Privileges and Credentials: Phished at the Request of Counsel
In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.
APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the macro-enabled Microsoft Excel (XLSM) documents. At least one observed phishing lure delivered a Cobalt Strike payload.
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| URL | http://autodiscover.2bunny.com/K5om | — | 2017-06-06 |
| URL | http://lyncdiscover.2bunny.com/Autodiscover | — | 2017-06-06 |
| URL | http://sfo02s01-in-f2.cloudsend.net/IE9CompatViewList.xml | — | 2017-06-06 |
| URL | http://sfo02s01-in-f2.cloudsend.net/submit.php | — | 2017-06-06 |
| URL | http://tk-in-f156.2bunny.com/Agreement.doc | — | 2017-06-06 |
| hostname | autodiscover.2bunny.com | — | 2017-06-06 |
| hostname | lyncdiscover.2bunny.com | — | 2017-06-06 |
| hostname | tf-in-f167.2bunny.com | — | 2017-06-06 |
| hostname | tk-in-f156.2bunny.com | — | 2017-06-06 |
| FileHash-MD5 | 0bef39d0e10b1edfe77617f494d733a8 | — | 2017-06-06 |
| FileHash-MD5 | 0e6da59f10e1c4685bb5b35a30fc8fb6 | — | 2017-06-06 |
| FileHash-MD5 | 1151619d06a461456b310096db6bc548 | — | 2017-06-06 |
| FileHash-MD5 | 30f149479c02b741e897cdb9ecd22da7 | — | 2017-06-06 |
| FileHash-MD5 | 38125a991efc6ab02f7134db0ebe21b6 | — | 2017-06-06 |
| FileHash-MD5 | 3a1dca21bfe72368f2dd46eb4d9b48c4 | — | 2017-06-06 |
| FileHash-MD5 | bae0b39197a1ac9e24bdf9a9483b18ea | — | 2017-06-06 |
| FileHash-MD5 | cebd0e9e05749665d893e78c452607e2 | — | 2017-06-06 |
| email | angela.suh@cloudsend.net | — | 2017-06-06 |
| email | ashley.safronoff@cloudsend.net | — | 2017-06-06 |
| email | infodept@cloudsend.net | — | 2017-06-06 |
| email | lindsey.hersh@cloudsend.net | — | 2017-06-06 |
| email | noreply@cloudsend.net | — | 2017-06-06 |
| email | sarah.roberto@cloudsend.net | — | 2017-06-06 |
| CVE | CVE-2017-0199 | — | 2017-06-06 |
| YARA | c57de3b161f6a0c449b9aae07599dc014e6292cf | — | 2017-07-25 |
| YARA | 87b1cbd501e24498247313f4961dbd1582ae496c | This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7. | 2018-04-10 |
| YARA | 909de46c299d3a923d08ef24e5fd0f27a9071263 | This rule was written to hit on specific variables and PowerShell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4. | 2018-04-10 |
| hostname | www.2bunny.com | — | 2019-12-06 |