-Table 3066. Table References
+Table 3065. Table References
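Review bot: every caption edit visible in this patch is the same decrement by one (3066 becomes 3065 here, and the pattern continues down to 3089 in the later hunks), so this is the cascade from a table removed further up, not a local fix. If these numbers are emitted by the generator, confirm the diff was produced by re-running it rather than by hand so no caption was skipped, and grep the document for any inline "Table 30xx" cross-reference, since only caption lines appear in the hunks.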
@@ -108837,7 +108826,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
The malware in question is configured with the following three exported functions: ServiceMain,Rundll32Call, DllEntryPoint. The ServiceMain exported function indicates that this DLL is expected to be loaded as a service. If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe. The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. If it’s not, it dies. This ensures that only a single instance of DDKong is executed at a given time. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3. After this configuration is decoded and parsed, DDKONG proceeds to send a beacon to the configured remote server via a raw TCP connection. The packet has a header of length 32 and an optional payload. In the beacon, no payload is provided, and as such, the length of this packet is set to zero. After it sends the beacon, the malware expects a response command of either 0x4 or 0x6. Both responses instruct the malware to download and load a remote plugin. In the event 0x4 is specified, the malware is instructed to load the exported ‘InitAction’ function. If 0x6 is specified, the malware is instructed to load the exported ‘KernelDllCmdAction’ function. Prior to downloading the plugin, the malware downloads a buffer that is concatenated with the embedded configuration and ultimately provided to the plugin at runtime. As we can see in the above text, two full file paths are included in this buffer, providing us with insight into the original malware family’s name, as well as the author. After this buffer is collected, the malware downloads the plugin and loads the appropriate function. 
This plugin provides the attacker with the ability to both list files and download/upload files on the victim machine.
-Table 3067. Table References
+Table 3066. Table References
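Review bot: the unchanged DDKONG context line in this hunk makes the single-instance point twice ("This event ensures that only a single instance of DDKong is executed at a given time" and again right after "If it's not, it dies"), spells the family both "DDKong" and "DDKONG", and says "As we can see in the above text" about a buffer dump that is not in this document. The renumbering itself is fine; a follow-up should drop the repeated sentence, pick one spelling and remove the reference to the missing figure.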
@@ -108857,7 +108846,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
This sample is configured with three exported functions: Add, Sub, DllEntryPoint. The DLL expects the export named ‘Add’ to be used when initially loaded. When this function is executed PLAINTEE executes a command in a new process to add persistence. Next, the malware calls the ‘Sub’ function which begins by spawning a mutex named ‘microsoftfuckedupb’ to ensure only a single instance is running at a given time. In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server. The configuration blob is encoded using a simple single-byte XOR scheme. The first byte of the string is used as the XOR key to in turn decode the remainder of the data. The malware then proceeds to beacon to the configured port via a custom UDP protocol. The network traffic is encoded in a similar fashion, with a random byte being selected as the first byte, which is then used to decode the remainder of the packet via XOR. This beacon is continuously sent out until a valid response is obtained from the C2 server (there is no sleep timer set). After the initial beacon, there is a two second delay in between all other requests made. This response is expected to have a return command of 0x66660002 and to contain the same GUID that was sent to the C2 server. Once this response is received, the malware spawns several new threads, with different Command parameters, with the overall objective of loading and executing a new plugin that is to be received from the C2 server. During a file analysis of PLAINTEE in WildFire, we observed the attackers download and execute a plugin during the runtime for that sample. PLAINTEE expects the downloaded plugin to be a DLL with an export function of either ‘shell’ or ‘file’. 
The plugin uses the same network protocol as PLAINTEE and so we were able to trivially decode further commands that were sent. The following commands were observed: tasklist, ipconfig /all. The attacker performed these two commands 33 seconds apart. As automated commands are typically performed more quickly this indicates that they may have been sent manually by the attacker.
-Table 3068. Table References
+Table 3067. Table References
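Review bot: in the PLAINTEE context line, "spawning a mutex named" should read "creating a mutex named" (a mutex is created, not spawned), and "used as the XOR key to in turn decode the remainder of the data" reads awkwardly; the line also ends in a trailing space. None of this is touched by the renumbering, so it belongs in a separate cleanup rather than this patch.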
@@ -108877,7 +108866,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host
-Table 3069. Table References
+Table 3068. Table References
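Review bot: the Koadic description in this hunk has no terminal punctuation ("...using Windows Script Host"); add the full stop in a follow-up, since this patch only renumbers the caption.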
@@ -108900,7 +108889,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia.
-Table 3070. Table References
+Table 3069. Table References
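Review bot: the Bisonal context line has a stray space before the period in "against Japanese organizations ."; worth fixing alongside the caption renumbering or in a follow-up.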
@@ -108923,7 +108912,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Sekur has been CARBON SPIDER’s primary tool for several years, although usage over the last year appears to have declined. It contains all the functionality you would expect from a RAT, allowing the adversary to execute commands, manage the file system, manage processes, and collect data. In addition, it can record videos of victim sessions, log keystrokes, enable remote desktop, or install Ammyy Admin or VNC modules. From July 2014 on, samples were compiled with the capability to target Epicor POS systems and to collect credit card data.
-Table 3071. Table References
+Table 3070. Table References
@@ -108956,7 +108945,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
-Table 3072. Table References
+Table 3071. Table References
@@ -108986,7 +108975,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
-Table 3073. Table References
+Table 3072. Table References
@@ -109016,7 +109005,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
-Table 3074. Table References
+Table 3073. Table References
@@ -109036,7 +109025,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Bateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were more infrequent and testing was not observed. It is likely that Bateleur was run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDER’s first stage tool of choice. Although much simpler in design than JS Flash, all executing out of a single script with more basic obfuscation, Bateleur has a wealth of capabilities—including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.
-Table 3075. Table References
+Table 3074. Table References
@@ -109056,7 +109045,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
A tool for testing and exploiting vulnerabilities in JBoss Application Servers.
-Table 3076. Table References
+Table 3075. Table References
@@ -109076,7 +109065,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
“Provides TCP tunneling over HTTP and bolts a SOCKS4/5 proxy on top of it, so, reGeorg is a fully-functional SOCKS proxy and gives ability to analyze target internal network.”
-Table 3077. Table References
+Table 3076. Table References
@@ -109096,7 +109085,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
An Active Directory and Windows system management software, which can be used for remote administration of servers and workstations.
-Table 3078. Table References
+Table 3077. Table References
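Review bot: "An Active Directory and Windows system management software" is ungrammatical ("software" is uncountable); "A tool for Active Directory and Windows system management" would read correctly. Unchanged context here, so a separate cleanup.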
@@ -109116,7 +109105,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Imports and exports data from Active Directory Lightweight Directory Services (AD LDS) using files that store data in the comma-separated value (CSV) format.
-Table 3079. Table References
+Table 3078. Table References
@@ -109136,7 +109125,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
A tool to brute-force Remote Desktop Protocol (RDP) passwords.
-Table 3080. Table References
+Table 3079. Table References
@@ -109156,7 +109145,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Used to create new RDP user accounts.
-Table 3081. Table References
+Table 3080. Table References
@@ -109176,7 +109165,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Used to profile servers for potential sale on the dark net
-Table 3082. Table References
+Table 3081. Table References
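Review bot: the description "Used to profile servers for potential sale on the dark net" lacks a terminal period, unlike the neighbouring entries; add it in a follow-up.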
@@ -109196,7 +109185,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
A PsExec-like tool, which executes commands through Windows Management Instrumentation (WMI).
-Table 3083. Table References
+Table 3082. Table References
@@ -109216,7 +109205,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
Allows a user to be logged in both locally and remotely at the same time.
-Table 3084. Table References
+Table 3083. Table References
@@ -109236,7 +109225,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
A light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. When a command is executed on a remote computer using PsExec, then the service PSEXESVC will be installed on that system, which means that an executable called psexesvc.exe will execute the commands.
-Table 3085. Table References
+Table 3084. Table References
@@ -109256,7 +109245,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
A PsExec-like tool, which lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first. When the PAExec service is running on the remote computer, the name of the source system is added to service’s name, e.g., paexec-<id>-<source computer name>.exe, which can help to identify the entry point of the attack.
-Table 3086. Table References
+Table 3085. Table References
@@ -109276,7 +109265,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity.
-Table 3087. Table References
+Table 3086. Table References
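Review bot: the KEYMARBLE context line ends in a fragment, "For more information on HIDDEN COBRA activity.", whose continuation is missing. Either restore the rest of the sentence from the source report or drop the fragment in a follow-up; the caption change itself is consistent with the rest of the patch.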
@@ -109296,7 +109285,7 @@ Talos have identified the samples, with moderate confidence, used in this attack
The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”. Unfortunately, there is already an existing unrelated malware called BISCUIT, so BISKVIT is used instead, which is the Russian translation of biscuit.
-Table 3088. Table References
+Table 3087. Table References
@@ -109327,7 +109316,7 @@ Members of the family can also change search results, which can generate money f
-Table 3089. Table References
+Table 3088. Table References
@@ -109346,7 +109335,7 @@ Members of the family can also change search results, which can generate money f