【News】
◆Orangeworm Hackers Infect X-Ray and MRI Machines In Their Quest for Patient Data (BleepingComputer, 2018/04/23)
https://www.bleepingcomputer.com/news/security/orangeworm-hackers-infect-x-ray-and-mri-machines-in-their-quest-for-patient-data/
【Blog】
◆New attack group "Orangeworm" confirmed targeting the healthcare industry in the U.S., Europe and Asia (Symantec, Japanese-language post, 2018/04/23)
Symantec has confirmed that a new attack group called Orangeworm is deploying the Kwampirs backdoor in targeted attacks against the healthcare industry and industries related to it.
◆New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia (Symantec, 2018/04/23)
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
【Related information】
Command list (the information-gathering commands Kwampirs runs on a compromised host; see the source for the list itself)
Source: https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
【Indicator information】
■Hash information (MD5, dropper)
Rows are "MD5 | file name |". The same hash appears under several file names, and the names imitate Windows WMI binaries (including the legitimate wmiprvse.exe), so match on the hash, not on the name.
MD5 | File name |
0240ed7e45567f606793dafaff024acf | wmipsrvce.exe |
047f70dbac6cd9a4d07abef606d89fb7 | wmiapsrvce.exe |
0240ed7e45567f606793dafaff024acf | WMIAPSRVUX.EXE |
2ae53de1a1f65a6d57e96dab26c73cda | wmiapsrve.exe |
47345640c135bd00d9f2969fabb4c9fa | WMIPSVRCE.EXE |
cb9954509dc82e6bbed2aee202d88415 | wmipsrvce.exe |
cb9954509dc82e6bbed2aee202d88415 | WMIPSVRE.EXE |
b680b119643876286030c4f6134dc4e3 | wmiapsrve.exe |
fac94bc2dcfbef7c3b248927cb5abf6d | wmipvsre.exe |
856683aee9687f6fdf00cfd4dc4c2aef | wmiapsvrce.exe |
847459c8379250d8be2b2d365be877f5 | wmiapsrve.exe |
fac94bc2dcfbef7c3b248927cb5abf6d | WMIAPSRVE.EXE |
fac94bc2dcfbef7c3b248927cb5abf6d | WMIPRVSE.EXE |
cb9954509dc82e6bbed2aee202d88415 | WMIPVSRE.EXE |
6277e675d335fd69a3ff13a465f6b0a8 | wmipsrvce.exe |
847459c8379250d8be2b2d365be877f5 | wmiapsvre.exe |
3bedc1c4c1023c141c2f977e846c476e | wmipsvrce.exe |
ce3894ee6f3c2c2c828148f7f779aafe | WMIAPVSRE.EXE |
3b3a1062689ffa191e58d5507d39939d | wmiaprvse.exe |
47345640c135bd00d9f2969fabb4c9fa | WMIAPSVRE.EXE |
3bedc1c4c1023c141c2f977e846c476e | wmiapvsre.exe |
6277e675d335fd69a3ff13a465f6b0a8 | wmiapsrve.exe |
856683aee9687f6fdf00cfd4dc4c2aef | wmipsvrce.exe |
cb9954509dc82e6bbed2aee202d88415 | wmipsvrce.exe |
fac94bc2dcfbef7c3b248927cb5abf6d | wmipsrvce.exe |
847459c8379250d8be2b2d365be877f5 | WMIPRVSE.EXE |
cb9954509dc82e6bbed2aee202d88415 | wmiapsrvcx.exe |
856683aee9687f6fdf00cfd4dc4c2aef | wmiapsrvce.exe |
cb9954509dc82e6bbed2aee202d88415 | wmiprvse.exe |
7e5f76c7b5bf606b0fdc17f4ba75de03 | wmiapsvrce.exe |
177bece20ba6cc644134709a391c4a98 | wmiapsrvex.exe |
fac94bc2dcfbef7c3b248927cb5abf6d | wmiaprvse.exe |
fac94bc2dcfbef7c3b248927cb5abf6d | wmipsvre.exe |
3b3a1062689ffa191e58d5507d39939d | wmiapsrvex.exe |
b59e4942f7c68c584a35d59e32adce3a | wmiapsrve.exe |
81e61e5f44a6a476983e7a90bdac6a55 | WMIAPSRVCX.EXE |
Source: https://content.connect.symantec.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf
■Hash information (MD5, DLL)
MD5 | File name |
ec968325394f3e6821bf90fda321e09b | WMIAMGMT.DLL |
01cf05a07af57a7aafd0ad225a6fd300 | WMIASSN.DLL |
d57df638c7befd7897c9013e90b678f0 | wmiamgmt.dll |
5c3499acfe0ad7563b367fbf7fb2928c | wmipadp.dll |
4b91ec8f5d4a008dd1da723748a633b6 | wmipadp.dll |
134846465b8c3f136ace0f2a6f15e534 | wmiassn.dll |
9d2cb9d8e73fd879660d9390ba7de263 | WMIPDPA.DLL |
939e76888bdeb628405e1b8be963273c | wmiadrv.dll |
de9b01a725d4f19da1c1470cf7a948ee | wmipdpa.dll |
bb939a868021db963916cc0118aab8ee | wmipadp.dll |
3289c9a1b534a19925a14a8f7c39187c | wmiadrv.dll |
9d3839b39d699336993df1dd4501892b | wmipdpa.dll |
5c3499acfe0ad7563b367fbf7fb2928c | wmipadp.dll |
fece72bd41cb0e06e05a847838fbde56 | wmiassn.dll |
bbd9e4204514c66c1babda178c01c213 | wmiadrv.dll |
ee4206cf4227661d3e7ec846f0d69a43 | wmipadp.dll |
290d8e8524e57783e8cc1b9a3445dfe9 | wmiamgmt.dll |
Source: https://content.connect.symantec.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf
■IP addresses
- 65.116.107.24
- 13.44.61.126
- 56.28.111.63
- 118.71.138.69
- 117.32.65.101
- 18.25.62.70
- 92.137.43.17
- 33.25.72.21
- 16.48.37.37
- 91.29.51.11
■URLs
The URLs are defanged (hxxp) and the base64 value of the q parameter is redacted; re-arm the scheme before comparing them against proxy logs. Every entry shares the same shape: an IP host, a .php or .asp path, and a q parameter starting with "kt"/"KT".
- hxxp://65.116.107.24/login/login.php?q=kt[REDACTED_BASE64_STRING]==
- hxxp://13.44.61.126/main/indexmain.php?q=KT[REDACTED_BASE64_STRING]==
- hxxp://56.28.111.63/group/group/defaultmain.php?q=KT[REDACTED_BASE64_STRING]==
- hxxp://118.71.138.69/new/main/default.php?q=KT[REDACTED_BASE64_STRING]==
- hxxp://117.32.65.101/users/login.php?q=kt[REDACTED_BASE64_STRING]==
- hxxp://18.25.62.70/groupgroup/default.php?q=kt[REDACTED_BASE64_STRING]==
- hxxp://92.137.43.17/group/group/home/login/home.php?q=KT[REDACTED_BASE64_STRING]==
- hxxp://33.25.72.21/group/main.asp?q=KT[REDACTED_BASE64_STRING]==
- hxxp://16.48.37.37/groupusers/default.php?q=kt[REDACTED_BASE64_STRING]==
- hxxp://91.29.51.11/default/main.php?q=KT[REDACTED_BASE64_STRING]==
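An added example, not Symantec's code or part of the original digest, that turns the hash tables and the IP/URL list above into a small hunting script: it parses the page's pipe-separated MD5 table (deduplicating hashes that appear under several file names), hashes files under a directory and matches on the digest rather than the WMI-lookalike name, re-arms the defanged URLs, and flags proxy-log lines whose host is a listed C2 IP or whose URL merely has the page's C2 shape. The proxy log format, the sample log lines and the base64 values in them are constructed for the example; the IOC values are copied from the tables above.

```python
"""Hunt for the Orangeworm/Kwampirs indicators listed on this page in local files and proxy logs."""
import hashlib
import re
from pathlib import Path

# A few rows copied verbatim from the page's MD5 tables (format: "md5 | filename |").
# The full lists are in the tables above and in Symantec's IOC PDF.
IOC_TABLE = """
0240ed7e45567f606793dafaff024acf | wmipsrvce.exe |
0240ed7e45567f606793dafaff024acf | WMIAPSRVUX.EXE |
cb9954509dc82e6bbed2aee202d88415 | wmiprvse.exe |
fac94bc2dcfbef7c3b248927cb5abf6d | WMIPRVSE.EXE |
ec968325394f3e6821bf90fda321e09b | WMIAMGMT.DLL |
5c3499acfe0ad7563b367fbf7fb2928c | wmipadp.dll |
"""

# C2 IP addresses from the page's IP list.
IOC_IPS = {
    "65.116.107.24", "13.44.61.126", "56.28.111.63", "118.71.138.69",
    "117.32.65.101", "18.25.62.70", "92.137.43.17", "33.25.72.21",
    "16.48.37.37", "91.29.51.11",
}

# Shape shared by every C2 URL on the page: http://<IP>/<path>.php|.asp?q=kt<base64>==
# The IP set is the high-confidence check; the shape also catches beacons to C2 hosts
# that are not on the list, at the cost of more false positives.
C2_URL_RE = re.compile(
    r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/[\w/]+\.(?:php|asp)\?q=kt[A-Za-z0-9+/]+={0,2}$",
    re.IGNORECASE,
)


def parse_hash_table(text):
    """Return {md5: set(filenames)} from the page's pipe-separated table.
    The same hash is listed under several names, so the table is deduplicated by hash."""
    iocs = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|") if p.strip()]
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-fA-F]{32}", parts[0]):
            continue
        iocs.setdefault(parts[0].lower(), set()).add(parts[1])
    return iocs


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, md5_iocs):
    """Hash every regular file under root; return [(path, md5)] for files whose digest is an IOC.
    Match on the hash, not the name: wmiprvse.exe is also the legitimate WMI Provider Host
    (normally C:\\Windows\\System32\\wbem\\wmiprvse.exe), so a name hit alone is noise."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = md5_of(p)
            if digest in md5_iocs:
                hits.append((str(p), digest))
    return hits


def rearm(url):
    """Undo the 'hxxp' defanging used on the page so an IOC can be compared with real log data."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def classify_url(url):
    """'ioc-ip' if the host is a listed C2 address, 'c2-shape' if only the URL pattern
    matches, None otherwise."""
    m = C2_URL_RE.match(rearm(url))
    if not m:
        return None
    return "ioc-ip" if m.group("ip") in IOC_IPS else "c2-shape"


def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client> <method> <url> <status>'.
    Returns [(client, url, verdict)] for lines that match either check."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


# Constructed sample log lines (not real traffic); the base64 values are made up.
SAMPLE_LOG = [
    "2018-04-24T10:01:02Z 10.0.5.17 GET http://65.116.107.24/login/login.php?q=ktQUJDREVG== 200",
    "2018-04-24T10:01:09Z 10.0.5.17 GET http://203.0.113.9/new/main/default.php?q=KTQUJDREVG== 200",
    "2018-04-24T10:02:00Z 10.0.5.20 GET http://example.test/index.php?q=search 200",
]

if __name__ == "__main__":
    print("unique hashes in embedded table:", len(parse_hash_table(IOC_TABLE)))
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(client, url, verdict)
```

Run against the full tables by pasting all rows into IOC_TABLE; a "c2-shape" verdict on an unlisted IP is a lead to triage, not a confirmed Kwampirs beacon, while an "ioc-ip" verdict or a hash hit on a file should be treated as a confirmed indicator.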