蔓灵花(BITTER)APT组织针对中国境内军工、核能、政府等敏感机构的最新攻击活动报告 - FreeBuf网络安全行业门户
Tags
| country: | Pakistan |
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Exploits - T1587.004 Exploits - T1588.005 Malware - T1587.001 Malware - T1588.001 |
Common Information
| Type | Value |
|---|---|
| UUID | d8e27754-7b02-4761-9ae8-6f729c7300b6 |
| Fingerprint | 5433592c2556ba8 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Dec. 25, 2018, 8:30 a.m. |
| Added to db | Sept. 26, 2022, 9:30 a.m. |
| Last updated | Oct. 22, 2024, 10:48 a.m. |
| Headline | UNKNOWN |
| Title | 蔓灵花(BITTER)APT组织针对中国境内军工、核能、政府等敏感机构的最新攻击活动报告 - FreeBuf网络安全行业门户 |
| Detected Hints/Tags/Attributes | 32/3/103 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.freebuf.com/articles/database/192726.html |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 2 | aroundtheworld123.net |
|
| Details | Domain | 2 | hartraders.com |
|
| Details | Domain | 2 | fst.gov.pk |
|
| Details | Domain | 2 | hewle.kielsoservice.net |
|
| Details | Domain | 1 | nethostsupport.ddns.net |
|
| Details | Domain | 2 | wcnchost.ddns.net |
|
| Details | Domain | 1 | spring.tulipnetworks.net |
|
| Details | Domain | 23 | www.forcepoint.com |
|
| Details | Domain | 41 | www.freebuf.com |
|
| Details | Domain | 20 | ti.360.net |
|
| Details | Domain | 23 | paper.seebug.org |
|
| Details | File | 2 | 随后将其重命名为.exe |
|
| Details | File | 1 | agencies.exe |
|
| Details | File | 1 | 而dropper释放的恶意文件为slidebar.exe |
|
| Details | File | 1 | 且很有特点的是创建一个cmd.exe |
|
| Details | File | 1 | 随后关闭cmd.exe |
|
| Details | File | 2 | dec.doc |
|
| Details | File | 63 | ctfmon.exe |
|
| Details | File | 2 | engset.php |
|
| Details | File | 1 | rankin.php |
|
| Details | File | 1 | spoolvs.exe |
|
| Details | File | 3 | 120002.html |
|
| Details | File | 1 | appendixes.pdf |
|
| Details | md5 | 2 | 25689fc7581840e851c3140aa8c3ac8b |
|
| Details | md5 | 1 | d6b565b8f95ab6e20e4f39206c8c356d |
|
| Details | md5 | 2 | 863f2bfed6e8e1b8b4516e328c8ba41b |
|
| Details | md5 | 1 | e152b5b7e9079f689ebaaa9b8fe2ed66 |
|
| Details | md5 | 1 | 9dd90551b6299787ddb478e5a0ab9eab |
|
| Details | md5 | 1 | 734e552fe9ffd1ffdea3434c62dd2e4b |
|
| Details | md5 | 1 | f099cd511e9d10d80105d96f29dd28b7 |
|
| Details | md5 | 1 | 488f39e81fa6ab497062631595da2bb8 |
|
| Details | md5 | 2 | 7cc0b212d1b8ceb808c250495d83bae4 |
|
| Details | md5 | 1 | fc516905e3237f1aa03a38a0dde84b52 |
|
| Details | md5 | 1 | c5de8edeaadc6495999bcb174a58592e |
|
| Details | md5 | 1 | 23a8ce358b16128f1ca291a284c0f6ef |
|
| Details | md5 | 1 | 3614f736035e1cf1792bf64f5864683b |
|
| Details | md5 | 1 | 13b283464f9401c653b81d9e6afe6fe4 |
|
| Details | md5 | 1 | 62bb4224d8e8ec5c3495090b09b52e1c |
|
| Details | md5 | 1 | 7195c706fab11b258c769649c7e4cce0 |
|
| Details | md5 | 2 | a1bdb1889d960e424920e57366662a59 |
|
| Details | md5 | 1 | be171b4df9b7db48c67f31c678421bfd |
|
| Details | md5 | 1 | efec7464f07633415cbc36a97b900587 |
|
| Details | md5 | 1 | f413ad5233cdf707fd1cddd53b858027 |
|
| Details | md5 | 1 | 38ba17b9ae3a4a4733d716c2ecade70d |
|
| Details | md5 | 1 | 3c4bed8d649375050dba3a3a8df87d12 |
|
| Details | md5 | 1 | adb46f52791b5e3ba26256daf3936dc8 |
|
| Details | md5 | 1 | ecca8f4c7e14bbc1e3a06b9f8a41b53a |
|
| Details | md5 | 2 | 1c2a3aa370660b3ac2bf0f41c342373b |
|
| Details | md5 | 1 | 5b942290149f5666ddfb1e2dd81a03ea |
|
| Details | md5 | 1 | e402c05ce9c46c0cf2f4e3db6f0ba4b5 |
|
| Details | md5 | 1 | 68a1ca909e2fa34b5ffe42fa62312766 |
|
| Details | md5 | 1 | 4cbfd989a44cf8f1a0025bbd07069d19 |
|
| Details | md5 | 2 | f9aeac76f92f8b2ddc253b3f53248c1d |
|
| Details | md5 | 2 | c3f5add704f2c540f3dd345f853e2d84 |
|
| Details | md5 | 2 | 8dda6f85f06b5952beaabbfea9e28cdd |
|
| Details | md5 | 1 | 525105d4f6904d567a98fac2eb25873e |
|
| Details | md5 | 1 | 84c96f8dd42d79679ce1e5dee643c58b |
|
| Details | md5 | 1 | 1960ac9d5b1192a9b2bfec15842cf3d1 |
|
| Details | md5 | 1 | aa2ed003ae8a2ccaa999aad38898d060 |
|
| Details | Pdb | 1 | d:\backupfrom old bldg\c++\new_downloader_wingames_180917\release\new_downloader.pdb |
|
| Details | Pdb | 2 | d:\c++\new_downloader_aroundtheworld123\release\audiodq.pdb |
|
| Details | Pdb | 1 | d:\backupfrom old bldg\c++\keylogger_06092017\keylogger_06022017with feature of filesizecheck n copy to neat file\offkl\release\kill.pdb |
|
| Details | Pdb | 1 | c:\users\bit\desktop\uploader-catroot 09-09-14 - edit me\final uploader for ibmsoft-16-07-2014 - copy -copy\uploader\fupldr_wapp\release\svcf.pdb |
|
| Details | Pdb | 1 | d:\c++\downloader_sandywin seperate download\release\ndlr.pdb |
|
| Details | Pdb | 1 | c:\users\john\desktop\edit\dnew23062015-runno rest req - copy\release\dwe01.pdb |
|
| Details | Pdb | 1 | c:\users\john\desktop\dnew01052015-runmul exes avgok\release\dwe01.pdb |
|
| Details | Pdb | 1 | d:\backup fromold bldg\c++\keylogger_06092017\keylogger_06022017with feature of filesizecheck n copy to neat file\offkl\release\kill.pdb |
|
| Details | Pdb | 1 | e:\data\user\mfc-projects\keyloggerwin32-spectram\release\slidebar.pdb |
|
| Details | Pdb | 1 | d:\new_downloader_healthnewsone\release\audiodq.pdb |
|
| Details | Pdb | 1 | d:\backup from oldbldg\c++\keylogger_06092017\keylogger_06022017with feature of filesize check ncopy to neat file\offkl\release\kill.pdb |
|
| Details | Pdb | 2 | d:\c++\reg_entry\reg_en\release\reg_en.pdb |
|
| Details | Pdb | 1 | g:\c++\keylogger_06022017with feature of filesizecheck n copy to neat file\offkl\release\kill.pdb |
|
| Details | Pdb | 1 | c:\users\infinite\documents\visual studio2008\projects\downwin32\release\downwin32.pdb |
|
| Details | Pdb | 1 | c:\users\anonymous\documents\visual studio2008\projects\down free\downwin32\release\downwin32.pdb |
|
| Details | Pdb | 1 | c:\users\john\desktop\dnew01052015-run mul exesavgok\release\dwe01.pdb |
|
| Details | Pdb | 1 | c:\users\john\desktop\edit\dnew23062015-run norest req - copy\release\dwe01.pdb |
|
| Details | Pdb | 1 | c:\users\predator\desktop\dwn and up forppsx\downloader_sandy _ok-sschanged av av\release\dltest1.pdb |
|
| Details | Pdb | 1 | c:\users\stone\documents\visual studio2008\projects\15mar2017\release\15mar2017.pdb |
|
| Details | Pdb | 1 | c:\users\windows 7\documents\visual studio2008\projects\12oct2017\release\12oct2017.pdb |
|
| Details | Pdb | 1 | c:\users\asterix\documents\visual studio2008\projects\28novdwn\release\28novdwn.pdb |
|
| Details | Pdb | 1 | d:\c++\downloader_sandy win seperatedownload\release\ndlr.pdb |
|
| Details | Pdb | 1 | d:\backups\projects5june2017\15mar2017\release\15mar2017.pdb |
|
| Details | Pdb | 1 | c:\tcro\release\tcro.pdb |
|
| Details | Threat Actor Identifier by Tencent | 13 | T-APT-17 |
|
| Details | Url | 1 | http://aroundtheworld123.net/healthne/healthne/regdl |
|
| Details | Url | 1 | http://aroundtheworld123.net/healthne/healthne/igfxsrvk |
|
| Details | Url | 1 | http://aroundtheworld123.net/healthne/healthne/spoolvs |
|
| Details | Url | 1 | http://khurram.com.pk/js/drv |
|
| Details | Url | 1 | http://hartraders.com/wp-sig |
|
| Details | Url | 2 | http://fst.gov.pk/images/winsvc |
|
| Details | Url | 1 | http://hewle.kielsoservice.net/engset.php |
|
| Details | Url | 1 | http://hewle.kielsoservice.net/rankin.php |
|
| Details | Url | 1 | http://nethostsupport.ddns.net |
|
| Details | Url | 1 | http://hewle.kielsoservice.net |
|
| Details | Url | 1 | http://spring.tulipnetworks.net |
|
| Details | Url | 1 | https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan |
|
| Details | Url | 3 | https://www.freebuf.com/articles/paper/120002.html |
|
| Details | Url | 1 | https://ti.360.net/blog/articles/analysis-of-apt-campaign-bitter |
|
| Details | Url | 1 | https://community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018 |
|
| Details | Url | 2 | https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families |
|
| Details | Url | 1 | https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations |
|
| Details | Url | 2 | https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork |
|
| Details | Url | 1 | https://paper.seebug.org/papers/apt/apt_cybercriminal_campagin/2013/unveilingan |