CFC REPORT SPHINX MOTH
OVERVIEW

Sphinx Moth

Since mid-2014, the Kudelski Security Cyber Fusion Center has been monitoring and investigating Sphinx Moth. This powerful corporate espionage threat is specifically designed to target large enterprises in the technology, pharma, commodities and legal sectors, penetrating their security and exfiltrating commercially sensitive information.

Over the course of our investigations, we discovered new Indicators of Compromise (IOCs) and attack techniques, complementing those published recently by Symantec and Kaspersky¹.

Our report provides the following:

• An analysis of 5 new binaries
• 5 new Command and Control server IP addresses
• 2 new Command and Control domains
• 6 new YARA rules
• 1 new tactic to regain access
• A PowerShell script to detect the named pipes IOC on an SCCM infrastructure

We have detailed them here with the aim of furthering a collective understanding of the attack methods, tools and targets of this advanced persistent threat, and of improving general capabilities of detection and defense.
¹ Sphinx Moth corresponds to the advanced persistent threat called “Wild Neutron” or “Butterfly/Morpho” by Kaspersky and Symantec respectively.

Cybersecurity unit of Kudelski Group
www.kudelskisecurity.com
request@kudelskisecurity.com