Analysis of the Latest Attack Activity of the APT-C-35 Group (Donot Team)

In March 2017, the 360 Helios Team identified a class of targeted-attack samples and confirmed them as the work of a previously unknown APT group; the group's activity can currently be traced back to at least April 2016. The Helios Team assigned the group the designation APT-C-35. In June 2017, 360 Threat Intelligence Center discovered new activity from the group, confirmed and exposed its targeted campaign against Pakistan, and analyzed in detail the group's proprietary EHDevel malware framework (see reference [1]).

In March 2018, the foreign security team ASERT went on to disclose the group's new malware framework, yty, and named the group Donot after the machine user name found in its PDB paths. Since the group's activity was discovered independently by 360 and first disclosed by 360 worldwide, it meets 360 Threat Intelligence Center's criteria for independently naming an APT group. Accordingly, with reference to the existing foreign name and to 360 Threat Intelligence Center's naming rules for APT groups, we formally name APT-C-35 the "肚脑虫" group (a phonetic rendering of Donot).

APT-C-35 mainly conducts cyber-espionage against Pakistan and other South Asian countries. It primarily attacks government agencies and similar sectors, with the theft of sensitive information as its main goal. Since 2017 the group has launched at least four waves of attacks against Pakistan. The attacks mostly deliver malicious code through spear-phishing emails carrying Office exploits or malicious macros, and have successively used two proprietary malware frameworks: EHDevel and yty.

Since first discovering the group's activity, 360 Threat Intelligence Center has kept it under continuous tracking. Recently we again tracked a new campaign by the group that uses a relatively recent Office N-day vulnerability, and we analyzed in detail the latest yty-framework malware used in the attack.

Activity Timeline

The timeline of 360 Threat Intelligence Center's and the 360 Helios Team's tracking and analysis of APT-C-35 activity is as follows:

Source

In late June 2018, while tracking malicious code, 360 Threat Intelligence Center discovered an APT sample suspected of being part of a targeted attack. Through in-depth analysis of the sample and correlation on the 360 Threat Intelligence Center data platform, we confirmed it to be a follow-on to the targeted campaign that 360 Threat Intelligence Center first exposed in early 2017 (see reference [1] for details).

Sample Analysis

The captured decoy document is named kahsmirissue abida.doc (the Kashmir issue). The southern part of Kashmir is administered by India and the northern part by Pakistan; both countries claim sovereignty over the whole of Kashmir, and the region has long been the subject of a territorial dispute. We therefore initially inferred that the attack mainly targets countries in or near that region.

Execution Flow

The overall attack flow is as follows:

Dropper (CVE-2017-8570)

The discovered sample is an exploit document named kahsmirissue abida.doc. It contains three Objdata objects: two Package objects and one OLE2Link object carrying the CVE-2017-8570 exploit. The sample abuses the RTF feature that automatically drops Package objects to write the two embedded Package objects to the %TMP% directory; it then triggers CVE-2017-8570 to execute the dropped malicious script, which in turn executes the dropped EXE file. The Objdata object containing the exploit is shown below:

The FileMoniker in the exploit's OLE2Link object points to the script _JVGHBCYYKRAE2DU.sct, which is executed when the exploit triggers. Its main function is to run the Setup.exe dropped in the %TMP% directory:

Downloader (Setup.exe)

The dropped Setup.exe is a downloader written in C++. It first creates a mutex named "toptwo" to ensure that only one instance runs on the system:

It then creates a debug file named lset.txt in the %APPDATA%Roaming/HexRun directory and writes some runtime information to it:

It also creates a kt.bat file in %APPDATA%Roaming/HexRun and launches it by spawning a CMD.exe process:

The main function of kt.bat is to create a scheduled task that runs %APPDATA%Roaming/HexRun/Setup.exe every 5 minutes, starting from the current time:

The resulting scheduled task looks like this:

After setting up the scheduled task, the sample begins collecting system information, starting with disk information:

It obtains the MAC address:

It also checks whether it is running in a virtual machine and sends that information to the attacker's server along with the rest:


It then collects the computer name, user name, the file names under Program Files, the OS version number and other information, and joins everything into a single string delimited by "|||":

Next it fetches the contents of a Google Docs file to use as the C2 address:

The fetched file is named customer.txt and contains the C2 address tes.sessions4life.pw; if the fetch fails, the hard-coded C2 address aoc.sessions4life.pw is used instead.

It then copies itself into the %AppData%/Roaming/Hexrun directory:

It then contacts the C2, AES-encrypting the collected information and POSTing it to tes.sessions4life.pw/football/goal:

When the C2 replies "win", the sample proceeds to the download stage. If .NET is not installed on the system, the sample first downloads the .NET Framework from tes.sessions4life.pw/jszx/jquery/3x/simple.exe and installs it:

If .NET is already installed, it first AES-encrypts the collected string 'computer name-user name-MAC address|||work.exe' and POSTs it to tes.sessions4life.pw/football/download/3/work.exe to obtain work.exe. It then encrypts 'computer name-user name-MAC address|||boothelp.exe' and POSTs it to tes.sessions4life.pw/football/download/2 to obtain boothelp.exe. The main function of work.exe is to start boothelp.exe:
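As an added example (not code from the report or from the samples), the following Python scans constructed endpoint log lines for the downloader chain described above: execution out of the HexRun directory, a 5-minute scheduled task that points into AppData, and requests to the sessions4life.pw hosts or to the /football/ and /panel/bigdata/ URI pattern. The log format, the process and host names and the exact schtasks flags are assumptions; the report states the interval but not the command line. The first-stage C2 lookup goes to docs.google.com, a legitimate domain, so that fetch on its own is deliberately not alerted on; the URI rule exists so that a rotated C2 host still trips on the path scheme.

```python
"""Added example: detection of the Setup.exe downloader behaviour described
in the report, run over constructed log lines. Not code from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Network indicators taken from the report's IOC section.
C2_HOSTS = {
    "tes.sessions4life.pw", "aoc.sessions4life.pw", "qwe.sessions4life.pw",
    "mon.sessions4life.pw", "qwe.drivethrough.top", "5.135.199.0",
}
# URI prefixes used by the downloader/backdoor (/football/) and the plugins (/panel/bigdata/).
C2_URI_PREFIXES = ("/football/", "/panel/bigdata/")
# Staging directories named in the report; matched against the lower-cased line.
PATH_INDICATORS = ("\\hexrun\\", "\\lanconfig\\", "\\vstservice\\vstservice")
# Assumption: a 5-minute repeating task created with "schtasks /sc minute /mo 5".
SCHTASKS_5MIN = re.compile(r"/sc\s+minute\s+/mo\s+5\b", re.IGNORECASE)

# Constructed log format: '<KIND> key=value key="quoted value" ...'
KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


@dataclass(frozen=True)
class Alert:
    rule: str
    line_no: int
    evidence: str


def parse(line: str) -> tuple[str, dict[str, str]]:
    """Split a log line into its kind (PROC/NET) and its key=value fields."""
    kind, _, rest = line.partition(" ")
    fields = {}
    for m in KV.finditer(rest):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return kind, fields


def scan(lines: list[str]) -> list[Alert]:
    """Return one Alert per matching rule per line."""
    alerts = []
    for no, line in enumerate(lines, 1):
        kind, f = parse(line)
        if kind == "PROC":
            image, cmdline = f.get("image", ""), f.get("cmdline", "")
            text = f"{image} {cmdline}".lower()
            if any(p in text for p in PATH_INDICATORS):
                alerts.append(Alert("yty_staging_path", no, image))
            is_schtasks = image.lower().endswith("schtasks.exe")
            if is_schtasks and SCHTASKS_5MIN.search(cmdline) and "appdata" in cmdline.lower():
                alerts.append(Alert("schtasks_5min_appdata", no, cmdline))
        elif kind == "NET":
            host, uri = f.get("host", "").lower(), f.get("uri", "")
            if host in C2_HOSTS:
                alerts.append(Alert("known_c2_host", no, host))
            elif uri.startswith(C2_URI_PREFIXES):
                # Same URI scheme on infrastructure not yet in the IOC list.
                alerts.append(Alert("c2_uri_pattern", no, host + uri))
    return alerts


# Constructed sample log following the chain described in the report.
SAMPLE_LOG = [
    r'PROC pid=1234 image=C:\Users\alice\AppData\Roaming\HexRun\Setup.exe cmdline="Setup.exe"',
    r'PROC pid=1240 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Users\alice\AppData\Roaming\HexRun\kt.bat"',
    r'PROC pid=1250 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /sc minute /mo 5 /tn HexRun /tr C:\Users\alice\AppData\Roaming\HexRun\Setup.exe"',
    r'NET pid=1234 method=GET host=docs.google.com uri=/uc?id=PLACEHOLDER_DOC_ID&export=download',
    r'NET pid=1234 method=POST host=tes.sessions4life.pw uri=/football/goal',
    r'NET pid=1234 method=POST host=rotated.example.invalid uri=/football/download/3/work.exe',
    r'PROC pid=3000 image="C:\Program Files\Vendor\app.exe" cmdline="app.exe --update"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule} <- {a.evidence}")
```

Lines 1 to 3 each trip the staging-path rule (line 3 also trips the scheduled-task rule), line 5 matches a known host, line 6 matches only on the URI scheme, and lines 4 and 7 produce nothing.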

Backdoor (Boothelp.exe)

Boothelp.exe is a backdoor written in C#; it downloads and executes plugins according to the commands returned by the C2. As in Setup.exe, the strings in boothelp.exe are stored fully reversed and then Base64-encoded. The decoding routine is as follows:
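The transform described above, reverse the string and then Base64-encode it, is simple to undo in bulk. The Python below is an added example and not the samples' own code: it implements the forward transform, its inverse, and a scanner that pulls Base64-looking runs out of a raw byte blob (a dumped string section, for instance) and keeps only those that decode to printable text. The sample blob is constructed from indicators quoted in the report; the same decoder applies to the Base64-encoded football/download2 path mentioned in the correlation section.

```python
"""Added example: undoing the reverse-then-Base64 string storage the report
describes for Setup.exe and boothelp.exe. Not code from the samples."""
import base64
import re


def encode_reversed_b64(s: str) -> str:
    """The storage transform as described: reverse the string, then Base64."""
    return base64.b64encode(s[::-1].encode("utf-8")).decode("ascii")


def decode_reversed_b64(token: str) -> str:
    """Inverse: Base64-decode, then reverse the result."""
    return base64.b64decode(token, validate=True).decode("utf-8")[::-1]


# Runs of Base64 alphabet characters long enough to be worth trying.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def recover_strings(blob: bytes, min_len: int = 4) -> dict:
    """Scan raw bytes for Base64 runs, apply the inverse transform and keep
    only results that look like text. Returns {token: plaintext}.
    Ordinary words also match the run pattern, so the decode step and the
    printable check act as the filter."""
    found = {}
    for m in B64_RUN.finditer(blob):
        token = m.group().decode("ascii")
        if len(token) % 4:          # not a whole number of Base64 groups
            continue
        try:
            plain = decode_reversed_b64(token)
        except (ValueError, UnicodeDecodeError):
            continue
        if len(plain) >= min_len and plain.isprintable():
            found[token] = plain
    return found


# Constructed blob: three encoded strings built from the report's own
# indicators, NUL-separated and mixed with filler that must not decode.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00",
    encode_reversed_b64("toptwo").encode(),
    b"football",                     # plain word: fails to decode as UTF-8
    encode_reversed_b64("football/goal").encode(),
    b"AAAAAAAAAAAA",                 # decodes to NUL bytes: not printable
    encode_reversed_b64("tes.sessions4life.pw").encode(),
])

if __name__ == "__main__":
    for token, plain in recover_strings(SAMPLE_BLOB).items():
        print(f"{token} -> {plain}")
```

The mutex name "toptwo" stored this way is the token b3d0cG90: Base64 of "owtpot", which reverses back to the original.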

The boothelp C2 address is likewise obtained via Google: http://docs.google.com/uc?id=1wUaESzjGT2fSuP_hOJMpqidyzqwu15sz&export=download

A C2 address is also hard-coded: aoc.sessions4life.pw

The backdoor collects the computer name, user name and MAC address, AES-encrypts them and POSTs the result to aoc.sessions4life.pw/football/flag:

The AES encryption routine:

Finally it processes the returned data and checks whether the command names a plugin that needs to be downloaded. If so, the string "computer name-user name-MAC address|||plugin name" is AES-encrypted and sent to aoc.sessions4life.pw/football/download/2 or aoc.sessions4life.pw/football/download/5 to fetch the plugin, which is then executed:

During our debugging, the data returned by the C2 listed 7 plugins, but we were only able to retrieve and analyze five of them:

The plugin functions are as follows:

Plugin name       Function
dspcheck.exe      Screenshot plugin
mdriver.exe       Keylogger plugin
abode.exe         Selective file upload plugin
vstservice.exe    File listing plugin
mboard.exe        System information plugin
cell.exe          Unknown
bro.exe           Unknown

Backdoor – Plugins

A detailed analysis of the downloaded backdoor plugins follows:

vstservice.exe

vstservice.exe is a .NET program whose function is to collect files and send them to the C2. Consistent with the earlier files, its C2 also comes from Google: the document is named goods.txt and contains qwe.sessions4life.pw. As with the samples analyzed above, this plugin also hard-codes a C2: mon.sessions4life.pw


The routine that obtains system disk information:

If a disk is a fixed disk and there is no file ending in .man in the %appdata%/Roming/vstservice/vstservice directory, it collects files from that disk:

It collects sensitive documents on the disk such as .ppt/.doc/.pdf/.rtf files:

Files of the above types are recorded in "disk name.doc" in the %appdata%/Roming/vstservice/vstservice directory, in the format file name>file size>last modified time:

Files of other types are recorded in "disk name.man" in the same %appdata%/Roming/vstservice/vstservice directory:

The files are then sent to the C2: mon.sessions4life.pw/panel/bigdata/file_upload

abode.exe

This file's main function is to upload the files generated by the other plugins, as well as files specified by C2 commands (vstservice.exe has its own C2 communication capability; the other plugins do not, so vstservice.exe's files are excluded). As with the other files in the yty framework, the C2 of abode.exe also comes from Google, and it uses the same C2 as vstservice.exe:

It periodically sends the files generated by the other plugins to the C2, and sends specified files according to C2 commands:

Obtaining the files generated by the plugins:

It then encrypts "computer name-user name-MAC address", sends it to mon.sessions4life.pw/panel/bigdata/orderfile and receives the name of the file to upload:

Uploading the specified file to mon.sessions4life.pw/panel/bigdata/file_upload:

mdriver.exe

The mdriver.exe plugin is a keylogger written in C++. Its main function is to record keyboard input and save it under the %user%/LanConfig/mdriver/mdriver directory:

The saved keystroke log has the following format:

dspcheck.exe

A screenshot plugin that takes a screenshot every five minutes and saves it under %user%/LanConfig/dspcheck/dspcheck.exe with a file name in the format "day month year hour minute second":

mboard.exe

mboard.exe is packed with UPX; after unpacking, string information shows it is written in Go. The plugin spawns multiple CMD processes to run commands that gather system information and saves the output under %user%/LanConfig/mboard/mboard with a .qr extension. It then collects doc, pdf, msg and other files from the system and saves them in the %user%/LanConfig/mboard/mboard directory:

The CMD commands are listed in the table below:

Command                Function
dir /a /s <drive>:     List the files on the drive
systeminfo             System information
ipconfig /all          IP configuration
net view               Computers in the current domain
tasklist               Process list
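Individually, each command in the table is routine administrator activity; what distinguishes the plugin is that one parent process runs all of them within seconds. The Python below is an added example, not code from the report or the plugin, that flags a parent which spawns at least three distinct commands from the table inside a short window. The events, process ids and timestamps are constructed; ppid 1300 stands in for mboard.exe and ppid 900 for an administrator running two of the same commands half an hour apart.

```python
"""Added example: flagging a burst of host-discovery commands spawned by one
parent process, the pattern the mboard.exe plugin produces. Not code from
the report; events and timestamps are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# The five commands listed in the report, anchored at the start of the
# command line once a leading "cmd.exe /c" wrapper has been stripped.
DISCOVERY = {
    "dir_recursive": re.compile(r"^dir\s+/a\s+/s\b", re.IGNORECASE),
    "systeminfo":    re.compile(r"^systeminfo\b", re.IGNORECASE),
    "ipconfig_all":  re.compile(r"^ipconfig\s+/all\b", re.IGNORECASE),
    "net_view":      re.compile(r"^net\s+view\b", re.IGNORECASE),
    "tasklist":      re.compile(r"^tasklist\b", re.IGNORECASE),
}
CMD_WRAPPER = re.compile(r'^"?\S*cmd(?:\.exe)?"?\s+/c\s+', re.IGNORECASE)


def classify(cmdline: str) -> str | None:
    """Map a process command line to a discovery label, or None."""
    inner = CMD_WRAPPER.sub("", cmdline.strip(), count=1)
    for label, pattern in DISCOVERY.items():
        if pattern.search(inner):
            return label
    return None


def find_discovery_bursts(events, window=timedelta(seconds=60), threshold=3):
    """events: iterable of dicts with ts (datetime), ppid and cmdline.
    Returns [(ppid, sorted labels)] for every parent that ran at least
    `threshold` distinct discovery commands inside some `window`-long span."""
    by_parent = defaultdict(list)
    for e in events:
        label = classify(e["cmdline"])
        if label:
            by_parent[e["ppid"]].append((e["ts"], label))
    hits = []
    for ppid, seq in by_parent.items():
        seq.sort()
        for t0, _ in seq:
            labels = {lbl for t, lbl in seq if t0 <= t <= t0 + window}
            if len(labels) >= threshold:
                hits.append((ppid, sorted(labels)))
                break
    return hits


def _ev(ts: str, ppid: int, cmdline: str) -> dict:
    return {"ts": datetime.fromisoformat(ts), "ppid": ppid, "cmdline": cmdline}


# Constructed events: ppid 1300 stands in for mboard.exe; ppid 900 is an
# administrator running two of the same commands half an hour apart.
SAMPLE_EVENTS = [
    _ev("2018-07-01T09:00:00", 900, r"C:\Windows\System32\cmd.exe /c ipconfig /all"),
    _ev("2018-07-01T09:30:00", 900, "cmd.exe /c tasklist"),
    _ev("2018-07-01T10:00:00", 1300, "cmd.exe /c systeminfo"),
    _ev("2018-07-01T10:00:02", 1300, "cmd.exe /c ipconfig /all"),
    _ev("2018-07-01T10:00:03", 1300, "cmd.exe /c net view"),
    _ev("2018-07-01T10:00:05", 1300, "cmd.exe /c tasklist"),
    _ev("2018-07-01T10:00:06", 1300, "cmd.exe /c dir /a /s C:"),
    _ev("2018-07-01T10:00:07", 1300, "notepad.exe"),
]

if __name__ == "__main__":
    for ppid, labels in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"ppid {ppid}: {', '.join(labels)}")
```

The window and threshold are tuning knobs: the plugin runs all five commands back to back, so a 60-second window with a threshold of three catches it while leaving the spaced-out administrator session alone.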

Attribution and Correlation

Through correlation analysis of the PDB paths and domains/IPs used in this attack, and by pivoting on related samples and network infrastructure with the 360 Threat Intelligence Center analysis platform, we confirmed that the group behind this attack is APT-C-35, the APT group targeting Pakistan that 360 Threat Intelligence Center first exposed in early 2017.

PDB Correlation

In the analyzed downloader Setup.exe we found a distinctive PDB path:

Based on its PDB path and code characteristics we determined that the sample uses the yty malware framework; its PDB path is consistent with that of the dspcheck.exe plugin disclosed by ASERT (see reference [3] for details):

Domain Correlation

Searching the 360 Threat Intelligence Center data platform for the C2 domain tes.sessions4life.pw used in the sample, the lower-left corner shows that a related report has already been indexed:

That report cites the analysis of APT-C-35 activity that 360 Threat Intelligence Center published in June 2017: "Analysis of an APT Campaign Targeting Pakistan"

It can be seen that the domain tes.sessions4life.pw used in this incident was already in use by the group in 2017:

We also found a Base64-encoded directory name, football/download2, in Setup.exe:

We attempted to retrieve files from tes.sessions4life.pw/football/download2 and successfully downloaded a file named helpdll.dll. The file is written in C#, and analysis shows that its structure is essentially the same as that of the boothelp.exe disclosed by ASERT:

In the getGoogle method of helpdll.dll we likewise found a Google document download address (https://drive.google.com/uc?authuser=0&id=1BUuYXU6bLdH_k_NWQIo7n5Uo_7L-uZSu&export=download); the downloaded file is named ip2.txt and contains a single IP address: 5.135.199.0.

Querying that IP on the 360 Threat Intelligence Center data platform also correlates it to the APT-C-35 group (named Donot by ASERT in May 2018).

We can therefore confirm that the APT attack sample captured by 360 Threat Intelligence Center in this case, the earliest disclosed APT samples targeting Pakistan with the EHDevel malware framework, and the yty-framework APT samples disclosed by the foreign security company all come from the same APT group: APT-C-35.

Big-data correlation analysis by 360 Threat Intelligence Center shows that all access to the C&C addresses originated from Pakistan, confirming that APT-C-35's latest attack target is still Pakistan.

Attribution Correlation Graph

360 Threat Intelligence Center's attribution and correlation process for the attack samples in this case is as follows:

Extended Findings

Through sample analysis and big-data correlation, 360 Threat Intelligence Center obtained most of the sample MD5s, PDB paths and C&C addresses used by the APT-C-35 group in recent years (see the IOC section), and discovered many previously unpublished samples and C&C addresses belonging to the group:

For example, the sample with PDB path D:SoftDevelopedCode_Lastyty2.0 – CopyRelease.Netvstservice.pdb has the same functionality as the vstservice.exe analyzed in the plugin section and was compiled on 2018.4.10:

As with the other samples, this sample's C2 address also comes from Google: http://docs.google.com/uc?id=1xCEI_NZX9HQIq5bkpd7FsamzWFvmiC6Q&export=download

The returned document is named mnpby.txt and contains a brand-new C2 address: qwe.drivethrough.top

Summary

Since 360 Threat Intelligence Center first disclosed APT-C-35's activity in 2017, the group has kept updating its tooling, moving from the EHDevel framework to the current yty framework. Compared with the version captured three months ago, the framework captured this time has the same functionality, but all of its strings are now reversed and then Base64-encoded, and data is no longer transmitted in plaintext: the collected system information is AES-encrypted before being sent. All indications are that APT-C-35 has never halted its activity and may well launch new cyber-espionage attacks in the near future.


At present, the full product line built on 360 Threat Intelligence Center's threat intelligence data, including the 360 Threat Intelligence Platform (TIP), the Skyeye Advanced Threat Detection System and 360 NGSOC, already supports detection of this APT group's attack activity.

IOC

C&C

qwe.drivethrough.top

qwe.sessions4life.pw

aoc.sessions4life.pw

mon.sessions4life.pw

tes.sessions4life.pw

5.135.199.0

MD5s of yty-framework malicious files

f422bc9c0d0b9d80d09ee1fc7aed3682

3fca54599f30f248246f69290c07696e

e534cf9606a1b9f9a05c6c5514603f77

ff630e55e7278aab1683c7fdc23e9aa9

56e2df3cd980763b2a81e83a452383ff

1278dbbcb4b7e6696c3c4bddc899001e

4c2e7108aecafc0dec046a0365ce4471

7075cd558285d7477486c2d4558616a9

603286d46d1909e0c18d6664576f6259

6afdc230df3b88232eeafa96abb18190

c3b46c33b58d11fce800a5ec497fdd7a

1d5e98fc11a1fc4e166010ba78ef907d

004d7a567705f9d780e52db6531ee7de

317bbfaf910403152b8d05fc97648944

136f84e3fc794e99df35a3ab56b7998b

86828e3b5bf5daf35988339815b5991e

3d2fa81fb093136655e046b80cdb4242

52ac6664478a32b5cabdaa54278b4229

c82bb37071e2db07c128042f9b22af0f

MD5s of EHDevel-framework malicious files

0158315f683dfee6d4d906b776e5229c

01710a4b3ea78b63dc9076dbeff6629c

022f7646c6eb3f91baba88105a2b3eda

029f25e50d98f602e966ee8b7858fd88

03db95ef308d88ebb7f8b8c7cc157dff

04b3610c4857c0cbd2608885f46cd18c

066c1c5b0405bcf35cd583aed2f79235

0676f6c5414691310ed75ad0ffe41819

06e077a9d3777df42e97fafb01c8beae

08feae41e8622595c30c12aafcdc8594

09041eeb065709c0a6946a62dd350e13

0be3ccbbd88e72e90a78cdc314f200c2

0c669f4bf656eadadad76fae3cd3fd3a

0d16496069ee7c998f2975d8e8475781

0d195b660596810172bb3874bebcd470

0f90989277ece07337f4eb28f004e04b

11836203fc84f5581d249330c5099573

12770f49e6e4180263733515b1cfb1b5

154ee0c3bb8250cae00d5ed0e6f894b4

180431cf5adbd2a9f23e20950c4cb03f

1a392f6145755a6c94b475d06d68ed6a

1d90a398a721ea2a0dfcf99990a88b15

21d26dd1cfbd8105d732ea38dea8c7d0

22c577ce2426e6498c585a03055c62a6

232fba01682fda9c45c30bde970828a1

265f854bbdddf6622192bbe640391d2b

292a3d40f58b9798c1bb6d8a7d210585

2c2d04507e7c227f496ac569a149745b

2de11dfee67c690636f5e6f7225e813a

2fec52f10a4037d5c6749f9e3b27b23a

30d014883489bee0ad5919ac161c06ce

3520b051a02ec0c29891adf487d7817c

3712614ae6591086d78a2876fa0c84bb

39ecdafabd014884445e7161af76e5f7

3a204440803713c0181a831506fdbb36

3c02d149a36bbe214e8f78a0dab58fa5

3cb74f7b1e324dd93ac76d18e2f18644

41ccc717afca85216d5587d88f608332

4311d80e8f243b7f0cf8805457b76463

48077007f323510bacda73b03f95ecd1

4d6d4f2a288384c9493784272ea37ce7

4e1b2f4cf9ce675bb080095e971a6fcb

4e279fac2d347b23f02e4f8b48d11088

4e4eb3d6fdfbc7860546a2166ab886e5

4fb6b27375baa0d59fef03a34aea2b34

5473be0d12bc9a38c8edbf3090c9ea4d

559b920616cf2b05c593340584070458

572d7f2b1926a83b55bdc74d94746d8d

58ea5b92bc087d80e6290d822b78a4e3

5acad73439bcd4bbbb78af15117c7bfd

5d68af6734a0fb0433af27b77c112e47

5f3bdc311c0bd5702ff437c50b380c7e

62dc5cafa222f2a27478c03b69c02a2b

64e93902777723ea52ed9fa0afe338e9

662364f4f84e26e0e988e331416eb239

6889e5533f15713cf8068fc777cc8e77

6b33c6c8149a469d924d7f3466a9a2ef

6c867ecbfe5ad161bc00deba1414a304

6ca65e166dbc681f10a17f34a35a94e6

6d7ef5c67604d62e63aa06c4a7832dac

6e444898cc7cbfc6aad429ce37d2b263

702b7a97ddb0a51c1cc1673d14543ac5

710fa61c082a655e01136cc3631611ef

7142221ea2993c790bb310292115e5f9

762eb395a7933568ee035f16b9646e55

784063ef8e81352874292cf77b15c579

791c812a13b2cc7481b4d270d0dc9e68

79c74abdbad8f73008ca40e53c0c4089

7fe93da897a426e1aa6fe7cd58ced772

84ebd0e871b1f3a88865ba7f3fc25104

88139edf03327665ae8260641b273e7c

887f351e2026d5fe3e4c805182932e3c

8b7e9d7f51fca9c50fc83902a279d3e9

93222f8403909d118be09829bea3e313

979040f0051d8a2ce6aed44ec56368ca

9a9eb739a62630504b27372e883504b8

9afdf7da3c5c84b4995da79d410d22d9

9cddfd8fa9dc98149e63f08f02a179cf

9daf47741735df9d4e1764ba8dbeff14

9dc50377498fd0959686863fa46231d1

9e101d386f2ce003dd353b07d264f7fc

9f0bc83a6f8141b749695e46180a8def

a46ee9a1337cf102db2dcc005d60312a

a7c7ae8cd6a78e5d01edcf726f2b6d4a

a98a255e592c43200f6c10cf12e900a5

aad1a7163c3cbe2de17406f54dce14ff

aae979afa172627bc9a47365ca5b5f51

ac65fb0a1b23f20184ac612880d1f9c9

ae3fcf6b00cdcf0d5d095b3dd65245fa

ae6c7ffb09c72f32e47cca8436278f8b

aeb0c9cb9814b1ef1b08f18c0e34cf77

aee1b77f646c0befece129b4c477bbe4

af19938fd664df46c9f85efad6833ce1

b0c51170204204f33f956284f030aec5

ba7658e80591021a7881ac7573226dbc

bb37bc32d243a36ce9ae0d1045019de6

bd0bca06908fdb5db31cbc9f43e11597

c1c7bd5972d78c0d5f10059100659025

c2be017b2fb3ad6f0f1c05ef10573b90

c2e8c3dbee0fa8ce92865075074c80ca

c3b94d765a3d6e43735f7e1acf8cf187

c3c03fd55c0cd0c2247ca96376203c9a

c43bab60cbf7922a35979e4f41f9aa9e


c4912e801677d8aa489772490fe5388a

c5f76015b2cb15f59070d2e5cfdd8f6e

c64e0565fdd0ebb92fa41915b67ef8cc

c91abd2f3bc2a574022461c17276c227

c9449dbfd66fb6d75eab5012cfb66731

c94778c158863da20114f4e89d2d84ce

c957de76259c9a82c3c0a1768ccbd878

c9d0348dd015babe48f3b46a737b9025

ca50a3a1728e015228f6d97f5dc15999

cd449159beda255bb06be1d6c35bc1e9

d04f4c43bbc5b37d7b1a46ceadd3c674

d0caf019af2e5c4d62acec3402fbb583

d0dd1c70581606aa2a4926c5df4a32ee

d1486baee307fe9b8221a7dddc8ff21b

d384476cd94ec6c44522f1ea6529ef69

d523ba7bb4ec5488c6c46b800eeba176

d64f3242a89732d5ef69e35b25145412

d6a11b35ec7f08c8960db871b44fd9d0

d6bc758448dd510cd97f92f1dc99a2db

d7aa03f274d55b8d485221083957d504

d8b31e7523c1681d1838c50090468942

da71dfe35125d59c487d9d3d63e0cb18

dc9ea0a9eabc152104dadf984d14b03b

dea87bd6e6b6bf97a29f83224385dc18

dfddba46a62ad7972018c2f6b980b978

e02377364a3833bb4e89965b0c344a25

e16afc1f98446d224a2a96703da64b2d

e1a83a4c342f784ad83bcad061c5845a

e2088460b1a0401c40f944a1d0e4f7c0

e417457a04cf9da41fc0c8787985a790

e5f32003347c18109e3c39e2bf2f36de

e7073a90345b2ed4584c3c69f22298d9

e8cdaafd6deefcee21530070444de679

eaa9a54b67673f68066bc13f42e5ca2c

edc4346e5fb6f68868938767625a0b16

edc6bdd204dd2a849693e148b00c0ea9

ee5db4f50ab4cdfaf40f89de7a140309

ef1bf0fa405ba45046c19e3efdb17b23

f04e31ff256a6dc44af48dbf0b917e7d

f0ecd67f81d95cb79a1ae93859d6b480

f10d72646b1d9bc6643be80dee99ba85

f1166a382755674c5071436fa9d48f3e

f3e9d98948db0249d73df5304e20e6b3

f9ff89d9149cd0cb702b0a6578d33078

fd17c9eb665e665b9d9e3af8592271c1

fd7a602e34dae2dd608567232d5b9eff

feea1d90e77dff5ff9f896122cf768f6

ff5ffc315daab5abd4a2cdd6f6be5d86

PDB paths of the yty malware framework

C:Users803Desktopytybothyty 2.0ReleaseSetup.pdb

C:Users803Desktopytybothyty 2.0Releaseabode.pdb

C:Users803Desktopytybothyty 2.0Releaseboothelp.pdb

C:Users803Desktopytybothyty 2.0Releasediskvol.pdb

C:Users803Desktopytybothyty 2.0Releasemdriver.pdb

C:Users803Desktopytybothyty 2.0Releasevstservice.pdb

C:Users803Desktopytybothyty 2.0Releaseyty.pdb

C:Users803Desktopytybothyty 4.0Releaseabode.pdb

C:Users803Desktopytybothyty 4.0Releaseboothelp.pdb

C:Users803Desktopytybothyty 4.0Releasevstservice.pdb

D:SoftDevelopedCodeyty 2.0Releasedspcheck.pdb

D:SoftDevelopedCode_Lastyty 2.0 – CopyRelease.Netvstservice.pdb

D:SoftDevelopedCode_Lastyty 2.0Release.Netabode.pdb

D:SoftDevelopedCode_Lastyty 2.0Release.Netboothelp.pdb

D:SoftDevelopedCode_Lastyty 2.0Release.Netdspcheck.pdb

D:SoftDevelopedCode_Lastyty 2.0Release.Netvstservice.pdb

D:SoftDevelopedCode_Lastyty 2.0ReleaseC++Setup.pdb

C:Users803Desktopytybothyty 2.0ReleaseSetup.pdb

D:SoftDevelopedCode_Lastyty2.0ReleaseC++Setup.pdb

C:users803documentsvisualstudio2010ProjectshelpdllReleasehelpdll.pdb

PDB paths of the EHDevel malware framework

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseActDon.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseAdminNewDll.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseAdminServerDll.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseComDeck.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseDiplyFreq.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseDiskPlug.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseEsstnalUpdte.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseFlashCom.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseLangDock.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseLangDockUp.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseMetaDamDoc.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleasePatchQueue.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseProcNeo.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseTxtActDoc.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinAeroBat.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinAud.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinExe.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinIntDataAndCred.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinKey.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinLTUP_Doc.pdb


D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinLTUP_NonDoc.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinOn.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinRMDrive.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinScrnGrabber.pdb

D:EH_DEVELOPMENT_SVNEHDevelopmentSolution3EHDevelopmentSolution3ReleaseWinTasks.pdb

E:EHDevelopmentSolution3 IB2.1EHDevelopmentSolution3ReleaseUninstall.pdb

E:EHDevelopmentSolution3 PB2.1EHDevelopmentSolution3ReleaseAdminNewDll.pdb

E:EHDevelopmentSolution3 PB2.1EHDevelopmentSolution3ReleaseAdminServerDll.pdb

E:EHDevelopmentSolution3 PB2.1EHDevelopmentSolution3ReleaseClock.pdb

E:EHDevelopmentSolution3 PB2.1EHDevelopmentSolution3ReleasePatchQueue.pdb

E:EHDevelopmentSolution3 PB2.1EHDevelopmentSolution3ReleaseSystemBus.pdb

E:EHDevelopmentSolution3 PB2.1EHDevelopmentSolution3ReleaseTimeClock.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3Release InfoPath.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseAdminNewDll.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseAdminServerDll.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseClock.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseDiskHealth.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseInstallingDevice.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleasePlugnPlayMoniter.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleasePrimaryVolume.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseRegionalLanguage.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseSystemBus.pdb

E:EHDevelopmentSolution3 SI2.1EHDevelopmentSolution3ReleaseWorkspaceShare.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseAdminNewDll.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseAdminServerDll.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseClock.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseDiskHealth.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseDocuments.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseENGUnicode.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseInstallingDevice.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseLicenseManager.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseNetLogOn.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseRegionalLanguage.pdb

E:EHDevelopmentSolution3 SI2.2EHDevelopmentSolution3ReleaseWMPlayer.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseAdminNewDll.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseAdminServerDll.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseCustomUI.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseDalyMotion.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseDefenderReference.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseEsstnalUpdte.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseFoldrOpt.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseInstntAccel.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseInstntAccelx.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseLangEngUTF16.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseLangEngUTF8.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseMSOBuild.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseOpenOffce.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseOptimisedDisply.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleasePackageMSOffce.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleasePlayMedia.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseProcNeo.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseRuntimeLibsUpdte.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseTimeSyncApp.pdb

E:EHDevelopmentSolution3EHDevelopmentSolution3ReleaseWelcomeScrn.pdb

References

[1] https://ti.360.net/blog/articles/pakistan-targeted-apt-campaign/

[2] https://labs.bitdefender.com/wp-content/uploads/downloads/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/

[3] https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/

[4] https://ti.360.net

Original link

https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
