The Blockbuster Saga Continues
Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors. Through analysis of malicious code, files, and infrastructure, it is clear that the group behind this campaign is either directly responsible for, or has cooperated with, the group which conducted Operation Blockbuster Sequel and, ultimately, Operation Blockbuster (originally outlined by researchers from Novetta). The threat actors are reusing tools, techniques, and procedures which overlap throughout these operations with little variance. Attacks originating from this threat group have not ceased since our previous report (from April of 2017) and have continued through July of 2017.
New Activity
Recently, we’ve identified weaponized Microsoft Office Document files which use the same malicious macros as attacks from earlier this year. Based on the contents of these latest decoy documents, which are displayed to a victim after opening the weaponized document, the attackers have switched targets from Korean …
IoC
062aadf3eb69686f4881860d88ce472e6b1c07e1f586d840dd2ee1f7b76cabe7
104.192.193.149
107.6.12.135
108.222.149.173
118.140.97.6
1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e
16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd
176.35.250.93
197.246.6.83
210.202.40.35
213.152.51.169
2f133525f76ab0ebb0b370601673361253074c337f0b0895d0f0cb5bc261cfcb
4d4465bd9a57c7a3c0b80fa3282697554a1419794afa36e544a4ae06d60c1615
59.90.93.97
6f673981892701d42159489c1b2614c098a04e4674b23e1cd0fd8911766e71a0
7429a6b6e8518a1ec1d1c37a8786359885f2fd4abde560adaef331ca9deaeefd
acfae7e2fdda02e81b3e03f8c30741744d629cd672db424027f7caa59c975897
ad075279d2ee6958105889d852e0d7f4266f746cb0078ac1b362f05a45b5828d
c63a415d23fc4ab10ad3acfdd47d42b5c7444604485ab45147277cca82fffb34
de2d458c8e4befcd478a0010789d80997793790b18a347d10a595d6e87d91f34
e09224a24a14a08c6fcb79b00b4a7b3097c84f805f5f2adefe2f7d04d7b4a8ee
e83a08bcb4353bfd6edcdedbc9ead9ab179a620e15155b60d18153bed9892f38
f390ef86a4ad92dde125c983e6470f08344b9eaa14c17a1e6c4bb7ebfa7c4ec9
http://104.192.193.149
http://104.192.193.149/Event/careers/jobs/description/docs/LJC077.doc
http://107.6.12.135
http://108.222.149.173
http://118.140.97.6
http://176.35.250.93
http://197.246.6.83
http://210.202.40.35
http://210.202.40.35/CKRQST/Company/HR/Position/lm/L1915.doc
http://210.202.40.35/CKRQST/event/careers/jobs/description/docs/NGC1398.doc
http://213.152.51.169
http://59.90.93.97
http://lansingturbo.org/docs/WebDAV.exe
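The IoC list above mixes three indicator types (SHA256 hashes, IP addresses, and URLs) on one flat list. A defender normally wants to classify them and sweep proxy and endpoint telemetry for any match. The following script is an added example, not code from Unit 42 or from this report: it indexes a subset of the indicators published above and runs them over a handful of constructed log lines. The proxy and EDR log formats, the hostnames, internal client addresses and file names in the sample lines are all assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the indicators published in the IoC list of this report.
RAW_IOCS = [
    "062aadf3eb69686f4881860d88ce472e6b1c07e1f586d840dd2ee1f7b76cabe7",
    "104.192.193.149",
    "210.202.40.35",
    "http://104.192.193.149/Event/careers/jobs/description/docs/LJC077.doc",
    "http://210.202.40.35/CKRQST/Company/HR/Position/lm/L1915.doc",
    "http://lansingturbo.org/docs/WebDAV.exe",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def classify(ioc):
    """Return (kind, normalized value) for one raw indicator line."""
    s = ioc.strip()
    if SHA256_RE.match(s):
        return "sha256", s.lower()
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if s.startswith(("http://", "https://")):
        parts = urlsplit(s)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"  # a bare "http://host" indicator has path "/"
        return "url", (host, path)
    return "unknown", s


def build_index(raw_iocs):
    """Bucket indicators so a log line can be checked with set lookups."""
    idx = {"sha256": set(), "ip": set(), "host": set(), "url": set()}
    for ioc in raw_iocs:
        kind, value = classify(ioc)
        if kind == "url":
            host, path = value
            idx["host"].add(host)          # any contact with the host is of interest
            if path != "/":
                idx["url"].add((host, path))  # exact malicious document path
        elif kind in idx:
            idx[kind].add(value)
    return idx


# Constructed proxy log format (assumption): "<ts> <client> <method> <url> <status>"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_line(line, idx):
    """Return (reason, indicator) hits for one proxy log line."""
    m = PROXY_LINE_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    hits = []
    if (host, path) in idx["url"]:
        hits.append(("url", host + path))
    if host in idx["ip"] or host in idx["host"]:
        hits.append(("host", host))
    return hits


def scan_hash_event(line, idx):
    """Return a hit if an endpoint event carries a known-bad SHA256."""
    m = re.search(r"sha256=([0-9a-fA-F]{64})", line)
    if m and m.group(1).lower() in idx["sha256"]:
        return [("sha256", m.group(1).lower())]
    return []


def scan_logs(proxy_lines, edr_lines, idx):
    """Sweep both telemetry sources; return (timestamp, reason, indicator) tuples."""
    findings = []
    for line in proxy_lines:
        for reason, ind in scan_proxy_line(line, idx):
            findings.append((line.split()[0], reason, ind))
    for line in edr_lines:
        for reason, ind in scan_hash_event(line, idx):
            findings.append((line.split()[0], reason, ind))
    return findings


# Constructed sample telemetry; the internal hosts and file names are made up.
PROXY_LOG = [
    "2017-07-12T09:14:03Z 10.1.2.3 GET http://210.202.40.35/CKRQST/Company/HR/Position/lm/L1915.doc 200",
    "2017-07-12T09:15:41Z 10.1.2.3 GET http://www.example.com/index.html 200",
    "2017-07-12T09:16:09Z 10.1.2.9 GET http://lansingturbo.org/docs/WebDAV.exe 200",
    "2017-07-12T09:17:30Z 10.1.2.7 GET http://104.192.193.149/some/other/path 404",
]
EDR_LOG = [
    "2017-07-12T09:14:20Z 10.1.2.3 FileCreate C:\\Users\\a\\Downloads\\attachment.doc "
    "sha256=062aadf3eb69686f4881860d88ce472e6b1c07e1f586d840dd2ee1f7b76cabe7",
    "2017-07-12T09:30:00Z 10.1.2.4 FileCreate C:\\Users\\b\\notes.txt sha256=" + "0" * 64,
]

if __name__ == "__main__":
    index = build_index(RAW_IOCS)
    for ts, reason, indicator in scan_logs(PROXY_LOG, EDR_LOG, index):
        print(f"{ts} {reason:>6} {indicator}")
```

Indexing the host of every URL indicator separately from the full path matters: the fourth proxy line fetches a path this report never lists, but it still contacts 104.192.193.149 and is therefore flagged on the host alone, which is the level at which a network block or a hunt query is usually written.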