Energetic Bear/Crouching Yeti: attacks on servers
Common Information
Type Value
UUID bebf04e3-9eea-4cc5-bdc6-cc7ecd84c944
Fingerprint 95cb8c4b0071a685
Analysis status DONE
Considered CTI value 2
Text language
Published April 23, 2018, 10 a.m.
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Energetic Bear/Crouching Yeti: attacks on servers
Title Energetic Bear/Crouching Yeti: attacks on servers
Detected Hints/Tags/Attributes 105/3/46
Attributes
Details Type #Events CTI Value
File 4 filename.png
File 2 ftpchecker.py
File 4 ini.php
File 5 mysql.php
File 2 opts.php
File 2 error_log.php
File 2 code29.php
File 2 proxy87.php
File 7 theme.php
File 2 sma.php
File 3 media.php
File 2 db-config.php
File 2 find-smbtrap.txt
File 2 find-dirsearch.txt
File 2 find-nmap.txt
File 2 find-wpscan.txt
File 2 find-sublist3r.txt
File 2 dpkg-grep.txt
File 2 openssh-server.md5
File 2 sshd.md5
File 2 rpm-grep.txt
File 2 rpm-qa-dump.txt
Github username 1 phpfilemanager
Github username 2 bediger4000
Github username 4 jivoi
Github username 14 sqlmapproject
Url 2 file://ip/filename.png
Url 1 https://github.com/phpfilemanager/wso
Url 2 https://github.com/bediger4000/php-malware-analysis/tree/master/db-config.php
Url 2 https://github.com/jivoi/openssh-backdoor-kit
Url 7 https://github.com/sqlmapproject/sqlmap.git
Yara rule 2
rule Backdoored_ssh {
	strings:
		$a1 = "OpenSSH"
		$a2 = "usage: ssh"
		$a3 = "HISTFILE"
	condition:
		// ELF magic (bytes 7f 45 4c 46 read as a little-endian uint32), file under 1 MB,
		// and all three strings present: an ssh binary that also references HISTFILE
		uint32(0) == 0x464c457f and filesize < 1000000 and all of ($a*)
}