Trusted Design

Privileges and Credentials: Phished at the Request of Counsel

概要

In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the macro-enabled Microsoft Excel (XLSM) documents. At least one observed phishing lure delivered a Cobalt Strike payload.

Created: 2026-02-23

Indicators

• URL - http://autodiscover.2bunny.com/K5om -
• YARA - 87b1cbd501e24498247313f4961dbd1582ae496c -
• URL - http://lyncdiscover.2bunny.com/Autodiscover -
• URL - http://tk-in-f156.2bunny.com/Agreement.doc -
• email - infodept@cloudsend.net -
• email - noreply@cloudsend.net -
• hostname - lyncdiscover.2bunny.com -
• FileHash-MD5 - 0e6da59f10e1c4685bb5b35a30fc8fb6 -
• CVE - CVE-2017-0199 -
• URL - http://sfo02s01-in-f2.cloudsend.net/IE9CompatViewList.xml -
• email - angela.suh@cloudsend.net -
• hostname - tk-in-f156.2bunny.com -
• FileHash-MD5 - 3a1dca21bfe72368f2dd46eb4d9b48c4 -
• email - sarah.roberto@cloudsend.net -
• FileHash-MD5 - 1151619d06a461456b310096db6bc548 -
• YARA - 909de46c299d3a923d08ef24e5fd0f27a9071263 -
• YARA - c57de3b161f6a0c449b9aae07599dc014e6292cf -
• FileHash-MD5 - 30f149479c02b741e897cdb9ecd22da7 -
• hostname - autodiscover.2bunny.com -
• hostname - www.2bunny.com -
• URL - http://sfo02s01-in-f2.cloudsend.net/submit.php -
• email - lindsey.hersh@cloudsend.net -
• FileHash-MD5 - 38125a991efc6ab02f7134db0ebe21b6 -
• FileHash-MD5 - cebd0e9e05749665d893e78c452607e2 -
• hostname - tf-in-f167.2bunny.com -
• FileHash-MD5 - 0bef39d0e10b1edfe77617f494d733a8 -
• FileHash-MD5 - bae0b39197a1ac9e24bdf9a9483b18ea -
• email - ashley.safronoff@cloudsend.net -

類似Pulses

• NetTraveler APT Targets Russian, European Interests (score: 0.67)
• Multiple Chinese APT Groups Quickly Use Flash Zero-Day (score: 0.65)
• Fidelis Threat Advisory #1017: Phishing in Plain Sight (score: 0.62)
• Dridex, Vawtrak and others increase focus on Canada (score: 0.62)
• Enterprises Hit by BARTALEX Macro Malware (score: 0.62)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る