PLATINUM: Targeted attacks in South and Southeast Asia
Windows Defender Advanced Threat Hunting Team
April 2016


This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided "as is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

PLATINUM: Targeted attacks in South and Southeast Asia
    Adversary profile
    Methods of attack
    Technical details
        Dipsind
        JPIN
        adbupd
        Keyloggers
        Hot patcher
        Miscellaneous
        Exploit (CVE-2015-2545)
    Identity
    Guidance
    Detection indicators
PLATINUM: Targeted attacks in South and Southeast Asia

Microsoft proactively monitors the threat landscape for emerging threats. Part of this job involves

PLATINUM has had victims since at least as early as 2009.
Methods of attack

Figure: Known victims attacked by PLATINUM since 2009, by country/region (left) and type of institution (right)

By country/region:
    Malaysia     51.4%
    Indonesia    21.4%
    China        11.4%
    Singapore     4.3%
    India         4.3%
    Thailand      2.9%
    Other         4.3%

By type of institution:
    Other government     31.4%
    Other                25.7%
    ISP                  24.3%
    Gov't Defense         7.1%
    Gov't Diplomatic      7.1%
    Gov't Intelligence    2.9%
    Academic              1.4%
Lure documents are typically given topical names that may be of interest to the recipient. Such lures often address controversial subjects or offer provocative opinions, in an effort to incite the reader into opening them. The figure below shows a sample of such titles.

Figure: Example document titles used by PLATINUM to deliver exploits

SHA1                                      Filename
e9f900b5d01320ccd4990fd322a459d709d43e4b  Gambar gambar Rumah Gay Didiet Prabowo di Sentul Bogor.doc
9a4e82ba371cd2fedea0b889c879daee7a01e1b1  The real reason Prabowo wants to be President.doc
92a3ece981bb5e0a3ee4277f08236c1d38b54053  Malaysia a victim of American irregular warfare ops.doc
0bc08dca86bd95f43ccc78ef4b27d81f28b4b76   Tu Vi Nam Tan Mao 2011.doc
f4af574124e9020ef3d0a7be9f1e42c2261e97e6  Indians having fun.doc
infecting an unsuspecting user this way, the attackers had complete control of the user's computer and

Figure: Malicious Word 2003 files used by PLATINUM to deliver CVE-2013-7331

Filename                                SHA1                                      URL for PNG exploit
Gerakan Anti SBY II.doc                 1bdc1a0bc995c1beb363b11b71c14324be8577c9  mister.nofrillspace.com/users/web8_dice/4226/space.gif
Tu_Vi_Nam_Tan_Mao_2011.doc              2a33542038a85db4911d7b846573f6b251e16b2d  intent.nofrillspace.com/users/web11_focus/3807/space.gif
Wikileaks Indonesia.doc                 d6a795e839f51c1a5aeabf5c10664936ebbef8ea  mister.nofrillspace.com/users/web8_dice/3791/space.gif
Top 11 Aerial Surveillance Devices.doc  f362feedc046899a78c4480c32dda4ea82a3e8c0  tent.nofrillspace.com/users/web11_focus/4307/space.gif
SEMBOYAN_1.doc                          f751cdfaef99c6184f45a563f3d81ff1ada25565  (none listed)

[Footnote] Microsoft thanks Google for identifying and reporting this attack. Microsoft issued Security Bulletin MS14 in September 2014 to address the issue. CVE-2013-7331 has never affected Windows 10.
Figure: Malicious JavaScript used by PLATINUM to perform fingerprinting on a victim's browser

While fingerprinting the versions of the browser plugins, the script loads a remotely hosted malicious PNG file that exploited another previously unknown vulnerability (designated CVE-1331), which affected Microsoft Office 2003 SP3. Exploiting the vulnerability resulted in memory corruption, which allowed the attacker to execute code remotely on the computer.
Figure: An exploit mechanism used by PLATINUM

A combination of lure documents with the aforementioned embedded ActiveX control was also seen along with a Dipsind executable named 'pp4x322.dll' during a different attack. The unique name of this executable indicated a possible DLL side-loading vulnerability in PowerPoint 2007 also being used by PLATINUM.

In another case from August 2015, Microsoft investigated a malicious document (named Resume.docx) that had been uploaded to the VirusTotal malware analysis service. The person who submitted the file did so through an IP address based in India, suggesting that the person or their organization had been

[Footnote] Microsoft issued Security Bulletin MS13 in June 2013 to address the issue. Microsoft thanks FireEye for identifying and reporting this attack.

[Footnote] Microsoft issued Security Bulletin MS15 in September 2015 to address the issue. Windows 10 is not affected by the exploit used in this case due to built-in mitigations.

[Footnote] Microsoft issued Security Bulletin MS15 in September 2015 to address the issue.
In total, PLATINUM made use of four zero-day exploits during these two attack campaigns (two remote code execution bugs, one privilege escalation, and one information disclosure), showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets, or research and utilize the zero-day exploits themselves. In both these campaigns the activity group included remote triggers to deactivate exploitation, with an attempt to conceal the vulnerability and prevent analysis of the attack.

The resources required to research and deploy multiple zero-day exploits within the same attack campaign are considerable. Such activity requires a significant amount of investment in research and development, along with the discipline to ensure that the exploits are not used until the appropriate time, and that no one involved with the project leaks them to other parties.
Technical details

PLATINUM used four zero-day exploits during these two campaigns.
Dipsind

Figure: Sample configuration file for Win32/Dipsind

Each Dipsind file contains an embedded encrypted configuration file that acts as a control for the backdoor. This configuration file also includes the initial command and control (C&C) location the Dipsind backdoor uses, in addition to the pollcommandsite variable, which references a URL where additional backup C&Cs can be polled.
Figure: Some of the domains and addresses used by PLATINUM

Registered domains            Dynamic DNS                 Hardcoded IPs
box62.a-inet.net              mobileworld.darktech.org    200.61.248.8
eclipse.a-inet.net            bpl.blogsite.org            209.45.65.163
joomlastats.a-inet.net        wiki.servebbs.net           190.96.47.9
updates.joomlastats.co.cc                                 192.192.114.1
server.joomlastats.co.cc                                  61.31.203.98
scienceweek.scieron.com
After Dipsind.A is installed on the victim's computer, it connects to its C&C server for authentication. All

A second Dipsind variant registers as a Winlogon Event Notify DLL. This backdoor contains a minimized feature list from the original Dipsind variant, and supports a more limited number of commands.
    Pk2.exe <IP> <UDP port> <TCP port> <Password>

where the IP address is that of the computer with the backdoor, the UDP port is the one specified by the backdoor, and the password is a string encrypted by the tool before being sent.
Figure: How the Dipsind knocker component communicates with an attacker

PK2 is also designed to connect to such open TCP ports and act as a console client for issuing commands to the backdoor. When running PK2 as a console client, the attacker needs to re-enter the password to authenticate a second time against the backdoor, and can then issue commands such as #sz to upload a file and #rz to download a file. During this research, one such collection of tools was obtained that had the password set to "[email protected]@ss". All communication between this backdoor and PK2 is encrypted. If a connection from PK2 is not received within the 3-second window, the TCP port is shut and PK2 would need to reinitialize the port-knocking process.
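The knock-then-connect sequence described above leaves a recognizable trace in network telemetry: a UDP datagram to a host, followed within the 3-second window by a TCP connection from the same source to a port that host does not normally serve. The Python script below is an added example, not part of Microsoft's report or tooling. It scans constructed flow records for that pattern; the record format, hosts, ports and timestamps are invented for illustration, and the baseline heuristic (a TCP port counts as an ordinary service if more than one source has ever connected to it) is an assumption of the example, not something the report states.

```python
"""Flag UDP-knock-then-TCP-connect sequences in flow records (added example)."""
from collections import defaultdict, namedtuple

# Constructed flow records: "<timestamp> <proto> <src> <dst> <dport>". Not real telemetry.
SAMPLE_FLOWS = """
1000.0 TCP 10.0.0.5 10.0.0.20 445      # ordinary SMB from one workstation
1001.0 TCP 10.0.0.7 10.0.0.20 445      # SMB from a second source -> port 445 is baseline
1005.0 UDP 10.0.0.9 10.0.0.20 5061     # knock datagram to the backdoor's UDP port
1006.2 TCP 10.0.0.9 10.0.0.20 34567    # same source connects to a fresh TCP port 1.2 s later
1020.0 UDP 10.0.0.9 10.0.0.20 53       # unrelated UDP
1030.0 TCP 10.0.0.9 10.0.0.20 34568    # TCP 10 s later: outside the window, not paired
1040.0 UDP 10.0.0.9 10.0.0.20 5061     # another knock...
1041.0 TCP 10.0.0.9 10.0.0.20 445      # ...but the follow-up goes to a baseline port
"""

Flow = namedtuple("Flow", "ts proto src dst dport")
Hit = namedtuple("Hit", "src dst udp_port tcp_port delta")


def parse_flows(text):
    """Parse the constructed record format; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append(Flow(float(ts), proto.upper(), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def baseline_tcp_ports(flows):
    """(dst, port) pairs contacted over TCP by more than one distinct source.
    Assumption: such ports are ordinary services, not knock-opened listeners."""
    sources = defaultdict(set)
    for f in flows:
        if f.proto == "TCP":
            sources[(f.dst, f.dport)].add(f.src)
    return {key for key, srcs in sources.items() if len(srcs) > 1}


def find_knock_sequences(flows, window=3.0):
    """Return a Hit for every UDP datagram that is followed, within `window`
    seconds, by a TCP connection from the same source to the same host on a
    port that is not in the baseline. 3 s is the window the report gives for
    the Dipsind knocker."""
    baseline = baseline_tcp_ports(flows)
    hits = []
    for i, knock in enumerate(flows):
        if knock.proto != "UDP":
            continue
        for follow in flows[i + 1:]:
            delta = follow.ts - knock.ts
            if delta > window:
                break  # flows are time-sorted; nothing later can qualify
            if (follow.proto == "TCP" and follow.src == knock.src
                    and follow.dst == knock.dst
                    and (follow.dst, follow.dport) not in baseline):
                hits.append(Hit(knock.src, knock.dst, knock.dport,
                                follow.dport, round(delta, 3)))
    return hits


if __name__ == "__main__":
    for h in find_knock_sequences(parse_flows(SAMPLE_FLOWS)):
        print(f"knock {h.src} -> {h.dst} udp/{h.udp_port} then tcp/{h.tcp_port} "
              f"after {h.delta}s")
```

On the sample, only the 1005.0/1006.2 pair is reported: the later TCP connection falls outside the window, and the final one lands on a port that other hosts also use. Against real NetFlow or Zeek conn logs the baseline should be built from a longer history than the window being inspected, otherwise the knock-opened port itself becomes baseline after the second attacker session.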
JPIN

In addition to Dipsind and its variants, PLATINUM uses a few other families of custom-built backdoors.

Figure: Security-related processes avoided by the JPIN installer

Process              Security product
360tray.exe          360 Safeguard
bdagent.exe          BitDefender
proguard.exe         Process Guard
blackd.exe           BlackICE
blackice.exe         BlackICE
savservice.exe       Sophos Anti-Virus
avp.exe              Kaspersky Anti-Virus
rstray.exe           Rising Antivirus
cmccore.exe          CMC Antivirus
cmctrayicon.exe      CMC Antivirus
zhudongfangyu.exe    360 Safeguard
After installing the backdoor, the installer deletes itself from the compromised computer.

PLATINUM uses at least three distinct JPIN variants. One variant typically runs with a mutex named "hMSVmm" and installs itself in the folders %appdata%\Comm\Jpin and %userprofile%\AppData\Resource\Jpi

After it is installed and started, the JPIN service can perform the following tasks, among others:

- Obtain information about the computer, such as operating system version, user name, privileges, disk space, and so on.
- List running services, processes, job IDs, and task IDs.
- Enumerate drives and their types.
- Enumerate registry keys.
- Load a custom keylogger.
- Download files.
- Download and upgrade itself.
- Acquire network information such as DNS, IP, proxies, and so on.
- Exfiltrate information over HTTP GET and POST requests, with the data stored either within the
- Communicate via FTP.
- Send email via SMTP.
- Change permissions on files using the cacls.exe command-line utility.

JPIN can also target mobile suite applications and extract data from them. The backdoor contains code that looks for installed instances of Symbian, BlackBerry, and Windows Phone management applications. If any are found, the backdoor logs sync dates, IMEI data, phone manufacturer and model information, software version date, memory, location, and capacity, among other things.

The second JPIN variant is very similar to the first one. It downloads the backdoor payload from remote locations via the BITS service, using the COM object for BITS. This variant also has its own installer
adbupd

Figure: WMI script used by the adbupd backdoor to achieve persistence

#pragma namespace("\\\\.\\ROOT\\cimv2")

instance of __Win32Provider as $P
{
    Name = "adbupdConsumer";
    ClsId = "{74ba9ce4-fbf1-4097-34f446f037d8}";
    HostingModel = "LocalSystemHost";
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"adbupdConsumer"};
};

class adbupdConsumer : __EventConsumer
{
    [key] string Mode;
};

instance of adbupdConsumer as $CONSMR
{
    Mode = "persistent";
};

instance of __EventFilter as $FLT
{
    Name = "adbupdFilter";
    // Query: WQL query referencing "Win32_NTLogEvent" (the full query text is not preserved in this copy)
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding as $B
{
    Consumer = $CONSMR;
    Filter = $FLT;
};

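A responder who recovers a MOF like the one above, or dumps the subscription namespace back to MOF, wants three things from it: which filter fires which consumer, whether the consumer class is one Windows ships or one the attacker registered, and who hosts the consumer code. The Python script below is an added example, not Microsoft's code. It parses a constructed MOF in the shape of the figure, resolves each __FilterToConsumerBinding to its filter and consumer, flags consumers whose class is not a standard Windows consumer class, and reports the HostingModel of the __Win32Provider that implements them (LocalSystemHost means the consumer runs as SYSTEM). The CLSID and the WQL query in the sample are placeholders invented for the example, the report's copy of the query being truncated, and the sample uses the root\subscription namespace where Windows keeps permanent subscriptions rather than the cimv2 shown in the figure.

```python
"""Triage WMI permanent event subscriptions from MOF text (added example)."""
import re
from collections import namedtuple

# Constructed MOF in the shape of the adbupd figure plus one default Windows
# binding for contrast. The CLSID and the WQL query are placeholders.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\ROOT\\subscription")

instance of __Win32Provider as $P
{
    Name = "adbupdConsumer";
    ClsId = "{00000000-0000-0000-0000-000000000000}";
    HostingModel = "LocalSystemHost";
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"adbupdConsumer"};
};

class adbupdConsumer : __EventConsumer
{
    [key] string Mode;
};

instance of adbupdConsumer as $CONSMR
{
    Mode = "persistent";
};

instance of __EventFilter as $FLT
{
    Name = "adbupdFilter";
    Query = "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA \"Win32_NTLogEvent\"";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding
{
    Consumer = $CONSMR;
    Filter = $FLT;
};

instance of __EventFilter as $SCMFLT
{
    Name = "SCM Event Log Filter";
    Query = "select * from MSFT_SCMEventLogEvent";
    QueryLanguage = "WQL";
};

instance of NTEventLogEventConsumer as $SCMCONS
{
    Name = "SCM Event Log Consumer";
};

instance of __FilterToConsumerBinding
{
    Consumer = $SCMCONS;
    Filter = $SCMFLT;
};
'''

# Consumer classes that ship with Windows; anything else is provider-defined.
STANDARD_CONSUMERS = {
    "ActiveScriptEventConsumer", "CommandLineEventConsumer",
    "LogFileEventConsumer", "NTEventLogEventConsumer", "SMTPEventConsumer",
}

Instance = namedtuple("Instance", "cls alias props")
Finding = namedtuple("Finding", "consumer_class custom hosting_model filter_name query")

HEADER_RE = re.compile(
    r'(instance\s+of|class)\s+(\w+)(?:\s+as\s+(\$\w+)|\s*:\s*(\w+))?\s*\{')
PROP_RE = re.compile(r'(\w+)\s*=\s*(.+?)\s*;', re.S)


def _balanced_block(text, start):
    """Body of the {...} block opening at text[start]; honours nested braces
    and quoted strings (MOF values such as {"x"} contain braces)."""
    depth, i, in_str = 0, start, False
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
        i += 1
    raise ValueError("unbalanced braces in MOF")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_mof(text):
    """Return ({class_name: base_class}, [Instance, ...]) from MOF source."""
    classes, instances, pos = {}, [], 0
    while True:
        m = HEADER_RE.search(text, pos)
        if not m:
            break
        body, pos = _balanced_block(text, m.end() - 1)
        if m.group(1) == "class":
            classes[m.group(2)] = m.group(4)
        else:
            props = {k: _unquote(v) for k, v in PROP_RE.findall(body)}
            instances.append(Instance(m.group(2), m.group(3), props))
    return classes, instances


def triage(classes, instances):
    """One Finding per __FilterToConsumerBinding, with the consumer's hosting model."""
    by_alias = {i.alias: i for i in instances if i.alias}
    findings = []
    for binding in (i for i in instances if i.cls == "__FilterToConsumerBinding"):
        consumer = by_alias.get(binding.props.get("Consumer"))
        flt = by_alias.get(binding.props.get("Filter"))
        cls = consumer.cls if consumer else "<unresolved>"
        custom = cls not in STANDARD_CONSUMERS
        hosting = None
        if custom:
            # Find the __Win32Provider registered to implement this consumer class.
            reg = next((r for r in instances
                        if r.cls == "__EventConsumerProviderRegistration"
                        and cls in r.props.get("ConsumerClassNames", "")), None)
            provider = by_alias.get(reg.props.get("Provider")) if reg else None
            hosting = provider.props.get("HostingModel") if provider else "<unknown>"
        findings.append(Finding(cls, custom, hosting,
                                flt.props.get("Name") if flt else "<unresolved>",
                                flt.props.get("Query") if flt else ""))
    return findings


if __name__ == "__main__":
    for f in triage(*parse_mof(SAMPLE_MOF)):
        tag = "CUSTOM " if f.custom else "builtin"
        print(f"{tag} {f.consumer_class:<28} host={f.hosting_model} filter={f.filter_name!r}")
```

The custom-class check is what singles out the adbupd technique: instead of abusing CommandLineEventConsumer or ActiveScriptEventConsumer, which most WMI persistence hunting looks for, it registers its own consumer class backed by a __Win32Provider, so the payload runs inside the provider host under LocalSystemHost. Bindings to the built-in consumer classes still deserve review; the script only separates the two cases.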
Keyloggers

The PLATINUM group has written a few different versions of keyloggers that perform their functions in different ways, most likely to take advantage of different weaknesses in victims' computing environments. The keyloggers can be broadly classified into two groups: those that log keystrokes through raw device input, and user-mode keyloggers that use Windows hook interfaces to gather information. In particular, this second group also has the capability of dumping users' credentials using the same technique employed by Mimikatz. Both groups can set permissions on specific files to Everyone, and work in tandem with the PLATINUM backdoors.
Hot patcher

One of PLATINUM's most recent and interesting tools is meant to inject code into processes using a variety of injection techniques. In addition to using several publicly known injection methods to perform this task, it also takes advantage of an obscure operating system feature known as hot patching.

Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process. At a high level, hot patching can transparently apply patches to executables and DLLs in actively running processes, which does not happen with traditional methods of code injection.

[Footnote] Alex Ionescu, "Hotpatching the Hotpatcher: Stealth File-less DLL Injection," SyScan 2013, https://www.yumpu.com/en/document/view/14255220/alexsyscan13/23

The backdoor is injected into svchost using the hot patch API. Patching the loader is done by creating a section named \knowndlls\mstbl.dll. This DLL does not reside on disk, but is rather treated as a cached DLL by the session manager. It then proceeds to write a PE file within that section.

The PE file will have one section (.hotp1) with the hot patch header structure. This structure contains all the information necessary to perform the patching of the function ntdll!LdrpMapViewOfSection, which will cause the loader to treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is applied by invoking NtSetSystemInformation.

After the memory permission issue is solved, the injector proceeds to inject the malicious DLL into svchost. Again, it creates a (now executable) section named \knowndlls\fgrps.dll and invokes NtSetSystemInformation, which causes the final payload to be loaded and executed within the

The malicious hot patching component appears to have an expiration date of January 15, 2017. After that date, the DLL will no longer perform the injection, but rather execute another PLATINUM implant (\Program Files\Windows Journal\Templates\Cpl\jnwmon.exe), which may be related to an uninstall routine. (The component has not been observed in use since March 9, 2016, which may indicate that PLATINUM has chosen to stop using it earlier than the configured expiration date.)
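The injector's fingerprint, as the report describes it, is structural: a PE image carrying a .hotp1 section with the hot-patch header, written into a \KnownDlls section object rather than to disk. The Python below is an added example, not Microsoft's code or its YARA rule. It walks a PE section table by hand and reports a .hotp1 section, together with any section flagged both writable and executable; that second check is a general heuristic of the example, not something the report attributes to this tool. Because the real component was never a file on disk, build_pe constructs minimal synthetic images to run against; in practice the input would be a dumped section object or a process memory region.

```python
"""Scan a PE section table for the hot-patch indicator described above (added example)."""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name virtual_size virtual_address raw_size raw_ptr characteristics")

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table without third-party libraries."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 (i.e. e_lfanew + 6 and e_lfanew + 20).
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, fields[1], fields[2], fields[3], fields[4], fields[9]))
    return sections


def hotpatch_indicators(data):
    """Return human-readable findings for the image in `data`."""
    findings = []
    for s in parse_sections(data):
        if s.name == ".hotp1":
            findings.append(f"section {s.name}: hot-patch header section (Trojan_Win32_PlaSrv indicator)")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s.name}: writable and executable")
    return findings


def build_pe(section_specs):
    """Constructed test input: a minimal 32-bit PE with the given (name, characteristics) sections.
    Headers are valid enough to parse; there is no real code in the image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                      # size of a PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x2102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, raw_ptr = b"", 0x400
    for name, chars in section_specs:
        table += struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                             0x1000, 0x1000, 0x200, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += 0x200
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table


if __name__ == "__main__":
    suspicious = build_pe([(".text", 0x60000020), (".hotp1", 0x40000040)])
    benign = build_pe([(".text", 0x60000020), (".data", 0xC0000040)])
    print("suspicious:", hotpatch_indicators(suspicious))
    print("benign:", hotpatch_indicators(benign))
```

A section name is a weak indicator on its own; the Trojan_Win32_PlaSrv rule in the detection indicators below pairs ".hotp1" with a code pattern for that reason. Where a .hotp1 section turns up in memory of a process that was never hot-patched by Windows Update, the next step is to look at the \KnownDlls object directory for entries, such as mstbl.dll or fgrps.dll, with no backing file on disk.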
Miscellaneous

Finally, the PLATINUM group also uses small single-purpose applications that duplicate some of the functionality of the backdoors. A couple of examples are:

- A stand-alone persistence tool that takes other files as input and ensures persistence across reboots.
- A stand-alone loader that runs another executable. It has some exported functions whose names can be used in DLL files installed as LSA password filters, but such functions are basically empty and there is no known evidence that this tool was ever used in this way. On the whole, this DLL looks like a test, suggesting that the attackers may have researched and possibly implemented variants of their malware that can be installed as LSA password filters.
Exploit (CVE-2015-2545)

CVE-2015-2545 is a use-after-free vulnerability in the embedded PostScript filter of Microsoft Office. The exploit was crafted in PostScript and is able to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

[Footnote] Microsoft issued Security Bulletin MS15 in September 2015 to address the issue.

This vulnerability allowed the attacker to forge a CAssoc structure, shown in the figure below, and so also indirectly the PSObjs in the structure. The PostScript interpreter deciphers the value field (Val) based on the type field (m_type), both of which are under complete control of the attacker. Having developed this technique, the attacker crafts and uses a combination of file, string, and integer objects to gain reliable arbitrary code execution.

Figure: Memory layout of the CAssoc structure and its embedded PSObjs

Root cause: The attacker defined, in PostScript, a dictionary with three elements, which leads to an allocation of three CAssoc structures in PSTMap. Within a forall loop, the last two elements are undefined and a string is initialized. The PostScript statement results in a deallocation of the last two CAssoc structures, and the string gets allocated at the previously freed memory address. The PostScript put operator is used to fill the string with data to

Acquire full memory RW access: The described method is used to craft a PSString object in which the

Figure: The getinterval method of PSString is used to find ROP gadgets

Arbitrary code execution: To redirect code execution to the ROP chain, the exploit crafts a PSFile object
Identity

Although the exact identity of PLATINUM remains unknown, the technical indicators observed so far can help create a profile of the attacker.

Usage of multiple backdoors. The different backdoors written by or for the group indicate a considerable investment over time. Research indicates that PLATINUM has used multiple backdoors concurrently at times, which could represent either multiple teams within the activity group performing different campaigns, or different versions of the tools being used against varying

Zero-day exploits. PLATINUM has used several zero-day exploits against their victims. Regardless of

Victim geography. More often than not, research into targeted attacks shows activity groups becoming opportunistic and

Tools. Some of the tools used by PLATINUM, such as the port-knocking backdoor, show signs of organized thinking. PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources. This

The monetary investment required to collect and deploy zero-day exploits at this level is considerable.

Any of these traits by themselves could be the work of a single resourceful attacker or a small group of like-minded individuals, but the presence of all of them is a clear indication of a well-resourced, focused, and disciplined group of attackers vying for information from government-related entities.
Guidance

should be strictly enforced. In the case of PLATINUM, such a network architecture would prevent

Apply all security updates as soon as they become available.

Detection indicators

rule Trojan_Win32_PlaSrv : Platinum
{
    meta:
        author = "Microsoft"
        description = "Hotpatching Injector"
        original_sample_sha1 = "ff7f949da665ba8ce9fb01da357b51415634eaad"
        unpacked_sample_sha1 = "dff2fee984ba9f5a8f5d97582c83fca4fa1fe131"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $Section_name = ".hotp1"
        // the definition of $offset_x59 is not preserved in this copy of the rule
    condition:
        $Section_name and $offset_x59
}
rule Trojan_Win32_Platual : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "e0ac2ae221328313a7eee33e9be0924c46e2beb9"
        unpacked_sample_sha1 = "ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $class_name = "AVCObfuscation"
        $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }
    condition:
        $class_name and $scrambled_dir
}

rule Trojan_Win32_Plaplex : Platinum
{
    meta:
        author = "Microsoft"
        description = "Variant of the JPin backdoor"
        original_sample_sha1 = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66"
        unpacked_sample_sha1 = "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $class_name1 = "AVCObfuscation"
        // the definition of $class_name2 is not preserved in this copy of the rule
    condition:
        $class_name1 and $class_name2
}
rule Trojan_Win32_Dipsind_B : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind Family"
        sample_sha1 = "09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $frg1 = { 8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00 }
        $frg2 = { 68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA }
        $frg3 = { C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63 }
    condition:
        $frg1 and $frg2 and $frg3
}

rule Trojan_Win32_PlaKeylog_B : Platinum
{
    meta:
        author = "Microsoft"
        description = "Keylogger component"
        original_sample_sha1 = "0096a3e0c97b85ca75164f48230ae530c94a2b77"
        unpacked_sample_sha1 = "6a1412daaa9bdc553689537df0a004d44f8a45fd"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $hook = { C6 06 FF 46 C6 06 25 }
        $dasm_engine = { 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05 }
    condition:
        $hook and $dasm_engine
}
rule Trojan_Win32_Adupib : Platinum
{
    meta:
        author = "Microsoft"
        description = "Adupib SSL Backdoor"
        original_sample_sha1 = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd"
        unpacked_sample_sha1 = "a80051d5ae124fd9e5cc03e699dd91c2b373978b"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "POLL_RATE"
        $str2 = "OP_TIME(end hour)"
        $str3 = "%d:TCP:*:Enabled"
        $str4 = "%s[PwFF_cfg%d]"
        $str5 = "Fake_GetDlgItemTextW: ***value***="
    condition:
        $str1 and $str2 and $str3 and $str4 and $str5
}

rule Trojan_Win32_PlaLsaLog : Platinum
{
    meta:
        author = "Microsoft"
        original_sample_sha1 = "fa087986697e4117c394c9a58cb9f316b2d9f7d8"
        unpacked_sample_sha1 = "29cb81dbe491143b2f8b67beaeae6557d8944ab4"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E 81 C4 04 01 00 00 C3 }
        $str2 = "PasswordChangeNotify"
    condition:
        $str1 and $str2
}
rule Trojan_Win32_Plagon : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "48b89f61d58b57dba6a0ca857bce97bab636af65"
        unpacked_sample_sha1 = "6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "VPLRXZHTU"
        $str2 = { 64 6F 67 32 6A 7E 6C }
        $str3 = "Dqpqftk(Wou\"Isztk)"
        $str4 = "StartThreadAtWinLogon"
    condition:
        $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Plakelog : Platinum
{
    meta:
        author = "Microsoft"
        description = "Raw-input based keylogger"
        original_sample_sha1 = "3907a9e41df805f912f821a47031164b6636bd04"
        unpacked_sample_sha1 = "960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "<0x02>" wide    // garbled in this copy; reconstructed
        $str2 = "[CTR-BRK]" wide
        $str3 = "[/WIN]" wide
        $str4 = { 8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B }
    condition:
        $str1 and $str2 and $str3 and $str4
}
rule Trojan_Win32_Plainst : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb"
        unpacked_sample_sha1 = "dcb6cf7cf7c8fdfc89656a042f81136bda354ba6"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04 }
        $str2 = { 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
    condition:
        $str1 and $str2
}

rule Trojan_Win32_Plagicom : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e"
        unpacked_sample_sha1 = "c1c950bc6a2ad67488e675da4dfc8916831239a7"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 }    // pattern truncated in this copy
        $str2 = "OUEMM/EMM"
        $str3 = { 85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3 }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Placisc2 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "bf944eb70a382bd77ee5b47548ea9a4969de0527"
        unpacked_sample_sha1 = "d807648ddecc4572c7b04405f496d25700e0be6e"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA }
        $str2 = "VPLRXZHTU"
        $str3 = "%d) Command:%s"
        $str4 = { 0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A }
    condition:
        $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Placisc3 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "1b542dd0dacfcd4200879221709f5fa9683cdcda"
        unpacked_sample_sha1 = "bbd4992ee3f3a3267732151636359cf94fb4575d"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 }    // pattern truncated in this copy
        $str2 = "VPLRXZHTU"
        $str3 = { 8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03 }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Placisc4 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer for Dipsind variant"
        original_sample_sha1 = "3d17828632e8ff1560f6094703ece5433bc69586"
        unpacked_sample_sha1 = "2abb8e1e9cac24be474e4955c63108ff86d1a034"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A }
        $str2 = { 6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5 }
        $str3 = { C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 }    // pattern truncated in this copy
    condition:
        $str1 and $str2 and $str3
}
rule Trojan_Win32_Plakpers : Platinum
{
    meta:
        author = "Microsoft"
        description = "Injector / loader component"
        original_sample_sha1 = "fa083d744d278c6f4865f095cfd2feabee558056"
        unpacked_sample_sha1 = "3a678b5c9c46b5b87bfcb18306ed50fadfc6372e"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "MyFileMappingObject"
        $str2 = "[%.3u] %s %s %s [%s:" wide
        $str3 = "%s\\{%s}\\%s" wide    // path separators assumed; they are dropped in this copy
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plainst2 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Zc tool"
        original_sample_sha1 = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2"
        unpacked_sample_sha1 = "88ff852b1b8077ad5a19cc438afb2402462fbd1a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "Connected [%s:%d]..."
        $str2 = "reuse possible: %c"
        $str3 = "] = %d%%\x0a"    // one character before "=" is unreadable in this copy
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plakpeer : Platinum
{
    meta:
        author = "Microsoft"
        description = "Zc tool v2"
        original_sample_sha1 = "2155c20483528377b5e3fde004bb604198463d29"
        unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "@@E0020(%d)" wide
        $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide
        $str3 = "---###---" wide    // separators between the tokens may be lost in this copy
        $str4 = "---@@@---" wide
    condition:
        $str1 and $str2 and $str3 and $str4
}
rule Trojan_Win32_Plaklog : Platinum
{
    meta:
        author = "Microsoft"
        description = "Hook-based keylogger"
        original_sample_sha1 = "831a5a29d47ab85ee3216d4e75f18d93641a9819"
        unpacked_sample_sha1 = "e18750207ddbd939975466a0e01bd84e75327dda"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "++[%s^^unknown^^%s]++"
        $str2 = "vtfs43/emm"
        $str3 = { 33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plapiio : Platinum
{
    meta:
        author = "Microsoft"
        description = "JPin backdoor"
        original_sample_sha1 = "3119de80088c52bd8097394092847cd984606c88"
        unpacked_sample_sha1 = "3acb8fe2a5eb3478b4553907a571b6614eb5455c"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "ServiceMain"
        $str2 = "Startup"
        $str3 = { C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D }
    condition:
        $str1 and $str2 and $str3
}
rule Trojan_Win32_Plabit : Platinum
{
    meta:
        sample_sha1 = "d1169775a552230302131f9385135d385efd166"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
        $str2 = "GetInstanceW"
        $str3 = { 8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE }
    condition:
        $str1 and $str2 and $str3
}