Hidden Cobra is an APT group that mostly targets media organizations, aerospace, financial and critical infrastructure sectors across the globe. The malware Hidden Cobra uses includes a Remote Access Trojan (RAT) called Joanap and a Server Message Block (SMB) worm called Brambul.
Indicators of Compromise
1. File integrity. Possible indicators of compromise are the hash values listed below:
   - 4613f51087f01715bf9132c704aea2c2
   - 298775B04A166FF4B8FBD3609E716945
   - e86c2f4fc88918246bf697b6a404c3ea
   - 4731CBAEE7ACA37B596E38690160A749
2. The following files present on the system:
   - scardprv.dll
   - Wmmvsvc.dll
   - Win32.Worm.Agent@077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885.bin
3. Emails sent from an infected host to the attacker. Attacker email addresses are listed below:
4. Connections to or from infected hosts:
5. The following vulnerabilities present on the system:
   - CVE-2015-6585
   - CVE-2015-8651
   - CVE-2016-0034
   - CVE-2016-1019
   - CVE-2016-4117
Log Source Requirements
- Windows Server / Integrity Scanner
  - Detects malicious file installation and malware-infected hosts
- Mail Server
  - Detects any emails sent to the malicious addresses
- Firewall
  - Detects connections to and from the listed malicious sources
- Vulnerability Management
  - Detects hosts vulnerable to the malware
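As an added example (not part of the brief), the following Python matcher applies the indicators above to constructed sample lines from the four log sources just listed. The hashes, file names and CVE identifiers are the ones on this page; the attacker mailbox and the peer IP address are hypothetical placeholders, since this version of the brief does not carry those values, and the key=value log format is an assumption.

```python
import re

# Indicators taken from the brief above; hashes compared case-insensitively.
KNOWN_HASHES = {h.lower() for h in (
    "4613f51087f01715bf9132c704aea2c2",
    "298775B04A166FF4B8FBD3609E716945",
    "e86c2f4fc88918246bf697b6a404c3ea",
    "4731CBAEE7ACA37B596E38690160A749",
)}
KNOWN_FILES = {"scardprv.dll", "wmmvsvc.dll"}
KNOWN_CVES = {"CVE-2015-6585", "CVE-2015-8651", "CVE-2016-0034",
              "CVE-2016-1019", "CVE-2016-4117"}
# Hypothetical placeholders: the brief does not reproduce these values here.
KNOWN_EMAILS = {"attacker@example.invalid"}
KNOWN_HOSTS = {"192.0.2.10"}  # TEST-NET address, constructed

# Constructed sample log lines, one or two per log source (key=value format assumed).
SAMPLE_LOGS = [
    "integrity host=ws01 path=C:\\Windows\\System32\\scardprv.dll md5=4613F51087F01715BF9132C704AEA2C2",
    "integrity host=ws02 path=C:\\Windows\\System32\\kernel32.dll md5=00000000000000000000000000000000",
    "mail host=ws01 from=user@corp.example to=attacker@example.invalid subject=report",
    "firewall src=10.0.0.5 dst=192.0.2.10 dport=445 action=allow",
    "vulnscan host=ws03 finding=CVE-2016-4117 severity=high",
    "vulnscan host=ws04 finding=CVE-2019-0001 severity=low",
]

KV = re.compile(r"(\w+)=(\S+)")

def match_line(line):
    """Return a list of (indicator_type, value) hits for one log line; [] if clean."""
    source, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    hits = []
    if source == "integrity":
        if fields.get("md5", "").lower() in KNOWN_HASHES:
            hits.append(("hash", fields["md5"].lower()))
        # Compare only the basename, so any install directory matches.
        name = fields.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in KNOWN_FILES:
            hits.append(("file", name))
    elif source == "mail" and fields.get("to", "").lower() in KNOWN_EMAILS:
        hits.append(("email", fields["to"].lower()))
    elif source == "firewall":
        for key in ("src", "dst"):  # either direction is an indicator
            if fields.get(key) in KNOWN_HOSTS:
                hits.append(("host", fields[key]))
    elif source == "vulnscan" and fields.get("finding", "").upper() in KNOWN_CVES:
        hits.append(("cve", fields["finding"].upper()))
    return hits

def scan(lines):
    """Map each log line that has at least one hit to its list of hits."""
    results = {line: match_line(line) for line in lines}
    return {line: hits for line, hits in results.items() if hits}
```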