
In the course of cyberincident investigations and threat analysis research, Positive Technologies experts have identified activity by a criminal group whose aims include theft of confidential documents and espionage. In this report, we take a close look at the tools, techniques, and procedures employed by the group and share indicators of compromise for detecting attacks. The main objective of the group is to steal confidential information. At one of the attacked companies, the earliest traces of the group's presence on infrastructure dated to 2010. The attackers attempt to burrow into corporate information systems for extended periods and obtain access to key servers, executive workstations, and business-critical systems.

Since the group had obtained full control of some servers and workstations by that time, the initial breach must have occurred much earlier.

Most of the attacked companies relate to manufacturing and industry. In total, we are aware of the compromise of over 30 companies and organizations in various sectors, including:

The group attacked companies in a number of countries. A significant number of their targets were located in Russia and the CIS. Identified by the PT Expert Security Center in 2018, the group used an unusual method for lateral movement on network infrastructure: creation of tasks in the Task Scheduler. As a result, the group has been dubbed TaskMasters.

The GitHub code of the ASPXSpy2014 web shell, which was used in the attack process, contains references to Chinese developers (see Figure 1). However, the version we discovered instead contains a reference to. The requests sent to the web shells contained IP addresses belonging to a hosting provider and a printing house in Eastern Europe. However, the event log of the proxy server at one of the attacked organizations captured the moment when the attackers switched to the residential Chinese IP address 115.171.23.103. This was most likely caused by a software VPN going offline during the attack.

The attackers used a copy of WinRAR that had been activated with a key widely distributed on Chinese-language web forums.
[Figure: WinRAR license key published on Chinese-language forums]

One of the tasks made use of the domain, which had been registered through a Chinese registrar. Many of the utilities contain error messages and other debugging information in broken English. This would be consistent with English being a second language for the developers. In addition, some of the attackers' self-developed utilities contain the string "by AiMi". This artifact is present both in client backdoors and server components.
[Figure: Reference to the developers in script interface]

In a previous report, we noted that demand for malware development on the dark web significantly exceeds supply [1]. As a result, malware is increasingly available to anyone willing to pay. Growing malware supply has pushed cybercriminals to use ready-made tools, which significantly complicates attack attribution. If different cybercriminals use the same services, they could be mistakenly thought to be in the same group. The same problem applies to determining the attackers' country. Code comments in any particular language only mean that the malware was created by a speaker of that language, who may have sold it afterward.