South Korean APT group "伪猎者" (Pseudo Hunter) exploits vulnerabilities in multiple Chinese domestic software products in attacks against China | CTF导航
Tags
Common Information
Type Value
UUID f74c65b6-d8ee-4554-abf7-8919328d6efb
Fingerprint 9af41a07ff781f24
Analysis status DONE
Considered CTI value -2
Text language
Published Aug. 9, 2024, midnight
Added to db Aug. 31, 2024, 10:42 a.m.
Last updated Nov. 12, 2024, 7:58 a.m.
Headline South Korean APT group "伪猎者" (Pseudo Hunter) exploits vulnerabilities in multiple Chinese domestic software products in attacks against China
Title South Korean APT group "伪猎者" (Pseudo Hunter) exploits vulnerabilities in multiple Chinese domestic software products in attacks against China | CTF导航
Detected Hints/Tags/Attributes 3/0/28
Source URLs
RSS Feed
Id | Enabled | Feed title | Url | Added to db
476 | | APT – CTF导航 | https://www.ctfiot.com/apt/feed | 2024-08-30 22:08
Attributes
Type | #Events | Value | CTI Value
Domain | 78 | bitbucket.org |
Domain | 2 | sandbox.dbappsecurity.com.cn |
File | 1 | the WPS program calls wpscloudsvr.exe |
File | 1 | ultimately via promecefpluginhost.exe |
File | 1 | abuses the legitimate Windows Photo Gallery viewer component shimgvw.dll |
File | 3 | downloads the file eqlist.txt from the remote server |
File | 3 | and mylink.tmp |
File | 1 | file eqlist.txt |
File | 3 | mylink.tmp |
File | 3 | abuses the legitimate system program pcalua.exe |
File | 3 | da, renamed respectively to crypt86.dat |
File | 4 | and profapii.dat |
File | 3 | uses this COM component to execute crypt86.dat |
File | 1 | child crypt86.dat |
File | 3 | crypt86.dat |
File | 1 | 0.cab |
File | 1 | this data is used to call profapii.dat |
File | 1 | contains profapii.dat |
File | 7 | update.txt |
File | 1 | obtains profapii.dat |
File | 1 | executes profapii.dat |
File | 1 | child profapii.dat |
File | 1 | %appdata%microsoftwindowstemplatessamtamples.dat |
File | 2 | sandbox.db |
Url | 1 | http://104.xxx.xxx.112/cache |
Url | 1 | http://104.xxx.xxx.112/list/, and, using the path x obtained in the previous stage, builds the address of a CAB file, for example http://104.xxx.xxx.112/list/0.cab |
Url | 1 | https://bitbucket.org/xxxxx/refresh/downloads/update.txt, to obtain the execution parameters for the profapii.dat file |
Url | 2 | https://sandbox.dbappsecurity.com.cn |