魔罗桫 group's new round of espionage attacks on South Asian defense industry enterprises
Common Information
Type Value
UUID 3cd5a075-6793-4fde-808a-eb6ee38ee53d
Fingerprint 10a79405dfe63295
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 21, 2022, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Dec. 21, 2024, 4:49 a.m.
Headline 魔罗桫 group's new round of espionage attacks on South Asian defense industry enterprises
Title 魔罗桫 group's new round of espionage attacks on South Asian defense industry enterprises
Detected Hints/Tags/Attributes 15/2/35
Attributes
Details Type #Events CTI Value
Details Domain 4
msoffice.user-assist.site
Details Domain 3
syncronize.3utilities.com
Details File 3
army.docx
Details File 1
The malicious code drops and loads the embedded bing.dll
Details File 1
The original file name is linknew.dll
Details File 1
content is downloaded to the local machine and named update.exe
Details File 1
The malicious file first injects itself into explorer.exe
Details File 1
The malicious file then copies itself via COM functionality and renames the copy update.exe
Details File 1
c:\programdata\software\update.exe
Details File 1
c:\users\xxxx\appdata\roaming\svchost.exe
Details File 1199
svchost.exe
Details File 1
is update.exe
Details File 1
abuses pkgmgr.exe
Details File 25
dism.exe
Details File 1
uses its launch mechanism plus COM functionality to replace the system's dismcore.dll
Details File 1
then drops programs.bat
Details File 3
programs.bat
Details File 1
c:\users\xxxx\appdata\roaming\microsoft\windows\start menu\programs\startup\programs.bat
Details File 1
the parent of the startup file is the programs.bat described above
Details File 1
finally identified as update.exe
Details File 3
bing.dll
Details File 17
dismcore.dll
Details IPv4 1
45.147.231.232
Details IPv4 2
45.84.204.148
Details Pdb 3
c:\users\admin\documents\dll\linknew\release\linknew.pdb
Details Url 1
http://msoffice.user-assist.site/update/content is downloaded to the local machine and named update.exe; a shortcut named update.lnk is then created in the startup directory so the file launches after subsequent reboots. On 32-bit systems, the malicious file first injects itself into the explorer.exe process, after which it copies itself via COM functionality and renames the copy update.exe
Details Url 2
http://msoffice.user-assist.site/refresh/word
Details Url 2
http://msoffice.user-assist.site/update/content
Details Windows Registry Key 199
HKCU\Software\Microsoft\Windows\CurrentVersion\Run