【Figures and Tables】
【Overview】
■Attack Actor
Attack actor | Notes |
---|---|
DragonOK | Based in Jiangsu Province |
Moafee | Based in Guangdong Province |
【References】
◆OPERATION QUANTUM ENTANGLEMENT (FireEye, 2015/03/17)
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf
【IoC Information】
◆NewCT2 (2015/03/17) (IoC (TT Malware Log))
https://ioc.hatenablog.com/entry/2015/03/17/000000
【Related Summary Articles】
◆Targeted Attack Groups / APT (Summary)
https://malware-log.hatenablog.com/entry/APT
【Indicator Information】
■Campaign codes embedded in NewCT/CT
First stage payload | Version | Implant | Implant Name | C2 Server | Campaign code |
---|---|---|---|---|---|
46e55cdf507ef10b11d74dad6af8b94e | NewCT2 | 81998ee8b8f8304d038e3cb5ff10b4d2 | MSSoap.DLL | http.jpaols[.]com | hc_NewCT |
989d04ab23385260a402ce7b6751e60e | NewCT2 | 81998ee8b8f8304d038e3cb5ff10b4d2 | MSSoap.DLL | facebook.pktmedia[.]com facebook.skyppee[.]com | face_NewCT |
6de67d5bfe61fbdc2febfd289e9660c3 | NewCT2 | 81998ee8b8f8304d038e3cb5ff10b4d2 | MSSoap.DLL | http.jpaols[.]com | jp80_NewCT |
908d847fd39a285185b3f0e8dc874dad | NewCT2 | 81998ee8b8f8304d038e3cb5ff10b4d2 | MSSoap.DLL | sslc.moafee[.]com | sslc_NewCT |
26a48ee15b8f976db35e219428e05ef3 | NewCT2 | 81998ee8b8f8304d038e3cb5ff10b4d2 | MSSoap.DLL | http.jpaols[.]com | jp80_NewCT |
bd5ed9168632e6daa6bcee6b6c48d60f | NewCT2 | 81998ee8b8f8304d038e3cb5ff10b4d2 | BurnDCSrv.DLL | butitistrun.blogdns[.]com | lcl918_NewCT |
46ac122183c32858581e95ef40bd31b3 | CT V2.1 | 81998ee8b8f8304d038e3cb5ff10b4d2 | IntelAMTPP.dll | ct.datangcun[.]com | 20120509_CT |
(The above is information from FireEye. Source: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf)