Merge pull request #76 from jgru/2021.10.19.LightBasin_UNC1945
Add CrowdStrike's report on UNC1945/LightBasin
This commit is contained in:
commit
0d8476a02e
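--- /dev/null
+++ b/2021/2021.10.19.UNC1945_LightBasin/IOCs/indicators.csv
@@ -0,0 +1,24 @@
+Indicator,SHA256 Hashes,Description
+/usr/local/sbin/iptables, 97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb, Trojanized iptables binary that replaced legitimate version
+/usr/bin/pingg,e9c0f00c34dcd28fc3cc53c9496bff863b81b06723145e106ab7016c66581f72 4668561d60daeb7a4a50a9c3e210a4343f92cadbf2d52caab5684440da6bf562,PingPong Implant
+/usr/lib/om_proc,3a259ad7e5c19a782f7736b5ac50aac4ba4d03b921ffc6a3ff6a48d720f02012 65143ccb5a955a22d6004033d073ecb49eba9227237a46929495246e36eff8e1,Microsocks Proxy
+/usr/lib/frpc,05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006 16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2,Fast Reverse Proxy
+/usr/lib/frpc.ini,N/A,Fast Reverse Proxy Configuration
+/usr/lib/cord.lib /usr/lib/libcord.so /usr/bin/libcord.so,6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0 c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d 9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc 4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181 ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689,CordScan – Telecommunications Scanning Utility
+/home/REDACTED/cordscan_raw_arm,cdf230a7e05c725a98ce95ad8f3e2155082d5a6b1e839c2b2653c3754f06c2e7,CordScan – Telecommunications Scanning Utility (ARM Architecture)
+/usr/lib/javacee,917495c2fd919d4d4baa2f8a3791bcfd58d605ee457a81feb52bc65eb706fd62,SIGTRANslator
+/usr/lib/sgsnemu /usr/bin/sgsnemu /usr/lib/sgsnemu_bak,bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8 78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6,SGSN Emulator
+/usr/lib/tshd,a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3,TinyShell
+/home/REDACTED/win7_exp/proxychains.conf /usr/lib/win7_exp/proxychains.conf,N/A,ProxyChains Configuration
+/var/tmp/.font-unix,N/A,SLAPSTICK Credential Output File
+/usr/local/sbin/iptables,97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb,Trojanized Iptables
+/usr/sbin/iptablesDir/ /sbin/iptablesDir/,N/A,Threat Actor-created directories containing legitimate copies of iptables utilities following installation of trojanized version
+45.76.215.0/24,N/A,Vultr IP range used by LightBasin
+167.179.91.0/24,N/A,Vultr IP range used by LightBasin
+45.32.116.0/24,N/A,Vultr IP range used by LightBasin
+207.148.24.0/24,N/A,Vultr IP range used by LightBasin
+172.104.79.0/24,N/A,Linode IP range used by LightBasin
+45.33.77.0/24,N/A,Linode IP range used by LightBasin
+139.162.156.0/24,N/A,Linode IP range used by LightBasin
+172.104.236.0/24,N/A,Linode IP range used by LightBasin
+172.104.129.0/24,N/A,Linode IP range used by LightBasin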
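Review bot: The first data row, `/usr/local/sbin/iptables, 97d4c9b5…, Trojanized iptables binary…`, has a space after each comma, so a consumer that does not strip fields stores the hash with a leading blank and never matches it against a file; the row should read `/usr/local/sbin/iptables,97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb,Trojanized iptables binary that replaced legitimate version`. The same indicator and hash appear a second time near the end with the shorter description `Trojanized Iptables`; one row is enough. Several rows pack multiple paths or multiple hashes into one cell separated by spaces (cord.lib, sgsnemu, proxychains.conf, iptablesDir), which every consumer has to split before it can match on a single value; one row per path/hash pair would make the file usable as-is. The network ranges mixed into the same table with `N/A` hashes would be clearer as a separate indicator type, so a hash-matching tool does not have to special-case CIDR strings.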
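--- /dev/null
+++ b/2021/2021.10.19.UNC1945_LightBasin/IOCs/indicators.json
@@ -0,0 +1,132 @@
+[
+{
+"/usr/local/sbin/iptables": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"/usr/bin/pingg": [
+"e9c0f00c34dcd28fc3cc53c9496bff863b81b06723145e106ab7016c66581f72",
+"4668561d60daeb7a4a50a9c3e210a4343f92cadbf2d52caab5684440da6bf562"
+]
+},
+{
+"/usr/lib/om_proc": [
+"3a259ad7e5c19a782f7736b5ac50aac4ba4d03b921ffc6a3ff6a48d720f02012",
+"65143ccb5a955a22d6004033d073ecb49eba9227237a46929495246e36eff8e1"
+]
+},
+{
+"/usr/lib/frpc": [
+"05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006",
+"16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2"
+]
+},
+{
+"/usr/lib/frpc.ini": [
+"05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006",
+"16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2"
+]
+},
+{
+"/usr/lib/cord.lib": [
+"6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0",
+"c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d",
+"9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc",
+"4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181",
+"ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689"
+]
+},
+{
+"/usr/lib/libcord.so": [
+"6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0",
+"c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d",
+"9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc",
+"4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181",
+"ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689"
+]
+},
+{
+"/usr/bin/libcord.so": [
+"6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0",
+"c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d",
+"9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc",
+"4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181",
+"ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689"
+]
+},
+{
+"/home/REDACTED/cordscan_raw_arm": "cdf230a7e05c725a98ce95ad8f3e2155082d5a6b1e839c2b2653c3754f06c2e7"
+},
+{
+"/usr/lib/javacee": "917495c2fd919d4d4baa2f8a3791bcfd58d605ee457a81feb52bc65eb706fd62"
+},
+{
+"/usr/lib/sgsnemu": [
+"bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8",
+"78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c",
+"b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6"
+]
+},
+{
+"/usr/bin/sgsnemu": [
+"bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8",
+"78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c",
+"b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6"
+]
+},
+{
+"/usr/lib/sgsnemu_bak": [
+"bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8",
+"78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c",
+"b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6"
+]
+},
+{
+"/usr/lib/tshd": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+},
+{
+"/home/REDACTED/win7_exp/proxychains.conf": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+},
+{
+"/usr/lib/win7_exp/proxychains.conf": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+},
+{
+"/var/tmp/.font-unix": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+},
+{
+"/usr/local/sbin/iptables": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"/usr/sbin/iptablesDir/": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"/sbin/iptablesDir/": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"45.76.215.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"167.179.91.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"45.32.116.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"207.148.24.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"172.104.79.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"45.33.77.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"139.162.156.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"172.104.236.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+},
+{
+"172.104.129.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+}
+]
+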
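Review bot: Every indicator that has `N/A` in the CSV is given the hash of the entry before it: `/usr/lib/frpc.ini` carries the two frpc binary hashes, the two `proxychains.conf` paths and `/var/tmp/.font-unix` carry the tshd hash, and both `iptablesDir/` entries plus all nine CIDR ranges carry the trojanized-iptables hash, which looks like a fill-forward from the empty CSV cells during conversion. A tool that loads this file will bind a file hash to a config path, a credential-output file and network ranges, so any match it raises on those keys is meaningless and hides the real iptables hit. Those fourteen entries should carry `null` (or the network ranges should move to a separate list keyed by indicator type), as below for the first seven; the remaining eight CIDR entries take the same shape. `/usr/local/sbin/iptables` is also listed twice with the same value, so one of the two objects should go.

```json
{
  "/usr/lib/frpc.ini": null
},
{
  "/home/REDACTED/win7_exp/proxychains.conf": null
},
{
  "/usr/lib/win7_exp/proxychains.conf": null
},
{
  "/var/tmp/.font-unix": null
},
{
  "/usr/sbin/iptablesDir/": null
},
{
  "/sbin/iptablesDir/": null
},
{
  "45.76.215.0/24": null
}
```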
BIN
2021/2021.10.19.UNC1945_LightBasin/LightBasin_A-Roaming-Threat-to-Telecommunications-Companies_CrowdStrike.pdf
Normal file
BIN
2021/2021.10.19.UNC1945_LightBasin/LightBasin_A-Roaming-Threat-to-Telecommunications-Companies_CrowdStrike.pdf
Normal file
Binary file not shown.
@ -28,6 +28,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
|
||||
:small_blue_diamond: [vx-underground](https://vx-underground.org/apts.html) <br>
|
||||
|
||||
## 2021
|
||||
* Oct 19 - [[CrowdStrike] LightBasin: A Roaming Threat to Telecommunications Companies](https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/) | [:closed_book:](../../blob/master/2021/021.10.19.UNC1945_LightBasin)
|
||||
* Oct 26 - [[JPCERT] Malware WinDealer used by LuoYu Attack Group](https://blogs.jpcert.or.jp/en/2021/10/windealer.html) | [:closed_book:](../../blob/master/2021/2021.10.26.WinDealer_LuoYu_Group)
|
||||
* Oct 19 - [[Proofpoint] Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant](https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant) | [:closed_book:](../../blob/master/2021/2021.10.19.TA505_New_FlawedGrace)
|
||||
* Oct 19 - [[Trend Micro] PurpleFox Adds New Backdoor That Uses WebSockets](https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html) | [:closed_book:](../../blob/master/2021/2021.10.19.PurpleFox)
|
||||
|