OPERATION 'Arabian Night'

2017-05-12 ESTSecurity

http://blog.alyac.co.kr/attachment/[email protected]

Attachments

cfile4.uf996DB6365A7253830AD55C.pdf (1 MB)

ESTsecurity's analysis of Operation Arabian Night centres on a malicious Word document titled "Hanssak System" that used social-engineering text to persuade the recipient to enable macros. Once the macros ran, the document XOR-decoded and dropped two files: a decoy Kuipernet installation survey document and a bot named svchost.exe, which copied itself as java.exe, registered JavaUpdate persistence, collected host and system information, and contacted four C2 IP addresses located in South Korea. The bot supported commands for disk and process discovery, file listing and theft, program execution, C2 reconfiguration, communication checks, timestamp changes, and destructive file operations. Metadata and code similarities linked this document set, authored under the name "sinbad", to earlier IsOne-related Shadow Play material: a similar macro structure, the same way of constructing CMD strings, and the same forensic-resistant file deletion behaviour.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 221.138.17.152 2017-04-07 2020-02-25
HASH 78e8c150481107d7a5ed99e7e420fd24 2017-05-12 2018-09-24
IPv4 211.233.13.62 2017-04-07 2018-04-11
HASH 8f47377f880cef626c30bcd3a68bfed0 2017-05-12 2017-05-12
HASH 2a161b4b7edcefa8afb06074b9d5b109 2017-05-12 2017-05-12
HASH e656e1e46e3ad644f9701378490880e2 2017-05-12 2017-05-12
HASH 8a5815d8213a0a35cffd38f2916b5a3c 2017-05-12 2017-05-12
HASH 853017d8231acf6aa912fb4a146ffd46 2017-05-12 2017-05-12
HASH a24582e2a9162f32d09349953fac52b1 2017-05-12 2017-05-12
HASH 45a88f2748b19690c4bf4f6e76f26389 2017-05-12 2017-05-12
HASH a16dad1248433bbad204ab4705afc47a 2017-05-12 2017-05-12
HASH 39b32e5fcec968631b6badeaf9bd517c 2017-05-12 2017-05-12
HASH 9728d9daa55bf2ad69dc9d89dbc9969b 2017-05-12 2017-05-12
HASH 01a07e5a28e53a5bc541d178fe229599 2017-05-12 2017-05-12
HASH 2b78a7f0cd2efb69bdacff9b9c59f9cc 2017-05-12 2017-05-12
HASH cefa6225208e4fd18e326c860398b0ac 2017-05-12 2017-05-12
HASH f450e6c90e9a3a907690fb66f08c8b49 2017-05-12 2017-05-12
HASH 3b13b419fa2e3fe7e93cf64cdd615a38 2017-05-12 2017-05-12
HASH 8672b3d11af66f45fd1baf0575f17c09 2017-05-12 2017-05-12
HASH 59b9fe0e284abc7f5d1017babf861db1 2017-05-12 2017-05-12
HASH c01a91a26dd90363f0ab90d5163a3c5f 2017-05-12 2017-05-12
HASH 7c4c8fa64b8a1d83ad171a841e4bb084 2017-05-12 2017-05-12
HASH e3b56b7bf01b029a6d929effa387f40b 2017-05-12 2017-05-12
HASH 58f87d07a46ccc284bc5d62b32fcbc27 2017-05-12 2017-05-12
HASH 3a6b48de605ac9e58ffd83d87db650eb 2017-05-12 2017-05-12
HASH 690f9a8bd0cae60aa75cb2c328d3ceac 2017-05-12 2017-05-12
HASH 2f9353046222a49317c9db3be4cd1e12 2017-05-12 2017-05-12
HASH 4ae49bc0ddffcf1ab5fa33faae966e98 2017-05-12 2017-05-12
HASH aeb690d932153c82881365aa2003af53 2017-05-12 2017-05-12
HASH 9fc67f7b83438067ec64202fbaf4bda… 2017-05-12 2017-05-12
HASH 380e87b6f8b2cd2349a6794f16edadde 2017-05-12 2017-05-12
HASH e4103ece1e3a2d9bc23954c0b4e2ff96 2017-05-12 2017-05-12
HASH b98bbc9b1158a6879da82357c2326644 2017-05-12 2017-05-12
HASH d47dc7af8814422dd36801c158707359 2017-05-12 2017-05-12
URL http://www.kuipernet.co.kr/about 2017-05-12 2017-05-12
URL http://www.kuipernet.co.kr/supp… 2017-05-12 2017-05-12
HASH cec26d8629c5f223a120677a5c7fbd8… 2017-04-07 2017-05-12
IPv4 211.49.171.243 2017-04-07 2017-05-12
IPv4 211.236.42.52 2017-04-07 2017-05-12
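A defender's first use of a table like the one above is a retrospective sweep of existing telemetry. The script below is an added example, not code from ESTsecurity's report: it parses a subset of the indicators listed above (rows the page shows truncated are left out), extracts IPv4, MD5 and URL tokens from proxy log lines and a host file-hash inventory, and reports every match. Both the proxy log and the inventory are constructed sample data; the page does not say which sample the hash in the inventory belongs to, so the file path beside it is arbitrary.

```python
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "kind value")
Hit = namedtuple("Hit", "source line indicator")

# Indicator rows copied from the table above; rows the page shows truncated are left out.
IOC_TABLE = """\
IPv4 221.138.17.152
IPv4 211.233.13.62
IPv4 211.49.171.243
IPv4 211.236.42.52
HASH 78e8c150481107d7a5ed99e7e420fd24
HASH 8f47377f880cef626c30bcd3a68bfed0
HASH 2a161b4b7edcefa8afb06074b9d5b109
URL http://www.kuipernet.co.kr/about
"""


def parse_iocs(table):
    """Turn 'TYPE VALUE ...' rows into {type: set(values)}; MD5s are lower-cased."""
    iocs = {}
    for row in table.splitlines():
        parts = row.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "HASH":
            value = value.lower()
        iocs.setdefault(kind, set()).add(value)
    return iocs


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def scan_line(line, iocs, source="log"):
    """Extract every IPv4, MD5 and URL token from one line and look each up in the IoC sets."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in iocs.get("IPv4", set()):
            hits.append(Hit(source, line, Indicator("IPv4", ip)))
    for digest in MD5_RE.findall(line):
        if digest.lower() in iocs.get("HASH", set()):
            hits.append(Hit(source, line, Indicator("HASH", digest.lower())))
    for url in URL_RE.findall(line):
        url = url.rstrip("/")
        if url in iocs.get("URL", set()):
            hits.append(Hit(source, line, Indicator("URL", url)))
    return hits


def sweep(lines_by_source, iocs):
    """Run scan_line over every line of every named source and collect the hits."""
    hits = []
    for source, lines in lines_by_source.items():
        for line in lines:
            hits.extend(scan_line(line, iocs, source))
    return hits


# Constructed sample telemetry (not from the report). The proxy log shows a
# process named java.exe connecting to a listed C2 address; the host inventory
# pairs an arbitrary file path with one of the listed hashes.
PROXY_LOG = [
    "2017-05-15 09:12:03 10.0.0.7 CONNECT 221.138.17.152:80 java.exe",
    "2017-05-15 09:12:09 10.0.0.7 GET http://www.kuipernet.co.kr/about winword.exe",
    "2017-05-15 09:13:41 10.0.0.9 GET http://example.com/index.html chrome.exe",
]
HOST_INVENTORY = [
    r"C:\Users\alice\AppData\Roaming\unknown.bin 78e8c150481107d7a5ed99e7e420fd24",
    r"C:\Program Files\Java\jre8\bin\java.exe 00000000000000000000000000000000",
]


def run_sweep():
    """Sweep the constructed telemetry against the IoC table; returns the list of hits."""
    return sweep({"proxy": PROXY_LOG, "host": HOST_INVENTORY}, parse_iocs(IOC_TABLE))


if __name__ == "__main__":
    for hit in run_sweep():
        print(f"[{hit.source}] {hit.indicator.kind} {hit.indicator.value}: {hit.line}")
```

Hits carry the matched indicator and the raw line, so they can be triaged by type: the C2 addresses and sample hashes are the high-confidence signals, while the kuipernet.co.kr URLs, which the page lists alongside the decoy Kuipernet document, deserve a second look before being treated as compromise on their own.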
