Threat information regarding the targeted attack group that carried out the attack campaign "Operation Bitter Biscuit"

2021-01-17 JPCERT Threat information regarding the targeted attack group that carried out the attack campaign "Operation Bitter Biscuit"

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf

Attachments

JSAC2020_3_takai_jp.pdf (3 MB)


The JSAC presentation analyzes Operation Bitter Biscuit, a targeted attack campaign reported by multiple security vendors against government, military, defense, and some IT targets. The observed intrusion began with a compressed file attached to a targeted email, which abused CVE-2018-20250 in WinRAR or the Microsoft Word add-in folder to launch a dropper. The material details persistence through the Run registry key, the first-stage and second-stage backdoors, their C2 commands, downloaded files such as Acrobat.exe, and a comparison of Bisonal variants.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN 3gstudent.github.io 2021-01-17 2024-10-03
HASH 6e9491d40225995e59194ae70f174226 2021-01-17 2021-01-17
HASH 46c3dbf662b827d898c593ca22f50231 2021-01-17 2021-01-17
HASH e533247f71aa1c28e89803d6fe61ee58 2021-01-17 2021-01-17
HASH fee03709c03ad49846a9af6aa973c27d 2021-01-17 2021-01-17
HASH aa3e738f0a1271c2dc13722b0c2b5d19 2021-01-17 2021-01-17
HASH 8a9b594a1da07e7309c9a3613356e5c7 2021-01-17 2021-01-17
HASH 3008ac3ccd5d9df590878f2893cf8477 2021-01-17 2021-01-17
HASH bec5bf2bd310b887460103924f13962c 2021-01-17 2021-01-17
HASH ad3adc82db44b1655a921e5fdd0cbb40 2021-01-17 2021-01-17
HASH e6ab1aeb7c6ba5290309c327ea6ddc58 2021-01-17 2021-01-17
HASH 56df97ae98aab8200801c3100bc31d26 2021-01-17 2021-01-17
HASH d2d36a668cb1e3e9f9dced3a59b19ec4 2021-01-17 2021-01-17
HASH 802312f75c4e4214eb7a638aecc48741 2021-01-17 2021-01-17
HASH 5dab4eade11006d7d81a3f0fd8fe050f 2021-01-17 2021-01-17
HASH c0d5f9b93e799099dd07342f61c46cd1 2021-01-17 2021-01-17
HASH 3bfcc37fa750bf6ff4a2217a3970bbaf 2021-01-17 2021-01-17
HASH 1c2b058a55434f6c9066b493fe8024ce 2021-01-17 2021-01-17
HASH ea084cde17c0167e12b724d2b8cc97b4 2021-01-17 2021-01-17
HASH 9a484560846be80d34c70efe44069c1a 2021-01-17 2021-01-17
HASH 6f7faf801464e2858ce6328ead6887ab 2021-01-17 2021-01-17
HASH e354f8767b7077655c315c210f152947 2021-01-17 2021-01-17
HASH 0b24fffce8a5def63214dbe04ab05bb1 2021-01-17 2021-01-17
HASH e06205ca2c80ad7870f29de8fae60be7 2021-01-17 2021-01-17
HASH 775a4a957aed69c0a907756793dcec4b 2021-01-17 2021-01-17
HASH 423262f84fcd3e6eeeb6e9898991ac69 2021-01-17 2021-01-17
HASH cbabcdf63e6b4196f71df444a8658eec 2021-01-17 2021-01-17
HASH 1b31c41b3dc1e31c56946b8fd8ae8a1a 2021-01-17 2021-01-17
HASH b3c93ff309351cb531be33fbd4ed7188 2021-01-17 2021-01-17
HASH eeb9e9b187bdf25fab41680952c32dd5 2021-01-17 2021-01-17
HASH b59d9bce9fbfe49b2bacf2019d8cfb2e 2021-01-17 2021-01-17
HASH 95f941b8d393c515771b1eebc583fc20 2021-01-17 2021-01-17
HASH b9471a911a76c4aaacd0d16e6fa55e9b 2021-01-17 2021-01-17
HASH b871d9c06f84043e9ff9fc606da1a423 2021-01-17 2021-01-17
HASH f10ee63e777617def660d6ca881a7cff 2021-01-17 2021-01-17
HASH 54e3237ece37203723f36400963e2da2 2021-01-17 2021-01-17
HASH e0c5a23fb845b5089c8527c3fa55082f 2021-01-17 2021-01-17
HASH 96c2d3af9e3c2216cd9c9342f82e6cf9 2021-01-17 2021-01-17
URL https://3gstudent.github.io/3gs… 2021-01-17 2021-01-17
DOMAIN lovehome.zzux.com 2021-01-17 2021-01-17
IPv4 12.12.12.254 2021-01-17 2021-01-17
IPv4 12.12.12.12 2021-01-17 2021-01-17
