2019-01-28: APT28 XTunnel Backdoor

Event ID: 1040
UUID: 5c500809-453c-4245-83e1-435c950d210f
Creator org: CIRCL
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected event: no (event is in unprotected mode)
Tags:
  •  misp-galaxy:mitre-enterprise-attack-intrusion-set="APT28"
  •  misp-galaxy:mitre-enterprise-attack-relationship="APT28 (G0007) uses XTunnel (S0117)"
  •  misp-galaxy:mitre-enterprise-attack-relationship="APT28 uses XTunnel"
  •  misp-galaxy:mitre-intrusion-set="APT28"
  •  misp-galaxy:mitre-mobile-attack-intrusion-set="APT28"
  •  misp-galaxy:mitre-enterprise-attack-malware="XTunnel"
  •  misp-galaxy:mitre-malware="XTunnel"
  •  ecsirt:intrusions="backdoor"
  •  veris:action:malware:variety="Backdoor"
  •  ms-caro-malware:malware-type="Backdoor"
  •  ms-caro-malware-full:malware-type="Backdoor"
  •  type:OSINT
  •  osint:lifetime="perpetual"
  •  osint:certainty="50"
  •  tlp:white
  •  osint:source-type="microblog-post"
Date: 2019-01-29
Threat Level: Low
Analysis: Initial
Distribution: All communities
Published: Yes (2022-08-17 16:57:52)
Attributes: 20 (5 objects)
First recorded change: 2019-01-29 08:37:40
Last change: 2019-01-29 14:03:55
Sightings: 0 (0), restricted to own organisation only

Related Events
  2019-06-02  OSINT – FlawedAmmy RAT  (1)
  2019-05-13  OSINT – [Emering] FIN7 JScript Loader Malware  (1)
  2019-01-28  2019-01-28: Turla Kazuar RAT  (1)

Galaxies
  Microsoft Activity Group actor: STRONTIUM
  Enterprise Attack – Intrusion Set: APT28 – G0007
  Intrusion Set: APT28 – G0007
  Mobile Attack – Intrusion Set: APT28 – G0007
  Enterprise Attack – Malware: XTunnel – S0117
  Threat Actor: Sofacy

Attributes (date, category, object relation and type, value)

Object: virustotal-report
  2019-01-29  Other              last-submission (datetime)  2019-01-29T12:48:40.000000
  2019-01-29  External analysis  permalink (link)            https://www.virustotal.com/file/be2e58669dbdec916f7aaaf4d7c55d866c4f38ac290812b10d680d943bb5b757/analysis/1548766120/
  2019-01-29  Other              detection-ratio (text)      43/68

Object: file (references: 1)
  2019-01-29  Payload delivery   md5 (md5)        16b6d63390340941ec0fe60b0177384f
  2019-01-29  Payload delivery   sha1 (sha1)      c3212e1e609588cb5736b1fd9aa8581c965ffa08
  2019-01-29  Payload delivery   sha256 (sha256)  be2e58669dbdec916f7aaaf4d7c55d866c4f38ac290812b10d680d943bb5b757
  2019-01-29  Network activity   ip-dst           109.236.93.138   comment: C2
  2019-01-29  External analysis  attachment
  2019-01-29  External analysis  attachment
  2019-01-29  External analysis  attachment

Object: file
  2019-01-29  Payload delivery   md5 (md5)     16b6d63390340941ec0fe60b0177384f
  2019-01-29  Other              state (text)  Malicious

Object: file
  2019-01-29  Payload delivery   filename (filename)  Xtunnel_Http_Method.exe
  2019-01-29  Other              state (text)         Malicious

Object: microblog
  2019-01-29  Other              post (text)               2019-01-28: #APT28 #XTunnel #Backdoor C2 🛡️ : 109.236.93[.138 | "How are you?" Marker  Original Filename: "Xtunnel_Http_Method.exe"  😉 h/t @CNMF_VirusAlert MD5: 16b6d63390340941ec0fe60b0177384f
  2019-01-29  Other              type (text)               Twitter
  2019-01-29  Network activity   url (url)                 https://twitter.com/VK_Intel/status/1090111749284614144
  2019-01-29  Other              username-quoted (text)    CNMF_VirusAlert
  2019-01-29  Other              creation-date (datetime)  2019-01-28T20:57:00.000000
  2019-01-29  Other              username (text)           VK_Intel   related events: 1041, 1079, 1090

All attributes inherit the event distribution; no sightings are recorded on any of them.
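The indicators in this event (file hashes, the C2 address, the original filename) are only useful once they are matched against telemetry, and the tweet they come from carries the C2 address in defanged form ("109.236.93[.138"), which will silently never match if pasted into a rule as-is. The following is an added example, not part of the MISP event or of the source tweet: a small Python matcher that refangs the indicators, normalises hash and filename case, and runs them over a few constructed proxy and EDR log lines. The log line formats, hostnames and internal addresses are invented for the example and do not correspond to any product's output.

```python
import re

# Indicators transcribed from the event above (file objects and microblog post).
# The ip-dst value is deliberately kept in the defanged form used in the tweet,
# so the scan path exercises refang(); the file object records it as 109.236.93.138.
IOCS = {
    "md5": "16b6d63390340941ec0fe60b0177384f",
    "sha1": "c3212e1e609588cb5736b1fd9aa8581c965ffa08",
    "sha256": "be2e58669dbdec916f7aaaf4d7c55d866c4f38ac290812b10d680d943bb5b757",
    "ip-dst": "109.236.93[.138",
    "filename": "Xtunnel_Http_Method.exe",
}

# Constructed sample telemetry (not real product logs): one proxy line that reaches
# the C2, one EDR line with the dropper name and MD5 in upper case, one benign line.
SAMPLE_LOGS = [
    "2019-01-29T10:02:11Z proxy src=10.1.4.23 dst=109.236.93.138 dport=443 method=POST bytes=1284",
    "2019-01-29T10:01:58Z edr host=WS0417 event=file_create "
    "path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\XTUNNEL_HTTP_METHOD.EXE "
    "md5=16B6D63390340941EC0FE60B0177384F",
    "2019-01-29T10:03:00Z proxy src=10.1.4.23 dst=93.184.216.34 dport=443 method=GET bytes=512",
]

HASH_RE = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DEFANG_RE = re.compile(r"\[\.\]?|\[dot\]|\(dot\)|\{\.\}", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging: 1.2.3[.]4, 1.2.3[.4, example(dot)com, hxxp(s)://."""
    value = DEFANG_RE.sub(".", value)
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalise(iocs: dict) -> dict:
    """Refang every indicator and lower-case the case-insensitive kinds."""
    out = {}
    for kind, value in iocs.items():
        value = refang(value)
        if kind in HASH_RE or kind == "filename":
            value = value.lower()
        out[kind] = value
    return out


def match_line(line: str, iocs: dict) -> list:
    """Return (kind, value) pairs for every normalised indicator found in the line.

    Hashes and IPs are extracted as whole tokens first (word boundaries), so a
    longer hash or a longer address such as 109.236.93.1389 cannot match by prefix.
    """
    hits = []
    for kind, rx in HASH_RE.items():
        if kind in iocs:
            for tok in rx.findall(line):
                if tok.lower() == iocs[kind]:
                    hits.append((kind, iocs[kind]))
    if "ip-dst" in iocs:
        for tok in IPV4_RE.findall(line):
            if tok == iocs["ip-dst"]:
                hits.append(("ip-dst", tok))
    if "filename" in iocs:
        # Match the bare name wherever it appears in a path; the lookarounds stop
        # it matching as a substring of a longer name.
        name_rx = r"(?<![\w.])" + re.escape(iocs["filename"]) + r"(?![\w.])"
        if re.search(name_rx, line, re.IGNORECASE):
            hits.append(("filename", iocs["filename"]))
    return hits


def scan(lines, iocs=None) -> list:
    """Scan log lines; return (index, line, hits) for each line with at least one hit."""
    iocs = normalise(iocs if iocs is not None else IOCS)
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results.append((i, line, hits))
    return results


if __name__ == "__main__":
    for idx, line, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(f'{k}={v}' for k, v in hits)}")
        print(f"    {line}")
```

Hash tokens are compared after lower-casing because agents differ in the case they emit, while the IP is compared exactly after refanging; the filename check is case-insensitive because NTFS is. Extending the matcher to the sha1/sha256 values is just a matter of the log source carrying them; the VirusTotal permalink in the event embeds the sha256 and would match the same way.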