[
  {
    "instruction": "Medium Headline: Mid-December \u2013 January 31st 2017 (ongoing)\nWhen we began systematically tracking the campaign in late November 2016, almost all of the messages we observed concerned issues related to Case 173, as well as being personalized to the recipient. This approach continued until late December. However, by mid-December, we began observing a growing number of generic phishing messages, mostly emphasizing account security issues.\nHere is an example of such a \"generic,\" but still personalized, message.\nThese messages, while still personalized with users' names, relied on a range of common phishing tactics, such as warnings of suspicious login attempts and other account security issues. In a few cases, the operators also included package-delivery notifications. After December 26, we no longer observed any personalized messages. This shift maps onto changes in server infrastructure (see: (<https://citizenlab.org/2017/02/nilephish-report/nilephishinfrastructure>)Nile Phish Infrastructure).\nExample Domains from Phase 2 Phishing\nIt is unclear why Nile Phish operators wound down their use of Case 173 themes as the campaign went on. It is possible, for example, that they began to suspect that the targets were wary of such messages. It is equally possible that they simply decided to scale back some of their efforts, and rely more heavily on the pre-built examples in the toolkit they used. 
It is also possible that this represents a fluke either in how the messages were collected, or a pause on the part of the operators.\nThe final possibility is that Nile Phish is a component of a larger operation, and that the operators may intend to continue to use tailored social engineering for other purposes, such as delivering malware.\nBig Headline: Nile Phish Using Open-Source Phishing Toolkit\nNile Phish mounted this campaign with (<https://github.com/gophish/gophish>)gophish, an open-source phishing framework written in the Go language.\nThe gophish framework is intended to be used defensively, as part of anti-phishing training. This is the first offensive use of gophish of which we are aware. Its (<https://github.com/gophish/gophish/blob/master/README.md>)developer describes it as \"designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.\" Support for capturing credentials submitted on phishing pages was added to gophish in (<https://twitter.com/jw_sec/status/694745865198514176>)February 2016.\nThe growing number of open-source and widely available phishing frameworks designed for penetration testing has made it easy to set up a phishing campaign. While some free and hosted phishing frameworks require some form of authentication to the targeted domain, such as the online (<https://duo.com/resources/duo-insight>)Duo Insight, many that are self-hosted do not. The lack of authentication, while minimizing invasiveness and protecting user privacy, is also a double-edged sword, and means that such tools can be abused to conduct non-consensual and illegal phishing campaigns.\nMedium Headline: Discovery and Identification\nExamination of the phishing infrastructure provided evidence of artefacts from a cloned git repository, suggesting that the tooling was likely cloned from a project on GitHub. 
This led us to conclude that the operators were likely making use of an existing phishing framework. Further investigation revealed that the domains were serving the gophish admin page on port 7777, and the scheme of the phishing URLs matched that of gophish.\nGophish links have a common format, which can be used to quickly identify a link sent via the platform.\nMedium Headline: Contact with Gophish\nCitizen Lab contacted (<https://github.com/jordan-wright>)Jordan Wright, the developer of Gophish, and provided examples of the links used in the campaign. Wright provided us the following response:\n\"\u2026The links have the same structure as those sent in a Gophish campaign and there are Gophish administrative portals available on those hosts.\nGophish is designed to help administrators test their organization's exposure to phishing. By running phishing tests against one's own organization, the hope is that members of the organization will be better at spotting and avoiding phishing emails in the future, mitigating attacks like this.\nThe Gophish team does not condone using the software for any purpose other than running controlled tests to measure your own organization's exposure to phishing. While we cannot control users and prevent all misuse of the software, we will continue taking any measures possible to prevent this kind of abuse in the future.\"\nBig Headline: Nile Phish Infrastructure\nThe campaign's operators used commercial web hosting located in Europe ( (<https://www.choopa.com/>)Choopa and (<https://alexhost.com/>)AlexHost) to host the campaign. They have shown evidence of basic operational security practices, including server compartmentation between Phase 1 and Phase 2. 
Nevertheless, in what appears to have been a mistake, one domain resolved to servers from both phases at different times.\nUsing passive DNS analysis tools including (<https://www.passivetotal.org/>)PassiveTotal, we were able to further characterize the infrastructure, and how it was used throughout Phase 1 and Phase 2 of the campaign. We also identified an additional 13 domains through passive DNS research, indicating that the campaign may include a range of other targets not uncovered in our investigation.\n\nHow did the Nile Phish campaign leverage the gophish framework, and what implications does this have for the broader use of open-source phishing tools?",
    "output": "The Nile Phish campaign leveraged gophish, an open-source phishing framework written in the Go language, which is intended for defensive use in anti-phishing training. This is the first known offensive use of gophish. The growing availability of open-source phishing frameworks designed for penetration testing has made it easy to set up phishing campaigns. While some frameworks require authentication onto a particular domain, many self-hosted ones do not, which can lead to abuse for non-consensual and illegal phishing campaigns. This highlights the double-edged nature of such tools, where ease of use for legitimate purposes can also facilitate malicious activities.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Write an answer to the following question: How does the Operation Groundbait APT use Phishing: Spearphishing Attachment to target its victims?",
    "output": "Phishing: Spearphishing Attachment is a technique used by adversaries to gain access to victim systems by sending spearphishing emails with a malicious attachment. In the case of Operation Groundbait, the attackers used this technique to target anti-government separatists in Eastern Ukraine, as well as Ukrainian government officials, politicians, and journalists. The attackers sent spearphishing emails with attached malicious executables or links to malicious files hosted on remote servers. The emails were crafted to appear relevant to the victims, with subject lines and attachment names designed to trick them into opening the malicious files. For example, one email had an attachment named '\u041d\u0430\u0446\u0433\u0432\u0430\u0440\u0434\u0435\u0439\u0446\u044b \u0441\u043e \u0448\u043f\u0440\u0438\u0446\u0430\u043c\u0438 \u0441\u0434\u0435\u043b\u0430\u043b\u0438 \u0438\u0437 \u0434\u043e\u043d\u0435\u0446\u043a\u043e\u0433\u043e \u043c\u0430\u043b\u044c\u0447\u0438\u043a\u0430 \u043c\u0438\u0448\u0435\u043d\u044c \u0434\u043b\u044f \u0440\u0430\u043a\u0435\u0442.exe', which translates to 'National Guardsmen with syringes made a Donetsk boy a target for rockets'. Once the victim opened the attachment, the Prikormka dropper would display a decoy document to distract the victim while the malware was installed. The attackers also used social engineering tricks, such as posing as a trusted source, to convince the victims to open the malicious attachments. Overall, the use of Phishing: Spearphishing Attachment was a key component of the Operation Groundbait APT's tactics, allowing them to gain access to the systems of their targets and conduct cyber-surveillance operations.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Big Headline: C&C INFRASTRUCTURE\nThe majority of the IXESHE campaign's C&C servers were based in Taiwan and the United States.\nThis is, however, not an indicator of attribution. It is not possible to determine where the attackers are based solely on where their C&C infrastructures are located. In addition, not all of the C&C servers are currently active. Many, if not all of them, appear to be compromised machines. In fact, at least 11 of the C&C servers were hosted on the compromised machines of an East Asian government, which made these very useful for launching targeted attacks against it.\nMost of the malware samples directly accessed an IP address as a C&C server. Connections to domains did exist in some cases. The domains were usually registered using free dynamic DNS service providers or compromised websites.\nOverall, this strategy was part of the attackers' modus operandi. By choosing compromised machines to act as C&C servers, fewer clues were left for investigators to follow in an attempt to find out who is behind the attacks compared with those using bulletproof hosting services and registered domain names. To conduct research on these servers, investigators need to differentiate between information related to malicious and legitimate use.\n\nBased on the above text, answer a question. Why did the IXESHE attackers choose to use compromised machines as C&C servers instead of bulletproof hosting services and registered domain names? How does this choice impact the investigation process?",
    "output": "The IXESHE attackers chose to use compromised machines as C&C servers to leave fewer clues for investigators. This strategy makes it harder to trace the attacks back to the perpetrators compared to using bulletproof hosting services and registered domain names. By utilizing compromised machines, the attackers can blend their malicious activities with legitimate usage, making it more challenging for investigators to differentiate between the two. This approach effectively covers their tracks and complicates the investigation process.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Answer based on context:\n\nBig Headline: GOOD HOSPITALITY, OR SWEPT UNDER THE RUG?\nOracle maintains in (PDF) about the MICROS attack that \"Oracle's Corporate network and Oracle's other cloud and service offerings were not impacted.\" But a confidential source within Oracle's Hospitality Division told KrebsOnSecurity that the breach first started in one of Oracle's major point-of-sale data centers \u2014 specifically the company's large data center in Manassas, Va.\nAccording to my source, that particular center helps large Oracle hospitality industry clients manage their fleets of MICROS point-of-sale devices.\n\"Initially, the customer's network and the internal Oracle network were on the same network,\" said my source, who spoke under condition of anonymity because he did not have permission from his employer to speak on the record. \"The networking team did a network segmentation of these two networks \u2014 ironically for security purposes. However, it seems as if what they have done actually allowed access from the Russian Cybercrime group.\"\nMy source said that in mid-July 2016 Oracle sent out an email alert to employees of its hospitality division that they had to re-image their laptops without backing anything up.\n\"All of the files and software that were on an employee's computer were deleted, which was crippling to business operations,\" my source recalled. \"Project management lost all their schedules, deployment teams lost all the software that they use to install on customer sites. Oracle did not tell the employees in this email that they got hacked but just to re-image everything with no backups. It seems as if Oracle did a pretty good job sweeping this incident under the rug. Most employees don't know about the hack and it hasn't been a huge deal to the customers. 
However, it is estimated that this cost them billions, so it is a really major breach.\"\nI sent Oracle a litany of questions based on the above, but a spokesperson for the company said Oracle would comment on none of it.\n= Indicators =\n104.156.240.212\n104.232.35.136\n104.250.153.57\n107.181.246.211\n107.181.250.221\n108.61.57.43\n128.177.144.59\n144.168.45.128\n151.80.8.10\n162.212.105.78\n172.28.202.31\n184.22.81.68\n185.29.9.28 (c)\n185.86.149.115\n185.86.149.60\n186.106.120.113\n190.82.81.132\n194.146.180.58\n195.154.43.52\n198.23.210.156\n207.182.98.21\n208.167.254.234\n209.51.131.190\n216.155.131.74\n216.170.116.120\n220.130.157.99\n23.227.196.99\n23.249.164.109\n31.131.17.128\n45.63.23.135\n45.63.96.216\n5.45.179.185\n5.45.192.117\n51.254.95.100\n51.254.95.99\n59.55.142.171\n60.228.38.213/login.aspx\n66.232.124.175\n71.63.154.49\n72.233.55.10\n74.125.39.18\n80.83.118.240\n80.83.118.245\n82.163.78.188\n83.183.76.156\n85.186.125.217\n86.55.7.54\n87.236.210.109\n87.236.210.116\n87.98.153.34\n91.207.60.68\n94.140.120.133\n95.215.44.136\n95.215.45.228\n95.215.45.64\n95.215.45.69\n95.215.45.90\n95.215.45.98\n95.215.46.2\n95.215.46.32\n95.215.46.76\n95.85.12.179\n98.129.249.174\nclients14-google.com\nmail.clients12-google.com\nns1.stats1-google.com\nns2.stats1-google.com\nwambiri.net/login.aspx\n\nWhat measures did Oracle take internally in response to the breach, and how did these actions impact business operations and employees?",
    "output": "In mid-July 2016, Oracle sent out an email alert to employees of its hospitality division instructing them to re-image their laptops without backing up any data. According to the source, this deleted all files and software on employees' computers and was crippling to business operations: project management teams lost all their schedules, and deployment teams lost the software they used for installations on customer sites. The email did not tell employees that Oracle had been hacked; it only instructed them to re-image everything with no backups, which the source read as Oracle sweeping the incident under the rug. The source added that most employees do not know about the hack and that it has not been a huge deal to customers, but that the breach is nevertheless estimated to have cost Oracle billions of dollars.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Write an answer to the following question: How does the 'zehir4.asp' script facilitate file manipulation on the victim's system, and what specific actions can an attacker perform using this script?",
    "output": "The 'zehir4.asp' script facilitates file manipulation on the victim's system by allowing the attacker to perform various actions through its interface. Specifically, the script enables the attacker to edit, delete, copy, and download files. Additionally, the attacker can browse, delete, or move folders. This is evident from the provided code snippet where functions like 'driveGo' are used to navigate different drives and paths. For example, when the attacker adds the text 'Hacked by STTEAM' to the 'TEST_FILE.txt', the script processes this request and updates the file accordingly. The attacker can also delete files, as shown in the subsequent request where the 'TEST_FILE.txt' is deleted.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "The PlugX malware revisited: introducing \"Smoaler\"\nBy Gabor Szappanos, Principal Researcher, SophosLabs\nJuly 2013\nIn a recent SophosLabs article about the [(<>)A], we concluded with these words:\nThere is no doubt that PlugX development will go on, and new features and tricks will be introduced.\nWe'll keep an eye on them, and if any interesting or important new features appear, we'll be sure to let you know.\nFast forward just under two months, and we're ready to tell you the next stage in this ongoing saga.\nThe malware family we'll be looking at in this report is known as Smoaler, and it shares many features with PlugX, notably that:\n\u2022 Smoaler relies on the same vulnerability, . [(<>)B]\n\u2022 Smoaler uses the same exploit shellcode.\n\u2022 Smoaler uses similar visual distractions, or decoys, with a Tibetan theme.\n\u2022 Smoaler uses the same initial malware modules to initiate infection.\nThereafter, the new malware follows a different path to the PlugX samples we looked at last time.\nWe shall analyse the \"what happens next\" component of Smoaler later on.\nTo clarify the terminology we have used above, remember that:\n\u2022 A vulnerability is a software bug that could potentially be abused to make your computer behave insecurely.\n\u2022 An exploit is a real-world trick by which a vulnerability can be activated to bypass security.\n\u2022 Shellcode is runnable program code delivered inside a file that is supposed to be plain data, and therefore implicitly safe, but that can be executed without the user's knowledge or consent by exploiting a vulnerability.\n\u2022 Initial malware modules, also called droppers, are malware components, often delivered or activated by shellcode, used to deliver the full malware, or payload, that the attacker wants to install.\nQ: How does the Smoaler malware leverage its shared characteristics with PlugX to initiate an infection, and what are the key components involved in this process?",
    "output": "Smoaler malware leverages several shared characteristics with PlugX to initiate an infection. These key components include:\n\n1. **Vulnerability Exploitation**: Smoaler relies on the same software vulnerability as PlugX to gain unauthorized access to a system.\n\n2. **Exploit Shellcode**: Both Smoaler and PlugX use identical exploit shellcode to activate the vulnerability and bypass security measures.\n\n3. **Visual Distractions**: Smoaler employs similar visual distractions or decoys with a Tibetan theme to divert the user's attention while the malware operates in the background.\n\n4. **Initial Malware Modules (Droppers)**: Smoaler utilizes the same initial malware modules, also known as droppers, to deliver the full malware payload. These droppers are often delivered or activated by the shellcode.\n\nThese components work together to initiate the infection process, with the vulnerability providing the entry point, the shellcode executing the exploit, the decoys distracting the user, and the droppers delivering the final malicious payload.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Medium Headline: 3.1. Infection Vectors\nMalware writers are using multiple techniques to deliver their files and entice the victims to run them, creating an effective infection vector. Relying mainly on social engineering, the attackers exploit:\n\u2022 Victims' trust in social networking forums\n\u2022 Victims' curiosity in following news related to the political conflict in Syria\n\u2022 Victims' fear of attacks from the government\n\u2022 Victims' lack of technology awareness\nOnce they have infected the victim's computer, the attackers have full access to and control over the victim's devices. In the following section we show different versions of posts sent via popular file-sharing sites or social networking platforms. The sample details and domain lists used by the attackers can be found in Appendices 1 and 2 at the end of the document.\nSmall Headline: New samples\nMore recent samples, starting from the end of 2013, have shown a more organized development effort, creating highly stealthy and graphically enticing applications.\nIn this analysis we have seen how Syrian malware has evolved, showing no signs of stopping any time soon. 
Even though new malicious Syrian samples are appearing each day, the subset presented here will hopefully give the reader an overall view of the techniques and tools that are currently being used to target Syrian citizens.\nVery Small Headline: Curiosity killed the cat: browsing a database of wanted activists leads to infection.\nWe found a set of compressed files on a popular social networking site; when extracted, it showed a database containing a list of activists and wanted individuals in Syria. A video entitled (in Arabic) \"Hacking the computers of the criminal Ali Mamlouk and the rest of the Assad gang\" was published on November 9, 2013, and the download link for this database application was included in the information section of the video.\nThe download URL redirected victims to a file-sharing service where the file was being hosted. The compressed RAR file (an Arabic-named \".rar\" archive), with the MD5 signature 0c711bf29815aecc6501671298159a74 and a file size of 7,921,063 bytes, was protected with the password \"111222333\".\nThe video requests the victim to scan the password-protected \".rar\" file using VirusTotal to verify that it is not infected.\nAfter extracting all the files to a temporary folder, we were presented with the application itself and a text file needed to access the \"hidden\" features of the program.\nThe file \"PASSWORD.txt\" contained the following text:\nsyria123!@#\n[Arabic, translated: \"Do not be stingy with your prayers for us, the hackers of Jabhat al-Nusra\"]\nUpon closer inspection, the first and last buttons of the application were functional, but the others generated error messages (claiming that some files were missing).\nThe first button (\"General Global File\") uses \"data-base.db.exe\" (MD5 8f16efb51fe67961ee31c4f36cbe11db), which was placed into \"C:\\Users\\User\\AppData\\Roaming\" and, when executed, extracts the Excel spreadsheet file \"Data-Base.xslx\" (MD5 f0a8a1556efbb106b6297700d4cce61b) from the \"Data-Base.db\" (MD5 95a5c3e91bbb4a3a323433841fbef82a) file in the main folder.\nThe last button (\"Exit program\") is the exit button.\nHere is some interesting information worth noting:\n\u2022 The application's own executable, \"\u0628\u0631\u0646\u0627\u0645\u062c \u0627\u0644\u0623\u0645\u0627\u0646 \u0627\u0644\u0648\u0637\u0646\u064a.exe\" (\"National Security Program.exe\"), is not detected as a malicious file.\n\u2022 The file \"data-Base.db\" is detected as a malicious file.\nThe file \"data-base.db\" is a compressed archive:\n\u2022 Product name from the file signature: Project1\n\u2022 Publisher name from the signature: Syrian malware\n\u2022 Compilation Timestamp: 2013-11-09 14:47:26\nWhen system32.exe is run, the process \"iexplorer.exe\" is spawned and is automatically registered for Startup. The file connects to the IP address 31.9.48.7 on TCP port 999. As mentioned in , the IP address 31.9.48.7 belongs to the Syrian Telecommunications Establishment (STE).\nOther temporary files used for the infection were also detected, such as \"system32.exe\" (MD5: 9424b355a3670fd7749d3d25cbea18cb), which was copied into the \"C:\\Users\\user\\appdata\\local\\temp\\\" folder.\nThe presence of DarkComet's \"DC_MUTEX-*\" was a giveaway of the usage of this remote administration tool.\nDuring infection, the Excel spreadsheet is displayed, comprising 96763 rows and 13 columns of activist information. The rows correspond to records of individuals wanted by the government and the columns correspond to information about the individuals. While there is no column description, the data in each column reflects the type of data.\nSmall Headline: 3.2.2. Files named \"Scandals\" (\u0641\u0636\u0627\u0626\u062d) are quite attractive: using shockingly disturbing videos to distribute malware\nA disturbing video showing injured victims of recent bombings was used to appeal to people's fear and push them to download a malicious application available on a public file-sharing website. After our initial analysis, the downloaded \".exe\" file proved to be heavily obfuscated with the commercial utility \"MaxToCode\" for .NET as a means of avoiding early detection by antivirus solutions.\nWhen executed, the original sample created another executable file in the Windows temporary folder (C:\\Users\\[USERNAME]\\AppData\\Local\\Temp) named \"Trojan.exe\", which corresponds to the code of the RAT itself. 
This is used to save all keystrokes and system activity to another file in the same location, \"Trojan.exe.tmp\".\nCaptured information is sent to a dynamic domain corresponding to the host \"hacars11.no-ip.biz\", using local port 1177 with no SSL encryption (but base64 encoded), making the analysis of the network traffic a much easier task. During the initial connection to the remote server (after an initial ping to check for internet connectivity), the Trojan will send the machine's name, installed Windows version, logged-in username, webcam availability and the version of the RAT in use.\nSeveral embedded command line scripts are in charge of adding the Trojan's executable file to the Windows Firewall allowed list, while at the same time disabling security zone checking in Internet Explorer. System persistence is obtained via a modification of the \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" registry key and by adding a copy of the malware to the Startup folder.\nEven though different obfuscation techniques are used in the samples we analysed, all of them have underlying dependencies on the .NET framework namespaces, which eventually allows deep source code inspection of the threat.\nSmall Headline: 3.2.3. \"Ammazon Internet Security\", the \"popular antivirus\"\nIf you thought the era of fake antivirus programs was over, here comes a newly developed sample to challenge your beliefs. With the innocent title of \"Ammazon Internet Security\", this malicious application tries to mimic a security scanner, even including a quite thorough graphical user interface and some interactive functionality.\nAgain, this shows the simplicity of creating a graphical user interface that will trick most of the non-tech-savvy population. Using nothing more than a couple of buttons and a catchy name, Syrian malware groups were hoping that the intended victims would fall for the trap. 
Analyzing the code revealed, interestingly, that it has the look and feel of a security application but, of course, no real security features. Launching this \"security suite\" silently executed a remote administration tool: targeted victims were left without their \"Ammazon\" protection but with a RAT installed.\nFrom the Windows process list shown in Process Explorer, we were able to see \"J. L Antivirus 4.0\" executing in our system, and through Process Monitor we caught the creation of the \"analysis\" log file for our fake antivirus. Behind the curtains, a connection is made to a remote host, sending real-time information on all our activities \u2014 the real cost of this free internet security suite!\nAmong the many programming methods found inside the source code, we were even able to find a \"CheckForUpdates\" function; and if you look closely enough you can even see \"Detection\" and \"Quarantine\" assemblies included in this application. So, not only has a lot of work gone into creating this fake antivirus, the authors also followed good programming practices and implemented modules for each specific (albeit fake) functionality. Maybe at a really quick first sight this could pass as a legitimate tool, but a deeper inspection reveals its true malicious nature.\nThe real log file was one where all keystrokes were recorded and later sent from the computer via a TCP connection. Even though this type of keylogging functionality is nothing new, when we consider how these malicious applications are being used, and the control they give to the attackers, we can start to measure the importance of reporting these threats and providing protection from them.\nEvidently, the malware authors didn't care much to provide an option to close the \"antivirus\", and if you were to kill the process you would get a nice 'blue screen of death' and an unexpected system reboot. 
Surely, the fake application will load again once everything is back up, creating an interesting method for guaranteeing persistence.\nRead the text above and answer this question: How did the attackers ensure persistence and control over the infected systems in the case of the 'Curiosity killed the cat' infection vector?",
    "output": "In the 'Curiosity killed the cat' infection vector, control came from a DarkComet remote administration tool hidden inside the 'database' application. The first button runs 'data-base.db.exe', which displays a decoy Excel spreadsheet of activist records while the infection proceeds in the background. The file 'system32.exe' is copied into the user's temporary folder and, when run, spawns the process 'iexplorer.exe', which is automatically registered for Startup so that it survives reboots. That process connects to the IP address 31.9.48.7 on TCP port 999, an address belonging to the Syrian Telecommunications Establishment (STE), giving the attackers a command channel to the infected machine. The presence of DarkComet's 'DC_MUTEX-*' mutex confirmed that this remote administration tool was in use, which gives the attackers full access to and control over the victim's device.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Big Headline: \"It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.\"2\n\u2014 Chinese Defense Ministry, January 2013\n1 Mike Rogers, Statement to the U.S. House, Permanent Select Committee on Intelligence, Open Hearing: Cyber Threats and Ongoing Efforts to Protect the Nation, Hearing, October 4, 2011, http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/100411CyberHearingRogers.pdf, accessed February 6, 2013.\n2 \"Chinese hackers suspected in attack on The Post's computers.\" The Washington Post, Feb. 1, 2013, http://www.washingtonpost.com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts-computers/2013/02/01/d5a44fde-6cb1-11e2-bd36-c0fe61a205f6_story.html, accessed Feb. 1, 2013.\nSmall Headline: APT1 is believed to be the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (\u603b\u53c2\u4e09\u90e8\u4e8c\u5c40), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398\u90e8\u961f).\n\u00bb\u00bb The nature of \"Unit 61398's\" work is considered by China to be a state secret; however, we believe it engages in harmful \"Computer Network Operations.\"\n\u00bb\u00bb Unit 61398 is partially situated on Datong Road (\u5927\u540c\u8def) in Gaoqiaozhen (\u9ad8\u6865\u9547), which is located in the Pudong New Area (\u6d66\u4e1c\u65b0\u533a) of Shanghai (\u4e0a\u6d77). 
The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007.\n\u00bb\u00bb We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands, of people based on the size of Unit 61398's physical infrastructure.\n\u00bb\u00bb China Telecom provided special fiber optic communications infrastructure for the unit in the name of national defense.\n\u00bb\u00bb Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.\n\u00bb\u00bb Mandiant has traced APT1's activity to four large networks in Shanghai, two of which serve the Pudong New Area where Unit 61398 is based.\nSmall Headline: APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.4\n\u00bb\u00bb Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.\n\u00bb\u00bb APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.\n\u00bb\u00bb Once APT1 has established access, they periodically revisit the victim's network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership.\n\u00bb\u00bb APT1 uses some tools and techniques that we have not yet observed being used by other groups, including two utilities designed to steal email \u2014 GETMAIL and MAPIGET.\n\u00bb\u00bb APT1 maintained access to victim networks for an average of 356 days.5 The longest time period APT1 maintained access to a victim's network was 1,764 days, or four years and ten 
months.\n\u00bb\u00bb Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.\n\u00bb\u00bb In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.\n4  We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has conducted. Therefore, Mandiant is establishing the lower bounds of APT1 activities in this report.\n5  This is based on 91 of the 141 victim organizations. In the remaining cases, APT1 activity is either ongoing or else we do not have visibility into the last known date of APT1 activity in the network.\nSmall Headline: aPt1 maintains an extensive infrastructure of computer systems around the world.\n\u00bb\u00bb APT1 controls thousands of systems in support of their computer intrusion activities.\n\u00bb\u00bb In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. 
(109).\n\u00bb\u00bb In the last three years we have observed APT1 use fully qualified domain names (FQDNs) resolving to 988 unique IP addresses.\n\u00bb\u00bb Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, a tool that provides a remote user with an interactive graphical interface to a system.\n\u00bb\u00bb In the last several years we have confirmed 2,551 FQDNs attributed to APT1.\nSmall Headline: In over 97% of the 1,905 times Mandiant observed aPt1 intruders connecting to their attack infrastructure, aPt1 used IP addresses registered in shanghai and systems set to use the simplified Chinese language.\n\u00bb\u00bb In 1,849 of the 1,905 (97%) of the Remote Desktop sessions APT1 conducted under our observation, the APT1 operator's keyboard layout setting was \"Chinese (Simplified) \u2014 US Keyboard\". Microsoft's Remote Desktop client configures this setting automatically based on the selected language on the client system. Therefore, the APT1 attackers likely have their Microsoft\u00ae operating system configured to display Simplified Chinese fonts.\n\u00bb\u00bb 817 of the 832 (98%) IP addresses logging into APT1 controlled systems using Remote Desktop resolved back to China.\n\u00bb\u00bb We observed 767 separate instances in which APT1 intruders used the \"HUC Packet Transmit Tool\" or HTRAN to communicate between 614 distinct routable IP addresses and their victims' systems using their attack infrastructure. 
Of the 614 distinct IP addresses used for HTRAN communications:\n\u2212\u00bb 614 of 614 (100%) were registered in China.\n\u2212\u00bb 613 (99.8%) were registered to one of four Shanghai net blocks.\nSmall Headline: The size of APT1's infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators.\n\u00bb\u00bb We conservatively estimate that APT1's current attack infrastructure includes over 1,000 servers.\n\u00bb\u00bb Given the volume, duration and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.\n\u00bb\u00bb APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics (e.g., shipping).\nSmall Headline: In an effort to underscore that there are actual individuals behind the keyboard, Mandiant is revealing three personas that are associated with APT1 activity.\n\u00bb\u00bb The first persona, \"UglyGorilla\", has been active in computer network operations since October 2004. His activities include registering domains attributed to APT1 and authoring malware used in APT1 campaigns. \"UglyGorilla\" publicly expressed his interest in China's \"cyber troops\" in January 2004.\n\u00bb\u00bb The second persona, an actor we call \"DOTA\", has registered dozens of email accounts used to conduct social engineering and spear phishing attacks in support of APT1 campaigns. 
\"DOTA\" used a Shanghai phone number while registering these accounts.\n\u00bb\u00bb We have observed both the \"UglyGorilla\" persona and the \"DOTA\" persona using the same shared infrastructure, including FQDNs and IP ranges that we have attributed to APT1.\n\u00bb\u00bb The third persona, who uses the nickname \"SuperHard,\" is the creator of or a significant contributor to the AURIGA and BANGAT malware families, which we have observed APT1 and other APT groups use. \"SuperHard\" discloses his location to be the Pudong New Area of Shanghai.\nSmall Headline: Mandiant is releasing more than 3,000 indicators to bolster defenses against APT1 operations.\n\u00bb\u00bb Specifically, Mandiant is providing the following:\n\u2212\u00bb Digital delivery of over 3,000 APT1 indicators, such as domain names, IP addresses, and MD5 hashes of malware.\n\u2212\u00bb Sample Indicators of Compromise (IOCs) and detailed descriptions of over 40 families of malware in APT1's arsenal of digital weapons.\n\u2212\u00bb Thirteen (13) X.509 encryption certificates used by APT1.\n\u2212\u00bb A compilation of videos showing actual attacker sessions and their intrusion activities.\n\u00bb\u00bb While existing customers of Mandiant's enterprise-level products,  and \u00ae, have had prior access to these APT1 Indicators, we are also making them available for use with Redline\u2122, our free host-based investigative tool. Redline can be downloaded at .\nSmall Headline: Conclusion\nThe sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. We believe the totality of the evidence we provide in this document bolsters the claim that APT1 is Unit 61398. 
However, we admit there is one other unlikely possibility:\nA secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission.\n\nWhat are the key personas associated with APT1's activities, and how do their roles contribute to the overall operation?",
    "output": "A: Three key personas are associated with APT1's activities: 'UglyGorilla', 'DOTA', and 'SuperHard'. 'UglyGorilla' has been active since October 2004, registering domains attributed to APT1 and authoring malware used in their campaigns. 'DOTA' registers dozens of email accounts used for social engineering and spear phishing attacks, utilizing a Shanghai phone number. Both 'UglyGorilla' and 'DOTA' share the same infrastructure, including FQDNs and IP ranges attributed to APT1. 'SuperHard' is the creator or a significant contributor to the AURIGA and BANGAT malware families used by APT1 and other APT groups. These personas play crucial roles in domain registration, malware creation, and social engineering, contributing to the overall effectiveness and reach of APT1's cyber espionage operations.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Medium Headline: ROOT9B RELEASES ZERO DAY HASHES\nCybersecurity experts are increasingly concerned about the threat posed by Russian hacking groups. Besides well-known events such as the attacks against Estonia, Georgia, and Ukraine, recent headlines have seen Russian hacking syndicates credited with targeting NATO officials at conferences, stealing hundreds of millions from banks, and successfully penetrating the White House unclassified computer network. The increase in cyber-exploits is also accompanied by a much more aggressive Russian foreign policy, which has seen them invade Ukraine and literally seize control of sovereign territory in Crimea. So it should not surprise anyone that just as nuclear capable Russian bombers are increasingly penetrating foreign airspace, their cyber-warriors appear to be ramping up their intrusions as well. But this time, perhaps for the first time, root9B has managed to find where they were hiding and identified effective defenses against their intended attacks. This is what happened in late April and early May of this year.\nOur firm of cybersecurity experts, staffed by veterans from the United States Department of Defense, identified suspicious activity within one of our client's networks, a threat which on closer inspection bore the unique signature of a group of Russian hackers well-known in the cyber-security industry. As Cyber Threat analysts continued to follow the indicators, they uncovered a global attack in the making, and took steps to protect not only our clients, but other identified victims as well.\nSofacy, Sednit, Sourface, APT-28, and a host of other names are all used to describe this particularly prolific and superbly talented group of Russian hackers, which has strongly suspected ties to Russian intelligence services. In the last year alone Russian hackers have reportedly stolen up to 900 million dollars from banks around the world. 
Over the past three to five years they have built the largest botnets ever discovered, and stolen the log-in and password credentials to literally tens of millions of online accounts. Well known for their ability to infiltrate and remain undiscovered in networks for long periods of time, they may be the most successful group of hackers in the world. Whereas previous attacks have been attributed and analyzed only after they have run their course, this was the first and only known Sofacy attack to be discovered, identified, and reported \u2013 all before it could even begin! The analysts and tools that enabled this to happen are unique and proprietary. This report documents the first ever operation to use threat intelligence and adversary tactics to discover and reveal the prepositioning of Sofacy zero-day malware. This document also includes the reporting of previously unknown malware indicators and hashes.\nQuestion: What makes the Sofacy group (APT-28) particularly notable among other hacking groups, and how have their activities evolved over the past few years?",
    "output": "Answer: The Sofacy group, also known by various names such as Sednit, Sourface, and APT-28, is notable for its prolific and highly skilled activities, with strong suspected ties to Russian intelligence services. They are well-known for their ability to infiltrate and remain undetected in networks for extended periods. Over the past three to five years, they have reportedly stolen up to 900 million dollars from banks worldwide, built the largest botnets ever discovered, and stolen login and password credentials for tens of millions of online accounts. Their activities have evolved to include high-profile targets such as NATO officials, banks, and even the White House unclassified computer network.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  },
  {
    "instruction": "Big Headline: PERSISTENCE MECHANISM\nThe Duqu 2.0 malware platform was designed to survive almost exclusively in the memory of infected systems, without need for persistence. To achieve this, the attackers infect servers with high uptime and then re-infect any machines in the domain that get disinfected by reboots. Surviving exclusively in memory while running kernel level code through exploits is a testimony to the technical prowess of the group. In essence, the attackers were confident enough that they could survive within an entire network of compromised computers without relying on any persistence mechanism at all.\nThe reason why there is no persistence with Duqu 2.0 is probably because the attackers wanted to stay under the radar as much as possible. Most modern anti-APT technologies can pinpoint anomalies on the disk, such as rare drivers, unsigned programs or maliciously-acting programs. Additionally, a system where the malware survives reboot can be imaged and then analyzed thoroughly at a later time. With Duqu 2.0, forensic analysis of infected systems is extremely difficult \u2013 one needs to grab memory snapshots of infected machines and then identify the infection in memory.\nHowever, this mechanism has one weakness: in the event of a massive power failure, all computers will reboot and the malware will be eradicated. To get around this problem, the attackers have another solution \u2013 they deploy drivers to a small number of computers with direct Internet connectivity. These drivers can tunnel traffic from the outside into the network, allowing the attackers to access remote desktop sessions or to connect to servers inside the domain by using previously acquired credentials. 
Using these credentials, they can re-deploy the entire platform following a massive power loss.\nBig Headline: COMMAND AND CONTROL MECHANISMS\nDuqu 2.0 uses a sophisticated and highly flexible command-and-control mechanism that builds on top of the 2011 variant, with new features that appear to have been inspired by other top class malware such as Regin. This includes the usage of network pipes and mailslots, raw filtering of network traffic and masking C&C traffic inside image files.\nInside a Windows LAN, newly infected clients may not have a C&C hardcoded in their installation MSI packages. Without a C&C, they are in a \"dormant\" state and can be activated by the attackers over SMB network pipes with a special TCP/IP packet that contains the magic string \"tttttttttttttttt\". If a C&C is included in the configuration part of the MSI file, this can be either a local IP address, which serves as a bouncing point, or an external IP address. As a general strategy for infection, the attackers identify servers with high uptime and set them as intermediary C&C points. Hence, an infected machine can jump between several internal servers in the LAN before reaching out to the Internet.\nTo connect to the C&C servers, both the 2011 and 2014/2015 versions of Duqu can hide the traffic as encrypted data appended to a harmless image file. The 2011 version used a JPEG file for this; the new version can use either a GIF file or a JPEG file. Here is what these image files look like:\nAnother modification to the 2014/2015 variants is the addition of multiple user agent strings for the HTTP communication. 
The 2011 version used the following user agent string:\n\u2022 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)\nThe new variants randomly select a user agent string from a table of 53 different possible ones.\nAnother unusual C&C mechanism relies on driver files that are used to tunnel the C&C communications and the attackers' RDP/SMB activity into the network. The attackers deploy such translation drivers on servers with direct Internet connectivity. Through a knocking mechanism, the attackers can activate the translation mechanism for their IPs and tunnel their traffic directly into the LAN. Outside the LAN, the traffic can be masked over port 443; inside the LAN, it can be either direct SMB/RDP or it can be further translated over fake TCP/IP packets to IP 8.8.8.8.\nDuring our investigation, we observed several such drivers. A description can be found below.\nMedium Headline: The \"portserv.sys\" driver analysis\nMD5: 2751e4b50a08eb11a84d03f8eb580a4e\nSize: 14336\nCompiled: Sat Feb 11 21:55:30 2006 (fake timestamp)\nInternal name: termport.sys\nType: Win32 device driver (a 64 bit version is known as well)\nThis is a malicious NDIS filter driver designed to perform manipulation of TCP/IP packets to allow the attacker to access internal servers in the victim's infrastructure.\nUpon startup, the filter driver hooks into the NDIS stack and starts processing TCP/IP packets.\nTo leverage the driver, the attacker first sends a special TCP/IP packet with the string \"romanian.antihacker\" to any of the hardcoded IPs belonging to an infected server. In general, such servers are computers with direct Internet connectivity, such as a webserver or a proxy. The driver sees the packet, recognizes the magic string \"romanian.antihacker\" and saves the attacker's IP for later use.\nMagic string used for knocking inside the driver.\nWhen a packet comes from the attacker's IP (saved before), the following logic applies:\n\u2022 Packet to server 1's IP on port 443 is redirected to port 445 (Samba/Windows file system)\n\u2022 Packet from server 1's IP from port 445 is redirected to attacker's IP port 443\n\u2022 Packet to server 2's IP on port 443 is redirected to port 3389 (Remote Desktop)\n\u2022 Packet from server 2's IP from port 3389 is redirected to attacker's IP port 443\nThis effectively allows the attackers to tunnel SMB (remote file system access) and Remote Desktop into these two servers while making it look like SSL traffic (port 443).\nThese drivers allow the Duqu attackers to easily access servers inside the LAN remotely, including tunneling RDP sessions over port 443 (normally SSL). They also give the attackers a persistence mechanism that allows them to return even if all the infected machines with the malware in memory are rebooted. The attackers can simply use existing credentials to log back into any of the servers that the driver is serving and can reinitialize the backdoors from there.\n\nHow does the command and control (C&C) mechanism of Duqu 2.0 differ from its 2011 variant, and what new features were inspired by other top-class malware like Regin?",
    "output": "The C&C mechanism of Duqu 2.0 builds on the 2011 variant with new features inspired by other top-class malware like Regin. These features include the usage of network pipes and mailslots, raw filtering of network traffic, and masking C&C traffic inside image files. Unlike the 2011 version, which used only JPEG files, the 2014/2015 version can use either GIF or JPEG files. Additionally, the new variants randomly select a user agent string from a table of 53 different possibilities for HTTP communication, whereas the 2011 version used a single user agent string.",
    "category": "apt-notes",
    "instruction_type": "retrieval1"
  }
]