Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to our private APT intelligence reports receive unique and extraordinary data on the significant activity and campaigns of over 100 APTs from all over the world, including this 2016-2017 NewsBeef /APT33 activity.
USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets. Two files uploaded by USCYBERCOM are of particular interest. These were first seen Dec 2016 and Jan 2017:
MD5: d87663ce6a9fc0e8bc8180937b3566b9, served as
jquerycode-download[.]live/flashplayer23pp_xa_install.exe
jquerycode-download[.]live/chrome_update.exe
Detected as BSS:Exploit.Win32.Generic, Trojan-Downloader.Win32.Powdr.a, Trojan-Downloader.MSIL.Steamilik.zzo
MD5: 9b1a06590b091d300781d8fbee180e75, served as
jquerycode-download[.]live/citrixreceiver.exe
jquerycode-download[.]live/citrixcertificate.exe
ntg-sa[.]com/downloads/citrix_certificate.exe
Detected as BSS:Exploit.Win32.Generic, Trojan-Downloader.PowerShell.Agent.ah, DangerousObject.Multi.Generic
Read more…
Source: Kaspersky Lab