Virus Bulletin :: VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
Common Information
Type | Value |
---|---|
UUID | b6aad8e6-e447-4069-9d5f-cf0bfaa30ad1 |
Fingerprint | a431ab13a5d70fcd |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 17, 2019, midnight |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers |
Title | Virus Bulletin :: VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers |
Detected Hints/Tags/Attributes | 168/3/186 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 4 | | cve-2018-8570 |
Details | CVE | 117 | | cve-2018-0802 |
Details | CVE | 375 | | cve-2017-11882 |
Details | CVE | 269 | | cve-2017-0199 |
Details | CVE | 51 | | cve-2014-1761 |
Details | CVE | 176 | | cve-2012-0158 |
Details | CVE | 58 | | cve-2018-0798 |
Details | CVE | 30 | | cve-2015-7645 |
Details | CVE | 57 | | cve-2016-4117 |
Details | CVE | 32 | | cve-2016-1019 |
Details | CVE | 63 | | cve-2017-8570 |
Details | Domain | 358 | | pastebin.com |
Details | Domain | 3 | | mtanews.vzglagtime.net |
Details | Domain | 5 | | enterprise.verizon.com |
Details | Domain | 170 | | www.sans.org |
Details | Domain | 184 | | www.fireeye.com |
Details | Domain | 403 | | securelist.com |
Details | Domain | 1 | | seebug.org |
Details | Domain | 23 | | paper.seebug.org |
Details | Domain | 4127 | | github.com |
Details | Domain | 16 | | www.anquanke.com |
Details | Domain | 8 | | myonlinesecurity.co.uk |
Details | Domain | 6 | | dodcio.defense.gov |
Details | Domain | 1373 | | twitter.com |
Details | Domain | 224 | | unit42.paloaltonetworks.com |
Details | Domain | 317 | | bit.ly |
Details | File | 6 | | qclite.dll |
Details | File | 5 | | qcconsol.exe |
Details | File | 1122 | | svchost.exe |
Details | File | 142 | | wmiprvse.exe |
Details | File | 2 | | afer125419.tmp |
Details | File | 3 | | жагсаалт.doc |
Details | File | 3 | | team.doc |
Details | File | 20 | | rastls.dll |
Details | File | 4 | | intelgraphicscontroller.exe |
Details | File | 2 | | summit_archive_1548184559.pdf |
Details | File | 1 | | how_rtf_malware_evad.html |
Details | File | 3 | | normanshark-maudioperation.pdf |
Details | File | 2 | | reaver-mapping-connections-between-disparate-chinese-apt-groups.html |
Details | File | 2 | | cyberdis-impplan.pdf |
Details | Github username | 15 | | decalage2 |
Details | IPv4 | 4 | | 217.69.8.255 |
Details | Mandiant Temporary Group Assumption | 44 | | TEMP.PERISCOPE |
Details | Mandiant Temporary Group Assumption | 8 | | TEMP.TRIDENT |
Details | Mandiant Temporary Group Assumption | 35 | | TEMP.HEX |
Details | Threat Actor Identifier - APT | 143 | | APT40 |
Details | Url | 1 | | https://enterprise.verizon.com/resources/reports/dbir/ |
Details | Url | 1 | | https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1548184559.pdf |
Details | Url | 1 | | https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html |
Details | Url | 1 | | https://securelist.com/disappearing-bytes/84017/ |
Details | Url | 2 | | https://paper.seebug.org/papers/apt/apt_cybercriminal_campagin/2012/normanshark-maudioperation.pdf |
Details | Url | 1 | | https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html |
Details | Url | 2 | | https://github.com/decalage2/oletools/issues/307 |
Details | Url | 1 | | https://www.anquanke.com/post/id/168455 |
Details | Url | 1 | | https://myonlinesecurity.co.uk/scan-from-a-samsung-mfp-malspam-delivers-locky-osiris/ |
Details | Url | 2 | | https://dodcio.defense.gov/portals/0/documents/cyber/cyberdis-impplan.pdf |
Details | Url | 1 | | https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain |
Details | Url | 1 | | https://twitter.com/gossithedog/statuses/1118478326908248064 |
Details | Url | 1 | | https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ |
Details | Url | 1 | | https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/ |
Details | Yara rule | 1 | | rule Royal_Road_RTF_weaponizer (reproduced below) |

The Yara rule attribute, as extracted from the page:

```yara
rule Royal_Road_RTF_weaponizer {
    meta:
        author = "Anomali"
        tlp = "GREEN"
        version = "2.0"
        date = "2018-11-10"
        hash = "9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e"
        description = "Detects malicious Royal Road RTF from object dimension"
    strings:
        $S1 = "objw2180\\objh300"
        $RTF = "{\\rt"
    condition:
        $RTF at 0 and $S1
}
```