APT1: Additional Comment Crew Indicators of Compromise
http://www.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise

Network indicators

Network-based indications of possible compromise by the Comment Crew attackers.

HTTP POST traffic containing:
• name=GeorgeBush&userid=<4 digit number>&other=

HTTP GET traffic to pages with paths:
• aspnet_client/report.asp
• Resource/device_Tr.asp
• images/device_index.asp
• news/media/info.html
• backsangho.jpg
• addCats.asp
• SmartNav.jpg
• nblogo2.jpg

Domains:
• GT446.ezua.COM
• aunewsonline.com
• avvmail.com
• cas.ibooks.tk
• cas.m-e.org.ru
• colville.com
• cvba.com
• deebeedesigns.ca
• dev.teamattire.com
• doversolutions.co.in
• download.epac.to
• drgeorges.com
• dril-quip.deltae.com.br
• dsds.co.kr
• [REMOVED].ruok.org
• engineer.lflinkup.org
• exactearth.info.tm
• fbrshop.com
• firebirdonline.com
• forceoptions.net
• freelanceindy.com
• ftp.xmahone.ocry.com
• garyhart.com
• gobroadreach.com
• hint.happyforever.com
• hojutsu.com
• imly.org
• interradiology.com
• jimnaugle.com
• kayauto.net
• keenathomas.com
• ks.utworld.ch
• mast.zyns.com
• media.conci.com.au
• media.finanstalk.ru
• media.metdf.com.au
• meeting.toh.info
• mountainvalley.americanunfinished.com
• mrswehrman.com
• mwa.net
• news.hqrls.com
• odysseus.qs-va.orbcomm.net
• ohb-technology.brgh.de
• omegalogos.org
• pastorsrest.com
• portal.itsaol.com
• progammerli.com
• rbaparts.com
• report.crabdance.com
• [REMOVED].photo-frame.com
• route.cisco.ns01.info
• shunleewest.com
• slowblog.com
• smilecare.com
• software.myftp.info
• soko.com
• tcw.homier.com
• [REMOVED]comminc.us.to
• [REMOVED].arnotex.com
• thecrownsgolf.org
• [REMOVED].alfalcons.com
• twocirclesmusic.com
• un.linuxd.org
• update.sektori.org
• us.gnpes.org
• vwrm.com
• woodagency.com
• worldnews.kickingdruging.toythieves.com

Internet protocol addresses:
• 140.116.70.8
• 143.89.35.7
• 150.176.164.6
• 202.105.39.39
• 202.39.61.136
• 202.6.235.83
• 203.200.205.245
• 204.111.73.150
• 209.124.51.194
• 209.124.51.219
• 209.161.249.125
• 209.208.114.83
• 209.233.16.84
• 209.253.17.229
• 211.232.57.235
• 212.130.19.154
• 218.232.66.12
• 218.233.206.2
• 218.234.17.30
• 24.73.192.154
• 46.149.18.151
• 60.248.52.95
• 61.219.67.1
• 63.192.38.11
• 64.80.153.108
• 65.105.157.228
• 65.110.1.32
• 65.114.195.226
• 65.89.173.68
• 66.151.16.30
• 66.155.114.145
• 66.170.3.43
• 66.228.132.53
• 66.228.132.8
• 68.17.104.162
• 68.96.31.136
• 69.20.5.219
• 69.25.50.10
• 69.28.168.10
• 69.74.43.87
• 69.90.123.6
• 69.90.18.22
• 69.90.18.23
• 70.108.241.36
• 70.62.232.98
• 74.86.197.56
• 74.93.92.50
• 78.95.63.1

File indicators

File-based indications of possible compromise by the Comment Crew attackers.

Filenames and locations:
• %TEMP%\AdobeARM.exe
• %TEMP%\iTunesHelper.exe
• %PROGRAMS%\Startup\AdobeRe.exe
• rouj.exe
• %USERPROFILE%\Local Settings\iexplore.exe
• %USERAPPDATA%\Microsoft\wuauclt.exe
• %PROGRAMS%\Startup\adobeup.exe
• %TEMP%\AdobeUpdater.exe
• NTLMSVC.DLL
• %PROGRAMS%\Startup\adobe_sl.lnk
• %TEMP%\runinfo.exe

File version info:
• Product: SoundMAX service agent
• Description: Microsoft NTLM Service Holder
• Product & Description: JpgAsp

System indicators

System-based indications of possible compromise by the Comment Crew attackers.
Registry entries:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Acroread"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCheck"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AdobeCom"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IMSCMig"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"McUpdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Register"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"systemupdate"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wininstaller"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVSVC"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdobeUpdate"

Service names:
• aec
• elpmasym
• Net CLR

Email indicators

Email-based indications of possible compromise by the Comment Crew attackers.
Subject lines:
• Capt [REMOVED] update
• Fw: LES Request
• Libya crisis
• Five Simple Questions for Democrats on Spending Cuts
• Behind the Easing of Israeli-Palestinian Tensions
• Business Exec Urges Broad Trade Agenda To Curb China Role In Latin America
• President Chavezs Comments About President Obama and the United States on Sundays "Alo,Presidente"
• FW: New Standdard Operational Procedures (SOPs) between the
• AGENDA
• [REMOVED] Help You Save Enough for Retirement
• Human right of north Afica under war
• Spreading Civil Unrest in the Middle East and North Africa
• The latest analysis on Syria
• International Atomic Energy Agency invite you to attend Atomic Energy Summit
• GAC Monthly Report
• Emergency notification
• Meeting information of [REMOVED]
• Meeting information of [REMOVED]
• Meeting notice from [REMOVED]
• Meeting notice from [REMOVED]
• FY12 Government Opportunities
• Yemen para for SC briefing
• Fighting Protectionism and Promoting Trade and Investment
• Weekly Security Report
• Agenda of [REMOVED] Visit in July 2011
• Agenda of [REMOVED] Visit in July 2011
• Obituary Notice
• Updated Roster 20110712
• 2011 project budget
• [REMOVED] National Security Seminar
• Current internatinal situation surrounding Syria
• New Update of Health & Medical force
• FW:How to Get Free Airline Tickets
• Nuclear Security and Summit Diplomacy
• Fw: [REMOVED] Defence & Security Industry Mission to [REMOVED] 201
• [REMOVED] heriketlik pilani
• 2012 Global aerospace and defense industry outlook

Email attachment names:
• update.exe
• CTF 2011 (MF).xls
• BBC Monitoring reports..xls
• Five Simple Questions for Democrats on Spending Cuts.doc
• Behind the Easing of Israeli-Palestinian Tensions.doc
• Business Exec Urges Broad Trade AgendaTo Curb China Role In Latin America.doc
• PatriotLMSR2009Fin .doc
• New SOPs for HEC Coord with NATO.pdf
• agenda201005.pdf
• Human right report of noth Afica under the war.scr
• Middle_East_Civil_Unrest.pdf
• Protests Spread in Syria.pdf
• Cybersecurity and Cyber War.pdf
• The Meeting intivation of International Atomic Energy Agency 06-05-2011.scr
• meeting invitation of British Council 2011.scr
• Meeting information details of [REMOVED].exe
• Meeting information details of [REMOVED].exe
• Meeting detail information from [REMOVED].scr
• Meeting detail information from [REMOVED].scr
• FY12 Government Opportunities.pdf
• China's Jasmine protests.pdf
• Yemen para for SC briefing.doc
• DECLARATION- COMMENTS.Netherlands.pdf
• weekly_security_report-06-20-2011__-__06-26-2011.pdf
• 2011.xls
• Obituary.xls
• Updated_roster.xls
• 2011 project budget.xls
• Participant_Contacts.xls
• Current international situation surrounding Syria.doc
• Update of Health & Medical force.xls
• How to Get Free Airline Tickets.pdf
• REPLY_ FORM.doc
• Global A&D outlook 2012.pdf
• Global_A&D_outlook_2012.pdf

References

Mandiant Indicators of Compromise: http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip
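A sweep of web-proxy logs for the network indicators listed above (the POST body pattern, the GET path suffixes, the domains and the IP addresses), as an added example that is not part of Symantec's post. The log format and the six log lines are constructed for the example, the indicator sets are a representative subset of the post's lists, and the matching rules (lower-cased hosts, parent-domain matches, path suffixes on a "/" boundary, exactly four digits in userid) are this example's choices rather than anything the post specifies.

```python
"""Sweep web-proxy logs for the Comment Crew network indicators listed in this post.

Added example, not part of the original post. The log format and the log lines are
constructed for the example; the indicator sets below are a representative subset of the
post's lists and should be extended with the full lists before real use.
"""
import re
from urllib.parse import urlsplit

# Beacon body: the post gives userid as a 4-digit number, so require exactly four digits.
POST_BODY_RE = re.compile(r"name=GeorgeBush&userid=\d{4}&other=")

# The post lists GET paths without a leading slash; treat them as path suffixes on a
# '/' boundary so that, e.g., 'report.aspx' or 'logo.png' never match by accident.
GET_PATHS = (
    "aspnet_client/report.asp",
    "Resource/device_Tr.asp",
    "images/device_index.asp",
    "news/media/info.html",
    "backsangho.jpg",
    "addCats.asp",
    "SmartNav.jpg",
    "nblogo2.jpg",
)
DOMAINS = {  # lower-cased; matched exactly or as a parent of the request host
    "gt446.ezua.com", "aunewsonline.com", "cas.ibooks.tk",
    "route.cisco.ns01.info", "software.myftp.info",
}
IPS = {"140.116.70.8", "143.89.35.7", "209.124.51.194", "69.90.18.22"}


def parse_line(line):
    """Constructed format: <timestamp> <client-ip> <METHOD> <url> <status> [<request-body>]."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None  # malformed line: skip it rather than abort the sweep
    ts, client, method, url, status = parts[:5]
    body = parts[5] if len(parts) == 6 else ""
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": status, "body": body}


def host_matches(host):
    """Return a reason string if the request host is a listed IP or domain, else None."""
    host = host.lower().rstrip(".")
    if host in IPS:
        return f"ip:{host}"
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return f"domain:{d}"
    return None


def path_matches(path):
    """Return a reason string if the URL path ends with one of the listed GET paths."""
    p = path.lower()
    for ioc in GET_PATHS:
        if p.endswith("/" + ioc.lower()):
            return f"path:{ioc}"
    return None


def scan(lines):
    """Return one hit per matching line with the client, URL and every reason it matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        reasons = []
        host_hit = host_matches(url.hostname or "")
        if host_hit:
            reasons.append(host_hit)
        if rec["method"] == "GET":  # the post ties the path indicators to GET requests
            path_hit = path_matches(url.path)
            if path_hit:
                reasons.append(path_hit)
        if rec["method"] == "POST" and POST_BODY_RE.search(rec["body"]):
            reasons.append("post-body:GeorgeBush beacon")
        if reasons:
            hits.append({"line": n, "client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


# Constructed sample traffic: lines 2-4 should hit; the rest are look-alikes that must not.
SAMPLE_LOG = [
    "2013-02-20T09:58:11Z 10.1.2.3 GET http://www.example.com/images/logo.png 200",
    "2013-02-20T10:01:02Z 10.1.2.3 POST http://aunewsonline.com/aspnet_client/report.asp 200 name=GeorgeBush&userid=4471&other=",
    "2013-02-20T10:03:40Z 10.1.2.7 GET http://GT446.ezua.COM/news/media/info.html 404",
    "2013-02-20T10:05:00Z 10.1.2.9 GET http://143.89.35.7/nblogo2.jpg 200",
    "2013-02-20T10:06:30Z 10.1.2.3 POST http://intranet.example.com/login 302 name=GeorgeBush&userid=12&other=",
    "2013-02-20T10:07:15Z 10.1.2.5 GET http://cdn.example.net/static/aspnet_client/report.aspx 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The decoy lines are the point: a two-digit userid, an .aspx that merely starts with a listed path, and an unrelated file under images/ all stay quiet, while the mixed-case GT446.ezua.COM host still matches after normalisation. Whether to apply the path indicators to non-GET requests as well is a judgement call; the post ties them to GET, so the example does too.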
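A check of a collected host inventory against the file, registry and service indicators listed above, as an added example that is not part of Symantec's post. The inventory is constructed (the shape an autorun, service and file-listing export from an EDR or forensic script might take), and the mapping of the post's placeholders (%TEMP%, %PROGRAMS%, %USERAPPDATA%) to concrete directories is an assumption about an XP-era profile layout, which is what the post's "Local Settings" paths imply; adjust it for newer profile layouts.

```python
"""Check a host inventory against the file, registry and service indicators listed above.

Added example, not part of the original post. The inventory below is constructed, and the
placeholder-to-directory mapping in expand() is an assumption (XP-style profile layout).
"""
import ntpath

RUN_VALUE_NAMES = {
    "HKCU": {"Acroread", "Adobe Update", "AdobeCheck", "AdobeCom", "IMSCMig",
             "McUpdate", "Register", "SysTray", "systemupdate", "wininstaller"},
    "HKLM": {"APVSVC", "AdobeUpdate"},
}
SERVICE_NAMES = {"aec", "elpmasym", "Net CLR"}
FILE_TEMPLATES = (
    r"%TEMP%\AdobeARM.exe", r"%TEMP%\iTunesHelper.exe", r"%TEMP%\AdobeUpdater.exe",
    r"%TEMP%\runinfo.exe", r"%PROGRAMS%\Startup\AdobeRe.exe",
    r"%PROGRAMS%\Startup\adobeup.exe", r"%PROGRAMS%\Startup\adobe_sl.lnk",
    r"%USERPROFILE%\Local Settings\iexplore.exe", r"%USERAPPDATA%\Microsoft\wuauclt.exe",
)
# Indicators the post gives without a directory: match on file name in any location.
BARE_NAMES = {"rouj.exe", "ntlmsvc.dll"}


def expand(template, profile):
    """Turn a placeholder path into a concrete, lower-cased path for one user profile."""
    # Assumed mapping (XP-style layout):
    #   %TEMP%        -> <profile>\Local Settings\Temp
    #   %PROGRAMS%    -> <profile>\Start Menu\Programs
    #   %USERAPPDATA% -> <profile>\Application Data
    subs = {
        "%TEMP%": profile + r"\Local Settings\Temp",
        "%USERPROFILE%": profile,
        "%PROGRAMS%": profile + r"\Start Menu\Programs",
        "%USERAPPDATA%": profile + r"\Application Data",
    }
    for placeholder, concrete in subs.items():
        template = template.replace(placeholder, concrete)
    return template.lower()


def check(snapshot):
    """Return (kind, what, detail) findings; names and paths are compared case-insensitively."""
    findings = []
    for hive, values in snapshot["run_values"].items():
        wanted = {n.lower() for n in RUN_VALUE_NAMES.get(hive, ())}
        for name, command in values.items():
            if name.lower() in wanted:
                findings.append(("run", f"{hive}\\Run\\{name}", command))
    wanted_services = {s.lower() for s in SERVICE_NAMES}
    for service in snapshot["services"]:
        if service.lower() in wanted_services:
            findings.append(("service", service, ""))
    # Expand every template for every profile on the box, then compare full paths so a
    # same-named binary in a legitimate directory does not fire.
    expanded = {expand(t, p) for t in FILE_TEMPLATES for p in snapshot["profiles"]}
    for path in snapshot["files"]:
        lowered = path.lower()
        if lowered in expanded or ntpath.basename(lowered) in BARE_NAMES:
            findings.append(("file", path, ""))
    return findings


# Constructed inventory: one Run value, one service and three files should be flagged;
# the AdobeUpdater.exe under Program Files is a decoy that must not.
SNAPSHOT = {
    "profiles": [r"C:\Documents and Settings\jdoe", r"C:\Documents and Settings\Administrator"],
    "run_values": {
        "HKCU": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                 "AdobeCheck": r"C:\Documents and Settings\jdoe\Local Settings\Temp\AdobeUpdater.exe"},
        "HKLM": {"TrayHelper": r"C:\Program Files\Vendor\tray.exe"},
    },
    "services": ["Dhcp", "elpmasym", "wuauserv"],
    "files": [
        r"C:\Documents and Settings\jdoe\Local Settings\Temp\AdobeUpdater.exe",
        r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\adobe_sl.lnk",
        r"C:\WINDOWS\system32\NTLMSVC.DLL",
        r"C:\Program Files\Vendor\Updater\AdobeUpdater.exe",
    ],
}

if __name__ == "__main__":
    for finding in check(SNAPSHOT):
        print(finding)
```

Expanding the templates per profile matters on a multi-user box: the Startup-folder indicator only fires for the Administrator profile here, and the decoy AdobeUpdater.exe under Program Files is ignored because the post anchors that name to %TEMP%. The two bare names (rouj.exe, NTLMSVC.DLL) are the only ones matched by file name alone.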