The nebula device we deployed the day before yesterday captured a targeted (APT) phishing email that rode on the Boston Marathon explosion as a hot topic. The email carries a doc attachment that fires as soon as it is opened: it exploits CVE-2012-0158, and once the exploit succeeds it drops ipolicer.exe, which connects to the C&C site northpoint.eicp.net and executes the commands it receives.
Phishing email
The email's subject is a recent call to pray for the victims of the Boston Marathon explosion, in the hope that recipients will open the attachment "to pray for the explosion".
Attack doc sample
The attack doc is in RTF format and triggers the CVE-2012-0158 vulnerability; it is padded with a large number of RTF annotations (comment groups) to defeat signature-based rule detection. At present the vast majority of antivirus products fail to detect this exploit.
The RTF embeds the first-stage downloader (the "small horse") in XOR-encrypted form; bytes equal to 0 are left un-XORed, a trick aimed at evading antivirus detection.
Offset 0x2509 holds the encrypted MZ header and offset 0x25d9 the encrypted PE header.
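To show how a defender can find an executable hidden with this skip-zero XOR scheme, here is an added example (not code from the original analysis): it brute-forces every single-byte key, looks for an MZ header whose e_lfanew lands on a PE signature, and reports the key and offsets. The RTF wrapper, the key 0x7A and the fake PE are all constructed for the demo; the real sample's offsets 0x2509/0x25d9 are not reproduced.

```python
import struct

KEY = 0x7A  # constructed key for the sample below, not the key used by the real sample


def xor_skip_zero(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves 0x00 bytes untouched (the variant described above).
    It is its own inverse, so the same call encodes and decodes."""
    return bytes(b if b == 0 else b ^ key for b in data)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: a DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature 0x80 bytes in. Not a real program."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"  # signature + Machine (i386)


# Constructed RTF wrapper; the \* comment groups stand in for the annotation padding.
RTF_HEAD = b"{\\rtf1\\ansi{\\*\\comment pray for boston}{\\*\\comment " + b"A" * 64 + b"}"
SAMPLE_OFFSET = len(RTF_HEAD)                      # where the encoded MZ header starts
SAMPLE_RTF = RTF_HEAD + xor_skip_zero(build_fake_pe(), KEY) + b"}"


def find_xor_pe(blob: bytes) -> list:
    """Try every single-byte key (0 = not encoded) and return [(key, mz_off, pe_off), ...]
    for each candidate whose decoded e_lfanew lands on a 'PE\\0\\0' signature."""
    hits = []
    for key in range(256):
        needle = xor_skip_zero(b"MZ", key)          # what 'MZ' looks like under this key
        i = blob.find(needle)
        while i >= 0:
            if i + 0x40 <= len(blob):
                e_lfanew = struct.unpack_from(
                    "<I", xor_skip_zero(blob[i + 0x3C:i + 0x40], key))[0]
                p = i + e_lfanew
                # Sanity-bound e_lfanew, then confirm the PE signature under the same key.
                if 0x40 <= e_lfanew <= 0x1000 and xor_skip_zero(blob[p:p + 4], key) == b"PE\x00\x00":
                    hits.append((key, i, p))
            i = blob.find(needle, i + 1)
    return hits


if __name__ == "__main__":
    for key, mz, pe in find_xor_pe(SAMPLE_RTF):
        print(f"key=0x{key:02x} MZ at 0x{mz:x} PE at 0x{pe:x}")
```

Because zero bytes are not transformed, a plain XOR decoder would corrupt the header padding; the skip-zero decode above recovers the real MZ/PE structure, and the MZ-to-PE consistency check keeps accidental two-byte matches from producing false hits.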
Small Horse (first-stage downloader)
Once the vulnerability is triggered, the trojan and a decoy doc file are dropped and executed through a bat file.
The downloader injects into a zombie IE process using QueueUserAPC and fetches the main trojan from the server. At the same time the dropped ipolicer.exe is disguised as "C:\WINDOWS\system32\ymsgr_tray.exe" and registered to run at boot, and a large amount of random data (values 0-80) is appended to ymsgr_tray.exe so that the file's hash keeps changing and cloud-based antivirus scanning does not flag it.
The domain name the downloader connects to is as follows:
It uses an HTTPS connection to download and run the program.
Data Packet Diagram
Big Horse (main trojan)
Likewise, the connection to the gnorthpoint.eicp.net domain is used mainly to harvest a large amount of information from the compromised machine: host name, IP address, current TCP and UDP network connections, disk information, system processes, the names of all files in folders and their contents, and so on. The data is then transmitted over encrypted HTTPS.
Host name and IP address information
Collected disk information
Collected important file information
Collected current process information
Encrypted transmission data packets