OPERA1ER APT IOCs - SEC-1275-1

В 2019 году команда Group-IB Threat Intelligence обнаружила серию целевых атак на финансовые организации в Африке. Позже, в 2020 году, Group-IB в сотрудничестве с Orange удалось собрать разрозненные на первый взгляд атаки в единую хронологию и успешно связать их с угрозой под кодовым названием OPERA1ER (также известной как DESKTOP-GROUP, Common Raven, NXSMS).

Содержание

Indicators of Compromise

IPv4

102.137.108.115
102.137.132.25
102.138.135.72
102.138.175.145
102.138.190.55
102.138.240.28
102.139.157.108
102.139.19.96
102.139.34.137
102.139.99.144
104.18.44.41
104.18.45.41
104.27.142.189
104.27.143.189
107.178.59.195
107.178.59.227
108.62.49.249
13.248.196.204
154.232.115.211
154.232.131.16
154.232.242.226
154.233.179.127
154.233.72.205
154.234.111.1
154.234.155.71
154.234.213.94
154.234.217.34
154.234.50.130
154.235.140.248
154.44.177.192
160.154.129.15
160.154.130.236
160.154.149.196
160.154.151.226
160.155.0.199
172.67.151.41
172.67.214.171
176.9.193.5
178.73.192.17
178.73.192.66
178.73.192.68
178.73.192.70
178.73.218.69
185.11.145.5
185.140.53.18
185.185.84.14
185.185.84.50
185.244.31.24
185.61.137.49
185.62.188.4
188.126.90.14
188.126.90.82
192.236.177.164
192.236.177.166
192.236.177.169
192.236.177.170
192.236.177.171
192.34.109.12
193.183.116.143
193.183.116.225
193.183.116.68
196.180.132.252
196.180.192.89
196.180.210.121
196.180.247.95
196.180.99.187
196.181.100.141
196.181.157.248
196.181.209.215
196.181.23.50
196.181.235.181
196.181.56.65
196.181.84.71
196.182.120.117
196.182.187.28
196.182.26.93
196.182.27.18
196.182.87.192
196.183.129.166
196.183.27.144
196.183.28.111
196.183.32.158
196.47.153.182
20.91.192.253
212.7.208.110
213.227.140.15
37.120.204.132
43.205.33.202
45.145.185.68
45.15.16.140
45.15.16.156
45.15.16.157
45.15.16.166
45.15.16.175
45.15.16.197
45.15.16.205
45.15.16.207
45.15.16.213
45.15.16.228
45.15.16.236
45.15.16.238
45.15.16.239
45.15.17.130
45.15.17.132
45.15.17.133
45.15.17.134
45.15.17.136
45.15.17.137
45.15.17.141
45.15.17.162
45.15.17.163
45.15.17.164
45.15.17.165
45.15.17.194
45.15.17.195
45.15.17.196
45.15.17.197
45.15.17.198
45.15.17.226
45.15.17.227
45.15.17.228
45.15.17.229
45.15.17.234
45.15.18.227
46.246.12.66
46.246.12.77
46.246.14.66
46.246.14.74
46.246.26.77
46.246.4.67
46.246.4.75
46.246.4.78
46.246.6.79
46.246.80.66
46.246.80.72
46.246.82.67
46.246.82.68
46.246.84.17
46.246.84.21
46.246.84.72
46.246.84.74
5.158.83.131
5.158.83.195
72.11.142.240
79.134.225.107
79.134.225.75
83.97.18.130
83.97.18.131
83.97.18.132
83.97.18.133
83.97.18.134
83.97.18.135
83.97.18.136
83.97.18.162
83.97.18.163
83.97.18.164
83.97.18.166
83.97.18.194
83.97.18.195
83.97.18.196
83.97.18.226
83.97.18.227
83.97.18.228
83.97.18.231
91.193.75.171
95.142.44.227

Domains

4x33.ignorelist.com
actu.afrikmedia.info
actu.banquealtantique.net
afijoh.net
afrikmedia.info
bac.eimaragon.org
bac.senegalsante.org
banquealtantique.net
banqueislamik.ddrive.online
bdm-sa.fr
blackid-35778.portmap.io
boa.eimaragon.org
bproduction.duckdns.org
bproduction.zapto.org
chance2019.ddns.net
cnam.myvnc.com
cobalt.warii.club
codir.ocitnetad.com
contact.senegalsante.org
coris-bank.fr
covid.ocitnetad.co
crazy.senegalsante.org
direct8.ddns.net
download.nortonupdate.com
driver.eimaragon.org
droid.senegalsante.org
dynastie.warzonedns.com
eimanet.eimaragon.org
eimaragon.org
EVAMACHINE.TK
files.ddrive.online
ftp.eimaragon.org
fuck90.duckdns.org
gamevnc.myvnc.com
HELPDESK-SECURITY.ORG
hostmaster.senegalsante.org
hunterX1-37009.portmap.io
info.senegalsante.org
info.warii.club
kaspersky-lab.org
kpersky.duckdns.org
mail.mcafee-endpoint.com
mail.warii.club
mcafee-endpoint.com
microsoft-af.com
news.afrikmedia.info
news.banquealtantique.net
news.coris-bank.fr
noreply.mcafee-endpoint.com
noreplyrobot.duckdns.org
ns.eimaragon.org
ns1.eimaragon.org
ns1.senegalsante.org
ns2.senegalsante.org
ocitnetad.com
operan.ddns.net
personnel.bdm-sa.fr
personnels.bdm-sa.fr
queen2012.ddns.net
reply2host.duckdns.org
senegalsante.org
server.senegalsante.org
server0.senegalsante.org
server1.senegalsante.org
server2.senegalsante.org
server3.senegalsante.org
serveur1.hopto.org
update.kaspersky-lab.org
update.mcafee-endpoint.com
update.microsoft-af.com
utils.afijoh.net
wa.eimaragon.org
wari.warii.club
warii.club
warima.warii.club
webdisk.bdm-sa.fr
windonwsxp.duckdns.org
windowsdefender.redirectme.net
windowsdwm.ddns.net
windowsupdaters.zapto.org
windowsupgraders.ddns.net
winsec.ddns.net
winsec.eimaragon.org
winsec.gotdns.ch
winsec.senegalsante.org
winsec.warii.club
wsus.microsoft-af.com
www.privacyfirst.sh
www.warii.club
zfs.life

MD5

009bcdb4cb4784df7e366921c523db16
017ba3cb35528108f6c4e05db99f3572
0258f4f0319fa77b10978dd92edf87c1
043956a214b56a2efd323ec305a813f2
044e0bb14076e83bcd38c537ff328f73
093ba856381c9e17e29a5fc2aadfa9f9
0a11428c5f4cb64bea4905576d30044d
0ca97bf824c3bf16818f9830c0ba83a5
0f304bd73274a6fd4a5b05eb5f0657f7
10260f016285a196e245493a0e50681a
1305f4fe0f5032c82e3dd5ca4ecae235
13c07511ff89f1567a8f39a5215bc884
13e7c5ad329a3e3c0568d27cc2242af6
18126be163eb7df2194bb902c359ba8e
2178d1efad5f2a1f7400e0d6d0a263f8
21bf477dbc9eaca77e0d7e77856bddd7
22fe5107805f9c5f1ce8051c9796df18
24aa5d597961bc1d902c5462052a1250
27304b246c7d5b4e149124d5f93c5b01
2806b0bfd215648edb1bb3ef32855a99
2b83d157f134a0388d6b48a4fbb85bd0
2c5dcd5c42ece2a91e53914f10b10270
2d03e001d92c099a002692c1669432b6
2d17eb61660c1e4390fe88c9ddefc6c7
2e2ddfd6d3a10d5dd51f8cbdeaeb4b75
2e5af496face122157e459e84e5fe14b
306447863f89c6962fc5c16517c8fb9c
330cf14b15f441462554917d66f4c4cf
34499495a77a34ce3a58899089f97062
351cbc60e73886519a8e1232adf80f28
368653e74934b6d649c8d08d66341177
37502ecc7f8575055873f92719e1c7b6
3a60017847cf09f334fd8a2d0b001543
3b6c29c8ff1ea1649da4863b6e543e04
3c1e90e8b5d180ff0f5455dd92bdb412
3cbe2c4d95d10a0d5f1d33db3e752df0
3d79e91b1382280535596ce7eaa5e29b
446a6e8c3876959ba1695899fe3584a7
472873942f0e7750ced3bc42c0b469f7
47777cb7a44e587e1c39eb4b7aec6ac4
478d8e6a7766702a584073c295c0eadc
49ad6020376caba051b4d6a6578efc1c
4b27c3d57fe01a2a5b2001854507e0e2
4b78df00aa863bc8b581b33289031500
4f27b4322117484847c7021a5325814d
4facb81f57e515a508040270849bcd35
52616e216f614ce92ea9512d49d039c4
52e666a32d0847b416b66ad9aa98bbed
5501196c0134a5a9eac0dfe250acd055
588afc20615b110b8bc0365397c3dbbf
58961c3ea961f0de2177b352d51e047d
5aa2bc6132915f9ddd56b7fd17f992e6
5d9d7de37e423d33aec86617a750662d
5ecc4ad7475caef78f0e035aa277b51e
63417ec71d3c7670c2306afc4164b0de
63649943c1ffb9d650d73bc375b6f224
63c7f3e2eb52298bdb9641b8ac319882
6414928547ef254886331378cfb97be1
64e61ec18ab4336798f667c4465a7b58
670a05010ba9c97e7451e1d7896801ae
67f6cea5ce043f1e4872c357d2752379
690d63a3dd05649f330df67b072df337
69c2af6fffd6537590c7bdba36b5823b
6a1bf6f6bc7d86fa77db57132ef65ee6
6ccdc868a729510a1c2f3ce447e1de05
6d56ab884f43028bb642f76acf286de1
6d93c6535945e0caadb6ebee9b2b5e17
70bc161f01937e17bae835b4df2c84b6
72902ec0df95a7dcfb3b66f9b02ef7f3
72f82d3fa5ffa8a82a5ac1176363dfef
7444684c7152c6089e68305c36f585e3
7584fa7ded7aed3b38635274719b7966
75e55496a2c4d240805291780478cb45
7803e73ea96be23f3499b4af3e100161
7ddee4ec4650bf7836478ca8f286ac10
7e2801b8d44eb6bece5b3b5467242111
7efe472be826bf387545117b3e463fed
8061ba44ebc7cc1adb5dc61c903f541f
808502752ca0492aca995e9b620d507b
809f42059da3058a1e62fa7ba56ce66b
80c0cd9971c1d458c40a10ffc54ec35d
834d61aa653f8503aa36fffc9774b2b6
8416149a694a4ad8b54ae06579f56908
8a3214f0631c3afe3b3fa269ff887318
8bed50e5bb8aaee9c8af1ee14623547e
8cd17229113b8f57d7db6b2719f93f4d
905de14f4c515e82bf4603fa7c3dae4e
9321c107d1f7e336cda550a2bf049108
9425024fe2b94a9c7cdf8ea60a1fbdb7
96d38bc4a675ab2505806d9ea4df6bea
9768250c8ad2861dd46c1a2d5f9b0ac3
97bfda8cede4baec095f0f24b4c47a56
98d1c565e5b6484e937efed5e777263d
9c38991c3770b0c2917659bdb7091ed9
9d5696758c45cceb3405a62af931c11d
9d61b753e7073a70fb6f4b577c9270f0
a0873962bca482a7d14dafbeaf5346cb
a1d02f0906e7cac845c1979b3e0c783a
a69f9a26f8cf8abddc0e105328198766
a919affc3ca6ae4f534d6acb2f31a5fa
a963112260daf1fcf30f394a21e123e1
a9ab4f14d339eb15d8209b13a51ce989
aae20b78c9bcba19e95fc56a630228a0
af67701a6387834d2195282719ef6636
b1de80dc4a1d8122909f53a101802449
b6c707729ac8e7fe2f6d358b5dd2736c
b9943a25caed8e251a9580ebb6148137
ba6d2148ecff70e2134953df18210c15
ba9a525cee898c867b2587a492167877
bace201a0f9bc25dda6b288e22023f61
bb431f144ae22c06662fcb0d64dd6b7d
bb592a79fd934e30df6832b67b918923
bcc73790f7b2d37704976cd78095a9e9
beceae2fdc4f7729a93e94ac2ccd78cc
bed4f32f0d6f97feee6c03f287e1832c
c1523055a02b61e0f4ba87547b29ec0c
c2a287fae215fa3c4ae4accf5186d014
c872af5d1182e865dc72e23fed938b5c
c9194a86915eb04b8293183dada19e79
ce5ac0502ff412be598914c12babfb03
ce83775b68686c01d1c45fe47d8e5325
cebbd06d6dbf99ab1eb868310f642027
cfbac2be66ebfe0a9324d188199c0de2
d1b2d809addb30c85c8344336f3bc6ff
d1dcf91ee3d482623365bf5976e19dc1
d440dd5375fd1dc90858cc4d2415b5f9
d532dd9036497a0ed71ace5ec1b45fb8
d6a3f830a51ec64acaab361e056f5e0d
db37a5c00a956bb8d6cc18974992a2dc
dbd7a7cc06ca8e4c5ccc5fb901271d80
dc1e1506c0c03663233911f4d0a22c70
dc33c287ffa253bc5af591e7f40877da
dda5a9d262181339921c04902bd77173
df88175fb96cad1ca9605db2352ae063
e2b0d44be0970b740afc27ff82bb29bf
e8848f591f9cd537e1feb84a54fe18ff
e89790f614197291933982e26f9214ca
ed5d15c55ee5cc0eba0aa8c4f42b45d9
eeb12aa59e79027fa2bafd0c6e244f9e
eebaef66a9d009ba52f40eb7b66c06f8
f1bef120cb72066000e67171ed5193a7
f2060ef4f0e02bb9f96f4f0ac295c03f
f24a401dc5974e995a2cf98f03a42e17
f58ccfae8b60f37e8d612532395170de
f61a31de0f8478b9b4332ae321b03c1b
f7533a09f0bc3b7e9317c65050f987d2
f7b0cf59a52e2c03a38bd6d04aab47fc
f7e6e117024b8936cf0f3ba1ac303a3b
fb6c7eb4f64f699511380721e9c8cabb
fbec4459fbf7018db2a0148406d8196f
fd4f43af4b47683256b31e74d5bdfb9c

SHA1

17e0b8fe9acfd1776a1566ce5ed6f051f7e0f91f
2707299e9ec7fb2173f6afb2e23a4d74865cf5a3
ac85af8395d1b97a8cbcbd16f995ce119e3c4955

Technical report

OPERA1ER.pdf