API tools faq
paste
Guest User

Charming Kitten - December 2017

a guest
Dec 6th, 2017
11,727
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 55.31 KB | None | 0 0
raw download clone embed print report
  1. Contents Introduction .......................................................................................................................................................... 3 Targets ......................................................................................................................................................... 3 Charming Kitten or Rocket kitten? ....................................................................................................................... 4 The HBO hacker and Charming Kitten .................................................................................................................. 5 HBO hacking indictment .............................................................................................................................. 5 Connection to Iranian government backed threat agent ............................................................................ 5 From Mesri to Charming Kitten ................................................................................................................... 6 Delivery and Infection ........................................................................................................................................16 Made up organizations and people ...............................................................................................................16 British News ...............................................................................................................................................16 Made up studens and jurnalists .................................................................................................................24 Impersonating real companies .......................................................................................................................30 United Technologies impersonation ..........................................................................................................30 Watering holes ...............................................................................................................................................32 Spear Phishing for credential stealing ............................................................................................................34 Wave 1 .......................................................................................................................................................34 Wave 2 .......................................................................................................................................................36 Wave 3 .......................................................................................................................................................37 Email tracking services ...............................................................................................................................45 Targeted emails with malware .......................................................................................................................46 DownPaper Malware ..........................................................................................................................................47 Additional samples.....................................................................................................................................49 MAGICHOUND.RETRIEVER .................................................................................................................................50 Appendix A - Indicators of Compromise .............................................................................................................51 Appendix B - Previous reports about Charming Kitten and Rocket Kitten .........................................................59
  2. Introduction Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, which has not been publicly documented to date. Incidents documented in this report are likely a small fraction of the actual amount of targeted attacks, which may reach thousands of individuals. We expose more than 85 IP addresses, 240 malicious domains, hundreds of hosts, and multiple fake entities – most of which were created in 2016-2017. The most recent domains (com-archivecenter[.]work, com-messengerservice[.]work and com-videoservice[.]work) were registered on December 2nd, 2017, and have probably not been used in attacks yet. We present the connection between Behzad Mesri, an Iranian national recently indicted for his involvement in hacking HBO, and Charming Kitten. We also identify other members of the group. This report refers to two likely distinct groups, Charming Kitten and Rocket Kitten, together. This is not to say that the two groups are one, but that due to overlap in infrastructure, tools, targets, and modus operandi we are unable to precisely attribute each incident to one or the other. Further discussion appears in the section "Charming Kitten or Rocket kitten?" Targets The attackers' focus appears to be individuals of interest to Iran in the fields of Academic research (i.e. Iranists - Scholars who study Iran), Human right and media. Emphasis is given to Iranian dissidents living in Iran or abroad, and people who come in touch with Iranians or report on Iranian affairs such as journalists and reporters, media outlets covering Iran, and political advisors. Most targets known to us are individuals living in Iran, the United States, Israel, and the UK. Others live in Turkey, France, Germany, Switzerland, United Arab Emirates, India, Denmark and other countries. Notably, the attackers usually try to gain access to private email and Facebook accounts. They seek to infiltrate the targets’ social network as a hop point to breach other accounts in their social network, or to collect information about their targets. Sometimes, they aim at establishing a foothold on the target’s computer to gain access into their organization, but, based on our data, this is usually not their main objective, as opposed to other Iranian threat groups, such as Oilrig1 and CopyKittens2. 1 http://www.clearskysec.com/oilrig/ 2 http://www.clearskysec.com/tulip/
  3. Charming Kitten or Rocket kitten? While Iranian threat actors have been well documented by security researchers, the inner workings of the ecosystem of Iran's hackers is not entirely clear. Groups can be vigorously active for years and then disappear abruptly, sometimes due to being publicly outed. Researchers make a best-faith effort to assign operations to certain groups, but the instability in the field makes the process challenging. A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report -“Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code”3 by Collin Anderson and Claudio Guarnieri. Flying Kitten (which is another name given by the security industry to Charming Kitten) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI (Islamic Republic of Iran) government and foreign espionage targets. FireEye’s publication of “Operation Saffron Rose” report, which described Flying Kitten’s operations against aviation firms, led to the dismantling of Flying kitten's infrastructure and the apparent end of its activities. Months later, another, seemingly distinct group, “Rocket Kitten,” would be described by a series of reports. While the two groups exhibited different behaviors that lend credence to the assumption they were distinct, disclosures of private toolkits strongly suggest that Rocket Kitten had used Flying Kitten resources throughout its credential-theft operations. Moreover, Rocket Kitten had experimented with reusing malware that appeared to be an undisclosed precursor to Flying Kitten's “Stealer” agent documented by FireEye. These overlaps provide some indication that Rocket Kitten had some relationship to Flying Kitten – perhaps members of the latter joining the new team. Rocket Kitten has since largely subsided as a formidable actor, and repeating the theme of its predecessor now only appears in echoes of other campaigns. Read -“Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code” here: https://iranthreats.github.io/resources/attribution-flying-rocket-kitten. Further information is available in "Appendix B - Previous reports about Charming Kitten and Rocket Kitten". 3 https://iranthreats.github.io/resources/attribution-flying-rocket-kitten
  4. The HBO hacker and Charming Kitten HBO hacking indictment In November 21, 2017, the United States Department of Justice unsealed an indictment4 against Behzad Mesri (A.K.A “Skote Vahshat”)5 for his involvement hacking and extorting HBO, and for subsequently leaking the stolen content on the Internet. Leaked content included confidential information about upcoming episodes of the popular television series, “Game of Thrones,” and video files containing unreleased episodes of other television series created by HBO6. According to the indictment, "Mesri is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure. At certain times, Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team". Connection to Iranian government backed threat agent Security researcher Collin Anderson of Iran Threats7 tagged Mesri's twitter account8 in a tweet9 suggesting that Mesri might be related to Charming Kitten. 4 https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-charges-against-iranian-national-conducting 5 https://www.fbi.gov/wanted/cyber/behzad-mesri 6 Other stolen content includes: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce”; (b) scripts and plot summaries for unaired programs, including but not limited to episodes of “Game of Thrones”; (c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”). 7 https://iranthreats.github.io/ 8 https://twitter.com/skote_vahshat 9 https://twitter.com/CDA/status/932992141466279936
  5. Subsequently, we tried to find connections of Mesri to other activities and people mentioned in this report. Thanks to the public nature of how Mesri and other members of Turk Black Hat conducted their hacking activities and private online life, we could find several connections. This is not to say that the HBO hack was ordered by the Iranian government. Rather, we try to strengthen the assumption that Mesri was, at a certain time, part of, or related to Charming Kitten. In addition, we unmask other members of the group based on their connection to Mesri and to Charming Kitten infrastructure. From Mesri to Charming Kitten ArYaIeIrAN (AKA aryaieiran@gmail.com AKA aryaieiran@hotmail.com AKA mno_1988_fgh@yahoo.com) is a 29 years old Iranian hacker and member of Turk Black Hat. Below is his profile page in "Iranian engineers club"10: 10 http://www.iran-eng.ir/member.php/77662-ArYaiEiRan?langid=1
  6. A list of websites he defaced, listed on Zone-H11: And a mirror page of a defacement he made in 2012, showing some of his team members and email address: 11 http://www.zone-h.org/archive/notifier=ArYaIeIrAn
  7. The same email address, aryaieiran@gmail.com, shows up in the SOA (Start of Authority) record of multiple domains registered and used by Charming Kittens that are presented in this report. These include britishnews.com[.]co, britishnews[.]org, broadcastbritishnews[.]com and mehrnews[.]info. All these websites used persiandns[.]net as their NS (name server), as can be seen in PassiveTotal12 13: 12 https://community.riskiq.com/search/britishnews.org 13 https://community.riskiq.com/search/britishnews.com.co
  8. aryaieiran@gmail.com also registered persiandns[.]net, potentially indicating that he is the administrator of the services and an employee in the company: In a defacement, still online at the time of writing, both ArYaIeIrAn and Skote_Vahshat, the HBO hacker, take credit as members of Turk Black Hat. This indicates that both were members of Turk Black Hat at the same time, and likely knew each other.
  9. persiandns[.]net hosting services, which hosted malicious domains used by charming kitten, redirects to mahanserver[.]ir, indicating it is the same company: The about page (ام هرابرد) of mahanserver[.]ir leads to a 404 error page:
  10. The CEO of mahanserver[.]ir is Mohammad Rasoul Akbari (A.K.A ra3ou1), likely the boss or partner of ArYaIeIrA:
  11. The two follow each other on twitter: Akbari is a Facebook friend of the HBO hacker, Behzad Mesri 14. 14 https://www.facebook.com/friendship/sk0te.vahshat/ra3ou1/
  12. On Linkedin, MahanServer only has two employees: CEO Mohammad Rasoul Akbari and Mohammadamin Keshvari: Interestingly, Mohammadamin Keshvari's profile picture is a pomegranate, like that of ArYaIeIrAN’s twitter account15: 15 https://twitter.com/aryaieiran
  13. Moreover, Mohammadamin Keshvari mentions in his LinkedIn profile that he works at ARia Dc (ariadc[.]com, ariadc[.]net) which was registered by aryaieiran@gmail.com for three days in 2013 before changing to a generic email16: ARia Dc later turned into MahanServer, as can be seen in Waybac Machine: 16 Data from DomainTools whois history.
  14. To sum up, the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn, who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari, who is a Facebook friend of Behzad Mesri's. We tend to identify ArYaIeIrAn with Mohammadamin Keshvari, because the latter is the only other employee of Mahanserver and works in a company whose domain was registered by the former (and both have a similar and unique profile picture). We estimate with medium certainty that the three are directly connected to Charming Kitten, and potentially, along with others – are Charming Kitten. We used SocialNet, Shadow Dragon’s Maltego transform for social media analysis17 to analyze these connections and visually depict them, as can be seen below: 17 https://shadowdragon.io/product/socialnet
  15. Delivery and Infection Charming Kitten attack their targets using the following methods: • Made up organizations and people – entities are made up to lure people into malicious websites or to receive malicious messages. • Impersonating real companies – real companies are impersonated, making victims believe they are communicating or visiting the website of the real companies. • Watering hole attacks – inserting malicious JavaScript code into breached strategic websites. • Spear phishing – pretending to be Gmail, Facebook, and other services providers, or pretending to be a friend of the target sharing a file or a link. These methods are elaborated below. Made up organizations and people British News Charming kitten regularly target international media outlets with Persian-language services. Two recent reports – "How Iran tries to control news coverage by foreign-based journalists"18 and "Iranian agents blackmailed BBC reporter with ‘naked photo’ threats"19 describe harassment and intimidation methods applied by Iranian intelligence agencies. These campaigns often target reporters and journalists in phishing attempts. On the same note, we identified a fake-news agency "established" by the attackers, called “The British news agency” or “Britishnews” (inspired by BBC)20. Its website domain is britishnews.com[.]co and two other domains, broadcastbritishnews[.]com and britishnews[.]org, redirected to it. Below are screenshots of the main page of the website, which is online at time of writing: 18 https://rsf.org/en/news/how-iran-tries-control-news-coverage-foreign-based-journalists 19 http://www.arabnews.com/node/1195681/media 20 Outed in collaboration with Forbs On Jan 2017, see “With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook” forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage
  16. Below is a screenshot from the “about” page of the fake news agency website, detailing its objectives and giving the email addresses of various “employees”:
  17. Note the use of present perfect instead of past simple in "has been established" (instead of "was established"), present progressive (we are covering) instead of present simple (we cover) to mark a habitual aspect, and "began this work" – all suggesting a Persian-thinking writer. This fake news-agency and accompanying social media accounts are not used to disseminate propaganda or false information. Their content was automatically copied from legitimate sources. The purpose of this news agency is to create legitimacy, with the end goal of reaching out to their targets and infecting them while visiting the infected website. The website contains BeEF (Browser Exploitation Framework – a penetration testing tool that focuses on web browsers), however it seems that the payload is sent only when the victim visits the site from IPs in a whitelist managed by the attackers. This might indicate they are after specific targets or organizations rather than widespread infection. The screenshot below shows w3school.hopto[.]org, which served BeEF, called when britishnews.com[.]co is loading:
  18.  
  19. At the bottom of the site are links to social media accounts created by the attackers: Below are screenshots of the accounts. Instagram, Instagram[.]com/britishnewslive with over 13,000 followers (unavailable for several months):
  20. Twitter, https://twitter[.]com/britishnewslive (online at time of writing): Facebook page - facebook[.]com/officialbritishnewslive (unavailable for several months):
  21. LinkedIn company page, linkedin[.]com/company/britishnews (unavailable for several months): The attackers also created a fake LinkedIn profile, Isabella Carey, that “worked” at the fake news company: linkedin[.]com/in/isabella-carey-98a42a129 (unavailable for several months):
  22. An email address with the same name, isabella.careyy@gmail.com, was used to register 12 malicious domains by Charming Kitten, as can be seen in PassiveTotal21: 21 https://community.riskiq.com/search/whois/email/isabella.careyy@gmail.com
  23. Made up studens and jurnalists Multiple Israeli Iranist and middle east researchers were sent emails and Twitter direct messages by made up entities. These entities are reviewed below. Zehavit Yehuda One of the fake entities is “KNBC News journalist Zehavit Yehuda”, who sent the following phishing email: The email links to a website, https://sites.google[.]com/view/docs-downloads, which was built with Google Sites:
  24. The Download button is a redirection link: http://www.google[.]com/url?q=http%3A%2F%2Fdownload-google.com-orginallinks.ga%2Fdownload%2Ffile%2Fusr%<redacted>&sa=D&sntz=1&usg=<redacted> Which leads to a fake log-in page in a domain registered by the attackers: http://download-google.com-orginal-links[.]ga/download/file/usr/<redacted> Yafa Hyat Fake entity "Yafa Hyat" (@yafa1985hyat, online at time of writing) has contacted an Israeli Iranist via a direct message on twitter, pretending to be a political researcher who needs help with an article:
  25. The researcher was asked to read the article in her "google account", which was also a phishing page in Google sites: https://sites.google[.]com/site/yaffadocuments/ :
  26. The site automatically redirects to a phishing website hosted in a domain registered by the attackers, download-google.orginal-links[.]com: "Yafa" also sent an email from yaffa.hyatt9617@gmail.com to a university professor, asking to work at the university center she is heading. The email itself did not contain malicious content, and was likely sent to build trust prior to sending a phishing link or malware:
  27. Bahar Azadeh Fake entity "Bahar Azadeh" (bahra.azadeh88@gmail.com and @baharazadeh122, online at time of writing) sent emails with different background stories to multiple researchers. In two cases, she was a "Jewish girl who has an Iranian origin and who has studied in the field of political science": 22 https://twitter.com/baharazadeh1
  28. Yet in a third case she claimed to be Baha'i living in Tehran: Translation: Hello, Mr. Dr., I am a Bahai living in Tehran, if you can call it a life. As you know, the present situation in Iran for us Bahais is not good at all, so that we are even deprived of our natural right, that is, higher education, as if we Bahais are not human and have no right to live. <redacted>, I have been accepted to universities all across Iran, and after two years of studying in a university, they realized from certain sources that I was Bahai, and expelled me. I did not sit idle and began to constantly protest, I've been summoned [to court] quite a few times for this thing, and I already feel Iran has become a hell for me, and as much as I try I can't find salvation from this hell. One of the reasons I've asked you for help and guidance was reading your book (<redacted>), and your research in this field has been really valuable and helpful, which made this book so beautiful. "I have a few questions for you, please answer me". The entities’ email address is connected to a fake Facebook entity called Emilia Karter (online at time of writing):
  29. Impersonating real companies United Technologies impersonation The attackers created a website impersonating UTC (United Technologies), “an American multinational conglomerate which researches, develops and manufactures products in numerous areas, including aircraft engines, [and] aerospace systems […]. UTC is a large military contractor, getting about 10% of its revenue from the U.S. government”23. The fake website was first reported by Iran Threats researchers on 6 February 201724. We do not have evidence that UTC was targeted or impacted. The fake website, which was built in January 2017, claimed to offer “Free Special Programs And Courses For Employees Of Aerospace Companies like Lockheed Martin, SNCORP, ….”. It was a decoy to make visitor download a “Flash Player”, which was in fact DownPaper malware, analyzed later in this report. 23 https://en.wikipedia.org/wiki/United_Technologies 24 https://iranthreats.github.io/resources/macdownloader-macos-malware/
  30. The malware was served from the following location: http://login.radio-m[.]cf/utc/dnld.exe It was contained in a cabinet self-extractor that impersonates a legitimate Windows software: dnld.exe be207941ce8a5e212be8dde83d05d38d 3b4926014b9cc028d5fb9d47fee3dbd9376525dcb3b6e2173c5edb22494cfa9b
  31. Watering holes The attackers breached the following websites pertaining to Iranian and Jewish cultural affairs: Breached website Description hamijoo[.]com An Iranian crowdfunding platform www.jewishjournal[.]com A Jewish news site www.estherk[.]com A personal blog of one of JewishJournal's writers www.boloogh[.]com A sex education website for Iranian youth levazand[.]com A personal blog of an Iranian living in United sates A script tag that loads BeEF JavaScript from w3school.hopto[.]org or from bootstrap.serveftp[.]com was added, as can be seen in the images below:
  32.  
  33. Spear Phishing for credential stealing The attackers sent hundreds, maybe thousands, of spear phishing emails to hundreds of targets. In this section, we will present samples of spear phishing emails25. Wave 1 The attackers breached the Gmail account of Alon Gur Arye, an Israeli film producer. Alon produced a satire film about the Israeli Mossad, which potentially confused the attackers to thinking he is associated with the Israeli Mossad. The breached account was used to send a phishing email to Thamar Eilam Gindin (who is targeted by the group since 201526). Below is a screenshot of the phishing email: The email contained a shortened bit.ly link to a domain registered by the attackers - drivers.document-supportsharing[.]bid. In the statistics and usage page of the bit.ly URL we can see that the first click, likely a test run performed by the attackers before sending the phish, was from Iran. 25 Names of victims and targets are shared with their permission. 26 See , Thamar Reservoir: http://www.clearskysec.com/thamar-reservoir/
  34. The phishing page pretends to be a Gmail shared document downed page that requires the visitor to log in:
  35. Wave 2 Sometimes the phishing email does not contain live text, but only an image of text linked to a phishing page. This is usually done to bypass text based spam filters. The attackers used WebRTC (code copied from Github27) to detect the real IP address of targets who use proxies (This method was documented by Iran Threats28): While sending the spear phishing, the attackers preformed password recovery on the target’s Facebook account, as can be seen below. Thus, she received fake emails and legitimate ones at the same time which could cause her confusion and subsequently to give her credentials in the phishing. 27 https://github.com/diafygi/webrtc-ips/blob/master/README.md 28 https://iranthreats.github.io/resources/webrtc-deanonymization/
  36. Wave 3 The attackers often open a new Gmail account and send phishing emails from it. For example, suspended.user.noitification@gmail.com was used to send the following email to targets: Which leads to:
  37. In other cases, 7 different targeted phishing emails were sent to the same victim on the same day from customers.mailservice@gmail.com:
  38.  
  39. The phishing messages were sent to hundreds of recipients from a previously unknown email address: mails.customerservices@gmail.com They contained a link to goo-gle[.]mobi Below are screen captures of two of the messages. The content is not copied directly from Googles original notices, as evident from the spelling and grammatical errors, some of them typical of Persian speakers, e.g. using direct speech where English would use indirect speech ("that" instead of "whether"):
  40. Hamed Hashemi, an Iranian Independent researcher and photographer living in the Netherlands was targeted in this campaign. He detected the malicious emails and wrote about them in his twitter account29 30: Translation: "The brothers'31 new method for hacking e-mails. Do not be fooled by such an email". 29 https://twitter.com/hamed_hashemi/status/869835075550162944 30 https://twitter.com/hamed_hashemi/status/869865703939219456 31 I.e. people working for the IRI.
  41. Translation: "Ramezān (The month of Ramadan) operation continues." Other reported receiving 6 spear phishing emails within a few minutes. For example, Soudeh Rad32 board member at ILGAEurope33 (an organization for human rights and equality for lesbian, gay, bisexual, trans and intersex people at European level): Translation: "What's the most important thing to do when you're under a phishing attack? Keep your calm ☺ 6 e-mails arrived within 10 minutes (saying) someone signed into your email (account), confirm your account." 32 https://twitter.com/soudehrad/status/876062478685396992 33 https://twitter.com/ILGAEurope
  42. Behrang Tajdin34 a BBC Persian TV Reporter said35 36 he was targeted in a similar campaign in April 2017: Translation: "If you get an email like this, don't fall for it and don't click. It's nothing but a useless phishing attempt to hack your google and Gmail account." 34 https://twitter.com/Behrang 35 https://twitter.com/Behrang/status/855761991117484032
  43. Translation: “And if you click on the link but don't type your password, they send you another email. Don't fall for "if you wait you regret" “
  44. Email tracking services The attackers often use mailtrack.io to track when phishing emails are opened. These services are often used by marketing people to monitor their campaign effectiveness. Below is the source code of a spear phishing email with a mailtrack.io tracking link: Sometimes the attackers used a similar email tracking service, by Pointofmail. In this case, the malicious email was sent from Pointofmail’s servers (this is part of their service, not due to a breach). The email contained a redirect link to legitimate address advmailservice.com: Which redirects several times, eventually reaching the malicious page:
  45. Targeted emails with malware Email address customers.mailservice@gmail.com was mostly used for spear phishing. Occasionally, it was used to deliver links to malware. For example, the email below linked to http://tinyurl[.]com/hjtaeak which redirected to http://login.radio-m[.[cf/i/10-unique-chocolates-in-the-world.zip. The final URL contained the same sample of DownPaper that was hosted in the fake UTC website mentioned above (be207941ce8a5e212be8dde83d05d38d). Note, that the person who “shared” the file with the target in the malicious email was indeed a Facebook friend of the target (the target shared a link by her a few hours prior to receiving this message), and the subject of chocolate was trending on the target's feed at the time. The attackers spied on the target (potentially by following her on various social networks), and crafted an email she would be likely to receive.
  46. DownPaper Malware DownPaper, sometimes delivered as sami.exe, is a Backdoor trojan. Its main functionality is to download and run a second stage. The sample used in our analysis (3261d45051542ab3e54fa541f132f899) was contained in a Cabinet self-extractor (be207941ce8a5e212be8dde83d05d38d), served from the following URL: http://login.radio-m[.]cf/utc/dnld.exe The process tree below shows dnld.exe drops sami.exe (DownPaper), which in turn runs Powershell to gain persistency: DownPaper performs the following steps: 1. Loads from a resource file a URL of a command and control server. In the sample we analyzed, the URL was “http://46.17.97[.]37/downloader/poster.php”, Base64 encoded as can be seen below: 2. Searches and reads the value of Window Update registry key in the following path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. a. If the value is Null, a new mutex is created, called Global\UpdateCenter, and a mutex synchronization function is executed. b. If the value is different than the name of the running file, section 2.a. is executed and a function called SetStartUp is called via PowerShell to create a registry key named Window Update with the following value:
  47. Locations C:\Users\user1\AppData\Local\Temp\IXP000.TMP\sami.exe C:\Users\user1\AppData\Local\Microsoft\Windows\wuauclt.exe Assembly Details: PDB path: d:\Task\D\Task\FUD\DownPaper\trunk\Downloader\obj\Debug\wuauclt.pdb 3. Sends an HTTP POST request to get the location of a second stage from the command and control server. The requests contain the following fields: a. Infected computer host name b. Username c. Serial Number – Retrieved via the following query: SELECT * FROM Win32_BaseBoard 4. When a file is received, runs it in a new thread. 5. Pause for ten seconds, then repeat step 3. $scriptRoot\AppData\Local\Microsoft\Windows\wuauclt.exe
  48. Additional samples wuauclt.exe d6ea39e1d4aaa8c977a835e72d0975e3 msoffice-update[.]com 93.158.215.50 http://msoffice-update[.]com/gallery/help.php C:\Users\user1\AppData\Local\Temp\IXP000.TMP\sami.exe key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Window Update data: C:\Users\user1\AppData\Local\Microsoft\Windows\wuauclt.exe 10 unique chocolates in the world.exe be207941ce8a5e212be8dde83d05d38d 3b4926014b9cc028d5fb9d47fee3dbd9376525dcb3b6e2173c5edb22494cfa9b sami.exe 3261d45051542ab3e54fa541f132f899 479e1e02d379ad6c3c7f496d705448fa955b50a1 C:\Users\user1\AppData\Local\Temp\IXP000.TMP\sami.exe C:\Users\user1\AppData\Local\Microsoft\Windows\wuauclt.exe 20f2da7b0c482ab6a78e9bd65a1a3a92 http://msoffice-update[.]com/gallery/help.php d:\Task\D\Task\FUD\DownPaper\trunk\Downloader\obj\Debug\wuauclt.pdb ax haye ayin.exe 276befa70cff36860cd97e3e19f10343 753b73b82ec8307f54cfb80091600fb283476aa6df7102d6af82048ef4a5913f 5.79.69[.]206:4455 pita.exe 60753796905458fa6a4407f48309aa25 53f7b95262971d79e676055d239180d653fd838dc6ffb9a3418ccad2b66c54bc C:\Users\user1\AppData\Local\Temp\IXP000.TMP\pita.exe aziii.exe 3c01793380fbd3f101603af68e96f058 13ac10cd2595fb8fefd4e15c1b82bd2c8e1953809f0d1c349641997aeb9f935c Azita Gallery.exe 30124b5c56cecf2045abd24011bdf06b 9aa7fc0835e75cbf7aadde824c484d7dc53fdc308a706c9645878bbd6f5d3ad8
  49. MAGICHOUND.RETRIEVER By pivoting off the malicious infrastructure we found a sample of MAGICHOUND.RETRIEVER, a malware which is covered in a report by Palo Alto Networks about a group they call Magic Hound37. The report says that Magic Hound “has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia”. Also, “Link analysis of infrastructure and tools […] revealed a potential relationship between Magic Hound and the adversary group called ‘Rocket Kitten’”. The last notion is in line with our findings. MAGICHOUND.RETRIEVER is a .NET downloader that retrieves secondary payloads using an embedded URL in its configuration as the C2. Below is the sample that we found. flashplayer.exe 9d0e761f3803889dc83c180901dc7b22 ecf9b7283fda023fa37ad7fdb15be4eadded4e06 d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349f6e192b10d83047a74c9d7 http://update-microsoft[.]bid/img/WebService.asmx http://update-driversonline[.]bid/img/WebService.asmx The connections between the sample and Charming Kitten’s infrastructure is depicted in the graph below: 37 https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
  50. Appendix A - Indicators of Compromise 012mail-net-uwclogin[.]ml 443[.]tcp[.]shorturlbot[.]club 874511478[.]account-login[.]net 8ghefkwdvbfdsg3asdf1[.]com account-customerservice[.]com account-dropbox[.]net account-google[.]co account-login[.]net account-logins[.]com account-log-user-verify-mail[.]com account-permission-mail-user[.]com accounts[.]account-google[.]co accounts[.]activities[.]devices[.]com[.]accounts[.]activities[.]devices[.]com[.]usersettings[.]cf accounts[.]activities[.]devices[.]com[.]accounts[.]google[.]com[.]usersettings[.]cf accounts[.]activities[.]devices[.]com[.]drive[.]google[.]com[.]usersettings[.]cf accounts[.]activities[.]devices[.]com[.]usersettings[.]cf accounts[.]google[.]com[.]accounts[.]activities[.]devices[.]com[.]usersettings[.]cf accounts[.]google[.]com[.]accounts[.]google[.]com[.]usersettings[.]cf accounts[.]google[.]com[.]drive[.]google[.]com[.]usersettings[.]cf accounts[.]google[.]com[.]usersettings[.]cf accountservice[.]support account-servicerecovery[.]com accounts-googelmail[.]com accounts-googelmails[.]com account-signin-myaccount-users[.]ga accounts-logins[.]net accountsrecovery[.]ddns[.]net accounts-service[.]support accountsservice-support[.]com account-support-user[.]com accounts-yahoo[.]us accountts-google[.]com account-user[.]com account-user-permission-account[.]com account-users-mail[.]com account-user-verify-mail[.]com acounts-qooqie-con[.]ml addons-mozilla[.]download ae[.]ae[.]asus-support[.]net ae[.]asus-support[.]net ae[.]bocaiwang[.]asus-support[.]net ae[.]client[.]asus-support[.]net aipak[.]org aiqac[.]org aol-mail-account[.]com apache-utility[.]com api[.]com-service[.]net app-documents[.]com app-facebook[.]co appleid[.]apple[.]com[.]account-logins[.]com araamco[.]com araamco[.]com archive-center[.]com asus-support[.]net asus-update[.]com berozkhodro[.]com blog[.]group-google[.]com bocaiwang[.]ae[.]asus-support[.]net bocaiwang[.]asus-support[.]net bocaiwang[.]bocaiwang[.]asus-support[.]net bocaiwang[.]client[.]asus-support[.]net book-archivecenter[.]bid books-archivecenter[.]bid books-archivecenter[.]club books-google[.]accountservice[.]support books-google[.]books-archivecenter[.]bid books-google[.]www[.]books-archivecenter[.]bid books-view[.]com bootstrap[.]serveftp[.]com britishnews[.]com[.]co britishnews[.]org broadcastbritishnews[.]com brookings-edu[.]in change-mail-accounting-register-single[.]com change-mail-account-nodes-permision[.]com change-permission-mail-user-managment[.]com change-user-account-mail-permission[.]com client[.]ae[.]asus-support[.]net client[.]asus-support[.]net client[.]bocaiwang[.]asus-support[.]net client[.]client[.]asus-support[.]net codeconfirm-recovery[.]bid codeconfirm-recovery[.]club com-account-login[.]com com-accountrecovery[.]bid com-accountsecure-recovery[.]name com-accountsrecovery[.]name com-archivecenter[.]work com-customeradduser[.]bid com-customerservice[.]bid com-customerservice[.]name com-customerservices[.]name com-customersuperuser[.]bid
  51. com-download[.]ml com-manage-accountuser[.]club com-messagecenter[.]bid com-messengerservice[.]bid com-messengerservice[.]work com-microsoftonline[.]club com-mychannel[.]bid com-orginal-links[.]ga com-recoversessions[.]bid com-recovery[.]com com-recoveryadduser[.]bid com-recoveryidentifier[.]bid com-recoveryidentifier[.]name com-recoveryidentifiers[.]bid com-recoverymail[.]bid com-recoverysecureuser[.]club com-recoverysecureusers[.]club com-recoveryservice[.]bid com-recoveryservice[.]info com-recoverysessions[.]bid com-recoverysubusers[.]bid com-recoverysuperuser[.]bid com-recoverysuperuser[.]club com-recoverysuperuser[.]name com-recoverysuperusers[.]bid com-recoverysupport[.]bid com-recoverysupport[.]club com-service[.]net com-servicecustomer[.]bid com-servicecustomer[.]name com-servicemail[.]bid com-servicerecovery[.]bid com-servicerecovery[.]club com-servicerecovery[.]info com-servicerecovery[.]name com-servicescustomer[.]name com-serviceslogin[.]com com-showvideo[.]gq com-statistics[.]com com-stats[.]com com-video[.]net com-videoservice[.]work com-viewchannel[.]club confirm-code[.]account-support-user[.]com crcperss[.]com cvcreate[.]org digitalqlobe[.]com display-error-runtime[.]com display-ganavaro-abrashimchi[.]com docs-google[.]co documents[.]sytes[.]net documents-supportsharing[.]bid documents-supportsharing[.]club document-supportsharing[.]bid doc-viewer[.]com download[.]account-login[.]net download-google[.]com-orginal-links[.]ga download-google[.]orginal-links[.]com download-link[.]top drive[.]change-mail-account-nodes-permision[.]com drive[.]google[.]com[.]accounts[.]activities[.]devices[.]com[.]usersettings[.]cf drive[.]google[.]com[.]accounts[.]google[.]com[.]usersettings[.]cf drive[.]google[.]com[.]drive[.]google[.]com[.]usersettings[.]cf drive[.]google[.]com[.]usersettings[.]cf drive[.]privacy-yahoomail[.]com drive-download[.]account-support-user[.]com drive-download[.]account-user-permission-account[.]com drive-file[.]account-support-user[.]com drive-google[.]co drive-login[.]cf drive-mail[.]account-support-user[.]com drive-permission-user-account[.]com drivers[.]document-supportsharing[.]bid drives-google[.]co drives-google[.]com drives-google[.]com[.]co drive-useraccount-signin-mail[.]ga dropbox[.]com-servicecustomer[.]name dropbox[.]com-servicescustomer[.]name drop-box[.]vip dropebox[.]co embraer[.]co emiartas[.]com error-exchange[.]com eursaia[.]org facebook[.]com-service[.]gq facebook[.]notification-accountrecovery[.]com fanderfart22[.]xyz fardenfart2017[.]xyz fb[.]com-download[.]ml fb-login[.]cf ftp[.]account-logins[.]com ftp[.]account-permission-mail-user[.]com ftp[.]accountservice[.]support ftp[.]accountsservice-support[.]com ftp[.]archive-center[.]com ftp[.]britishnews[.]com[.]co ftp[.]com-recoveryservice[.]info ftp[.]com-service[.]net ftp[.]goo-gle[.]cloud ftp[.]goo-gle[.]mobi
  52. ftp[.]microsoft-upgrade[.]mobi ftp[.]news-onlines[.]info ftp[.]officialswebsites[.]info ftp[.]orginal-links[.]com ftp[.]screen-royall-in-corporate[.]com ftp[.]screen-shotuser-trash-green[.]com ftp[.]sdfsd[.]screen-royall-in-corporate[.]com ftp[.]service-broadcast[.]com ftp[.]service-recoveryaccount[.]com ftp[.]set-ymail-user-account-permission-challenge[.]com ftp[.]support-aasaam[.]com ftp[.]support-recoverycustomers[.]com ftp[.]uk-service[.]org ftp[.]verify-account[.]services ftp[.]w3schools-html[.]com ftp[.]www[.]britishnews[.]com[.]co ftp[.]www[.]screen-shotuser-trash-green[.]com gle-mail[.]com gmail[.]com-recoverymail[.]bid gmail[.]com-u6[.]userlogin[.]security-login[.]activity[.]com-verification-accounts[.]com gmail-recovery[.]ml gmal[.]cf goog-le[.]bid goo-gle[.]bid goo-gle[.]cloud google[.]mail[.]com-servicecustomer[.]bid google[.]mail[.]mail[.]google[.]com-servicecustomer[.]bid google[.]mail[.]www[.]com-servicecustomer[.]bid goo-gle[.]mobi google-drive[.]account-servicerecovery[.]com google-drive[.]accounts-service[.]support google-drive[.]account-support-user[.]com google-drive[.]com[.]accountservice[.]support google-drive[.]service-recoveryaccount[.]com google-hangout[.]accountservice[.]support google-hangout[.]accounts-service[.]support google-hangout[.]account-support-user[.]com google-hangout[.]verify-account[.]services google-mail[.]com[.]co googlemail[.]com-customersuperuser[.]bid google-mail-recovery[.]com googlemails[.]co google-profile[.]com google-profiles[.]com google-setting[.]com google-verification[.]com google-verify[.]com google-verify[.]net hangout[.]com-messagecenter[.]bid hangout[.]messageservice[.]club help-recovery[.]com hot-mail[.]ml hqr-mail[.]nioc-intl[.]account-user-permission-account[.]com id-bayan[.]com iforget-memail-user-account[.]com iranianuknews[.]com ir-owa-accountservice[.]bid itunes-id-account[.]users-login[.]com k2intelliqence[.]com k2intelliqence[.]com komputertipstrik[.]com-customeradduser[.]bid line-en[.]me log[.]account[.]accountservice[.]support login[.]com-service[.]net login[.]radio-m[.]cf login-account[.]net login-account-google[.]orginal-links[.]com login-account-mail[.]com login-again[.]ml login-mail[.]account-servicerecovery[.]com login-mail[.]verify-account[.]services login-mails[.]account-servicerecovery[.]com login-mails[.]accounts-service[.]support login-mails[.]account-support-user[.]com login-mails[.]verify-account[.]services login-required[.]ga login-required[.]ml login-required[.]tk logins-mails[.]account-customerservice[.]com logins-mails[.]account-servicerecovery[.]com logins-mails[.]accounts-service[.]support logins-mails[.]accountsservice-support[.]com logins-mails[.]com-servicecustomer[.]name logins-mails[.]service-recoveryaccount[.]com login-webmail[.]accounts-service[.]support login-webmail[.]account-support-user[.]com login-webmail[.]verify-account[.]services logn-micrsftonine-con[.]ml m[.]com-service[.]net mail[.]account-google[.]co mail[.]com-service[.]net mail[.]google[.]com-customerservice[.]name mail[.]google[.]com-customerservices[.]name mail[.]google[.]com-recoveryservice[.]info mail[.]google[.]com-servicecustomer[.]bid mail[.]google[.]com-servicescustomer[.]name mail[.]google[.]mail[.]google[.]com-servicecustomer[.]bid mail[.]google[.]www[.]com-servicecustomer[.]bid mail[.]google[.]www[.]dropbox[.]com-servicescustomer[.]name mail[.]group-google[.]com
  53. mail[.]mehrnews[.]info mail[.]orginal-links[.]com mail[.]yahoo[.]com-servicecustomer[.]name mail[.]youtube-com[.]watch mail3[.]google[.]com-servicecustomer[.]name mail-account-register-recovery[.]com mailgate[.]youtube-com[.]watch mailgoogle[.]com-recoveryidentifier[.]bid mailgoogle[.]com-recoverymail[.]bid mailgoogle[.]com-recoveryservice[.]bid mailgoogle[.]com-recoverysuperuser[.]bid mailgoogle[.]com-recoverysupport[.]bid mail-google[.]com-servicecustomer[.]name mailgoogle[.]com-servicerecovery[.]bid mail-inbox[.]account-support-user[.]com mail-login[.]account-login[.]net mail-login[.]accountservice[.]support mail-login[.]account-servicerecovery[.]com mail-login[.]service-recoveryaccount[.]com mail-login[.]verify-account[.]services mail-macroadvisorypartners[.]ml mails[.]com-servicerecovery[.]name mails-account-signin-users-permssion[.]com mailscustomer[.]recovery-emailcustomer[.]com mailssender[.]bid mail-user-permission-sharedaccount[.]com mail-usr[.]account-support-user[.]com mail-verify[.]account-support-user[.]com mail-yahoo[.]com[.]co market-account-login[.]net me[.]youtube[.]com-mychannel[.]bid mehrnews[.]info messageservice[.]bid messageservice[.]club mfacebook[.]login-required[.]ga microsoft-hotfix[.]com microsoft-update[.]bid microsoft-upgrade[.]mobi microsoft-utility[.]com msoffice-update[.]com mx1[.]group-google[.]com my[.]youtube[.]com-mychannel[.]bid myaccount-login[.]net mychannel[.]ddns[.]net mychannel[.]ddns[.]net mydrives[.]documents-supportsharing[.]bid myemails[.]com-recoverysuperuser[.]name my-healthequity[.]com mymail[.]com-recoveryidentifiers[.]bid mymail[.]com-recoverysuperuser[.]name my-mailcoil[.]ml mymails[.]com-recoverysuperuser[.]bid mymails[.]com-recoverysuperuser[.]name myscreenname[.]bid news-onlines[.]info nex1music[.]ml notification-accountrecovery[.]com ns1[.]check-yahoo[.]com ns1[.]com-service[.]net ns2[.]check-yahoo[.]com nvidia-support[.]com nvidia-update[.]com officialswebsites[.]info official-uploads[.]com ogin-mails[.]accounts-service[.]support onedrive-signin[.]com onlinedocument[.]bid onlinedocuments[.]org onlinedrie-account-permission-verify[.]com onlineserver[.]myftp[.]biz online-supportaccount[.]com orginal-links[.]com outlook-livecom[.]bid owa-insss-org-ill-owa-authen[.]ml paypal[.]com[.]webapp[.]logins-mails[.]service-recoveryaccount[.]com paypal[.]com[.]webapp[.]paypal[.]com[.]webapp[.]service-recoveryaccount[.]com paypal[.]com[.]webapp[.]service-recoveryaccount[.]com picofile[.]xyz policy-facebook[.]com pop[.]group-google[.]com privacy-facebook[.]com privacy-gmail[.]com privacy-yahoomail[.]com profile[.]facebook[.]accountservice[.]support profile[.]facebook[.]notification-accountrecovery[.]com profile-facebook[.]co profiles-facebook[.]com profile-verification[.]com qet-adobe[.]com radio-m[.]cf raykiel[.]net recoverycodeconfirm[.]bid recovery-customerservice[.]com recovery-emailcustomer[.]com recoverysuperuser[.]bid register-multiplay[.]ml reset-login[.]accountservice[.]support reset-login[.]account-support-user[.]com reset-login-yahoo-com[.]account-support-user[.]com reset-mail[.]account-support-user[.]com
  54. reset-mail-yahoo-com[.]account-support-user[.]com resets-mails[.]account-support-user[.]com result2[.]com-servicescustomer[.]name result2[.]www[.]dropbox[.]com-servicescustomer[.]name sadashboard[.]com saudiarabiadigitaldashboards[.]com saudi-government[.]com saudi-haj[.]com screen-royall-in-corporate[.]com screen-shotuser-trash-green[.]com sdfsd[.]screen-royall-in-corporate[.]com sdfsd[.]screen-shotuser-trash-green[.]com security-supportteams-mail-change[.]ga service-accountrecovery[.]com service-broadcast[.]com servicecustomer[.]bid servicelogin-mail[.]account-servicerecovery[.]com service-logins[.]net servicemailbroadcast[.]bid service-recoveryaccount[.]com set-ymail-user-account-permission-challenge[.]com shared-access[.]com shared-login[.]com shared-permission[.]com shop[.]account-dropbox[.]net shorturlbot[.]club show[.]video-youtube[.]cf show-video[.]info slmkhubi[.]ddns[.]net smstagram[.]com smtp[.]com-service[.]net smtp[.]group-google[.]com smtp[.]youtube-com[.]watch sports[.]accountservice[.]support sprinqer[.]com support[.]account-google[.]co support-aasaam[.]bid support-aasaam[.]com support-accountsrecovery[.]com support-google[.]co support-recoverycustomers[.]com supports-recoverycustomers[.]com support-verify-account-user[.]com tadawul[.]com[.]co tai-tr[.]com tcp[.]shorturlbot[.]club team-speak[.]cf team-speak[.]ga team-speak[.]ml teamspeak-download[.]ml teamspeaks[.]cf telagram[.]cf test[.]service-recoveryaccount[.]com token-ep[.]com uk-service[.]org update-checker[.]net update-driversonline[.]bid update-driversonline[.]club update-finder[.]com update-microsoft[.]bid updater-driversonline[.]club update-system-driversonline[.]bid uploader[.]sytes[.]net upload-services[.]com uri[.]cab us[.]battle[.]net[.]cataclysm[.]account-logins[.]com usersettings[.]cf users-facebook[.]com users-login[.]com users-yahoomail[.]com utc[.]officialswebsites[.]info utopaisystems[.]net verify-account[.]services verify-accounts[.]info verify-facebook[.]com verify-gmail[.]tk verify-your-account-information[.]users-login[.]com video[.]yahoo[.]com[.]accountservice[.]support video[.]yahoo[.]com-showvideo[.]gq video[.]youtube[.]com-showvideo[.]ga video-mail[.]account-support-user[.]com video-yahoo[.]accountservice[.]support video-yahoo[.]account-support-user[.]com video-yahoo[.]com[.]accountservice[.]support video-youtube[.]cf w3sch00ls[.]hopto[.]org w3school[.]hopto[.]org w3schools[.]hopto[.]org w3schools-html[.]com watch-youtube[.]org[.]uk webmaiil-tau-ac-il[.]ml webmail-login[.]accountservice[.]support webmail-tidhar-co-il[.]ml wildcarddns[.]com-service[.]net windows-update[.]systems wp[.]com-microsoftonline[.]club ww2[.]group-google[.]com ww62[.]group-google[.]com ww62[.]mx1[.]group-google[.]com ww92[.]group-google[.]com xn--googe-q2e[.]ml
  55. yahoo[.]com[.]accountservice[.]support yahoo-proflles[.]com yahoo-verification[.]net yahoo-verification[.]org yahoo-verify[.]net youetube[.]ga yourl[.]bid youttube[.]ga youttube[.]gq youtubbe[.]cf youtubbe[.]ml youtube[.]com[.]login-account[.]net youtube[.]com-service[.]gq youtube-com[.]watch youtubee-videos[.]com youtubes[.]accounts[.]com-serviceslogin[.]com youtuebe[.]co youtuobe[.]com[.]co youutube[.]cf yurl[.]bid admin@doc-viewer.com admin@dropebox.co admin@screen-royall-in-corporate.com admin@screen-shotuser-trash-green.com anita.jepherson@gmail.com aryaieiran@gmail.com aryaieiran@gmail.com bahra.azadeh88@gmail.com cave.detector@yandex.com cave.detector@yandex.com center2016@yandex.com chada.martini@yandex.com chada.martini@yandex.com cool.hiram@yandex.com customers.mailservice@gmail.com customers.noreplyservice@gmail.com international.research@mail.com isabella.careyy@gmail.com isabella.careyy@gmail.com john.lennon@uymail.com jully.martin@yandex.com jully.martin@yandex.com mails.customerservices@gmail.com martin.switch911@gmail.com martin.switch911@gmail.com message.intercom@gmail.com message.intercom@gmail.com nami.rosoki@gmail.com online.nic@yandex.com online.nic@yandex.com rich.safe@yandex.com rskitman@gmail.com sali.rash@yandex.com sali.rash@yandex.com service.center2016@yandex.com service.center2016@yandex.com suspended.user.noitification@gmail.com yaffa.hyatt9617@gmail.com 107.150.38.19 107.150.60.156 107.150.60.158 107.6.179.131 136.243.108.100 136.243.221.148 136.243.226.189 137.74.131.208 137.74.148.218 144.76.97.61 144.76.97.62 145.239.120.88 149.56.135.42 149.56.201.205 158.255.1.34 164.132.251.217 164.132.29.69 173.208.129.180 173.244.180.131 173.244.180.132 173.244.180.133 173.244.180.134 173.45.108.55 173.90.180.125 178.33.38.128 185.117.74.165 185.141.24.64 185.141.24.66 185.82.202.174 192.99.127.216 194.88.107.63 204.12.207.108 204.12.207.110 204.12.242.84 204.12.242.85 207.244.77.15 207.244.79.143 207.244.79.144 207.244.79.147 207.244.79.148 208.110.73.219 208.110.73.220 208.110.73.221 208.110.73.222 209.190.3.113 209.190.3.114 209.190.3.115 209.190.3.41
  56. 209.190.3.42 209.190.3.43 213.152.173.198 213.32.11.30 213.32.49.232 217.23.3.158 217.23.5.166 31.3.236.90 31.3.236.91 31.3.236.92 37.220.8.13 46.17.97.240 46.17.97.243 46.17.97.37 46.17.97.40 5.152.202.51 5.152.202.52 5.79.105.153 5.79.105.156 5.79.105.161 5.79.105.165 5.79.69.198 51.254.254.217 51.255.28.57 54.36.217.8 69.30.221.126 69.30.224.244 69.30.224.245 81.171.25.229 81.171.25.232 85.17.172.170 86.105.1.111 91.218.245.251 92.222.206.208 93.158.200.170 93.158.215.50 93.158.215.52 94.23.90.226 00b5d45433391146ce98cd70a91bef08 07fb3f925f8ef2c53451b37bdd070b55 0a3f454f94ef0f723ac6a4ad3f5bdf01 0e3cb289f65ef5faf40fa830ac9b1bf6 1c00fd5e1ddd0226bd854775180fd361 1db12ec1f335ee5995b29dea360514a2 20f2da7b0c482ab6a78e9bd65a1a3a92 253b4f5c6611a4bc9c7f5269b127c8e9 3261d45051542ab3e54fa541f132f899 356439bfb9b2f49858897a22dd85df86 365482f10808ddd1d26f3dc19c41c993 3bb2f304a59255dddc5ef6bb0a32aec7 3edec580845d7ab85fa893afb391fbfb 5e9a458dcdfc9d2ce996081ec87c30e0 5ec9f484603b89f80f351bb88279ebb1 6bd505616e12e3dd7f2287f24f34609f 6cfa579dd1d33c2fa42d85c2472f744c 7df3a83dfcce130c01aabede3cfe8140 7e1cf48d84e503499c9718c50e7a1c52 9c7ae44baf8df000bb614738370d1171 9d0e761f3803889dc83c180901dc7b22 a43b7cc495741248f3647e647f776467 a9117da1cb51adbc88a52a6e3b16a6c4 ae797446710e375f0fc9a33432d64256 af5c01a7a3858bc3712ab69bc673cec4 bd0a6fe7a852fdd61c1da37cf99103d2 be207941ce8a5e212be8dde83d05d38d bfd21f2847c1d7aa0f409ef52ed52e05 c7760dc8f7baf67f80ab549af27df9e9 c96453247ee1ecbd4053da8bbb4cf572 ccaf21e122ca9d2e2397a9e28eb4cc87 d6ea39e1d4aaa8c977a835e72d0975e3 d6fa439f0278babb1edff32d8dc31c59 da1f6a5f2a5564c2131b4a311c55f487 e7dd9b8fe7ae14faad304d139f71b629 e93992f26f224ea53d9bdd9564e8e1c0 edd4011696ddd349575278aed7031a47 f5763b8b796b1c5d04febcc65f853967 f7f9806af42adb80d100e55f35cfa86c f9255e0d492eb20df1e78ccc970b121a fac158623b0e3ed3bea6e24b1795cb95 479e1e02d379ad6c3c7f496d705448fa955b50a1 67bb83bbe82ffa910386216619c5ebf9eecf13e6 6cacf83033fa97f4ac27eb27e4aa265afa4dc51d a2f17906ca39e7f41a8adeea4be5ffb7d1465c4a c5ea8680162d3e8bc3d71c060c15bf224c873f7a d97b13ed0fe3e41b60b9d45b6e7f68c9b6187b96 eac4a47f238ee62661f464a807b3e0b5079b835f ecf9b7283fda023fa37ad7fdb15be4eadded4e06 19c0977fdbc221f7d6567fb268a4ef4cd2a759fcbc1039a82366978089f080d2 1a24714fd99030bd63804ab96fc2612f148a5f08d1c2845152c3a0e168600db9 261c5f32abb8801576ce81be2c66bca564a8a28ab5ea0954bad6bac7071e299b 2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f 2db1e2c49ff0792b54d84538c9a420de7aa619602b66add502e2b6ea7c79fd4b 4fff9cd7f5f4c9048cfaf958a54cc4c4bc14c9fdbfd63e2c17f79913f0ea8c21 6618051ea0c45d667c9d9594d676bc1f4adadd8cb30e0138489fee05ce91a9cb 8aff94ceb2fed8ba864df929fbbec3dd82cbd968c5b2f42971fb756d1ba1ecb6 a86ccf0049be20c105e2c087079f18098c739b86d52acb13f1d41f1ccc9f8e1c
  57. acca9f004a596ea33af65725c2319bf845a442ee9fa09c511d359df2f632cf4d b0b177d06fb987429f01d937aaa1cbb7c93a69cfaef146b60f618f8ab26fac38 d4375a22c0f3fb36ab788c0a9d6e0479bd19f48349f6e192b10d83047a74c9d7 d7e1d13cab1bd8be1f00afbec993176cc116c2b233209ea6bd33e6a9b1ec7a7f d7f2b4188b7c30c1ef9c075891329dbcf8e9b5ebac1ef8759bc3bb2cf68c586f d84e808e7d19a86bea3862710cae1c45f7291e984c9857d0c86881812674d4bb e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716
  58. Appendix B - Previous reports about Charming Kitten and Rocket Kitten Rocket Kitten: • rocket kitten: a campaign with 9 lives - Check Point Blog38 • LONDON CALLING Two-Factor Authentication Phishing From Iran39 • Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East40 • Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign41 • The Kittens Strike Back: Rocket Kitten Continues Attacks on Middle East Targets42 • Increased Use of Android Malware Targeting Journalists43 • Iran and the Soft War for Internet Dominance44 Charming Kitten: • iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)45 • Fictitious Profiles and WebRTC’s Privacy Leaks Used to Identify Iranian Activists46 • Freezer Paper around Free Meat47 38 https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf 39 https://citizenlab.ca/2015/08/iran_two_factor_phishing/ 40 http://www.clearskysec.com/thamar-reservoir/ 41https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing 42 https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets 43 https://iranthreats.github.io/resources/android-malware/ 44 https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf 45 https://iranthreats.github.io/resources/macdownloader-macos-malware/ 46 https://iranthreats.github.io/resources/webrtc-deanonymization/ 47 https://securelist.com/freezer-paper-around-free-meat/74503/
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!