📃Title: The eagle eye is back: old and new backdoors from APT30
📅Date: 2020-06-19
🔗References:
Description
On April 8, 2020, PT Security Center detected signs of renewed activity by the well-known APT30 group: network signatures for dynamic malware analysis deployed on a popular analysis site alerted on APT30, which had not been seen active for some time.
The article examines new versions of the group's known Trojans, the features of its recently detected malware, and its network infrastructure.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: malware-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Malaysia"
- threat-actor=APT30
- malpedia="NETEAGLE"
- malpedia="RCtrl"
- malpedia="backspace"
- mitre-attack-pattern=['T1027', 'T1045', 'T1112', 'T1137', 'T1002', 'T1071', 'T1064', 'T1204', 'T1082']
(Note: T1002, T1045 and T1064 have since been deprecated in ATT&CK; their current equivalents are T1560, T1027.002 and T1059.)
MISP event uuid: f2225e4e-678a-4018-9046-befc5d32e220
Indicator of Compromise (IoCs)
type,value,comment
md5,56725556d1ac8a58525ae91b6b02cf2c,IOC-title:Win32.Tavex.A; IOC-description:MD5 56725556d1ac8a58525ae91b6b02cf2c
md5,9cb8a0cb778906c046734fbe67778c61,IOC-title:ConventionEngine_Keyword_Svchost; IOC-description:MD5 9cb8a0cb778906c046734fbe67778c61
md5,f4f8f64fd66a62fc456da00dd25def0d,NETEAGLE dropper
md5,95fde34187552a2b0b7e3888bfbff802,RCtrl
md5,ed09b0dba74bf68ec381031e2faf4448,RHttpCtrl
md5,c9b1c8b51234265983cf8427592b0a68,
md5,101bda268bf8277d84b79fe52e25fee4,BACKSPACE
md5,d9c42dacfae73996ccdab58e429548c0,BACKSPACE
md5,634e79070ba21e1e8f08aba995c98112,
md5,4fdfe014bed72317fa40e4a425350288,
url,http://www.techmicrost.com/infos/p,
url,http://www.kabadefender.com/plugins/r.exe,
url,http://www.gordeneyes.com/photo/,
url,http://www.gordeneyes.com/infos/p,
url,http://www.kabadefender.com/clntsignin.php,
url,http://www.kabadefender.com/clntcmd.php,
url,http://103.233.10.152:4433/,
url,http://172.247.197.189:443/,
hostname,www.gordeneyes.com,
hostname,www.newpresses.com,
hostname,www.techmicrost.com,
hostname,www.kabadefender.com,
hostname,www.appsecnic.com,
hostname,www.km153.com,
domain,km153.com,
domain,newpresses.com,
domain,appsecnic.com,
domain,kabadefender.com,
domain,gordeneyes.com,
domain,techmicrost.com,
Full IOCs available in Rectifyq’s MISP
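The IoC table above is only useful once it has been sanity-checked and turned into something a sensor can match. The script below is an added example written for this page; it is not code from PT Security, Rectifyq or the original article. It embeds the page's IoC rows inline (so it runs offline), checks that each value fits its declared type (the check that catches a 32-hex-character MD5 filed as a SHA256, a mistake the source export made in its comment column), folds the URL/hostname/domain rows into one host blocklist plus the bare IP:port C2 endpoints, and matches a few constructed log lines against the result. The log lines and the log formats they imply are assumptions for illustration, not real telemetry.

```python
# Added example for this page (not PT Security's or Rectifyq's code). IOC_CSV is the
# page's IoC table copied inline; SAMPLE_EVENTS are constructed, not real telemetry.
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

IOC_CSV = """type,value,comment
md5,56725556d1ac8a58525ae91b6b02cf2c,Win32.Tavex.A
md5,9cb8a0cb778906c046734fbe67778c61,ConventionEngine_Keyword_Svchost
md5,f4f8f64fd66a62fc456da00dd25def0d,NETEAGLE dropper
md5,95fde34187552a2b0b7e3888bfbff802,RCtrl
md5,ed09b0dba74bf68ec381031e2faf4448,RHttpCtrl
md5,c9b1c8b51234265983cf8427592b0a68,
md5,101bda268bf8277d84b79fe52e25fee4,BACKSPACE
md5,d9c42dacfae73996ccdab58e429548c0,BACKSPACE
md5,634e79070ba21e1e8f08aba995c98112,
md5,4fdfe014bed72317fa40e4a425350288,
url,http://www.techmicrost.com/infos/p,
url,http://www.kabadefender.com/plugins/r.exe,
url,http://www.gordeneyes.com/photo/,
url,http://www.gordeneyes.com/infos/p,
url,http://www.kabadefender.com/clntsignin.php,
url,http://www.kabadefender.com/clntcmd.php,
url,http://103.233.10.152:4433/,
url,http://172.247.197.189:443/,
hostname,www.gordeneyes.com,
hostname,www.newpresses.com,
hostname,www.techmicrost.com,
hostname,www.kabadefender.com,
hostname,www.appsecnic.com,
hostname,www.km153.com,
domain,km153.com,
domain,newpresses.com,
domain,appsecnic.com,
domain,kabadefender.com,
domain,gordeneyes.com,
domain,techmicrost.com,
"""
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def parse_iocs(text):
    """Parse the CSV into (type, value, comment) tuples; tolerate spaces after commas."""
    rows = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [(r["type"].strip().lower(), r["value"].strip(), (r["comment"] or "").strip()) for r in rows]

def validate(iocs):
    """Rows whose value does not fit the declared type, e.g. a 32-hex (MD5-length) value filed as sha256."""
    problems = []
    for t, v, _ in iocs:
        if t in HASH_LEN:
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[t], v.lower()):
                problems.append((t, v, f"expected {HASH_LEN[t]} hex chars, got {len(v)}"))
        elif t == "url":
            p = urlparse(v)
            if p.scheme not in ("http", "https") or not p.hostname:
                problems.append((t, v, "not an absolute http(s) URL"))
        elif t in ("hostname", "domain"):
            if not HOST_RE.match(v.lower()):
                problems.append((t, v, "not a DNS name"))
        else:
            problems.append((t, v, "unknown indicator type"))
    return problems

def network_indicators(iocs):
    """Fold url/hostname/domain rows into a host blocklist plus bare IP:port C2 endpoints."""
    hosts, endpoints = set(), set()
    for t, v, _ in iocs:
        if t in ("hostname", "domain"):
            hosts.add(v.lower())
        elif t == "url":
            p = urlparse(v)
            try:
                ipaddress.ip_address(p.hostname)  # IP-literal C2: nothing to sinkhole in DNS
                endpoints.add((p.hostname, p.port or (443 if p.scheme == "https" else 80)))
            except ValueError:
                hosts.add(p.hostname.lower())
    return hosts, endpoints

SAMPLE_EVENTS = [  # constructed log lines in an assumed key=value format
    "dns query=www.kabadefender.com", "dns query=mail.example.org",
    "proxy dst=103.233.10.152:4433", "proxy dst=10.0.0.5:443",
    "file md5=d9c42dacfae73996ccdab58e429548c0", "file md5=" + "0" * 32,
]

def match_events(iocs, events):
    """Return (event, indicator_kind) for every event that touches an indicator."""
    hashes = {v.lower() for t, v, _ in iocs if t in HASH_LEN}
    hosts, endpoints = network_indicators(iocs)
    hits = []
    for e in events:
        if (m := re.search(r"query=(\S+)", e)) and m.group(1).lower() in hosts:
            hits.append((e, "host"))
        elif (m := re.search(r"dst=([\d.]+):(\d+)", e)) and (m.group(1), int(m.group(2))) in endpoints:
            hits.append((e, "endpoint"))
        elif (m := re.search(r"md5=([0-9a-fA-F]{32})", e)) and m.group(1).lower() in hashes:
            hits.append((e, "hash"))
    return hits
```

Run `validate(parse_iocs(IOC_CSV))` before loading the list into a sensor; it returns an empty list for the rows above, and a non-empty one if a hash is filed under the wrong algorithm or a URL is relative. `network_indicators` yields twelve hosts for DNS or proxy blocking and the two IP:port endpoints, which need a firewall or NetFlow rule rather than a DNS sinkhole; `match_events` shows the three sample lines that touch an indicator.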