Operation HARKONNEN - German Speaking

[chrisddom]

Might be worth adding-

http://cybertinel.com/wp-content/uploads/2014/09/HARKONNEN-OPERATION-CYBER-ESPIONAGE.pdf

[GelosSnake]

really? have you read this report?

[the-shelter]

It’s like a sale pitch. Couldn’t find any other reports getting deeper in a quick google search

[GelosSnake]

Google for Win7.Generic (:

[chrisddom]

I skipped the sales guff, saw the description of a long targeted campaign that I saw had been previously tagged as crimeware and thought - ah that tends to be interesting.
But looking at the domains eg; http://totalhash.com/search/dnsrr:download-web-shield.com
yeah... that really does look like crimeware a sales guy has written up as something very different.

[chrisddom]

And I don't know how $150k comes from a few domains and ssl certs :)

[kbandla]

This has been in various .il news past week. The only metadata/IOCs I found are here, like chris pointed
Yeah looks salesy overall. I'll keep an eye open for any hashes.

[the-shelter]

I saw that one. I was hoping to find some deeper analysing document. So far nothing found

[chrisddom]

Lots of samples available in german installers for freeware packed with typical adware https://malwr.com/analysis/ZGY4MGNjZDQ1NjZjNGQ4MTk2ZGZhYTg4Zjk4ODBjYTA/

[GelosSnake]

https://www.virustotal.com/en/domain/amazon.com/information/
https://www.virustotal.com/en/ip-address/82.98.97.183/information/
https://www.virustotal.com/en/file/24d45dd46080a847876fa028e8b370397b99ba172384e3b82cbc2b76066c93d2/analysis/
https://www.virustotal.com/en/file/4bab75a8910f97820351e2d7a0b8ca448e6f9de6a7e3f42a0d22f4185f2580c6/analysis/

between 30-40/55 positives

[the-shelter]

I did found those. I was interested in the background of the operation (Harkonnen).

[kbandla]

Dynamoo has some analysis on the same malware. This shows that it is adware, and not apt.
After collecting info and asking around, this report seems is a little too fantastic. Skipping this report. Thanks for the discussion!