diff --git a/2015/Regin_Hopscotch_Legspin.pdf b/2015/2015.01.22.Regin_Hopscotch_and_Legspin/Regin_Hopscotch_Legspin.pdf
similarity index 100%
rename from 2015/Regin_Hopscotch_Legspin.pdf
rename to 2015/2015.01.22.Regin_Hopscotch_and_Legspin/Regin_Hopscotch_Legspin.pdf
diff --git a/2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_IOCs_January_2015.txt b/2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_IOCs_January_2015.txt
new file mode 100644
index 0000000..b31e23d
--- /dev/null
+++ b/2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_IOCs_January_2015.txt
@@ -0,0 +1,125 @@
+Scieron DLL
+===========
+01c694c4ce68254edae3491c8245f839
+0ad2821d0ed826082c8adead19c0c441
+1c15767a091e32c3163390668eae8eab
+21c861900a557d3375c94a959742122f
+24a35bf10cb091eae0ab56486ff3453f
+2518be42bb0713d29b60fd08d3b5fed4
+3515daf08a5daa104a8be3169d64bef2
+4556056b0228ee6ca66cec17711b8f62
+6cffa20c14e4b6309f867f253c546fd2
+7b236dc0e3ab71d32c47f70cf9a68728
+7fa1df91016374d4b1bfb157716b2196
+97692bc24a40175a12ffbcb68ade237f
+9cd780d7349ee496639371a3ed492fe0
+ad94a29538ee89cd4eb50f7786ae3392
+b5f2cc8e8580a44a6aefc08f9776516a
+c330b6aa705b60e5bec414299b387fe1
+c630abbefb3c3503c37453ecb9bbcbb8
+cd3dc15104d22fb86b7ba436a7c9a393
+cfbc6a5407d465a125cbd52a97bd9eff
+eb7f32f9fc3aeb26d7e867a263d3d325
+eea30d5a1a83a396183d8f1d451b3b13
+f38e4bf41df736b4785f15513b3e660d
+f870a5c2360932a35aa76568a07f9c16
+fb7d2714e73b143243b7041a38a70ac8
+
+Scieron PE Dropper
+==================
+0ef2259ee73ab6c8fbb195f0b686642c
+26b13ba4aaa87615ff38ff3d04329a9a
+28395195dc75ac41e9d42f25473703f5
+3c976017a568920f27e06023781718c8
+46cb4d82ab2077b9feec587bc58c641a
+4a7b76e9610ea581268103fbfe8156a8
+66984d9371636067e9ea6ae327e2427e
+6876a99ddb8c5cc4dd4c80902a102895
+a5e144523b490722b283c70775688732
+cf08c09fcc7ca2dc9424bd703ab09550
+d6365ce1f71a8dda9e485427c8a3d680
+e5e15a46352b84541e8f9da7f26f174c
+faa1e548a846e9c91e8bb1d1c7b3d6b9
+fd4b54bb92dd5c8cd056da618894816a
+
+Exploit DOC droppers
+====================
+45b8d83f7f583156fa923583acf16fe9
+6d3c6d452cd013de459351eade91d878
+767b243a7b84d51f333c056cae5d2d67
+
+Scieron.B
+=========
+57789c4f3ba3e8f4921c6cbdc83e60cc hidsvc.dat
+1e08a2dbbd422b546837802ef932f26c seclog32.dll
+03f789b0b8c40e4d813ec626f32cae7c seclog32.dll
+
+C&Cs
+====
+
+apple.dynamic-dns.net
+autocar.ServeUser.com
+blackblog.chatnook.com
+bulldog.toh.info
+cew58e.xxxy.info
+coastnews.darktech.org
+demon.4irc.com
+dynamic.ddns.mobi
+expert.4irc.com
+football.mrbasic.com
+gjjb.flnet.org
+imirnov.ddns.info
+jingnan88.chatnook.com
+lehnjb.epac.to
+logoff.25u.com
+logoff.ddns.info
+ls910329.my03.com
+mailru.25u.com
+Markshell.etowns.net
+mydear.ddns.info
+nazgul.zyns.com
+newdyndns.scieron.com
+newoutlook.darktech.org
+photocard.4irc.com
+pricetag.deaftone.com
+rubberduck.gotgeeks.com
+shutdown.25u.com
+sorry.ns2.name
+sskill.b0ne.com
+text-First.flnet.org
+uudog.4pu.com
+will-smith.dtdns.net
+www.ndcinformation.acmetoy.com
+www.service.authorizeddns.net
+www.text-first.trickip.org
+yellowblog.flnet.org
+
+Yara Signature
+
+rule Scieron
+{
+ meta:
+ author = "Symantec Security Response"
+
+ strings:
+ // .text:10002069 66 83 F8 2C cmp ax, ','
+ // .text:1000206D 74 0C jz short loc_1000207B
+ // .text:1000206F 66 83 F8 3B cmp ax, ';'
+ // .text:10002073 74 06 jz short loc_1000207B
+ // .text:10002075 66 83 F8 7C cmp ax, '|'
+ // .text:10002079 75 05 jnz short loc_10002080
+ $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
+
+ // .text:10001D83 83 F8 09 cmp eax, 9 ; switch 10 cases
+ // .text:10001D86 0F 87 DB 00 00 00 ja loc_10001E67 ; jumptable 10001D8C default case
+ // .text:10001D8C FF 24 85 55 1F 00+ jmp ds:off_10001F55[eax*4] ; switch jump
+ $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
+
+ $str1 = "IP_PADDING_DATA" wide ascii
+
+ $str2 = "PORT_NUM" wide ascii
+
+ condition:
+ all of them
+}
+
diff --git a/2015/Scarab_Russian.pdf b/2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_Russian.pdf
similarity index 100%
rename from 2015/Scarab_Russian.pdf
rename to 2015/2015.01.22.Scarab_attackers_Russian_targets/Scarab_Russian.pdf
diff --git a/2015/2015.01.27.QWERTY_keylog_Regin_compare/Comparing_Regin_Qwerty.pdf b/2015/2015.01.27.QWERTY_keylog_Regin_compare/Comparing_Regin_Qwerty.pdf
new file mode 100644
index 0000000..da104b6
Binary files /dev/null and b/2015/2015.01.27.QWERTY_keylog_Regin_compare/Comparing_Regin_Qwerty.pdf differ
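Review bot: The hash sections (`Scieron DLL`, `Scieron PE Dropper`, `Exploit DOC droppers`, `Scieron.B`) never state which digest they contain; the 32-hex-character values look like MD5, but an analyst importing this file into a TI platform has to guess, so one line such as `All hashes are MD5` under the first heading would remove the ambiguity. Two C&C entries, `Markshell.etowns.net` and `text-First.flnet.org`, are mixed case while the rest are lower case; DNS is case-insensitive but many IOC matchers are not, so normalising them to lower case avoids silent misses. Nearly every C&C name is a sub-domain of a dynamic-DNS provider (`ddns.info`, `4irc.com`, `25u.com`, `flnet.org`, …), which is worth saying explicitly in a comment above the list so nobody blocks or sinkholes the parent zone and breaks legitimate users. The YARA `meta` block carries only `author`; adding `reference` and `date` fields pointing at the Symantec write-up this file accompanies would help later triage.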
diff --git a/2015/Backdoor.Winnti_Trojan.Skelky.pdf b/2015/2015.01.29.Backdoor.Winnti_attackers/Backdoor.Winnti_Trojan.Skelky.pdf
similarity index 100%
rename from 2015/Backdoor.Winnti_Trojan.Skelky.pdf
rename to 2015/2015.01.29.Backdoor.Winnti_attackers/Backdoor.Winnti_Trojan.Skelky.pdf
diff --git a/2015/P2P_PlugX_Analysis.pdf b/2015/2015.01.29.P2P_PlugX/P2P_PlugX_Analysis.pdf
similarity index 100%
rename from 2015/P2P_PlugX_Analysis.pdf
rename to 2015/2015.01.29.P2P_PlugX/P2P_PlugX_Analysis.pdf
diff --git a/2015/rpt-behind-the-syria-conflict.pdf b/2015/2015.02.02.behind-the-syria-conflict/rpt-behind-the-syria-conflict.pdf
similarity index 100%
rename from 2015/rpt-behind-the-syria-conflict.pdf
rename to 2015/2015.02.02.behind-the-syria-conflict/rpt-behind-the-syria-conflict.pdf
diff --git a/2015/PawnStorm_iOS.pdf b/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage/PawnStorm_iOS.pdf
similarity index 100%
rename from 2015/PawnStorm_iOS.pdf
rename to 2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage/PawnStorm_iOS.pdf
diff --git a/2015/GlobalThreatIntelReport.pdf b/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014/GlobalThreatIntelReport.pdf
similarity index 100%
rename from 2015/GlobalThreatIntelReport.pdf
rename to 2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014/GlobalThreatIntelReport.pdf
diff --git a/2015/Carbanak_APT_eng.pdf b/2015/2015.02.16.Carbanak.APT/Carbanak_APT_eng.pdf
similarity index 100%
rename from 2015/Carbanak_APT_eng.pdf
rename to 2015/2015.02.16.Carbanak.APT/Carbanak_APT_eng.pdf
diff --git a/2015/operation-arid-viper-whitepaper-en.pdf b/2015/2015.02.16.Operation_Arid_Viper/operation-arid-viper-whitepaper-en.pdf
similarity index 100%
rename from 2015/operation-arid-viper-whitepaper-en.pdf
rename to 2015/2015.02.16.Operation_Arid_Viper/operation-arid-viper-whitepaper-en.pdf
diff --git a/2015/Equation_group_questions_and_answers.pdf b/2015/2015.02.16.equation-the-death-star/Equation_group_questions_and_answers.pdf
similarity index 100%
rename from 2015/Equation_group_questions_and_answers.pdf
rename to 2015/2015.02.16.equation-the-death-star/Equation_group_questions_and_answers.pdf
diff --git a/2015/2015.02.16.equation-the-death-star/blog_equation-the-death-star.pdf b/2015/2015.02.16.equation-the-death-star/blog_equation-the-death-star.pdf
new file mode 100644
index 0000000..bc7be10
Binary files /dev/null and b/2015/2015.02.16.equation-the-death-star/blog_equation-the-death-star.pdf differ
diff --git a/2015/2015.02.17.A_Fanny_Equation/A_Fanny_Equation.pdf b/2015/2015.02.17.A_Fanny_Equation/A_Fanny_Equation.pdf
new file mode 100644
index 0000000..31cd8ff
Binary files /dev/null and b/2015/2015.02.17.A_Fanny_Equation/A_Fanny_Equation.pdf differ
diff --git a/2015/The-Desert-Falcons-targeted-attacks.pdf b/2015/2015.02.17.Desert_Falcons_APT/The-Desert-Falcons-targeted-attacks.pdf
similarity index 100%
rename from 2015/The-Desert-Falcons-targeted-attacks.pdf
rename to 2015/2015.02.17.Desert_Falcons_APT/The-Desert-Falcons-targeted-attacks.pdf
diff --git a/2015/2015.02.18.Babar/24270-babar-espionage-software-finally-found-and-put-under-the-microscope.pdf b/2015/2015.02.18.Babar/24270-babar-espionage-software-finally-found-and-put-under-the-microscope.pdf
new file mode 100644
index 0000000..e1b496a
Binary files /dev/null and b/2015/2015.02.18.Babar/24270-babar-espionage-software-finally-found-and-put-under-the-microscope.pdf differ
diff --git a/2015/Elephantosis.pdf b/2015/2015.02.18.Shooting_Elephants/Elephantosis.pdf
similarity index 100%
rename from 2015/Elephantosis.pdf
rename to 2015/2015.02.18.Shooting_Elephants/Elephantosis.pdf
diff --git a/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics/Malicious Document Targets Pyeongchang Olympics _ McAfee Blogs.pdf b/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics/Malicious Document Targets Pyeongchang Olympics _ McAfee Blogs.pdf
new file mode 100644
index 0000000..0776789
Binary files /dev/null and b/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics/Malicious Document Targets Pyeongchang Olympics _ McAfee Blogs.pdf differ
diff --git a/README.md b/README.md
index 3f6ea86..9a5deee 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 ## 2018
 * Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [Local](../../blob/master/2018/2018.01.09.Turla_Mosquito)
+* Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [Local](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics)
 * Jan 04 - [[Carnegie] Iran’s Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [Local](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie)
 ## 2017
@@ -336,21 +337,21 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 * Feb 27 - [The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [Local](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
 * Feb 25 - [Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf)
 * Feb 25 - [PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/)
-* Feb 18 - [Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html)
-* Feb 18 - [Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view)
-* Feb 17 - [Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/)
-* Feb 17 - [A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/)
-* Feb 16 - [Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome)
-* Feb 16 - [The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/)
-* Feb 16 - [Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/)
-* Feb 10 - [CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf)
-* Feb 04 - [Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/)
-* Feb 02 - [Behind the Syrian Conflict’s Digital 
Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf)
-* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html)
-* Jan 29 - [Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet)
-* Jan 27 - [Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/)
-* Jan 22 - [Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/)
-* Jan 22 - [Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt)
+* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [Local](../../blob/master/2015/2015.02.18.Babar)
+* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [Local](../../blob/master/2015/2015.02.18.Shooting_Elephants)
+* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [Local](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
+* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [Local](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
+* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | 
[Local](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
+* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [Local](../../blob/master/2015/2015.02.16.Carbanak.APT)
+* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [Local](../../blob/master/2015/2015.02.16.equation-the-death-star)
+* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [Local](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
+* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [Local](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
+* Feb 02 - [[FireEye] Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [Local](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
+* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [Local](../../blob/master/2015/2015.01.29.P2P_PlugX)
+* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [Local](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
+* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [Local](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
+* Jan 22 - [[Kaspersky] Regin's Hopscotch and 
Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [Local](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
+* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [Local](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
 * Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2015/2015.01.22.Waterbug.group)
 * Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [Local](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
 * Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [Local](../../blob/master/2015/2015.01.20.Project_Cobra)