📃Title: The eagle eye is back: old and new backdoors from APT30
📅Date: 2020-06-19
🔗References:
Description
On April 8, 2020, PT Security Center detected signs of life from the well-known APT30 group. Network signatures for dynamic malware analysis on a popular site alerted on APT30, which had not been active for some time.
In this article, PT Security examines new versions of known Trojans, the features of the group's recently detected malware, and its network infrastructure.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: malware-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Malaysia"
- threat-actor APT30
- malpedia="NETEAGLE"
- malpedia="RCtrl"
- malpedia="backspace"
- mitre-attack-pattern=['T1027', 'T1045', 'T1112', 'T1137', 'T1002', 'T1071', 'T1064', 'T1204', 'T1082']
MISP event uuid: f2225e4e-678a-4018-9046-befc5d32e220
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP