APT32 Analysis
IOB - Indicator of Behavior (631)
[Chart panels on the original page: Timeline, Activities, Interest, Vulnerabilities]
Campaigns (2)
These are the campaigns that can be associated with the actor:
- Cobalt Kitty
- OceanLotus
IOC - Indicator of Compromise (60)
These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.
ID | IP Address | Hostname | Actor | Campaign | Identified | Type | Confidence
---|---|---|---|---|---|---|---
1 | 23.227.196.126 | 23-227-196-126.static.hvvc.us | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
2 | 23.227.196.210 | 23-227-196-210.static.hvvc.us | APT32 | | 2020-12-15 | verified | High
3 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
4 | 27.102.70.211 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
5 | 37.59.198.130 | | APT32 | OceanLotus | 2020-12-15 | verified | High
6 | 37.59.198.131 | | APT32 | OceanLotus | 2020-12-15 | verified | High
7 | 45.32.100.179 | 45.32.100.179.vultr.com | APT32 | OceanLotus | 2020-12-15 | verified | Medium
8 | 45.32.105.45 | | APT32 | OceanLotus | 2020-12-15 | verified | High
9 | 45.32.114.49 | 45.32.114.49.vultr.com | APT32 | OceanLotus | 2020-12-15 | verified | Medium
10 | 45.76.147.201 | 45.76.147.201.vultr.com | APT32 | OceanLotus | 2020-12-15 | verified | Medium
11 | 45.76.179.28 | 45.76.179.28.vultr.com | APT32 | OceanLotus | 2020-12-15 | verified | Medium
12 | 45.76.179.151 | 45.76.179.151.vultr.com | APT32 | OceanLotus | 2020-12-15 | verified | Medium
13 | 45.77.39.101 | 45.77.39.101.vultr.com | APT32 | OceanLotus | 2020-12-15 | verified | Medium
14 | 45.114.117.137 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
15 | 45.114.117.164 | folien.reisnart.com | APT32 | OceanLotus | 2020-12-15 | verified | High
16 | 64.62.174.9 | agent2.jenkins.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
17 | 64.62.174.16 | unassigned16.net2.fc.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
18 | 64.62.174.17 | unassigned17.net2.fc.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
19 | 64.62.174.21 | unassigned21.net2.fc.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
20 | 64.62.174.41 | dev1.plant-orbit.com | APT32 | OceanLotus | 2020-12-15 | verified | High
21 | 64.62.174.99 | unassigned99.net2.fc.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
22 | 64.62.174.145 | unassigned145.net2.fc.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
23 | 64.62.174.146 | unassigned146.net2.fc.aoindustries.com | APT32 | OceanLotus | 2020-12-15 | verified | High
24 | 79.143.87.174 | | APT32 | OceanLotus | 2020-12-15 | verified | High
25 | 80.255.3.87 | | APT32 | | 2020-12-15 | verified | High
26 | 89.33.64.207 | | APT32 | OceanLotus | 2020-12-15 | verified | High
27 | 89.33.64.232 | mypicsfromplane.com | APT32 | OceanLotus | 2020-12-15 | verified | High
28 | 103.28.44.112 | 103028044112.hkserverdomain.com | APT32 | OceanLotus | 2020-12-15 | verified | High
29 | 103.28.44.115 | 103028044115.hkserverdomain.com | APT32 | OceanLotus | 2020-12-15 | verified | High
30 | 103.41.177.33 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
31 | 103.53.197.202 | sg06.dewaweb.com | APT32 | | 2020-12-15 | verified | High
32 | 104.24.118.185 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
33 | 104.24.119.185 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
34 | 104.27.166.79 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
35 | 104.27.167.79 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
36 | 104.237.218.67 | usgreatly.com | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
37 | 104.237.218.70 | 70.utdanne.104.xandien.nl | APT32 | | 2020-12-15 | verified | High
38 | 104.237.218.72 | emudd.pointumetwe.com | APT32 | | 2020-12-15 | verified | High
39 | 108.170.31.69 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
40 | 110.10.179.65 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
41 | 128.199.90.216 | | APT32 | OceanLotus | 2020-12-15 | verified | High
42 | 128.199.227.80 | 426977.cloudwaysapps.com | APT32 | OceanLotus | 2020-12-15 | verified | High
43 | 138.197.236.215 | | APT32 | OceanLotus | 2020-12-15 | verified | High
44 | 139.59.217.207 | | APT32 | OceanLotus | 2020-12-15 | verified | High
45 | 139.59.220.10 | | APT32 | OceanLotus | 2020-12-15 | verified | High
46 | 139.59.220.12 | | APT32 | OceanLotus | 2020-12-15 | verified | High
47 | 139.59.223.191 | | APT32 | OceanLotus | 2020-12-15 | verified | High
48 | 176.107.176.6 | 176.107.176.6.ptr | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
49 | 176.107.177.216 | 176.107.177.216.deltahost-ptr | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
50 | 176.223.111.116 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
51 | 184.95.51.179 | pen179.penflexhost.com | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
52 | 184.95.51.181 | mx.earthgeneration.org | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
53 | 184.95.51.190 | laudantiumkvgqi.finewonu.club | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
54 | 185.157.79.3 | 185.157.79.3.deltahost-ptr | APT32 | | 2020-12-15 | verified | High
55 | 188.166.219.18 | 696006.cloudwaysapps.com | APT32 | OceanLotus | 2020-12-15 | verified | High
56 | 192.121.176.148 | | APT32 | Cobalt Kitty | 2020-12-15 | verified | High
57 | 193.169.245.78 | 193.169.245.78.deltahost-ptr | APT32 | | 2020-12-15 | verified | High
58 | 193.169.245.137 | n116.deltahost.com.ua | APT32 | | 2020-12-15 | verified | High
59 | 203.114.75.22 | | APT32 | OceanLotus | 2020-12-15 | verified | High
60 | 203.114.75.73 | | APT32 | OceanLotus | 2020-12-15 | verified | High
TTP - Tactics, Techniques, Procedures (23)
Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Vulnerability | Access Vector | Type | Confidence
---|---|---|---|---|---
1 | T1006 | CWE-21, CWE-22, CWE-23 | Path Traversal | predictive | High
2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | predictive | High
3 | T1055 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
4 | T1059 | CWE-94 | Argument Injection | predictive | High
5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High
6 | T1068 | CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | predictive | High
7 | T1110.001 | CWE-798 | Hard-coded Credentials | predictive | High
8 | T1202 | CWE-77, CWE-78 | Command Shell in Externally Accessible Directory | predictive | High
9 | T1204.001 | CWE-601 | Open Redirect | predictive | High
10 | T1211 | CWE-254 | 7PK Security Features | predictive | High
11 | T1222 | CWE-275, CWE-276 | Permission Issues | predictive | High
12 | T1505 | CWE-89 | SQL Injection | predictive | High
13 | T1548.002 | CWE-285 | Improper Authorization | predictive | High
14 | T1552 | CWE-255, CWE-522 | Credentials Management | predictive | High
15 | T1574 | CWE-426, CWE-427 | Untrusted Search Path | predictive | High
16 | T1587.003 | CWE-295 | Improper Certificate Validation | predictive | High
17 | T1588.001 | CWE-912 | Backdoor | predictive | High
18 | T1592 | CWE-200, CWE-209, CWE-532 | Invocation of Process Using Visible Sensitive Information | predictive | High
19 | T1592.004 | CWE-16 | Configuration | predictive | High
20 | T1600 | CWE-310, CWE-311, CWE-326, CWE-327 | Cryptographic Issues | predictive | High
21 | T1600.001 | CWE-320, CWE-321, CWE-547 | Key Management Error | predictive | High
22 | T1608.002 | CWE-434 | Incomplete Identification of Uploaded File Variables | predictive | High
23 | T1611 | CWE-265 | Containment Errors | predictive | High
IOA - Indicator of Attack (227)
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
ID | Class | Indicator | Type | Confidence
---|---|---|---|---
1 | File | /admin/ | predictive | Low
2 | File | /api/ | predictive | Low
3 | File | /cgi-bin/cgiServer.exx | predictive | High
4 | File | /cgi-bin/login_action.cgi | predictive | High
5 | File | /cgi-bin/nobody/Search.cgi | predictive | High
6 | File | /cgi-bin/webviewer_login_page | predictive | High
7 | File | /dev/sg0 | predictive | Medium
8 | File | /event/runquery.do | predictive | High
9 | File | /filemanager/php/connector.php | predictive | High
10 | File | /forum/away.php | predictive | High
11 | File | /goform/setmac | predictive | High
12 | File | /log_download.cgi | predictive | High
13 | File | /manager?action=getlogcat | predictive | High
14 | File | /mgmt/tm/util/bash | predictive | High
15 | File | /pages/systemcall.php?command={COMMAND} | predictive | High
16 | File | /password.html | predictive | High
17 | File | /system/ws/v11/ss/email | predictive | High
18 | File | /uncpath/ | predictive | Medium
19 | File | /upload | predictive | Low
20 | File | add_vhost.php | predictive | High
21 | File | admin/gv_mail.php | predictive | High
22 | File | admin/images.aspx | predictive | High
23 | File | admin/index.php | predictive | High
24 | File | adv2.php?action=modify | predictive | High
25 | File | agent.cfg | predictive | Medium
26 | File | arch/x86/include/asm/fpu/internal.h | predictive | High
27 | File | asm/float.c | predictive | Medium
28 | File | asm/nasm.c | predictive | Medium
29 | File | auth.php | predictive | Medium
30 | File | backup.cgi | predictive | Medium
31 | File | binder.c | predictive | Medium
32 | File | bitfield.c | predictive | Medium
33 | File | blob.cpp | predictive | Medium
34 | File | books.php | predictive | Medium
35 | File | c.php | predictive | Low
36 | File | cgi-bin/ | predictive | Medium
37 | File | cgi-bin/ddns_enc.cgi | predictive | High
38 | File | cgi-bin/luci/admin/network/firewall/rules | predictive | High
39 | File | cgi-bin/MANGA/admin.cgi | predictive | High
40 | File | cli.conf | predictive | Medium
41 | File | coders/png.c | predictive | Medium
42 | File | coders/tiff.c | predictive | High
43 | File | coffgen.c | predictive | Medium
44 | File | config.xml | predictive | Medium
45 | File | connector.minimal.php | predictive | High
46 | File | data/gbconfiguration.dat | predictive | High
47 | File | db.php | predictive | Low
48 | File | detail.php | predictive | Medium
49 | File | devtools.sh | predictive | Medium
50 | File | domain/section/markdown/markdown.go | predictive | High
51 | File | drivers/gpu/drm/udl/udl_fb.c | predictive | High
52 | File | drivers/scsi/sr_ioctl.c | predictive | High
53 | File | drivers/usb/misc/iowarrior.c | predictive | High
54 | File | ebmlstring.c | predictive | Medium
55 | File | elf.c | predictive | Low
56 | File | email.php | predictive | Medium
57 | File | events-manager.js | predictive | High
58 | File | ExceptionHandler.php | predictive | High
59 | File | extensions.load | predictive | High
60 | File | FlexPaperViewer.swf | predictive | High
61 | File | folder_view.php | predictive | High
62 | File | FortiClientOnlineInstaller.exe | predictive | High
63 | File | framework/core/subsystems/expRouter.php | predictive | High
64 | File | fs/userfaultfd.c | predictive | High
65 | File | function.c | predictive | Medium
66 | File | functions.php | predictive | High
67 | File | functions_mod_user.php | predictive | High
68 | File | getRemoteImage.php | predictive | High
69 | File | get_set.ccp | predictive | Medium
70 | File | gki_buffer.cc | predictive | High
71 | File | handle_load_config.php | predictive | High
72 | File | hh.exe | predictive | Low
73 | File | image_upload.php | predictive | High
74 | File | imap/lmtp_sieve.c | predictive | High
75 | File | inc/config.php | predictive | High
76 | File | inc/filebrowser/browser.php | predictive | High
77 | File | include/findusers.php | predictive | High
78 | File | includes/head.inc.php | predictive | High
79 | File | index.php | predictive | Medium
80 | File | init.inc.php | predictive | Medium
81 | File | intervalCheck.jsp | predictive | High
82 | File | iptc.c | predictive | Low
83 | File | ItemReview.php | predictive | High
84 | File | items.c | predictive | Low
85 | File | items.queries.php | predictive | High
86 | File | item_show.php | predictive | High
87 | File | JBIG2Stream.cc | predictive | High
88 | File | jeecgFormDemoController.do?commonUpload | predictive | High
89 | File | jfinal_cms/admin/filemanager/list | predictive | High
90 | File | jpgraph.php | predictive | Medium
91 | File | kbdint.c | predictive | Medium
92 | File | kernel/events/core.c | predictive | High
93 | File | kernel/exit.c | predictive | High
94 | File | kernel/trace/trace_events_filter.c | predictive | High
95 | File | launchd | predictive | Low
96 | File | libnvmmlite_video.so | predictive | High
97 | File | libr/asm/asm.c | predictive | High
98 | File | main/scala/authentikat/jwt/JsonWebToken.scala | predictive | High
99 | File | misc/apr_rmm.c | predictive | High
100 | File | mm/mempolicy.c | predictive | High
101 | File | mm/oom_kill.c | predictive | High
102 | File | model/__show_info.php | predictive | High
103 | File | modules/m_sasl.c | predictive | High
104 | File | NativeNfcManager.cpp | predictive | High
105 | File | net/ipv4/datagram.c | predictive | High
106 | File | net/ipv4/inet_connection_sock.c | predictive | High
107 | File | net/packet/af_packet.c | predictive | High
108 | File | openjp2/pi.c | predictive | Medium
109 | File | pages_system_settings.php | predictive | High
110 | File | plugins\meta_engine\libfolder_plugin.dll | predictive | High
111 | File | prod.php | predictive | Medium
112 | File | prog/htmlviewer.c | predictive | High
113 | File | proxy.cgi | predictive | Medium
114 | File | public/index.php/home | predictive | High
115 | File | public/index.php/home/membersnsfriend/findlist.html | predictive | High
116 | File | QueryComponentRendererValue!Default.jspa | predictive | High
117 | File | RecentLocationApps.java | predictive | High
118 | File | register/check/username?username | predictive | High
119 | File | registration_detailed.inc.php | predictive | High
120 | File | reports_mta_queue_status.html | predictive | High
121 | File | secure_img_render.php | predictive | High
122 | File | server_databases.php | predictive | High
123 | File | setenv.sh | predictive | Medium
124 | File | setup/index.php | predictive | High
125 | File | shop.cgi | predictive | Medium
126 | File | shop_display_products.php | predictive | High
127 | File | showcat.php | predictive | Medium
128 | File | SimpleDecodingSource.cpp | predictive | High
129 | File | software-description.php | predictive | High
130 | File | svox_ssml_parser.cpp | predictive | High
131 | File | SystemEvent.jsp | predictive | High
132 | File | system_log.cgi | predictive | High
133 | File | tls1.c | predictive | Low
134 | File | ui/artifact/upload | predictive | High
135 | File | upgrade_handle.php | predictive | High
136 | File | view/ProductsView.php | predictive | High
137 | File | WealthT24/GetImage | predictive | High
138 | File | welcome.php | predictive | Medium
139 | File | www/content/lessons/"lesson | predictive | High
140 | Library | AeXNSPkgDLLib.dll | predictive | High
141 | Library | ATIDXX64.DLL | predictive | Medium
142 | Library | ENCDEC.DLL | predictive | Medium
143 | Library | filmfd.sys | predictive | Medium
144 | Library | fs/ncpfs/ncplib_kernel.c | predictive | High
145 | Library | igcore19d.dll | predictive | High
146 | Library | Lib/DocXMLRPCServer.py | predictive | High
147 | Library | lib/MongoLite/Database.php | predictive | High
148 | Library | lib/rrd.php | predictive | Medium
149 | Library | Monitor_win7_x64.sys | predictive | High
150 | Library | Monitor_x86.sys | predictive | High
151 | Library | wsdk-driver.sys | predictive | High
152 | Argument | $line | predictive | Low
153 | Argument | %s | predictive | Low
154 | Argument | agentid | predictive | Low
155 | Argument | app | predictive | Low
156 | Argument | AUTHENTICATE | predictive | Medium
157 | Argument | basePath | predictive | Medium
158 | Argument | bauth | predictive | Low
159 | Argument | bookid | predictive | Low
160 | Argument | cat | predictive | Low
161 | Argument | catid | predictive | Low
162 | Argument | cat_id | predictive | Low
163 | Argument | ccp_act | predictive | Low
164 | Argument | charset | predictive | Low
165 | Argument | code_no | predictive | Low
166 | Argument | configFile | predictive | Medium
167 | Argument | content | predictive | Low
168 | Argument | Content-Length | predictive | High
169 | Argument | CPG_M_DIR | predictive | Medium
170 | Argument | data3 | predictive | Low
171 | Argument | docDownloadPath/uploadLocation | predictive | High
172 | Argument | err | predictive | Low
173 | Argument | file | predictive | Low
174 | Argument | filename | predictive | Medium
175 | Argument | fromName/message | predictive | High
176 | Argument | go | predictive | Low
177 | Argument | groups | predictive | Low
178 | Argument | hostname | predictive | Medium
179 | Argument | id | predictive | Low
180 | Argument | ipAddr | predictive | Low
181 | Argument | IP address | predictive | Medium
182 | Argument | item_id | predictive | Low
183 | Argument | l/dl/del | predictive | Medium
184 | Argument | layout | predictive | Low
185 | Argument | mapTitle | predictive | Medium
186 | Argument | mosConfig_absolute_path | predictive | High
187 | Argument | name | predictive | Low
188 | Argument | page | predictive | Low
189 | Argument | password | predictive | Medium
190 | Argument | Password | predictive | Medium
191 | Argument | phpbb_root_path | predictive | High
192 | Argument | priority | predictive | Medium
193 | Argument | reason | predictive | Low
194 | Argument | redirect | predictive | Medium
195 | Argument | redirect_uri | predictive | Medium
196 | Argument | Referer | predictive | Low
197 | Argument | referrer | predictive | Medium
198 | Argument | resourceName | predictive | Medium
199 | Argument | rootpath | predictive | Medium
200 | Argument | sbp | predictive | Low
201 | Argument | search | predictive | Low
202 | Argument | searchid | predictive | Medium
203 | Argument | sid | predictive | Low
204 | Argument | site | predictive | Low
205 | Argument | sms_content | predictive | Medium
206 | Argument | sort_by | predictive | Low
207 | Argument | src | predictive | Low
208 | Argument | Swfile | predictive | Low
209 | Argument | sys_name | predictive | Medium
210 | Argument | tpldir/filename/type/nid | predictive | High
211 | Argument | upfile | predictive | Low
212 | Argument | uploaddir | predictive | Medium
213 | Argument | up_auto_log | predictive | Medium
214 | Argument | url | predictive | Low
215 | Argument | uselang | predictive | Low
216 | Argument | wd | predictive | Low
217 | Argument | _receivers | predictive | Medium
218 | Input Value | %0a/%0d | predictive | Low
219 | Input Value | ./../../../ | predictive | Medium
220 | Input Value | 1" onmouseover=prompt(947671) bad=" | predictive | High
221 | Input Value | </script><script>alert(1)</script> | predictive | High
222 | Input Value | <ScRiPt >alert(991)</ScRiPt> | predictive | High
223 | Input Value | welc0me | predictive | Low
224 | Input Value | \x3D../../../../etc/passwd | predictive | High
225 | Network Port | 8888 | predictive | Low
226 | Network Port | tcp/873 | predictive | Low
227 | Network Port | tcp/6200 | predictive | Medium
References (4)
The following list contains external sources which discuss the actor and the associated activities:
- https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf
- https://github.com/vuldb/cyber_threat_intelligence/tree/main/actors/APT32
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
- https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/