WEEKLY THREATS

Adversary Glaaki identified by the CNAIPIC

12 February 2021

An operation by the CNAIPIC of the Polizia di Stato led to the identification of a 45-year-old man resident in the province of Taranto, held responsible for a complex criminal activity aimed at the unlawful acquisition of personal credentials from unsuspecting citizens. He is believed to be the adversary Glaaki.

Glaaki is an Italian cyber-crime adversary, active since mid-2017, that targets Italian organisations.

The main infection vector is spear-phishing email whose purpose is to deliver malware, including custom-built malware.

The adversary uses the ngrok tunnelling service as a cloud-fronting layer to distribute first- and second-stage payloads, and relies mostly on VPN services to mask the location of the Command and Control (C2) servers of its malware.

The Cyber Intelligence Operation Center (CIOC) of TS-WAY began tracking the cyber adversary and delivering Indicators of Compromise for the campaigns carried out since November 2018 through its Cyber Threat Intelligence platform, TS-Intelligence.

Having identified technical elements that tentatively placed the adversary in Italy, the TS-WAY CIOC, in addition to monitoring Glaaki's activity and malicious campaigns, reported its findings and analysis to the Authorities.

It is worth noting that the adversary did not suspend its targeting activity during the pandemic. It appears to have exploited the "COVID-19" theme as a psychological lever to induce victims to open the malicious documents it sent.

Declassified TS-Intelligence Insight Special Reports (TLP WHITE)

20/04/2020 Glaaki: the adversary prepares campaigns tailored to the type of target [PDF]
09/04/2020 Glaaki: the adversary experiments with Lime RAT [PDF]
19/03/2020 Glaaki: analysis of the new "Zaratustra" campaign [PDF]
03/03/2020 Glaaki: support architecture for the Hidden Tear ransomware under development [PDF]
27/02/2020 Glaaki: new campaign exploits the Coronavirus theme to deliver Revenge-RAT [PDF]
20/11/2018 Glaaki: analysis of the Nak keylogger [PDF]

Indicators of Compromise

HOSTNAME

04c077be.ngrok.io
2843d636.ngrok.io
8a8e6597.ngrok.io
5bfb9a90.ngrok.io
0560a9e7.ngrok.io
4ed6a6b1.ngrok.io
uninured-fashion.000webhostapp.com
photoviewer.altervista.org
1ec6b9e8.ngrok.io
12e28cc8.ngrok.io
b02aee36.ngrok.io
f4566231.ngrok.io
microsoft.altervista.org
d09d074b.ngrok.io
3f9b6579.ngrok.io
4955d2b8.ngrok.io
firends4all.altervista.org
195123a6.ngrok.io

URL

http://195123a6.ngrok.io/11
http://4955d2b8.ngrok.io/11%20-%20Copia
https://3f9b6579.ngrok.io/namida/
https://04c077be.ngrok.io/11
https://04c077be.ngrok.io/12
https://2843d636.ngrok.io/12
https://8a8e6597.ngrok.io/client.exe
https://5bfb9a90.ngrok.io/1
https://0560a9e7.ngrok.io/hta/test32
https://4ed6a6b1.ngrok.io/start.vbs
http://d09d074b.ngrok.io/file
http://4955d2b8.ngrok.io/kaspersky
http://d09d074b.ngrok.io/docs2.hta
http://d09d074b.ngrok.io/docs.hta
http://d09d074b.ngrok.io/doc.hta
https://4ed6a6b1.ngrok.io/documento.php
http://d09d074b.ngrok.io/11
https://b7267844.ngrok.io/11
https://195123a6.ngrok.io/12
https://195123a6.ngrok.io/11
https://1ec6b9e8.ngrok.io/11
http://d09d074b.ngrok.io/inizio
https://12e28cc8.ngrok.io/1
https://uninured-fashion.000webhostapp.com/send.php
http://firends4all.altervista.org/send.php
https://195123a6.ngrok.io/bla.hta
https://2843d636.ngrok.io/11
https://4ed6a6b1.ngrok.io/docs2.hta
https://4ed6a6b1.ngrok.io/start.html
http://photoviewer.altervista.org/stage1_2
http://d09d074b.ngrok.io/file2
https://4ed6a6b1.ngrok.io/1.hta
http://photoviewer.altervista.org/xor.txt
https://4ed6a6b1.ngrok.io/11
https://3f9b6579.ngrok.io/11
http://photoviewer.altervista.org/test
https://4ed6a6b1.ngrok.io/file
https://4ed6a6b1.ngrok.io/redirect.php
http://d09d074b.ngrok.io/encoded2.crt
https://f4566231.ngrok.io/1
http://microsoft.altervista.org/update2
http://d09d074b.ngrok.io/12
http://d09d074b.ngrok.io/excel2
http://d09d074b.ngrok.io/form.hta
https://4ed6a6b1.ngrok.io/wp-content/15.txt
https://4ed6a6b1.ngrok.io/12
https://4ed6a6b1.ngrok.io/MINISTERODELLASALUTE.GOV/Documento.html
http://d09d074b.ngrok.io/13
https://4ed6a6b1.ngrok.io/wp-content/16.txt
http://microsoft.altervista.org/update
https://4ed6a6b1.ngrok.io/excel2
https://4ed6a6b1.ngrok.io/wp-content/17.txt
https://4ed6a6b1.ngrok.io/adobe.html
https://4ed6a6b1.ngrok.io/wp-content/14.txt
https://4ed6a6b1.ngrok.io/docs.hta
https://b02aee36.ngrok.io/1
http://d09d074b.ngrok.io/encoded.crt
https://4ed6a6b1.ngrok.io/doc.hta
http://4955d2b8.ngrok.io/11
https://4ed6a6b1.ngrok.io/file2

ARTEFACTS (SHA-256)

f8ca052d62554ee8731806fa2639ff5162ecafa4e9bf35b55f65593db679e379
45657cac3a9a16d1683c04b6b7850c1fc4a36034234e816080a4491a6698f003
c0914462061b7ae6a4640aafb671d8b4cbb076d753e86be580e9f41b1d1300ce
f3f9f2b4d691de8d3571223af11a63a6f05850d658bbe077608d1fe5bdea6f20
e4754f14a308b52bbb17c203d80d6aeeb33d05ee05b31192f9f721a94d1db879
202609cd8a50b4bf08b4c72267dbb4468adf875d569bba459c74144031ba5369
1a310557a041bba02b1f3b16e2988ca9cc0c508da7672edbe1c89ea972a9d39d
7358f07a2181363196dbbd9cf197e67b7c24ec2c1080584abb3a7c29fa765c26
d0a05e4f2f7bd2600bd53dad3727ac72c1aef39eb34c5b32e59137b58b5cd8cb
53c786ae17cb66041001b0766763485214de821593ee1335f0686c1bcdc0f015
5fce55794bc4c766d8e96e4874357a486f43ca6e7dddfefe0d49e43a23230d56
5c0f0978fa46f497acb6bdd56cc58b345ae014b6a34dc4d1c3ddb2e8727028f2
23737384dda958025d377ff4c1b9db8e8f801f9295ccc3751d6138533335c8c6
f86004b43548ca75d87876801ebaf571afabd18d19d39338fc487aafaa572874
ed5460f3c62bb07872964a521a184ba27a58d7c240a68318e5518b880a51d921
7c4ab975f2e0a53986f29befddc62b38116c088775f85202cee62ac32f176b2b
0254491272ef3e177510f99ef11605094f98c2a169c9910b78a2c4db578811cf
a0c782c69c1b854093d4c32db6f92638c6a14c60cec8b8da1cfe594aadf34173
4fe3f311028a885bbff1dcfe010f32e5488bd6c819a614a231be2c671566b884
0a3eb7034b050b45ad8541731b14ba4b64725c961118fb8b7c06f89e4ecbc389
c219460a4408b9dde76b00920ec892e9a7c196bbbf9b6182b47d9a65b4af3633
0cbede1e47a9ce34edc385ac2803c76aa14d42b9c6c408a83325535cb8f961c6
0e50239dfdbe515b4153d9b5bdfda0cc512fd6eaa92928eea3b5b482e144981e
81ac238f982ed59d49ba2aaad161015093a36bc9dee2616ca6a095b223a600f2
fa93a4974b504c3bc2c09af58a1bd383ed9d6e3307e6da157a0cd27e1c9614f5
2993352d4ae68153572c50ed137eea2380cf2a0c3122f2e7489d9e6dab07fccc
c09c27155bef02563d980a6c84ccd9f29c1eb9a4808913f0065b45b10c0f4e10
bb92b8a5fbe7111784583d1a73fb71017d69710077d805089c56acf6542d9f5c
edef2e9b1c59133e856bc5702e63b8aaf641bbc26773e1296ffaf57cee9a1129
66b53a89a1d9ca7f1ef84ac6b639a42e9bceea32232bc48630fd0de00951dfe7
da26fbcab28b11e069f73ee9cfea550cf55ada4076e96fa510ad6723ce37fa1c
c212ebbafd979c5692e12552fdcd40971145b09884d897fa85ff9b52509592d3
da65e2ddb3c6eb90da9e4b959d48b99dac9408d1f232c243ea3af70e3818b5f4
5f4bf45ea37258d52e46d82c3c10407750e90d62ef75ec97530356ae0c21d843
701539c67931f6bda1d7a7692b123f954c040986ebaa187e89f50622cb54831d
850e90cf3b340f76cdae994f83b1914c0df3a7d515da080fc6061ab017d775f3
8ddaa636e853400879b669bdb18856631089ab7d285729302c7bb5f52bb96976
62a0c6d02bc0bbe3f50c24431376afc01b523b6757b340cbfcef693bda13cd08
66642c1c4c74bf64b55e1384d093715daaab333c451c0c5c48696c2a687a3d55
205b881701d3026d7e296570533e5380e7aaccaa343d71b6fcc60802528bdb74
b56751bd81d1c7de3101585166b2faa17ec851cfd8f7d0c8af042e43f5efeb87
24ebe5bc8d8321fda73d1a6617a8b0c9a32424a9a64f0923deed8e17c81b3d13
c37e8e240b5b361eeba9b289b41c2c773e34f33908a2c8de2869bac5dbc24ffb
742baaf663ff02051b6ed1fc8df00e9df30efb2cde6bddd29478a7975b1ed041
83cbc1a46ed419ebb57102a5e061602e9ecd011bdfa049c1b49eb70b322d19c1
8c1e6217062a299bb4cccddd7e905e363d2f4fdc10979edff496d5107b091079
14db821c34ee0df4e6bd6b4b11a0cf361e2450d15ad440d8e21fa3c32706de58
3fd75c3c68aa331f3ac9f4c562eea6cfe8455504f299da1cce3344709fec5be3
4d8f599c43f897a6fa5896b4e770fd98f4743d6a9a657265529de22c9ff6912d
cbf8a0f6bde2727ed1368b9945bffbdc3fa0e2002c316f65811f63bad5d5edcb
b30426b7836eccdf63c09ac4a532c747c3db73eead8e803aabee9658871653d7
5e4c194bbd783275dbc2eac29e77afb8d20d26238974723bea87cd31a5437001
4a92078769cc4d93d53537d6073bbf3941555c457ef0a188517bc32436d5df0a
d1076ebbbf29c0cdd11cee1d13ad2d7da578914e34927071e45c191302e6a43b
b54ae4b5d5ee78bec08c1a192494155fc28a347d7ecec470e8c336f398064ed4
f947558e0d70e9d3a81c7c5cb057e06a6b2b973abb0e99536c9672aea0c7f79d
dcab07a40f627e7426049fb8dc794d2ad0f397cf334de85e6fb5c8b9453db98c
0e7b6427915588724d393d2f835c2f40338f1f71ed8e7cccadec57543a3390f3
850ed7c820f3fef8e275704b451b23b77b019ceabe2edbd8e883bf2c509f5848
392a0fb26663b152035c712d6384b284305dcd5b0799e519d86880f11c296dfe
69779bf240b4e5b62981beffa3713733a4d00c2d207ede92dc66ec0ce3a1fc86
41efcd1e2a5e66e94405c0bf95e517b1a2beee28f57c8cbcba6654cc514d7111
4b377bad418d0d754d7904c8473239f79d0d104fb828b3cb2022d402b43fac4a
a8f37cc6b1fe375b689c2422f28baaa7e103b44c89d38ec51a078cda153498d6
3ce47edbc124fb291ac8945e3f05550b4ad6d712d3510a6c8c4ab6239c4fa881
f1e2a865d8f80f7a1bf38c2011712715541151c1ff826f7bf1d4fd6b0bcea9bd
0a06a5f0d0294e4def241cb484a74ebca21cf693ea17312bc318c65f75a22976
9a93467ec6184b090c5c4bf6e753230da72515248d9c1e7a4d8f0acadffe2b8b
b363aaa303951deb44c1579ae9dea9436df657a877de43147aff41ddaaadc53a
790d711caf185c89654e8ce5faf73dd1dc36d058ef0165a7d1374f6152e81387
2f7a29ab2a7ee38923b0262eaf15fcc812a9e7c060e55945b6622dd67ed9805a
d2230bd9eccbfb2c6d59b3bdaf4373be8f82a98ac42244a250ef5a12d11749b9
1a0b5bb1a26fbb15c1aa6d3e06be5c2788b1723d42b177ecc551501d82897102
27d9326cd86260af2715dab519f2a0bfc18790f48f45e623b167e829e08e8360
ab6ae5097cc1a862ee2b03a3de59ad6b19216f645b02a51c2ef1d8de49361c87
515ae4dfba4d87493a08771f526bfa1abbf5b7f72d2bebd7396e34b0c2aeb6d3
d3a45f00cc280920e38d93598b0fbd1d08f9b9329d588cf210d659a0e1f3d2c0
46a7d5aacf0a13069d6503baf3ca6801dac16df80ed6c73771745e58a01d11a8
c2db91e5c34652e8179e3e63d7a964d6a79b8f14bbbd4c18f8700a508967f8ef
81988c1b32309508460144bf831bae6627a90b8e19aab07c09a49ce96a85b69d
6469be5aeea0b5e8d64da493e50a419b07a495c888afc8f872ac60a597038e0f
57f813a158b80e6891ce755df38207fc5aad61ad383c890dc95ef49191c1f132
0fb68bcef188fcd67142ca06efa2072697c05a782d97a84615c89fd015ec0eb7
22c0dd4b65a748cd7e8aec6f6539825d2f11ba9e16b858aa02f8aedeed94c53d
99c24a9731c6abac21afffc3ae84dc4bba0f6b9fda02fc6bd7ac8ef70411493b
6c8a4751ad4bae5e53b89679bce0a8cd0f0f101f745c4229075291550269232c
3e86b242160efae963a15db1ce39df9f7da8ce75861ffe5b57a7dd5ab33ccdd3
25695eaaa49838b7289784c90a1f2c3d1d0502d8d3e6c0fbbb25243c9cdfb568
f76151646a0b94024761812cde1097ae2c6d455c28356a3db1f7905d3d9d6718
c1413d0012c7579e63c833e0a1cf574604796010a33fd5043e454be94d1fcee7
007c6a9ae654bf084c4f58b803104d3dcf053104bc4cc63ddd56f7240d83517d
ef7f114aa0386e96d1d35a4f4301f74cf2e84112408d3ee442891e194e5053c5
5b7d67a591d87def61c5f4e0b84336652423a21769f6cb22275a3d09370db361
899fd0dcdc8cbbb61d1c6607dfc68ec84560101e0739e69fae705d3c56bf379d
119c84b480b8c26190e2af3ae7f2dcd5bcffa5d039117871b820dabc08ab64b4
973d736ea74d0b04ba9ca4a8dd8d20b176110253d791e889eb1f19ef6af8e022
b755c09b13e52ec459277ea42a1cdc304c0db6897c919581956bc53ba761edb6
d976b50cb3283abdd891120ca0cdf9a29d7779d37fdbbf9a724666dc7ec9247f
9c87bed8d5dc97908a4afa5504308583ac518be980e1a7afa50537541fbf36e2
a26f9993a2cbdf20532eb20749a95ce9ff7caad4b2fed2522a04108ff2bc26ae
630777971f42b59196eee3b63d889d716f2e08c3f020eaad639b8e816893cb98
95cfb24599ce0ee6cec41ec4325ccfd5b0c3c7fcfcabc350a42bca7fc3676401
ab64e0f1c14c82ec5a8bb5515a82b464a65554ae7d826dc20927a4bed01709d6
1f7ac4d6b463ac01071bb30d921528d8d34e8b374cfce3fd049689664b649552
62d3bc5f12274ca732a02132ea61e0bcf2dd32e68a509bcffd3b64f828e1ba88
18c127db12603d00bd5c722b8a442e848c8d0a97b1b5fbf56c2d4811542d53b2
05b932020d5ea39922fa38181a017a6cacf50deed3d8f221e97860e113685fff
6407d257ab5db3a4cdd9981e2057bea454adfac36453f100d3d21be68197db82
2559a46543161d7648ae3ef5c52c983d74b2e142b6b248bda8267491af8b8ab6
16f158611e576da8dac4ea69949fb0b19005b24cf56b7a630dfa15728eb8c2a1
c6cf58e0912255e87119048e050db5925c65777c608b54344a7948ec654c618f
6f0c227ca0c3f5c5d6968286252282e2ce717b568aff9fc28bf2670a822e27db
5a68e8c9b6300f626ed893df7c64dbe60e6a66231e37fd293b053a942851b16f
fc7f10c69abf1817ee4dd8d2b33f122f91e3f7e576400a6816bf6d0e8dd05dc9
0a8b9e46aa2e122835ced857c0ac3987dabc5eb87332c66857aee00e920fbb36
eee523e3645eba6b9579d3abd8df49ada9277b41ad24988aa6ac4d683119a754
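The report describes ngrok tunnels as Glaaki's stage-delivery channel and publishes hostname, URL and hash indicators. The following Python script is an added example, not code from TS-WAY or from the report: it normalises proxy-log requests (case, default ports, CONNECT host:port lines) before comparing them with a subset of the indicators listed above, and it also flags any *.ngrok.io host as a weaker triage signal because of the tunnelling pattern the report describes. The indicator values are copied from this page; the proxy-log lines, client addresses and observed hashes are constructed for the demo, and the log format is an assumed simplified Squid-style layout.

```python
"""Match proxy-log requests and file hashes against the Glaaki indicators.

Added example, not code from the TS-WAY report. Indicator values are copied
from the report's HOSTNAME, URL and ARTEFACTS lists; the log lines and the
observed hashes are constructed for this demo.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Subset of the report's HOSTNAME indicators (copied from the page).
IOC_HOSTNAMES = {
    "2843d636.ngrok.io",
    "4ed6a6b1.ngrok.io",
    "d09d074b.ngrok.io",
    "photoviewer.altervista.org",
}

# Subset of the report's URL indicators (copied from the page).
IOC_URLS = {
    "https://4ed6a6b1.ngrok.io/start.vbs",
    "http://d09d074b.ngrok.io/docs.hta",
    "http://photoviewer.altervista.org/xor.txt",
}

# Subset of the report's artefact hashes (SHA-256, copied from the page).
IOC_SHA256 = {
    "f8ca052d62554ee8731806fa2639ff5162ecafa4e9bf35b55f65593db679e379",
    "45657cac3a9a16d1683c04b6b7850c1fc4a36034234e816080a4491a6698f003",
}

# Constructed proxy log (not real traffic), assumed simplified Squid-like
# format: "<epoch> <client_ip> <method> <target> <status>". CONNECT lines
# carry only host:port, as a non-intercepting proxy logs TLS traffic.
SAMPLE_PROXY_LOG = """\
1583000000.123 10.0.0.15 GET https://4ed6a6b1.ngrok.io/start.vbs 200
1583000001.456 10.0.0.22 GET https://www.example.org/index.html 200
1583000002.789 10.0.0.15 GET http://D09D074B.NGROK.IO:80/docs.hta 200
1583000003.012 10.0.0.31 GET http://photoviewer.altervista.org/test 404
1583000004.345 10.0.0.40 CONNECT 2843d636.ngrok.io:443 200
"""


def normalise_host(target: str) -> str:
    """Lower-cased hostname of an absolute URL or of a bare host:port pair."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def canonical_url(url: str) -> str:
    """Lower-case scheme/host, drop default ports and the query string, so
    that case and ':80'/':443' variants still match the listed URLs."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"


IOC_URLS_CANONICAL = {canonical_url(u) for u in IOC_URLS}


def match_proxy_log(log_text: str) -> List[Dict]:
    """One hit per log line touching an indicator. 'hostname' and 'url' are
    exact matches; 'ngrok-tunnel' is a weaker signal for any *.ngrok.io host,
    since the report names ngrok as the stage-delivery channel (triage only)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the scan
        timestamp, client, method, target, _status = fields[:5]
        host = normalise_host(target)
        reasons = []
        if host in IOC_HOSTNAMES:
            reasons.append("hostname")
        if "://" in target and canonical_url(target) in IOC_URLS_CANONICAL:
            reasons.append("url")
        if host == "ngrok.io" or host.endswith(".ngrok.io"):
            reasons.append("ngrok-tunnel")
        if reasons:
            hits.append({"timestamp": timestamp, "client": client,
                         "method": method, "host": host, "reasons": reasons})
    return hits


def match_hashes(observed: Iterable[str]) -> List[str]:
    """Observed SHA-256 values (case-insensitive) that appear in the list."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_SHA256)


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    # Constructed observations: one listed hash (upper-cased), one unlisted.
    print(match_hashes(["F8CA052D62554EE8731806FA2639FF5162ECAFA4E9BF35B55F65593DB679E379", "0" * 64]))
```

Exact hostname and URL hits are the actionable ones; the ngrok-tunnel flag only raises a line for analyst review, because ngrok has legitimate users and the report's hostnames are per-tunnel subdomains that the adversary can rotate. Hash matching is kept case-insensitive since EDR and sandbox exports disagree on hex casing.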
