Analysis of a new APT attack that uses the Boston Marathon bombing as a hot-topic lure

Source: Internet
Author: User
Tags: net domain

The Nebula device we deployed the day before yesterday captured an attack that uses the Boston Marathon bombing as its hot-topic lure.

The APT phishing emails are themed on this topic and carry a .doc attachment that fires as soon as it is opened.

After CVE-2012-0158 is exploited successfully, the document drops ipolicer.exe,

which connects to the C&C server northpoint.eicp.net and receives commands to execute.

Phishing email

The targeted email uses the subject of a recent prayer for the victims of the Boston Marathon explosion, in the hope that the recipient will open the attachment to join the prayer.

Malicious doc sample

The APT doc sample is in RTF format and triggers CVE-2012-0158; it pads the file with a large number of RTF annotations (comments) to defeat script-based signature rules.

At present, the vast majority of antivirus products cannot detect this exploit document.

The RTF embeds a trojan that is encrypted with XOR; zero bytes are left un-XORed, which is meant to defeat antivirus detection.

Offset 0x2509 holds the encrypted MZ header, and offset 0x25d9 holds the encrypted PE header.
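As an added example (not code from the original post), here is a small triage script that searches a file for a PE header hidden with the single-byte XOR scheme described above. It assumes the encoder leaves 0x00 bytes, and bytes equal to the key, untouched so that the transform is self-inverse (the post only states that zeros are skipped); it recovers the key from the ciphertext of "MZ" and confirms it through the e_lfanew pointer to "PE\0\0". On the sample above it should report the MZ header at 0x2509 and the PE header at 0x25d9, i.e. an e_lfanew of 0xd0.

```python
# Triage helper for RTF droppers that embed a single-byte-XOR-encrypted PE.
# Assumption: bytes equal to 0x00 or to the key are left untouched (self-inverse).
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_skip(data: bytes, key: int) -> bytes:
    """XOR every byte with `key`, leaving 0x00 and `key` bytes unchanged (self-inverse)."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def find_xor_pe(blob: bytes, max_lfanew: int = 0x400) -> list:
    """Return (mz_offset, key, pe_offset) for every XOR-hidden PE header in `blob`.

    The key is derived from the ciphertext of 'M', checked against 'Z', and then
    validated by following e_lfanew to a 'PE\\0\\0' signature so noise is rejected.
    """
    hits = []
    for i in range(len(blob) - 0x40):
        key = blob[i] ^ MZ[0]
        if key == 0 or blob[i] == 0:  # plain MZ or a zero byte: not a hidden header
            continue
        if xor_skip(blob[i + 1 : i + 2], key) != MZ[1:2]:
            continue
        (e_lfanew,) = struct.unpack("<I", xor_skip(blob[i + 0x3C : i + 0x40], key))
        pe = i + e_lfanew
        if 0x40 <= e_lfanew <= max_lfanew and xor_skip(blob[pe : pe + 4], key) == PE_SIG:
            hits.append((i, key, pe))
    return hits


def carve_pe(blob: bytes, mz_offset: int, key: int) -> bytes:
    """Decrypt from the MZ header to the end of the blob (trailing RTF bytes are harmless for triage)."""
    return xor_skip(blob[mz_offset:], key)


def _build_sample() -> bytes:
    """Constructed sample: a minimal MZ/PE stub, XOR-hidden inside an RTF-looking wrapper."""
    stub = bytearray(0x100)
    stub[0:2] = MZ
    stub[0x3C:0x40] = struct.pack("<I", 0x80)          # e_lfanew -> PE header at 0x80
    stub[0x80:0x84] = PE_SIG
    stub[0x84:0x8A] = b"\x4c\x01\x03\x00\x7a\x7a"       # includes bytes equal to the key
    return b"{\\rtf1{\\*\\comment filler}" + xor_skip(bytes(stub), 0x7A) + b"}"


if __name__ == "__main__":
    sample = _build_sample()
    for mz, key, pe in find_xor_pe(sample):
        print(f"hidden PE at 0x{mz:x}, key 0x{key:02x}, PE header at 0x{pe:x}")
```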

Small trojan

Once the vulnerability is triggered, the trojan and a decoy doc file are dropped and executed through a .bat file.

The small trojan injects into a puppet IE process using QueueUserAPC and downloads the trojan from the server. At the same time, the dropped ipolicer.exe is disguised as "C:\WINDOWS\system32\ymsgr_tray.exe" and set to run at startup. A large amount of random data (values 0-80) is also generated and appended to ymsgr_tray.exe so that the file is not flagged by antivirus cloud scanning.

The domain name the small trojan connects to is as follows:

It downloads and runs the program over an HTTPS connection.

Packet capture

Big trojan

Similarly, the connection to the gnorthpoint.eicp.net domain is mainly used to collect a large amount of information about the infected machine, including host name, IP address, current TCP and UDP network connections, disk information, system processes, all file names in folders, file contents and so on, which is then transmitted over encrypted HTTPS.

Host name and IP address information

Collecting disk information

Collecting important file information

Collecting current process information

Encrypted data packets in transit
