Merge pull request #76 from jgru/2021.10.19.LightBasin_UNC1945

Add CrowdStrike's report on UNC1945/LightBasin
2024-06-28 09:51:38 +00:00 · 2021-10-31 21:28:26 +08:00 · 2021-10-31 21:28:26 +08:00 · 0d8476a02e
commit 0d8476a02e
parent b2a8371de3 42c744e49d
4 changed files with 157 additions and 0 deletions
--- a/2021/2021.10.19.UNC1945_LightBasin/IOCs/indicators.csv
+++ b/2021/2021.10.19.UNC1945_LightBasin/IOCs/indicators.csv
@ -0,0 +1,24 @@
+Indicator,SHA256 Hashes,Description
+/usr/local/sbin/iptables, 97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb, Trojanized iptables binary that replaced legitimate version
+/usr/bin/pingg,e9c0f00c34dcd28fc3cc53c9496bff863b81b06723145e106ab7016c66581f72 4668561d60daeb7a4a50a9c3e210a4343f92cadbf2d52caab5684440da6bf562,PingPong Implant
+/usr/lib/om_proc,3a259ad7e5c19a782f7736b5ac50aac4ba4d03b921ffc6a3ff6a48d720f02012 65143ccb5a955a22d6004033d073ecb49eba9227237a46929495246e36eff8e1,Microsocks Proxy
+/usr/lib/frpc,05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006 16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2,Fast Reverse Proxy
+/usr/lib/frpc.ini,N/A,Fast Reverse Proxy Configuration
+/usr/lib/cord.lib /usr/lib/libcord.so /usr/bin/libcord.so,6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0 c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d 9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc 4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181 ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689,CordScan – Telecommunications Scanning Utility
+/home/REDACTED/cordscan_raw_arm,cdf230a7e05c725a98ce95ad8f3e2155082d5a6b1e839c2b2653c3754f06c2e7,CordScan – Telecommunications Scanning Utility (ARM Architecture)
+/usr/lib/javacee,917495c2fd919d4d4baa2f8a3791bcfd58d605ee457a81feb52bc65eb706fd62,SIGTRANslator
+/usr/lib/sgsnemu /usr/bin/sgsnemu /usr/lib/sgsnemu_bak,bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8 78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6,SGSN Emulator
+/usr/lib/tshd,a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3,TinyShell
+/home/REDACTED/win7_exp/proxychains.conf /usr/lib/win7_exp/proxychains.conf,N/A,ProxyChains Configuration
+/var/tmp/.font-unix,N/A,SLAPSTICK Credential Output File
+/usr/local/sbin/iptables,97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb,Trojanized Iptables
+/usr/sbin/iptablesDir/ /sbin/iptablesDir/,N/A,Threat Actor-created directories containing legitimate copies of iptables utilities following installation of trojanized version
+45.76.215.0/24,N/A,Vultr IP range used by LightBasin
+167.179.91.0/24,N/A,Vultr IP range used by LightBasin
+45.32.116.0/24,N/A,Vultr IP range used by LightBasin
+207.148.24.0/24,N/A,Vultr IP range used by LightBasin
+172.104.79.0/24,N/A,Linode IP range used by LightBasin
+45.33.77.0/24,N/A,Linode IP range used by LightBasin
+139.162.156.0/24,N/A,Linode IP range used by LightBasin
+172.104.236.0/24,N/A,Linode IP range used by LightBasin
+172.104.129.0/24,N/A,Linode IP range used by LightBasin
--- a/2021/2021.10.19.UNC1945_LightBasin/IOCs/indicators.json
+++ b/2021/2021.10.19.UNC1945_LightBasin/IOCs/indicators.json
@ -0,0 +1,132 @@
+[
+    {
+        "/usr/local/sbin/iptables": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "/usr/bin/pingg": [
+            "e9c0f00c34dcd28fc3cc53c9496bff863b81b06723145e106ab7016c66581f72",
+            "4668561d60daeb7a4a50a9c3e210a4343f92cadbf2d52caab5684440da6bf562"
+        ]
+    },
+    {
+        "/usr/lib/om_proc": [
+            "3a259ad7e5c19a782f7736b5ac50aac4ba4d03b921ffc6a3ff6a48d720f02012",
+            "65143ccb5a955a22d6004033d073ecb49eba9227237a46929495246e36eff8e1"
+        ]
+    },
+    {
+        "/usr/lib/frpc": [
+            "05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006",
+            "16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2"
+        ]
+    },
+    {
+        "/usr/lib/frpc.ini": [
+            "05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006",
+            "16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2"
+        ]
+    },
+    {
+        "/usr/lib/cord.lib": [
+            "6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0",
+            "c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d",
+            "9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc",
+            "4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181",
+            "ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689"
+        ]
+    },
+    {
+        "/usr/lib/libcord.so": [
+            "6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0",
+            "c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d",
+            "9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc",
+            "4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181",
+            "ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689"
+        ]
+    },
+    {
+        "/usr/bin/libcord.so": [
+            "6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0",
+            "c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d",
+            "9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc",
+            "4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181",
+            "ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689"
+        ]
+    },
+    {
+        "/home/REDACTED/cordscan_raw_arm": "cdf230a7e05c725a98ce95ad8f3e2155082d5a6b1e839c2b2653c3754f06c2e7"
+    },
+    {
+        "/usr/lib/javacee": "917495c2fd919d4d4baa2f8a3791bcfd58d605ee457a81feb52bc65eb706fd62"
+    },
+    {
+        "/usr/lib/sgsnemu": [
+            "bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8",
+            "78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c",
+            "b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6"
+        ]
+    },
+    {
+        "/usr/bin/sgsnemu": [
+            "bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8",
+            "78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c",
+            "b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6"
+        ]
+    },
+    {
+        "/usr/lib/sgsnemu_bak": [
+            "bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8",
+            "78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c",
+            "b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6"
+        ]
+    },
+    {
+        "/usr/lib/tshd": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+    },
+    {
+        "/home/REDACTED/win7_exp/proxychains.conf": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+    },
+    {
+        "/usr/lib/win7_exp/proxychains.conf": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+    },
+    {
+        "/var/tmp/.font-unix": "a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3"
+    },
+    {
+        "/usr/local/sbin/iptables": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "/usr/sbin/iptablesDir/": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "/sbin/iptablesDir/": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "45.76.215.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "167.179.91.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "45.32.116.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "207.148.24.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "172.104.79.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "45.33.77.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "139.162.156.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "172.104.236.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    },
+    {
+        "172.104.129.0/24": "97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb"
+    }
+]
+
--- a/2021/2021.10.19.UNC1945_LightBasin/LightBasin_A-Roaming-Threat-to-Telecommunications-Companies_CrowdStrike.pdf
+++ b/2021/2021.10.19.UNC1945_LightBasin/LightBasin_A-Roaming-Threat-to-Telecommunications-Companies_CrowdStrike.pdf
--- a/README.md
+++ b/README.md
@ -28,6 +28,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 :small_blue_diamond: [vx-underground](https://vx-underground.org/apts.html) <br>

 ## 2021
+* Oct 19 - [[CrowdStrike] LightBasin: A Roaming Threat to Telecommunications Companies](https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/) | [:closed_book:](../../blob/master/2021/021.10.19.UNC1945_LightBasin)
 * Oct 26 - [[JPCERT] Malware WinDealer used by LuoYu Attack Group](https://blogs.jpcert.or.jp/en/2021/10/windealer.html) | [:closed_book:](../../blob/master/2021/2021.10.26.WinDealer_LuoYu_Group)
 * Oct 19 - [[Proofpoint] Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant](https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant) | [:closed_book:](../../blob/master/2021/2021.10.19.TA505_New_FlawedGrace)
 * Oct 19 - [[Trend Micro] PurpleFox Adds New Backdoor That Uses WebSockets](https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html) | [:closed_book:](../../blob/master/2021/2021.10.19.PurpleFox)