MONSOON – ANALYSIS OF AN APT CAMPAIGN

Recommendations

Info

Forcepoint Security Labs | Special Investigations Distribution Mechanism. The final Google search result was a report generated by the URLQuery.net site: Figure 7 – URLQuery.net The site t.ymlp50[.com] is a legitimate web and e-mail marketing service. It is owned and operated by the Belgian company Your Mailing List Provider (YMLP). Further Google searches of other document names revealed similar redirection chains using the same service. Consequently, it is reasonable to conclude that a number of “weaponised” documents were delivered using YMLP. MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 9/57
Forcepoint Security Labs | Special Investigations E-MAIL LURES & MALWARE DISTRIBUTION Email Lures. Using the information from the initial discoveries and correlating against the ‘known bad’ data collected by Forcepoint’s Triton® AP-Email it was possible to track down at least some of the targeted e-mail lures used by the HANGOVER group in the MONSOON campaign. The e-mail themes are typically current political events that may be of interest to the target recipient. It was possible to identify several Chinese politically themed e-mails linking to weaponised documents. A redacted example e-mail can be seen below. Figure 8 – Known Bad Email Lure MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 10/57
Page 1 and 2: MONSOON - ANALYSIS OF AN APT CAMPAI
Page 3 and 4: Forcepoint Security Labs | Special
Page 9: Forcepoint Security Labs | Special

MONSOON – ANALYSIS OF AN APT CAMPAIGN

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?