Pulse Detail — Threat Intelligence

PULSE NAME

Possible New APT29 Malware

WHITE CozyDuke AlienVault 2018-11-15 Modified: 2019-01-17

IOCs

MEDIUM VOLUME

FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.

Indicators of Compromise (39)

All URL domain FileHash-SHA256 email FileHash-MD5 FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJl1D8QPmBiAElSRF5C-r7FnqyjQYTMSpwohcZJlQ	—	2018-11-15
URL	http://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJI1D8QPmBiAEISRF5-r7FnqyjQYTMSpwohcZJIQ	—	2018-11-15
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlVwasCkzgFJ643Ufb-JErgHKw076Qo952sBeDtQ	—	2018-11-15
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlNwgDrORaP0JBUHLp-D0uE6fVHA5YvGwcZanLTQ	—	2018-11-15
domain	pandorasong.com	—	2018-11-15
FileHash-SHA256	1cc77858e5f3513a051a8cf2895891eebe52fdd604017b55030fed0d63cf3faf	—	2018-11-15
FileHash-SHA256	2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c	—	2018-11-15
FileHash-SHA256	e2945268c976f8dc33ba9a8d1a804f00cff46aabc01cd3196651322a71863b87	—	2018-11-15
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlGPQxhTiD0s4yqjlR-l6t4eJmabHpBfgqGnj10Q	—	2018-11-15
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlkhn1F7vUCp63GHrb-vM5wHIQOhqXYb4L0GCKaQ	—	2018-11-15
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlrzNf3vTyuabOHkJo-jcQwkHRgeWM70tzJd6LTQ	—	2018-11-15
email	vleger@tutanota.com	—	2018-11-15
FileHash-SHA256	bb192911340e7df8560360c7acd92a7bd8e1c055e19955a2f572cd0b4ca5eb75	—	2018-11-16
FileHash-SHA256	b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05	—	2018-11-16
URL	https://www.jmj.com/personal/nauerthn_state_gov	—	2018-11-20
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlGPQx	—	2018-11-20
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJI1D8QPmBiAEISRF5-r7FnqyjQYTMSpwohcZJIQ	—	2018-11-20
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlGPQxhTiD0s4yqjlRl6t4eJmabHpBfgqGnj10Q	—	2018-11-20
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlNInl6EYKJ8QZBt4R-y2XQ4rg9dphAE6fSRCT0Q	—	2018-11-20
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlVwasCkzgFJ643Ufb-JErgHKw076Qo952sBeDtQ)	—	2018-11-20
URL	https://pandorasong.com/radio/xmlrpc/v45	—	2018-11-20
URL	http://pandorasong.com/access/	—	2018-11-20
URL	http://pandorasong.com/radio/xmlrpc/v45	—	2018-11-20
FileHash-MD5	16bbc967a8b6a365871a05c74a4f345b	—	2018-11-20
FileHash-MD5	2b13b244aafe1ecace61ea1119a1b2ee	—	2018-11-20
FileHash-MD5	313f4808aa2a2073005d219bc68971cd	—	2018-11-20
FileHash-MD5	3fccf531ff0ae6fedd7c586774b17a2d	—	2018-11-20
FileHash-MD5	658c6fe38f95995fa8dc8f6cfe41df7b	—	2018-11-20
FileHash-MD5	6ed0020b0851fb71d5b0076f4ee95f3c	—	2018-11-20
FileHash-MD5	f713d5df826c6051e65f995e57d6817d	—	2018-11-20
email	0245@northshorehealthgm.org	—	2018-11-20
email	dosonedrivenotifications-svct-mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm.org	—	2018-11-20
URL	https://pandorasong.com/access/	—	2018-12-03
URL	https://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJlqdzvn7sAwbxHEOm5-6I98ZEsHDNiOMF4ATbm3Q	—	2018-12-03
URL	https://www.jmj.com/personal/nauerthn_state_gov/VFVKRTdRSm	—	2018-12-03
FileHash-SHA1	8e928c550e5d44fb31ef8b6f3df2e914acd66873	—	2018-12-03
FileHash-SHA1	9858d5cb2a6614be3c48e33911bf9f7978b441bf	—	2018-12-03
FileHash-SHA1	cd92f19d3ad4ec50f6d19652af010fe07dca55e1	—	2018-12-03
FileHash-SHA1	e431261c63f94a174a1308defccc674dabbe3609	—	2018-12-03

References (4)

↗ https://twitter.com/DrunkBinary/status/1063075530180886529 ↗ https://twitter.com/FireEye/status/1063107895401857026 ↗ https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html ↗ https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/