APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
In May 2017, NCC Group's Incident Response team responded to an ongoing incident in which our client, which provides a range of services to the UK Government, suffered a network compromise involving the advanced persistent threat group APT15.
APT15 is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon.
A number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology.
Indicators of Compromise (24)