Monthly Archives: March 2017

Introducing Monitor.app for macOS

UPDATE 2 (Oct. 24, 2018): Monitor.app now supports macOS 10.14.

UPDATE (April 4, 2018): Monitor.app now supports macOS 10.13.

For a malware analyst or systems programmer, a suite of solid dynamic analysis tools is vital to being quick and effective. These tools let us understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the legendary Sysinternals Suite from Microsoft. Those tools only run on Windows, though, and we love macOS.

macOS ships with some fantastic dynamic instrumentation software in the operating system and Xcode. In the past, we have used tools such as DTrace, a very powerful tracing subsystem built into the core of macOS. While it is very powerful and efficient, it usually required us to write D scripts to get at the interesting bits. We wanted something simpler.

Today, the Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host. Monitor.app captures the following event types:

  • Process execution with command line arguments
  • File creates (if data is written)
  • File renames
  • Network activity
  • DNS requests and replies
  • Dynamic library loads
  • TTY Events

Monitor.app identifies system activities using a kernel extension (kext). Its focus is on capturing data that matters, with context. These events are presented in the UI with a rich search capability allowing users to hunt through event data for areas of interest.

The goal of Monitor is simplicity. When launching Monitor, the user is prompted for root credentials to launch a process and load our kext (don’t worry, the main UI process doesn’t run as root). From there, the user can click on the start button and watch the events roll in!

The UI is sparse, with a few key features: a start/stop button, filter buttons, and a search bar. The search bar lets us restrict the view to events matching a term, optionally limited to one type of data. The event table lists every event Monitor can present. The filter buttons turn off whole classes of events. For example, if a Time Machine backup kicks off while the user is analyzing a piece of malware, clicking the file system filter button keeps the file write events from cluttering the display.

As an example, suppose we want to see every process that communicated with xkcd.com. We simply select the “Any” filter and enter xkcd in the search bar, as seen in Figure 1.

Figure 1: Monitor.app User Interface

We think you will be surprised how useful Monitor can be when trying to figure out how components of macOS or even malware work under the hood, all without firing up a debugger or D script.

Click here to download Monitor.app. Please send any feature requests/bugs to monitorapp-bugs@fireeye.com.

Apple, Mac and MacOS are registered trademarks or trademarks of Apple Inc.

Part II. APT29 Russian APT including Fancy Bear

This is the second part of the Russian APT series.

"APT29 (The Dukes, Cozy Bear): APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015." (source: MITRE ATT&CK)

Please see the first post here: Russian APT - APT28 collection of samples including OSX XAgent

I highly recommend reading and studying these resources first.

References (and the samples they mention), oldest to newest:

  1. 2012-02 F-Secure: CozyDuke
  2. 2013-02 CrySyS: MiniDuke Indicators
  3. 2013-04 Bitdefender: A Closer Look at MiniDuke
  4. 2014-04 F-Secure: Targeted Attacks and Ukraine
  5. 2014-05 F-Secure: MiniDuke Still Duking It Out
  6. 2014-07 Kaspersky: MiniDuke Is Back: Nemesis Gemina and the Botgen Studio
  7. 2014-07 Kaspersky: The MiniDuke Mystery: PDF 0-day
  8. 2014-11 F-Secure: OnionDuke: APT Attacks via the Tor Network
  9. 2014 F-Secure: CosmicDuke: Cosmu with a Twist of MiniDuke
  10. 2015-04 Kaspersky: CozyDuke (CozyBear)
  11. 2015-07 F-Secure: The Duke APT Group's Latest Tools: Cloud Services and Linux Support
  12. 2015-07 FireEye: Hammertoss: Stealthy Tactics Define Russian Cyber
  13. 2015-07 Kaspersky: Minidionis: One More APT with a Usage of Cloud Drives
  14. 2015-07 Palo Alto: Tracking MiniDionis
  15. 2015-07 Palo Alto Unit 42: Technical Analysis of Seaduke
  16. 2015-07 Symantec: Seaduke: Latest Weapon in the Duke Armory
  17. 2015-08 Prevenity: Stealing Data from Public Institutions
  18. 2015-09 F-Secure: The Dukes: 7 Years of Russian Cyberespionage
  19. 2016-06 CrowdStrike: Bears in the Midst: Intrusion into the Democratic National Committee
  20. 2016-11 Volexity: PowerDuke Post-Election
  21. 2016-12 Chris: Grizzly Steppe: Lighting Up Like a Christmas Tree
  22. 2017-03 FireEye: APT29 Domain Fronting with TOR
  23. Fancy Bear source code

Download

Download sets (matching the research listed above). Email me if you need the password.
Download all files/folders listed (MB)
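The sample list below was flattened on export: each row runs four columns (parent folder, file name, MD5, SHA256) together with no separator. The following Python script is an added example for this page, not part of the original post or of the sample archive. It rebuilds the rows into folder, file name, MD5 and SHA256, and verifies a downloaded set against them. The embedded listing copies a handful of rows from the table below; the `APT29` root folder is taken from that table, while the function names, the `Demo` folder used by `make_row`, and the status strings are this example's own choices.

```python
"""Rebuild the flattened sample table (folder + file name + MD5 + SHA256 run
together) and verify a downloaded sample set against it."""
import hashlib
import re
from pathlib import Path

# Rows copied from the table on this page. Header rows give the folder tree
# (parent followed by subfolder); file rows end in 32 hex chars of MD5
# followed by 64 hex chars of SHA256.
SAMPLE_LISTING = """\
APT29APT29_2012-02_FSecure_Cozyduke
APT29_2012-02_FSecure_CozydukeCozyDuke
CozyDuke00F67DEB6E435C68F8A39336C9EFFC45D395B1346761106f816313394a653db5172dc48737ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
APT29_2012-02_FSecure_CozydukeCozyDukeDropper
CozyDukeDropper0E0182694C381F8B68AFC5F3FF4C46530e0182694c381f8b68afc5f3ff4c4653c1b19af1e354f13c90163780be6ad50f02d5bf8bac1c9cc1eab1377a159de1be
APT29APT29_2013-02_Crysys_Miniduke Indicators
APT29_2013-02_Crysys_Miniduke IndicatorsDocument_Droppers
Document_Droppers2402C2DC6ACC5A8418201FEA5B2043F985E1DD69_EUAG_report.pdf_cf5a5239ada9b43592757c0d7bf661695fbe3c1075e1afb6c1a3ce757bb8d401e1b1f61db42902cb72fd7b85e4e5f1a5
"""

HEX96 = re.compile(r"[0-9a-f]{32}[0-9a-f]{64}")  # MD5 then SHA256, lower case


def _longest_known_prefix(row, folders):
    """The export dropped the column separator, so the folder is recovered as
    the longest known folder name the row starts with (CozyDukeDropper must
    win over CozyDuke). A file name that itself begins with a folder name
    would be misread; the table on this page has no such case."""
    hits = [f for f in folders if row.startswith(f) and len(row) > len(f)]
    return max(hits, key=len) if hits else None


def split_row(row, folders):
    """Return {folder, name, md5, sha256} for a file row, or None for a
    folder-header row (no trailing MD5+SHA256 pair)."""
    head, tail = row[:-96], row[-96:]
    if not head or not HEX96.fullmatch(tail):
        return None
    folder = _longest_known_prefix(head, folders)
    if folder is None:
        raise ValueError(f"row does not start with a known folder: {row[:40]}...")
    return {"folder": folder, "name": head[len(folder):],
            "md5": tail[:32], "sha256": tail[32:]}


def parse_listing(text, root="APT29"):
    """Walk the rows in order, learning new folder names from header rows.
    `root` is the top-level folder of the table (APT29 on this page)."""
    folders, entries = {root}, []
    for row in text.splitlines():
        row = row.rstrip()
        if not row:
            continue
        entry = split_row(row, folders)
        if entry is not None:
            entries.append(entry)
            continue
        parent = _longest_known_prefix(row, folders)
        if parent is not None:
            folders.add(row[len(parent):])
    return entries


def digests(data):
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def make_row(folder, name, data):
    """Inverse of split_row: a flattened row for a new sample's bytes."""
    md5, sha256 = digests(data)
    return f"{folder}{name}{md5}{sha256}"


def verify_bytes(entry, data):
    md5, sha256 = digests(data)
    if sha256 != entry["sha256"]:
        return "sha256-mismatch"
    if md5 != entry["md5"]:
        return "md5-mismatch"  # SHA256 agrees but MD5 does not: the listing row itself is wrong
    return "ok"


def check_sample(entry, base_dir):
    """Samples in these sets are small, so the whole file is read at once."""
    path = Path(base_dir) / entry["folder"] / entry["name"]
    if not path.is_file():
        return "missing"
    return verify_bytes(entry, path.read_bytes())


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for e in parse_listing(SAMPLE_LISTING):
        print(check_sample(e, base), e["folder"], e["name"], e["sha256"])
```

Run it with the extracted archive directory as the only argument; each line reports `ok`, `missing`, `sha256-mismatch` or `md5-mismatch` for one sample. SHA256 is checked first because it is the identifier worth sharing; an MD5 disagreement with a matching SHA256 points at a transcription error in the list rather than at the file. Replace `SAMPLE_LISTING` with the full table text to check an entire set.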





Sample list

Parent Folder | File Name | MD5 Checksum | SHA256 Checksum

Note: the rows below were flattened on export and run the four columns together with no separator. In a file row the last 96 hex characters are the MD5 (32) followed by the SHA256 (64); what precedes them is the parent folder followed by the file name (often the sample's own hash in upper case, or the lower-case SHA256 in the Bitdefender 2011/2012/2013 folders). A row without a trailing checksum pair is a folder header: the parent folder followed by the subfolder name.
APT29APT29_2012-02_FSecure_Cozyduke
APT29_2012-02_FSecure_CozydukeCozyDuke
CozyDuke00F67DEB6E435C68F8A39336C9EFFC45D395B1346761106f816313394a653db5172dc48737ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
CozyDuke01D3973E1BB46E2B75034736991C567862A112635b4250a6bb4c6915ce962d489ee912d6637cabc343e3ed5b447dccb13aa7caf4d3a3eb3cd617d360167f270ec34596ea
CozyDuke04AEFBF1527536159D72D20DEA907CBD080793E31a42acbdb285a7fba17f95068822ea4e4464c945c88ac9a4a22e86f0922f18c164e87f26c3f3fa054eb488fdd7d4bfc8
CozyDuke210BC99275368DF7EA179055737CFFC3A12A6614d9703d014c5d4f55e2996f3573544476f16cfb7e54a11689fc1a37145b7ff28f17a1930c74324650e9a080ac87d69ac7
CozyDuke23E20C523B9970686D913360D438C88E6067C157f0a6436ffee12558a434a0fc24b3b33f5f827730c7bd155997121f023ca9775077a37a58111738fcb3213757170bd860
CozyDuke29A91E7823046F4EC3FD6B3FD1B442EAA92F356552474b705610245f67bbd1c86ab8bd7bf9987e6be134bf29458a336a76600a267e14b07a57032b6a8fc656f750e40ce5
CozyDuke31163D35C5A3CAA5E82E1D9B0D1B4DB8FBDD79FA9f612661000605c5d0787fe13746e4cc363bf9a64718ae7af673f199b04b90abd5196b176932091927f6386271912442
CozyDuke32B0C8C46F8BAABA0159967C5602F58DD73EBDE90e0182694c381f8b68afc5f3ff4c4653c1b19af1e354f13c90163780be6ad50f02d5bf8bac1c9cc1eab1377a159de1be
CozyDuke33BEB7A410F1CD699733000B5B30B5E4EB2062BA330ed7549d50bdb56497a5577132610a907a743b5d1d028f9bfb5f053311b0f8be8516cb97dbc48ac0511de9c41d3c32
CozyDuke3583647EF8158E29E3C18413ECE70C2851720926992d2386998566a2a95c2affbfe3f3fe73b7d89340126a441e483229deefb017c8c680d0c8f571c55744e6141576f68a
CozyDuke42CFE068B0F476198B93393840D400424FD77F0Cd596827d48a3ff836545b3a999f2c3e30dc7438be5b21a36651de0a08361b18d76f0920517a7d51f75dc234740f392ca
CozyDuke443BC2E77B10AE64AF6321C2C7BFD311C0772503b4ae6966e65e47afa41610b1fb554607b75cc5e0ad70347b3fad6c3e3b6b2bd224ec75e6ea9c906f01b53af58b52f038
CozyDuke44406A80F13045442CE6A28EE62A923AC8F8C56A01a2c13c42f1a0557421d341f41654237188e3a11c12e48098fb24aa288068ff5dabeff8ba88b138c20811ef751d5f07
CozyDuke482D1624F9450CA1C99926CEEC2606260E7CE544fd8e27f820bdbdf6cb80a46c67fd978af7f4d18dbc0b822b89ba14ffea24114f92b593be0f287f300bb269b310883039
CozyDuke49FB759D133EEAAB3FCC78CEC64418E44ED649AB08709ef0e3d467ce843af4deb77d74d5bc7bcb663477238508ce8ad366cc9a77811c7f5eabaec47175858fe972639f40
CozyDuke4A16674C799FAE6535C82F878F6A37F94EE9A49B5fa3c3dabb8edd601302d9cf02db899d0d5d39ad12361b6ea6b3856e55a63cad4611c7b49795b1f2a517621de298e4fa
CozyDuke5150174A4D5E5BB0BCCC568E82DBB864064875102ef51f1ca11ce73fa20b54a5886ad1dd89996b66d5a339939b2072d29675ec3ca6d793f42a5d335a8ea7dab8773321ef
CozyDuke5BCD74E0C3C661580201E7D8122D7525A1480B4C859f167704b5c138ed9a9d4d3fdc0723f99efa337e1b7cef4e68570a23da9183526c3db72c6410d41f63e38c8b515466
CozyDuke5FFE420A3CC848024884DB8E2CFED68C47368DAE5eabc9c54b73fffb5f3fddb37a653d7b9d047bd757faff57539c885d46fdf8e7db383d850b355d7a829a203c9184def4
CozyDuke6B5EF7B76B35203DD323AF49BFA27CFA7E1B6376c42bf27579eaadfa080134f3400a417bfbbcac3f053a480ca28cc2910c74846af7efb0b291cbe006cf15c612986e5d2c
CozyDuke71C59EAA445346251467942BAC489A9D4E807F7F69cab1853df0749d42b68bf41d78e655c3329be592d90fdc0383d05ae9c251b3387f366f2aeb57ac595a5538aea0bfd9
CozyDuke75AEAEE253B5C8AE701195E3B0F49308F3D1D93295b3ec0a4e539efaa1faa3d4e25d51de7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5
CozyDuke7765A0869530C1A17B8FD339BBE55CC4C1BDBA305ebce6cbedfec82f1428c3409e3df0ef89cd924e6bb24ea151ba653573c64f07b22802473ea94c63c2c94843172998d6
CozyDuke78E9960CC5819583FB98FB619B33BFF7768EE861181a88c911b10d0fcb4682ae552c0de3a5373b33ac970dedeb52528b123959145bf51c95b159a30a7823ad8018ac4b41
CozyDuke7C710CF31F20EF7E0AD1809672255D4EDFDFF05283acacbd57997f6326817f709f8578936e7f6146b428af5eaec4dec1616df980764110120ae54bb765ae662c87496d50
CozyDuke87668D14910C1E1BB8BBEA0C6363F76E664DCD09f58a4369b8176edbde4396dc977c900830c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73
CozyDuke883292F00E5836F99A1943A6E0164D8C6C124478bc626c8f11ed753f33ad1c0fe848d8988853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154
CozyDuke8B357FF017DF3ED882B278D0DBBDF129235D123D3d3363598f87c78826c859077606e51401468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
CozyDuke8BA7932A40008881A4ED975F52271C0B679EAFF245d6515ebb7f57404b8703f1e77a461a99f53b96a264b56542cd0f7c631339f8a3f3bdd3817fc9fddcdf44edd91ea90e
CozyDuke8C3ED0BBDC77AEC299C77F666C21659840F5CE23e8510a7ae4919a3fcedad985fbbca35218c0b02776487babbf6219cdaf97cbf2b534e0cf87a527228dda2d4a468a257f
CozyDuke8F1AC45360196A7B5A1680FF839A131394E9D9B49e3c39aaa240da8c7002924170019f7884a941d828813301c2634c6a818b9d7455c6493a073a0646d9a4e263a5a0e082
CozyDuke9319BF72000F8E468C182947DD5C82FB8B9AE4191ff0ed11fc6a41db458a75ae71670f94509347f4a5b81a65e327363b9eb6773d57cb6df0c834bfdb19eda8defcfecadb
CozyDuke93D53BE2C3E7961BC01E0BFA5065A2390305268C90bd910ee161b71c7a37ac642f910059ff9edb92ee8125519aa1eea60cab9999bcd4caa87b891882caddc73a2a5ae9cf
CozyDuke93EE1C714FAD9CC1BF2CBA19F3DE9D1E83C665E2f02da961eb7b87b41aee5fd9537022f0ac4ffc7a2ba8840a20f6b07aa44328f1802b79ced6a56b3ac7e78fa1178ba65a
CozyDuke94520B93510DB0DC10387A65E0A46F45AB50122650992eefe5df1c85dde85dc008b5010d64533e377bc50faa161ebf98639385c119de07dd22ed2525b26bfba608e4da95
CozyDuke9B56155B82F14000F0EC027F29FF20E6AE5205C29ad55b83f2eec0c19873a770b0c86a2f7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522
CozyDuke9F8F1672594A6FBAC43793C857DD7718E75F328Ac79bf9a04913a5018ab8de65ffd1060f463e19dfd8dc9a2712deb50ccbe2bf59693cee322fb6f0d45d333e34fe4a3d45
CozyDukeA38EA2533E3DFA6339726AAFD4BC2BC7E3EEC5296f535a0f5c7f710ec4739e52f35a567395f8e91fb2059954866e52459cb88f5ff7b2aea590fce587e51f1140222ef27f
CozyDukeAC2B5928F46069111F4334F650A7DBF1B5F026D5fef254d6c46fdced294db44acef8d839da3ee90d5ae8b82775567bc35896f7752b5f9a1eb686feb2e32f376e8e936e7a
CozyDukeB26BC0A3E35C474F7099BD2B066F1680F3394B1466d2b5ed8646a0ef38eef822555b98286b31c287e93d7d4a5a92a5ad50ee903534af4ee34ed2879b002b139eaed7510d
CozyDukeB5E973DF0A159AB583FC8923C796C8CBF5B535DF864bb9137f6bf94e59fbaa9b21065d1e6b8d05118610f97f7fee199e29c193ef763f344b425a01b6cf471ec591ad4280
CozyDukeBDD2BAE83C3BAB9BA0C199492FE57E70C6425DD3416db420e781c709bb71acee0b79282f4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99
CozyDukeBF265227F9A8E22EA1C0035AC4D2449CEED43E2B1dde02ff744fa4e261168e2008fd613a418a21d49fe5bca8a3e050f039a0e2aa03db6d2de0fb49e3ff9d987f31b22dda
CozyDukeBF9D3A45273608CAF90084C1157DE2074322A23043c012086c1ae0a67c38b0926d6cba3f3dea35172449f0b9a86dff9af3b4480cc4c37a30e8cb54963ff91c4c1ffe7b0d
CozyDukeC117608DAB3AB632DE8110F8981DD7E773C61D052aabd78ef11926d7b562fd0d91e68ad3f9ff78669e4b251ac1e31076eaf420bee6f2060dbc926cc33603f893658ca86c
CozyDukeC3D8A548FA0525E1E55AA592E14303FC6964D28Df16dff8ec8702518471f637eb5313ab22b160b7eef5ce5fdb83889f96fc40cbbbc7b85450ff2afdf781a8eb5d6a0f541
CozyDukeC3FDE950FE7D668805B40B1680D519F20C18B899f16629ad4bc9473ef4978d6a3dd551f1ea8357db1071cda3e9a63592e584410d071673433a89215c220e0e7310729229
CozyDukeC62E840FFE4BBA50F6584B33A877475F0EBCF55810b852b9f669aa6ec60bc838dbee6de3aaea9387a63a20aed6e41029ea14af41a76e09069fd3aa7f7fa210f540f42b9a
CozyDukeC6472898E9085E563CD56BAEB6B6E21928C5486D98a6484533fa12a9ba6b1bd9df1899dc9891b5586cede16aa1e1b87380621f68e8956b991cf7675bbe18d2ec61a7522f
CozyDukeC8FE2296565C211E019CDAD3918A5736D4B12D4493176df76e351b3ea829e0e6c6832bdf950c8f9dbec3a2a1603f9202408cf49ea5a9573c7296e5940a42581cbd6fc8c2
CozyDukeCCF83CD713E0F078697F9E842A06D624F8B9757Eacffb2823fc655637657dcbd25f35af8262dbadca239e5259161130ac9f0f5ef50691fd9dc3e3490b6c0d7b76e7ee34e
CozyDukeCE9D077349638FFD3E1AD68CDA76C12CFB0240694121414c63079b7fa836be00f8d0a93bfde146d9d8c42d3b7803285bfa73976b81234f9ef37a16f9319929ec1e686bb3
CozyDukeCEBCF2F495C3B95138128D0577DCAC5CDE29490D3a746f525877b3d006758def2957ddaf4d5d056e501bc3fca73a156b23e05612bd2fc7f09b44745766b98b6ca2599bfb
CozyDukeD3254F1F4C4DEF8C023982DFB28FA31E91B69AB5cb52ba412736c9966c02265946b0fdb09d217fc19800472327465066f4cf369df9ef9c43dd3822af1d7cda79c74e7793
CozyDukeD5CBF554E4E700B37DDCB026D4407FCD87032D873dce9f631cc0b8a1b1bdc1b4671e25696928d9fda1b31c72067ba2a1d3f21efe8595f6e8d54a196ccabbc953f10b2d38
CozyDukeE0779AC6E5CC76E91FCA71EFEADE2A5D7F099C80209a4a102a977b698544c99d8236e9ca86056f462d5783604b7f050047db210ecf698e72f3664b27d58265663ff5b324
CozyDukeE76DA232EC020D133530FDD52FFCC38B7C1D766262c4ce93050e48d623569c7dcc4d0278f44bead117d2cf34b8e50b81c82fbd1b938b94387cdf84386ace46b1f3b5df1a
CozyDukeE99A03EBE3462D2399F1B819F48384F6714DCBA11a262a7bfecd981d7874633f41ea5de8099524703c250d1d1a16288dbd2f425d6cd0491f608e207a82f239b39bb26b7e
CozyDukeEA0CFE60A7B7168C42C0E86E15FEB5B0C9674029eb22b99d44223866e24872d80a4ddefdf722677df4fb7eb4ac986a944d4f6630b91ac22b31f8d39ec9bf941376d5d4db
CozyDukeEB851ADFADA7B40FC4F6C0AE348694500F878493b5553645fe819a93aafe2894da13dae71a7239c006a3adf893bdb5c2300b2964ed8bb454e1b622853e4460707dc63c16
CozyDukeF2FFC4E1D5FAEC0B7C03A233524BB78E44F0E50B9f65e3b320ec91380ebc28d4fdff48958a5d8d103cb175d7dc41932ef9a890997e25dbe15f94ecd2105835fe49779354
CozyDukeF33C980D4B6AAAB1DC401226AB452CE840AD4F407f6bca4f08c63e597bed969f5b729c5665fa52f632e4e83ff83120c7df6b90291025a76d5daeb183e814ec0b3bd2bd4e
CozyDukeF7693E5D39DB067D97CD91FB22522F94C59FDA3D90674c3cca487fedbe77c4986d0232968cc0f8322ce5f546cdccac553420a8ff9784212c5aada89c04a8ec2c5324f983
CozyDukeF7D47C38ECA7EC68AA478C06B1BA983D9BF02E15a5d6ad8ad82c266fda96e076335a50807ed2d1aceab5f54df4acca63b5d269842d49521e13bab5e652237667c7eef261
APT29_2012-02_FSecure_CozydukeCozyDukeDropper
CozyDukeDropper0E0182694C381F8B68AFC5F3FF4C46530e0182694c381f8b68afc5f3ff4c4653c1b19af1e354f13c90163780be6ad50f02d5bf8bac1c9cc1eab1377a159de1be
CozyDukeDropper181A88C911B10D0FCB4682AE552C0DE3181a88c911b10d0fcb4682ae552c0de3a5373b33ac970dedeb52528b123959145bf51c95b159a30a7823ad8018ac4b41
CozyDukeDropper1DDE02FF744FA4E261168E2008FD613A1dde02ff744fa4e261168e2008fd613a418a21d49fe5bca8a3e050f039a0e2aa03db6d2de0fb49e3ff9d987f31b22dda
CozyDukeDropper4121414C63079B7FA836BE00F8D0A93B4121414c63079b7fa836be00f8d0a93bfde146d9d8c42d3b7803285bfa73976b81234f9ef37a16f9319929ec1e686bb3
CozyDukeDropper43C012086C1AE0A67C38B0926D6CBA3F43c012086c1ae0a67c38b0926d6cba3f3dea35172449f0b9a86dff9af3b4480cc4c37a30e8cb54963ff91c4c1ffe7b0d
CozyDukeDropper91AAF47843A34A9D8D1BB715A6D4ACEC91aaf47843a34a9d8d1bb715a6d4acecdc70d3046b59785b2b9b7091e26f2484ba7a488dba420a8a05be388a337c399e
CozyDukeDropper95B3EC0A4E539EFAA1FAA3D4E25D51DE95b3ec0a4e539efaa1faa3d4e25d51de7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5
CozyDukeDropper9AD55B83F2EEC0C19873A770B0C86A2F9ad55b83f2eec0c19873a770b0c86a2f7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522
CozyDukeDropper9F65E3B320EC91380EBC28D4FDFF48959f65e3b320ec91380ebc28d4fdff48958a5d8d103cb175d7dc41932ef9a890997e25dbe15f94ecd2105835fe49779354
CozyDukeDropperEB22B99D44223866E24872D80A4DDEFDeb22b99d44223866e24872d80a4ddefdf722677df4fb7eb4ac986a944d4f6630b91ac22b31f8d39ec9bf941376d5d4db
CozyDukeDropperF58A4369B8176EDBDE4396DC977C9008f58a4369b8176edbde4396dc977c900830c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73
CozyDukeDropperFEF254D6C46FDCED294DB44ACEF8D839fef254d6c46fdced294db44acef8d839da3ee90d5ae8b82775567bc35896f7752b5f9a1eb686feb2e32f376e8e936e7a
APT29APT29_2013-02_Crysys_Miniduke Indicators
APT29_2013-02_Crysys_Miniduke IndicatorsDocument_Droppers
Document_Droppers2402C2DC6ACC5A8418201FEA5B2043F985E1DD69_EUAG_report.pdf_cf5a5239ada9b43592757c0d7bf661695fbe3c1075e1afb6c1a3ce757bb8d401e1b1f61db42902cb72fd7b85e4e5f1a5
Document_Droppers5951EEF7C336E442C95F247AB2ECC4895F5D3E45_report.pdf_0cdf55626e56ffbf1b198beb4f6ed55959b62e650a437032886e1cc74dd7cdf0abab5ee6bc85fb4aa18568733aa89370
Document_DroppersADCB57BCE7FBB5E076F3272990BEDEE1D9544EE5_EUAG_report.pdf__3f301758aa3d5d123a9ddbad1890853b8a844864e62650905fc438f6291fa64ae2d3822054cc8354c44a923d5364905e
Document_DroppersDD2C3592281EC09602AAA8488EB2F4509F75EF81_The 2013 Armenian Economic Association.pdf_c03bcb0cde62b3f45b4d772ab635e2b0da7f82d0c80c7d95d787185c04ecc116062bc655e513eaf1ccb4a1423bdbd289
Document_DroppersFBC3856FD689E1AC0F8FB56BBD7D0A2B8332A928_ASEM_Seminar.pdf_88292d7181514fda5390292d73da28d4784d1ebd1faccec27f98970cc266859eaf5676da1c451e3304fb55435d8c8473
Document_DroppersFC53525F4E2E5B8EBE86778C20FD8916612CFD29_action_plan.pdf_3668b018b4bb080d1875aee346e3650a5b21100b828b77758bfd6495c924e71f8bbd890c78d07067928bd7beccae087e
APT29_2013-02_Crysys_Miniduke IndicatorsStage2
Stage2109E1E387F8B2BB8D92F45E79881809384E9AE54d39f2202b421561cfc36a8802184685ce8d7b9fc80a87688fe6c6515117a6ebd96cfaea72a6bddb4bdc05404869f5f26
Stage21BA5BCD62ABCBFF517A4ADB2609F721DD7F609DF48bbce47e4d2d51811ea99d5a771cd1a1f19bd932336fa721e739b32c07b67c01ea4bd0ebc70e92a70f41e51f4668a0a
Stage21E6B9414FCE4277207AAB2AA12E4F0842A23F9C1a4ad6b55b1bc9e16123de1388f6ef9bf7889fbd40f65cfe21d0c7486b29eb4c5042abff4ac660c12c7936831445cfd6e
Stage2223C7EB7B9DDE08EE028BBA6552409EE144DB54Aa67ad3e2a020f690d892b727102a759b35c08566dc38ad65e906b3683ace98e5beef855aeedc611a0317a72eee193539
Stage228A43EAC3BE1B96C68A1E7463AE91367434A2AC4297ef5bf99b5e4fd413f3755ba6aad79c60621e82f58b5ea5b36cde40889a076cb2c7f1612144998b1d388200bc7e295
Stage2296FD4C5B4BF8EA288F45B4801512D7DEC7C497Bb8e89f9908262b5385623c0e39d6b9408e28dcf7fd7ce1ad9a65c186e09a7843ee31af924509148f085958cadfdda8fb
Stage22CEAE0F5F3EFE366EBDED0A413E5EA264FBF2A33441ee6a307e672c24d334d66cd7b2e1af4b01a3a299b09d2b4418cb66e80c34e3ec04016ed27199c472515cf95a023d0
Stage230B377E7DC2418607D8CF5D01AE1F925EAB2F0372dcd049c591644e35102921a48799975354786c5df71cd090c96d1328b4e31cd28b8ddc77904863d100b6c35ad235b69
Stage231AB6830F4E39C2C520AE55D4C4BFFE0B347C947ffefe16d581340c1e49f585a576a1fd8764f8c8f8832954c99fb0c2ac5ac5d89506dc5dc50310c9112318b75e9f9e2bf
Stage2352A2CF4BB2C9E300CE9A51740F238C9282CA6E47049aa581874752093bb98850ff45dac889fffd6f073755742324757394a6cbca41f72562af846105b51007855149903
Stage236B969C1B3C46953077E4AABB75BE8CC6AA6A327ab2d8a0d5b03d40f148f2f907b55f9f155265193d63d56553e8e135e9a60d7d7c13cbf9d82ac25f84306ec98d74725b0
Stage243FA0D5A30B4CD72BB7E156C00C1611BB4F4BD0Ab100d530d67cfbe76394bb01605673829c13a32033bc7dd06016651b0f21a2bed9be1dc40c6879f925c71e05f4f1c8f7
Stage24EC769C15A9E318D41FD4A1997EC13C029976FC205d10323111f02233163a6742556c97462a2df9d001d3e0f222d77b6781eb279761f1354570773ef1929a86557a11454
Stage253140342B8FE2DD7661FCE0D0E88D909F55099DBe990e0d1ee90cd10c4be7bfde6cc3e5acc6ad212f50e0a7a708bb1b63a01d8932f471618cdda69b2e12106ae112b2415
Stage25551408323086F31D9BC3358AB5B2ED4DDE86C5Dfdc96d77af6fdae487002e32d61df123c150dc87a29f23f909498fc13107187416618cacdfe0ecdf6976bf2a2632e82e
Stage25ACAEA49540635670036DC626503431B5A783B56c519eef57001ad3ae60cdcb0009bf778acd886fa7b9117807f1e11f0f38b9fad1afce51aa9cfbe3810a39d883d0ca663
Stage2634A1649995309B9C7D163AF627F7E39F42D5968b8088f6594dd8cba31b4f52a2d91f40e5569b85532adb1e637f83c997910924345f10aa9c2948b3d26be13eec6cbeb8b
Stage2683104D28BD5C52C53D2E6C710A7BD19676C28B8e1a659473ae1e828508309b77da13783830ee990a6d4aaf00bb051704c93b468792561e8dd6a6ed4662f6032d38dd37a
Stage273366C1EB26B92886531586728BE4975D56F7CA5c92252487615d5379317febc22dba7d47f5d3a8dfa13ba8e2142a3b1d644f107cc89c7e90cda2a5543df5787f8bfde1e
Stage281612FC09CFAE280CC35B1331C832A5A87C2EDFFafe0190820b3edc296daefe6d161105163eebf042547a7549fe9f5affaa1cee6bf11cf0450ede8f42e13bf4656e2f9b0
Stage2827DE388E0FEABD92FE7BD433138AA35142BD01A2ab25d33d61cf4cfbac92c26c7c0598e6a95d2895362fc8657bc90d73d77e32f09b86699eb625905ddeb45ccd6b13c71
Stage2A32817E9FF07BC69974221D9B7A9B980FA80B6771528567b1a2f1da31d602ce1ddfd89188d457e4189017712917c5c8f900bb9072c5910c9f975c50337115f952d885635
Stage2A6C18FCBE6B25C370E1305D523B5DE662172875Bb68677e04fcc9103560bb0a5e5c7303f94d39845ec228ff1c84668207c4591ae0e2b6605bdf11e84916534ab09744736
Stage2A9E529C7B04A99019DD31C3C0D7F576E1BBD0970d2f39019bfa05c7e71748d0624be9a9419580f275b82ee091bdc3028e6e5018fdcc915fe7853d4151b44f3d7e101e531
Stage2AD9734B05973A0A0F1D34A32CD1936E66898C034a58e8e935341b6f5cc1369c616de37655b96b07528f762dfcb9d6936995ed4e358d29542ae756f6e5547fa3b5b7797b6
Stage2C39D0B12BB1C25CF46A5AE6B197A59F8EA90CAA02d87ab160291664d62445548a2164c6023486eedb5fe8a026f602507f490b4df4721e8befa65007b84c4f5b1ed95e1bd
Stage2CC492D4B188F4CF5003F8B6954F6DD071A8066C206def6c642dcbd58d0291ac110a572743c28d41fbe5f6f0e4a8402fdd036f2a8cf271dabe135919ea0de0d5f1348f871
Stage2D81B0705D26390EB82188C03644786DD6F1A2A9Ef19345e0e5aecc0da45b4c110591bdd9b55e6e10a7f46c97cd247028287ea664bacf7ec7e500a4bf4f53c9dea7625426
Stage2ED64FBA3195F52192C65CAD491A28BF18F6F67A392a2c993b7a1849f11e8a95defacd2f75de532fd62bd4e528ed6e0ccf746e20e2e58041b7ff5327ddbbcf37628429077
Stage2EDF74413A6E2763147184B5E1B8732537A8543658282eb6d6f20c5de6e7f4ae3a42438d2fe2672737205351df003e1969ef1ef0df9e13a9a31bf77f844236857ed0b0bf5
Stage2EFCB9BE7BF162980187237BCB50F4DA2D55430C2935892bb70d954efdc5ee1b0c5f97184a962ea9027514712ba3949dc3ca54559d1d42e116837dda5f9809d6523a41255
Stage2F62600984C5086F2DA3D70BC1F5042CF464F928D381691b297f7f5694709e21ad61ec64513a50942322977d6471f71debc6d3db38807d88778366bae6cfcae45823a17f8
APT29_2013-02_Crysys_Miniduke IndicatorsStage3
Stage300852745CB40730DC333124549A768B471DFF4BCcf59ed2b5473281cc2e083eba3f4b6623d0b1f970eaeeabf9372ffc1ad7e61226632904cf0311ea8f872ddbfd34a3a2a
Stage30E263D80C46D5A538115F71E077A6175168ABC5C78e51be60eab2c6e952c9538a46ab52105e4224d4dd4e5fbd381ed33edb5bf847fbc138fbe9f57cb7d1f8fc9fa9a382d
Stage3118114446847EAD7A2FE87ECB4943FDBDD2BBD1E4c6608203e751cf27f627220269d683529ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50
Stage315C75472F160F082F6905D57A98DE94C026E2C56738c60fff066934b6f33e368cfe9a88cde8184c6850d17f90e861309828af1f7b7e3b1695ebe5d303d3d4b6ef4ba1218
Stage31DF9B4DC693CE7250F51CBC7CED53AD0A6E1C587c48d0822eedd75c9c56f688fb8a0525979bc1595ad701ab8a72874a96bcfb94986daeee26b996241e691f3d53f7ec53a
Stage3416D1035168B99CC8BA7227D4C7C3C6BC1CE169A811f66d6dd2c713073c0b0aebbe74ce84809c2c7fa19acfa011f97946205f979afb54ac2c166f48ab35a20cd9d53a2ca
Stage3493D0660C9CF738BE08209BFD56351D4CF07587786ef8f5f62ae8590d6edf45e04806515a6e2852f2e6701656da74adb412cd0850b0d27750803613223be3eb5ac5cc26c
Stage3497F9C688ED142AE91E354B3D9C9E13243A268B0626489f8cafacb1b24fe6ecf0db52f23163eda7f8382b3981e23d81318505806260d2657ca3cd9d7e0995299a5647318
Stage36CF8CA847EE317255A9084BB44AE3F38EF61E5C392ff4df1d079a003ae2a8ac47dd5e81bf4698d9429b004357d1008ea8c9b94ec2a0370900616165db2315a9cbdda28fd
Stage3804701959A1DBFBBFC6D8142DE850DB9FCE9A61107a9975d7d96ff3b56de024ab2017582684f863b5af69ef3dc4e86a54cbb1f5486adfe79e08bd0b12d89684c0a9fb2fe
Stage39D716D2F8F1C2841A2707EBA2EBADD01ED83003044ee71de720fc1a50c919bc5a01c592da982838c4e90db3cb331f1d2f7b5b74f389da64e642bda75335a6137fdd627d8
Stage3D22D80DA6F042C4DA3392A69C713EE4D64BE8BC8b798c968cbfd53f878e13c7698610d9c12a057ca7c92cda3cd0e09efc5bff2ebd3f7d2991e999038c7f31a6ac6a95c3d
Stage3E4ADD0B118113B2627143C7EF1D5B1327DE395F118e64b8e5ce5bdd33ce8bd9e00af672cb1584a6f1059ad1c24bde2a9a8ae83ffc6679eb531d30f3f1c69f81e3a3819dc
APT29APT29_2013-04_Bitdefender_A Closer Look at MiniDuke
APT29_2013-04_Bitdefender_A Closer Look at MiniDuke2011
2011_20111c658719e6dedb929a6d85359c59682d91b97f3b8ef8ebc8bbd06e06927e7b38090c026f8fca77e209e69c056b042cb7
APT29_2013-04_Bitdefender_A Closer Look at MiniDuke2012
201215101f74f974e3e80cc37805ebe5cc2efed77bb5745d82e1b44b1da4f0c8369173931351f883cff5dbdcc54cc4eb10a715101f74f974e3e80cc37805ebe5cc2efed77bb5745d82e1b44b1da4f0c83691
20121db9187b7b0e5bc97aca233f29b96295c0bc4058fdcff50df543c1f044e588361de51ec5d2b8466f0d424e1c8dcd64541db9187b7b0e5bc97aca233f29b96295c0bc4058fdcff50df543c1f044e58836
20122f9834f7b7fe09d98ef7b27d3828691ed4b361d1ccbbf8e10703f9ec03b05259612fba96383a5098c26fe1a222e1e7552f9834f7b7fe09d98ef7b27d3828691ed4b361d1ccbbf8e10703f9ec03b05259
2012415f88765b88dd90e5b0502e4fa1408e06ac9552c7c8974a510e6e23a9756a45e48fb57ce3d9c56ca3cf6c4aed8ad0ea415f88765b88dd90e5b0502e4fa1408e06ac9552c7c8974a510e6e23a9756a45
201255129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f11846874593127f50abff5327b3f7038b456d255129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f118468
20126e57c69963562d28a3a9da9f9103c199c909d0baa185a5d21e1b200a5a14ab729f13dc03904dbd45374acc21344772736e57c69963562d28a3a9da9f9103c199c909d0baa185a5d21e1b200a5a14ab72
2012bf210e54c65ea69ebda418f701c2c6b8aff840f31c1072d641a726cef8c7b5added2f80457aaefe1a80a9cefd1f4645dbf210e54c65ea69ebda418f701c2c6b8aff840f31c1072d641a726cef8c7b5ad
2012c13794601c5bdec3d5d76de9571e6c0e0b022b9fc62907018566895e3b949982423bb8914078a587d08b54d16bbd527cc13794601c5bdec3d5d76de9571e6c0e0b022b9fc62907018566895e3b949982
2012dfe146fffd2ae59172f52048f7e7d231807e0d732e19bdb443820a8305165741561017f887865b8d13f85c5474cdcbb8dfe146fffd2ae59172f52048f7e7d231807e0d732e19bdb443820a8305165741
2012e961202d84aad7fa9faaeb63651735416612d25c611a7a025e2eaab67c79e272ff83dad77ac2b526849930f1860dfd3fe961202d84aad7fa9faaeb63651735416612d25c611a7a025e2eaab67c79e272
2012f151f5a656d43a76a07fa03166906d51f9683b27b0e9b86464e3a68e9dba1fac8d3542af992b1de4cf1f587f61dddb50f151f5a656d43a76a07fa03166906d51f9683b27b0e9b86464e3a68e9dba1fac
APT29_2013-04_Bitdefender_A Closer Look at MiniDuke2013
201356dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a842530f54b87508e6f09a6bc5ab863b5db56dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a84
20136c2409d415e66faebf0a031350b44d5a014ab4f62f2c1a3115982d452b7f97b9527537cc28705e01af8d8006ae8308a96c2409d415e66faebf0a031350b44d5a014ab4f62f2c1a3115982d452b7f97b9
20137815e5275ea849a9ed1f193abd8781ff7ae6b88ef6282f6a0900175a4bb59131810de1b9fa0a9396acae23dcd113a60d7815e5275ea849a9ed1f193abd8781ff7ae6b88ef6282f6a0900175a4bb59131
2013abfffd23c81b6301675567622ccee08cf578ce91f372fce68cff8fc1dbc3053dc786a4cdfe08dbe7c64972a14669c4d1abfffd23c81b6301675567622ccee08cf578ce91f372fce68cff8fc1dbc3053d
2013ecc5e2526ca32a447c862612b71c1db5675a759897e680573fa143ac0a8e662ae863737773f64498091cd775c7abde66ecc5e2526ca32a447c862612b71c1db5675a759897e680573fa143ac0a8e662a
2013f0d822926f4e6aec2cf2bd7701d67e8399ccc05bc028377a275a90e06620a1096942f1dfd61d231df8acb7ed0f6310c4f0d822926f4e6aec2cf2bd7701d67e8399ccc05bc028377a275a90e06620a109
APT29APT29_2014-04_FSecure_Targeted Attacks and Ukraine
APT29_2014-04_FSecure_Targeted Attacks and Ukraine77A62F51649388E8DA9939D5C467F56102269EB1_Nato_pdf_06cca401a1049ae2fbb4f00aac720136081a9def7150ffd17d6c794b10609fd3463bebe0810bbf241162699a53779113
APT29_2014-04_FSecure_Targeted Attacks and Ukrainedownload
download1e5525eb2b80ed57635f0922bc5d1c56812fb8e0da64a9333b0ba66c4411b6b4ba57f95eba99722ebdeae433fc168d721e5525eb2b80ed57635f0922bc5d1c56812fb8e0da64a9333b0ba66c4411b6b4
downloadbd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300edf7a81dab0bf0520bfb8204a010b730bd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300
APT29APT29_2014-05_FSecure.Miniduke still duking it out
APT29_2014-05_FSecure.Miniduke still duking it out58be4918df7fbf1e12de1a31d4f622e570a81b93_Proposal-Cover-Sheet-English.rtf_6b08ff05b50dd89d81e2aa47554aa5e64c663f1b23d44283bbd2693ffb03a3864ad4455deb079a4f5c94d92be53a88cd
APT29_2014-05_FSecure.Miniduke still duking it outb27f6174173e71dc154413a525baddf3d6dea1fd.dll_270ca8368cd4216b1813281d3efe485d2ae4cc6834e3679e99fc93d2f5fba02167a31cf5b68a5a9ca7aa1a4b9f7cb4ae
APT29APT29_2014-07_Kaspersky_Miniduke is back_Nemesis Gemina and the Botgen Studio
APT29_2014-07_Kaspersky_Miniduke is back_Nemesis Gemina and the Botgen Studio86EC70C27E5346700714DBAE2F10E168A08210E4ba57f95eba99722ebdeae433fc168d721e5525eb2b80ed57635f0922bc5d1c56812fb8e0da64a9333b0ba66c4411b6b4
APT29_2014-07_Kaspersky_Miniduke is back_Nemesis Gemina and the Botgen StudioECD2FEB0AFD5614D7575598C63D9B0146A67ECAAedf7a81dab0bf0520bfb8204a010b730bd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300
APT29APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day2402C2DC6ACC5A8418201FEA5B2043F985E1DD69_EUAG_report.pdf_cf5a5239ada9b43592757c0d7bf661695fbe3c1075e1afb6c1a3ce757bb8d401e1b1f61db42902cb72fd7b85e4e5f1a5
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day5951EEF7C336E442C95F247AB2ECC4895F5D3E45_ c.pdf_0cdf55626e56ffbf1b198beb4f6ed55959b62e650a437032886e1cc74dd7cdf0abab5ee6bc85fb4aa18568733aa89370
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-dayADCB57BCE7FBB5E076F3272990BEDEE1D9544EE5_EUAG_report.pdf__3f301758aa3d5d123a9ddbad1890853b8a844864e62650905fc438f6291fa64ae2d3822054cc8354c44a923d5364905e
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-dayFBC3856FD689E1AC0F8FB56BBD7D0A2B8332A928_ ASEM_Seminar.pdf_88292d7181514fda5390292d73da28d4784d1ebd1faccec27f98970cc266859eaf5676da1c451e3304fb55435d8c8473
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-dayFC53525F4E2E5B8EBE86778C20FD8916612CFD29_action_plan.pdf_3668b018b4bb080d1875aee346e3650a5b21100b828b77758bfd6495c924e71f8bbd890c78d07067928bd7beccae087e
Folder | File | MD5 | SHA-256
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day | The 2013 Armenian Economic Association.pdf _ | c03bcb0cde62b3f45b4d772ab635e2b0 | da7f82d0c80c7d95d787185c04ecc116062bc655e513eaf1ccb4a1423bdbd289
APT29_2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day | themysteryofthepdf0-dayassemblermicrobackdoor.pdf | 304bb5f1419a2e56f4bcd0d0f3b1312f | b7cf61434cb485baafd9c3205f64c0cc8f1fa2302f9405a16cd421e888f4973e
APT29 | APT29_2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network | - | -
APT29_2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network | A75995F94854DEA8799650A2F4A97980B71199D2 | 28f96a57fa5ff663926e9bad51a1d0cb | 19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d
APT29_2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network | B491C14D8CFB48636F6095B7B16555E9A575D57F | c8eb6040fd02d77660d19057a38ff769 | 366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
APT29_2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network | D433F281CF56015941A1C2CB87066CA62EA1DB37 | d1ce79089578da2d41f1ad901f7b1014 | 0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
APT29 | APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | - | -
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 0E5F55676E01D8E41D77CDC43489DA8381B68086 | dc6cc442c0900104a5601a6049354fad | 41d63d293a6e2722fcf82f8bf67b8f566bd4d3f669ede146ccc286f0228d8f62
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 353540C6619F2BBA2351BABAD736599811D3392E | ab7a66ed3c6de1b7449d6054a8b46d7f | 8cad0a40dd87e5d77e5c939bd7ea838c3549c44b525e2f4a1227d53c4af925be
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 4E3C9D7EB8302739E6931A3B5B605EFE8F211E51 | 9d95c8f09f991a5fc37b79c45ebd2043 | 3c5d2fcacafc21d9f43c595ddf03bec801ccb958b8641018612c21bc741800d0
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 5295B09592D5A651CA3F748F0E6401BD48FE7BDA | 6571a2d3892ca937697e96f8bb795e42 | 8c6c57f7e9c81fcf194d17a752f8da4295fab5dad8eb79bd289256b9cdb7415e
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 55F83FF166AB8978D6CE38E80FDE858CF29E660B | 8e5106565fd96df1308d208d1e3426a3 | 7e371cd323898e403df7a80add34d791e160e443bcd2d02f27ddc0c04ba1bdab
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 580ECA9E36DCD1A2DEB9075BCAE90AFEE46AACE2 | 351c913e4120081d8f04317121654a39 | 1590bdbaff2c178387e924b689b030057b4cbd2865e9c4dd3886a8791ac8e4ee
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 5A199A75411047903B7BA7851BF705EC545F6DA9 | f22606385080d35551e7f8e8f49b7de9 | fe5bc1248fc79fc15663ef169f0a269c1abe847d00b01e9571fe5c0d760d68f0
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 5C5EC0B5112A74A95EDC23EF093792EB3698320E | 3729a14be6b3a92265cf6d8e14c79abe | 64e3a2bba82027dd6ff631fa5890a7ba8331b62a0a4c0b1ca24d143c2b61c323
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 65681390D203871E9C21C68075DBF38944E782E8 | 6542cd548182d6adc08a63c942f9bc54 | 880ae80fdc874002a6d9c807802794d4a35c384551d73bb36277b2f1e63d67e2
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 6A43ADA6A3741892B56B0EF38CDF48DF1ACE236D | dc92eba92885f2e937cb6f694647eb71 | 3d37e753812687fb7287cf8644d13fe2673ea7c3b540637c1ce1c6819f1c521b
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 6DB1151EEB4339FC72D6D094E2D6C2572DE89470 | 5a7659b691a3caf107e6636d8906dcb0 | 334ed05005ce829224d0dd4cc5baab6b837cf02ac0e321c8f97d11b3ba1c77a7
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 74BC93107B1BBAE2D98FCA6D819C2F0BBE8C9F8A | fc0e380447be2bbdf9f06fc3358f8648 | b3236d1d0924cd9a17babd13209fe6706fd3a9228f22fe658eb4eb0c71360b73
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 7631F1DB92E61504596790057CE674EE90570755 | 20d86cb4ebbffb739faa47f7354ee134 | d5f1d8d2629b91744fe812207cb3f0bebfd1aec9937b7744a263d1a4e3421063
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 764ADD69922342B8C4200D64652FBEE1376ADF1C | e175be029dd2b78c059278a567b3ada1 | 2146da9bc0e27d7eb10983b7dd89f250fa0015ce284dde8f0bb6a79626d34a2a
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 7803F160AF428BCFB4B9EA2ABA07886F232CDE4E | b59199877e0d68a5e93fc8ea76374ed1 | 5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 8949C1D82DDA5C2EAD0A73B532C4B2E1FBB58A0E | 23d2592db15c251382706515cf4fd37e | 7e9c0bda27bbc80d947bc0c6ce29a19c824288d2b481f92a1637b7b8dfc8b81c
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 8AA9F5D426428EC360229F4CB9F722388F0E535C | 1a874e5ecd67dffab45e17e9b730daed | 51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | 9700C8A41A929449CFBA6567A648E9C5E4A14E70 | 608b22fcd2d067730176e335d3c6454b | 4fc0bbb90aeecd3229aa932437273ba59f887a6eac569b56693602b957e205e2
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | B54B3C67F1827DAB4CC2B3DE94FF0AF4E5DB3D4C | f611f8b0655a8980cf71a252536c7a5a | 16870c6b572934f5a106d5f632b6d41bb23924c12ddf172be24c6dfca25226b1
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | C671786ABD87D214A28D136B6BAFD4E33EE66951 | 2aa2a6e004159b9e3a590c63a0cc47b3 | ba35aa14ccc0e4fa8e47b621ea1d1efe1b012b623afd469e56015c0857fec646
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | CCB29875222527AF4E58B9DD8994C3C7EF617FD8 | 0be02d5f66f84ebd03f362ad4b4a06e6 | 04819cde7e928e6ff376daeb73b894959f672a85b363753c227416fc0f4a8acd
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | ED14DA9B9075BD3281967033C90886FD7D4F14E5 | acac7584d7dc066d27555997d0f6d6cf | 9c2562e05eb940ae8d73c9baa7cfe85cb3ec619689227f65e4fbeeb3fec598ad
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | F621EC1B363E13DD60474FCFAB374B8570EDE4DE | d824cbf08604dea9724ab8e707bb9fec | 68355d29ce79a5177084fe6292f0f8b9daa2018c571b552fff9f4a0815b432ce
APT29_2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke | FECDBA1D903A51499A3953B4DF1D850FBD5438BD | dffcd7f930f8874dc9f5115d0ae50b57 | 3e889cd495e008760fd12751d6d45cadf8a7280c4545f2ebe469f84b9b77c835
APT29 | APT29_2015-04_Kaspersky_CozyDuke-CozyBear | - | -
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 1A262A7BFECD981D7874633F41EA5DE8_5463.exe_ | 1a262a7bfecd981d7874633f41ea5de8 | 099524703c250d1d1a16288dbd2f425d6cd0491f608e207a82f239b39bb26b7e
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 1A42ACBDB285A7FBA17F95068822EA4E_ativvaxy_cik.dat_ | 1a42acbdb285a7fba17f95068822ea4e | 4464c945c88ac9a4a22e86f0922f18c164e87f26c3f3fa054eb488fdd7d4bfc8
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 2AABD78EF11926D7B562FD0D91E68AD3_ Monkeys.exe_ | 2aabd78ef11926d7b562fd0d91e68ad3 | f9ff78669e4b251ac1e31076eaf420bee6f2060dbc926cc33603f893658ca86c
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 3D3363598F87C78826C859077606E514_ player.exe_ | 3d3363598f87c78826c859077606e514 | 01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 57A1F0658712EE7B3A724B6D07E97259_ _3852.exe__ | 57a1f0658712ee7b3a724b6d07e97259 | bc5625c674f08cca18e73eb661eed0182ef16e27983098cf1c61892ca621d60b
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 57A1F0658712EE7B3A724B6D07E97259_3852.exe_ | 57a1f0658712ee7b3a724b6d07e97259 | bc5625c674f08cca18e73eb661eed0182ef16e27983098cf1c61892ca621d60b
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 6761106F816313394A653DB5172DC487_ amdhcp32.dll__ | 6761106f816313394a653db5172dc487 | 37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 7F6BCA4F08C63E597BED969F5B729C56_ aticalrt.dll_ | 7f6bca4f08c63e597bed969f5b729c56 | 65fa52f632e4e83ff83120c7df6b90291025a76d5daeb183e814ec0b3bd2bd4e
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 83f57f0116a3b3d69ef7b1dbe9943801.dll_ | 83f57f0116a3b3d69ef7b1dbe9943801 | fdd7e8582ef8d7a23f269653435582cfe924ca9b2db34af63af5e57d1f3e09c2
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 8670710bc9477431a01a576b6b5c1b2.dll_ | 8670710bc9477431a01a576b6b5c1b2a | 1233cca912fb61873c7388f299a4a1b78054e681941beb31f0a48f8c6d7a182b
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 90BD910EE161B71C7A37AC642F910059_5463.exe__ | 90bd910ee161b71c7a37ac642f910059 | ff9edb92ee8125519aa1eea60cab9999bcd4caa87b891882caddc73a2a5ae9cf
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 93176DF76E351B3EA829E0E6C6832BDF_ hppscan854.pdf_ | 93176df76e351b3ea829e0e6c6832bdf | 950c8f9dbec3a2a1603f9202408cf49ea5a9573c7296e5940a42581cbd6fc8c2
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 95B3EC0A4E539EFAA1FAA3D4E25D51DE_Office Monkeys (Short Flash Movie).exe_ | 95b3ec0a4e539efaa1faa3d4e25d51de | 7fd72a36f7e0e6e0a8bc777fc9ed41e0a6d5526c98bc95a09e189531cf7e70d5
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 9AD55B83F2EEC0C19873A770B0C86A2F_reader_sl.exe_ | 9ad55b83f2eec0c19873a770b0c86a2f | 7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 9AD55B83F2EEC0C19873A770B0C86A2F_reader_sl.exe__ | 9ad55b83f2eec0c19873a770b0c86a2f | 7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | 9E3F3B5E9ECE79102D257E8CF982E09E_Cache.dl_ | 9e3f3b5e9ece79102d257e8cf982e09e | 8d86c0985530271618a342579afd1a9ecb27dfb080866e3b888bd3e45e1eb8f5
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | A5D6AD8AD82C266FDA96E076335A5080_reader_sl.exe_2 | a5d6ad8ad82c266fda96e076335a5080 | 7ed2d1aceab5f54df4acca63b5d269842d49521e13bab5e652237667c7eef261
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | B5553645FE819A93AAFE2894DA13DAE7_ amd_opencl32.dll_ | b5553645fe819a93aafe2894da13dae7 | 1a7239c006a3adf893bdb5c2300b2964ed8bb454e1b622853e4460707dc63c16
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | D543904651B180FD5E4DC1584E639B5E_3852.ZIP_ | d543904651b180fd5e4dc1584e639b5e | 6a177de940ba477574947ed2d06fd7c08c7baf04b83cb7f3a46e4a93f889bf64
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | D596827D48A3FF836545B3A999F2C3E3_ aticaldd.dll__ | d596827d48a3ff836545b3a999f2c3e3 | 0dc7438be5b21a36651de0a08361b18d76f0920517a7d51f75dc234740f392ca
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | D596827D48A3FF836545B3A999F2C3E3_aticaldd.dll_ | d596827d48a3ff836545b3a999f2c3e3 | 0dc7438be5b21a36651de0a08361b18d76f0920517a7d51f75dc234740f392ca
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | EB22B99D44223866E24872D80A4DDEFD_ reader_sl.exe__ | eb22b99d44223866e24872d80a4ddefd | f722677df4fb7eb4ac986a944d4f6630b91ac22b31f8d39ec9bf941376d5d4db
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | F16DFF8EC8702518471F637EB5313AB2_ hppscan854.exe_ | f16dff8ec8702518471f637eb5313ab2 | 2b160b7eef5ce5fdb83889f96fc40cbbbc7b85450ff2afdf781a8eb5d6a0f541
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | F58A4369B8176EDBDE4396DC977C9008_reader_sl.exe_ | f58a4369b8176edbde4396dc977c9008 | 30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73
APT29_2015-04_Kaspersky_CozyDuke-CozyBear | f2b05e6b01be3b6cb14e9068e7a66fc1.dll_ | f2b05e6b01be3b6cb14e9068e7a66fc1 | 036c5c0075d67f67fee546321f5b9c4f00d37aa9249ffe1627e71946bad4a3d1
APT29 | APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | - | -
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 04299C0B549D4A46154E0A754DDA2BC9E43DFF76 | bfd2d6bf8e99332157a0fe46a4a91c52 | 56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 28D29C702FDF3C16F27B33F3E32687DD82185E8B | 8c9113aec4d0585f2744e2027ef8a03d | 8aba704299ad5f649a48b822f548464a031a9c10fc28683010a5f6329a1bdc77
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 2F53BFCD2016D506674D0A05852318F9E8188EE1 | 07660a9b83b7fbc7ab372a911c69a85b | e1490d6e5ce4c2cddef0815c55bf8946cb830ce0ac7f586cf1ae16ef66f1bd8b
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 317BDE14307D8777D613280546F47DD0CE54F95B | a4f3e00b3da3e9d9382840dfbdbef311 | 5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 476099EA132BF16FA96A5F618CB44F87446E3B02 | 27f3d0556c59e32791567a09236507d9 | b3bf1b4415afcdda6b7fbe07302fab1d865d1dc8fc6b024c98366a633e0612cb
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 4800D67EA326E6D037198ABD3D95F4ED59449313 | 8473fae7fdae7ee5a8b0fb64ebb596c1 | 97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 52D44E936388B77A0AFDB21B099CF83ED6CBAA6F | 72512c49401bd3d04a8ef6c7a6475307 | 0f7d64f514e99a2abdc10dc85e7e6f57c210a0f35472f7b897a19b73be36bece
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 6A3C2AD9919AD09EF6CDFFC80940286814A0AA2C | 50bf9c6de53b7de6906c2d5ed6177c28 | 51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 78FBDFA6BA2B1E3C8537BE48D9EFC0C47F417F3C | f338e21422eca3a52239089f821519d6 | dea20c241265e2995244187c8476570893df41b9623784a4ca6ed075721b8cdf
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | 9F5B46EE0591D3F942CCAA9C950A8BFF94AA7A0F | 97886672cc570ba4a5d6a162e92d0155 | 85c5ba695992ed59269ea7f7a58f3453f6047729d1f68a444d450439bbccc1f4
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | BFE26837DA22F21451F0416AA9D241F98FF1C0F8 | 837b522730ff896435682b36f7b27a3e | 12f58639a883b0fcfe3d2e8bcb0330b978731975c9dfa2f8e583adbafc4d534e
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | C16529DBC2987BE3AC628B9B413106E5749999ED | e163d9a91f97f133b0e3f2bbe4dc226a | d4d79be85dc98f74088d6393a8fdf2b5d947ae4f279909af2aed0221dcecfe94
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | CC15924D37E36060FAA405E5FA8F6CA15A3CACE2 | b0a9a175e2407352214b2d005253bc0c | 6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | DEA6E89E36CF5A4A216E324983CC0B8F6C58EAA8 | 4d3a94134aaf590ae8ece0a57257e129 | 80cb4007b9756246404c260bc69abf5d4938a1cc217d40ecbfdd6171b02b9e24
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | E33E6346DA14931735E73F544949A57377C6B4A0 | e268e5c53da8361d4f7b6a884d7dfc8a | bc207257bb88e323c57360a06895a45c29d15ad91c803b2af6132d8be620569a
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | ED0CF362C0A9DE96CE49C841AA55997B4777B326 | 856b224da7525ea5192efbef7a9b8112 | bfc1bafd9b01178037226fa55546d7ed7e9203c13e1b66419e887fee704d5196
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | F54F4E46F5F933A96650CA5123A4C41E115A9F61 | ffb407dc2b20357302a4550a73f6c342 | ecd0ce1973500c27bb5d70f326d115fba84c0b1680a726a041ed57b42063e7b1
APT29_2015-07_FSecure_Duke APT Groups Latest Tools Cloud Services and Linux Support | F97C5E8D018207B1D546501FE2036ADFBF774CFD | b8690064dc61333c591252c4204fbbb3 | c3ea57eea9f522cfc70ef8c3b614f7e44903293a2e8354359b99efbf4cd436df
APT29 | APT29_2015-07_Fireeye_Hammertoss_Stealthy_tactics_define_Russian_Cyber | - | -
APT29_2015-07_Fireeye_Hammertoss_Stealthy_tactics_define_Russian_Cyber | 42e6da9a08802b5ce5d1f754d4567665637b47bc_WerMgr.ex_ | d3109c83e07dd5d7fe032dc80c581d08 | 8995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96
APT29 | APT29_2015-07_Kaspersky_Minidionis one more APT with a usage of cloud drives | - | -
APT29_2015-07_Kaspersky_Minidionis one more APT with a usage of cloud drives | 6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720 (1) | b0a9a175e2407352214b2d005253bc0c | 6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720
APT29 | APT29_2015-07_PaloAlto_Tracking_MiniDionis | - | -
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 10B31A17449705BE20890DDD8AD97A2FEB093674 | 3a04a5d7ed785daa16f4ebfd3acf0867 | ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 38DD05B9CC892491347F4347870A6B77D9AEA856 | 4cbd9a0832dcf23867b092de37c10d9d | 2a36823323b857921d056c0161fc15d47f29b7513443346a0aeb537cbf437f0d
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 44403A3E51E337C1372B0BECDAB74313125452C7 | e00bf9b8261410744c10ae3fe2ce9049 | 56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 47F26990D063C947DEBBDE0E10BD267FB0F32719 | 42ffc84c6381a18b1f6d000b94c74b09 | c1ee4232d1b6504fc7f93cb0478e90049a71992498ed2d701925d852e91cfcc3
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 4F977DEBAA25925E82F254080E8F7C42B70CB669 | 030da7510113c28ee68df8a19c643bb0 | 7b3e344ea44a9b5fdcee89818435d377b4413e704f8c2ef5522a0255bd4eca74
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 5367186E3AA9B2B178BA82922C88AF538D61A99A | 01039a95e0a14767784acc8f07035935 | c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 5875E9E27607AAB5D39E312CD141D8941B077462 | 98613ecb3afde5fc48ca4204f8363f1d | 7f8d8992dda6a48c54234e76cf0a0f445842aea1cd91d3252185c7b436e51cde
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 6C95CDBE7D3C65104ABD0912AA7DC99099887030 | 2e64131c0426a18c1c363ec69ae6b5f2 | 26fdc7682cf367d4d1e635a40beab0762cee43978a0f86867be03aab81244107
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 71031EBB535923722C8FCFDCBA127E4FDEF24F49 | e07ef8ffe965ec8b72041ddf9527cac4 | 502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 7B8851F98F765038F275489C69A485E1BED4F82D | a9c045c401afb9766e2ca838dc6f47a4 | d3d503934c0dfe75e386d0fb8da2e32238d93739624b6c5a929fe5b722b35d36
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 84BA6B6A0A3999C0932F35298948F149EE05BC02 | 70f5574e4e7ad360f4f5c2117a7a1ca7 | a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 890B943BA5C43B74AD2965874A21C7EF4BA896FF | 0f9534b63cb7af1e3aa34839d7d6e632 | 08b410d359ec2d6cab73bd6c0be138d9bdc475e3f63fec65794a74e5d5958b3b
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 910DFE45905B63C12C6F93193F5DC08F5B012BC3 | 9018fa0826f237342471895f315dbf39 | ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 9EAE02E8D4BC405AFD78DD364E96650F3608BF3B | c8b49b42e6ebb6b977ce7001b6bd96c8 | 93ecd67c6102802e2e058eac512a2c75434912c28dc2eae6c108451272008bc5
APT29_2015-07_PaloAlto_Tracking_MiniDionis | 9EEF49FC724B9F40BE795A80BC6363EB0C6B6DD6 | 51ea28f4f3fa794d5b207475897b1eef | ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f
APT29_2015-07_PaloAlto_Tracking_MiniDionis | CC15924D37E36060FAA405E5FA8F6CA15A3CACE2 | b0a9a175e2407352214b2d005253bc0c | 6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720
APT29_2015-07_PaloAlto_Tracking_MiniDionis | D7F7AEF824265136AD077AE4F874D265AE45A6B0 | 3195110045f64a3c83fc3e043c46d253 | 88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f
APT29_2015-07_PaloAlto_Tracking_MiniDionis | F19873B6D0DB1D2DDE9134D69F5E2D5F6B939AA7 | 719cf63a3922953ceaca6fb4dbed6584 | a544aa392c1f519aebdb2a7b6dc23290082b7f7103c7e3022af35dfd6bc10dde
APT29 | APT29_2015-07_Palo_Alto_Unit 42 Technical Analysis Seaduke | - | -
APT29_2015-07_Palo_Alto_Unit 42 Technical Analysis Seaduke | BB71254FBD41855E8E70F05231CE77FEE6F00388_LogonUI.exe_ | a25ec7749b2de12c2a86167afa88a4dd | 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d
APT29 | APT29_2015-07_Symantec_Seaduke latest weapon in the Duke armory | - | -
APT29 | APT29_2015-08_Prevenity Stealing data from public institutions | - | -
APT29_2015-08_Prevenity Stealing data from public institutions | F1F1ACE3906080CEF52CA4948185B665D1D7B13E_RD RCB 11.06.docx_ | 84137c8e7509a0e9cf7ff71ba060cdb5 | e745fc57f816b2b507406ce1c0ec47f8f84d8f5efeaf327c657723c897522c83
APT29 | APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionage | - | -
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionage | CloudDuke | - | -
CloudDuke | 04299C0B549D4A46154E0A754DDA2BC9E43DFF76 | bfd2d6bf8e99332157a0fe46a4a91c52 | 56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198
CloudDuke | 10B31A17449705BE20890DDD8AD97A2FEB093674 | 3a04a5d7ed785daa16f4ebfd3acf0867 | ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145
CloudDuke | 2E27C59F0CF0DBF81466CC63D87D421B33843E87 | 964e4b516d72b7717aabb71ad7cc7bf6 | 1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7
CloudDuke | 2F53BFCD2016D506674D0A05852318F9E8188EE1 | 07660a9b83b7fbc7ab372a911c69a85b | e1490d6e5ce4c2cddef0815c55bf8946cb830ce0ac7f586cf1ae16ef66f1bd8b
CloudDuke | 317BDE14307D8777D613280546F47DD0CE54F95B | a4f3e00b3da3e9d9382840dfbdbef311 | 5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48
CloudDuke | 44403A3E51E337C1372B0BECDAB74313125452C7 | e00bf9b8261410744c10ae3fe2ce9049 | 56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e
CloudDuke | 47F26990D063C947DEBBDE0E10BD267FB0F32719 | 42ffc84c6381a18b1f6d000b94c74b09 | c1ee4232d1b6504fc7f93cb0478e90049a71992498ed2d701925d852e91cfcc3
CloudDuke | 4800D67EA326E6D037198ABD3D95F4ED59449313 | 8473fae7fdae7ee5a8b0fb64ebb596c1 | 97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7
CloudDuke | 52D44E936388B77A0AFDB21B099CF83ED6CBAA6F | 72512c49401bd3d04a8ef6c7a6475307 | 0f7d64f514e99a2abdc10dc85e7e6f57c210a0f35472f7b897a19b73be36bece
CloudDuke | 6A3C2AD9919AD09EF6CDFFC80940286814A0AA2C | 50bf9c6de53b7de6906c2d5ed6177c28 | 51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57
CloudDuke | 7B8851F98F765038F275489C69A485E1BED4F82D | a9c045c401afb9766e2ca838dc6f47a4 | d3d503934c0dfe75e386d0fb8da2e32238d93739624b6c5a929fe5b722b35d36
CloudDuke | 84BA6B6A0A3999C0932F35298948F149EE05BC02 | 70f5574e4e7ad360f4f5c2117a7a1ca7 | a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004
CloudDuke | 910DFE45905B63C12C6F93193F5DC08F5B012BC3 | 9018fa0826f237342471895f315dbf39 | ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46
CloudDuke | 9F5B46EE0591D3F942CCAA9C950A8BFF94AA7A0F | 97886672cc570ba4a5d6a162e92d0155 | 85c5ba695992ed59269ea7f7a58f3453f6047729d1f68a444d450439bbccc1f4
CloudDuke | BFE26837DA22F21451F0416AA9D241F98FF1C0F8 | 837b522730ff896435682b36f7b27a3e | 12f58639a883b0fcfe3d2e8bcb0330b978731975c9dfa2f8e583adbafc4d534e
CloudDuke | C16529DBC2987BE3AC628B9B413106E5749999ED | e163d9a91f97f133b0e3f2bbe4dc226a | d4d79be85dc98f74088d6393a8fdf2b5d947ae4f279909af2aed0221dcecfe94
CloudDuke | CC15924D37E36060FAA405E5FA8F6CA15A3CACE2 | b0a9a175e2407352214b2d005253bc0c | 6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720
CloudDuke | D7F7AEF824265136AD077AE4F874D265AE45A6B0 | 3195110045f64a3c83fc3e043c46d253 | 88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f
CloudDuke | DEA6E89E36CF5A4A216E324983CC0B8F6C58EAA8 | 4d3a94134aaf590ae8ece0a57257e129 | 80cb4007b9756246404c260bc69abf5d4938a1cc217d40ecbfdd6171b02b9e24
CloudDuke | ED0CF362C0A9DE96CE49C841AA55997B4777B326 | 856b224da7525ea5192efbef7a9b8112 | bfc1bafd9b01178037226fa55546d7ed7e9203c13e1b66419e887fee704d5196
CloudDuke | F54F4E46F5F933A96650CA5123A4C41E115A9F61 | ffb407dc2b20357302a4550a73f6c342 | ecd0ce1973500c27bb5d70f326d115fba84c0b1680a726a041ed57b42063e7b1
CloudDuke | F97C5E8D018207B1D546501FE2036ADFBF774CFD | b8690064dc61333c591252c4204fbbb3 | c3ea57eea9f522cfc70ef8c3b614f7e44903293a2e8354359b99efbf4cd436df
CloudDuke | FE33B9F95DB53C0096AE9FB9672F9C7C32D22ACF | 4f148ffeac50df60f9f9015b909d8ed0 | 6c7e768e48b9b225b7b9f84528c53c2e6f9b639ce2e7919fe0dff9aad07ea4f5
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionage | CosmicDuke | - | -
CosmicDuke | 01E5080B832C6E4FCB7B9D06CAFFE03DAB8D95DA | a4008cf300fd22f470c38489da9e25cf | aecb468db5cebcfa25deadeb3b12fbc48b05a485b44deb500b4002521bc3e685
CosmicDuke | 02F55947402689EC755356AB6B0345A592446DA7 | cb8624999aa959b873e9bdb60ee65c0f | 187b1cc7264c04c3158f835546cad0be74e6411bb50cb8899179a71018f0b4b9
CosmicDuke | 03C5690728B7DFFB2F4AB947FE390264751428AA | 3a2ba475bf6a60dbe3ed59330c53c3f7 | 246543cc4a538472bed0626c159715a963e39dfc69d79f60c3ab227c62277016
CosmicDuke | 0653A8F06B140F4FAC44ACB3BE723D7BB2602558 | 5dabff44971cc53bef7d8e17e85dda73 | 7c14761d20617ab7f408d6c63367f16026377d7c13f3e3c67525e034fc0c6d7c
CosmicDuke | 0BC8485CE6C24BB888E2329D479C9B7303BB98B4 | 8988f29396515f47de0457f9daa1dd62 | dad4c4aea24f2bd3e2f4b93bf782ebef70e8fdf930aff25a3e1b85a717314aa0
CosmicDuke | 0C8DB6542172DE98FA16C9BACFEF9ED4099FD872 | 91a50a90cb31fad48908d5c6294e92ba | ccd3c69710977360459c0d2539d5e7e7defce097bcfee3ae62e564de7c938f17
CosmicDuke | 0D8F41FE09DBD75AB953F9E64A6CDBBBC198BF2B | 0ee0f7fd55843d1ef7c9d6396bbcb99b | a8200a476f72ef77f4cd6bd71ebae9f473e923b140600b9da0bbaf1f22e1cecb
CosmicDuke | 0E5F55676E01D8E41D77CDC43489DA8381B68086 | dc6cc442c0900104a5601a6049354fad | 41d63d293a6e2722fcf82f8bf67b8f566bd4d3f669ede146ccc286f0228d8f62
CosmicDuke | 0FF7CE34841C03C876B141C1F46D0FF2519889CC | fa52383868abf82d027b971e799a599a | a31551902d2cbb7110a9f5f04bfba7269410850155dc6163c7bf8cad171ed68c
CosmicDuke | 11B5CFB37EFB45D2C721CBF20CAB7C1F5C1AA44B | 51a96f279e790d2f861bb0ff843a7328 | 620da58f80640661ccec202a3b20f138b8a0c9f374fb1fb5525dd3fe00ac5a8c
CosmicDuke | 151362502D569B16453E84A2F5D277D8E4E878C2 | 685d678b3ffd72fce3f8b48d82a76f60 | 70a7248b90573ba2edde5d9e8f0acd478235054480d98b0531d85725555f3a5c
CosmicDuke | 174373AB44CF6E7355F9DBB8469453519CB61A44 | 78c6245367e6ef00ca76b8106eb73816 | 1dbb96c130b12eacfe2956b536ca8e8ef59691f513816011866320e0e77daab2
CosmicDuke | 18D983BA09DA695CE704AB8093296366B543996A | 9dc3d5da2f68b4ed9336c5b78b955780 | 05637ef950feaeb0944d9fccca38eeff38e366c24a137ef08c9f1442aeb6afb7
CosmicDuke | 1A31245E943B131D81375D70B489D8E4BF3D6DCE | cce1577e03093dcf195449d208e544d7 | 0314ed09890d5aa2dba659fe1343be93d48c3875a89e261484967fea7ea6c7eb
CosmicDuke | 1CE049522C4DF595A1C4C9E9CA24BE72DC5C6B28 | 1270217794b67491365048584a27a5ed | 0a013787f9c1731213059f2d8e1a7514f610783aaaea8fa5736063ab7793c0d7
CosmicDuke | 1DF78A1DC0AA3382FCC6FAC172B70AAFD0ED8D3D | 39e1b41b4118f4ea3ce2119c054b29e8 | 52d1b5387739dcf6a68efb21e8ccf83b9b29fb29724091d7a8084d2315f81d80
CosmicDuke | 1E5C6D3F64295CB36D364F7FA183177A3F5E6B7E | 868915de8b23cfc87765525efbdb4fa0 | 1c86bcc74684c2533026a8b4d9463ad4b5a1f30f6915ca19197b41e0cb893b77
CosmicDuke | 2345CD5C112E55BA631DAC539C8EFAB850C536B2 | 0b78ad10bb56a3f69f13297e427806cf | 2c480399bff7d05736caa1858fd43d9223df3fd531ae574dc3c9eb06cc3579ef
CosmicDuke | 2B1E7D54723CF9EE2FD133B8F17FA99470D7A51A | 2c6a49568e1733b66ef9dd2fa659aedb | 182ab7eb1dce2827a05aff0d83a13dd8346bd3b8ab2dfb681817a0d3aab05b15
CosmicDuke | 322E042CF1CB43A8072C4A4CBF6E37004A88D6F7 | b5304f94cd5baae6fb5dad19c2759d2c | 55ba0c04d488903e07f0747407ed56319f0d9aac113c7f9c62287442f1f78c45
CosmicDuke | 332AAC7BDB0F697FD96E35C31C54D15E548061F4 | dee4b9c620a390be143a79f555225c85 | ffc6a96b542196dbe322de199ee7b2621966d4c0d32ab43f78b9516a3576da09
CosmicDuke | 365F61C7886CA82BFDF8EE19CE0F92C4F7D0901E | 0295fb28f715a19e2b0c497b5dd55629 | cae1277446cb62f1ed3674e7ea87063a28b9d364e3638fa779fe8e3d6e1fb15f
CosmicDuke | 3980F0E3FE80B2E7378325AB64ECBE725AE5ECA9 | 52c73a7801a186077ed27a4cb7c7f887 | 2e8aa9dac584a51c7d960baccf76747c858175573f5c013b7c44328f0871da04
CosmicDuke | 3F4A5BF72A15B7A8638655B24EB3359E229B9AEA | 8019dea970331823a504baaa90d3470f | 82670519b8d63d36967c611bc94659e5bff867837129ac93bcffe7589af46384
CosmicDuke | 42DBFB EDD813E6DBEA1398323F085A88FA014293 | 933b3c5d3728ef6e08af4ae579c00d11 | 47f3405ab0da5af125bcc6ebb6d17a1573b090c54d7a0a00630ec170ccc4b9d1
CosmicDuke | 4A9875F646C5410F8317191EF2A91F934CE76F57 | 68f6d84ac9a28c2fea59ff5e04577911 | 5ef73d904cf5dcbec5919fba0b640168d6feb8f7021507568297e3da1a7e47a5
CosmicDuke | 4AAAC99607013B21863728B9453E4FFEE67B902E | d22c02dafb1ee0ef8d4ea90ac48a6988 | f61cdc7f68f47d23c4571b517ab4cdcfd984cf3f6f8f91dec99dfd7dc5a2dcff
CosmicDuke | 4E3C9D7EB8302739E6931A3B5B605EFE8F211E51 | 9d95c8f09f991a5fc37b79c45ebd2043 | 3c5d2fcacafc21d9f43c595ddf03bec801ccb958b8641018612c21bc741800d0
CosmicDuke | 4FBC518DF60DF395EA27224CB85C4DA2FF327E98 | ad02edae5173d0b7ba39a3065c9d5d63 | b7c4b998d7ebea62b81f2a12c5e8608a21079a0bcecdef81c0f5818a80b0c7eb
CosmicDuke | 4FD46C30FB1B6F5431C12A38430D684ED1FF5A75 | 75d15f552aba5ed0df80ec2c16ab683e | a1176b60ca96cfeb37dde61bde935f645a64fabd8e300f072fc355434b711dcf
CosmicDuke | 524AAF596DC12B1BB479CD69C620914FD4C3F9C9 | 3c0ca0ab63a76dbf836725c95e2a5b7a | 75e8567e7667eb02eec661134ecc07a7970d9448fc5b7dc021b5bcb039953a47
CosmicDuke | 541816260C71535CFEBC743B9E2770A3A601ACDF | 6629b432266d78f9eb74d2d1a71d0d32 | 831267e0977becf098b5064aac6fd39b5f8e6fd975c06d4b8540cea71d402317
CosmicDuke | 558F1D400BE521F8286B6A51F56D362D64278132 | 5400d3db044befebbc39087ee1fe9533 | fede980fc70a86f949828b834edc0847490d497efcbd3a1155b7d3afe7c32543
CosmicDuke | 55F83FF166AB8978D6CE38E80FDE858CF29E660B | 8e5106565fd96df1308d208d1e3426a3 | 7e371cd323898e403df7a80add34d791e160e443bcd2d02f27ddc0c04ba1bdab
CosmicDuke | 580ECA9E36DCD1A2DEB9075BCAE90AFEE46AACE2 | 351c913e4120081d8f04317121654a39 | 1590bdbaff2c178387e924b689b030057b4cbd2865e9c4dd3886a8791ac8e4ee
CosmicDuke | 5A199A75411047903B7BA7851BF705EC545F6DA9 | f22606385080d35551e7f8e8f49b7de9 | fe5bc1248fc79fc15663ef169f0a269c1abe847d00b01e9571fe5c0d760d68f0
CosmicDuke | 5C5EC0B5112A74A95EDC23EF093792EB3698320E | 3729a14be6b3a92265cf6d8e14c79abe | 64e3a2bba82027dd6ff631fa5890a7ba8331b62a0a4c0b1ca24d143c2b61c323
CosmicDuke | 63AEDCD38FE947404DDA4FBADDB1DA539D632417 | 89c6c5439a2747d7f2a7305521dddcbb | 027c9da59c77e83b42535a0c965c4994a144715e796453fc2a5b189f0036c4b4
CosmicDuke | 6483ED51BD244C7B2CF97DB62602B19C27FA3059 | 1e417aa350346731f6e0c936d725f1a5 | 8290b324f5cdb5c3ea17fa48a74bc11c856f0da0b049d07d9316d161f71f26a5
CosmicDuke | 658DB78C0CE62E08E86B51988A222B5FB5FBB913 | 18edd6bc785e56990f6721cd553c24ad | 38c0252f75b1c6b3980e40bb69cb932773a6e0b189fc8a80efc2dcb455209eab
CosmicDuke | 6A43ADA6A3741892B56B0EF38CDF48DF1ACE236D | dc92eba92885f2e937cb6f694647eb71 | 3d37e753812687fb7287cf8644d13fe2673ea7c3b540637c1ce1c6819f1c521b
CosmicDuke | 6B7A4CCD5A411C03E3F1E86F86B273965991EB85 | cd012e8f5340d2e148d2c2cbac4270a1 | 92172ff7bfeee332409a145bc626bebf732225d006877168f35c046368e5118c
CosmicDuke | 6DB1151EEB4339FC72D6D094E2D6C2572DE89470 | 5a7659b691a3caf107e6636d8906dcb0 | 334ed05005ce829224d0dd4cc5baab6b837cf02ac0e321c8f97d11b3ba1c77a7
CosmicDuke | 7631F1DB92E61504596790057CE674EE90570755 | 20d86cb4ebbffb739faa47f7354ee134 | d5f1d8d2629b91744fe812207cb3f0bebfd1aec9937b7744a263d1a4e3421063
CosmicDuke | 764ADD69922342B8C4200D64652FBEE1376ADF1C | e175be029dd2b78c059278a567b3ada1 | 2146da9bc0e27d7eb10983b7dd89f250fa0015ce284dde8f0bb6a79626d34a2a
CosmicDuke | 7803F160AF428BCFB4B9EA2ABA07886F232CDE4E | b59199877e0d68a5e93fc8ea76374ed1 | 5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637
CosmicDuke | 78D1C1E11EBAE22849BCCB3EB154EC986D992364 | 23273a83bfd7aed10b9403e23a8bcba9 | f6c62f9f846b3d100d60b1f2ae57a71c91dd8dc215dce652e2c85dff60c0197f
CosmicDuke | 7AD1BEF0BA61DBED98D76D4207676D08C893FC13 | 925b37a936304a5914941ac4584e346c | 29585bb17b28e8b15b2a250be9516f416fa7cac84cc24aa4e004f6987323147e
CosmicDuke | 807C3DB7385972A78B6D217A379DAB67E68A3CF5 | fa3b44b8a4a2a2b473cd5d934d1ec4bc | 1c348f1582385bfbf030abe20caabbd289d0f48a4076b1b6ccc417864070e9fe
CosmicDuke | 88B7EAD7C0BF8B3D8A54B4A9C8871F44D1577CE7 | 664b149ae8469cbda7fd7ed48c7dc9b6 | 4f9b6a88245f782d81e9eec9315b9444c83d68941f9fc23641e3909c8da9db9d
CosmicDuke | 8A2227CAFA5713297313844344D6B6D9E0885093 | 2a998ce2750335079d73e6b2eb2bd011 | 008beba8635e24baa50beee2e98654f73c04476a06fdcb893655f0a8201932d2
CosmicDuke | 8AA9F5D426428EC360229F4CB9F722388F0E535C | 1a874e5ecd67dffab45e17e9b730daed | 51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163
CosmicDuke | 8AB7F806FA18DD9A9C2DC43DB0AD3EE79060B6E8 | d729fbb50665932fe529f7073acca9c1 | 9ce93f04dbb6a3b833f1146a54dadfdc224fdf24e3cca1f8a1eb4e902d597ff6
CosmicDuke | 8F4138E9588EF329B5CF5BC945DEE4AD9FEC1DFF | 50a56d98be79a1e6f04a1964e170a5d7 | 1005b40f977b92cbc01b7a66558ff0621cbaf36f7b4b2ab2ca3c3a267891bc8d
CosmicDuke | 9090DE286CE9126E8E9C1C3A175A70AB4656CA09 | baffad69d3ce95853a6db80711b74a38 | cb0d78c79ad46c04e7ab66ca95588db8ccde4d2710a171585b0276736aa4e059
CosmicDuke | 91FD13A6B44E99F7235697AB5FE520D540279741 | d34c6d5875f5d2aab929d1f7ce968860 | 0dc70c0f2ed18c813a89c59686f375787ba683b549b1e6bb9aee6ca33be64bfb
CosmicDuke | 926046F0C727358D1A6FBDD6FF3E28BC67D5E2F6 | 2bd46a980dde8eaa13e3defffb87e1e0 | f6af08e31471c98adcc26f9916e26d41aa0c47ff94949d3174d55c320032be26
CosmicDuke | 9700C8A41A929449CFBA6567A648E9C5E4A14E70 | 608b22fcd2d067730176e335d3c6454b | 4fc0bbb90aeecd3229aa932437273ba59f887a6eac569b56693602b957e205e2
CosmicDuke | 97C62E04B0CE401BD338224CDD58F5943F47C8DE | 37c394e3e15d211a050446bc90edac94 | ec49400e70c02a884a5df74ca99690886ec2d528e200c42dbdf057fd9b7f87f8
CosmicDuke | A2ED0EAAEADAA90D25F8B1DA23033593BB76598E | cf2041ddfdc177b863a23ab7ade78043 | 4e9942bddfeb3369897c58d9b8fe2478c1df96e5b13733bfb24d975282685c29
CosmicDuke | A421E0758F1007527FEC4D72FA2668DA340554C9 | 75c97ca9b085411af1860523c3c884b5 | 85d75a3eddc2f849e1dee40b47629ea0d1e3a1da6ba3cd9078177bb61a63f4fd
CosmicDuke | A74ECEEA45207A6B46F461D436B73314B2065756 | 704381812f4cc3c5b3875ea33232c842 | a7b230593aa43c701c30862d3054b4510ed1dea1fd5f219b1c3bc11321bab73b
CosmicDuke | A7819C06746AE8D1E5D5111B1CA711DB0C8D923E | d47b25667effc0f88ab460c6edeecc55 | 30b24935c8537c51ce56a69510019d8481ac78e6c5ccdbe792c625c69c5358f9
CosmicDuke | A81B58B2171C6A728039DC493FAAF2CAB7D146A5 | 35c6928790ce08309af997654ed6d719 | 7d9296ac474b991780b41f654b557e01ba93ae932ba717146e60c1b9ed579539
CosmicDuke | B2A951C5B2613ABDB9174678F43A579592B0ABC9 | b2737204531a80c31bb30e9be9a1cc4c | 7c2bb277e3a982e9e2f76da2c96119514dde4f3e36b16eca5994be5f28bd0029
CosmicDuke | B54B3C67F1827DAB4CC2B3DE94FF0AF4E5DB3D4C | f611f8b0655a8980cf71a252536c7a5a | 16870c6b572934f5a106d5f632b6d41bb23924c12ddf172be24c6dfca25226b1
CosmicDuke | B579845C223331FEA9DFD674517FA4633082970E | 2337a4fa99547eb0cf7600601ab44dda | 73aac0b568f83746c9a54a2a6fdd2984c3e6f8d0c77a681c219abb9480859197
CosmicDuke | BBE24AA5E554002F8FD092FC5AF7747931307A15 | 26e8b95dfbc6a8aafe40ab84b1d2ab5e | 910a016a7b6e0a76bc7ddf12f9135090e0b23d00c382d70084b46bea4bbbcae7
CosmicDuke | C2B5AFF3435A7241637F288FEDEF722541C4DAD8 | 345adb4594e3a2b02041c7e2b5fde46b | bf012045464ba2aadc1547940eb3ce262d0e023c2198c134dee658c859ecd8ab
CosmicDuke | C637A9C3FB08879E0F54230BD8DCA81DEB6E1BCF | bc304fb92a79bab73b75772427d14ffa | 4203168c1bad752af7f39f8fa8eae4e8a5e41f39892abffa804d52a008e2dfd7
CosmicDuke | CBCA642ACDB9F6DF1B3EFEF0AF8E675E32BD71D1 | 9003e1d69cd29280d2233c1634370c60 | a38e41831d495ceb07dd232506447c62203ab05fe9e15e2b2a6a74aa9b0b0e96
CosmicDuke | CCB29875222527AF4E58B9DD8994C3C7EF617FD8 | 0be02d5f66f84ebd03f362ad4b4a06e6 | 04819cde7e928e6ff376daeb73b894959f672a85b363753c227416fc0f4a8acd
CosmicDuke | CD7116FC6A5FA170690590E161C7589D502BD6A7 | 37369a91ad462f1fac9004f3a86bb3ac | 4bc8280a99d07165055fabed11049d8da275f27f5d8cffc4ed10a68be2d0cb84
CosmicDuke | D303A6DDD63CE993A8432F4DAAB5132732748843 | 3adea70969f52d365c119b3d25619de9 | c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665
CosmicDuke | E60D36EFD6B307BEF4F18E31E7932A711106CD44 | 61c6d0076ee4187f9ec31841aa645d42 | 2eafc64769c500d635b7225c9b1411db8f50db8618e4d5807e1640b641a2f5ee
CosmicDuke | E841CA216CE4EE9E967FFFF9B059D31CCBF126BD | f239e79e87f09000c247ff7e91ab9603 | 6322e8bbb5a7cc542a7da0fb33a60fc7443bcbd8601b828c9c7f138c71cce090
CosmicDuke | ECD2FEB0AFD5614D7575598C63D9B0146A67ECAA | edf7a81dab0bf0520bfb8204a010b730 | bd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300
CosmicDuke | ED14DA9B9075BD3281967033C90886FD7D4F14E5 | acac7584d7dc066d27555997d0f6d6cf | 9c2562e05eb940ae8d73c9baa7cfe85cb3ec619689227f65e4fbeeb3fec598ad
CosmicDuke | ED328E83CDA3CDF75FF68372D69BCBACFE2C9C5E | f5cc1c0c90fb89e4b4fc048c5a03b46f | 43bcee4067c067d9063ddfc101fc8b5a6e8d42184ef8b0fdd9bb14102cb9973d
CosmicDuke | F621EC1B363E13DD60474FCFAB374B8570EDE4DE | d824cbf08604dea9724ab8e707bb9fec | 68355d29ce79a5177084fe6292f0f8b9daa2018c571b552fff9f4a0815b432ce
CosmicDuke | FBF290F6ADAD79AE9628EC6D5703E5FFB86CF8F1 | 5080bc705217c614b9cbf67a679979a8 | f21794d0b0938643e2aabe9f2ed762528e631a2ebda76020d0b59ce91fb51e41
CosmicDuke | FECDBA1D903A51499A3953B4DF1D850FBD5438BD | dffcd7f930f8874dc9f5115d0ae50b57 | 3e889cd495e008760fd12751d6d45cadf8a7280c4545f2ebe469f84b9b77c835
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionage | CozyDuke | - | -
CozyDuke | 01D3973E1BB46E2B75034736991C567862A11263 | 5b4250a6bb4c6915ce962d489ee912d6 | 637cabc343e3ed5b447dccb13aa7caf4d3a3eb3cd617d360167f270ec34596ea
CozyDuke | 04AEFBF1527536159D72D20DEA907CBD080793E3 | 1a42acbdb285a7fba17f95068822ea4e | 4464c945c88ac9a4a22e86f0922f18c164e87f26c3f3fa054eb488fdd7d4bfc8
CozyDuke | 0E020C03FFFABC6D20ECA67F559C46B4939BB4F4 | 83f57f0116a3b3d69ef7b1dbe9943801 | fdd7e8582ef8d7a23f269653435582cfe924ca9b2db34af63af5e57d1f3e09c2
CozyDuke | 1E5F6A5624A9E5472D547B8AA54C6D146813F91D | bd52b2a371ff397c90b891b7a4f04c66 | b9c996b06e0db273a4edede3fd6fda2b40b2e0201eba3e8ac581d802fc610a4a
CozyDuke | 207BE5648C0A2E48BE98DC4DC1D5D16944189219 | 14d779777af6eb7c556ae338b462c48d | b9ea2cc39808780ade1fe51287072e958448be7e3a7b32bfd48438453592018c
CozyDuke | 23E20C523B9970686D913360D438C88E6067C157 | f0a6436ffee12558a434a0fc24b3b33f | 5f827730c7bd155997121f023ca9775077a37a58111738fcb3213757170bd860
CozyDuke | 25B6C73124F11F70474F2687AD1DE407343AC025 | 6332176672744320e9fee2117b059193 | d469000ca9e6af92876334e3a460ea4ac8a61c1a6ee819eefbfd0c79ea4fb315
CozyDuke | 32B0C8C46F8BAABA0159967C5602F58DD73EBDE9 | 0e0182694c381f8b68afc5f3ff4c4653 | c1b19af1e354f13c90163780be6ad50f02d5bf8bac1c9cc1eab1377a159de1be
CozyDuke | 446DAABB7AC2B9F11DC1267FBD192628CC2BAC19 | 91aaf47843a34a9d8d1bb715a6d4acec | dc70d3046b59785b2b9b7091e26f2484ba7a488dba420a8a05be388a337c399e
CozyDuke | 482D1624F9450CA1C99926CEEC2606260E7CE544 | fd8e27f820bdbdf6cb80a46c67fd978a | f7f4d18dbc0b822b89ba14ffea24114f92b593be0f287f300bb269b310883039
CozyDuke49FB759D133EEAAB3FCC78CEC64418E44ED649AB08709ef0e3d467ce843af4deb77d74d5bc7bcb663477238508ce8ad366cc9a77811c7f5eabaec47175858fe972639f40
CozyDuke5150174A4D5E5BB0BCCC568E82DBB864064875102ef51f1ca11ce73fa20b54a5886ad1dd89996b66d5a339939b2072d29675ec3ca6d793f42a5d335a8ea7dab8773321ef
CozyDuke543783DF44459A3878AD00ECAE47FF077F5EFD7Bd5a82520ebf38a0c595367ff0ca89fae70ae2363191e8b20d1773ecc73afc2b9a5dd8247c7b97eecfd1378f3e7aabf92
CozyDuke6B0721A9CED806076F84E828D9C65504A77D106C57a1f0658712ee7b3a724b6d07e97259bc5625c674f08cca18e73eb661eed0182ef16e27983098cf1c61892ca621d60b
CozyDuke6E00B86A2480ABC6DBD971C0BF6495D81ED1B629556b9eca4a85f52e2f3176c306e1866112e1139ef422c2c0884fb5b1786a8489c1769a96880a30406e4a28b76ea4a73a
CozyDuke78E9960CC5819583FB98FB619B33BFF7768EE861181a88c911b10d0fcb4682ae552c0de3a5373b33ac970dedeb52528b123959145bf51c95b159a30a7823ad8018ac4b41
CozyDuke7E9EB570EF07B793828C28CA3F84177E1AB76E14ac7a22d1af180c21b0061b8d512586d3f6d52c5608931cdf66d71502fcf012b6781edde64ba1f956c1868f7e36d8c8d2
CozyDuke8099A40B9EF478EE50C466EB65FE71B247FCF0148670710bc9477431a01a576b6b5c1b2a1233cca912fb61873c7388f299a4a1b78054e681941beb31f0a48f8c6d7a182b
CozyDuke87668D14910C1E1BB8BBEA0C6363F76E664DCD09f58a4369b8176edbde4396dc977c900830c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73
CozyDuke8B357FF017DF3ED882B278D0DBBDF129235D123D3d3363598f87c78826c859077606e51401468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
CozyDuke8C3ED0BBDC77AEC299C77F666C21659840F5CE23e8510a7ae4919a3fcedad985fbbca35218c0b02776487babbf6219cdaf97cbf2b534e0cf87a527228dda2d4a468a257f
CozyDuke93D53BE2C3E7961BC01E0BFA5065A2390305268C90bd910ee161b71c7a37ac642f910059ff9edb92ee8125519aa1eea60cab9999bcd4caa87b891882caddc73a2a5ae9cf
CozyDuke93EE1C714FAD9CC1BF2CBA19F3DE9D1E83C665E2f02da961eb7b87b41aee5fd9537022f0ac4ffc7a2ba8840a20f6b07aa44328f1802b79ced6a56b3ac7e78fa1178ba65a
CozyDuke9B56155B82F14000F0EC027F29FF20E6AE5205C29ad55b83f2eec0c19873a770b0c86a2f7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522
CozyDukeB65AA8590A1BAC52A85DBD1EA091FC586F6AB00Af2b05e6b01be3b6cb14e9068e7a66fc1036c5c0075d67f67fee546321f5b9c4f00d37aa9249ffe1627e71946bad4a3d1
CozyDukeBDD2BAE83C3BAB9BA0C199492FE57E70C6425DD3416db420e781c709bb71acee0b79282f4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99
CozyDukeBF265227F9A8E22EA1C0035AC4D2449CEED43E2B1dde02ff744fa4e261168e2008fd613a418a21d49fe5bca8a3e050f039a0e2aa03db6d2de0fb49e3ff9d987f31b22dda
CozyDukeBF9D3A45273608CAF90084C1157DE2074322A23043c012086c1ae0a67c38b0926d6cba3f3dea35172449f0b9a86dff9af3b4480cc4c37a30e8cb54963ff91c4c1ffe7b0d
CozyDukeC3D8A548FA0525E1E55AA592E14303FC6964D28Df16dff8ec8702518471f637eb5313ab22b160b7eef5ce5fdb83889f96fc40cbbbc7b85450ff2afdf781a8eb5d6a0f541
CozyDukeC6472898E9085E563CD56BAEB6B6E21928C5486D98a6484533fa12a9ba6b1bd9df1899dc9891b5586cede16aa1e1b87380621f68e8956b991cf7675bbe18d2ec61a7522f
CozyDukeCCF83CD713E0F078697F9E842A06D624F8B9757Eacffb2823fc655637657dcbd25f35af8262dbadca239e5259161130ac9f0f5ef50691fd9dc3e3490b6c0d7b76e7ee34e
CozyDukeDEA73F04E52917DC71CC4E9D7592B6317E09A0547688be226b946e231e0cd36e6b708d203f0ebe892ab87ea24db172ae96cfc216b591d3967821c9d2581a9e11faccde28
CozyDukeE0779AC6E5CC76E91FCA71EFEADE2A5D7F099C80209a4a102a977b698544c99d8236e9ca86056f462d5783604b7f050047db210ecf698e72f3664b27d58265663ff5b324
CozyDukeE76DA232EC020D133530FDD52FFCC38B7C1D766262c4ce93050e48d623569c7dcc4d0278f44bead117d2cf34b8e50b81c82fbd1b938b94387cdf84386ace46b1f3b5df1a
CozyDukeE78870F3807A89684085D605DCD57A06E732712575457cc94b1d1dfa3f5d1aedc2edb0446eeffe540693418a107db3e7d2d9b72a54b2354aa6886b571272aa41f8cc8e0c
CozyDukeE99A03EBE3462D2399F1B819F48384F6714DCBA11a262a7bfecd981d7874633f41ea5de8099524703c250d1d1a16288dbd2f425d6cd0491f608e207a82f239b39bb26b7e
CozyDukeEA0CFE60A7B7168C42C0E86E15FEB5B0C9674029eb22b99d44223866e24872d80a4ddefdf722677df4fb7eb4ac986a944d4f6630b91ac22b31f8d39ec9bf941376d5d4db
CozyDukeEB851ADFADA7B40FC4F6C0AE348694500F878493b5553645fe819a93aafe2894da13dae71a7239c006a3adf893bdb5c2300b2964ed8bb454e1b622853e4460707dc63c16
CozyDukeF2FFC4E1D5FAEC0B7C03A233524BB78E44F0E50B9f65e3b320ec91380ebc28d4fdff48958a5d8d103cb175d7dc41932ef9a890997e25dbe15f94ecd2105835fe49779354
CozyDukeF33C980D4B6AAAB1DC401226AB452CE840AD4F407f6bca4f08c63e597bed969f5b729c5665fa52f632e4e83ff83120c7df6b90291025a76d5daeb183e814ec0b3bd2bd4e
CozyDukeF7D47C38ECA7EC68AA478C06B1BA983D9BF02E15a5d6ad8ad82c266fda96e076335a50807ed2d1aceab5f54df4acca63b5d269842d49521e13bab5e652237667c7eef261
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionageExploitFile
ExploitFile1E770F2A17664E7D7687C53860B1C0DC0DA7157Ef81f858335b253d4708fbdfa6ca92ee9b219c95fac620b25fdaed082a0bc93644443d236e9173829214d587d17a32a87
ExploitFile353540C6619F2BBA2351BABAD736599811D3392Eab7a66ed3c6de1b7449d6054a8b46d7f8cad0a40dd87e5d77e5c939bd7ea838c3549c44b525e2f4a1227d53c4af925be
ExploitFile412D488E88DEEF81225D15959F48479FC8D387B3335160cad23e28d4597c1546458042c4afbd1f13132c2f047861b2ea90c18d546a326dbfca4dfeffd8b4ebf852204275
ExploitFile5295B09592D5A651CA3F748F0E6401BD48FE7BDA6571a2d3892ca937697e96f8bb795e428c6c57f7e9c81fcf194d17a752f8da4295fab5dad8eb79bd289256b9cdb7415e
ExploitFile65681390D203871E9C21C68075DBF38944E782E86542cd548182d6adc08a63c942f9bc54880ae80fdc874002a6d9c807802794d4a35c384551d73bb36277b2f1e63d67e2
ExploitFile74BC93107B1BBAE2D98FCA6D819C2F0BBE8C9F8Afc0e380447be2bbdf9f06fc3358f8648b3236d1d0924cd9a17babd13209fe6706fd3a9228f22fe658eb4eb0c71360b73
ExploitFile8949C1D82DDA5C2EAD0A73B532C4B2E1FBB58A0E23d2592db15c251382706515cf4fd37e7e9c0bda27bbc80d947bc0c6ce29a19c824288d2b481f92a1637b7b8dfc8b81c
ExploitFileC671786ABD87D214A28D136B6BAFD4E33EE669512aa2a6e004159b9e3a590c63a0cc47b3ba35aa14ccc0e4fa8e47b621ea1d1efe1b012b623afd469e56015c0857fec646
ExploitFileF1F1ACE3906080CEF52CA4948185B665D1D7B13E84137c8e7509a0e9cf7ff71ba060cdb5e745fc57f816b2b507406ce1c0ec47f8f84d8f5efeaf327c657723c897522c83
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionageGeminiduke
Geminiduke3ED561786CA07C8E9862F4F682C1828A039D6DD4e36d73c6c8e832b7955c442b484472e51323e3d7656a427733663f03b3037326ffa9c57c68fa8e014a5bf7cb1455359a
Geminiduke6B0B8AD038C7AE2EFBAD066B8BA22DE859B81F987ad50c9e4a4bab73bba38860906220b6bc54acf4e60688ea668ef40ef965f2bad41dcf260ddae26d28b5551461c4b402
GeminidukeA3653091334892CF97A55715C7555C8881230BC4f1583641033d66873ed1604e2f1bea1ba8b01a219a9fe565aadf82bc28b60048c60b640e780386c7a84a425049df5af9
GeminidukeB14B9241197C667F00F86D096D71C47D6FA9ACA66d45f34e6d29391ee6f0e91bf344a7d0ce2c4dd21b99407bfa7066a6a57d180c00527e7db8ee52558c597550ac8b5d7c
GeminidukeC011552D61AC5A87D95E43B90F2BF13077856DEF6f5a73931c6c109bd6504a5ee0476ae77b9e542426408aa384d0394820f82f330e615a1ad17a777d04720458b33b08a3
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionageHammerDuke
HammerDuke42E6DA9A08802B5CE5D1F754D4567665637B47BCd3109c83e07dd5d7fe032dc80c581d088995535721ebeaf6983c6cecf3182d756ca5b3911607452dd4ba2ad8ec86cf96
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionageMiniDuke
MiniDuke00852745CB40730DC333124549A768B471DFF4BCcf59ed2b5473281cc2e083eba3f4b6623d0b1f970eaeeabf9372ffc1ad7e61226632904cf0311ea8f872ddbfd34a3a2a
MiniDuke03661A5E2352A797233C23883B25BB652F03F2059f13dc03904dbd45374acc21344772736e57c69963562d28a3a9da9f9103c199c909d0baa185a5d21e1b200a5a14ab72
MiniDuke045867051A6052D1D910ABFCB24A7674BCC046CAff83dad77ac2b526849930f1860dfd3fe961202d84aad7fa9faaeb63651735416612d25c611a7a025e2eaab67c79e272
MiniDuke0D78D1690D2DB2EE322CA11B82D79C758A901EBCc786a4cdfe08dbe7c64972a14669c4d1abfffd23c81b6301675567622ccee08cf578ce91f372fce68cff8fc1dbc3053d
MiniDuke0E263D80C46D5A538115F71E077A6175168ABC5C78e51be60eab2c6e952c9538a46ab52105e4224d4dd4e5fbd381ed33edb5bf847fbc138fbe9f57cb7d1f8fc9fa9a382d
MiniDuke103C37F6276059A5FF47117B7F638013CCFFE40774593127f50abff5327b3f7038b456d255129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f118468
MiniDuke118114446847EAD7A2FE87ECB4943FDBDD2BBD1E4c6608203e751cf27f627220269d683529ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50
MiniDuke15C75472F160F082F6905D57A98DE94C026E2C56738c60fff066934b6f33e368cfe9a88cde8184c6850d17f90e861309828af1f7b7e3b1695ebe5d303d3d4b6ef4ba1218
MiniDuke1BA5BCD62ABCBFF517A4ADB2609F721DD7F609DF48bbce47e4d2d51811ea99d5a771cd1a1f19bd932336fa721e739b32c07b67c01ea4bd0ebc70e92a70f41e51f4668a0a
MiniDuke1E6B9414FCE4277207AAB2AA12E4F0842A23F9C1a4ad6b55b1bc9e16123de1388f6ef9bf7889fbd40f65cfe21d0c7486b29eb4c5042abff4ac660c12c7936831445cfd6e
MiniDuke223C7EB7B9DDE08EE028BBA6552409EE144DB54Aa67ad3e2a020f690d892b727102a759b35c08566dc38ad65e906b3683ace98e5beef855aeedc611a0317a72eee193539
MiniDuke28A43EAC3BE1B96C68A1E7463AE91367434A2AC4297ef5bf99b5e4fd413f3755ba6aad79c60621e82f58b5ea5b36cde40889a076cb2c7f1612144998b1d388200bc7e295
MiniDuke296FD4C5B4BF8EA288F45B4801512D7DEC7C497Bb8e89f9908262b5385623c0e39d6b9408e28dcf7fd7ce1ad9a65c186e09a7843ee31af924509148f085958cadfdda8fb
MiniDuke2A13AE3806DE8E2C7ADBA6465C4B2A7BB347F0F5561017f887865b8d13f85c5474cdcbb8dfe146fffd2ae59172f52048f7e7d231807e0d732e19bdb443820a8305165741
MiniDuke2CEAE0F5F3EFE366EBDED0A413E5EA264FBF2A33441ee6a307e672c24d334d66cd7b2e1af4b01a3a299b09d2b4418cb66e80c34e3ec04016ed27199c472515cf95a023d0
MiniDuke2D74A4EFAECD0D23AFCAD02118E00C08E17996ED73931351f883cff5dbdcc54cc4eb10a715101f74f974e3e80cc37805ebe5cc2efed77bb5745d82e1b44b1da4f0c83691
MiniDuke30B377E7DC2418607D8CF5D01AE1F925EAB2F0372dcd049c591644e35102921a48799975354786c5df71cd090c96d1328b4e31cd28b8ddc77904863d100b6c35ad235b69
MiniDuke31AB6830F4E39C2C520AE55D4C4BFFE0B347C947ffefe16d581340c1e49f585a576a1fd8764f8c8f8832954c99fb0c2ac5ac5d89506dc5dc50310c9112318b75e9f9e2bf
MiniDuke36B969C1B3C46953077E4AABB75BE8CC6AA6A327ab2d8a0d5b03d40f148f2f907b55f9f155265193d63d56553e8e135e9a60d7d7c13cbf9d82ac25f84306ec98d74725b0
MiniDuke416D1035168B99CC8BA7227D4C7C3C6BC1CE169A811f66d6dd2c713073c0b0aebbe74ce84809c2c7fa19acfa011f97946205f979afb54ac2c166f48ab35a20cd9d53a2ca
MiniDuke43FA0D5A30B4CD72BB7E156C00C1611BB4F4BD0Ab100d530d67cfbe76394bb01605673829c13a32033bc7dd06016651b0f21a2bed9be1dc40c6879f925c71e05f4f1c8f7
MiniDuke493D0660C9CF738BE08209BFD56351D4CF07587786ef8f5f62ae8590d6edf45e04806515a6e2852f2e6701656da74adb412cd0850b0d27750803613223be3eb5ac5cc26c
MiniDuke4B4841CA3F05879CA0DAB0659B07FC93A780F9F18d3542af992b1de4cf1f587f61dddb50f151f5a656d43a76a07fa03166906d51f9683b27b0e9b86464e3a68e9dba1fac
MiniDuke4EC769C15A9E318D41FD4A1997EC13C029976FC205d10323111f02233163a6742556c97462a2df9d001d3e0f222d77b6781eb279761f1354570773ef1929a86557a11454
MiniDuke53140342B8FE2DD7661FCE0D0E88D909F55099DBe990e0d1ee90cd10c4be7bfde6cc3e5acc6ad212f50e0a7a708bb1b63a01d8932f471618cdda69b2e12106ae112b2415
MiniDuke5ACAEA49540635670036DC626503431B5A783B56c519eef57001ad3ae60cdcb0009bf778acd886fa7b9117807f1e11f0f38b9fad1afce51aa9cfbe3810a39d883d0ca663
MiniDuke5B2C4DA743798BDE4158848A8A44094703E842CBe863737773f64498091cd775c7abde66ecc5e2526ca32a447c862612b71c1db5675a759897e680573fa143ac0a8e662a
MiniDuke634A1649995309B9C7D163AF627F7E39F42D5968b8088f6594dd8cba31b4f52a2d91f40e5569b85532adb1e637f83c997910924345f10aa9c2948b3d26be13eec6cbeb8b
MiniDuke683104D28BD5C52C53D2E6C710A7BD19676C28B8e1a659473ae1e828508309b77da13783830ee990a6d4aaf00bb051704c93b468792561e8dd6a6ed4662f6032d38dd37a
MiniDuke694FA03160D50865DCE0C35227DC97FFA1ACFA486942f1dfd61d231df8acb7ed0f6310c4f0d822926f4e6aec2cf2bd7701d67e8399ccc05bc028377a275a90e06620a109
MiniDuke73366C1EB26B92886531586728BE4975D56F7CA5c92252487615d5379317febc22dba7d47f5d3a8dfa13ba8e2142a3b1d644f107cc89c7e90cda2a5543df5787f8bfde1e
MiniDuke827DE388E0FEABD92FE7BD433138AA35142BD01A2ab25d33d61cf4cfbac92c26c7c0598e6a95d2895362fc8657bc90d73d77e32f09b86699eb625905ddeb45ccd6b13c71
MiniDuke909D369C42125E84E0650F7E1183ABE740486F58423bb8914078a587d08b54d16bbd527cc13794601c5bdec3d5d76de9571e6c0e0b022b9fc62907018566895e3b949982
MiniDuke9796D22994FF4B4E838079D2E5613E7AC425DD1Dded2f80457aaefe1a80a9cefd1f4645dbf210e54c65ea69ebda418f701c2c6b8aff840f31c1072d641a726cef8c7b5ad
MiniDukeA32817E9FF07BC69974221D9B7A9B980FA80B6771528567b1a2f1da31d602ce1ddfd89188d457e4189017712917c5c8f900bb9072c5910c9f975c50337115f952d885635
MiniDukeA4E39298866B72E5399D5177F717C46861D8D3DF1de51ec5d2b8466f0d424e1c8dcd64541db9187b7b0e5bc97aca233f29b96295c0bc4058fdcff50df543c1f044e58836
MiniDukeA6C18FCBE6B25C370E1305D523B5DE662172875Bb68677e04fcc9103560bb0a5e5c7303f94d39845ec228ff1c84668207c4591ae0e2b6605bdf11e84916534ab09744736
MiniDukeA9E529C7B04A99019DD31C3C0D7F576E1BBD0970d2f39019bfa05c7e71748d0624be9a9419580f275b82ee091bdc3028e6e5018fdcc915fe7853d4151b44f3d7e101e531
MiniDukeAD9734B05973A0A0F1D34A32CD1936E66898C034a58e8e935341b6f5cc1369c616de37655b96b07528f762dfcb9d6936995ed4e358d29542ae756f6e5547fa3b5b7797b6
MiniDukeB27F6174173E71DC154413A525BADDF3D6DEA1FD270ca8368cd4216b1813281d3efe485d2ae4cc6834e3679e99fc93d2f5fba02167a31cf5b68a5a9ca7aa1a4b9f7cb4ae
MiniDukeB8B116D11909A05428B7CB6DCCE06113F4CC9E58e48fb57ce3d9c56ca3cf6c4aed8ad0ea415f88765b88dd90e5b0502e4fa1408e06ac9552c7c8974a510e6e23a9756a45
MiniDukeC17AD20E3790BA674E3FE6F01B9C10270BF0F0E41c658719e6dedb929a6d85359c59682d91b97f3b8ef8ebc8bbd06e06927e7b38090c026f8fca77e209e69c056b042cb7
MiniDukeC39D0B12BB1C25CF46A5AE6B197A59F8EA90CAA02d87ab160291664d62445548a2164c6023486eedb5fe8a026f602507f490b4df4721e8befa65007b84c4f5b1ed95e1bd
MiniDukeC6D3DAC500DE2F46E56611C13C589E037E4CA5E0527537cc28705e01af8d8006ae8308a96c2409d415e66faebf0a031350b44d5a014ab4f62f2c1a3115982d452b7f97b9
MiniDukeCB3A83FC24C7B6B0B9D438FBF053276CCEAACD2E612fba96383a5098c26fe1a222e1e7552f9834f7b7fe09d98ef7b27d3828691ed4b361d1ccbbf8e10703f9ec03b05259
MiniDukeCC3DF7DE75DB8BE4A0A30EDE21F226122D2DFE87810de1b9fa0a9396acae23dcd113a60d7815e5275ea849a9ed1f193abd8781ff7ae6b88ef6282f6a0900175a4bb59131
MiniDukeCD50170A70B9CC767AA4B21A150C136CB25FBD442530f54b87508e6f09a6bc5ab863b5db56dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a84
MiniDukeCDCFAC3E9D60AAE54586B30FA5B99F180839DEED7040ee4cd4be4b84f8510c04663a2500e375d40412845c4476536307f28b64c0128e1cb88a3f505bafdcd013d542fa85
MiniDukeD22D80DA6F042C4DA3392A69C713EE4D64BE8BC8b798c968cbfd53f878e13c7698610d9c12a057ca7c92cda3cd0e09efc5bff2ebd3f7d2991e999038c7f31a6ac6a95c3d
MiniDukeD81B0705D26390EB82188C03644786DD6F1A2A9Ef19345e0e5aecc0da45b4c110591bdd9b55e6e10a7f46c97cd247028287ea664bacf7ec7e500a4bf4f53c9dea7625426
MiniDukeDE8E9DEF2553F4D211CC0B34A3972D9814F156AA1e1b0d16a16cf5c7f3a7c053ce78f515a1015f0b99106ae2852d740f366e15c1d5c711f57680a2f04be0283e8310f69e
MiniDukeE4ADD0B118113B2627143C7EF1D5B1327DE395F118e64b8e5ce5bdd33ce8bd9e00af672cb1584a6f1059ad1c24bde2a9a8ae83ffc6679eb531d30f3f1c69f81e3a3819dc
MiniDukeE95E2C166BE39A4D9CD671531B376B1A8CEB4A55f78f1359fcf04e89e3bb0fbdf74c1e05f2ede48413704b3efc4d629d3db1a1331352a0afb0d91683640dc4b4af2921d1
MiniDukeEDF74413A6E2763147184B5E1B8732537A8543658282eb6d6f20c5de6e7f4ae3a42438d2fe2672737205351df003e1969ef1ef0df9e13a9a31bf77f844236857ed0b0bf5
MiniDukeEFCB9BE7BF162980187237BCB50F4DA2D55430C2935892bb70d954efdc5ee1b0c5f97184a962ea9027514712ba3949dc3ca54559d1d42e116837dda5f9809d6523a41255
MiniDukeF62600984C5086F2DA3D70BC1F5042CF464F928D381691b297f7f5694709e21ad61ec64513a50942322977d6471f71debc6d3db38807d88778366bae6cfcae45823a17f8
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionageOnionDuke
OnionDuke073FAAD9C18DBE0E0285B2747EAE0C629E56830C1aa8a941ec22a3ffe32d079323a2e6c40474111e44b9aa56d6e6024c6f278e915d57b7862ceb927672fc3417f76a3ba3
OnionDuke145C5081037FAD98FA72AA4D6DC6C193FDB1C127e1db6b72ec26311b175663b7d88e3c00930939256e2c2fa30e7260897d96859c08cf767664e4bd3cedf156b6765b5413
OnionDuke16B632B4076A458B6E2087D64A42764D86B5B021af534ba7bfc624c76e718ceab3477118ef0fab7757a6b5e842297fa2e0dc7a7ce084278c5d12b878bba7d90759a0e22b
OnionDuke1E200FBB02DC4A51EA3EDE0B6D1FF9004F07FE739993445521ca03ac3a693625b5ca1f363877a522c924f834e442ef19d9b11ab6d3385849e60d5f310f6320e2d9e42804
OnionDuke22BAE6BE13561CEC758D25FA7ADAC89E67A1F33Ab602adb677d0560601e7668eaf158605a9e2d988781e970882fb1cee420bf01dda30730046a82f0faf4703523842feb5
OnionDuke25E0AF331B8E9FED64DC0DF71A2687BE348100E80753697172046fcfb03d6445fff1f093bd589360b299dc4803aa35abca527137a51feadae2b1e3bc2b5a301bb5b245da
OnionDuke3BF6B0D49B8E594F8B59EEC98942E1380E16DD22d26ff50f81e76dffd1382fbf16783b4765a2ca760bfce4762cd1cb3623c7d5d0ff86187d3bf3ba8fdea1339585a57ec2
OnionDuke42429D0C0CADE08CFE4F72DCD77892B883E8A4BC4649609b8394283ec36ada132b02a0c6567332c2a6813d529bcb9196102ad45eceb982143e9d2f326f02cec1511954b0
OnionDuke5CCFF14CE7C1732FADFE74AF95A912093007357F89b3cf1023825cc49efe59b06092dba1d07a802eb6d2c296c3f1bc726b5a716c4a7d8e97053c53e81658a31f969e6ce7
OnionDuke61283EF203F4286F1D366A57E077B0A581BE1659db9ccc6fa0f7605f39d93487fbaba866540913b3647c28a14418a6f288be9e4d8f99048227efea8ca1b13877269002eb
OnionDuke6B3B42F584B6DC1E0A7B0E0C389F1FBE040968AA65c40b01a0870250fb358efc8b201192c218b779461d83d70791e0578175503cd69128c9723f2c5d7d36b85073b0f2f9
OnionDuke6B631396013DDFD8C946772D3CD4919495298D40a4c77494cccb41aaa8849176bd58055e97afcd01e00d32dc4d1161d7a127933593cfc092ec635af5dc7a775a088b6091
OnionDuke7B3652F8D51BF74174E1E5364DBBF901A2EBCBA119aca5da05ee8e5862e1d1ee50e84cecdf818c2dccacc532ba0205749329b7e46d1f6616b40da55e0d994105bd988bd2
OnionDuke7D17917CB8BC00B022A86BB7BAB59E28C34531269e3f3b5e9ece79102d257e8cf982e09e8d86c0985530271618a342579afd1a9ecb27dfb080866e3b888bd3e45e1eb8f5
OnionDuke7D871A2D467474178893CD017E4E3E04E589C9A03a6b45a7c8fa74bc342b69e9260799603af9cfb2797bed22e1d12970d068d794270a0f07d3f3dcfdcdb9abfc3a80e0f8
OnionDuke7EFD300EFED0A42C7D1F568E309C45B2B641F5C26a5a0ac42161333e9758589ecabed3c6c47f2973f077f21abfb202b54ea18ee2a182e4305ee0046c1bc6d15a1179a43c
OnionDuke91CB047F28A15B558A9A4DFF26DF642B9001F8D7ccb6d74a8577ca44ca56cfc7fa6332b649dca913ff5c4782e8f8fa2dfd161110bc5c8cd36c9ce8aa0efd1860ab668e6e
OnionDuke9A277A63E41D32D9AF3EDDEA1710056BE0D423470ea4ccf2737f7095b367eda58e475e1f489d448514a3ddf30144cc1634e6623e529dd3aee54a050a920a3d4342b4b96a
OnionDukeA75995F94854DEA8799650A2F4A97980B71199D228f96a57fa5ff663926e9bad51a1d0cb19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d
OnionDukeB3873D2C969D224B0FD17B5F886EA253AC1BFB5B2d96b4c95152819a888deccf7ec965d6ac9c7ac457a605ff836eb6fe127eabc7a251dd73ea0a1fa59a591de30fa75d3f
OnionDukeB491C14D8CFB48636F6095B7B16555E9A575D57Fc8eb6040fd02d77660d19057a38ff769366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b
OnionDukeC1EC762878A0EED8EBF47E122E87C79A5E3F7B44c0f27bcdede7fe36664770dfe9f840446271c4909f39e1f29dcc79cde0f526cbde45d906726e73bd3b52d041a34eda38
OnionDukeCCE5B3A2965C500DE8FA75E1429B8BE5AA744E1416bb0f9d98eb7a832b6db1e92f4e4f1addce4b5e1c03d04bb82780a2d0f08469bb589b6fe8f0d4cc2a140b16344f5bd1
OnionDukeD433F281CF56015941A1C2CB87066CA62EA1DB37d1ce79089578da2d41f1ad901f7b10140102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade
OnionDukeE09F283ADE693FF89864F6EC9C2354091FBD186E80a93e5dd3a3ea22f9a9af1547f797abdf03f0ae0622f5040bf449ab8b7559a97da7f746cc2ce24a8ad5336b18699296
OnionDukeE519198DE4CC8BCB0644AA1AB6552B1D15C99A0Ed33e91246924adb5edc97ceae8a600844558eb18504f724e4f33f1504ff924ce64701d26d703cf1e42a48504e7f51927
OnionDukeF2B4B1605360D7F4E0C47932E555B36707F287BE591a5ef38c1be504fbbc88219eb39692d04bef6765408d528fdf82a46c157b44e8b5e7762a15b0264033c9558ccc48dd
OnionDukeF3DCBC016393497F681E12628AD9411C27E57D48f23a89f3b7b6fa1312e6a10ede4e23a6316528ade312cc5ed76f0b44c7f2c2fc84f60ae215992d9393f57431383cf776
APT29_2015-09_FSecure_THE DUKES7 years of Russian cyberespionageSeaDuke
SeaDuke3459D9C27C31C0E8B2EA5B21FDC200E784C7EDF4e315436c42e681962a8e174ef7fad480c0b939598bf5913885b1837637f166fda09d932f3484525c8cbcc0b1efba2520
SeaDukeAA7CF4F1269FA7BCA784A18E5CECAB962B901CC222a46be630c877e2885c51147de10863c11212ff6474a15402ac848d1e4b9c6ced3deafb959b59837f14b834e5d0ad15
SeaDukeBB71254FBD41855E8E70F05231CE77FEE6F00388a25ec7749b2de12c2a86167afa88a4dd3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d
APT29APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee
APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee0B3852AE641DF8ADA629E245747062F889B26659.exe_d41d8cd98f00b204e9800998ecf8427ee3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National Committee74C190CD0C42304720C686D50F8184AC3FADDBE9.exe_d41d8cd98f00b204e9800998ecf8427ee3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National CommitteeCB872EDD1F532C10D0167C99530A65C4D4532A1E.exe_d41d8cd98f00b204e9800998ecf8427ee3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National CommitteeE2B98C594961AAE731B0CCEE5F9607080EC57197_pagemgr.exe_d41d8cd98f00b204e9800998ecf8427ee3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
APT29_2016-06_Crowdstrike_Bears in the Midst Intrusion into the Democratic National CommitteeF09780BA9EB7F7426F93126BC198292F5106424B_VmUpgradeHelper.exe_d41d8cd98f00b204e9800998ecf8427ee3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
APT29APT29_2016-11_Volexity_PowerDukePostElection
APT29_2016-11_Volexity_PowerDukePostElectionSamples
Samples4BCBF078A78BA0E842F78963BA9DD71240AB6A6D_cldsys.dll_57c627d68e156676d08bfc0829b943316119c92f5b5cb2cd953925e17ceb4a02a9007029dd27a35d44b116ff9718f814
Samples5CC807F80F14BC4A1D6036865E50D576200DFD2E_RWP16-038_Norris.exe_3335f0461e5472803f4b19b706eaf4b54538af0a76fecc6e45e6d45c22618c52ba89bf596a0b68dd2d4d2358fb5c86ef
Samples68CE4C0324F03976247FF48803A7D988F9F9F43F_37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk_f713d5df826c6051e65f995e57d6817d2d2fa32f928f8abf31b9e79153422d65fe72cd5ad0d1f815a9d2ffa42fc8d224
SamplesA76C02C067EAE26D78F4B494274DFA6AEDC6FA7A_37486.ZIP_f79caf27a99c091e6c1775b306993341f37da55a4329df13b1283cbfd237ae832cebb4b9c4ed16e5a1e0b98d9b7fdf25
SamplesB5684384C8028F0324ED7119F6ABF379F2789970_election-headlines-FTE2016.docm_a8e700492e113f73558131d94bc9ae2fef4a4319b9c37c1f05a4cbfb136c0eaf4a05476028d40a2a6bb07afc567f0f88
SamplesD5DCF445830C54AF145C0DFEAEBF28F8EC780EB5_RWP_16-038_Norris.ZIP_8b3050a95e3ce00424b85f6e9cc3ccec6412ea144bb0b8f7d32becda26cd1549825fd7b282f1f96319e5f4000e3d4618
APT29APT29_2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Tree
APT29_2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Tree617BA99BE8A7D0771628344D209E9D8A_Star Polk.exe_617ba99be8a7d0771628344d209e9d8a9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5
APT29_2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Tree7FCE89D5E3D59D8E849D55D604B70A6F_default.php_7fce89d5e3d59d8e849d55d604b70a6f2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4
APT29_2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Tree81F1AF277010CB78755F08DFCC379CA6_ fhyge.rtf_81f1af277010cb78755f08dfcc379ca6ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e
APT29_2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Tree8f154d23ac2071d7f179959aaba37ad5.dll_SayWhatBackdoor8f154d23ac2071d7f179959aaba37ad555058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641
APT29_2016-12_Chris_Grizzly SteppeLighting up Like A Christmas Treeae7e3e531494b201fbf6021066ddd188.dll_SayWhatBackdoorae7e3e531494b201fbf6021066ddd1889acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0
APT29_2017-03_Fireeye_Domain_Fronting_with_Tor8ddef83c57a5a752b20e3f98209acba42ab6c907b4fe844c01294a8dcfbc11ba966124b5b5aeb8af34a49d112fdbea60
APT29_2017-03_Fireeye_Domain_Fronting_with_Tor57e2f0fdc2566f11af661dc02e989dd65132a3f4_GoogleService.exe_31b3069cef380b4bf85e75a8885bcee82f39dee2ee608e39917cc022d9aae399959e967a2dd70d83b81785a98bd9ed36
APT29_2017-03_Fireeye_Domain_Fronting_with_Tor6842243f5a41f66a81b85ee524c3cfc7ace10da8_googleService.exe_628d4f33bd604203d25dbc6a5bb35b90fe744a5b2d07de396a8b3fe97155fc64e350b76d88db36c619cd941279987dc5

Review: Consider VPN services for hotspot protection

Virtual private networks have many uses. Typically, businesses deploy VPNs so employees can securely access the corporate network from outside the office. However, we’ve seen a rise in third-party VPN services that use the same underlying technology, the encrypted tunnel, to simply provide a secure Internet connection.

Why would you ever need to do this?

When connected to a VPN service, the websites you access think you’re at the location where the VPN server is located. This can help anonymize your Internet traffic so it’s much harder for websites to track your personal browsing history.

This also allows you to access websites, services, and content that’s restricted where you are currently located, such as Netflix or Hulu when traveling overseas.

To read this article in full, please click here

Reflection on Working From Home

In a moment of introspection last night, it occurred to me that working from home tends to amplify any perceived slight or sources of negativity. Most of my "human" interactions are online only, which - for this extrovert - means my energy is derived from whatever "interaction" I have online in Twitter, Facebook, email, Slack, etc.

It turns out that this can be highly problematic. Last year I turned off Facebook for months at a time because of all the negativity. I constantly felt myself slipping into depression because everything weighed me down. And don't get me wrong, I'm as much a source of negative posts as anyone else. I don't think we can help it in this political environment.

However, where this gets particularly challenging is around non-internet interactions. Whether it be having tea with a friend or just chatting with them on the phone... I've come to realize that a lot of my happiness ends up hanging on these very rare interactions, which can be highly problematic when folks are busy or when unexpected events conspire to prevent such meetings. The negative side of my brain then latches onto these as "proof" that I'm unworthy of friends or friendship and starts trying to commence the dark downward spiral.

To that end, now that I'm aware of these feelings, I can start developing mechanisms to cope with them. I think one of the big challenges for someone my age, with a family and working from home, is trying to find new opportunities for interaction. Real interactions - not phony interactions via "networking" events and BS like that. We're kind of at that point in the parenthood cycle where the kids' schedules tend to dominate our lives.

Anyway... this is my observation for the morning. I need to find new forms of positive human interactions. Preferably real human interactions. And, in the meantime, I need to stop letting negative interactions and disappointments amplify disproportionately to the degree that it triggers a major downward swing. This is not an easy thing to do, but in seeing the pattern, at least now I can tackle it.

Miele Professional PG 8528 Vulnerability

NCCIC/ICS-CERT is aware of a public report of a directory traversal vulnerability with proof-of-concept (PoC) exploit code affecting the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity washer and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment. According to this report, the vulnerability is remotely exploitable.

Three privacy tools that block your Internet provider from tracking you

It's official: Congress has sold you out to Internet service providers, passing a bill that dismantles Internet privacy rules and allows ISPs to sell your web history and other personal information without your permission. Assuming President Trump signs the bill into law, it means anyone concerned about privacy will have to protect themselves against overzealous data collection by their ISP.

Some privacy-conscious folks are already doing that—but many aren’t. If you want to keep your ISP from looking over your shoulder for data to sell to advertisers, here are three relatively simple actions you can take to get started.

To read this article in full, please click here

How to keep a private stash of bookmarks in Chrome

Incognito Mode in Chrome can keep your browsing history secret unless you have a nosy Internet Service Provider and you’re not using a VPN. But one thing incognito doesn’t keep secret is any bookmarks you’ve got. If you’ve ever wanted to keep a private collection of bookmarks, the Chrome extension Hush is one solution.

The extension only works in incognito mode and encrypts your store of private bookmarks that can only be accessed with the password.

To read this article in full, please click here

QOTD – Hubbard on the Risk Management Method

The single most important metric in all of risk management is the performance of the risk management method itself. The list of risks identified can be no more valid than the entire process of identifying risks. I would think that also applies to the method of "approving" mechanisms of measurement.
-- Douglas W. Hubbard, President of Hubbard Decision Research

[Source: statement made by the author on a closed mailing list. Posted with permission of the author.]

Toolsmith #124: Dripcap – Caffeinated Packet Analyzer

Dripcap is a modern, graphical packet analyzer based on Electron.
Electron, you say? "Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application."
We should all be deeply familiar with the venerable Wireshark, as it has long been the forerunner for packet analysts seeking a graphical interface to their PCAPs. Occasionally though, it's interesting to explore alternatives. I've long loved NetworkMiner, and the likes of Microsoft Message Analyzer and Xplico each have unique benefits.
For basic users comfortable with Wireshark, you'll likely find Dripcap somewhat rudimentary at this stage, but it does give you opportunities to explore packet captures at fundamental levels and learn without some of the feature crutches more robust tools offer.
However, for JavaScript developers, Dripcap opens up a whole other world of possibilities. Give the Create NTP dissector package tutorial a read; it shows how you can create, then publish and load dissector (and other) packages of your choosing.

Installation
I built Dripcap from source on Windows as follows, using Chocolatey.
From an administrator PowerShell prompt (ensure Get-ExecutionPolicy is not Restricted), execute the following (restart your admin PS prompt after #2):
  1. iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
  2. choco install git make jq nodejs
  3. git clone https://github.com/dripcap/dripcap.git
  4. cd dripcap
  5. npm install -g gulp node-gyp babel-cli
  6. npm install
  7. gulp
Step 1 installs Chocolatey, step 2 uses Chocolatey to install tools, step 3 clones Dripcap, steps 5 & 6 install packages, and step 7 builds it all.
Execute dripcap, and you should be up and running.
You can also use npm, part of the Node.js package ecosystem, to install the Dripcap CLI with npm install -g dripcap, or just download dripcap-windows-amd64.exe from Dripcap Releases.

Experiment 

I'll walk you through packet carving of sorts with Dripcap. One of Dripcap's strongest features is its filtering capabilities. I used an old PCAP with an Operation Aurora Internet Explorer exploit (CVE-2010-0249) payload for this tool test.
Ctrl+O will Import Pcap File for you.

Click Developer, then Toggle Log Panel for full logging.

Figure 1: Dripcap
You'll note four packets with lengths of 1514, as seen in Figure 1. Exploring the first of these packets indicates just what we'd expect: an Ethernet MTU (maximum transmission unit) of 1500 bytes, and a TCP payload of 1460 bytes, leaving 40 bytes for our header (20 byte IP and 20 byte TCP).

Figure 2: First large packet
Hovering your mouse over the TCP details in the UI will highlight all the TCP-specific data, but you can take such actions a step further. First, let's filter down to just the large packets with tcp.payload.length == 1460.
Figure 3: Filtered packets
With our view reduced we can do some down and dirty carving pretty easily with Dripcap. In each of the four filtered packets I hovered over Payload 1460 bytes as seen in Figure 4, which highlighted the payload-specific hex. I then used the mouse to select the highlighted content and, using Dripcap's Edit and Copy, grabbed only that payload-specific hex and pasted it to a text file.
Figure 4: Hex payload
I did this with each of the four packets and copied the content, one hex blob after the other, into my text file, in tight, seamless sequence. I then used Python Tools for Visual Studio to do a quick hexadecimal to ASCII translation, as easily as bytearray.fromhex("my hex snippet here").decode(). The result, in Figure 5, shows the resulting JavaScript payload that exploits CVE-2010-0249.
Figure 5: ASCII results
You can just as easily use online converters as well. I saved the ASCII results to a text file in a directory which I had excluded from my anti-malware protection. After uploading the file to VirusTotal as payload.txt, my expectations were confirmed: 32 of 56 AV providers detected the file as the likes of Exploit:JS/Elecom.D or, more to the point, Exploit.JS.Aurora.a.
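The carving above was done by hand: filter on tcp.payload.length == 1460, copy each highlighted payload, paste the hex blobs in order and decode. The following Python script is an added example (not part of the Toolsmith column or of Dripcap) that performs the same steps from a PCAP without a GUI: it walks a classic libpcap file, pulls the TCP payload out of each Ethernet/IPv4 frame, keeps only the full-size segments, orders them by sequence number, drops retransmitted duplicates and decodes the result. The Aurora capture is not reproduced here; the script builds its own small capture around a harmless stand-in script, so the addresses, ports, timestamps and content are all constructed.

```python
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic libpcap file held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (flow, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ip + 2)[0]
    if frame[ip + 9] != IPPROTO_TCP:
        return None
    src = ".".join(map(str, frame[ip + 12:ip + 16]))
    dst = ".".join(map(str, frame[ip + 16:ip + 20]))
    tcp = ip + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    # Bound the payload by the IP total length so Ethernet padding never leaks into it.
    return f"{src}:{sport}->{dst}:{dport}", seq, frame[tcp + data_off:ip + total_len]


def carve(pcap, payload_len=1460):
    """The filter `tcp.payload.length == 1460` plus the copy-and-paste done by hand above:
    keep only full-size segments, drop retransmitted duplicates, order by TCP sequence
    number and join the payload bytes, one blob per flow."""
    segments = {}
    for frame in iter_pcap_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed and len(parsed[2]) == payload_len:
            flow, seq, payload = parsed
            segments.setdefault(flow, {}).setdefault(seq, payload)
    return {flow: b"".join(segs[s] for s in sorted(segs)) for flow, segs in segments.items()}


# --- constructed sample capture (stand-in for the Aurora PCAP, which is not reproduced) ---

def build_frame(src_ip, sport, dst_ip, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, the parser never checks them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Little-endian classic pcap: magic, v2.4, zone 0, sigfigs 0, snaplen 65535, Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1489000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Harmless script text standing in for the exploit page: exactly 4 x 1460 bytes.
SAMPLE_SCRIPT = (b"<script>var sc = unescape('%u9090'); /* constructed sample */\n" * 120)[:4 * 1460]
SAMPLE_FLOW = "10.0.0.5:80->10.0.0.9:40123"


def sample_capture():
    """Four full-size segments delivered out of order, one of them retransmitted, plus a bare ACK."""
    chunks = [SAMPLE_SCRIPT[i:i + 1460] for i in range(0, len(SAMPLE_SCRIPT), 1460)]
    frames = [build_frame("10.0.0.9", 40123, "10.0.0.5", 80, 1, b"")]  # client ACK, no payload
    for i in (0, 2, 1, 3, 2):  # segment 2 shows up twice, as a retransmission would
        frames.append(build_frame("10.0.0.5", 80, "10.0.0.9", 40123, 1000 + i * 1460, chunks[i]))
    return build_pcap(frames)


def carved_text():
    """Decode the joined payload, as the walkthrough does with bytearray.fromhex(...).decode()."""
    return carve(sample_capture())[SAMPLE_FLOW].decode()


if __name__ == "__main__":
    print(carved_text()[:200])
```

Two caveats the manual method shares: the last segment of a stream is normally shorter than 1460 bytes and is dropped by this filter, so a full carve should follow the whole stream (Wireshark's Follow TCP Stream does this), and the payload is ordered by sequence number rather than by capture order, which is what protects you when segments arrive out of order or are retransmitted.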

In closing
Perhaps not the most elegant method, but it worked quickly and easily with Dripcap's filtering and editing functions. I hope to see this tool, and its community, continue to grow. Build dissector packages, create themes, become part of the process; it's always good to see alternatives available to security practitioners.
Cheers...until next time.

Hackers Spark Revival of Sticky Keys Attacks

Hackers are constantly trying to find new ways to bypass cyber-security efforts, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security’s anti-malware research facility, recently detected a targeted attack which did not use malware, but rather used scripts and other tools associated with the operating system itself in order to bypass scanners.

Using an attack method that has gained popularity recently, the attackers launched a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they had valid login credentials for the device, the intruders had complete access to it.
At this stage, the attackers ran sethc.exe with the parameter 211 from the computer’s Command Prompt window (CMD), turning on the ‘Sticky Keys’ feature.

Next, the attackers launched Traffic Spirit, a traffic-generator application that ensures the attack is lucrative for the cyber-criminals.

Once this is complete, a self-extracting archive is launched, which unpacks the following files into the %Windows%\cmdacoBin folder:
• registery.reg
• SCracker.bat
• sys.bat

The attackers then run the Windows Registry Editor (regedit.exe) to import the key contained in registery.reg:

This key ensures that every time the Sticky Keys feature is invoked (sethc.exe), a file called SCracker.bat is run instead. This batch file implements a very simple authentication system; running it displays the following window:

The user name and password are read from two variables defined in sys.bat:

This creates a backdoor into the device. With it, the attackers can connect to the targeted computer without ever entering the Windows login credentials: at the logon screen they trigger Sticky Keys and supply the user name and password from sys.bat to open a command shell:

The command shell shortcuts allow the hacker to access certain directories, change the console colour, and make use of other typical command-line actions.

The attack doesn’t stop there. To capitalise on it, the attackers also install a Bitcoin miner on every compromised computer, software that uses the victims’ computing resources to generate the virtual currency without them realising it.
Even if the victim realises the device has been breached and changes their credentials, the attackers can still get in: pressing the SHIFT key five times at the logon screen triggers Sticky Keys and reactivates the backdoor.
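The post does not reproduce registery.reg, so the exact key is not visible here; the usual way to make Windows run another program whenever sethc.exe is launched is a Debugger value under Image File Execution Options, and the following Python triage check assumes that is what the file contained. It is an added example, not Panda’s code: it parses a .reg export (handling regedit’s UTF-16 output as well as plain text) and reports every IFEO Debugger entry, rating hijacks of the accessibility binaries the logon screen can launch as critical. The sample .reg content is constructed for the example, including the notepad.exe/windbg entry; only the cmdacoBin\SCracker.bat path comes from the post.

```python
import re

# Accessibility helpers Windows launches from the logon screen (Shift x5 = sethc.exe,
# Win+U = utilman.exe, ...). A Debugger hijack on any of them is a pre-authentication backdoor.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
               "\\image file execution options\\")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def load_reg_text(raw):
    """regedit exports UTF-16LE with a BOM; hand-written .reg files are usually ANSI/UTF-8."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")


def _unescape(s):
    """Undo the two escapes a .reg string uses: \\" for a quote and \\\\ for a backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Yield (key, value_name, value) for each value in a Registration Entries (.reg) file.
    REG_SZ ("...") and dword: values are decoded; other types are returned as raw text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        val = m.group(2)
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = _unescape(val[1:-1])
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        yield key, name, val


def find_ifeo_hijacks(text):
    """Report every IFEO Debugger value; accessibility binaries are the Sticky Keys pattern."""
    findings = []
    for key, name, val in parse_reg(text):
        k = key.lower()
        if not k.startswith(IFEO_PREFIX) or name.lower() != "debugger":
            continue
        target = k[len(IFEO_PREFIX):].split("\\")[0]
        severity = "critical" if target in ACCESSIBILITY_BINARIES else "review"
        findings.append({"target": target, "debugger": val, "severity": severity})
    return findings


# Constructed sample modelled on the post's description; not the real registery.reg.
SAMPLE_REG = rb"""Windows Registry Editor Version 5.00

; constructed for this example
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""


def hijacks_in_sample():
    """Run the check over the constructed export; the sethc.exe entry is the backdoor."""
    return find_ifeo_hijacks(load_reg_text(SAMPLE_REG))
```

On a live host the same check reads that key under HKLM with reg query or Get-ItemProperty, and it is worth pairing with a hash comparison of System32\sethc.exe against cmd.exe, because the older variant of this attack swapped the binary itself rather than setting a Debugger value.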

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organisation from serious financial and reputational harm. Business leaders need to recognise the need for advanced security, such as AD360, to protect their network from these kinds of attacks.

The post Hackers Spark Revival of Sticky Keys Attacks appeared first on CyberSafety.co.za.

I thought everyone knew this by now

But apparently not. I just saw some “Security Awareness Training” that gave the bad old advice of “look for the padlock” in your web browser. Here’s my answer to that:

image

In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn’t that easy, we need to teach better. Also, “don’t click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice.

The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn’t assure you that the traffic isn’t being decrypted, inspected, and re-encrypted along the way. Or maybe it isn’t encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn’t prove the identity of the site owner unless it is an EV (extended validation) certificate, and even then the validation is imperfect. When we just say “look for the padlock” we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. It isn’t entirely true, but if we are going to oversimplify, I think we’re better off telling folks that the padlock doesn’t mean a damn thing anymore, if it ever did.

While we’re on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you want”. I did find a few things which made me think of typical browser warnings:

BrowserWarning

This means it’s OK to trespass up to this point, but no further? Is that like this website is unsafe? No, because if you look around this sign you can see the end of the pier is missing, if you click past the browser warning you will not fall into the ocean.

And this, you know what it means, but what does it say?

image

That’s right, it says don’t P on the grass. Just because you know what something means does not mean you can assume others do, we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass, sounds like a browser warning to me.

Jack

Review: Canary Flex security camera lives up to its name

Canary’s initial foray into the networked home security camera space was very impressive – my colleague David Newman touted its high security settings in the wake of revelations about the general insecurity of these types of devices. The Canary camera was also somewhat large – a cylindrical tower that took up some significant space on your desk, cabinet or shelf.

The latest camera the company sent me is the Canary Flex, a much smaller unit meant to be more flexible (hence the name) in terms of placement, but also in power options. Like the Arlo Pro camera, the Canary Flex is powered by an internal battery (it’s charged via USB cable and power adapter). This means you can move the Flex to a location inside or outside your home where there’s no power outlet. The Flex comes with wall mounting screws and a 360-degree magnetic stand so you can position the camera in different spots. Additional accessories, such as a plant mount or twist mount (pictured below), offer even more location choices.


Where’s Jack?

As I mentioned in a post earlier this year, I am traveling extensively this year, connecting and reconnecting with a lot of people. And thanks to a lot of wonderful people inside and outside the hacker and security communities I am doing very well after a rough few months. So, it’s time to share my plans and encourage folks to come and chat with me if our paths cross. I know I have a reputation of being a cranky old bastard, one which is well deserved, but I’m really not a miserable person; truly, seek me out and tell me stories, ask questions, whatever. If I can help you I will, or maybe I’ll point you to someone who can help if I can’t. I meant what I said in my recent post about the loss of Becky Bace and others; they set an example for those of us who knew them and I’m not about to let InfoMom down.

So, here’s my schedule as it looks from here:

Tomorrow, Friday March 24 I’ll be speaking at BSidesOK in Tulsa. Yeah, short notice, but there it is.

I’ll be speaking at the North Florida ISSA meeting in Jacksonville on April 6.

I’ll also be speaking at BSides Boston on April 15th.

BSides Nashville on April 22, I’ll be there, not speaking, so I’ll have more time to chat.

May 2 in Denver I’ll be speaking at the EDUCAUSE annual conference.

Later that week I’ll be attending Thotcon (May 4-5) and probably BurbSecCon (May 6) in Chicago.

Then things calm down a little before spending most of June in Europe, but more on that later.

See you on the road

Jack

Panda Security Rated Top in Antivirus Test


A recent study conducted by AV-Comparatives recognised Panda Security for obtaining the highest possible score by detecting 100% of the malware samples tested.

AV-Comparatives’ most rigorous test ranks Panda Security number one for malware detection

The analysis took into account the same infection vectors that a user might encounter on an ordinary day. The fundamental objective of AV-Comparatives’ Real-World Test is to determine whether security solutions can protect the system as it is exposed to an array of malware samples. Panda Security’s Free Antivirus detected 100% of the malware to which it was exposed.

“We are proud of the excellent results we received in the AV-Comparatives Real-World Test – these results validate our efforts to offer our users the best protection against all types of threats under real conditions. Panda Security is fully committed to the constant improvement of our solutions in order to provide maximum security levels with minimum performance impact,” says Jeremy Matthews, Regional Manager, Panda Security Africa.
 
These results speak to the success of the set of technologies leveraged by Panda Security to develop a solution that is ideal for all types of users – private or public, large or small. Panda Security’s solution comes in response to the rapid evolution of malware in recent years. In this regard, it offers the most effective response to threats such as ransomware, and proves to be the best ally in the prevention, protection and response to the latest attacks.

The post Panda Security Rated Top in Antivirus Test appeared first on CyberSafety.co.za.

VirusTotal += Symantec Mobile Insight

We welcome the Symantec Mobile Insight scanner to VirusTotal. This engine is specialized in Android and reinforces the participation of Symantec that already had a multi-platform scanner in our service. In the words of the company:

"Symantec Mobile Insight is a comprehensive mobile security service capable of identifying suspicious and malicious apps using a broad array of endpoint-based and cloud-hosted techniques. These techniques blend traditional code and behavior analysis with cutting edge similarity and machine learning applications. Leveraging analysis of over 50 million apps and telemetry from millions of endpoints on a daily basis, we're able to provide superior protection. Our App Advisor technology can help end users identify malware and other unwanted apps on the App Store, prior to installation."

Symantec has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-TEST, an AMTSO-member tester.

A quick REVENGE Analysis

Another free weekend, another suspicious link provided by a colleague of mine, and another compelling urge to understand "how it works". The following analysis is made "just for fun" and is not part of my professional analyses, which have to follow a completely different process before being released. So please consider it a "sport activity".

A colleague of mine provided me a suspicious link which I decided to analyze.

The infection starts by redirecting the browser to the page "see.aliharperweddings.com" through a GET request with the following parameters:
biw=diamonds.104wh99.406v6e7i0&que=diamonds.124if80.406v5h6e9&qtuif=3654&fix=diamonds.108bf93.406p9e7i4&oq=CeliDpvspJOdZNQOyj0SGfwZkm4pcBwhH9Pqqj0bWmxCag57W9CW9UU4HupE&q=z3jQMvXcJwDQDoTBMvrESLtEMU_OHEKK2OH_783VCZ39JHT1vvHPRAPytgW&ct=diamonds&tuif=6124
The page is not built to return rendered content but rather three different scripts. Indeed, the visible page holds weird content, as follows:

Weird visible content by: see.aliharperweddings.com

Getting a little deeper into the page source code, it is easy to spot nicely obfuscated scripts, which look (at least in my experience) like a first infection stage. Let's have fun and try to understand how this new sample works. The following image shows a portion of the obfuscated code. We are getting into the first stage of analysis.

First Stage: The fun begins.

A few steps in Google's V8 engine de-obfuscate the first stage, which uses a couple of techniques to run VBScript on the target machine. The first trick, as shown in the next image, is to use the classic but "evergreen" window.execScript, which is no longer supported in Internet Explorer >= 11. execScript takes two parameters: the code to be run and the language to run it in. The function invokes the right interpreter depending on the language parameter.

Second Stage: Running VBScript

The second trick is to use eval to de-obfuscate the second stage and later run its functions through the VBArray technique. Decoding the second stage was easier than the first since fewer obfuscation rounds are involved. Once the second stage was de-obfuscated I ran into another "browser" stage (let's call it the Third Stage), written in VBScript, as follows:

Third Stage: The VBScript saving Windows PE
The resulting script is quite simple to read; no further obfuscation loops are involved. The script itself is quite big, so I am not going to describe every single line of code, just the most interesting ones (in my personal opinion). Let's focus on the "random" function (shown in the following image), which returns strLen "random" letters from a well-defined alphabet :).

Third Stage: Implemented "random" function

This function is used later to save the PE, via FileSystemObject, into a temporary file, passing the number 8 as the parameter to the rnds function. A quick and dirty IoC would be: 8 letters from the alphabet "abcdehiklmnoprstuw02346" followed by ".exe", in the system temporary directory, as shown in the next image.

Third Stage: Saving PE Object using 8 "random" (not really) characters

The saved file is then executed through WScript.Shell, as shown in the next image.

Third Stage: Running the fake shell32.dll

A key is defined as "gexywoaxor" and a stream is fetched from a URL, as shown in the following image.

Third Stage: Key and Stream

A special function decrypts the stream using that key. The decoded stream is saved and launched as the fake shell32.dll.

Third Stage: Decryption stream function (key= gexywoaxor)
Most of you will recognise the RIG exploit kit, which used to decrypt streamed (ADODB.Stream) objects through an inline XOR. This decrypt function does not use a simple XOR, so I would consider it a new version of the RIG exploit kit. The overall behaviour looks like standard RIG EK: three browser infection scripts and a stream-decoding procedure.

Finally I've got a Windows PE in my temporary directory and a script launching it from the browser!

Let's move on and see what it does. On first run the PE file gets information from its command and control server which, at the time, happened to be 193.70.90.120 (France).
It downloaded a public key (maybe for encrypting files?) as follows:

Fourth Stage: Downloaded Public Key
This behaviour reminds me of a classic ransomware attack, which fits pretty well with RIG distribution rings. The sample starts with simple HTTP GETs but later keeps track of its malicious activity (encrypted files) by POSTing to the same C&C the number of encrypted files and a unique serial number. The sample sends back two parameters: id and count.

Fourth Stage: POST to C&C

id differs for every infection and can be considered a unique constant for a given one. count increases steadily as a counter of the number of encrypted files.
The sample includes some tricks to check the running environment, such as (but not limited to) IsDebuggerPresent and volume checking. The sample is a multi-threaded encryptor which spawns an encrypting thread for each system folder found (limited to 10 at a time). The sample is not packed/encrypted with a well-known packer, as the following image shows, but the real code (payload) is encoded inside the fourth stage (let me define the Windows PE as the fourth stage of infection).

Fourth Stage: No known packers/encrypters are found

The following image shows the real payload dynamically built on the heap of the fourth stage. As an analyst I decided not to extract it but rather to follow the original sample in order to understand how the control-flow switch happens.


Stage Fifth: HEAP built payload 

The fifth stage is run by the following code which, after building the payload straight into memory, transfers control with a simple dynamic call to the memory at [ebp+var_4].


Fifth Stage: getting control by call [ebp+var_4]
This is the last stage, where the payload walks the folders, reads files and encrypts them using a dynamically loaded cryptbase.dll and the downloaded public key. The payload also saves itself and gains persistence through registry keys. The following images show where the payload copies itself on the target machine.

Fifth Stage: Payload Persistence
The payload saves itself as svchost.exe, creating a folder so that the path reads Microsofts\ Windows NT\svchost.exe, as the most classic payloads do! cryptbase.dll functions are dynamically loaded; only a few library functions are involved, which makes them easy to track down (the following images show the imported functions being tracked down).

Stage Fifth: Cryptobase.dll tracking functions
Finally the SaveFile function writes the ransom note # !!!HELP_FILE!!! #.TXT to the physical drives, with the following content, and encrypted files get the .REVENGE extension.

Ransom File
Since the implemented languages are English, Italian, German, Polish and Korean, it is easy to believe this ransomware attack mainly targets European countries.

While the infected website (see.aliharperweddings.com) has promptly been taken down (it now belongs to GoDaddy), the command and control page is still up and running. Indeed the command and control appears to be an old, vulnerable fake website created on 2016-10-07T08:19:40Z and weaponized with stale content dating back to November 2014. The website is not a real one; it's a simple "lorem ipsum" page with no apparent purpose. The following image shows this apparently fake website.

Command and Control Vulnerable Web Site
Conclusions

Despite the reverse-engineering difficulty and the technical details I addressed in this quick and dirty post, I found an unusual C&C behaviour. Usually attackers want to protect their C&C, and it is the first system (page, connection, service) to be closed or moved after a first disclosure, so that the attacker isn't sinkholed and doesn't end up receiving injected commands into her malicious network. In this example, by contrast, the current C&C appears to have been alive since October 2016. Please note that I am not saying it has served RIG since 2016, but it might have served many different EKs over time, which makes me think of a well-defined operation attributable to a RIG-as-a-service group.

Useful IoC:
- url: see.aliharperweddings.com
- url: far.nycfatfreeze.com
- ip: 193.70.90.120
- ip: 188.225.38.186
- email: rev00@india.com
- email: revenge00@writeme.com
- email: rev_reserv@india.com
- string: 5427136ABEE9451E
- string: # !!!HELP_FILE!!! #.TXT
- string: gexywoaxor 
- file extension: REVENGE
- File Name: 8 characters from {abcdehiklmnoprstuw02346}.exe
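As an added example (not part of the original analysis), the following Python turns the IoC list into checks that can be run over a temp-directory listing, a file listing and proxy log lines. The dropper-name pattern is the one described in the Third Stage section (8 symbols from the 23-character alphabet plus .exe); the proxy log format, the client addresses and every sample file name are constructed for the example, and the split between a GET (key download) and a POST (the id/count progress report) to the C&C follows the Fourth Stage description rather than any URL path, which the post does not give.

```python
import re
from urllib.parse import urlsplit

# Network and on-disk indicators from the IoC list above.
IOC_HOSTS = {"see.aliharperweddings.com", "far.nycfatfreeze.com"}
IOC_IPS = {"193.70.90.120", "188.225.38.186"}
RANSOM_NOTE = "# !!!HELP_FILE!!! #.TXT"
RANSOM_EXT = ".REVENGE"

# Dropper name: exactly 8 symbols from the script's 23-character "random" alphabet, then .exe.
# The alphabet in the script is lower-case, so the match is case-sensitive (assumption: the
# dropper never upper-cases the name it generates).
DROPPER_NAME = re.compile(r"^[abcdehiklmnoprstuw02346]{8}\.exe$")


def is_dropper_name(filename):
    return DROPPER_NAME.match(filename) is not None


def scan_temp_listing(names):
    """Candidate droppers in %TEMP%. Expect false positives: ordinary 8-letter words over the
    same alphabet ('untitled.exe') match too, so hits are leads to hash and check, not verdicts."""
    return [n for n in names if is_dropper_name(n)]


def scan_file_listing(names):
    """Encrypted files and ransom notes left on a drive."""
    return [n for n in names if n == RANSOM_NOTE or n.endswith(RANSOM_EXT)]


# Constructed proxy log format (an assumption for the example): timestamp client method url status.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Flag contact with the landing page and the C&C. The post describes the sample POSTing
    id and count to the same C&C it fetched the key from, so POSTs there are the progress beacon."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if host in IOC_HOSTS:
            hits.append((m["client"], host, "RIG landing page"))
        elif host in IOC_IPS:
            what = "C&C beacon (id/count POST)" if m["method"] == "POST" else "C&C contact"
            hits.append((m["client"], host, what))
    return hits


# Constructed inputs: none of these come from the analysed host.
SAMPLE_TEMP = ["hkpw2s6o.exe", "untitled.exe", "setup.exe", "HKPW2S6O.EXE", "~DF3A1B.tmp"]
SAMPLE_FILES = ["report.docx.REVENGE", RANSOM_NOTE, "notes.txt", "photo.jpg.REVENGE"]
SAMPLE_LOG = """\
2017-03-12T10:01:02Z 10.1.2.3 GET http://see.aliharperweddings.com/?biw=diamonds.104wh99&ct=diamonds 200
2017-03-12T10:01:05Z 10.1.2.3 GET http://193.70.90.120/ 200
2017-03-12T10:03:40Z 10.1.2.3 POST http://193.70.90.120/ 200
2017-03-12T10:04:00Z 10.1.2.7 GET http://www.example.com/index.html 200
""".splitlines()
```

The name pattern is deliberately loose and will hit benign names such as untitled.exe, so treat it as a lead to hash and sandbox rather than a verdict; the domain and IP indicators are far more specific, though the post itself notes the landing domain was already taken down while the C&C address stayed up.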

BONUS:
A similar dropper (Third Stage) was published on March 9th 2017 on pastebin.

msfrpcd

Did you forget the credentials you need to start msfrpcd for your Metasploit instance? There's a quick way to get a working username and password. Open up msfconsole and run the command "load msgrpc". The plugin starts an RPC listener with a freshly generated password, and you'll get output like this:


msf > load msgrpc
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: aKCU4AgT
[*] Successfully loaded plugin: msgrpc
msf >

Now start msfrpcd with -P and you're set. 


Reference https://help.rapid7.com/metasploit/Content/framework/msf-rpc-service.html for more info.

On loss and responsibility

We have lost more great figures in our world of InfoSec, and we are diminished by their loss.

Spaf has written eloquently on the passing of Kevin Ziese, Howard Schmidt, and Becky Bace. I never met Kevin, and I only met Howard a couple of times, but I know of them and their impact on our industry and people in our field.

Becky had become a friend over the past several years, and her loss has hit me hard. Becky has a long and storied history in InfoSec and cybersecurity (and damn, could she tell great stories). Becky was instrumental in nurturing the fledgling fields of network analysis and IDS when she was at NSA, but more importantly than her technical work she was a great friend and mentor to so many in our field that it is hard to overstate how many people she touched in her life and career. For a glimpse into what Becky was like, check out Avi’s very personal and touching remembrance of meeting Becky.

Once again, we take time to remember lost friends. While natural to mourn their passing we must remember that there are still many in our communities who need the kind of friends and mentors that Kevin, Howard, and Becky were to those of us who knew them. It is our responsibility to them and many others we’ve lost in our young field to remember them, but more importantly to fill those roles of friends and mentors to those who never knew them.

 

Jack

MS16-084 – Critical: Cumulative Security Update for Internet Explorer (3169991) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

VirusTotal += SentinelOne

We welcome the SentinelOne scanner to VirusTotal. This is a machine learning engine from the US. In the words of the company:

"SentinelOne (Static ML) is a machine learning engine designed to identify unknown malware. It is part of SentinelOne’s unique offering of a multi-layer detection and prevention agent – utilizing behavioral monitoring and static analysis that is capable of keeping organizations ahead of any advanced threat in real-time. SentinelOne protects Windows, OS X and Linux-based endpoint devices against advanced malware, exploits and fileless attacks.

SentinelOne has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.

MS17-019 – Important: Security Update for Active Directory Federation Services (4010320) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.

MS17-006 – Critical: Cumulative Security Update for Internet Explorer (4013073) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS17-016 – Important: Security Update for Windows IIS (4013074) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS17-008 – Critical: Security Update for Windows Hyper-V (4013082) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS17-022 – Important: Security Update for Microsoft XML Core Services (4010321) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

MS17-009 – Critical: Security Update for Microsoft Windows PDF Library (4010319) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.

MS17-011 – Critical: Security Update for Microsoft Uniscribe (4013076) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS17-018 – Important: Security Update for Windows Kernel-Mode Drivers (4013083) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MEMS Accelerometer Hardware Design Flaws (Update A)

This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional (the Americas, APAC and EMEA) analysis focused on attack trends, and defensive and emerging trends.

When it comes to attack trends, we’re seeing a much higher degree of sophistication than ever before. Nation-states continue to set a high bar for sophisticated cyber attacks, but some financial threat actors have caught up to the point where we no longer see the line separating the two. These groups have greatly upped their game and are thinking outside the box as well. One unexpected tactic we observed is attackers calling targets directly, showing us that they have become more brazen.

While there has been a marked acceleration of both the aggressiveness and sophistication of cyber attacks, defensive capabilities have been slower to evolve. We have observed that a majority of both victim organizations and those working diligently on defensive improvements are still lacking adequate fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Fortunately, we're seeing that organizations are becoming better at identifying breaches. The global median time from compromise to discovery has dropped significantly from 146 days in 2015 to 99 days in 2016, but it's still not good enough. As we noted in M-Trends 2016, Mandiant's Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment, so 99 days is still 96 days too long.

We strongly recommend that organizations adopt a posture of continuous cyber security, risk evaluation and adaptive defense or they risk having significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks.

On top of our analysis of recent trends, M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year. FaaS monitors organizations 24/7, which gives them a unique perspective into the current threat landscape. Additionally, this year we partnered with law firm DLA Piper for a discussion of the upcoming changes in EMEA data protection laws.

You can learn more in our M-Trends 2017 report. Additionally, you can register for our live webinar on March 29, 2017, to hear more from our experts.

Home Lab – VPN

Since our lab is isolated from the home network behind the router, we need a way to reach the VMs inside it from our research systems. To access the systems behind the router we can use a VPN. With VyOS we have 2 options:

  • L2TP/IPSec - Native support on Windows and OS X. Linux client support can be tricky.
  • OpenVPN - Requires third party client installed, works well on Windows, OS X and Linux.

Depending on your client machine, the type of VPN solution will vary. For Windows and OS X, L2TP/IPSec works very well in my experience. When developing my tools on Linux, OpenVPN tends to be more stable.

Configuring L2TP/IPSec VyOS

We start configuring L2TP/IPSec by changing to configuration mode after logging in to the router and specifying the interface we will use for IPSec connections. In addition I configured NAT Traversal; this step is not required and is only needed in case one VM inside the network wants to VPN into another environment.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 10.101.0.0/16

Now we configure the L2TP settings, starting with the account we will use for authentication. If you use special characters, make sure to enclose the password in quotes.

set vpn l2tp remote-access authentication local-users username labuser password 1abPass01

The next step is to create a pool of IP addresses that will be assigned to VPN clients when they connect, and the DNS server they will use. When we set up Active Directory we will have to come back and modify the dns-servers configuration block.

# Set L2TP Client IP Pool for VPN
set vpn l2tp remote-access client-ip-pool start '10.101.101.10'
set vpn l2tp remote-access client-ip-pool stop '10.101.101.14'
set vpn l2tp remote-access dns-servers server-1 10.101.101.1

We configure the L2TP authentication method and the pre-shared-secret IPSec settings. We make sure authentication validates against the local user we created, and we specify the external IP address and next hop of our external interface.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'My$secret'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access outside-address 192.168.1.9
set vpn l2tp remote-access outside-nexthop 192.168.1.1

commit
save

After running commit and save, we need to open the proper ports in the firewall from the outside to the external interface. We open UDP 500 for IKE and allow Encapsulating Security Payload (ESP) traffic.

# Allow IKE and ESP traffic for IPsec:
set firewall name OUTSIDE-LOCAL rule 100 action 'accept'
set firewall name OUTSIDE-LOCAL rule 100 destination port '500'
set firewall name OUTSIDE-LOCAL rule 100 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 200 action 'accept'
set firewall name OUTSIDE-LOCAL rule 200 protocol 'esp'

Now we open the port for L2TP over IPSec, and with match-ipsec we ensure that the rule only accepts traffic that arrived through the IPSec tunnel.

# Allow L2TP over IPsec
set firewall name OUTSIDE-LOCAL rule 210 action 'accept'
set firewall name OUTSIDE-LOCAL rule 210 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 210 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 210 protocol 'udp'

We also add a rule for NAT traversal traffic. 

# Allow NAT traversal of IPsec:
set firewall name OUTSIDE-LOCAL rule 250 action 'accept'
set firewall name OUTSIDE-LOCAL rule 250 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 250 protocol 'udp'

Once all rules are created we only need to commit and save to have the settings and ports open.

commit
save
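As an added example (not part of the original post), here is a small Python linter that parses the `set firewall` lines above and checks that the OUTSIDE-LOCAL chain accepts everything an L2TP/IPSec responder needs; it also flags the mistake that matters most here, an accept for udp/1701 without `ipsec match-ipsec`, which would expose the L2TP control channel outside the tunnel. The rule lines are copied from this post; the weak variant is constructed.

```python
"""Lint a VyOS OUTSIDE-LOCAL chain for the rules an L2TP/IPsec responder needs."""
import shlex
from collections import defaultdict

# Sample copied from the rules above (the "good" chain): the four accepts the
# VPN needs are IKE udp/500, ESP, L2TP udp/1701 only inside IPsec, NAT-T udp/4500.
GOOD_CONFIG = """\
set firewall name OUTSIDE-LOCAL rule 100 action 'accept'
set firewall name OUTSIDE-LOCAL rule 100 destination port '500'
set firewall name OUTSIDE-LOCAL rule 100 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 200 action 'accept'
set firewall name OUTSIDE-LOCAL rule 200 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 210 action 'accept'
set firewall name OUTSIDE-LOCAL rule 210 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 210 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 210 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 250 action 'accept'
set firewall name OUTSIDE-LOCAL rule 250 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 250 protocol 'udp'
"""

# Constructed weak variant: the `ipsec 'match-ipsec'` line on rule 210 was forgotten,
# so udp/1701 is reachable from the outside in the clear.
WEAK_CONFIG = GOOD_CONFIG.replace(
    "set firewall name OUTSIDE-LOCAL rule 210 ipsec 'match-ipsec'\n", "")

# Defender's checklist: each entry must be satisfied by at least one accept rule.
REQUIRED = [
    ("IKE", {"protocol": "udp", "destination port": "500"}),
    ("NAT-T", {"protocol": "udp", "destination port": "4500"}),
    ("ESP", {"protocol": "esp"}),
    ("L2TP inside IPsec", {"protocol": "udp", "destination port": "1701",
                           "ipsec": "match-ipsec"}),
]


def parse_rules(config_text):
    """Return {chain: {rule_number: {key: value}}} from `set firewall name ...` lines."""
    rules = defaultdict(lambda: defaultdict(dict))
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set firewall name "):
            continue  # blank lines, comments and unrelated `set` statements
        tok = shlex.split(line)  # shlex strips the quotes VyOS shows around values
        if len(tok) < 8 or tok[4] != "rule":
            continue
        chain, num = tok[3], int(tok[5])
        key, value = " ".join(tok[6:-1]), tok[-1]  # e.g. "destination port", "500"
        rules[chain][num][key] = value
    return rules


def check_l2tp_firewall(config_text, chain="OUTSIDE-LOCAL"):
    """Return a list of findings; an empty list means the chain is complete and safe."""
    findings = []
    chain_rules = parse_rules(config_text).get(chain, {})
    accepts = {n: r for n, r in chain_rules.items() if r.get("action") == "accept"}
    for name, want in REQUIRED:
        if not any(all(r.get(k) == v for k, v in want.items()) for r in accepts.values()):
            findings.append(f"no accept rule for {name}: {want}")
    # Weak-configuration check: accepting udp/1701 without `ipsec match-ipsec`
    # exposes the L2TP control channel outside the tunnel.
    for num, r in sorted(accepts.items()):
        if (r.get("protocol") == "udp" and r.get("destination port") == "1701"
                and r.get("ipsec") != "match-ipsec"):
            findings.append(f"rule {num} accepts udp/1701 without 'ipsec match-ipsec'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, check_l2tp_firewall(cfg) or "OK")
```

Feed it the output of `show configuration commands | grep "firewall name OUTSIDE-LOCAL"` from the router to lint the live chain.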

Configuring IPSec VPN on Windows

On Windows 10 it only takes a single PowerShell cmdlet to create the VPN connection. To create the connection we use the Add-VpnConnection cmdlet with the following parameters:

  • Name - Name for the connection.
  • ServerAddress - IP address or FQDN of the VPN server.
  • TunnelType - we specify L2TP.
  • RememberCredential - we pass $true so it will remember the credentials used.
  • L2tpPsk - The IPSec pre-shared secret.
  • AuthenticationMethod - We specify a supported authentication method, in this case MSChapv2.
  • EncryptionLevel - we set the encryption level to Maximum.
  • Force - this will suppress the warning that the L2TP tunnel is not encrypted with a certificate.
  • PassThru - this parameter will show the resulting connection and the parameters with which it is configured.

Add-VpnConnection -Name LAB1 -ServerAddress 192.168.1.9 -TunnelType L2tp -RememberCredential:$true -L2tpPsk 'My$secret' -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum -Force -PassThru

Configuring IPSec VPN on OS X

  • Choose Apple menu > System Preferences, then click Network.
  • Click Add at the bottom of the network connection services list, click the Interface pop-up menu, then choose VPN and the VPN Type L2TP over IPSec.
  • Enter the IP address of the external interface of the lab router and the username of the account configured.
  • Click on Authentication Settings and enter the password for the user, and under Machine Authentication enter the shared secret entered in the configuration.
  • Click OK, and in the main Network preference pane click on the gear under the list of connections and select Set Service Order.

Configuring OpenVPN on VyOS

Let's take a look at configuring OpenVPN. As mentioned earlier, in my experience OpenVPN has been an easier and more stable VPN solution for my development needs when working from a Linux development machine.

OpenVPN is an SSL/TLS-based VPN solution, and as such we need a CA to generate and sign the certificates it uses. Since this will be used in a home lab environment there is no need to build a proper CA infrastructure, so in this post I will cover using the easy-rsa2 scripts that OpenVPN provides. Also, since this is a home lab, I will generate the keys on the router itself. In a real production environment this should not be done: keys should be generated on a secure machine, and proper accounting of all keys generated and their revocation must be maintained.

We start by copying the easy-rsa version 2.0 folder from the OpenVPN examples directory (shipped with its documentation) into the config directory on the router, and setting the variables used for generating our certificates.

cp -pr /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
nano /config/easy-rsa2/vars

I increased the size of my Diffie-Hellman parameters to 2048 bits; you can set 4096, but generating them will take a very long time. 2048 is a good compromise given that this is a home lab and not production.

Once the modifications to the file are saved, we source the variables so they are set as the defaults when we generate the certificates.

cd /config/easy-rsa2/
source ./vars

We run the clean-all script to make sure the environment is properly set for key generation. 

./clean-all

We now start by building the CA root certificate using the build-ca script.

./build-ca

We now generate the Diffie-Hellman parameters in PEM format using the build-dh script.

./build-dh

We now generate the keys for our router using the build-key-server script and we give it the name of the router. 

./build-key-server R0

Once the keys are generated we copy our certificates to the location OpenVPN will use them from, the /config/auth directory.

sudo cp /config/easy-rsa2/keys/ca.crt /config/auth/
sudo cp /config/easy-rsa2/keys/dh2048.pem /config/auth/
sudo cp /config/easy-rsa2/keys/R0.key /config/auth/
sudo cp /config/easy-rsa2/keys/R0.crt /config/auth/

The router side is now done, and we proceed to create and sign the certificate the user will use to authenticate to the router.

./build-key labuser

We now create a single configuration file that can be used by most OpenVPN clients.

echo "client" >> labuser.ovpn
echo "proto udp" >> labuser.ovpn
echo "remote-cert-tls server" >> labuser.ovpn
echo "verb 2" >> labuser.ovpn
echo "dev tun0" >> labuser.ovpn
echo "remote 192.168.1.9 1194" >> labuser.ovpn
echo "<ca>" >> labuser.ovpn
cat /config/easy-rsa2/keys/ca.crt >> labuser.ovpn
echo "</ca>" >> labuser.ovpn
echo "<cert>" >> labuser.ovpn
cat /config/easy-rsa2/keys/labuser.crt >> labuser.ovpn
echo "</cert>" >> labuser.ovpn
echo "<key>" >> labuser.ovpn
cat /config/easy-rsa2/keys/labuser.key >> labuser.ovpn
echo "</key>" >> labuser.ovpn

Once the file is created you can use SCP to copy the file to your machine for use with the OpenVPN client of choice for the platform being used. 
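The echo sequence above appends, so running it twice yields a profile with duplicated blocks, and it leaves a file containing a private key with default permissions. As an added example (not the post's own script), here is a Python builder that assembles the same profile, validates each PEM block before embedding it, overwrites rather than appends, and writes the file with mode 0600; the file names and lab router address are taken from the post, and the PEM samples in demo() are constructed placeholders, not real keys.

```python
"""Build an OpenVPN client profile with inline <ca>/<cert>/<key> blocks, safely."""
import os
import re
import tempfile

# A single PEM block: header, body, matching footer (backreference \1).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----\s*$", re.S)

# Directives mirroring the post's profile.
BASE_DIRECTIVES = ["client", "proto udp", "remote-cert-tls server", "verb 2", "dev tun0"]


def load_pem(path, expect):
    """Return the file's text only if it is one PEM block whose type ends in `expect`
    (CERTIFICATE / PRIVATE KEY); a CSR or a stray shell prompt is rejected."""
    with open(path, encoding="ascii") as fh:
        text = fh.read().strip()
    match = PEM_RE.match(text)
    if not match or not match.group(1).endswith(expect):
        raise ValueError(f"{path}: expected a PEM {expect} block")
    return text


def build_profile(remote, port, ca_path, cert_path, key_path):
    """Return the .ovpn text: directives first, then the three inline blocks."""
    lines = BASE_DIRECTIVES + [f"remote {remote} {port}"]
    for tag, path, expect in (("ca", ca_path, "CERTIFICATE"),
                              ("cert", cert_path, "CERTIFICATE"),
                              ("key", key_path, "PRIVATE KEY")):
        lines += [f"<{tag}>", load_pem(path, expect), f"</{tag}>"]
    return "\n".join(lines) + "\n"


def write_profile(text, out_path):
    """Write with O_TRUNC (never append, so a re-run cannot duplicate blocks) and
    owner-only permissions, because the profile carries the user's private key.
    Returns the resulting file mode."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(out_path, 0o600)  # the O_CREAT mode is subject to umask; enforce it
    return os.stat(out_path).st_mode & 0o777


def demo():
    """Exercise the builder on constructed, non-functional PEM samples (not real keys)."""
    tmp = tempfile.mkdtemp()

    def p(name):
        return os.path.join(tmp, name)

    body = "Tk9UIEEgUkVBTCBLRVk="  # constructed placeholder body ("NOT A REAL KEY")
    files = {"ca.crt": "CERTIFICATE", "labuser.crt": "CERTIFICATE",
             "labuser.key": "RSA PRIVATE KEY", "labuser.csr": "CERTIFICATE REQUEST"}
    for name, kind in files.items():
        with open(p(name), "w") as fh:
            fh.write(f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n")
    text = build_profile("192.168.1.9", 1194, p("ca.crt"), p("labuser.crt"), p("labuser.key"))
    write_profile(text, p("labuser.ovpn"))
    mode = write_profile(text, p("labuser.ovpn"))  # second run: still one <key> block
    try:  # a CSR must not be embedded where a certificate is expected
        build_profile("192.168.1.9", 1194, p("ca.crt"), p("labuser.csr"), p("labuser.key"))
        csr_rejected = False
    except ValueError:
        csr_rejected = True
    with open(p("labuser.ovpn")) as fh:
        written = fh.read()
    return {"text": written, "mode": mode, "csr_rejected": csr_rejected}


if __name__ == "__main__":
    result = demo()
    print(result["text"])
    print(f"mode={result['mode']:o} csr_rejected={result['csr_rejected']}")
```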

We now need to configure the VPN service by creating a tun interface and specifying the certificates it will use, including the settings it will push to the machines that connect so they can reach the services behind the router.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.101.100.0/24
set interfaces openvpn vtun0 server name-server 10.101.101.1
set interfaces openvpn vtun0 server domain-name 'acmelabs.pvt'
set interfaces openvpn vtun0 server push-route 10.101.0.0/16
set service dns forwarding listen-on vtun0
set interfaces openvpn vtun0 tls cert-file /config/auth/R0.crt
set interfaces openvpn vtun0 tls key-file /config/auth/R0.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem

The last step is to open the ports in the firewall so clients can connect and commit and save the configuration.

# Allow OpenVPN Connection
set firewall name OUTSIDE-LOCAL rule 50 action 'accept'
set firewall name OUTSIDE-LOCAL rule 50 destination port '1194'
set firewall name OUTSIDE-LOCAL rule 50 protocol 'udp'

commit
save

I will leave the client configuration to the reader, since there are multiple clients per platform; on Linux there are several UI front-ends that can be used depending on the desktop in use.

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware. We have observed FIN7 attempt to compromise diverse organizations for malicious operations – usually involving the deployment of point-of-sale malware – primarily against the retail and hospitality industries.

Spear Phishing Campaign

All of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organizations. Many of the recipients were even listed in their company’s SEC filings. The sender email address was spoofed as EDGAR <filings@sec.gov> and the attachment was named “Important_Changes_to_Form10_K.doc” (MD5: d04b6410dddee19adec75f597c52e386). An example email is shown in Figure 1.

Figure 1: Example of a phishing email sent during this campaign

We have observed the following TTPs with this campaign:

  • The malicious documents drop a VBS script that installs a PowerShell backdoor, which uses DNS TXT records for its command and control. This backdoor appears to be a new malware family that FireEye iSIGHT Intelligence has dubbed POWERSOURCE. POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams. Using DNS TXT records to communicate is not an entirely new finding, but it should be noted that this has been a rising trend since 2013 likely because it makes detection and hunting for command and control traffic difficult.
  • We also observed POWERSOURCE being used to download a second-stage PowerShell backdoor called TEXTMATE in an effort to further infect the victim machine. The TEXTMATE backdoor provides a reverse shell to attackers and uses DNS TXT queries to tunnel interactive commands and other data. TEXTMATE is “memory resident” – often described as “fileless” malware. This is not a novel technique by any means, but it’s worth noting since it presents detection challenges and further speaks to the threat actor’s ability to remain stealthy and nimble in operations.
  • In some cases, we identified a Cobalt Strike Beacon payload being delivered via POWERSOURCE. This particular Cobalt Strike stager payload was previously used in operations linked to FIN7.
  • We observed that the same domain hosting the Cobalt Strike Beacon payload was also hosting a CARBANAK backdoor sample compiled in February 2017. CARBANAK malware has been used heavily by FIN7 in previous operations.
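The DNS TXT command-and-control described in the bullets above is what makes POWERSOURCE and TEXTMATE hard to spot, so as an added example (not FireEye's code) here is detection logic a defender can run over resolver query logs: it scores each client/domain pair on TXT-query volume, subdomain churn and label entropy, the signals that separate a tunnel from ordinary TXT lookups such as SPF or DKIM. The log format, the thresholds and the sample log lines are constructed assumptions.

```python
"""Score DNS resolver logs for TXT-based tunnelling such as the POWERSOURCE C2."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client> <qname> <qtype>".
# 10.0.0.5 does ordinary mail-related TXT lookups; 10.0.0.7 issues a stream of
# TXT queries for ever-changing, random-looking subdomains of one domain.
SAMPLE_LOG = """\
1488200000 10.0.0.5 _dmarc.example-corp.test TXT
1488200001 10.0.0.5 www.example-corp.test A
1488200002 10.0.0.5 example-corp.test TXT
1488200003 10.0.0.7 4f2a91c7e0b5d3.cmd.lab-c2.test TXT
1488200004 10.0.0.7 8c31e6a05d9f7b.cmd.lab-c2.test TXT
1488200005 10.0.0.5 selector1._domainkey.example-corp.test TXT
1488200006 10.0.0.7 d07b5e3f9a2c41.cmd.lab-c2.test TXT
1488200007 10.0.0.7 1e9a4c7d2f0b86.cmd.lab-c2.test TXT
1488200008 10.0.0.7 b5f30a8e6c1d92.cmd.lab-c2.test TXT
1488200009 10.0.0.5 _dmarc.example-corp.test TXT
1488200010 10.0.0.7 73c2d9e1a4f5b0.cmd.lab-c2.test TXT
"""


def shannon_entropy(s):
    """Bits per character; random hex/base32 labels score well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Assumption: a real deployment would consult a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_txt_activity(log_text, min_txt=5, min_unique=4, min_entropy=3.0):
    """Return {(client, domain): stats} for pairs whose TXT traffic looks like a channel:
    enough queries, many distinct subdomains and high average label entropy."""
    stats = defaultdict(lambda: {"txt": 0, "subdomains": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue
        _, client, qname, _ = parts
        domain = registered_domain(qname)
        sub = qname[:-len(domain)].rstrip(".")  # everything left of the registered domain
        entry = stats[(client, domain)]
        entry["txt"] += 1
        entry["subdomains"].add(sub)
        entry["entropy_sum"] += shannon_entropy(sub)
    flagged = {}
    for key, entry in stats.items():
        avg_entropy = entry["entropy_sum"] / entry["txt"]
        if (entry["txt"] >= min_txt and len(entry["subdomains"]) >= min_unique
                and avg_entropy >= min_entropy):
            flagged[key] = {"txt": entry["txt"], "unique": len(entry["subdomains"]),
                            "avg_entropy": round(avg_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for (client, domain), info in score_txt_activity(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

Tune the thresholds against a week of your own resolver logs before alerting on the result; a legitimate domain-validation or anti-spam service can also generate bursts of TXT queries.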

Victims

Thus far, we have directly identified 11 targeted organizations in the following sectors:

  • Financial services, with different victims having insurance, investment, card services, and loan focuses
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

All these organizations are based in the United States, and many have international presences. As the SEC is a U.S. regulatory organization, we would expect recipients of these spear phishing attempts to either work for U.S.-based organizations or be U.S.-based representatives of organizations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organizations in other countries.

Implications

We have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft. However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.

Previous FIN7 operations deployed multiple point-of-sale malware families for the purpose of collecting and exfiltrating sensitive financial data. The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.

Community Protection Event

FireEye implemented a Community Protection Event – FaaS, Mandiant, Intelligence, and Products – to secure all clients affected by this campaign. In this instance, an incident detected by FaaS led to the deployment of additional detections by the FireEye Labs team after FireEye Labs Advanced Reverse Engineering quickly analyzed the malware. Detections were then quickly deployed to the suite of FireEye products.

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the POWERSOURCE and TEXTMATE malware. Click here for more information.

Securing autonomous vehicles

Roborace unveiled the design for their autonomous race car at Mobile World Congress in Barcelona this week. Without a driver the car is lightweight and high performing. Powered by four 300kW motors which run off a 540kWh battery, the vehicle is capable of speeds up to 200 mph. Last month, an FIA Formula E event …

Bye Empire, Hello Nebula Exploit Kit.

Nebula Logo
While Empire (RIG-E) disappeared at the end of December after 4 months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

Illustration of the last month of witnessed activity for Empire

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - nebula-support@xmpp.jp


Offering free tests to trusted users 
------

In the same thread some screenshots were shared by a customer.
Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17
Payload: Pitou (6f9d71eebe319468927f74b93c820ce4)

This Sundown variation was not so different from the mainstream one: no "index.php?" in the landing URI and a different domain pattern, but the same landing, exploits, etc. Some payloads were sent in the clear (01.php), others RC4 encoded (00.php), as with Sundown.

Digging more, it appeared to feature an internal TDS (as Empire did): the exact same call would give you a different payload in France than in the United Kingdom or Japan.
"GamiNook" traffic with geo in France - 2017-02-17
Identical payload call gives you Gootkit instead of Pitou
Payload: Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to geo and not time based (rotation or an operator changing it), you need to make at least a third pass with the first geo and ensure the dropped sample is identical to the one from the first pass.


At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).

So I was calling that variant Sundown-N. Intel shared by Frank Ruiz (Fox-IT) on the 21st allowed me to know for sure that this traffic was indeed Nebula.

The following days I saw other actors sending traffic to this EK.
Taxonomy tied to Nebula Activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload

Today the URI pattern changed from this morning's:

/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN

(which is Sundown/Beps without the index.php) to

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination

(for those who would like to build their regexp, more patterns are available here: https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI)


2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK, but let's wait and see. Until today the only difference from Sundown was its internal TDS.
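As an added example (not from the original post), a first-pass classifier for the two landing-URI shapes quoted above, meant for hunting in proxy logs: the sample URIs are taken from the post, the token-length bounds are assumptions tuned to them, and the forum-style pattern also matches legitimate vBulletin-like URLs, so a hit is a lead to correlate with the Flash exploit hashes rather than a verdict.

```python
"""First-pass hunting classifier for the two Nebula landing-URI shapes quoted above."""
import re

# Old shape (Sundown/Beps without index.php): "/?<8-20 char token>=<long token>".
OLD_STYLE = re.compile(r"^/\?[A-Za-z0-9_-]{8,20}=[A-Za-z0-9_-]{40,80}$")
# New shape (2017-03-02): random path segments ending in a forum-like script.
# Only the showpost/showthread/viewtopic variants are covered here.
NEW_FORUM_STYLE = re.compile(
    r"^(?:/[A-Za-z0-9]+)+/(?:showpost\.php\?s=[0-9a-f]{32}&p=\d+&postcount=\d+"
    r"|showthread\.php\?t=\d+&page=\d+"
    r"|viewtopic\.php\?f=\d+&t=\d+)$"
)

# Sample copied from the post (six URIs) plus two constructed benign paths.
SAMPLE_URIS = [
    "/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB",
    "/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN",
    "/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8",
    "/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18",
    "/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1",
    "/2003/01/27/exchange-monday-wilderness",
    "/index.php?page=news&id=42",          # constructed benign path
    "/forum/showthread.php?t=1",           # constructed: forum URL without &page= (no hit)
]


def classify(path):
    """Return 'nebula-old', 'nebula-forum' or None for one request path (with query)."""
    if OLD_STYLE.match(path):
        return "nebula-old"
    if NEW_FORUM_STYLE.match(path):
        return "nebula-forum"
    return None


def scan(paths):
    """Return {label: [paths]} for hits; the caller correlates them with other evidence."""
    hits = {}
    for p in paths:
        label = classify(p)
        if label:
            hits.setdefault(label, []).append(p)
    return hits


if __name__ == "__main__":
    for label, paths in scan(SAMPLE_URIS).items():
        print(label, len(paths))
        for p in paths:
            print("   ", p)
```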

Exploits:
CVE-2014-6332 + CVE-2015-0016
CVE-2013-2551
CVE-2016-0189 godmode
CVE-2015-8651
CVE-2015-7645
CVE-2016-4117

Files:  Nebula_2017-03-02 (2 fiddler - password is malware)

Acknowledgement:
Thanks to Joseph C Chen and Brooks Li (Trendmicro), Frank Ruiz (Fox-IT InTELL) and Andrew Komarov (InfoArmor Inc.) for the help on different aspects of this post.

Edit:
2017-03-03: Corrected some CVE ids; not all payloads are in the clear
---
Some IOCs

2017/03/02boydescription.356020817786fb76e9361441800132c9.win93.190.141.39Nebula
2017/03/02buglecommand.textfatherfont.info93.190.141.39Nebula
2017/03/02buysummer.77e1084e.pro93.190.141.45Nebula
2017/03/02captaincertification.77e1084e.pro93.190.141.45Nebula
2017/03/02chargerule.textfatherfont.info93.190.141.39Nebula
2017/03/02cityacoustic.textfatherfont.info93.190.141.39Nebula
2017/03/02clickbarber.356020817786fb76e9361441800132c9.win93.190.141.39Nebula