Trellix Insights: Countering APT35 Threats

Technical Articles ID: KB95158
Last Modified: 2022-09-07 04:58:37 Etc/GMT

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.

Summary

Description of Campaign
The APT35 threat group targeted high-risk users in the government, academia, and journalism sectors, as well as non-governmental organizations. The actor used hijacked websites and phishing campaigns with malicious links to harvest credentials. APT35 abused services from Dropbox and Microsoft, as well as Google Drive, App Scripts, and Sites pages to avoid defenses.

Our Threat Research team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Google and shared publicly.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	5D3FF202F20AF915863EEE45916412A271BAE1EA3A0E20988309C16723CE4DA5
HOSTNAME	service-reset-password-moderate-digital.rf.gd
HOSTNAME	reset-service-identity-mail.42web.io
HOSTNAME	digital-email-software.great-site.net
DOMAIN	nco2.live
DOMAIN	summit-files.com
DOMAIN	filetransfer.club
DOMAIN	continuetogo.me
DOMAIN	accessverification.online
DOMAIN	customers-verification-identifier.site
DOMAIN	service-activity-session.online
DOMAIN	identifier-service-review.site
DOMAIN	recovery-activity-identification.site
DOMAIN	review-session-confirmation.site
DOMAIN	recovery-service-activity.site
DOMAIN	verify-service-activity.site
DOMAIN	service-manager-notifications.info
DOMAIN	communication-shield.site
DOMAIN	cdsa.xyz

Minimum Content Versions

Content Type	Version
V2 DAT (VirusScan Enterprise)	10155
V3 DAT (Endpoint Security)	4607

Detection Summary

IOC	Scanner	Detection
5D3FF202F20AF915863EEE45916412A271BAE1EA3A0E20988309C16723CE4DA5	AVEngine V2	ANDROID/Spy.m
	AVEngine V3	ANDROID/Spy.m
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Affected Products

Trellix insights

Knowledge Center

Trellix Insights: Countering APT35 Threats

Environment

Summary

Affected Products

Title

Title

Knowledge Center

Trellix Insights: Countering APT35 Threats

Environment

Summary

Affected Products

Choose your region

Title

Title