{ "type": "bundle", "id": "bundle--571a302c-e5c4-4014-8131-4e9c950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:47.000Z", "modified": "2016-04-22T14:13:47.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--571a302c-e5c4-4014-8131-4e9c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:47.000Z", "modified": "2016-04-22T14:13:47.000Z", "name": "OSINT - Teaching an old RAT new tricks", "published": "2016-04-22T14:14:57Z", "object_refs": [ "observed-data--571a303a-3c3c-4030-885f-400b950d210f", "url--571a303a-3c3c-4030-885f-400b950d210f", "x-misp-attribute--571a3056-7f64-4ee4-99d6-425b950d210f", "indicator--571a307d-d2a8-48f3-a7fa-4c68950d210f", "indicator--571a30f3-44ec-4b50-a024-40d702de0b81", "indicator--571a30f4-dd90-4bbc-8f25-4cfd02de0b81", "observed-data--571a30f4-5ec4-4d2a-86ed-40c602de0b81", "url--571a30f4-5ec4-4d2a-86ed-40c602de0b81", "indicator--571a312c-ada4-409a-9d75-437e950d210f", "indicator--571a3163-6690-403b-9d75-43e6950d210f", "indicator--571a317a-55bc-42d0-a5b2-4164950d210f", "indicator--571a3185-2014-41d4-8f7f-45dc02de0b81", "indicator--571a3186-1514-4141-a640-482702de0b81", "observed-data--571a3186-bcbc-4ce1-a073-439e02de0b81", "url--571a3186-bcbc-4ce1-a073-439e02de0b81", "indicator--571a3186-6a4c-409f-948d-4df502de0b81", "indicator--571a3187-e8b0-4cb8-9896-49c802de0b81", "observed-data--571a3187-a00c-45ee-b49b-49ec02de0b81", "url--571a3187-a00c-45ee-b49b-49ec02de0b81", "indicator--571a3188-39b4-474d-adbd-414502de0b81", "indicator--571a3188-fb1c-4924-8bcb-4d7f02de0b81", "observed-data--571a3188-e618-4f9d-8024-420b02de0b81", "url--571a3188-e618-4f9d-8024-420b02de0b81", "indicator--571a319a-7aa4-48bc-bc4b-4ffb950d210f", "indicator--571a319b-f570-4379-b681-476c950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a303a-3c3c-4030-885f-400b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:07:54.000Z", "modified": "2016-04-22T14:07:54.000Z", "first_observed": "2016-04-22T14:07:54Z", "last_observed": "2016-04-22T14:07:54Z", "number_observed": 1, "object_refs": [ "url--571a303a-3c3c-4030-885f-400b950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a303a-3c3c-4030-885f-400b950d210f", "value": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--571a3056-7f64-4ee4-99d6-425b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:08:22.000Z", "modified": "2016-04-22T14:08:22.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Attackers have been successfully deploying RATs for years to remotely control users systems - giving them full access to the victim\u00e2\u20ac\u2122s files or resources such as cameras, recording key strokes, or downloading further malware. Traditionally RATs have been deployed when a user opens an email attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve use of files to deliver the payload - which are easier to detect.\r\n\r\nRecently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state. In doing so, the attacker can remain out of view from antivirus technologies, and even \u00e2\u20ac\u02dcnext-generation\u00e2\u20ac\u2122 technologies that only focus on file-based threat vectors. Also, the samples analyzed have the ability detect the presence of a virtual machine to ensure it\u00e2\u20ac\u2122s not being analyzed in a network sandbox.\r\n\r\nAnd finally it\u00e2\u20ac\u2122s important to highlight that the RAT itself is not new. In fact this technique can be used to deliver any \u00e2\u20ac\u0153known\u00e2\u20ac\u009d RAT to a victim\u00e2\u20ac\u2122s system. We analyzed this sample against our SentinelOne EPP to confirm is does not evade our behavior-based detection mechanisms. This is due to the fact that we\u00e2\u20ac\u2122re monitoring all processes at the user-space/kernel-space interface - and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a307d-d2a8-48f3-a7fa-4c68950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:09:01.000Z", "modified": "2016-04-22T14:09:01.000Z", "description": "Win32 PE .NET 2.0 - Samples Analyzed", "pattern": "[file:hashes.SHA256 = 'b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:09:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a30f3-44ec-4b50-a024-40d702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:10:59.000Z", "modified": "2016-04-22T14:10:59.000Z", "description": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8", "pattern": "[file:hashes.SHA1 = '3b1ac573509281cdc0b6141f8ea6ed3af393b554']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:10:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a30f4-dd90-4bbc-8f25-4cfd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:11:00.000Z", "modified": "2016-04-22T14:11:00.000Z", "description": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8", "pattern": "[file:hashes.MD5 = '65752e742d643d121ee7e826ab65dc9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:11:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a30f4-5ec4-4d2a-86ed-40c602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:11:00.000Z", "modified": "2016-04-22T14:11:00.000Z", "first_observed": "2016-04-22T14:11:00Z", "last_observed": "2016-04-22T14:11:00Z", "number_observed": 1, "object_refs": [ "url--571a30f4-5ec4-4d2a-86ed-40c602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a30f4-5ec4-4d2a-86ed-40c602de0b81", "value": "https://www.virustotal.com/file/b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8/analysis/1461260966/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a312c-ada4-409a-9d75-437e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:11:56.000Z", "modified": "2016-04-22T14:11:56.000Z", "description": "Packed \"Benchmark\" DLL", "pattern": "[file:hashes.MD5 = 'e5c71180f117270538487cd9b9b1b6d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:11:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3163-6690-403b-9d75-43e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:12:51.000Z", "modified": "2016-04-22T14:12:51.000Z", "description": "Monitor (PerfWatson.exe)", "pattern": "[file:hashes.MD5 = '9e05fb115bd4e85cfc0e32c72aa721be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:12:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a317a-55bc-42d0-a5b2-4164950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:14.000Z", "modified": "2016-04-22T14:13:14.000Z", "description": "NanoCore RAT dumped from memory", "pattern": "[file:hashes.MD5 = 'd740ed3f33ca4cef3a6aa717f94bf52a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3185-2014-41d4-8f7f-45dc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:25.000Z", "modified": "2016-04-22T14:13:25.000Z", "description": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a", "pattern": "[file:hashes.SHA256 = '755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3186-1514-4141-a640-482702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:26.000Z", "modified": "2016-04-22T14:13:26.000Z", "description": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a", "pattern": "[file:hashes.SHA1 = '8105e6146d9cacf30ca38920a5a8483b52ddff62']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a3186-bcbc-4ce1-a073-439e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:26.000Z", "modified": "2016-04-22T14:13:26.000Z", "first_observed": "2016-04-22T14:13:26Z", "last_observed": "2016-04-22T14:13:26Z", "number_observed": 1, "object_refs": [ "url--571a3186-bcbc-4ce1-a073-439e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a3186-bcbc-4ce1-a073-439e02de0b81", "value": "https://www.virustotal.com/file/755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050/analysis/1460984076/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3186-6a4c-409f-948d-4df502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:26.000Z", "modified": "2016-04-22T14:13:26.000Z", "description": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be", "pattern": "[file:hashes.SHA256 = '51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3187-e8b0-4cb8-9896-49c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:27.000Z", "modified": "2016-04-22T14:13:27.000Z", "description": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be", "pattern": "[file:hashes.SHA1 = '407abece50b4905197d5132c19f19b5321fa9a55']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a3187-a00c-45ee-b49b-49ec02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:27.000Z", "modified": "2016-04-22T14:13:27.000Z", "first_observed": "2016-04-22T14:13:27Z", "last_observed": "2016-04-22T14:13:27Z", "number_observed": 1, "object_refs": [ "url--571a3187-a00c-45ee-b49b-49ec02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a3187-a00c-45ee-b49b-49ec02de0b81", "value": "https://www.virustotal.com/file/51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1/analysis/1455165681/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3188-39b4-474d-adbd-414502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:28.000Z", "modified": "2016-04-22T14:13:28.000Z", "description": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8", "pattern": "[file:hashes.SHA256 = 'e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a3188-fb1c-4924-8bcb-4d7f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:28.000Z", "modified": "2016-04-22T14:13:28.000Z", "description": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8", "pattern": "[file:hashes.SHA1 = '3a35080da4c0e71bdd1445fdae886a87d27a419e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a3188-e618-4f9d-8024-420b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:28.000Z", "modified": "2016-04-22T14:13:28.000Z", "first_observed": "2016-04-22T14:13:28Z", "last_observed": "2016-04-22T14:13:28Z", "number_observed": 1, "object_refs": [ "url--571a3188-e618-4f9d-8024-420b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a3188-e618-4f9d-8024-420b02de0b81", "value": "https://www.virustotal.com/file/e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06/analysis/1461269734/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a319a-7aa4-48bc-bc4b-4ffb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:46.000Z", "modified": "2016-04-22T14:13:46.000Z", "description": "On port 1617", "pattern": "[domain-name:value = 'azona2015.chickenkiller.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a319b-f570-4379-b681-476c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T14:13:47.000Z", "modified": "2016-04-22T14:13:47.000Z", "description": "On port 1617", "pattern": "[domain-name:value = 'azona.chickenkiller.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T14:13:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }