These are the IoCs from "Exchange servers under siege from at least 10 APT groups"
| SHA-1 | ESET detection name | Details |
|---|---|---|
| | Win32/Korplug.RT | Calypso loader |
| | Win32/Korplug.RU | Calypso loader |
| | Win32/Agent.ACUS | Calypso loader |
| | Win64/HackTool.Mimikat.A | Mimikat_ssp used by Calypso |
| | Win32/Agent.ACUQ | Opera Cobalt Strike loader |
| | Win64/Mikroceen.AN | Mikroceen RAT |
| | Win64/HackTool.Mimikat.A | Mimikat_ssp used by Mikroceen |
| | Win32/HackTool.Proxy.A | Proxy used by Mikroceen |
| | Win64/Kryptik.CHN | ShadowPad backdoor used by Tonto Team |
| | Win64/Riskware.LsassDumper.J | LSASS dumper used by Tonto Team |
| | Win32/Agent.ACGZ | PlugX injector used by the Winnti Group |
| | Win64/Winnti.DA | Winnti loader |
| | Win64/HackTool.Mimikat.A | Mimikatz used by the Winnti Group |
| | Win64/HackTool.Mimikat.A | Mimikatz used by the Winnti Group |
| | Win32/PSWTool.QuarksPwDump.E | Password dumper used by the Winnti Group |
| | Win64/Shadowpad.E | Unclassified ShadowPad |
| | Win64/Shadowpad.E | Unclassified ShadowPad |
| | PowerShell/TrojanDownloader.Agent.CEK | DLTMiner |
| | PowerShell/TrojanDownloader.Agent.CEK | DLTMiner |
| | Win64/Agent.AKS | Websiic |
| | Win64/Agent.AKS | Websiic |
| | Win64/Agent.AKT | Websiic |
| | Win64/Agent.IG | IIS Backdoor |
| IP address / domain | Details |
|---|---|
| | LuckyMouse SysUpdate C&C server |
| | Calypso C&C server |
| | Calypso C&C server |
| | “Opera Cobalt Strike” C&C & distribution server |
| | “Opera Cobalt Strike” distribution server |
| | Mikroceen RAT C&C server |
| | Mikroceen proxy C&C server |
| | Tick Delphi backdoor C&C server |
| | Tick Delphi backdoor C&C server |
| | Tonto Team distribution server |
| | Tonto Team ShadowPad C&C server |
| | Winnti Group PlugX C&C server |
| | Winnti Group PlugX C&C server |
| | Winnti malware C&C server |
| | Unclassified ShadowPad C&C server |
| | Unclassified ShadowPad C&C server |
| | DLTMiner C&C server |
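The two tables above are only useful once they are machine-readable. The following added example (not part of the ESET post and not ESET's code) parses tables in the same pipe layout into records, drops any row whose SHA-1 cell is empty or malformed, since such a row cannot be matched on, and sweeps a constructed set of file contents and connection destinations against the remaining indicators. The embedded rows reuse detection names and details from the page, but the SHA-1 value, the IP address 192.0.2.10, the domain c2.example.net and every file and destination checked are constructed placeholders; the page does not carry the real values.

```python
# Added example (not ESET's code): consume IoC tables in the page's
# "| SHA-1 | ESET detection name | Details |" and "| IP address / domain | Details |"
# layouts and sweep a host for hits. Detection names and details are the page's;
# the hash, address, domain, files and destinations below are CONSTRUCTED.
import hashlib
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_BLOB = b"constructed stand-in for a dropped IIS module"  # not real malware
PLACEHOLDER_SHA1 = hashlib.sha1(SAMPLE_BLOB).hexdigest()        # stands in for a real IoC hash

FILE_IOC_TABLE = f"""
| SHA-1 | ESET detection name | Details |
|---|---|---|
| | Win32/Korplug.RT | Calypso loader |
| | Win64/HackTool.Mimikat.A | Mimikatz used by the Winnti Group |
| {PLACEHOLDER_SHA1} | Win64/Agent.IG | IIS Backdoor |
"""

NET_IOC_TABLE = """
| IP address / domain | Details |
|---|---|
| 192.0.2.10 | Unclassified ShadowPad C&C server |
| c2.example.net | DLTMiner C&C server |
"""


@dataclass(frozen=True)
class FileIoc:
    sha1: str        # lower-case hex
    detection: str
    details: str


@dataclass(frozen=True)
class NetIoc:
    indicator: str   # IP address or domain, lower-cased
    details: str


def parse_pipe_table(text):
    """Return the body rows of a pipe table as lists of stripped cells.
    The first pipe row is the header; rows made only of dashes/colons are separators."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue
        rows.append(cells)
    return rows[1:]


def load_file_iocs(table_text):
    """Rows with an empty or non-SHA-1 hash cell are dropped: nothing can be matched on them."""
    iocs = []
    for cells in parse_pipe_table(table_text):
        if len(cells) != 3:
            continue
        sha1, detection, details = cells
        if re.fullmatch(r"[0-9a-f]{40}", sha1.lower()):
            iocs.append(FileIoc(sha1.lower(), detection, details))
    return iocs


def load_net_iocs(table_text):
    return [NetIoc(c[0].lower(), c[1]) for c in parse_pipe_table(table_text)
            if len(c) == 2 and c[0]]


def match_files(files, file_iocs):
    """files: {path: bytes}. Returns {path: FileIoc} for every content whose SHA-1 is listed."""
    by_hash = {i.sha1: i for i in file_iocs}
    hits = {}
    for path, data in files.items():
        ioc = by_hash.get(hashlib.sha1(data).hexdigest())
        if ioc is not None:
            hits[path] = ioc
    return hits


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def match_connections(destinations, net_iocs):
    """destinations: remote IPs or hostnames from connection logs. IP indicators match
    exactly; domain indicators match the host itself or any subdomain of it."""
    hits = {}
    for dest in destinations:
        d = dest.lower()
        for ioc in net_iocs:
            if _is_ip(ioc.indicator):
                if d == ioc.indicator:
                    hits[dest] = ioc
            elif d == ioc.indicator or d.endswith("." + ioc.indicator):
                hits[dest] = ioc
    return hits


if __name__ == "__main__":
    file_iocs = load_file_iocs(FILE_IOC_TABLE)   # one usable row; two dropped for empty hash
    net_iocs = load_net_iocs(NET_IOC_TABLE)
    files = {r"C:\Temp\sample.dll": SAMPLE_BLOB, r"C:\Temp\benign.txt": b"not the blob"}  # constructed
    for path, ioc in match_files(files, file_iocs).items():
        print(f"{path}: {ioc.detection} ({ioc.details})")
    for dest, ioc in match_connections(["192.0.2.10", "update.c2.example.net", "10.0.0.5"], net_iocs).items():
        print(f"{dest}: {ioc.details}")
```

Subdomain matching is a design choice: a listed C&C domain usually appears in logs under a host label (update., cdn., etc.), so a suffix match on "." plus the indicator catches those without also matching unrelated names that merely end in the same characters.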