kbandla / APTnotes

Various public documents, whitepapers and articles about APT campaigns

Bookworm Trojan: A Model of Modular Architecture #204

Closed threatcrowd closed 8 years ago

threatcrowd commented 8 years ago

http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/

Bookworm Trojan: A Model of Modular Architecture
Posted by Robert Falcone, Mike Scott and Juan Cortes on November 10, 2015 (Unit 42; filed in Malware, Threat Prevention; tagged Bookworm, KBLogger, PlugX, RAT, Trojan)

Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT, based on similar observed behavior such as the use of DLL side-loading and a shellcode file. After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed Bookworm and track in AutoFocus using the tag Bookworm.


Indicators of Compromise

kbandla commented 8 years ago

Added in 49a3634b1e5951744ae95139683856568dd688e8. Thanks @threatcrowd !