Source |
AlienVault Lab Blog |
Identifier |
740342 |
Publication date |
2018-06-11 13:00:00 (viewed: 2018-07-11 17:03:30) |
Title |
More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea |
Text |
Written By Chris Doman and Jaime Blasco
Introduction
Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.
Below we’ve shared our brief analysis of the attack.
Profiling Script
The first step appears to have been a profiling script to get information on possible targets for their attack. We’ve seen Lazarus do this before on other sites they have infected, and it’s a technique that other advanced attackers have been seen to employ.
This was followed by scripts to perform additional profiling and actually deliver the ActiveX exploit.
Some details of these scripts were kindly shared by issuemakerslab, who identified a number of infections that moved over time:
|
Notes |
★★★★
|
Sent |
Yes |
Digest |
$a1 $a2 $a3 $a4 $a5 $a6 $a7 $a8 $external $home $resp
rule 0a| 0x5a4d 112 132 164 176 189445 191 209 223 26amp;sa 26amp;ust 3d1528410725420000&sa=d&ust=1528410725440000&usg=afqjcnghebjiov8cvvojjii8payigbixya 3dd 3dhttp://ashiyane 8796fda0510420f6a1daff6ed89851ab; 9d3fd05a6f31cf4b7ab858825e58d8008d446fad9fddb03aeb8ee107bceb3641 >previously able activex activexsejonginstitute activity; acubefilectrl acubefilectrlctrl additional ahnlab akdoor alert all amp any appendix as: asp backdoor based bcec9c6ff39106505c472c38c94e32773c03facda2e1064c20e3905894e9529e bf4a0fcfe8ef5205d1ca13c5040335df11daebee45c994bd7504f19937d8da20 blank c&c can can’t certain classtype:trojan com/hdd/images/image com/url command commands communication condition:
content: context control date decoded delivered depth:38; details detected detection different distinctive download dsize:38; duzonerpsso duzonerpssoctrl easypayplugin epplugin executes file filename find flow:established from google has hashes http://aega http://alphap1 http://www https://www id=ksjdnks id=sj identified as in otx indicators iniwallet61 iniwallet61ctrl korea kr/board/icon/image kr/board/skin kr/mall/skin/skin lazarus lib/conf/conf likely this file login machine malware min more msg: net net/www/custom network org/ org/forums/showthread org/js/jquery org/pub/inc/config other otx over peaceind php php poll/gallery/poll poll/gallery/result profiling prompt protocol pulse r228914 rare recently reference:md5 responds response rev:1; rule rules samples script sejong sends server server; servers share siclientaccess sid:xxx; simple south splwow32lazaruspayload srider status strings:
such suricata target target= tcp tg9naw4gu3vjy2vzcyfcclxuv2vsy29tzse= tg9naw4gu3vjy2vzcyfcclxuv2vsy29tzse=|0d them
trojan two uint16 uploader/page17 url urls used users victim vulnerability vulnerable when whilst with: www x2e x31 x41 x42 x43 x44 x45 x46 x49 x4c x4e x4f x50 x52 x53 x54 x55 x5a x61 x62 x63 x65 x67 x69 x6c x6e x70 x72 x73 x74 x75 x79 yara |
Tags |
Malware
Vulnerability
|
Stories |
APT 38
|
Move |
|