Hidden Cobra - from a shed skin to the viper’s nest
Introduction
Large malware campaigns with the potential to cause severe damage and operational problems on a nationwide scale often attract the attention of government institutions like the FBI, DHS and similar organizations. To help prevent further malicious activity and reduce the malware’s damage potential, these institutions produce technical reports that describe the malware in detail.
While those threat reports can have varying levels of detail and technical complexity, they almost always include a list of IOCs (Indicators of Compromise) with information about file samples and infrastructure used in the malicious campaigns. Defenders then use those IOCs to detect malicious activity in their networks. Even though using the IOC lists is a good way to strengthen a company's network security, it is hard to tell how comprehensive they are and how many sample and infrastructure variants they cover.
If a malicious campaign is highly targeted, the malware samples will most likely be adapted …
IoC
03138278b603bc120b2cba001a8adb0b2d7d82ea
0faf5540bcb8782dd70bcb31f3aa9baf7e65a043
14b681e0c9ce9a02f2fb093927f043bbb608afc6
17e5e9fcd31ba8df50ef5474c27121615d704b8f
221.161.45.202
29ddf9baad018518060814a03d424f4e08a0e914
2c879a1d4b6334c59ac5f11c2038d273d334befe
38D90F98DD0A903CB156499FE3691588
3a25b9bd8c0995c5a2e2a3a31fe4691a18d44e72
49379896fa096f523e55f8daf1db00cf262852da
5692a8fb1e5c1f0802c8e552dd043087e2914aa7
588a298b51921f4ee8f6fb7ec837f80039328afe
7202fea74865e085104f839574cd150613fbcf99
78292E4C5DA3B5D067F081B736E5D593
78925505b266e973ad7b5ec5b28c0f77cd65a628
84f3437bbccb514d639c0a6134298261aefb457e
8c6d92becc487dc0043e446f99f165b06af36d72
976553cafd72f8e1908f81f297fbc7dbc04c90cd
9ff4836ff1670816995297234cb5f6e326c16d26
b233b56cd9a11a273df389b98431f1deb8ab7e12
b5e134bc58f8eda4efd99a45628eb433c4bcbc19
e211559f3dfc6db100958b8c12e20f064111f26a
ef0c0ef95b1542184a6a1f4d1f4ece583046ba0a
f744f5f97ace1a4862e764971449c28c4b880e8f
fe0f8a37887c8f8fb5eb3e8252a8df395b3e66e7
rule Copperhedge_F {
    strings:
        $user_agent1 = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome"
        $user_agent2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome"
        $form_data1 = "_webident_f"
        $form_data2 = "_webident_s"
    condition:
        ($user_agent1 or $user_agent2) and $form_data1 and $form_data2
}
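The IoC list above mixes SHA-1 hashes, MD5 hashes and an IPv4 address on one flat list, and the Copperhedge_F rule expresses its detection as a boolean over four literal strings. The script below is an added example (not code from the original report or from any of the tools it cites) showing how a defender can consume both: it classifies each indicator by type, normalises hash case, hashes a file's contents and compares them against the list, and evaluates the rule's condition in plain Python so the logic is visible without a YARA engine. The indicator subset is copied from the page's list; the sample blob and the helper names (classify_ioc, load_iocs, matches_copperhedge_f, scan_blob) are constructed for this example.

```python
import hashlib
import ipaddress
import re

# Subset of the indicators published on the page, listed exactly as the report
# does: SHA-1 and MD5 hashes and one IPv4 address, mixed on one flat list.
IOC_TEXT = """
03138278b603bc120b2cba001a8adb0b2d7d82ea
0faf5540bcb8782dd70bcb31f3aa9baf7e65a043
221.161.45.202
38D90F98DD0A903CB156499FE3691588
78292E4C5DA3B5D067F081B736E5D593
fe0f8a37887c8f8fb5eb3e8252a8df395b3e66e7
"""

# Strings from the page's Copperhedge_F rule, as bytes so they can be searched in raw
# file contents (YARA text strings are case-sensitive unless declared nocase).
USER_AGENTS = (
    b"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome",
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome",
)
FORM_DATA = (b"_webident_f", b"_webident_s")

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_ioc(value: str) -> str:
    """Return 'sha1', 'md5', 'ipv4' or 'unknown' for one indicator line."""
    value = value.strip()
    if HEX_RE.match(value):
        # Hash type is inferred from hex length: 40 nibbles = SHA-1, 32 = MD5.
        return {40: "sha1", 32: "md5"}.get(len(value), "unknown")
    try:
        if ipaddress.ip_address(value).version == 4:
            return "ipv4"
    except ValueError:
        pass
    return "unknown"


def load_iocs(text: str) -> dict:
    """Split a flat indicator list into per-type sets; hashes are lower-cased so
    the upper-case MD5s in the report match hexdigest() output."""
    iocs = {"sha1": set(), "md5": set(), "ipv4": set(), "unknown": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = classify_ioc(line)
        iocs[kind].add(line.lower() if kind in ("sha1", "md5") else line)
    return iocs


def matches_copperhedge_f(data: bytes) -> bool:
    """Plain-Python equivalent of the rule condition:
    ($user_agent1 or $user_agent2) and $form_data1 and $form_data2."""
    return any(ua in data for ua in USER_AGENTS) and all(fd in data for fd in FORM_DATA)


def scan_blob(data: bytes, iocs: dict) -> dict:
    """Check one file's contents against the hash indicators and the rule."""
    sha1 = hashlib.sha1(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return {
        "sha1": sha1,
        "md5": md5,
        "sha1_hit": sha1 in iocs["sha1"],
        "md5_hit": md5 in iocs["md5"],
        "copperhedge_f": matches_copperhedge_f(data),
    }


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    # Constructed blob that carries the rule's strings; it is not a real sample.
    sample = b"UA=" + USER_AGENTS[1] + b"\n_webident_f=1&_webident_s=2\n"
    print(scan_blob(sample, iocs))
```

The split by type matters in practice: file hashes belong in endpoint or sandbox lookups, while the IPv4 address belongs in proxy, DNS or firewall logs, so a single flat list should be fanned out to the right telemetry rather than grepped as one blob. Note also that the rule fires on a file carrying either user-agent string together with both form-field names, so a hit on a document or configuration that merely embeds those strings is a lead to triage, not proof of the implant.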