ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement

The body of the document is about aid for the Tibetan community. A portion is reproduced here:

Document metadata indicates that someone using the name “bull” was the last person to modify and save the document. The last modification date was December 31, 2015, the same day the mail was sent to targets.

Rendering the Tibetan-themed RTF document with a vulnerable instance of Office results in the injection of the Grabber (aka EvilGrab) malware into the ctfmon.exe process. Grabber provides all of the usual Remote Access Trojan (RAT) capabilities an actor would want: remote control of the target system, file listing, download and execution of additional code, spying on the user, command execution for lateral movement, data exfiltration, and so on. For those seeking more background, a helpful document describing the full capabilities of Grabber was written by Unit 42 in 2015 [13].

Inside the compromised machine, the Process Hacker tool allows us to easily observe the injected process ctfmon.exe initiating an outbound connection to the C2 180.169.28[.]58 on TCP/8080. ctfmon.exe (the Text Services Framework monitor) has no legitimate reason to open outbound sockets, so this process/destination pairing is a strong host-side indicator on its own.

We can observe the User-Agent value hardcoded inside the Grabber binary (as discussed in the “Uncovering the Seven Pointed Dagger” document from Arbor ASERT (http://www.arbornetworks.com/blog/asert/wp-
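The observation above (an injected ctfmon.exe beaconing to 180.169.28[.]58 on TCP/8080) turns into detection logic in two ways: an exact match on the C2 indicator, and a behavioural rule that a process with no network role should never open an outbound socket. The following Python is an added example written for this edit, not code from the report or from Arbor ASERT. It assumes a flattened key=value Sysmon Event ID 3 (NetworkConnect) export, and the sample log lines and the `NO_NETWORK_PROCESSES` baseline are constructed for illustration; only the first sample line mirrors what the report describes.

```python
"""Flag Grabber-style beacons in Sysmon NetworkConnect (Event ID 3) records.

Two rules are applied to every outbound connection:
  1. exact match against the C2 indicator from the report, and
  2. a behavioural rule: binaries in NO_NETWORK_PROCESSES (e.g. ctfmon.exe)
     never legitimately open non-loopback sockets, so any such connection
     means code was injected into them.
The log format parsed here is a constructed key=value flattening; adapt
_EVENT_RE to whatever your Sysmon/EDR exporter actually emits."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator from the report, defanged in the text as 180.169.28[.]58:8080.
C2_INDICATORS = {("180.169.28.58", 8080)}

# Assumed baseline for this example: Windows binaries with no outbound network
# role. Extend it from your own environment's process/network inventory.
NO_NETWORK_PROCESSES = {"ctfmon.exe", "notepad.exe", "calc.exe"}


@dataclass(frozen=True)
class NetEvent:
    image: str      # full path of the process that opened the socket
    pid: int
    protocol: str   # "tcp" or "udp"
    dst_ip: str
    dst_port: int

    @property
    def basename(self) -> str:
        # Compare on the file name only: paths vary, injection hosts do not.
        return self.image.rsplit("\\", 1)[-1].lower()


# Non-greedy Image match so paths containing spaces still parse.
_EVENT_RE = re.compile(
    r"Image=(?P<image>.+?)\s+ProcessId=(?P<pid>\d+)\s+Protocol=(?P<proto>\w+)\s+"
    r"DestinationIp=(?P<ip>[0-9a-fA-F.:]+)\s+DestinationPort=(?P<port>\d+)"
)


def parse_event(line: str) -> Optional[NetEvent]:
    """Return a NetEvent for a NetworkConnect line, or None for anything else."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    return NetEvent(m["image"], int(m["pid"]), m["proto"].lower(), m["ip"], int(m["port"]))


def classify(ev: NetEvent) -> List[str]:
    """Return the reasons (possibly none) why this connection is suspicious."""
    reasons = []
    if (ev.dst_ip, ev.dst_port) in C2_INDICATORS:
        reasons.append("c2_indicator_match")
    try:
        loopback = ipaddress.ip_address(ev.dst_ip).is_loopback
    except ValueError:
        loopback = False  # unparsable address: do not let it suppress the rule
    # Loopback traffic from these processes is benign; anything else is not.
    if ev.basename in NO_NETWORK_PROCESSES and not loopback:
        reasons.append("no_network_process_outbound")
    return reasons


def scan(lines) -> List[Tuple[NetEvent, List[str]]]:
    """Parse every line and return only the events that triggered a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample log; the first line reproduces the report's observation.
SAMPLE_LOG = """\
EventId=3 Image=C:\\Windows\\System32\\ctfmon.exe ProcessId=1234 Protocol=tcp DestinationIp=180.169.28.58 DestinationPort=8080
EventId=3 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe ProcessId=2000 Protocol=tcp DestinationIp=93.184.216.34 DestinationPort=443
EventId=3 Image=C:\\Windows\\System32\\svchost.exe ProcessId=900 Protocol=udp DestinationIp=10.0.0.2 DestinationPort=53
EventId=3 Image=C:\\Windows\\System32\\ctfmon.exe ProcessId=1234 Protocol=tcp DestinationIp=127.0.0.1 DestinationPort=135
EventId=3 Image=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE ProcessId=3000 Protocol=tcp DestinationIp=180.169.28.58 DestinationPort=8080
EventId=1 Image=C:\\Windows\\System32\\ctfmon.exe ProcessId=1234 CommandLine=ctfmon.exe
"""

if __name__ == "__main__":
    for ev, why in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={ev.pid} {ev.basename} -> {ev.dst_ip}:{ev.dst_port}/{ev.protocol} [{', '.join(why)}]")
```

Running it flags the ctfmon.exe beacon on both rules and the Outlook connection on the indicator alone; the loopback RPC call from ctfmon.exe and the process-creation record are ignored. The behavioural rule is the one worth keeping after the C2 address is retired, since it catches the injection host regardless of where the next campaign points it.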
6 Proprietary and Confidential Information of Arbor Networks, Inc.