https://www.us-cert.gov/sites/defaul...-2016-1229.pdf
"Both groups have historically targeted government organizations, think tanks, universities, and
corporations around the world. APT29 has been observed crafting targeted spearphishing
campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote
Access Tools (RATs) an
d evades detection using a range of techniques. APT28 is known for
leveraging domains that closely mimic those of targeted organizations and tricking potential
victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in
their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both
groups exfiltrate and analyze information to gain intelligence value. These groups use this
information to craft highly targeted spearphishing campaigns. These actors set up operational
infrastructure to obfuscate their source infrastructure, host domains and malware for targeting
organizations, establish command and control nodes, and harvest credentials and other valuable
information from their targets.
In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link
to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to
host malware and send spearphishing emails. In the course of that campaign, APT29 successfully
compromised a U.S. political party. At least one targeted individual activated links to malware
hosted on operational infrastructure of opened attachments containing malware. APT29
delivered malware to the political party’s systems, established persistence, escalated privileges,
enumerated active directory accounts, and exfiltrated email from several accounts through
encrypted connections back through opera
tional infrastructure.
In spring 2016, APT28 compromised the same political party, again via targeted spearphishing.
This time, the spearphishing email tricked recipients into changing their passwords through a
fake webmail domain hosted on APT28 operational infrastructure. Using the harvested
credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of
information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
"Indicators of Compromise (IOCs)
IOCs
associated with RIS cyber actors are provided within the accompanying .csv and .stix files of JAR-16-20296.
Yara Signature
rule PAS_TOOL_PHP_WEB_KIT
{
meta:
description = "PAS TOOL PHP WEB KIT FOUND"
strings:
$php = " $base64decode = /
\='base'
\.\(\d+\*\d+\)\
.'_de'
\.'code'/
$strreplace = "(str_replace("
$md5 = ".substr(md5(strrev("
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
(filesize > 20KB and filesize < 22KB) and
#cookie == 2 and
#isset == 3 and
all of them
}
Actions to Take Using Indicators
DHS recommends that network administrators review the IP addresses, file hashes, and
Yara
signature provided and add the IPs to their watchlist to determine whether
malicious
activity has
been observed within their organizations. The review of network perimeter netflow or firewall
logs will assist in determining whether
your network
has experienced suspicious activity.
When reviewing network perimeter logs for the IP addresses, organizations may find numerous
instances of these IPs attempting to connect to their systems."
"Both groups have historically targeted government organizations, think tanks, universities, and
corporations around the world. APT29 has been observed crafting targeted spearphishing
campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote
Access Tools (RATs) an
d evades detection using a range of techniques. APT28 is known for
leveraging domains that closely mimic those of targeted organizations and tricking potential
victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in
their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both
groups exfiltrate and analyze information to gain intelligence value. These groups use this
information to craft highly targeted spearphishing campaigns. These actors set up operational
infrastructure to obfuscate their source infrastructure, host domains and malware for targeting
organizations, establish command and control nodes, and harvest credentials and other valuable
information from their targets.
In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link
to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to
host malware and send spearphishing emails. In the course of that campaign, APT29 successfully
compromised a U.S. political party. At least one targeted individual activated links to malware
hosted on operational infrastructure of opened attachments containing malware. APT29
delivered malware to the political party’s systems, established persistence, escalated privileges,
enumerated active directory accounts, and exfiltrated email from several accounts through
encrypted connections back through opera
tional infrastructure.
In spring 2016, APT28 compromised the same political party, again via targeted spearphishing.
This time, the spearphishing email tricked recipients into changing their passwords through a
fake webmail domain hosted on APT28 operational infrastructure. Using the harvested
credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of
information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.
"Indicators of Compromise (IOCs)
IOCs
associated with RIS cyber actors are provided within the accompanying .csv and .stix files of JAR-16-20296.
Yara Signature
rule PAS_TOOL_PHP_WEB_KIT
{
meta:
description = "PAS TOOL PHP WEB KIT FOUND"
strings:
$php = " $base64decode = /
\='base'
\.\(\d+\*\d+\)\
.'_de'
\.'code'/
$strreplace = "(str_replace("
$md5 = ".substr(md5(strrev("
$gzinflate = "gzinflate"
$cookie = "_COOKIE"
$isset = "isset"
condition:
(filesize > 20KB and filesize < 22KB) and
#cookie == 2 and
#isset == 3 and
all of them
}
Actions to Take Using Indicators
DHS recommends that network administrators review the IP addresses, file hashes, and
Yara
signature provided and add the IPs to their watchlist to determine whether
malicious
activity has
been observed within their organizations. The review of network perimeter netflow or firewall
logs will assist in determining whether
your network
has experienced suspicious activity.
When reviewing network perimeter logs for the IP addresses, organizations may find numerous
instances of these IPs attempting to connect to their systems."
Comment