Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account.
In this edition, we cover:
- Mustang Panda PlugX
- Fancy Bear
- Emotet
- Prometei
Roundup Highlight: Mustang Panda
Our highlight in this Roundup is Incident 20200728A: File Matching YARA Rule Associated to Mustang Panda PlugX. File d92a74ec57e53d449e0f0d4053f8adb6e1bb6ca339284e1e0045d416fcd022a6 was identified via a YARA rule as a Mustang Panda PlugX binary.
The embedded config contains the following Command and Control locations which have been associated with this Incident:
185.239.226(.)65:80
185.239.226(.)65:443
The probable link to Mustang Panda rests on the similarity between these PlugX samples and those described at:
https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/
Similar traits include:
- The same config decryption key is used: “123456789”
- The binary is obfuscated with a 10-byte XOR key
- Shellcode is placed in the MZ header
File d92a74ec57e53d449e0f0d4053f8adb6e1bb6ca339284e1e0045d416fcd022a6 was decrypted from File 27ea939f41712a8655dc2dc0bce7d32a85e73a341e52b811b109befc043e762a.
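The 10-byte XOR obfuscation noted above is the kind of layer an analyst strips before the YARA match or config extraction can run. The script below is an added example, not code from ThreatConnect or from the cited reports, showing how a repeating XOR key of known length can be recovered from an obfuscated PE image and the image decoded. It assumes the key length is 10 (as the roundup states) and that the most common plaintext byte at every key offset is 0x00, which holds for ordinary Windows binaries because of zero-filled headers and section padding. The key and the stand-in "payload" are constructed for the demonstration; neither is taken from the real sample.

```python
"""
Added example (not from the ThreatConnect post): recover a repeating
10-byte XOR key from an obfuscated PE image and decode it.

Assumptions (constructed for illustration):
  * key length is 10, as the roundup states for this PlugX sample;
  * the plaintext is a PE image in which 0x00 is the most frequent byte
    at every key offset, so the most frequent ciphertext byte at that
    offset equals the key byte.
The sample payload and key below are constructed, not the real file.
"""
from collections import Counter
from typing import Tuple

KEY_LEN = 10


def recover_xor_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Guess each key byte as the most frequent ciphertext byte in its
    column (every key_len-th byte). With 0x00-dominant plaintext,
    ciphertext byte == key byte at that position."""
    key = bytearray(key_len)
    for i in range(key_len):
        column = blob[i::key_len]
        key[i] = Counter(column).most_common(1)[0][0]
    return bytes(key)


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Apply the repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_pe(data: bytes) -> bool:
    """Minimal sanity check on a decoded buffer: 'MZ' magic and a
    'PE\\0\\0' signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS header with e_lfanew,
    a PE signature, and mostly zero padding around a short string."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    body = (b"PE\x00\x00" + b"\x00" * 200
            + b"this is not a real PlugX sample" + b"\x00" * 300)
    return bytes(header) + body


# Constructed key for the demo; the real sample's key is not on the page.
CONSTRUCTED_KEY = bytes.fromhex("1f2e3d4c5b6a798897a6")


def deobfuscate(blob: bytes) -> Tuple[bytes, bytes]:
    """Recover the key from the blob itself and return (key, decoded)."""
    key = recover_xor_key(blob)
    return key, xor_decode(blob, key)


if __name__ == "__main__":
    obfuscated = xor_decode(build_fake_pe(), CONSTRUCTED_KEY)
    key, decoded = deobfuscate(obfuscated)
    print("recovered key:", key.hex())
    print("decoded looks like PE:", looks_like_pe(decoded))
```

On a real dump, run `deobfuscate` over the blob and gate on `looks_like_pe` before handing the result to YARA or a config extractor; if the check fails, the key length or the zero-dominance assumption is wrong for that sample and the column statistics should be inspected by hand.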
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20200724A: Possible Fancy Bear Domain revampme[.]net. ThreatConnect Research identified a possible Fancy Bear domain which was registered through Nemo Hosts on May 15, 2020 and is hosted on a possible dedicated server.
- 20200721A: File Matching YARA Rule Associated to Mustang Panda PlugX. A file was identified via a YARA rule as a Mustang Panda PlugX binary.
Technical Blogs and Reports
Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Daily Emotet IoCs and Notes for 07/22/20 (Source: https://paste.cryptolaemus.com/emotet/2020/07/22/emotet-malware-IoCs_07-22-20.html)
- Prometei botnet and its quest for Monero (Source: https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html)
- Daily Emotet IoCs and Notes for 07/23/20 (Source: https://paste.cryptolaemus.com/emotet/2020/07/23/emotet-malware-IoCs_07-23-20.html)
- Threat Roundup for July 17 to July 24 (Source: https://blog.talosintelligence.com/2020/07/threat-roundup-0717-0724.html)
- Daily Emotet IoCs and Notes for 07/27/20 (Source: https://paste.cryptolaemus.com/emotet/2020/07/27/emotet-malware-IoCs_07-27-20.html)
- Daily Emotet IoCs and Notes for 07/28/20 (Source: https://paste.cryptolaemus.com/emotet/2020/07/28/emotet-malware-IoCs_07-28-20.html)