APT - An introduction
An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.
Yesterday we heard about the APT34 leak and started our analysis of the event.
Unzip password: vJrqJeJo2n005FF*
Recently, the hacking tools of APT34 (also known as OilRig and Helix Kitten), an attack group attributed to the Iranian state, were leaked. The incident is similar to the Shadow Brokers leak of NSA tools. Since mid-March, a person claiming to be Lab Dookhtegan has been leaking these tools on the Telegram messaging program.
In addition to the hacking tools, Dookhtegan also released data on some of the apparent APT34 victims, including data and password combinations that appear to have been collected through phishing pages.
The leaked APT34 tool set contained:
- PoisonFrog (an old version of BondUpdater)
- HyperShell (a webshell, also known as TwoFace)
- HighShell (another webshell)
- Webmask (a DNS tunnel, the well-known DNSpionage tool)
We analysed the code; our findings follow. The PowerShell code of the tool can be found on Ghostbin.
Ghostbin URL: https://ghostbin.com/paste/5j3kyr9p
Password: Velon
The agent part contains two base64 blobs that load PowerShell and appear to be the first stage of the payload. It fetches a configuration file from myleftheart.com (now offline), creates a set of folders under C:\Users\Public\Public, and deletes the other two payloads there. It also creates two scheduled tasks, one with administrator privileges and one with normal user rights, that run two PowerShell scripts, dUpdater.ps1 and hUpdater.ps, every 10 minutes. From these two payloads it is clear that the agent can receive and send files.
How you can protect your network
We created a set of Snort rules that can be used to prevent such attacks inside your network.
The Snort rules are available on our private Ghostbin.
Password: snortvelon.
What is encoding:
To get around this, people encode the binary data into text characters. Base64 is one such encoding.
Because you can generally rely on the same 64 characters being present in most character sets, you can be reasonably confident that your data will arrive on the other side of the wire uncorrupted.
Why only Snort for the fix?
So far we have built the fix on Snort, an open-source intrusion detection tool that helps to catch possible threats within a network. We are working on a solution for end users who do not own a network.
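As an added example (not part of the original post and not the leaked tooling), the Python script below shows how a defender can unwrap nested base64 PowerShell stages of the shape described above and check each decoded layer for the indicators this post names (the configuration domain, the staging folder and the two scheduled-task scripts). The sample command it scans is constructed in the script itself and only reuses those indicator strings.

```python
import base64
import binascii
import re

# Indicators taken from the write-up: the config domain, the staging
# directory and the two scheduled-task scripts of the first stage.
INDICATORS = (
    "myleftheart.com",
    r"C:\Users\Public\Public",
    "dUpdater.ps1",
    "hUpdater.ps",
)

# Long runs of the base64 alphabet with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_candidates(blob: str):
    """Decode a base64 run as UTF-16LE (powershell -EncodedCommand) and UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return []
    out = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            out.append(raw.decode(enc))
        except UnicodeDecodeError:
            pass
    return out


def scan_script(text: str, depth: int = 3):
    """Return the indicators found in `text` and in any base64 layer nested in it."""
    hits = {i for i in INDICATORS if i.lower() in text.lower()}
    if depth == 0:
        return hits
    for m in B64_RE.finditer(text):
        for decoded in decode_candidates(m.group(0)):
            hits |= scan_script(decoded, depth - 1)
    return hits


# Constructed two-layer sample mimicking the shape described; NOT the leaked code.
INNER_STAGE = (
    "$base = 'C:\\Users\\Public\\Public'\n"
    "$cfgHost = 'myleftheart.com'\n"
    "$tasks = @('dUpdater.ps1', 'hUpdater.ps')\n"
)


def build_sample() -> str:
    """Wrap the inner stage in base64 inside a -EncodedCommand (UTF-16LE) outer stage."""
    inner_b64 = base64.b64encode(INNER_STAGE.encode("utf-8")).decode()
    outer = f"$stage2 = [Convert]::FromBase64String('{inner_b64}')\n"
    outer_b64 = base64.b64encode(outer.encode("utf-16-le")).decode()
    return f"powershell.exe -EncodedCommand {outer_b64}"


if __name__ == "__main__":
    print(sorted(scan_script(build_sample())))
```

Run the same scan over command lines from process-creation logs to surface the indicators hidden behind the encoding layers.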
Stay tuned with us for future updates.