ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement
SHA-256 (T9000, BC29.tmp): 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c
SHA-256 (~tmp.doc): 76d54a0c8ed8d9a0b02f52d2400c8e74a9473e9bc92aeb558b2f4c894da1b88f
Connections to Historical and Ongoing Threat Campaign Activity
This sample uses the same C2 that has been observed in the other T9000 samples analyzed herein. The
Targeted Exploitation #7 incident in this report includes some assessment of the C2 itself to determine
additional information about the actors and to generate other IOCs.
Targeted Exploitation #9: Agent.XST and other malware
This RTF document, exploiting CVE-2012-0158, CVE-2012-1856 and CVE-2015-1641, was observed using the
name 2016總統選舉民情中心預測值.doc, which roughly translates in English to “Prediction of the 2016
presidential election people center value.Doc”. It was first submitted to VirusTotal from the USA on 1/7/2016.
The bait file in use contains the following text:
A rough translation to English reveals election related content:
Office file metadata gives the document's creation time (1/6/2016 5:41 PM) and a less-than-helpful
value of “User” for the author.
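One way to pull these fields when triaging an RTF lure, as an added example that is not from the ASERT report. It assumes the metadata sits in the RTF `\info` group (`\author`, `\creatim`); the helper names and `SAMPLE_RTF` are hypothetical, and the sample is constructed to mirror the values quoted above.

```python
import re
from datetime import datetime

# Constructed sample, not the real lure: a minimal RTF whose \info group
# mirrors the values reported above (author "User", created 1/6/2016 5:41 PM).
SAMPLE_RTF = (
    r"{\rtf1\ansi{\info{\title Untitled}{\author User}{\operator User}"
    r"{\creatim\yr2016\mo1\dy6\hr17\min41}{\revtim\yr2016\mo1\dy6\hr17\min43}}"
    r"\pard Body text\par}"
)

def _group(text, keyword):
    """Body of the first {\\keyword ...} group, honouring nested braces."""
    start = text.find("{\\" + keyword)
    if start < 0:
        return None
    depth, i = 0, start
    while i < len(text):
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] in ("{", "}", "\\"):
            i += 2          # escaped brace or backslash is literal text
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start + len(keyword) + 2:i]
        i += 1
    return None             # unbalanced group: treat as absent

def _timestamp(body):
    """\\yrN\\moN\\dyN\\hrN\\minN -> datetime, or None if missing or invalid."""
    f = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min)(\d+)", body or "")}
    try:
        return datetime(f["yr"], f["mo"], f["dy"], f.get("hr", 0), f.get("min", 0))
    except (KeyError, ValueError, OverflowError):
        return None

def rtf_metadata(text):
    """Author and timestamps from the RTF \\info group; {} if there is none."""
    info = _group(text, "info")
    if info is None:
        return {}
    author = _group(info, "author")
    return {"author": author.strip() if author is not None else None,
            "created": _timestamp(_group(info, "creatim")),
            "revised": _timestamp(_group(info, "revtim"))}
```

Both fields are set by whoever produced the document, so they are leads to correlate across samples rather than proof of origin.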
30 Proprietary and Confidential Information of Arbor Networks, Inc.