【訳】
Iron TigerのSysUpdateが再登場、Linuxをターゲットにした機能を追加
【概要】
| 日 | 内容 |
|---|---|
| 2022/04/02 | 弊社最古のWindowsサンプルであるSysUpdateにリンクしたドメイン名の登録 |
| 2022/05/11 | コマンド&コントロール(C&C)インフラがセットアップされた |
| 2022/06/08 | 改ざんされた可能性もあるが、最古のWindowsサンプルのコンパイル日を観測した |
| 2022/07/20 | 最も古いWindowsのサンプルがVirus Totalにアップロードされる |
| 2022/10/24 | 最古のLinuxサンプルがVirus Totalにアップロードされる |
【ブログ】
◆Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting (Trendmicro, 2023/03/01)
[Iron TigerのSysUpdateが再登場、Linuxをターゲットにした機能を追加]
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
| SHA256 |
Command and Control (C&C) |
Malware family |
Detection |
|---|---|---|---|
| 6d9031eb617096439bc8c8f7c32f4a11ffefc4326d99229fc78722873092e400 | oa.88tech.me | Linux Sysupdate (UPX-packed) | Trojan.Linux.SYSUPDATE.A |
| 11f21d08f819dea21a09c602a4391142a5648f3e17a07a24d41418fcc17ea83f | *.ns.mlnrm.com | Linux Sysupdate | Trojan.Linux.SYSUPDATE.A |
| 9add546cb9527f9d7e4930aaddec6e14c70d1400d0d531a9102efd4c83b27dd7 | *.ns.mlnrm.com | Linux Sysupdate (UPX-packed) | Trojan.Linux.SYSUPDATE.A |
| 3ac029e49ca71d948bfe1a7bc691967cf26cb5a731c7807d5be3cf6b579fa8ab | oa.myvandyke.net | Linux Sysupdate (UPX-packed) | Trojan.Linux.SYSUPDATE.A |
| 2ada1b48457c169cf3f80e248190374102615e2c89b70e574fba4ddc09b5fcd5 | oa.myvandyke.net | Linux Sysupdate | Trojan.Linux.SYSUPDATE.A |
| 09a3231a300d794010c3f400617cd0b1b7aab7141735a2b8635a8362584e196d | *.ns.mlnrm.com | Linux Sysupdate (UPX-packed) | Trojan.Linux.SYSUPDATE.A |
| c65c435737ac02132d9dfeb6ec1d7d903648f61ecdda8a85b4250f064cb4673f | ybupdate.me | Linux Sysupdate | Trojan.Linux.SYSUPDATE.A |
| 43ae4e624413a587667027c03416d78b2515ac9081b8c9c967aadb1157f49e55 | *.ns.sportxx.me | Linux Sysupdate | Trojan.Linux.SYSUPDATE.A |
| b92a9dcdcf0bec8cd1e8b701dbf7bd6f7e68473a9e711267a4af8e4be783bb1e | *.ns.sportwo8.me | Linux Sysupdate (UPX-packed) | Trojan.Linux.SYSUPDATE.A |
| 08dd5a9fdc387855fb5a23c167abec63b22272f66de099155036c5ce7e4deeb8 | Linux Sysupdate | Trojan.Linux.SYSUPDATE.A | |
| 1e2b05838edfb0460fc97e2d7bab2271891c55ca0c895d4db30cf2acfaea51d2 | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| d950cc937f4df9ab0bad44513d23ea7ecdfae2b0de8ba351018de5fb5d7b1382 | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| b504ab7a4a35e6deb34536d4663db696918961aadc03662b2c34e89b50ba10a1 | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| a8527a88fb9a48f043a0b762c7431fb52e601b72ff2fa0d35327e5cc72404edc | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| 0daa82650712f2338803521969f7dc7deebba0e34c4797a9e39d99595d7eb423 | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| 9499eabf880a55522c1b78d5afaa9ff34ae958950627ccd15099f2e771c9b0b1 | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| ff6502b16b0c2eebef15964fd6fcc60c23b4afa88bebe99cfc54ee73f11aeb62 | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| 735eddc24aa98f30d8e6839dc8c669f565aa760952af8d00d4f6fbfe6776631d | Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| ba1dabf7ff0a4bca8d7ff6e541b1930fc8328d240ba8a56ede96cc203daf6772 | Probable Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| 2027784b3f0e8e5f6add0aa42c6b9b6ea3e3e1af6373a465cb57b145d24373bf | Probable Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| 76b5fa39d5b519e82e63466df1a6b2068cc9754343efbabf862924557c0fc213 | Probable Windows Sysupdate DLL | Trojan.Win32.SYSUPDATE.BZE | |
| 0cd3df91582551182a0decf662a112e59591cf07f3d107f09df3194f7d498e62 | ybupdate.me | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| 83209d9b8ebd0add8665e533d0948ae4e878ccc21ba5e3b00bea8833b59acf9a | dev.gitlabs.me | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| ba484eebda8dbe07b36eb07fa6c5cbb8d1dcc6638808cdcf7f33d7bab51d2805 | jira.atlas-sian.net | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| 123880edc91f7dc033a769d9523f783f7b426673ee95e9e33654cdfa95a6462c | *.ns.mlnrm.com | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| fac0009d615e98238cf348819b21f0dbbb462653c2257f1c6ef552838894e166 | order.myvandyke.net | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| 39f90ef532307c23f485f6d337fd820651581aeb72f678477bcb106a3d831997 | oa.myvandyke.net | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| ed5047461b2cccac4e81bd9fa73469d69468521174b981b5f76abb450c6fdabe | jira.atlas-sian.net | Windows Sysupdate payload | TrojanSpy.Win64.SYSUPDATE.A.enc |
| cc196ee155bf864071cbeec3ddcd3e2451a37d4296f53a024142c70193b9691d | order.myvandyke.net | Windows Sysupdate packed with VMProtect | TrojanSpy.Win64.SYSUPDATE.A |
| 3f808df5af6889c2219fd4982dd49946535528237cc00530cce5c69c3e7f0e34 | Chrome password and cookie stealer | TrojanSpy.Win32.IRONTHIEF.A | |
| aad2e40411aa08e398cdf7397c7a1b3b7ab2a5ba833b6d65f68b145d51c2ed05 | Chrome password and cookie stealer | TrojanSpy.Win32.IRONTHIEF.A | |
| c256b85747ad81e3f3f6c49ce496e77f024b302f921cb007a5f5375ac5b672d7 | Chrome password and cookie stealer | TrojanSpy.Win32.IRONTHIEF.A |
