Trusted Design

ISC 2015-12-30: Actor using Rig EK to deliver Qbot - update

Summary

A follow-up to a previous SANS Institute diary entry on the actor using Rig exploit kit (EK) to deliver Qbot. The author infected more Windows hosts from other compromised websites in order to obtain additional data about the actor. This actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for the EK landing page. The sequence of events is: 1) User visits a website compromised by this actor; 2) An HTTP GET request for a .js file from the compromised site returns text with malicious script appended to it; 3) An HTTP GET request to the gate returns a variable used by the malicious script; and 4) The variable sent by the gate is decrypted, and an HTTP GET request for the EK landing page is sent.

Created: 2026-02-23

Indicators

No indicators were found.

Similar Pulses

Threat actors related to this Pulse (fact-based)

Transparent Tribe

Score: 6.29
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

LuminousMoth

Score: 3.03
Matched TTPs:
  • T1608.004 - Drive-by Target
Link to MITRE →

Dragonfly

Score: 10.89
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1505.003 - Web Shell
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1584.004 - Server
Link to MITRE →

CURIUM

Score: 6.56
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1505.003 - Web Shell
  • T1189 - Drive-by Compromise
Link to MITRE →

APT32

Score: 21.50
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1505.003 - Web Shell
  • T1550.003 - Pass the Ticket
  • T1218.005 - Mshta
  • T1218.010 - Regsvr32
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1046 - Network Service Discovery
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

FIN7

Score: 12.31
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1674 - Input Injection
  • T1218.005 - Mshta
  • T1102.002 - Bidirectional Communication
Link to MITRE →

Threat Group-3390

Score: 12.98
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1505.003 - Web Shell
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1046 - Network Service Discovery
  • T1027.015 - Compression
Link to MITRE →

Mustard Tempest

Score: 4.80
Matched TTPs:
  • T1608.004 - Drive-by Target
  • T1189 - Drive-by Compromise
Link to MITRE →

APT28

Score: 11.55
Matched TTPs:
  • T1505.003 - Web Shell
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1550.001 - Application Access Token
Link to MITRE →

OilRig

Score: 18.49
Matched TTPs:
  • T1505.003 - Web Shell
  • T1218.001 - Compiled HTML File
  • T1203 - Exploitation for Client Execution
  • T1137.004 - Outlook Home Page
  • T1573.002 - Asymmetric Cryptography
  • T1046 - Network Service Discovery
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

FIN13

Score: 6.46
Matched TTPs:
  • T1505.003 - Web Shell
  • T1046 - Network Service Discovery
  • T1090.001 - Internal Proxy
Link to MITRE →

BackdoorDiplomacy

Score: 3.53
Matched TTPs:
  • T1505.003 - Web Shell
  • T1046 - Network Service Discovery
Link to MITRE →

Agrius

Score: 3.53
Matched TTPs:
  • T1505.003 - Web Shell
  • T1046 - Network Service Discovery
Link to MITRE →

Deep Panda

Score: 4.51
Matched TTPs:
  • T1505.003 - Web Shell
  • T1218.010 - Regsvr32
Link to MITRE →

APT39

Score: 8.86
Matched TTPs:
  • T1505.003 - Web Shell
  • T1102.002 - Bidirectional Communication
  • T1046 - Network Service Discovery
  • T1090.001 - Internal Proxy
Link to MITRE →

Mustang Panda

Score: 14.24
Matched TTPs:
  • T1505.003 - Web Shell
  • T1218.005 - Mshta
  • T1203 - Exploitation for Client Execution
  • T1046 - Network Service Discovery
  • T1027.007 - Dynamic API Resolution
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

Tropic Trooper

Score: 7.77
Matched TTPs:
  • T1505.003 - Web Shell
  • T1203 - Exploitation for Client Execution
  • T1573.002 - Asymmetric Cryptography
  • T1046 - Network Service Discovery
Link to MITRE →

Ember Bear

Score: 9.16
Matched TTPs:
  • T1505.003 - Web Shell
  • T1203 - Exploitation for Client Execution
  • T1046 - Network Service Discovery
  • T1588.005 - Exploits
Link to MITRE →

HAFNIUM

Score: 5.90
Matched TTPs:
  • T1505.003 - Web Shell
  • T1550.001 - Application Access Token
Link to MITRE →

Sandworm Team

Score: 8.49
Matched TTPs:
  • T1505.003 - Web Shell
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1584.004 - Server
Link to MITRE →

Fox Kitten

Score: 6.82
Matched TTPs:
  • T1505.003 - Web Shell
  • T1217 - Browser Information Discovery
  • T1046 - Network Service Discovery
Link to MITRE →

Tonto Team

Score: 3.26
Matched TTPs:
  • T1505.003 - Web Shell
  • T1203 - Exploitation for Client Execution
Link to MITRE →

Volt Typhoon

Score: 12.58
Matched TTPs:
  • T1505.003 - Web Shell
  • T1217 - Browser Information Discovery
  • T1584.004 - Server
  • T1046 - Network Service Discovery
  • T1090.001 - Internal Proxy
Link to MITRE →

APT38

Score: 12.60
Matched TTPs:
  • T1505.003 - Web Shell
  • T1217 - Browser Information Discovery
  • T1218.005 - Mshta
  • T1218.001 - Compiled HTML File
  • T1189 - Drive-by Compromise
Link to MITRE →

APT29

Score: 18.52
Matched TTPs:
  • T1505.003 - Web Shell
  • T1550.003 - Pass the Ticket
  • T1218.005 - Mshta
  • T1203 - Exploitation for Client Execution
  • T1090.004 - Domain Fronting
  • T1027.006 - HTML Smuggling
Link to MITRE →

Magic Hound

Score: 7.69
Matched TTPs:
  • T1505.003 - Web Shell
  • T1102.002 - Bidirectional Communication
  • T1189 - Drive-by Compromise
  • T1046 - Network Service Discovery
Link to MITRE →

BlackByte

Score: 3.53
Matched TTPs:
  • T1505.003 - Web Shell
  • T1046 - Network Service Discovery
Link to MITRE →

Medusa Group

Score: 10.81
Matched TTPs:
  • T1505.003 - Web Shell
  • T1573.002 - Asymmetric Cryptography
  • T1046 - Network Service Discovery
  • T1218.014 - MMC
Link to MITRE →

Leviathan

Score: 13.76
Matched TTPs:
  • T1505.003 - Web Shell
  • T1218.010 - Regsvr32
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1584.004 - Server
  • T1027.015 - Compression
Link to MITRE →

Sea Turtle

Score: 3.26
Matched TTPs:
  • T1505.003 - Web Shell
  • T1203 - Exploitation for Client Execution
Link to MITRE →

Kimsuky

Score: 13.38
Matched TTPs:
  • T1505.003 - Web Shell
  • T1218.005 - Mshta
  • T1218.010 - Regsvr32
  • T1102.002 - Bidirectional Communication
  • T1588.005 - Exploits
Link to MITRE →

Scattered Spider

Score: 11.55
Matched TTPs:
  • T1217 - Browser Information Discovery
  • T1204 - User Execution
  • T1556.009 - Conditional Access Policies
Link to MITRE →

Moonstone Sleet

Score: 3.29
Matched TTPs:
  • T1217 - Browser Information Discovery
Link to MITRE →

Chimera

Score: 5.05
Matched TTPs:
  • T1217 - Browser Information Discovery
  • T1046 - Network Service Discovery
Link to MITRE →

BRONZE BUTLER

Score: 7.10
Matched TTPs:
  • T1550.003 - Pass the Ticket
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

Sidewinder

Score: 3.83
Matched TTPs:
  • T1218.005 - Mshta
  • T1203 - Exploitation for Client Execution
Link to MITRE →

Lazarus Group

Score: 22.40
Matched TTPs:
  • T1218.005 - Mshta
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1584.004 - Server
  • T1046 - Network Service Discovery
  • T1027.007 - Dynamic API Resolution
  • T1090.001 - Internal Proxy
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

MuddyWater

Score: 6.23
Matched TTPs:
  • T1218.005 - Mshta
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
Link to MITRE →

TA2541

Score: 8.24
Matched TTPs:
  • T1218.005 - Mshta
  • T1573.002 - Asymmetric Cryptography
  • T1027.015 - Compression
Link to MITRE →

Inception

Score: 6.58
Matched TTPs:
  • T1218.005 - Mshta
  • T1218.010 - Regsvr32
  • T1203 - Exploitation for Client Execution
Link to MITRE →

Earth Lusca

Score: 6.94
Matched TTPs:
  • T1218.005 - Mshta
  • T1189 - Drive-by Compromise
  • T1584.004 - Server
Link to MITRE →

Confucius

Score: 3.83
Matched TTPs:
  • T1218.005 - Mshta
  • T1203 - Exploitation for Client Execution
Link to MITRE →

TA551

Score: 5.09
Matched TTPs:
  • T1218.005 - Mshta
  • T1218.010 - Regsvr32
Link to MITRE →

Gamaredon Group

Score: 12.43
Matched TTPs:
  • T1218.005 - Mshta
  • T1001 - Data Obfuscation
  • T1102.002 - Bidirectional Communication
  • T1027.015 - Compression
Link to MITRE →

PROMETHIUM

Score: 5.90
Matched TTPs:
  • T1205.001 - Port Knocking
  • T1189 - Drive-by Compromise
Link to MITRE →

UNC3886

Score: 5.63
Matched TTPs:
  • T1205.001 - Port Knocking
  • T1203 - Exploitation for Client Execution
Link to MITRE →

LAPSUS$

Score: 4.13
Matched TTPs:
  • T1204 - User Execution
Link to MITRE →

Dark Caracal

Score: 5.20
Matched TTPs:
  • T1218.001 - Compiled HTML File
  • T1189 - Drive-by Compromise
Link to MITRE →

Silence

Score: 3.44
Matched TTPs:
  • T1218.001 - Compiled HTML File
Link to MITRE →

APT41

Score: 6.70
Matched TTPs:
  • T1218.001 - Compiled HTML File
  • T1203 - Exploitation for Client Execution
  • T1046 - Network Service Discovery
Link to MITRE →

Cobalt Group

Score: 8.75
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1203 - Exploitation for Client Execution
  • T1573.002 - Asymmetric Cryptography
  • T1046 - Network Service Discovery
Link to MITRE →

Storm-0501

Score: 6.88
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1556.009 - Conditional Access Policies
Link to MITRE →

Blue Mockingbird

Score: 7.28
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1574.012 - COR_PROFILER
Link to MITRE →

APT19

Score: 4.51
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1189 - Drive-by Compromise
Link to MITRE →

APT37

Score: 5.66
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

APT12

Score: 3.89
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
Link to MITRE →

Turla

Score: 9.93
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1189 - Drive-by Compromise
  • T1584.004 - Server
  • T1090.001 - Internal Proxy
Link to MITRE →

Andariel

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

BlackTech

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1046 - Network Service Discovery
Link to MITRE →

Patchwork

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

Axiom

Score: 7.80
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1001.002 - Steganography
Link to MITRE →

Higaisa

Score: 7.57
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1090.001 - Internal Proxy
  • T1027.015 - Compression
Link to MITRE →

Elderwood

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

Darkhotel

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
Link to MITRE →

APT33

Score: 4.24
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

Velvet Ant

Score: 5.67
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1090.001 - Internal Proxy
Link to MITRE →

RedCurl

Score: 4.51
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1046 - Network Service Discovery
Link to MITRE →

FIN6

Score: 7.26
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1046 - Network Service Discovery
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

FIN8

Score: 5.49
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

Leafminer

Score: 3.53
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1046 - Network Service Discovery
Link to MITRE →

Daggerfly

Score: 4.60
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1584.004 - Server
Link to MITRE →

Equation

Score: 4.13
Matched TTPs:
  • T1564.005 - Hidden File System
Link to MITRE →

Strider

Score: 7.06
Matched TTPs:
  • T1564.005 - Hidden File System
  • T1090.001 - Internal Proxy
Link to MITRE →

Contagious Interview

Score: 7.28
Matched TTPs:
  • T1204.004 - Malicious Copy and Paste
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
Link to MITRE →

Lotus Blossom

Score: 4.69
Matched TTPs:
  • T1046 - Network Service Discovery
  • T1090.001 - Internal Proxy
Link to MITRE →

Molerats

Score: 3.15
Matched TTPs:
  • T1027.015 - Compression
Link to MITRE →

Mofang

Score: 3.15
Matched TTPs:
  • T1027.015 - Compression
Link to MITRE →

Threat actors related to this Pulse (inference-based)

APT32

Score: 0.79
Matched TTPs:
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
  • T1218.010 - Regsvr32
  • T1189 - Drive-by Compromise
  • T1505.003 - Web Shell
  • T1550.003 - Pass the Ticket
  • T1218.005 - Mshta
  • T1608.004 - Drive-by Target
  • T1046 - Network Service Discovery
  • T1203 - Exploitation for Client Execution
Link to MITRE →

Lazarus Group

Score: 0.77
Matched TTPs:
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
  • T1189 - Drive-by Compromise
  • T1102.002 - Bidirectional Communication
  • T1218.005 - Mshta
  • T1027.007 - Dynamic API Resolution
  • T1090.001 - Internal Proxy
  • T1046 - Network Service Discovery
  • T1203 - Exploitation for Client Execution
  • T1584.004 - Server
Link to MITRE →

APT29

Score: 0.66
Matched TTPs:
  • T1027.006 - HTML Smuggling
  • T1505.003 - Web Shell
  • T1550.003 - Pass the Ticket
  • T1218.005 - Mshta
  • T1203 - Exploitation for Client Execution
  • T1090.004 - Domain Fronting
Link to MITRE →

OilRig

Score: 0.65
Matched TTPs:
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
  • T1505.003 - Web Shell
  • T1046 - Network Service Discovery
  • T1137.004 - Outlook Home Page
  • T1218.001 - Compiled HTML File
  • T1203 - Exploitation for Client Execution
  • T1573.002 - Asymmetric Cryptography
Link to MITRE →

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph

