{"uuid": "1de74162-a2c3-4dd5-ae5f-a1a82ebbe186", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-40444", "type": "exploited", "source": "https://t.me/CherepawwkaChannel/255", "content": "\u0410\u043d\u0430\u043b\u0438\u0437 TTPs APT \u0433\u0440\u0443\u043f\u043f\u0438\u0440\u043e\u0432\u043e\u043a \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 TI \u043e\u0442\u0447\u0435\u0442\u043e\u0432, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0430 \u0438 \u0442\u0435\u0441\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0430\u0442\u043e\u043c\u0430\u0440\u043d\u044b\u0445 \u0442\u0435\u0441\u0442-\u043a\u0435\u0439\u0441\u043e\u0432 \u0434\u043b\u044f \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u0435\u043c\u044b\u0445 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0435\u0432 \u0432\u0441\u0435\u0433\u0434\u0430 \u0437\u0430\u043d\u0438\u043c\u0430\u0435\u0442 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0435 \u0432\u0440\u0435\u043c\u044f \u043d\u0430 \u044d\u0442\u0430\u043f\u0435 \u043f\u043e\u0434\u0433\u043e\u0442\u043e\u0432\u043a\u0438 \u043a \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044e Purple Teaming. \u041f\u043e\u044d\u0442\u043e\u043c\u0443 \u043c\u044b \u0432\u0441\u0435\u0433\u0434\u0430 \u0441\u0442\u0430\u0440\u0430\u0435\u043c\u0441\u044f \u0441\u043d\u0430\u0447\u0430\u043b\u0430 \u043d\u0430\u0439\u0442\u0438 \u043d\u043e\u0440\u043c\u0430\u043b\u044c\u043d\u0443\u044e \u0430\u043d\u0430\u043b\u0438\u0442\u0438\u043a\u0443 \u0441 \u0442\u0435\u0445\u043d\u0438\u0447\u0435\u0441\u043a\u0438\u043c\u0438 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0441\u0442\u044f\u043c\u0438, \u0431\u0435\u0437 \u043c\u0430\u0440\u043a\u0435\u0442\u0438\u043d\u0433\u043e\u0432\u043e\u0439 \u0432\u043e\u0434\u044b \u0438 \"highly sophisticated\" \u0444\u043e\u0440\u043c\u0443\u043b\u0438\u0440\u043e\u0432\u043e\u043a\ud83d\ude0e \u041d\u0435\u0434\u0430\u0432\u043d\u043e \u043c\u043d\u0435 \u043d\u0430 \u0433\u043b\u0430\u0437\u0430 \u043f\u043e\u043f\u0430\u043b\u0441\u044f \u043e\u0447\u0435\u043d\u044c \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0439 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0439, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0445\u043e\u0442\u0435\u043b\u043e\u0441\u044c \u0431\u044b \u043f\u043e\u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u043e\u0432\u0430\u0442\u044c \u0432 \u044d\u0442\u043e\u0439 \u0437\u0430\u043c\u0435\u0442\u043a\u0435.\n\n\u0410\u0432\u0442\u043e\u0440 \u0434\u0435\u0442\u0430\u043b\u044c\u043d\u043e \u0440\u0430\u0437\u0431\u0438\u0440\u0430\u0435\u0442 \u043e\u0442\u0447\u0435\u0442\u044b \u0438 \u043f\u0443\u0431\u043b\u0438\u043a\u0443\u0435\u0442 \u0433\u043e\u0442\u043e\u0432\u044b\u0439 \u043f\u043b\u0430\u043d \u0438 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u044b\u0435 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u044b \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u0441\u0438\u043c\u0443\u043b\u044f\u0446\u0438\u0438 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f \u0432 \u0444\u043e\u0440\u043c\u0430\u0442\u0435 Purple Teaming. \n\u041d\u0430 \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e - Fancy Bear APT28 Adversary Simulation:\n\n\ud83d\udfe3 Create dll downloads files through base64, This is to download two files the first is (dfsvc.dll) the second is (Stager.dll)\n\ud83d\udfe3 Exploiting CVE-2021-40444 to inject the DLL file into Word File and create an execution for DLL by opening Word File\n\ud83d\udfe3 Word File is running and the actual payload is downloaded through DLLDownloader.dll and we have two files Stager.dll and dfsvc.dll\n\ud83d\udfe3 The Stager decrypts the actual payload and runs it which in turn is responsible for command and control\n\ud83d\udfe3 Data exfiltration over OneDrive API C2. This integrates OneDrive API functionality to facilitate communication between the compromised system and the attacker-controlled server thereby potentially hiding the traffic within legitimate OneDrive communication\n\ud83d\udfe3 Get Command and Control through payload uses the OneDrive API to upload data including command output to OneDrive, the payload calculates the CRC32 checksum of the MachineGuid and includes it in the communication with the server for identification purposes\n\n\u0412 \u0438\u0442\u043e\u0433\u0435 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u0442\u0441\u044f \u0433\u043e\u0442\u043e\u0432\u044b\u0439 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0439, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0436\u043d\u043e \u043a\u0430\u0441\u0442\u043e\u043c\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f Purple Teaming.", "creation_timestamp": "2024-06-13T10:28:37.000000Z"}