Using remote access tools Quasar, Sobaken and Vermin, cybercriminals have been systematically spying on Ukrainian government institutions and exfiltrating data from their systems.
The threat actors, first mentioned in a report from January 2018 and tracked by ESET since mid-2017, continue to develop new versions of their stealthy malware.
In this white paper, we take a closer look at this ongoing campaign. We provide further details on the malware used to compromise victims’ systems and on the payloads installed on compromised systems, and describe the various methods the attackers use to distribute and target their malware while avoiding detection.
Black_Hat_Python_Python_Programming_for_Hackers_and_Pentesters.pdf | Boucif David
The document discusses Python's suitability for hacking and penetration testing tasks. It introduces the Black Hat Python book, which explores Python's capabilities for security analysis such as network sniffing, packet manipulation, infecting virtual machines, creating trojans, and more. The book teaches how to perform various offensive security techniques and how to create your own exploits. When it comes to offensive security, being able to quickly create powerful tools is indispensable, and the book aims to teach how to do this in Python.
Reference Manual for the "SysSorting Professional" application. Throughout this manual we have access to portions of the application source code and the core libraries developed specifically for evaluating sorting strategies, taking into account the nature of the pseudo-random number generators used in the experiments.
The document analyzes a cyber espionage case targeting RUAG, providing technical details of the attack and recommendations. The attackers used malware from the multi-year Turla/Epic family to infiltrate RUAG's network since 2014. They moved laterally, targeting the active directory and specific devices, exfiltrating data during periods of high activity separated by quiet phases. The report provides indicators of compromise and recommendations to detect and prevent similar advanced persistent threat attacks.
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c... | UltraUploader
The document discusses blended threats that combine exploits and vulnerabilities with computer viruses. It begins with definitions of blended attacks and buffer overflows. It then describes three generations of buffer overflow techniques as well as other vulnerabilities exploited by blended threats, such as URL encoding and MIME header parsing. The document also discusses past threats like the Morris worm and CodeRed that blended exploits with viruses, and techniques used to combat future blended threats through defense in depth.
Nominum 2017 Spring Data Revelations Security Report | Yuriy Yuzifovich
This document provides an executive summary and introduction to Nominum Data Science's Spring 2017 Security Report. It discusses how cybercrime dominated headlines in 2016 and continues to increase in 2017. It introduces the Nominum Cyberattack Ladder framework, which analyzes cyberattacks from the perspective of a criminal breaking attacks into preparation, intrusion, and attack stages. The report will examine trends in malware, phishing, botnets, ransomware and IoT threats over the past six months based on Nominum's analysis of over 100 billion daily DNS queries from around the world.
@author Jane Programmer @cwid 123 45 678 @class.docx | ShiraPrater50
/**
* @author Jane Programmer
* @cwid 123 45 678
* @class COSC 2336, Spring 2019
* @ide Visual Studio Community 2017
* @date April 8, 2019
* @assg Assignment 12
*
* @description Assignment 12 Binary Search Trees
*/
#include <cassert>
#include <iostream>
#include "BinaryTree.hpp"
using namespace std;
/** main
* The main entry point for this program. Execution of this program
* will begin with this main function.
*
* @param argc The command line argument count which is the number of
* command line arguments provided by user when they started
* the program.
* @param argv The command line arguments, an array of character
* arrays.
*
* @returns An int value indicating program exit status. Usually 0
* is returned to indicate normal exit and a non-zero value
* is returned to indicate an error condition.
*/
int main(int argc, char** argv)
{
// -----------------------------------------------------------------------
cout << "--------------- testing BinaryTree construction ----------------" << endl;
BinaryTree t;
cout << "<constructor> Size of new empty tree: " << t.size() << endl;
cout << t << endl;
assert(t.size() == 0);
cout << endl;
// -----------------------------------------------------------------------
cout << "--------------- testing BinaryTree insertion -------------------" << endl;
t.insert(10);
cout << "<insert> Inserted into empty tree, size: " << t.size() << endl;
cout << t << endl;
assert(t.size() == 1);
t.insert(3);
t.insert(7);
t.insert(12);
t.insert(15);
t.insert(2);
cout << "<insert> inserted 5 more items, size: " << t.size() << endl;
cout << t << endl;
assert(t.size() == 6);
cout << endl;
// -----------------------------------------------------------------------
cout << "--------------- testing BinaryTree height -------------------" << endl;
//cout << "<height> Current tree height: " << t.height() << endl;
//assert(t.height() == 3);
// increase height by 2
//t.insert(4);
//t.insert(5);
//cout << "<height> after inserting nodes, height: " << t.height()
// << " size: " << t.size() << endl;
//cout << t << endl;
//assert(t.height() == 5);
//assert(t.size() == 8);
cout << endl;
// -----------------------------------------------------------------------
cout << "--------------- testing BinaryTree clear -------------------" << endl;
//t.clear();
//cout << "<clear> after clearing tree, height: " << t.height()
// << " size: " << t.size() << endl;
//cout << t << endl;
//assert(t.size() == 0);
//assert(t.height() == 0);
cout << endl;
// return 0 to indicate successful completion
return 0;
}
Cyber Attacks
“Dr. Amoroso’s fifth book Cyber Attacks: Protecting National Infrastructure outlines the challenges of protecting our nation’s infrastructure from cyber attack using security techniques established to protect much smalle ...
This document is an outline for an online book about computer, network, technical, physical, information and cryptographic security. It covers a wide range of security topics across 15 chapters, including security concepts, physical security, hardware security, distributed systems, identification and authentication, authorization and access control, secure system administration, logging, and abuse detection. The author intends it to be a comprehensive but incomplete reference work on security.
@author Jane Programmer @cwid 123 45 678 @class | troutmanboris
This document provides the code and comments for a C++ program that tests the construction and functionality of a binary search tree data structure. The main() function contains code to test constructing an empty tree, inserting nodes, checking the size and printing the tree, and clearing the tree. Comments provide descriptions of the program and the parameters and return value for main(). The code tests functions for inserting nodes, getting the size, printing the tree, and clearing it. Assertions confirm the expected behavior.
This document provides information about security features in IBM z/VSE, including the Basic Security Manager (BSM). It discusses how BSM uses System Authorization Facility to control access to resources through security files. It also covers LDAP sign-on support, which allows users to sign on with their LDAP credentials instead of a z/VSE user ID. The document provides guidance on installing, customizing, administering and backing up BSM, as well as configuring and activating LDAP sign-on support on z/VSE.
This document contains legal notices and disclaimers from AccessData Corp. regarding their software products. AccessData makes no warranties and disclaims any liability. They reserve the right to change their software and documentation without notice. Export of the software is subject to applicable laws and regulations. Copyright is claimed for the publication and no part may be reproduced without permission. The document provides version information and contact details for AccessData Corp.
Comparative Analysis of Personal Firewalls | Andrej Šimko
This thesis describes the analysis of 18 personal firewalls. It discovers the differences in their behaviour while they are under various techniques of port scanning and Denial of Service (DoS) attacks. For port scanning, the detection ability, time consumption, leaked port states and obfuscation techniques are analysed. Using different DoS attacks, performance measurements of the CPU and network adapter are taken. The potential of firewall fingerprinting based on the different behaviour across multiple products is also addressed.
The document is an overview of the most used and effective anti-spam techniques based on adding suitable fields to the header of an email message. It describes the most widely used standards for preventing and recognising spam messages, such as DKIM, SPF and DMARC, and also some non-standard implementations deployed by relevant players (e.g., Google, Yahoo, Microsoft...).
VeraCode State of software security report volume5 2013 | Cristiano Caetano
The document is the State of Software Security Report Volume 5 from Veracode. It analyzes data on 22,430 application builds assessed over an 18 month period to examine trends in application security quality, remediation, and policy compliance. A key finding is that 70% of applications failed to comply with security policies on first submission, representing a significant increase from the previous report. Additionally, the prevalence of SQL injection vulnerabilities has plateaued at around 32% over the last 6 quarters. The report provides predictions for how these trends could continue and recommendations for improving application security.
This document is a final year project report submitted by Ciaran McDonald to the Department of Computer Science at University College Cork in April 2016. The project involved developing a testbed and tools to help OpenStack administrators identify anomalies in network access control policies, including security group policies and perimeter firewall policies. The report provides background on firewalls, OpenStack, and related technologies. It then describes building a testbed with DevStack and analyzing anomalies within and between OpenStack security groups and perimeter firewall policies.
This document discusses automatic Android malware analysis. It begins with introductions to Android application fundamentals like application components and intents. It then discusses the APK file format and Dex file format. It covers static analysis using the Androguard tool to extract information from APKs. It also covers dynamic analysis using the CuckooDroid tool and discusses fixes needed for it to work with newer Android versions. It explores techniques for emulator evasion/detection and discusses using Frida for instrumentation. The conclusion discusses areas for future work like integrating Frida with CuckooDroid and improving emulator performance and Android support.
Machine Learning for Application-Layer Intrusion Detection | butest
This document is Konrad Rieck's dissertation on using machine learning techniques for application-layer intrusion detection. The dissertation proposes extracting numerical, sequential, and syntactical features from network payloads to represent them as vectors. It applies kernel functions to these features to enable efficient learning in high-dimensional spaces. Learning methods are developed for geometric anomaly detection using kernels to model normal behavior with hyperspheres and neighborhoods. An implementation of these techniques called Spheric detects over 90% of unknown attacks in evaluation with less than 1% false positives, outperforming misuse detection and other anomaly detection baselines.
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F... | Mostafa El-Beheiry
This document is a bachelor's thesis submitted by Mostafa Ahmed Mostafa El Beheiry to the German University in Cairo that examines challenges in VoIP (Voice over IP) systems. The thesis identifies four main categories of challenges - security, quality, dependency, and emergency services. It discusses specific issues within each category such as packet sniffing, bandwidth, power outages, and inability to call emergency services. It also includes a simulation of a SPIT (Spam over IP telephony) attack on a VoIP client/server setup. The thesis aims to comprehensively document challenges in VoIP systems and propose possible solutions to advance the field.
This document is a 55-page master's thesis submitted by Edward M. Poot in July 2016. The thesis proposes developing a proof-of-concept tool to automatically assess a software system's exposure to known security vulnerabilities in its third-party dependencies. It involves determining which vulnerable methods from dependencies are actually invoked by the system by analyzing dependency information, vulnerability data from CVE databases, and generating a call graph of the system. The thesis describes designing and implementing such a tool, then evaluating it on sample projects and with security consultants. It aims to validate the usefulness of this approach for assessing vulnerability exposure in dependencies.
This thesis examines the wireless security of mobile applications, with a focus on banking apps, on the Android platform. The author conducted a static code analysis of apps on the Google Play Store and found widespread security flaws in how apps validate SSL certificates for secure connections. To address false positives from the static analysis, the author developed a method using dynamic code analysis and manual log file analysis to identify the critical code sections for certificate validation. The goal is to evaluate security and reduce false positives from the static analysis tool.
This document specifies the Linked Media Layer architecture and describes its key components. The architecture includes a repository layer for media storage and metadata, an integration layer, and a service layer. It also describes modules for unstructured search using Apache Nutch/Solr, media collection from social networks, searching media resources with latent semantic indexing, and participation in the MediaEval 2013 benchmarking initiative for video search and hyperlinking tasks.
This document is an introduction to cybersecurity titled "Information Security Handbook for Network Beginners" published by Japan's National Center of Incident Readiness and Strategy for Cybersecurity (NISC). It aims to help beginners understand cyber attacks and provide basic steps to strengthen security. The handbook covers topics like common types of attacks, attackers and malware, examples of attacks, and social engineering. It also provides guidance on maintaining security through keeping systems updated, using strong passwords, making intrusions difficult and time-consuming, and protecting against social engineering. The handbook is meant to simplify complex topics for easier understanding while encouraging further reading on cybersecurity.
Kali Linux Revealed - Mastering the Penetration Testing (Raphaël Hertzog, Jim... | SomiMukerjee
This document provides an overview and introduction to the Kali Linux operating system. It discusses Kali Linux's history and relationship to Debian Linux. The document outlines Kali Linux's main features such as being a live system, using a customized Linux kernel, and its focus on penetration testing tools. It also covers Kali Linux's policies around disabling network services by default and curating included applications. The table of contents previews that the document will cover topics like getting started with Kali Linux, Linux fundamentals, and installing Kali Linux.
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp... | ESET Middle East
The document examines major software vulnerabilities and exploits from 2017-2018, including EternalBlue, WannaCryptor, CoinMiner, Diskcoder (aka Petya), and Meltdown/Spectre. It discusses how the number of reported vulnerabilities reached a historic peak in 2017, with the number of high severity vulnerabilities increasing by 68% from 2016. Exploits like EternalBlue were utilized by ransomware like WannaCryptor to devastating effect by taking advantage of vulnerabilities in older, unpatched systems. The risk posed by vulnerabilities underscores the need for multilayered endpoint security through timely patching and protection layers.
Similar to Quasar, Sobaken, and Vermin: A deeper look into an ongoing espionage campaign
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
The document examines major software vulnerabilities and exploits from 2017-2018, including EternalBlue, WannaCryptor, CoinMiner, Diskcoder (aka Petya), and Meltdown/Spectre. It discusses how the number of reported vulnerabilities reached a historic peak in 2017, with the number of high severity vulnerabilities increasing by 68% from 2016. Exploits like EternalBlue were utilized by ransomware like WannaCryptor to devastating effect by taking advantage of vulnerabilities in older, unpatched systems. The risk posed by vulnerabilities underscores the need for multilayered endpoint security through timely patching and protection layers.
ESET Technology: The multi-layered approach and its effectivenessESET Middle East
ESET uses a multi-layered approach to security that provides protection at various stages of a threat's lifecycle. Some key layers include UEFI Scanner which protects the pre-boot environment, DNA Detections which identify malware based on behavioral genes, machine learning algorithms which help detect both known and unknown malware, ESET LiveGrid which shares threat data in real-time with other users, and a multi-layered approach combining multiple detection techniques to stop threats throughout their lifecycle. This multi-layered approach is necessary to effectively protect against modern threats that constantly evolve and employ evasion techniques against single-layer defenses.
ESET’s guide to deobfuscating and devirtualizing FinFisherESET Middle East
To help malware analysts and security researchers overcome FinFisher’s advanced anti-disassembly obfuscation and virtualization features, ESET researchers have framed some clever tricks into a whitepaper.
Cybersecurity Trends 2018: The costs of connectionESET Middle East
To help the reader navigate through the maze of current threats, ESET’s thought leaders have zeroed in on several areas that top the priority list in our exercise in looking forward.
The Internet of Things (IoT) can be a network of connected convenience but this should not come at the expense of safeguarding your privacy and the personal data that connected devices collect and share.
Our deep dive into OceanLotus’s latest marauding campaigns shows that the group isn’t letting up in its efforts and combines legitimate code and publicly available tools with its own harmful creations.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Most important New features of Oracle 23c for DBAs and Developers. You can get more idea from my youtube channel video from https://youtu.be/XvL5WtaC20A
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
Using Query Store in Azure PostgreSQL to Understand Query PerformanceGrant Fritchey
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long runnings systems adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
4. Quasar, Sobaken and Vermin: A deeper look into an ongoing espionage campaign3
TIMELINE
Another way to look at telemetry data is in the form of a timeline, as in Figure 2.
DISTRIBUTION METHODS
According to our telemetry, the attackers have been using email as the primary distribution channel for all three strains of malware. They have been quite successful in using social engineering to lure victims into downloading and executing the malware.
In most cases, filenames are in Ukrainian and refer to specific topics likely to be relevant to victims’ occupations.
Figure 2 // Timeline of these ongoing campaigns.
Examples of such filenames:
• “ІНСТРУКЦІЯ з організації забезпечення військовослужбовців Збройних Сил України та членів їх сімей” (roughly translates to “Directive on providing security for military personnel of the Ukrainian Army and their family members”)
• “новий проекту наказу, призначення перевірки вилучення” (translates to “A new draft of directive regarding verification of seizure”)
• “Відділення забезпечення Дон ОВК. Збільшення ліміту” (translates to “Purchasing department Don OVK. Increase of credit limit”)
Along with the basic social engineering technique of making email attachments attractive to their intended victims, three specific technical methods have been observed in use by these attackers. These presumably further improve the effectiveness of these campaigns.
Method #1: Email attachments using a Unicode right-to-left override in their filenames to obscure their real extension. These are actually executable files using Word, Excel, PowerPoint or Acrobat Reader icons to appear more trustworthy.
Example file name: As seen in Figure 3, “Перевезення твердого палива (дров) для забезпечення опалювання_<<RLO>>xcod.scr” (translates to “Transport of firewood in order to provide heating”) will be seen with what the unwary may take to be a .DOCX extension.
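A defender-side check for the trick in Method #1, added here as an example and not taken from the ESET paper: it looks for Unicode bidirectional override characters in an attachment name and compares the extension a user would see with the one Windows actually uses. The sample file name is the one from Figure 3 with the <<RLO>> placeholder replaced by the real U+202E character; the extension sets are my own choice.

```python
"""Added example (not code from the ESET paper): flag attachment file names that use
Unicode bidirectional overrides, such as U+202E RIGHT-TO-LEFT OVERRIDE, so that an
executable extension is displayed as if it were a document extension."""
import os
from typing import Dict, List

# Unicode bidi formatting characters; none of them belongs in a legitimate file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows runs directly when the attachment is double-clicked (own selection).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".msi", ".cpl"}


def displayed_name(name: str) -> str:
    """Approximate how a bidi-aware renderer shows the name: the run after each RLO
    (up to a POP DIRECTIONAL FORMATTING or the end of the string) is reversed and the
    control characters themselves are invisible. Nested overrides are not modelled."""
    out: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def analyze_attachment_name(name: str) -> Dict[str, object]:
    """Return the real extension, the extension a user would see, the bidi controls
    found, and a verdict: 'block' (a control character hides an executable extension),
    'suspicious' (a control character is present) or 'ok'."""
    controls = [f"U+{ord(c):04X} ({BIDI_CONTROLS[c]})" for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()   # what the OS actually executes
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()  # what the user believes they open
    if controls and real_ext in EXECUTABLE_EXTENSIONS:
        verdict = "block"
    elif controls:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {
        "real_extension": real_ext,
        "displayed_name": shown,
        "displayed_extension": shown_ext,
        "controls": controls,
        "verdict": verdict,
    }


# The file name from Figure 3, with <<RLO>> replaced by the actual U+202E character.
SAMPLE_NAME = "Перевезення твердого палива (дров) для забезпечення опалювання_\u202excod.scr"

if __name__ == "__main__":
    for n in (SAMPLE_NAME, "Звіт_2017.docx"):
        r = analyze_attachment_name(n)
        print(f"{r['verdict']:<10} real={r['real_extension']} "
              f"shown={r['displayed_extension']} controls={r['controls']}")
```

The same check belongs in a mail gateway or EDR rule: any U+202A to U+202E or U+2066 to U+2069 in an attachment name is reason enough to quarantine, whatever the extension.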
Method #2: Email attachments disguised as RAR self-extracting archives.
Example: Email with the attachment “Наказ_МОУ_Додатки_до_Iнструкцii_440_ост.rar” (translation: “Order of Ministry of Defense, Appendixes to Instruction No. 440”), as seen in Figure 4. Inside the RAR archive, there is an executable file named “Наказ_МОУ_Додатки_до_Iнструкцii_440_ост.exe” that uses a RAR SFX icon. Victims would presumably run this file, thinking that the further contents of a self-extracting archive would be extracted, but will inadvertently launch the malicious executable instead.
Method #3: Word document plus CVE-2017-0199 exploit. This vulnerability is triggered when the victim opens a specially crafted Word document. The Word process issues an HTTP request for an HTA file, located on a remote server, that contains a malicious script. The malicious script is then executed by mshta.exe. The first public information about this vulnerability appeared in April 2017 and Microsoft fixed it by issuing security updates for all versions of Windows and Office.
According to ESET’s telemetry, these threat actors started using this method in May 2017. The attackers used hxxp://chip-tuning.lg[.]ua/ to deliver the HTA files and the final payload.
Figure 3 // Executable file disguised as a Word document.
INSTALLATION AND PERSISTENCE
The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft). Then, as seen in Figure 5, it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.
Some versions also employ a trick of abusing the Windows Control Panel shortcut functionality to make their folders inaccessible from Windows Explorer. Such a folder will not open when clicked in Windows Explorer; instead it leads to the All Tasks page in the Windows Control Panel.
Figure 4 // File disguised as a RAR self-extracting archive. Version information and copyright year reliably tell us that it’s a fake.
Figure 5 // Task scheduled to run the dropped malicious payload every 10 minutes.
Examples:
C:\Users\Admin\AppData\Roaming\Microsoft\Proof\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\TransactionBroker32.exe
C:\Users\Admin\AppData\Roaming\Adobe\SLStore\Setting.{ED7BA470-8E54-465E-825C-99712043E01C}\AdobeSLService.exe
VICTIM TARGETING
The attackers have been using quite a few tricks to ensure that the malware runs on targeted machines only, with special focus on avoiding automated analysis systems and sandboxes.
Method #1: Windows keyboard layout check.
The malware checks whether a Russian or Ukrainian keyboard layout is installed. If not, it terminates immediately.
Method #2: IP address check.
The malware obtains its host computer’s IP address via a request to the legitimate service ipinfo.io/json. The malware terminates if the IP address is not located in Ukraine or Russia, or if the IP address is registered to one of several selected antimalware vendors or cloud providers. Code related to these checks is seen in the disassemblies in Figures 6 and 7.
Figure 6 // Code checking geolocation of host IP address.
Method #3: Emulated network environment check.
Automated analysis systems often use tools like Fakenet-NG, where all DNS/HTTP communication succeeds and returns some result. Malware authors try to identify such systems by generating a random website name/URL and testing whether the connection to that URL fails, as it would on a real system (see Figure 8).
Figure 7 // Code checking IP address against a list of cloud providers and antimalware vendors.
Method #4: Specific username check.
The malware refuses to run under accounts with usernames typical of automated malware analysis systems, as seen in Figure 9.
Figure 8 // Code generating random URL and attempting download.
Figure 9 // Checking current username against a list of known malware analysis systems.
USE OF STEGANOGRAPHY TO BYPASS CONTENT FILTERING
In mid-2017, the attackers explored the possibility of hiding payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.
Steganography is the science of hiding data “in plain sight” – within other, non-secret data. In this case, a malicious EXE file was encrypted and hidden inside a valid JPEG file, such as the example in Figure 10. The malware downloaded and decoded the JPEG file, extracted the hidden data, decrypted the EXE file from that data, and launched it.
The decryption process is quite complex and can be described as follows:
1. Download the JPEG from the URL hardcoded in the downloader binary.
2. Brute-force an 8-digit password by calculating its hash and verifying it against the hash hardcoded in the downloader binary. This step is very CPU intensive and takes a typical desktop computer 10+ minutes to complete. This is most likely another measure against automated malware analysis systems.
3. Process the JPEG file and extract the data hidden in it, as seen in the code disassemblies in Figures 11 and 12. The algorithm used by the malware is very similar to JSteg, one of the oldest and simplest steganography algorithms for JPEG files, which hides data in the LSB (least significant bit) of JPEG DCT coefficients. Such hidden data does not usually affect an image in a way that is visible to the naked eye, but the presence of hidden data is easily detectable with specialized algorithms. However, this steganography algorithm is very easy to implement, which is probably the reason it was chosen by the malware authors.
4. Extract the data and decompress it using GZip.
5. Decrypt the decompressed data using AES and the password obtained in step 2.
6. Decode the decrypted data using Base64.
7. Write the EXE file to disk and execute it.
Eventually, these threat authors abandoned the steganography idea and started using hxxp://chip-tuning.lg[.]ua to serve unencrypted malware executables.
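The JSteg-style extraction of step 3, together with the pairs-of-values check that is the reason such hidden data is easy to detect, as an added example that is neither the malware's nor ESET's code. It works on a constructed list of quantized DCT coefficients rather than a real JPEG, so the JPEG decoding and the gzip/AES/Base64 stages of steps 4 to 6 are left out; `synth_cover`, `lsb_replace` and the marker string are assumptions used only to build test input for the two analysis functions.

```python
"""Added example (not from the ESET paper): JSteg-style LSB extraction from quantized
JPEG DCT coefficients, and the pairs-of-values chi-square check that exposes it.
Coefficient streams are constructed here; a real analysis would feed in the
quantized coefficients produced by a JPEG decoder."""
import random
from typing import Dict, List, Sequence

# JSteg leaves coefficients with value 0 or 1 untouched; every other one carries a bit.
NON_CARRIERS = (0, 1)


def jsteg_extract(coeffs: Sequence[int], nbytes: int) -> bytes:
    """Read the LSB of each carrier coefficient in stream order, packing bits MSB-first."""
    bits: List[int] = []
    want = nbytes * 8
    for c in coeffs:
        if c in NON_CARRIERS:
            continue
        bits.append(c & 1)           # valid for negative ints too (two's complement)
        if len(bits) == want:
            break
    if len(bits) < want:
        raise ValueError(f"stream holds {len(bits)} bits, {want} requested")
    out = bytearray()
    for i in range(0, want, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def pov_score(coeffs: Sequence[int], max_abs: int = 12) -> float:
    """Pairs-of-values statistic (Westfeld/Pfitzmann chi-square attack). LSB replacement
    only moves values between 2k and 2k+1, so uniform hidden bits equalise each pair,
    while a natural histogram is steep. Returns chi-square per pair: far above 1 for a
    clean image, about 1 when the carriers hold random-looking data."""
    hist: Dict[int, int] = {}
    for c in coeffs:
        if c in NON_CARRIERS or abs(c) > max_abs:
            continue
        hist[c] = hist.get(c, 0) + 1
    total, pairs = 0.0, 0
    for base in range(-max_abs, max_abs, 2):   # even bases; (0, 1) is never a carrier pair
        if base == 0:
            continue
        even, odd = hist.get(base, 0), hist.get(base + 1, 0)
        n = even + odd
        if n:
            total += (even - odd) ** 2 / n
            pairs += 1
    return total / pairs if pairs else 0.0


def synth_cover(n: int, seed: int) -> List[int]:
    """Constructed stand-in for AC coefficients: symmetric and sharply peaked around 0."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        mag = int(rng.expovariate(0.35))
        out.append(mag if rng.random() < 0.5 else -mag)
    return out


def lsb_replace(cover: Sequence[int], payload: bytes) -> List[int]:
    """JSteg-style LSB replacement, used only to build test input for the functions above."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    out, k = list(cover), 0
    for idx, c in enumerate(out):
        if k == len(bits):
            break
        if c in NON_CARRIERS:
            continue
        out[idx] = (c & ~1) | bits[k]
        k += 1
    if k < len(bits):
        raise ValueError("payload larger than carrier capacity")
    return out


def demo(seed: int = 7) -> Dict[str, object]:
    """Hide a marker plus random filler (standing in for compressed ciphertext) in a
    synthetic cover, then recover the marker and score both streams."""
    cover = synth_cover(20000, seed)
    capacity = sum(1 for c in cover if c not in NON_CARRIERS) // 8
    rng = random.Random(seed + 1)
    marker = b"TEST-PAYLOAD"
    payload = marker + bytes(rng.getrandbits(8) for _ in range(capacity - len(marker)))
    stego = lsb_replace(cover, payload)
    return {
        "recovered": jsteg_extract(stego, len(marker)),
        "cover_score": pov_score(cover),
        "stego_score": pov_score(stego),
    }
```

Run `demo()` to see the two scores side by side: the clean stream scores well above 1 per pair, the stream whose carrier LSBs were replaced collapses to roughly 1.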
Figure 10 // Example of a JPEG image used for payload hiding (image resized and payload removed).
Figure 11 // Steganography code inside JPEG decoder.
Figure 12 // Steganography code inside JPEG decoder.
MALWARE STRAINS
These threat actors are using three different malware strains in their attacks. We will provide a quick overview of each of them and focus on describing their unique features.
Quasar
Quasar is an open-source RAT (Remote Access Tool) which is freely available on GitHub. We’ve seen several campaigns where these threat actors used Quasar RAT binaries.
The first campaign we are aware of lasted from October 2015 to April 2016.
The next campaign utilizing the Quasar RAT took place in February 2017. Compilation artifacts show the PDB path n:projectsViralbaybak_files_onlyQRClientQuasarRAT-masterLibraryobjReleaseLibrary.pdb
Another Quasar RAT campaign using these attackers’ C&C servers (mailukr.net) occurred in July-September 2017. In this case, the attackers used an old version of the Quasar RAT named “xRAT 2.0 RELEASE3”. Compilation artifacts in the dropper show the PDB path N:shtormWinRARArchiveobjReleaseWinRAR.pdb
Sobaken
Sobaken is a heavily modified version of the Quasar RAT. When comparing the program structure of Quasar and Sobaken, we can see quite a few similarities, as in Figure 13.
The malware authors keep removing functionality, thus creating a much smaller executable, which is also easier to hide. They also added the anti-sandbox and other evasion tricks described above.
Figure 13 // Evolution of Sobaken. Left: Quasar RAT v1.3, middle and right – 2 versions of Sobaken.
Vermin
Vermin is a custom-made backdoor that is used only by these threat actors, and was first documented in a Palo Alto Networks report from January 2018. It first appeared in mid-2016 and is still in use. Just like Quasar and Sobaken, it is written in .NET. To slow down analysis, the program code is protected using the commercial .NET code protection system .NET Reactor or the open-source protector ConfuserEx. Also, just like Sobaken, it uses Vitevic Assembly Embedder, free software for embedding required DLLs into the main executable, available from the Visual Studio Marketplace.
Functionality
Vermin is a full-featured backdoor with several optional components. The latest known version of Vermin at the time of writing (Vermin 2.0) supports the following, self-explanatory, commands:
• StartCaptureScreen
• StopCaptureScreen
• ReadDirectory
• UploadFile
• DownloadFile
• CancelUploadFile
• CancelDownloadFile
• GetMonitors
• DeleteFiles
• ShellExec
• GetProcesses
• KillProcess
• CheckIfProcessIsRunning
• CheckIfTaskIsRunning
• RunKeyLogger
• CreateFolder
• RenameFolder
• DeleteFolder
• UpdateBot
• RenameFile
• ArchiveAndSplit
• StartAudioCapture
• StopAudioCapture
• SetMicVolume
Most of the commands are implemented in the main payload, though several commands and additional functionality are implemented via optional components that the attackers upload to the victim’s machine. Known optional components include:
• Audio recorder
• Keylogger
• Password stealer
• USB file stealer
Audio recorder (AudioManager)
This is a full-featured component of Vermin that can record audio from the microphone on the victim’s computer. It implements three of Vermin’s commands: StartAudioCapture, StopAudioCapture and SetMicVolume. Captured data is compressed using Speex codecs and uploaded in SOAP format to Vermin’s C&C servers.
Keylogger (KeyboardHookLib)
Vermin’s keylogger is a simple standalone executable that sets global keyboard hooks and writes all keystrokes into a file in an encrypted form. It also logs clipboard contents and active window titles. The keylogger cannot connect to Vermin’s C&C servers by itself – the main backdoor component is used to transfer collected information to the attackers’ servers.
The PDB path in the keylogger component confirms its association with the Vermin malware:
Z:\Projects\Vermin\KeyboardHookLib\obj\Release\AdobePrintLib.pdb
Password stealer (PwdFetcher)
Vermin’s standalone password stealer is used to extract saved passwords from browsers (Chrome, Opera). The majority of its code appears to be copy-pasted from an article on the Russian forum Habrahabr. Some samples also contain code for extracting information from the Firefox browser; however, it appears to be unused. As seen in Figure 14, this component also contains PDB paths similar to those seen in the keylogger component, confirming its association with the Vermin malware.
USB file stealer (UsbGuard)
UsbGuard.exe is an optional component used by both Sobaken and Vermin. It is a small, standalone program that monitors USB drives connected to the computer and copies all files that match the filter chosen by the attackers. The stolen files were later exfiltrated using the main backdoor module. Samples of this component contain many different PDB paths that clearly link it to Vermin.
Since April 2018, the file stealer has been used as a standalone tool. It copies files and immediately uploads them to a server controlled by the attackers.
Figure 14 // Compilation artifacts linking the password stealer to the Vermin malware.
In the analyzed samples, attackers were after files with the following extensions:
• .doc
• .docx
• .xls
• .xlsx
• .zip
• .rar
• .7z
• .docm
• .txt
• .rtf
• .xlsm
• .pdf
• .jpg
• .jpeg
• .tif
• .odt
• .ods
CONCLUSION
Among the many different malware attacks targeted at high-value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).
Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.
The fact that the attackers successfully used relatively trivial techniques, such as sending RAR and EXE files by email (a bad practice that still persists among users), highlights the importance of securing the human factor in computer network protection.
IOCs
C&Cs
Sobaken C&C