{
    "type": "bundle",
    "id": "bundle--d4fb15ff-c435-4e37-a4e2-a1b2d743fb8f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--99f7ec53-5be5-4fbe-8e20-06a244fbb703",
            "created": "2023-03-08T12:51:46.782365Z",
            "modified": "2023-03-08T13:21:39.376208Z",
            "name": "PWC",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5cf32b88-bb0a-4d46-8ade-cac42b8d6ffe",
            "created": "2026-06-24T21:04:38.557484Z",
            "modified": "2026-06-24T21:04:38.557484Z",
            "name": "YARA Rule: Microsoft_Signed_DLL_With_High_Entropy_Data_After_Digital_Signature",
            "pattern": "import \"pe\"\r\nimport \"math\"\r\n\r\nrule Microsoft_Signed_DLL_With_High_Entropy_Data_After_Digital_Signature : Heuristic_and_General {\r\n\tmeta:\r\n\t\tdescription = \"Detects Windows signed DLLs that have had a payload encrypted and embedded in the digital signature section which is at least 50KB in size (seen by APT10 with its DESLoader/SigLoader campaigns)\"\r\n\t\tTLP = \"WHITE\"\r\n\t\tauthor = \"PwC Cyber Threat Operations :: BitsOfBinary\"\r\n\t\tcopyright = \"Copyright PwC UK 2021 (C)\"\r\n\t\tlicense = \"Apache License, Version 2.0\"\r\n\t\tcreated_date = \"2021-02-19\"\r\n\t\tmodified_date = \"2021-02-19\"\r\n\t\trevision = \"0\"\r\n\t\thash = \"8ef94327cab01af04a83df86a662f3abe9ae35aa1084eff7273d8292941bebdb\"\r\n\t\thash = \"69adaf19cc19594e0193da88597b6af886f1c0e148ad980fa0fe3f9250d52332\"\r\n\t\thash = \"697be6add418ca9e1ebcef6cc6fdbb6277851e1892e48264b1e6720e48122c40\"\r\n\t\treference = \"https://www.lac.co.jp/lacwatch/report/20201201_002363.html\"\r\n\tstrings:\r\n\t\t$timestamp = \"Microsoft Time-Stamp PCA\"\r\n\tcondition:\r\n\t\t// Start with some initial conditions to rule out most samples (e.g. check that it's a DLL with one signature from Microsoft)\r\n\t\tuint16(0) == 0x5A4D and filesize < 1MB and (pe.characteristics & pe.DLL) and pe.number_of_signatures == 1 and for any sig in pe.signatures : (\r\n\t\t\tsig.subject contains \"O=Microsoft Corporation\" and\r\n\t\t\tsig.subject contains \"CN=Microsoft Windows\"\r\n\t\t) and\r\n\t\t// Sanity check that the timestamp string we're looking for is actually in the digital signature section\r\n\t\t// (the security directory's virtual_address is a raw file offset, unlike the other data directories, so it is comparable with the @timestamp offset)\r\n\t\t// Throughout these next conditions, we only care about the last timestamp string, i.e. @timestamp[#timestamp]\r\n\t\t(\r\n\t\t\t@timestamp[#timestamp] > pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address and\r\n\t\t\t@timestamp[#timestamp] < (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address + pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size)\r\n\t\t) and\r\n\t\t// Check that the extra data at the end of the digital signature section is greater than roughly 5KB\r\n\t\t// NOTE(review): the meta description says \"at least 50KB\", but the threshold here is 5000 bytes (~5KB) as this comment states; confirm the intended value before tuning\r\n\t\t(\r\n\t\t\tpe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size - (@timestamp[#timestamp] - pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address) > 5000\r\n\t\t) and\r\n\t\t// Extra check to make sure the entropy of this extra data is very high (i.e. encrypted)\r\n\t\t(\r\n\t\t\tmath.entropy(@timestamp[#timestamp], (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size - (@timestamp[#timestamp] - pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address))) > 6\r\n\t\t)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2022-04-29T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--97073c51-3857-44cd-8d14-7fd44500b8a5",
            "created": "2026-06-24T21:04:38.558636Z",
            "modified": "2026-06-24T21:04:38.558636Z",
            "name": "YARA Rule: Red_Lich_Encoded_PlugX",
            "pattern": "import \"math\"\r\n\r\nrule Red_Lich_Encoded_PlugX : Red_Lich {\r\n\tmeta:\r\n\t\tdescription = \"Detects PlugX payloads that have been encoded with a multi-byte XOR key (of varying length) that is stored at the start of the file. Many of these decoded payloads are associated with Mustang Panda.\"\r\n\t\tTLP = \"WHITE\"\r\n\t\tauthor = \"PwC Cyber Threat Operations\"\r\n\t\tcopyright = \"Copyright PwC UK 2021 (C)\"\r\n\t\tcreated_date = \"2021-03-31\"\r\n\t\tmodified_date = \"2021-10-29\"\r\n\t\trevision = \"3\"\r\n\t\thash = \"5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028\"\r\n\t\thash = \"d69d200513a173aff3a4b2474ccc11812115c38a5f27f7aafe98b813c3121208\"\r\n\t\thash = \"94c7965e0fba7deb71ca0ff7901b1a1074b41140528ea5bc75a14dfbd3782c8b\"\r\n\t\thash = \"56e9b0c2b87d45ee0c109fb71d436621c7ada007f1bd3d43c3e8cf89c0182b90\"\r\n\t\treference = \"https://twitter.com/dtcert/status/1454022175254618114\"\r\n\tstrings:\r\n\t\t$dos = \"This program cannot be run in DOS mode.\"\r\n\tcondition:\r\n\t\t// Rule out some file headers\r\n\t\t(\r\n\t\t\tuint16(0) != 0x5A4D and //PE\r\n\t\t\tuint32(0) != 0x464c457f and //ELF\r\n\t\t\tuint32be(0) != 0x504B0304 and //ZIP\r\n\t\t\tuint32be(0) != 0x41564620 and //AVF\r\n\t\t\tuint32be(0) != 0x414b504b and //PKG\r\n\t\t\t// NOTE(review): as written this excludes any file whose third byte is '3', not only ID3 headers; harmless for true positives because the key check below requires bytes 0..3 to be alphabetic\r\n\t\t\tuint16be(0) != 0x4944 and uint8(2) != 0x33 and //MP3\r\n\t\t\tuint32be(0) != 0x25504446 and //PDF\r\n\t\t\tuint32be(0) != 0xd0cf11e0 and //PPT\r\n\t\t\tuint32be(0) != 0x4d534346 and //CAB\r\n\t\t\tuint32be(0) != 0x556e6974 and //Unity\r\n\t\t\tuint32be(0) != 0x38425053 and //PSD\r\n\t\t\tuint32be(0) != 0x63616666 and //caff\r\n\t\t\tuint32be(0) != 0x64617461 and //data\r\n\t\t\tuint32be(0) != 0x664c6143 and //fLaC\r\n\t\t\tuint32be(0) != 0x424b504b // BKPK\r\n\t\t) and\r\n\t\t(\r\n\t\t\tnot $dos\r\n\t\t) and\r\n\t\t// Strict filesize\r\n\t\t(filesize > 50KB and filesize < 800KB) and\r\n\t\t// Check if there is an XOR key at the beginning of the file in the range [A-Za-z], terminated by a null byte at offset 4..0x1F\r\n\t\tfor any i in (4 .. 0x1F) : (\r\n\t\t\tuint8(i) == 0x00 and for all j in (0 .. i-1) : (\r\n\t\t\t\tfor any k in (0x41 .. 0x5A) : (\r\n\t\t\t\t\tuint8(j) == k\r\n\t\t\t\t) or for any k in (0x61 .. 0x7A) : (\r\n\t\t\t\t\tuint8(j) == k\r\n\t\t\t\t)\r\n\t\t\t)\r\n\t\t) and\r\n\t\t// Entropy should be sufficiently high\r\n\t\t(math.entropy(0, filesize) >= 6.8 and math.entropy(0, filesize) < 7.9) and\r\n\t\t// Check that the last 10 characters are in the range [A-Za-z]\r\n\t\tfor all i in (filesize - 10 .. filesize - 1) : (\r\n\t\t\tfor any j in (0x41 .. 0x5A) : (\r\n\t\t\t\tuint8(i) == j\r\n\t\t\t) or for any j in (0x61 .. 0x7A) : (\r\n\t\t\t\tuint8(i) == j\r\n\t\t\t)\r\n\t\t)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2022-04-29T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e05f388b-26b0-408d-ab4f-2951bbf096bc",
            "hashes": {
                "SHA-256": "56e9b0c2b87d45ee0c109fb71d436621c7ada007f1bd3d43c3e8cf89c0182b90"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2126f852-1c81-445c-8faa-2a00241f0030",
            "hashes": {
                "SHA-256": "d69d200513a173aff3a4b2474ccc11812115c38a5f27f7aafe98b813c3121208"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--09890785-73f6-4a20-9a67-304a73742b95",
            "hashes": {
                "SHA-256": "69adaf19cc19594e0193da88597b6af886f1c0e148ad980fa0fe3f9250d52332"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f9de83b8-38e3-4327-8fb9-1069c7bf6a2c",
            "hashes": {
                "SHA-256": "8ef94327cab01af04a83df86a662f3abe9ae35aa1084eff7273d8292941bebdb"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5a4ec582-a1d2-4a34-a297-c894fa50185c",
            "hashes": {
                "SHA-256": "94c7965e0fba7deb71ca0ff7901b1a1074b41140528ea5bc75a14dfbd3782c8b"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f5cccd18-6bec-465d-99f7-2820233c9c49",
            "hashes": {
                "SHA-256": "5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2396629b-0c6a-4889-baad-0ea04ec62a9b",
            "hashes": {
                "SHA-256": "697be6add418ca9e1ebcef6cc6fdbb6277851e1892e48264b1e6720e48122c40"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--664f81bb-0b40-438b-a7a0-5f77ca1786ac",
            "value": "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/#_Technical_Analysis:_"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--b83500ba-ba4a-4444-acbc-bcb7ab5f3f7b",
            "value": "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--67f6f658-b21a-4632-acb1-452397dd3107",
            "value": "https://www.technologyreview.com/2021/09/23/1036140/2021record-0-day-hacks-reasons/"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--98fccac2-98d9-4999-8303-20cd4dabc3c4",
            "value": "mail-mailbox-microsoft.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--bd056837-919d-4c4b-893c-dc712019bd56",
            "value": "micr0soft.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--cc98da72-4f8b-4c04-bfb4-50c443b60433",
            "value": "attack.mitre"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--98745c2b-0829-5825-903b-bc3d49555baa",
            "created": "2026-06-24T21:04:38.572014Z",
            "modified": "2026-06-24T21:04:38.572014Z",
            "name": "BlackBanshee"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--da6a0bdd-e672-5472-8528-f46a25c7d852",
            "created": "2026-06-24T21:04:38.574858Z",
            "modified": "2026-06-24T21:04:38.574858Z",
            "name": "BlackAlicanto"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--09ac1f23-1d9c-46f5-8e69-84e8129f05cd",
            "created_by_ref": "identity--99f7ec53-5be5-4fbe-8e20-06a244fbb703",
            "created": "2026-06-24T21:04:38.696536Z",
            "modified": "2026-06-24T21:04:38.696536Z",
            "name": "Cyber Threats 2021: A Year in Retrospect",
            "published": "2022-04-29T00:00:00Z",
            "object_refs": [
                "identity--99f7ec53-5be5-4fbe-8e20-06a244fbb703",
                "indicator--5cf32b88-bb0a-4d46-8ade-cac42b8d6ffe",
                "indicator--97073c51-3857-44cd-8d14-7fd44500b8a5",
                "file--e05f388b-26b0-408d-ab4f-2951bbf096bc",
                "file--2126f852-1c81-445c-8faa-2a00241f0030",
                "file--09890785-73f6-4a20-9a67-304a73742b95",
                "file--f9de83b8-38e3-4327-8fb9-1069c7bf6a2c",
                "file--5a4ec582-a1d2-4a34-a297-c894fa50185c",
                "file--f5cccd18-6bec-465d-99f7-2820233c9c49",
                "file--2396629b-0c6a-4889-baad-0ea04ec62a9b",
                "url--664f81bb-0b40-438b-a7a0-5f77ca1786ac",
                "url--b83500ba-ba4a-4444-acbc-bcb7ab5f3f7b",
                "url--67f6f658-b21a-4632-acb1-452397dd3107",
                "domain-name--98fccac2-98d9-4999-8303-20cd4dabc3c4",
                "domain-name--bd056837-919d-4c4b-893c-dc712019bd56",
                "domain-name--cc98da72-4f8b-4c04-bfb4-50c443b60433",
                "threat-actor--98745c2b-0829-5825-903b-bc3d49555baa",
                "threat-actor--da6a0bdd-e672-5472-8528-f46a25c7d852"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf"
                }
            ]
        }
    ]
}