_valid_005678", "source": "dnrti_valid"}} {"text": "The targeting of critical infrastructure to disrupt , degrade , or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian , Iranian , North Korean , U.S. 
, and Israeli nation state actors .", "spans": {"Organization: critical infrastructure": [[17, 40]], "Organization: actors": [[239, 245]]}, "info": {"id": "dnrti_valid_005679", "source": "dnrti_valid"}} {"text": "Specifically , the following facts support this assessment: The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences .", "spans": {"Organization: attacker": [[64, 72]]}, "info": {"id": "dnrti_valid_005680", "source": "dnrti_valid"}} {"text": "First , the attacker’s mission is to disrupt an operational process rather than steal data .", "spans": {"Organization: attacker’s": [[12, 22]]}, "info": {"id": "dnrti_valid_005681", "source": "dnrti_valid"}} {"text": "The TRITON malware contained the capability to communicate with Triconex SIS controllers .", "spans": {"Malware: TRITON malware": [[4, 18]]}, "info": {"id": "dnrti_valid_005682", "source": "dnrti_valid"}} {"text": "the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities .", "spans": {"Organization: attacker": [[4, 12]], "Organization: TRITON’s": [[37, 45]]}, "info": {"id": "dnrti_valid_005683", "source": "dnrti_valid"}} {"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer .", "spans": {"Malware: InstallUtiil.exe": [[56, 72]], "Malware: Tor": [[94, 97]], "Malware: anonymizer": [[98, 108]]}, "info": {"id": "dnrti_valid_005684", "source": "dnrti_valid"}} {"text": "For instance , Russian operators , such as Sandworm Team , have compromised Western ICS over a multi-year period without causing a disruption .", "spans": {"Organization: Sandworm": [[43, 51]]}, "info": {"id": "dnrti_valid_005685", "source": "dnrti_valid"}} {"text": "The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller .", "spans": {"Organization: TRITON": [[4, 10]], "Organization: Mandiant": [[18, 26]], "Malware: Triconex 
controller": [[101, 120]]}, "info": {"id": "dnrti_valid_005686", "source": "dnrti_valid"}} {"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller’s payload .", "spans": {"Malware: binary files": [[32, 44]], "Malware: imain.bin": [[88, 97]]}, "info": {"id": "dnrti_valid_005687", "source": "dnrti_valid"}} {"text": "We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller .", "spans": {"Organization: attacker": [[80, 88]], "Malware: Triconex controller": [[101, 120]]}, "info": {"id": "dnrti_valid_005688", "source": "dnrti_valid"}} {"text": "This entry was posted on Thu Dec 14 10:00 EST 2017 and filed under Malware , Nathan Brubaker , Christopher Glyer , Blake Johnson , Dan Caban , Marina Krotofil , ICS Security , and Dan Scali .", "spans": {"Organization: ICS Security": [[161, 173]]}, "info": {"id": "dnrti_valid_005689", "source": "dnrti_valid"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier .", "spans": {"Malware: it": [[26, 28]]}, "info": {"id": "dnrti_valid_005690", "source": "dnrti_valid"}} {"text": "Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task .", "spans": {"Organization: GoCrack": [[47, 54]], "Organization: additional users": [[188, 204]]}, "info": {"id": "dnrti_valid_005691", "source": "dnrti_valid"}} {"text": "Throughout 2017 , we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites .", "spans": {"Malware: BACKSWING": [[46, 55]]}, "info": {"id": "dnrti_valid_005692", "source": "dnrti_valid"}} {"text": "During our 
investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING .", "spans": {"Organization: FireEye": [[45, 52]], "Malware: BADRABBIT": [[89, 98]], "Malware: BACKSWING": [[166, 175]]}, "info": {"id": "dnrti_valid_005693", "source": "dnrti_valid"}} {"text": "This entry was posted on Tue Nov 28 14:00 EST 2017 and filed under Malware , Sandor Nemes , Malware Analysis , and Abhay Vaish .", "spans": {"Malware: Sandor Nemes": [[77, 89]], "Malware: Malware Analysis": [[92, 108]], "Malware: Abhay Vaish": [[115, 126]]}, "info": {"id": "dnrti_valid_005694", "source": "dnrti_valid"}} {"text": "FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany , Japan , and the U.S until Oct. 24 at 15:00 UTC , when the infection attempts ceased and attacker infrastructure – both 1dnscontrol.com and the legitimate websites containing the rogue code – were taken offline .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: attacker": [[186, 194]]}, "info": {"id": "dnrti_valid_005695", "source": "dnrti_valid"}} {"text": "Incident Background Beginning on Oct. 
24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware .", "spans": {"Organization: FireEye": [[56, 63]], "Malware: (install_flash_player.exe)": [[177, 203]], "Malware: ransomware": [[241, 251]]}, "info": {"id": "dnrti_valid_005696", "source": "dnrti_valid"}} {"text": "FireEye observed that BACKSWING , a malicious JavaScript profiling framework , was deployed to at least 54 legitimate sites starting as early as September 2016 .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: profiling framework": [[57, 76]]}, "info": {"id": "dnrti_valid_005697", "source": "dnrti_valid"}} {"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro .", "spans": {"Organization: 1:FireEye": [[37, 46]], "Malware: BACKSWING": [[77, 86]], "Organization: hospitality organization": [[142, 166]], "Organization: government": [[184, 194]]}, "info": {"id": "dnrti_valid_005698", "source": "dnrti_valid"}} {"text": "Beginning in May 2017 , FireEye observed a number of Ukrainian websites compromised with BACKSWING v1 , and in June 2017 , began to see content returned from BACKSWING receivers .", "spans": {"Organization: FireEye": [[24, 31]], "Organization: BACKSWING v1": [[89, 101]], "Organization: BACKSWING": [[158, 167]]}, "info": {"id": "dnrti_valid_005699", "source": "dnrti_valid"}} {"text": "FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_005700", "source": "dnrti_valid"}} {"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye 
customers to 1dnscontrol.com , which hosted the BADRABBIT dropper .", "spans": {"Organization: FireEye": [[6, 13], [142, 149]], "Organization: BACKSWING": [[40, 49], [73, 82]], "Malware: BADRABBIT": [[61, 70]], "Malware: BADRABBIT dropper": [[198, 215]]}, "info": {"id": "dnrti_valid_005701", "source": "dnrti_valid"}} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network .", "spans": {"System: Harvested credentials": [[0, 21]], "Malware: Mimikatz": [[46, 54]]}, "info": {"id": "dnrti_valid_005702", "source": "dnrti_valid"}} {"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found .", "spans": {"Malware: infpub.dat": [[20, 30]], "Malware: specific file": [[47, 60]]}, "info": {"id": "dnrti_valid_005703", "source": "dnrti_valid"}} {"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code , Reverse Engineering , Nick Harbour , and Incident Response .", "spans": {"Malware: entry": [[5, 10]], "Malware: Reverse Engineering": [[74, 93]], "Malware: Nick Harbour": [[96, 108]]}, "info": {"id": "dnrti_valid_005704", "source": "dnrti_valid"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_valid_005705", "source": "dnrti_valid"}} {"text": "The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers .", "spans": {"Malware: DanBot": [[78, 84]], "Organization: CTU": [[105, 108]]}, "info": {"id": "dnrti_valid_005706", "source": "dnrti_valid"}} {"text": "Previous versions were described by Kaspersky in 2014 and Cylance in 2017 .", "spans": {"Malware: Previous versions": [[0, 17]], "Organization: Kaspersky": [[36, 45]], "Organization: Cylance": [[58, 65]]}, "info": {"id": "dnrti_valid_005707", "source": "dnrti_valid"}} {"text": "The 
GoogleUpdate.exe component is responsible for communicating with the remote C&C server .", "spans": {"Malware: GoogleUpdate.exe": [[4, 20]]}, "info": {"id": "dnrti_valid_005708", "source": "dnrti_valid"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries .", "spans": {"Malware: malware": [[15, 22]]}, "info": {"id": "dnrti_valid_005709", "source": "dnrti_valid"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage .", "spans": {"Malware: They": [[0, 4]]}, "info": {"id": "dnrti_valid_005710", "source": "dnrti_valid"}} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system .", "spans": {"Organization: SectorJ04": [[4, 13]], "System: spear phishing email": [[38, 58]], "Malware: document files": [[106, 120]], "Organization: attacker": [[188, 196]]}, "info": {"id": "dnrti_valid_005711", "source": "dnrti_valid"}} {"text": "Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers .", "spans": {"Malware: Backdoor": [[0, 8]], "System: additional botnet": [[54, 71]], "System: ransomware": [[82, 92]], "System: email": [[97, 102]], "System: stealers": [[103, 111]]}, "info": {"id": "dnrti_valid_005712", "source": "dnrti_valid"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format .", "spans": {"Malware: email stealer": [[4, 17]]}, "info": {"id": "dnrti_valid_005713", "source": "dnrti_valid"}} {"text": 
"The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"Organization: actor’s": [[11, 18]], "Malware: malicious payload": [[72, 89]], "Organization: users": [[154, 159]]}, "info": {"id": "dnrti_valid_005714", "source": "dnrti_valid"}} {"text": "Group-IB has also detected recon emails sent out to New Zealand .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: recon emails": [[27, 39]]}, "info": {"id": "dnrti_valid_005715", "source": "dnrti_valid"}} {"text": "In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke .", "spans": {"Organization: Group-IB": [[10, 18]], "Malware: Ivoke": [[84, 89]]}, "info": {"id": "dnrti_valid_005716", "source": "dnrti_valid"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]]}, "info": {"id": "dnrti_valid_005717", "source": "dnrti_valid"}} {"text": "Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: malicious Microsoft Word attachment": [[70, 105]]}, "info": {"id": "dnrti_valid_005718", "source": "dnrti_valid"}} {"text": "On 24 March 2019 , Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka .", "spans": {"Malware: Silence.ProxyBot": [[19, 35]]}, "info": {"id": "dnrti_valid_005719", "source": "dnrti_valid"}} {"text": "To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank .", "spans": {"Malware: Atmosphere": [[58, 68]], "Organization: Silence": 
[[93, 100]], "Malware: xfs-disp.exe": [[166, 178]]}, "info": {"id": "dnrti_valid_005720", "source": "dnrti_valid"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine .", "spans": {"Malware: Silence.Downloader": [[17, 35]]}, "info": {"id": "dnrti_valid_005721", "source": "dnrti_valid"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server .", "spans": {"Malware: Silence.MainModule": [[0, 18]]}, "info": {"id": "dnrti_valid_005722", "source": "dnrti_valid"}} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe .", "spans": {"Organization: Rapid7": [[0, 6]], "Organization: APT10": [[22, 27]], "Malware: ccSEUPDT.exe": [[52, 64]]}, "info": {"id": "dnrti_valid_005723", "source": "dnrti_valid"}} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations .", "spans": {"Malware: malware": [[6, 13]]}, "info": {"id": "dnrti_valid_005724", "source": "dnrti_valid"}} {"text": "The samples we analyzed originated from the Philippines .", "spans": {"Malware: samples": [[4, 11]]}, "info": {"id": "dnrti_valid_005725", "source": "dnrti_valid"}} {"text": "Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file’s compilation date .", "spans": {"Malware: sample": [[46, 52]]}, "info": {"id": "dnrti_valid_005726", "source": "dnrti_valid"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more .", "spans": {"Malware: PlugX": [[0, 5]]}, "info": {"id": "dnrti_valid_005727", "source": "dnrti_valid"}} {"text": "TONEDEAF supports 
collecting system information , uploading and downloading of files , and arbitrary shell command execution .", "spans": {"Malware: TONEDEAF": [[0, 8]]}, "info": {"id": "dnrti_valid_005728", "source": "dnrti_valid"}} {"text": "Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH .", "spans": {"Organization: FireEye": [[10, 17]], "Malware: VALUEVAULT": [[89, 99]], "Malware: LONGWATCH": [[104, 113]]}, "info": {"id": "dnrti_valid_005729", "source": "dnrti_valid"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file .", "spans": {"Malware: PICKPOCKET": [[0, 10]]}, "info": {"id": "dnrti_valid_005730", "source": "dnrti_valid"}} {"text": "FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: TONEDEAF": [[83, 91]], "Malware: VALUEVAULT": [[94, 104]], "Malware: LONGWATCH": [[111, 120]]}, "info": {"id": "dnrti_valid_005731", "source": "dnrti_valid"}} {"text": "Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents .", "spans": {"Malware: spearphishing emails": [[230, 250]]}, "info": {"id": "dnrti_valid_005732", "source": "dnrti_valid"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: 
CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_valid_005733", "source": "dnrti_valid"}} {"text": "Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper .", "spans": {"Malware: stylecss.aspx": [[68, 81]], "Malware: China Chopper": [[153, 166]]}, "info": {"id": "dnrti_valid_005734", "source": "dnrti_valid"}} {"text": "We will provide an analysis of the HyperBro tool in an upcoming section .", "spans": {"Organization: We": [[0, 2]], "Malware: HyperBro": [[35, 43]]}, "info": {"id": "dnrti_valid_005735", "source": "dnrti_valid"}} {"text": "Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign .", "spans": {"Malware: PYTHON33.dll": [[45, 57]], "Malware: inicore_v2.3.30.dll": [[70, 89]], "Malware: SysUpdate": [[206, 215]], "Organization: Emissary Panda": [[235, 249]]}, "info": {"id": "dnrti_valid_005736", "source": "dnrti_valid"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Malware: python script": [[63, 76]], "Vulnerability: CVE-2017-0144": [[132, 145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_valid_005737", "source": "dnrti_valid"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 .", "spans": {"Organization: actors": [[15, 21]], "Vulnerability: CVE-2017-0144": [[109, 122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_valid_005738", 
"source": "dnrti_valid"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation .", "spans": {"Malware: GRIFFON": [[35, 42]]}, "info": {"id": "dnrti_valid_005739", "source": "dnrti_valid"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method .", "spans": {"Malware: GRIFFON": [[8, 15]]}, "info": {"id": "dnrti_valid_005740", "source": "dnrti_valid"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger .", "spans": {"Malware: AveMaria": [[10, 18]]}, "info": {"id": "dnrti_valid_005741", "source": "dnrti_valid"}} {"text": "The main payload is usually Imminent Monitor RAT ; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT .", "spans": {"Malware: Monitor RAT": [[37, 48]], "Malware: LuminosityLink RAT": [[116, 134]], "Malware: NetWire RAT": [[137, 148]], "Malware: NjRAT": [[155, 160]]}, "info": {"id": "dnrti_valid_005742", "source": "dnrti_valid"}} {"text": "In a case in June 2019 , we also noticed Warzone RAT being used .", "spans": {"Malware: Warzone RAT": [[41, 52]]}, "info": {"id": "dnrti_valid_005743", "source": "dnrti_valid"}} {"text": "Xpert RAT reportedly first appeared in 2011 .", "spans": {"Malware: Xpert RAT": [[0, 9]]}, "info": {"id": "dnrti_valid_005744", "source": "dnrti_valid"}} {"text": "The first version of Proyecto RAT” was published at the end of 2010 .", "spans": {"Malware: Proyecto RAT”": [[21, 34]]}, "info": {"id": "dnrti_valid_005745", "source": "dnrti_valid"}} {"text": "Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar .", "spans": {"Malware: 
JAR": [[36, 39]], "Malware: Order_2018.jar": [[100, 114]]}, "info": {"id": "dnrti_valid_005746", "source": "dnrti_valid"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Malware: Microsoft .NET framework": [[121, 145]]}, "info": {"id": "dnrti_valid_005747", "source": "dnrti_valid"}} {"text": "On June 24 , we found another campaign targeting Lebanon with the ServHelper malware .", "spans": {"Malware: ServHelper": [[66, 76]]}, "info": {"id": "dnrti_valid_005748", "source": "dnrti_valid"}} {"text": "Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines .", "spans": {"Malware: spam emails": [[20, 31]]}, "info": {"id": "dnrti_valid_005749", "source": "dnrti_valid"}} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security .", "spans": {"Vulnerability: CVE-2019-0604": [[75, 88]], "Organization: Cyber Security Center": [[141, 162]], "Organization: Canadian Center": [[171, 186]]}, "info": {"id": "dnrti_valid_005750", "source": "dnrti_valid"}} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell .", "spans": {"Organization: actors": [[50, 56]], "Vulnerability: CVE-2019-0604": [[66, 79]], "Malware: China Chopper webshell": [[125, 147]]}, "info": {"id": "dnrti_valid_005751", "source": "dnrti_valid"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 
(checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_valid_005752", "source": "dnrti_valid"}} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 .", "spans": {"Organization: Emissary Panda": [[4, 18]], "Malware: China Chopper": [[43, 56]], "Vulnerability: CVE-2019-0604": [[264, 277]]}, "info": {"id": "dnrti_valid_005753", "source": "dnrti_valid"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Malware: python script": [[63, 76]], "Vulnerability: CVE-2017-0144": [[132, 145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_valid_005754", "source": "dnrti_valid"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 .", "spans": {"Organization: actors": [[15, 21]], "Vulnerability: CVE-2017-0144": [[109, 122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_valid_005755", "source": "dnrti_valid"}} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT .", "spans": {"Organization: cyber criminals": [[31, 46]], "Malware: spearphishing emails": [[51, 71]], "Malware: 
attachments:": [[94, 106]], "Malware: documents": [[117, 126], [209, 218]], "Vulnerability: CVE-2017-11882": [[189, 203]]}, "info": {"id": "dnrti_valid_005756", "source": "dnrti_valid"}} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills. In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks .", "spans": {"Organization: Scattered Canary": [[75, 91], [146, 162]], "Vulnerability: phishing": [[231, 239]]}, "info": {"id": "dnrti_valid_005757", "source": "dnrti_valid"}} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability .", "spans": {"Organization: SLUB": [[22, 26]], "System: watering hole": [[48, 61]], "Vulnerability: CVE-2018-8174": [[81, 94]]}, "info": {"id": "dnrti_valid_005758", "source": "dnrti_valid"}} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April .", "spans": {"Vulnerability: CVE-2019-0752": [[25, 38]], "Organization: Trend Micro’s": [[90, 103]]}, "info": {"id": "dnrti_valid_005759", "source": "dnrti_valid"}} {"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 .", "spans": {"Organization: SLUB": [[4, 8]], "Vulnerability: CVE-2018-8174": [[99, 112]], "Vulnerability: CVE-2019-0752": [[116, 129]]}, "info": {"id": "dnrti_valid_005760", "source": "dnrti_valid"}} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution .", "spans": {"Organization: SWEED": [[43, 48]], "Vulnerability: 
CVE-2017-11882": [[109, 123]]}, "info": {"id": "dnrti_valid_005761", "source": "dnrti_valid"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Malware: Microsoft .NET framework": [[121, 145]]}, "info": {"id": "dnrti_valid_005762", "source": "dnrti_valid"}} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits .", "spans": {"Organization: Zebrocy": [[0, 7]], "System: spearphishing": [[32, 45]], "Vulnerability: 0day exploits": [[132, 145]]}, "info": {"id": "dnrti_valid_005763", "source": "dnrti_valid"}} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: FireEye": [[18, 25]], "Organization: APT34": [[35, 40]], "Vulnerability: vulnerability": [[83, 96]], "Organization: government organization": [[109, 132]]}, "info": {"id": "dnrti_valid_005764", "source": "dnrti_valid"}} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack .", "spans": {"Organization: Google": [[0, 6]], "Organization: Microsoft": [[11, 20]], "Organization: APT28": [[69, 74]], "Vulnerability: CVE-2016-7855": [[102, 115]]}, "info": {"id": "dnrti_valid_005765", "source": "dnrti_valid"}} {"text": "Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis’": [[32, 43]], "Vulnerability: zero day": [[109, 117]]}, "info": {"id": "dnrti_valid_005766", "source": "dnrti_valid"}} {"text": "Through 
the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"Vulnerability: CVE-2017-1099": [[71, 84]], "Malware: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_valid_005767", "source": "dnrti_valid"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_valid_005768", "source": "dnrti_valid"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Malware: LATENTBOT malware": [[99, 116]]}, "info": {"id": "dnrti_valid_005769", "source": "dnrti_valid"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_valid_005770", "source": "dnrti_valid"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_valid_005771", "source": "dnrti_valid"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": 
[[199, 206]]}, "info": {"id": "dnrti_valid_005772", "source": "dnrti_valid"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_valid_005773", "source": "dnrti_valid"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_valid_005774", "source": "dnrti_valid"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_valid_005775", "source": "dnrti_valid"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_valid_005776", "source": "dnrti_valid"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"Organization: Ke3chang": [[0, 8]], "Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Malware: Adobe PDF Reader": [[156, 172]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": 
{"id": "dnrti_valid_005777", "source": "dnrti_valid"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_valid_005778", "source": "dnrti_valid"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_valid_005779", "source": "dnrti_valid"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_valid_005780", "source": "dnrti_valid"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_valid_005781", "source": "dnrti_valid"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "System: email attachment": [[24, 40]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_valid_005782", "source": "dnrti_valid"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, 
"info": {"id": "dnrti_valid_005783", "source": "dnrti_valid"}} {"text": "The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network .", "spans": {"Organization: attackers": [[4, 13]], "Malware: ASA": [[96, 99]]}, "info": {"id": "dnrti_valid_005784", "source": "dnrti_valid"}} {"text": "More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system .", "spans": {"System: download": [[55, 63]], "Malware: TeamViewer": [[67, 77]], "Organization: threat actors": [[112, 125]]}, "info": {"id": "dnrti_valid_005785", "source": "dnrti_valid"}} {"text": "The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities .", "spans": {"Organization: hacking division": [[13, 29]], "Organization: NSA": [[105, 108]]}, "info": {"id": "dnrti_valid_005786", "source": "dnrti_valid"}} {"text": "After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on .", "spans": {"Organization: Weeping Angel": [[20, 33]]}, "info": {"id": "dnrti_valid_005787", "source": "dnrti_valid"}} {"text": "The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones .", "spans": {"Organization: CIA's": [[4, 9]]}, "info": {"id": "dnrti_valid_005788", "source": "dnrti_valid"}} {"text": "These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied .", "spans": {"Organization: CIA": [[28, 31]]}, "info": {"id": "dnrti_valid_005789", "source": "dnrti_valid"}} {"text": "The 
CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware .", "spans": {"Organization: CIA": [[4, 7]]}, "info": {"id": "dnrti_valid_005790", "source": "dnrti_valid"}} {"text": "As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts .", "spans": {"Organization: CIA": [[25, 28]], "Malware: malware": [[29, 36]]}, "info": {"id": "dnrti_valid_005791", "source": "dnrti_valid"}} {"text": "we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage .", "spans": {"Organization: APT10": [[70, 75]], "Organization: Stone Panda": [[90, 101]], "Organization: menuPass": [[104, 112]], "Organization: CVNX": [[115, 119]]}, "info": {"id": "dnrti_valid_005792", "source": "dnrti_valid"}} {"text": "Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , ” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients .", "spans": {"Organization: MSS": [[116, 119]]}, "info": {"id": "dnrti_valid_005793", "source": "dnrti_valid"}} {"text": "We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property .", "spans": {"Organization: APT10": [[15, 20]]}, "info": {"id": "dnrti_valid_005794", "source": "dnrti_valid"}} {"text": "In this same time frame , APT10 also targeted a U.S. 
law firm and an international apparel company , likely to gather information for commercial advantage .", "spans": {"Organization: APT10": [[26, 31]]}, "info": {"id": "dnrti_valid_005795", "source": "dnrti_valid"}} {"text": "Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world .", "spans": {"Organization: MSS": [[73, 76]]}, "info": {"id": "dnrti_valid_005796", "source": "dnrti_valid"}} {"text": "In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials .", "spans": {"Organization: attackers": [[29, 38]], "System: stolen": [[136, 142]]}, "info": {"id": "dnrti_valid_005797", "source": "dnrti_valid"}} {"text": "In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks .", "spans": {"Organization: APT10": [[16, 21]], "Organization: (MSPs)": [[91, 97]]}, "info": {"id": "dnrti_valid_005798", "source": "dnrti_valid"}} {"text": "This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access .", "spans": {"Malware: Visma endpoints": [[110, 125]]}, "info": {"id": "dnrti_valid_005799", "source": "dnrti_valid"}} {"text": "They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API .", "spans": {"Malware: Visma": [[120, 125]], "Malware: Dropbox API": [[141, 152]]}, "info": {"id": "dnrti_valid_005800", "source": "dnrti_valid"}} {"text": "The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network .", "spans": 
{"Organization: attacker": [[4, 12]], "Malware: Citrix": [[63, 69]]}, "info": {"id": "dnrti_valid_005801", "source": "dnrti_valid"}} {"text": "The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script .", "spans": {"Organization: attackers": [[4, 13]], "Malware: 1.bat": [[106, 111]]}, "info": {"id": "dnrti_valid_005802", "source": "dnrti_valid"}} {"text": "APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world .", "spans": {"Organization: APT10's": [[0, 7]], "Organization: MSPs": [[39, 43]]}, "info": {"id": "dnrti_valid_005803", "source": "dnrti_valid"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"Malware: malware": [[4, 11]], "Malware: CMD/PowerShell": [[40, 54]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_valid_005804", "source": "dnrti_valid"}} {"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal .", "spans": {}, "info": {"id": "dnrti_valid_005805", "source": "dnrti_valid"}} {"text": "It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person .", "spans": {"Organization: 
attackers": [[20, 29]]}, "info": {"id": "dnrti_valid_005806", "source": "dnrti_valid"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"Organization: ‘Operation Sheep’": [[7, 24]], "Vulnerability: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "dnrti_valid_005807", "source": "dnrti_valid"}} {"text": "In theory , Shun Wang Technologies could have collected a third of China’s population names and contact numbers if not more .", "spans": {"Organization: Shun Wang": [[12, 21]]}, "info": {"id": "dnrti_valid_005808", "source": "dnrti_valid"}} {"text": "With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November’s Single’s Day and December’s Asian online shopping fest .", "spans": {"Organization: Shun Wang": [[40, 49]]}, "info": {"id": "dnrti_valid_005809", "source": "dnrti_valid"}} {"text": "In Operation Sheep’s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement .", "spans": {"Organization: Shun Wang": [[28, 37]]}, "info": {"id": "dnrti_valid_005810", "source": "dnrti_valid"}} {"text": "APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_valid_005811", "source": "dnrti_valid"}} {"text": "Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates .", "spans": {"Organization: 
APT41": [[62, 67]]}, "info": {"id": "dnrti_valid_005812", "source": "dnrti_valid"}} {"text": "We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft .", "spans": {"Organization: APT41": [[57, 62]]}, "info": {"id": "dnrti_valid_005813", "source": "dnrti_valid"}} {"text": "In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites .", "spans": {"Organization: APT41": [[15, 20]], "System: spear-phishing": [[26, 40]]}, "info": {"id": "dnrti_valid_005814", "source": "dnrti_valid"}} {"text": "We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise .", "spans": {"Organization: APT41": [[16, 21]], "System: resorted to ransomware": [[132, 154]]}, "info": {"id": "dnrti_valid_005815", "source": "dnrti_valid"}} {"text": "In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks .", "spans": {"System: run a malicious DLL": [[164, 183]], "Organization: Emissary Panda": [[218, 232]]}, "info": {"id": "dnrti_valid_005816", "source": "dnrti_valid"}} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security .", "spans": {"Vulnerability: CVE-2019-0604": [[75, 88]], "Organization: Cyber Security Center": [[141, 162]], "Organization: Canadian Center": [[171, 186]]}, "info": 
{"id": "dnrti_valid_005817", "source": "dnrti_valid"}} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell .", "spans": {"Organization: actors": [[50, 56]], "Vulnerability: CVE-2019-0604": [[66, 79]], "Malware: China Chopper webshell": [[125, 147]]}, "info": {"id": "dnrti_valid_005818", "source": "dnrti_valid"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_valid_005819", "source": "dnrti_valid"}} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 .", "spans": {"Organization: Emissary Panda": [[4, 18]], "Malware: China Chopper": [[43, 56]], "Vulnerability: CVE-2019-0604": [[264, 277]]}, "info": {"id": "dnrti_valid_005820", "source": "dnrti_valid"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Malware: python script": [[63, 76]], "Vulnerability: CVE-2017-0144": [[132, 145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_valid_005821", "source": "dnrti_valid"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the 
CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 .", "spans": {"Organization: actors": [[15, 21]], "Vulnerability: CVE-2017-0144": [[109, 122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_valid_005822", "source": "dnrti_valid"}} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT .", "spans": {"Organization: cyber criminals": [[31, 46]], "Malware: spearphishing emails": [[51, 71]], "Malware: attachments:": [[94, 106]], "Malware: documents": [[117, 126], [209, 218]], "Vulnerability: CVE-2017-11882": [[189, 203]]}, "info": {"id": "dnrti_valid_005823", "source": "dnrti_valid"}} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills. In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks .", "spans": {"Organization: Scattered Canary": [[75, 91], [146, 162]], "Vulnerability: phishing": [[231, 239]]}, "info": {"id": "dnrti_valid_005824", "source": "dnrti_valid"}} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability .", "spans": {"Organization: SLUB": [[22, 26]], "System: watering hole": [[48, 61]], "Vulnerability: CVE-2018-8174": [[81, 94]]}, "info": {"id": "dnrti_valid_005825", "source": "dnrti_valid"}} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April .", "spans": {"Vulnerability: CVE-2019-0752": [[25, 38]], "Organization: Trend Micro’s": [[90, 103]]}, "info": {"id": "dnrti_valid_005826", "source": "dnrti_valid"}} {"text": "The SLUB malware was delivered through watering hole websites that were 
injected with exploits for CVE-2018-8174 or CVE-2019-0752 .", "spans": {"Organization: SLUB": [[4, 8]], "Vulnerability: CVE-2018-8174": [[99, 112]], "Vulnerability: CVE-2019-0752": [[116, 129]]}, "info": {"id": "dnrti_valid_005827", "source": "dnrti_valid"}} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution .", "spans": {"Organization: SWEED": [[43, 48]], "Vulnerability: CVE-2017-11882": [[109, 123]]}, "info": {"id": "dnrti_valid_005828", "source": "dnrti_valid"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]], "Malware: Microsoft .NET framework": [[121, 145]]}, "info": {"id": "dnrti_valid_005829", "source": "dnrti_valid"}} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits .", "spans": {"Organization: Zebrocy": [[0, 7]], "System: spearphishing": [[32, 45]], "Vulnerability: 0day exploits": [[132, 145]]}, "info": {"id": "dnrti_valid_005830", "source": "dnrti_valid"}} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: FireEye": [[18, 25]], "Organization: APT34": [[35, 40]], "Vulnerability: vulnerability": [[83, 96]], "Organization: government organization": [[109, 132]]}, "info": {"id": "dnrti_valid_005831", "source": "dnrti_valid"}} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation 
flaw to perform a targeted attack .", "spans": {"Organization: Google": [[0, 6]], "Organization: Microsoft": [[11, 20]], "Organization: APT28": [[69, 74]], "Vulnerability: CVE-2016-7855": [[102, 115]]}, "info": {"id": "dnrti_valid_005832", "source": "dnrti_valid"}} {"text": "Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: BlackOasis’": [[32, 43]], "Vulnerability: zero day": [[109, 117]]}, "info": {"id": "dnrti_valid_005833", "source": "dnrti_valid"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"Vulnerability: CVE-2017-1099": [[71, 84]], "Malware: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_valid_005834", "source": "dnrti_valid"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_valid_005835", "source": "dnrti_valid"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Malware: LATENTBOT malware": [[99, 116]]}, "info": {"id": "dnrti_valid_005836", "source": "dnrti_valid"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_valid_005837", "source": "dnrti_valid"}} {"text": 
"This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_valid_005838", "source": "dnrti_valid"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_valid_005839", "source": "dnrti_valid"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_valid_005840", "source": "dnrti_valid"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_valid_005841", "source": "dnrti_valid"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_valid_005842", "source": "dnrti_valid"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_valid_005843", "source": 
"dnrti_valid"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"Organization: Ke3chang": [[0, 8]], "Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Malware: Adobe PDF Reader": [[156, 172]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": {"id": "dnrti_valid_005844", "source": "dnrti_valid"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_valid_005845", "source": "dnrti_valid"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_valid_005846", "source": "dnrti_valid"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_valid_005847", "source": "dnrti_valid"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: POWRUNER": [[0, 8]], "Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_valid_005848", "source": "dnrti_valid"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a 
double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "System: email attachment": [[24, 40]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_valid_005849", "source": "dnrti_valid"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, "info": {"id": "dnrti_valid_005850", "source": "dnrti_valid"}} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"Malware: date string": [[35, 46]], "Malware: date codes": [[64, 74]], "Malware: Bookworm": [[120, 128]]}, "info": {"id": "dnrti_valid_005851", "source": "dnrti_valid"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"Malware: Careto": [[59, 65]]}, "info": {"id": "dnrti_valid_005852", "source": "dnrti_valid"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"Malware: CONFUCIUS_B": [[4, 15]], "Malware: RTLO": [[104, 108]]}, "info": {"id": "dnrti_valid_005853", "source": "dnrti_valid"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": {"Malware: Android version": [[4, 19]]}, "info": {"id": "dnrti_valid_005854", "source": "dnrti_valid"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"Malware: bot": [[5, 8]]}, "info": {"id": "dnrti_valid_005855", "source": "dnrti_valid"}} 
{"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"Malware: document": [[5, 13]]}, "info": {"id": "dnrti_valid_005856", "source": "dnrti_valid"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"Malware: exploit code": [[13, 25]]}, "info": {"id": "dnrti_valid_005857", "source": "dnrti_valid"}} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"Malware: .lnk file": [[53, 62]]}, "info": {"id": "dnrti_valid_005858", "source": "dnrti_valid"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Malware: attachment": [[35, 45]], "Malware: NetTraveler": [[79, 90]], "Malware: DLL side-loading": [[99, 115]]}, "info": {"id": "dnrti_valid_005859", "source": "dnrti_valid"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_valid_005860", "source": "dnrti_valid"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": {"Malware: wuaupdt.exe": [[0, 11]], "Malware: CMD": [[17, 20]]}, "info": {"id": "dnrti_valid_005861", "source": "dnrti_valid"}} {"text": "As described in the infection flow , one 
of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": {"Malware: AutoHotKey scripts": [[66, 84]]}, "info": {"id": "dnrti_valid_005862", "source": "dnrti_valid"}} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": {"Malware: RAT": [[4, 7]]}, "info": {"id": "dnrti_valid_005863", "source": "dnrti_valid"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": {"Malware: Bemstour": [[0, 8]], "Malware: DoublePulsar backdoor": [[62, 83]]}, "info": {"id": "dnrti_valid_005864", "source": "dnrti_valid"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": {"Malware: DoublePulsar": [[0, 12]]}, "info": {"id": "dnrti_valid_005865", "source": "dnrti_valid"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", "spans": {"Malware: Okrum": [[52, 57]]}, "info": {"id": "dnrti_valid_005866", "source": "dnrti_valid"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": {"Malware: Sea Turtle": [[67, 77]]}, "info": {"id": "dnrti_valid_005867", "source": "dnrti_valid"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": {"Malware: xlsm file": [[38, 47]], "Malware: it": [[50, 52]]}, "info": {"id": "dnrti_valid_005868", "source": "dnrti_valid"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on 
requirements from 'Fine Dining' questionairies .", "spans": {"Malware: Margarita": [[33, 42]]}, "info": {"id": "dnrti_valid_005869", "source": "dnrti_valid"}} {"text": "Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"Malware: Honeycomb": [[0, 9]]}, "info": {"id": "dnrti_valid_005870", "source": "dnrti_valid"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": {"Malware: UMBRAGE": [[0, 7]]}, "info": {"id": "dnrti_valid_005871", "source": "dnrti_valid"}} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) .", "spans": {"Malware: 'Improvise'": [[0, 11]], "System: Windows": [[182, 189]], "System: MacOS": [[204, 209]], "System: Linux": [[224, 229]]}, "info": {"id": "dnrti_valid_005872", "source": "dnrti_valid"}} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": {"Malware: sample": [[5, 11]], "Malware: Trochilus": [[31, 40]]}, "info": {"id": "dnrti_valid_005873", "source": "dnrti_valid"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": {"Malware: configuration file": [[4, 22]]}, "info": {"id": "dnrti_valid_005874", "source": "dnrti_valid"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint 
IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials .", "spans": {"Organization: Insikt Group": [[0, 12]], "Malware: Citrix-hosted": [[111, 124]]}, "info": {"id": "dnrti_valid_005875", "source": "dnrti_valid"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more .", "spans": {"Malware: backdoor": [[14, 22]]}, "info": {"id": "dnrti_valid_005876", "source": "dnrti_valid"}} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": {"Malware: VBA2Graph": [[23, 32]]}, "info": {"id": "dnrti_valid_005877", "source": "dnrti_valid"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"Malware: JavaScript": [[4, 14]]}, "info": {"id": "dnrti_valid_005878", "source": "dnrti_valid"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT .", "spans": {"Organization: group": [[4, 9]], "System: Excel documents": [[162, 177]], "Malware: RATs": [[189, 193]], "Malware: PupyRAT": [[202, 209]]}, "info": {"id": "dnrti_valid_005879", "source": "dnrti_valid"}} {"text": "CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": {"Organization: CTU": [[0, 3]], "Organization: COBALT GYPSY": [[30, 42]]}, "info": {"id": "dnrti_valid_005880", 
"source": "dnrti_valid"}} {"text": "The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic .", "spans": {"Organization: COBALT GYPSY": [[85, 97]]}, "info": {"id": "dnrti_valid_005881", "source": "dnrti_valid"}} {"text": "COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training .", "spans": {"Organization: COBALT GYPSY": [[0, 12]]}, "info": {"id": "dnrti_valid_005882", "source": "dnrti_valid"}} {"text": "The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel .", "spans": {}, "info": {"id": "dnrti_valid_005883", "source": "dnrti_valid"}} {"text": "PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparallelled campaign which we refer to as Operation Cloud Hopper .", "spans": {"Organization: PwC UK": [[0, 6]], "Organization: BAE Systems": [[11, 22]]}, "info": {"id": "dnrti_valid_005884", "source": "dnrti_valid"}} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage .", "spans": {"Organization: DragonOK": [[74, 82]]}, "info": {"id": "dnrti_valid_005885", "source": "dnrti_valid"}} {"text": "Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": {"Organization: Molerats": [[20, 28]], "Organization: governmental": [[37, 49]], "Organization: embassies": [[90, 99]], "Organization: financial institutions": [[156, 178]], "Organization: journalists": [[181, 192]], "Organization: software developers": [[195, 214]]}, "info": {"id": "dnrti_valid_005886", "source": "dnrti_valid"}} {"text": "FIN7 is a threat actor group that is financially motivated with 
targets in the restaurant , services and financial sectors .", "spans": {"Organization: FIN7": [[0, 4]], "Organization: threat actor group": [[10, 28]], "Organization: financial sectors": [[105, 122]]}, "info": {"id": "dnrti_valid_005887", "source": "dnrti_valid"}} {"text": "Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors .", "spans": {"Organization: group": [[36, 41]], "Organization: Oil sectors": [[189, 200]]}, "info": {"id": "dnrti_valid_005888", "source": "dnrti_valid"}} {"text": "The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_valid_005889", "source": "dnrti_valid"}} {"text": "The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros .", "spans": {"System: spear-phishing": [[8, 22]], "Organization: MuddyWater": [[36, 46]]}, "info": {"id": "dnrti_valid_005890", "source": "dnrti_valid"}} {"text": "Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature .", "spans": {"Organization: MuddyWater": [[93, 103]], "System: phishing": [[108, 116]], "System: spam": [[120, 124]]}, "info": {"id": "dnrti_valid_005891", "source": "dnrti_valid"}} {"text": "The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia .", "spans": {"Organization: Naikon": [[108, 114]]}, "info": {"id": "dnrti_valid_005892", "source": "dnrti_valid"}} {"text": "These attacks have involved social engineering , spearphishing 
attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {"Malware: remote administration tools": [[199, 226]], "Malware: RATs": [[229, 233]]}, "info": {"id": "dnrti_valid_005893", "source": "dnrti_valid"}} {"text": "Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {"Organization: Night Dragon": [[0, 12]], "Malware: remote administration tools": [[209, 236]], "Malware: RATs": [[239, 243]]}, "info": {"id": "dnrti_valid_005894", "source": "dnrti_valid"}} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"Organization: group": [[20, 25]]}, "info": {"id": "dnrti_valid_005895", "source": "dnrti_valid"}} {"text": "Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system .", "spans": {"Organization: attackers": [[40, 49]], "Malware: DDE protocol": [[75, 87]], "System: remotely execute commands": [[91, 116]]}, "info": {"id": "dnrti_valid_005896", "source": "dnrti_valid"}} {"text": "These VNC exectuables would either be included in the SFX file or downloaded by the batch script .", "spans": {"Malware: VNC": [[6, 9]], "System: SFX file": [[54, 62]], "System: 
batch script": [[84, 96]]}, "info": {"id": "dnrti_valid_005897", "source": "dnrti_valid"}} {"text": "Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute .", "spans": {"Organization: GCMAN group": [[47, 58]], "System: cron script": [[74, 85]]}, "info": {"id": "dnrti_valid_005898", "source": "dnrti_valid"}} {"text": "The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out .", "spans": {"Organization: GCMAN group": [[4, 15]], "System: MS SQL injection": [[24, 40]]}, "info": {"id": "dnrti_valid_005899", "source": "dnrti_valid"}} {"text": "Gorgon Group used common URL shortening services to download payloads .", "spans": {"Organization: Gorgon Group": [[0, 12]], "System: URL shortening services": [[25, 48]]}, "info": {"id": "dnrti_valid_005900", "source": "dnrti_valid"}} {"text": "Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication .", "spans": {"Organization: Gorgon": [[0, 6]], "System: decoy documents": [[21, 36]], "System: phishing emails": [[41, 56]]}, "info": {"id": "dnrti_valid_005901", "source": "dnrti_valid"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"System: spear phishing emails": [[37, 58]], "Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_valid_005902", "source": "dnrti_valid"}} {"text": "This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics .", "spans": {"System: Visual Basic macro": [[35, 53]], "Malware: SYSCON": 
[[124, 130]], "Malware: malicious Word documents": [[159, 183]]}, "info": {"id": "dnrti_valid_005903", "source": "dnrti_valid"}} {"text": "All contain the same Visual Basic macro code and author name as Honeybee .", "spans": {"System: Visual Basic macro code": [[21, 44]], "Organization: Honeybee": [[64, 72]]}, "info": {"id": "dnrti_valid_005904", "source": "dnrti_valid"}} {"text": "Ke3chang attackers have used spear-phishing emails .", "spans": {"Organization: Ke3chang": [[0, 8]], "Organization: attackers": [[9, 18]], "System: spear-phishing emails": [[29, 50]]}, "info": {"id": "dnrti_valid_005905", "source": "dnrti_valid"}} {"text": "Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download .", "spans": {"Organization: Ke3chang": [[20, 28]], "Organization: attackers": [[29, 38]], "System: spear-phishing emails": [[49, 70]]}, "info": {"id": "dnrti_valid_005906", "source": "dnrti_valid"}} {"text": "DLL hijacking techniques have been seen in the past with the APT15 group .", "spans": {"System: DLL hijacking techniques": [[0, 24]], "Organization: APT15 group": [[61, 72]]}, "info": {"id": "dnrti_valid_005907", "source": "dnrti_valid"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": {"Organization: Lazarus": [[44, 51]], "System: phishing emails": [[63, 78]], "Organization: Bitcoin users": [[129, 142]], "Organization: financial organizations": [[154, 177]]}, "info": {"id": "dnrti_valid_005908", "source": "dnrti_valid"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations .", "spans": {"Organization: Lazarus": [[44, 51]], "System: phishing emails": [[63, 78]], "Organization: financial organizations": [[129, 152]]}, "info": {"id": 
"dnrti_valid_005909", "source": "dnrti_valid"}} {"text": "Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": {"Organization: Lazarus group": [[24, 37]], "System: spear phishing emails": [[72, 93]], "Organization: job recruiters": [[108, 122]]}, "info": {"id": "dnrti_valid_005910", "source": "dnrti_valid"}} {"text": "Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer .", "spans": {"Malware: HIDDEN COBRA malware": [[43, 63]], "System: network infrastructure": [[82, 104]], "Malware: Volgmer": [[122, 129]]}, "info": {"id": "dnrti_valid_005911", "source": "dnrti_valid"}} {"text": "Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 .", "spans": {"System: SMB packet": [[26, 36]], "Malware: WannaCry": [[72, 80]]}, "info": {"id": "dnrti_valid_005912", "source": "dnrti_valid"}} {"text": "Kaspersky believes both Shamoon and StoneDrill groups are aligned in their interests , but are two separate actors , which might also indicate two different groups working together .", "spans": {"Organization: Kaspersky": [[0, 9]], "Organization: Shamoon": [[24, 31]], "Organization: StoneDrill": [[36, 46]]}, "info": {"id": "dnrti_test_005913", "source": "dnrti_test"}} {"text": "Indeed , Kaspersky started tracking the BlueNoroff actor a long time ago .", "spans": {"Organization: Kaspersky": [[9, 18]], "Organization: BlueNoroff": [[40, 50]]}, "info": {"id": "dnrti_test_005914", "source": "dnrti_test"}} {"text": "Eset‍ has published a report on the state-sponsored Russian turla apt group ‍.", "spans": {"Organization: Eset‍": [[0, 5]], "Organization: turla": [[60, 65]]}, "info": {"id": "dnrti_test_005915", "source": "dnrti_test"}} {"text": "It seems Eset has 
discovered and published on a new malware module created by Turla .", "spans": {"Organization: Eset": [[9, 13]], "Organization: Turla": [[78, 83]]}, "info": {"id": "dnrti_test_005916", "source": "dnrti_test"}} {"text": "The majority of NewsBeef targets that Kaspersky researchers have observed are located in SA .", "spans": {"Organization: NewsBeef": [[16, 24]], "Organization: Kaspersky": [[38, 47]]}, "info": {"id": "dnrti_test_005917", "source": "dnrti_test"}} {"text": "While not directly overlapping , this potential infrastructure link is interesting , as Vixen Panda has previously displayed TTPs similar to COMMENT PANDA , and has extensively targeted European entities .", "spans": {"Organization: Vixen Panda": [[88, 99]], "Organization: COMMENT PANDA": [[141, 154]]}, "info": {"id": "dnrti_test_005918", "source": "dnrti_test"}} {"text": "Given the evidence outlined above , CrowdStrike attributes the PUTTER PANDA group to PLA Unit 61486 within Shanghai , China with high confidence .", "spans": {"Organization: CrowdStrike": [[36, 47]], "Organization: PUTTER PANDA group": [[63, 81]], "Organization: Unit 61486": [[89, 99]]}, "info": {"id": "dnrti_test_005919", "source": "dnrti_test"}} {"text": "Several RATs are used by PUTTER PANDA .", "spans": {"Malware: RATs": [[8, 12]], "Organization: PUTTER PANDA": [[25, 37]]}, "info": {"id": "dnrti_test_005920", "source": "dnrti_test"}} {"text": "The most common of these , the 4H RAT and the 3PARA RAT , have been documented previously by CrowdStrike in previous CrowdStrike Intelligence reporting .", "spans": {"Malware: 4H RAT": [[31, 37]], "Malware: 3PARA RAT": [[46, 55]], "Organization: CrowdStrike": [[93, 104]], "Organization: CrowdStrike Intelligence": [[117, 141]]}, "info": {"id": "dnrti_test_005921", "source": "dnrti_test"}} {"text": "This analysis will be revisited below , along with an examination of two other PUTTER PANDA tools : pngdowner and httpclient .", "spans": {"Organization: PUTTER PANDA": [[79, 91]], "Malware: 
pngdowner": [[100, 109]], "Malware: httpclient": [[114, 124]]}, "info": {"id": "dnrti_test_005922", "source": "dnrti_test"}} {"text": "Other CrowdStrike reporting describes a dropper used by PUTTER PANDA to install the 4H RAT .", "spans": {"Organization: CrowdStrike": [[6, 17]], "Malware: dropper": [[40, 47]], "Organization: PUTTER PANDA": [[56, 68]], "Malware: 4H RAT": [[84, 90]]}, "info": {"id": "dnrti_test_005923", "source": "dnrti_test"}} {"text": "This dropper uses RC4 to decrypt an embedded payload from data in an embedded resource before writing the payload to disk and executing it .", "spans": {"Malware: dropper": [[5, 12]], "Malware: RC4": [[18, 21]]}, "info": {"id": "dnrti_test_005924", "source": "dnrti_test"}} {"text": "It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) .", "spans": {"Malware: Word document": [[14, 27]], "Malware: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[54, 90]], "Malware: Update.exe": [[122, 132]], "Malware: McUpdate.dll": [[145, 157]]}, "info": {"id": "dnrti_test_005925", "source": "dnrti_test"}} {"text": "PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector .", "spans": {"Organization: PUTTER PANDA": [[0, 12]], "Organization: group": [[40, 45]], "Organization: space sector": [[167, 179]]}, "info": {"id": "dnrti_test_005926", "source": "dnrti_test"}} {"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 .", "spans": {"Organization: PUTTER PANDA": [[49, 61]], "Organization: operators": [[62, 71]], "Organization: MUCD 61486": [[249, 259]]}, "info": {"id": "dnrti_test_005927", "source": 
"dnrti_test"}} {"text": "PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests .", "spans": {"Organization: PUTTER PANDA": [[0, 12]]}, "info": {"id": "dnrti_test_005928", "source": "dnrti_test"}} {"text": "Mandiant 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: APT1": [[12, 16]], "Organization: private security companies": [[81, 107]], "Organization: threat actors": [[127, 140]]}, "info": {"id": "dnrti_test_005929", "source": "dnrti_test"}} {"text": "Mandianta 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse .", "spans": {"Organization: Mandianta": [[0, 9]], "Organization: APT1": [[13, 17]], "Organization: private security companies": [[82, 108]], "Organization: threat actors": [[128, 141]]}, "info": {"id": "dnrti_test_005930", "source": "dnrti_test"}} {"text": "In 2014 , our colleagues at Crowdstrike wrote an exposé about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 .", "spans": {"Organization: Crowdstrike": [[28, 39]], "Organization: APT threat group": [[86, 102]], "Organization: Putter Panda": [[119, 131]], "Organization: Mandiant": [[140, 148]], "Organization: FireEye": [[151, 158]], "Organization: APT2": [[172, 176]]}, "info": {"id": "dnrti_test_005931", "source": "dnrti_test"}} {"text": "In 2014 , our colleagues at Crowdstrike wrote an expos about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 .", "spans": {"Organization: Crowdstrike": [[28, 39]], "Organization: APT threat group": [[85, 101]], "Organization: Putter Panda": [[118, 130]], "Organization: Mandiant": [[139, 
147]], "Organization: FireEye": [[150, 157]], "Organization: APT2": [[171, 175]]}, "info": {"id": "dnrti_test_005932", "source": "dnrti_test"}} {"text": "This threat group attacked defense contractors and aerospace companies .", "spans": {"Organization: threat group": [[5, 17]], "Organization: defense contractors": [[27, 46]], "Organization: aerospace companies": [[51, 70]]}, "info": {"id": "dnrti_test_005933", "source": "dnrti_test"}} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection .", "spans": {"Vulnerability: CVE-2012-0158": [[23, 36]]}, "info": {"id": "dnrti_test_005934", "source": "dnrti_test"}} {"text": "Unit 42 believes this group is previously unidentified and therefore have we have dubbed it \" RANCOR \" .", "spans": {"Organization: Unit 42": [[0, 7]], "Organization: group": [[22, 27]], "Organization: RANCOR": [[94, 100]]}, "info": {"id": "dnrti_test_005935", "source": "dnrti_test"}} {"text": "The Rancor group 's attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE .", "spans": {"Organization: Rancor group": [[4, 16]], "Malware: DDKONG": [[122, 128]], "Malware: PLAINTEE": [[133, 141]]}, "info": {"id": "dnrti_test_005936", "source": "dnrti_test"}} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages .", "spans": {"Malware: decoy files": [[14, 25]], "System: spear phishing messages": [[66, 89]]}, "info": {"id": "dnrti_test_005937", "source": "dnrti_test"}} {"text": "Based on this , we believe the Rancor attackers were targeting political entities .", "spans": {"Organization: Rancor": [[31, 37]], "Organization: attackers": [[38, 47]], "Organization: political entities": [[63, 81]]}, "info": {"id": "dnrti_test_005938", "source": "dnrti_test"}} {"text": "Additionally , these decoy documents are hosted on legitimate websites including a 
government website belonging to the Cambodia Government and in at least once case , Facebook .", "spans": {"Malware: decoy documents": [[21, 36]], "Organization: Cambodia Government": [[119, 138]], "Organization: Facebook": [[167, 175]]}, "info": {"id": "dnrti_test_005939", "source": "dnrti_test"}} {"text": "Our Investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia .", "spans": {}, "info": {"id": "dnrti_test_005940", "source": "dnrti_test"}} {"text": "We observed DDKONG in use between February 2017 and the present , while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017 .", "spans": {"Malware: DDKONG": [[12, 18]], "Malware: PLAINTEE": [[72, 80]]}, "info": {"id": "dnrti_test_005941", "source": "dnrti_test"}} {"text": "The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region .", "spans": {}, "info": {"id": "dnrti_test_005942", "source": "dnrti_test"}} {"text": "They are interested in users of remote banking systems ( RBS ) , mainly in Russia and neighboring countries .", "spans": {}, "info": {"id": "dnrti_test_005943", "source": "dnrti_test"}} {"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system .", "spans": {"Organization: group": [[10, 15]]}, "info": {"id": "dnrti_test_005944", "source": "dnrti_test"}} {"text": "While both RTM and Buhtrap are looking for a quite similar process list , the infection vectors are quite different .", "spans": {"Malware: RTM": [[11, 14]], "Malware: Buhtrap": [[19, 26]]}, "info": {"id": "dnrti_test_005945", "source": "dnrti_test"}} {"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam .", "spans": {"Organization: group": [[5, 10]], "System: drive-by downloads": [[81, 99]], "System: spam": [[104, 108]]}, "info": 
{"id": "dnrti_test_005946", "source": "dnrti_test"}} {"text": "They are both targeting businesses using accounting software , are fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims .", "spans": {}, "info": {"id": "dnrti_test_005947", "source": "dnrti_test"}} {"text": "In particular , we will focus on the samples SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B .", "spans": {}, "info": {"id": "dnrti_test_005948", "source": "dnrti_test"}} {"text": "Despite its known weaknesses , the RC4 algorithm is regularly used by malware authors .", "spans": {"Malware: RC4": [[35, 38]]}, "info": {"id": "dnrti_test_005949", "source": "dnrti_test"}} {"text": "Based on the use of the relatively unique PLAINTEE malware , the malware 's use of the same file paths on in each cluster , and the similar targeting , we have grouped these attacks together under the RANCOR campaign moniker .", "spans": {"Malware: PLAINTEE malware": [[42, 58]]}, "info": {"id": "dnrti_test_005950", "source": "dnrti_test"}} {"text": "Bdo is the Russian translation for RBS ( Remote Banking System ) so it is clear that RBS is a target for this malware .", "spans": {}, "info": {"id": "dnrti_test_005951", "source": "dnrti_test"}} {"text": "Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": {"Organization: groups": [[6, 12]], "Organization: Buhtrap": [[23, 30]], "Organization: Corkow": [[33, 39]], "Organization: Carbanak": [[44, 52]], "Organization: financial institutions": [[118, 140]], "Organization: customers": [[151, 160]]}, "info": {"id": "dnrti_test_005952", "source": "dnrti_test"}} {"text": "Our research on the RTM malware shows that the Russian banking system is still a target of choice for criminals .", "spans": {"Malware: 
RTM malware": [[20, 31]], "Organization: criminals": [[102, 111]]}, "info": {"id": "dnrti_test_005953", "source": "dnrti_test"}} {"text": "Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers .", "spans": {"Organization: iSIGHT Partners": [[18, 33]], "Organization: customers": [[109, 118]]}, "info": {"id": "dnrti_test_005954", "source": "dnrti_test"}} {"text": "Shortly after releasing information on their espionage operations , our friends at TrendMicro found evidence that the operators were not only conducting classic strategic espionage but targeting SCADA systems as well .", "spans": {"Organization: TrendMicro": [[83, 93]], "Organization: operators": [[118, 127]], "Organization: espionage": [[171, 180]]}, "info": {"id": "dnrti_test_005955", "source": "dnrti_test"}} {"text": "iSiGHT has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"Organization: iSiGHT": [[0, 6]], "Organization: Sandworm Team": [[19, 32]], "Vulnerability: zero-day exploit": [[154, 170]], "Vulnerability: CVE-2014-4114": [[173, 186]]}, "info": {"id": "dnrti_test_005956", "source": "dnrti_test"}} {"text": "Sandworm Team went to ground shortly after being exposed in October of 2014 , and malware with Dune references ( the genesis for the ' Sandworm ' moniker ) which we had previously used to track them disappeared entirely .", "spans": {"Organization: Sandworm Team": [[0, 13]], "Organization: Sandworm": [[135, 143]]}, "info": {"id": "dnrti_test_005957", "source": "dnrti_test"}} {"text": "However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team .", "spans": {"Malware: BlackEnergy 3": [[39, 52]], "Organization: Sandworm Team": [[117, 130]]}, "info": {"id": "dnrti_test_005958", "source": "dnrti_test"}} {"text": "iSiGHT 
Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"Organization: iSiGHT Partners": [[0, 15]], "Organization: Sandworm Team": [[28, 41]], "Vulnerability: zero-day exploit": [[163, 179]], "Vulnerability: CVE-2014-4114": [[182, 195]]}, "info": {"id": "dnrti_test_005959", "source": "dnrti_test"}} {"text": "SIGHT Partners is still collecting information on the mechanics of the power outage and what role the KillDisk malware played in the greater event .", "spans": {"Organization: SIGHT Partners": [[0, 14]], "Malware: KillDisk malware": [[102, 118]]}, "info": {"id": "dnrti_test_005960", "source": "dnrti_test"}} {"text": "Last week iSIGHT 's sources provided us with the same KillDisk malware published by Rob Lee of SANS and Dragos Security .", "spans": {"Organization: iSIGHT": [[10, 16]], "Malware: KillDisk malware": [[54, 70]], "Organization: SANS": [[95, 99]], "Organization: Dragos Security": [[104, 119]]}, "info": {"id": "dnrti_test_005961", "source": "dnrti_test"}} {"text": "The aggressive nature of Sandworm Team 's previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack .", "spans": {"Organization: Sandworm Team": [[25, 38]]}, "info": {"id": "dnrti_test_005962", "source": "dnrti_test"}} {"text": "This year we are going to be releasing a monthly blog post introducing the \" Threat Actor of the Month \" , complete with detailed background information on that actor .", "spans": {"Organization: Threat Actor": [[77, 89]], "Organization: actor": [[161, 166]]}, "info": {"id": "dnrti_test_005963", "source": "dnrti_test"}} {"text": "VOODOO BEAR is a highly advanced adversary with a suspected nexus to the Russian Federation .", "spans": {"Organization: VOODOO BEAR": [[0, 11]]}, "info": {"id": "dnrti_test_005964", "source": "dnrti_test"}} 
{"text": "Destructive malware used by VOODOO BEAR includes a wiper called PassKillDisk .", "spans": {"Organization: VOODOO BEAR": [[28, 39]], "Malware: PassKillDisk": [[64, 76]]}, "info": {"id": "dnrti_test_005965", "source": "dnrti_test"}} {"text": "Some tools used by this actor — specifically BlackEnergy and GCat — have been adapted from commodity malware .", "spans": {"Organization: actor": [[24, 29]], "Organization: BlackEnergy": [[45, 56]], "Organization: GCat": [[61, 65]]}, "info": {"id": "dnrti_test_005966", "source": "dnrti_test"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 .", "spans": {"Malware: Black Energy": [[117, 129]], "Organization: espionage": [[240, 249]]}, "info": {"id": "dnrti_test_005967", "source": "dnrti_test"}} {"text": "A commonly observed element of implants from VOODOO BEAR — at least until this information was made public in late 2014 — were references in the malware to the 1965 science fiction novel Dune , by Frank Herbert .", "spans": {"Organization: VOODOO BEAR": [[45, 56]]}, "info": {"id": "dnrti_test_005968", "source": "dnrti_test"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 .", "spans": {"Malware: Black Energy": [[117, 129]], "Organization: espionage": [[201, 210]]}, "info": {"id": "dnrti_test_005969", "source": "dnrti_test"}} {"text": "these characteristics all highlight the likelihood that VOODOO BEAR operates in alignment with Russian state interests .", "spans": {"Organization: VOODOO BEAR": [[56, 67]]}, "info": {"id": "dnrti_test_005970", 
"source": "dnrti_test"}} {"text": "This adversary displays a particular focus on targeting entities in the Ukraine and is believed to be behind the Ukrainian energy sector attacks that caused widespread power outages in late 2015 .", "spans": {}, "info": {"id": "dnrti_test_005971", "source": "dnrti_test"}} {"text": "VOODOO BEAR appears to be integrated into an organization that also operates or tasks multiple pro-Russian hacktivist entities .", "spans": {"Organization: VOODOO BEAR": [[0, 11]]}, "info": {"id": "dnrti_test_005972", "source": "dnrti_test"}} {"text": "In the summer of 2014 , BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions .", "spans": {"Organization: BlackEnergy": [[24, 35]], "Organization: government institutions": [[130, 153]]}, "info": {"id": "dnrti_test_005973", "source": "dnrti_test"}} {"text": "Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets .", "spans": {"Organization: actor": [[44, 49]], "Malware: BlackEnergy malware": [[79, 98]]}, "info": {"id": "dnrti_test_005974", "source": "dnrti_test"}} {"text": "In this paper we focus only on BlackEnergy samples known to be used specifically by the actors we identify as Quedagh , who seem to have a particular interest in political targets .", "spans": {"Malware: BlackEnergy samples": [[31, 50]], "Organization: actors": [[88, 94]], "Organization: Quedagh": [[110, 117]]}, "info": {"id": "dnrti_test_005975", "source": "dnrti_test"}} {"text": "Special focus will be on the samples that were used in targeted attacks against Ukrainian government organizations earlier this year .", "spans": {"Organization: government organizations": [[90, 114]]}, "info": {"id": "dnrti_test_005976", "source": "dnrti_test"}} {"text": "Although they may have started much earlier , the earliest BlackEnergy sample we could attribute to the Quedagh gang 
is from December 14 , 2010 .", "spans": {"Malware: BlackEnergy sample": [[59, 77]], "Organization: Quedagh gang": [[104, 116]]}, "info": {"id": "dnrti_test_005977", "source": "dnrti_test"}} {"text": "We warned our clients of new features suggesting an increased focus on European targets - though verification of targets was not possible at the time .", "spans": {}, "info": {"id": "dnrti_test_005978", "source": "dnrti_test"}} {"text": "Sandworm Team may have opted for a ' hide in plain sight ' approach to evade detections from rootkit scanners , such as GMER and RootkitRevealer , that checks for system anomalies .", "spans": {"Organization: Sandworm Team": [[0, 13]]}, "info": {"id": "dnrti_test_005979", "source": "dnrti_test"}} {"text": "Table 3 ( above ) summarizes the commands supported by the variants used in the attack against Ukrainian government organizations .", "spans": {"Organization: government organizations": [[105, 129]]}, "info": {"id": "dnrti_test_005980", "source": "dnrti_test"}} {"text": "In the summer of 2014 , we noted that certain samples of BlackEnergy malware began targeting Ukranian government organizations for information harvesting .", "spans": {"Malware: BlackEnergy malware": [[57, 76]], "Organization: government organizations": [[102, 126]]}, "info": {"id": "dnrti_test_005981", "source": "dnrti_test"}} {"text": "These samples were identified as being the work of one group , referred to in this document as \" Quedagh \" , which has a history of targeting political organizations .", "spans": {"Organization: group": [[55, 60]], "Organization: Quedagh": [[97, 104]], "Organization: political organizations": [[142, 165]]}, "info": {"id": "dnrti_test_005982", "source": "dnrti_test"}} {"text": "The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes .", "spans": {"Organization: Scarlet Mimic": [[28, 41]], "Organization: Uyghur": [[66, 72]], "Organization: 
Tibetan activists": [[77, 94]]}, "info": {"id": "dnrti_test_005983", "source": "dnrti_test"}} {"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and watering hole ( strategic web compromise ) attacks .", "spans": {"Organization: actors": [[50, 56]], "Organization: Scarlet Mimic": [[66, 79]], "System: spear-phishing": [[93, 107]]}, "info": {"id": "dnrti_test_005984", "source": "dnrti_test"}} {"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files .", "spans": {"Organization: attackers": [[19, 28]], "System: spear-phishing": [[37, 51]], "Organization: Scarlet Mimic": [[72, 85]]}, "info": {"id": "dnrti_test_005985", "source": "dnrti_test"}} {"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": {"Organization: group": [[96, 101]], "Organization: Muslim activists": [[137, 153]]}, "info": {"id": "dnrti_test_005986", "source": "dnrti_test"}} {"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) .", "spans": {"Organization: Scarlet Mimic": [[20, 33]], "System: spear phishing": [[90, 104]]}, "info": {"id": "dnrti_test_005987", "source": "dnrti_test"}} {"text": "This group has been conducting attacks for at least four years using a backdoor Trojan that has been under active development .", "spans": {"Organization: group": [[5, 10]], "Malware: backdoor Trojan": [[71, 86]]}, "info": {"id": "dnrti_test_005988", "source": "dnrti_test"}} {"text": "Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are 
the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China .", "spans": {"Organization: Unit 42": [[70, 77]], "Organization: group": [[134, 139]], "Organization: groups": [[162, 168]], "Organization: minority groups": [[223, 238]]}, "info": {"id": "dnrti_test_005989", "source": "dnrti_test"}} {"text": "Attacks launched by this group were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan .", "spans": {"Organization: group": [[25, 30]], "Organization: Trend Micro": [[66, 77]], "Malware: FakeM Trojan": [[95, 107]]}, "info": {"id": "dnrti_test_005990", "source": "dnrti_test"}} {"text": "We will also provide detailed analysis of the latest variants of the malware they deploy ( known as FakeM ) as well as other associated tools that allow Scarlet Mimic to target Android and OS X devices .", "spans": {"Malware: FakeM": [[100, 105]], "Organization: Scarlet Mimic": [[153, 166]]}, "info": {"id": "dnrti_test_005991", "source": "dnrti_test"}} {"text": "In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations .", "spans": {"Organization: Scarlet Mimic": [[14, 27]], "Organization: minority groups": [[83, 98]], "Organization: supporters": [[116, 126]], "Organization: group": [[179, 184]], "Organization: anti-terrorist organizations": [[236, 264]]}, "info": {"id": "dnrti_test_005992", "source": "dnrti_test"}} {"text": "We also know Scarlet Mimic uses a number of toolkits to create documents that contain exploit code to install the FakeM payload on a compromised system .", "spans": {"Organization: Scarlet Mimic": [[13, 26]], "Malware: FakeM": [[114, 119]]}, "info": {"id": "dnrti_test_005993", "source": "dnrti_test"}} {"text": "Unit 42 tracks the toolkits 
delivering FakeM under the names MNKit , WingD and Tran Duy Linh .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: FakeM": [[39, 44]], "Malware: MNKit": [[61, 66]], "Malware: WingD": [[69, 74]], "Malware: Tran Duy Linh": [[79, 92]]}, "info": {"id": "dnrti_test_005994", "source": "dnrti_test"}} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document .", "spans": {"System: e-mail": [[39, 45]], "Vulnerability: Scarlet Mimic exploit": [[103, 124]]}, "info": {"id": "dnrti_test_005995", "source": "dnrti_test"}} {"text": "We are aware of one case where Scarlet Mimic broke from the spear-phishing pattern described above .", "spans": {"Organization: Scarlet Mimic": [[31, 44]], "System: spear-phishing": [[60, 74]]}, "info": {"id": "dnrti_test_005996", "source": "dnrti_test"}} {"text": "In 2013 , the group deployed a watering hole attack , also known as a strategic web compromise to infect victims with their backdoor .", "spans": {"Organization: group": [[14, 19]]}, "info": {"id": "dnrti_test_005997", "source": "dnrti_test"}} {"text": "FakeM 's functional code is shellcode-based and requires another Trojan to load it into memory and execute it .", "spans": {"Malware: FakeM": [[0, 5]]}, "info": {"id": "dnrti_test_005998", "source": "dnrti_test"}} {"text": "First discussed in January 2013 in a Trend Micro whitepaper , FakeM is a Trojan that uses separate modules to perform its functionality .", "spans": {"Organization: Trend Micro": [[37, 48]], "Malware: FakeM": [[62, 67]], "Malware: Trojan": [[73, 79]]}, "info": {"id": "dnrti_test_005999", "source": "dnrti_test"}} {"text": "We end this section with a discussion on tools related to FakeM and used by Scarlet Mimic .", "spans": {"Malware: FakeM": [[58, 63]], "Organization: Scarlet Mimic": [[76, 89]]}, "info": {"id": "dnrti_test_006000", "source": "dnrti_test"}} {"text": "Microsoft patched this vulnerability in September 2012 , 
suggesting that this watering hole attack used an older vulnerability , which aligns with the threat groups continued use of older vulnerabilities in their spear-phishing efforts .", "spans": {"Organization: Microsoft": [[0, 9]], "Organization: threat groups": [[151, 164]], "System: spear-phishing": [[213, 227]]}, "info": {"id": "dnrti_test_006001", "source": "dnrti_test"}} {"text": "Microsoft patched this vulnerability in September 2012 , suggesting that this watering hole attack used an older vulnerability , which aligns with Scarlet Mimic continued use of older vulnerabilities in their spear-phishing efforts .", "spans": {"Organization: Microsoft": [[0, 9]], "Organization: Scarlet Mimic": [[147, 160]], "System: spear-phishing": [[209, 223]]}, "info": {"id": "dnrti_test_006002", "source": "dnrti_test"}} {"text": "Based on the timeline , it appears that the actors were actively developing several of the loaders at the same time from 2009 until the early months of 2014 .", "spans": {"Organization: actors": [[44, 50]]}, "info": {"id": "dnrti_test_006003", "source": "dnrti_test"}} {"text": "Unit 42 tracks this mobile Trojan as MobileOrder , as the authors specifically refer to commands within the app as orders .", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: mobile Trojan": [[20, 33]], "Malware: MobileOrder": [[37, 48]]}, "info": {"id": "dnrti_test_006004", "source": "dnrti_test"}} {"text": "There are also infrastructure ties between some FakeM variants and older activity using Trojans such as Elirks , Poison Ivy , and BiFrost , which were used in attacks as old as 2009 .", "spans": {"Malware: FakeM": [[48, 53]], "Malware: Elirks": [[104, 110]], "Malware: Poison Ivy": [[113, 123]]}, "info": {"id": "dnrti_test_006005", "source": "dnrti_test"}} {"text": "There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants , as well other Trojans such as MobileOrder , Psylo , and CallMe .", "spans": {"Malware: FakeM": [[81, 86]], 
"Malware: MobileOrder": [[128, 139]], "Malware: Psylo": [[142, 147]], "Malware: CallMe": [[154, 160]]}, "info": {"id": "dnrti_test_006006", "source": "dnrti_test"}} {"text": "Trend Micro published their analysis of the FakeM Trojan on January 17 , 2013 that discussed the original variant of FakeM .", "spans": {"Organization: Trend Micro": [[0, 11]], "Malware: FakeM Trojan": [[44, 56]], "Malware: FakeM": [[117, 122]]}, "info": {"id": "dnrti_test_006007", "source": "dnrti_test"}} {"text": "The primary source of data used in this analysis is Palo Alto Networks WildFire , which analyzes malware used in attacks across the world .", "spans": {"Organization: Palo Alto Networks WildFire": [[52, 79]]}, "info": {"id": "dnrti_test_006008", "source": "dnrti_test"}} {"text": "Scarlet Mimic also uses the infamous HTRAN tool on at least some of their C2 servers .", "spans": {"Organization: Scarlet Mimic": [[0, 13]], "Malware: HTRAN tool": [[37, 47]]}, "info": {"id": "dnrti_test_006009", "source": "dnrti_test"}} {"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 .", "spans": {"Organization: Scarlet Mimic": [[0, 13]], "System: spear-phishing e-mails": [[32, 54]]}, "info": {"id": "dnrti_test_006010", "source": "dnrti_test"}} {"text": "Kaspersky Lab has produced excellent research on Scarlet Mimic group .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: Scarlet Mimic group": [[49, 68]]}, "info": {"id": "dnrti_test_006011", "source": "dnrti_test"}} {"text": "Actors will run HTRAN on a server and configure their malware to interact with that server ; however , the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists .", "spans": {"Organization: Actors": [[0, 6]], "Malware: HTRAN": [[16, 21], [128, 133]], "Organization: actor": [[107, 112]]}, "info": {"id": "dnrti_test_006012", "source": "dnrti_test"}} {"text": "The 
information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary .", "spans": {"Organization: Unit 42": [[30, 37]], "Organization: Scarlet Mimic": [[64, 77]]}, "info": {"id": "dnrti_test_006013", "source": "dnrti_test"}} {"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has deployed malware to attack multiple operating systems and platforms .", "spans": {"Organization: Scarlet Mimic": [[0, 13]], "System: spear-phishing": [[49, 63]], "System: watering holes": [[68, 82]]}, "info": {"id": "dnrti_test_006014", "source": "dnrti_test"}} {"text": "This time I'm going to focus on malicious CHM files used by Silence APT .", "spans": {"Malware: CHM files": [[42, 51]], "Organization: Silence APT": [[60, 71]]}, "info": {"id": "dnrti_test_006015", "source": "dnrti_test"}} {"text": "If you haven't heard about it for some reason , I would recommend to read this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries .", "spans": {"Organization: Group-IB": [[98, 106]]}, "info": {"id": "dnrti_test_006016", "source": "dnrti_test"}} {"text": "The group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 .", "spans": {"Organization: group": [[4, 9]], "System: spear-phishing e-mails": [[28, 50]]}, "info": {"id": "dnrti_test_006017", "source": "dnrti_test"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {"Organization: group": [[4, 9]], "Malware: legitimate administration tools": [[15, 46]]}, "info": {"id": "dnrti_test_006018", "source": "dnrti_test"}} {"text": "On January 12 , 2016 , Cylance published a blog linking 
an exploit document to the group Mandiant refers to as APT2 and CrowdStrike as \" Putter Panda \" .", "spans": {"Organization: Cylance": [[23, 30]], "Organization: Mandiant": [[89, 97]], "Organization: APT2": [[111, 115]], "Organization: CrowdStrike": [[120, 131]], "Organization: Putter Panda": [[137, 149]]}, "info": {"id": "dnrti_test_006019", "source": "dnrti_test"}} {"text": "In 2016 , Unit 42 launched an unprecedented analytic effort focused on developing a modern assessment of the size , scope and complexity of this threat .", "spans": {"Organization: Unit 42": [[10, 17]]}, "info": {"id": "dnrti_test_006020", "source": "dnrti_test"}} {"text": "In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain .", "spans": {"Organization: Unit 42": [[10, 17]], "Organization: cybercriminals": [[118, 132]]}, "info": {"id": "dnrti_test_006021", "source": "dnrti_test"}} {"text": "A few months later , in February 2017 , the FBI published a press release revising its estimates and stating that \" Since January 2015 , there has been a 1,300 percent increase in identified exposed losses , now totaling over $3 billion \" Recognizing the significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier .", "spans": {"Organization: FBI": [[44, 47]], "Organization: threat group": [[276, 288]], "Organization: Unit 42": [[291, 298]], "Organization: SilverTerrier": [[375, 388]]}, "info": {"id": "dnrti_test_006022", "source": "dnrti_test"}} {"text": "In the 2016 Internet Crime Report published by the FBI , BEC was specifically highlighted as a \" Hot Topic \" , having been attributed to more than US$360 million in losses and gaining status as its own category of attack .", "spans": {"Organization: FBI": [[51, 54]]}, "info": {"id": "dnrti_test_006023", "source": "dnrti_test"}} {"text": "Recognizing the 
significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier .", "spans": {"Organization: threat group": [[37, 49]], "Organization: Unit 42": [[52, 59]], "Organization: SilverTerrier": [[136, 149]]}, "info": {"id": "dnrti_test_006024", "source": "dnrti_test"}} {"text": "Pony is a fairly common malware family that has existed in various forms since 2012 , with our first indications of Nigerian use occurring in August 2014 .", "spans": {"Malware: Pony": [[0, 4]]}, "info": {"id": "dnrti_test_006025", "source": "dnrti_test"}} {"text": "Of the four , KeyBase stands out due to its rapid rise in popularity , with a peak deployment of 160 samples per month and usage by 46 separate SilverTerrier actors , followed by a fairly rapid decline .", "spans": {"Malware: KeyBase": [[14, 21]], "Organization: SilverTerrier actors": [[144, 164]]}, "info": {"id": "dnrti_test_006026", "source": "dnrti_test"}} {"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems .", "spans": {"Malware: NetWire": [[0, 7]], "Malware: DarkComet": [[10, 19]], "Malware: NanoCore": [[22, 30]], "Malware: LuminosityLink": [[33, 47]], "Malware: Remcos": [[50, 56]], "Malware: Imminent Monitor": [[61, 77]]}, "info": {"id": "dnrti_test_006027", "source": "dnrti_test"}} {"text": "Unit 42 analyzed the use of these six malware families and found that Nigerian actors are currently producing an average of 146 unique samples of malware per month ( see Figure 6 ) .", "spans": {"Organization: Unit 42": [[0, 7]], "Organization: actors": [[79, 85]]}, "info": {"id": "dnrti_test_006028", "source": "dnrti_test"}} {"text": "Given this requirement , SilverTerrier actors often rely on Dynamic DNS and virtual private servers to provide a layer of obfuscation to protect their identities .", "spans": {"Organization: SilverTerrier actors": [[25, 45]], "Malware: 
Dynamic DNS": [[60, 71]], "Malware: virtual private servers": [[76, 99]]}, "info": {"id": "dnrti_test_006029", "source": "dnrti_test"}} {"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk .", "spans": {"System: email scams": [[11, 22]], "Organization: SilverTerrier actors": [[25, 45]]}, "info": {"id": "dnrti_test_006030", "source": "dnrti_test"}} {"text": "Unit 42 tracks roughly 300 SilverTerrier actors who have registered a combined 11,600 domains over the past five years .", "spans": {"Organization: Unit 42": [[0, 7]], "Organization: SilverTerrier actors": [[27, 47]]}, "info": {"id": "dnrti_test_006031", "source": "dnrti_test"}} {"text": "To support the rapid growth and pace of malware distribution efforts , SilverTerrier actors are in constant need of domains to serve as C2 nodes .", "spans": {"Organization: SilverTerrier actors": [[71, 91]]}, "info": {"id": "dnrti_test_006032", "source": "dnrti_test"}} {"text": "To that end , it is very unlikely that the United States government or Shell , a global energy company , would commission SilverTerrier actors to develop domains that impersonate their own legitimate websites and services .", "spans": {"Organization: global energy company": [[81, 102]], "Organization: SilverTerrier actors": [[122, 142]]}, "info": {"id": "dnrti_test_006033", "source": "dnrti_test"}} {"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google® , Facebook® , MySpace® , Instagram® , and various dating and blogging sites .", "spans": {"Organization: Google®": [[131, 138]], "Organization: Facebook®": [[141, 150]], "Organization: MySpace®": [[153, 161]], "Organization: Instagram®": [[164, 174]], "Organization: dating and blogging sites": [[189, 214]]}, "info": {"id": "dnrti_test_006034", "source": "dnrti_test"}} {"text": "Earlier this year , 
Cybereason identified an advanced , persistent attack targeting telecommunications providers that has been underway for years , soon after deploying into the environment .", "spans": {"Organization: Cybereason": [[20, 30]], "Organization: telecommunications providers": [[84, 112]]}, "info": {"id": "dnrti_test_006035", "source": "dnrti_test"}} {"text": "Based on the data available to us , Operation Soft Cell has been active since at least 2012 , though some evidence suggests even earlier activity by the threat actor against telecommunications providers .", "spans": {"Organization: threat actor": [[153, 165]], "Organization: telecommunications providers": [[174, 202]]}, "info": {"id": "dnrti_test_006036", "source": "dnrti_test"}} {"text": "Threat actors , especially those at the level of nation state , are seeking opportunities to attack these organizations , conducting elaborate , advanced operations to gain leverage , seize strategic assets , and collect information .", "spans": {"Organization: Threat actors": [[0, 13]]}, "info": {"id": "dnrti_test_006037", "source": "dnrti_test"}} {"text": "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors , such as APT10 , a threat actor believed to operate on behalf of the Chinese Ministry of State Security .", "spans": {"Organization: threat actors": [[91, 104]], "Organization: APT10": [[115, 120]], "Organization: threat actor": [[125, 137]]}, "info": {"id": "dnrti_test_006038", "source": "dnrti_test"}} {"text": "The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory .", "spans": {"Organization: threat actor": [[4, 16]]}, "info": {"id": "dnrti_test_006039", "source": "dnrti_test"}} {"text": "The attack began with a web shell running on a vulnerable , publicly-facing server , from which the attackers gathered information about the network and propagated across the network .", "spans": {"Malware: web 
shell": [[24, 33]], "Organization: attackers": [[100, 109]]}, "info": {"id": "dnrti_test_006040", "source": "dnrti_test"}} {"text": "The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process .", "spans": {"Malware: w3wp.exe": [[117, 125]]}, "info": {"id": "dnrti_test_006041", "source": "dnrti_test"}} {"text": "An investigation of the web shell , later classified as a modified version of the China Chopper web shell , uncovered several attack phases and TTPs .", "spans": {"Malware: China Chopper web shell": [[82, 105]]}, "info": {"id": "dnrti_test_006042", "source": "dnrti_test"}} {"text": "The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools .", "spans": {"Organization: threat actor": [[4, 16]], "Malware: web shell": [[42, 51]]}, "info": {"id": "dnrti_test_006043", "source": "dnrti_test"}} {"text": "The web shell parameters in this attack match to the China Chopper parameters , as described in FireEye 's analysis of China Chopper .", "spans": {"Organization: China Chopper": [[53, 66], [119, 132]], "Organization: FireEye": [[96, 103]]}, "info": {"id": "dnrti_test_006044", "source": "dnrti_test"}} {"text": "It is used to remotely control web servers , and has been used in many attacks against Australian web hosting providers .", "spans": {"Organization: hosting providers": [[102, 119]]}, "info": {"id": "dnrti_test_006045", "source": "dnrti_test"}} {"text": "This tool has been used by several Chinese-affiliated threat actors , such as APT 27 and APT 40 .", "spans": {"Organization: threat actors": [[54, 67]], "Organization: APT 27": [[78, 84]], "Organization: APT 40": [[89, 95]]}, "info": {"id": "dnrti_test_006046", "source": "dnrti_test"}} {"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes .", "spans": {"Organization: threat actor": [[53, 65]], 
"Malware: mimikatz": [[81, 89]]}, "info": {"id": "dnrti_test_006047", "source": "dnrti_test"}} {"text": "The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets .", "spans": {"Organization: threat actor": [[4, 16]], "Malware: WMI": [[27, 30]], "Malware: PsExec": [[35, 41]]}, "info": {"id": "dnrti_test_006048", "source": "dnrti_test"}} {"text": "Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest .", "spans": {"Malware: Nbtscan": [[0, 7]], "Organization: APT10": [[25, 30]]}, "info": {"id": "dnrti_test_006049", "source": "dnrti_test"}} {"text": "A second method the threat actor used to maintain access across the compromised assets was through the deployment of the PoisonIvy RAT ( PIVY ) .", "spans": {"Organization: threat actor": [[20, 32]], "Malware: PoisonIvy RAT": [[121, 134]], "Malware: PIVY": [[137, 141]]}, "info": {"id": "dnrti_test_006050", "source": "dnrti_test"}} {"text": "This infamous RAT has been associated with many different Chinese threat actors , including APT10 , APT1 , and DragonOK .", "spans": {"Malware: RAT": [[14, 17]], "Organization: threat actors": [[66, 79]], "Organization: APT10": [[92, 97]], "Organization: APT1": [[100, 104]], "Organization: DragonOK": [[111, 119]]}, "info": {"id": "dnrti_test_006051", "source": "dnrti_test"}} {"text": "It is a powerful , multi-featured RAT that lets a threat actor take total control over a machine .", "spans": {"Malware: multi-featured RAT": [[19, 37]], "Organization: threat actor": [[50, 62]]}, "info": {"id": "dnrti_test_006052", "source": "dnrti_test"}} {"text": "In an attempt to hide the contents of the stolen data , the threat actor used winrar to compress and password-protect it .", "spans": {"Organization: threat actor": [[60, 72]], "Malware: winrar": [[78, 84]]}, "info": {"id": "dnrti_test_006053", "source": "dnrti_test"}} {"text": "The winrar binaries 
and compressed data were found mostly in the Recycle Bin folder , a TTP that was previously observed in APT10-related attacks , as well as others .", "spans": {"Malware: winrar": [[4, 10]], "Malware: Recycle Bin folder": [[65, 83]], "Malware: TTP": [[88, 91]]}, "info": {"id": "dnrti_test_006054", "source": "dnrti_test"}} {"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic .", "spans": {"Malware: connection bouncer": [[7, 25]], "Organization: threat actor": [[42, 54]]}, "info": {"id": "dnrti_test_006055", "source": "dnrti_test"}} {"text": "In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran .", "spans": {"Organization: threat actor": [[87, 99]], "Malware: hTran": [[131, 136]]}, "info": {"id": "dnrti_test_006056", "source": "dnrti_test"}} {"text": "There have been numerous reports of hTran being used by different Chinese threat actors , including : APT3 , APT27 and DragonOK .", "spans": {"Malware: hTran": [[36, 41]], "Organization: threat actors": [[74, 87]], "Organization: APT3": [[102, 106]], "Organization: APT27": [[109, 114]], "Organization: DragonOK": [[119, 127]]}, "info": {"id": "dnrti_test_006057", "source": "dnrti_test"}} {"text": "The threat actor made some modifications to the original source code of hTran .", "spans": {"Organization: threat actor": [[4, 16]], "Malware: hTran": [[72, 77]]}, "info": {"id": "dnrti_test_006058", "source": "dnrti_test"}} {"text": "The threat actor had a specific pattern of behavior that allowed us to understand their modus operandi : they used one server with the same IP address for multiple operations .", "spans": {"Organization: threat actor": [[4, 16]]}, "info": {"id": "dnrti_test_006059", "source": "dnrti_test"}} {"text": "There are previous reports of threat actors including APT10 and APT1 using dynamic DNS .", "spans": {"Organization: 
threat actors": [[30, 43]], "Organization: APT10": [[54, 59]], "Organization: APT1": [[64, 68]], "Malware: dynamic DNS": [[75, 86]]}, "info": {"id": "dnrti_test_006060", "source": "dnrti_test"}} {"text": "Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"Organization: threat actor": [[73, 85]], "Organization: specific individuals": [[125, 145]]}, "info": {"id": "dnrti_test_006061", "source": "dnrti_test"}} {"text": "The data exfiltrated by this threat actor , in conjunction with the TTPs and tools used , allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state , and is affiliated with China .", "spans": {"Organization: threat actor": [[29, 41], [152, 164]]}, "info": {"id": "dnrti_test_006062", "source": "dnrti_test"}} {"text": "Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia .", "spans": {"Organization: Symantec": [[0, 8]], "Malware: Felismus": [[135, 143]]}, "info": {"id": "dnrti_test_006063", "source": "dnrti_test"}} {"text": "Symantec saw the first evidence of Sowbug group with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Sowbug group": [[35, 47]], "Malware: Felismus": [[124, 132]]}, "info": {"id": "dnrti_test_006064", "source": "dnrti_test"}} {"text": "Symantec has also been able to connect earlier attack campaigns with Sowbug , demonstrating that it has been active since at least early-2015 and may have been operating even earlier .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Sowbug": [[69, 75]]}, "info": {"id": "dnrti_test_006065", "source": "dnrti_test"}} 
{"text": "To date , Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina , Brazil , Ecuador , Peru , Brunei and Malaysia .", "spans": {"Organization: Sowbug": [[10, 16]], "Organization: government entities": [[49, 68]], "Organization: infiltrated organizations": [[113, 138]]}, "info": {"id": "dnrti_test_006066", "source": "dnrti_test"}} {"text": "For example , in a 2015 attack on one South American foreign ministry , the group appeared to be searching for very specific information .", "spans": {"Organization: group": [[76, 81]]}, "info": {"id": "dnrti_test_006067", "source": "dnrti_test"}} {"text": "The first evidence of its intrusion dated from May 6 , 2015 but activity appeared to have begun in earnest on May 12 .", "spans": {}, "info": {"id": "dnrti_test_006068", "source": "dnrti_test"}} {"text": "In total , the attackers maintained a presence on the target 's network for four months between May and September 2015 .", "spans": {"Organization: attackers": [[15, 24]]}, "info": {"id": "dnrti_test_006069", "source": "dnrti_test"}} {"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply .", "spans": {"Organization: groups": [[28, 34]], "Organization: government": [[83, 93]]}, "info": {"id": "dnrti_test_006070", "source": "dnrti_test"}} {"text": "Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims .", "spans": {"Malware: KHNP documents": [[20, 34]], "Organization: actors": [[54, 60]], "Organization: South Korean Government": [[134, 157]]}, "info": {"id": "dnrti_test_006071", "source": 
"dnrti_test"}} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide .", "spans": {}, "info": {"id": "dnrti_test_006072", "source": "dnrti_test"}} {"text": "FireEye has detected more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: groups": [[47, 53]]}, "info": {"id": "dnrti_test_006073", "source": "dnrti_test"}} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"Organization: banker": [[64, 70]]}, "info": {"id": "dnrti_test_006074", "source": "dnrti_test"}} {"text": "FormBook OverviewFormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016 .", "spans": {"Malware: FormBook OverviewFormBook": [[0, 25]]}, "info": {"id": "dnrti_test_006075", "source": "dnrti_test"}} {"text": "The malware may inject itself into browser processes and explorer.exe .", "spans": {"Malware: malware": [[4, 11]], "System: inject itself": [[16, 29]], "Malware: explorer.exe": [[57, 69]]}, "info": {"id": "dnrti_test_006076", "source": "dnrti_test"}} {"text": "The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware .", "spans": {"Organization: attackers": [[4, 13]]}, "info": {"id": "dnrti_test_006077", "source": "dnrti_test"}} {"text": "Much of the activity was observed in the United States (Figure 11) , and the most targeted industry vertical was Aerospace/Defense Contractors (Figure 12) .", "spans": {}, "info": {"id": "dnrti_test_006078", "source": "dnrti_test"}} {"text": "In the last few weeks , FormBook was seen downloading other malware families such as NanoCore .", 
"spans": {"Malware: FormBook": [[24, 32]], "Malware: NanoCore": [[85, 93]]}, "info": {"id": "dnrti_test_006079", "source": "dnrti_test"}} {"text": "We have associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government .", "spans": {"Organization: APT19": [[38, 43]], "Organization: Chinese": [[137, 144]], "Organization: government": [[145, 155]]}, "info": {"id": "dnrti_test_006080", "source": "dnrti_test"}} {"text": "The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents .", "spans": {"Organization: FireEye": [[76, 83]], "Malware: malicious documents": [[122, 141]]}, "info": {"id": "dnrti_test_006081", "source": "dnrti_test"}} {"text": "We have previously observed APT19 steal data from law and investment firms for competitive economic purposes .", "spans": {"Organization: APT19": [[28, 33]]}, "info": {"id": "dnrti_test_006082", "source": "dnrti_test"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"Vulnerability: CVE-2017-1099": [[71, 84]], "Malware: RTF attachments": [[100, 115]]}, "info": {"id": "dnrti_test_006083", "source": "dnrti_test"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"System: phishing lures": [[19, 33]], "Malware: RTF attachments": [[44, 59]], "Vulnerability: CVE-2017-0199": [[124, 137]]}, "info": {"id": "dnrti_test_006084", "source": "dnrti_test"}} {"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations .", "spans": {"Organization: APT32": [[41, 46]]}, "info": {"id": "dnrti_test_006085", "source": "dnrti_test"}} {"text": "This focused intelligence and detection effort 
led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions , consolidating four previously unrelated clusters of threat actor activity into FireEye’s newest named advanced persistent threat group: APT32 .", "spans": {"Organization: FireEye’s": [[254, 263]], "Organization: APT32": [[311, 316]]}, "info": {"id": "dnrti_test_006086", "source": "dnrti_test"}} {"text": "In mid-2016 , malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam .", "spans": {"Organization: mid-2016": [[3, 11]], "Organization: FireEye": [[27, 34]], "Organization: APT32": [[60, 65]]}, "info": {"id": "dnrti_test_006087", "source": "dnrti_test"}} {"text": "In March 2017 , in response to active targeting of FireEye clients , the team launched a Community Protection Event (CPE) – a coordinated effort between Mandiant incident responders , FireEye as a Service (FaaS) , FireEye iSight Intelligence , and FireEye product engineering – to protect all clients from APT32 activity .", "spans": {"Organization: FireEye": [[51, 58], [184, 191], [248, 255]], "Organization: Mandiant": [[153, 161]], "Organization: FireEye iSight Intelligence": [[214, 241]], "Organization: APT32": [[306, 311]]}, "info": {"id": "dnrti_test_006088", "source": "dnrti_test"}} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros .", "spans": {"Organization: APT32": [[28, 33]], "Malware: ActiveMime files": [[48, 64]], "System: social engineering": [[77, 95]]}, "info": {"id": "dnrti_test_006089", "source": "dnrti_test"}} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails .", "spans": {"Organization: APT32": [[0, 5]], "Malware: malicious attachments": [[37, 58]], "System: spear-phishing": [[63, 77]]}, "info": {"id": 
"dnrti_test_006090", "source": "dnrti_test"}} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits .", "spans": {"Organization: APT19": [[0, 5]], "Malware: Microsoft Excel files": [[57, 78]]}, "info": {"id": "dnrti_test_006091", "source": "dnrti_test"}} {"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures .", "spans": {"Organization: FireEye": [[25, 32]], "Organization: APT32’s": [[159, 166]], "System: phishing": [[177, 185]]}, "info": {"id": "dnrti_test_006092", "source": "dnrti_test"}} {"text": "Also in 2014 , APT32 carried out an intrusion against a Western country’s national legislature .", "spans": {"Organization: APT32": [[15, 20]]}, "info": {"id": "dnrti_test_006093", "source": "dnrti_test"}} {"text": "In 2015 , SkyEye Labs , the security research division of the Chinese firm Qihoo 360 , released a report detailing threat actors that were targeting Chinese public and private entities including government agencies , research institutes , maritime agencies , sea construction , and shipping enterprises .", "spans": {"Organization: SkyEye Labs": [[10, 21]], "Organization: Qihoo 360": [[75, 84]], "Organization: government agencies": [[195, 214]], "Organization: research institutes": [[217, 236]], "Organization: maritime agencies": [[239, 256]], "Organization: sea construction": [[259, 275]], "Organization: shipping enterprises": [[282, 302]]}, "info": {"id": "dnrti_test_006094", "source": "dnrti_test"}} {"text": "In order to track who opened the phishing emails , viewed the links , and downloaded the attachments in real-time , APT32 used cloud-based email analytics software designed for sales organizations .", "spans": {"System: phishing": [[33, 41]], "Organization: APT32": [[116, 121]], "Organization: sales organizations": [[177, 196]]}, "info": 
{"id": "dnrti_test_006095", "source": "dnrti_test"}} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing , consumer products , and hospitality sectors .", "spans": {"Organization: FireEye": [[22, 29]], "Organization: APT32": [[43, 48]], "Organization: manufacturing": [[116, 129]], "Organization: consumer products": [[132, 149]], "Organization: hospitality sectors": [[156, 175]]}, "info": {"id": "dnrti_test_006096", "source": "dnrti_test"}} {"text": "Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: APT32": [[34, 39]]}, "info": {"id": "dnrti_test_006097", "source": "dnrti_test"}} {"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor .", "spans": {"Organization: APT32": [[0, 5]], "Malware: backdoors": [[26, 35]], "Organization: Cobalt Strike": [[74, 87]], "Malware: BEACON": [[88, 94]], "Malware: backdoor": [[95, 103]]}, "info": {"id": "dnrti_test_006098", "source": "dnrti_test"}} {"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country .", "spans": {"Organization: APT32": [[45, 50]], "Organization: FireEye": [[66, 73]]}, "info": {"id": "dnrti_test_006099", "source": "dnrti_test"}} {"text": "While the motivation for each APT32 private sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations .", "spans": {"Organization: APT32": [[30, 35]]}, "info": {"id": "dnrti_test_006100", "source": "dnrti_test"}} {"text": "While actors from China , 
Iran , Russia , and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye , APT32 reflects a growing host of new countries that have adopted this dynamic capability .", "spans": {"Organization: FireEye": [[133, 140]], "Organization: APT32": [[143, 148]]}, "info": {"id": "dnrti_test_006101", "source": "dnrti_test"}} {"text": "Several Mandiant investigations revealed that , after gaining access , APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework .", "spans": {"Organization: Mandiant": [[8, 16]], "Organization: APT32": [[71, 76]], "Malware: PowerShell-based tools": [[149, 171]]}, "info": {"id": "dnrti_test_006102", "source": "dnrti_test"}} {"text": "Furthermore , APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide .", "spans": {"Organization: APT32": [[14, 19]], "Organization: public sector": [[103, 116]]}, "info": {"id": "dnrti_test_006103", "source": "dnrti_test"}} {"text": "North Korea's Office 39 is involved in activities such as gold smuggling , counterfeiting foreign currency , and even operating restaurants .", "spans": {}, "info": {"id": "dnrti_test_006104", "source": "dnrti_test"}} {"text": "With these details , we will then draw some conclusions about the operators of CARBANAK .", "spans": {"Organization: CARBANAK": [[79, 87]]}, "info": {"id": "dnrti_test_006105", "source": "dnrti_test"}} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time .", "spans": {"Malware: CARBANAK": [[80, 88]]}, "info": {"id": "dnrti_test_006106", "source": "dnrti_test"}} {"text": "Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds .", "spans": 
{"Organization: Mandiant": [[17, 25]]}, "info": {"id": "dnrti_test_006107", "source": "dnrti_test"}} {"text": "February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28’s Xagent malware , and a new Trojan ransomware .", "spans": {"Organization: attacker": [[181, 189]], "Organization: APT28’s": [[211, 218]], "Malware: Trojan ransomware": [[246, 263]]}, "info": {"id": "dnrti_test_006108", "source": "dnrti_test"}} {"text": "Per a 2015 report from CitizenLab , Gamma Group licenses their software to clients and each client uses unique infrastructure , making it likely that the two documents are being used by a single client .", "spans": {"Organization: CitizenLab": [[23, 33]], "Organization: Gamma Group": [[36, 47]], "Organization: infrastructure": [[111, 125]]}, "info": {"id": "dnrti_test_006109", "source": "dnrti_test"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Malware: LATENTBOT malware": [[99, 116]]}, "info": {"id": "dnrti_test_006110", "source": "dnrti_test"}} {"text": "LATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015 .", "spans": {"Malware: LATENTBOT": [[0, 9]], "Organization: FireEye iSIGHT intelligence": [[81, 108]]}, "info": {"id": "dnrti_test_006111", "source": "dnrti_test"}} {"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality .", "spans": {}, "info": {"id": "dnrti_test_006112", "source": "dnrti_test"}} {"text": "Additionally , this incident exposes the global nature of cyber threats and the value of worldwide perspective – 
a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere .", "spans": {}, "info": {"id": "dnrti_test_006113", "source": "dnrti_test"}} {"text": "Recent DRIDEX activity began following a disclosure on April 7 , 2017 .", "spans": {}, "info": {"id": "dnrti_test_006114", "source": "dnrti_test"}} {"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan .", "spans": {"Organization: government": [[37, 47]]}, "info": {"id": "dnrti_test_006115", "source": "dnrti_test"}} {"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan .", "spans": {"Organization: government sector": [[37, 54]]}, "info": {"id": "dnrti_test_006116", "source": "dnrti_test"}} {"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: actors": [[26, 32]], "Vulnerability: CVE-2017-0261": [[120, 133]], "Organization: APT28": [[140, 145]], "Vulnerability: CVE-2017-0262": [[180, 193]], "Vulnerability: CVE-2017-0263": [[250, 263]]}, "info": {"id": "dnrti_test_006117", "source": "dnrti_test"}} {"text": "Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities .", "spans": {"Organization: Turla": [[0, 5]], "Organization: APT28": [[10, 15]]}, "info": {"id": "dnrti_test_006118", "source": "dnrti_test"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"Malware: st07383.en17.docx": [[12, 29]], "Vulnerability: 
CVE-2017-0001": [[80, 93]], "Malware: SHIRIME": [[199, 206]]}, "info": {"id": "dnrti_test_006119", "source": "dnrti_test"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]]}, "info": {"id": "dnrti_test_006120", "source": "dnrti_test"}} {"text": "It is possible that CVE-2017-8759 was being used by additional actors .", "spans": {"Vulnerability: CVE-2017-8759": [[20, 33]], "Organization: actors": [[63, 69]]}, "info": {"id": "dnrti_test_006121", "source": "dnrti_test"}} {"text": "Russian cyber espionage actors use zero-day exploits in addition to less complex measures .", "spans": {}, "info": {"id": "dnrti_test_006122", "source": "dnrti_test"}} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities .", "spans": {"Vulnerability: EternalBlue": [[20, 31]], "Malware: Metasploit": [[43, 53]], "Organization: actors": [[82, 88]]}, "info": {"id": "dnrti_test_006123", "source": "dnrti_test"}} {"text": "Given the release of sensitive victim data , extortion , and destruction of systems , FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far .", "spans": {"Organization: FireEye": [[86, 93]], "Organization: FIN10": [[104, 109]]}, "info": {"id": "dnrti_test_006124", "source": "dnrti_test"}} {"text": "To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe” utility to register a custom shim database file containing a patch onto a system .", "spans": {"Organization: FIN7": [[66, 70]], "Malware: PowerShell script": [[100, 117]], "Malware: sdbinst.exe”": [[134, 146]]}, "info": {"id": "dnrti_test_006125", "source": "dnrti_test"}} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim 
database to patch both the 32-bit and 64-bit versions of services.exe” with their CARBANAK payload .", "spans": {"Organization: Mandiant": [[28, 36]], "Organization: FIN7": [[51, 55]], "Malware: services.exe”": [[132, 145]], "Malware: CARBANAK": [[157, 165]]}, "info": {"id": "dnrti_test_006126", "source": "dnrti_test"}} {"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware .", "spans": {"Organization: FIN7": [[0, 4]], "System: spear phishing": [[88, 102]]}, "info": {"id": "dnrti_test_006127", "source": "dnrti_test"}} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of “services.exe” with their CARBANAK payload .", "spans": {"Organization: Mandiant": [[28, 36]], "Organization: FIN7": [[51, 55]], "Malware: CARBANAK": [[158, 166]]}, "info": {"id": "dnrti_test_006128", "source": "dnrti_test"}} {"text": "CARBANAK malware has been used heavily by FIN7 in previous operations .", "spans": {"Malware: CARBANAK": [[0, 8]], "Organization: FIN7": [[42, 46]]}, "info": {"id": "dnrti_test_006129", "source": "dnrti_test"}} {"text": "We have not yet identified FIN7’s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft .", "spans": {"Organization: FIN7’s": [[27, 33]], "Malware: malicious emails": [[113, 129]]}, "info": {"id": "dnrti_test_006130", "source": "dnrti_test"}} {"text": "If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse .", "spans": {"Organization: attackers": [[7, 16]]}, "info": {"id": "dnrti_test_006131", "source": "dnrti_test"}} {"text": "The use of the CARBANAK malware in FIN7 operations 
also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes .", "spans": {"Malware: CARBANAK malware": [[15, 31]], "Organization: FIN7": [[35, 39]]}, "info": {"id": "dnrti_test_006132", "source": "dnrti_test"}} {"text": "Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign .", "spans": {"Malware: phishing email": [[24, 38]]}, "info": {"id": "dnrti_test_006133", "source": "dnrti_test"}} {"text": "The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications .", "spans": {"Malware: HawkEye malware": [[4, 19]]}, "info": {"id": "dnrti_test_006134", "source": "dnrti_test"}} {"text": "HawkEye is a versatile Trojan used by diverse actors for multiple purposes .", "spans": {"Malware: HawkEye": [[0, 7]], "Organization: actors": [[46, 52]]}, "info": {"id": "dnrti_test_006135", "source": "dnrti_test"}} {"text": "We have seen different HawkEye campaigns infecting organizations across many sectors globally , and stealing user credentials for diverse online services .", "spans": {"Organization: HawkEye": [[23, 30]]}, "info": {"id": "dnrti_test_006136", "source": "dnrti_test"}} {"text": "Mandiant disclosed these vulnerabilities to Lenovo in May of 2016 .", "spans": {"Organization: Mandiant": [[0, 8]]}, "info": {"id": "dnrti_test_006137", "source": "dnrti_test"}} {"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends .", "spans": {"Organization: M-Trends": [[8, 16]]}, "info": {"id": "dnrti_test_006138", "source": "dnrti_test"}} {"text": "As we noted in M-Trends 2016 , Mandiant’s Red Team can obtain access to domain administrator 
credentials within roughly three days of gaining initial access to an environment , so 99 days is still 96 days too long .", "spans": {"Organization: M-Trends": [[15, 23]], "Organization: Mandiant’s": [[31, 41]]}, "info": {"id": "dnrti_test_006139", "source": "dnrti_test"}} {"text": "On top of our analysis of recent trends , M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year .", "spans": {"Organization: M-Trends": [[42, 50]], "Organization: FireEye": [[83, 90]]}, "info": {"id": "dnrti_test_006140", "source": "dnrti_test"}} {"text": "In Figure 1 , which is based on FireEye Dynamic threat Intelligence (DTI) reports shared in March 2017 , we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017 .", "spans": {"Organization: FireEye": [[32, 39]]}, "info": {"id": "dnrti_test_006141", "source": "dnrti_test"}} {"text": "Magnitude EK activity then fell off the radar until Oct. 
15 , 2017 , when it came back and began focusing solely on South Korea .", "spans": {"Malware: Magnitude EK": [[0, 12]]}, "info": {"id": "dnrti_test_006142", "source": "dnrti_test"}} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched .", "spans": {"Malware: Magnitude EK": [[4, 16]], "Vulnerability: CVE-2016-0189": [[43, 56]], "Organization: FireEye": [[87, 94]], "Malware: Neutrino Exploit Kit": [[112, 132]]}, "info": {"id": "dnrti_test_006143", "source": "dnrti_test"}} {"text": "Throughout the final quarter of 2016 and first month of 2017 , FireEye Dynamic Threat Intelligence (DTI) observed consistent Magnitude EK hits from several customers , the majority of whom reside in the APAC region .", "spans": {"Organization: FireEye": [[63, 70]], "Malware: Magnitude EK": [[125, 137]]}, "info": {"id": "dnrti_test_006144", "source": "dnrti_test"}} {"text": "In January 2017 , new domain names appeared in the campaign hosted on a different IP location .", "spans": {}, "info": {"id": "dnrti_test_006145", "source": "dnrti_test"}} {"text": "Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms .", "spans": {"Malware: regsvr32.exe": [[25, 37]], "Organization: APT19": [[82, 87]], "Organization: law firms": [[119, 128]]}, "info": {"id": "dnrti_test_006146", "source": "dnrti_test"}} {"text": "This trend continued until late September 2017 , when we saw Magnitude EK focus primarily on the APAC region , with a large chunk targeting South Korea .", "spans": {"Malware: Magnitude EK": [[61, 73]]}, "info": {"id": "dnrti_test_006147", "source": "dnrti_test"}} {"text": "These ransomware payloads only seem to target Korean systems , since they won’t execute if the system language is not Korean .", "spans": {"Malware: ransomware": [[6, 16]]}, "info": {"id": "dnrti_test_006148", "source": "dnrti_test"}} 
{"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 .", "spans": {"Malware: malware": [[4, 11]], "System: stolen credentials": [[116, 134]], "System: SMB exploits": [[139, 151]], "Malware: EternalBlue exploit": [[168, 187]], "Organization: WannaCry": [[200, 208]]}, "info": {"id": "dnrti_test_006149", "source": "dnrti_test"}} {"text": "In our Revoke-Obfuscation white paper , first presented at Black Hat USA 2017 , we provide background on obfuscated PowerShell attacks seen in the wild , as well as defensive mitigation and logging best practices .", "spans": {"Organization: Black Hat": [[59, 68]]}, "info": {"id": "dnrti_test_006150", "source": "dnrti_test"}} {"text": "The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"Vulnerability: EternalBlue”": [[45, 57]], "Organization: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_test_006151", "source": "dnrti_test"}} {"text": "The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data .", "spans": {"Malware: malware": [[4, 11]], "Malware: .WCRY extension": [[50, 65]]}, "info": {"id": "dnrti_test_006152", "source": "dnrti_test"}} {"text": "The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality .", "spans": {"Malware: malware": [[4, 11]], "Malware: DLLs": [[28, 32]]}, "info": {"id": "dnrti_test_006153", "source": "dnrti_test"}} {"text": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security .", "spans": {"Malware: malware": [[4, 11]], "Malware: mssecsvc2.0": [[50, 61]]}, "info": {"id": "dnrti_test_006154", 
"source": "dnrti_test"}} {"text": "The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe .", "spans": {"Malware: malware": [[4, 11]], "Malware: file": [[51, 55]]}, "info": {"id": "dnrti_test_006155", "source": "dnrti_test"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"Malware: flare-qdb": [[18, 27]]}, "info": {"id": "dnrti_test_006156", "source": "dnrti_test"}} {"text": "Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb .", "spans": {"Malware: IDA Pro": [[15, 22]], "Malware: WinDbg": [[27, 33]]}, "info": {"id": "dnrti_test_006157", "source": "dnrti_test"}} {"text": "We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016 .", "spans": {}, "info": {"id": "dnrti_test_006158", "source": "dnrti_test"}} {"text": "In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations .", "spans": {"Organization: crime group": [[105, 116]]}, "info": {"id": "dnrti_test_006159", "source": "dnrti_test"}} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices .", "spans": {"Organization: actors": [[11, 17]], "Organization: FireEye Labs": [[32, 44]], "System: compromising payment card": [[249, 274]]}, "info": {"id": "dnrti_test_006160", "source": "dnrti_test"}} {"text": "Once in their possession , the actors use these compromised payment card credentials to generate further card information .", "spans": {"Organization: actors": 
[[31, 37]]}, "info": {"id": "dnrti_test_006161", "source": "dnrti_test"}} {"text": "The members of the group use a variety of tools , including CCleaner , on a daily basis to effectively remove any evidence of their operations .", "spans": {"Organization: group": [[19, 24]], "Malware: CCleaner": [[60, 68]]}, "info": {"id": "dnrti_test_006162", "source": "dnrti_test"}} {"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified .", "spans": {"Organization: actors": [[36, 42]], "System: changing their system's": [[46, 69]]}, "info": {"id": "dnrti_test_006163", "source": "dnrti_test"}} {"text": "For this purpose , these actors often use tools such as Technitium MAC Address Changer .", "spans": {"Organization: actors": [[25, 31]], "Malware: Technitium MAC Address Changer": [[56, 86]]}, "info": {"id": "dnrti_test_006164", "source": "dnrti_test"}} {"text": "We have observed these actors using Tor or proxy-based tools similar to Tor (e.g , UltraSurf , as seen in Figure 2) .", "spans": {"Organization: actors": [[23, 29]], "Malware: Tor": [[36, 39]], "Malware: proxy-based tools": [[43, 60]]}, "info": {"id": "dnrti_test_006165", "source": "dnrti_test"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_test_006166", "source": "dnrti_test"}} {"text": "Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials .", "spans": {"Organization: group": [[33, 38]]}, "info": {"id": "dnrti_test_006167", "source": "dnrti_test"}} {"text": "Payment card dumps are commonly shared amongst Brazilian threat actors via social media forums such as Facebook , Skype , and web-based WhatsApp messenger .", "spans": {"Organization: actors": [[64, 70]], 
"Organization: social media forums": [[75, 94]]}, "info": {"id": "dnrti_test_006168", "source": "dnrti_test"}} {"text": "Similarly , the group takes advantage of freely available consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes .", "spans": {"Organization: group": [[16, 21]], "Malware: email credentials": [[76, 93]], "Malware: personal information": [[96, 116]]}, "info": {"id": "dnrti_test_006169", "source": "dnrti_test"}} {"text": "These actors scan websites for vulnerabilities to exploit to illicitly access databases .", "spans": {"Organization: actors": [[6, 12]]}, "info": {"id": "dnrti_test_006170", "source": "dnrti_test"}} {"text": "They most commonly target Brazilian merchants , though others use the same tactics to exploit entities outside Brazil .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_test_006171", "source": "dnrti_test"}} {"text": "The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites .", "spans": {"Organization: group": [[4, 9]], "Malware: SQL injection": [[24, 37]]}, "info": {"id": "dnrti_test_006172", "source": "dnrti_test"}} {"text": "At least eight sellers update the website as frequently as daily , offering newly obtained databases from the U.S .", "spans": {"Organization: sellers": [[15, 22]]}, "info": {"id": "dnrti_test_006173", "source": "dnrti_test"}} {"text": "Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating additional opportunities for monetization .", "spans": {"Malware: card credentials": [[42, 58]], "Organization: actors": [[67, 73]]}, "info": {"id": "dnrti_test_006174", "source": "dnrti_test"}} {"text": "One bulk card-checking tool this group uses is Testador Amazon.com 
v1.1 (Figure 8). Despite its name , this tool does not use Amazon’s website , but exploits an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability of a merchant website allowing the abuse of PayPal Payflow link functionality (Figure 9) .", "spans": {"Malware: bulk card-checking": [[4, 22]], "Organization: group": [[33, 38]], "Malware: PayPal Payflow": [[269, 283]]}, "info": {"id": "dnrti_test_006175", "source": "dnrti_test"}} {"text": "Based on our observations of interactions in this channel , between May 2016 and June 2016 , malicious actors validated 2 , 987 cards from 62 countries , with the most coming from the U.S. (nearly half) , Brazil , and France .", "spans": {"Organization: actors": [[103, 109]]}, "info": {"id": "dnrti_test_006176", "source": "dnrti_test"}} {"text": "The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs .", "spans": {"Organization: actors": [[4, 10]]}, "info": {"id": "dnrti_test_006177", "source": "dnrti_test"}} {"text": "The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards .", "spans": {"Organization: group": [[4, 9]], "Malware: MSR 606 Software": [[29, 45]], "Malware: Hardware": [[62, 70]]}, "info": {"id": "dnrti_test_006178", "source": "dnrti_test"}} {"text": "However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods .", "spans": {"Organization: actors": [[20, 26]]}, "info": {"id": "dnrti_test_006179", "source": "dnrti_test"}} {"text": "Some attacker tools were used to almost exclusively target organizations within APAC .", "spans": {"Organization: attacker": [[5, 13]]}, "info": {"id": "dnrti_test_006180", "source": "dnrti_test"}} {"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat 
group that has exploited the networks of governments and organizations across the region , targeting highly sensitive political , economic and military information .", "spans": {"Organization: APT30": [[54, 59]], "Organization: governments": [[134, 145]], "Organization: organizations": [[150, 163]]}, "info": {"id": "dnrti_test_006181", "source": "dnrti_test"}} {"text": "The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims .", "spans": {"Organization: individuals": [[4, 15]], "Malware: Hancitor": [[22, 30]], "Malware: Chanitor": [[62, 70]]}, "info": {"id": "dnrti_test_006182", "source": "dnrti_test"}} {"text": "We recently observed Hancitor attacks against some of our FireEye Exploit Guard customers .", "spans": {"Organization: Hancitor": [[21, 29]], "Organization: FireEye": [[58, 65]]}, "info": {"id": "dnrti_test_006183", "source": "dnrti_test"}} {"text": "The group has performed these activities at multiple locations across Brazil , possibly using multiple mules .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_test_006184", "source": "dnrti_test"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_test_006185", "source": "dnrti_test"}} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor .", "spans": {"System: Microsoft Office document": [[47, 72]], "Malware: Hancitor": [[149, 157]]}, "info": {"id": "dnrti_test_006186", "source": "dnrti_test"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants 
to steal data .", "spans": {"Malware: Pony": [[48, 52]], "Malware: Vawtrak": [[57, 64]]}, "info": {"id": "dnrti_test_006187", "source": "dnrti_test"}} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan .", "spans": {"Malware: Pony malware": [[102, 114]]}, "info": {"id": "dnrti_test_006188", "source": "dnrti_test"}} {"text": "In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand .", "spans": {"Organization: FireEye": [[15, 22]], "Malware: ATM malware": [[46, 57]], "Malware: RIPPER": [[78, 84]]}, "info": {"id": "dnrti_test_006189", "source": "dnrti_test"}} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": {"Malware: RIPPER": [[0, 6]]}, "info": {"id": "dnrti_test_006190", "source": "dnrti_test"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": {"Malware: RIPPER": [[0, 6]], "Organization: ATM vendors": [[77, 88]]}, "info": {"id": "dnrti_test_006191", "source": "dnrti_test"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine .", "spans": {"Malware: RIPPER": [[58, 64]]}, "info": {"id": "dnrti_test_006192", "source": "dnrti_test"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "dnrti_test_006193", "source": "dnrti_test"}} {"text": "From our trend analysis seen in Figure 
3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August .", "spans": {"Malware: Locky": [[43, 48]]}, "info": {"id": "dnrti_test_006194", "source": "dnrti_test"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": {"Malware: Ploutus": [[55, 62]]}, "info": {"id": "dnrti_test_006195", "source": "dnrti_test"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: Ploutus": [[68, 75]], "Malware: Ploutus-D": [[85, 94]]}, "info": {"id": "dnrti_test_006196", "source": "dnrti_test"}} {"text": "The samples we identified target the ATM vendor Diebold .", "spans": {"Malware: samples": [[4, 11]], "Organization: ATM vendor Diebold": [[37, 55]]}, "info": {"id": "dnrti_test_006197", "source": "dnrti_test"}} {"text": "This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat .", "spans": {"Malware: Ploutus-D": [[84, 93]]}, "info": {"id": "dnrti_test_006198", "source": "dnrti_test"}} {"text": "Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the dispensing operation (see Figure 10) .", "spans": {"Malware: Ploutus-D": [[0, 9]], "Organization: attackers": [[26, 35]]}, "info": {"id": "dnrti_test_006199", "source": "dnrti_test"}} {"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": {"Malware: Ploutus-D": [[0, 9]]}, 
"info": {"id": "dnrti_test_006200", "source": "dnrti_test"}} {"text": "Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide .", "spans": {"Malware: Ploutus-D": [[6, 15], [88, 97]], "Organization: ATM vendors": [[139, 150]]}, "info": {"id": "dnrti_test_006201", "source": "dnrti_test"}} {"text": "Finally , Mandiant’s Devon Kerr and John Miller of FireEye iSIGHT Intelligence will expose the tactics of FIN7 , a financially motivated hacker group that FireEye tracked throughout 2016 .", "spans": {"Organization: Mandiant’s": [[10, 20]], "Organization: FireEye": [[51, 58], [155, 162]], "Organization: FIN7": [[106, 110]]}, "info": {"id": "dnrti_test_006202", "source": "dnrti_test"}} {"text": "In mid-November , Mandiant , a FireEye company , responded to the first Shamoon 2.0 incident against an organization located in the Gulf states .", "spans": {"Organization: Mandiant": [[18, 26]], "Organization: FireEye": [[31, 38]]}, "info": {"id": "dnrti_test_006203", "source": "dnrti_test"}} {"text": "These attackers can potentially grab sensitive online banking information and other personal data , and even provided support for multifactor authentication and OTP .", "spans": {"Organization: attackers": [[6, 15]]}, "info": {"id": "dnrti_test_006204", "source": "dnrti_test"}} {"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns .", "spans": {"Organization: FireEye": [[0, 7]], "System: phishing": [[26, 34]]}, "info": {"id": "dnrti_test_006205", "source": "dnrti_test"}} {"text": "Our visibility into APT28’s operations , which date to at least 2007 , has allowed us to understand the group’s malware , operational changes and motivations .", "spans": {"Organization: APT28’s": [[20, 27]]}, "info": {"id": "dnrti_test_006206", "source": "dnrti_test"}} {"text": "This intelligence has been 
critical to protecting and informing our clients , exposing this threat and strengthening our confidence in attributing APT28 to the Russian government .", "spans": {"Organization: APT28": [[147, 152]], "Organization: Russian government": [[160, 178]]}, "info": {"id": "dnrti_test_006207", "source": "dnrti_test"}} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process .", "spans": {"Organization: actors": [[11, 17]], "System: inject shellcode": [[108, 124]], "Malware: userinit.exe": [[134, 146]]}, "info": {"id": "dnrti_test_006208", "source": "dnrti_test"}} {"text": "The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument .", "spans": {"Malware: regsvr32.exe": [[4, 16]], "Malware: SCT file": [[121, 129]]}, "info": {"id": "dnrti_test_006209", "source": "dnrti_test"}} {"text": "We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file .", "spans": {"Malware: regsvr32.exe": [[70, 82]], "Malware: SCT file": [[145, 153]]}, "info": {"id": "dnrti_test_006210", "source": "dnrti_test"}} {"text": "There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet .", "spans": {"Malware: winword.exe": [[86, 97]], "Malware: Start-Process": [[116, 129]], "Malware: cmdlet": [[130, 136]]}, "info": {"id": "dnrti_test_006211", "source": "dnrti_test"}} {"text": "Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on .", "spans": {"Malware: Ordnance": [[0, 8]], "Malware: shellcode": [[101, 110]]}, "info": {"id": "dnrti_test_006212", "source": "dnrti_test"}} {"text": "Therefore , the Stuxnet MOF file creation tool that the Shadow Brokers 
dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet , as many suspect .", "spans": {"Malware: Stuxnet MOF": [[16, 27]], "Organization: NSA": [[138, 141]], "Malware: Stuxnet": [[171, 178]]}, "info": {"id": "dnrti_test_006213", "source": "dnrti_test"}} {"text": "Of course , it 's also possible that whatever group The Shadow Brokers have exposed simply gained access to the Stuxnet tools secondhand , and reused them .", "spans": {"Malware: Stuxnet tools": [[112, 125]]}, "info": {"id": "dnrti_test_006214", "source": "dnrti_test"}} {"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks .", "spans": {"Organization: NSA": [[48, 51]]}, "info": {"id": "dnrti_test_006215", "source": "dnrti_test"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"Vulnerability: Cisco exploits": [[36, 50]]}, "info": {"id": "dnrti_test_006216", "source": "dnrti_test"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines .", "spans": {"Malware: DanderSpritz": [[0, 12]]}, "info": {"id": "dnrti_test_006217", "source": "dnrti_test"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines .", "spans": {"Malware: DanderSpritz": [[0, 12]]}, "info": {"id": "dnrti_test_006218", "source": "dnrti_test"}} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": {"Malware: DarkPulsar": [[0, 10]], "Malware: backdoor": [[81, 89]], "Malware: sipauth32.tsp": [[98, 111]]}, "info": {"id": "dnrti_test_006219", "source": "dnrti_test"}} {"text": "DanderSpritz is the framework for 
controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar .", "spans": {"Malware: DanderSpritz": [[0, 12]], "Malware: FuZZbuNch": [[81, 90]], "Malware: DisableSecurity": [[196, 211]], "Malware: EnableSecurity": [[216, 230]], "Malware: DarkPulsar": [[235, 245]]}, "info": {"id": "dnrti_test_006220", "source": "dnrti_test"}} {"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines .", "spans": {"Malware: PeddleCheap": [[0, 11]], "Malware: DanderSpritz": [[27, 39]]}, "info": {"id": "dnrti_test_006221", "source": "dnrti_test"}} {"text": "The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools .", "spans": {"Malware: FuzzBunch": [[4, 13]], "Malware: DanderSpritz": [[18, 30]]}, "info": {"id": "dnrti_test_006222", "source": "dnrti_test"}} {"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims .", "spans": {"Malware: FuzzBunch plugins": [[79, 96]], "Malware: DanderSpritz": [[172, 184]]}, "info": {"id": "dnrti_test_006223", "source": "dnrti_test"}} {"text": "The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years , including information on operations aimed at Iran and Russia .", "spans": {"Organization: NSA": [[11, 14]], "Organization: spy agency": [[193, 203]]}, "info": {"id": "dnrti_test_006224", "source": "dnrti_test"}} {"text": "Yet the document cache published April 8 provides evidence that the NSA had once 
launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center .", "spans": {"Organization: NSA": [[68, 71]]}, "info": {"id": "dnrti_test_006225", "source": "dnrti_test"}} {"text": "The ShadowBrokers' latest dump of Equation Group hacks focuses on UNIX systems and GSM networks , and was accompanied by an open letter to President Trump .", "spans": {}, "info": {"id": "dnrti_test_006226", "source": "dnrti_test"}} {"text": "Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday .", "spans": {"Malware: Windows hacking tools": [[9, 30]]}, "info": {"id": "dnrti_test_006227", "source": "dnrti_test"}} {"text": "The leaked files show the NSA was allegedly targeting EastNets in Dubai , Belgium , and Egypt .", "spans": {"Organization: NSA": [[26, 29]], "Organization: EastNets": [[54, 62]]}, "info": {"id": "dnrti_test_006228", "source": "dnrti_test"}} {"text": "The files appear to include logs from 2013 that show the NSA was also targeting oil and investment companies across the Middle East .", "spans": {"Organization: NSA": [[57, 60]], "Organization: investment companies": [[88, 108]]}, "info": {"id": "dnrti_test_006229", "source": "dnrti_test"}} {"text": "According to Kaspersky , the Equation Group has more than 60 members and has been operating since at least 2001 .", "spans": {"Organization: Kaspersky": [[13, 22]]}, "info": {"id": "dnrti_test_006230", "source": "dnrti_test"}} {"text": "The existence of the Equation Group was first posited in Feb. 
2015 by researchers at Russian security firm Kaspersky Lab , which described it as one of the most sophisticated cyber attack teams in the world .", "spans": {"Organization: security firm": [[93, 106]], "Organization: Kaspersky Lab": [[107, 120]]}, "info": {"id": "dnrti_test_006231", "source": "dnrti_test"}} {"text": "Most of the Equation Group 's targets have been in Iran , Russia , Pakistan , Afghanistan , India , Syria , and Mali .", "spans": {"Organization: Equation Group": [[12, 26]]}, "info": {"id": "dnrti_test_006232", "source": "dnrti_test"}} {"text": "According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces .", "spans": {}, "info": {"id": "dnrti_test_006233", "source": "dnrti_test"}} {"text": "KrebsOnSecurity was first made aware of the metadata in the Shadow Brokers leak by Mike Poor , Rob Curtinseufert , and Larry Pesce .", "spans": {"Organization: KrebsOnSecurity": [[0, 15]], "Organization: Shadow Brokers": [[60, 74]]}, "info": {"id": "dnrti_test_006234", "source": "dnrti_test"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_test_006235", "source": "dnrti_test"}} {"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency – NSA 's hacking tools and tactics .", "spans": {"Organization: ShadowBrokers": [[4, 17]], "Organization: NSA": [[117, 120]]}, "info": {"id": "dnrti_test_006236", "source": "dnrti_test"}} {"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives .", "spans": {}, "info": {"id": "dnrti_test_006237", 
"source": "dnrti_test"}} {"text": "UNITEDRAKE is described as a \" fully extensible \" data collection tool that is specifically developed for Windows machines to allow operators the chance of controlling a device completely .", "spans": {"Malware: UNITEDRAKE": [[0, 10]]}, "info": {"id": "dnrti_test_006238", "source": "dnrti_test"}} {"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide .", "spans": {"Organization: NSA": [[133, 136]], "Vulnerability: ETERNALBLUE": [[161, 172]]}, "info": {"id": "dnrti_test_006239", "source": "dnrti_test"}} {"text": "This turned out to be a malicious loader internally named ' Slingshot ' , part of a new , and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity .", "spans": {"Malware: Slingshot": [[60, 69]], "Malware: Project Sauron": [[143, 157]], "Malware: Regin": [[162, 167]]}, "info": {"id": "dnrti_test_006240", "source": "dnrti_test"}} {"text": "One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components .", "spans": {"Malware: ipv4.dll": [[14, 22]], "Malware: downloader": [[79, 89]]}, "info": {"id": "dnrti_test_006241", "source": "dnrti_test"}} {"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities .", "spans": {"Malware: Slingshot": [[123, 132]], "System: vulnerable drivers": [[146, 164]]}, "info": {"id": "dnrti_test_006242", "source": "dnrti_test"}} {"text": "During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components .", "spans": {"Malware: KPWS": [[53, 57]], "Malware: 
Slingshot": [[103, 112]]}, "info": {"id": "dnrti_test_006243", "source": "dnrti_test"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": {"Malware: Canhadr/Ndriver": [[29, 44]]}, "info": {"id": "dnrti_test_006244", "source": "dnrti_test"}} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad .", "spans": {}, "info": {"id": "dnrti_test_006245", "source": "dnrti_test"}} {"text": "So far , researchers have seen around 100 victims of Slingshot and its related modules , located in Kenya , Yemen , Afghanistan , Libya , Congo , Jordan , Turkey , Iraq , Sudan , Somalia and Tanzania .", "spans": {"Malware: Slingshot": [[53, 62]]}, "info": {"id": "dnrti_test_006246", "source": "dnrti_test"}} {"text": "Some of the techniques used by Slingshot , such as the exploitation of legitimate , yet vulnerable drivers has been seen before in other malware , such as White and Grey Lambert .", "spans": {"Malware: Slingshot": [[31, 40]], "Malware: White": [[155, 160]], "Malware: Grey Lambert": [[165, 177]]}, "info": {"id": "dnrti_test_006247", "source": "dnrti_test"}} {"text": "Cylance tracks this threat group internally as ' Snake Wine ' .", "spans": {"Organization: Cylance": [[0, 7]], "Organization: Snake Wine": [[49, 59]]}, "info": {"id": "dnrti_test_006248", "source": "dnrti_test"}} {"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations .", "spans": {"Organization: Snake Wine": [[23, 33]], "System: spear phishing": [[64, 78]]}, "info": {"id": "dnrti_test_006249", "source": "dnrti_test"}} {"text": "The Ham Backdoor functions primarily as a modular platform , which 
provides the attacker with the ability to directly download additional modules and execute them in memory from the command and control ( C2 ) server .", "spans": {"Malware: Ham Backdoor": [[4, 16]]}, "info": {"id": "dnrti_test_006250", "source": "dnrti_test"}} {"text": "Based upon Cylance 's observations , the Tofu Backdoor was deployed in far fewer instances than the Ham Backdoor .", "spans": {"Organization: Cylance": [[11, 18]], "Malware: Tofu Backdoor": [[41, 54]], "Malware: Ham Backdoor": [[100, 112]]}, "info": {"id": "dnrti_test_006251", "source": "dnrti_test"}} {"text": "This suggests that the Snake Wine group will likely continue to escalate their activity and persistently target both private and government entities within Japan .", "spans": {"Organization: government entities": [[129, 148]]}, "info": {"id": "dnrti_test_006252", "source": "dnrti_test"}} {"text": "The group was first publicly disclosed by FireEye in this report .", "spans": {"Organization: FireEye": [[42, 49]]}, "info": {"id": "dnrti_test_006253", "source": "dnrti_test"}} {"text": "MenuPass is a well-documented CN-APT group , whose roots go back to 2009 .", "spans": {"Organization: MenuPass": [[0, 8]]}, "info": {"id": "dnrti_test_006254", "source": "dnrti_test"}} {"text": "Snake Wine was first publicly disclosed by FireEye in this report .", "spans": {"Organization: FireEye": [[43, 50]]}, "info": {"id": "dnrti_test_006255", "source": "dnrti_test"}} {"text": "Although the MenuPass Group used mostly publicly available RATs , they were successful in penetrating a number of high value targets , so it is entirely possible this is indeed a continuation of past activity .", "spans": {"Malware: publicly available RATs": [[40, 63]]}, "info": {"id": "dnrti_test_006256", "source": "dnrti_test"}} {"text": "Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28 .", "spans": {"Organization: domain 
hosting company": [[45, 67]], "Organization: APT28": [[154, 159]]}, "info": {"id": "dnrti_test_006257", "source": "dnrti_test"}} {"text": "Germany 's Der Spiegel re-published the slide set with far less deletions recently , in January 2015 , and therefore gave a deeper insight about what CSEC actually says they have tracked down .", "spans": {"Organization: Der Spiegel": [[11, 22]]}, "info": {"id": "dnrti_test_006258", "source": "dnrti_test"}} {"text": "According to slide 22 , \" CSEC assesses , with moderate certainty , SNOWGLOBE to be a state-sponsored Cyber Network Operation effort , put forth by a French intelligence agency \" .", "spans": {}, "info": {"id": "dnrti_test_006259", "source": "dnrti_test"}} {"text": "The information given dates back to 2011 and nothing else has been published since .", "spans": {}, "info": {"id": "dnrti_test_006260", "source": "dnrti_test"}} {"text": "Now that specific Babar samples have been identified and analyzed , there might be new information , also with regards to similarities or differences between the two Remote Administration Tools ( RATs ) EvilBunny and Babar .", "spans": {"Malware: Babar samples": [[18, 31]], "Malware: Remote Administration Tools": [[166, 193]], "Malware: RATs": [[196, 200]], "Malware: EvilBunny": [[203, 212]], "Malware: Babar": [[217, 222]]}, "info": {"id": "dnrti_test_006261", "source": "dnrti_test"}} {"text": "We recommend reading Marion 's report \" Shooting Elephants \" , a complementary piece of work regarding the Babar malware .", "spans": {"Malware: Babar malware": [[107, 120]]}, "info": {"id": "dnrti_test_006262", "source": "dnrti_test"}} {"text": "And finally , as every elephant , Babar has big ears and the malware is able to listen to conversations and log them by using the dsound and winmm libraries .", "spans": {"Malware: Babar": [[34, 39]], "Malware: dsound": [[130, 136]], "Malware: winmm libraries": [[141, 156]]}, "info": {"id": "dnrti_test_006263", "source": "dnrti_test"}} {"text": "The 
G DATA SecurityLabs are convinced that the number of similarities identified between EvilBunny and Babar show that both malware families originate from the same developers .", "spans": {"Organization: G DATA SecurityLabs": [[4, 23]], "Malware: EvilBunny": [[89, 98]], "Malware: Babar": [[103, 108]]}, "info": {"id": "dnrti_test_006264", "source": "dnrti_test"}} {"text": "TA542 , the primary actor behind Emotet , is known for the development of lures and malicious mail specific to given regions .", "spans": {"Organization: TA542": [[0, 5]], "Malware: Emotet": [[33, 39]]}, "info": {"id": "dnrti_test_006265", "source": "dnrti_test"}} {"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": {"Organization: audiences": [[247, 256]]}, "info": {"id": "dnrti_test_006266", "source": "dnrti_test"}} {"text": "Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 .", "spans": {"Malware: Emotet": [[0, 6]], "Malware: banking Trojan": [[75, 89]], "Malware: Cridex": [[94, 100]]}, "info": {"id": "dnrti_test_006267", "source": "dnrti_test"}} {"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": {"Organization: audiences": [[247, 256]]}, "info": {"id": "dnrti_test_006268", "source": "dnrti_test"}} {"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries .", "spans": {}, "info": {"id": "dnrti_test_006269", "source": 
"dnrti_test"}} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"Malware: Emotet": [[46, 52], [166, 172]]}, "info": {"id": "dnrti_test_006270", "source": "dnrti_test"}} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others .", "spans": {"Malware: Emotet": [[162, 168]]}, "info": {"id": "dnrti_test_006271", "source": "dnrti_test"}} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German .", "spans": {"System: Emotet-laden emails": [[62, 81]]}, "info": {"id": "dnrti_test_006272", "source": "dnrti_test"}} {"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions .", "spans": {"Malware: DanaBot": [[0, 7]], "Malware: Trojan": [[13, 19]]}, "info": {"id": "dnrti_test_006273", "source": "dnrti_test"}} {"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 .", "spans": {"Organization: Proofpoint": [[0, 10]], "Malware: DanaBot": [[36, 43]], "Organization: Canada Post": [[104, 115]], "System: themed lures": [[118, 130]]}, "info": {"id": "dnrti_test_006274", "source": "dnrti_test"}} {"text": "FormBook is a browser form stealer/keylogger that is under active development .", "spans": {"Malware: FormBook": [[0, 8]], "Malware: stealer/keylogger": [[27, 44]]}, "info": {"id": "dnrti_test_006275", "source": "dnrti_test"}} {"text": "While Canada-targeted threats are not 
new , Emotet in particular , with its frequent region-specific email campaigns , is bringing new attention to geo-targeting in Canada and beyond .", "spans": {"Malware: Emotet": [[44, 50]]}, "info": {"id": "dnrti_test_006276", "source": "dnrti_test"}} {"text": "First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan .", "spans": {"Malware: Bugat": [[63, 68]], "Malware: banking Trojan": [[83, 97]]}, "info": {"id": "dnrti_test_006277", "source": "dnrti_test"}} {"text": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo .", "spans": {"Organization: MUMMY SPIDER": [[0, 12]], "Malware: Emotet": [[103, 109]], "Malware: Geodo": [[113, 118]]}, "info": {"id": "dnrti_test_006278", "source": "dnrti_test"}} {"text": "After a 10 month hiatus , MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects , it is currently acting as a ' loader ' delivering other malware packages .", "spans": {"Organization: MUMMY SPIDER": [[26, 38]], "Malware: Emotet": [[48, 54]], "Malware: banking Trojan": [[127, 141]]}, "info": {"id": "dnrti_test_006279", "source": "dnrti_test"}} {"text": "The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot .", "spans": {"Malware: banking Trojans Dridex": [[96, 118]], "Malware: Qakbot": [[123, 129]]}, "info": {"id": "dnrti_test_006280", "source": "dnrti_test"}} {"text": "It seems that the main objective of the attackers was information gathering from the infected computers .", "spans": {}, "info": {"id": "dnrti_test_006281", "source": "dnrti_test"}} {"text": "For the TeamViewer-based activities , we have traces in the past until September 2012 .", "spans": {}, "info": {"id": "dnrti_test_006282", "source": "dnrti_test"}} {"text": "In the actual targeted attack detected by the Hungarian National 
Security Agency , TeamSpy used components of the TeamViewer tool combined with other malware modules .", "spans": {"Malware: TeamViewer tool": [[114, 129]], "Malware: malware modules": [[150, 165]]}, "info": {"id": "dnrti_test_006283", "source": "dnrti_test"}} {"text": "In the actual targeted attack detected by the Hungarian National Security Agency , they used components of the TeamViewer tool combined with other malware modules .", "spans": {"Malware: TeamViewer tool": [[111, 126]], "Malware: malware modules": [[147, 162]]}, "info": {"id": "dnrti_test_006284", "source": "dnrti_test"}} {"text": "TeamViewer has also been used in the \" Sheldor \" attack campaign , which was detected between 2010 and 2011 , and which resulted in assets stolen at the value of $600k and $832k .", "spans": {"Malware: TeamViewer": [[0, 10]]}, "info": {"id": "dnrti_test_006285", "source": "dnrti_test"}} {"text": "This match shows a direct relationship between Sheldor and TeamSpy , although we do not known if the connection is only at the tool level or at the operation level too .", "spans": {}, "info": {"id": "dnrti_test_006286", "source": "dnrti_test"}} {"text": "Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM , following our internal practice of assigning rogue actors chemical element names .", "spans": {"Organization: Microsoft Threat Intelligence": [[0, 29]], "Organization: TERBIUM": [[83, 90]]}, "info": {"id": "dnrti_test_006287", "source": "dnrti_test"}} {"text": "From the samples we collected , we can conclude that the same threat actor produced many individual malware modules during the last ten years .", "spans": {"Malware: malware modules": [[100, 115]]}, "info": {"id": "dnrti_test_006288", "source": "dnrti_test"}} {"text": "Once TERBIUM has a foothold in the organization , its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation .", "spans": 
{"Organization: TERBIUM": [[5, 12]]}, "info": {"id": "dnrti_test_006289", "source": "dnrti_test"}} {"text": "Microsoft Threat Intelligence has observed that the malware used by TERBIUM , dubbed \" Depriz \" by Microsoft , reuses several components and techniques seen in the 2012 attacks , and has been highly customized for each targeted organization .", "spans": {"Organization: Microsoft Threat Intelligence": [[0, 29]], "Organization: TERBIUM": [[68, 75]], "Organization: Depriz": [[87, 93]], "Organization: Microsoft": [[99, 108]]}, "info": {"id": "dnrti_test_006290", "source": "dnrti_test"}} {"text": "Note : TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time : November 17 , 2016 at 8:45 p.m .", "spans": {"Organization: TERBIUM": [[7, 14]]}, "info": {"id": "dnrti_test_006291", "source": "dnrti_test"}} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets .", "spans": {}, "info": {"id": "dnrti_test_006292", "source": "dnrti_test"}} {"text": "We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 .", "spans": {"Malware: UPDATESEE malware": [[53, 70]], "Organization: FireEye Intelligence": [[78, 98]]}, "info": {"id": "dnrti_test_006293", "source": "dnrti_test"}} {"text": "We initially reported on Transparent Tribe and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 .", "spans": {"Malware: UPDATESEE malware": [[53, 70]], "Organization: FireEye Intelligence": [[78, 98]]}, "info": {"id": "dnrti_test_006294", "source": "dnrti_test"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": 
[[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_test_006295", "source": "dnrti_test"}} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"System: spear phishing emails": [[131, 152]], "Organization: government officials": [[163, 183]]}, "info": {"id": "dnrti_test_006296", "source": "dnrti_test"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]]}, "info": {"id": "dnrti_test_006297", "source": "dnrti_test"}} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment .", "spans": {"System: email attachment": [[188, 204]]}, "info": {"id": "dnrti_test_006298", "source": "dnrti_test"}} {"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"System: spear phishing emails": [[139, 160]], "Organization: government officials": [[171, 191]]}, "info": {"id": "dnrti_test_006299", "source": "dnrti_test"}} {"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents .", "spans": {"System: spear phishing": [[112, 126]]}, "info": {"id": "dnrti_test_006300", "source": "dnrti_test"}} {"text": "The first time this happened was at the beginning of the month , when Proofpoint researchers blew 
the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan .", "spans": {"Organization: Proofpoint": [[70, 80]], "Organization: embassies": [[199, 208]]}, "info": {"id": "dnrti_test_006301", "source": "dnrti_test"}} {"text": "Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel .", "spans": {"Organization: army officials": [[31, 45]], "Malware: WeChat": [[97, 103]], "Malware: SmeshApp": [[106, 114]], "Malware: Line": [[121, 125]], "Organization: army personnel": [[226, 240]]}, "info": {"id": "dnrti_test_006302", "source": "dnrti_test"}} {"text": "The May 2018 adversary spotlight is on MYTHIC LEOPARD , a Pakistan-based adversary with operations likely located in Karachi .", "spans": {"Organization: MYTHIC LEOPARD": [[39, 53]]}, "info": {"id": "dnrti_test_006303", "source": "dnrti_test"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "Organization: military officials": [[63, 81]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_test_006304", "source": "dnrti_test"}} {"text": "The CrowdStrike Falcon Intelligence™ team 's tracking of MYTHIC LEOPARD began in late 2016 , when evidence of an attack surfaced against a victim based in India and working in the hospitality sector .", "spans": {"Organization: CrowdStrike Falcon Intelligence™": [[4, 36]], "Organization: hospitality sector": [[180, 198]]}, "info": {"id": "dnrti_test_006305", "source": "dnrti_test"}} {"text": "Two binder tools — used to disguise custom executables as 
legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 .", "spans": {"Organization: Microsoft": [[69, 78]], "Organization: Falcon Intelligence": [[109, 128]], "Organization: MYTHIC LEOPARD": [[143, 157]]}, "info": {"id": "dnrti_test_006306", "source": "dnrti_test"}} {"text": "Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders , including the isqlmanager and Waizsar RAT malware families .", "spans": {"Organization: Falcon Intelligence": [[0, 19]], "Organization: MYTHIC LEOPARD": [[33, 47]], "Malware: isqlmanager": [[160, 171]], "Malware: Waizsar RAT malware families": [[176, 204]]}, "info": {"id": "dnrti_test_006307", "source": "dnrti_test"}} {"text": "Patchwork also uses the Delphi file stealer as a similarity with Urpage , which suggests the three groups are somehow related .", "spans": {"Organization: Patchwork": [[0, 9]]}, "info": {"id": "dnrti_test_006308", "source": "dnrti_test"}} {"text": "Patchwork has also recently employed Android malware in its attacks , with its use of a customized version of AndroRAT .", "spans": {"Organization: Patchwork": [[0, 9]], "Malware: Android malware": [[37, 52]], "Malware: AndroRAT": [[110, 118]]}, "info": {"id": "dnrti_test_006309", "source": "dnrti_test"}} {"text": "Trend Micro 's Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies .", "spans": {"Organization: Trend Micro": [[0, 11]], "Malware: leading sandbox": [[91, 106]], "Malware: machine learning technologies": [[111, 140]]}, "info": {"id": "dnrti_test_006310", "source": "dnrti_test"}} {"text": "Symantec researchers have discovered that this attack group , which we call Whitefly , has been operating since at least 2017 , has targeted organizations based mostly in Singapore across a wide variety of sectors , and is primarily interested in stealing 
large amounts of sensitive information .", "spans": {"Organization: Symantec": [[0, 8]], "Organization: Whitefly": [[76, 84]]}, "info": {"id": "dnrti_test_006311", "source": "dnrti_test"}} {"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts .", "spans": {"Organization: Whitefly": [[0, 8]], "System: land tactics": [[109, 121]], "Malware: PowerShell scripts": [[142, 160]]}, "info": {"id": "dnrti_test_006312", "source": "dnrti_test"}} {"text": "From mid-2017 to mid-2018 , Whitefly launched targeted attacks against multiple organizations .", "spans": {"Organization: Whitefly": [[28, 36]]}, "info": {"id": "dnrti_test_006313", "source": "dnrti_test"}} {"text": "While most of these organizations were based in Singapore , some were multinational organizations with a presence in Singapore .", "spans": {}, "info": {"id": "dnrti_test_006314", "source": "dnrti_test"}} {"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors .", "spans": {"Organization: Whitefly": [[10, 18]], "Organization: engineering sectors": [[99, 118]]}, "info": {"id": "dnrti_test_006315", "source": "dnrti_test"}} {"text": "Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image .", "spans": {"Organization: Whitefly": [[0, 8]], "Malware: dropper": [[43, 50]], "Malware: malicious.exe": [[68, 81]], "Malware: .dll file": [[85, 94]]}, "info": {"id": "dnrti_test_006316", "source": "dnrti_test"}} {"text": "If opened , the dropper runs a loader known as Trojan.Vcrodat on the computer .", "spans": {"Malware: dropper": [[16, 23]], "Malware: Trojan.Vcrodat": [[47, 61]]}, "info": {"id": "dnrti_test_006317", "source": "dnrti_test"}} {"text": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat .", "spans": 
{"Organization: Whitefly": [[0, 8]], "Malware: search order hijacking": [[52, 74]], "Malware: Vcrodat": [[82, 89]]}, "info": {"id": "dnrti_test_006318", "source": "dnrti_test"}} {"text": "Once executed , Vcrodat loads an encrypted payload on to the victim 's computer .", "spans": {"Malware: Vcrodat": [[16, 23]]}, "info": {"id": "dnrti_test_006319", "source": "dnrti_test"}} {"text": "Whitefly rely heavily on tools such as Mimikatz to obtain credentials .", "spans": {"Organization: Whitefly": [[0, 8]], "Malware: Mimikatz": [[39, 47]]}, "info": {"id": "dnrti_test_006320", "source": "dnrti_test"}} {"text": "Using these credentials , the attackers are able to compromise more machines on the network and , from those machines , again obtain more credentials .", "spans": {"Malware: credentials": [[12, 23]]}, "info": {"id": "dnrti_test_006321", "source": "dnrti_test"}} {"text": "Whitefly usually attempts to remain within a targeted organization for long periods of time—often months—in order to steal large volumes of information .", "spans": {"Organization: Whitefly": [[0, 8]]}, "info": {"id": "dnrti_test_006322", "source": "dnrti_test"}} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers .", "spans": {"Malware: publicly available tools": [[47, 71]], "Malware: Mimikatz": [[84, 92]], "Malware: Hacktool.Mimikatz": [[95, 112]], "Vulnerability: CVE-2016-0051": [[206, 219]]}, "info": {"id": "dnrti_test_006323", "source": "dnrti_test"}} {"text": "Like Vcrodat , Nibatad is also a loader that leverages search order hijacking , and downloads an encrypted payload to the infected computer .", "spans": {"Malware: Vcrodat": [[5, 12]], "Malware: Nibatad": [[15, 22]]}, "info": {"id": "dnrti_test_006324", "source": "dnrti_test"}} {"text": "Why Whitefly uses these two different loaders in 
some of its attacks remains unknown .", "spans": {"Organization: Whitefly": [[4, 12]], "Malware: loaders": [[38, 45]]}, "info": {"id": "dnrti_test_006325", "source": "dnrti_test"}} {"text": "While Vcrodat is delivered via the malicious dropper , we have yet to discover how Nibatad is delivered to the infected computer .", "spans": {"Malware: Vcrodat": [[6, 13]], "Malware: dropper": [[45, 52]], "Malware: Nibatad": [[83, 90]]}, "info": {"id": "dnrti_test_006326", "source": "dnrti_test"}} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia .", "spans": {"Organization: Whitefly": [[88, 96]]}, "info": {"id": "dnrti_test_006327", "source": "dnrti_test"}} {"text": "In another case , Vcrodat was also used in an attack on a UK-based organization in the hospitality sector .", "spans": {"Malware: Vcrodat": [[18, 25]], "Organization: hospitality sector": [[87, 105]]}, "info": {"id": "dnrti_test_006328", "source": "dnrti_test"}} {"text": "Whitefly is a highly adept group with a large arsenal of tools at its disposal , capable of penetrating targeted organizations and maintaining a long-term presence on their networks .", "spans": {"Organization: Whitefly": [[0, 8]]}, "info": {"id": "dnrti_test_006329", "source": "dnrti_test"}} {"text": "WICKED PANDA has also targeted chemical and think tank sectors around the world .", "spans": {"Organization: think tank": [[44, 54]]}, "info": {"id": "dnrti_test_006330", "source": "dnrti_test"}} {"text": "The WICKED PANDA adversary makes use of a number of open-source and custom tools to infect and move laterally in victim networks .", "spans": {"Organization: WICKED PANDA": [[4, 16]], "Malware: custom tools": [[68, 80]]}, "info": {"id": "dnrti_test_006331", "source": "dnrti_test"}} {"text": "WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as \" Winnti 
\" , whereas WICKED SPIDER represents this group 's financially-motivated criminal activity .", "spans": {"Organization: WICKED PANDA": [[0, 12]], "Organization: WICKED SPIDER": [[109, 122]]}, "info": {"id": "dnrti_test_006332", "source": "dnrti_test"}} {"text": "WICKED SPIDER has been observed targeting technology companies in Germany , Indonesia , the Russian Federation , South Korea , Sweden , Thailand , Turkey , the United States , and elsewhere .", "spans": {"Organization: WICKED SPIDER": [[0, 13]], "Organization: technology companies": [[42, 62]]}, "info": {"id": "dnrti_test_006333", "source": "dnrti_test"}} {"text": "Subsequently , two additional articles ( here and here ) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems .", "spans": {"Organization: Objective-See": [[74, 87]], "Malware: WINDSHIFT samples": [[132, 149]]}, "info": {"id": "dnrti_test_006334", "source": "dnrti_test"}} {"text": "Pivoting on specific file attributes and infrastructure indicators , Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency .", "spans": {"Organization: Unit 42": [[69, 76]], "Organization: government agency": [[244, 261]]}, "info": {"id": "dnrti_test_006335", "source": "dnrti_test"}} {"text": "The following is a summary of observed WINDSHIFT activity which targeted a Middle Eastern government agency .", "spans": {"Organization: government agency": [[90, 107]]}, "info": {"id": "dnrti_test_006336", "source": "dnrti_test"}} {"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware .", "spans": {"Organization: WIZARD SPIDER threat group": [[4, 30]], "Malware: TrickBot banking malware": [[67, 91]]}, "info": {"id": "dnrti_test_006337", "source": "dnrti_test"}} {"text": "Whitefly configures multiple C&C domains for each target .", 
"spans": {"Organization: Whitefly": [[0, 8]]}, "info": {"id": "dnrti_test_006338", "source": "dnrti_test"}} {"text": "In some attacks , Whitefly has used a second piece of custom malware , Trojan.Nibatad .", "spans": {"Malware: Trojan.Nibatad": [[71, 85]]}, "info": {"id": "dnrti_test_006339", "source": "dnrti_test"}} {"text": "LUNAR SPIDER had already introduced BokBot to the criminal market at the time Neverquest operations ceased , suggesting that the malware change may have been planned .", "spans": {"Organization: LUNAR SPIDER": [[0, 12]], "Malware: BokBot": [[36, 42]]}, "info": {"id": "dnrti_test_006340", "source": "dnrti_test"}} {"text": "Its origins can be traced back to the Storm Worm , a botnet that emerged in 2007 and was one of the earliest criminal malware infrastructures to leverage peer-to-peer technology .", "spans": {}, "info": {"id": "dnrti_test_006341", "source": "dnrti_test"}} {"text": "After the demise of Storm , it was replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications .", "spans": {"Malware: Waledac": [[75, 82]], "System: peer-to-peer communications": [[103, 130]]}, "info": {"id": "dnrti_test_006342", "source": "dnrti_test"}} {"text": "Although BokBot has aided the distribution of TrickBot since 2017 , the development of custom TrickBot modules for the specific campaign has not been observed before .", "spans": {"Malware: BokBot": [[9, 15]], "Malware: TrickBot": [[46, 54]], "Malware: TrickBot modules": [[94, 110]]}, "info": {"id": "dnrti_test_006343", "source": "dnrti_test"}} {"text": "Kelihos , like many others , implemented a sophisticated spam engine that automatically constructs spam messages from templates and additional inputs to avoid any patterns that can be used in filters .", "spans": {"Malware: Kelihos": [[0, 7]]}, "info": {"id": "dnrti_test_006344", "source": "dnrti_test"}} {"text": "A second attack that targeted the host 154.46.32.129 started on March 14 , 2017 at 14:44:42 GMT .", 
"spans": {}, "info": {"id": "dnrti_test_006345", "source": "dnrti_test"}} {"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 .", "spans": {"Organization: Unit 42": [[72, 79]]}, "info": {"id": "dnrti_test_006346", "source": "dnrti_test"}} {"text": "With the Kelihos spam botnet no longer in operation and Levashov behind bars , multiple criminal operators turned to different spam botnets to distribute their crimeware .", "spans": {"Malware: Kelihos spam botnet": [[9, 28]]}, "info": {"id": "dnrti_test_006347", "source": "dnrti_test"}} {"text": "CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos .", "spans": {"Malware: CraP2P": [[0, 6]], "Malware: Locky": [[68, 73]], "Malware: Dridex": [[78, 84]]}, "info": {"id": "dnrti_test_006348", "source": "dnrti_test"}} {"text": "The first attack occurred in early January of 2018 with an inbound WINDTAIL sample ( the backdoor family used by WINDSHIFT ) originating from the remote IP address 109.235.51.110 to a single internal IP address within the government agency .", "spans": {"Malware: WINDTAIL sample": [[67, 82]], "Malware: WINDSHIFT": [[113, 122]], "Organization: government agency": [[222, 239]]}, "info": {"id": "dnrti_test_006349", "source": "dnrti_test"}} {"text": "Unit 42 assesses with high confidence that both the IP address 185.25.50.189 and the domain domforworld.com is associated with WINDSHIFT activity .", "spans": {"Organization: Unit 42": [[0, 7]]}, "info": {"id": "dnrti_test_006350", "source": "dnrti_test"}} {"text": "The CrowdStrike Falcon Intelligence team , which had been tracking Levashov as the adversary called ZOMBIE SPIDER , was able to help law enforcement seize control of the Kelihos botnet so that it could no longer be used by criminal actors .", "spans": {"Organization: 
CrowdStrike Falcon Intelligence": [[4, 35]], "Organization: ZOMBIE SPIDER": [[100, 113]]}, "info": {"id": "dnrti_test_006351", "source": "dnrti_test"}} {"text": "Over the past few years , Animal Farm has targeted a wide range of global organizations .", "spans": {"Organization: Animal Farm": [[26, 37]]}, "info": {"id": "dnrti_test_006352", "source": "dnrti_test"}} {"text": "The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007 .", "spans": {}, "info": {"id": "dnrti_test_006353", "source": "dnrti_test"}} {"text": "Over the years Kaspersky is tracked multiple campaigns by the Animal Farm group .", "spans": {"Organization: Kaspersky": [[15, 24]], "Organization: Animal Farm group": [[62, 79]]}, "info": {"id": "dnrti_test_006354", "source": "dnrti_test"}} {"text": "Most recently , Animal Farm deployed the Casper Trojan via a watering-hole attack in Syria .", "spans": {"Organization: Animal Farm": [[16, 27]], "Malware: Casper Trojan": [[41, 54]]}, "info": {"id": "dnrti_test_006355", "source": "dnrti_test"}} {"text": "A full description of this zero-day attack can be found in this blog post by Kaspersky Lab 's Vyacheslav Zakorzhevsky .", "spans": {"Organization: Kaspersky Lab": [[77, 90]]}, "info": {"id": "dnrti_test_006356", "source": "dnrti_test"}} {"text": "In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso .", "spans": {"Organization: users": [[135, 140]]}, "info": {"id": "dnrti_test_006357", "source": "dnrti_test"}} {"text": "The malware known as Tafacalou ( aka \" TFC \" , \" Transporter \" ) is perhaps of greatest interest here , because it acts as an entry point for the more sophisticated spy platforms Babar and Dino .", "spans": {"Malware: Tafacalou": [[21, 30]], "Malware: TFC": [[39, 42]], "Malware: Transporter": [[49, 60]], "Malware: Babar": [[179, 184]], "Malware: Dino": [[189, 
193]]}, "info": {"id": "dnrti_test_006358", "source": "dnrti_test"}} {"text": "Based on the Tafacalou infection logs , we observed that most of the victims are in the following countries : Syria , Iran , Malaysia , USA , China , Turkey , Netherlands , Germany , Great Britain , Russia , Sweden , Austria , Algeria , Israel , Iraq , Morocco , New Zealand , Ukraine .", "spans": {"Malware: Tafacalou": [[13, 22]]}, "info": {"id": "dnrti_test_006359", "source": "dnrti_test"}} {"text": "In 2013 , both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations .", "spans": {"Organization: COSEINC": [[15, 22]], "Organization: FireEye": [[27, 34]], "Malware: Bisonal": [[58, 65]]}, "info": {"id": "dnrti_test_006360", "source": "dnrti_test"}} {"text": "In October 2017 , AhnLab published a report called \" Operation Bitter Biscuit \" , an attack campaign against South Korea , Japan , India and Russia using Bisonal and its successors , Bioazih and Dexbia .", "spans": {"Organization: AhnLab": [[18, 24]], "Malware: Bisonal": [[154, 161]], "Malware: Bioazih": [[183, 190]], "Malware: Dexbia": [[195, 201]]}, "info": {"id": "dnrti_test_006361", "source": "dnrti_test"}} {"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea .", "spans": {"Malware: Bisonal": [[45, 52]]}, "info": {"id": "dnrti_test_006362", "source": "dnrti_test"}} {"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea .", "spans": {"Malware: Bisonal": [[45, 52]]}, "info": {"id": "dnrti_test_006363", "source": "dnrti_test"}} {"text": "The biggest number of Orangeworm 's victims are located in the U.S. 
, accounting for 17 percent of the infection rate by region .", "spans": {}, "info": {"id": "dnrti_test_006364", "source": "dnrti_test"}} {"text": "In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup .", "spans": {"Malware: Gelup": [[150, 155]]}, "info": {"id": "dnrti_test_006365", "source": "dnrti_test"}} {"text": "Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd” and exit.exe” files , and , at the same time , some new components have been introduced , for instance the rtegre.exe” and the veter1605_MAPS_10cr0.exe” file .", "spans": {"Malware: i.cmd”": [[85, 91]], "Malware: exit.exe”": [[96, 105]], "Malware: rtegre.exe”": [[199, 210]], "Malware: veter1605_MAPS_10cr0.exe”": [[219, 244]]}, "info": {"id": "dnrti_test_006366", "source": "dnrti_test"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers .", "spans": {"Malware: Neptun": [[0, 6]], "Organization: attackers": [[108, 117]]}, "info": {"id": "dnrti_test_006367", "source": "dnrti_test"}} {"text": "The malware then uses WebDAV to upload the RAR archive to a Box account .", "spans": {"Malware: malware": [[4, 11]], "Malware: WebDAV": [[22, 28]], "Malware: RAR archive": [[43, 54]]}, "info": {"id": "dnrti_test_006368", "source": "dnrti_test"}} {"text": "The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded .", "spans": {"Malware: PowerShell script": [[4, 21]], "Malware: malicious DLL files": [[81, 100]]}, "info": {"id": "dnrti_test_006369", "source": "dnrti_test"}} {"text": "McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 .", 
"spans": {"Organization: McAfee": [[0, 6]], "Organization: Lazarus": [[64, 71], [219, 226]], "Malware: malicious document": [[193, 211]]}, "info": {"id": "dnrti_test_006370", "source": "dnrti_test"}} {"text": "According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": {"Organization: 360 Threat Intelligence Center": [[22, 52]], "Malware: njRAT backdoor": [[101, 115]]}, "info": {"id": "dnrti_test_006371", "source": "dnrti_test"}} {"text": "Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla .", "spans": {"Organization: Kaspersky": [[13, 22]], "Malware: backdoor": [[40, 48]], "Organization: Turla": [[93, 98]]}, "info": {"id": "dnrti_test_006372", "source": "dnrti_test"}} {"text": "Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 .", "spans": {"Organization: Trend Micro": [[0, 11]], "Organization: MuddyWater’s": [[26, 38]], "Malware: POWERSTATS v3": [[97, 110]]}, "info": {"id": "dnrti_test_006373", "source": "dnrti_test"}} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal .", "spans": {"Organization: ESET": [[0, 4]], "Malware: sample": [[36, 42]], "Organization: OceanLotus": [[52, 62]], "System: uploaded to VirusTotal": [[83, 105]]}, "info": {"id": "dnrti_test_006374", "source": "dnrti_test"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"Malware: .doc files": [[54, 64]], "Malware: RTF documents": [[85, 98]], "Vulnerability: CVE-2017-8570": [[123, 136]], "Vulnerability: Composite": [[139, 148]], "Vulnerability: Moniker": [[149, 156]]}, "info": {"id": "dnrti_test_006375", "source": "dnrti_test"}} {"text": "At this point , the attackers know the user has opened the document and send another 
spear-phishing email , this time containing an MS Word document with an embedded executable .", "spans": {"Organization: attackers": [[20, 29]], "System: spear-phishing email": [[85, 105]], "Malware: MS Word document": [[132, 148]]}, "info": {"id": "dnrti_test_006376", "source": "dnrti_test"}} {"text": "The Word document usually exploits CVE-2012-0158 .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]]}, "info": {"id": "dnrti_test_006377", "source": "dnrti_test"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: attackers": [[14, 23]], "Malware: MS PowerPoint document": [[32, 54]], "Vulnerability: CVE-2014-6352": [[80, 93]]}, "info": {"id": "dnrti_test_006378", "source": "dnrti_test"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: Patchwork": [[10, 19]], "Malware: MS PowerPoint document": [[28, 50]], "Vulnerability: CVE-2014-6352": [[76, 89]]}, "info": {"id": "dnrti_test_006379", "source": "dnrti_test"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior .", "spans": {"Malware: malicious documents": [[4, 23]]}, "info": {"id": "dnrti_test_006380", "source": "dnrti_test"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]]}, "info": {"id": "dnrti_test_006381", "source": "dnrti_test"}} {"text": "One of the favorite methods used by the Pitty 
Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"Organization: Pitty Tiger group": [[40, 57]], "Malware: Microsoft Office Word document": [[86, 116]], "Vulnerability: CVE-2012-0158": [[159, 172]]}, "info": {"id": "dnrti_test_006382", "source": "dnrti_test"}} {"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server .", "spans": {"Organization: threat group": [[5, 17]], "Malware: Backdoor.APT.Pgift": [[54, 72]]}, "info": {"id": "dnrti_test_006383", "source": "dnrti_test"}} {"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) – This malware is likely used as a second-stage backdoor .", "spans": {"Malware: Backdoor.APT.PittyTiger1.3": [[0, 26]], "Malware: CT RAT": [[33, 39]], "Malware: second-stage backdoor": [[77, 98]]}, "info": {"id": "dnrti_test_006384", "source": "dnrti_test"}} {"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks .", "spans": {"Malware: Enfal malware": [[21, 34]], "Malware: Backdoor.APT.Pgift": [[77, 95]]}, "info": {"id": "dnrti_test_006385", "source": "dnrti_test"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"Malware: ActiveX control": [[46, 61]], "Malware: JavaScript file": [[76, 91]], "Vulnerability: CVE-2013-7331": [[203, 216]]}, "info": {"id": "dnrti_test_006386", "source": "dnrti_test"}} {"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message .", "spans": {"Malware: malicious document": [[46, 
64]], "System: spear phishing email message": [[75, 103]]}, "info": {"id": "dnrti_test_006387", "source": "dnrti_test"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory .", "spans": {"Malware: CreateRemoteThread": [[192, 210]], "Malware: WriteProcessMemory": [[214, 232]]}, "info": {"id": "dnrti_test_006388", "source": "dnrti_test"}} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) .", "spans": {"Organization: PLATINUM": [[32, 40]], "Malware: AMT Technology SDK": [[77, 95]], "Malware: Redirection Library API": [[99, 122]], "Malware: imrsdk.dll": [[125, 135]]}, "info": {"id": "dnrti_test_006389", "source": "dnrti_test"}} {"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp .", "spans": {"Malware: Hermes": [[31, 37]], "Malware: bitsran.exe": [[42, 53]], "Malware: RSW7B37.tmp": [[58, 69]]}, "info": {"id": "dnrti_test_006390", "source": "dnrti_test"}} {"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak .", "spans": {"Organization: Proofpoint": [[0, 10]], "Organization: Turla": [[100, 105]], "Malware: dropper": [[128, 135]], "Malware: JS/KopiLuwak": [[168, 180]]}, "info": {"id": "dnrti_test_006391", "source": "dnrti_test"}} {"text": "However , over the last nine campaigns since Trend Micro‘s June report , TA505 also started using .ISO image attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader .", "spans": {"Organization: Trend Micro‘s": [[45, 58]], "Organization: TA505": [[73, 78]], "Malware: .NET 
downloader": [[158, 173]], "Malware: ServHelper": [[228, 238]], "Malware: .DLL variant": [[247, 259]]}, "info": {"id": "dnrti_test_006392", "source": "dnrti_test"}} {"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file .", "spans": {"Malware: VBS file": [[114, 122]], "Malware: INI file": [[130, 138]]}, "info": {"id": "dnrti_test_006393", "source": "dnrti_test"}} {"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe .", "spans": {"Malware: INI file": [[4, 12]], "Malware: PowerShell": [[100, 110]], "Malware: VBS file": [[151, 159]], "Malware: WScript.exe": [[179, 190]]}, "info": {"id": "dnrti_test_006394", "source": "dnrti_test"}} {"text": "cmstp.exe system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file .", "spans": {"Malware: cmstp.exe": [[0, 9], [27, 36]], "Malware: SCT file": [[65, 73]], "Malware: INF file": [[97, 105]]}, "info": {"id": "dnrti_test_006395", "source": "dnrti_test"}} {"text": "The following are the three files:Defender.sct – The malicious JavaScript based scriptlet file .", "spans": {"Malware: files:Defender.sct": [[28, 46]], "Malware: scriptlet": [[80, 89]], "Malware: file": [[90, 94]]}, "info": {"id": "dnrti_test_006396", "source": "dnrti_test"}} {"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host .", "spans": {"Malware: malware": [[56, 63]], "Malware: PingCastle": [[118, 128]], "Malware: EternalBlue": [[133, 144]]}, "info": {"id": "dnrti_test_006397", "source": "dnrti_test"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": 
{"Malware: document files": [[4, 18]], "Vulnerability: vulnerabilities": [[48, 63]]}, "info": {"id": "dnrti_test_006398", "source": "dnrti_test"}} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so .", "spans": {"Malware: malware": [[4, 11]], "System: The Onion Router": [[74, 90]]}, "info": {"id": "dnrti_test_006399", "source": "dnrti_test"}} {"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer .", "spans": {"Malware: InstallUtiil.exe": [[56, 72]], "Malware: Tor": [[94, 97]], "Malware: anonymizer": [[98, 108]]}, "info": {"id": "dnrti_test_006400", "source": "dnrti_test"}} {"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller’s payload .", "spans": {"Malware: binary files": [[32, 44]], "Malware: imain.bin": [[88, 97]]}, "info": {"id": "dnrti_test_006401", "source": "dnrti_test"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier .", "spans": {"Malware: it": [[26, 28]]}, "info": {"id": "dnrti_test_006402", "source": "dnrti_test"}} {"text": "During our investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING .", "spans": {"Organization: FireEye": [[45, 52]], "Malware: BADRABBIT": [[89, 98]], "Malware: BACKSWING": [[166, 175]]}, "info": {"id": "dnrti_test_006403", "source": "dnrti_test"}} {"text": "Incident Background Beginning on Oct. 
24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware .", "spans": {"Organization: FireEye": [[56, 63]], "Malware: (install_flash_player.exe)": [[177, 203]], "Malware: ransomware": [[241, 251]]}, "info": {"id": "dnrti_test_006404", "source": "dnrti_test"}} {"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro .", "spans": {"Organization: 1:FireEye": [[37, 46]], "Malware: BACKSWING": [[77, 86]], "Organization: hospitality organization": [[142, 166]], "Organization: government": [[184, 194]]}, "info": {"id": "dnrti_test_006405", "source": "dnrti_test"}} {"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol.com , which hosted the BADRABBIT dropper .", "spans": {"Organization: FireEye": [[6, 13], [142, 149]], "Organization: BACKSWING": [[40, 49], [73, 82]], "Malware: BADRABBIT": [[61, 70]], "Malware: BADRABBIT dropper": [[198, 215]]}, "info": {"id": "dnrti_test_006406", "source": "dnrti_test"}} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network .", "spans": {"System: Harvested credentials": [[0, 21]], "Malware: Mimikatz": [[46, 54]]}, "info": {"id": "dnrti_test_006407", "source": "dnrti_test"}} {"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found .", "spans": {"Malware: infpub.dat": [[20, 30]], "Malware: specific file": [[47, 60]]}, "info": {"id": "dnrti_test_006408", "source": "dnrti_test"}} {"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code 
, Reverse Engineering , Nick Harbour , and Incident Response .", "spans": {"Malware: entry": [[5, 10]], "Malware: Reverse Engineering": [[74, 93]], "Malware: Nick Harbour": [[96, 108]]}, "info": {"id": "dnrti_test_006409", "source": "dnrti_test"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_test_006410", "source": "dnrti_test"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_test_006411", "source": "dnrti_test"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: malicious.DOC": [[86, 99]], "Vulnerability: Microsoft Common Controls vulnerability": [[119, 158]], "Vulnerability: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_test_006412", "source": "dnrti_test"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its 
age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_test_006413", "source": "dnrti_test"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"Malware: document": [[7, 15]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Vulnerability: CVE-2013-3906": [[80, 93]], "Vulnerability: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_test_006414", "source": "dnrti_test"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Organization: Patchwork": [[9, 18]], "Malware: RTF files": [[45, 54]], "Vulnerability: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_test_006415", "source": "dnrti_test"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTML Application": [[71, 87]], "Malware: HTA": [[90, 93]], "Malware: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_test_006416", "source": "dnrti_test"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: Microsoft Office exploits": [[37, 62]], "Malware: Exploit.MSWord.CVE-2010-333": [[110, 137]], "Malware: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "dnrti_test_006417", "source": 
"dnrti_test"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_test_006418", "source": "dnrti_test"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"Vulnerability: CVE-2017-0143": [[0, 13]], "Malware: tools—EternalRomance": [[49, 69]], "Malware: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_test_006419", "source": "dnrti_test"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"Malware: RTF": [[5, 8]], "Vulnerability: CVE-2017_1882": [[28, 41]], "Malware: eqnedt32.exe": [[45, 57]]}, "info": {"id": "dnrti_test_006420", "source": "dnrti_test"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_test_006421", "source": "dnrti_test"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"Malware: RTF files": [[52, 61]], "Vulnerability: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_test_006422", "source": "dnrti_test"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Organization: Anomali": [[0, 7]], "Malware: ITW": [[86, 89]], "Vulnerability: CVE-2018-0798": 
[[117, 130]]}, "info": {"id": "dnrti_test_006423", "source": "dnrti_test"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"Vulnerability: CVE-2017-11882": [[66, 80]], "Malware: 'NavShExt.dll'": [[147, 161]], "Malware: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_test_006424", "source": "dnrti_test"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: CVE-2017-1182": [[87, 100]], "Malware: Microsoft Equation Editor": [[118, 143]], "Malware: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_test_006425", "source": "dnrti_test"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Malware: BalkanDoor": [[33, 43]], "Vulnerability: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_test_006426", "source": "dnrti_test"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"Malware: China Chopper": [[4, 17]], "Vulnerability: CVE-2015-0062": [[146, 159]], "Vulnerability: CVE-2015-1701": [[162, 175]], "Vulnerability: CVE-2016-0099": [[180, 193]], "Organization: attacker": [[207, 215]]}, "info": {"id": "dnrti_test_006427", "source": "dnrti_test"}} {"text": "The following 
archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]]}, "info": {"id": "dnrti_test_006428", "source": "dnrti_test"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_test_006429", "source": "dnrti_test"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "Organization: military officials": [[63, 81]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_test_006430", "source": "dnrti_test"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Organization: specific individuals": [[82, 102]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_test_006431", "source": "dnrti_test"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 
53]], "System: phishing": [[56, 64]], "Organization: specific individuals": [[83, 103]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_test_006432", "source": "dnrti_test"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_test_006433", "source": "dnrti_test"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Organization: consumer": [[76, 84]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_test_006434", "source": "dnrti_test"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]], "Organization: customers": [[126, 135]]}, "info": {"id": "dnrti_test_006435", "source": "dnrti_test"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], "Organization: chemical makers": [[78, 93]], "Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_test_006436", "source": 
"dnrti_test"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]], "Organization: customers": [[187, 196]]}, "info": {"id": "dnrti_test_006437", "source": "dnrti_test"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Organization: consumer": [[76, 84]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_test_006438", "source": "dnrti_test"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]], "Organization: customers": [[126, 135]]}, "info": {"id": "dnrti_test_006439", "source": "dnrti_test"}} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own .", "spans": {"Organization: APT41": [[41, 46]], "System: injected malicious code": [[47, 70]]}, "info": {"id": "dnrti_test_006440", "source": "dnrti_test"}} {"text": "In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer .", "spans": {"Organization: APT41": [[21, 26], [146, 151]], "Malware: TeamViewer": [[37, 47]]}, "info": {"id": "dnrti_test_006441", "source": "dnrti_test"}} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money 
transfer (RMT) purchases .", "spans": {"Organization: APT41": [[0, 5]]}, "info": {"id": "dnrti_test_006442", "source": "dnrti_test"}} {"text": "In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment .", "spans": {"Organization: APT41": [[20, 25]], "Malware: POISONPLUG": [[36, 46]], "Malware: HIGHNOON": [[87, 95]]}, "info": {"id": "dnrti_test_006443", "source": "dnrti_test"}} {"text": "In another instance , APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons .", "spans": {"Organization: APT41": [[22, 27]]}, "info": {"id": "dnrti_test_006444", "source": "dnrti_test"}} {"text": "The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets .", "spans": {"Organization: APT41": [[34, 39]]}, "info": {"id": "dnrti_test_006445", "source": "dnrti_test"}} {"text": "At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials .", "spans": {"Organization: BITTER APT": [[84, 94]]}, "info": {"id": "dnrti_test_006446", "source": "dnrti_test"}} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations .", "spans": {"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_test_006447", "source": "dnrti_test"}} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes .", "spans": {"Organization: They": [[0, 4]]}, "info": {"id": "dnrti_test_006448", "source": "dnrti_test"}} {"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and 
downloaded the MSI files from the attacker’s server when the malicious documents were run .", "spans": {"Organization: SectorJ04": [[0, 9]], "System: spear phishing": [[19, 33]], "Organization: attacker’s": [[130, 140]]}, "info": {"id": "dnrti_test_006449", "source": "dnrti_test"}} {"text": "Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule .", "spans": {"Organization: Group-IB": [[0, 8]], "Organization: Silence’s": [[111, 120]]}, "info": {"id": "dnrti_test_006450", "source": "dnrti_test"}} {"text": "The hackers will map a company’s network and look for strategically favorable locations for placing their malware .", "spans": {"Organization: hackers": [[4, 11]]}, "info": {"id": "dnrti_test_006451", "source": "dnrti_test"}} {"text": "Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain .", "spans": {"Organization: APT10": [[12, 17]], "System: employ": [[27, 33]]}, "info": {"id": "dnrti_test_006452", "source": "dnrti_test"}} {"text": "If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out .", "spans": {"Organization: hackers": [[50, 57]]}, "info": {"id": "dnrti_test_006453", "source": "dnrti_test"}} {"text": "Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities .", "spans": {"Organization: threat actors": [[91, 104]]}, "info": {"id": "dnrti_test_006454", "source": "dnrti_test"}} {"text": "The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure 
.", "spans": {"Organization: FIN7": [[36, 40]], "Organization: various companies": [[74, 91]]}, "info": {"id": "dnrti_test_006455", "source": "dnrti_test"}} {"text": "Alpha’s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega .", "spans": {"Organization: Alpha’s": [[0, 7]]}, "info": {"id": "dnrti_test_006456", "source": "dnrti_test"}} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials .", "spans": {"System: phishing": [[34, 42], [124, 132]], "Organization: Scattered Canary": [[95, 111]]}, "info": {"id": "dnrti_test_006457", "source": "dnrti_test"}} {"text": "In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) .", "spans": {"Organization: Turla": [[44, 49]]}, "info": {"id": "dnrti_test_006458", "source": "dnrti_test"}} {"text": "Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant .", "spans": {"Malware: Azazel": [[20, 26]], "Organization: Winnti developers": [[34, 51]]}, "info": {"id": "dnrti_test_006459", "source": "dnrti_test"}} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code .", "spans": {"Organization: Kaspersky": [[14, 23]], "Organization: Lazarus": [[50, 57]]}, "info": {"id": "dnrti_test_006460", "source": "dnrti_test"}} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits .", "spans": {"Organization: APT19": [[0, 5]], "Malware: Microsoft Excel 
files": [[57, 78]]}, "info": {"id": "dnrti_test_006461", "source": "dnrti_test"}} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time .", "spans": {"Malware: CARBANAK": [[80, 88]]}, "info": {"id": "dnrti_test_006462", "source": "dnrti_test"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_test_006463", "source": "dnrti_test"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_test_006464", "source": "dnrti_test"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": {"Malware: Pony": [[48, 52]], "Malware: Vawtrak": [[57, 64]]}, "info": {"id": "dnrti_test_006465", "source": "dnrti_test"}} {"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": {"Malware: Ploutus-D": [[0, 9]], "Malware: (K3A.Platform.dll)": [[82, 100]]}, "info": {"id": "dnrti_test_006466", "source": "dnrti_test"}} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": {"Malware: DarkPulsar": [[0, 10]], "Malware: backdoor": [[81, 89]], "Malware: sipauth32.tsp": [[98, 111]]}, "info": {"id": "dnrti_test_006467", "source": "dnrti_test"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with 
Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"Organization: APT32": [[27, 32]], "System: social engineering emails": [[43, 68]], "Malware: Microsoft ActiveMime file": [[74, 99]]}, "info": {"id": "dnrti_test_006468", "source": "dnrti_test"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {"Organization: group": [[4, 9]], "Malware: legitimate administration tools": [[15, 46]]}, "info": {"id": "dnrti_test_006469", "source": "dnrti_test"}} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Organization: PittyTiger": [[0, 10]], "Vulnerability: Heartbleed vulnerability": [[36, 60]]}, "info": {"id": "dnrti_test_006470", "source": "dnrti_test"}} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Vulnerability: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "dnrti_test_006471", "source": "dnrti_test"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"Vulnerability: CVE-2017-10271": [[110, 124]], "Malware: PowerShell": [[138, 148]], "System: executing": [[222, 231]], "System: using ShellExecute()": [[235, 255]]}, "info": {"id": "dnrti_test_006472", "source": "dnrti_test"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"Organization: APT28": [[0, 5]], "Vulnerability: EternalBlue exploit": [[46, 65]], "Malware: open source tool": [[74, 90]], "Malware: 
Responder": [[91, 100]]}, "info": {"id": "dnrti_test_006473", "source": "dnrti_test"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[51, 58]], "Organization: espionage": [[76, 85]]}, "info": {"id": "dnrti_test_006474", "source": "dnrti_test"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"Vulnerability: Carbanak": [[32, 40]], "Vulnerability: CVE-2013-3660": [[209, 222]]}, "info": {"id": "dnrti_test_006475", "source": "dnrti_test"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"Malware: Remote Desktop Protocol": [[57, 80]], "Malware: RDP": [[83, 86]], "Vulnerability: Carbanak": [[91, 99]]}, "info": {"id": "dnrti_test_006476", "source": "dnrti_test"}} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"Vulnerability: Carbanak": [[75, 83]], "Organization: cyber-criminal gang": [[88, 107]], "System: APT techniques": [[137, 151]], "Organization: financial institutions": [[209, 231]]}, "info": {"id": "dnrti_test_006477", "source": "dnrti_test"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"Organization: ‘Operation 
Sheep’": [[7, 24]], "Vulnerability: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "dnrti_test_006478", "source": "dnrti_test"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[51, 72]], "Malware: Microsoft Word attachment": [[80, 105]], "Vulnerability: CVE-2017-0199": [[138, 151]], "Malware: ZeroT Trojan": [[166, 178]], "Malware: PlugX Remote Access Trojan": [[210, 236]], "Malware: RAT": [[239, 242]]}, "info": {"id": "dnrti_test_006479", "source": "dnrti_test"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"System: spear-phishing emails": [[55, 76]], "Malware: Microsoft Word attachment": [[84, 109]], "Vulnerability: CVE-2017-0199": [[142, 155]], "Malware: ZeroT Trojan": [[170, 182]], "Malware: PlugX Remote Access Trojan": [[214, 240]], "Malware: RAT": [[243, 246]]}, "info": {"id": "dnrti_test_006480", "source": "dnrti_test"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: malicious.DOC": [[86, 99]], "Vulnerability: Microsoft Common Controls vulnerability": [[119, 158]], "Vulnerability: CVE-2012-0158": [[161, 174]]}, "info": {"id": "dnrti_test_006481", "source": "dnrti_test"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", 
"spans": {"Malware: documents": [[4, 13]], "System: spear-phishing e-mails": [[26, 48]], "Vulnerability: CVE-2012-0158": [[97, 110]], "Vulnerability: Microsoft Word vulnerabilities": [[166, 196]]}, "info": {"id": "dnrti_test_006482", "source": "dnrti_test"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"Malware: document": [[7, 15]], "Vulnerability: CVE-2012-0158": [[64, 77]], "Vulnerability: CVE-2013-3906": [[80, 93]], "Vulnerability: CVE-2014-1761": [[97, 110]]}, "info": {"id": "dnrti_test_006483", "source": "dnrti_test"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Organization: Patchwork": [[9, 18]], "Malware: RTF files": [[45, 54]], "Vulnerability: CVE-2017-8570": [[66, 79]]}, "info": {"id": "dnrti_test_006484", "source": "dnrti_test"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTML Application": [[71, 87]], "Malware: HTA": [[90, 93]], "Malware: mshta.exe": [[223, 232]]}, "info": {"id": "dnrti_test_006485", "source": "dnrti_test"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Vulnerability: Microsoft Office exploits": [[37, 62]], "Malware: Exploit.MSWord.CVE-2010-333": [[110, 137]], "Malware: Exploit.Win32.CVE-2012-0158": [[140, 167]]}, "info": {"id": "dnrti_test_006486", "source": "dnrti_test"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute 
malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_test_006487", "source": "dnrti_test"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"Vulnerability: CVE-2017-0143": [[0, 13]], "Malware: tools—EternalRomance": [[49, 69]], "Malware: EternalSynergy—that": [[74, 93]]}, "info": {"id": "dnrti_test_006488", "source": "dnrti_test"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe .", "spans": {"Malware: RTF": [[5, 8]], "Vulnerability: CVE-2017_1882": [[28, 41]], "Malware: eqnedt32.exe": [[45, 57]]}, "info": {"id": "dnrti_test_006489", "source": "dnrti_test"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "dnrti_test_006490", "source": "dnrti_test"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) .", "spans": {"Malware: RTF files": [[52, 61]], "Vulnerability: CVE-2018-0798": [[82, 95]]}, "info": {"id": "dnrti_test_006491", "source": "dnrti_test"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Organization: Anomali": [[0, 7]], "Malware: ITW": [[86, 89]], "Vulnerability: CVE-2018-0798": [[117, 130]]}, "info": {"id": "dnrti_test_006492", "source": "dnrti_test"}} {"text": "Upon opening of the MS Word 
document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"Vulnerability: CVE-2017-11882": [[66, 80]], "Malware: 'NavShExt.dll'": [[147, 161]], "Malware: iexplore.exe": [[192, 204]]}, "info": {"id": "dnrti_test_006493", "source": "dnrti_test"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: CVE-2017-1182": [[87, 100]], "Malware: Microsoft Equation Editor": [[118, 143]], "Malware: 'EQNEDT32.exe'": [[146, 160]]}, "info": {"id": "dnrti_test_006494", "source": "dnrti_test"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Malware: BalkanDoor": [[33, 43]], "Vulnerability: CVE-2018-20250": [[228, 242]]}, "info": {"id": "dnrti_test_006495", "source": "dnrti_test"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"Malware: China Chopper": [[4, 17]], "Vulnerability: CVE-2015-0062": [[146, 159]], "Vulnerability: CVE-2015-1701": [[162, 175]], "Vulnerability: CVE-2016-0099": [[180, 193]], "Organization: attacker": [[207, 215]]}, "info": {"id": "dnrti_test_006496", "source": "dnrti_test"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content 
.", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]]}, "info": {"id": "dnrti_test_006497", "source": "dnrti_test"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"System: emails": [[7, 13]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]]}, "info": {"id": "dnrti_test_006498", "source": "dnrti_test"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"Organization: security firm": [[17, 30]], "System: spear-phishing emails": [[86, 107]], "Vulnerability: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "dnrti_test_006499", "source": "dnrti_test"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: PLATINUM": [[0, 8]], "System: spear phishing tactics": [[30, 52]], "System: phishing": [[55, 63]], "Vulnerability: zero-day exploits": [[143, 160]]}, "info": {"id": "dnrti_test_006500", "source": "dnrti_test"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"Organization: group": [[4, 9]], "System: spear phishing tactics": [[31, 53]], "System: phishing": [[56, 64]], "Vulnerability: zero-day exploits": [[144, 161]]}, "info": {"id": "dnrti_test_006501", "source": "dnrti_test"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals 
use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_test_006502", "source": "dnrti_test"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_test_006503", "source": "dnrti_test"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]]}, "info": {"id": "dnrti_test_006504", "source": "dnrti_test"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"Malware: PIVY": [[0, 4], [266, 270]], "Organization: government agencies": [[96, 115]], "Organization: defense contractors": [[118, 137]], "Organization: attackers": [[208, 217]], "Vulnerability: zero-day vulnerability": [[225, 247]]}, "info": {"id": "dnrti_test_006505", "source": "dnrti_test"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: criminals": [[95, 104]], "System: APT techniques": [[109, 123]]}, "info": {"id": "dnrti_test_006506", "source": "dnrti_test"}} {"text": "Carbanak has its origin in more common financial fraud 
including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Vulnerability: Carbanak": [[0, 8]], "Malware: Carberp": [[176, 183]]}, "info": {"id": "dnrti_test_006507", "source": "dnrti_test"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"Organization: CSIS": [[50, 54]], "Vulnerability: Carbanak": [[88, 96]]}, "info": {"id": "dnrti_test_006508", "source": "dnrti_test"}} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_test_006509", "source": "dnrti_test"}} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine .", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "dnrti_test_006510", "source": "dnrti_test"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"Malware: malware": [[4, 11]], "Malware: CMD/PowerShell": [[40, 54]], "Organization: attackers": [[72, 81]]}, "info": {"id": "dnrti_test_006511", "source": "dnrti_test"}} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": {"Malware: SWAnalytics": [[34, 45]]}, "info": {"id": "dnrti_test_006512", "source": "dnrti_test"}} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": {"Malware: module": [[5, 11]]}, "info": {"id": "dnrti_test_006513", "source": 
"dnrti_test"}} {"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in .", "spans": {"Malware: SWAnalytics": [[60, 71]]}, "info": {"id": "dnrti_test_006514", "source": "dnrti_test"}} {"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” .", "spans": {"Malware: SWAnalytics": [[24, 35]]}, "info": {"id": "dnrti_test_006515", "source": "dnrti_test"}} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": {"Malware: SWAnalytics": [[25, 36]]}, "info": {"id": "dnrti_test_006516", "source": "dnrti_test"}} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": {"Malware: SWAnalytics": [[50, 61]]}, "info": {"id": "dnrti_test_006517", "source": "dnrti_test"}} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": {"Malware: TajMahal": [[37, 45]]}, "info": {"id": "dnrti_test_006518", "source": "dnrti_test"}} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": {"Malware: KopiLuwak": [[21, 30]]}, "info": {"id": "dnrti_test_006519", "source": "dnrti_test"}} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"Malware: Trojan": [[33, 39]]}, "info": {"id": "dnrti_test_006520", "source": "dnrti_test"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"Malware: PowerShell": [[4, 14]]}, "info": {"id": "dnrti_test_006521", "source": "dnrti_test"}} {"text": "Initial reports about 
HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations .", "spans": {"Malware: HIGHNOON": [[22, 30]], "Organization: Winnti": [[69, 75]]}, "info": {"id": "dnrti_test_006522", "source": "dnrti_test"}} {"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse .", "spans": {"Malware: BalkanRAT": [[0, 9]], "Malware: BalkanDoor": [[120, 130]]}, "info": {"id": "dnrti_test_006523", "source": "dnrti_test"}} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience .", "spans": {"Malware: backdoor": [[4, 12]]}, "info": {"id": "dnrti_test_006524", "source": "dnrti_test"}} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": {"Malware: China Chopper": [[0, 13]], "Organization: attackers": [[36, 45]]}, "info": {"id": "dnrti_test_006525", "source": "dnrti_test"}} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"Malware: China Chopper": [[0, 13]]}, "info": {"id": "dnrti_test_006526", "source": "dnrti_test"}} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords .", "spans": {"Malware: tool": [[4, 8]]}, "info": {"id": "dnrti_test_006527", "source": "dnrti_test"}} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": {"Malware: More_eggs 
malware": [[31, 48]], "Malware: cmd.exe": [[132, 139]]}, "info": {"id": "dnrti_test_006528", "source": "dnrti_test"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_test_006529", "source": "dnrti_test"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_test_006530", "source": "dnrti_test"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_test_006531", "source": "dnrti_test"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"Vulnerability: exploit": [[4, 11]], "Organization: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_test_006532", "source": "dnrti_test"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"Malware: them": [[22, 26]]}, "info": {"id": "dnrti_test_006533", "source": "dnrti_test"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server .", "spans": {"Malware: Pony DLL": [[89, 97]], "Malware: Vawtrak": [[102, 109]]}, "info": {"id": "dnrti_test_006534", "source": "dnrti_test"}} {"text": "After the executable is 
executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": {"Malware: Pony": [[48, 52]], "Malware: Vawtrak": [[57, 64]]}, "info": {"id": "dnrti_test_006535", "source": "dnrti_test"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine .", "spans": {"Malware: RIPPER": [[58, 64]]}, "info": {"id": "dnrti_test_006536", "source": "dnrti_test"}} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad .", "spans": {}, "info": {"id": "dnrti_test_006537", "source": "dnrti_test"}} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space .", "spans": {"Organization: threat actors": [[4, 17]]}, "info": {"id": "dnrti_test_006538", "source": "dnrti_test"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "dnrti_test_006539", "source": "dnrti_test"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]]}, "info": {"id": "dnrti_test_006540", "source": "dnrti_test"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]]}, "info": {"id": "dnrti_test_006541", "source": "dnrti_test"}} {"text": 
"Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"Malware: Mimikatz": [[0, 8]]}, "info": {"id": "dnrti_test_006542", "source": "dnrti_test"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"Vulnerability: exploit": [[4, 11]], "Organization: Silence’s": [[21, 30]]}, "info": {"id": "dnrti_test_006543", "source": "dnrti_test"}} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"Organization: group": [[20, 25]]}, "info": {"id": "dnrti_test_006544", "source": "dnrti_test"}} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": {"Organization: threat group": [[5, 17]]}, "info": {"id": "dnrti_test_006545", "source": "dnrti_test"}} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications .", "spans": {"Organization: threat group": [[5, 17]]}, "info": {"id": "dnrti_test_006546", "source": "dnrti_test"}} {"text": "Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs .", "spans": {"Organization: threat group": [[45, 57]], "Organization: Iranian Government": [[104, 122]]}, "info": {"id": "dnrti_test_006547", "source": "dnrti_test"}} {"text": "The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": 
{"Organization: group": [[4, 9]]}, "info": {"id": "dnrti_test_006548", "source": "dnrti_test"}} {"text": "HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals .", "spans": {"Organization: HELIX KITTEN": [[0, 12]], "Organization: group": [[50, 55]]}, "info": {"id": "dnrti_test_006549", "source": "dnrti_test"}} {"text": "The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry .", "spans": {"Organization: companies": [[60, 69]]}, "info": {"id": "dnrti_test_006550", "source": "dnrti_test"}} {"text": "Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India .", "spans": {"Organization: government organizations": [[22, 46]]}, "info": {"id": "dnrti_test_006551", "source": "dnrti_test"}} {"text": "In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle .", "spans": {}, "info": {"id": "dnrti_test_006552", "source": "dnrti_test"}} {"text": "CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: TG-3390": [[39, 46]], "Organization: defense contractors": [[164, 183]]}, "info": {"id": "dnrti_test_006553", "source": "dnrti_test"}} {"text": "Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in 
other countries and verticals .", "spans": {"Malware: SWCs": [[34, 38]], "Organization: TG-3390": [[41, 48]]}, "info": {"id": "dnrti_test_006554", "source": "dnrti_test"}}
{"text": "TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication .", "spans": {"Organization: TG-3390": [[0, 7]]}, "info": {"id": "dnrti_test_006555", "source": "dnrti_test"}}
{"text": "CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"Organization: CTU": [[0, 3]], "Organization: defense contractors": [[169, 188]]}, "info": {"id": "dnrti_test_006556", "source": "dnrti_test"}}
{"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": {"Organization: CTU": [[28, 31]], "Organization: TG-3390": [[56, 63]]}, "info": {"id": "dnrti_test_006557", "source": "dnrti_test"}}
{"text": "In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world .", "spans": {"Malware: SWC": [[67, 70]], "Organization: international industry organization": [[94, 129]], "Organization: utilities organizations": [[205, 228]]}, "info": {"id": "dnrti_test_006558", "source": "dnrti_test"}}
{"text": "In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems .", "spans": {}, "info": {"id": "dnrti_test_006559", "source": "dnrti_test"}}
{"text": "Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts .", "spans": {"Organization: Leafminer": [[0, 9]], "System: network services": [[134, 150]], "System: brute-force login": [[173, 190]]}, "info": {"id": "dnrti_test_006560", "source": "dnrti_test"}}
{"text": "Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year .", "spans": {"Organization: Leafminer": [[0, 9]], "System: Process Doppelganging": [[24, 45]]}, "info": {"id": "dnrti_test_006561", "source": "dnrti_test"}}
{"text": "On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties .", "spans": {"Organization: Proofpoint": [[32, 42]], "System: spearphishing emails": [[64, 84]], "Organization: group": [[95, 100]], "Organization: shipbuilding company": [[116, 136]]}, "info": {"id": "dnrti_test_006562", "source": "dnrti_test"}}
{"text": "Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"Organization: actor": [[29, 34]], "System: spearphishing emails": [[49, 69]], "Organization: defense contractors": [[129, 148]]}, "info": {"id": "dnrti_test_006563", "source": "dnrti_test"}}
{"text": "Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"Organization: Leviathan": [[29, 38]], "System: spearphishing emails": [[53, 73]], "Organization: defense contractors": [[133, 152]]}, "info": {"id": "dnrti_test_006564", "source": "dnrti_test"}}
{"text": "The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy .", "spans": {"Organization: Leviathan": [[4, 13]], "System: Microsoft Excel documents": [[32, 57]], "Organization: Navy": [[156, 160]]}, "info": {"id": "dnrti_test_006565", "source": "dnrti_test"}}
{"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"Organization: Spring Dragon group": [[14, 33]], "Vulnerability: spearphish exploits": [[60, 79]], "System: strategic web compromises": [[82, 107]]}, "info": {"id": "dnrti_test_006566", "source": "dnrti_test"}}
{"text": "On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: threat actors": [[24, 37]], "System: spear-phishing email": [[45, 65]], "Organization: individual": [[72, 82]]}, "info": {"id": "dnrti_test_006567", "source": "dnrti_test"}}
{"text": "On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: Lotus Blossom": [[24, 37]], "System: spear-phishing email": [[45, 65]], "Organization: individual": [[72, 82]]}, "info": {"id": "dnrti_test_006568", "source": "dnrti_test"}}
{"text": "The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros .", "spans": {"System: Excel": [[105, 110]], "System: Word documents": [[115, 129]]}, "info": {"id": "dnrti_test_006569", "source": "dnrti_test"}}
{"text": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover .", "spans": {"System: Word": [[30, 34]], "System: Excel": [[39, 44]], "Malware: MagicHound.Rollover": [[138, 157]]}, "info": {"id": "dnrti_test_006570", "source": "dnrti_test"}}
{"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"Organization: APT32": [[27, 32]], "System: social engineering emails": [[43, 68]], "Malware: Microsoft ActiveMime file": [[74, 99]]}, "info": {"id": "dnrti_test_006571", "source": "dnrti_test"}}
{"text": "APT33 often conducts spear-phishing operations using a built-in phishing module .", "spans": {"Organization: APT33": [[0, 5]], "System: spear-phishing": [[21, 35]], "System: phishing module": [[64, 79]]}, "info": {"id": "dnrti_test_006572", "source": "dnrti_test"}}
{"text": "In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry .", "spans": {"Organization: APT33": [[21, 26]], "System: spear-phishing emails": [[32, 53]]}, "info": {"id": "dnrti_test_006573", "source": "dnrti_test"}}
{"text": "These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files .", "spans": {"System: emails": [[6, 12]], "System: recruitment-themed lures": [[22, 46]], "Malware: HTML application": [[70, 86]], "Malware: HTA": [[89, 92]]}, "info": {"id": "dnrti_test_006574", "source": "dnrti_test"}}
{"text": "APT34 often uses compromised accounts to conduct spear-phishing operations .", "spans": {"Organization: APT34": [[0, 5]], "Malware: compromised accounts": [[17, 37]], "System: spear-phishing": [[49, 63]]}, "info": {"id": "dnrti_test_006575", "source": "dnrti_test"}}
{"text": "APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell .", "spans": {"Organization: APT33": [[0, 5]], "Malware: public and non-public tools": [[25, 52]], "System: spear-phishing": [[72, 86]], "System: phishing module": [[115, 130]], "Malware: ALFA TEaM Shell": [[138, 153]], "Malware: publicly available web shell": [[160, 188]]}, "info": {"id": "dnrti_test_006576", "source": "dnrti_test"}}