OnionDog is not a Targeted Attack—It’s a Cyber Drill
2017-08-09 • Trend Micro
https://www.trendmicro.com/en_us/research/17/h/oniondog-not-targeted-attack-cyber-drill.html
Trend Micro reassessed OnionDog activity that had been publicly linked to alleged attacks on South Korean energy and transportation organizations and concluded the samples were part of cyber drills rather than a targeted intrusion campaign. Historical passive DNS and HTTP-response evidence tied most cited C2 IP addresses back to South Korea's National Cyber Security Center, while older samples displayed Ulchi drill infection messages during exercise windows. Later OnionDog samples used .onion.city C2 domains, dropped multiple resources, bypassed UAC, installed Windows services, sent basic host information, and could download second-stage payloads. The report matters because about 200 OnionDog samples were found in the wild, showing how live or simulated malware used in exercises can leak tradecraft and create attribution and response confusion.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 46fb5bcea417d7ff38edff7e39982aa… | 2017-08-09 | 2017-08-09 |
| HASH | fa5799c25b5ea2ecb24ee982a202e68… | 2017-08-09 | 2017-08-09 |
| HASH | fd03f3f65979ec7b8b6055f92f023b0… | 2017-08-09 | 2017-08-09 |
| HASH | f8c71f34a6cfdc9e3c4a0061d5e395f… | 2017-08-09 | 2017-08-09 |
| HASH | 7564990506f59660c1a434ce1526b2a… | 2017-08-09 | 2017-08-09 |
| HASH | b35b7a1b437d5998b77e10fdbf16686… | 2017-08-09 | 2017-08-09 |
| HASH | 65d226469d6bdb1e7056864fe6d3866… | 2017-08-09 | 2017-08-09 |
| HASH | 0ea456fd1274a784924d27beddc1a5c… | 2017-08-09 | 2017-08-09 |
| HASH | 19e3aa92bc16915d9f3ff17731caf43… | 2017-08-09 | 2017-08-09 |
| HASH | 6dd79b5b9778dc0b0abefa261933214… | 2017-08-09 | 2017-08-09 |
| HASH | 1e926d83c25320bcc1f9497898deac0… | 2017-08-09 | 2017-08-09 |
| HASH | caf4b03118e5c5580c67b094d58389a… | 2017-08-09 | 2017-08-09 |
| HASH | 04e87e473d34974874dd0a5289433c9… | 2017-08-09 | 2017-08-09 |
| HASH | 7461e8b7416bf8878d20a696a27ccf3… | 2017-08-09 | 2017-08-09 |
| HASH | 999c1d4c070e6817c3d447cf9b9869b… | 2017-08-09 | 2017-08-09 |
| HASH | 1ffa34f88855991bdc9a153e01c9e18… | 2017-08-09 | 2017-08-09 |
| HASH | 8b91cfd40529b5667bbdab970d8dba0… | 2017-08-09 | 2017-08-09 |
| HASH | e20d0a8e1dec96ed20bd476323409f8… | 2017-08-09 | 2017-08-09 |
| HASH | dbb0878701b8512daa057c93d9653f9… | 2017-08-09 | 2017-08-09 |
| IPv4 | 222.107.13.113 | 2017-08-09 | 2017-08-09 |
| IPv4 | 221.149.223.209 | 2017-08-09 | 2017-08-09 |
| IPv4 | 220.85.160.3 | 2017-08-09 | 2017-08-09 |
| IPv4 | 218.153.172.53 | 2017-08-09 | 2017-08-09 |
| IPv4 | 218.145.131.130 | 2017-08-09 | 2017-08-09 |
| IPv4 | 221.149.32.213 | 2017-08-09 | 2017-08-09 |
| IPv4 | 112.169.154.65 | 2017-08-09 | 2017-08-09 |
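The table above is most useful when it is actually run against telemetry. The following is an added example, not Trend Micro's code and not part of the original report: it loads the seven IPv4 indicators from the table and the .onion.city C2 domain pattern the summary describes, then scans a handful of constructed DNS and proxy log lines for either. The hashes are left out because the page lists them truncated; the log format and the `abcdefghij.onion.city` hostname are constructed for the example and are not indicators from the report.

```python
"""Match the OnionDog network indicators listed above against log lines.

Added example (not Trend Micro's code). The IPv4 set is copied from the
table on this page; the .onion.city suffix is the C2 domain pattern the
summary attributes to later OnionDog samples. Log lines are constructed.
"""
import ipaddress
import re

# IPv4 C2 indicators copied verbatim from the table above.
ONIONDOG_C2_IPS = {
    "222.107.13.113", "221.149.223.209", "220.85.160.3", "218.153.172.53",
    "218.145.131.130", "221.149.32.213", "112.169.154.65",
}

# Tor-gateway style suffix the report names for later samples' C2 domains.
SUSPICIOUS_DOMAIN_SUFFIX = ".onion.city"

# Loose tokenisers: candidate dotted quads and candidate hostnames.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample telemetry (DNS resolver log + forward-proxy log).
SAMPLE_LOG = [
    "2017-08-09T10:00:01Z dns client=10.0.0.5 query=updates.example.com type=A",
    "2017-08-09T10:00:07Z dns client=10.0.0.5 query=abcdefghij.onion.city type=A",
    "2017-08-09T10:00:09Z proxy src=10.0.0.5 dst=222.107.13.113:80 GET /",
    "2017-08-09T10:01:30Z proxy src=10.0.0.6 dst=8.8.8.8:443 CONNECT",
]


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(candidate)  # reject octets > 255
        except ValueError:
            continue
        if candidate in ONIONDOG_C2_IPS:
            hits.append(("c2_ip", candidate))
    for domain in DOMAIN_RE.findall(line):
        if domain.lower().endswith(SUSPICIOUS_DOMAIN_SUFFIX):
            hits.append(("onion_gateway_domain", domain.lower()))
    return hits


def scan_log(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Because the report concludes these samples came from exercises, a hit on one of these IPs in historical data is as likely to mean a drill participant as a compromise; the match is a prompt to check the time window and the HTTP response content, which is how the report reached its attribution.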