MONSOON – ANALYSIS OF AN APT CAMPAIGN
2aWUb2X
2aWUb2X
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Forcepoint Security Labs | Special Investigations<br />
Window Message Processor ............................................................................................................... 29<br />
Updater VBScript ................................................................................................................................. 30<br />
AutoIt Backdoor ....................................................................................................................................... 30<br />
Decompiled AutoIt Script ..................................................................................................................... 31<br />
Document Exfiltration .......................................................................................................................... 31<br />
Privilege Escalation. ............................................................................................................................ 31<br />
PowerShell Second Stage & Metasploit Meterpreter ........................................................................... 32<br />
Unknown Logger Public V 1.5 ................................................................................................................. 37<br />
Configuration ....................................................................................................................................... 40<br />
TINYTYPHON ......................................................................................................................................... 41<br />
Configuration & Persistence ................................................................................................................ 41<br />
Document Crawler ............................................................................................................................... 42<br />
Victims ................................................................................................................................................. 44<br />
Attribution ................................................................................................................................................... 47<br />
Victims .................................................................................................................................................... 47<br />
Adversaries ............................................................................................................................................. 47<br />
Cui Bono? ........................................................................................................................................... 47<br />
Infrastructure ........................................................................................................................................... 48<br />
Indicators of Compromise ........................................................................................................................... 49<br />
Lure URLs ............................................................................................................................................... 49<br />
Weaponised Document Hashes (SHA1) .................................................................................................. 49<br />
BADNEWS Malware Hashes (SHA1) ...................................................................................................... 50<br />
AutoIt Malware Hashes (SHA1) ............................................................................................................... 50<br />
TINYTYPHON Malware Hashes (SHA1) ................................................................................................. 50<br />
Unknown Logger Malware Hashes (SHA1) ............................................................................................. 50<br />
Miscellaneous Samples (SHA1) .............................................................................................................. 50<br />
BADNEWS C&C ...................................................................................................................................... 50<br />
AutoIt C&C .............................................................................................................................................. 51<br />
Meterpreter C&C ..................................................................................................................................... 51<br />
TINYTYPHON C&C ................................................................................................................................. 51<br />
Names of Lure & Weaponised Files ........................................................................................................ 51<br />
About Us .................................................................................................................................................... 55<br />
Figures ....................................................................................................................................................... 56<br />
References ................................................................................................................................................. 57<br />
<strong>MONSOON</strong> <strong>–</strong> <strong><strong>AN</strong>ALYSIS</strong> <strong>OF</strong> <strong>AN</strong> <strong>APT</strong> <strong>CAMPAIGN</strong> Revision: 1.07 | TLP-WHITE | 3/57