ATI Update ATI-2022-10

New Protocols & Applications (3)

Name | Category | Info
BeReal May 2022 | Secure Data Transfer | BeReal is a new social media app that allows users to post photos on the platform.
Twitter Apr22 | Social Networking/Search | Simulates the use of Twitter as of April 2022, where a user goes to the sign-in page, signs in to the Twitter website, browses their feed, posts a tweet, follows an account and signs out.
XueXiQiangGuo May22 | Voice/Video/Media | XueXiQiangGuo is a popular Chinese online learning platform. It allows users to view content and watch all kinds of learning videos.

New Superflows (7)

Name | Category | Tags | Info
BeReal May 2022 | Secure Data Transfer | Web, SimulatedTLS | Simulates the use of BeReal as of May 2022, a social media app that allows users to post photos on the platform.
Twitter Apr22 | Social Networking/Search | Search, Social Networking | Simulates the use of Twitter as of April 2022, where a user goes to the sign-in page, signs in to the Twitter website, browses their feed, posts a tweet, follows an account and signs out.
Twitter Apr22 Browse | Social Networking/Search | Search, Social Networking | Simulates the use of Twitter as of April 2022, where a user goes to the sign-in page, signs in to the Twitter website, browses their feed and signs out.
Twitter Apr22 Follow Account | Social Networking/Search | Search, Social Networking | Simulates the use of Twitter as of April 2022, where a user goes to the sign-in page, signs in to the Twitter website, follows an account and signs out.
Twitter Apr22 Post Tweet | Social Networking/Search | Search, Social Networking | Simulates the use of Twitter as of April 2022, where a user goes to the sign-in page, signs in to the Twitter website, posts a tweet and signs out.
XueXiQiangGuo May22 | Voice/Video/Media | Education, ChinaApp | Simulates viewing learning content and watching videos on the XueXiQiangGuo website as of May 2022. The user opens the website, views educational resources and watches a video.
XueXiQiangGuo May22 Video | Voice/Video/Media | Education, ChinaApp | Simulates watching videos on the XueXiQiangGuo website as of May 2022. The user watches learning videos.

New Security Tests (1)

Name | Info
Qakbot DarkVNC Apr 2022 Campaign | This strikelist contains 6 strikes simulating the 'Qakbot DarkVNC Apr 2022 Campaign'.

1. The first strike simulates the download of a compressed Excel document. If the Excel document is opened, an embedded macro attempts to download the Qakbot malware.
2. The second strike simulates the download of part 1 of the Qakbot malware.
3. The third strike simulates the download of part 2 of the Qakbot malware.
4. The fourth strike simulates the download of part 3 of the Qakbot malware.
5. The fifth strike simulates the command and control traffic that occurs after executing the Qakbot malware. The victim sends an HTTPS message to the attacker over port 443 and then another message over port 65400.
6. The sixth strike simulates the DarkVNC command and control traffic that occurs after communicating with the C2 server. The victim sends a message over port 443 to the attacker.

It contains the following sequence of strikes:
1) /strikes/malware/apt/qakbot_darkvnc_apr_2022_campaign/malware_cd4c02ff9bc9e27c1384d10bb668d376.xml
2) /strikes/malware/apt/qakbot_darkvnc_apr_2022_campaign/malware_9f8bd274644f4dc95f66f963facdd0dd.xml
3) /strikes/malware/apt/qakbot_darkvnc_apr_2022_campaign/malware_d5715f6020fdb99e2451c931cfac43fb.xml
4) /strikes/malware/apt/qakbot_darkvnc_apr_2022_campaign/malware_e7ba93bbeb866e107e65aae0ca992050.xml
5) /strikes/botnets/apt/qakbot_darkvnc_apr_2022_campaign/qakbot_darkvnc_apr_2022_campaign_qakbot_command_control.xml
6) /strikes/botnets/apt/qakbot_darkvnc_apr_2022_campaign/qakbot_darkvnc_apr_2022_campaign_darkvnc_c2.xml

# | Strike ID | Name | Description
1 | M22-Ce8w4 | Qakbot DarkVNC Apr 2022 Campaign - Zip File Transfer | This strike simulates the download of a compressed Excel document via an HTTP GET request.
2 | M22-Ce8w1 | Qakbot DarkVNC Apr 2022 Campaign - Qakbot dll Part 1 File Transfer | This strike simulates the download of part 1 of the Qakbot dll.
3 | M22-Ce8w2 | Qakbot DarkVNC Apr 2022 Campaign - Qakbot dll Part 2 File Transfer | This strike simulates the download of part 2 of the Qakbot dll.
4 | M22-Ce8w3 | Qakbot DarkVNC Apr 2022 Campaign - Qakbot dll Part 3 File Transfer | This strike simulates the download of part 3 of the Qakbot dll.
5 | B22-ofcl2 | Qakbot DarkVNC Apr 2022 Campaign - Qakbot Command and Control | This strike simulates the command and control traffic that occurs after executing the Qakbot malware. After the initial HTTPS messages, Qakbot sends this message to the C2 server over port 65400.
6 | B22-ofcl1 | Qakbot DarkVNC Apr 2022 Campaign - DarkVNC Traffic | This strike simulates the DarkVNC traffic that occurs after executing the Qakbot malware. After communicating with the C2 server, the victim sends a message over port 443 to the attacker.
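The two C2 strikes above describe an ordering that is easy to turn into a detection: an outbound tcp/443 connection from the victim followed shortly by an outbound connection to tcp/65400. The script below is an added example, not part of this ATI update or of any BreakingPoint component. It parses a few constructed, Zeek-like connection-log lines (the tab-separated column layout, the 300-second pairing window and the confidence tiers are assumptions made for the example) and raises one alert per tcp/65400 connection, ranking it by whether a tcp/443 connection to the same peer, to any peer, or none at all preceded it from the same source host.

```python
"""Detection sketch for the Qakbot C2 sequence: tcp/443 then tcp/65400 from one victim host.

Added example; the log format, window and confidence labels are assumptions, not ATI/BreakingPoint logic.
"""
from collections import defaultdict
from dataclasses import dataclass

QAKBOT_C2_PORT = 65400      # port named in the strikelist description
WINDOW_SECONDS = 300        # assumed: how long after the 443 connection a 65400 connection is still paired with it


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_conn_log(text):
    """Parse a minimal, Zeek-like conn log: ts, src, sport, dst, dport, proto (tab-separated).

    The column layout is an assumption for this example; map your own log's fields accordingly.
    Lines starting with '#' (Zeek header lines) and blank lines are skipped.
    """
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split("\t")[:6]
        conns.append(Conn(float(ts), src, dst, int(dport), proto.lower()))
    return conns


def find_qakbot_sequences(conns, window=WINDOW_SECONDS):
    """Return one alert dict per tcp/65400 connection, in timestamp order.

    confidence 'high'  : a tcp/443 connection from the same source to the same peer preceded it
                         within `window` seconds (the sequence the strikelist describes)
    confidence 'medium': a tcp/443 connection from the same source to some other peer preceded it
    confidence 'low'   : tcp/65400 seen with no recent HTTPS from that source (still unusual enough
                         to be worth a look)
    """
    https_seen = defaultdict(list)          # src -> [(ts, dst), ...] for tcp/443 connections
    alerts = []
    for c in sorted(conns, key=lambda c: c.ts):
        if c.proto != "tcp":
            continue                        # the described traffic is TCP; ignore UDP noise
        if c.dport == 443:
            https_seen[c.src].append((c.ts, c.dst))
            continue
        if c.dport != QAKBOT_C2_PORT:
            continue
        recent = [(t, d) for t, d in https_seen[c.src] if 0 <= c.ts - t <= window]
        same_peer = [t for t, d in recent if d == c.dst]
        if same_peer:
            confidence, ts_443 = "high", same_peer[-1]
        elif recent:
            confidence, ts_443 = "medium", recent[-1][0]
        else:
            confidence, ts_443 = "low", None
        alerts.append({"src": c.src, "dst": c.dst, "ts_65400": c.ts,
                       "ts_443": ts_443, "confidence": confidence})
    return alerts


# Constructed sample log (not captured traffic); addresses are from documentation ranges.
SAMPLE_CONN_LOG = """\
#fields ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
1650000000.0\t10.0.0.5\t49731\t203.0.113.10\t443\ttcp
1650000012.5\t10.0.0.5\t49732\t203.0.113.10\t65400\ttcp
1650000005.0\t10.0.0.7\t51002\t198.51.100.20\t443\ttcp
1650000060.0\t10.0.0.7\t51003\t192.0.2.99\t65400\ttcp
1650000900.0\t10.0.0.9\t53311\t192.0.2.44\t65400\ttcp
1650000020.0\t10.0.0.5\t49733\t203.0.113.10\t65400\tudp
"""


def run_detection(log_text=SAMPLE_CONN_LOG):
    """Parse the log text and return the alerts for it."""
    return find_qakbot_sequences(parse_conn_log(log_text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample, 10.0.0.5 produces a high-confidence alert (443 then 65400 to the same peer twelve seconds apart), 10.0.0.7 a medium one (its 443 went to a different host), and 10.0.0.9 a low one; the UDP line is ignored. Outbound tcp/65400 is rare on most networks, so the low tier is usually worth keeping rather than suppressing.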

New Strikes (1)

CVSS | ID | References | Category | Info
7.5 | E22-ckmz1 | CVE-2021-40539, CVSS, CVSSv3, CWE-287, URL, URL | Exploits | This strike exploits an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus. The vulnerability is due to an error in normalizing URLs before validation. A remote attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could allow the attacker to bypass authentication and reach endpoints that enable subsequent attacks, leading to arbitrary command execution. *NOTE: The strike attempts to perform the authentication bypass and then calls endpoints that normally require authentication.
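The root cause stated for this strike, URLs validated before they are normalized, is a general bug class: an authentication filter matches the request path as received, while the router later collapses dot segments, duplicate slashes and percent-encoding, so a request that fails the filter's prefix match still reaches the protected handler. The example below is added here and is not the product's code, the strike's payload or the real ADSelfService Plus routes; the protected prefix `/api/admin/` and the bypass strings are illustrative. It shows a filter with the defect beside one that decides on the same normalized path the router will dispatch.

```python
"""Authentication-check ordering: normalize the request path before deciding whether it needs auth.

Added example for the CVE-2021-40539 bug class (validation before normalization). The prefix and
the request-targets are illustrative assumptions, not the product's routes or the strike's payload.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical prefix guarded by an authentication filter (an assumption for this example).
PROTECTED_PREFIX = "/api/admin/"


def strip_query(raw_target):
    """Keep only the path part of a request-target such as '/a/b?x=1'."""
    return raw_target.split("?", 1)[0]


def normalize_path(raw_target):
    """Percent-decode once, then collapse '.', '..' and repeated slashes.

    The result is the path the application will actually route, so it is the representation
    the authentication decision must be made on. Decoding happens before normpath so that
    encoded dot segments are collapsed too; decoding happens only once, matching a container
    that decodes once (double-encoded input is a separate concern).
    """
    path = unquote(strip_query(raw_target))
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)   # '/./x' -> '/x', '/a/../x' -> '/x', '/a//x' -> '/a/x', '/../x' -> '/x'
    norm = "/" + norm.lstrip("/")     # POSIX normpath keeps a leading '//'; collapse it
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                   # normpath drops a trailing slash; keep it for prefix matching
    return norm


def requires_auth_vulnerable(raw_target):
    """The bug class: the filter matches the raw path; the router normalizes it afterwards."""
    return strip_query(raw_target).startswith(PROTECTED_PREFIX)


def requires_auth_fixed(raw_target):
    """Fix: make the decision on exactly the path that will be dispatched."""
    return normalize_path(raw_target).startswith(PROTECTED_PREFIX)


# Constructed request-targets; every one of them routes to the protected handler once normalized.
BYPASS_CANDIDATES = [
    "/api/admin/users",           # plain request, caught by both filters
    "/./api/admin/users",         # dot segment
    "//api/admin/users",          # doubled leading slash
    "/api/../api/admin/users",    # dot-dot segment
    "/%61pi/admin/users",         # percent-encoded 'a'
    "/api//admin/users?x=1",      # doubled inner slash plus a query string
]


def compare_filters(targets=BYPASS_CANDIDATES):
    """Return (target, vulnerable_filter_requires_auth, fixed_filter_requires_auth, routed_path)."""
    return [(t, requires_auth_vulnerable(t), requires_auth_fixed(t), normalize_path(t))
            for t in targets]


if __name__ == "__main__":
    for target, vuln, fixed, routed in compare_filters():
        print(f"{target:28} vulnerable_filter={vuln!s:5} fixed_filter={fixed!s:5} routes_to={routed}")
```

Only the first candidate trips the vulnerable filter, yet all six are routed to `/api/admin/users`; the fixed filter requires authentication for every one of them. The practical check when reviewing a filter of this kind is to confirm that the string it compares is the one the framework hands to the handler, not the bytes on the wire.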