2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 47EXTENDED ANALYSIS: 2.2 Cluster <strong>Analysis</strong>Olyx.A»»Threat location: /Library/Application Support/google/startp»»Launcher: ~/Library/LaunchAgents/www.google.com.tstart.plistOlyx.B (Lamadai.A)»»Threat location: /Library/Audio/Plug-Ins/AudioServer»»Launcher: ~/Library/LaunchAgents/com.apple.DockActions.plistOlyx.C (Lamadai.B)»»Threat location: Applications/Automator.app/Contents/MacOS/DockLight»»Launcher: ~/Library/LaunchAgents/com.apple.DockActions.plistPubSab.A»»Threat location: ~/Library/Preferences/com.apple.PubSabAgent.pfile»»Launcher: ~/Library/LaunchAgents/com.apple.PubSabAgent.plistOlyx.C was observed in emails sent to Tibet Group 1, and via a NIDS on the networkof Tibet Group 3.The campaign against Tibet Group 1 consisted of five emails that contained links tomalicious .jar files that exploited Java vulnerabilities (CVE-2011-2544 or CVE-2012-0507). All of these emails appeared to come from real people or organizations, andreferenced Tibetan themes giving them a social engineering score of 3. The malware isbasic with a technical score of 1. The total TTI is 3.
Communities @ Risk 48EXTENDED ANALYSIS: 2.2 Cluster <strong>Analysis</strong>FIGURE 12: Olyx/Lamadai/PubSab attacksOn January 29, 2013, the NIDS on the network of Tibet Group 3 detected evidence ofa Java vulnerability being used to serve multi-platform malware pretending to beAdobe Flash Player. This sample was distributed through a web page that does webbrowser user agent detection. Tibet Group 3 did not submit any emails containing thislink, so the specific attack vector used is unclear.The website hosting the malware was hxxp://services.addons.mozilla.publicvm.com,and had an .xpi file for Firefox and a .jar containing Olyx.C for Mac. The way themalware was served was different than other similar attacks in that it checked bothbrowser and OS, not just OS, to determine which malware program would be used.On February 5, 2013, we received additional alerts that showed similar maliciouspages were visited by Tibet Group 3, again without indication of the original attackvector. A web page was flagged by the NIDS due to a suspicious encoded string thatdecoded to a tinyurl.com redirector. This link led to a page on hxxp://adobeupdate.publicvm.com, which had attacks for IE, Firefox, Java (Windows, but not OS X), and
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64: Communities @ Risk 63EXTENDED ANALY
Page 99 and 100:
Communities @ Risk 98EXTENDED ANALY
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

Create successful ePaper yourself

Delete template?

Save as template?