3 items related to APT32 operations (#86)

wietze · Sep 6, 2024 · bd3d926 · bd3d926
1 parent 30299fa
commit bd3d926
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 0 deletions.
diff --git a/yml/3rd_party/calibre/calibre-launcher.yml b/yml/3rd_party/calibre/calibre-launcher.yml
@@ -0,0 +1,25 @@
+---
+Name: calibre-launcher.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-08-07
+Vendor: Calibre
+ExpectedLocations:
+  - '%PROGRAMFILES%\Calibre2'
+VulnerableExecutables:
+  - Path: 'calibre.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - OriginalFilename: calibre.exe
+        InternalName: calibre
+        FileDescription: The main calibre program
+    SHA256:
+      - 735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435fd1
+Resources:
+  - https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'
+  - Name: Craig Sweeney
+    Company: Huntress
+    Twitter: '@bumbucha'
diff --git a/yml/3rd_party/dropbox/goopdate.yml b/yml/3rd_party/dropbox/goopdate.yml
@@ -0,0 +1,35 @@
+---
+Name: goopdate.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-08-08
+Vendor: Dropbox
+ExpectedLocations:
+  - '%PROGRAMFILES%\Dropbox\Update'
+  - '%PROGRAMFILES%\Dropbox\Update\%VERSION%'
+  - '%LOCALAPPDATA%\DropboxUpdate\Update'
+VulnerableExecutables:
+  - Path: 'DropboxUpdate.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - OriginalFilename: DropboxUpdate.exe
+        InternalName: Dropbox Update
+        FileDescription: Dropbox Update
+    SHA256:
+      - 47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc
+  - Path: 'DropboxCrashHandler.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - OriginalFilename: DropboxUpdate.exe
+        InternalName: Dropbox Update
+        FileDescription: Dropbox Update
+    SHA256:
+      - 47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc
+Resources:
+  - https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'
+  - Name: Craig Sweeney
+    Company: Huntress
+    Twitter: '@bumbucha'
diff --git a/yml/3rd_party/mcafee/mcutil.yml b/yml/3rd_party/mcafee/mcutil.yml
@@ -0,0 +1,28 @@
+---
+Name: mcutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-08-07
+Vendor: McAfee
+ExpectedLocations:
+  - '%PROGRAMFILES%\McAfee Inc.\McAfee Total Protection 2009'
+VulnerableExecutables:
+  - Path: 'mcoemcpy.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - OriginalFilename: mcoemcpy.exe
+        InternalName: mcoemcpy
+        FileDescription: McAfee OEM Info Copy Files
+    SHA256:
+      - 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe
+Resources:
+  - https://www.virustotal.com/gui/file/3bcb28d19a779b6da0c42c1506cd1908f9bcceeffff45f572677e032551f9a96/relations
+  - https://www.virustotal.com/gui/file/b0263de0622050091a0fbf06428229e5da291b87926ca29c8ee3b01a2a514e4f/detection
+  - https://web-assets.esetstatic.com/wls/2018/03/ESET_OceanLotus.pdf
+  - https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'
+  - Name: Craig Sweeney
+    Company: Huntress
+    Twitter: '@bumbucha'