ATI Update ATI-2021-25

New Protocols & Applications (3)

| Name | Category | Info |
|---|---|---|
| Citi Mobile Nov 2021 | Secure Data Transfer | Citi Mobile App provides a convenient way to take care of everyday banking. |
| Spotify Greenroom Nov 2021 | Secure Data Transfer | Greenroom is a new social audio app from Spotify that lets users host and participate in live chat. |
| Tencent Meeting | Voice/Video/Media | Tencent Meeting is a popular Chinese online meeting platform developed by Tencent; it allows users to start a meeting or join a meeting in video or audio mode. |

New Superflows (11)

| Name | Category | Tags | Info |
|---|---|---|---|
| Citi Mobile Nov 2021 | Secure Data Transfer | Financial, MobileApp, SimulatedTLS | Citi Mobile App provides a convenient way to take care of everyday banking. This simulated scenario includes: user login, making a credit card payment, and reviewing rewards. |
| iQiyi Web Dec 19 Bandwidth | Social Networking/Search | ChinaApp | The use of the iQiyi application as of December 2019. All of the available actions for this flow are exercised. |
| Kuaishou Mobile Oct21 Video Bandwidth | Voice/Video/Media | ChinaApp, MobileApp | The use of the Kuaishou mobile application as of October 2021. All of the available actions for this flow are exercised. |
| Kugou Music Dec20 Bandwidth | Voice/Video/Media | ChinaApp | The use of the Kugou music application as of December 2020. All of the available actions for this flow are exercised. |
| Mango TV Nov21 Bandwidth | Voice/Video/Media | ChinaApp | The use of the Mango TV application as of November 2021. All of the available actions for this flow are exercised. |
| Netease Music Dec20 Bandwidth | Voice/Video/Media | ChinaApp | The use of the Netease music application as of December 2020. All of the available actions for this flow are exercised. |
| Spotify Greenroom Nov 2021 | Secure Data Transfer | MobileApp, SimulatedTLS | Greenroom is a new social audio app from Spotify that lets users host and participate in live chat. The user performs the following actions: scroll through the feed, search for a user, follow an existing user, search for groups, join a group and create a new room. |
| Tencent Meeting | Voice/Video/Media | ChinaApp | Simulates Tencent Meeting as of November 2021, where the user joins a video/audio meeting. |
| Tencent Meeting Bandwidth | Voice/Video/Media | ChinaApp | Simulates Tencent Meeting as of November 2021, where the user joins a video meeting. |
| Youku Mobile Apr21 Bandwidth | Voice/Video/Media | ChinaApp, MobileApp | The use of the Youku mobile application as of April 2021. All of the available actions for this flow are exercised. |
| Zhihu Oct21 Question Bandwidth | Voice/Video/Media | ChinaApp | The use of the Zhihu application as of October 2021. All of the available actions for this flow are exercised. |

New Application Profiles (5)

| Name | Info |
|---|---|
| China Social Media Traffic 2021 | This simulates traffic generated by top social media applications in China in 2021. |
| China Streaming Traffic 2021 | This simulates traffic generated by top streaming applications in China in 2021. |
| China Streaming Traffic 2021 (Proxy) | This simulates traffic generated by top streaming applications in China in 2021. |
| China Top Mobile Application Traffic 2021 | This simulates traffic generated by top mobile applications in China in 2021. |
| Social Audio Rooms 2021 | This simulates traffic generated by the top 4 social audio room applications in 2021. |

New Security Tests (1)

| Name | Info |
|---|---|
| NjRAT Nov 2021 Campaign | NjRAT, also known as Bladabindi, is a remote access tool (RAT) that allows the attacker to control the victim's computer. It can be spread through document phishing and infected drives. |

* https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

This strikelist contains 3 strikes simulating the 'NjRAT Nov 2021 Campaign'.

1. The first strike simulates the download of a Word document. If the Word document is opened, an embedded macro would attempt to download the NjRAT malware.
2. The second strike simulates the download of the NjRAT malware.
3. The third strike simulates the command and control traffic that occurs after executing the NjRAT malware. The victim sends a TCP message to the attacker over port 2022 containing host information such as the username, the Base64-encoded operating system version and the Base64-encoded name of the running process.

It contains the following sequence of strikes:
1) /strikes/malware/apt/njrat_nov_2021_campaign/malware_7be5dfcb518eddbd2b3094efb051237b8d119ea9.xml
2) /strikes/malware/apt/njrat_nov_2021_campaign/malware_056ca8025419891738b6d0f71ee61710d0c599d4.xml
3) /strikes/botnets/apt/njrat_nov_2021_campaign/njrat_nov_2021_campaign_njrat_command_control.xml

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | M21-pkme3 | NjRAT Nov 2021 Campaign - Document File Transfer | This strike simulates the download of a Word document via an HTTP GET request. |
| 2 | M21-ksvr2 | NjRAT Nov 2021 Campaign - NjRAT File Transfer | This strike simulates the download of a Windows binary file via an HTTP GET request. This file is a malicious NjRAT sample which sends command and control traffic after execution. |
| 3 | B21-ijep3 | NjRAT Nov 2021 Campaign - NjRAT Command and Control | This strike simulates the command and control traffic that occurs after executing the NjRAT malware. |

New Strikes (2)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 7.5 | E21-zyxy1 | CVE-2015-4022, CVSS, CVSSv3, CWE-189, URL | Exploits | This strike exploits an integer overflow in the PHP ftp_genlist function which might lead to remote code execution. A remote attacker can exploit this vulnerability by forcing a PHP server to connect to an FTP server controlled by the attacker. The PHP server connects to the FTP server and performs a LIST request, which results in a large buffer being sent by the attacker-controlled FTP server. Successful exploitation could result in code execution on the server running PHP. Note: This strike does not include the PHP request, and the buffer sent by the attacker is smaller than the real one. |
| 5.0 | E21-c5r21 | CVE-2021-21246, CVSS, CVSSv3, CWE-862, URL, URL | Exploits | This strike exploits a lack-of-authentication vulnerability in the OneDev Platform. Attackers can send a crafted request to the endpoint /users/{id}, where no security checks are enforced, so it is possible to retrieve arbitrary user details including their Access Tokens. *NOTE: When running this strike in OneArm mode, the strike attempts to read information containing the access token for the user with id equal to 1. |