266 lines
No EOL
10 KiB
JSON
266 lines
No EOL
10 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-03-30",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations",
|
|
"publish_timestamp": "1490879848",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1490879821",
|
|
"uuid": "58dd02b3-cfa8-4044-b533-4935950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"Trochilus\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"MoonWind\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58dd02c0-3028-4d64-95ee-40b6950d210f",
|
|
"value": "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075200",
|
|
"local": "0",
|
|
"name": "admiralty-scale:source-reliability=\"b\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "58dd02cd-d94c-4787-bbc0-4fd8950d210f",
|
|
"value": "From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we\u00e2\u20ac\u2122ve named MoonWind to target organizations in Thailand, including a utility organization. We chose the name \u00e2\u20ac\u02dcMoonWind\u00e2\u20ac\u2122 based on debugging strings we saw within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time. The attackers used different command and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone. The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.\r\n\r\nWe were also able to find a post-compromise tool along with the two RATs, which afforeded us insight into one of the tools the attackers used once they gained a foothold inside an organization. In addition to Trochilus and MoonWind we found Mimikatz, a popular credential harvesting tool.\r\n\r\nFurther research led us to additional MoonWind samples using the same C2 (dns[.] webswindows [.]com) but hosted on a different compromised but legitimate website. The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files, while in the November attacks the RATs were stored as executables. We were not able to find additional tools, but the attackers again compromised a legitimate Thai website to host their malware, in this case the student portal for a Thai University.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075200",
|
|
"local": "0",
|
|
"name": "admiralty-scale:source-reliability=\"b\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Trochilus C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "58dd03ab-29ac-47c6-8607-4e72950d210f",
|
|
"value": "webswindows.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Trochilus C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "58dd03ac-8dc4-4450-8213-4c30950d210f",
|
|
"value": "192.225.226.195"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Trochilus",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58dd03b9-9bb0-4402-82d2-4aa8950d210f",
|
|
"value": "59f8a31d66f053f1efcc8d7c7ebb209a8c12233423cc2dc3673373dde9b3a149"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind Persistence Mechanism",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58dd03c4-9234-4631-939b-42b8950d210f",
|
|
"value": "815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58dd03d2-2338-4147-9aa4-4d53950d210f",
|
|
"value": "fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58dd03d3-7828-47bd-8b3e-4f62950d210f",
|
|
"value": "ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58dd03d4-cf54-4aed-b402-4a06950d210f",
|
|
"value": "e31679b82be58ace96b1d9fdfc2b62b6e91d371ed93957e0764cd7c464b04b9d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58dd03d5-4f64-40f1-b5f7-4004950d210f",
|
|
"value": "f2589745671949422b19beec0856ca8b9608c02d5df4402f92c0dcc9d403010b"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879753",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58dd03f4-b198-4a25-beff-4772950d210f",
|
|
"value": "dns.webswindows.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind - Xchecked via VT: ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879763",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58dd0513-3288-4c5f-822f-4cc402de0b81",
|
|
"value": "ae2905c603ebc1b41c11ef26ac344bd695a24580"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind - Xchecked via VT: ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879764",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58dd0514-8510-4c9e-ab20-49bb02de0b81",
|
|
"value": "278a95ffe4e8f8f33d56ae4276b4799b"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "MoonWind - Xchecked via VT: ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879765",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58dd0515-b4ac-4721-9936-4a7b02de0b81",
|
|
"value": "https://www.virustotal.com/file/ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c/analysis/1477397321/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind - Xchecked via VT: fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879766",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58dd0516-b8d4-4956-bd8c-4bd402de0b81",
|
|
"value": "36e367bd403f30d18314911ad129810cc7aa03aa"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MoonWind - Xchecked via VT: fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879767",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58dd0517-5b48-425e-bf27-433b02de0b81",
|
|
"value": "9ad1b81ca2d37a63faf2aaf279fed71c"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "MoonWind - Xchecked via VT: fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1490879768",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58dd0518-22f4-4dd1-948d-4fc302de0b81",
|
|
"value": "https://www.virustotal.com/file/fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928/analysis/1481830025/"
|
|
}
|
|
]
|
|
}
|
|
} |