Stonefly: Extortion Attacks Continue Against U.S. Targets

In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. The attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates (see Indicators of Compromise) that appear to be unique to this campaign.

Author: AlienVault

Related Tags:
Snap2HTML
T1114.001
T1573.002
T1573.001
T1566.001
T1056.001
T1204.002
T1059.001
plink

Associated Indicators (SHA-256):
09795D17D027C561E8E48F6089A8CF37E71C5985AFBF7F51945FC359B4697A16
89AA7B67E9476D0F91DF71A2B92EBE21F63F218AFB6446296403F34F91831D15
93B75BC724A4A85B93FB749B734381EF79AB54C2DEBF27907794C8FD632FA0F5
75448C81D54ACB16DD8F5C14E3D4713B3228858E07E437875FBEA9B13F431437
EA2867C5DE97E512B9780B6E73C075291259F5B24E95569CCBB05ED249D511A3
94EEF46095C231B1EE33CD63E063D8A2FC663E44832E45A294CF8D8CF9DF31F8
3F880395C9D5820C4018DAECF56711CE4EE719736590792F652EA29CBCBDB8F3
88B3C100D4A3168B1807FE9D1C4CB9D772E294C1CDF29FF287BC451D37891D8C
5633691B680B46B8BD791A656B0BB9FE94E6354F389AB7BC6B96D007C9D41FFA