【ブログ】
◆Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems (paloalto, 2018/06/22)
https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
【関連まとめ記事】
◆全体まとめ
◆攻撃組織 / Actor (まとめ)
◆標的型攻撃組織 / APT (まとめ)
◆Tick / Bronze Butler (まとめ)
http://malware-log.hatenablog.com/entry/Tick
【インディケータ情報】
■ハッシュ情報(Sha256) - Malformed Legitimate software (SymonLoader) -
8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a
(以上は paloalto の情報: 引用元は https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )
■ハッシュ情報(Sha256) - Malformed Legitimate software (SymonLoader) -
31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8
(以上は paloalto の情報: 引用元は https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )
■ファイルパス - SymonLoader -
%ProgramFiles%\Windows NT\Accessories\Microsoft\msxml.exe
%UserProfile%\Applications\Microsoft\msxml.exe
■レジストリ - SymonLoader -
HKLM\Software\Microsof\Windows\CurrentVersion\run\”xml” = %ProgramFiles%\Windows NT\Accessories\Microsoft\msxml.exe
HKCU\Software\Microsof\Windows\CurrentVersion\run\”xml” = %UserProfile%\Applications\Microsoft\msxml.exe
■Mutex - SymonLoader -
SysMonitor_3A2DCB47
■ハッシュ情報(Sha256) - Trojanized Legitimate Software(HomamDownloader) -
b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa
3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
(以上は paloalto の情報: 引用元は https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )
■ハッシュ情報(Sha256) - HomamDownloader -
019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
ee8d025c6fea5d9177e161dbcedb98e871baceae33b7a4a12e9f73ab62bb0e38
f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
(以上は paloalto の情報: 引用元は https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ )
■URL
pre.englandprevail.com
【検索】- SymonLoader -
google: 8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a
google: 31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8
【検索】 - HomamDownloader -
google: b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa
google: 3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
google: 92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
google: 33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
google: 019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
google: ee8d025c6fea5d9177e161dbcedb98e871baceae33b7a4a12e9f73ab62bb0e38
google: f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
【VT検索】 - SymonLoader -
https://www.virustotal.com/gui/file/8549dcbdfc6885e0e7a1521da61352ef4f084d969dd30719166b47fdb204828a
https://www.virustotal.com/gui/file/31aea8630d5d2fcbb37a8e72fe4e096d0f2d8f05e03234645c69d7e8b59bb0e8
【VT検索】- HomamDownloader -
https://www.virustotal.com/gui/file/b1bb1d5f178b064eb1d7c9cc7cadcf8b3959a940c14cee457ce3aba5795660aa
https://www.virustotal.com/gui/file/3227d1e39fc3bc842245ccdb16eeaadad3bcd298e811573b2e68ef2a7077f6f6
https://www.virustotal.com/gui/file/92e0d0346774127024c672cc7239dd269824a79e85b84c532128fd9663a0ce78
https://www.virustotal.com/gui/file/33665d93ab2a0262551c61ec9a3adca2c2b8dfea34e6f3f723274d88890f6ceb
https://www.virustotal.com/gui/file/019874898284935719dc74a6699fb822e20cdb8e3a96a7dc8ec4f625e3f1116e
https://www.virustotal.com/gui/file/ee8d025c6fea5d9177e161dbcedb98e871baceae33b7a4a12e9f73ab62bb0e38
https://www.virustotal.com/gui/file/f817c9826089b49d251b8a09a0e9bf9b4b468c6e2586af60e50afe48602f0bec
