ioc[.]one - OSINT Cyber Threat Intelligence Database

Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations | Mandiant

Tags

cmtmf-attack-pattern:	Stage Capabilities
country:	Czechia Germany India Norway Spain Turkey Ukraine
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Dns - T1071.004 Dns - T1590.002 Domains - T1583.001 Domains - T1584.001 Execution Guardrails - T1480 Execution Guardrails - T1627 Html Smuggling - T1027.006 Javascript - T1059.007 Malicious File - T1204.002 Malicious Link - T1204.001 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Server - T1583.004 Server - T1584.004 Software - T1592.002 Stage Capabilities - T1608 Web Services - T1583.006 Web Services - T1584.006 Tool - T1588.002

Show in Graph

Common Information

Type	Value
UUID	12b4c27c-44b2-4d27-829c-fa658fe3ceca
Fingerprint	c2168d1309350fe1
Analysis status	DONE
Considered CTI value	2
Text language
Published	Sept. 21, 2023, midnight
Added to db	Nov. 19, 2023, 12:31 a.m.
Last updated	Nov. 17, 2024, 6:54 p.m.
Headline	Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Title	Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations \| Mandiant
Detected Hints/Tags/Attributes	112/4/170

Source URLs

	Redirection	Url
Details	Source	https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing

URL Provider

Details	Provider	Source level domain
Details	mandiant.com	www.mandiant.com

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	330	✔	Threat Intelligence	https://www.mandiant.com/resources/blog/rss.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	md5	1	c60aa80e0e58c2758f0bac037ec16dca
Details	md5	1	1f21f9948b412f0198f928ed3266786b
Details	md5	1	556857ccb27b527e05415eb6d443aee1
Details	md5	1	880120da2f075155524430ceab7c058e
Details	md5	1	0032b8eabdc41e01923fabca5fe8a06b
Details	md5	1	4355851b6fcf2d44e3fd47f47a5e9502
Details	md5	1	5ff4831ee70c07e33c1bbe091840d5ee
Details	md5	1	1ec49b2cb9d4ba265678359e117809b8
Details	md5	1	f089fd7204552aec41f64b1eb6b03eda
Details	md5	1	0b0707ce90548f0c8b952138fff62742
Details	md5	1	33312f16fd5b88470a0e7560954ae459
Details	md5	1	b382d0f8b130cd1804782d400a4d4f55
Details	md5	1	fc47284181f2bb6785e91c9b92710d78
Details	md5	1	b12a4b8ec485ad9f9c4cae1e25a35db8
Details	md5	1	4c00d883444c78f19c3a1af191614491
Details	md5	1	68cc826c2c58cb74abe3e5ef2123102c
Details	md5	1	9685dae9ed8d2bf13b66593c1d7cd2eb
Details	md5	1	dd2e5debb0ae8b8bccac5c1fbef6bb5a
Details	md5	1	5bcf04c0fb0f62fc5f4b83789477a699
Details	md5	1	3f57258dce31ba0c80002130b8657b2b
Details	md5	1	eccf100bc3d6e901f17a0eced5752ca7
Details	md5	1	dbc9223af733d0140be136cf32a990d9
Details	md5	1	ac78497929569682133e02dec9b67870
Details	md5	1	53270b3968004cb48dac1a1b239ed23d
Details	md5	1	6b41c60c24916e3c32acd90bbd7b92f9
Details	md5	1	036ab9f19b63d44aaccf0f965df9434c
Details	md5	1	2d794d1544f933aacbd8da2dad78b381
Details	md5	1	5569fb4e9140974a80b4b7587b026913
Details	md5	1	1c0059d976795ceded7c1dd706e74bd1
Details	md5	1	595d8ea258ef8d8ec70b0e8a740e903c
Details	md5	1	1ed822cc08ba08413c4a60023e0d590c
Details	md5	1	1d54c487e6c8a08517fdb8efedfcd459
Details	md5	1	7a5988423f731d8b36d01926e715dd11
Details	md5	1	41944bb155ecf70193245d8c3485dd2e
Details	md5	2	800f766f728a4418b0c682a867673341
Details	md5	2	5e1389b494edc86e17ff1783ed6b9d37
Details	md5	2	9e51506816ad620c9e6474c52a9004a6
Details	md5	1	301a7273418bceaa3fb15b15f69dd32a
Details	md5	1	b48a16fdf890283cac7484ef0911a1f2
Details	md5	3	fc53c75289309ffb7f65a3513e7519eb
Details	md5	1	78062da99751c0a520ca4ac9fa59af73
Details	md5	1	d6986d991c41afcc2e71fc30bde851d1
Details	md5	1	d67f83dcda6d01bedf08a51df7415d14
Details	md5	3	0be11b4f34ede748892ea49e473d82db
Details	md5	1	dfbdd308e22898f680b6c2c8eb052fb5
Details	md5	2	4f744666d2a2dc95419208c61e42f163
Details	Mandiant Security Validation Actions	1	A106-551
Details	Mandiant Security Validation Actions	1	A106-542
Details	Mandiant Security Validation Actions	1	A106-544
Details	Mandiant Security Validation Actions	1	A106-545
Details	Pdb	1	d:\dbs\el\na1\target\x64\ship\postc2r\x-none\winword.pdb
Details	Threat Actor Identifier - APT	665	APT29
Details	Url	2	https://tinyurl.com/mrxcjsbs
Details	Url	1	https://www.willyminiatures.com/e-yazi.htm/?v=bc78a8d162c6
Details	Url	2	https://simplesalsamix.com/e-yazi.html
Details	Url	1	https://parquesanrafael.cl/note.html
Details	Url	1	https://parquesanrafael.cl/note.php?ua=
Details	Url	3	https://api.ipify.org/?format=json
Details	Url	2	https://sylvio.com.br/form.php
Details	Url	3	https://resetlocations.com/bmw.htm
Details	Url	1	https://sgrfh.org.pk/wp-content/idx.php?n=ks&q=
Details	Url	1	https://inovaoftalmologia.com.br/note.php?ip=
Details	Url	1	https://sharpledge.com/login.php
Details	Url	1	https://t.ly/1ifg
Details	Url	1	https://tinyurl.com/ysvxa66c
Details	Url	6	https://graph.microsoft.com/v1.0/me/drive/root
Details	Url	1	https://gavice.ng/event_program.php
Details	Url	1	https://graph.microsoft.com/v1.0/me/drives/442834d38635845c/root
Details	Url	1	https://kitaeri.com/images
Details	Url	1	https://kitaeri.com/gen_204
Details	Url	1	https://kegas.id/search/s
Details	Url	1	https://sgrhf.org.pk/wp-content/idx.php?n=ks&q=
Details	Yara rule	1	rule M_Dropper_BURNTBATTER_1 { meta: author = "Mandiant" date_created = "2023/04/26" description = "Searches for the custom chaskey implementation" version = "1" weight = "100" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $chaskey_imp = { 41 81 C8 20 20 20 20 41 81 F8 6B 65 72 6E } condition: any of them }
Details	Yara rule	1	rule M_Dropper_Donut_1 { meta: author = "Mandiant" date_created = "2023-04-12" description = "Detects the structure of the Donut loader" version = "1" weight = "100" condition: uint8(0) == 0xE8 and uint32(1) == uint32(5) and uint8(uint32(1) + 5) == 0x59 }
Details	Yara rule	1	rule M_Downloader_STATICNOISE_1 { meta: author = "Mandiant" date_created = "2023-04-14" description = "Detects the deobfuscation algorithm and rc4 from STATICNOISE" version = "1" weight = "100" strings: $ = { 41 8A C8 48 B8 [8] 80 E1 07 C0 E1 03 48 D3 E8 41 30 04 10 49 FF C0 } $ = { 80 E1 07 C0 E1 03 48 B8 [8] 48 D3 E8 30 04 17 48 FF C7 48 83 FF } $ = { 40 88 2C 3A 49 8B 02 88 0C 06 45 89 0B 44 89 03 4D 8B 0A } $ = { 4D 8B 0A 46 0F BE 04 0A 44 03 C1 41 81 E0 FF 00 00 80 } condition: all of them }
Details	Yara rule	1	rule M_Dropper_MUSKYBEAT_1 { meta: author = "Mandiant" date_created = "2023-04-06" description = "Detects the RC4 encryption algorithm used in MUSKYBEAT" version = "1" weight = "100" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $ = { 42 8A 14 04 48 8D ?? ?? ?? ?? ?? 8A C2 41 02 04 08 44 02 D0 41 0F B6 CA } $ = { 41 B9 04 00 00 00 41 B8 00 30 00 00 48 8B D3 33 C9 } condition: all of them }
Details	Yara rule	1	rule M_Hunting_DaveShell_Dropper_1_2 { meta: author = "Mandiant" description = "Detects Shellcode RDI projects from https://github.com/monoxgas/sRDI/blob/master/ShellcodeRDI" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $ep = { E8 00 00 00 00 59 49 89 C8 BA [4] 49 81 C0 [4] 41 B9 [4] 56 48 89 E6 48 83 ?? F0 48 83 EC 30 48 89 4C 24 ?? 48 81 C1 [4] C7 44 24 ?? [4] E8 } condition: $ep at 0 }
Details	Domain	75	tinyurl.com
Details	Domain	2	www.willyminiatures.com
Details	Domain	3	simplesalsamix.com
Details	Domain	3	e-yazi.zip
Details	Domain	1	parquesanrafael.cl
Details	Domain	129	api.ipify.org
Details	Domain	2	sylvio.com.br
Details	Domain	3	resetlocations.com
Details	Domain	1	invintation.zip
Details	Domain	1	sgrfh.org.pk
Details	Domain	1	inovaoftalmologia.com.br
Details	Domain	3	note.zip
Details	Domain	2	sharpledge.com
Details	Domain	32	graph.microsoft.com
Details	Domain	1	gavice.ng
Details	Domain	1	kitaeri.com
Details	Domain	1	kegas.id
Details	Domain	2	sgrhf.org.pk
Details	File	1	e-yazi.htm
Details	File	1	e-yazi.iso
Details	File	3	e-yazi.html
Details	File	3	e-yazi.zip
Details	File	3	note.html
Details	File	8	note.php
Details	File	14	form.php
Details	File	3	bmw.htm
Details	File	4	bmw.iso
Details	File	1	invintation.zip
Details	File	1	idx.php
Details	File	2	e-yazi.pdf
Details	File	1	note.pdf
Details	File	3	note.iso
Details	File	1	event.pdf
Details	File	3	note.zip
Details	File	1	note____.exe
Details	File	323	winword.exe
Details	File	8	appvisvsubsystems64.dll
Details	File	1	hijacker.dll
Details	File	2	bdcmetadataresource.xsd
Details	File	2	runner.dll
Details	File	207	login.php
Details	File	9	2023.docx
Details	File	3	bmw1.png
Details	File	2	bmw2.png
Details	File	2	bmw3.png
Details	File	2	bmw4.png
Details	File	2	bmw5.png
Details	File	2	bmw6.png
Details	File	2	bmw7.png
Details	File	2	bmw8.png
Details	File	2	bmw9.png
Details	File	1	event_program.php
Details	File	1	2023_en.pdf
Details	File	1	2023_ua.pdf
Details	File	1	icucnv22.dll
Details	File	1	ed.bin
Details	File	2	invitation.svg
Details	File	4	invitation.iso
Details	File	1	ccleaner.dll
Details	File	3	ccleanerreactivator.exe
Details	File	1	invitation_farewell_de_emb.pdf
Details	File	2	invitation_farewell_de_emb.html
Details	File	1	invitation_farewell_de_emb.zip
Details	md5	1	a3067a0262e651e94329869f43a51722
Details	md5	1	eeded26943a7b2fdef7608fb21bbfd66
Details	md5	1	b051e8efb40c2c435d77f3be77c59488
Details	md5	1	854e5c592e93b69b8ab08dbc8a0b673f
Details	md5	1	1485b591e654327c1d032a901940b149
Details	md5	1	0d5b12c50173a176b0a8ba5a97a831d8
Details	md5	1	e306333093eaf198f4d416d25a40784a
Details	md5	1	38719acc6254b7ff70dc8a7723bd8e92
Details	md5	1	1aee5bf23edb7732fd0e6b2c61a959ce
Details	md5	1	b4141aa8d234137f0b9549a448158a95
Details	md5	2	295527e2e38da97167979ade004de880
Details	md5	2	50f57a4a4bf2c4b504954a36d48c99e7
Details	md5	1	ffce57940b0257a72db4969565cbcebc
Details	md5	1	4a13138e1f38b2817a63417d67038429
Details	md5	1	4b0921979d3054d9f0dad48e9560b9ca
Details	md5	1	84b078d4a9e6e2a03e8ae1eca072dc83
Details	md5	1	f4ef5672af889429d95f111ea65ff490
Details	md5	1	129da1e7c8613fd8c2843d9ec191e30e
Details	md5	1	aec65c1e6a6f9b3782174c192780f5b4
Details	md5	1	22adbffd1dbf3e13d036f936049a2e98
Details	md5	1	9e42b22d66f0fe0fae24af219773ac87
Details	md5	1	db2d9d2704d320ecbd606a8720c22559
Details	md5	1	166f7269c2a69d8d1294a753f9e53214
Details	md5	1	62b2031f8988105efdf473bdfedd07f5
Details	md5	1	efe86302838ad2ab091540f4e0f7b75a
Details	md5	1	b1820abc3a1ce2d32af04c18f9d2bfc3
Details	md5	1	9159d3c58c5d970ed25c2db9c9487d7a
Details	md5	1	bc4b0bd5da76b683cc28849b1eed504d
Details	md5	1	0065cffe5a1c6a33900b781835aa9693
Details	md5	1	16d489cc5a91e7dbe74d1c9399534eac