Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack

Earth Kitsune samples (SHA-256)
----------------------------------------------------------------
SHA-256                                                           Detection Name               Note
----------------------------------------------------------------
CE7016067C97421E3050FA8BD7F1950E0707E6DEEAC20003F5F30F1C58F435BC  Trojan.JS.SLUB.A             Delivery script
1C24D9013B3EAE373FC28D40F9E475E1DD22C228E8F1E539ED9229E21807839D  Trojan.Win32.SLUB.AA         Installer
076BA1135B2F9F4DBC38E306DC533AF71B311C1DC98788C18253448FCA096C46  Trojan.Win32.SLUB.AA         Installer
371CFA10A7262438E5BC0694BA5628EB21E044DC8173710DF51826DAFA11E300  Trojan.Win32.SLUB.B          Google Chrome persistence payload
E01399D47CDA45F1AF496FA460F20620A5B08C39714875FE292A5FC3D1C7A215  Trojan.Win32.SLUB.B          Google Chrome persistence payload
6F0A0AC477C73C2533A39CB3D8FBF45365761D11B7368460964A4572E91C5FCB  Trojan.Win64.SLUB.B          Google Chrome persistence payload
C357E572DD7C618C54F8333313266A8A9CF07C1038D6B2F711CDBAE714BC2654  Trojan.JS.SLUB.A             Google Chrome persistence payload
902902B5457C6945C2B3878521D23D05D448DE179D19761C718FB67C15A4BCC0  Trojan.Win64.SLUB.B          Microsoft OneDrive persistence payload
20C214D58CCFB5AD797F1A02667078D182629AC7E157162566C123519E039D55  Trojan.Win32.SLUB.B          Backdoor loader
3D62E122E31D7929E76633773D752B8BEE31462BB79CB5B8B7C6952341E93482  Trojan.Win32.SLUB.B          Backdoor dropper
66C8E0ACFE030C4EEC474CD75C4D831601DAE3EF4E1CEF78B624DE3C346C186D  Trojan.Win32.SLUB.B          Backdoor dropper
C78CB41F4FB4E5F5476EB2C1414F138643494C2B8ABE2CF539FAFC54199E2AEF  Trojan.Win32.SLUB.B          Backdoor dropper
FBAC7B40A12970CDCC36F48945BEB83BF9461F14C59CB8106AD8E43E5D22A970  Trojan.Win32.SLUB.B          Backdoor dropper
7365F661AD9E558FDD668D3563E0A1B85CCF1A543BE51CB942DB508F9CCBCF5E  Trojan.Win32.SLUB.B          Backdoor dropper
3D4107C738B46F75C5B1B88EF06F82A5779DDD830527C9BECC951080A5491F13  Backdoor.Win64.WHISKERSPY.A  WhiskerSpy (64-bit version using HTTP)
84E9BCC055225BD50534147E355834325B97AD948C3A10D792928B48C56C1712  Backdoor.Win64.WHISKERSPY.A  WhiskerSpy (64-bit version using HTTP)
EFFA1AE32DBCF6BC64A5025BCA4F4C41572439B69EDD58B5F78952A407CEB5DF  Backdoor.Win32.WHISKERSPY.A  WhiskerSpy (32-bit version using FTP)

Earth Kitsune infrastructure
----------------------------------------------------------------
Domain                          Note
----------------------------------------------------------------
microsoftwindow[.]sytes[.]net   Delivery server domain
updategoogle[.]servehttp[.]com  WhiskerSpy HTTP C&C domain
londoncity[.]hopto[.]org        WhiskerSpy FTP C&C domain
windowsupdate[.]sytes[.]net     Related domain
florida[.]serveblog[.]net       Related domain
googlemap[.]hopto[.]org         Related domain
liveupdate[.]servepics[.]com    Related domain
chromecast[.]hopto[.]org        Related domain
googlemap[.]serveblog[.]net     Related domain
selectorioi[.]ddns[.]net        Related domain
rs[.]myftp[.]biz                Related domain
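The two tables are meant to be consumed by tooling, and two details trip people up when they are: the hashes are printed in upper case while most hashing tools emit lower case, and the domains are defanged (`[.]`) and sit under shared dynamic-DNS parent zones, so a match has to be on the full hostname (or a label beneath it), never on `sytes.net` or `hopto.org` alone. The script below is an added example, not code from Trend Micro or from the report; it refangs a subset of the listed hostnames, checks resolver log lines for queries to them with a proper suffix test, and does a case-insensitive SHA-256 lookup against a subset of the sample hashes. The dnsmasq-style log lines are constructed for the example, including one deliberate near-miss (`notupdategoogle.servehttp.com`) that a naive substring match would wrongly flag.

```python
import hashlib
import re

# Subset of the indicators from the tables above. The table prints hashes in
# upper case; most tooling emits lower case, so lookups below normalize case.
WHISKERSPY_SHA256 = {
    "3D4107C738B46F75C5B1B88EF06F82A5779DDD830527C9BECC951080A5491F13",  # WhiskerSpy 64-bit, HTTP
    "84E9BCC055225BD50534147E355834325B97AD948C3A10D792928B48C56C1712",  # WhiskerSpy 64-bit, HTTP
    "EFFA1AE32DBCF6BC64A5025BCA4F4C41572439B69EDD58B5F78952A407CEB5DF",  # WhiskerSpy 32-bit, FTP
}

DEFANGED_C2_DOMAINS = [
    "microsoftwindow[.]sytes[.]net",   # delivery server
    "updategoogle[.]servehttp[.]com",  # HTTP C&C
    "londoncity[.]hopto[.]org",        # FTP C&C
]

# Constructed dnsmasq-style resolver log (not from the report). The last line is
# a deliberate near-miss that a substring match would wrongly flag.
SAMPLE_DNS_LOG = [
    "Feb 17 10:01:02 dnsmasq[412]: query[A] www.trendmicro.com from 10.0.0.5",
    "Feb 17 10:01:09 dnsmasq[412]: query[A] updategoogle.servehttp.com from 10.0.0.7",
    "Feb 17 10:01:12 dnsmasq[412]: query[A] files.londoncity.hopto.org from 10.0.0.7",
    "Feb 17 10:01:15 dnsmasq[412]: query[A] notupdategoogle.servehttp.com from 10.0.0.8",
]

# Assumed log shape: "query[<type>] <qname> from <client>" (dnsmasq's default).
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def refang(domain: str) -> str:
    """Convert the defanged 'a[.]b' notation used in the IOC table into a hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def hostname_matches(host: str, ioc: str) -> bool:
    """True when host is the IOC hostname itself or a label underneath it.

    The leading dot in the suffix test is what keeps 'notupdategoogle.servehttp.com'
    from matching 'updategoogle.servehttp.com'. The parent zones (sytes.net,
    hopto.org, ...) are shared dynamic-DNS zones, so they are never matched alone.
    """
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def scan_dns_log(lines, defanged_domains):
    """Return [(line_no, client_ip, matched_ioc)] for queries to IOC hostnames."""
    iocs = [refang(d) for d in defanged_domains]
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        for ioc in iocs:
            if hostname_matches(qname, ioc):
                hits.append((n, client, ioc))
                break
    return hits


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA-256 hex digest, matching the case used in the table."""
    return hashlib.sha256(data).hexdigest().upper()


def is_known_sample(data: bytes, known=WHISKERSPY_SHA256) -> bool:
    """Case-insensitive SHA-256 lookup of file contents against the IOC set."""
    return sha256_hex(data) in {h.upper() for h in known}


if __name__ == "__main__":
    for n, client, ioc in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_C2_DOMAINS):
        print(f"line {n}: {client} queried IOC hostname {ioc}")
    print("empty file is a known sample:", is_known_sample(b""))
```

To use it against real data, replace `SAMPLE_DNS_LOG` with the resolver log of your choice (adjust `QUERY_RE` if the format differs) and feed file contents to `is_known_sample`; the full hash and domain lists from the tables drop straight into the two constants at the top.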