Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
Common Information
Type Value
UUID bba5d82c-e48d-4074-9af9-16bab285cf53
Fingerprint a6351831882e03a1
Analysis status DONE
Considered CTI value 2
Text language
Published July 3, 2019, midnight
Added to db Jan. 16, 2023, 4:59 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
Title Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
Detected Hints/Tags/Attributes 87/3/106
Attributes
Details Type #Events CTI Value
Details CVE 58
cve-2018-0798
Details CVE 375
cve-2017-11882
Details CVE 117
cve-2018-0802
Details Domain 1
vvcxvsdvx.dynamic-dns.net
Details Domain 2
loge.otzo.com
Details File 1208
powershell.exe
Details File 1
argetflag.dat
Details File 5
app.doc
Details File 2
17.doc
Details File 3
жагсаалт.doc
Details File 3
team.doc
Details File 2
doc.rtf
Details File 2
reformu-not-3.doc
Details File 1
02_2019_tt-bng.doc
Details File 3
nghi.doc
Details File 1
anh.doc
Details File 1
uuganaa-test.doc
Details File 1
-vpcp.doc
Details File 1
20181217.doc
Details File 1
studies.rtf
Details File 1
cục.doc
Details File 15
wsc_proxy.exe
Details File 18
wsc.dll
Details File 1
\users\username\appdata\local\temp\wsc_proxy.exe
Details File 44
logo.png
Details File 1
chromeapp.ps1
Details File 1
chromeapp.vbs
Details File 1
capp.php
Details File 20
rastls.dll
Details File 4
intelgraphicscontroller.exe
Details File 28
word.exe
Details File 1
unib490.bat
Details File 1
unib4a0.bat
Details File 15
s.bin
Details File 68
config.ini
Details File 1
c:\users\iran\desktop\s.bin
Details IPv4 1
185.216.35.11
Details IPv4 1
185.234.73.4
Details IPv4 4
217.69.8.255
Details IPv4 1
138.68.133.211
Details Mandiant Temporary Group Assumption 8
TEMP.TRIDENT
Details Windows Registry Key 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IntelGraphicsController
Details Yara rule 1
rule RTF_Equation_Editor_CVE_2018_0798 {
	meta:
		author = "Anomali"
		tlp = "GREEN"
		version = "1.0"
		date = "2019-05-10"
		hash = "264cee1c1854698ef0eb3a141912db40"
		description = "Detects Malicious RTFs exploiting CVE-2018-0798"
	strings:
		// Embedded OLE objects in RTF are stored as ASCII hex digits, so this
		// text string matches the hex-encoded Equation Editor record bytes as
		// they appear in the document stream, not the decoded binary.
		$S1 = "4460606060606060606061616161616161616161616161616161fb0b"
		// RTF header "{\rt": the backslash must be escaped in a YARA text
		// string, otherwise "\r" is read as a carriage return and never matches.
		$RTF = "{\\rt"
	condition:
		$RTF at 0 and $S1
}