Appendix A. Intelligence Products
Here are some example products based on the GLASS WIZARD threat.
Short-Form Products
As described in Chapter 9, Short Form products are one- or two-page tactical products meant for quick release and consumption.
IOC Report: Hydraq Indicators
This is a short form IOC report detailing indicators of the Hydraq malware used by the GLASS WIZARD actor.
Summary
Hydraq is one of the pieces of malware used by GLASS WIZARD on important targets. The following indicators may be useful for identifying malicious activity.
| Indicator | Context | Notes |
|---|---|---|
| Rasmon.dll | Filename | |
| Securmon.dll | Filename | |
| A0029670.dll | Filename | |
| AppMgmt.dll | Filename | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %] | Malware reg key | Space removed before random chars |
| %System%/acelpvc.dll | Secondary file | Not a definitive indicator |
| %System%/VedioDriver.dll | Secondary file | Not a definitive indicator |
| RaS[FOUR RANDOM CHARACTERS] | Service name | May have false positives as a result |
| yahooo.8866.org | C2 domain | |
| sl1.homelinux.org | C2 domain | |
| 360.homeunix.com | C2 domain | |
| li107-40.members.linode.com | C2 domain | |
| ftp2.homeunix.com | C2 domain | |
| update.ourhobby.com | C2 domain | |
| blog1.servebeer.com | C2 domain | |
Notes
- Inactive domains are set to loopback (127.0.0.2).
- Symantec also had information about network traffic indicators.
Related TTPs
- Delivery is believed to be via spear phishing.
References