APT28最新攻击分析报告

主要内容：APT28仍然使用DDE进行投放，并且他们的Zebrocy和Koadic家族出现变种，其使用的UserAgents可加特征

资产关联图

User Agents特征

隐藏的DDE域命令

相关url（顺便一提，火绒已经拦截了访问请求，弹出上网保护，很迅速，大力推荐）

hxxp://86.106.131.177:6500/zIZFh\

hxxp://86.106.131[.]177/link/GRAPH.EXE

hxxp://92.114.92[.]102:80/d

hxxp://220.158.216[.]127/MScertificate.exe & MScertificate.exe

报告地址

https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/  

IOCs

Domain

supservermgr[.]com

URL

hxxp://supservermgr[.]com/sys/upd/pageupd.php

Zebrocy

d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc

cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df

25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8

115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03

f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1

5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2

dd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d

Koadic

abbad7acd50754f096fdc6551e728aa6054dcf8e55946f90a02b17db552471ca

User Agents

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)

Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko

Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1

IPs

185.25.51[.]198

185.25.50[.]93

220.158.216[.]127

92.114.92[.]102

86.106.131[.]177

85.25.50[.]93

86.106.131[.]177

DDE Docs

85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5

8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff