2018.01.06.malicious-document-targets-pyeongchang-olympics

2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_IOCs_January_2015.txt

@@ -0,0 +1,125 @@
+Scieron DLL
+===========
+01c694c4ce68254edae3491c8245f839
+0ad2821d0ed826082c8adead19c0c441
+1c15767a091e32c3163390668eae8eab
+21c861900a557d3375c94a959742122f
+24a35bf10cb091eae0ab56486ff3453f
+2518be42bb0713d29b60fd08d3b5fed4
+3515daf08a5daa104a8be3169d64bef2
+4556056b0228ee6ca66cec17711b8f62
+6cffa20c14e4b6309f867f253c546fd2
+7b236dc0e3ab71d32c47f70cf9a68728
+7fa1df91016374d4b1bfb157716b2196
+97692bc24a40175a12ffbcb68ade237f
+9cd780d7349ee496639371a3ed492fe0
+ad94a29538ee89cd4eb50f7786ae3392
+b5f2cc8e8580a44a6aefc08f9776516a
+c330b6aa705b60e5bec414299b387fe1
+c630abbefb3c3503c37453ecb9bbcbb8
+cd3dc15104d22fb86b7ba436a7c9a393
+cfbc6a5407d465a125cbd52a97bd9eff
+eb7f32f9fc3aeb26d7e867a263d3d325
+eea30d5a1a83a396183d8f1d451b3b13
+f38e4bf41df736b4785f15513b3e660d
+f870a5c2360932a35aa76568a07f9c16
+fb7d2714e73b143243b7041a38a70ac8
+
+Scieron PE Dropper
+==================
+0ef2259ee73ab6c8fbb195f0b686642c
+26b13ba4aaa87615ff38ff3d04329a9a
+28395195dc75ac41e9d42f25473703f5
+3c976017a568920f27e06023781718c8
+46cb4d82ab2077b9feec587bc58c641a
+4a7b76e9610ea581268103fbfe8156a8
+66984d9371636067e9ea6ae327e2427e
+6876a99ddb8c5cc4dd4c80902a102895
+a5e144523b490722b283c70775688732
+cf08c09fcc7ca2dc9424bd703ab09550
+d6365ce1f71a8dda9e485427c8a3d680
+e5e15a46352b84541e8f9da7f26f174c
+faa1e548a846e9c91e8bb1d1c7b3d6b9
+fd4b54bb92dd5c8cd056da618894816a
+
+Exploit DOC droppers
+====================
+45b8d83f7f583156fa923583acf16fe9
+6d3c6d452cd013de459351eade91d878
+767b243a7b84d51f333c056cae5d2d67
+
+Scieron.B
+=========
+57789c4f3ba3e8f4921c6cbdc83e60cc	hidsvc.dat
+1e08a2dbbd422b546837802ef932f26c	seclog32.dll
+03f789b0b8c40e4d813ec626f32cae7c	seclog32.dll
+
+C&Cs
+====
+
+apple.dynamic-dns.net
+autocar.ServeUser.com
+blackblog.chatnook.com
+bulldog.toh.info
+cew58e.xxxy.info
+coastnews.darktech.org
+demon.4irc.com
+dynamic.ddns.mobi
+expert.4irc.com
+football.mrbasic.com
+gjjb.flnet.org
+imirnov.ddns.info
+jingnan88.chatnook.com
+lehnjb.epac.to
+logoff.25u.com
+logoff.ddns.info
+ls910329.my03.com
+mailru.25u.com
+Markshell.etowns.net
+mydear.ddns.info
+nazgul.zyns.com
+newdyndns.scieron.com
+newoutlook.darktech.org
+photocard.4irc.com
+pricetag.deaftone.com
+rubberduck.gotgeeks.com
+shutdown.25u.com
+sorry.ns2.name
+sskill.b0ne.com
+text-First.flnet.org
+uudog.4pu.com
+will-smith.dtdns.net
+www.ndcinformation.acmetoy.com
+www.service.authorizeddns.net
+www.text-first.trickip.org
+yellowblog.flnet.org
+
+Yara Signature
+
+rule Scieron
+{
+    meta:
+        author = "Symantec Security Response"
+
+    strings:
+        // .text:10002069 66 83 F8 2C                       cmp     ax, ','
+        // .text:1000206D 74 0C                             jz      short loc_1000207B
+        // .text:1000206F 66 83 F8 3B                       cmp     ax, ';'
+        // .text:10002073 74 06                             jz      short loc_1000207B
+        // .text:10002075 66 83 F8 7C                       cmp     ax, '|'
+        // .text:10002079 75 05                             jnz     short loc_10002080
+        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
+        
+        // .text:10001D83 83 F8 09                          cmp     eax, 9          ; switch 10 cases
+        // .text:10001D86 0F 87 DB 00 00 00                 ja      loc_10001E67    ; jumptable 10001D8C default case
+        // .text:10001D8C FF 24 85 55 1F 00+                jmp     ds:off_10001F55[eax*4] ; switch jump
+        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
+        
+        $str1  = "IP_PADDING_DATA" wide ascii
+        
+        $str2  = "PORT_NUM" wide ascii
+        
+    condition:
+        all of them
+}
+

README.md

@@ -14,6 +14,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 
 ## 2018
 * Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [Local](../../blob/master/2018/2018.01.09.Turla_Mosquito) 
+* Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [Local](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics) 
 * Jan 04 - [[Carnegie] Iran’s Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [Local](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie) 
 
 ## 2017
@@ -336,21 +337,21 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 * Feb 27 - [The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [Local](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
 * Feb 25 - [Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf)
 * Feb 25 - [PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/)
-* Feb 18 - [Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html)
-* Feb 18 - [Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view)
-* Feb 17 - [Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/)
-* Feb 17 - [A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/)
-* Feb 16 - [Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome)
-* Feb 16 - [The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/)
-* Feb 16 - [Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/)
-* Feb 10 - [CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf)
-* Feb 04 - [Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/)
-* Feb 02 - [Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf)
-* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html)
-* Jan 29 - [Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet)
-* Jan 27 - [Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/)
-* Jan 22 - [Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/)
-* Jan 22 - [Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt)
+* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [Local](../../blob/master/2015/2015.02.18.Babar)
+* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [Local](../../blob/master/2015/2015.02.18.Shooting_Elephants)
+* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [Local](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
+* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [Local](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
+* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | [Local](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
+* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [Local](../../blob/master/2015/2015.02.16.Carbanak.APT)
+* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [Local](../../blob/master/2015/2015.02.16.equation-the-death-star)
+* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [Local](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
+* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [Local](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
+* Feb 02 - [[FireEye] Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [Local](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
+* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [Local](../../blob/master/2015/2015.01.29.P2P_PlugX)
+* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [Local](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
+* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [Local](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
+* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [Local](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
+* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [Local](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
 * Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2015/2015.01.22.Waterbug.group)
 * Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [Local](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
 * Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [Local](../../blob/master/2015/2015.01.20.Project_Cobra)