Whack-A-Mole: The Impact of Threat Intelligence on Adversaries

POST /p5Pss34GvX21pxO0bz25vLqU.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  User-Agent: Edge/8.0 (Windows NT 5.1; Win32; x86)
  Host: upd2-app-state.com
  Content-Length: 25
  Connection: Keep-Alive

name=v6_kt38p5_2618871294

Figure 1: Example Initial HTTP POST

To anyone inspecting decrypted SSL/TLS traffic this should appear plainly anomalous. The "Content-Type" and "Accept" headers are each sent twice, apparently due to a programming error, and the User-Agent bears little resemblance to the string a genuine Microsoft Edge browser sends: real Edge strings begin with "Mozilla/5.0 (Windows NT ..." and carry a full rendering-engine signature, while "Windows NT 5.1" is Windows XP, a platform no version of Edge has ever run on.
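The two anomalies above are mechanically checkable in a proxy or IDS log pipeline. The following is an added example written for this page, not Cylance's code or tooling: it parses raw HTTP request text, flags header lines repeated verbatim (list-valued headers that legitimately repeat would carry different values) and flags an Edge token that either lacks the "Mozilla/5.0" prefix or claims a Windows version older than 7, on which Edge never shipped. The first sample is the Figure 1 request; the benign request and the rule thresholds are the editor's own constructions and assumptions.

```python
"""Flag the Figure 1 anomalies (duplicate headers, implausible Edge User-Agent)
in raw HTTP request text. Added example; heuristics are the editor's assumptions."""
import re
from collections import Counter

# Constructed from Figure 1: the initial POST as reproduced in the text.
SAMPLE_REQUEST = (
    "POST /p5Pss34GvX21pxO0bz25vLqU.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "User-Agent: Edge/8.0 (Windows NT 5.1; Win32; x86)\r\n"
    "Host: upd2-app-state.com\r\n"
    "Content-Length: 25\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "name=v6_kt38p5_2618871294"
)

# Constructed: a benign request with a genuine EdgeHTML-era User-Agent, for contrast.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

UA_EDGE = re.compile(r"\bEdge/\d")
UA_NT = re.compile(r"Windows NT (\d+)\.(\d+)")


def parse_headers(raw):
    """Return (request_line, [(name, value), ...]) keeping every occurrence,
    so duplicates remain visible. Accepts CRLF or bare LF line endings."""
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def duplicate_header_findings(headers):
    """A header line repeated byte-for-byte is a client bug, not list semantics."""
    counts = Counter(headers)  # keyed on (name, value): only exact repeats count
    return [
        f"header '{name}' repeated {n}x with identical value '{value}'"
        for (name, value), n in counts.items()
        if n > 1
    ]


def user_agent_findings(headers):
    """Sanity-check an Edge User-Agent against what real Edge builds send."""
    ua = next((v for k, v in headers if k == "user-agent"), None)
    if ua is None:
        return ["no User-Agent header"]
    findings = []
    if UA_EDGE.search(ua):
        if not ua.startswith("Mozilla/5.0"):
            findings.append(
                "Edge token without the 'Mozilla/5.0 (...)' prefix every real Edge UA carries"
            )
        m = UA_NT.search(ua)
        # Assumption: treat anything below NT 6.1 (Windows 7) as impossible for Edge;
        # NT 5.1 is Windows XP, on which no Edge release ever ran.
        if m and (int(m.group(1)), int(m.group(2))) < (6, 1):
            findings.append(
                f"Edge token on Windows NT {m.group(1)}.{m.group(2)}, a platform Edge never shipped on"
            )
    return findings


def analyze_request(raw):
    """All findings for one raw request; an empty list means nothing anomalous."""
    _, headers = parse_headers(raw)
    return duplicate_header_findings(headers) + user_agent_findings(headers)


if __name__ == "__main__":
    for label, req in (("figure 1", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyze_request(req))
```

Run against the Figure 1 request this yields four findings (two duplicated headers, two User-Agent problems) and none for the benign request. Keying the duplicate check on the full (name, value) pair matters: a client that sends two different Accept values is within spec, one that sends the same line twice has a bug worth a signature.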

The group or groups behind Promethium/StrongPity will likely continue to adapt to security publications about them. They clearly have significant resources at their disposal and will keep evolving as necessary. Only minor adjustments are needed to stay effective, because the information security world constantly shifts its focus to the next big news item.

Defenders, and those they serve, would do well to think historically: to look back more often and inspect the "living memory" of threat actor behavior and campaigns, both in the target organization's own history and in that of the larger threat intelligence community.

In this way, defenders can remain attentive to threats coming from behind that they would otherwise have dismissed as "old news": threats the security community has finished dealing with, but which may not be finished dealing with their targets.

May to August 2018 Updated Activity

SHA256 Hashes:
Trojanized Installers – Droppers
418203a531ceb1f08a21b354bc0d3bf8f157c76b521495c29639d7bffa416b38
61f8dc6d618572a86bd0b646d16186bb6b0fff970947a7df754add4f65ec8625
ae41ba7b4728a6322660443273d7ea6e50c6f804a7d726d0439fac956c7923e7
b14b9c123d19388b81b9ddbb6e7f8807238967db4bd3b8b0be93026a4c7806bb
baafd8f9b5889d49921f5e4c6fc3ca051f42d1c50a6b1db65986bcfb6e10f344
c35a1337f9e0d9ff41800ad5d1925a750813d9e98a13f54e5846426a0a4def8f
42d178417abe68ba9742250ee5eaeb0802e3d0f24c7e585ed200979ed8cd07ea

IpOve32.exe
158e4057f3d2751cf110c5924f289e5b45348f037b3931b9695d3ba045026b4e
645c3ae40a8572fc18ba5808e000dbd52fb1ffff679c044c497189abbcc5c549
6b0a28fe1954ae41e17ffd6b83a2ac7112cc98b64ba6b2a05448d200b42bb2dc
6d4af9f7e14e1ae7f871cd0bcdd87927cde8d236fd9d37e76554729abe3e31e4
79f02a935266a6a8322dec44c7007f7a148d4327f99b3251cba23625de5d5d5e
7c3c9d054e82b4c1b1eeadf1e246850fbd2ad4ee831fb9bc2e21cdd4d30ef225
fa71584f27f5eacca9f3d5644fd06ccebcc14b8394efeaccd38259f8382c26e5
ad89961b343366abf28faadbdc9f56e25087bafff1b856c05f62b66ac9b5990a
92ff23ab81cc20c4916441547745f336cf612c21a049cdcbb01f11d83a40979e

netplviz.exe
1d0fc58a1167b5d4982c5aba2443a45e26870c51de9621a10f642879b842dac0
35b3eae0eaed90c2f1b4f087aa9f00d5646590fa25d205e2566e3f6e31f757d0
3c6c7a9558ecf7864cf65be5ea08a4a6aa2c2439c956dc988ebb6cf8bc04e272
707ad515c41cd42d696f2d2fb8745af8b36900391db4a477c48f7f75ec4a9c38
7d689fce4d4a8bfb1df041359a3cd4918915a332d11f678039d68f7f6ae5afe5
8f4474b5c3efad963f054f4b18963bf98c3ec746e2ec4c850b0a6196788b2de2
d12b4759bcd3832f76e04f521d5d8829537f008d7bc040c8869474f86fcc2759

C2 Domains:  
dwn-balance[.]net
ms-sys-security[.]com
svr-sec2-system[.]com
upd2-app-state[.]com
srv-mx2-cdn-app[.]com
system-upload-srv[.]com

IP Addresses:
109.201.142[.]122
89.45.67[.]34
46.17.63[.]239
185.193.36[.]109
176.119.28[.]38

This is a Security Bloggers Network syndicated post from the Cylance Blog, authored by Cylance Threat Intelligence Bulletin. Original post: https://threatvector.cylance.com/en_us/home/whack-a-mole-the-impact-of-threat-intelligence-on-adversaries.html