Darkhotel(APT-C-06)组织利用Thinmon后门框架的多起攻击活动揭秘
Tags
| attack-pattern: | Data Software - T1592.002 |
Common Information
| Type | Value |
|---|---|
| UUID | 6359ea55-9605-4096-9a58-1432b8b6a1ae |
| Fingerprint | 2fde4ea4731d403b |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 21, 2022, midnight |
| Added to db | Sept. 26, 2022, 9:31 a.m. |
| Last updated | Oct. 22, 2024, 10:48 a.m. |
| Headline | Darkhotel(APT-C-06)组织利用Thinmon后门框架的多起攻击活动揭秘 |
| Title | Darkhotel(APT-C-06)组织利用Thinmon后门框架的多起攻击活动揭秘 |
| Detected Hints/Tags/Attributes | 14/1/183 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 2 | account163-mail.com |
|
| Details | Domain | 2 | apple-onlineservice.com |
|
| Details | Domain | 2 | onlineservice.bounceme.net |
|
| Details | Domain | 41 | www.freebuf.com |
|
| Details | File | 2 | 下发的后门程序被伪装成了漏洞升级补丁kb3928472.exe |
|
| Details | File | 28 | wlbsctrl.dll |
|
| Details | File | 2 | wmdusdt.dat |
|
| Details | File | 2 | sublogus.dat |
|
| Details | File | 15 | update.dll |
|
| Details | File | 1 | 该组织通常将payload伪装成wlbsctrl.dll |
|
| Details | File | 1 | ikeext服务自动启动并加载wlbsctrl.dll |
|
| Details | File | 1 | 攻击者先在系统中安装正常的打印服务tpwinprn.dll |
|
| Details | File | 2 | 由于tpwinprn.dll |
|
| Details | File | 1 | 运行时会去加载模块文件thinmon.dll |
|
| Details | File | 2 | 因此攻击者会下发伪装成thinmon.dll |
|
| Details | File | 2 | 通过注册表安装tpwinprn.dll |
|
| Details | File | 2 | 正常的tpwinprn.dll |
|
| Details | File | 2 | 加载thinmon.dll |
|
| Details | File | 2 | 主要以thinmon.dll |
|
| Details | File | 2 | 解密文件后注入service.exe |
|
| Details | File | 1 | 远控模块使用了开源项目meterpreter的metsrv.dll |
|
| Details | File | 2 | 并在该目录下写入jusched.htm |
|
| Details | File | 2 | 其中jusched.htm |
|
| Details | File | 2 | ascfree.php |
|
| Details | File | 2 | pack1.dat |
|
| Details | File | 2 | pack2.dat |
|
| Details | File | 2 | pack3.dat |
|
| Details | File | 2 | 360safe.css |
|
| Details | File | 2 | sfverify.php |
|
| Details | File | 2 | 171254.html |
|
| Details | md5 | 2 | f6bb14997964930cae7d91f1250551c0 |
|
| Details | md5 | 2 | 67b65dff4b436d0ffeacb8c73ffbfb65 |
|
| Details | md5 | 2 | 9b66952270bee7560f48999b003e9fb1 |
|
| Details | md5 | 2 | 58f6a9c7b9c075b5b0e4d1d6f8d70283 |
|
| Details | md5 | 2 | 32c3937fc91f2bf4a36ea99ffd0cbb77 |
|
| Details | md5 | 2 | e88aad7dfac4e60acbc42322bdcb920a |
|
| Details | md5 | 2 | 38a67aa7a9365c1df62094e1d25bad3d |
|
| Details | md5 | 2 | 12828458034f3fcb7215b1428ca5ed18 |
|
| Details | md5 | 2 | 05db01d01657c484bd10b8bd14a8e74f |
|
| Details | md5 | 2 | bee985e833e864aec5c2502f0228a4a3 |
|
| Details | md5 | 2 | ea2444e6a9947b686f7c2cec0abed87f |
|
| Details | md5 | 2 | e74cf875fbd03fe47fdd5c6631213502 |
|
| Details | md5 | 2 | 49fd304ef3ed638cd08ef895c55e998d |
|
| Details | md5 | 2 | aeb995a0ae6cab11fe8fbcd2ca413e09 |
|
| Details | md5 | 2 | 81868cb673f40ef1ee1a3c0d3b0a66c9 |
|
| Details | md5 | 2 | 82868815710d0428a1c893ce923ce102 |
|
| Details | md5 | 2 | 24e4c5eefb59b707879c89a33455b016 |
|
| Details | md5 | 2 | bb552beabf99b014bb8c841b0ad91df4 |
|
| Details | md5 | 2 | 40ece520b9562cd84a7d869fe3c89dab |
|
| Details | md5 | 2 | fb391f0cd34121fb412e2ead65283a3f |
|
| Details | md5 | 2 | aa517a3f48deb2eb08965731c593e2fc |
|
| Details | md5 | 2 | cc8f707c40b5b810dcb1ee8583e7b94f |
|
| Details | md5 | 2 | c44bbe3e576ac7d52dbebec3ccbadb51 |
|
| Details | md5 | 2 | f7fcd54f2814dc31d8614fb444c5f732 |
|
| Details | md5 | 2 | 227abe5dc940307ac3074a930d8c3c3c |
|
| Details | md5 | 2 | dfcf5c5ef07892d793714e7c91248777 |
|
| Details | md5 | 2 | 6c8079c065f1d64dccbce9ee43066f80 |
|
| Details | md5 | 2 | cf4908e291f147359e7c84ff1475c3a6 |
|
| Details | md5 | 2 | 59f1f2c0090b119b1565c5f7d4807d18 |
|
| Details | md5 | 2 | 5812ee7b18ac055e504e068cc18b4d09 |
|
| Details | md5 | 2 | a614701769e2ab31c12f06bf65c1984c |
|
| Details | md5 | 2 | 2cc60b641c6b6f0f9603e190d6cf32ab |
|
| Details | md5 | 2 | 183460d874392ff9b3ccacfc460814f3 |
|
| Details | md5 | 2 | 8f2d7f328c3a161fdbbeec851d3bceba |
|
| Details | md5 | 2 | 595f52e7609ea101e9b81826c2a7f4fd |
|
| Details | md5 | 2 | 1f4de902321ce4c646580b60e75a91e8 |
|
| Details | md5 | 2 | da1ffe2b24e9f6148d0932b3053ba10a |
|
| Details | md5 | 2 | a74bc3e40d597c362c12370575c79308 |
|
| Details | md5 | 2 | ed5c6af5dd328bb1d8d1354e4eea4d88 |
|
| Details | md5 | 2 | 89849da283f0473bc6f5449d281f5bc8 |
|
| Details | md5 | 2 | 156d3ede86b1d47142ba26a566a319c6 |
|
| Details | md5 | 2 | 6054ba191cae52455f92cdb11cbfd4dd |
|
| Details | md5 | 2 | ec227a3e29bec0c43759bf8783bdca93 |
|
| Details | md5 | 2 | 39bceabd1df729ca500967ef577162a2 |
|
| Details | md5 | 2 | 52d1754cbd4ada3fed909a0126ced593 |
|
| Details | md5 | 2 | 8d0aa12bb77a7588ab67e2fbde402ae1 |
|
| Details | md5 | 2 | 5ca7052c60024f8a768343989f126af4 |
|
| Details | md5 | 2 | cb6fd1ca131800174f2b7e6c93040292 |
|
| Details | md5 | 2 | 271b6c538dfe64a5de275671520d51ab |
|
| Details | md5 | 2 | 833a604d7b9f6626584ff6da2ca1fe1a |
|
| Details | md5 | 2 | 908a3af309f12b509f30dff4073c41c2 |
|
| Details | md5 | 2 | b9013c4252103795c74b84547bfc212e |
|
| Details | md5 | 2 | 4eca750e9817b38695ac4d49d09f42b6 |
|
| Details | md5 | 2 | 2d958190c963b07fed077103d2c0c165 |
|
| Details | md5 | 2 | fe3812eaea1dde2bda7efcac10bc3875 |
|
| Details | md5 | 2 | 39c63176a48ca16cc81029ca80606c8b |
|
| Details | md5 | 2 | d2ae4cd314969838ad2368dfb683caef |
|
| Details | md5 | 2 | 6e6924d8032120700a023f6a54a0b44c |
|
| Details | md5 | 2 | d26f9034e6e681c3117010cf155a7d0d |
|
| Details | md5 | 2 | 0fafcbeb7cf6f5d170056ef8f5ef899d |
|
| Details | md5 | 2 | 099748c21565b48d8dda8df02313cb00 |
|
| Details | md5 | 2 | a44cc189fdf364ef3c72b40bad6dc205 |
|
| Details | md5 | 2 | b752653c818d616b7098b74202c66e5c |
|
| Details | md5 | 2 | afcae8c39967e0b34e07b6de7b40dc47 |
|
| Details | md5 | 2 | c67edaa6a4fe3d633abeea1c3faaa216 |
|
| Details | md5 | 2 | c28222727ee1ad1934a2fc834d3aa496 |
|
| Details | md5 | 2 | 247ca9c7e4eb353d8febac292e1db7c3 |
|
| Details | md5 | 2 | a717291bf45e8b87dc5681e6e3b35cb6 |
|
| Details | md5 | 2 | 02584732906684d2da99e5d79c80a8fc |
|
| Details | md5 | 2 | 61a304da9df9b2a07a0e6047b46f3931 |
|
| Details | md5 | 2 | a208ac02c6a311e7f3f4034c9fdc2d9e |
|
| Details | md5 | 2 | b5ed77f2cc2c8b071791be2f17b27b11 |
|
| Details | md5 | 2 | 63048a073cd69cdb71727e69aaf7433b |
|
| Details | md5 | 2 | d4dbd113ff2060f5a9ed3de7aec97fe4 |
|
| Details | md5 | 2 | 050e5bd75dabea59ae26894dae45960d |
|
| Details | md5 | 2 | bde8aa9dbb8d24719b80a249869e58b8 |
|
| Details | md5 | 2 | aff2eedc9f872ea3ce64c4c127cbf3d5 |
|
| Details | md5 | 2 | b0e8edfcfc264b21c65dfb46b5105d6d |
|
| Details | md5 | 2 | 88a2e9efe5d264de7136d5ec2ac18557 |
|
| Details | md5 | 2 | 3e7efbed5846602fbfca3fa9b1c34d4c |
|
| Details | md5 | 2 | 07bd08cf86f8c31806829688dbfd104a |
|
| Details | md5 | 2 | 191ac1a11e1cf96df267c0ccd85c5656 |
|
| Details | md5 | 2 | 02635a1f3d27a8780961f6463c8d8879 |
|
| Details | md5 | 2 | 3bf9370520bbe071b6820070ec8cead5 |
|
| Details | md5 | 2 | 1b0f92afa9c4dd1464ea2a9bb090ab33 |
|
| Details | md5 | 2 | 51cf8f6f9290b934d00a3fac0f196b3b |
|
| Details | md5 | 2 | 8bc015f728cd21fd8d6e8617bd86edd0 |
|
| Details | md5 | 2 | 5ffd69b00c96c84e298edd74ec2994cd |
|
| Details | md5 | 2 | 86d0a914b84b09e81fac347e4f6ec81b |
|
| Details | md5 | 2 | a711d13de8badc06bb0a6566aeef5b99 |
|
| Details | md5 | 2 | bda63d70557114e33c745ff8d2eb076b |
|
| Details | md5 | 2 | 42bfe662c68bef328a2e25365132eb9d |
|
| Details | md5 | 2 | 4e744f7ad4db3c605b4707eec5ee5f34 |
|
| Details | md5 | 2 | 3cd789528d1805149a818840fd3865cb |
|
| Details | md5 | 2 | d57f99432db7a2c1668654eb4f3d7d98 |
|
| Details | md5 | 2 | 0ab275dac59803a1ad692c1c58678666 |
|
| Details | md5 | 2 | 96a88ce3fede3b20de058ea1139b2de4 |
|
| Details | md5 | 2 | b256ad66b3670ae9735f03f9a89c85c9 |
|
| Details | md5 | 2 | f1f0033b446fca7894f8442421b2d94a |
|
| Details | md5 | 2 | 9ea0f11501e1b3c6960d43fee2dc9c50 |
|
| Details | md5 | 2 | 013d4dd1d8f9c7cd47b99328db78d781 |
|
| Details | md5 | 2 | 020274f8a575e5d3e277eadd1051acd1 |
|
| Details | md5 | 2 | efe9017e8fa38474673b0a75d00c1501 |
|
| Details | md5 | 2 | 8ba2ef1fd12a5006b7cd2973827e54f6 |
|
| Details | md5 | 2 | 45f9876d0313be5d43000a61bcbb9094 |
|
| Details | md5 | 2 | 3252795620ae504c6e7be84dd3675633 |
|
| Details | md5 | 2 | c8a6737feba2d6c9d110dca98c68fe01 |
|
| Details | md5 | 2 | ed26df1cf67ab1aedf168adc81982c68 |
|
| Details | md5 | 2 | ee351896703cb780d1402e3575bb133d |
|
| Details | md5 | 2 | 21acec60f4025e7293e320857f702ffa |
|
| Details | md5 | 2 | ecd59fe4e80883f36a6db7b505722d40 |
|
| Details | md5 | 2 | cd14348d154afbd3eac69c1d185433ee |
|
| Details | md5 | 2 | 53e44e7c89f2a03ca5530d0de083e37c |
|
| Details | md5 | 2 | 8f9915566f49ca190970024884a60ff7 |
|
| Details | md5 | 2 | 4f7ab80c7eaa1f1bc5b8eda1ae934d4a |
|
| Details | md5 | 2 | 8ce38a6e9c1f9b33b236cf8e874b10dd |
|
| Details | md5 | 2 | 9c4c59b6c1f9c6748e29f974ef1aa29c |
|
| Details | md5 | 2 | 5c270a1bc3fbd338277635b273d07d6e |
|
| Details | md5 | 2 | 9ec0ea047c488b2293c41cc94684343c |
|
| Details | md5 | 2 | 290f69d8b342bf1881d237934943d9f3 |
|
| Details | md5 | 2 | 1647902f72f7bfe19b2685836545d5a0 |
|
| Details | md5 | 2 | a765e31e02acf7849430bfc20314325d |
|
| Details | md5 | 2 | b68322ca486c5b40e1139010629e4404 |
|
| Details | md5 | 2 | cc06a27d43bdce4cea40d484cedfb854 |
|
| Details | md5 | 2 | cdff194c6a2428caa86fa9941e743171 |
|
| Details | md5 | 2 | d4bd05f7101a1c20165cf1a10ca0bd83 |
|
| Details | md5 | 2 | db22937b4b0e350cb7092b9b689d7fb6 |
|
| Details | md5 | 2 | 869ecd7f6b44be679f32f7b5fb7b32a2 |
|
| Details | md5 | 2 | 703e15d526b4268ebe57cf0cd12bf268 |
|
| Details | md5 | 2 | 02a87a84c961619a650ca31e61ee2134 |
|
| Details | md5 | 2 | 5d1d4aabe132309cb914724e02280fca |
|
| Details | md5 | 2 | 9d5b97ba0bf6a5bab004b98b7974b0b5 |
|
| Details | md5 | 2 | 50ded49ecac8984b806768eb0675bc01 |
|
| Details | md5 | 2 | 86a1f796668191113692d02a99e2eb97 |
|
| Details | md5 | 2 | 71709a1f32f62ee9a7560eef969c589d |
|
| Details | md5 | 2 | 65723802d9912da7f3f84e50e20caddf |
|
| Details | md5 | 2 | b2f7c0d2eddcb6430544ddcfa06a9bd5 |
|
| Details | md5 | 2 | f3437776d4854bb5cfd5df8db67c2009 |
|
| Details | IPv4 | 2 | 206.221.187.130 |
|
| Details | IPv4 | 2 | 185.4.227.2 |
|
| Details | IPv4 | 2 | 134.119.220.118 |
|
| Details | IPv4 | 2 | 185.198.56.191 |
|
| Details | Threat Actor Identifier - APT-C | 24 | APT-C-06 |
|
| Details | Url | 2 | http://account163-mail.com/recommend/ascfree.php |
|
| Details | Url | 2 | http://apple-onlineservice.com/recommend/ascfree.php |
|
| Details | Url | 2 | http://onlineservice.bounceme.net/recommend/ascfree.php |
|
| Details | Url | 2 | http://134.119.220.118/update64/pack1.dat |
|
| Details | Url | 2 | http://134.119.220.118/update64/pack2.dat |
|
| Details | Url | 2 | http://134.119.220.118/update64/pack3.dat |
|
| Details | Url | 2 | http://134.119.220.118/360safe.css |
|
| Details | Url | 2 | http://185.198.56.191:80/sfverify.php |
|
| Details | Url | 2 | https://www.freebuf.com/articles/paper/171254.html |
|
| Details | Windows Registry Key | 1 | HKLM\software\classes\CLSID |