Synthetic Threat Intelligence report generated by GPT2

Checkerboard Spider:

https://blog.talosintelligence.com/2020/10/cve-2018-0158-analysis-of-apt-group-targets-minority-organizations/

6/10

10/12/2020

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: APT Group Targets Minority Organizations | WeLiveSecurity

The APT group was active from January 2019 to March 2020, but was not observed in any of the samples analyzed. The threat actor has been active since at least 2018, and it is believed that the threat actor is still active at this time. However, this group is not a new threat actor. In June 2019, Talos detected the threat actor in a campaign against a U.S.-based video game company that targeted a U.S.-based video game company. The actor used a new remote access trojan (RAT) to perform reconnaissance on the company’s video game system. This RAT is a backdoor that allows the actor to steal video game files. The actor leveraged a previously unknown tool called nmap, which was developed by a local administrator at the company, to download and execute additional malicious code. The actor used the nmap command to download and execute additional malicious code, as well as a legitimate Java file called Inject.jar. Inject.jar is a legitimate Java file that is used to download additional malicious code from the infected system. Inject.jar contains code that is used to download additional malicious code from the infected system. The malicious code downloaded from the infected system has been analyzed in detail in the next section. The malware is designed to evade detection by Windows Defender products and is likely developed for use in targeted attacks. In this attack, the actor used an exploit kit that was compiled using the same exploit kit as the one described in the previous section. The malware is written in C++. The actor has used the following obfuscation techniques to hide its malicious code in the memory:

• The code obfuscated the embedded code in the code (the obfuscation technique described in this section) and uses a hardcoded string to store the embedded code within the malicious code to evade detection

• The obfuscation technique used by the code obfuscate the embedded code in the code (the string obfuscation technique described in this section) The code is designed to hide its malicious code in the memory to avoid detection by Microsoft Visual Studio applications

• The obfuscated code is used to hide the obfuscation technique that is used to hide the embedded code in the memory in the memory of the memory of the infected system This is a technique that is used to avoid detection by Microsoft Visual Studio applications

• The obfuscation technique is used to hide the embedded code in the memory of the infected system (the code obfuscated by the string obfuscation technique described in this section)

• The code is obfuscated using the same technique that is used to hide the embedded code in the memory of the infected system (the code obfuscated by the string obfuscation technique described in this section) The code is obfuscated using the same technique that is used to hide the embedded code in the memory of the infected system

• The code obfuscation technique is used to obfuscate the embedded code in the memory of the infected system (the code obfuscated by the string obfuscation technique described in this section)

The code has an internal name of “hxxp://”, which is an internal name of the Windows Command and Control server (e.g. “winmgt.com”). This information is not encrypted, so it is used to hide the malicious code in the memory of the infected system. The code is then executed using the malware to encrypt the embedded code and then execute it using a randomly generated key to encrypt the embedded code. The malware performs the following actions:

  1. It checks the system name of the system.
  2. It retrieves the name of the current process (e.g. “winmgt.com”) and checks if the system name is “winmgt.com”.
  3. It checks if the process name of the system is “winmgt.com” and if it is “winmgt.com”.
  4. It tries to determine if the file “winmgt.com” is running in the system. It then checks if the file “winmgt.com” is running in the system. The malware uses the following command to get the system name: “winmgt.com”: winmgt.com.exe (c:\windows\system32\winmgt.com.exe)
  5. It tries to set the file “winmgt.com” to “winmgt.com.exe” and then starts the “winmgt.com”'