2018.01.06.malicious-document-targets-pyeongchang-olympics
parent 049507fae5
commit a06bfedd34
@ -0,0 +1,125 @@
Scieron DLL
===========
01c694c4ce68254edae3491c8245f839
0ad2821d0ed826082c8adead19c0c441
1c15767a091e32c3163390668eae8eab
21c861900a557d3375c94a959742122f
24a35bf10cb091eae0ab56486ff3453f
2518be42bb0713d29b60fd08d3b5fed4
3515daf08a5daa104a8be3169d64bef2
4556056b0228ee6ca66cec17711b8f62
6cffa20c14e4b6309f867f253c546fd2
7b236dc0e3ab71d32c47f70cf9a68728
7fa1df91016374d4b1bfb157716b2196
97692bc24a40175a12ffbcb68ade237f
9cd780d7349ee496639371a3ed492fe0
ad94a29538ee89cd4eb50f7786ae3392
b5f2cc8e8580a44a6aefc08f9776516a
c330b6aa705b60e5bec414299b387fe1
c630abbefb3c3503c37453ecb9bbcbb8
cd3dc15104d22fb86b7ba436a7c9a393
cfbc6a5407d465a125cbd52a97bd9eff
eb7f32f9fc3aeb26d7e867a263d3d325
eea30d5a1a83a396183d8f1d451b3b13
f38e4bf41df736b4785f15513b3e660d
f870a5c2360932a35aa76568a07f9c16
fb7d2714e73b143243b7041a38a70ac8

Scieron PE Dropper
==================
0ef2259ee73ab6c8fbb195f0b686642c
26b13ba4aaa87615ff38ff3d04329a9a
28395195dc75ac41e9d42f25473703f5
3c976017a568920f27e06023781718c8
46cb4d82ab2077b9feec587bc58c641a
4a7b76e9610ea581268103fbfe8156a8
66984d9371636067e9ea6ae327e2427e
6876a99ddb8c5cc4dd4c80902a102895
a5e144523b490722b283c70775688732
cf08c09fcc7ca2dc9424bd703ab09550
d6365ce1f71a8dda9e485427c8a3d680
e5e15a46352b84541e8f9da7f26f174c
faa1e548a846e9c91e8bb1d1c7b3d6b9
fd4b54bb92dd5c8cd056da618894816a

Exploit DOC droppers
====================
45b8d83f7f583156fa923583acf16fe9
6d3c6d452cd013de459351eade91d878
767b243a7b84d51f333c056cae5d2d67

Scieron.B
=========
57789c4f3ba3e8f4921c6cbdc83e60cc hidsvc.dat
1e08a2dbbd422b546837802ef932f26c seclog32.dll
03f789b0b8c40e4d813ec626f32cae7c seclog32.dll

C&Cs
====

apple.dynamic-dns.net
autocar.ServeUser.com
blackblog.chatnook.com
bulldog.toh.info
cew58e.xxxy.info
coastnews.darktech.org
demon.4irc.com
dynamic.ddns.mobi
expert.4irc.com
football.mrbasic.com
gjjb.flnet.org
imirnov.ddns.info
jingnan88.chatnook.com
lehnjb.epac.to
logoff.25u.com
logoff.ddns.info
ls910329.my03.com
mailru.25u.com
Markshell.etowns.net
mydear.ddns.info
nazgul.zyns.com
newdyndns.scieron.com
newoutlook.darktech.org
photocard.4irc.com
pricetag.deaftone.com
rubberduck.gotgeeks.com
shutdown.25u.com
sorry.ns2.name
sskill.b0ne.com
text-First.flnet.org
uudog.4pu.com
will-smith.dtdns.net
www.ndcinformation.acmetoy.com
www.service.authorizeddns.net
www.text-first.trickip.org
yellowblog.flnet.org

Yara Signature

rule Scieron
{
meta:
author = "Symantec Security Response"

strings:
// .text:10002069 66 83 F8 2C cmp ax, ','
// .text:1000206D 74 0C jz short loc_1000207B
// .text:1000206F 66 83 F8 3B cmp ax, ';'
// .text:10002073 74 06 jz short loc_1000207B
// .text:10002075 66 83 F8 7C cmp ax, '|'
// .text:10002079 75 05 jnz short loc_10002080
$code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}

// .text:10001D83 83 F8 09 cmp eax, 9 ; switch 10 cases
// .text:10001D86 0F 87 DB 00 00 00 ja loc_10001E67 ; jumptable 10001D8C default case
// .text:10001D8C FF 24 85 55 1F 00+ jmp ds:off_10001F55[eax*4] ; switch jump
$code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}

$str1 = "IP_PADDING_DATA" wide ascii

$str2 = "PORT_NUM" wide ascii

condition:
all of them
}

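Review bot: this new IOC file carries no provenance line, so nothing in it says which report the hashes, C&C hostnames and YARA rule were taken from; the only hint is `author = "Symantec Security Response"` in the rule's meta block, while the README hunk in this same commit links Symantec's `Scarab_IOCs_January_2015.txt` beside the Jan 22 Scarab entry. Suggest a first line naming the source report and its URL so the file stays usable once separated from the repository index. In the same spirit, the rule's `meta:` block would benefit from `description`, `reference` and `date` fields next to `author`, so that `rule Scieron` remains self-describing when merged into a larger ruleset. Finally, the C&Cs section lists the hostnames live rather than defanged (for example `apple[.]dynamic-dns[.]net`); ingestion tooling and mail clients tend to turn the live form into clickable links, which is not what an IOC sheet wants.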
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
31 README.md
@ -14,6 +14,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
## 2018
* Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [Local](../../blob/master/2018/2018.01.09.Turla_Mosquito)
* Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [Local](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics)
* Jan 04 - [[Carnegie] Iran’s Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [Local](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie)

## 2017

@ -336,21 +337,21 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
* Feb 27 - [The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [Local](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
* Feb 25 - [Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf)
* Feb 25 - [PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/)
* Feb 18 - [Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html)
* Feb 18 - [Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view)
* Feb 17 - [Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/)
* Feb 17 - [A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/)
* Feb 16 - [Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome)
* Feb 16 - [The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/)
* Feb 16 - [Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/)
* Feb 10 - [CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf)
* Feb 04 - [Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/)
* Feb 02 - [Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html)
* Jan 29 - [Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet)
* Jan 27 - [Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/)
* Jan 22 - [Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/)
* Jan 22 - [Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt)
* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [Local](../../blob/master/2015/2015.02.18.Babar)
* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [Local](../../blob/master/2015/2015.02.18.Shooting_Elephants)
* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [Local](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [Local](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | [Local](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [Local](../../blob/master/2015/2015.02.16.Carbanak.APT)
* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [Local](../../blob/master/2015/2015.02.16.equation-the-death-star)
* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [Local](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [Local](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
* Feb 02 - [[FireEye] Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [Local](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [Local](../../blob/master/2015/2015.01.29.P2P_PlugX)
* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [Local](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [Local](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [Local](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [Local](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
* Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2015/2015.01.22.Waterbug.group)
* Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [Local](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
* Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [Local](../../blob/master/2015/2015.01.20.Project_Cobra)
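Review bot: two small style points in the rewritten 2015 entries, worth fixing while these lines are already being touched. The JPCERT entry keeps a trailing space inside its link text, `[[JPCERT] Analysis of PlugX Variant - P2P PlugX ]`, in both the old and the new line; dropping it keeps the rendered title from ending in a stray space. The new local path `2015.02.16.Carbanak.APT` uses a dot where the neighbouring directories use underscores (`2015.02.16.Operation_Arid_Viper`, `2015.02.17.Desert_Falcons_APT`); since the directory name is set in this commit, now is the cheap moment to align it with the rest of the index.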