Pulse: BBSRAT Attacks Targeting Russian Organizations
TLP: WHITE | Adversary: Roaming Tiger | Author: AlienVault | Created: 2015-12-23 | Modified: 2017-07-22
43 IOCs | Medium volume
In late 2014, ESET presented an attack campaign, dubbed “Roaming Tiger”, that had been observed over a period of time targeting Russia and other Russian-speaking nations. The attack was found to rely heavily on RTF exploits and, at the time, was thought to make use of the PlugX malware family. ESET did not attribute the attacks to a particular group, but noted that the objective of the campaign was espionage and general information stealing. The adversaries behind these attacks continued to target Russia and other Russian-speaking nations using similar exploits and attack vectors. However, while the malware used in these new attacks shares infection mechanisms with PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT.”
Indicators of Compromise (43)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 61a692e615e31b97b47a215479e6347fbd8e6e33d7c9d044766b4c1d1ae1b1fb 2015-12-23
FileHash-SHA256 567a5b54d6c153cdd2ddd2b084f1f66fc87587dd691cd2ba8e30d689328a673f 2015-12-23
FileHash-SHA256 2d81d65d09bf1b864d8964627e13515cee7deddfbd0dc70b1e67f123ab91421e 2015-12-23
FileHash-SHA256 5aa7db3344aa76211bbda3eaaccf1fc1b2e76df97ff9c30e7509701a389bd397 2015-12-23
FileHash-SHA256 77a2e26097285a794e42c9e813d14936d0e7a1dd3504205dd6b28a71626f8c3c 2015-12-23
FileHash-SHA256 7438ed5f0fbe4b26afed2fe0e4e4531fc129a44d8ea416f12a77d0c0cd873520 2015-12-23
FileHash-SHA256 13d0bd83a023712b54c1dd391dfc1bc27b22d9df4fe3942e2967ec82d7c95640 2015-12-23
FileHash-SHA256 0fc52c74dd54a97459e964b340d694d8433a3229f61e1c305477f8c56c538f27 2015-12-23
FileHash-SHA256 0baf36ca2d3772fdff989e2b7e762829d30db132757340725bb50dee3b51850c 2015-12-23
FileHash-SHA256 71dc584564b726ed2e6b1423785037bfb178184419f3c878e02c7da8ba87c64d 2015-12-23
FileHash-SHA256 b1737f3a1c50cb39cd9938d5ec3b4a6a10b711f17e917886481c38967b93e259 2015-12-23
FileHash-SHA256 d579255852720d794349ae2238f084c6393419af38479f3d0e3d2a21c9eb8e18 2015-12-23
FileHash-SHA256 95f198ed29cf3f7d4ddd7cf688bfec9e39d92b78c0a1fd2288e13a92459bdb35 2015-12-23
FileHash-SHA256 6fae5305907ce99f9ab51e720232ef5acf1950826db520a847bf8892dc9578de 2015-12-23
FileHash-SHA256 44171afafca54129b89a0026006eca03d5307d79a301e4a8a712f796a3fdec6e 2015-12-23
FileHash-SHA256 fc4b465ee8d2053e9e41fb0a6ae32843e4e23145845967a069e584f582279725 2015-12-23
FileHash-SHA256 012ec51657d8724338a76574a39db4849579050f02c0103d46d406079afa1e8b 2015-12-23
FileHash-SHA256 22592a32b1193587a707d8b20c04d966fe61b37f7def7613d9bb91ff2fe9b13b 2015-12-23
FileHash-SHA256 4ea23449786b655c495edf258293ac446f2216464b3d1bccb314ef4c61861101 2015-12-23
FileHash-SHA256 e049bd90028a56b286f4b0b9062a8df2ab2ddf492764e3962f295e9ce33660e3 2015-12-23
domain futuresgolda.com 2015-12-23
domain transactiona.com 2015-12-23
hostname herman.eergh.com 2015-12-23
hostname pagbine.ofhloe.com 2015-12-23
hostname kop.gupdiic.com 2015-12-23
hostname systemupdate5.dtdns.net 2015-12-23
hostname wap.hbwla.com 2015-12-23
hostname adobeflashupdate1.strangled.net 2015-12-23
hostname panaba.empleoy-plan.com 2015-12-23
hostname adobeflashupdate.dynu.com 2015-12-23
hostname www.testzake.com 2015-12-23
hostname windowsupdate.dyn.nu 2015-12-23
hostname winwordupdate.dynu.com 2015-12-23
hostname cdaklle.housejjk.com 2015-12-23
hostname loomon.gupdiicc.com 2015-12-23
hostname peak.measurepeak.com 2015-12-23
hostname wap.kylxt.com 2015-12-23
hostname jowwln.cocolco.com 2015-12-23
hostname wap.gxqtc.com 2015-12-23
hostname www.yunw.top 2015-12-23
hostname support.yandexmailru.kr 2015-12-23
hostname prdaio.unbrtel.com 2015-12-23
YARA d86e4e29a47311ed239cbefc31616e431bf2d008 2017-07-22