diff --git a/2017/2017.06.26.Threat_Group-4127/threat-group-4127-targets-google-accounts.pdf b/2017/2017.06.26.Threat_Group-4127/threat-group-4127-targets-google-accounts.pdf
new file mode 100644
index 0000000..88d9b71
Binary files /dev/null and b/2017/2017.06.26.Threat_Group-4127/threat-group-4127-targets-google-accounts.pdf differ
diff --git a/2017/2017.11.02.KeyBoys_are_back/Appendix_A_IoC.txt b/2017/2017.11.02.KeyBoys_are_back/Appendix_A_IoC.txt
new file mode 100644
index 0000000..224c915
--- /dev/null
+++ b/2017/2017.11.02.KeyBoys_are_back/Appendix_A_IoC.txt
@@ -0,0 +1,75 @@
+Indicators
+Indicator Type
+101.200.135.85 IP address
+103.215.81.196 IP address
+103.215.83.193 IP address
+103.86.86.177 IP address
+118.163.165.20 IP address
+142.4.34.92 IP address
+144.48.8.68 IP address
+174.139.29.6 IP address
+180.101.75.169 IP address
+213.183.51.187 IP address
+23.234.27.100 IP address
+27.126.186.74 IP address
+47.89.58.141 IP address
+http://213.183.51[.]187/debug.dll URI
+dumblamb.zzux.com Domain
+foxsay.mefound.com Domain
+greentree.yourtrap.com Domain
+kawayi.zzux.com Domain
+mianliu.party Domain
+mianliu.video Domain
+mir2dun.cn Domain
+weblogic.ddns.mobi Domain
+weblogic.xxuz.com Domain
+weblogic1709.justdied.com Domain
+weblogic1709.my03.com Domain
+weblogic1709.zzux.com Domain
+weblogic727.2waky.com Domain
+weblogic727.dumb1.com Domain
+www.yierzhi.com Domain
+xiaomayun.online Domain
+yunmian.loan Domain
+yunmian.party Domain
+yunmian.video Domain
+yunnian.online Domain
+yunnian.top Domain
+657603405@qq.com Email address
+sensr9.dat Filename
+sensr3.dat Filename
+netis9.tsp Filename
+netis3.tsp Filename
+52d11a0a5142f0b37aa2d288321ba099 Hash (MD5)
+581ddf0208038a90f8bc2cdc75833425 Hash (MD5)
+64b2ac701a0d67da134e13b2efc46900 Hash (MD5)
+1dbbdd99cb8d7089ab31efb5dcf09706 Hash (MD5)
+7aea7486e3a7a839f49ebc61f1680ba3 Hash (MD5)
+a55b0c98ac3965067d0270a95e60e87e Hash (MD5)
+7d39cef34bdc751e9cf9d46d2f0bef95 Hash (MD5)
+5708e0320879de6f9ac928046b1e4f4e Hash (MD5)
+a6903d93f9d6f328bcfe3e196fd8c78b Hash (MD5)
+292843976600e8ad2130224d70356bfc Hash (MD5)
+2e04cdf98aead9dd9a5210d7e601cca7 Hash (MD5)
+cf6f333f99ee6342d6735ac2f6a37c1e Hash (MD5)
+ac9b8c82651eafff9a3bbe7c69d69447 Hash (MD5)
+29e44cfa7bcde079e9c7afb23ca8ef86 Hash (MD5)
+d6ddecdb823de235dd650c0f7a2f3d8f Hash (MD5)
+42c63de7dac16366dfea14fa9ddac3cd Hash (MD5)
+f21e3b927d269b0622d94c55db9d2808758379aa413c10971fa745cd6e0503c0 Hash (SHA-256)
+f15d2e9deaeb495fe8a62c05993b9f69bf07331910ed2483e1bab7d31d30231b Hash (SHA-256)
+f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92 Hash (SHA-256)
+750f4a9ae44438bf053ffb344b959000ea624d1964306e4b3806250f4de94bc8 Hash (SHA-256)
+12dfb83a3866c93cd1c08652ed0a16a492777355985a973ef50973896795eb34 Hash (SHA-256)
+5d0aef905c9f8f74bb82eba89c11ec5b27d35e560b5cacf81087fca0775a8bfa Hash (SHA-256)
+b4535aa71da630992392c3c202d59274ce49a3fe4f1ac01d7434f1dceeda47e5 Hash (SHA-256)
+34f740e5d845710ede1d942560f503e117600bcc7c5c17e03c09bfc66556196c Hash (SHA-256)
+a6e9951583073ab2598680b17b8b99bab280d6dca86906243bafaf3febdf1565 Hash (SHA-256)
+d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e Hash (SHA-256)
+b5782f67054df36c49d9394c12c8bbbca69bfd0f9ccdcf934bc402c6881eca66 Hash (SHA-256)
+1d716cee0f318ee14d7c3b946a4626a1afe6bb47f69668065e00e099be362e22 Hash (SHA-256)
+0f9a7efcd3a2b1441834dae7b43cd8d48b4fc1daeb2c081f908ac5a1369de753 Hash (SHA-256)
+97fa07a035f7b9ad9cc5c7fd3a5df4b8692e748ca5c40067446632f9a3c25952 Hash (SHA-256)
+fc84856814307a475300d2a44e8d15635dedd02dc09a088a47d1db03bc309925 Hash (SHA-256)
+842cb2bed58459445cd4c6f22acf4b6f77f8b93c9ce202aa54539c1d2b0d45c1 Hash (SHA-256)
+
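Review bot: The network indicators are not defanged consistently: the URI line is written `213.183.51[.]187` while the IP line for the same host and every domain are left in live form, so a consumer that strips `[.]` will treat the URI differently from the rest and a reader copying the list gets a mix of safe and clickable values. Either defang all network indicators the same way (e.g. `213.183.51[.]187 IP address`, `dumblamb.zzux[.]com Domain`) or leave all of them raw and say so in the header. The two-column layout also uses a plain space as separator while the type column itself contains spaces (`IP address`, `Hash (MD5)`), so a naive split on whitespace yields three or four fields; a tab or CSV separator (`101.200.135.85,IP address`) would make the file machine-readable without ambiguity.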
@@ -0,0 +1,4 @@
+Embedded SSL certificate
+-----BEGIN CERTIFICATE-----
+MIID0TCCArmgAwIBAgIJALFGobpzN5MdMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxDDAKBgNVBAoMA1NTVDEP MA0GA1UECwwGSmVzc01BMRcwFQYDVQQDDA53d3cuamVzc21hLm9yZzEeMBwGCSqG SIb3DQEJARYPbGRjc2FhQDIxY24uY29tMB4XDTE2MDQwMTE1MDIwMFoXDTI0MDYx ODE1MDIwMFowfzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdEMQswCQYDVQQHDAJH WjEMMAoGA1UECgwDU1NUMQ8wDQYDVQQLDAZKZXNzTUExFzAVBgNVBAMMDnd3dy5q ZXNzbWEub3JnMR4wHAYJKoZIhvcNAQkBFg9sZGNzYWFAMjFjbi5jb20wggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDht6llexLtFkV8ijjdJGaHXXQysWOJ UM/YQFYP52nviurJSpMbWSXnuaDlfidk76B66Np5mlnN5BiHqbBj34GCVKz5VQtx 3kMY1y30YWyiHAEZiV3PLQc8/A9MnJM/q/mHaulmTuJi8A85TWadqUNXgiaIMkqz bKaauR1/GCxXuEVroqtyR99RCWhfakTz04KfIbt83QR0imWC6uhmvD/DXJ03XFzd XkK5aNp+ef1sBQgFKjeXV6EMuq+UgEDPXlCDUJAqsZt6W/ohrCAHWQYZ/RSvvaMJ O7aWROGAC/lh6ATOIbFlGVppw6zUGdIDkB5FVF1MC7CyDndncFrY+OJzAgMBAAGj UDBOMB0GA1UdDgQWBBT8fu6QFIfxlQvMWjl5pmfBjL6ciDAfBgNVHSMEGDAWgBT8 fu6QFIfxlQvMWjl5pmfBjL6ciDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA A4IBAQDI+f6GMBJxRJNKrgbUYLD1U6LWEQJQ50g2NxGy0j+TL6oypoo/kyME3tOR EmXEDzytGcSaQ78xYcg97UQd8OhXYQr0qwZ/JLarmhCVK/bfbGTIn4Mk4ZgDqcOU 46jsJeEZwUSrrq7svKO5d7+wV0VGPO+Ww4yzRCPwm2puXFY1+KpTxYX31+wwMB8p 7GuJEDgV08qzLfcBAfSFFYiOHL3tJ+XNKFNRqigjeYrWuAMphOhpYfYnU0d0upe8 wWx9Unm8qSkc7hiS/vvs1v7Pv1sqMFRBoaKOTqZ7Wz/5AySGPQjeMV/atmArDEkx z58OEgTzg1J/Keztxwj7I2KnYHyH
+-----END CERTIFICATE-----
diff --git a/2017/2017.11.02.KeyBoys_are_back/The KeyBoys are back in town.pdf b/2017/2017.11.02.KeyBoys_are_back/The KeyBoys are back in town.pdf
new file mode 100644
index 0000000..654396f
Binary files /dev/null and b/2017/2017.11.02.KeyBoys_are_back/The KeyBoys are back in town.pdf differ
diff --git a/README.md b/README.md
index f81646b..3270919 100644
--- a/README.md
+++ b/README.md
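Review bot: The certificate body is committed as one line of space-separated 64-character groups (the hunk header counts four lines for the whole file), so strict PEM readers that expect newline-delimited base64 may reject it; rewrapping each group onto its own line between the BEGIN and END markers would let `openssl x509 -in Appendix_B.txt -noout -text -fingerprint` read the file directly and give analysts a fingerprint to match on. The subject and issuer fields decode to the same C=CN, O=SST, OU=JessMA, CN=www.jessma.org, emailAddress=ldcsaa@21cn.com with basicConstraints CA:TRUE, which looks like a self-signed sample certificate and appears to match the sample certificate bundled with the public HP-Socket/JessMA networking library, so a match on this certificate alone is a weak indicator that can fire on benign software built with that library. It would be worth adding a line after the title such as `Note: self-signed; subject/issuer appear to match a public library sample certificate — corroborate with the Appendix A hashes or C2 indicators before alerting on it.`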
@@ -45,7 +45,8 @@ Please fire issue to me if any lost of APT/Malware events/campaigns.
 * Jul 05 - [[Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | [Local](../../blob/master/2017/2017.07.05.insider-information)
 * Jun 30 - [[ESET] TeleBots are back: supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/) | [Local](../../blob/master/2017/2017.06.30.telebots-back-supply-chain)
 * Jun 30 - [[Kaspersky] From BlackEnergy to ExPetr](https://securelist.com/from-blackenergy-to-expetr/78937/) | [Local](../../blob/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr)
-* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/) | [Local](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
+* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts]() | [Local](../../blob/master/2017/2017.06.26.Threat_Group-4127)
+* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [Local](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
 * Jun 22 - [[Trend Micro] Following the Trail of BlackTech’s Cyber Espionage Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) | [Local](../../blob/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns)
 * Jun 19 - [[root9B] SHELLTEA + POSLURP MALWARE: memory resident point-of-sale malware attacks industry](https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf) | [Local](../../blob/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE)
 * Jun 15 - [[Recorded Future] North Korea Is Not Crazy](https://www.recordedfuture.com/north-korea-cyber-activity/) | [Local](../../blob/master/2017/2017.06.15.north-korea-cyber-activity)
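Review bot: The two added lines have their source URLs crossed: the new "Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts]" entry has an empty link target `()`, while the secureworks.com URL for that report has been pasted onto the re-added OceanLotus line, replacing the Palo Alto Networks URL that the removed line still shows, so the index now points readers at the wrong vendor's report for OceanLotus and at nothing for TG-4127. The fix is to move the URL back: `* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [Local](../../blob/master/2017/2017.06.26.Threat_Group-4127)` and `* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/) | [Local](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)`. Since the report is published on secureworks.com, the attribution tag may also be better written as `[SecureWorks]` to match how the link resolves, though that is a naming choice for the index maintainer.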