Pulse: Privileges and Credentials: Phished at the Request of Counsel
TLP: WHITE | Adversary: Shell Crew | Author: AlienVault | Created: 2017-06-06 | Modified: 2019-12-06
28 IOCs (medium volume)
Description: In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. FireEye attributes the campaign to APT19, a group assessed to be composed of freelancers with some degree of sponsorship by the Chinese government. APT19 used three different delivery techniques over the course of the campaign. In early May, the phishing lures carried RTF attachments exploiting CVE-2017-0199, the Microsoft Office OLE vulnerability that lets a crafted document fetch and execute remote content when opened. Toward the end of May, APT19 switched to macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, the XLSM macros were extended with an application whitelisting bypass so the payload would run on hosts that restrict which executables may launch. At least one observed phishing lure delivered a Cobalt Strike payload.
Indicators of Compromise (5 of 28 total shown). Indicator types present in the full pulse: URL, hostname, FileHash-MD5, email, CVE, YARA.

TYPE  INDICATOR                                                  DESCRIPTION  CREATED
URL   http://autodiscover.2bunny.com/K5om                        (none)       2017-06-06
URL   http://lyncdiscover.2bunny.com/Autodiscover                (none)       2017-06-06
URL   http://sfo02s01-in-f2.cloudsend.net/IE9CompatViewList.xml  (none)       2017-06-06
URL   http://sfo02s01-in-f2.cloudsend.net/submit.php             (none)       2017-06-06
URL   http://tk-in-f156.2bunny.com/Agreement.doc                 (none)       2017-06-06

Note that the hostnames mimic legitimate Exchange and Skype for Business service-discovery names (autodiscover, lyncdiscover) and Google-style edge node names (sfo02s01-in-f2, tk-in-f156), so a hostname-only match in proxy logs is easy to overlook unless the second-level domains 2bunny.com and cloudsend.net are what is being watched.
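The URL indicators above are only useful once they are actually run against egress telemetry. The script below is an added example written for this page (it is not part of the AlienVault pulse or FireEye's reporting): it takes the five listed URLs, indexes them at three confidence tiers (exact URL, exact hostname, registered domain), and sweeps constructed proxy log lines for hits. The log format (timestamp, client IP, method, URL, status) and the client addresses are made up for the example; the registered-domain derivation simply takes the last two labels, which is an assumption that a real deployment would replace with a public-suffix-list lookup.

```python
import re
from urllib.parse import urlparse

# The five URL indicators listed on this pulse, copied verbatim.
PULSE_URLS = [
    "http://autodiscover.2bunny.com/K5om",
    "http://lyncdiscover.2bunny.com/Autodiscover",
    "http://sfo02s01-in-f2.cloudsend.net/IE9CompatViewList.xml",
    "http://sfo02s01-in-f2.cloudsend.net/submit.php",
    "http://tk-in-f156.2bunny.com/Agreement.doc",
]


def registered_domain(host):
    """Crude registered-domain extraction (assumption: last two labels).
    Good enough for 2bunny.com / cloudsend.net; a production tool should
    consult the public suffix list instead."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def build_index(urls):
    """Index URL IOCs at three tiers of match confidence.
    exact: host + path, strongest signal
    hosts: hostname only, e.g. a different path on a known C2 host
    domains: registered domain only, weakest, catches new subdomains."""
    exact, hosts, domains = set(), set(), set()
    for u in urls:
        p = urlparse(u)
        host = p.netloc.lower()
        exact.add(host + p.path)
        hosts.add(host)
        domains.add(registered_domain(host))
    return exact, hosts, domains


# Constructed proxy log lines for the example (hypothetical clients and times):
# <epoch> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1496764800.101 10.20.30.41 GET http://lyncdiscover.2bunny.com/Autodiscover 200
1496764801.212 10.20.30.41 GET http://www.example.com/index.html 200
1496764802.333 10.20.30.55 POST http://sfo02s01-in-f2.cloudsend.net/submit.php 200
1496764803.444 10.20.30.55 GET http://cdn.2bunny.com/static/logo.png 404
1496764804.555 10.20.30.60 GET http://tk-in-f156.2bunny.com/Agreement.doc 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def match_iocs(log_text, urls=PULSE_URLS):
    """Return (client_ip, url, tier) for every log line that touches an IOC.
    Tier is 'url', 'hostname' or 'domain'; only the strongest tier is reported."""
    exact, hosts, domains = build_index(urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        p = urlparse(m["url"])
        host = p.netloc.lower()
        if host + p.path in exact:
            hits.append((m["client"], m["url"], "url"))
        elif host in hosts:
            hits.append((m["client"], m["url"], "hostname"))
        elif registered_domain(host) in domains:
            hits.append((m["client"], m["url"], "domain"))
    return hits


if __name__ == "__main__":
    for client, url, tier in match_iocs(SAMPLE_LOG):
        print(f"{tier:8s} {client:15s} {url}")
```

The tiering matters because the pulse is a snapshot: the adversary can rotate paths and subdomains far more cheaply than registered domains, so a domain-tier hit on a host that is not in the pulse (the constructed cdn.2bunny.com line above) is exactly the lead an analyst should pivot on, while an exact-URL hit is strong enough to open an incident on its own.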