【ニュース】
◆北朝鮮グループ由来の新種トロイの木馬「BANKSHOT」が判明 - 米政府が注意喚起 (Security NEXT, 2017/12/25)
http://www.security-next.com/088782
◆ALERT: NORTH KOREAN MALICIOUS CYBER ACTIVITY (INFOWARS, 2017/12/21)
https://www.infowars.com/alert-north-korean-malicious-cyber-activity/
【公開情報】
◆Malware Analysis Report (MAR) - 10135536-B (US-CERT, 2017/12/13)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
【インディケータ情報】
■ハッシュ情報(MD5)
- 0137f688436c468d43b3e50878ec1a1f
- 114d8db4843748d79861b49343c8b7ca
- 2950e3741d7af69e0ca0c5013abc4209
- 964b291ad9bafa471da3f80fb262dbe7
- 9e4d9edb07c348b10863d89b6bb08141
- c74e289ad927e81d2a1a56bc73e394ab
- fc9e40100d8dfae2df0f30a3414f50ec
■Yara
rule Unauthorized_Proxy_Server_RAT
{
meta:
Author="US-CERT Code Analysis Team"Incident="10135536"
MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"Info="Detects Proxy Server RAT"
super_rule = 1
strings:
$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
$s4 = {B91A7900008A140780F29A8810404975F4}
$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
TLP:WHITE
US-CERT MAR-10135536-B
2 of 12
TLP:WHITE
$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
$s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
$s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}
condition:
any of them
}