Quedagh和BE2 APT、VOODOO BEAR、ELECTRUM、TeleBots
https://github.com/eset/malware-ioc/tree/master/telebots
https://malpedia.caad.fkie.fraunhofer.de/actor/sandworm
2014年
https://www.washingtonpost.com/r/2010-2019/WashingtonPost/2014/10/14/National-Security/Graphics/briefing2.pdf
2015年12月乌克兰断电
https://vulners.com/fireeye/FIREEYE:34E62B1760A7FC5F67EEFECD290F1C09
https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
2016年12月ICS警告
https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B
https://www.sans.org/blog/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid/
BlackEnergy
BlackEnergy是基于插件的MUMA,这意味着插件可以被编写和使用,几乎可以用于任何目的,包括键盘记录,音频录制和屏幕截图获取。
https://arstechnica.com/information-technology/2014/11/this-system-will-self-destruct-crimeware-gets-powerful-new-functions/
安全公司卡巴斯基实验室(Kaspersky Labs)提供的BlackEnergy的范围更广。为Windows和Linux系统定制的大量扩展程序包含执行DoS***,窃取密码,扫描端口,记录IP源,秘密获取屏幕截图,获得对命令和控制通道的持久访问权以及破坏硬盘驱动器的命令。研究人员Kurt Baumgartner和Maria Garnaeva还获得了可在基于ARM和MIPS的系统上运行的版本,并且发现了BlackEnergy感染了Cisco Systems制造的网络设备的证据。他们不确定某些插件的用途是什么,包括一个在连接的USB驱动器上收集设备实例ID和其他信息的插件,以及一个在BIOS,主板和受感染系统的处理器上收集详细信息的插件。
BE2样本分析
https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/?_ga=2.63016042.474927172.1585579152-2101879073.1584116726
https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/
https://marcusedmondson.com/2019/01/18/black-energy-analysis/
https://www.secureworks.com/research/blackenergy2
https://www.freebuf.com/news/46569.html
Industroyer
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
KillDisk是一种旨在清除硬盘驱动器数据的恶意软件变体
https://www.cyber.nj.gov/threat-profiles/trojan-variants/killdisk
https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
NotPetya
2017年7月30日网络战试验场
https://www.freebuf.com/news/141277.html
主要两类恶意软件:BlackEnergy、KillDisk
来源:oschina
链接:https://my.oschina.net/u/4353702/blog/3221345