Add IOCs for TA410

ta410/README.adoc

@@ -0,0 +1,98 @@
+= A Lookback Under The TA410 Umbrella: Its Cyberespionage TTPs And Activity -- Indicators of Compromise
+
+The blog post on TA410 is available on WeLiveSecurity at
+https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/.
+
+== Files
+
+[options="header"]
+|===
+|SHA-1 |Filename |Detection |Description
+|`C96558312FBF5847351B0B6F724D7B3A31CCAF03` |N/A |Win32/Agent.UWR |FlowCloud v5.0.3 initial loader
+|`1403241C415A8D686B1148FA4229A2EB833D8D08` |setlangloc.dll |Win32/Agent.UNL |FlowCloud DLL hijacking malicious library
+|`38D0E92AFF991CFC9C68D7BAAD6CB85916139AF5` |hidmouse.sys |Win32/Agent.UKR |TA410 32-bit Rootkit/Keylogger driver
+|`AF978ED8AD37CE1437A6B42D96BF518D5C4CFD19` |hidmouse.sys |Win64/Agent.UKR |TA410 64-bit Rootkit/Keylogger driver
+|`B70F3A3A9B5B8506EE95791469CA496E01AD7DAF` |winver32.dll |Win32/Agent.ULH |FlowCloud v4.1.3 hcClientLoaderZero_x86 backdoor
+|`014421BDB1EA105A6DF0C27FC114819FF3637704` |hhh.exe |Win32/Agent.ABYK |FlowCloud v4.1.3 initial loader
+|`EA298866E5A61FEEA4D062987F23B10A78C8A4CA` |N/A |Win32/Agent.ULH |FlowCloud v4.1.3 backdoor
+|`021B9E2E8AA30B29569254C0378A9F43E4F32EEC` |winver64.dll |Win64/Agent.KM |FlowCloud v4.1.3 hcClientLoaderZero_x64 backdoor
+|`2A2F08FAD6B0A86DC94885224687D954E739CC21` |N/A |Win32/ParanoidFish.A |Pafish sandbox detection tool
+|`3658B7CCA13C8C8AD03E9B6AEFE4B9CBE48E3C81` |hidmouse.sys |Win64/Agent.UKR |TA410 Rootkit/Keylogger driver
+|`517488F6BD0E7FC9EDE82F37226A75212B277E21` |hidmouse.sys |Win64/Agent.UKR |TA410 Rootkit/Keylogger driver
+|`C05B4AD7A3322917E17710842FB88A090198D51F` |N/A |Win32/Agent.TWI |LookBack trojanized libcurl loader
+|`DB2DF1BDF8145CB8ABA3A2026A3CC3EF4F1762BE` |phx.dll |Win32/Agent.TWI |LookBack trojanized libcurl loader
+|`EDE2AB811311FC011B1E89C5A0B7A60C123B7398` |hidmouse.sys |Win64/Agent.UKR |TA410 Rootkit/Keylogger driver
+|`7AA35BA7030AFCD271436DE8173D7B2F317A1BFC` |libcurl.dll |Win32/Agent.TWI |LookBack trojanized libcurl loader
+|`A5C02ABE698300F3DE0B7CC7F0856652753831DA` |libcurl.dll |Win32/Agent.TWI |LookBack trojanized libcurl loader
+|`613C4AFAE8F5F80F22DCD1827E3230FCA361ADA5` |libcurl.dll |Win32/Agent.UKD |LookBack trojanized libcurl loader
+|`859CD6DFDADAB3D6427C6C1C29581CB2094D648F` |meterpreter.exe |Win32/Rozena.CP |Metasploit Meterpreter backdoor
+|`DBEA7F0C0D2BF8BC365A2D1572CA1538FE8FB9A3` |responsor.dat |Win32/Agent.ULL |FlowCloud fcClientDLL final stage backdoor
+|`ADD5B4FD9AEA6A38B5A8941286BC9AA4FE23BD20` |絆邧坋蔡趕昴.doc |Win32/Exploit.Agent.TY |Malicious Royal Road document.
+|`7BA42061568FF6D9CA5FE5360DCE74C25EA48ADA` |N/A |Win32/Agent.ACKQ |Packed Tendyron downloader.
+|`D81215890703C48B8EA07A1F50FEC1A6CA9DF88B` |N/A |Win32/TrojanDownloader.Agent.FLI |Unpacked Tendyron downloader.
+|`F359D3C074135BBCA9A4C98A6B6544690EDAE93D` |OnKeyToken_KEB.dll |Win32/Injector.ELGA |Tendyron malicious DLL.
+|`621B31D5778EC2FB72D38FB61CED110A6844D094` |N/A |Win64/Rozena.AO |X4 network shellcode.
+|`BC11DC8D86A457A07CFE46B5F2EF6598B83C8A1F` |m.exe |Win32/Injector.EMVA |Korplug dropper.
+|`C369E1466F66744AA0E658588E7CF2C051EE842F` |qrt.dll |Win32/Injector.EMVA |Korplug loader.
+|`5379FBB0E02694C524463FDF7F267A7361ECDD68` |sll.exe |MSIL/TrojanDownloader.Agent.GPS |QuasarRAT downloader.
+|`6CC6170977327541F8185288BB9B1B81F56D3FD0` |PresentationCache.exe |MSIL/Agent.TZG |QuasarRAT loader.
+|`D95185A4A3F8512D92F69D2ED7B8743638C54BE8` |N/A |MSIL/Spy.Agent.AES |QuasarRAT backdoor.
+|`BE7F0E41CD514561AED43B07AA9F5F0842BF876C` |HTra.exe |Win32/HackTool.Hucline.AB |HUC Packet Transmitter (HTran).
+|`7F663F50E9D6376715AEB3AB66DEDE038258EF6C` |HTran13.exe |Win32/HackTool.Hucline.S |HUC Packet Transmitter (HTran).
+|`BEDA1224B3BB9F98F95FF7757D2687F4D9F4B53A` |event.exe |Win32/Agent.UJN |Simple cmd.exe-based backdoor compiled with MingW.
+|`2B61E7C63A0A33AAC4CF7FE0CEB462CF6DACC080` |htran.exe |Win32/HackTool.Hucline.AB |HUC Packet Transmitter (HTran).
+|`EF3C796652141B8A68DCCF488159E96903479C29` |htran_f-secury.exe |Win32/HackTool.Hucline.AB |HUC Packet Transmitter (HTran).
+|`6B547C244A3086B5B6EA2B3A0D9594BBE54AE06B` |inbt.zip |Python/HackTool.Agent.J |EXE masquerading as ZIP. This is a Python network scanner (compiled with PyInstaller).
+|`4CDCE3AF614C2A5E60E71F1205812AB129C0955B` |msd017.exe |Python/Exploit.MS17-010.B |This is a Python scanner (compiled with PyInstaller) for the vulnerability MS17-010 (EternalBlue).
+|===
+
+== Network IOCs
+
+[options="header"]
+|===
+|Domain |IP |First seen |Details
+| |`43.254.216[.]104` |2020-06 |Delivery server
+| |`45.124.115[.]103` |2020-08 |Delivery server
+| |`161.82.181[.]4` |2020-12 |Delivery server
+| |`43.254.219[.]153` |2020-07 |X4 C&C server
+| |`154.223.141[.]36` |2020-06 |HTran C&C server
+| |`103.139.2[.]93` |2020-10 |Tendyron C&C server
+|`cahe.microsofts[.]com` | | |QuasarRAT C&C server
+|`ffca.caibi379[.]com` | | |QuasarRAT downloader C&C server
+|`smtp.nsfwgo[.]com` | | |Korplug C&C server
+| |`45.124.115[.]103` |2020-06 |LookBack C&C server
+| |`185.225.19[.]17` |2021-01 |LookBack C&C server
+| |`94.158.245[.]249` |2020-03 |LookBack C&C server
+| |`5.252.179[.]227` |2021-03 |LookBack C&C server
+| |`222.186.151[.]141` |2019-11 |FlowCloud C&C server
+| |`47.111.22[.]65` |2020-09 |FlowCross C&C server
+| |`114.55.109[.]199` |2020-05 |FlowCloud C&C server
+|`dlaxpcmghd[.]com` |`185.225.17[.]39` |2020-09 |LookBack C&C server
+|`wwww.dlmum[.]com` | |N/A |FlowCloud C&C server
+|===
+
+== Code Signing Certificates
+
+|===
+|Serial number |0x0F8B600FF1882E
+|Thumbprint (SHA-1)|`02ED6A578C575C8D9C72398E790354B095BB07BC`
+|Subject CN |Hangzhou Leishite Laser Technology Co., Ltd.
+|Subject O |Hangzhou Leishite Laser Technology Co., Ltd.
+|Subject L |Hangzhou
+|Subject S |Zhejiang
+|Subject C |CN
+|Valid from |2012-03-29 09:07:04 UTC
+|Valid to |2014-04-02 06:24:19 UTC
+|===
+
+|===
+|Serial number |0x4ED8730F4E1B8558CD1CB0107B5F776B
+|Thumbprint (SHA-1)|`850821D88A4475F0310F10FBA806353A4113D252`
+|Subject CN |北京和赢讯时科技有限公司 (Beijing Heyingxunshi Technology Co., Ltd.)
+|Subject O |北京和赢讯时科技有限公司 (Beijing Heyingxunshi Technology Co., Ltd.)
+|Subject OU |研发部 (R&D Department)
+|Subject S |北京市 (Beijing)
+|Subject C |CN
+|Valid from |2019-11-13 00:00:00 UTC
+|Valid to |2020-11-12 23:59:59 UTC
+|===

ta410/samples.md5

@@ -0,0 +1,35 @@
+23c77075baf7c9ba4e669239a7e1ab4c
+62275cf62d57f129768b586d440e77c6
+c0568d6c0aa6d019454c9613b1a9b0ef
+db78e9d16572571e5f8477c7065b489e
+77fd81f1b4d217c0545a35af4cf50cb8
+d97ffec8b482d0bdee0db144fe9abf1d
+761e49319f58717041cd00794b500ee9
+f6e4793f519184c80622b458b6eeeb72
+ebf7fb64cd3c24d4a7824e6722803e0a
+a7f147bec8b27c3f7183fb23dd17e444
+c77c5f52fff3a1d633be6bc230059e59
+2e30c1205e945bf64d04bb03b464acc8
+c0fe8c9e74a16ab198c0e8c457d643c1
+b983bf11e915bee310abf448287b2c94
+ecd3fab8c93d82941e181d588cd0e137
+79e8171ebf8f2e36949df13342e73515
+cc56b5f738187b9163e44daacdc14f2b
+c6a066c9a050a61ebbfc1fe58a8681b1
+b807b7e6dc70c94f4fa0d1eb82922b4b
+0e519a47ee4ee5cd194cccedf4e02c65
+fbb71e5ec052a3a416190fdb4cf990d6
+08adb52ebf843972ba58cfcce35d189f
+dac3d74fd1a847a03d8eac04fb918e9f
+9ed9f52b849940a7a486df81a5c35f25
+9fcbcb1a66139e0ce9a80ed5375792a0
+2c2b954b2e7d9a713cade62f76502d17
+40a41c2cccbaa3101a5391156112489a
+62d76cb1cc911fc7baf88938a5dfdbe7
+6b87b8b9f52ebb6dbb3ebb94ac6c611f
+801e52c8c4cf971546a32deaf1b5c0a3
+35295a1a9e1072e8c12e2efca96e854a
+4ea0d84ba279f3f7053add4cc9aab27d
+9057b82fbc1452e30a6a0495b40c2094
+74e1faae3f71981caf67aca434337100
+02825976b19f123872914c233cf309bb

ta410/samples.sha1

@@ -0,0 +1,35 @@
+014421bdb1ea105a6df0c27fc114819ff3637704
+021b9e2e8aa30b29569254c0378a9f43e4f32eec
+1403241c415a8d686b1148fa4229a2eb833d8d08
+2a2f08fad6b0a86dc94885224687d954e739cc21
+2b61e7c63a0a33aac4cf7fe0ceb462cf6dacc080
+3658b7cca13c8c8ad03e9b6aefe4b9cbe48e3c81
+38d0e92aff991cfc9c68d7baad6cb85916139af5
+4cdce3af614c2a5e60e71f1205812ab129c0955b
+517488f6bd0e7fc9ede82f37226a75212b277e21
+5379fbb0e02694c524463fdf7f267a7361ecdd68
+613c4afae8f5f80f22dcd1827e3230fca361ada5
+621b31d5778ec2fb72d38fb61ced110a6844d094
+6b547c244a3086b5b6ea2b3a0d9594bbe54ae06b
+6cc6170977327541f8185288bb9b1b81f56d3fd0
+7aa35ba7030afcd271436de8173d7b2f317a1bfc
+7ba42061568ff6d9ca5fe5360dce74c25ea48ada
+7f663f50e9d6376715aeb3ab66dede038258ef6c
+859cd6dfdadab3d6427c6c1c29581cb2094d648f
+a5c02abe698300f3de0b7cc7f0856652753831da
+add5b4fd9aea6a38b5a8941286bc9aa4fe23bd20
+b70f3a3a9b5b8506ee95791469ca496e01ad7daf
+bc11dc8d86a457a07cfe46b5f2ef6598b83c8a1f
+be7f0e41cd514561aed43b07aa9f5f0842bf876c
+beda1224b3bb9f98f95ff7757d2687f4d9f4b53a
+c05b4ad7a3322917e17710842fb88a090198d51f
+c369e1466f66744aa0e658588e7cf2c051ee842f
+c96558312fbf5847351b0b6f724d7b3a31ccaf03
+d81215890703c48b8ea07a1f50fec1a6ca9df88b
+d95185a4a3f8512d92f69d2ed7b8743638c54be8
+db2df1bdf8145cb8aba3a2026a3cc3ef4f1762be
+dbea7f0c0d2bf8bc365a2d1572ca1538fe8fb9a3
+ea298866e5a61feea4d062987f23b10a78c8a4ca
+ede2ab811311fc011b1e89c5a0b7a60c123b7398
+ef3c796652141b8a68dccf488159e96903479c29
+f359d3c074135bbca9a4c98a6b6544690edae93d

ta410/samples.sha256

@@ -0,0 +1,35 @@
+b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f
+cc49c5d39e7ef34a9caa318d48ac7c02e5ede160a5041cd6ba9438e65beaad7d
+6cf78943728286d0bddd99049d81065673ab7f679029cdd5f5dc69f90197136e
+8044d0a0395c0a2c085868949de16ffa3779fc174854b247d684a416d532cad5
+f2a8c5a7496db7fcc0c58eac98d1d22d0364ffef8560a59b6df8952353e9462f
+4e6b9a6d0870e85cbb957fc5e33503841f79f48e9f701f6e3d62a00dd8c82388
+4f6b732dfa5b4d91c56235f7c69974a4c557d6348f4ed9b862fa4938f7ce3848
+d4f98a531efcf5c3a8f701aa0c5166f3321c27ef931df9ad0a1cdda8e9988a65
+f5c207db7ddc7290f24faa9234bd48c833ddf6176d1fac1a23b6ea3844658a1f
+06eb951a9c5d3ce99182d535c5d714cc4e1aae53ef9fe51838189b41fc08380b
+f0a8811e329a3eadc5ab6db6f28c6fcbafb09931b515581084eaa1fc5d78e36b
+0f4694b31b69b02152540f29de041393627b72f1ba8827912afa8d2d1b27b838
+802eaa563f8630f8111938556652fb9c5ab4efa5a1f045e8d320b93a0b6b5a72
+65860fd476c7dfefd529d74047b9cfdb00c686d81d284f39e06e21b8182dab90
+3463fc02a19960c9f35114ec3f8183961143e69adb4e0a0a8418bd89cc09d094
+2fc6cfe417dd127e0cf6f73bd5d19d47148a1f0b302b4aea4a4214391435232b
+1d427675347f59861ed5788a1e73e1512e25190967b8690af2071dcc179909bc
+df672d823db88ecd32f14f5c366b21d6427611ab01aa54d246ef609bb04395a0
+f483ae96b8af441b865d0c013f24f17a7164f9f27afeecc04d11df1a51aff0ba
+c88d0f7d623b2a2c066dd6b15597d1f4c44d89e7a8e660e28c3494f441826ea5
+5e6ec1df775e88300cc64d9ce37a7055dfd0c4fa70c7a463c3a0848067e80a76
+e8317a7d1a3ed644cf903741fcc336c7fe6e6eef7da759d703937f0c725f5255
+c613aa296781b5fe7676d4508e6c7f41cf4720be3b9d91424d82a0959b9eec20
+ad1fc56fcb6577f1859c8a9c4e10a01e716303d81dfcdff8fe584d8a038451e7
+cdedf3362b002233105cb7aadf442fc64eeafd423d36f0b2a844d101f192f4e3
+7cc734d6b76fbac57f412088eeb3ad75ca9c9c489f9e63a8fdcb9a7b08ba3ce1
+04f120488b87d307437033845175138abb44795624819911195f71cf5132ed89
+73ac85ff4e098cbaedb9f0bdd0df6bb3eee16d7381e9811c62c31e20eabb2ed1
+0afd93d3061810fd79d28e2e1ba4dd4f030bddda9a88642d4150bb71255907e5
+fcaa7ba06e33d9aca87873b830eac85b5d511df9e4ceaba45b8c9fe88e68821b
+d09e91df5d7772d386e2843fc225241cb437333e344f607d1dd0ef9b15df326a
+80bdbad6ec889aba7ac0defbfbef7dc14a01f3ca3980d7b6c7b4d46e41af2e17
+4351223becfb9da09652cead154e81346fc912d856a1468498791e1820798c9f
+8eb0a62e7811df521c28dcf40cde643e7ed29909dd2a91cb3e4f414535e35955
+0dd700bb6a992ffd40b0d2b41fc5875cd3b319a7079f67b3dc37428b5005b354

ta410/ta410.rules

@@ -0,0 +1,66 @@
+# For feedback or questions contact us at: github@eset.com
+# https://github.com/eset/malware-ioc/
+#
+# These snort rules are provided to the community under the two-clause BSD
+# license as follows:
+#
+# Copyright (c) 2022, ESET
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+alert tcp any any -> any any \
+	(msg:"TA410 FlowCloud Hardcoded HTTP request"; gid:45534554; sid:45410003; rev:1;\
+	metadata: author "Alexandre Côté", date "2021-10-19", source "https://github.com/eset/malware-ioc/",\
+	license "BSD 2-Clause, reference "https://www.welivesecurity.com/";\
+	content:"Origin: http://s.peheavens.com"; http_header; content:"X-Requested-With: ShockwaveFlash/20.0.0.306"; http_header;\
+	content:"http://s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf/[[DYNAMIC]]/1"; http_header;\
+	content:"COOKIE_SUPPORT=true\; JSESSIONID=5C7E7A60D01D2891F40648DAB6CB3DF4.jvm1\; COMPANY_ID=10301\; ID=666e7375545678695645673d\; PASSWORD=7a4b48574d746470447a303d\; LOGIN=6863303130\; SCREEN_NAME=4a2b455377766b657451493d\; GUEST_LANGUAGE_ID=en-US"; http_cookie;)
+
+alert tcp any any -> any any \
+	(msg:"TA410 FlowCloud Hardcoded HTTP request"; gid:45534554; sid:45410004; rev:1;\
+	metadata: author "Alexandre Côté", date "2021-10-19", source "https://github.com/eset/malware-ioc/",\
+	license "BSD 2-Clause, reference "https://www.welivesecurity.com/";\
+	content:"200"; http_stat_code; content:"Server: Apache-Coyote/1.1"; http_header;\
+	content:"Expires: Thu, 01 Jan 1970 08:00:00 CST"; http_header; content:"Last-Modified: Fri, 27 Apr 2012 08:11:04 GMT"; http_header;)
+
+alert tcp any any -> any any \
+	(msg:"TA410 LookBack HTTP client packet magic bytes"; gid:45534554; sid:45410000; rev:1;\
+	metadata: author "Alexandre Côté", date "2021-10-19", source "https://github.com/eset/malware-ioc/",\
+	license "BSD 2-Clause, reference "https://www.welivesecurity.com/";\
+	content:"=mccoklei"; http_client_body;)
+
+alert tcp any any -> any any \
+	(msg:"TA410 LookBack HTTP server packet"; gid:45534554; sid:45410001; rev:1;\
+	metadata: author "Alexandre Côté", date "2021-10-19", source "https://github.com/eset/malware-ioc/",\
+	license "BSD 2-Clause, reference "https://www.welivesecurity.com/";\
+	content:"200"; http_stat_code; content:"Content-Type: image/gif"; http_header;\
+	pcre:"/ETag: \"[0-9]{6}-[0-9]{3,5}-[0-9]{8}\"/H";\
+	file_data; content:"|c2 2e ab 48|"; depth:4;)
+
+alert tcp any any <> any any \
+	(msg:"TA410 LookBack raw TCP packet"; gid:45534554; sid:45410002; rev:1;\
+	metadata: author "Alexandre Côté", date "2021-10-19", source "https://github.com/eset/malware-ioc/",\
+	license "BSD 2-Clause, reference "https://www.welivesecurity.com/";\
+	dsize:>31; flags:PA;\
+	content:"|c2 2e ab 48|"; depth:4; byte_extract:4,8,payload_size; isdataat:31+payload_size;)