APT39 Analysis

IOB - Indicator of Behavior (258)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

  • en: 228
  • it: 8
  • es: 8
  • ru: 6
  • jp: 2


Country

  • us: 144
  • ru: 24
  • ir: 14
  • cn: 12
  • it: 8


Actors


Activities

Interest

Timeline


Type


Vendor


Product

  • Microsoft Windows: 10
  • PHP: 8
  • Joomla: 6
  • phpMyAdmin: 6
  • nginx: 6


Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | High | Workaround | 0.04 | 0.04187 | CVE-2007-1192
2  | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.50 | 0.25090 | CVE-2017-0055
3  | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 5.23 | 0.00000 | CVE-2020-12440
4  | Rust Programming Language Standard Library type_id memory corruption | 7.7 | 7.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.01108 | CVE-2019-12083
5  | ciubotaru share-on-diaspora new_window.php cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 1.07 | 0.00890 | CVE-2017-20176
6  | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.53 | 0.49183 | CVE-2016-6210
7  | Postfix Admin functions.inc.php sql injection | 7.3 | 7.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.17 | 0.01232 | CVE-2014-2655
8  | jQuery Property extend Pollution cross site scripting | 6.6 | 6.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.60 | 0.58527 | CVE-2019-11358
9  | D-Link DCS-2530L/DCS-2670L ddns_enc.cgi command injection | 7.5 | 7.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.05 | 0.02055 | CVE-2020-25079
10 | PHPMailer Phar Deserialization addAttachment deserialization | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.00954 | CVE-2020-36326
11 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.33 | 0.29797 | CVE-2014-4078
12 | SourceCodester Library Management System bookdetails.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.04 | 0.00890 | CVE-2022-2214
13 | Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.07 | 0.04187 | CVE-2011-0643
14 | Lotus Domino Request information disclosure | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.01213 | CVE-2002-0245
15 | PHP socket_connect memory corruption | 7.3 | 6.9 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.03 | 0.27992 | CVE-2011-1938
16 | phpMyAdmin PMA_safeUnserialize deserialization | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.01018 | CVE-2016-9865
17 | Facebook Hermes JavaScript integer overflow to buffer overflow | 7.6 | 7.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.07 | 0.01440 | CVE-2022-35289
18 | tagDiv Composer Plugin Facebook Login improper authentication | 7.7 | 7.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00885 | CVE-2022-3477
19 | Gimmie Plugin trigger_login.php sql injection | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 1.17 | 0.00950 | CVE-2014-125086
20 | Gimmie Plugin trigger_ratethread.php sql injection | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 1.10 | 0.00950 | CVE-2014-125085

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Chafer

IOC - Indicator of Compromise (17)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Vulnerabilities | Access Vector | Type | Confidence
1  | T1006 | CWE-21, CWE-22 | Pathname Traversal | predictive | High
2  | T1040 | CWE-319 | Authentication Bypass by Capture-replay | predictive | High
3  | T1055 | CWE-74 | Injection | predictive | High
4  | T1059 | CWE-94 | Cross Site Scripting | predictive | High

IOA - Indicator of Attack (115)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | //etc/RT2870STA.dat | predictive | High
2  | File | /admin/index.php?id=themes&action=edit_template&filename=blog | predictive | High
3  | File | /bin/boa | predictive | Medium
4  | File | /cgi-bin/wapopen | predictive | High
5  | File | /cwp_{SESSION_HASH}/admin/loader_ajax.php | predictive | High
6  | File | /jquery_file_upload/server/php/index.php | predictive | High
7  | File | /librarian/bookdetails.php | predictive | High
8  | File | /magnoliaPublic/travel/members/login.html | predictive | High
9  | File | /Main_AdmStatus_Content.asp | predictive | High
10 | File | /requests.php | predictive | High
11 | File | /server-status | predictive | High
12 | File | /uncpath/ | predictive | Medium
13 | File | /var/log/nginx | predictive | High

References (4)

The following list contains external sources which discuss the actor and the associated activities:
