TT Malware Log

マルウェア / サイバー攻撃 / 解析技術 に関する「個人」の調査・研究・参照ログ

APT27 (まとめ)

【目次】

概要

【要点】

◎中国のサイバー攻撃組織(APT攻撃)。

【概要】

■組織名

攻撃組織名 命名組織
APT27 FireEye
Emissary Panda CrowdStrike, NCC Group
Bronze Union SecureWorks
TG-3390 SecureWorks
Threat Group-3390
ZipToken
ARCHERFISH
Iron Tiger
Group 35 Cisco
TEMP.Hippo
LuckyMouse Kaspersky
HIPPOTeam


■関係国

  • 中国


【最新情報】

◆中国系ハッカーが台湾の重要インフラを攻撃しない理由 (Wedge, 2022/08/08 13:46)
https://wedge.ismedia.jp/articles/-/27534
https://malware-log.hatenablog.com/entry/2022/08/08/000000_2

◆Chinese hackers backdoor chat app with new Linux, macOS malware (BleepingComputer, 2022/08/12)
[中国のハッカーがLinuxとmacOSの新マルウェアでチャットアプリをバックドア化]
https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/
https://malware-log.hatenablog.com/entry/2022/08/12/000000_4

記事

【ニュース】

■2015年

◆Threat Group 3390 Cyberespionage (Secureworks, 2015/08/05)
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
http://malware-log.hatenablog.com/entry/2015/08/05/000000_3


■2018年

◆LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities (ZDNet, 2018/09/10)
https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/
http://malware-log.hatenablog.com/entry/2018/09/10/000000_5

◆Kaspersky Lab、サイバー犯罪組織「LuckyMouse」が盗んだ正規のデジタル証明書でマルウェアに署名し、攻撃に利用していることを確認 (産経新聞, 2018/09/18 14:44)
http://www.sankei.com/economy/news/180918/prl1809180243-n1.html
http://malware-log.hatenablog.com/entry/2018/09/18/185335


■2019年

◆RSAC 2019: Bronze Union APT Updates Remote Access Trojans in Fresh Wave of Attacks (ThreatPost, 2019/02/27)
https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/
http://malware-log.hatenablog.com/entry/2019/02/27/000000_4

◆少数ながら、APTグループ「Emmissary Panda」に類似した攻撃を検知(ラック)(NetSecurity, 2019/12/26 06:06)
https://scan.netsecurity.ne.jp/article/2019/12/26/43462.html
https://malware-log.hatenablog.com/entry/2019/12/26/000000_8


■2021年

◆China's APT hackers move to ransomware attacks (BleepingComputer, 2021/01/04 09:36)
[中国のAPTハッカーがランサムウェア攻撃に動く]
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
https://malware-log.hatenablog.com/entry/2021/01/04/000000

◆APT27 continues targeting the gambling industry. New APT34 activity. Malicious code in APKPure app store. (Cyberwire, 2021/04/14)
[APT27は引き続きギャンブル業界を標的にしています。新たなAPT34の活動。APKPureアプリストアに悪意のあるコード]
https://thecyberwire.com/newsletters/research-briefing/3/15
https://malware-log.hatenablog.com/entry/2021/04/14/000000_3


■2022年

◆サイバー攻撃の被害に遭った赤十字、「国家が支援」するハッカーが未パッチの脆弱性を悪用したと発表 (TechCrunch, 2022/02/18)
https://jp.techcrunch.com/2022/02/18/2022-02-16-red-cross-links-january-cyberattack-to-state-sponsored-hackers/
https://malware-log.hatenablog.com/entry/2022/02/18/000000_3

◆中国系ハッカーが台湾の重要インフラを攻撃しない理由 (Wedge, 2022/08/08 13:46)
https://wedge.ismedia.jp/articles/-/27534
https://malware-log.hatenablog.com/entry/2022/08/08/000000_2

◆Chinese hackers backdoor chat app with new Linux, macOS malware (BleepingComputer, 2022/08/12)
[中国のハッカーがLinuxとmacOSの新マルウェアでチャットアプリをバックドア化]
https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/
https://malware-log.hatenablog.com/entry/2022/08/12/000000_4

【ブログ】

■2015年

◆Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes” (Ars Technica, 2015/08/06 04:00)

Emissary Panda group penetrated the networks of industrial espionage targets.

https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
https://malware-log.hatenablog.com/entry/2015/08/06/000000_1


■2016年

◆ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence? (ThreatConnect, 2016/10/17)
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/
https://malware-log.hatenablog.com/entry/2016/10/17/000000_4


■2017年

◆BRONZE UNION Cyberespionage Persists Despite Disclosures (SecureWorks, 2017/06/27)
https://www.secureworks.com/research/bronze-union
https://malware-log.hatenablog.com/entry/2017/06/27/000000_3


■2018年

◆Decoding network data from a Gh0st RAT variant (nccgroup, 2018/04/17)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
https://malware-log.hatenablog.com/entry/2018/04/17/000000_5

◆LuckyMouse hits national data center to organize country-level waterholing campaign (Kaspersky, 2018/06/13 10:00)
https://securelist.com/luckymouse-hits-national-data-center/86083/
http://malware-log.hatenablog.com/entry/2018/06/13/000000_2

◆Emissary Panda – A potential new malicious tool Introduction (nccgroup, 2018/05/18)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/
https://malware-log.hatenablog.com/entry/2018/05/18/000000_4

◆Chinese Hackers Carried Out Country-Level Watering Hole Attack (The Hacker News, 2018/06/14)
https://thehackernews.com/2018/06/chinese-watering-hole-attack.html
https://malware-log.hatenablog.com/entry/2018/06/14/000000_7

◆LuckyMouse Group is back and using a legitimate certificate to sign malware (Kaspersky, 2018/09/10)
https://www.kaspersky.com/about/press-releases/2018_luckymouse-group-is-back-and-using-a-legitimate-certificate-to-sign-malware
http://malware-log.hatenablog.com/entry/2018/09/10/000000_4


■2021年

◆Exchange servers under siege from at least 10 APT groups (WeLiveSecurity, 2021/03/10 14:00)
[少なくとも10のAPTグループから四面楚歌のExchangeサーバー]

ESET Research has found LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers all around the world
[ESETリサーチによると、LuckyMouse、Tick、Winnti Group、Calypsoなどが、最近のMicrosoft Exchangeの脆弱性を利用して世界中のメールサーバーを危険にさらしている可能性が高いことがわかりました]

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://malware-log.hatenablog.com/entry/2021/03/10/000000_3


■2023年

◆Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting (Trendmicro, 2023/03/01)
[Iron TigerのSysUpdateが再登場、Linuxをターゲットにした機能を追加]
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
https://malware-log.hatenablog.com/entry/2023/03/01/000000_3

関連情報

【関連まとめ記事】

全体まとめ
 ◆攻撃組織 / Actor (まとめ)

◆標的型攻撃組織 / APT (まとめ)
https://malware-log.hatenablog.com/entry/APT


【インディケータ情報】

■ハッシュ情報(MD5)

  • 3BEA073FA50B62C561CEDD9619CD8425

■ハッシュ情報(Sha256)

SHA-256 Filename
EE04B324F7E25B59D3412232A79D1878632D6817C3BB49500B214BF19AFA4E2C Mozilla.exe
0BA49FEB7784E6D33D821B36C5C669D09E58B6795ACA3EEBBF104B763B3B3C20 Updateproxy.dll
33B7407E534B46BF8EC06D9F45ECD2D3C7D954340669E94CD7CEDCBAE5BAD2DD Telnet.dll
6160AF383794212B6AD8AB9D6D104BBE7AEFB22410F3AB8EA238F98DABFC48B7 Socks.dll
C63B01C40038CA076072A35913F56D82E32FCEE3567650F3392B5C5DA0004548 Shell.dll
D51EC4ACEAFA971E7ABD0CF4D27539A4212A448268EF1DB285CD9CE9024D6EB3 Session.dll
BD8086DE44E16EFDD380E23E49C4058D956538B01E1AE999B679B6B76B643C7D Screen.dll
B44A9545B697B4D46D5B96862A6F19EA72F89FED279F56309B2F245AC8380BE0 Port.dll
F4DF97108F18654089CFB863F2A45AA41D17A3CE8A44CCCC474F281A20123436 File.dll
D31D38403E039F5938AE8A5297F35EB5343BB9362D08499B1E07FAD3936CE6F7 ConEmu.exe
A591D4D5B8D23FF12E44A301CE5D4D9BF966EBA0FC0068085B4B4EC3CE352963 Noodles.exe
EEBFF21DEF49AF4E85C26523AF2AD659125A07A09DB50AC06BD3746483C89F9D Coal.exe (Malicious executable)
97B9D7E16CD6B78A090E9FA7863BD9A57EA5BBE6AE443FA788603EEE5DA0BFC3 Abg.exe (Malicious executable)
B6C21C26AEF75AD709F6C9CFA84BFA15B7EE709588382CE4BC3544A04BCEB661 23d.exe (Malicious executable)
DB9B9FA9EFA53662EC27F4B74B79E745F54B6C30C547A4E5BD2754E9F635F6DB 89d.exe (Malicious executable)


■IPアドレス(C&C)

  • 23.227.207.137
  • 89.249.65.194


■ファイル

  • C:\ProgramData\HIDMgr
  • C:\ProgramData\Rascon
  • C:\ProgramData\TrkSvr


■サービス

  • HIDMgr
  • RasconMan
  • TrkSvr


■レジストリ

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

(以上は nccgroupの情報。 引用元は https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/)



■マルウェア情報

MD5 3bea073fa50b62c561cedd9619cd8425
SHA1 ae917a61cb01df3906472b3140193c1ef62f8d75
SHA256 df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db
SHA512
SSDEEP 768:8kTUqTrSxd1WaNmN+NoF4P2MBL/enc8RGIcA2YvrK3gHLXokP:LwqCd1dINmEYYBGIcA2UK3Mok
authentihash 8e313f41dc7e65a09f3b2b944cdc53276e01988e85834bb3053d23b9d7eb5013
imphash e62620335bb00fe44ca7fe6a8bd55a4b
File Size 86016 bytes
File Type Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit)
コンパイル日時 2015-06-30 10:29:41
Debug Path
File Name
File Path
生成ファイル
特徴
参考情報 https://www.virustotal.com/ja/file/df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db/analysis/


◆ハッシュ情報(MD5)

  • 22CBE2B0F1EF3F2B18B4C5AED6D7BB79
  • 0D0320878946A73749111E6C94BF1525
  • ac337bd5f6f18b8fe009e45d65a2b09b
  • 04dece2662f648f619d9c0377a7ba7c0

◆FQDN

  • bbs.sonypsps[.]com
  • update.iaacstudio[.]com
  • wh0am1.itbaydns[.]com
  • google-updata[.]tk
  • windows-updata[.]tk

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2023