ATI Update ATI-2021-11

New Protocols & Applications (3)

| Name | Category | Info |
|---|---|---|
| Google Quic Version 43 | Data Transfer/File Sharing | This is a simulation of Google's proprietary QUIC protocol (gQUIC) version 43. The traffic is encapsulated in UDP packets. Instead of standard TLS, the protocol uses QUIC Crypto for its handshake, for enhanced security and performance. |
| WeChat Payments Mobile May21 | Financial | WeChat is a Chinese social platform. WeChat Payments is a financial function within WeChat that allows users to top up the WeChat wallet from bank cards and to scan QR codes to pay. |
| Youku Mobile Apr21 | Voice/Video/Media | Youku is a popular Chinese online TV application that allows users to view, search, watch and comment on videos. This is a simulation of the mobile version of Youku. |

New Superflows (3)

| Name | Category | Tags | Info |
|---|---|---|---|
| Google QUIC Q043 - 1 RTT | Data Transfer/File Sharing | Security, HTTP/3 | Simulates a generic Google QUIC Q043 handshake and payload session in a 1-RTT scenario. This traffic is generally observed in YouTube. |
| WeChat Payments Mobile May21 | Financial | ChinaApp, MobileApp | Simulates WeChat Payments as of May 2021. The user goes to the WeChat wallet, tops up the wallet from a bank card and scans a QR code to pay. The clients in this flow conform to WeChat v7.0. |
| Youku Mobile Apr21 | Voice/Video/Media | ChinaApp, MobileApp | Simulates Youku mobile as of April 2021: the user browses video lists, searches for videos and watches videos. |

New Security Tests (1)

| Name | Info |
|---|---|
| Zebrocy May 2021 Campaign | This strikelist contains 3 strikes simulating the 'Zebrocy May 2021 Campaign'. |

The Zebrocy Group is a subgroup of the Sofacy APT Group; it targets countries of the former Soviet republics and, more recently, Asia.
The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group that may be tied to the Russian government. Sofacy has been known to target government, military and security organizations since 2007. It has been characterized as an advanced persistent threat.

1. The first strike simulates the download of a malicious macro-embedded Word file. This is the first infection vector for this campaign, in which a Microsoft Word macro executes to download the next-stage malware.
2. The second strike simulates the download of the 'Wininition' malware. This is the second infection vector for this campaign, in which an EXE file is downloaded and executed.
3. The third strike simulates the traffic that occurs after the 'Wininition' executable runs. The victim sends HTTPS-encrypted traffic to the attacker.

It contains the following sequence of strikes:

1) /strikes/malware/apt/zebrocy_may_2021_campaign/malware_fc0b7ad2ae9347d6d2ababe2947ffb9f7cc73030.xml
2) /strikes/malware/apt/zebrocy_may_2021_campaign/malware_afbdb13d8f620d0a5599cbc7a7d9ce8001ee32f1.xml
3) /strikes/botnets/apt/zebrocy_may_2021_campaign/zebrocy_may_2021_campaign_command_control.xml

| # | Strike ID | Name | Description |
|---|---|---|---|
| 1 | M21-fw601 | Zebrocy May 2021 Campaign - Malicious Macro-Embedded Word File Transfer | This strike simulates the download of a malicious macro-embedded Word file via an HTTP GET request. |
| 2 | M21-n4801 | Zebrocy May 2021 Campaign - Wininition Final Payload File Transfer | This strike simulates the download of a malicious executable via an HTTP GET request. The malicious executable is a 32-bit Windows file written in Delphi. |
| 3 | B21-tih01 | Zebrocy May 2021 Campaign - Wininition Command and Control | This strike simulates the 'Zebrocy May 2021 Campaign - Wininition Command and Control' traffic that occurs after the Wininition malware executes. |

New Strikes (1)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 4.9 | E21-cd0h1 | CVE-2021-30657, CWE-371 | Exploits | This strike sends a specially crafted payload which, when executed, can bypass the security checks present in macOS. This strike specifically exploits the macOS Gatekeeper bypass vulnerability. This zero-day vulnerability was abused by macOS malware, specifically the Shlayer malware, until Apple patched it. |

Enhancements

| Component | Info |
|---|---|
| NewEvasion | By default we no longer encode the reserved characters "?", "&" and "=" in the URI, and have introduced an evasion profile setting, "EncodeReservedChars", to override this behaviour. |

Defects Resolved

| Component | Info |
|---|---|
| Apps | Updated the description of the RTP "Stream Length (ms)" parameter to better differentiate it from the "Frames per second" test settings. |
| Apps | The HTTP/2 actions "Response 200 OK" and "Response 304 (Not Modified)" have been modified to use the same stream ID as their client request messages. |