Intelligence-Driven Incident Response by Scott J. Roberts, Rebekah Brown

Appendix A. Intelligence Products

Here are some example products based on the GLASS WIZARD threat. 

Short-Form Products

As described in Chapter 9, short-form products are one- or two-page tactical products meant for quick release and consumption.

IOC Report: Hydraq Indicators

This is a short-form IOC report detailing indicators of the Hydraq malware used by the GLASS WIZARD actor.

Summary

Hydraq is one of the pieces of malware used by GLASS WIZARD on important targets. The following indicators may be useful for identifying malicious activity.

Table A-1. Indicators

| Indicator | Context | Notes |
| --- | --- | --- |
| Rasmon.dll | Filename | |
| Securmon.dll | Filename | |
| A0029670.dll | Filename | |
| AppMgmt.dll | Filename | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[% random 4 chars %] | Malware reg key | Space removed before random chars |
| %System%/acelpvc.dll | Secondary file | Not a definitive indicator |
| %System%/VedioDriver.dll | Secondary file | Not a definitive indicator |
| RaS[FOUR RANDOM CHARACTERS] | Service name | May have false positives as a result |
| yahooo.8866.org | C2 domain | |
| sl1.homelinux.org | C2 domain | |
| 360.homeunix.com | C2 domain | |
| li107-40.members.linode.com | C2 domain | |
| ftp2.homeunix.com | C2 domain | |
| update.ourhobby.com | C2 domain | |
| blog1.servebeer.com | C2 domain | |

Notes

  • Inactive domains are set to loopback (127.0.0.2).
  • Symantec also had information about network traffic indicators.

Related TTPs

  • Delivery is believed to be via spear phishing.
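As an added example, not from the book, the following Python routine shows how the Table A-1 indicators might be consumed by a defender: it checks constructed host and DNS events against the filename, service-name and C2-domain indicators, scores the RaS[FOUR RANDOM CHARACTERS] pattern lower because of the false-positive caveat, and downgrades a C2 domain that resolves to 127.0.0.2 as inactive per the notes. The severity labels, the assumption that the four random characters are alphanumeric, and the sample events are all assumptions made for the example.

```python
import re

# Indicators from Table A-1 above; file and domain matching is case-insensitive.
HYDRAQ_FILENAMES = {"rasmon.dll", "securmon.dll", "a0029670.dll", "appmgmt.dll"}
HYDRAQ_SECONDARY_FILES = {"acelpvc.dll", "vediodriver.dll"}  # not definitive alone
HYDRAQ_C2_DOMAINS = {"yahooo.8866.org", "sl1.homelinux.org", "360.homeunix.com",
                     "li107-40.members.linode.com", "ftp2.homeunix.com",
                     "update.ourhobby.com", "blog1.servebeer.com"}
# "RaS" plus four random characters (assumed alphanumeric); can false-positive.
RAS_SERVICE = re.compile(r"^RaS[A-Za-z0-9]{4}$")
LOOPBACK_INACTIVE = "127.0.0.2"  # per the notes, inactive domains resolve here

def match_event(event):
    """Return (severity, reason) for one host or DNS event, or None if no match."""
    kind = event["type"]
    if kind == "file":
        # Compare only the basename, whatever path separator the source used.
        name = event["name"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in HYDRAQ_FILENAMES:
            return ("high", f"Hydraq filename {name}")
        if name in HYDRAQ_SECONDARY_FILES:
            return ("low", f"secondary Hydraq file {name} (not definitive)")
    elif kind == "service" and RAS_SERVICE.match(event["name"]):
        return ("medium", f"RaS-style service {event['name']} (possible false positive)")
    elif kind == "dns":
        domain = event["query"].lower().rstrip(".")
        if domain in HYDRAQ_C2_DOMAINS:
            if event.get("answer") == LOOPBACK_INACTIVE:
                return ("low", f"lookup of inactive C2 domain {domain} (loopback answer)")
            return ("high", f"lookup of Hydraq C2 domain {domain}")
    return None

def triage(events):
    """Run every event through the indicator set and keep only the hits."""
    hits = []
    for event in events:
        match = match_event(event)
        if match is not None:
            hits.append((event, match))
    return hits

# Constructed sample events (not real telemetry) covering each indicator class.
SAMPLE_EVENTS = [
    {"type": "file", "name": r"C:\Windows\System32\Rasmon.dll"},
    {"type": "file", "name": r"C:\Windows\System32\acelpvc.dll"},
    {"type": "service", "name": "RaSx7Qk"},
    {"type": "dns", "query": "update.ourhobby.com", "answer": "203.0.113.9"},
    {"type": "dns", "query": "sl1.homelinux.org", "answer": LOOPBACK_INACTIVE},
]
```

Running `triage(SAMPLE_EVENTS)` yields five hits: two high, one medium and two low, with the sinkholed-looking lookup of sl1.homelinux.org reported at low severity.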
