# Blacktech, CIRCUIT PANDA, Earth Hundun, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

## Software

- Flagpro
- Kivars
- PLEAD
- PsExec
- TSCookie
- Waterbear

[1]

[2]

```
CVE-2015-5119, patched by Adobe last July, 2015
CVE-2012-0158, patched by Microsoft last April, 2012
CVE-2014-6352, patched by Microsoft last October, 2014
CVE-2017-0199, patched by Microsoft last April, 2017
itaiwans[.]com
microsoftmse[.]com
211[.]72[.]242[.]120
```

[3]

[4] - some tweet

```
59.125.119[.]202
apple[.]wikaba[.]com
```

[5]

[6]

```
638cfbe609d7f3e88767133be5ea5f9a75f1d703275f38eb9ec2414e179483b9
220[.]135[.]71[.]92:443 C2
```

[7]

```
mx[.]msdtc.tw
3fefceeab9f845f9ddbe9c3a0712d45aad4c87fdbb178d13955944dbe6b338a3
168.95.1[.]1
```

[8] TsCookie

```
app.dynamicrosoft.com
home.mwbsys.org
fc863fbd71e22c99eaa2b1b0eb72d806cedeb536213e600afb03f0fbea9d2bb3
```

[9] BiFrost

```
107.191.61.247
8fd3925dadf37bebcc8844214f2bcd18
```

```yara
rule RAT_BiFrost_UNIX
{
    meta:
        description = "HUAPI UNIX BiFrost RAT"
        author = "TeamT5"
        date = "2020-04-15"
    strings:
        $hex1 = { 25 ?? 00 00 00 85 C0 75 37 8B 45 F0 89 C1 03 4D 08 8B 45 F0 03 45 08 0F B6 10 8B 45 F8 01 C2 B8 FF FF FF FF 21 D0 88 01 8B 45 F0 89 C2 03 55 08 8B 45 F0 03 45 08 0F B6 00 32 45 FD 88 02 }
        $hex2 = { 8B 45 F0 03 45 08 0F B6 00 30 45 FD 8B 45 F0 89 C1 03 4D 08 8B 45 F8 89 C2 02 55 FD B8 FF FF FF FF 21 D0 88 01 }
    condition:
        all of them
}
```

[10]

[11]

```
https[:]//wwww.uinvest-europe[.]com/pfxg.bin
```

[12] TsCookie

[12] flagpro

[13] plead malware

[1]: https://www.security.com/threat-intelligence/palmerworm-blacktech-espionage-apt
[2]: https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
[3]: https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html
[5]: https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
[6]: https://x.com/ESETresearch/status/1382054011264700416
[7]: https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/
[8]: https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html
[9]: https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/
[10]: https://www.freebuf.com/column/159865.html
[11]: https://x.com/8th_grey_owl/status/1481433481485844483
[12]: https://jp.security.ntt/tech_blog/102hf3q