APT vs Internet service providers – a threat hunter's perspective
Common Information
Type Value
UUID a499fc98-2006-447c-bde4-20bb28064c28
Fingerprint b4bf2e6de80f4f0ce828f47733a2e75932e643071184415847a3b5d38612de4c
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 20, 2020, 10:52 a.m.
Added to db April 18, 2024, 11:05 a.m.
Last updated Aug. 31, 2024, 1:17 a.m.
Headline APT vs Internet service providers – a threat hunter's perspective
Title APT vs Internet service providers – a threat hunter's perspective
Detected Hints/Tags/Attributes 100/2/13
Attributes
Type #Events Value
Domain 247 www.virusbulletin.com
Domain 1 rc4.new
Domain 1 em.netvigator.com
Domain 150 www.w3.org
Domain 7 www.telsy.com
File 185 shell32.dll
Threat Actor Identifier - APT 31 APT30
Threat Actor Identifier - APT 522 APT41
Threat Actor Identifier - APT 258 APT34
Url 1 https://em.netvigator.com/service/soap/authrequest
Url 1 http://www.w3.org/2003/05/soapenvelope
Url 1 https://www.telsy.com/deadlykiss-malware/.
Yara rule 1
rule APT_DeadlyKiss_81893_23211 : APT {
	meta:
		description = "Detects DeadlyKiss based on imported IsUserAnAdmin function and XOR"
		author = "Emanuele De Lucia"
	strings:
		// Exports typical of a COM / service DLL; any one of them satisfies the condition below
		$export_1 = "DllRegisterServer"
		$export_2 = "ServiceMain"
		$export_3 = "DllUnregisterServer"
		$export_4 = "DllCanUnloadNow"
		// Low three bytes of an import-by-ordinal lookup entry for SHELL32 ordinal 0x02A8 (680 = IsUserAnAdmin).
		// The 0x80 ordinal-flag byte is left out so the same pattern hits PE32 and PE32+ encodings.
		$isuseradmin = { A8 02 00 }
		$shell = "SHELL32.dll"
		// XOR decode loop fragments: x86  shr ecx,2 / xor cl,[eax-4] / xor cl,[eax]
		$xor_x32 = { C1 E9 02 32 48 FC 32 08 }
		//                          x64  shr eax,2 / xor al,[rdx+rcx-4] / xor al,[rdx+rcx]
		$xor_x64 = { C1 E8 02 32 44 0A FC 32 04 0A }
	condition:
		// MZ header, the ordinal import, the SHELL32 import name, at least one export and either decode loop
		(uint16(0) == 0x5A4D and ($isuseradmin and $shell and 1 of ($export_*) and ($xor_x32 or $xor_x64)))
}
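The following Python is an added example, not part of the page or of the rule author's material. It shows why the three-byte `{ A8 02 00 }` pattern works for both 32- and 64-bit imports (an import-by-ordinal lookup entry is the ordinal in the low 16 bits with the top bit of a 32-bit or 64-bit word set) and re-evaluates the rule's conditions over two constructed byte buffers: one carrying a decode-loop stub and one that only has the exports and the SHELL32 import. The samples are constructed stand-ins, not real binaries, and the ordinal value 680 for IsUserAnAdmin is taken from the rule's own pattern plus its description.

```python
import struct

# Patterns lifted from the DeadlyKiss rule above.
MZ = b"MZ"
EXPORTS = [b"DllRegisterServer", b"ServiceMain", b"DllUnregisterServer", b"DllCanUnloadNow"]
SHELL = b"SHELL32.dll"
ISUSERADMIN = bytes.fromhex("A80200")
XOR_X32 = bytes.fromhex("C1E9023248FC3208")
XOR_X64 = bytes.fromhex("C1E80232440AFC32040A")

# PE import lookup table: top bit set means "import by ordinal", ordinal in the low 16 bits.
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000
ISUSERANADMIN_ORDINAL = 680  # 0x02A8, as implied by the rule's pattern and description


def ordinal_import_entry(ordinal, pe32plus):
    """Encode an import-by-ordinal lookup entry as it appears on disk (little-endian)."""
    if pe32plus:
        return struct.pack("<Q", IMAGE_ORDINAL_FLAG64 | ordinal)
    return struct.pack("<I", IMAGE_ORDINAL_FLAG32 | ordinal)


def evaluate_rule(data):
    """Re-evaluate the rule's sub-conditions over a byte buffer and return them with the verdict."""
    hits = {
        "mz": data[:2] == MZ,
        "isuseradmin": ISUSERADMIN in data,
        "shell": SHELL in data,
        "exports": sum(1 for e in EXPORTS if e in data),
        "xor_x32": XOR_X32 in data,
        "xor_x64": XOR_X64 in data,
    }
    hits["match"] = (
        hits["mz"]
        and hits["isuseradmin"]
        and hits["shell"]
        and hits["exports"] >= 1
        and (hits["xor_x32"] or hits["xor_x64"])
    )
    return hits


def build_sample(with_xor, pe32plus=False):
    """Constructed stand-in for a DLL image: MZ stub, export names, SHELL32 import,
    an IsUserAnAdmin ordinal entry and, optionally, the XOR decode-loop bytes."""
    body = bytearray(b"MZ" + b"\x00" * 62)
    body += b"DllRegisterServer\x00ServiceMain\x00"
    body += b"SHELL32.dll\x00"
    body += ordinal_import_entry(ISUSERANADMIN_ORDINAL, pe32plus)
    if with_xor:
        body += XOR_X64 if pe32plus else XOR_X32
    return bytes(body)


if __name__ == "__main__":
    print("PE32  entry:", ordinal_import_entry(ISUSERANADMIN_ORDINAL, False).hex())
    print("PE32+ entry:", ordinal_import_entry(ISUSERANADMIN_ORDINAL, True).hex())
    print("with decode loop:", evaluate_rule(build_sample(True)))
    print("exports/import only:", evaluate_rule(build_sample(False)))
```

The second sample shows the caveat a hunter should keep in mind: a COM/service DLL that happens to import IsUserAnAdmin by ordinal satisfies `$isuseradmin`, `$shell` and the export strings on its own, so the decode-loop bytes are what actually carry the detection. Treat hits on the three-byte ordinal pattern without either `$xor_*` string as noise, not as a weaker signal.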