• Skip to primary navigation
  • Skip to main content
  • Skip to footer
lab52

lab52

The threat intelligence division of S2 Grupo

  • Home
  • Faq
  • Blog
  • About
  • Contact

TA428 Group abusing recent conflict between Iran and USA

January 09, 2020

Recently, a suspicious document has caught our attention due to its recent creation date (06-01-2020) and its title “How Swuleimani’s death will affect India and Pakistan.doc” which is directly related to recent political events between Iran and the USA.

The document is in RTF format, and has an OLE object related with the Equation Editor. During the last years, this OLE objects have been a good indicator that a document may aim to exploit the CVE-2018-0798 vulnerability in order to infect with some kind of malware. This particular document turns out to be one of these examples, and does it by dropping a binary called 8.t. in the “% TEMP%” folder of the user.

Up to this point, everything coincides in terms of TTPs with what is described in the following report, from ProofPoint related with a suspected Chinese cybercrime Group known as TA428.

After this infection chain, what we get is a DLL executable file with extension “.wll” used for “Word.addin.8” files, that is installed in the path “%APPDATA%\Microsoft\Word\STARTUP” which causes that MSWord at the next application startup to load this “.wll” executable file. (Which also coincides with the TTPs described in the previous post)

This DLL consists in a packed version of a PoisonIvy RAT sample, that after a few seconds makes traffic to the C2 server “95.179.131.29”, through port 443, and in case of error, through port 8080 using HTTP traffic.

The IP address is part of the infrastructure that appears in the post, indicating that it is probably the same actor reusing his old infrastructure in a new campaign, taking advantage of the conflict mentioned at the beginning of the article.

It is always critical to remain alert with any attachments that is related to any recent geopolitical conflict, as previously stated, the attackers usually take advantage of them as a mean of infecting their victims through this kind of phishing campaings.

Document
SHA256
0eb7ba6457367f8f5f917f37ebbf1e7ccf0e971557dbe5d7547e49d129ac0e98
Poison Ivy
SHA256
02dec90a18545d4bfbac5de19c6499142e141c3c0abaecdc8ac56b8eede167aa
Poison Ivy
C2
95.179.131.29

JagaimoKawaii

Reader Interactions

Comments

  1. AvatarLana says

    January 10, 2020 at 15:16

    https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

    Proofpoint does not track TA428 as Icefog. We believe Icefog is a distinct group. The signature written by Florian Roth that detects as Icefog is identifying RTF obfuscation artifact strings that are present in a shared builder utilized by multiple Chinese Groups including Icefog and TA428. In this cases TA428 is closer to what has historically been tracked as the Maudi Surveillance Operation.

    Reply
    • AvatarJagaimokawaii says

      January 13, 2020 at 09:06

      Yes, it’s been my mistake mixing different sources, allready corrected.

      Thanks for the advice! 🙂

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related

GRU: Military Unit 54777
February 03, 2025
GRU military unit 29155
October 11, 2024
Tags: cyberwar, GRU
Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)
February 19, 2024
Tags: Backdoor, Kazuar, Pelmeni Wrapper, Trula, Wrapper

Footer

Copyright &copy Lab52 2019 by S2 Grupo | Legal notice | Cookie policy | Privacy policy