ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement

Recommendations

Info

ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement The e-‐mail was sent on Thursday Dec 31, 2015 at 19:08:25 +0800 (HKT) and was submitted to Virus Total from Taiwan. The Chinese language text in the mail message, when translated to English, mentions a meteor shower and the Hong Kong Space Museum. This is a different approach than threat actors providing the usual geopolitical content, but perhaps the intent was to provide some item that may be considered personally interesting to the target. The attachment filename “ 與天空有約 !12 個 2016 年不可錯過的天文現象 mm.doc” roughly translates from Chinese as “About the sky ! 12 2016 astronomical phenomenon not to be missed”. The Word document metadata, to the left, shows our now-‐familiar timeframe of December 31, 2015 and a name of “webAdmin” as the document author and modifier. Depending upon the generation scenario at play, such document metadata may or may not be useful, but is being included inside this report to provide potential indicators that may help track down other APT activity. 14 Proprietary and Confidential Information of Arbor Networks, Inc.
ASERT Threat Intelligence Report 2016-03: The Four-Element Sword Engagement The original text of the document and a rough English translation is as follows: The final payload in this document exploit is also Grabber – the same sample used in Targeted Exploitation #1. Therefore, this sample uses the same C2 as Targeted Exploitation #1 and other samples profiled in this set. IOC’s C2: 180.169.28.58:8080 Filename: 與天空有約 !12 個 2016 年不可錯過的天文現象 mm.doc MD5 (spearphish): b6e22968461bfb2934c556fc44d0baf0 MD5 (RTF): 74a4fe17dc7101dbb2bb8f0c41069057 MD5 (~tmp.doc): fcfe3867e4fa17d52c51235cf68a86c2 © Copyright 2016 Arbor Networks, Inc. All rights reserved. 15
Page 1 and 2: ASERT Threat Intelligence Report 20
Page 13: ASERT Threat Intelligence Report 20

ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement

Create successful ePaper yourself

Delete template?

Save as template?