Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
Tags
| country: | Laos |
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Control Panel - T1218.002 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Server - T1583.004 Server - T1584.004 Visual Basic - T1059.005 Windows Credential Manager - T1555.004 Tool - T1588.002 Powershell - T1086 |
Common Information
| Type | Value |
|---|---|
| UUID | 9c6ef27c-582f-4d74-afc1-a27d71606b81 |
| Fingerprint | 85050c3803ed88d1 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 20, 2019, midnight |
| Added to db | Sept. 11, 2022, 12:48 p.m. |
| Last updated | Nov. 17, 2024, 10:40 p.m. |
| Headline | Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments |
| Title | Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments |
| Detected Hints/Tags/Attributes | 95/3/66 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | sha256 | 1 | a1d9f5b9ca7dda631f30bd1220026fc8c3a554d61db09b5030b8eb9d33dc9356 |
|
| Details | sha256 | 1 | c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e |
|
| Details | sha256 | 1 | cb7ecd6805b12fdb442faa8f61f6a2ee69b8731326a646ba1e8886f0a5dd61e0 |
|
| Details | sha256 | 1 | db9902cb42f6dc9f1c02bd3413ab3969d345eb6b0660bd8356a0c328f1ec0c07 |
|
| Details | sha256 | 1 | e0c316b1d9d3d9ec5a97707a0f954240bbc9748b969f9792c472d0a40ab919ea |
|
| Details | sha256 | 1 | 5da013a64fd60913b5cb94e85fc64624d0339e09d7dce25ab9be082f0ca5e38b |
|
| Details | sha256 | 1 | c8a864039f4d271f4ab6f440cbc14dffd8c459aa3af86f79f0619a13f67c309f |
|
| Details | sha256 | 1 | 588fd8eba6e62c28a584781deefe512659f6665daeb8c85100e0bf7a472ad825 |
|
| Details | sha256 | 1 | cda5b20712e59a6ba486e55a6ab428b9c45eb8d419e25f555ae4a7b537fc2f26 |
|
| Details | sha256 | 1 | 694d9c8a1f0563c08e0d3ab7d402ffbf5a0fa11340c50fba84d709384ccef021 |
|
| Details | sha256 | 1 | caaed70daa7832952ae93f41131e74dcb6724bb8669d18f28fbed4aa983fdc0c |
|
| Details | sha256 | 1 | 493eee2c55810201557ef0e5d134ca0d9569f25ae732df139bb0cb3d1478257f |
|
| Details | sha256 | 1 | 0e9c3779fece579bed30cb0b7093a962d5de84faa2d72e4230218d4a75ee82bc |
|
| Details | sha256 | 1 | 5bbeed53aaa40605aabbfde31cbfafd5b92b52720e05fa6469ce1502169177a0 |
|
| Details | sha256 | 1 | d153e4b8a11e2537ecf99aec020da5fad1e34bbe79f617a3ee5bc0b07c3abdca |
|
| Details | sha256 | 1 | 10d1bfd5e8e1c8fa75756a9f1787c3179da9ab338a476f1991d9e300c6186575 |
|
| Details | sha256 | 1 | 3fbec774da2a145974a917aeb64fc389345feb3e581b46d018077e28333601a5 |
|
| Details | sha256 | 1 | 52169d7cdd01098efdde4da3fb22991aaa53ab9e02db5d80114a639bf65bce39 |
|
| Details | sha256 | 1 | 56098ed50e25f28d466be78a36c643d19fedc563a2250ae86a6d936318b7f57e |
|
| Details | sha256 | 1 | 595a54f0bbf297041ce259461ae8a12f37fb29e5180705eafb3668b4a491cecc |
|
| Details | sha256 | 1 | 5dc26566b4dec09865ea89edd4f9765ef93e789870ed4c25fcc4ebad19780b40 |
|
| Details | sha256 | 1 | 6b60b27385738cac65584cf7d486913ff997c66d97a94e1dde158c9cd03a4206 |
|
| Details | sha256 | 1 | 846a95a26aac843d1fcec51b2b730e9e8f40032ee4f769035966169d68d144c4 |
|
| Details | sha256 | 1 | c4a6db706c59a5a0a29368f80731904cc98a26e081088e5793764a381708b1ea |
|
| Details | sha256 | 1 | d0b99353cb6500bb18f6e83fe9eed9ce16e5a8d5b940181e5eafd8d82f328a59 |
|
| Details | sha256 | 1 | ee7f92a158940a0b5d9b902eb0ed9a655c7e6ba312473b1e2c9ef80d58baa6dd |
|
| Details | sha256 | 2 | 454e6c3d8c1c982cd301b4dd82ec3431935c28adea78ed8160d731ab0bed6cb7 |
|
| Details | sha256 | 1 | 4ecb587ee9b872747408c00de5619cb6b973e7d39ce4937655c5d1a07b7500fc |
|
| Details | sha256 | 1 | 528e2567e24809d2d0ba96fd70e41d71c18152f0f0c4f29ced129ed7701fa42a |
|
| Details | sha256 | 1 | 6928e212874686d29c85eac72553ccdf89aacb475c61fa3c086c796df3ab5940 |
|
| Details | sha256 | 1 | b22bbda8f504f8cced886f566f954cc245f3e7c205e57139610bbbff0412611c |
|
| Details | sha256 | 1 | d52b08dd27f2649bad764152dfc2a7dea0c8894ce7c20b51482f4a4cf3e1e792 |
|
| Details | sha256 | 1 | e7e41b3d7c0ee2d0939bb56d797eaf2dec44516ba54b8bf1477414b03d4d6e48 |
|
| Details | sha256 | 1 | ec3da59d4a35941f6951639d81d1c5ff73057d9cf779428d80474e9656db427c |
|
| Details | sha256 | 1 | fbefe503d78104e04625a511528584327ac129c3436e4df09f3d167e438a1862 |
|
| Details | IPv4 | 1 | 94.249.192.182 |
|
| Details | IPv4 | 1 | 185.141.62.32 |
|
| Details | IPv4 | 1 | 212.21.52.110 |
|
| Details | Threat Actor Identifier - APT | 258 | APT34 |
|
| Details | Url | 1 | https://vision2030.tk/static/googleupdate.txt |
|
| Details | Url | 1 | https://dubaiexpo2020.cf/counter.aspx |
|
| Details | Url | 1 | https://microsoft.updatemeltdownkb7234.com/windows/update.aspx |
|
| Details | Url | 1 | https://codewizard.ml/productivity/update.aspx |
|
| Details | Domain | 1 | vision2030.tk |
|
| Details | Domain | 1 | vision2030.cf |
|
| Details | Domain | 1 | dubaiexpo2020.cf |
|
| Details | Domain | 1 | microsoft.updatemeltdownkb7234.com |
|
| Details | Domain | 1 | codewizard.ml |
|
| Details | Domain | 2 | updatenodes.site |
|
| Details | Domain | 1 | markham-travel.com |
|
| Details | Domain | 1 | zebra.wikaba.com |
|
| Details | File | 1 | photobased.dll |
|
| Details | File | 1208 | powershell.exe |
|
| Details | File | 226 | certutil.exe |
|
| Details | File | 1 | msfgi.exe |
|
| Details | File | 1 | javavs.exe |
|
| Details | File | 7 | javaws.exe |
|
| Details | File | 1 | tasklistw.exe |
|
| Details | File | 2126 | cmd.exe |
|
| Details | File | 1 | googleupdate.txt |
|
| Details | File | 2 | counter.aspx |
|
| Details | File | 2 | update.aspx |
|
| Details | sha256 | 1 | 24fe571f3066045497b1d8316040734c81c71dcb1747f1d7026cda810085fad7 |
|
| Details | sha256 | 2 | 66893ab83a7d4e298720da28cd2ea4a860371ae938cdd86035ce920b933c9d85 |
|
| Details | sha256 | 1 | 7942eee31d8cb1c8853ce679f686ee104d359023645c7cb808361df791337145 |
|
| Details | sha256 | 1 | 7bd3ff9ba43020688acaa05ce4e0a8f92f53d9d9264053255a5937cbd7a5465e |