{"id":683,"date":"2020-01-09T18:46:38","date_gmt":"2020-01-09T17:46:38","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=683"},"modified":"2020-01-10T22:25:38","modified_gmt":"2020-01-10T21:25:38","slug":"icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu\/","title":{"rendered":"TA428 Group abusing recent conflict between Iran and USA"},"content":{"rendered":"\n<p style=\"text-align:left\">Recently, a suspicious document caught our attention due to its recent creation date (06-01-2020) and its title \u201cHow Swuleimani&#8217;s death will affect India and Pakistan.doc\u201d, which is directly related to recent political events between Iran and the USA.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/01\/Captura-de-pantalla-de-2020-01-09-16-44-17.png\" alt=\"\" class=\"wp-image-682\" width=\"417\" height=\"479\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/01\/Captura-de-pantalla-de-2020-01-09-16-44-17.png 659w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/01\/Captura-de-pantalla-de-2020-01-09-16-44-17-261x300.png 261w\" sizes=\"(max-width: 417px) 100vw, 417px\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align:left\">The document is in RTF format and contains an OLE object related to the Equation Editor. In recent years, such OLE objects have been a good indicator that a document may aim to exploit the CVE-2018-0798 vulnerability in order to deliver some kind of malware. This particular document turns out to be one of these cases, and does so by dropping a binary called 8.t in the user's \u201c%TEMP%\u201d folder.<\/p>\n\n\n\n<p style=\"text-align:left\">Up to this point, everything coincides in terms of TTPs with what is described in the following report from Proofpoint, related to a suspected Chinese cybercrime group known as <a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/chinese-apt-operation-lagtime-it-targets-government-information-technology\">TA428<\/a>.<\/p>\n\n\n\n<p style=\"text-align:left\">After this infection chain, what we get is a DLL executable file with the \u201c.wll\u201d extension used for \u201cWord.addin.8\u201d files, installed in the path \u201c%APPDATA%\\Microsoft\\Word\\STARTUP\u201d, which causes MS Word to load this &#8220;.wll&#8221; executable at its next startup (this also coincides with the TTPs described in the Proofpoint post).<\/p>\n\n\n\n<p style=\"text-align:left\">This DLL consists of a packed version of a PoisonIvy RAT sample that, after a few seconds, communicates with the C2 server &#8220;95.179.131.29&#8221; over port 443 and, in case of error, over port 8080 using HTTP traffic.<\/p>\n\n\n\n<p style=\"text-align:left\">The IP address is part of the infrastructure that appears in the Proofpoint post, indicating that it is probably the same actor reusing its old infrastructure in a new campaign, taking advantage of the conflict mentioned at the beginning of the article.<\/p>\n\n\n\n<p style=\"text-align:left\">It is always critical to remain alert to any attachment related to a recent geopolitical conflict; as previously stated, attackers usually take advantage of such events as a means of infecting their victims through this kind of phishing campaign.<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>Document <br>SHA256<\/td><td>0eb7ba6457367f8f5f917f37ebbf1e7ccf0e971557dbe5d7547e49d129ac0e98<\/td><\/tr><tr><td>Poison Ivy<br>SHA256<\/td><td>02dec90a18545d4bfbac5de19c6499142e141c3c0abaecdc8ac56b8eede167aa<\/td><\/tr><tr><td>Poison Ivy<br>C2<\/td><td>95.179.131.29<\/td><\/tr><\/tbody><\/table>\n","protected":false},"excerpt":{"rendered":"<p>Recently, a suspicious document has caught our attention due to its recent creation date (06-01-2020) and its title \u201cHow Swuleimani&#8217;s death will affect India and Pakistan.doc\u201d which is directly related to recent political events between Iran and the USA. The document is in RTF format, and has an OLE object related with the Equation Editor. [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":705,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-683","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/01\/Captura-de-pantalla-de-2020-01-10-22-30-55.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2020\/01\/Captura-de-pantalla-de-2020-01-10-22-30-55.png","author_info":{"display_name":"JagaimoKawaii","author_link":"https:\/\/lab52.io\/blog\/author\/jagaimokawaii\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/683"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=683"}],"version-history":[{"count":14,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/683\/revisions"}],"predecessor-version":[{"id":700,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/683\/revisions\/700"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/705"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}