THREAT ANALYSIS - Accenture · 2018-02-09 · from iDefense. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview


Copyright © 2018 Accenture Security. All rights reserved.

DRAGONFISH 「ELISE」

ASEAN

THREAT ANALYSIS


DRAGONFISH Lotus Blossom

Elise DRAGONFISH

iDefense

ADMM

SOC

Elise IoC

EDR

IoC

C2


TECHNICAL REPORT

DESCRIPTION

iDefense ASEAN ADMM

iDefense

DRAGONFISH Lotus Blossom Spring Dragon

MALWARE ANALYSIS

DRAGONFISH TTP

iDefense Microsoft Word

Exhibit 1 :

• MD5: f12fc711529b48bcef52c5ca0a52335a

• mary

• mary

• 2018:01:19 14:56:00

• 2018:01:19 14:56:00


Exhibit 1: Decoy Document

ADMM-Plus Word OLE

Exhibit 2

Exhibit 2: Original Source Path

Word a.b %temp%

CVE-2017-11882 NavShExt.dll

\AppData\Roaming\Microsoft\Windows\Caches\ a.b

NavShExt.dll PE32 DLL

Symantec

Norton Security Shell Extension Module

DLL :

• MD5 cd36bbd7f949cf017edba0e6aaadf28c

• : 2018-01-12 17:59:58

• : Setting


1. iexplore.exe (Internet Explorer) suspended

2. iexplore.exe NavShExt.dll DLL export Setting

3. iexplore.exe

4. mutex「donotbotherme」 (Exhibit 3 )

5. AppData\Local\Microsoft\Windows\Explorer\ thumbcache_1CD60.db

• LAN WAN IP ( IP ipaddress.com )

Exhibit 3: Mutex Creation


%temp% FXSAPIDebugLogFile.tmp

    Client Start!

    [2018-1-25 13:35:22] Try All Addr Failed! Sleep For: 10.100000 Minutes!

AES

Ss)4:WKsRr(3/VJrQq&2.UIqPp%1-THp

:

• runexe 1.exe /c command…

• rundll 1.dll, DllMain

cfa7954722d4277d26e96edc3289a4ce MD5

Palo Alto Networks Unit42 2015 『Operation Lotus Blossom』

Elise C :

• dropper DLL: Setting

• EXE DLL

• C2

base64 cookie

IAStorD

:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD

DLL iexplore.exe

DePatchEntry EvilEntry

DLL


• 3qyo4o7.7r7i3[.]info

• dtdf5vu.nt7yq[.]info

• j.4tc3ldw.g9ml.www0[.]org

• 38qmk6.0to9[.]info

• ubkv1t.ec0[.]com

• 7g91xhp.envuy3[.]net

• l.hovux.eln9wj7.7gpj[.]org

• w.7sytdjc.wroi.cxy[.]com

C2 103.236.150[.]14 Exhibit 4

Exhibit 4: Real C2 Server Hardcoded in the Malware


MITIGATION

103.236.150[.]14

Microsoft Security Update KB2553204

iDefense

:

• A value named IAStorD in the autorun key

• A file named FXSAPIDebugLogFile.tmp

• A mutex handle named donotbotherme

• thumbcache_1CD60.db in AppData\Local\Microsoft\Windows\Explorer\
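The host indicators listed above can be checked from a defender's side with a read-only script. The following PowerShell is an added example, not code from the iDefense report: it tests the current user's Run key for the IAStorD value, looks for FXSAPIDebugLogFile.tmp in %temp% and thumbcache_1CD60.db under AppData\Local\Microsoft\Windows\Explorer, tries to open the donotbotherme mutex, and lists any TCP connection to the hard-coded C2 address 103.236.150[.]14. The function name Test-EliseIndicators and the use of the session-local mutex namespace (the report does not state whether the mutex is Global\ or Local\) are assumptions of this example.

```powershell
# Added example (not from the original report): read-only check of a host for the
# DRAGONFISH / Elise indicators published in the report. Nothing is modified or deleted.
# Assumption: the mutex is opened by its bare name, i.e. in the session's Local namespace.

function Test-EliseIndicators {
    $findings = @()

    # 1. Autorun value named IAStorD under HKCU\...\CurrentVersion\Run
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = Get-ItemProperty -Path $runKey -Name 'IAStorD' -ErrorAction SilentlyContinue
    if ($null -ne $runValue) {
        $findings += [pscustomobject]@{ Indicator = 'Run value IAStorD'; Detail = $runValue.IAStorD }
    }

    # 2. Debug log file FXSAPIDebugLogFile.tmp dropped in %temp%
    $logFile = Join-Path $env:TEMP 'FXSAPIDebugLogFile.tmp'
    if (Test-Path -LiteralPath $logFile) {
        $findings += [pscustomobject]@{ Indicator = 'File FXSAPIDebugLogFile.tmp'; Detail = $logFile }
    }

    # 3. thumbcache_1CD60.db under AppData\Local\Microsoft\Windows\Explorer
    $thumb = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer\thumbcache_1CD60.db'
    if (Test-Path -LiteralPath $thumb) {
        $findings += [pscustomobject]@{ Indicator = 'File thumbcache_1CD60.db'; Detail = $thumb }
    }

    # 4. Mutex named donotbotherme (only present while the implant is running)
    $mutex = $null
    if ([System.Threading.Mutex]::TryOpenExisting('donotbotherme', [ref]$mutex)) {
        $mutex.Dispose()
        $findings += [pscustomobject]@{ Indicator = 'Mutex donotbotherme'; Detail = 'open handle exists' }
    }

    # 5. Live TCP connection to the hard-coded C2 address from the report
    $c2 = Get-NetTCPConnection -RemoteAddress '103.236.150.14' -ErrorAction SilentlyContinue
    foreach ($conn in $c2) {
        $findings += [pscustomobject]@{
            Indicator = 'Connection to C2 103.236.150.14'
            Detail    = "PID $($conn.OwningProcess) -> $($conn.RemoteAddress):$($conn.RemotePort) ($($conn.State))"
        }
    }

    return $findings
}

# Run the check and print a table of hits; an empty result means no indicator matched.
$result = @(Test-EliseIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No DRAGONFISH / Elise host indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

The mutex check is only meaningful while the implant is running, and the Run-key check covers the current user's hive only; on a multi-user host, run the script in each user's context or enumerate the loaded hives under HKEY_USERS. The remaining file and network checks are independent of the user context.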

Microsoft Security Update KB2553204 :

https://support.microsoft.com/en-us/help/2553204/description-of-the-security-update-for-office-2010-november-14-2017

Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change.

ACCENTURE PROVIDES THE INFORMATION ON AN “AS-IS” BASIS WITHOUT REPRESENTATION OR WARRANTY AND ACCEPTS NO LIABILITY FOR ANY ACTION OR FAILURE TO ACT TAKEN IN RESPONSE TO THE INFORMATION CONTAINED OR REFERENCED IN THIS REPORT.


https://www.accenture.com/jp-ja/security-index


LEGAL NOTICE & DISCLAIMER: © 2018 Accenture. All rights reserved. Accenture, the Accenture logo, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from iDefense. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.
