2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 45EXTENDED ANALYSIS: 2.2 Cluster <strong>Analysis</strong>FIGURE 10: Revir/IMuler attacksThe attack in September 2011 is particularly interesting because the Revir/IMulercomponents show very clear development progress compared to the version sent in May.The May version is a two-stage program. The initial program dropped as /tmp/hostdownloads a second program as /tmp/updtdata, which is then used for communicationwith the C2 server. The September version integrates the second program into the first,merging functionality. This change means that the download of a second executable isnot required, eliminating a more suspicious component of the infection process.The malware version sent in September 2011 was also used in another campaignreported by Eset in March 2012, using photos of a topless model as the lure to runthe attachment.MacControlOn September 7, 2012, we identified an attack targeting Tibet Group 2 usinganother malware family, MacControl. The samples seen from this family have atechnical score of 1.25
Communities @ Risk 46EXTENDED ANALYSIS: 2.2 Cluster <strong>Analysis</strong>This email repurposed content from Radio Free Asia and claimed to contain a list ofself-immolations giving it a social engineering score of 3 (TTI 3.75). The attached executableconnects to a C2 server at 61.178.77.158:80 and functions as a standard RAT.FIGURE 11: MacControl attacksAnother email received by the same organization three weeks later contained a maliciousExcel file that installed Gh0st RAT with the variant-identifying text LURK0.This RAT shared the same C2 as the MacControl, connecting back to 61.178.77.158on port 8080.This paring of MacControl with Gh0st RAT has been used in attacks against Uyghurusers, as reported by Kaspersky and AlienVault.Outside of our study participants, we have also seen MacControl campaigns similar tothose reported by Kaspersky and AlienVault, targeting Tibetan and Uyghur communities.These differ slightly than those described above in that they use different flag textin the Gh0st RAT component, and connect to a nearby IP (61.178.77.169). They arealso delivered using a Word vulnerability, while the email sent to the in-study recipientcontained an executable inside a .zip file.Olyx / Lamadai / PubSabOlyx, Lamadai, and PubSab (or SabPub) are variants of the same malware that aredifferentiated by the C2 server used and the location where the malware hides ona compromised system. These names are often used interchangeably by differentantivirus or security companies. Further complicating matters, there is often overlapbetween names: for example, Olyx.C is the same as Lamadai.B.
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64: Communities @ Risk 63EXTENDED ANALY
Page 97 and 98:
Communities @ Risk 96EXTENDED ANALY
Page 99 and 100:
Communities @ Risk 98EXTENDED ANALY
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

Create successful ePaper yourself

Delete template?

Save as template?