The document summarizes a report from Symantec Security Response about a group called "Butterfly" that performs corporate espionage for financial gain. Butterfly is a small group of technically capable individuals that have compromised numerous technology, pharmaceutical, legal, and commodities companies since 2012. They gain initial access through techniques like watering hole attacks and exploits, then spread throughout the network accessing servers of interest like email and document servers. Symantec attributes the attacks to a group motivated by financial gain through stealing proprietary information.
Theft of intellectual property is troubling, no matter what the victim’s identity. But theft of IP from the defense industry can be terrifying. IP that falls into the wrong hands can have devastating security and espionage repercussions, troublesome competitiveness implications, and can even be used to target employees and families for blackmail or kidnapping. Learn more: http://www.cyberhub.com/research/IP_threat
Proactive Counterespionage as a Part of Business Continuity and ResiliencyDr. Lydia Kostopoulos
RSA Quick Look Webcast: http://www.rsaconference.com/media/quick-look-proactive-counterespionage-as-a-part-of-business-continuity-and-resiliency
This white paper corresponds to the RSA Presentation entitled: "Proactive Counterespionage as a Part of Business Continuity and Resiliency"
Presentation Abstract: The session will discuss means in which information assets and business continuity is protected and propose an additional layer of defense with a human counterespionage focus. The proposed proactive counterespionage plan includes operational security audits, reverse open source intelligence and classification of employees who are prime targets for disruptive espionage. - See more at: http://www.rsaconference.com/events/ad15/agenda/sessions/2219/proactive-counterespionage-as-a-part-of-business#sthash.DTYlHe6a.dpuf
Theft of intellectual property is troubling, no matter what the victim’s identity. But theft of IP from the defense industry can be terrifying. IP that falls into the wrong hands can have devastating security and espionage repercussions, troublesome competitiveness implications, and can even be used to target employees and families for blackmail or kidnapping. Learn more: http://www.cyberhub.com/research/IP_threat
Proactive Counterespionage as a Part of Business Continuity and ResiliencyDr. Lydia Kostopoulos
RSA Quick Look Webcast: http://www.rsaconference.com/media/quick-look-proactive-counterespionage-as-a-part-of-business-continuity-and-resiliency
This white paper corresponds to the RSA Presentation entitled: "Proactive Counterespionage as a Part of Business Continuity and Resiliency"
Presentation Abstract: The session will discuss means in which information assets and business continuity is protected and propose an additional layer of defense with a human counterespionage focus. The proposed proactive counterespionage plan includes operational security audits, reverse open source intelligence and classification of employees who are prime targets for disruptive espionage. - See more at: http://www.rsaconference.com/events/ad15/agenda/sessions/2219/proactive-counterespionage-as-a-part-of-business#sthash.DTYlHe6a.dpuf
Malware attacks have become increasingly prevalent with more than one million unique malware samples uncovered each month. And with threats on the rise, businesses are starting to question the capabilities of their security infrastructure.
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
Grift horse money stealing trojan takes 10m android users for a rideRoen Branham
Watch the full episode on Youtube: https://youtu.be/M5Gsjwsnxtg
More than 10 million Android users have been saddled with a malware called GriftHorse that’s trojanizing various applications and secretly subscribing victims to premium mobile services – a type of billing fraud that researchers categorize as “fleeceware.”
Zimperium uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing, researchers said. In either case, once installed, they lead to victims being billed for premium services – but phone-owners are usually none the wiser until they take a look at their mobile bills.
Cybersecurity is the practice of defending computers and servers, mobile devices, electronic systems, networks and data from malicious attacks.
Topic Covered:
Cyber Security Introduction
Online & Offline Identities
Hackers and their types
Cyberwarfare
Cyber Attacks Concepts & Techniques
System, Software & Hardware Vulnerabilities
Security Vulnerabilities Categories
5 biggest cyber attacks and most famous hackersRoman Antonov
A computer hacker is a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.
Presentation by Charl de Walt in 2001.
The presentation aims to educate people that IT security is relevant to SA business. The presentation begins with examples of defaced SA company websites. Various attacks such as DDoS and semantic attacks are discussed. The presentation ends with a discussion on IP manipulation
Symantec propone un'analisi approfondita sui Rogue Security Software. I RSS sono applicazioni fasulle che fingono di fornire servizi di tutela della sicurezza informatica ma che, al contrario, hanno come obiettivo quello di installare dei codici maligni che compromettono la sicurezza generale della macchina.
Panoramica - Rischi - Principali modalità di diffusione e distribuzione.
Il periodo di osservazione va da luglio 2008 a giugno 2009, qui è presentato un sommario dello Studio.
Malware attacks have become increasingly prevalent with more than one million unique malware samples uncovered each month. And with threats on the rise, businesses are starting to question the capabilities of their security infrastructure.
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
Grift horse money stealing trojan takes 10m android users for a rideRoen Branham
Watch the full episode on Youtube: https://youtu.be/M5Gsjwsnxtg
More than 10 million Android users have been saddled with a malware called GriftHorse that’s trojanizing various applications and secretly subscribing victims to premium mobile services – a type of billing fraud that researchers categorize as “fleeceware.”
Zimperium uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing, researchers said. In either case, once installed, they lead to victims being billed for premium services – but phone-owners are usually none the wiser until they take a look at their mobile bills.
Cybersecurity is the practice of defending computers and servers, mobile devices, electronic systems, networks and data from malicious attacks.
Topic Covered:
Cyber Security Introduction
Online & Offline Identities
Hackers and their types
Cyberwarfare
Cyber Attacks Concepts & Techniques
System, Software & Hardware Vulnerabilities
Security Vulnerabilities Categories
5 biggest cyber attacks and most famous hackersRoman Antonov
A computer hacker is a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.
Presentation by Charl de Walt in 2001.
The presentation aims to educate people that IT security is relevant to SA business. The presentation begins with examples of defaced SA company websites. Various attacks such as DDoS and semantic attacks are discussed. The presentation ends with a discussion on IP manipulation
Symantec propone un'analisi approfondita sui Rogue Security Software. I RSS sono applicazioni fasulle che fingono di fornire servizi di tutela della sicurezza informatica ma che, al contrario, hanno come obiettivo quello di installare dei codici maligni che compromettono la sicurezza generale della macchina.
Panoramica - Rischi - Principali modalità di diffusione e distribuzione.
Il periodo di osservazione va da luglio 2008 a giugno 2009, qui è presentato un sommario dello Studio.
The Ocean Lotus APT group is a hacker group operating against both private and government organizations and their opponents since 2014.
Vietnam-based threat actor that has been the group which has compromised various industries like manufacturing, network security, technology infrastructure, banking, media, and consumer products. Their signature malware payload includes WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL..
Ocean Lotus Main Motive is Information theft & Espionage.
Ocean Lotus uses Hacking Methods Like Watering Hole, Spear Phishing, APT32 [Mandiant], Ocean Lotus [SkyEye Labs].
Other Names of Ocean Lotus are Ocean Buffalo [Crowd Strike], Tin Woodlawn [SecureWorks].
The targets of the Ocean Lotus group are generally foreign companies with sure success and interests in Vietnam’s hospitality, manufacturing, and consumer goods sectors. As well as the private sector, the Ocean Lotus group targets politicians and journalists opposed to the Vietnamese government.
54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docxalinainglis
54 Chapter 1 • The Threat Environment
FIGURE 1-18 Cyberwar and Cyberterror (Study Figure)
Nightmare Threats
Potential for far greater attacks than those caused by criminal attackers
Cyberwar
Computer-based attacks by national governments
Espionage
Cyber-only attacks to damage financial and communication infrastructure
To augment conventional physical attacks
Attack IT infrastructure along with physical attacks (or in place of physical attacks)
Paralyze enemy command and control
Engage in propaganda attacks
Cyberterror
Attacks by terrorists or terrorist groups
May attack IT resources directly
Use the Internet for recruitment and coordination
Use the Internet to augment physical attacks
Disrupt communication among first responders
Use cyberattacks to increase terror in physical attacks
Turn to computer crime to fund their attacks
espionage.87 Cyber espionage from China has been a serious problem since 1999.88
The Chinese government has been involved in, or sponsored, attacks aimed at the State
Department, Commerce Department, Senators, Congressmen, and US military labs.89
Cyberwar attacks can be launched without engaging in physical hostilities and still do
tremendous damage. Countries can use cyberwar attacks to do massive damage to one
another’s financial infrastructures, to disrupt one another’s communication infrastructures,
and to damage the country’s IT infrastructure all as precursors to actual physical hostilities.
Cyberterror
Another nightmare scenario is cyberterror, in which the attacker is a terrorist or group of
terrorists.90 Of course, cyberterrorists can attack information technology resources directly.
They can damage a country’s financial, communication, and utilities infrastructure.91
87 Dawn S. Onley and Patience Wait, “Red Storm Rising,” GCN.com, August 21, 2006. Keith Epstein, “China
Stealing U.S. Computer Data, Says Commission,” Business Week, November 21, 2008. http://www.businessweek.
com/bwdaily/dnflash/content/nov2008/db20081121_440892.htm.
88 Daniel Verton and L. Scott Tillett, “DOD Confirms Cyberattack ‘Something New’,” Cnn.com, March 6, 1999.
89 Josh Rogin, “The Top 10 Chinese Cyber Attacks (that we know of),” ForeignPolicy.com, January 22, 2010.
90 Although organized terrorist groups are very serious threats, a related group of attackers is somewhat dan-
gerous. These are hacktivists, who attack based on political beliefs. During tense periods between the United
States and China, for instance, hacktivists on both sides have attacked the IT resources of the other country.
91 In 2008, the CIA revealed that attacks over the Internet had cut off electrical power in several cities. Robert
McMillan, PC World, January 19, 2008. http://www.pcworld.com/article/id,141564/article.htm?tk=nl_dnxnws.
Chapter 1 • The Threat Environment 55
Most commonly, cyberterrorists use the Internet as a recruitment tool through
websites and to coordinate their activities.92 They can also use cyberterror in conjunc-
tion with .
This Frost & Sullivan analyst report reveals how the legal and threat environment, combined with BYOD and cost factors, make multi-factor, risk-based authentication the logical approach to solving the security challenges posed by threat actors.
UN session about modern ICT threat landscape.
The session was aimed to introduce recent threats targeting UN agencies and some potential recommendations to improve detection, investigation and understanding of these threats and their goals.
Running Head CYBERSECURITY1CYBERSECURITY 15.docxtodd271
Running Head: CYBERSECURITY 1
CYBERSECURITY 15
Cybersecurity in Financial Sector
Student Name
Tutor’s Name
Date
Table of Contents
Introduction 3
Background 3
Insiders Threats 5
Research Questions 6
Research Methodology 9
Data Analysis 10
Discussions 10
Conclusion 12
Reference 14
Introduction
Cyber threat has risen as a key danger to financial stability, following ongoing attacks on financial organizations. This research introduces a novel documentation of digital threats far and wide for financial organizations by breaking down the various sorts of cyber events and determining patterns by use of several datasets. As critical framework, financial establishments must execute the most elevated level of cybersecurity as the danger of a devastating cyberattack keeps on growing. Malignant actors, including disgruntled staff, state supported actors and conventional hackers, all have inspirations to attack the financial sector, and do so now and then. Be that as it may, the risk changes somewhat between financially stable organizations as well as new financial institutions. The challenging and multifaceted danger must be completely comprehended so as to appropriately address and dissect solutions to save the security of these foundations and the economy that they contribute to.Background
Financial institutions are a primary component, both to the US as well as the world in general. As basic foundation and guardians of cash, stuns felt in the business can resound, with outrageous results, into each element of American life, as outlined in the 2008 financial crisis. While banks, both momentously huge and modestly small, satisfy the desires to keep the variable worldwide economy generally steady, the risk of cyberattacks on such organizations keep on developing. Consistently, noxious actors, a classification that contains from state supported hackers to disappointed insiders, attack banks through specialized methods.
Some of the attacks are monetarily inspired; some are only interested to disturb and cause the tumult that happens when critical infrastructures are truly undermined. Information breach, a typical type of attack, leave a large number of clients' sensitive data available to anyone. This mixture of damaging variables has lead the money business to be the most elevated high-roller on cybersecurity much higher than the legislature (Rohmeyer & Bayuk, 2018). Albeit accessible literature has assessed the risk from numerous points of view, two key areas require a more top to bottom examination; the one of a kind circumstance looked by little and network banks, and the insider danger faced by organizations of any size. By comprehension and dismembering the danger faced by money related organizations, the expanded mindfulness makes it simpler to break down solution and look towards the eventual fate of the issue.
The dangers faced by financial organizations differ generally in source, methodology of attacks as .
Perform a search on the Web for articles and stories about social en.pdffasttrackcomputersol
Perform a search on the Web for articles and stories about social engineering attacks or reverse
social engineering attacks. Find an attack that was successful and describe how it could have
been prevented.
Solution
Answer:
As per Computer Weekly, social engineering attacks were the most well-known hacking strategy
utilized as a part of 2015. What\'s more, there\'s no indication of it backing off; in 2016 60
percent of undertakings were casualties of a social engineering attack or something to that affect.
Furthermore, as per EMC, phishing attacks—the least demanding and most normal sort of social
engineering attacks—brought about almost $6 billion in misfortunes in 2013 alone, spread out
finished around 450,000 separate bargains.
Some hurt more regrettable than others, however all brought about a sufficiently genuine shake
up for security directors to recalibrate their regard for the vector, investigate their conventions,
and make teaching staff a best need.
Here\'s our pick for five of the greatest social engineering attacks ever.
5. 2011 RSA SecurID Phishing Attack
Security firms ought to be the most secure targets with regards to a data framework attack, yet
they are likewise delicious focuses on that draw more than what\'s coming to them of endeavors.
In 2011, one of these attacks bit encryption mammoth RSA and prevailing with regards to mesh
hackers profitable data about the organization\'s SecurID two-factor validation coxcombs.
In spite of the fact that RSA at first denied that the data could enable hackers to trade off
anybody utilizing SecurID, protection temporary worker Lockheed Martin soon recognized
hackers endeavoring to rupture their system utilizing stolen SecurID information. RSA retreated
rapidly and consented to supplant a large portion of the disseminated security tokens.
This inconvenience came down to four workers at RSA parent organization EMC. Attackers sent
them email with a satirize deliver implying to be at a vocation enrollment site, with an Excel
connection titled 2011 Recruitment Plan. It wasn\'t clear why the representatives would think
about a spreadsheet from an outsider site, however they opened it—and a zero-day Flash
adventure covered in the spreadsheet introduced indirect access to their work machines that soon
exposed the keys to the kingdom.
4. 2015 Ubiquiti Networks Scam
Not all hackers are searching for touchy data; here and there they simply need chilly, hard
money.
In 2015, Ubiquiti, a particular producer of wifi hardware and software situated in San Jose,
discovered this out the most difficult way possible when their fund division was focused in an
extortion conspire rotating around worker pantomime.
The organization never uncovered precisely how the attack was organized, yet said that the
bookkeeping office got email indicating to be from the organization\'s Hong Kong auxiliary.
Regularly, such emails contain guidelines with respect to changes in installment account points
of interest or new selle.
Data Leak Protection Using Text Mining and Social Network AnalysisIJERD Editor
Data Leak prevention is a research field which deals with study of potential security threats to
organizational data and strategies to prevent such threats. Data leaks involve the release of sensitive information
to an untrusted third party, intentionally or otherwise while data loss on the other hand is disappearance or
damage of data, inwhich a correct data copy isno longer available to the organization.Thesecorrespond toa
compromise of data integrity oravailability. Data leak/loss has led to huge loss of revenue in the affected
organisation and a threat to their continued existence. All organisations using electronic data storage are
vulnerable to this attack. This research work is targeted at organisations with sensitive datasuch as Bank,
Manufacturing industries, GSM operators, research centres, Military, Higher Educational Institutions and so
on.The authorsanalyse the possible threats to organisational data and the parties that are involved in such threat,
the impact of successful attack on an organisation,and current approaches to DLP.The authorsalso design a DLP
modelusing “text mining” and “social network analysis”, and suggested further research into “text mining” and
“social network analysis”for effective future solution to DLP problems.In conclusion, implementation of this
design with adherence to good data security practices and proactive strategies suggested in thispaper will
significantly reduce the risk of such security threats.
A Guide to Internet Security For Businesses- Business.comBusiness.com
Recent revelations by National Security Agency (NSA) renegade contractor Edward Snowden have resulted in many businesses paying more attention to how secure their computer systems are. But even the most “cyber-savvy” businesses can have their computer networks hacked and compromised. Use this whitepaper to understand your threats, protective options, and trends in internet security for businesses.
1
2
Cyber Research Proposal
Cybersecurity in business
Introduction
Because of today's international economy, securing a company's intellectual property, financial information, and good name is critical for the company's long-term survival and growth. However, with the rise in risks and cyber vulnerability, most businesses find it difficult to keep up with the competition. Since their inception, most companies have reported 16% fraud, 37.7% financial losses, and an average of over 11% share value loss, according to data compiled by the US security. Most corporations and governments are working hard to keep their customers and residents safe from harm. There are both physical and cybersecurity risks involved with these threats. According to a recent study, many company owners aren't aware of the full scope of cybersecurity. People who own their businesses must deal with various issues daily.
Nevertheless, steps are being taken to address these issues. Customers and the company are likely to be protected by the measures adopted. Cybersecurity is one of the most pressing issues facing organizations today. Leaks of a company's intellectual property and other secrets may have devastating effects on its operations, as competitors and rivals will do all in their power to stop them. is an excellent illustration of this. This is perhaps the most talked-about security compromise of the year [footnoteRef:3]. The firm was severely damaged because of this. [1: "Database security attacks and control methods."] [2:q "Comprehending the IoT cyber threat landscape: A data dimensionality reduction technique to infer and characterize Internet-scale IoT probing campaigns."] [3: "The Equifax data breach: What cpas and firms need to know now." ]
Some individuals take advantage of clients by stealing highly important information to profit financially from their actions. For example, if the wrong individuals get their hands on your credit card information, you're in serious trouble since you might lose money. Some families lose all their resources, while others are forced to declare bankruptcy after being financially stable for a long period. Many of the findings of this study will be focused on cybersecurity and the sources of cybersecurity risks. The paper outlines a few of the issues and solutions that organizations may use to keep their operations and consumers safe from exploiting dishonest individuals.
Research question
According to the most recent study, more than 1500 companies have been exposed to some cybersecurity assault[footnoteRef:4]. This research details the specific types of attacks that have occurred. Organizational operations are affected, as is corporate governance, and the internal management of financial status is rendered ineffective due to these assaults. The question that will be investigated during the study is: [4: "Towards blockchain-based identity and access management for internet of things in enterprises."]
How doe ...
Similar to Butterfly: Corporate Spies out for Financial Gain (20)
Symantec Enterprise Security Products are now part of BroadcomSymantec
Symantec Enterprise Security Products are now part of Broadcom. The consumer division of Symantec Corp. is now NortonLifeLock Inc. -- a standalone company dedicated to consumer cyber safety.
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec
Youth in foster care face unique risks to their identity.In this webinar we discuss the risks, as well as tips for better protection. Watch on demand here: https://symc.ly/2N8cELV.
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec
Learn how to protect your data during Symantec's National Cyber Security Awareness Month webinar with the Identity Theft Resource Center and Infolock.To watch on demand https://symc.ly/2VMMWQX.
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec
Symantec, TechSoup and the Michigan Small Business Development Center share how to apply added layers of security to your devices and online accounts. Watch on-demand recording here: https://symc.ly/33ifcxo.
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec
View this webinar from Symantec and NCSAM partners, the National PTA, Connect Safety and the National Cyber Security Alliance, to learn how to protect the devices you use day to day.
Watch on demand here: https://symc.ly/2nLyXyB
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec
On January 1, 2020, one of the strictest privacy laws in the US, the California Consumer Privacy Act (CCPA), will come into effect. What should governance, risk and compliance executives know in order to prepare for CCPA? Watch the on demand recording here: https://symc.ly/2Pn7tvW.
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
Experts from Symantec and MITRE explore the latest research and best practices for detecting targeted ransomware in your environment.
Watch on-demand webinar here: https://symc.ly/2L7ESFI.
This webinar will explore the less-discussed topics of a mobile security strategy that everyone should understand – before it’s too late. Watch on-demand here: https://symc.ly/2z6hUsM.
Symantec Webinar | Tips for Successful CASB ProjectsSymantec
There is an art to securely using cloud apps and services, including SaaS, PaaS, and IaaS. In this Symantec webcast, hear from Steve Riley, a Gartner senior director analyst who focuses on public cloud security, and Eric Andrews, Symantec’s vice president of cloud security, as they share best practices with practical tips for deploying CASB. Watch here: https://symc.ly/2QTyUec.
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec
This webinar to shares insight into how an Advanced Threat Assessment does root analysis to uncover unknown, unique threats happening in your environment. Watch here: https://symc.ly/2W52MoA
Learn if you’ve got the right security strategy, and investment plan, to protect your organization and ensure regulatory compliance with the General Data Protection Regulation (GDPR). Watch now here: https://symc.ly/2VMNHIm
2019 Symantec Internet Security Threat Report (ISTR): The New Threat Landscape presented by Kevin Haley, Director Product Management, Security Technology & Response, Symantec. Watch webinar recording here: https://symc.ly/2FJ9T18.
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec
Gain valuable insight whether you’re well on your way to Zero Trust implementation or are just considering it. Watch the original webinar here https://www.symantec.com/about/webcasts?commid=347274.
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec
First-hand insights on the newest cloud-delivered endpoint security solutions. Hear from Joakim Liallias, Symantec and special guest speakers Sundeep Vijeswarapu from PayPal and top industry analyst Fernando Montenegro, 451 Research. Listen here: https://symc.ly/2UY2TlS.
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec
Learn how Symantec Endpoint Protection & Response (EDR) and the MITRE ATT&CK framework can expose and thwart persistent adversaries like APT28 otherwise known as Fancy Bear. Watch Webinar here: https://symc.ly/2WyPD8I
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Butterfly: Corporate Spies out for Financial Gain
1. SECURITY RESPONSE
There are some indications that this group may be made up of
native English speakers, are familiar with Western culture, and
may operate from an Eastern Standard Time (EST) time zone.
Butterfly: Corporate spies
out for financial gain
Symantec Security Response
Version 1.1 – July 9, 2015
3. Butterfly* is a group of highly capable, professional attackers who perform corporate
espionage with a laser-like focus on operational security. The team is a major threat to
organizations that have large volumes of proprietary intellectual property, all of which is
at risk of being stolen by this group for monetary gain.
The Butterfly attackers, who Symantec believes are a small number of technically capable
individuals, compromised several major technology companies including Twitter, Facebook,
Apple and Microsoft in early 2013. In these campaigns, the attackers used a Java zero-day
exploit to drop malware onto victims’ computers.
Since those attacks, there has been little-to-no public information about the Butterfly
attackers. Symantec has been working with victims to track these attackers over the past
two years. We found that Butterfly compromised multiple pharmaceutical companies,
technology firms, law practices, and oil and precious metal mining organizations during
this period. The attackers are versatile and spread their threats quickly within compromised
organizations. They may also have had access to at least one other zero-day exploit,
affecting Internet Explorer 10.
There are some indications that this group may be made up of native English speakers,
are familiar with Western culture, and may operate from an Eastern Standard Time (EST)
time zone.
OVERVIEW
4. Prior to Butterfly, the majority of documented cyberespionage attacks has been conducted
against politically sensitive entities such as embassies, government ministries, central
banks, dissidents, militaries, and associated defense contractors. Government-sponsored
attackers have also attacked private sector organizations, presumably to steal intellectual
property in order to provide their local industry with an unfair advantage in the market.
Butterfly is a timely reminder to organizations that as well as defending against
state-sponsored attacks, organizations must be aware of the potential threat of corporate
espionage, where attacks are performed at the behest of competitors or by individuals
looking to monetize stolen information such as through stock trading using insider
knowledge. A key difference between attacks coming from competitors and state-
sponsored attackers is that competitors are likely in a better position to request the
theft of specific information of value and make more rapid use of this information than
government-sponsored attackers would.
Butterfly appears to be part of this class of attack group. The attackers appear to be
motivated by financial gain, either by using the information themselves for their own
benefit or selling it to a third party.
* “Morpho” was used in the original publication to refer to this attack group. Symantec has renamed
the group “Butterfly” to avoid any link whatsoever to other legitimate corporate entities named
“Morpho”.
5. The attackers appear
to be motivated
by financial gain,
either by using
the information
themselves for their
own benefit or selling
it to a third party.
BACKGROUND
6. Page 6
Butterfly: Corporate spies out for financial gain
Background
The corporate espionage threat
Prior to Butterfly, the majority of documented cyberespionage attacks has been conducted against politically
sensitive entities such as embassies, government ministries, central banks, dissidents, militaries, and associated
defense contractors. Government-sponsored attackers have also attacked private sector organizations,
presumably to steal intellectual property in order to provide their local industry with an unfair advantage in the
market.
Butterfly is a timely reminder to organizations that as well as defending against state-sponsored attacks,
organizations must be aware of the potential threat of corporate espionage, where attacks are performed at the
behest of competitors or by individuals looking to monetize stolen information such as through stock trading
using insider knowledge. A key difference between attacks coming from competitors and state-sponsored
attackers is that competitors are likely in a better position to request the theft of specific information of value
and make more rapid use of this information than government-sponsored attackers would.
Butterfly appears to be part of this class of attack group. The attackers appear to be motivated by financial gain,
either by using the information themselves for their own benefit or selling it to a third party.
Butterfly attacks against tech firms
On February 1, 2013, Twitter published a blog, stating that it had “discovered one live attack” and added that
it was “able to shut it down in process moments later.” Twitter encouraged users “to disable Java” in their
browsers. “The attackers were extremely sophisticated, and we believe other companies and organizations have
also been recently similarly attacked,” said Twitter.
Fourteen days later, on February 15, Facebook issued a statement, disclosing that several of its systems
“had been targeted in a sophisticated attack.” Facebook said that the attackers used “a ‘zero-day’ (previously
unseen) exploit to bypass the Java sandbox,” which had been hosted on a “mobile developer website that was
compromised.”
Reuters referenced a similar statement from Apple a few days later on February 19. According to Apple,
attackers used a Java zero-day exploit to compromise a number of Apple employees’ Mac OS X computers. Apple
said that the exploit was delivered through a “site aimed at iPhone developers.”
Finally, Microsoft published a statement on February 22, stating that it too had “experienced a similar security
intrusion” as the ones reported by Facebook and Apple.
The attacks against these technology firms appeared to take place between 2012 and early 2013. The zero-day
exploit referred to in the various statements took advantage of the Oracle Java Runtime Environment Multiple
Remote Code Execution Vulnerabilities (CVE-2013-0422). The vulnerability had been patched by Oracle on
January 13, 2013, after the attacks occurred. Various parties published details of the attack vector, as well as
the malware used in the attacks, several days later.
F-Secure blogged that a Mac OS X back door (detected by Symantec as OSX.Pintsized) was the attack’s payload.
According to the website StopMalvertising, the compromised website that hosted the exploit was an iPhone
developer website called iPhoneDevSDK.com.
Independent researcher Eric Romang published some technical details about the attacks and established a
timeline suggesting that the attackers have been active from September 2012. Symantec telemetry indicates
that the timeline goes back even further than this, with malicious activity starting from at least April 2012.
Romang analyzed many of the OSX.Pintsized samples and also identified a Windows back door, which he claimed
was related to the attacks. This Windows file is a variant of what Symantec detects as Backdoor.Jiripbot. Other
vendors called the variant Jripbot.
Since Romang’s analysis, there has been little-to-no public information related to the attackers behind the Java
zero-day exploit or the use of OSX.Pintsized and Backdoor.Jiripbot.
7. Some victims
seem to have been
compromised as a
result of collateral
damage, as the
attackers appeared
uninterested in them
and either cleaned
up or abandoned the
infection.
VICTIMS
8. Page 8
Butterfly: Corporate spies out for financial gain
Victims
After the events of late 2012 and early 2013, the Butterfly attackers appeared to have maintained a low profile,
compromising a small number of organizations. Each year however, that number has increased. Symantec has
discovered that the Butterfly attackers have compromised 49 unique organizations. Out of the 49 organizations,
27 of the companies’ industries could be identified, while the remaining are unknown.
Some victims
seem to have been
compromised as a
result of collateral
damage, as the
attackers appeared
uninterested in them
and either cleaned
up or abandoned the
infection. However,
other victims were
clearly of value to
Butterfly, as the
attackers spread
quickly in the networks
until they found
computers of interest.
The chart in Figure 1
shows the number of
infected organizations
per industry over
time. The graph is
filtered to only include
organizations that
could be classified into
a sector.
Symantec found that there was a lull in activity following the very public documentation of the late 2012 and
early 2013 attacks. Butterfly’s activity resumed in August 2013, and there has been a substantial increase in the
number of victims from late 2014 to the present.
The three regions that were
most heavily targeted by
Butterfly since 2012 are
shown in Figure 2.
The other regions affected
by Butterfly’s attacks are:
• Brazil
• China
• Hong Kong
• India
• Israel
• Japan
• Kazakhstan
• Malaysia
• Morocco
• Nigeria
• Taiwan
• Thailand
• South Korea
• United Arab Emirates
Figure 1. Number of infected organizations per industry by year
Figure 2. Three regions most heavily targeted by Butterfly attackers
9. Page 9
Butterfly: Corporate spies out for financial gain
The industries of known victims have remained relatively consistent over time, with some notable exceptions.
Industries
The Java zero-day attack that exploited CVE-2013-0422 appears to have targeted technology companies, judging
from the nature of the watering-hole website. This claim is backed up by the organizations that publicly reported
how they were compromised in the attacks. Butterfly has continued to target a number of technology companies,
which are primarily based in the US.
Other Butterfly victims of note are involved in the pharmaceutical, legal, and commodities industries. The
Butterfly attackers continued to attack these industries intermittently over the following two years.
Pharmaceutical
In January 2014, a major European pharmaceutical company was compromised. The attackers appear to have
first breached a small European office and a month later, spread across the network to the company’s US office,
as well as the European headquarters.
Two more major European pharmaceutical companies were later compromised−one in September 2014 and
the other in June 2015. In both incidents, the attackers appear to have gained access to computers in several
regional offices. In the June 2015 compromise, the affected company quickly identified the infection from
Symantec’s alerts, as well as other notifications on Secure Shell (SSH) traffic on non-standard ports.
Technology
The Butterfly attackers have consistently targeted major technology companies from late 2012 to the present.
At least five companies, in addition to those who publicly documented the attacks in 2013, have been
compromised, to Symantec’s knowledge. The technology companies are primarily headquartered in the US.
Law
In the watering-hole attacks of early 2012, two US-based law firms were attacked. No other known legal entities
were attacked until June
2015, when the Central Asian
offices of a global law firm
were compromised. This most
recent victim specializes in a
number of topics, including
finance and natural resources
specific to the region.
Commodities
Two major natural
resources organizations
were compromised in late
2014. These organizations
specifically work with gold
and oil. The timing of these
compromises, along with the
later breach of the law firm
as previously mentioned, is
notable. It seems very likely
that the Butterfly attackers
have a specific interest in the
commodities industry and are
in a position to profit from
information stolen from the
breached organizations.
Figure 3. Timeline showing when attacks against different industry sectors began
10. Page 10
Butterfly: Corporate spies out for financial gain
Government, logistics, and education
A number of victims appear to have been of little interest to the attackers. This was the case for one Middle
Eastern government agency, a Japanese logistics company, and an American university. With all three victims,
either the attack was not successful or, if it was, the malware was not used after the initial compromise. It seems
likely that these victims were collateral damage.
Targeted computers
The attackers focused on obtaining access to specific systems of interest in all of the compromised
organizations. In most organizations, these systems were email servers: either Microsoft Exchange or Lotus
Domino servers. Once the attackers had this access, they presumably then eavesdropped on email conversations
and may have been in a position to potentially insert fraudulent emails as well.
Other systems that the attackers compromised were enterprise content management servers. These systems are
used for indexing and storing a company’s various documents and other digital assets. Such servers would not
contain source code, but rather legal documents, internal policies, training documents, product descriptions,
and financial records.
In one technology company breach, Butterfly compromised a more unusual system. The attackers gained access
to what is known as a Physical Security Information Management (PSIM) system. This software is used for
aggregating, managing, and monitoring physical security systems and devices. The physical security systems
could consist of CCTV, swipe card access, HVAC, and other building security. After compromised that system, the
attackers could have monitored employees through the company’s own CCTV systems and tracked the activities
of individuals within the building.
Tools, tactics, and procedures
Butterfly operates consistently across its breaches, deploying the same set of tools and targeting the same
types of computers, which we detail in the Victims section of this report. Butterfly adapts quickly to targeted
environments and takes advantage of systems already in place, such as remote access tools or management
systems, in order to spread across the network.
While Butterfly has used one confirmed zero-day exploit (CVE-2013-0422), the group appears to have used at
least one more zero-day exploit against a vulnerability in Internet Explorer 10.
Based on our analysis of a command-and-control (C&C) server used in an attack, the Butterfly operators
demonstrate exceptional operational security, as they use encrypted virtual machines and multi-staged C&C
servers to make it difficult to investigate their activities.
Gaining initial access
The attack vector for Butterfly’s campaigns in late 2012 and early 2013 was well documented. The group
conducted a watering-hole attack that compromised a popular mobile phone developer website, iPhoneDevSDK.
com, to deliver a Java zero-day exploit. However, little information is known about how the Butterfly attackers
have continued to gain access to victims’ systems, except for a few cases.
In one of the most serious cases, on June 25, 2014, Internet Explorer 10 created a file called bda9.tmp
on a victim’s computer. It is likely that bda9.tmp was created as a result of an exploit targeting Internet
Explorer. Bda9.tmp was then executed and went on to create a variant of Backdoor.Jiripbot with the file name
LiveUpdate.exe.
The affected version of Internet Explorer was a fully up-to-date, patched version of the browser, so the exploit
was very likely either a zero-day for Internet Explorer 10 or for a plugin used in Internet Explorer.
Microsoft patched a number of Internet Explorer 10 remote code execution vulnerabilities in subsequent Patch
11. Page 11
Butterfly: Corporate spies out for financial gain
Tuesday releases. It is possible that one of these patches covered the exploit, as there is no additional evidence
of an Internet Explorer 10 exploit in use. It was not possible to identify the website hosting the exploit or to
retrieve a copy of the exploit.
In late 2014, Java was used to create a file called updt.dat on a system belonging to another targeted
organization. The updt.dat file was located in a JBossweb folder, which is a sub-folder of Apache Tomcat. Based
on this activity, it seems likely that the JBoss server was compromised to deploy the malware. The breach may
have been a result of an SQL injection attack. This is based on evidence from an analyzed C&C server, where we
discovered that the Butterfly attackers use the SQLMap tool against their targets.
Once Butterfly gains a foothold in the victim’s network, they begin to carefully spread through it, until they
locate a system of interest.
Spreading
In at least two incidents, the attackers appear to have taken advantage of internal systems to spread through
a network once they gained initial access. In one instance, the attackers used a Citrix profile management
application to create a back door on a newly infected system. This application can be used to install applications
or manage a user’s profile for authentication. It’s likely that the attackers took advantage of this system and
placed the back door in a specific profile, which was triggered when the profile’s owner logged in.
In the second incident, the TeamViewer application was used to create copies of Backdoor.Jiripbot on the
compromised computers. It appears that TeamViewer was legitimately present on the targeted computers and
was then taken advantage of by the attackers.
However the attackers spread within a network, they are able to move quickly. In one breach, the attackers first
compromised a computer on April 16, 2014. Within one day, they compromised three more computers. Once a
computer is infected, the attackers seem to rapidly determine whether or not the computer is valuable to them.
There are two instances where there was no additional Butterfly activity after the computers were infected, apart
from the creation of shred.exe. In these cases, the attackers likely determined that the infected computers were
not valuable targets and used shred.exe to securely remove the infections.
The Butterfly toolkit
The Butterfly attackers use a number of different tools, a subset of which has been retrieved from compromised
computers. This set of tools appears to be unique to the attackers, as the tools have been in use in combination
with each other and there has been no open source data on the various tools used.
The attackers use the hacking tools once they gain a foothold on a network. They generally give the tools .dat
extensions and file names that usually give some indication of the tools’ purposes. For example, the attackers
refer to one of the tools as “Banner Jack” and deploy it with the name bj.dat. It is likely that these files are
encrypted when they are downloaded and are then decrypted when on disk.
Known hashes and corresponding file names are listed in the appendix under the Hashes section. A number of
the hacking tools also contain help documentation, which details how to use the tool. Each help description is
listed in the appendix, where present.
OSX.Pintsized and Hacktool.Securetunnel
The back door OSX.Pintsized was well documented by F-Secure, Intego, and Romang after the 2012/2013 tech
company attacks. OSX.Pintsized is a modification of OpenSSH that runs on Mac OS X, and contains additional
code to read two new arguments and an embedded RSA key. The two additional arguments are “-z” and “-p”,
which are used to pass a C&C server address and port respectively. The back door has also been observed using
a very basic Perl script that opens a reverse shell.
12. Page 12
Butterfly: Corporate spies out for financial gain
The Butterfly attackers use the same modified version of OpenSSH on 32-bit Windows systems. This version uses
the exact same “-z” and “-p” additional arguments and also includes an embedded RSA key. The attackers have
two versions: one which is statically linked against OpenSSH and the other which is compiled using a Cygwin
DLL. Symantec detects these samples as Hacktool.Securetunnel.
Backdoor.Jiripbot
Romang referenced a malware family called Backdoor.Jiripbot (aka Jripbot) in his blog. This is the Butterfly
group’s primary back door tool, which has a fallback domain generation algorithm (DGA) for maintaining
command and control. A comprehensive technical description of this malware family is provided in the appendix.
One notable point about Backdoor.Jiripbot is the use of the string “AYBABTU” as an encryption key. This is the
acronym for “All your base are belong to us”, a popular meme used by gamers.
The attackers have used several variants of this malware family from 2013 to at least June of 2015, with several
minor modifications adding or removing commands.
Hacktool.Bannerjack
Hacktool.Bannerjack is used to retrieve default messages issued by Telnet, HTTP, and generic Transmission
Control Protocol (TCP) servers. The help documentation for the tool is listed in the appendix. The tool takes
an IP address range and port. It then connects to each IP address on a given port, retrieving and logging any
data printed by the server. The tool is presumably used to locate any potentially vulnerable servers on the local
network, likely including printers, routers, HTTP servers, and any other generic TCP servers.
Hacktool.Multipurpose
Hacktool.Multipurpose also appears to be a custom-developed tool. It is designed to assist attackers in
spreading through a network. It hides activity by editing events logs, dumping passwords, securely deleting files,
encrypting files, and performing basic network enumeration.
The help documentation for this tool is quite comprehensive and extensively explains the tool’s functionality.
This documentation is listed in the appendix.
Hacktool.Eventlog
Hacktool.Eventlog is another multipurpose tool, but its primary functionality is to parse event logs, dumping out
ones of interest, and to delete entries. The tool will also end processes and perform a secure self-delete. The help
documentation for the tool is listed in the appendix.
Hacktool.Proxy.A
Hacktool.Proxy.A creates a proxy connection that allows attackers to route traffic through an intermediary node
onto their destination node. The documentation for the tool is listed in the appendix.
Operational security
The Butterfly attackers have demonstrated excellent operational security, as we have observed in several
aspects of their attacks.
The Butterfly attackers use a number of anti-forensics techniques to prevent detection and presumably hinder
investigation into their activity when discovered. The group’s malware and other files are securely deleted using
either the GNU Shred tool, which overwrites a file’s contents as well as deleting the index from the file allocation
13. Page 13
Butterfly: Corporate spies out for financial gain
table, or the shred functionality written into a custom tool. Similarly, event logs are modified to remove any
evidence of the attackers’ activity. A specific tool, Hacktool.Eventlog, appears to have been developed to perform
just this function. Using both techniques, the attackers can securely remove infections from computers that are
of no interest, letting them avoid leaving any trace of activity.
Another aspect of Butterfly’s operational security is the use of throwaway registrant names for C&C domains.
There appears to be no re-use of email addresses or names when registering different domains and C&C servers.
Similarly, the Butterfly attackers use bitcoins to pay hosting providers to host their C&C servers. This method of
payment makes it difficult for investigators to track the transaction back to a particular entity.
Finally, one of the most telling aspects of the Butterfly attackers’ level of operational security is how they run
their C&C servers. Symantec performed a forensic analysis of a C&C server used by the Butterfly attackers in late
2014. These attackers typically use a multi-staged C&C infrastructure, with several servers acting as proxies and
redirecting connections back to a final server. Symantec believes that the analyzed server was this final server,
however, it was not possible to confirm this.
The analyzed server was running Debian Linux and was very clean, with little traces of activity. Logging had been
disabled and any log files that had been created before logging was disabled were securely deleted. A single file
was present in the /root/ directory. This file, called “hd-porn-corrupted_tofix.rar”, was 400GB in size. Despite
the .rar extension, it was not a .rar file. However, there were some indications on the server as to what this file
actually was.
Truecrypt was installed on the server, as was Virtual Box. Truecrypt is an encryption tool that can be used to
create an encrypted file system in a single file. Virtual Box is software that can be used to run a virtual machine.
It is likely that the 400GB “.rar” file was an encrypted Truecrypt file which contains a Virtual Box virtual machine.
The Butterfly attackers would decrypt and run the virtual machine, redirecting SSH traffic from the physical
hosting server to the virtual machine. This would give the attackers the ability to control compromised systems
from within the virtual machine. This type of design is effective at hindering analysis without a live memory
image of the C&C server.
There were other hints of activity on the C&C server as well. There was evidence to suggest that the attackers
used the SQLMap tool. This tool looks for SQL weaknesses in web applications, and indeed, as previously
mentioned, at least one victim was compromised through a JBoss server, possibly through an SQL injection
attack. Also, the local time zone of the C&C server was changed to New York, UTC-5.
However, apart from the SQLMap activity and the modified time zone, there was no other evidence on the C&C
server. The Butterfly attackers maintained a very clean house.
14. Page 14
Butterfly: Corporate spies out for financial gain
Attribution
Based on the gathered evidence, there are several plausible theories that describe the nature of the Butterfly
attackers. A summary of some of the data gathered is presented below:
• Victims are primarily large corporations, mostly related to technology, pharmaceutical, commodities, and law.
• The targeted technology companies are mostly based in the US, however, other victims are spread across the
globe.
• There is one government victim
• Infection numbers are generally quite low; there are not many concurrent infections
• Activity remains consistent across infected organizations; the attackers use same file names and deploy the
same tools
• The group has excellent operational security
• The attackers have had access to at least one zero-day exploit, likely two and possibly more.
• The attackers appear to develop their own tools.
• The group’s various hacktools have extensive documentation written in good English.
• Several memes or colloquialisms specific to English speakers are used
• “All your bases are belong to us”–The AYBABTU encryption key in Backdoor.Jiripbot
• “Stuffz”–A phrase used in the Hacktool.Multipurpose description
• “Zap”–To mean delete, used in the Hacktool.Eventlog description
• The time zone of the C&C server is set to EST
The nature of the observed victims indicates that it’s likely that Butterfly attackers’ motivation is not for national
security intelligence, but rather for financial purposes. While there is one government victim, this likely appears
to be collateral damage.
As the hack tools include detailed documentation, it’s likely that there is more than one person performing
the attacks, as a single attacker would not need to document their own tools. Based on the few concurrent
infections, Butterfly may be made up of a small number of attackers, perhaps between three and ten people.
It is also easier to maintain good operational security with a small number of people.
The attackers are well resourced, given that they have access to at least one zero-day (the Java exploit), and
possibly more (potential Internet Explorer 10 zero-day exploit). Their access to zero-day exploits implies that
they either have the funding to purchase a zero-day or the technical skills to identify and exploit undiscovered
vulnerabilities.
If the Butterfly group is small, then it would make more sense to utilize people with a general skill set, rather
than individuals who specialize in exploit discovery. This implies that the purchase of zero-day exploits is more
likely. Along with this, if Butterfly is a professional group of hackers who work against deadlines and has internal
goals, that would imply the need to be able to access zero-day exploits on demand. That would mean purchasing
them, rather than waiting for a team member to discover one.
At least some of the Butterfly attackers appear to be native English speakers, based on the help documentation
in the hack tools and the use of memes and colloquialisms. It is possible that these English speakers are based in
the US, judging from the time zone set on the C&C server. However, this seems like a very basic mistake for the
attackers to make, considering how they have demonstrated great attention to detail in most aspects of
their operations.
Some attribution theories that may fit the evidence and conclusions are as follows:
• This is economic espionage by a government agency
• This is an organization made up of hackers-for-hire
• This is an organization with a single customer
A government agency is the least likely of these theories, given the number of victims that span across various
geopolitical boundaries and the lack of targeting of any victims that are related to traditional
intelligence-gathering. It is far more likely that the Butterfly attackers are an organization of individuals working
closely together to either steal intellectual property for another client or for their own financial gain, for example
through the stock market.
16. Page 16
Butterfly: Corporate spies out for financial gain
Conclusion
Butterfly is a skilled, persistent, and effective attack group which has been active since at least March 2012.
They are well resourced, using at least one or possibly two zero-day exploits. Their motivation is very likely
to be financial gain and given that they have been active for at least three years, they must be successful at
monetizing their operation.
Based on our analysis, the Butterfly attackers are likely a small team that steals data either as a service to
another client or to monetize it themselves through insider trading. Symantec believes that some members of
Butterfly are native English speakers, given some of the colloquialisms and Western meme references included
in their infrastructure.
The Butterfly attackers represent a threat to organizations involved in technology, pharmaceutical, law,
investment, energy and natural resources. However, over the past three years, the attackers have demonstrated
that they can change their targets quickly, as they moved to include commodities in their list of targets in 2014.
Clearly, the Butterfly attackers will go where the money is.
Organizations need to be aware of the threat that corporate espionage groups like Butterfly can pose. The attack
group or their potential clients may have strong knowledge on how to leverage the stolen data to unfairly make
gains in the market.
17. Page 17
Butterfly: Corporate spies out for financial gain
Protection
Symantec customers are protected against the Butterfly attacker toolset with the following signatures.
Additionally, YARA signatures and other indicators of compromise (IoCs) are listed in the appendix.
Antivirus
• Backdoor.Jiripbot
• Hacktool.Multipurpose
• Hacktool.Securetunnel
• Hacktool.Eventlog
• Hacktool.Bannerjack
• Hacktool.Proxy.A
IPS
• System Infected: Backdoor.Jiripbot DGA Activity
• System Infected: Backdoor.Jripbot Activity
19. Page 19
Butterfly: Corporate spies out for financial gain
Appendix
Technical description of Backdoor.Jiripbot
There are several
different versions
of Backdoor.
Jiripbot, with the
attackers adding
or removing
functionality over
time. Details of
one version is
presented in this
document, with
the majority of functionality remaining unchanged across different versions.
Functionality
If the samples are executed with no command line argument and expected registry entries are missing,
an infinite loop is entered that calculates SHA-1 hashes on random data. This is likely an attempt to avoid
automation engines.
To perform any activity, the samples need to be executed with a command line argument that begins with ‘http’.
This value is encrypted and stored in the registry; the registry location varies based on the sample. Each sample
first encrypts the URL using RC4 with a hard-coded key. It should be noted that the hard-coded key is stored in
the binary as a wide character string, but is converted to a multibyte character string before the key is used.
This conversion will vary based on the region of the system executing the code.
The malware takes exactly one command line argument, but the single command line argument has a structure
that is manually parsed by the malware. The structure of the command line argument is as follows:
“http://[DOMAIN NAME].com /opts opt=val,opt=val...”
Where “opt” is one of the following:
• vm: Set to a number. “2” will disable vmware checks
• proxy_username: HTTP proxy user name to use
• proxy_password: HTTP proxy password to use
• proxy_host: HTTP proxy host to use
• proxy_port: HTTP proxy port to use
• resolv: Host name to resolve to
• delay: Number of delay loops to execute
• sleeptime: Number of seconds to sleep at certain points in the code
• cnx: Parameter that modifies how C&C server is interacted with
Once the URL from the command line is RC4-encrypted, it is encrypted a second time using the
crypt32!CryptProtectData API, with “OptionalEntropy” set to the ASCII string ‘AYBABTU’ (this is the acronym for
the phrase “All your base are belong to us”). The use of crypt32!CryptProtectData ensures that if the encrypted
data is retrieved from an infected computer, it is very hard to decrypt the data on another computer. The
documentation for crypt32!CryptProtectData states:
“Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data.”
Next the malware examines its execution environment. It first checks to make sure that the file name it is
currently running under is the same as the original name when the executable was created. It also looks for
certain process names of running processes. The process names it searches for are hashed, so we are not clear
what it is looking for.
It checks that the hashed value of the registry subkey HKEY_LOCAL_MACHINEMicrosoftWindowsNT
CurrentVersionProductId is not equal to a number of hashed values. It checks the hashed values of the registry
Table 1. Files analyzed from one variant of Jiripbot
PE timestamp MD5 Size File name Purpose
12/13/2013 08:42 95ffe4ab4b158602917dd2a999a8caf8 302,592 FlashUtil.exe Back door
06/20/2014 07:06 531f2014a2a9ba4ddf3902418be23b52 302,592 LiveUpdater.exe Back door
06/20/2014 07:06 a0132c45e8afe84091b7b5bf75da9037 302,592 LiveUpdater.exe Back door
06/20/2014 07:06 1d5f0018921f29e8ee2e666137b1ffe7 302,592 LiveUpdater.exe Back door
08/20/2013 20:16 a90e836e0a6f5551242a823a6f30c035 361472 bda9.tmp Dropper
20. Page 20
Butterfly: Corporate spies out for financial gain
keys in HKEY_LOCAL_MACHINESOFTWARE against a list of hashes. It also checks the registry subkeysHKEY_
LOCAL_MACHINESYSTEMCurrentControlSetservicesDiskEnum and HKEY_LOCAL_MACHINEHARDWARE
DESCRIPTIONSystemBIOSSystemProductName
‘resolv’ command
When the resolv command line argument is set to a domain name, a domain name system (DNS) resolution
request is made for that domain name with the current computer name and calculated UID value prepended to
it.
For example, we observed the following:
resolv=h30026.drfx.chickenkiller.com
When the sample is run with resolv set to that value, the following DNS query was observed:
thread-2d9f4de5.1401420000c29bfea70f49b94b825e3e7586ce61350.h30026.drfx.
chickenkiller.com
In this query, “thread-2d9f4de5” is the computer name and
“1401420000c29bfea70f49b94b825e3e7586ce61350” is the calculated UID value. It is possible that the
attackers use this method to exfiltrate the UID value, as the value is used in the DGA algorithm.
UID/UPDATE_ID calculation
The UID is a unique ID calculated by the malware, as the following example shows:
1401420000c29bfea70f49b94b825e3e7586ce61350
This ID consists of the following elements:
• 14014: Hard-coded string in the malware. May be a version number
• 2: The operating system version
• 0: 0 indicates x86, 1 indicates x86_64
• 000c29bfea70: This is the last six bytes of the UUID generated by a call to rpcrt4!UuidCreateSequential. This
corresponds to the media access control (MAC) address of the infected computer.
• f49b94b8: This is the first eight bytes of the volume serial number from a call to
kernel32!GetVolumeInfomationW
• 25e3e758: This is a dword hash of the string “[COMPUTER NAME][USER NAME]” using the current values
from the computer name and user name
• 6ce61350: This is a hard-coded dword in the binary
For the operating system (the number at offset 5 in previous UID example), the complete table is:
• 0: Unknown/Error/Windows 8.1/Windows Server 2012 R2
• 1: Windows 2000
• 2: Windows XP
• 3: Windows 2003, Windows XP Pro x64, Windows Home Server, Windows 2003 R2
• 4: Windows Vista
• 5: Windows Server 2008
• 6: Windows 7
• 7: Windows Server 2008 R2, Windows Server 2012
• 8: Windows 8
Installation
The following registry subkeys may be used by Butterfly to maintain persistence:
• HKEY_CURRENT_USERSoftwareAdobePreferences
• HKEY_CURRENT_USERSoftwareAdobeOptions
• HKEY_CURRENT_USERSoftwareAdobeUID
21. Page 21
Butterfly: Corporate spies out for financial gain
• HKEY_CURRENT_USERSoftwareAcerUPDATE_ID
• HKEY_CURRENT_USERSoftwareAcerPreferences
• HKEY_CURRENT_USERSoftwareAcerOptions
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunAcer LiveUpdater (likely named
Liveupdater.exe)
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunAdobe Flash Plugin Updater
(FlashUtil.exe)
The registry data stored in the “Preferences” and “Options” subkeys are REG_BINARY keys and the data within is
encrypted using RC4 and crypt32!CryptProtectData, as described previously. The registry data stored in the UID
is not encrypted; it is stored in plain text.
The value of “Preferences” is the encrypted version of the first command line argument used to first start the
malware. For example, if the malware is launched as:
FlashUtil.exe “http://[DOMAIN NAME].com /opts vm=2”
The value of “Preferences” will be:
“http://[DOMAIN NAME].com /opts vm=2.”
The value of “Options” is the URL from the command line argument, so for the previous example, the value
would be:
“http://[DOMAIN NAME].com”
Networking
DGA Algorithm
The DGA computes a URL similar to the following:
• http://jdk.MD5([MM].[YYYY].[UID AS WIDE-CHARACTER STRING]).org
[MM] is the current month and [YYYY] is the current year. Note that the value of [UID AS WIDE-CHARACTER
STRING] is the value of the UID registry entry, but as a wide characters, so “07.2014.140...” would be “0x007
x00.x002x000x001x004x00.x001x004x000x00...” for the purposes of the MD5 calculation.
For example, on July 22, 2014 on a system with the UID set to
“1401420000c29bfea70f49b94b825e3e7586ce61350”, the DGA URL would be:
• http://jdk.MD5(’07.2014.1401420000c29bfea70f49b94b825e3e7586ce61350’).org
Finally:
• http://jdk.20e8ad99287f7fc244651237cbe8292a.org
Note that some samples use HTTPS instead of HTTP.
C&C commands
The following commands implement back door functionality.
• cd: Changes current working directory
• exec: Executes a file using cmd.exe
• install: Sets the registry subkey for persistence. The registry subkey is only set if this command is sent
• quit: Ends the back door session
• sleeptime: Sets the sleep time between C&C queries
• shred: Overwrites file multiple times to perform a forensic-safe delete. Only found in samples with a PE
timestamp in 2014
• sysinfo: Gathers and reports system information
• uninstall: Uninstalls itself
22. Page 22
Butterfly: Corporate spies out for financial gain
• update: Updates itself
• url: Updates C&C URL in registry (although this feature appears to be disabled)
• wget: Downloads file to infected computer
Decryption keys
The following MD5s used the corresponding keys for decryption:
• 95ffe4ab4b158602917dd2a999a8caf8: 0xb4
• 531f2014a2a9ba4ddf3902418be23b52: 0xa9
• a0132c45e8afe84091b7b5bf75da9037: 0xa9
• 1d5f0018921f29e8ee2e666137b1ffe7: 0xa9
There is a string in all of the binaries equal to “la revedere”, which is “goodbye” in Romanian.
Hacktool help descriptions
Hacktool.BannerJack
The following information details the help output of Hacktool.BannerJack:
Usage: ./banner-jack [options]
-f: file.csv
-s: ip start
-e: ip end
-p: port
-t: thread numbers (optional, default 4)
-v: verbose (optional)
-d: daemonize (optional - not supported on win32)
-T: timeout connect (optional, default %d secs)
-R: timeout read (optional, default %d secs)
Hacktool.MultiPurpose
The following information is the help output of Hacktool.MultiPurpose:
Version: 1.5
General options
---------------
--install: install server on local host and load it
--host <host>: hostname or IP (local host if not set)
--password <password>: server password connection (mandatory)
--forceload: load server on local host without test
Server options
--------------
--cmd: server command:
dump: dump stuffz
--sam: fetch LM/NTLM hashes
--machines: fetch machines hashes
--history: fetch history for LM/NTLM hashes
--sh: fetch logon sessions hashes
--sp: fetch security packages cleartext passwords
--accounts: <account list>: with --sam, specify accounts to dump
(comma separated)
--lsa: fetch LSA secrets
23. Page 23
Butterfly: Corporate spies out for financial gain
--vnc: fetch VNC server password
pth <PID:USER:DOMAIN:NTLM>: change credentials of PID
startlog: start recording of loggon sessions
stoplog: stop recording of loggon sessions
getlog: retrieve stored loggon sessions
callback <IP:port>: create a callback to IP:host
ping: ping server
shred <file>: shred a file
remove: cancel null session, clean logs, wipe library
quit: unload library
reboot: reboot windows
info: show info (version, library path, etc.)
listevt: list events logs
showevt <file>[:num]: show <num> last entries in <file> events log
(default num: 15)
last [num]: show last <num> login/logoff (default num: all)
cleanlast-user <user>: remove user from security logs
cleanlast-desc <word>: remove word from security logs (in description)
cleanlast-quit <1|0>: enable/disable cleaning ANONYMOUS LOGON entries
before quit
Output options
--------------
--file <filename>: output filename to dump information in
--compress: compress data (only used when file is set)
--encrypt <key>: encrypt data (only used when file is set)
Misc options
------------
--print <key>: print a compress and/or encrypted specified file
--test445: test if port 445 is available on specified host
--establishnullsession, --ens: establish a null session on specified host
--cancelnullsession, --cns: cancel an established null session with a
specified host
Hacktool.Proxy.A
The following information details the help output of Hacktool.Proxy.A:
-z ip/host : destination ip or host
-P port : destination port
-x ip/host : proxy ip or host
-Y port : proxy port
-C cmdline : commandline to exec
-u user : proxy username
-p pass : proxy password
-n : NTLM auth
-v : displays program version
-m : bypass mutex check
--pleh : displays help
24. Page 24
Butterfly: Corporate spies out for financial gain
Hacktool.Eventlog
The following information details the help output of Hacktool.Eventlog:
-z Zap (kill) all processes with specified name
-y Dump logon/logoff events from Security channel (-t and -n optionals)
-X Secure self delete our program
-x Secure delete a file
-w Show all logs from a .evtx file (requires -f)
-v Enable verbose mode
-t Delta time (in hours
-s Dump logon/logoff events from System channel (-t and -n optionals)
-r RecordIds list, comma separated without spaces (“1234,5678”)
-q Query Mode
-p Filter with provider
-n Number of events to show (default 16, 0=all)
-ll List all channels
-l List used channels
-K Match a keyword in XML data (case insensitive) from all channels
-k Match a keyword in XML data (case insensitive) from a specific channel
-h Help
-f Specify a .evtx file (system.evtx)
-F Flush all logs to disk
-e EventIds list, comma separated without spaces (“1234,5678”)
-Dr Dump all logs from a channel or .evtx file (raw parser) (-c or -f)
-D Dump all logs from a channel .evtx file (requires -c or -f)
-d Delete mode (requires -e or -r)
-c Specify a channel (‘Security’, ‘System’, ‘Application’, ...)
YARA signatures
The following details are the YARA signatures related to this analysis:
rule Bannerjack
{
meta:
author = “Symantec Security Response”
date = “2015-07-01”
description = “Butterfly BannerJack hacktool”
strings:
$str _ 1 = “Usage: ./banner-jack [options]”
$str _ 2 = “-f: file.csv”
$str _ 3 = “-s: ip start”
$str _ 4 = “-R: timeout read (optional, default %d secs)”
condition:
all of them
}
rule Eventlog
{
meta:
author = “Symantec Security Response”
date = “2015-07-01”
description = “Butterfly Eventlog hacktool”
strings:
$str _ 1 = “wevtsvc.dll”
$str _ 2 = “Stealing %S.evtx handle ...”
$str _ 3 = “ElfChnk”
25. Page 25
Butterfly: Corporate spies out for financial gain
$str _ 4 = “-Dr Dump all logs from a channel or .evtx file (raw”
condition:
all of them
}
rule Hacktool
{
meta:
author = “Symantec Security Response”
date = “2015-07-01”
description = “Butterfly hacktool”
strings:
$str _ 1 = “.pipewinsession” wide
$str _ 2 = “WsiSvc” wide
$str _ 3 = “ConnectNamedPipe”
$str _ 4 = “CreateNamedPipeW”
$str _ 5 = “CreateProcessAsUserW”
condition:
all of them
}
rule Multipurpose
{
meta:
author = “Symantec Security Response”
date = “2015-07-01”
description = “Butterfly Multipurpose hacktool”
strings:
$str _ 1 = “dump %d|%d|%d|%d|%d|%d|%s|%d”
$str _ 2 = “kerberos%d.dll”
$str _ 3 = “.pipelsassp”
$str _ 4 = “pth <PID:USER:DOMAIN:NTLM>: change”
condition:
all of them
}
rule Securetunnel
{
meta:
author = “Symantec Security Response”
date = “2015-07-01”
description = “Butterfly Securetunnel hacktool”
strings:
$str _ 1 = “KRB5CCNAME”
$str _ 2 = “SSH _ AUTH _ SOCK”
$str _ 3 = “f:l:u:cehR”
$str _ 4 = “.o+=*BOX@%&#/^SE”
condition:
all of them
}
rule Proxy
28. Page 28
Butterfly: Corporate spies out for financial gain
File hashes
Many of the hashes listed in Table 2 are for clean files which are used by the Butterfly attackers. Do not use any
marked with “N/A” or “Clean” files in any automated detection system. They are provided merely as potential
indicators of compromise, not as definitively malicious files.
Any files that are marked as “N/A” were not retrievable by Symantec, but are believed to be used by the
attackers.
Table 2. File hashes of tools used by the Butterfly attackers, including filenames. (List includes clean files)
SHA-256 File name Description
2a8cb295f85f8d1d5aae7744899875ebb4e6c3ef74fbc5bfad6e7723c192c5cf winsession.dll Hacktool
da41d27070488316cbf9776e9468fae34f2e14651280e3ec1fb8524fda0873de bj.dat Hacktool.Bannerjack
796b1523573c889833f154aeb59532d2a9784e4747b25681a97ec00b9bb4fb19 bj.dat Hacktool.Bannerjack
c54f31f190b06649dff91f6b915273b88ee27a2f8e766d54ee4213671fc09f90 pc.dat Hacktool.Multipurpose
54a8afb10a0569785d4a530ff25b07320881c139e813e58cb5a621da85f8a9f5 pc.dat Hacktool.Multipurpose
2bd5f7e0382956a7c135cdeb96edfdbccfcfc1955d26e317e2328ea83ace7cee pc.dat Hacktool.Multipurpose
c83bb0330d69f6ad4c79d4a0ce1891e6f34091aecfeaf72cf80b2532268a0abc pc.dat Hacktool.Multipurpose
178b25ddca2bd5ea1b8c3432291d4d0b5b725e16961f5e4596fb9267a700fa2f PC.DAT Hacktool.Multipurpose
9bff19ca48b43b148ff95e054efc39882d868527cdd4f036389a6f11750adddc PC.DAT Hacktool.Multipurpose
e8591c1caa53dee10e1ef748386516c16ab2ae37d9555308284690ea38ddf0c5 clapi32.dll Clean Cygwin DLL
d15b8071994bad01226a06f2802cbfe86a5483803244de4e99b91f130535d972 Bda9.tmp. Backdoor.Jiripbot
0ac7b594aaae21b61af2f3aabdc5eda9b6811eca52dcbf4691c4ec6dfd2d5cd8 wlc.dat Hacktool.EventLog
b81484220a46c853dc996c19db9416493662d943b638915ed2b3a4a0471cc8d8 wlc.dat Hacktool.EventLog
49e4198c94b80483302e11c2e7d83e0ac2379f081ee3a3aa32d96d690729f2d6 wlc.dat Hacktool.EventLog
fcaab8f77e4c9ba922d825b837acfffc9f231c3abb21015369431afae679d644 wlc.dat Hacktool.EventLog
534004a473761e60d0db8afbc99390b19c32e7c5af3445ecd63f43ba6187ded4 a.exe Backdoor.Jiripbot
534004a473761e60d0db8afbc99390b19c32e7c5af3445ecd63f43ba6187ded4 FLASHUTIL.EXE Backdoor.Jiripbot
758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92 N/A Backdoor.Jiripbot
683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9 N/A Backdoor.Jiripbot
8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a N/A Backdoor.Jiripbot
14bfc2bf8a80a19ff2c1480f513c96b8e8adc89a8d75d7c0064f810f1a7a2e61 LiveUpdater.exe Backdoor.Jiripbot
c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0 LiveUpdater.exe Backdoor.Jiripbot
ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5 LiveUpdater.exe Backdoor.Jiripbot
2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94 LiveUpdater.exe Backdoor.Jiripbot
6fb43afb191b09c7b62da7a5ddafdc1a9a4c46058fd376c045d69dd0a2ea71a6 LiveUpdater.exe Backdoor.Jiripbot
48c0bd55e1cf3f75e911ef66a9ccb9436c1571c982c5281d2d8bf00a99f0ee1a N/A Backdoor.Jiripbot
781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e FlashUtil.exe Backdoor.Jiripbot
1a9f679016e38d399ff33efcfe7dc6560ec658d964297dbe377ff7c68e0dfbaf LiveUpdater.exe Backdoor.Jiripbot
b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45 RtlUpd.exe Backdoor.Jiripbot
cafc745e41dbb1e985ac3b8d1ebbdbafc2fcff4ab09ae4c9ab4a22bebcc74e39 clapi32.dll Clean Cygwin DLL
25fe7dd1e2b19514346cb2b8b5e91ae110c6adb9df5a440b8e7bbc5e8bc74227 rtlupd.exe Backdoor.Jiripbot
8db5c2b645eee393d0f676fe457cd2cd3e4b144bbe86a61e4f4fd48d9de4aeae IASTOR32.EXE Hacktool.Securetunnel
9fab34fa2d31a56609b56874e1265969dbfa6c17d967cca5ecce0e0760670a60 iastor32.exe Hacktool.Securetunnel
bc177e879fd941911eb2ea404febffa2042310c632d9922205949155e9b35cb6 iastor32.exe Hacktool.Securetunnel
2d3ea11c5aea7e8a60cd4f530c1e234a2aa2df900d90122dd2fcf1fa9f47b935 IASTOR32.EXE Hacktool.Securetunnel
81955e36dd46f3b05a1d7e47ffd53b7d1455406d952c890b5210a698dd97e938 iastor32.dat Hacktool.Securetunnel
30. Page 30
Butterfly: Corporate spies out for financial gain
C&C server details
The following IP addresses were used for C&C traffic using SSH over port 443:
• 46.183.217.132
• 46.165.237.75
• 217.23.3.112
• 178.162.197.9
The following C&C servers were used by Backdoor.Jiripbot and OSX.Pintsized:
• ddosprotected.eu
• drfx.chickenkiller.com
The following C&C domains were used by Butterfly-related back doors. They were also used to host exploits over
HTTP:
• digitalinsight-ltd.com
• clust12-akmai.net
• jdk-update.com
• corp-aapl.com
• cloudprotect.eu
The following shows the format of Backdoor.Jiripbot’s DGA domains:
• jdk.[a-f0-9]{32}.org e.g. jdk.20e8ad99287f7fc244651237cbe8292a.org
9d077a37b94bf69b94426041e5d5bf1fe56c482ca358191ca911ae041305f3ed N/A Back door
29906c51217d15b9bbbcc8130f64dabdb69bd32baa7999500c7a230c218e8b0a N/A Back door
3cfdd3cd1089c4152c0d4c7955210d489565f28fb0af9861b195db34e7ad2502 N/A Back door
4327ce696b5bce9e9b2a691b4e915796218c00998363c7602d8461dd0c1c8fbb N/A Back door
5ab4c378fd8b3254808d66c22bbaacc035874f1c9b4cee511b96458fedff64ed N/A Back door
fba34e970c6d22fe46b22d4b35f430c78f43a0f4debde3f7cbcddca9e4bb8bbb N/A N/A
11b42a5b944d968cbfdaac5075d195cc4c7e97ba4ff827b75a03c44a3b4c179a N/A N/A
6e62ee740e859842595281513dd7875d802a6d88bcbb7e21c1c5b173a9e2e196 N/A N/A