Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign targeting a wide range of industries, including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign. For a brief overview of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.”
Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.
Furthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to …
IoC