One Article Review

Home - The article:
Source BAE
Identifier 352308
Publication date 2017-03-06 12:13:22 (viewed: 2017-03-06 12:13:22)
Title Lazarus & Watering-hole attacks
Text On 3rd February 2017, researchers at badcyber.com released an article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland", followed by a claim that over 20 commercial banks had been confirmed as victims.

This report provides an outline of the attacks based on what was shared in the article, together with our own additional findings.

ANALYSIS

As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below:

From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations:

hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1
hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action

Both of these appear to be compromised domains, given that they are also hosting legitimate content and have done so for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis:

85d316590edfb4212049c4490db08c4b
c1364bbf63b3617b25b58209e4529d8c
1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae

The C&Cs given in the BadCyber analysis were the following IP addresses:

125.214.195.17
196.29.166.218

LAZARUS MALWARE

Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website – but we have no reason to doubt this either.

MD5 hash Filename File Info First seen
Sent Yes
Tags Guideline Medical
Stories APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.