APT1: Additional Comment Crew Indicators of Compromise
http://www.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise
Network indicators
Network-based indications of possible compromise by the Comment Crew attackers.
HTTP POST traffic containing
• name=GeorgeBush&userid=<4 digit number>&other=
HTTP GET traffic to pages with paths:
• aspnet_client/report.asp
• Resource/device_Tr.asp
• images/device_index.asp
• news/media/info.html
• backsangho.jpg
• addCats.asp
• SmartNav.jpg
• nblogo2.jpg
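As an added example (not part of the Symantec post), a small Python scanner that applies the two HTTP indicators above to proxy-log records. The record layout and the sample entries are constructed assumptions; the POST pattern treats the userid as exactly four digits, as the indicator states.

```python
import re

# Constructed sample proxy-log records (not from the original post):
# (method, host, path, request body); body is empty for GET.
SAMPLE_LOG = [
    ("POST", "cdn.example.net", "/index.asp", "name=GeorgeBush&userid=4821&other="),
    ("POST", "cdn.example.net", "/index.asp", "name=GeorgeBush&userid=12&other="),
    ("GET",  "www.example.org", "/aspnet_client/report.asp", ""),
    ("GET",  "www.example.org", "/static/nblogo2.jpg", ""),
    ("GET",  "www.example.org", "/images/device_index.aspx", ""),
    ("GET",  "www.example.org", "/index.html", ""),
]

# POST body indicator: the userid field is exactly four digits.
POST_BODY_RE = re.compile(r"(?:^|&)name=GeorgeBush&userid=\d{4}&other=(?:&|$)")

# GET path indicators. Entries with a directory component must match as a
# suffix of the request path; bare filenames match only the last segment.
GET_PATHS = [
    "aspnet_client/report.asp",
    "Resource/device_Tr.asp",
    "images/device_index.asp",
    "news/media/info.html",
    "backsangho.jpg",
    "addCats.asp",
    "SmartNav.jpg",
    "nblogo2.jpg",
]

def match_get_path(path):
    """Return the indicator matched by a GET request path, or None."""
    clean = path.split("?", 1)[0].lower()  # drop query string, compare case-insensitively
    for ind in GET_PATHS:
        ind_l = ind.lower()
        if "/" in ind_l:
            if clean.endswith("/" + ind_l):
                return ind
        elif clean.rsplit("/", 1)[-1] == ind_l:
            return ind
    return None

def scan(entries):
    """Return (record index, indicator) pairs for records hitting an HTTP indicator."""
    hits = []
    for i, (method, host, path, body) in enumerate(entries):
        if method == "POST" and POST_BODY_RE.search(body):
            hits.append((i, "POST body name=GeorgeBush&userid=<4 digits>&other="))
        elif method == "GET":
            ind = match_get_path(path)
            if ind:
                hits.append((i, "GET " + ind))
    return hits
```

A hit on any of these paths is only a lead: `device_index.aspx` and a two-digit userid are deliberately left unmatched to show the indicators are literal, not fuzzy.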
Domains
Internet protocol addresses
File indicators
File-based indications of possible compromise by the Comment Crew attackers.
Filenames and locations:
• %TEMP%\AdobeARM.exe
• %TEMP%\iTunesHelper.exe
• %PROGRAMS%\Startup\AdobeRe.exe
• rouj.exe
• %USERPROFILE%\Local Settings\iexplore.exe
• %USERAPPDATA%\Microsoft\wuauclt.exe
• %PROGRAMS%\Startup\adobeup.exe
• %TEMP%\AdobeUpdater.exe
• NTLMSVC.DLL
• %PROGRAMS%\Startup\adobe_sl.lnk
• %TEMP%\runinfo.exe
File version info:
Product: SoundMAX service agent
Description: Microsoft NTLM Service Holder
Product & Description: JpgAsp
System indicators
System-based indications of possible compromise by the Comment Crew attackers.
Registry entries:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Acroread"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCheck"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCom"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IMSCMig"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"McUpdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Register"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"systemupdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wininstaller"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVSVC"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeUpdate"
Service names:
• aec
• elpmasym
• Net CLR
Email indicators
Email-based indications of possible compromise by the Comment Crew attackers.
Subject lines
• Capt [REMOVED] update
• Fw: LES Request
• Libya crisis
• Five Simple Questions for Democrats on Spending Cuts
• Behind the Easing of Israeli-Palestinian Tensions
• Business Exec Urges Broad Trade Agenda To Curb China Role In Latin America
• President Chavezs Comments About President Obama and the United States on Sundays "Alo,Presidente"
• FW: New Standdard Operational Procedures (SOPs) between the
• AGENDA
• [REMOVED] Help You Save Enough for Retirement
• Human right of north Afica under war
• Spreading Civil Unrest in the Middle East and North Africa
• The latest analysis on Syria
• International Atomic Energy Agency invite you to attend Atomic Energy Summit
• GAC Monthly Report
• Emergency notification
• Meeting information of [REMOVED]
• Meeting information of [REMOVED]
• Meeting notice from [REMOVED]
• Meeting notice from [REMOVED]
• FY12 Government Opportunities
• Yemen para for SC briefing
• Fighting Protectionism and Promoting Trade and Investment
• Weekly Security Report
• Agenda of [REMOVED] Visit in July 2011
• Agenda of [REMOVED] Visit in July 2011
• Obituary Notice
• Updated Roster 20110712
• 2011 project budget
• [REMOVED] National Security Seminar
• Current internatinal situation surrounding Syria
• New Update of Health & Medical force
• FW:How to Get Free Airline Tickets
• Nuclear Security and Summit Diplomacy
• Fw: [REMOVED] Defence & Security Industry Mission to [REMOVED] 201
• [REMOVED] heriketlik pilani
• 2012 Global aerospace and defense industry outlook
Email attachment names
• update.exe
• CTF 2011 (MF).xls
• BBC Monitoring reports..xls
• Five Simple Questions for Democrats on Spending Cuts.doc
• Behind the Easing of Israeli-Palestinian Tensions.doc
• Business Exec Urges Broad Trade AgendaTo Curb China Role In Latin America.doc
• PatriotLMSR2009Fin .doc
• New SOPs for HEC Coord with NATO.pdf
• agenda201005.pdf
• Human right report of noth Afica under the war.scr
• Middle_East_Civil_Unrest.pdf
• Protests Spread in Syria.pdf
• Cybersecurity and Cyber War.pdf
• The Meeting intivation of International Atomic Energy Agency 06-05-2011.scr
• meeting invitation of British Council 2011.scr
• Meeting information details of [REMOVED].exe
• Meeting information details of [REMOVED].exe
• Meeting detail information from [REMOVED].scr
• Meeting detail information from [REMOVED].scr
• FY12 Government Opportunities.pdf
• China's Jasmine protests.pdf
• Yemen para for SC briefing.doc
• DECLARATION- COMMENTS.Netherlands.pdf
• weekly_security_report-06-20-2011__-__06-26-2011.pdf
• 2011.xls
• Obituary.xls
• Updated_roster.xls
• 2011 project budget.xls
• Participant_Contacts.xls
• Current international situation surrounding Syria.doc
• Update of Health & Medical force.xls
• How to Get Free Airline Tickets.pdf
• REPLY_ FORM.doc
• Global A&D outlook 2012.pdf
• Global_A&D_outlook_2012.pdf
References
Mandiant Indicators of Compromise
http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip