蛇从暗黑中袭来——响尾蛇(SideWinder) APT组织2020年上半年活动总结报告
Tags
| attack-pattern: | Mshta - T1218.005 Mshta - T1170 |
Common Information
| Type | Value |
|---|---|
| UUID | 91ea6560-80b5-4111-9e04-50e5b1e90bea |
| Fingerprint | 67481e35d3d00450 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Feb. 21, 2022, midnight |
| Added to db | April 15, 2023, 12:58 p.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | 蛇从暗黑中袭来——响尾蛇(SideWinder) APT组织2020年上半年活动总结报告 |
| Title | 蛇从暗黑中袭来——响尾蛇(SideWinder) APT组织2020年上半年活动总结报告 |
| Detected Hints/Tags/Attributes | 16/1/46 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/5mBqxf_v6G006EnjECoTHw |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 269 | cve-2017-0199 |
|
| Details | CVE | 43 | cve-2020-0674 |
|
| Details | CVE | 28 | cve-2019-2215 |
|
| Details | Domain | 2 | nrots.net |
|
| Details | Domain | 3 | www.d01fa.net |
|
| Details | Domain | 2 | www.fdn-en.net |
|
| Details | Domain | 4 | ap-ms.net |
|
| Details | Domain | 2 | r0dps.net |
|
| Details | Domain | 1 | www-afc.chrom3.net |
|
| Details | Domain | 4 | cloud-apt.net |
|
| Details | Domain | 2 | www.link-cdnl.net |
|
| Details | Domain | 3 | kat0x.net |
|
| Details | Domain | 1 | www.au-edu.km01s.net |
|
| Details | File | 1 | 另一类为使用mshta.exe |
|
| Details | File | 1 | %windir%\system32\cftmo.exe |
|
| Details | File | 1 | cftmo.exe |
|
| Details | File | 456 | mshta.exe |
|
| Details | File | 3 | linkzip.dll |
|
| Details | File | 2 | stinstaller.dll |
|
| Details | File | 1 | 参数1-加密的duser.dll |
|
| Details | File | 1 | %windir%\syswow64\ 拷贝 rekeywiz.exe |
|
| Details | File | 33 | duser.dll |
|
| Details | File | 1 | 以组成rekeywiz.exe |
|
| Details | File | 2 | 与duser.dll |
|
| Details | File | 1 | 并且通过写注册表启动项的方式将rekeywiz.exe |
|
| Details | File | 13 | rekeywiz.exe |
|
| Details | File | 4 | systemapp.dll |
|
| Details | File | 1 | 该组织依旧沿用了rekeywiz.exe |
|
| Details | File | 1 | 存在rekeywiz.exe |
|
| Details | File | 1 | 或者通过进程遍历查找rekeywiz.exe |
|
| Details | File | 1 | 删除目标路径为rekeywiz.exe |
|
| Details | File | 1 | 请广大win7用户务必检查自己的jscript.dll |
|
| Details | File | 1 | thread-259500.htm |
|
| Details | File | 2 | apt-c-06_0day.html |
|
| Details | File | 1 | ie-firefox-0day.html |
|
| Details | md5 | 1 | FEF12D62A3B2FBF1D3BE1F0C71AE393E |
|
| Details | md5 | 1 | 69A173DC32E084E7F1E1633526F80CA2 |
|
| Details | md5 | 1 | DBB09FD0DA004742CAC805150DBC01CA |
|
| Details | md5 | 1 | 2C798C915568B3FD8EE7909C45A43168 |
|
| Details | md5 | 1 | 865E7C8013537414B97749E7A160A94E |
|
| Details | md5 | 1 | 3AD91B31956CE49FE3736C0E7344228D |
|
| Details | md5 | 1 | D7187130CF52199FAE92D7611DC41DAC |
|
| Details | md5 | 1 | B6932A288649B3CEB9A454F808D6EB35 |
|
| Details | md5 | 1 | 7E461F6366681C5AE24920A31C3CFEC6 |
|
| Details | Threat Actor Identifier by Tencent | 27 | T-APT-04 |
|
| Details | Url | 1 | https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/•https://mp.weixin.qq.com/s/yxutg3qva169-xiyv0payq•https://mp.weixin.qq.com/s/9lfeldbkcrqx1qzgfisfpw•https://mp.weixin.qq.com/s/kb_wohp1miacgdzyhlhnga•https://mp.weixin.qq.com/s/czrdslzes4iwlatzjh7ubg•https://bbs.pediy.com/thread-259500.htm•https://blogs.360.cn/post/apt-c-06_0day.html•https://blogs.jpcert.or.jp/en/2020/04/ie-firefox-0day.html |