misp-circl-feed/feeds/circl/misp/58e3f451-6ff8-4bf1-8412-4e5a950d210f.json

{"Event": {"info": "OSINT - Introducing ROKRAT", "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:rat=\"rokrat\""}], "publish_timestamp": "1491334593", "timestamp": "1511874210", "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "58e3f463-21ac-4f6a-adc1-4e36950d210f", "timestamp": "1491334504", "to_ids": false, "value": "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "58e3f472-01f8-4f87-a9d4-44e7950d210f", "timestamp": "1491334504", "to_ids": false, "value": "A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was\u2026 a Remote Administration Tool, which we have named ROKRAT.\r\n\r\nLike in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was 'kgf2016@yonsei.ac.kr' which is the contact email of the Korea Global Forum where the slogan in 2016 was \"Peace and Unification of the Korean Peninsula\". This fact gives more credit and legitimacy to the email.\r\n\r\nThe HWP document contained an embedded Encapsulated PostScript (EPS) object. 
As with our previous publication this again is zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "text"}, {"comment": "HWP Documents", "category": "Payload delivery", "uuid": "58e3f4b1-0674-48ec-8197-dbe7950d210f", "timestamp": "1491334504", "to_ids": true, "value": "7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "HWP Documents", "category": "Payload delivery", "uuid": "58e3f4b2-5594-45b7-a9ce-dbe7950d210f", "timestamp": "1491334504", "to_ids": true, "value": "5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "ROKRAT PE32", "category": "Payload delivery", "uuid": "58e3f4c0-e40c-4d59-a481-4977950d210f", "timestamp": "1491334504", "to_ids": true, "value": "cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "ROKRAT PE32", "category": "Payload delivery", "uuid": "58e3f4c1-d2cc-4220-a25b-4557950d210f", 
"timestamp": "1491334504", "to_ids": true, "value": "051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Malicious URL", "category": "Network activity", "uuid": "58e3f4dc-4264-4991-a3a2-480b950d210f", "timestamp": "1491334504", "to_ids": true, "value": "http://discgolfglow.com/wp-content/plugins/maintenance/images/worker.jpg", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Malicious URL", "category": "Network activity", "uuid": "58e3f4dd-fdbc-4c26-b78f-4bdf950d210f", "timestamp": "1491334504", "to_ids": true, "value": "http://acddesigns.com.au/clients/ACPRCM/kingstone.jpg", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Not malicious URLs but could be use to identify RAT execution:", "category": "Network activity", "uuid": "58e3f4ec-be0c-4e20-b032-4c21950d210f", "timestamp": "1491334504", "to_ids": true, "value": "https://www.amazon.com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "Not malicious URLs but could be use to identify RAT execution:", "category": "Network activity", "uuid": "58e3f4ed-94a0-4e0e-9baa-4636950d210f", "timestamp": "1491334504", "to_ids": true, "value": "http://www.hulu.com/watch/559035/episode3.mp4", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "TOKENS", "category": "Payload delivery", "uuid": "58e3f50e-5d14-4600-8c01-47f2950d210f", "timestamp": "1491334504", "to_ids": false, "value": "MEDIAFIRE\r\nAccount #1\r\nUsername: ksy182824@gmail.com\r\nApplication ID: 81342\r\nTWITTER\r\nAccount #1\r\nConsumer key: sOPcUKjJteYrg8klXC4XUlk9l\r\nToken: 722226174008315904-u6P1FlI7IDg8VIYe720X0gqDYcAMQAR\r\n\r\nAccount #2\r\nConsumer key: sgpalyF1KukVKaPAePb3EGeMT\r\nToken: 759577633630593029-CQzXMfvsQ2RztFYawUPeVbAzcSnwllX\r\n\r\nAccount #3\r\nConsumer key: 
XVvauoXKfnAUm2qdR1nNEZqkN\r\nToken: 752302142474051585-r2TH1Dk8tU5TetUyfnw9c5OgA1popTj\r\n\r\nAccount #4\r\nConsumer key: U1AoCSLLHxfeDbtxRXVgj7y00\r\nToken: 779546496603561984-Qm8CknTvS4nKxWOB4tJvbtBUMBfNCKE\r\n\r\nAccount #5\r\nConsumer key: 9ndXAB6UcxhQVoBAkEKnwzt4C\r\nToken: 777852155245080576-H0kXYcQCpV6qiFER38h3wS1tBFdROcQ\r\n\r\nAccount #6\r\nConsumer key: QCDXTaOCPBQM4VZigrRj2CnJi\r\nToken: 775849572124307457-4ICTjYmOfAy5MX2FxUHVdUfqeNTYYqj\r\n\r\nAccount #7\r\nConsumer key: 2DQ8GqKhDWp55XIl77Es9oFRV\r\nToken: 778855419785154560-0YUVZtZjKblo2gTGWKiNF67ROwS9MMq\r\nYANDEX\r\nToken #1: AQAAAAAYm4qtAANss-XFfX3FjU8VmVR76k4aMA0\r\nToken #2: AQAAAAAA8uDKAANxExojbqps-UOIi8kc8EAhcq8\r\nToken #3: AQAAAAAY9j8KAANyULDuYU1240rjvpNXcRdF5Tw\r\nToken #4: AQAAAAAZDPB1AAN6l1Ht3ctALU1flix57TvuMa4", "disable_correlation": false, "object_relation": null, "type": "text"}, {"comment": "MEDIAFIRE account", "category": "Social network", "uuid": "58e3f53a-e950-4870-83e2-45d4950d210f", "timestamp": "1491334504", "to_ids": true, "value": "ksy182824@gmail.com", "disable_correlation": false, "object_relation": null, "type": "email-src"}, {"comment": "ROKRAT PE32 - Xchecked via VT: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00", "category": "Payload delivery", "uuid": "58e3f573-cecc-4128-a46d-450502de0b81", "timestamp": "1491334515", "to_ids": true, "value": "75d7f88e010e5c7d9a4617157034cff16da0733f", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "ROKRAT PE32 - Xchecked via VT: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00", "category": "Payload delivery", "uuid": "58e3f574-86dc-479a-8de4-4f7602de0b81", "timestamp": "1491334516", "to_ids": true, "value": "c909ca40d1124fc86662a12d72e0fb78", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "ROKRAT PE32 - Xchecked via VT: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00", "category": "External analysis", "uuid": 
"58e3f575-ee78-489f-8e55-4f5502de0b81", "timestamp": "1491334517", "to_ids": false, "value": "https://www.virustotal.com/file/051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00/analysis/1491317438/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "ROKRAT PE32 - Xchecked via VT: cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c", "category": "Payload delivery", "uuid": "58e3f576-be44-4546-bbbd-4d7902de0b81", "timestamp": "1491334518", "to_ids": true, "value": "24d5d32c5b171f375b92bf3af83f55579eefe23d", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "ROKRAT PE32 - Xchecked via VT: cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c", "category": "Payload delivery", "uuid": "58e3f577-1340-4135-8b8b-4f3802de0b81", "timestamp": "1491334519", "to_ids": true, "value": "033284841a9c8edbbad3422a0ae82566", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "ROKRAT PE32 - Xchecked via VT: cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c", "category": "External analysis", "uuid": "58e3f578-9c24-4edc-890c-468402de0b81", "timestamp": "1491334520", "to_ids": false, "value": "https://www.virustotal.com/file/cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c/analysis/1491235235/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "HWP Documents - Xchecked via VT: 5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f", "category": "Payload delivery", "uuid": "58e3f579-7f4c-4562-aa37-475d02de0b81", "timestamp": "1491334521", "to_ids": true, "value": "b29394fcc40fa661094bda2f885b1d3982dea73a", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "HWP Documents - Xchecked via VT: 5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f", "category": "Payload delivery", "uuid": "58e3f57a-acc4-485c-bcdc-4ddc02de0b81", "timestamp": 
"1491334522", "to_ids": true, "value": "aa1541d198207d261652e0f6f74098a4", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "HWP Documents - Xchecked via VT: 5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f", "category": "External analysis", "uuid": "58e3f57b-ea60-4866-8026-4cf402de0b81", "timestamp": "1491334523", "to_ids": false, "value": "https://www.virustotal.com/file/5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f/analysis/1491235236/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "HWP Documents - Xchecked via VT: 7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e", "category": "Payload delivery", "uuid": "58e3f57c-f834-43f2-bf32-456d02de0b81", "timestamp": "1491334524", "to_ids": true, "value": "c835764ecaa382ae4262fe6fc1a049b09710d151", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "HWP Documents - Xchecked via VT: 7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e", "category": "Payload delivery", "uuid": "58e3f57d-ea80-4673-ba8a-4b4502de0b81", "timestamp": "1491334525", "to_ids": true, "value": "183be2035d5a546670d2b9deeca4eb59", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "HWP Documents - Xchecked via VT: 7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e", "category": "External analysis", "uuid": "58e3f57e-fe50-4632-a869-48f302de0b81", "timestamp": "1491334526", "to_ids": false, "value": "https://www.virustotal.com/file/7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e/analysis/1491280391/", "disable_correlation": false, "object_relation": null, "type": "link"}], "extends_uuid": "", "published": false, "date": "2017-04-04", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "58e3f451-6ff8-4bf1-8412-4e5a950d210f"}}