#1267067: Buhtrap group uses zero-day in latest espionage campaigns - Additional IOCs

Description: The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However, since late 2015, we have witnessed an interesting change in its traditional targets. What began as a purely criminal group committing cybercrime for financial gain has expanded its toolset with malware used to conduct espionage in Eastern Europe and Central Asia.

Reference:
https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/
First Aid: IOCs:

FileHash-SHA1 2f2640720cce2f83ca2f0633330f13651384dd6a
FileHash-SHA1 5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5
FileHash-SHA256 6e820b5732cd8bb95546cf39aeb6babe90cf4cc7dde675b718710babcf1740b5
hostname 7812.reg0.4621.toor.win10.ipv6-microsoft.org
hostname 7812.reg0.5173.toor.win10.ipv6-microsoft.org
hostname 7812.reg0.5204.toor.win10.ipv6-microsoft.org
hostname 7812.reg0.5267.toor.win10.ipv6-microsoft.org
hostname 7812.reg0.5314.toor.win10.ipv6-microsoft.org
hostname 7812.reg0.5361.toor.win10.ipv6-microsoft.org
FileHash-SHA1 9c3434ebdf29e5a4762afb610ea59714d8be2392
FileHash-SHA1 b25def9ac34f31b84062a8e8626b2f0ef589921f
FileHash-SHA256 b475f14a1ffdeaf883c73e97724544b9bba0f6c481830bd25e3ba0d0f69b9181
FileHash-SHA1 c17c335b7ddb5c8979444ec36ab668ae8e4e0a72
domain corp-microsoft.com
CVE CVE-2015-2387
CVE CVE-2019-1132
FileHash-SHA1 e0f3557ea9f2ba4f7074caa0d0cf3b187c4472ff
FileHash-SHA256 fd6c772c31da19a66283af4703d1d5072a9158d03031a4094ac2eb8dccd3d6d1
domain hdfilm-seyret.com
URL http://redmond.corp-microsoft.com/g/help/index.php
URL https://hdfilm-seyret.com/help/index.php
URL https://redmond.corp-microsoft.com/help/index.php
URL https://secure-telemetry.net/wp-login.php
URL https://services-glbdns2.com/FIGm6uJx0MhjJ2ImOVurJQTs0rRv5Ef2UGoSc
domain ipv6-microsoft.org
hostname redmond.corp-microsoft.com
domain secure-telemetry.net
domain services-glbdns2.com
hostname win10.ipv6-microsoft.org
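The list above is flat "type value" text. As an added example (not part of the AlienVault pulse or the ESET report), the Python below parses a subset of those IOC lines into a matcher and runs it over constructed DNS, proxy and EDR log lines. The point it makes that the raw list does not: "domain" IOCs must be matched on a dot boundary so that any subdomain is caught (the numeric component of the listed ipv6-microsoft.org hostnames varies, so exact hostname matching alone would miss new ones) while look-alikes such as ipv6-microsoft.org.example.com or notcorp-microsoft.com are not flagged; hostname, URL and hash IOCs are matched exactly and case-insensitively. The log format, client addresses and host names in the sample lines are made up.

```python
"""Parse the Buhtrap IOC list into a matcher and run it over sample log lines (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the IOC lines from the pulse above, in the feed's "<type> <value>" format.
IOC_TEXT = """\
FileHash-SHA1 2f2640720cce2f83ca2f0633330f13651384dd6a
FileHash-SHA256 b475f14a1ffdeaf883c73e97724544b9bba0f6c481830bd25e3ba0d0f69b9181
hostname 7812.reg0.4621.toor.win10.ipv6-microsoft.org
hostname 7812.reg0.5173.toor.win10.ipv6-microsoft.org
hostname redmond.corp-microsoft.com
hostname win10.ipv6-microsoft.org
domain corp-microsoft.com
domain hdfilm-seyret.com
domain ipv6-microsoft.org
domain secure-telemetry.net
domain services-glbdns2.com
URL https://redmond.corp-microsoft.com/help/index.php
URL https://secure-telemetry.net/wp-login.php
CVE CVE-2019-1132
"""

# Constructed log lines (not real telemetry) in a simple key=value form.
SAMPLE_LOGS = [
    "2019-07-11T10:00:01Z dns client=10.1.2.3 query=7812.reg0.5173.toor.win10.ipv6-microsoft.org",
    "2019-07-11T10:00:02Z dns client=10.1.2.3 query=www.microsoft.com",
    "2019-07-11T10:00:03Z dns client=10.1.2.7 query=7812.reg0.9999.toor.win10.ipv6-microsoft.org",
    "2019-07-11T10:00:04Z dns client=10.1.2.9 query=ipv6-microsoft.org.example.com",
    "2019-07-11T10:00:05Z proxy client=10.1.2.3 url=https://Redmond.Corp-Microsoft.com/help/index.php",
    "2019-07-11T10:00:06Z edr host=ws17 sha256=B475F14A1FFDEAF883C73E97724544B9BBA0F6C481830BD25E3BA0D0F69B9181",
    "2019-07-11T10:00:07Z edr host=ws18 sha1=0000000000000000000000000000000000000000",
]

HOST_RE = re.compile(r"\bquery=(\S+)")
URL_RE = re.compile(r"\burl=(\S+)")
HASH_RE = re.compile(r"\bsha(?:1|256)=([0-9A-Fa-f]{40,64})")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Group IOC values by type. Hashes and DNS names are lower-cased; URLs and CVEs kept verbatim."""
    iocs: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        kind, value = parts
        if kind.startswith("FileHash") or kind in ("domain", "hostname"):
            value = value.lower().rstrip(".")
        iocs.setdefault(kind, set()).add(value)
    return iocs


def host_matches(host: str, iocs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the matching IOC for a DNS name, or None.

    'hostname' IOCs match exactly. 'domain' IOCs match the apex and any subdomain, but only on a
    dot boundary, so 'notcorp-microsoft.com' and 'ipv6-microsoft.org.example.com' do not match.
    """
    host = host.lower().rstrip(".")
    if host in iocs.get("hostname", set()):
        return host
    for dom in iocs.get("domain", set()):
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def _norm_url(url: str) -> Tuple[str, str, str]:
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.hostname or "", p.path or "/")


def url_matches(url: str, iocs: Dict[str, Set[str]]) -> bool:
    """Exact match on scheme, host (case-insensitive) and path; query strings are ignored."""
    target = _norm_url(url)
    return any(_norm_url(i) == target for i in iocs.get("URL", set()))


def scan_logs(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_index, match_kind, ioc_value) for every IOC hit in the given log lines."""
    hashes: Set[str] = set()
    for kind, values in iocs.items():
        if kind.startswith("FileHash"):
            hashes |= values
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines):
        for m in HOST_RE.finditer(line):
            hit = host_matches(m.group(1), iocs)
            if hit:
                hits.append((n, "dns", hit))
        for m in URL_RE.finditer(line):
            if url_matches(m.group(1), iocs):
                hits.append((n, "url", m.group(1)))
            else:  # an unknown path on known infrastructure is still worth a hit
                hit = host_matches(urlsplit(m.group(1)).hostname or "", iocs)
                if hit:
                    hits.append((n, "url-host", hit))
        for m in HASH_RE.finditer(line):
            if m.group(1).lower() in hashes:
                hits.append((n, "hash", m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"line {idx}: {kind} hit on {value}")
```

Running it flags four of the seven constructed lines: the listed beacon hostname, the unlisted 9999 variant (caught through the ipv6-microsoft.org domain IOC), the mixed-case proxy URL and the upper-cased SHA-256; www.microsoft.com and the ipv6-microsoft.org.example.com look-alike stay clean. Paste the full list from the pulse into IOC_TEXT to use it against real logs.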
More info: https://otx.alienvault.com/pulse/5d270b29fccc021c80764db4/

Date added July 11, 2019, 2:10 p.m.
Source AlienVault
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • APTs - Russia - New Reports in
  • Operation Buhtrap
  • Russian - Cobalt hacker group / TEMP.Metastrike (also linked to Buhtrap) / Gold Kingswood