Targeted Malware
Scooped by Cyberwoodpecker
Carnal0wnage & Attack Research Blog: More on APTSim

From the site author...

We analyzed some samples and activity from a group of APT actors that we call "UPS". The typical UPS attack performed the following activities (this information was compiled from IR activity and shared data from other victims):

-Generate a particularly timed beacon that communicates over HTTP

-Drop the command-line Chinese-language version of WinRAR on the target

-Replace Sticky Keys with cmd.exe for persistence and access via RDP

-Turn on RDP if it's not already enabled

-Index and archive all Office documents, compress and encrypt them with RAR and a specific password, and store them in the Recycle Bin

-Enable the support_388945a0 account and add it to the local admin group

-Exfiltrate the data encoded over port 443 (but not SSL)

-Set up an insecure service for persistence / privilege escalation

Cyberwoodpecker's insight:

Inspired by the recent FireEye blog sparked by CVE-2014-1776 and a reference to Pirpi, I stumbled across this nugget regarding UPS: the same name I've used to refer to this actor or group. I too have seen several of these techniques used heavily when this group attacks. I also noted that this post is dated Friday, September 21, 2012, which is several years after my first encounters with this actor.
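The UPS checklist quoted above maps almost one-for-one onto host artifacts a responder can look for. The following PowerShell triage script is an added example, not code from the Carnal0wnage post or from Cyberwoodpecker: it checks a Windows host for the Sticky Keys backdoor (sethc.exe replaced by cmd.exe or redirected through an IFEO Debugger value), RDP being enabled, the support_388945a0 account being enabled or in the local Administrators group, RAR archives staged in the Recycle Bin, and services with unquoted paths. The registry keys, SID and account name are the standard Windows ones; the beacon timing, the RAR password and the exfil encoding are not given on the page, so the script does not attempt to match them.

```powershell
# Added example (not from the original post): triage a Windows host for the UPS
# artifacts listed above. Run in an elevated Windows PowerShell 5.1+ session.
# Emits one line per finding; no output means none of the checks fired.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Sticky Keys backdoor: sethc.exe replaced by a copy of cmd.exe, or redirected
#    to another binary through an Image File Execution Options "Debugger" value.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'
if ((Test-Path $sethc) -and (Test-Path $cmd)) {
    $h1 = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
    if ($h1 -eq $h2) { $findings.Add('sethc.exe is byte-identical to cmd.exe (Sticky Keys backdoor)') }
}
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
$dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) { $findings.Add("IFEO Debugger set for sethc.exe: $dbg") }

# 2. RDP switched on: fDenyTSConnections = 0 means Terminal Services accepts connections.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings.Add('RDP is enabled (fDenyTSConnections = 0)') }

# 3. The built-in Remote Assistance account support_388945a0 should be disabled and
#    is never a legitimate local administrator.
$acct = Get-LocalUser -Name 'support_388945a0' -ErrorAction SilentlyContinue
if ($acct -and $acct.Enabled) { $findings.Add('support_388945a0 is enabled') }
# Resolve Administrators by its well-known SID so renamed or localised groups still match.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue
if ($members | Where-Object { $_.Name -like '*\support_388945a0' }) {
    $findings.Add("support_388945a0 is a member of $($adminGroup.Name)")
}

# 4. RAR archives staged in the Recycle Bin. Match on the RAR signature
#    ("Rar!" 0x1A 0x07) rather than the extension, which an attacker can change.
$rarMagic = '52-61-72-21-1A-07'
$bin = Join-Path $env:SystemDrive '$Recycle.Bin'
Get-ChildItem -Path $bin -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $fs   = [System.IO.File]::OpenRead($_.FullName)
        $head = New-Object byte[] 6
        $n    = $fs.Read($head, 0, 6)
        $fs.Dispose()
        if ($n -eq 6 -and [System.BitConverter]::ToString($head) -eq $rarMagic) {
            $findings.Add("RAR archive in Recycle Bin: $($_.FullName) ($($_.Length) bytes)")
        }
    } catch { }
}

# 5. Services whose unquoted image path contains a space: the service controller tries
#    each prefix ("C:\Program.exe", "C:\Program Files\Some.exe", ...), so a writable
#    prefix gives SYSTEM-level persistence and privilege escalation.
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '^"' -and
    (($_.PathName -split ' ')[0]) -notmatch '\.exe$' -and $_.PathName -match ' '
} | ForEach-Object { $findings.Add("Unquoted service path: $($_.Name) -> $($_.PathName)") }

$findings
```

Two of the list items are network-side rather than host-side and are deliberately left out: the HTTP beacon is only recognisable by its timing, which the post does not specify, and "443 but not SSL" is best caught at the proxy or IDS by checking that the first bytes of a port 443 flow are a TLS record header (0x16 0x03 0x0x) rather than something else.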

New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

Summary: FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776…
Cyberwoodpecker's insight:

Pirpi is back. If you're not in the know, here is some historic info. Submission to ThreatExpert received: 9 December 2009, 05:50:41, with a call-out to twadcorp[.]com


http://www.threatexpert.com/report.aspx?md5=522be13d9cd7cd19ac491808e43d642c
