ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger
ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger
ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>ASERT</strong> <strong>Threat</strong> <strong>Intelligence</strong> Report – <strong>Uncovering</strong> <strong>the</strong> <strong>Seven</strong> <strong>Pointed</strong> <strong>Dagger</strong><br />
Malware set #1: Six RAR files (two PlugX, one EvilGrab, one unknown, two Trochilus RAT)<br />
Figure 1: Screenshot of website containing additional malware (UEC-Invitiation.rar) as of October 20, 2015 <br />
The newly observed file, stored in a RAR, is a storage tactic that has been previously observed on <strong>the</strong> same <br />
site. Two prior filenames (discussed in <strong>the</strong> White Elephant report) were invitations.rar and PlanProposal.rar. <br />
Inside <strong>the</strong> UEC-‐Invitation.rar file <strong>the</strong>re is a folder called UEC Invitation that contains ano<strong>the</strong>r folder called <br />
Invitation. Inside this folder is a shortcut file, Invitation.LNK with a timestamp of August 24, 2015. Analysis of <br />
<strong>the</strong> .LNK file turns up some interesting elements, such as <strong>the</strong> use of PowerShell inside <strong>the</strong> Target field, which <br />
performs a download and execute of additional malware. <br />
Figure 2:<br />
Analysis of <strong>the</strong> .LNK file reveals malicious Powershell<br />
4 Proprietary and Confidential Information of Arbor Networks, Inc.