Slide 14
FinFisher – Gamma Group
Installs a driver
Modifies the MBR
Injects itself into legitimate processes (winlogon.exe, svchost.exe)
Packer & anti-debugging
AES-256-CBC
C2: 77.69.140.194 (Bahrain); ports: 22, 53, 80, 443, 4111
Slide 15
FinFisher – Gamma Group
Bypassing of 40 regularly tested Antivirus Systems
Covert Communication with Headquarters
Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
Recording of common communication like Email, Chats and Voice-over-IP
Live Surveillance through Webcam and Microphone
Country Tracing of Target
Silent Extracting of Files from Hard-Disk
Process-based Key-logger for faster analysis
Live Remote Forensics on Target System
Advanced Filters to record only important information
Supports most common Operating Systems (Windows, Mac OSX and Linux)
Slide 21
Mamfakinch.com
Please don't mention my name or anything at all, I don't want any trouble…
http://freeme.eu5.org/scandale%20(2).doc
Hacking Team – RCS
OSX.Crisis / W32.Crisis
File adobe.jar -> versions for Mac and Win32
Win32: CurrentVersion/Run. Process infection
Infects VMware images
Slide 25
Concerns over Uyghur People.doc
Hosh Hewer.doc
Jenwediki yighingha iltimas qilish Jediwili.doc
list.doc
Press Release on Commemorat the Day of Mourning.doc
The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
Uyghur Political Prisoner.doc
2013-02-04 - Deported Uyghurs.doc
Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
Kadeer Logistics detail.doc
Slide 27
Word for Mac vulnerability CVE-2012-0158
Opens a real document and runs a binary
Keylogger, machine information, remote control
LaunchDaemon 'systm'
Tiny Shell
AES (12345678) and SHA1
'me' as contact
C2: update.googmail.org (207.204.245.192)
Slide 35
Word for Mac vulnerability CVE-2012-0158
Opens a real document and runs a binary
Keylogger, machine information, remote control
Digitally signed binary
C2: 61.178.77.76 TCP/1080
Slide 49
APT1 / GOGGLES vs GLASSES
The application pretends to be a folder
Drops a non-malicious PDF (a job posting in Nepal) and a binary spkptdhv.exe in %temp% that installs itself in the registry
Commands: sleep / download & run
GET /ewpindex.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; Clj26Dbj.XYZ)
Host: ewplus.com
Cache-Control: no-cache
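A defender-side check for the beacon request shown on this slide, written as an added example (it is not from the original slides or from any vendor tool): it parses a captured HTTP request head, matches the slide's host/path pair, and flags any token in the User-Agent comment that does not belong to a normal MSIE UA. The sample requests are constructed for the example, and the allow-list of UA tokens is an assumption, not an exhaustive reference.

```python
import re

# Indicators taken from the slide's captured request.
IOC_HOST = "ewplus.com"
IOC_PATH = "/ewpindex.htm"
# Tokens that legitimately appear in an MSIE User-Agent comment (assumed, not exhaustive).
NORMAL_UA_TOKEN = re.compile(
    r"^(compatible|MSIE \d+\.\d+|Windows NT \d+\.\d+|Trident/\d+\.\d+|"
    r"\.NET CLR [\d.]+|WOW64|SLCC\d|Media Center PC [\d.]+|InfoPath\.\d)$")

def parse_request(raw):
    """Split a raw HTTP request head into (method, path, headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def odd_ua_tokens(user_agent):
    """Return tokens in the UA's parenthesised comment that are not standard."""
    m = re.search(r"\((.*)\)", user_agent)
    if not m:
        return []
    tokens = [t.strip() for t in m.group(1).split(";")]
    return [t for t in tokens if not NORMAL_UA_TOKEN.match(t)]

def classify(raw):
    """List the reasons a request looks like the beacon; [] means clean."""
    _method, path, headers = parse_request(raw)
    reasons = []
    if headers.get("host", "").lower() == IOC_HOST and path == IOC_PATH:
        reasons.append("known C2 host/path")
    odd = odd_ua_tokens(headers.get("user-agent", ""))
    if odd:
        reasons.append("non-standard User-Agent token(s): " + ", ".join(odd))
    return reasons

# Constructed samples: the slide's beacon and a benign IE7 request.
BEACON = ("GET /ewpindex.htm HTTP/1.1\r\n"
          "User-Agent: Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; "
          "Trident/4.0; Clj26Dbj.XYZ)\r\n"
          "Host: ewplus.com\r\nCache-Control: no-cache\r\n")
BENIGN = ("GET /index.html HTTP/1.1\r\n"
          "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
          "Trident/4.0)\r\nHost: www.example.com\r\n")

if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, classify(req) or "clean")
```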
Slide 52
Spoofed From address
Tibetans commonly 'root' their Android devices to install fonts
They also sideload APKs because of restrictions in Google Play
Modified apps
Intercepts SMS to report location
Steals call history, SMS and contacts
C2 android.uyghur.dnsd.me
Slide 69
Capture webcam activity
Disable the notification setting for certain antivirus programs
Download and execute arbitrary programs and commands
Modify the hosts file
Record key strokes
Retrieve system information about the computer
Start or end processes
Steal passwords
Update itself
Slide 84
[29/05/2012 18:03:44] Aleppo Team | | ...: Last modified plan Aleppo time for Jihad
[29/05/2012 18:03:46] Aleppo Team | | ...: Send the file "plan eventually 2.rar"
Slide 101
DarkComet RAT
Connects to 216.6.0.28/google.exe
Keylogger:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs.sys
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\..lnk
Slide 104
With Blackshades Remote Controller you can:
- Control several computers at once, performing tasks ranging from viewing their screens to uploading/downloading files from them
- Perform maintenance on a Network
- Help a client out by using the screen capture feature, even if they are on the other side of the world
- Monitor a specific PC, recording the keystrokes and remotely managing the files
- Access your computer that you have at home if you are on holiday
- Monitor the computers of students and their activity while teaching a computing lesson
- Chat with clients that you are connected to