TT Malware Log

A personal log of investigation, research and reference notes on malware, cyber attacks and analysis techniques

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

【Figures】

(Two figures from the Unit42 report; the images are not reproduced here.)
Source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/


【Blog】

◆OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory (UNIT42(Paloalto), 2020/07/22 06:00)
https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/


【Search】

google: APT34 OR OilRig


【Related summary articles】

Overall summaries
 ◆Attack groups / Actors (summary)
  ◆Targeted attack groups / APT (summary)

◆APT34 (summary)
https://malware-log.hatenablog.com/entry/APT34


【Indicators】

■Hash information (SHA-256) - RDAT -

7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2
8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb
8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a
bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035
f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0
fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c
7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28
ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc
de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9
4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec
acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323
55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358
ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d
6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006

(The above is UNIT42 (Palo Alto) information; source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ )


■Hash information (SHA-256) - Mimikatz -

e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060

(The above is UNIT42 (Palo Alto) information; source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ )


■Hash information (SHA-256) - Bitvise client -

476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae

(The above is UNIT42 (Palo Alto) information; source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ )


■Hash information (SHA-256) - PowerShell downloader -

78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5

(The above is UNIT42 (Palo Alto) information; source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ )


■FQDN - RDAT C2 -

rdmsi[.]com
rsshay[.]com
sharjatv[.]com
wwmal[.]com
allsecpackupdater[.]com
tacsent[.]com
acrlee[.]com
kopilkaorukov[.]com

(The above is UNIT42 (Palo Alto) information; source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ )


■FQDN - Related sites -

digi.shanx[.]icu
tprs-servers[.]eu
oudax[.]com
kizlarsoroyur[.]com
intelligent-finance[.]site

(The above is UNIT42 (Palo Alto) information; source: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ )
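As an added example (not code from the Unit42 report or from this log), the following Python script turns the indicator lists above into a small matcher: it refangs the `[.]` domains, flags DNS queries for those domains or any subdomain of them, and looks up SHA-256 digests against the hash entries. The DNS log lines and file digests it is run against are constructed here for illustration, and the one-query-per-line log layout is an assumption, not a specific product's format.

```python
"""Match the OilRig / RDAT indicators listed above against local data.

Added example, not code from Unit42 or this blog. The domain and hash lists
are copied from the indicator sections; the DNS log lines and file digests
used at the bottom are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Defanged domains copied from the two FQDN lists, with the list each came from.
DEFANGED_DOMAINS: Dict[str, str] = {
    "rdmsi[.]com": "RDAT C2",
    "rsshay[.]com": "RDAT C2",
    "sharjatv[.]com": "RDAT C2",
    "wwmal[.]com": "RDAT C2",
    "allsecpackupdater[.]com": "RDAT C2",
    "tacsent[.]com": "RDAT C2",
    "acrlee[.]com": "RDAT C2",
    "kopilkaorukov[.]com": "RDAT C2",
    "digi.shanx[.]icu": "related site",
    "tprs-servers[.]eu": "related site",
    "oudax[.]com": "related site",
    "kizlarsoroyur[.]com": "related site",
    "intelligent-finance[.]site": "related site",
}

# SHA-256 values from the Mimikatz, Bitvise client and PowerShell downloader entries.
KNOWN_HASHES: Dict[str, str] = {
    "e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060": "Mimikatz",
    "476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae": "Bitvise client",
    "78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5": "PowerShell downloader",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging: 'a[.]b' -> 'a.b', 'hxxp' -> 'http'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Refanged, lower-cased lookup table: real domain -> label.
WATCHLIST: Dict[str, str] = {refang(d).lower(): label for d, label in DEFANGED_DOMAINS.items()}


def domain_match(qname: str) -> Optional[Tuple[str, str]]:
    """Return (watchlist domain, label) if qname is that domain or a subdomain of it.

    The leading '.' in the suffix check keeps 'notrdmsi.com' from matching 'rdmsi.com';
    the trailing dot is stripped so a fully qualified 'rdmsi.com.' still matches.
    """
    name = qname.rstrip(".").lower()
    for domain, label in WATCHLIST.items():
        if name == domain or name.endswith("." + domain):
            return domain, label
    return None


# Assumed log layout (one query per line): "<timestamp> <client-ip> query <type> <qname>".
DNS_QUERY_RE = re.compile(r"\bquery\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)")


def scan_dns_log(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, queried name, matched domain, label) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        found = domain_match(m.group("qname"))
        if found:
            hits.append((lineno, m.group("qname"), found[0], found[1]))
    return hits


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_hashes(sha256_by_path: Dict[str, str]) -> Dict[str, str]:
    """Map each path whose SHA-256 is on the list to its family/tool label (case-insensitive)."""
    return {
        path: KNOWN_HASHES[digest.lower()]
        for path, digest in sha256_by_path.items()
        if digest.lower() in KNOWN_HASHES
    }


# Constructed sample input (not from the report): four queries, two of them hits.
SAMPLE_DNS_LOG = [
    "2020-07-23T09:12:01Z 10.0.0.15 query A update.microsoft.com",
    "2020-07-23T09:12:07Z 10.0.0.15 query TXT mail.rdmsi.com",
    "2020-07-23T09:13:44Z 10.0.0.22 query A notrdmsi.com",
    "2020-07-23T09:14:02Z 10.0.0.22 query A kopilkaorukov.com.",
]

if __name__ == "__main__":
    for lineno, qname, domain, label in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {lineno}: {qname} -> {domain} ({label})")
    # Constructed inventory as a collector might emit it (uppercase digests are tolerated).
    inventory = {
        "C:/Users/Public/m.exe": "E53CC5E62BA15E43877CA2FC1BEE16061B4468545D5CC1515CB38000E22DD060",
        "C:/Users/Public/ok.exe": "00" * 32,
    }
    for path, label in check_hashes(inventory).items():
        print(f"{path}: {label}")
```

The RDAT sample digests listed in the hash section can be added to `KNOWN_HASHES` the same way; `sha256_of_file` is there for running the check over a directory of collected binaries rather than a pre-computed inventory.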


【Search】

google: 7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2
google: 8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb
google: 8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a
google: bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035
google: f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0
google: fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c
google: 7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28
google: ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc
google: de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9
google: 4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec
google: acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323
google: 55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358
google: ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d
google: 6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006

google: e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060

google: 476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae

google: 78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5



【VirusTotal search】

https://www.virustotal.com/gui/file/7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2
https://www.virustotal.com/gui/file/8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb
https://www.virustotal.com/gui/file/8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a
https://www.virustotal.com/gui/file/bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035
https://www.virustotal.com/gui/file/f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0
https://www.virustotal.com/gui/file/fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c
https://www.virustotal.com/gui/file/7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28
https://www.virustotal.com/gui/file/ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc
https://www.virustotal.com/gui/file/de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9
https://www.virustotal.com/gui/file/4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec
https://www.virustotal.com/gui/file/acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323
https://www.virustotal.com/gui/file/55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358
https://www.virustotal.com/gui/file/ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d
https://www.virustotal.com/gui/file/6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006

https://www.virustotal.com/gui/file/e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060

https://www.virustotal.com/gui/file/476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae

https://www.virustotal.com/gui/file/78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5

https://www.virustotal.com/gui/domain/rdmsi.com
https://www.virustotal.com/gui/domain/rsshay.com
https://www.virustotal.com/gui/domain/sharjatv.com
https://www.virustotal.com/gui/domain/wwmal.com
https://www.virustotal.com/gui/domain/allsecpackupdater.com
https://www.virustotal.com/gui/domain/tacsent.com
https://www.virustotal.com/gui/domain/acrlee.com
https://www.virustotal.com/gui/domain/kopilkaorukov.com

https://www.virustotal.com/gui/domain/digi.shanx.icu
https://www.virustotal.com/gui/domain/tprs-servers.eu
https://www.virustotal.com/gui/domain/oudax.com
https://www.virustotal.com/gui/domain/kizlarsoroyur.com
https://www.virustotal.com/gui/domain/intelligent-finance.site


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2020