y5qa5B

More documents

Recommendations

Info

ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement Domain name First seen Last seen www.tibetimes.com 2015-‐12-‐01 02:04:24 2015-‐12-‐04 01:25:34 softinc.pw 2015-‐11-‐01 06:43:26 2015-‐11-‐30 18:57:21 An email address associated with these domains is lobsang[@]gmx.com and another is 2732115454[@]qq.com. The IP and these mail addresses associate with Uyghur and Tibetan themed domains as shown here: The following diagram zooms in on the Uyghur-‐based domain names highlighting the connection between this Gh0stRAT sample domain metadata and other activity observed, such as the domain whitewall[.]top used in the PlugX configuration previously mentioned. 42 Proprietary and Confidential Information of Arbor Networks, Inc.
ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement Additional investigations are underway to determine the scope of the particular threat herein. Targeted Exploitation #12: T9000 Malware; Tibet House Lure This malware originates on December 31, 2015 and used the original filename “[tibethouse] Upcoming Program Announcement Last Week of December.doc”. This timing and naming scheme is consistent with the Tibetan-‐themed engagement seen in late December of 2015. The malware was first submitted to Virus Total from India, and exploits CVE-‐2012-‐0158, CVE-‐2012-‐1856, and CVE-‐2016-‐1641. The bait file is a seven page “Upcoming Programme Announcement” apparently written by the Tibet House. Document metadata shows the user name “HighSea” (previously observed in Targeted Exploitation #8 herein): © Copyright 2016 Arbor Networks, Inc. All rights reserved. 43
Page 1 and 2: ASERT Threat Intelligence Report 20
Page 41: ASERT Threat Intelligence Report 20

y5qa5B

Create successful ePaper yourself

Delete template?

Save as template?